path: root/nixos/modules/services/networking/privoxy.nix
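{ config, lib, pkgs, ... }:

# NixOS module for the Privoxy filtering proxy.
#
# Generates a privoxy.conf from the `services.privoxy` options, runs privoxy
# as a sandboxed systemd service and, when `enableTor` is set, wires it to a
# dedicated Tor SOCKS port and disables Privoxy's remote control interfaces.

with lib;

let

  inherit (pkgs) privoxy;

  cfg = config.services.privoxy;

  # Tor SOCKS endpoint used when cfg.enableTor is set. Declared once so the
  # `forward-socks5t` rule in confFile and the services.tor SOCKSPort entry
  # below cannot drift apart.
  torSocksAddr = "127.0.0.1";
  torSocksPort = 9063;

  confFile = pkgs.writeText "privoxy.conf" (''
    user-manual ${privoxy}/share/doc/privoxy/user-manual
    confdir ${privoxy}/etc/
    listen-address  ${cfg.listenAddress}
    enable-edit-actions ${if cfg.enableEditActions then "1" else "0"}
    ${concatMapStrings (f: "actionsfile ${f}\n") cfg.actionsFiles}
    ${concatMapStrings (f: "filterfile ${f}\n") cfg.filterFiles}
  ''
  # When forwarding through Tor, lock down every interface a client could use
  # to switch filtering off or change the actions: a remote toggle or edit
  # would let traffic escape the Tor forward. `enable-edit-actions 0` is
  # emitted again here so it overrides the value derived from
  # cfg.enableEditActions above (assumes privoxy applies the last occurrence
  # of a single-valued directive -- verify before reordering these blocks).
  + optionalString cfg.enableTor ''
    forward-socks5t / ${torSocksAddr}:${toString torSocksPort} .
    toggle 1
    enable-remote-toggle 0
    enable-edit-actions 0
    enable-remote-http-toggle 0
  ''
  # extraConfig is appended verbatim and last, so user-supplied directives
  # come after everything generated above.
  + ''
    ${cfg.extraConfig}
  '');

in

{

  ###### interface

  options = {

    services.privoxy = {

      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to enable the Privoxy non-caching filtering proxy.
        '';
      };

      # Defaults to loopback only; the proxy is not authenticated, so a
      # non-loopback address exposes it to whoever can reach that interface.
      listenAddress = mkOption {
        type = types.str;
        default = "127.0.0.1:8118";
        description = ''
          Address the proxy server is listening to.
        '';
      };

      actionsFiles = mkOption {
        type = types.listOf types.str;
        example = [ "match-all.action" "default.action" "/etc/privoxy/user.action" ];
        default = [ "match-all.action" "default.action" ];
        description = ''
          List of paths to Privoxy action files.
          These paths may either be absolute or relative to the privoxy configuration directory.
        '';
      };

      filterFiles = mkOption {
        type = types.listOf types.str;
        example = [ "default.filter" "/etc/privoxy/user.filter" ];
        default = [ "default.filter" ];
        description = ''
          List of paths to Privoxy filter files.
          These paths may either be absolute or relative to the privoxy configuration directory.
        '';
      };

      # Controls the web-based actions editor; forced off by the enableTor
      # block in confFile regardless of this value.
      enableEditActions = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether or not the web-based actions file editor may be used.
        '';
      };

      enableTor = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to configure Privoxy to use Tor's faster SOCKS port,
          suitable for HTTP.
        '';
      };

      extraConfig = mkOption {
        type = types.lines;
        default = "" ;
        description = ''
          Extra configuration. Contents will be added verbatim to the configuration file.
        '';
      };
    };

  };

  ###### implementation

  config = mkIf cfg.enable {

    # Dedicated unprivileged account; privoxy switches to it via --user below.
    users.users.privoxy = {
      isSystemUser = true;
      home = "/var/empty";
      group = "privoxy";
    };

    users.groups.privoxy = {};

    systemd.services.privoxy = {
      description = "Filtering web proxy";
      after = [ "network.target" "nss-lookup.target" ];
      wantedBy = [ "multi-user.target" ];
      # No User= is set on the unit, so privoxy itself drops privileges to the
      # `privoxy` account after start-up.
      serviceConfig.ExecStart = "${privoxy}/bin/privoxy --no-daemon --user privoxy ${confFile}";

      # systemd filesystem sandboxing: no physical devices, a private /tmp,
      # no access to home directories and a read-only /usr, /boot and /etc.
      serviceConfig.PrivateDevices = true;
      serviceConfig.PrivateTmp = true;
      serviceConfig.ProtectHome = true;
      serviceConfig.ProtectSystem = "full";
    };

    services.tor.settings.SOCKSPort = mkIf cfg.enableTor [
      # Route HTTP traffic over a faster port (without IsolateDestAddr).
      # Must match the forward-socks5t target in confFile; both come from
      # torSocksAddr/torSocksPort.
      { addr = torSocksAddr; port = torSocksPort; IsolateDestAddr = false; }
    ];

  };

  meta.maintainers = with lib.maintainers; [ rnhmjoj ];

}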