-rw-r--r--nixos/modules/services/security/tor.nix18
1 files changed, 16 insertions, 2 deletions
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 2b4132cb5688..431fd102eed0 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -17,7 +17,8 @@ let
   ''
   # Client connection config
   + optionalString cfg.client.enable  ''
-    SOCKSPort ${cfg.client.socksListenAddress}
+    SOCKSPort ${cfg.client.socksListenAddress} IsolateDestAddr
+    SOCKSPort ${cfg.client.socksListenAddressFaster}
     ${opt "SocksPolicy" cfg.client.socksPolicy}
   ''
   # Relay config
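Review bot: The second `SOCKSPort` line is emitted whenever `cfg.client.enable` is set, so every existing client configuration gains an extra listener with weaker isolation that cannot be switched off. Consider declaring `socksListenAddressFaster` as `types.nullOr types.str` and emitting it as `${opt "SOCKSPort" cfg.client.socksListenAddressFaster}`, assuming `opt` (defined outside this hunk) omits the line for a null value, as it appears to for `SocksPolicy`. Tor's `SocksPolicy` is not per-port, so a non-loopback address on either option is governed by the same single policy. Adding `IsolateDestAddr` to the existing port also changes behaviour for applications already using it, which deserves a release-note entry.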
@@ -93,10 +94,23 @@ in
           example = "192.168.0.1:9100";
           description = ''
             Bind to this address to listen for connections from
-            Socks-speaking applications.
+            Socks-speaking applications. Provides strong circuit
+            isolation, separate circuit per IP address.
           '';
         };
 
+        socksListenAddressFaster = mkOption {
+          type = types.str;
+          default = "127.0.0.1:9063";
+          example = "192.168.0.1:9101";
+          description = ''
+            Bind to this address to listen for connections from
+            Socks-speaking applications. Same as socksListenAddress
+            but uses weaker circuit isolation to provide performance
+            suitable for a web browser.
+           '';
+         };
+
         socksPolicy = mkOption {
           type = types.nullOr types.str;
           default = null;
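Review bot: The two option descriptions do not say what is isolated from what, which is what a user needs to know to choose a port. `IsolateDestAddr` keeps streams to different destination addresses off the same circuit, so "separate circuit per IP address" could be reworded as `Streams to different destination addresses never share a circuit (IsolateDestAddr).` For `socksListenAddressFaster`, state the consequence rather than just "weaker", for example `Streams to different destinations may share a circuit, so one exit can observe and link them.` The closing `'';` and `};` of the new option are also indented one column further than in the neighbouring options.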