lol

nixos/tor: fix eval

Resolves #369847

+32 -33
+32 -33
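--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -5,7 +5,6 @@
 pkgs,
 ...
 }:
-with builtins;
 let
 cfg = config.services.tor;
 opt = options.services.tor;
@@ -15,7 +14,7 @@
 See [torrc manual](https://2019.www.torproject.org/docs/tor-manual.html.en#${option}).
 '';
 bindsPrivilegedPort =
-any
+lib.any
 (
 p0:
 let
@@ -25,7 +24,7 @@
 false
 else
 let
-p2 = if isInt p1 then p1 else toInt p1;
+p2 = if lib.isInt p1 then p1 else lib.toInt p1;
 in
 p1 != null && 0 < p2 && p2 < 1024
 )
@@ -197,7 +196,7 @@
 config = lib.mkIf doConfig {
 # Only add flags in SOCKSPort to avoid duplicates
 flags =
-filter (name: config.${name} == true) flags
+lib.filter (name: config.${name} == true) flags
 ++ lib.optional (config.SessionGroup != null) "SessionGroup=${toString config.SessionGroup}";
 };
 }
@@ -272,16 +271,16 @@
 k: v:
 if v == null then
 ""
-else if isBool v then
+else if lib.isBool v then
 (if v then "1" else "0")
 else if v ? "unix" && v.unix != null then
-"unix:" + v.unix + lib.optionalString (v ? "flags") (" " + concatStringsSep " " v.flags)
+"unix:" + v.unix + lib.optionalString (v ? "flags") (" " + lib.concatStringsSep " " v.flags)
 else if v ? "port" && v.port != null then
 lib.optionalString (v ? "addr" && v.addr != null) "${v.addr}:"
 + toString v.port
-+ lib.optionalString (v ? "flags") (" " + concatStringsSep " " v.flags)
++ lib.optionalString (v ? "flags") (" " + lib.concatStringsSep " " v.flags)
 else if k == "ServerTransportPlugin" then
-lib.optionalString (v.transports != [ ]) "${concatStringsSep "," v.transports} exec ${v.exec}"
+lib.optionalString (v.transports != [ ]) "${lib.concatStringsSep "," v.transports} exec ${v.exec}"
 else if k == "HidServAuth" then
 v.onion + " " + v.auth
 else
@@ -298,7 +297,7 @@
 k: v:
 # Not necesssary, but prettier rendering
 if
-elem k [
+lib.elem k [
 "AutomapHostsSuffixes"
 "DirPolicy"
 "ExitPolicy"
@@ -306,7 +305,7 @@
 ]
 && v != [ ]
 then
-concatStringsSep "," v
+lib.concatStringsSep "," v
 else
 v
 ) (lib.filterAttrs (k: v: !(v == null || v == "")) settings)
@@ -750,7 +749,7 @@
 ]);
 apply = map (
 v:
-if isInt v then
+if lib.isInt v then
 {
 port = v;
 target = null;
@@ -816,7 +815,7 @@
 settings.HiddenServiceVersion = config.version;
 settings.HiddenServiceAuthorizeClient =
 if config.authorizeClient != null then
-config.authorizeClient.authType + " " + concatStringsSep "," config.authorizeClient.clientNames
+config.authorizeClient.authType + " " + lib.concatStringsSep "," config.authorizeClient.clientNames
 else
 null;
 settings.HiddenServicePort = map (
@@ -998,7 +997,7 @@
 }
 ))
 ]);
-apply = p: if isInt p || isString p then { port = p; } else p;
+apply = p: if lib.isInt p || lib.isString p then { port = p; } else p;
 };
 options.ExtORPortCookieAuthFile = optionPath "ExtORPortCookieAuthFile";
 options.ExtORPortCookieAuthFileGroupReadable = optionBool "ExtORPortCookieAuthFileGroupReadable";
@@ -1198,17 +1197,17 @@
 lib.mapAttrsToList (
 n: o:
 lib.optionals (o.settings.HiddenServiceVersion == 2) [
-(optional (o.settings.HiddenServiceExportCircuitID != null) ''
+(lib.optional (o.settings.HiddenServiceExportCircuitID != null) ''
 HiddenServiceExportCircuitID is used in the HiddenService: ${n}
 but this option is only for v3 hidden services.
 '')
 ]
 ++ lib.optionals (o.settings.HiddenServiceVersion != 2) [
-(optional (o.settings.HiddenServiceAuthorizeClient != null) ''
+(lib.optional (o.settings.HiddenServiceAuthorizeClient != null) ''
 HiddenServiceAuthorizeClient is used in the HiddenService: ${n}
 but this option is only for v2 hidden services.
 '')
-(optional (o.settings.RendPostPeriod != null) ''
+(lib.optional (o.settings.RendPostPeriod != null) ''
 RendPostPeriod is used in the HiddenService: ${n}
 but this option is only for v2 hidden services.
 '')
@@ -1245,7 +1244,7 @@
 }
 //
 lib.optionalAttrs
-(elem cfg.relay.role [
+(lib.elem cfg.relay.role [
 "bridge"
 "private-bridge"
 ])
@@ -1307,13 +1306,13 @@
 
 networking.firewall = lib.mkIf cfg.openFirewall {
 allowedTCPPorts =
-concatMap
+lib.concatMap
 (
 o:
-if isInt o && o > 0 then
+if lib.isInt o && o > 0 then
 [ o ]
 else
-lib.optionals (o ? "port" && isInt o.port && o.port > 0) [ o.port ]
+lib.optionals (o ? "port" && lib.isInt o.port && o.port > 0) [ o.port ]
 )
 (
 lib.flatten [
@@ -1341,40 +1340,40 @@
 (
 "+"
 + pkgs.writeShellScript "ExecStartPre" (
-concatStringsSep "\n" (
+lib.concatStringsSep "\n" (
 lib.flatten (
 [ "set -eu" ]
 ++ lib.mapAttrsToList (
 name: onion:
 lib.optional (onion.authorizedClients != [ ]) ''
-rm -rf ${escapeShellArg onion.path}/authorized_clients
-install -d -o tor -g tor -m 0700 ${escapeShellArg onion.path} ${escapeShellArg onion.path}/authorized_clients
+rm -rf ${lib.escapeShellArg onion.path}/authorized_clients
+install -d -o tor -g tor -m 0700 ${lib.escapeShellArg onion.path} ${lib.escapeShellArg onion.path}/authorized_clients
 ''
-++ imap0 (i: pubKey: ''
+++ lib.imap0 (i: pubKey: ''
 echo ${pubKey} |
-install -o tor -g tor -m 0400 /dev/stdin ${escapeShellArg onion.path}/authorized_clients/${toString i}.auth
+install -o tor -g tor -m 0400 /dev/stdin ${lib.escapeShellArg onion.path}/authorized_clients/${toString i}.auth
 '') onion.authorizedClients
 ++ lib.optional (onion.secretKey != null) ''
-install -d -o tor -g tor -m 0700 ${escapeShellArg onion.path}
-key="$(cut -f1 -d: ${escapeShellArg onion.secretKey} | head -1)"
+install -d -o tor -g tor -m 0700 ${lib.escapeShellArg onion.path}
+key="$(cut -f1 -d: ${lib.escapeShellArg onion.secretKey} | head -1)"
 case "$key" in
 ("== ed25519v"*"-secret")
-install -o tor -g tor -m 0400 ${escapeShellArg onion.secretKey} ${escapeShellArg onion.path}/hs_ed25519_secret_key;;
+install -o tor -g tor -m 0400 ${lib.escapeShellArg onion.secretKey} ${lib.escapeShellArg onion.path}/hs_ed25519_secret_key;;
 (*) echo >&2 "NixOS does not (yet) support secret key type for onion: ${name}"; exit 1;;
 esac
 ''
 ) cfg.relay.onionServices
 ++ lib.mapAttrsToList (
 name: onion:
-imap0 (
+lib.imap0 (
 i: prvKeyPath:
 let
-hostname = removeSuffix ".onion" name;
+hostname = lib.removeSuffix ".onion" name;
 in
 ''
-printf "%s:" ${escapeShellArg hostname} | cat - ${escapeShellArg prvKeyPath} |
+printf "%s:" ${lib.escapeShellArg hostname} | cat - ${lib.escapeShellArg prvKeyPath} |
 install -o tor -g tor -m 0700 /dev/stdin \
-${runDir}/ClientOnionAuthDir/${escapeShellArg hostname}.${toString i}.auth_private
+${runDir}/ClientOnionAuthDir/${lib.escapeShellArg hostname}.${toString i}.auth_private
 ''
 ) onion.clientAuthorizations
 ) cfg.client.onionServices
@@ -1417,7 +1416,7 @@
 BindPaths = [ stateDir ];
 BindReadOnlyPaths =
 [
-storeDir
+builtins.storeDir
 "/etc"
 ]
 ++ lib.optionals config.services.resolved.enable [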
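Review bot: In the ExecStartPre hunk (new lines 1340–1379) the context line `echo ${pubKey} |` still interpolates the client key into the generated shell script unquoted, while every path and hostname around it goes through `lib.escapeShellArg`. The script is prefixed with `"+"`, so it presumably runs with full privileges, and a key string containing whitespace or shell metacharacters would be interpreted by the shell instead of being written verbatim to the `.auth` file. Since the commit already touches the neighbouring lines, I would change it to `printf '%s\n' ${lib.escapeShellArg pubKey} |`. The enclosing `writeShellScript` expression starts and ends outside the hunk, so how `runDir` and `name` are built could not be checked from here.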