TOR service: refactored options to avoid mess

svn path=/nixos/trunk/; revision=23850
2025-06-12 04:35:41 +03:00 · 2010-09-18 11:30:14 +00:00 · 2010-09-18 11:30:14 +00:00 · b2b227c99f
commit b2b227c99f
parent 259c007f70
1 changed files with 174 additions and 172 deletions
--- a/modules/services/security/tor.nix
+++ b/modules/services/security/tor.nix
@ -27,14 +27,17 @@ in
  
    services.tor = {

-      enable = mkOption {
-        default = false;
+      config = mkOption {
+        default = "";
        description = ''
-          Whether to enable the Tor anonymous routing daemon.
+          Extra configuration. Contents will be added verbatim to the 
+          configuration file.
        '';
      };

-      enableClient = mkOption {
+      client = {
+
+        enable = mkOption {
          default = true;
          description = ''
            Whether to enable Tor daemon to route application connections.
@ -61,15 +64,9 @@ in
          '';
        };

-      config = mkOption {
-        default = "";
-        description = ''
-          Extra configuration. Contents will be added verbatim to the 
-          configuration file.
-        '';
-      };
+        privoxy = {

-      enablePrivoxy = mkOption {
+          enable = mkOption {
            default = true;
            description = ''
              Whether to enable a special instance of privoxy dedicated to Tor.
@ -78,12 +75,12 @@ in
              Most people using Tor want to anonymize their web traffic, so by 
              default we enable an special instance of privoxy specifically for
              Tor.
-          However, if you are only going to use Tor only as a relay then you
-          can disable this option.
+              However, if you are only going to use Tor only for other kinds of
+              traffic then you can disable this option.
            '';
          };

-      privoxyListenAddress = mkOption {
+          listenAddress = mkOption {
            default = "127.0.0.1:8118";
            description = ''
              Address that Tor's instance of privoxy is listening to.
@ -94,7 +91,7 @@ in
            '';
          };

-      privoxyConfig = mkOption {
+          config = mkOption {
            default = "";
            description = ''
              Extra configuration for Tor's instance of privoxy. Contents will be 
@ -106,16 +103,22 @@ in
            '';
          };

-      enableRelay = mkOption {
+        };
+
+      };
+
+      relay = {      
+
+        enable = mkOption {
          default = false;
          description = ''
-          Whether to enable relaying traffic for others.
+            Whether to enable relaying TOR traffic for others.

            See https://www.torproject.org/docs/tor-doc-relay for details.
          '';
        };

-      isBridgeRelay = mkOption {
+        isBridge = mkOption {
          default = false;
          description = ''
            Bridge relays (or "bridges" ) are Tor relays that aren't listed in the
@ -131,7 +134,7 @@ in
          '';
        };

-      isExitRelay = mkOption {
+        isExit = mkOption {
          default = false;
          description = ''
            An exit relay allows Tor users to access regular Internet services.
@ -150,7 +153,7 @@ in
          '';
        };

-      relayBandwidthRate = mkOption {
+        bandwidthRate = mkOption {
          default = 0;
          example = 100;
          description = ''
@ -159,7 +162,7 @@ in
          '';
        };

-      relayBandwidthBurst = mkOption {
+        bandwidthBurst = mkOption {
          default = 0;
          example = 200;
          description = ''
@ -169,20 +172,20 @@ in
          '';
        };

-      relayPort = mkOption {
+        port = mkOption {
          default = 9001;
          description = ''
            What port to advertise for Tor connections.
          '';
        };

-      relayListenAddress = mkOption {
+        listenAddress = mkOption {
          default = "";
          example = "0.0.0.0:9090";
          description = ''
            Set this if you need to listen on a port other than the one advertised
            in relayPort (e.g. to advertise 443 but bind to 9090). You'll need to do
-          ipchains or other port forwarding yourself to make this work.
+            ipchains or other port forwsarding yourself to make this work.
          '';
        };

@ -210,17 +213,16 @@ in

    };

