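# Package expression for the Tor daemon and its client tools.
#
# Besides the upstream build this installs `tor-client-auth-gen`, a small
# helper (defined below) that prints a fresh x25519 key pair in the
# `descriptor:x25519:<base32>` form.
{ lib, stdenv, fetchurl, pkg-config, libevent, openssl, zlib, torsocks
, libseccomp, systemd, libcap, xz, zstd, scrypt, nixosTests
, writeShellScript

# for update.nix
, writeScript
, common-updater-scripts
, bash
, coreutils
, curl
, gnugrep
, gnupg
, gnused
, nix
}:
let
  # Generates an x25519 key pair with openssl and prints two lines:
  #   private_key=descriptor:x25519:<base32, unpadded>
  #   public_key=descriptor:x25519:<base32, unpadded>
  #
  # How the raw key is extracted: the PEM armour lines are dropped, the body
  # is base64-decoded, and only the trailing 32 bytes of the DER structure
  # (the raw x25519 key) are kept before base32-encoding.
  #
  # `set -euo pipefail` makes the script stop at the first failing command.
  # Without it a failed `openssl` call would still print the
  # `private_key=`/`public_key=` prefixes with an empty or truncated value.
  #
  # Security notes:
  #  * PATH is replaced by the pinned store paths, so the caller's PATH
  #    cannot substitute a different openssl/base64/grep.
  #  * The PEM is held in a shell variable and handed to the tools on stdin,
  #    never as a command-line argument to an external program.
  #  * The private key is written to stdout in the clear. Callers must keep
  #    that output out of logs and world-readable files, and must not put it
  #    into the (world-readable) Nix store.
  tor-client-auth-gen = writeShellScript "tor-client-auth-gen" ''
    set -euo pipefail
    PATH="${lib.makeBinPath [coreutils gnugrep openssl]}"
    pem="$(openssl genpkey -algorithm x25519)"

    printf private_key=descriptor:x25519:
    echo "$pem" | grep -v " PRIVATE KEY" |
      base64 -d | tail --bytes=32 | base32 | tr -d =

    printf public_key=descriptor:x25519:
    echo "$pem" | openssl pkey -in /dev/stdin -pubout |
      grep -v " PUBLIC KEY" |
      base64 -d | tail --bytes=32 | base32 | tr -d =
  '';
in
stdenv.mkDerivation rec {
  pname = "tor";
  version = "0.4.7.13";

  # The release tarball is pinned by content hash, so the build fails if the
  # download does not match. The hash is only as trustworthy as the process
  # that produced it.
  # NOTE(review): update.nix is passed gnupg, presumably to verify the
  # upstream signature before the hash is updated; confirm in update.nix.
  src = fetchurl {
    url = "https://dist.torproject.org/${pname}-${version}.tar.gz";
    sha256 = "sha256-IHkXLM4DRVbxEASOJgg86b6nUfMVSwrSgJdRgVsR6p0=";
  };

  # The GeoIP databases go into their own output (see postInstall).
  outputs = [ "out" "geoip" ];

  nativeBuildInputs = [ pkg-config ];
  # libseccomp, systemd and libcap are only added on Linux.
  buildInputs = [ libevent openssl zlib xz zstd scrypt ] ++
    lib.optionals stdenv.isLinux [ libseccomp systemd libcap ];

  patches = [ ./disable-monotonic-timer-tests.patch ];

  configureFlags =
    # cross compiles correctly but needs the following
    lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ "--disable-tool-name-check" ]
    ++
    # sandbox is broken on aarch64-linux https://gitlab.torproject.org/tpo/core/tor/-/issues/40599
    #
    # Security trade-off: on this platform Tor is built without its seccomp
    # syscall filter, so the torrc `Sandbox` hardening option is not
    # available there. Drop the flag once the upstream issue is resolved.
    lib.optionals (stdenv.isLinux && stdenv.isAarch64) [ "--disable-seccomp" ]
  ;

  # Link against libgcc_s when the compiler is GCC.
  NIX_CFLAGS_LINK = lib.optionalString stdenv.cc.isGNU "-lgcc_s";

  # torify: skip the PATH lookup for torsocks and exec the pinned store path
  # instead, so the wrapper cannot pick up a different torsocks from the
  # caller's PATH.
  postPatch = ''
    substituteInPlace contrib/client-tools/torify \
      --replace 'pathfind torsocks' true          \
      --replace 'exec torsocks' 'exec ${torsocks}/bin/torsocks'

    patchShebangs ./scripts/maint/checkShellScripts.sh
  '';

  enableParallelBuilding = true;

  # disable tests on aarch64-darwin, the following tests fail there:
  # oom/circbuf: [forking]
  #   FAIL src/test/test_oom.c:187: assert(c1->marked_for_close)
  #   [circbuf FAILED]
  # oom/streambuf: [forking]
  #   FAIL src/test/test_oom.c:287: assert(x_ OP_GE 500 - 5): 0 vs 495
  #   [streambuf FAILED]
  doCheck = !(stdenv.isDarwin && stdenv.isAarch64);

  # Move geoip and geoip6 into the `geoip` output, drop the now unneeded
  # share/tor directory from `out`, and expose the key generation helper.
  postInstall = ''
    mkdir -p $geoip/share/tor
    mv $out/share/tor/geoip{,6} $geoip/share/tor
    rm -rf $out/share/tor
    ln -s ${tor-client-auth-gen} $out/bin/tor-client-auth-gen
  '';

  passthru = {
    tests.tor = nixosTests.tor;
    # The updater gets its tools passed in explicitly.
    updateScript = import ./update.nix {
      inherit lib;
      inherit
        writeScript
        common-updater-scripts
        bash
        coreutils
        curl
        gnupg
        gnugrep
        gnused
        nix
      ;
    };
  };

  meta = with lib; {
    homepage = "https://www.torproject.org/";
    description = "Anonymizing overlay network";

    longDescription = ''
      Tor helps improve your privacy by bouncing your communications around a
      network of relays run by volunteers all around the world: it makes it
      harder for somebody watching your Internet connection to learn what sites
      you visit, and makes it harder for the sites you visit to track you.  Tor
      works with many of your existing applications, including web browsers,
      instant messaging clients, remote login, and other applications based on
      the TCP protocol.
    '';

    license = licenses.bsd3;

    maintainers = with maintainers;
      [ thoughtpolice joachifm prusnak ];
    platforms = platforms.unix;
  };
}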