
Merge pull request #28939 from xtruder/nixos/tor/trans_proxy

tor module: add support for transparent proxy and dns

authored by

Jaka Hudoklin and committed by
GitHub
bc557912 2d0ed7be

+81 -2
+81 -2
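--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -9,6 +9,26 @@
 opt = name: value: optionalString (value != null) "${name} ${value}";
 optint = name: value: optionalString (value != null && value != 0) "${name} ${toString value}";
 
+isolationOptions = {
+type = types.listOf (types.enum [
+"IsolateClientAddr"
+"IsolateSOCKSAuth"
+"IsolateClientProtocol"
+"IsolateDestPort"
+"IsolateDestAddr"
+]);
+default = [];
+example = [
+"IsolateClientAddr"
+"IsolateSOCKSAuth"
+"IsolateClientProtocol"
+"IsolateDestPort"
+"IsolateDestAddr"
+];
+description = "Tor isolation options";
+};
+
+
 torRc = ''
 User tor
 DataDirectory ${torDirectory}
@@ -20,10 +40,20 @@
 ${optint "ControlPort" cfg.controlPort}
 ''
 # Client connection config
-+ optionalString cfg.client.enable ''
-SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
++ optionalString cfg.client.enable ''
+SOCKSPort ${cfg.client.socksListenAddress} ${toString cfg.client.socksIsolationOptions}
 SOCKSPort ${cfg.client.socksListenAddressFaster}
 ${opt "SocksPolicy" cfg.client.socksPolicy}
+
+${optionalString cfg.client.transparentProxy.enable ''
+TransPort ${cfg.client.transparentProxy.listenAddress} ${toString cfg.client.transparentProxy.isolationOptions}
+''}
+
+${optionalString cfg.client.dns.enable ''
+DNSPort ${cfg.client.dns.listenAddress} ${toString cfg.client.dns.isolationOptions}
+AutomapHostsOnResolve 1
+AutomapHostsSuffixes ${concatStringsSep "," cfg.client.dns.automapHostsSuffixes}
+''}
 ''
 # Relay config
 + optionalString cfg.relay.enable ''
@@ -152,6 +182,55 @@
 is set, we accept all (and only) requests from
 <option>socksListenAddress</option>.
 '';
+};
+
+socksIsolationOptions = mkOption (isolationOptions // {
+default = ["IsolateDestAddr"];
+});
+
+transparentProxy = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = "Whether to enable tor transaprent proxy";
+};
+
+listenAddress = mkOption {
+type = types.str;
+default = "127.0.0.1:9040";
+example = "192.168.0.1:9040";
+description = ''
+Bind transparent proxy to this address.
+'';
+};
+
+isolationOptions = mkOption isolationOptions;
+};
+
+dns = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = "Whether to enable tor dns resolver";
+};
+
+listenAddress = mkOption {
+type = types.str;
+default = "127.0.0.1:9053";
+example = "192.168.0.1:9053";
+description = ''
+Bind tor dns to this address.
+'';
+};
+
+isolationOptions = mkOption isolationOptions;
+
+automapHostsSuffixes = mkOption {
+type = types.listOf types.str;
+default = [".onion" ".exit"];
+example = [".onion"];
+description = "List of suffixes to use with automapHostsOnResolve";
+};
 };
 
 privoxy.enable = mkOption {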
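Review bot: The new transparentProxy.listenAddress and dns.listenAddress options (new-file lines 198–205 and 217–224) give a non-loopback example address but their descriptions do not say what that implies: TransPort and DNSPort serve any host that can reach the socket, so a non-loopback bind exposes the proxy and resolver to that whole network segment, and the module adds no firewall rule of its own; suggest appending to both descriptions `Binding to a non-loopback address makes the port reachable by every host on that network; restrict access with the firewall.` Likewise, transparentProxy.enable only opens the TransPort and adds no redirect rule, so its description should state that steering traffic into the port is left to the administrator. The description on new-file line 195 has a typo: `Whether to enable tor transaprent proxy` should read `Whether to enable tor transparent proxy`. The enclosing `client` option set starts outside the hunk.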