43 lines
1.6 KiB
Nix
43 lines
1.6 KiB
Nix
{ config, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
hiddenServices = config.services.tor.hiddenServices;
|
|
in {
|
|
options.services.tor = {
|
|
hiddenServices = mkOption { default = []; };
|
|
};
|
|
|
|
config = mkIf (hiddenServices != []) {
|
|
assertions = map (hiddenService: {
|
|
assertion = hasAttr "name" hiddenService && hasAttr "port" hiddenService;
|
|
message = "all hidden services should define a name and a port..";
|
|
}) hiddenServices;
|
|
|
|
services.tor.enable = true;
|
|
|
|
services.tor.extraConfig = concatStringsSep "\n" (map (hiddenService: ''
|
|
HiddenServiceDir /var/lib/tor/${hiddenService.name}
|
|
HiddenServicePort ${toString (if hasAttr "remote_port" hiddenService then hiddenService.remote_port else hiddenService.port)} 127.0.0.1:${toString hiddenService.port}
|
|
'') hiddenServices);
|
|
|
|
systemd.services."install-tor-hidden-service-keys" = {
|
|
wantedBy = ["tor.service"];
|
|
serviceConfig.Type = "oneshot";
|
|
serviceConfig.User = "tor";
|
|
serviceConfig.Group = "keys";
|
|
# TODO: update on change?
|
|
# TODO: better ways to get the keys on the server
|
|
script = concatStringsSep "\n" (map (hiddenService: if (hasAttr "private_key" hiddenService && hasAttr "hostname" hiddenService) then ''
|
|
if ! [[ -e /var/lib/tor/${hiddenService.name}/private_key ]]; then
|
|
mkdir -p /var/lib/tor/${hiddenService.name}/
|
|
cp ${hiddenService.private_key} /var/lib/tor/${hiddenService.name}/private_key
|
|
echo ${hiddenService.hostname} > /var/lib/tor/${hiddenService.name}/hostname
|
|
chmod -R 700 /var/lib/tor/${hiddenService.name};
|
|
fi
|
|
'' else "true") hiddenServices);
|
|
};
|
|
};
|
|
}
|