[PATCH] doc: cookbook: Add entry about getting substitutes through Tor.

DoneSubmitted by Brice Waegeneire.
Details
2 participants
  • Brice Waegeneire
  • Ludovic Courtès
Owner
unassigned
Severity
normal
B
B
Brice Waegeneire wrote on 3 Jun 2020 21:12
Download
(address . guix-patches@gnu.org)
20200603191249.29382-1-brice@waegenei.re
Download
* doc/guix-cookbook.texi (Getting substitutes from Tor): New section.--- doc/guix-cookbook.texi | 55 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+)
Toggle diff (82 lines)diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texiindex 5574a60857..83abc704ca 100644--- a/doc/guix-cookbook.texi+++ b/doc/guix-cookbook.texi@@ -14,6 +14,7 @@ Copyright @copyright{} 2019 Pierre Neidhardt@* Copyright @copyright{} 2020 Oleg Pykhalov@* Copyright @copyright{} 2020 Matthew Brooks@* Copyright @copyright{} 2020 Marcin Karpezo@*+Copyright @copyright{} 2020 Brice Waegeneire@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or@@ -1326,6 +1327,7 @@ reference. * Connecting to Wireguard VPN:: Connecting to a Wireguard VPN. * Customizing a Window Manager:: Handle customization of a Window manager on Guix System. * Setting up a bind mount:: Setting up a bind mount in the file-systems definition.+* Getting substitutes from Tor:: Configuring Guix daemon to get substitutes through Tor. @end menu @node Customizing the Kernel@@ -1785,6 +1787,59 @@ mount itself. )) @end lisp +@node Getting substitutes from Tor+@section Getting substitutes from Tor++@quotation Warning+@emph{Not all} Guix daemon's traffic will go through Tor! Only+HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections+will still go through the clearnet. Again, this configuration isn't+foolproof some of your traffic won't get routed by Tor at all. Use it+at your own risk.+@end quotation++Guix's substitute server is available as a hidden service, if you want+to use it to get your substitutes from Tor configure your system as+follow:++@lisp+(use-modules (gnu))+(use-service-module base networking)++(operating-system+ …+ (services+ (cons+ (service tor-service-type+ (tor-configuration+ (config-file (plain-file "tor-config"+ "HTTPTunnelPort 127.0.0.1:9250"))))+ (modify-services %base-services+ (guix-service-type+ config => (guix-configuration+ (inherit config)+ ;; ci.guix.gnu.org's hidden service+ (substitute-urls "https://bp7o7ckwlewr4slm.onion")+ (http-proxy "http://localhost:9250")))))))+@end lisp++This will keep a tor process running that provides a HTTP CONNECT tunnel+which will be used by @command{guix-daemon}. The daemon can use other+protocols than HTTP(S) to get remote resources, request using those+protocols won't go through Tor since we are only setting a HTTP tunnel+here. Note that @code{substitutes-urls} is using HTTPS and not HTTP or+it won't work, that's a limitation of Tor's tunnel; you may want to use+@command{privoxy} instead to avoid such limitations.++If you don't want to always get substitutes through Tor but using it just+some of the times, then skip the @code{guix-configuration}. When you+want to get a substitute from the Tor tunnel run:++@example+# herd set-http-proxy guix-daemon http://localhost:9250+$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello+@end example+ @c ********************************************************************* @node Advanced package management @chapter Advanced package management-- 2.26.2
L
L
Ludovic Courtès wrote on 4 Jun 2020 14:29
Download
(name . Brice Waegeneire)(address . brice@waegenei.re)
87367baua7.fsf@gnu.org
Download
Hi,
Brice Waegeneire <brice@waegenei.re> skribis:
Toggle quote (2 lines)> * doc/guix-cookbook.texi (Getting substitutes from Tor): New section.
Yay!
Toggle quote (11 lines)> +@node Getting substitutes from Tor> +@section Getting substitutes from Tor> +> +@quotation Warning> +@emph{Not all} Guix daemon's traffic will go through Tor! Only> +HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections> +will still go through the clearnet. Again, this configuration isn't> +foolproof some of your traffic won't get routed by Tor at all. Use it> +at your own risk.> +@end quotation
I would suggest adding a line of intro before the warning, otherwise wesee the warning before even knowing what the section is about. :-)
Toggle quote (2 lines)> +Guix's substitute server is available as a hidden service, if you want
I think official terminology these days is “Onion service”.
Toggle quote (17 lines)> +to use it to get your substitutes from Tor configure your system as> +follow:> +> +@lisp> +(use-modules (gnu))> +(use-service-module base networking)> +> +(operating-system> + …> + (services> + (cons> + (service tor-service-type> + (tor-configuration> + (config-file (plain-file "tor-config"> + "HTTPTunnelPort 127.0.0.1:9250"))))> + (modify-services %base-services> + (guix-service-type
^^^^^^^^^^^^^Too many spaces here.
Toggle quote (5 lines)> +@example> +# herd set-http-proxy guix-daemon http://localhost:9250> +$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello> +@end example
To make it copy/pastable, you can remove the prompt and write it as:
sudo herd set-http-proxy … guix build …
Something along these lines LGTM.
Thank you!
Ludo’.
B
B
Brice Waegeneire wrote on 4 Jun 2020 14:54
Download
(name . Ludovic Courtès)(address . ludo@gnu.org)
5b7e576318d73e89ba5a9cafb6861061@waegenei.re
Download
Hello,
On 2020-06-04 12:29, Ludovic Courtès wrote:
Toggle quote (65 lines)> Hi,> > Brice Waegeneire <brice@waegenei.re> skribis:> >> * doc/guix-cookbook.texi (Getting substitutes from Tor): New section.> > Yay!> >> +@node Getting substitutes from Tor>> +@section Getting substitutes from Tor>> +>> +@quotation Warning>> +@emph{Not all} Guix daemon's traffic will go through Tor! Only>> +HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections>> +will still go through the clearnet. Again, this configuration isn't>> +foolproof some of your traffic won't get routed by Tor at all. Use >> it>> +at your own risk.>> +@end quotation> > I would suggest adding a line of intro before the warning, otherwise we> see the warning before even knowing what the section is about. :-)> >> +Guix's substitute server is available as a hidden service, if you >> want> > I think official terminology these days is “Onion service”.> >> +to use it to get your substitutes from Tor configure your system as>> +follow:>> +>> +@lisp>> +(use-modules (gnu))>> +(use-service-module base networking)>> +>> +(operating-system>> + …>> + (services>> + (cons>> + (service tor-service-type>> + (tor-configuration>> + (config-file (plain-file "tor-config">> + "HTTPTunnelPort >> 127.0.0.1:9250"))))>> + (modify-services %base-services>> + (guix-service-type> ^^^^^^^^^^^^^> Too many spaces here.> >> +@example>> +# herd set-http-proxy guix-daemon http://localhost:9250>> +$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello>> +@end example> > To make it copy/pastable, you can remove the prompt and write it as:> > sudo herd set-http-proxy …> guix build …> > Something along these lines LGTM.> > Thank you!> > Ludo’.
Thank you for the review Ludovic.
Pushed as c987b72382e739bf887849b02c533eda317ea52b with the 3 modifications youwere requesting.
- Brice
Closed
?
Your may also send email to 41694@debbugs.gnu.org to comment.