{ config, lib, pkgs, factsGenerator, clanLib, ... }:
let
  cfg = config.components.nixos.boot.tor;

  # Facts service holding the initrd onion key and hostname. Both are
  # declared as secrets, so they only reach the initrd through
  # boot.initrd.secrets (copied by initrd-nixos-copy-secrets.service).
  initrdTorFacts = config.clan.core.facts.services."initrd.tor";

  # Directory tor reads the onion key/hostname from (HiddenServiceDir).
  onionDir = "/etc/tor/onion/bootup";

  # Packages the initrd tor unit needs: tor itself plus the tools used by
  # the start script below. Listed both as store paths and on the unit PATH.
  initrdTorPkgs = [ pkgs.tor pkgs.iproute2 pkgs.coreutils ];

  # torrc used inside the initrd. Both SOCKS listeners are bound to loopback
  # only; the single onion service forwards port 2222 to the local initrd
  # sshd on 127.0.0.1:2222 (nothing is exposed on a LAN-facing address).
  initrdTorRc = ''
    DataDirectory /etc/tor
    SOCKSPort 127.0.0.1:9050 IsolateDestAddr
    SOCKSPort 127.0.0.1:9063
    HiddenServiceDir ${onionDir}
    HiddenServicePort 2222 127.0.0.1:2222
  '';
in
{
  options.components.nixos.boot.tor = {
    # Enable a tor hidden service in the initrd so the boot-time ssh can be
    # reached over tor (e.g. for remote disk unlock).
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
    };
  };

  config = lib.mkMerge [
    # todo : not working at the moment, because onion hostnames are secrets
    # (and therefore cannot be read at evaluation time on other machines).
    #(
    #  let
    #    onionIds = clanLib.readFactFromAllMachines "tor.initrd.hostname";
    #    generateOnionUnlockScript = machine: onionId:
    #      pkgs.writers.writeDashBin "unlock-boot-${machine}-via-tor" ''
    #        ${pkgs.tor}/bin/torify ${pkgs.openssh}/bin/ssh root@${onionId} -p 2222
    #      '';
    #  in
    #  {
    #    # add known hosts
    #    services.openssh.knownHosts =
    #      lib.mapAttrs
    #        (_machine: onionId: {
    #          hostNames = [ "[${onionId}]:2222" ];
    #        })
    #        onionIds;
    #
    #    # create unlock tor boot script
    #    environment.systemPackages =
    #      lib.mapAttrsToList generateOnionUnlockScript onionIds;
    #  }
    #)

    # tor part
    # --------
    (lib.mkIf cfg.enable {
      # tor secrets: generated per machine by the facts generator
      clan.core.facts.services."initrd.tor" = factsGenerator.tor {
        name = "initrd";
        addressPrefix = "init";
      };

      # Copy the onion key and hostname into the initrd at the paths tor
      # expects under HiddenServiceDir.
      boot.initrd.secrets = {
        "${onionDir}/tor.priv" = initrdTorFacts.secret."tor.initrd.priv".path;
        "${onionDir}/hostname" = initrdTorFacts.secret."tor.initrd.hostname".path;
      };

      boot.initrd.systemd.storePaths = initrdTorPkgs;

      boot.initrd.systemd.contents."/etc/tor/tor.rc".text = initrdTorRc;

      # No User= is set on this unit, so tor runs as root inside the initrd.
      # NOTE(review): there is presumably no unprivileged tor user available
      # in the initrd to drop to — confirm before adding one.
      boot.initrd.systemd.services.tor = {
        description = "tor during init";
        wantedBy = [ "initrd.target" ];
        # Secrets must already be copied in before tor opens HiddenServiceDir.
        after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
        before = [ "shutdown.target" ];
        conflicts = [ "shutdown.target" ];
        unitConfig.DefaultDependencies = false;
        path = initrdTorPkgs;
        # NOTE(review): whether a failing --verify-config aborts the script
        # before the real start depends on the shell wrapper used for
        # `script` (set -e) — confirm for the initrd systemd module.
        script = ''
          echo "tor: preparing onion folder"
          # have to do this otherwise tor does not want to start
          chmod -R 700 /etc/tor
          echo "tor: starting tor"
          tor -f /etc/tor/tor.rc --verify-config
          tor -f /etc/tor/tor.rc
        '';
      };
    })
  ];
}