nixos-config/modules/nixos/containers/tor.nix

{
  config,
  lib,
  pkgs,
  secretsDir,
  ...
}:
let
  inherit (lib) mkEnableOption mkIf;
  inherit (config.virtualisation.quadlet) networks;

  cfg = config.ataraxia.containers.tor;
  dockerfile = pkgs.writeText "Dockerfile.tor" ''
    FROM alpine:3

    LABEL name="tor-socks-proxy"
    LABEL version="latest"

    RUN echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/community' >> /etc/apk/repositories && \
        echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/testing'   >> /etc/apk/repositories && \
        apk -U upgrade && \
        apk -v add tor@edge lyrebird@edge curl && \
        chmod 700 /var/lib/tor && \
        rm -rf /var/cache/apk/* && \
        tor --version

    RUN echo -e "HardwareAccel 1\nLog notice stdout\nDNSPort 0.0.0.0:8853\nSocksPort 0.0.0.0:9150\nDataDirectory /var/lib/tor" > /etc/tor/torrc && \
        chown tor:root /etc/tor/torrc

    HEALTHCHECK --timeout=30s --start-period=60s \
        CMD curl --fail --socks5-hostname localhost:9150 -I -L 'https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion' || exit 1

    USER tor
    EXPOSE 8853/udp 9150/tcp

    CMD ["/usr/bin/tor", "-f", "/etc/tor/torrc"]
  '';
in
{
  options.ataraxia.containers.tor = {
    enable = mkEnableOption "Enable tor client container";
  };

  config = mkIf cfg.enable {
    sops.secrets.tor-container.sopsFile = secretsDir + /proxy.yaml;
    sops.secrets.tor-container.mode = "0444";
    virtualisation.quadlet = {
      builds.tor-proxy = {
        autoStart = true;
        buildConfig = {
          file = toString dockerfile;
          tag = "tor-socks-proxy:latest";
        };
      };
      containers.tor-proxy = {
        autoStart = true;
        containerConfig = {
          exec = "sh -c 'cat /home/torrc-extra >> /etc/tor/torrc && /usr/bin/tor -f /etc/tor/torrc'";
          image = config.virtualisation.quadlet.builds.tor-proxy.ref;
          networks = [ networks.br-services.ref ];
          publishPorts = [
            "0.0.0.0:9150:9150/tcp"
            "0.0.0.0:8853:8853/udp"
          ];
          volumes = [
            "${config.sops.secrets.tor-container.path}:/home/torrc-extra:ro"
          ];
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 9150 ];
    networking.firewall.allowedUDPPorts = [ 8853 ];
  };
}
feat: add custom tor quadlet with bridge connecting 2025-08-21 04:38:56 +03:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`secretsDir,`
			`...`
			`}:`
			`let`
			`inherit (lib) mkEnableOption mkIf;`
			`inherit (config.virtualisation.quadlet) networks;`

			`cfg = config.ataraxia.containers.tor;`
			`dockerfile = pkgs.writeText "Dockerfile.tor" ''`
			`FROM alpine:3`

			`LABEL name="tor-socks-proxy"`
			`LABEL version="latest"`

			`RUN echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/community' >> /etc/apk/repositories && \`
			`echo '@edge https://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories && \`
			`apk -U upgrade && \`
			`apk -v add tor@edge lyrebird@edge curl && \`
			`chmod 700 /var/lib/tor && \`
			`rm -rf /var/cache/apk/* && \`
			`tor --version`

			`RUN echo -e "HardwareAccel 1\nLog notice stdout\nDNSPort 0.0.0.0:8853\nSocksPort 0.0.0.0:9150\nDataDirectory /var/lib/tor" > /etc/tor/torrc && \`
			`chown tor:root /etc/tor/torrc`

			`HEALTHCHECK --timeout=30s --start-period=60s \`
			`CMD curl --fail --socks5-hostname localhost:9150 -I -L 'https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion' \|\| exit 1`

			`USER tor`
			`EXPOSE 8853/udp 9150/tcp`

			`CMD ["/usr/bin/tor", "-f", "/etc/tor/torrc"]`
			`'';`
			`in`
			`{`
			`options.ataraxia.containers.tor = {`
			`enable = mkEnableOption "Enable tor client container";`
			`};`

			`config = mkIf cfg.enable {`
			`sops.secrets.tor-container.sopsFile = secretsDir + /proxy.yaml;`
			`sops.secrets.tor-container.mode = "0444";`
			`virtualisation.quadlet = {`
			`builds.tor-proxy = {`
			`autoStart = true;`
			`buildConfig = {`
			`file = toString dockerfile;`
			`tag = "tor-socks-proxy:latest";`
			`};`
			`};`
			`containers.tor-proxy = {`
			`autoStart = true;`
			`containerConfig = {`
			`exec = "sh -c 'cat /home/torrc-extra >> /etc/tor/torrc && /usr/bin/tor -f /etc/tor/torrc'";`
			`image = config.virtualisation.quadlet.builds.tor-proxy.ref;`
			`networks = [ networks.br-services.ref ];`
			`publishPorts = [`
			`"0.0.0.0:9150:9150/tcp"`
			`"0.0.0.0:8853:8853/udp"`
			`];`
			`volumes = [`
			`"${config.sops.secrets.tor-container.path}:/home/torrc-extra:ro"`
			`];`
			`};`
			`};`
			`};`
			`networking.firewall.allowedTCPPorts = [ 9150 ];`
			`networking.firewall.allowedUDPPorts = [ 8853 ];`
			`};`
			`}`