From f08c7119234b7ba7c348f5249460a2a52b561ad7 Mon Sep 17 00:00:00 2001 From: "Casper V. Kristensen" Date: Sun, 6 Aug 2023 00:45:08 +0200 Subject: [PATCH] tor --- flake.nix | 8 + hosts/tor/default.nix | 49 +++++ hosts/tor/hardware.nix | 49 +++++ modules/tor/default.nix | 34 ++++ modules/tor/tor-exit-notice.html | 319 +++++++++++++++++++++++++++++++ 5 files changed, 459 insertions(+) create mode 100644 hosts/tor/default.nix create mode 100644 hosts/tor/hardware.nix create mode 100644 modules/tor/default.nix create mode 100644 modules/tor/tor-exit-notice.html diff --git a/flake.nix b/flake.nix index 6fad95a..48f57db 100644 --- a/flake.nix +++ b/flake.nix @@ -39,6 +39,14 @@ ./hosts/zeta ]; }; + # Tor relay + tor = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = inputs; # pass flake inputs to modules + modules = [ + ./hosts/tor + ]; + }; }; }; } diff --git a/hosts/tor/default.nix b/hosts/tor/default.nix new file mode 100644 index 0000000..2da7f07 --- /dev/null +++ b/hosts/tor/default.nix @@ -0,0 +1,49 @@ +{ ... }: + +{ + imports = [ + ./hardware.nix + ../../modules/base + ../../modules/tor + ]; + + networking = { + hostName = "tor"; + interfaces.ens3.ipv6.addresses = [{ + address = "2a0d:3e83:0001:b284::1"; + prefixLength = 64; + }]; + defaultGateway6 = { + # https://www.ssdvps.dk/knowledgebase/18/IPv6-Gateway.html + address = "2a0d:3e83:1::1"; + interface = "ens3"; + }; + }; + + boot = { + loader = { + grub = { + enable = true; + device = "/dev/vda"; + }; + }; + initrd.luks.devices.crypted.device = "/dev/disk/by-label/crypted"; + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It's perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "23.05"; # Did you read the comment? + + # This value determines the Home Manager release that your + # configuration is compatible with. This helps avoid breakage + # when a new Home Manager release introduces backwards + # incompatible changes. + # You can update Home Manager without changing this value. See + # the Home Manager release notes for a list of state version + # changes in each release. + home-manager.users.caspervk.home.stateVersion = "23.05"; # Did you read the comment? +} diff --git a/hosts/tor/hardware.nix b/hosts/tor/hardware.nix new file mode 100644 index 0000000..afef259 --- /dev/null +++ b/hosts/tor/hardware.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { + device = "none"; + fsType = "tmpfs"; + options = [ "defaults" "size=2G" "mode=755" ]; + }; + + fileSystems."/boot" = + { + device = "/dev/disk/by-label/BOOT"; + fsType = "vfat"; + }; + + fileSystems."/nix" = + { + device = "/dev/disk/by-label/nix"; + fsType = "ext4"; + }; + + swapDevices = [ + { + device = "/nix/persist/swapfile"; + size = 4 * 1024; # 4 GiB + } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens3.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} + diff --git a/modules/tor/default.nix b/modules/tor/default.nix new file mode 100644 index 0000000..2f2be99 --- /dev/null +++ b/modules/tor/default.nix @@ -0,0 +1,34 @@ +{ pkgs, ... }: { + services.tor = { + enable = true; + openFirewall = true; + relay = { + enable = true; + role = "exit"; + }; + settings = { + ContactInfo = "admin@caspervk.net"; + Nickname = "caspervk"; + DirPort = 80; + ORPort = 443; + ControlPort = 9051; + DirPortFrontPage = builtins.toFile "tor-exit-notice.html" (builtins.readFile ./tor-exit-notice.html); + ExitRelay = true; + ExitPolicy = [ + "reject *:25" + "accept *:*" + ]; + IPv6Exit = true; + }; + }; + + environment.systemPackages = with pkgs; [ + nyx # Command-line monitor for Tor + ]; + + environment.persistence."/nix/persist" = { + directories = [ + { directory = "/var/lib/tor/keys"; user = "tor"; group = "tor"; mode = "0700"; } + ]; + }; +} diff --git a/modules/tor/tor-exit-notice.html b/modules/tor/tor-exit-notice.html new file mode 100644 index 0000000..e43636f --- /dev/null +++ b/modules/tor/tor-exit-notice.html @@ -0,0 +1,319 @@ + + + + +This is a Tor Exit Router + + + + + + + +
+

This is a Tor Exit Router

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+ +

+You are most likely accessing this website because you've had some issue with +the traffic coming from this IP. This router is part of the Tor Anonymity Network, which is +dedicated to providing +privacy to people who need it most: average computer users. This +router IP should be generating no other traffic, unless it has been +compromised.

+ +

+Tor works by running user traffic through a random chain of encrypted +servers, and then letting the traffic exit the Tor network through an +exit node like this one. This design makes it very hard for a service to +know which user is connecting to it, since it can only see the IP-address +of the Tor exit node:

+ +

+ +Illustration showing how a user might connect to a service through the Tor network. The user first sends their data through three daisy-chained encrypted Tor servers that exist on three different continents. Then the last Tor server in the chain connects to the target service over the normal internet. + + + + + + + + + + + + + + + + + + + + + +The user +This server +Your service +Tor encrypted link +Unencrypted link + + + + + + +

+ +

+Read more about how Tor works.

+ +

+Tor sees use by many +important segments of the population, including whistle blowers, +journalists, Chinese dissidents skirting the Great Firewall and oppressive +censorship, abuse victims, stalker targets, the US military, and law +enforcement, just to name a few. While Tor is not designed for malicious +computer users, it is true that they can use the network for malicious ends. +In reality however, the actual amount of abuse is quite low. This +is largely because criminals and hackers have significantly better access to +privacy and anonymity than do the regular users whom they prey upon. Criminals +can and do build, +sell, and trade far larger and more +powerful networks than Tor on a daily basis. Thus, in the mind of this +operator, the social need for easily accessible censorship-resistant private, +anonymous communication trumps the risk of unskilled bad actors, who are +almost always more easily uncovered by traditional police work than by +extensive monitoring and surveillance anyway.

+ +

+In terms of applicable law, the best way to understand Tor is to consider it a +network of routers operating as common carriers, much like the Internet +backbone. However, unlike the Internet backbone routers, Tor routers +explicitly do not contain identifiable routing information about the source of +a packet, and no single Tor node can determine both the origin and destination +of a given transmission.

+ +

+As such, there is little the operator of this router can do to help you track +the connection further. This router maintains no logs of any of the Tor +traffic, so there is little that can be done to trace either legitimate or +illegitimate traffic (or to filter one from the other). Attempts to +seize this router will accomplish nothing.

+ +

For more information, please consult the following documentation:

+ + + +

+That being said, if you still have a complaint about the router, you may +email the maintainer. If +complaints are related to a particular service that is being abused, I will +consider removing that service from my exit policy, which would prevent my +router from allowing that traffic to exit through it. I can only do this on an +IP+destination port basis, however. Common P2P ports are +already blocked.

+ +

+You also have the option of blocking this IP address and others on +the Tor network if you so desire. The Tor project provides a web service +to fetch a list of all IP addresses of Tor exit nodes that allow exiting to a +specified IP:port combination, and an official DNSRBL is also available to +determine if a given IP address is actually a Tor exit server. Please +be considerate +when using these options. It would be unfortunate to deny all Tor users access +to your site indefinitely simply because of a few bad apples.

+ +
+ +