authorAlyssa Ross <hi@alyssa.is>2020-12-15 21:30:24 +0000
committerAlyssa Ross <hi@alyssa.is>2020-12-16 12:20:03 +0000
commite17d4b05a12fe1b567ef4d55d2f01c23ff48228d (patch)
tree77c4b87889780d574337ca13d569c037257c7ea7
parentcd75006f1abd1671f2367b8cfd9406b32f5296da (diff)
nixos/tor: don't do privoxy stuff by default
It's very surprising that services.tor.client.enable would set services.privoxy.enable. This violates the principle of least astonishment, because it's Privoxy that can integrate with Tor, rather than the other way around. So this patch moves the Privoxy Tor integration to the Privoxy module, and it also disables it by default. This change is documented in the release notes. Reported-by: V <v@anomalous.eu>
-rw-r--r--nixos/doc/manual/release-notes/rl-2103.xml13
-rw-r--r--nixos/modules/services/networking/privoxy.nix20
-rw-r--r--nixos/modules/services/security/tor.nix31
3 files changed, 34 insertions, 30 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
index 35c10d3e5939..458170e803b3 100644
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -265,6 +265,19 @@
located in <literal>/run/rspamd</literal> instead of <literal>/run</literal>.
</para>
</listitem>
+ <listitem>
+ <para>
+ Enabling the Tor client no longer silently also enables and
+ configures Privoxy, and the
+ <varname>services.tor.client.privoxy.enable</varname> option has
+ been removed. To enable Privoxy, and to configure it to use
+ Tor's faster port, use the following configuration:
+ </para>
+ <programlisting>
+ <xref linkend="opt-services.privoxy.enable" /> = true;
+ <xref linkend="opt-services.privoxy.enableTor" /> = true;
+ </programlisting>
+ </listitem>
</itemizedlist>
</section>
diff --git a/nixos/modules/services/networking/privoxy.nix b/nixos/modules/services/networking/privoxy.nix
index 1f41c720adf5..e3b34cb0c616 100644
--- a/nixos/modules/services/networking/privoxy.nix
+++ b/nixos/modules/services/networking/privoxy.nix
@@ -8,15 +8,22 @@ let
cfg = config.services.privoxy;
- confFile = pkgs.writeText "privoxy.conf" ''
+ confFile = pkgs.writeText "privoxy.conf" (''
user-manual ${privoxy}/share/doc/privoxy/user-manual
confdir ${privoxy}/etc/
listen-address ${cfg.listenAddress}
enable-edit-actions ${if (cfg.enableEditActions == true) then "1" else "0"}
${concatMapStrings (f: "actionsfile ${f}\n") cfg.actionsFiles}
${concatMapStrings (f: "filterfile ${f}\n") cfg.filterFiles}
+ '' + optionalString cfg.enableTor ''
+ forward-socks4a / ${config.services.tor.client.socksListenAddressFaster} .
+ toggle 1
+ enable-remote-toggle 0
+ enable-edit-actions 0
+ enable-remote-http-toggle 0
+ '' + ''
${cfg.extraConfig}
- '';
+ '');
in
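Review bot: The `enable-edit-actions 0` line in the new Tor block duplicates the `enable-edit-actions ${if (cfg.enableEditActions == true) then "1" else "0"}` directive written a few lines earlier in the same file, so with enableTor set a user's `enableEditActions = true` is silently overridden (Privoxy presumably honours the later occurrence; worth confirming). Either gate the earlier line on `!cfg.enableTor`, or drop `enable-edit-actions 0` from the Tor block and leave that decision to the existing option. Separately, the removed tor.nix code only emitted this forwarding block when the Tor client was enabled, whereas the new block reads `config.services.tor.client.socksListenAddressFaster` unconditionally, so Privoxy can be pointed at a SOCKS port nothing listens on; an assertion in the config section (outside this hunk) such as `{ assertion = cfg.enableTor -> config.services.tor.client.enable; message = "services.privoxy.enableTor requires services.tor.client.enable"; }` would surface that at evaluation time.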
@@ -72,6 +79,15 @@ in
'';
};
+ enableTor = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Whether to configure Privoxy to use Tor's faster SOCKS port,
+ suitable for HTTP.
+ '';
+ };
+
extraConfig = mkOption {
type = types.lines;
default = "" ;
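Review bot: The enableTor description only mentions the faster SOCKS port; it does not say that the option forwards every request through Tor via `forward-socks4a` and additionally sets `enable-remote-toggle 0`, `enable-edit-actions 0` and `enable-remote-http-toggle 0`, which a reader of the option alone will not expect. Suggest extending the description with a sentence such as `This forwards all requests through Tor and disables the remote toggle and edit-actions interfaces; services.tor.client.enable must be set for the forwarding to work.`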
diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 38dc378887a8..1cceee065b1b 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -107,6 +107,9 @@ let
in
{
imports = [
+ (mkRemovedOptionModule [ "services" "tor" "client" "privoxy" "enable" ] ''
+ Use services.privoxy.enable and services.privoxy.enableTor instead.
+ '')
(mkRenamedOptionModule [ "services" "tor" "relay" "portSpec" ] [ "services" "tor" "relay" "port" ])
(mkRemovedOptionModule [ "services" "tor" "relay" "isBridge" ] "Use services.tor.relay.role instead.")
(mkRemovedOptionModule [ "services" "tor" "relay" "isExit" ] "Use services.tor.relay.role instead.")
@@ -270,23 +273,6 @@ in
description = "List of suffixes to use with automapHostsOnResolve";
};
};
-
- privoxy.enable = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Whether to enable and configure the system Privoxy to use Tor's
- faster port, suitable for HTTP.
-
- To have anonymity, protocols need to be scrubbed of identifying
- information, and this can be accomplished for HTTP by Privoxy.
-
- Privoxy can also be useful for KDE torification. A good setup would be:
- setting SOCKS proxy to the default Tor port, providing maximum
- circuit isolation where possible; and setting HTTP proxy to Privoxy
- to route HTTP traffic over faster, but less isolated port.
- '';
- };
};
relay = {
@@ -784,16 +770,5 @@ in
};
environment.systemPackages = [ cfg.package ];
-
- services.privoxy = mkIf (cfg.client.enable && cfg.client.privoxy.enable) {
- enable = true;
- extraConfig = ''
- forward-socks4a / ${cfg.client.socksListenAddressFaster} .
- toggle 1
- enable-remote-toggle 0
- enable-edit-actions 0
- enable-remote-http-toggle 0
- '';
- };
};
}