tor: multiple instances in containers

Casper V. Kristensen 2024-11-18 02:47:58 +01:00
parent 7b6353545d
commit aae37eb2d4


@ -1,37 +1,84 @@
{pkgs, ...}: { {
services.tor = { config,
enable = true; pkgs,
openFirewall = true; ...
relay = { }: {
enable = true; # TODO: Explain why we use containers (tor is bad: cpu)
role = "exit"; # > sudo machinectl shell tor-1 /usr/bin/env systemctl status tor
# > sudo machinectl shell tor-1 /usr/bin/env journalctl -eu tor.service
containers = let
mkTorContainer = {
stateDir,
orPort,
controlPort,
}: {
autoStart = true;
ephemeral = true; # impermanence
bindMounts = {
"/var/lib/tor/" = {
hostPath = stateDir;
isReadOnly = false;
};
};
config = {...}: {
services.tor = {
enable = true;
relay = {
enable = true;
role = "exit";
};
# https://manpages.debian.org/testing/tor/torrc.5.en.html
settings = {
Nickname = "DXV7520";
ContactInfo = "admin@caspervk.net";
ORPort = [
{
addr = "185.231.102.51";
port = orPort;
}
{
addr = "[2a0c:5700:3133:650:b0ea:eeff:fedb:1f7b]";
port = orPort;
}
];
ControlPort = controlPort; # for nyx, localhost only
ExitRelay = true;
IPv6Exit = true;
ExitPolicy = [
"reject *:22"
"reject *:25"
"accept *:*"
];
# https://support.torproject.org/relay-operators/multiple-relays/
MyFamily = builtins.concatStringsSep "," [
"1B9D2C9E0EFE2C6BD23D62B2FCD145886AD242D1" # tor-1
"293CE00D11B1D8B99AE8811CBDFDA3F353353710" # tor-2
];
};
};
system.stateVersion = config.system.stateVersion;
};
}; };
settings = { in {
Nickname = "DXV7520"; tor-1 = mkTorContainer {
ContactInfo = "admin@caspervk.net"; stateDir = "/var/lib/tor-1/";
ORPort = [ orPort = 443;
{ controlPort = 9051;
addr = "185.231.102.51"; };
port = 443; tor-2 = mkTorContainer {
} stateDir = "/var/lib/tor-2/";
{ orPort = 444;
addr = "[2a0c:5700:3133:650:b0ea:eeff:fedb:1f7b]"; controlPort = 9052;
port = 443;
}
];
ControlPort = 9051; # for nyx, localhost only
DirPort = 80;
DirPortFrontPage = builtins.toFile "tor-exit-notice.html" (builtins.readFile ./tor-exit-notice.html);
ExitRelay = true;
IPv6Exit = true;
ExitPolicy = [
"reject *:22"
"reject *:25"
"accept *:*"
];
}; };
}; };
environment.systemPackages = with pkgs; [
nyx # Command-line monitor for Tor
];
# TODO: serve `builtins.toFile "tor-exit-notice.html" (builtins.readFile ./tor-exit-notice.html)` on HTTP
# Exit Notice HTML page (https://community.torproject.org/relay/setup/exit/)
# https://support.torproject.org/relay-operators/#relay-operators_relay-bridge-overloaded # https://support.torproject.org/relay-operators/#relay-operators_relay-bridge-overloaded
# https://lists.torproject.org/pipermail/tor-talk/2012-August/025296.html # https://lists.torproject.org/pipermail/tor-talk/2012-August/025296.html
# https://www.ibm.com/docs/en/linux-on-systems?topic=recommendations-network-performance-tuning # https://www.ibm.com/docs/en/linux-on-systems?topic=recommendations-network-performance-tuning
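Review bot: The host-level firewall opening is lost in this hunk: the old configuration had `openFirewall = true` on the host's `services.tor`, while `mkTorContainer` sets neither `openFirewall` nor a host `networking.firewall.allowedTCPPorts` for the ORPorts 443 and 444 (DirPort 80 is dropped together with the front page, per the TODO). Since the containers do not set `privateNetwork`, they presumably share the host's network namespace, so the ports would have to be opened on the host, e.g. `networking.firewall.allowedTCPPorts = [ 443 444 ];` — unless that is already done in the part of the file outside this hunk. The TODO at the top of the container block is worth resolving in the same change, e.g. `# One container per tor instance: a single tor process cannot use more than one core` — confirm that this is the actual reason. Note also that the `ControlPort` comment's "localhost only" holds only while the containers keep sharing the host network namespace; a later switch to `privateNetwork = true` would also change how nyx reaches ports 9051/9052. The enclosing top-level attribute set continues past the hunk.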
@ -93,16 +140,21 @@
"net.ipv4.tcp_timestamps" = 0; "net.ipv4.tcp_timestamps" = 0;
}; };
environment.systemPackages = with pkgs; [ # Mounting /var/lib/tor/ relies on the 'tor' user having the same static
nyx # Command-line monitor for Tor # uid/gid inside and outside the container. This might break if NixOS
]; # switches to a DynamicUser for the tor service.
environment.persistence."/nix/persist" = { environment.persistence."/nix/persist" = {
directories = [ directories = [
{ {
directory = "/var/lib/tor"; directory = "/var/lib/tor-1";
user = "tor"; user = builtins.toString config.ids.uids.tor;
group = "tor"; group = builtins.toString config.ids.gids.tor;
mode = "0700";
}
{
directory = "/var/lib/tor-2";
user = builtins.toString config.ids.uids.tor;
group = builtins.toString config.ids.gids.tor;
mode = "0700"; mode = "0700";
} }
]; ];