From 8327f1860d050eef5f6f9711e20f672f2440db8f Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Thu, 8 Aug 2024 01:12:10 +0200
Subject: [PATCH] made tor work
---
 components/nixos/boot/default.nix | 1 +
 components/nixos/boot/tor-ssh.nix | 100 ------------------------------
 components/nixos/boot/tor.nix | 95 ++++++++++++++++++++++++++++
 machines/probe/configuration.nix | 3 +
 4 files changed, 99 insertions(+), 100 deletions(-)
 delete mode 100644 components/nixos/boot/tor-ssh.nix
 create mode 100644 components/nixos/boot/tor.nix
diff --git a/components/nixos/boot/default.nix b/components/nixos/boot/default.nix
index 9bf6045..10c8491 100644
--- a/components/nixos/boot/default.nix
+++ b/components/nixos/boot/default.nix
@@ -3,6 +3,7 @@
 imports = [
 ./ssh.nix
+ ./tor.nix
 ];
 options.components.nixos.boot.enable = lib.mkOption {
diff --git a/components/nixos/boot/tor-ssh.nix b/components/nixos/boot/tor-ssh.nix
deleted file mode 100644
index 586b19f..0000000
--- a/components/nixos/boot/tor-ssh.nix
+++ /dev/null
@@ -1,100 +0,0 @@
-{ config, lib, pkgs, factsGenerator, clanLib, ... }:
-with lib;
-with types;
-
-{
- options.components.nixos.boot = {
-
- enable = lib.mkOption {
- type = lib.types.bool;
- default = false;
- };
-
- tor.enable = lib.mkOption {
- type = lib.types.bool;
- default = config.components.nixos.boot.ssh.enable;
- };
- };
-
- config = mkMerge [
-
- # todo : not working at the moment, because onion hostnames are secrets
- (
- let
- onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
- generateOnionUnlockScript = machine: onionId: pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
- ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
- '';
- in
- {
- # add known hosts
- services.openssh.knownHosts =
- mapAttrs
- (_machine: onionId: {
- hostNames = [ "[${onionId}]:2222" ];
- })
- onionIds;
-
- # create unlook tor boot script
- environment.systemPackages =
- mapAttrsToList generateOnionUnlockScript onionIds;
- }
- )
-
- # tor part
- # --------
- (mkIf (config.components.nixos.boot.tor.enable) {
-
- #services.tor = {
- # enable = true;
- # client.enable = true;
- # relay.onionServices.bootup.map = [{ port = 2222; }];
- #};
-
- # tor setup
- clan.core.facts.services.initrd_tor = factsGenerator.tor { name = ""; };
-
- boot.initrd.secrets = {
- "/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services.initrd_tor.secret."tor.initrd.priv".path;
- "/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services.initrd_tor.secret."tor.initrd.hostname".path;
- };
-
- #boot.initrd.extraUtilsCommands = ''
- # copy_bin_and_libs ${pkgs.tor}/bin/tor
- #'';
-
- # fixme: this thing is not working for some reason.
- boot.initrd.systemd.packages = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];
- boot.initrd.systemd.services.tor = {
- path = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];
- # todo: set wanted by
- script =
- let
- torRc = pkgs.writeText "tor.rc" ''
- DataDirectory /etc/tor
- SOCKSPort 127.0.0.1:9050 IsolateDestAddr
- SOCKSPort 127.0.0.1:9063
- HiddenServiceDir /etc/tor/onion/bootup
- HiddenServicePort 2222 127.0.0.1:2222
- '';
- in
- ''
- echo "tor: preparing onion folder"
- # have to do this otherwise tor does not want to start
- chmod -R 700 /etc/tor
-
- echo "make sure localhost is up"
- ip a a 127.0.0.1/8 dev lo
- ip link set lo up
-
- echo "tor: starting tor"
- tor -f ${torRc} --verify-config
- tor -f ${torRc}
- '';
- };
- })
-
-
- ];
-}
-
diff --git a/components/nixos/boot/tor.nix b/components/nixos/boot/tor.nix
new file mode 100644
index 0000000..bc11d2a
--- /dev/null
+++ b/components/nixos/boot/tor.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkgs, factsGenerator, clanLib, ... }:
+with lib;
+with types;
+
+{
+ options.components.nixos.boot.tor = {
+ enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+
+ config = mkMerge [
+
+ # todo : not working at the moment, because onion hostnames are secrets
+ #(
+ # let
+ # onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
+ # generateOnionUnlockScript = machine: onionId: pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
+ # ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
+ # '';
+ # in
+ # {
+ # # add known hosts
+ # services.openssh.knownHosts =
+ # mapAttrs
+ # (_machine: onionId: {
+ # hostNames = [ "[${onionId}]:2222" ];
+ # })
+ # onionIds;
+ # # create unlook tor boot script
+ # environment.systemPackages =
+ # mapAttrsToList generateOnionUnlockScript onionIds;
+ # }
+ #)
+
+ # tor part
+ # --------
+ (mkIf (config.components.nixos.boot.tor.enable) {
+
+ # tor secrets
+ clan.core.facts.services."initrd.tor" = factsGenerator.tor {
+ name = "initrd";
+ addressPrefix = "init";
+ };
+ boot.initrd.secrets = {
+ "/etc/tor/onion/bootup/tor.priv" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.priv".path;
+ "/etc/tor/onion/bootup/hostname" = config.clan.core.facts.services."initrd.tor".secret."tor.initrd.hostname".path;
+ };
+
+ boot.initrd.systemd.storePaths = [
+ pkgs.tor
+ pkgs.iproute2
+ pkgs.coreutils
+ ];
+ boot.initrd.systemd.contents = {
+ "/etc/tor/tor.rc".text = ''
+ DataDirectory /etc/tor
+ SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+ SOCKSPort 127.0.0.1:9063
+ HiddenServiceDir /etc/tor/onion/bootup
+ HiddenServicePort 2222 127.0.0.1:2222
+ '';
+ };
+
+ boot.initrd.systemd.services.tor = {
+ description = "tor during init";
+ wantedBy = [ "initrd.target" ];
+ after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
+ before = [ "shutdown.target" ];
+ conflicts = [ "shutdown.target" ];
+
+ unitConfig.DefaultDependencies = 
false;
+ path = [
+ pkgs.tor
+ pkgs.iproute2
+ pkgs.coreutils
+ ];
+ script =
+ ''
+ echo "tor: preparing onion folder"
+ # have to do this otherwise tor does not want to start
+ chmod -R 700 /etc/tor
+
+ echo "tor: starting tor"
+ tor -f /etc/tor/tor.rc --verify-config
+ tor -f /etc/tor/tor.rc
+ '';
+ };
+ })
+
+
+ ];
+}
+
diff --git a/machines/probe/configuration.nix b/machines/probe/configuration.nix
index 48ae5c8..453ead3 100644
--- a/machines/probe/configuration.nix
+++ b/machines/probe/configuration.nix
@@ -12,6 +12,9 @@
 components.nixos.boot.enable = true;
 components.nixos.boot.ssh.enable = true;
+ components.nixos.boot.tor.enable = true;
+
+ components.monitor.enable = false;
 networking.hostName = "probe";
 users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJkqVvuJSvRMO5pG2CHNNBxjB7HlJudK4TQs3BhbOWOD" ];
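Review bot: The onion service's long-term private key is shipped through `boot.initrd.secrets` (the `/etc/tor/onion/bootup/tor.priv` entry), which places the file inside the initrd image on the boot partition, so unless `/boot` is encrypted the key is readable offline by anyone with the disk and the onion address should be treated as exposed rather than secret; a comment beside that block would save the next reader the surprise, e.g. `# NOTE: initrd secrets end up in the initrd on /boot, which is usually unencrypted`. The `tor.rc` placed via `boot.initrd.systemd.contents` also opens two SOCKS listeners (`127.0.0.1:9050`, `127.0.0.1:9063`) although nothing in this initrd appears to use them, and only the hidden service is needed for the unlock path, so `SOCKSPort 0` would remove that unused surface; the unit also runs `tor` as root since no `User` is set, which is worth a comment if it is deliberate for the initrd. Minor: the `clanLib` argument and `with types;` are no longer used now that the known-hosts block is commented out.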
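Review bot: `components.monitor.enable = false;` is unrelated to the commit subject ("made tor work") and nothing in the message explains it; if it is intentional it belongs in its own commit or at least in the description, otherwise it looks like a stray local change that slipped in. Enabling `components.nixos.boot.tor.enable` here also means this machine's initrd on the boot partition will carry the onion private key via `boot.initrd.secrets`, which a short comment next to the option would make explicit for whoever maintains `probe`.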