
nixos/tor: use RuntimeDirectory, StateDirectory (#39083)

authored by

Robert Schütz and committed by
GitHub
5bd12c69 f00221d0

+4 -6
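--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -703,14 +703,10 @@
 after = [ "network.target" ];
 restartTriggers = [ torRcFile ];
 
-# Translated from the upstream contrib/dist/tor.service.in
-preStart = ''
-install -o tor -g tor -d ${torDirectory}/onion ${torRunDirectory}
-${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config
-'';
-
 serviceConfig =
 { Type = "simple";
+# Translated from the upstream contrib/dist/tor.service.in
+ExecStartPre = "${pkgs.tor}/bin/tor -f ${torRcFile} --verify-config";
 ExecStart = "${pkgs.tor}/bin/tor -f ${torRcFile} --RunAsDaemon 0";
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 KillSignal = "SIGINT";
@@ -725,6 +721,8 @@
 # DeviceAllow /dev/urandom r
 # .. but we can't specify DeviceAllow multiple times. 'closed'
 # is close enough.
+RuntimeDirectory = "tor";
+StateDirectory = [ "tor" "tor/onion" ];
 PrivateTmp = "yes";
 DevicePolicy = "closed";
 InaccessibleDirectories = "/home";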
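Review bot: The new `RuntimeDirectory`/`StateDirectory` lines in the second hunk drop the explicit ownership and implicit mode that the removed `install -o tor -g tor -d` gave `${torDirectory}/onion` and `${torRunDirectory}`; systemd creates these directories owned by the unit's `User`/`Group` (not visible in either hunk, so worth confirming they are set to tor) and with mode 0755 unless told otherwise. Tor's data and onion-service directories hold long-term private keys and tor expects them to be private, so I would pin the mode explicitly rather than rely on tor repairing it at startup, e.g. `StateDirectoryMode = "0700";` next to `StateDirectory`, and choose `RuntimeDirectoryMode` based on who needs to reach the control socket under /run/tor. It is also not visible here whether `torDirectory` and `torRunDirectory` still resolve to /var/lib/tor and /run/tor, which is what these two options imply; if they are configurable elsewhere in the module, the `DataDirectory` written into `torRcFile` and the systemd-managed paths could now diverge. A one-line comment stating that assumption, such as `# /var/lib/tor and /run/tor must match torDirectory / torRunDirectory in torRcFile`, would make the coupling explicit. The enclosing `serviceConfig` attribute set continues past the end of the hunk.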