Add a tip explaining how to enable-tor on NixOS
This is a little bare-bones but hopefully useful; some things that could be improved:

1. Follow steps in order and replicate (I reconstructed off of my success, so there may be inaccuracies or things I forgot).
2. Clarify correct ownership for directories & sockets - enable-tor's sudo child will obtain the hostname so no access is needed after that - does it also create the tor socket directory?
3. Remove unnecessary boilerplate - can the hidden service dir be left with the NixOS default?
parent 0e0322f0e7
commit 0861e95d13
1 changed file with 55 additions and 0 deletions
doc/tips/enable_tor_on_nixos.mdwn (new file, 55 lines)
@ -0,0 +1,55 @@
On NixOS tor is run with a `torrc` directly in `/nix/store`, but `git-annex
enable-tor` attempts to both read and modify `/etc/tor/torrc`.

This behavior can be accomodated by making a copy:

```sh
torrc=$( ps -ef | egrep -o '(\S*?torrc)$' )

sudo mkdir -p /etc/tor
sudo cp $torrc /etc/tor/torrc
```

This should allow you to run:

```sh
git-annex enable-tor
```

without seeing an error, but the edited `torrc` will have no effect so
git-annex will keep waiting for the hidden service to come online. While it
does that, check what lines were added:


```sh
diff -u $torrc /etc/tor/torrc
```

and then add a hidden service to your `configuration.nix`:

```nix
# add a service for the repository
services.tor.relay.onionServices.git-annex-5e77c94c-5907-4f43-96bf-282ae233b240 = {
# this is where git annex configures it, which works fine, but doesn't
# actually seem necessary, so it could be left empty
path = "/var/lib/tor/tor-annex_1000_5e77c94c-5907-4f43-96bf-282ae233b240";

# the HiddenServicePort directive requires both tor and git-annex # remotedaemon
# to be able to access the socket which is why git annex places it in a separate
# directory, but this also needs to be made visible to tor
map = [ {
port = 12345;
target.unix = "/var/lib/tor-annex/1000_5e77c94c-5907-4f43-96bf-282ae233b240/s";
} ];
};

# make the sockets directory visible to the otherwise sandboxed tor daemon
systemd.services.tor.serviceConfig.BindPaths = [ "/var/lib/tor-annex" ];
```

Note that without the `BindPaths` the tor daemon will not be able to access the
sockets and connections will be rejected (can be diagnosed by sending tor a
`SIGUSR2` to enable debug logging).

You should now be able to run `nixos-rebuild switch` and git-annex will
detect that the hidden service is running.
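Review bot: the comment on `path` in the `nix` block ("doesn't actually seem necessary, so it could be left empty") is doubtful and should be verified or dropped before publishing: `git-annex enable-tor` keeps polling for the `hostname` file inside the `HiddenServiceDir` it wrote into `/etc/tor/torrc`, which is exactly the directory given as `path`; with `path` left at the NixOS default, tor writes `hostname` somewhere else and git-annex never sees it. Two further points in the same block: `BindPaths = [ "/var/lib/tor-annex" ]` opens the whole sockets tree to the otherwise sandboxed tor unit, so binding only the per-repository subdirectory named in `target.unix` is the narrower choice, and the tip should state which user must own that directory and the `s` socket (tor connects to it as its own user, while the git-annex remotedaemon creates it as the repository owner, uid 1000 here), since a wrong mode produces the same "connections rejected" symptom the note attributes to a missing `BindPaths`. Finally, in the first `sh` block the `ps -ef | egrep -o '(\S*?torrc)$'` scrape depends on GNU grep extensions and an `*?` that ERE does not define, and `$torrc` is used unquoted in `cp` and `diff`; reading the `-f` argument from `systemctl cat tor.service` and quoting `"$torrc"` would make the step reproducible.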