add tor client + hidden ssh service on pennyworth
parent
16bdb76bda
commit
2bc1e0458b
@ -0,0 +1,42 @@
{ config, lib, ... }:
with lib;
let
hiddenServices = config.services.tor.hiddenServices;
in {
options.services.tor = {
hiddenServices = mkOption { default = []; };
};
config = mkIf (hiddenServices != []) {
assertions = map (hiddenService: {
assertion = hasAttr "name" hiddenService && hasAttr "port" hiddenService;
message = "all hidden services should define a name and a port..";
}) hiddenServices;
services.tor.enable = true;
services.tor.extraConfig = concatStringsSep "\n" (map (hiddenService: ''
HiddenServiceDir /var/lib/tor/${hiddenService.name}
HiddenServicePort ${toString (if hasAttr "remote_port" hiddenService then hiddenService.remote_port else hiddenService.port)} 127.0.0.1:${toString hiddenService.port}
'') hiddenServices);
systemd.services."install-tor-hidden-service-keys" = {
wantedBy = ["tor.service"];
serviceConfig.Type = "oneshot";
serviceConfig.User = "tor";
serviceConfig.Group = "keys";
# TODO: update on change?
# TODO: better ways to get the keys on the server
script = concatStringsSep "\n" (map (hiddenService: if (hasAttr "private_key" hiddenService && hasAttr "hostname" hiddenService) then ''
if ! [[ -e /var/lib/tor/${hiddenService.name}/private_key ]]; then
mkdir -p /var/lib/tor/${hiddenService.name}/
cp ${hiddenService.private_key} /var/lib/tor/${hiddenService.name}/private_key
cp ${hiddenService.hostname} /var/lib/tor/${hiddenService.name}/hostname
chmod -R 700 /var/lib/tor/${hiddenService.name};
fi
'' else "true") hiddenServices);
};
};
}
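Review bot: The key-install oneshot `systemd.services."install-tor-hidden-service-keys"` is only pulled in by tor.service through `wantedBy`, which creates no ordering, so tor can start first, find no `private_key` and generate its own; the `-e` guard then skips the copy for good and the service answers on an unexpected onion address, which `before = [ "tor.service" ];` next to `wantedBy` prevents. The assertion only checks `name` and `port`, so a misspelled `private_key` or `hostname` attribute silently takes the `else "true"` branch with the same outcome; asserting that both are present whenever either is would surface it at evaluation time. The `cp ${hiddenService.private_key} …` interpolation assumes the value is a runtime path string, as the pennyworth entry passes; a Nix path literal there would be copied into the world-readable store, and a comment on the option saying so would help. Finally `hiddenServices = mkOption { default = []; };` declares no `type` or `description`; `type = types.listOf types.attrs;` rejects non-list values early.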
@ -0,0 +1,24 @@
with import <nixpkgs> {};
stdenv.mkDerivation {
name = "shallot-0.0.3-alpha";
src = fetchFromGitHub {
rev = "831de01b13b309933d32efe8388444ef6a831cfb";
owner = "katmagic";
repo = "Shallot";
sha256 = "0zlgl13vmv6zj1jk5cfjqg66n3qq9yp2202llpgvfl16rzxrlv5r";
};
buildInputs = [openssl];
buildPhase = ''
./configure
make
'';
installPhase = ''
mkdir -p $out/bin
mv shallot $out/bin
'';
}
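Review bot: `with import <nixpkgs> {};` resolves through NIX_PATH, so although the source is pinned by `rev` and `sha256`, the compiler and the `openssl` in `buildInputs` float with whatever channel the building machine has; for a tool that presumably produces the hidden-service key material installed by the module, that makes the build non-reproducible across hosts. Taking `{ pkgs ? import <nixpkgs> {} }:` as the argument, or pinning the nixpkgs revision, fixes that. `mv shallot $out/bin` also carries the build tree's permission bits through unchanged; `install -m755 shallot $out/bin/` makes the installed mode explicit.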
@ -16,6 +16,7 @@ in
../roles/common.nix
../modules/mailz.nix
../modules/nginx.nix
../modules/tor-hidden-service.nix
];
networking.hostName = secrets.hostnames.pennyworth;
@ -78,4 +79,11 @@ in
${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
fi
'';
services.tor.hiddenServices = [
{ name = "ssh";
port = 22;
hostname = "/run/keys/torkeys/ssh.pennyworth.hostname";
private_key = "/run/keys/torkeys/ssh.pennyworth.key"; }
];
}
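Review bot: The `hostname` and `private_key` values in the `services.tor.hiddenServices` entry are plain strings under `/run/keys/torkeys/`, so the key material is never interpolated into the Nix store; keep it that way, and note that the module's install script copies both files once into `/var/lib/tor/ssh` and never refreshes them (the `# TODO: update on change?` in tor-hidden-service.nix), so rotating the deployed key means removing that directory by hand. `port = 22;` publishes sshd to any Tor client regardless of the host firewall; this diff does not show pennyworth's sshd settings, and the shared config only sets `challengeResponseAuthentication = false` while `passwordAuthentication` is not visible, so confirm key-only authentication is enforced on this host. A one-line comment on the entry, `# sshd is reachable from any Tor client here; keep it key-only`, would record that expectation next to the setting.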
@ -36,6 +36,16 @@
challengeResponseAuthentication = false;
};
services.tor = {
enable = true;
client.enable = true;
};
programs.ssh.extraConfig = ''
Host *.onion
ProxyCommand nc -xlocalhost:9050 -X5 %h %p
'';
environment.systemPackages = with pkgs; [
# v important.
cowsay ponysay
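Review bot: `ProxyCommand nc -xlocalhost:9050 -X5 %h %p` relies on the OpenBSD netcat flavour (`-x` and `-X` are not understood by GNU netcat or nmap's ncat), and nothing in this hunk adds a netcat to `environment.systemPackages`; the rest of that list continues past the hunk, so confirm an OpenBSD-compatible `nc` is on PATH or reference the package explicitly in the command. `localhost` may also resolve to `::1` first while the SOCKS port is commonly bound to 127.0.0.1 only; `ProxyCommand nc -x127.0.0.1:9050 -X5 %h %p` removes that ambiguity. The failure mode is the right one: with tor down the ProxyCommand refuses the connection instead of falling back to a direct one, which is worth stating in a comment above the `Host *.onion` stanza.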