Open milahu opened 8 months ago
ideally nixos-rebuild switch should show a warning
this already shows a warning for services.tor.settings.BridgeRelay
fix:
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -798,7 +814,11 @@
config = mkIf cfg.enable {
# Not sure if `cfg.relay.role == "private-bridge"` helps as tor
# sends a lot of stats
- warnings = optional (cfg.settings.BridgeRelay &&
+ warnings = optional (
+ (
+ cfg.settings.BridgeRelay ||
+ cfg.relay.enable
+ ) &&
flatten (mapAttrsToList (n: o: o.map) cfg.relay.onionServices) != [])
''
Running Tor hidden services on a public relay makes the
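Review bot: the new condition fires for every `cfg.relay.enable`, including the `private-bridge` role that the comment two lines above says may not leak the same stats, while the message below still only speaks of "a public relay"; either narrow the added term (e.g. `cfg.relay.enable && cfg.relay.role != "private-bridge"`) or extend the warning text so it names `services.tor.relay.enable` next to `BridgeRelay`, so the reader can tell which option tripped it.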
this already shows a warning for services.tor.settings.BridgeRelay
that warning is
Running Tor hidden services on a public relay makes the presence of hidden services visible through simple statistical analysis of publicly available data. See https://trac.torproject.org/projects/tor/ticket/8742 You can safely ignore this warning if you don't intend to actually hide your hidden services. In either case, you can always create a container/VM with a separate Tor daemon instance.
... but "you can always create a container" is harder than expected with most config snippets, either the container fails to start, or the container has no internet access
the nixos manual is helpful:
Container Management - nixos manual - single page
Container Management - nixos manual - split page
for faster container rebuilds see also https://github.com/erikarvstedt/extra-container
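An added example of the "separate Tor daemon in a container" setup the warning suggests, written for this issue and not taken from the issue or from nixpkgs: the host runs only the relay, the hidden service lives in its own NixOS container with its own tor process, and host-side NAT gives the container the internet access that most snippets forget. Assumptions: the host uplink is eth0, the 192.168.100.0/24 addresses and the nickname/contact values are placeholders, and the onion service fronts a static page served on port 8080 inside the container.

```nix
{ config, pkgs, ... }:
{
  # Host side: relay only. No onionServices here, so the relay's tor
  # process never carries hidden-service circuits.
  services.tor = {
    enable = true;
    relay.enable = true;
    relay.role = "relay";
    settings.Nickname = "examplerelay";              # placeholder
    settings.ContactInfo = "admin@example.invalid";  # placeholder
    settings.ORPort = 9001;
  };
  networking.firewall.allowedTCPPorts = [ 9001 ];

  # A privateNetwork container only has its veth link; without NAT on the
  # host its tor daemon cannot reach the directory authorities at all.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];   # matches every container veth
    externalInterface = "eth0";        # assumption: host uplink
  };

  containers.torhs = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.100.10";   # placeholder addresses
    localAddress = "192.168.100.11";
    config = { config, pkgs, ... }: {
      # Second, independent tor daemon: hidden service only, no relay.
      services.tor = {
        enable = true;
        relay.onionServices.example = {
          version = 3;
          map = [ { port = 80; target = { addr = "127.0.0.1"; port = 8080; }; } ];
        };
      };
      # The service behind the onion address, reachable only on loopback.
      services.nginx = {
        enable = true;
        virtualHosts.onion = {
          listen = [ { addr = "127.0.0.1"; port = 8080; } ];
          root = pkgs.writeTextDir "index.html" "<h1>hello from the container</h1>";
        };
      };
      system.stateVersion = "23.05";  # assumption: match your host
    };
  };
}
```

The generated onion address ends up under the container's own state, readable on the host with nixos-container root-login torhs and then cat /var/lib/tor/onion/example/hostname.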
example config for my server milahuuuc365.onion
yeah i know, i should make a nixos-config repo...
problem: by default, tor relay and tor hidden services run in the same tor process
tor logs will show the warning
/etc/nixos/configuration.nix
ideally nixos-rebuild switch should show a warning when both tor relay and tor hidden services are enabled, because this is a security risk
ideally this would be fixed by adding
useSeparateTorProcess = true;
to the hidden service config
nixos config run multiple instances of one service on different ports
Running a second instance of a service: a solution
Run enable multiple instances of the same systemd service
related
Byte history leaks information about local usage/hidden services tor#8742
nixos/tor: add tor hidden service options nixpkgs#28081
→ ping @tnias @fpletz @Mic92 @oxij
What are the implications of a Relay hosting a Hidden Service?
How to open Tor on port 9050?