@@ -87,6 +87,7 @@ Copyright @copyright{} 2020 Daniel Brooks@*
Copyright @copyright{} 2020 John Soo@*
Copyright @copyright{} 2020 Jonathan Brielmaier@*
Copyright @copyright{} 2020 Edgar Vincent@*
+Copyright @copyright{} 2021 raid5atemyhomework@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -16676,6 +16677,18 @@ If @code{#t}, Tor will listen for control commands on the UNIX domain socket
@file{/var/run/tor/control-sock}, which will be made writable by members of the
@code{tor} group.
+@item @code{control-port?} (default: @code{#f})
+Whether or not to provide a ``control port'' by which Tor can be controlled
+to, for instance, dynamically instantiate tor onion services. This is more
+commonly supported by Tor controllers than using a UNIX domain socket as
+above. If @code{#t}, Tor will listen for authenticated control commands over
+the control port 9051. In order to authenticate to this port, Tor controllers
+need to read the cookie file at @file{/var/lib/tor/control_auth_cookie}, which
+will be made readable by members of the @code{tor} group.
+
+This can be set to a number instead, which will make Tor listen for control
+commands over the specified port number.
+
@end table
@end deftp
@@ -747,7 +747,9 @@ demand.")))
(socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
(default 'tcp))
(control-socket? tor-control-socket-path
- (default #f)))
+ (default #f))
+ (control-port? tor-control-port?
+ (default #f))) ; #f | #t | number
(define %tor-accounts
;; User account and groups for Tor.
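Review bot: The new `control-port?` field is constrained only by the trailing comment `; #f | #t | number`; nothing enforces it, and the torrc hunk (L45–L60) splices the value into the file with `~a`, so any other value an operator writes ends up verbatim in a torrc line and surfaces as a Tor start-up failure rather than a configuration error. Fields of `define-record-type*` take a `sanitize` option, so a validator that accepts booleans and TCP port numbers and rejects everything else at evaluation time would catch this early. The `?` suffix conventionally marks a boolean in Scheme, so the comment should at least spell out the three meanings, e.g. `; #f (off) | #t (default port 9051) | TCP port number`. The validator below uses plain `error`; the project's usual `&message` condition may be preferred if it is in scope.
```scheme
(define (validate-control-port value)
  ;; Accept #f, #t (use Tor's default port) or a TCP port number; anything
  ;; else would be copied verbatim into torrc by the "ControlPort ~a" format.
  (if (or (boolean? value)
          (and (exact-integer? value) (<= 1 value 65535)))
      value
      (error "tor: invalid 'control-port?' value (expected #f, #t or a port number):"
             value)))

;; … unchanged: tor-configuration fields up to control-socket? …
  (control-port? tor-control-port?
                 (default #f)                 ; #f (off) | #t (port 9051) | TCP port
                 (sanitize validate-control-port)))
```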
@@ -770,7 +772,8 @@ demand.")))
"Return a 'torrc' file for CONFIG."
(match config
(($ <tor-configuration> tor config-file services
- socks-socket-type control-socket?)
+ socks-socket-type control-socket?
+ control-port?)
(computed-file
"torrc"
(with-imported-modules '((guix build utils))
@@ -795,6 +798,16 @@ UnixSocksGroupWritable 1\n" port))
ControlSocket unix:/var/run/tor/control-sock GroupWritable RelaxDirModeCheck
ControlSocketsGroupWritable 1\n"
port))
+ (when #$control-port?
+ (format port
+ "\
+ControlPort ~a
+CookieAuthentication 1
+CookieAuthFileGroupReadable 1
+DataDirectoryGroupReadable 1\n"
+ #$(if (eq? control-port? #t)
+ 9051
+ control-port?)))
(for-each (match-lambda
((service (ports hosts) ...)
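Review bot: `DataDirectoryGroupReadable 1` (L55), together with the 0750 mode applied to `/var/lib/tor` in the activation hunk (L61–L73), makes the whole data directory traversable and its non-private files readable by every member of group `tor`, not just the cookie file: as far as I recall Tor keeps `keys/` and onion-service directories at 0700 on its own, but files such as `state` and the cached descriptors become group-readable. That is the accepted cost of leaving the cookie at its default location, which the activation-hunk comment justifies, but the torrc block says nothing about it; a comment above the `when` such as `;; The cookie lives in DataDirectory, so Tor must be told the directory is group-readable; this also exposes 'state' and cached descriptors to group 'tor'.` would record the trade-off where the option is written. The default port `9051` on L57 is also repeated in the manual hunk; a named constant such as `%tor-default-control-port` would keep the two in sync. The enclosing torrc-generating gexp starts before this hunk.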
@@ -884,7 +897,12 @@ HiddenServicePort ~a ~a~%"
;; Allow Tor to access the hidden services' directories.
(mkdir-p "/var/lib/tor")
(chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))
- (chmod "/var/lib/tor" #o700)
+ ;; Allow Tor controllers to access the cookie file if control-port?
+ ;; By default this is where Tor puts the cookie file, and most Tor
+ ;; controllers expect this file location (and not on `/var/run/tor`).
+ (chmod "/var/lib/tor" #$(if (tor-control-port? config)
+ #o750
+ #o700))
;; Make sure /var/lib is accessible to the 'tor' user.
(chmod "/var/lib" #o755)
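Review bot: The 0750/0700 choice on L69–L71 is coupled to the `DataDirectoryGroupReadable 1` line written in the torrc hunk (L45–L60), and neither side names the other: as far as I know Tor rejects a DataDirectory that is group-accessible unless that option is set, and conversely the option does nothing while the directory stays 0700, so changing one without the other breaks the service. The comment at L66–L68 should state the coupling, e.g. `;; Must match DataDirectoryGroupReadable in torrc: Tor refuses a group-accessible DataDirectory without it.` It also describes the change as being about the cookie file, whereas the mode grants group `tor` traversal and listing of the entire data directory; `;; Grant group 'tor' traversal of the data directory so controllers can reach the cookie file.` is more accurate. The enclosing activation gexp starts before this hunk.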