GNU bug report logs - #41694
[PATCH] doc: cookbook: Add entry about getting substitutes through Tor.
Reported by: Brice Waegeneire <brice <at> waegenei.re>
Date: Wed, 3 Jun 2020 19:14:01 UTC
Severity: normal
Tags: patch
Done: Brice Waegeneire <brice <at> waegenei.re>
Bug is archived. No further changes may be made.
[Message part 1 (text/plain, inline)]
Your bug report
#41694: [PATCH] doc: cookbook: Add entry about getting substitutes through Tor.
which was filed against the guix-patches package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 41694 <at> debbugs.gnu.org.
--
41694: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=41694
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Hello,
On 2020-06-04 12:29, Ludovic Courtès wrote:
> Hi,
>
> Brice Waegeneire <brice <at> waegenei.re> skribis:
>
>> * doc/guix-cookbook.texi (Getting substitutes from Tor): New section.
>
> Yay!
>
>> +@node Getting substitutes from Tor
>> +@section Getting substitutes from Tor
>> +
>> +@quotation Warning
>> +@emph{Not all} Guix daemon's traffic will go through Tor! Only
>> +HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
>> +will still go through the clearnet. Again, this configuration isn't
>> +foolproof some of your traffic won't get routed by Tor at all. Use
>> it
>> +at your own risk.
>> +@end quotation
>
> I would suggest adding a line of intro before the warning, otherwise we
> see the warning before even knowing what the section is about. :-)
>
>> +Guix's substitute server is available as a hidden service, if you
>> want
>
> I think official terminology these days is “Onion service”.
>
>> +to use it to get your substitutes from Tor configure your system as
>> +follow:
>> +
>> +@lisp
>> +(use-modules (gnu))
>> +(use-service-module base networking)
>> +
>> +(operating-system
>> + …
>> + (services
>> + (cons
>> + (service tor-service-type
>> + (tor-configuration
>> + (config-file (plain-file "tor-config"
>> + "HTTPTunnelPort
>> 127.0.0.1:9250"))))
>> + (modify-services %base-services
>> + (guix-service-type
> ^^^^^^^^^^^^^
> Too many spaces here.
>
>> +@example
>> +# herd set-http-proxy guix-daemon http://localhost:9250
>> +$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
>> +@end example
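Review bot: The one-off example sets the daemon-wide proxy with `herd set-http-proxy guix-daemon http://localhost:9250` but never shows how to undo it, so a reader who wanted Tor only "some of the times" keeps sending every later HTTP(S) download through port 9250 until the setting is changed again. Consider adding the reset step after the `guix build` line: `herd set-http-proxy guix-daemon` with no URL clears the proxy.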
>
> To make it copy/pastable, you can remove the prompt and write it as:
>
> sudo herd set-http-proxy …
> guix build …
>
> Something along these lines LGTM.
>
> Thank you!
>
> Ludo’.
Thank you for the review Ludovic.
Pushed as c987b72382e739bf887849b02c533eda317ea52b with the 3 modifications you were requesting.
- Brice
[Message part 3 (message/rfc822, inline)]
* doc/guix-cookbook.texi (Getting substitutes from Tor): New section.
---
doc/guix-cookbook.texi | 55 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 5574a60857..83abc704ca 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -14,6 +14,7 @@ Copyright @copyright{} 2019 Pierre Neidhardt@*
Copyright @copyright{} 2020 Oleg Pykhalov@*
Copyright @copyright{} 2020 Matthew Brooks@*
Copyright @copyright{} 2020 Marcin Karpezo@*
+Copyright @copyright{} 2020 Brice Waegeneire@*
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -1326,6 +1327,7 @@ reference.
* Connecting to Wireguard VPN:: Connecting to a Wireguard VPN.
* Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
* Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
+* Getting substitutes from Tor:: Configuring Guix daemon to get substitutes through Tor.
@end menu
@node Customizing the Kernel
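Review bot: The added menu line mixes two wordings: the node is named "Getting substitutes from Tor" while its description says "through Tor". The substitutes come from the substitute server and Tor is only the transport, so "through Tor" is the accurate one and the node name would read better if it matched. The description also wants an article: "Configuring the Guix daemon to get substitutes through Tor."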
@@ -1785,6 +1787,59 @@ mount itself.
))
@end lisp
+@node Getting substitutes from Tor
+@section Getting substitutes from Tor
+
+@quotation Warning
+@emph{Not all} Guix daemon's traffic will go through Tor! Only
+HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
+will still go through the clearnet. Again, this configuration isn't
+foolproof some of your traffic won't get routed by Tor at all. Use it
+at your own risk.
+@end quotation
+
+Guix's substitute server is available as a hidden service, if you want
+to use it to get your substitutes from Tor configure your system as
+follow:
+
+@lisp
+(use-modules (gnu))
+(use-service-module base networking)
+
+(operating-system
+ …
+ (services
+ (cons
+ (service tor-service-type
+ (tor-configuration
+ (config-file (plain-file "tor-config"
+ "HTTPTunnelPort 127.0.0.1:9250"))))
+ (modify-services %base-services
+ (guix-service-type
+ config => (guix-configuration
+ (inherit config)
+ ;; ci.guix.gnu.org's hidden service
+ (substitute-urls "https://bp7o7ckwlewr4slm.onion")
+ (http-proxy "http://localhost:9250")))))))
+@end lisp
+
+This will keep a tor process running that provides a HTTP CONNECT tunnel
+which will be used by @command{guix-daemon}. The daemon can use other
+protocols than HTTP(S) to get remote resources, request using those
+protocols won't go through Tor since we are only setting a HTTP tunnel
+here. Note that @code{substitutes-urls} is using HTTPS and not HTTP or
+it won't work, that's a limitation of Tor's tunnel; you may want to use
+@command{privoxy} instead to avoid such limitations.
+
+If you don't want to always get substitutes through Tor but using it just
+some of the times, then skip the @code{guix-configuration}. When you
+want to get a substitute from the Tor tunnel run:
+
+@example
+# herd set-http-proxy guix-daemon http://localhost:9250
+$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
+@end example
+
@c *********************************************************************
@node Advanced package management
@chapter Advanced package management
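Review bot: In the `@lisp` block, `(use-service-module base networking)` should be `(use-service-modules base networking)`; as written the example cannot be pasted into a system configuration. The prose below it has the opposite slip: `@code{substitutes-urls}` does not match the field `substitute-urls` used in the `guix-configuration` form. The tunnel is bound to `127.0.0.1:9250` but the proxy URL is `http://localhost:9250`; on a host where `localhost` resolves to `::1` first the daemon would find nothing listening, so use `127.0.0.1` in both places. Smaller wording points: "as follow:" should be "as follows:", and the warning's "isn't foolproof some of your traffic" needs a semicolon or full stop after "foolproof".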
--
2.26.2
This bug report was last modified 4 years and 355 days ago.