GNU bug report logs - #41694
[PATCH] doc: cookbook: Add entry about getting substitutes through Tor.


Package: guix-patches;

Reported by: Brice Waegeneire <brice <at> waegenei.re>

Date: Wed, 3 Jun 2020 19:14:01 UTC

Severity: normal

Tags: patch

Done: Brice Waegeneire <brice <at> waegenei.re>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#41694; Package guix-patches. (Wed, 03 Jun 2020 19:14:01 GMT)

Acknowledgement sent to Brice Waegeneire <brice <at> waegenei.re>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 03 Jun 2020 19:14:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Brice Waegeneire <brice <at> waegenei.re>
To: guix-patches <at> gnu.org
Cc: guix-devel <at> gnu.org, ludo <at> gnu.org
Subject: [PATCH] doc: cookbook: Add entry about getting substitutes through
 Tor.
Date: Wed,  3 Jun 2020 21:12:49 +0200

* doc/guix-cookbook.texi (Getting substitutes from Tor): New section.
---
 doc/guix-cookbook.texi | 55 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 5574a60857..83abc704ca 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -14,6 +14,7 @@ Copyright @copyright{} 2019 Pierre Neidhardt@*
 Copyright @copyright{} 2020 Oleg Pykhalov@*
 Copyright @copyright{} 2020 Matthew Brooks@*
 Copyright @copyright{} 2020 Marcin Karpezo@*
+Copyright @copyright{} 2020 Brice Waegeneire@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -1326,6 +1327,7 @@ reference.
 * Connecting to Wireguard VPN::  Connecting to a Wireguard VPN.
 * Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
 * Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
+* Getting substitutes from Tor:: Configuring Guix daemon to get substitutes through Tor.
 @end menu
 
 @node Customizing the Kernel
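Review bot: The new menu entry names the node "Getting substitutes from Tor" while its own description, and the commit subject, say "through Tor". The substitutes come from the substitute server and only travel through Tor, so "Getting substitutes through Tor" would keep the node name, the section title and the description consistent. The description would also read better as "Configuring the Guix daemon to get substitutes through Tor."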
@@ -1785,6 +1787,59 @@ mount itself.
                 ))
 @end lisp
 
+@node Getting substitutes from Tor
+@section Getting substitutes from Tor
+
+@quotation Warning
+@emph{Not all} Guix daemon's traffic will go through Tor!  Only
+HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
+will still go through the clearnet.  Again, this configuration isn't
+foolproof some of your traffic won't get routed by Tor at all.  Use it
+at your own risk.
+@end quotation
+
+Guix's substitute server is available as a hidden service, if you want
+to use it to get your substitutes from Tor configure your system as
+follow:
+
+@lisp
+(use-modules (gnu))
+(use-service-module base networking)
+
+(operating-system
+  …
+  (services
+    (cons
+      (service tor-service-type
+              (tor-configuration
+                (config-file (plain-file "tor-config"
+                                         "HTTPTunnelPort 127.0.0.1:9250"))))
+      (modify-services %base-services
+                       (guix-service-type
+                         config => (guix-configuration
+                                     (inherit config)
+                                     ;; ci.guix.gnu.org's hidden service
+                                     (substitute-urls "https://bp7o7ckwlewr4slm.onion")
+                                     (http-proxy "http://localhost:9250")))))))
+@end lisp
+
+This will keep a tor process running that provides a HTTP CONNECT tunnel
+which will be used by @command{guix-daemon}.  The daemon can use other
+protocols than HTTP(S) to get remote resources, request using those
+protocols won't go through Tor since we are only setting a HTTP tunnel
+here.  Note that @code{substitutes-urls} is using HTTPS and not HTTP or
+it won't work, that's a limitation of Tor's tunnel; you may want to use
+@command{privoxy} instead to avoid such limitations.
+
+If you don't want to always get substitutes through Tor but using it just
+some of the times, then skip the @code{guix-configuration}.  When you
+want to get a substitute from the Tor tunnel run:
+
+@example
+# herd set-http-proxy guix-daemon http://localhost:9250
+$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
+@end example
+
 @c *********************************************************************
 @node Advanced package management
 @chapter Advanced package management
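Review bot: The paragraph after the Lisp example refers to @code{substitutes-urls}, but the field in the example and the option in the shell example are both spelled substitute-urls; the @code should match so readers can look the field up. In the same section the tunnel is bound with "HTTPTunnelPort 127.0.0.1:9250" while both (http-proxy "http://localhost:9250") and the herd set-http-proxy command point at localhost; using 127.0.0.1 in all three places means the proxy target does not depend on how localhost resolves on the host. The example's second line should also be checked against a real system configuration: the form that loads service modules is use-service-modules (plural), and the substitute-urls field takes a list of URLs rather than a bare string. Finally, since the warning says only HTTP/HTTPS is proxied, the closing paragraph could state that the daemon's proxy setting stays in effect until it is changed again, so readers using the one-off herd command know their later substitute fetches are still going through the tunnel.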
-- 
2.26.2





Information forwarded to guix-patches <at> gnu.org:
bug#41694; Package guix-patches. (Thu, 04 Jun 2020 12:30:02 GMT)

Message #8 received at 41694 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Brice Waegeneire <brice <at> waegenei.re>
Cc: guix-devel <at> gnu.org, 41694 <at> debbugs.gnu.org
Subject: Re: [bug#41694] [PATCH] doc: cookbook: Add entry about getting
 substitutes through Tor.
Date: Thu, 04 Jun 2020 14:29:36 +0200

Hi,

Brice Waegeneire <brice <at> waegenei.re> skribis:

> * doc/guix-cookbook.texi (Getting substitutes from Tor): New section.

Yay!

> +@node Getting substitutes from Tor
> +@section Getting substitutes from Tor
> +
> +@quotation Warning
> +@emph{Not all} Guix daemon's traffic will go through Tor!  Only
> +HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
> +will still go through the clearnet.  Again, this configuration isn't
> +foolproof some of your traffic won't get routed by Tor at all.  Use it
> +at your own risk.
> +@end quotation
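Review bot: In the warning's third sentence, "this configuration isn't foolproof some of your traffic won't get routed by Tor at all" runs two clauses together without punctuation and restates the first sentence. Either drop the sentence starting with "Again," or join the clauses with a colon, so the warning states once which protocols are proxied (HTTP/HTTPS) and which are not (FTP, Git protocol, SSH).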

I would suggest adding a line of intro before the warning, otherwise we
see the warning before even knowing what the section is about.  :-)

> +Guix's substitute server is available as a hidden service, if you want

I think official terminology these days is “Onion service”.

> +to use it to get your substitutes from Tor configure your system as
> +follow:
> +
> +@lisp
> +(use-modules (gnu))
> +(use-service-module base networking)
> +
> +(operating-system
> +  …
> +  (services
> +    (cons
> +      (service tor-service-type
> +              (tor-configuration
> +                (config-file (plain-file "tor-config"
> +                                         "HTTPTunnelPort 127.0.0.1:9250"))))
> +      (modify-services %base-services
> +                       (guix-service-type
             ^^^^^^^^^^^^^
Too many spaces here.

> +@example
> +# herd set-http-proxy guix-daemon http://localhost:9250
> +$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
> +@end example

To make it copy/pastable, you can remove the prompt and write it as:

  sudo herd set-http-proxy …
  guix build …

Something along these lines LGTM.

Thank you!

Ludo’.




Reply sent to Brice Waegeneire <brice <at> waegenei.re>:
You have taken responsibility. (Thu, 04 Jun 2020 12:55:02 GMT)

Notification sent to Brice Waegeneire <brice <at> waegenei.re>:
bug acknowledged by developer. (Thu, 04 Jun 2020 12:55:02 GMT)

Message #13 received at 41694-done <at> debbugs.gnu.org:

From: Brice Waegeneire <brice <at> waegenei.re>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: guix-devel <at> gnu.org, 41694-done <at> debbugs.gnu.org
Subject: Re: [bug#41694] [PATCH] doc: cookbook: Add entry about getting
 substitutes through Tor.
Date: Thu, 04 Jun 2020 12:54:00 +0000

Hello,

On 2020-06-04 12:29, Ludovic Courtès wrote:
> Hi,
> 
> Brice Waegeneire <brice <at> waegenei.re> skribis:
> 
>> * doc/guix-cookbook.texi (Getting substitutes from Tor): New section.
> 
> Yay!
> 
>> +@node Getting substitutes from Tor
>> +@section Getting substitutes from Tor
>> +
>> +@quotation Warning
>> +@emph{Not all} Guix daemon's traffic will go through Tor!  Only
>> +HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
>> +will still go through the clearnet.  Again, this configuration isn't
>> +foolproof some of your traffic won't get routed by Tor at all.  Use 
>> it
>> +at your own risk.
>> +@end quotation
> 
> I would suggest adding a line of intro before the warning, otherwise we
> see the warning before even knowing what the section is about.  :-)
> 
>> +Guix's substitute server is available as a hidden service, if you 
>> want
> 
> I think official terminology these days is “Onion service”.
> 
>> +to use it to get your substitutes from Tor configure your system as
>> +follow:
>> +
>> +@lisp
>> +(use-modules (gnu))
>> +(use-service-module base networking)
>> +
>> +(operating-system
>> +  …
>> +  (services
>> +    (cons
>> +      (service tor-service-type
>> +              (tor-configuration
>> +                (config-file (plain-file "tor-config"
>> +                                         "HTTPTunnelPort 
>> 127.0.0.1:9250"))))
>> +      (modify-services %base-services
>> +                       (guix-service-type
>              ^^^^^^^^^^^^^
> Too many spaces here.
> 
>> +@example
>> +# herd set-http-proxy guix-daemon http://localhost:9250
>> +$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
>> +@end example
> 
> To make it copy/pastable, you can remove the prompt and write it as:
> 
>   sudo herd set-http-proxy …
>   guix build …
> 
> Something along these lines LGTM.
> 
> Thank you!
> 
> Ludo’.

Thank you for the review Ludovic.

Pushed as c987b72382e739bf887849b02c533eda317ea52b with the 3 modifications
you were requesting.

- Brice




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 03 Jul 2020 11:24:07 GMT)

This bug report was last modified 4 years and 355 days ago.
