diff --git a/modules/tor-hidden-service.nix b/modules/tor-hidden-service.nix
new file mode 100644
index 0000000..984b614
--- /dev/null
+++ b/modules/tor-hidden-service.nix
@@ -0,0 +1,42 @@
+{ config, lib, ... }:
+
+with lib;
+
+let
+ hiddenServices = config.services.tor.hiddenServices;
+in {
+ options.services.tor = {
+ hiddenServices = mkOption { default = []; };
+ };
+
+ config = mkIf (hiddenServices != []) {
+ assertions = map (hiddenService: {
+ assertion = hasAttr "name" hiddenService && hasAttr "port" hiddenService;
+ message = "all hidden services should define a name and a port..";
+ }) hiddenServices;
+
+ services.tor.enable = true;
+
+ services.tor.extraConfig = concatStringsSep "\n" (map (hiddenService: ''
+ HiddenServiceDir /var/lib/tor/${hiddenService.name}
+ HiddenServicePort ${toString (if hasAttr "remote_port" hiddenService then hiddenService.remote_port else hiddenService.port)} 127.0.0.1:${toString hiddenService.port}
+ '') hiddenServices);
+
+ systemd.services."install-tor-hidden-service-keys" = {
+ wantedBy = ["tor.service"];
+ serviceConfig.Type = "oneshot";
+ serviceConfig.User = "tor";
+ serviceConfig.Group = "keys";
+ # TODO: update on change?
+ # TODO: better ways to get the keys on the server
+ script = concatStringsSep "\n" (map (hiddenService: if (hasAttr "private_key" hiddenService && hasAttr "hostname" hiddenService) then ''
+ if ! [[ -e /var/lib/tor/${hiddenService.name}/private_key ]]; then
+ mkdir -p /var/lib/tor/${hiddenService.name}/
+ cp ${hiddenService.private_key} /var/lib/tor/${hiddenService.name}/private_key
+ cp ${hiddenService.hostname} /var/lib/tor/${hiddenService.name}/hostname
+ chmod -R 700 /var/lib/tor/${hiddenService.name};
+ fi
+ '' else "true") hiddenServices);
+ };
+ };
+}
diff --git a/packages/shallot.nix b/packages/shallot.nix
new file mode 100644
index 0000000..fad7a90
--- /dev/null
+++ b/packages/shallot.nix
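Review bot: The key-installing oneshot has no ordering relative to tor.service: `wantedBy = ["tor.service"];` only makes tor pull the unit in, so tor can start first, generate its own keypair in `/var/lib/tor/${hiddenService.name}`, and the `if ! [[ -e … ]]` guard then skips the configured key for good, silently changing the onion address. Add `before = ["tor.service"];` next to `wantedBy`. The copied files also carry umask-default modes until `chmod -R 700` runs; a `umask 077` as the first line of the script (or `install -m 0600` instead of `cp`) closes that window, after which `chmod -R 700` can become `chmod 700` on the directory alone. The option `hiddenServices = mkOption { default = []; };` has no `type` or `description`; `type = types.listOf types.attrs;` plus a description naming the `name`, `port`, `remote_port`, `hostname` and `private_key` attributes would make the assertion message self-explanatory.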
@@ -0,0 +1,24 @@
+with import {};
+
+stdenv.mkDerivation {
+ name = "shallot-0.0.3-alpha";
+
+ src = fetchFromGitHub {
+ rev = "831de01b13b309933d32efe8388444ef6a831cfb";
+ owner = "katmagic";
+ repo = "Shallot";
+ sha256 = "0zlgl13vmv6zj1jk5cfjqg66n3qq9yp2202llpgvfl16rzxrlv5r";
+ };
+
+ buildInputs = [openssl];
+
+ buildPhase = ''
+ ./configure
+ make
+ '';
+
+ installPhase = ''
+ mkdir -p $out/bin
+ mv shallot $out/bin
+ '';
+}
\ No newline at end of file
diff --git a/pennyworth/configuration.nix b/pennyworth/configuration.nix
index 52f3dd5..570d3c1 100644
--- a/pennyworth/configuration.nix
+++ b/pennyworth/configuration.nix
@@ -16,6 +16,7 @@ in
 ../roles/common.nix
 ../modules/mailz.nix
 ../modules/nginx.nix
+ ../modules/tor-hidden-service.nix
 ];
 
 networking.hostName = secrets.hostnames.pennyworth;
@@ -78,4 +79,11 @@ in
 ${pkgs.openssl}/bin/openssl x509 -req -days 365 -in $dir/key.csr -signkey $dir/key.pem -out $dir/fullchain.pem
 fi
 '';
+
+ services.tor.hiddenServices = [
+ { name = "ssh";
+ port = 22;
+ hostname = "/run/keys/torkeys/ssh.pennyworth.hostname";
+ private_key = "/run/keys/torkeys/ssh.pennyworth.key"; }
+ ];
 }
diff --git a/roles/common.nix b/roles/common.nix
index 41bbe73..6aa91e4 100644
--- a/roles/common.nix
+++ b/roles/common.nix
@@ -36,6 +36,16 @@
 challengeResponseAuthentication = false;
 };
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ };
+
+ programs.ssh.extraConfig = ''
+ Host *.onion
+ ProxyCommand nc -xlocalhost:9050 -X5 %h %p
+ '';
+
 environment.systemPackages = with pkgs; [
 # v important.
 cowsay
 ponysay
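Review bot: As shown, `with import {};` on the first line of packages/shallot.nix is not evaluable Nix, since `import` needs a path rather than an attribute set; it reads as though `with import <nixpkgs> {};` lost its angle-bracket path in this view, which should be confirmed against the committed file. Pinning `rev` and `sha256` in `fetchFromGitHub` is the right way to fix the source; a `meta` block with `license` and `homepage` would document what is being built and under which terms.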
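Review bot: `ProxyCommand nc -xlocalhost:9050 -X5 %h %p` in roles/common.nix depends on whichever `nc` is first on PATH being the OpenBSD variant; `-x`/`-X` are not understood by GNU netcat or nmap's ncat, so with those the `.onion` connection fails outright, which is the safe failure but a confusing one to diagnose. Pinning the binary, e.g. `ProxyCommand ${pkgs.netcat-openbsd}/bin/nc -x localhost:9050 -X 5 %h %p`, removes the ambiguity (`pkgs` is in scope, as the `with pkgs;` below shows). The SOCKS port 9050 is also a duplicated literal rather than something derived from the `services.tor.client` block added a few lines above; a comment tying the two together would keep them from drifting. `services.tor.enable = true;` here overlaps with the same setting in modules/tor-hidden-service.nix; that merges fine, but is worth a comment noting that the role turns tor on for every host, not only those with hidden services.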