+  };
+

  ###### implementation

-  config = mkIf cfg.enable {
+  config = mkIf (cfg.client.enable || cfg.relay.enable) {
    environment.systemPackages = [ tor ];  # provides tor-resolve and torify

    assertions = [ {
-      assertion = cfg.enableRelay || cfg.enableClient;
-      message = "Need to either enable TOR client or relay functionality";
-    } {
-      assertion = cfg.enableRelay -> !(cfg.isBridgeRelay && cfg.isExitRelay);
+      assertion = cfg.relay.enable -> !(cfg.relay.isBridge && cfg.relay.isExit);
      message = "Can't be both an exit and a bridge relay at the same time";
    } ];

@ -245,7 +247,7 @@ in
        exec = "${tor}/bin/tor -f ${pkgs.writeText "torrc" cfg.config}";
      };

-    jobs.torPrivoxy = mkIf (cfg.enablePrivoxy && cfg.enableClient)
+    jobs.torPrivoxy = mkIf (cfg.client.privoxy.enable && cfg.client.enable)
      { name = "tor-privoxy";

        startOn = "starting tor";
@ -259,32 +261,32 @@ in
            # Needed to run privoxy as an unprivileged user?
            ${modprobe}/sbin/modprobe capability || true
          '';
-        exec = "${privoxy}/sbin/privoxy --no-daemon --user ${torUser} ${pkgs.writeText "torPrivoxy.conf" cfg.privoxyConfig}";
+        exec = "${privoxy}/sbin/privoxy --no-daemon --user ${torUser} ${pkgs.writeText "torPrivoxy.conf" cfg.client.privoxy.config}";
      };

      services.tor.config = ''
        DataDirectory ${stateDir}
        User ${torUser}
      ''
-      + optionalString cfg.enableClient  ''
-        SocksListenAddress ${cfg.socksListenAddress}
-        ${opt "SocksPolicy" cfg.socksPolicy}
+      + optionalString cfg.client.enable  ''
+        SocksListenAddress ${cfg.client.socksListenAddress}
+        ${opt "SocksPolicy" cfg.client.socksPolicy}
      ''
-      + optionalString cfg.enableRelay ''
-        ORPort ${toString cfg.relayPort}
-        ${opt "ORListenAddress" cfg.relayListenAddress }
-        ${opt "Nickname" cfg.nickname}
-        ${optint "RelayBandwidthRate" cfg.relayBandwidthRate}
-        ${optint "RelayBandwidthBurst" cfg.relayBandwidthBurst}
-        ${if cfg.isExitRelay then opt "ExitPolicy" cfg.exitPolicy else "ExitPolicy reject *:*"}
-        ${if cfg.isBridgeRelay then "BridgeRelay 1" else ""}
+      + optionalString cfg.relay.enable ''
+        ORPort ${toString cfg.relay.port}
+        ${opt "ORListenAddress" cfg.relay.listenAddress }
+        ${opt "Nickname" cfg.relay.nickname}
+        ${optint "RelayBandwidthRate" cfg.relay.bandwidthRate}
+        ${optint "RelayBandwidthBurst" cfg.relay.bandwidthBurst}
+        ${if cfg.relay.isExit then opt "ExitPolicy" cfg.relay.exitPolicy else "ExitPolicy reject *:*"}
+        ${if cfg.relay.isBridge then "BridgeRelay 1" else ""}
      '';
    
-      services.tor.privoxyConfig = ''
+      services.tor.client.privoxy.config = ''
        # Generally, this file goes in /etc/privoxy/config
        #
        # Tor listens as a SOCKS4a proxy here:
-        forward-socks4a / ${cfg.socksListenAddress} .
+        forward-socks4a / ${cfg.client.socksListenAddress} .
        confdir ${privoxy}/etc
        logdir ${privoxyDir}
        # actionsfile standard  # Internal purpose, recommended
@ -300,7 +302,7 @@ in
        debug   8192 # Errors - *we highly recommended enabling this*
        
        user-manual ${privoxy}/doc/privoxy/user-manual
-        listen-address  ${cfg.privoxyListenAddress}
+        listen-address  ${cfg.client.privoxy.listenAddress}
        toggle  1
        enable-remote-toggle 0
        enable-edit-actions 0