Merge pull request #23962 from oxij/nixos/tor-sec

nixos: tor: usability and security fixes

nixos/modules/services/security/tor.nix

@@ -12,6 +12,10 @@ let
   torRc = ''
     User tor
     DataDirectory ${torDirectory}
+    ${optionalString cfg.enableGeoIP ''
+      GeoIPFile ${pkgs.tor.geoip}/share/tor/geoip
+      GeoIPv6File ${pkgs.tor.geoip}/share/tor/geoip6
+    ''}
 
     ${optint "ControlPort" cfg.controlPort}
   ''
@@ -58,6 +62,18 @@ in
         '';
       };
 
+      enableGeoIP = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whenever to configure Tor daemon to use GeoIP databases.
+
+          Disabling this will disable by-country statistics for
+          bridges and relays and some client and third-party software
+          functionality.
+        '';
+      };
+
       extraConfig = mkOption {
         type = types.lines;
         default = "";

nixos/modules/services/security/torify.nix

@@ -19,15 +19,23 @@ in
 {
 
   ###### interface
-  
+
   options = {
-  
+
     services.tor.tsocks = {
 
       enable = mkOption {
-        default = cfg.enable && cfg.client.enable;
+        default = false;
         description = ''
-          Whether to build tsocks wrapper script to relay application traffic via TOR.
+          Whether to build tsocks wrapper script to relay application traffic via Tor.
+
+          <important>
+            <para>You shouldn't use this unless you know what you're
+            doing because your installation of Tor already comes with
+            its own superior (doesn't leak DNS queries)
+            <literal>torsocks</literal> wrapper which does pretty much
+            exactly the same thing as this.</para>
+          </important>
         '';
       };