[PATCH] doc: cookbook: Add entry about getting substitutes through Tor.

Status: Done
Participants: Brice Waegeneire, Ludovic Courtès
Owner: unassigned
Submitted by: Brice Waegeneire
Severity: normal
Brice Waegeneire wrote on 3 Jun 2020 21:12
(address . guix-patches@gnu.org)
20200603191249.29382-1-brice@waegenei.re
* doc/guix-cookbook.texi (Getting substitutes from Tor): New section.
---
doc/guix-cookbook.texi | 55 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 5574a60857..83abc704ca 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -14,6 +14,7 @@ Copyright @copyright{} 2019 Pierre Neidhardt@*
Copyright @copyright{} 2020 Oleg Pykhalov@*
Copyright @copyright{} 2020 Matthew Brooks@*
Copyright @copyright{} 2020 Marcin Karpezo@*
+Copyright @copyright{} 2020 Brice Waegeneire@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -1326,6 +1327,7 @@ reference.
* Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.
* Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
* Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
+* Getting substitutes from Tor:: Configuring Guix daemon to get substitutes through Tor.
@end menu
@node Customizing the Kernel
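Review bot: the new menu entry names the node "Getting substitutes from Tor", but its own description and the commit subject say "through Tor". Substitutes come from the substitute server and Tor is only the transport, so "Getting substitutes through Tor" would be the more accurate name; the @node and @section lines added further down would have to change with it. The description would also read better as "Configuring the Guix daemon to get substitutes through Tor."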
@@ -1785,6 +1787,59 @@ mount itself.
))
@end lisp
+@node Getting substitutes from Tor
+@section Getting substitutes from Tor
+
+@quotation Warning
+@emph{Not all} Guix daemon's traffic will go through Tor! Only
+HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
+will still go through the clearnet. Again, this configuration isn't
+foolproof some of your traffic won't get routed by Tor at all. Use it
+at your own risk.
+@end quotation
+
+Guix's substitute server is available as a hidden service, if you want
+to use it to get your substitutes from Tor configure your system as
+follow:
+
+@lisp
+(use-modules (gnu))
+(use-service-module base networking)
+
+(operating-system
+ …
+ (services
+ (cons
+ (service tor-service-type
+ (tor-configuration
+ (config-file (plain-file "tor-config"
+ "HTTPTunnelPort 127.0.0.1:9250"))))
+ (modify-services %base-services
+ (guix-service-type
+ config => (guix-configuration
+ (inherit config)
+ ;; ci.guix.gnu.org's hidden service
+ (substitute-urls "https://bp7o7ckwlewr4slm.onion")
+ (http-proxy "http://localhost:9250")))))))
+@end lisp
+
+This will keep a tor process running that provides a HTTP CONNECT tunnel
+which will be used by @command{guix-daemon}. The daemon can use other
+protocols than HTTP(S) to get remote resources, request using those
+protocols won't go through Tor since we are only setting a HTTP tunnel
+here. Note that @code{substitutes-urls} is using HTTPS and not HTTP or
+it won't work, that's a limitation of Tor's tunnel; you may want to use
+@command{privoxy} instead to avoid such limitations.
+
+If you don't want to always get substitutes through Tor but using it just
+some of the times, then skip the @code{guix-configuration}. When you
+want to get a substitute from the Tor tunnel run:
+
+@example
+# herd set-http-proxy guix-daemon http://localhost:9250
+$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
+@end example
+
@c *********************************************************************
@node Advanced package management
@chapter Advanced package management
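Review bot: the @lisp example will not evaluate as written. `(use-service-module base networking)` should be `(use-service-modules base networking)`, and `substitute-urls` is given a bare string where `guix-configuration` expects a list of URLs, so it should be `(substitute-urls '("https://bp7o7ckwlewr4slm.onion"))`. The paragraph after the example refers to `@code{substitutes-urls}`, which does not match the `substitute-urls` field used in the example. The Tor config binds the tunnel to `127.0.0.1:9250` while `http-proxy` and the `herd set-http-proxy` command use `localhost:9250`; using the same literal address in all three places removes any dependence on how `localhost` resolves. In the warning, "isn't foolproof some of your traffic" needs punctuation after "foolproof", and "as follow:" should be "as follows:". Since the warning is the security-relevant part of the section, it would help to say there that the proxy setting only covers the daemon's HTTP/HTTPS fetches, which is what the later paragraph explains.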
--
2.26.2
Ludovic Courtès wrote on 4 Jun 2020 14:29
(name . Brice Waegeneire)(address . brice@waegenei.re)
87367baua7.fsf@gnu.org
Hi,

Brice Waegeneire <brice@waegenei.re> writes:

> * doc/guix-cookbook.texi (Getting substitutes from Tor): New section.

Yay!

> +@node Getting substitutes from Tor
> +@section Getting substitutes from Tor
> +
> +@quotation Warning
> +@emph{Not all} Guix daemon's traffic will go through Tor! Only
> +HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
> +will still go through the clearnet. Again, this configuration isn't
> +foolproof some of your traffic won't get routed by Tor at all. Use it
> +at your own risk.
> +@end quotation

I would suggest adding a line of intro before the warning, otherwise we
see the warning before even knowing what the section is about. :-)

> +Guix's substitute server is available as a hidden service, if you want

I think official terminology these days is “Onion service”.

> +to use it to get your substitutes from Tor configure your system as
> +follow:
> +
> +@lisp
> +(use-modules (gnu))
> +(use-service-module base networking)
> +
> +(operating-system
> + …
> + (services
> + (cons
> + (service tor-service-type
> + (tor-configuration
> + (config-file (plain-file "tor-config"
> + "HTTPTunnelPort 127.0.0.1:9250"))))
> + (modify-services %base-services
> + (guix-service-type
^^^^^^^^^^^^^
Too many spaces here.

> +@example
> +# herd set-http-proxy guix-daemon http://localhost:9250
> +$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
> +@end example

To make it copy/pastable, you can remove the prompt and write it as:

sudo herd set-http-proxy …
guix build …

Something along these lines LGTM.

Thank you!

Ludo’.
Brice Waegeneire wrote on 4 Jun 2020 14:54
(name . Ludovic Courtès)(address . ludo@gnu.org)
5b7e576318d73e89ba5a9cafb6861061@waegenei.re
Hello,

On 2020-06-04 12:29, Ludovic Courtès wrote:
> Hi,
>
> Brice Waegeneire <brice@waegenei.re> writes:
>
>> * doc/guix-cookbook.texi (Getting substitutes from Tor): New section.
>
> Yay!
>
>> +@node Getting substitutes from Tor
>> +@section Getting substitutes from Tor
>> +
>> +@quotation Warning
>> +@emph{Not all} Guix daemon's traffic will go through Tor! Only
>> +HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
>> +will still go through the clearnet. Again, this configuration isn't
>> +foolproof some of your traffic won't get routed by Tor at all. Use
>> it
>> +at your own risk.
>> +@end quotation
>
> I would suggest adding a line of intro before the warning, otherwise we
> see the warning before even knowing what the section is about. :-)
>
>> +Guix's substitute server is available as a hidden service, if you
>> want
>
> I think official terminology these days is “Onion service”.
>
>> +to use it to get your substitutes from Tor configure your system as
>> +follow:
>> +
>> +@lisp
>> +(use-modules (gnu))
>> +(use-service-module base networking)
>> +
>> +(operating-system
>> + …
>> + (services
>> + (cons
>> + (service tor-service-type
>> + (tor-configuration
>> + (config-file (plain-file "tor-config"
>> + "HTTPTunnelPort
>> 127.0.0.1:9250"))))
>> + (modify-services %base-services
>> + (guix-service-type
> ^^^^^^^^^^^^^
> Too many spaces here.
>
>> +@example
>> +# herd set-http-proxy guix-daemon http://localhost:9250
>> +$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
>> +@end example
>
> To make it copy/pastable, you can remove the prompt and write it as:
>
> sudo herd set-http-proxy …
> guix build …
>
> Something along these lines LGTM.
>
> Thank you!
>
> Ludo’.

Thank you for the review Ludovic.

Pushed as c987b72382e739bf887849b02c533eda317ea52b with the 3 modifications you
were requesting.

- Brice
Closed