authorJoachim F <joachifm@users.noreply.github.com>2018-02-08 17:08:44 +0000
committerGitHub <noreply@github.com>2018-02-08 17:08:44 +0000
commit65e6fbf2b5c4c7b2dba0d02369f65870496b7197 (patch)
tree1484f11b94b74de285baaff1c9b3c35b29bcba6d /nixos
parent6b45dbd99c6078801dd49fd22c1f175b9fd19b31 (diff)
parent355de06fe474e5a25a4daca72c55681a0b7c6e83 (diff)
Merge pull request #34690 from dotlambda/tor
nixos/tor: add hiddenServices.<name>.authorizeClient
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/security/tor.nix30
1 files changed, 30 insertions, 0 deletions
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index fa4aeb22ae9d..fed91756e769 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -88,6 +88,9 @@ let
     ${flip concatMapStrings v.map (p: ''
       HiddenServicePort ${toString p.port} ${p.destination}
     '')}
+    ${optionalString (v.authorizeClient != null) ''
+      HiddenServiceAuthorizeClient ${v.authorizeClient.authType} ${concatStringsSep "," v.authorizeClient.clientNames}
+    ''}
   ''))
   + cfg.extraConfig;
 
@@ -619,6 +622,33 @@ in
                }));
              };
 
+             authorizeClient = mkOption {
+               default = null;
+               description = "If configured, the hidden service is accessible for authorized clients only.";
+               type = types.nullOr (types.submodule ({config, ...}: {
+
+                 options = {
+
+                   authType = mkOption {
+                     type = types.enum [ "basic" "stealth" ];
+                     description = ''
+                       Either <literal>"basic"</literal> for a general-purpose authorization protocol
+                       or <literal>"stealth"</literal> for a less scalable protocol
+                       that also hides service activity from unauthorized clients.
+                     '';
+                   };
+
+                   clientNames = mkOption {
+                     type = types.nonEmptyListOf (types.strMatching "[A-Za-z0-9+-_]+");
+                     description = ''
+                       Only clients that are listed here are authorized to access the hidden service.
+                       Generated authorization data can be found in <filename>${torDirectory}/onion/$name/hostname</filename>.
+                       Clients need to put this authorization data in their configuration file using <literal>HidServAuth</literal>.
+                     '';
+                   };
+                 };
+               }));
+             };
           };
 
           config = {
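Review bot: The pattern on the clientNames element type, `types.strMatching "[A-Za-z0-9+-_]+"`, does not restrict names to alphanumerics plus `+`, `-` and `_` as intended: inside a bracket expression `+-_` is a range from 0x2B to 0x5F, so `,`, `.`, `/`, `:`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, `\`, `]` and `^` are accepted as well (the torrc manual writes the allowed set as "A-Za-z0-9+-_", which is probably where the literal copy came from). Because the names are joined with commas into the `HiddenServiceAuthorizeClient` line in the first hunk, a configured name such as `alice,mallory` passes type checking and silently authorizes an extra client. Moving the hyphen to the end fixes it, and the manual's 1-16 character limit on client names can be enforced at evaluation time at the same time: `type = types.nonEmptyListOf (types.strMatching "[A-Za-z0-9+_-]{1,16}");`. Tor also caps basic mode at 512 and stealth mode at 16 client names (rend-spec, as far as I recall), which would otherwise only surface when tor refuses its config, so an assertion on the list length per authType is worth considering. Note that this option applies to v2 onion services only; if the module lets users select HiddenServiceVersion 3, the setting is ignored for those services and the description should say so.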