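{ lib, stdenv, fetchurl, pkg-config, libevent, openssl, zlib, torsocks
, libseccomp, systemd, libcap, xz, zstd, scrypt, nixosTests
, writeShellScript

# for update.nix
, writeScript
, common-updater-scripts
, bash
, coreutils
, curl
, gnugrep
, gnupg
, gnused
, nix
}:
let
  # Helper installed as $out/bin/tor-client-auth-gen (see postInstall).
  # Prints a freshly generated x25519 key pair on stdout, private key first,
  # each in the "descriptor:x25519:<unpadded base32>" form that Tor's
  # onion-service client authorization uses.
  #
  # The raw 32-byte keys are recovered by stripping the PEM armor, base64-
  # decoding the DER and keeping the last 32 bytes. This relies on the
  # PKCS#8 / SubjectPublicKeyInfo encodings openssl emits for X25519
  # (RFC 8410 layout) ending with the raw key bytes.
  # NOTE(review): re-check this if the OpenSSL version changes and a v2
  # PrivateKeyInfo with an embedded public key is emitted instead.
  tor-client-auth-gen = writeShellScript "tor-client-auth-gen" ''
    # Fail loudly on any error in the pipelines below: without this a
    # failing openssl call still prints an empty key line and exits 0,
    # which a caller could store in a config file unnoticed.
    set -euo pipefail
    PATH="${lib.makeBinPath [coreutils gnugrep openssl]}"
    # The PEM is kept in a shell variable and only handed to `echo` (a bash
    # builtin), so the private key never appears in another process's argv.
    pem="$(openssl genpkey -algorithm x25519)"

    printf private_key=descriptor:x25519:
    echo "$pem" | grep -v " PRIVATE KEY" |
      base64 -d | tail --bytes=32 | base32 | tr -d =

    printf public_key=descriptor:x25519:
    echo "$pem" | openssl pkey -in /dev/stdin -pubout |
      grep -v " PUBLIC KEY" |
      base64 -d | tail --bytes=32 | base32 | tr -d =
  '';
in
stdenv.mkDerivation rec {
  pname = "tor";
  version = "0.4.8.9";

  # Release tarball, pinned by hash so the fetched source is verified.
  src = fetchurl {
    url = "https://dist.torproject.org/${pname}-${version}.tar.gz";
    sha256 = "sha256-Wbt9iJD2ExtM5TRPPc6l3rIYK39PEP8MtOTYHxGyz2U=";
  };

  # The geoip databases are moved into a separate output in postInstall.
  outputs = [ "out" "geoip" ];

  nativeBuildInputs = [ pkg-config ];
  # libseccomp, systemd and libcap are only pulled in on Linux.
  buildInputs = [ libevent openssl zlib xz zstd scrypt ]
    ++ lib.optionals stdenv.isLinux [ libseccomp systemd libcap ];

  patches = [ ./disable-monotonic-timer-tests.patch ];

  configureFlags =
    # allow inclusion of GPL-licensed code (needed for Proof of Work defense for onion services)
    # for more details see
    # https://gitlab.torproject.org/tpo/onion-services/onion-support/-/wikis/Documentation/PoW-FAQ#compiling-c-tor-with-the-pow-defense
    [ "--enable-gpl" ]
    ++
    # cross compiles correctly but needs the following
    lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ "--disable-tool-name-check" ]
    ++
    # sandbox is broken on aarch64-linux https://gitlab.torproject.org/tpo/core/tor/-/issues/40599
    # This builds Tor without seccomp support on that platform, which
    # presumably leaves the `Sandbox` torrc option unavailable there --
    # verify against the Tor manual before relying on it.
    lib.optionals (stdenv.isLinux && stdenv.isAarch64) [ "--disable-seccomp" ]
    ;

  # Extra linker flag applied only with GCC toolchains.
  NIX_CFLAGS_LINK = lib.optionalString stdenv.cc.isGNU "-lgcc_s";

  # Make torify use the torsocks from the store instead of searching PATH,
  # and fix up the shebang of a maintainer script.
  postPatch = ''
    substituteInPlace contrib/client-tools/torify \
      --replace 'pathfind torsocks' true \
      --replace 'exec torsocks' 'exec ${torsocks}/bin/torsocks'

    patchShebangs ./scripts/maint/checkShellScripts.sh
  '';

  enableParallelBuilding = true;

  # disable tests on aarch64-darwin, the following tests fail there:
  # oom/circbuf: [forking]
  #   FAIL src/test/test_oom.c:187: assert(c1->marked_for_close)
  #   [circbuf FAILED]
  # oom/streambuf: [forking]
  #   FAIL src/test/test_oom.c:287: assert(x_ OP_GE 500 - 5): 0 vs 495
  #   [streambuf FAILED]
  doCheck = !(stdenv.isDarwin && stdenv.isAarch64);

  # Move geoip/geoip6 into the dedicated output and expose the key-pair
  # helper next to the tor binaries.
  postInstall = ''
    mkdir -p $geoip/share/tor
    mv $out/share/tor/geoip{,6} $geoip/share/tor
    rm -rf $out/share/tor
    ln -s ${tor-client-auth-gen} $out/bin/tor-client-auth-gen
  '';

  # NixOS integration test and the updater script defined in ./update.nix.
  passthru = {
    tests.tor = nixosTests.tor;
    updateScript = import ./update.nix {
      inherit lib;
      inherit
        writeScript
        common-updater-scripts
        bash
        coreutils
        curl
        gnupg
        gnugrep
        gnused
        nix
        ;
    };
  };

  meta = with lib; {
    homepage = "https://www.torproject.org/";
    description = "Anonymizing overlay network";

    longDescription = ''
      Tor helps improve your privacy by bouncing your communications around a
      network of relays run by volunteers all around the world: it makes it
      harder for somebody watching your Internet connection to learn what sites
      you visit, and makes it harder for the sites you visit to track you. Tor
      works with many of your existing applications, including web browsers,
      instant messaging clients, remote login, and other applications based on
      the TCP protocol.
    '';

    license = with licenses; [ bsd3 gpl3Only ];

    maintainers = with maintainers;
      [ thoughtpolice joachifm prusnak ];
    platforms = platforms.unix;
  };
}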