talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

tor: add tor.proxyHook (#426763)

Browse Source
This commit is contained in:
Philip Taron 2025-07-25 15:16:39 -07:00 committed by GitHub
commit 0ca32f3372
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 99 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/build-helpers/fetchers.chapter.md
View File

@ -163,6 +163,8 @@ Nixpkgs fetchers can make use of a http(s) proxy. Each fetcher will automaticall
The environment variable `NIX_SSL_CERT_FILE` is also inherited in fetchers, and can be used to provide a custom certificate bundle to fetchers. This is usually required for a https proxy to work without certificate validation errors. The environment variable `NIX_SSL_CERT_FILE` is also inherited in fetchers, and can be used to provide a custom certificate bundle to fetchers. This is usually required for a https proxy to work without certificate validation errors.
To use a temporary Tor instance as a proxy for fetching from `.onion` addresses, add `nativeBuildInputs = [ tor.proxyHook ];` to the fetcher parameters.
[]{#fetchurl} []{#fetchurl}
## `fetchurl` {#sec-pkgs-fetchers-fetchurl} ## `fetchurl` {#sec-pkgs-fetchers-fetchurl}

13
pkgs/build-support/fetchgit/default.nix
View File

@ -157,6 +157,19 @@ lib.makeOverridable (
"GIT_PROXY_COMMAND" "GIT_PROXY_COMMAND"
"NIX_GIT_SSL_CAINFO" "NIX_GIT_SSL_CAINFO"
"SOCKS_SERVER" "SOCKS_SERVER"
# This is a parameter intended to be set by setup hooks or preFetch
# scripts that want per-URL control over HTTP proxies used by Git
# (if per-URL control isn't needed, `http_proxy` etc. will
# suffice). It must be a whitespace-separated (with backslash as an
# escape character) list of pairs like this:
#
# http://domain1/path1 proxy1 https://domain2/path2 proxy2
#
# where the URLs are as documented in the `git-config` manual page
# under `http.<url>.*`, and the proxies are as documented on the
# same page under `http.proxy`.
"FETCHGIT_HTTP_PROXIES"
]; ];
inherit preferLocalBuild meta allowedRequisites; inherit preferLocalBuild meta allowedRequisites;

5
pkgs/build-support/fetchgit/nix-prefetch-git
View File

@ -126,6 +126,11 @@ init_remote(){
echo "$sparseCheckout" | git sparse-checkout set --stdin ${nonConeMode:+--no-cone} echo "$sparseCheckout" | git sparse-checkout set --stdin ${nonConeMode:+--no-cone}
fi fi
( [ -n "$http_proxy" ] && clean_git config --global http.proxy "$http_proxy" ) || true ( [ -n "$http_proxy" ] && clean_git config --global http.proxy "$http_proxy" ) || true
local proxy_pairs i
read -a proxy_pairs <<< "${FETCHGIT_HTTP_PROXIES:-}"
for ((i = 1; i < ${#proxy_pairs[@]}; i += 2)); do
clean_git config --global "http.${proxy_pairs[$i - 1]}.proxy" "${proxy_pairs[$i]}"
done
} }
# Return the reference of an hash if it exists on the remote repository. # Return the reference of an hash if it exists on the remote repository.

16
pkgs/by-name/to/tor/package.nix
View File

@ -19,6 +19,7 @@
nixosTests, nixosTests,
writeShellScript, writeShellScript,
versionCheckHook, versionCheckHook,
makeSetupHook,
}: }:
let let
@ -111,8 +112,21 @@ stdenv.mkDerivation (finalAttrs: {
versionCheckProgramArg = "--version"; versionCheckProgramArg = "--version";
passthru = { passthru = {
tests.tor = nixosTests.tor; tests = {
inherit (nixosTests) tor;
proxyHook = callPackage ./proxy-hook-tests.nix {
tor = finalAttrs.finalPackage;
};
};
updateScript = callPackage ./update.nix { }; updateScript = callPackage ./update.nix { };
proxyHook = makeSetupHook {
name = "tor-proxy-hook";
substitutions = {
grep = lib.getExe gnugrep;
tee = lib.getExe' coreutils "tee";
tor = lib.getExe finalAttrs.finalPackage;
};
} ./proxy-hook.sh;
}; };
meta = { meta = {

45
pkgs/by-name/to/tor/proxy-hook-tests.nix Normal file
View File

@ -0,0 +1,45 @@
{
testers,
fetchFromGitLab,
fetchgit,
fetchurl,
fetchzip,
linkFarm,
tor,
}:
let
domain = "eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion";
rev = "933c5491db00c703d5d8264fdabd5a5b10aff96f";
hash = "sha256-o6Wpso8GSlQH39GpH3IXZyrVhdP8pEYFxLDq9a7yHX0=";
in
linkFarm "tor-proxy-hook-tests" {
fetchgit = testers.invalidateFetcherByDrvHash fetchgit {
name = "fetchgit-tor-source";
url = "http://${domain}/tpo/core/tor";
inherit rev hash;
nativeBuildInputs = [ tor.proxyHook ];
};
fetchzip = testers.invalidateFetcherByDrvHash fetchzip {
name = "fetchzip-tor-source";
url = "http://${domain}/tpo/core/tor/-/archive/${rev}/tor-${rev}.zip";
inherit hash;
nativeBuildInputs = [ tor.proxyHook ];
};
fetchurl = testers.invalidateFetcherByDrvHash fetchurl {
name = "fetchurl-tor-source";
url = "http://${domain}/tpo/core/tor/-/raw/${rev}/Cargo.lock";
hash = "sha256-oX4WbsscLADgJ5o+czpueyAih7ic0u4lZQs7y1vMA3A=";
nativeBuildInputs = [ tor.proxyHook ];
};
fetchFromGitLab = testers.invalidateFetcherByDrvHash fetchFromGitLab {
name = "gitlab-tor-source";
protocol = "http";
owner = "tpo/core";
repo = "tor";
inherit domain rev hash;
nativeBuildInputs = [ tor.proxyHook ];
};
}

19
pkgs/by-name/to/tor/proxy-hook.sh Normal file
View File

@ -0,0 +1,19 @@
_setupTorProxy(){
local torSocket=$NIX_BUILD_TOP/.tor.sock
local torPort=unix:$torSocket
exec {tor_fd}< <(@tor@ --DataDirectory "$NIX_BUILD_TOP/.tor" --SocksPort "$torPort")
exitHooks+=("kill '$!'")
# Wait for Tor to start
read < <(<&$tor_fd- @tee@ /dev/fd/2 | @grep@ -m 1 -F 'Bootstrapped 100% (done): Done')
export ALL_PROXY="socks5h://localhost$torSocket"
# A Git repository may have submodules that fetch from clearnet URLs, so
# for better performance, use Tor only for onion addresses. (fetchgit
# doesn't respect ALL_PROXY, so this doesn't conflict.)
export FETCHGIT_HTTP_PROXIES="http://*.onion $ALL_PROXY ${FETCHGIT_HTTP_PROXIES-}"
}
postHooks+=(_setupTorProxy)