nixos/hosts/alpha/tor.nix

{
  pkgs,
  secrets,
  ...
}: let
  # The websocket pluggable-transport isn't in nixpkgs yet.
  # https://github.com/NixOS/nixpkgs/pull/277487
  webtunnel = pkgs.buildGoModule {
    pname = "webtunnel";
    version = "main";
    src = pkgs.fetchFromGitLab {
      domain = "gitlab.torproject.org";
      group = "tpo";
      owner = "anti-censorship/pluggable-transports";
      repo = "webtunnel";
      rev = "e64b1b3562f3ab50d06141ecd513a21ec74fe8c6";
      hash = "sha256-25ZtoCe1bcN6VrSzMfwzT8xSO3xw2qzE4Me3Gi4GbVs=";
    };
    vendorHash = "sha256-3AAPySLAoMimXUOiy8Ctl+ghG5q+3dWRNGXHpl9nfG0=";
  };
in {
  # Bridges are Tor relays that help circumvent censorship. WebTunnel is a
  # censorship-resistant pluggable transport designed to mimic encrypted web
  # traffic (HTTPS). It works by wrapping the payload connection into a
  # WebSocket-like HTTPS connection, appearing to network observers as an
  # ordinary HTTPS (WebSocket) connection.
  # https://community.torproject.org/relay/setup/webtunnel/
  # https://community.torproject.org/relay/setup/webtunnel/source/
  #
  # Test the bridge by setting
  #   webtunnel 10.0.0.2:443 FINGERPRINT url=https://yourdomain/path
  # in the Tor Browser settings (from webtunnel/source final notes).
  services.tor = {
    enable = true;
    relay = {
      enable = true;
      role = "bridge";
    };
    settings = {
      Nickname = "DXV7520WebTunnel";
      ContactInfo = "admin@caspervk.net";
      ORPort = [
        {
          addr = "127.0.0.1";
          port = "auto";
        }
        {
          addr = "[::1]";
          port = "auto";
        }
      ];
      AssumeReachable = true;
      ServerTransportPlugin.transports = ["webtunnel"];
      ServerTransportPlugin.exec = "${webtunnel}/bin/server";
      ServerTransportListenAddr = "webtunnel 127.0.0.1:15000";
      ServerTransportOptions = "webtunnel url=${secrets.hosts.alpha.tor.webtunnel-host + secrets.hosts.alpha.tor.webtunnel-path}";
    };
  };

  environment.persistence."/nix/persist" = {
    directories = [
      {
        directory = "/var/lib/tor";
        user = "tor";
        group = "tor";
        mode = "0700";
      }
    ];
  };
}
alpha: tor webtunnel bridge 2024-12-03 01:24:21 +01:00			`{`
			`pkgs,`
			`secrets,`
			`...`
			`}: let`
			`# The websocket pluggable-transport isn't in nixpkgs yet.`
			`# https://github.com/NixOS/nixpkgs/pull/277487`
			`webtunnel = pkgs.buildGoModule {`
			`pname = "webtunnel";`
			`version = "main";`
			`src = pkgs.fetchFromGitLab {`
			`domain = "gitlab.torproject.org";`
			`group = "tpo";`
			`owner = "anti-censorship/pluggable-transports";`
			`repo = "webtunnel";`
			`rev = "e64b1b3562f3ab50d06141ecd513a21ec74fe8c6";`
			`hash = "sha256-25ZtoCe1bcN6VrSzMfwzT8xSO3xw2qzE4Me3Gi4GbVs=";`
			`};`
			`vendorHash = "sha256-3AAPySLAoMimXUOiy8Ctl+ghG5q+3dWRNGXHpl9nfG0=";`
			`};`
			`in {`
			`# Bridges are Tor relays that help circumvent censorship. WebTunnel is a`
			`# censorship-resistant pluggable transport designed to mimic encrypted web`
			`# traffic (HTTPS). It works by wrapping the payload connection into a`
			`# WebSocket-like HTTPS connection, appearing to network observers as an`
			`# ordinary HTTPS (WebSocket) connection.`
			`# https://community.torproject.org/relay/setup/webtunnel/`
			`# https://community.torproject.org/relay/setup/webtunnel/source/`
			`#`
			`# Test the bridge by setting`
			`# webtunnel 10.0.0.2:443 FINGERPRINT url=https://yourdomain/path`
			`# in the Tor Browser settings (from webtunnel/source final notes).`
			`services.tor = {`
			`enable = true;`
			`relay = {`
			`enable = true;`
			`role = "bridge";`
			`};`
			`settings = {`
			`Nickname = "DXV7520WebTunnel";`
			`ContactInfo = "admin@caspervk.net";`
			`ORPort = [`
			`{`
			`addr = "127.0.0.1";`
			`port = "auto";`
			`}`
alpha: enable ivp6 for tor webtunnel bridge 2024-12-03 22:13:13 +01:00			`{`
			`addr = "[::1]";`
			`port = "auto";`
			`}`
alpha: tor webtunnel bridge 2024-12-03 01:24:21 +01:00			`];`
			`AssumeReachable = true;`
			`ServerTransportPlugin.transports = ["webtunnel"];`
			`ServerTransportPlugin.exec = "${webtunnel}/bin/server";`
			`ServerTransportListenAddr = "webtunnel 127.0.0.1:15000";`
			`ServerTransportOptions = "webtunnel url=${secrets.hosts.alpha.tor.webtunnel-host + secrets.hosts.alpha.tor.webtunnel-path}";`
			`};`
			`};`

			`environment.persistence."/nix/persist" = {`
			`directories = [`
			`{`
			`directory = "/var/lib/tor";`
			`user = "tor";`
			`group = "tor";`
			`mode = "0700";`
			`}`
			`];`
			`};`
			`}`