26 lines
1.4 KiB
Nix
26 lines
1.4 KiB
Nix
# tor settings: <https://2019.www.torproject.org/docs/tor-manual.html.en>
|
|
{ lib, ... }:
|
|
{
|
|
# tor hidden service hostnames aren't deterministic, so persist.
|
|
# might be able to get away with just persisting /var/lib/tor/onion, not sure.
|
|
sane.persist.sys.byStore.plaintext = [
|
|
{ user = "tor"; group = "tor"; mode = "0710"; path = "/var/lib/tor"; method = "bind"; }
|
|
];
|
|
|
|
# tor: `tor.enable` doesn't start a relay, exit node, proxy, etc. it's minimal.
|
|
# tor.client.enable configures a torsocks proxy, accessible *only* to localhost.
|
|
# at 127.0.0.1:9050
|
|
services.tor.enable = true;
|
|
services.tor.client.enable = true;
|
|
|
|
# in order for services to read /var/lib/tor/onion/*/hostname, they must be able to traverse /var/lib/tor,
|
|
# and /var/lib/tor must have g+x.
|
|
# DataDirectoryGroupReadable causes tor to use g+rx, technically more than we need, but all the files are 600 so it's fine.
|
|
services.tor.settings.DataDirectoryGroupReadable = true;
|
|
# StateDirectoryMode defaults to 0700, and thereby prevents the onion hostnames from being group readable
|
|
systemd.services.tor.serviceConfig.StateDirectoryMode = lib.mkForce "0710";
|
|
users.users.tor.homeMode = "0710"; # home mode defaults to 0700, causing readability problems, enforced by nixos "users" activation script
|
|
|
|
services.tor.settings.SafeLogging = false; # show actual .onion names in the syslog, else debugging is impossible
|
|
}
|