From 355de06fe474e5a25a4daca72c55681a0b7c6e83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Wed, 7 Feb 2018 03:20:41 +0100 Subject: [PATCH] nixos/tor: add hiddenServices..authorizeClient --- nixos/modules/services/security/tor.nix | 30 +++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index fa4aeb22ae9d..fed91756e769 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -88,6 +88,9 @@ let ${flip concatMapStrings v.map (p: '' HiddenServicePort ${toString p.port} ${p.destination} '')} + ${optionalString (v.authorizeClient != null) '' + HiddenServiceAuthorizeClient ${v.authorizeClient.authType} ${concatStringsSep "," v.authorizeClient.clientNames} + ''} '')) + cfg.extraConfig; @@ -619,6 +622,33 @@ in })); }; + authorizeClient = mkOption { + default = null; + description = "If configured, the hidden service is accessible for authorized clients only."; + type = types.nullOr (types.submodule ({config, ...}: { + + options = { + + authType = mkOption { + type = types.enum [ "basic" "stealth" ]; + description = '' + Either "basic" for a general-purpose authorization protocol + or "stealth" for a less scalable protocol + that also hides service activity from unauthorized clients. + ''; + }; + + clientNames = mkOption { + type = types.nonEmptyListOf (types.strMatching "[A-Za-z0-9+-_]+"); + description = '' + Only clients that are listed here are authorized to access the hidden service. + Generated authorization data can be found in ${torDirectory}/onion/$name/hostname. + Clients need to put this authorization data in their configuration file using HidServAuth. + ''; + }; + }; + })); + }; }; config = {