add tor client + hidden ssh service on pennyworth

modules/tor-hidden-service.nix

@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+  hiddenServices = config.services.tor.hiddenServices;
+in {
+  options.services.tor = { 
+    hiddenServices = mkOption { default = []; };
+  };
+
+  config = mkIf (hiddenServices != []) {
+    assertions = map (hiddenService: {
+      assertion = hasAttr "name" hiddenService && hasAttr "port" hiddenService;
+      message   = "all hidden services should define a name and a port..";
+    }) hiddenServices;
+
+    services.tor.enable = true;
+
+    services.tor.extraConfig = concatStringsSep "\n" (map (hiddenService: ''
+      HiddenServiceDir /var/lib/tor/${hiddenService.name}
+      HiddenServicePort ${toString (if hasAttr "remote_port" hiddenService then hiddenService.remote_port else hiddenService.port)} 127.0.0.1:${toString hiddenService.port}
+    '') hiddenServices);
+
+    systemd.services."install-tor-hidden-service-keys" = {
+      wantedBy = ["tor.service"];
+      serviceConfig.Type = "oneshot";
+      serviceConfig.User = "tor";
+      serviceConfig.Group = "keys";
+      # TODO: update on change?
+      # TODO: better ways to get the keys on the server
+      script = concatStringsSep "\n" (map (hiddenService: if (hasAttr "private_key" hiddenService && hasAttr "hostname" hiddenService) then ''
+        if ! [[ -e /var/lib/tor/${hiddenService.name}/private_key ]]; then
+          mkdir -p /var/lib/tor/${hiddenService.name}/
+          cp ${hiddenService.private_key} /var/lib/tor/${hiddenService.name}/private_key
+          cp ${hiddenService.hostname} /var/lib/tor/${hiddenService.name}/hostname
+          chmod -R 700 /var/lib/tor/${hiddenService.name};
+        fi
+      '' else "true") hiddenServices);
+    };
+  };
+}

packages/shallot.nix

@@ -0,0 +1,24 @@
+with import <nixpkgs> {};
+
+stdenv.mkDerivation {
+  name = "shallot-0.0.3-alpha";
+
+  src = fetchFromGitHub {
+    rev = "831de01b13b309933d32efe8388444ef6a831cfb";
+    owner = "katmagic";
+    repo = "Shallot";
+    sha256 = "0zlgl13vmv6zj1jk5cfjqg66n3qq9yp2202llpgvfl16rzxrlv5r";
+  };
+
+  buildInputs = [openssl];
+
+  buildPhase = ''
+    ./configure
+    make
+  '';
+
+  installPhase = ''
+    mkdir -p $out/bin
+    mv shallot $out/bin
+  '';
+}

pennyworth/configuration.nix

@@ -16,6 +16,7 @@ in
       ../roles/common.nix
       ../modules/mailz.nix
       ../modules/nginx.nix
+      ../modules/tor-hidden-service.nix
   ];
 
   networking.hostName = secrets.hostnames.pennyworth;
@@ -78,4 +79,11 @@ in
         ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
       fi
     '';
+
+  services.tor.hiddenServices = [
+    { name = "ssh";
+      port = 22;
+      hostname = "/run/keys/torkeys/ssh.pennyworth.hostname";
+      private_key = "/run/keys/torkeys/ssh.pennyworth.key"; }
+  ];
 }

roles/common.nix

@@ -36,6 +36,16 @@
   	challengeResponseAuthentication = false;
   };
 
+  services.tor = {
+    enable = true;
+    client.enable = true;
+  };
+
+  programs.ssh.extraConfig = ''
+    Host *.onion
+      ProxyCommand nc -xlocalhost:9050 -X5 %h %p
+  '';
+
   environment.systemPackages = with pkgs; [
     # v important.
     cowsay ponysay