tor: multiple instances in containers

This commit is contained in:
Casper V. Kristensen 2024-11-18 00:13:36 +01:00
parent 7b6353545d
commit 1f585246c2


@ -1,7 +1,15 @@
{pkgs, ...}: { {
services.tor = { config,
pkgs,
secrets,
...
}: let
mkTorConfig = {
orPort,
controlPort,
dirPort,
}: {
enable = true; enable = true;
openFirewall = true;
relay = { relay = {
enable = true; enable = true;
role = "exit"; role = "exit";
@ -12,15 +20,15 @@
ORPort = [ ORPort = [
{ {
addr = "185.231.102.51"; addr = "185.231.102.51";
port = 443; port = orPort;
} }
{ {
addr = "[2a0c:5700:3133:650:b0ea:eeff:fedb:1f7b]"; addr = "[2a0c:5700:3133:650:b0ea:eeff:fedb:1f7b]";
port = 443; port = orPort;
} }
]; ];
ControlPort = 9051; # for nyx, localhost only ControlPort = controlPort; # for nyx, localhost only
DirPort = 80; DirPort = dirPort;
DirPortFrontPage = builtins.toFile "tor-exit-notice.html" (builtins.readFile ./tor-exit-notice.html); DirPortFrontPage = builtins.toFile "tor-exit-notice.html" (builtins.readFile ./tor-exit-notice.html);
ExitRelay = true; ExitRelay = true;
IPv6Exit = true; IPv6Exit = true;
@ -29,8 +37,49 @@
"reject *:25" "reject *:25"
"accept *:*" "accept *:*"
]; ];
# https://support.torproject.org/relay-operators/multiple-relays/
MyFamily = builtins.concatStringsSep "," [
"1B9D2C9E0EFE2C6BD23D62B2FCD145886AD242D1" # instance 1
];
}; };
}; };
in {
containers.tor-1 = {
autoStart = true;
# TODO: what does ephemeral mean?
ephemeral = true;
bindMounts = {
# https://support.torproject.org/relay-operators/upgrade-or-move/
"/var/lib/tor/keys/ed25519_master_id_secret_key".hostPath = config.age.secrets.tor-1-ed25519-master-id-secret-key.path;
"/var/lib/tor/keys/secret_id_key".hostPath = config.age.secrets.tor-1-secret-id-key.path;
};
config = {config, ...}: {
services.tor = mkTorConfig {
orPort = 443;
controlPort = 9051;
dirPort = 80;
};
system.stateVersion = config.system.stateVersion;
};
};
environment.systemPackages = with pkgs; [
nyx # Command-line monitor for Tor
];
age.secrets.tor-ed25519-master-id-secret-key = {
file = "${secrets}/secrets/tor-1-ed25519-master-id-secret-key.age";
mode = "400";
owner = "root";
group = "root";
};
age.secrets.tor-secret-id-key = {
file = "${secrets}/secrets/tor-1-secret-id-key.age";
mode = "400";
owner = "root";
group = "root";
};
# https://support.torproject.org/relay-operators/#relay-operators_relay-bridge-overloaded # https://support.torproject.org/relay-operators/#relay-operators_relay-bridge-overloaded
# https://lists.torproject.org/pipermail/tor-talk/2012-August/025296.html # https://lists.torproject.org/pipermail/tor-talk/2012-August/025296.html
@ -92,19 +141,4 @@
# Disable RFC1323 timestamps (TODO: why?) # Disable RFC1323 timestamps (TODO: why?)
"net.ipv4.tcp_timestamps" = 0; "net.ipv4.tcp_timestamps" = 0;
}; };
environment.systemPackages = with pkgs; [
nyx # Command-line monitor for Tor
];
environment.persistence."/nix/persist" = {
directories = [
{
directory = "/var/lib/tor";
user = "tor";
group = "tor";
mode = "0700";
}
];
};
} }
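Review bot: The bind mounts under `/var/lib/tor/keys/` reference `config.age.secrets.tor-1-ed25519-master-id-secret-key.path` and `config.age.secrets.tor-1-secret-id-key.path`, but the secrets declared further down are named `tor-ed25519-master-id-secret-key` and `tor-secret-id-key`, so evaluation should fail on a missing attribute; rename the declarations to `age.secrets.tor-1-ed25519-master-id-secret-key = { ... };` and `age.secrets.tor-1-secret-id-key = { ... };` so they match both the `.age` file names and the container's numbering. Both secrets are decrypted as `root:root` with mode 400, while the tor daemon inside the container presumably runs as the unprivileged `tor` user, so it likely cannot open the mounted key files unless the owner is changed (e.g. `owner = "tor";`, with the host and container `tor` uid agreeing, since no `privateUsers` is set) — worth confirming on a fresh container start. The host-level `openFirewall = true` was dropped and not carried into `mkTorConfig`; the container declares no `privateNetwork`, so it appears to share the host's network stack and the host firewall will probably need the OR, Dir (and not the control) ports opened explicitly. `MyFamily` currently lists only instance 1 although the commit introduces multiple instances; each relay must list every family member's fingerprint, so this list has to grow when `tor-2` is added, and the `ephemeral = true` TODO could be resolved with a comment such as `# ephemeral: container rootfs is discarded on every restart; only the bind-mounted keys persist`.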