From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id eEv4Fkf2114yQQAA0tVLHw (envelope-from ) for ; Wed, 03 Jun 2020 19:13:11 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id mCy6Ekf2116mSAAAbx9fmQ (envelope-from ) for ; Wed, 03 Jun 2020 19:13:11 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id C118994036C for ; Wed, 3 Jun 2020 19:13:10 +0000 (UTC) Received: from localhost ([::1]:48732 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jgYp3-0003T1-KD for larch@yhetil.org; Wed, 03 Jun 2020 15:13:09 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:34450) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jgYou-0003Sq-PE; Wed, 03 Jun 2020 15:13:00 -0400 Received: from relay5-d.mail.gandi.net ([217.70.183.197]:59571) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jgYot-000472-1y; Wed, 03 Jun 2020 15:13:00 -0400 X-Originating-IP: 78.237.113.178 Received: from localhost (luy13-1-78-237-113-178.fbx.proxad.net [78.237.113.178]) (Authenticated sender: brice@waegenei.re) by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 076C71C0002; Wed, 3 Jun 2020 19:12:54 +0000 (UTC) From: Brice Waegeneire To: guix-patches@gnu.org Subject: [PATCH] doc: cookbook: Add entry about getting substitutes through Tor. Date: Wed, 3 Jun 2020 21:12:49 +0200 Message-Id: <20200603191249.29382-1-brice@waegenei.re> X-Mailer: git-send-email 2.26.2 In-Reply-To: <87blmmkx87.fsf@gnu.org> References: <87blmmkx87.fsf@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=217.70.183.197; envelope-from=brice@waegenei.re; helo=relay5-d.mail.gandi.net X-detected-operating-system: by eggs.gnu.org: First seen = 2020/06/03 15:12:55 X-ACL-Warn: Detected OS = Linux 3.11 and newer X-Spam_score_int: -25 X-Spam_score: -2.6 X-Spam_bar: -- X-Spam_report: (-2.6 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001 autolearn=_AUTOLEARN X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Spam-Score: 0.09 X-TUID: ilIEaEOxTBTW * doc/guix-cookbook.texi (Getting substitutes from Tor): New section. --- doc/guix-cookbook.texi | 55 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index 5574a60857..83abc704ca 100644 --- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -14,6 +14,7 @@ Copyright @copyright{} 2019 Pierre Neidhardt@* Copyright @copyright{} 2020 Oleg Pykhalov@* Copyright @copyright{} 2020 Matthew Brooks@* Copyright @copyright{} 2020 Marcin Karpezo@* +Copyright @copyright{} 2020 Brice Waegeneire@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -1326,6 +1327,7 @@ reference. * Connecting to Wireguard VPN:: Connecting to a Wireguard VPN. * Customizing a Window Manager:: Handle customization of a Window manager on Guix System. * Setting up a bind mount:: Setting up a bind mount in the file-systems definition. +* Getting substitutes from Tor:: Configuring Guix daemon to get substitutes through Tor. @end menu @node Customizing the Kernel @@ -1785,6 +1787,59 @@ mount itself. )) @end lisp +@node Getting substitutes from Tor +@section Getting substitutes from Tor + +@quotation Warning +@emph{Not all} Guix daemon's traffic will go through Tor! Only +HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections +will still go through the clearnet. Again, this configuration isn't +foolproof some of your traffic won't get routed by Tor at all. Use it +at your own risk. +@end quotation + +Guix's substitute server is available as a hidden service, if you want +to use it to get your substitutes from Tor configure your system as +follow: + +@lisp +(use-modules (gnu)) +(use-service-module base networking) + +(operating-system + … + (services + (cons + (service tor-service-type + (tor-configuration + (config-file (plain-file "tor-config" + "HTTPTunnelPort 127.0.0.1:9250")))) + (modify-services %base-services + (guix-service-type + config => (guix-configuration + (inherit config) + ;; ci.guix.gnu.org's hidden service + (substitute-urls "https://bp7o7ckwlewr4slm.onion") + (http-proxy "http://localhost:9250"))))))) +@end lisp + +This will keep a tor process running that provides a HTTP CONNECT tunnel +which will be used by @command{guix-daemon}. The daemon can use other +protocols than HTTP(S) to get remote resources, request using those +protocols won't go through Tor since we are only setting a HTTP tunnel +here. Note that @code{substitutes-urls} is using HTTPS and not HTTP or +it won't work, that's a limitation of Tor's tunnel; you may want to use +@command{privoxy} instead to avoid such limitations. + +If you don't want to always get substitutes through Tor but using it just +some of the times, then skip the @code{guix-configuration}. When you +want to get a substitute from the Tor tunnel run: + +@example +# herd set-http-proxy guix-daemon http://localhost:9250 +$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello +@end example + @c ********************************************************************* @node Advanced package management @chapter Advanced package management -- 2.26.2