The Guix daemon can use an HTTP proxy to get substitutes; here we configure it to get them via Tor.
Warning: Not all of the Guix daemon’s traffic will go through Tor! Only HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc. connections will still go through the clearnet. Again, this configuration isn’t foolproof: some of your traffic won’t get routed by Tor at all. Use it at your own risk.
Also note that the procedure described here applies only to package substitution. When you update your Guix distribution with guix pull, you still need to use torsocks if you want to route the connection to Guix’s Git repository servers through Tor.
Guix’s substitute server is available as an Onion service. If you want to use it to get your substitutes through Tor, configure your system as follows:
(use-modules (gnu))
(use-service-modules base networking)

(operating-system
  …
  (services
    (cons
      ;; Run Tor with an HTTP CONNECT tunnel bound to the loopback interface.
      (service tor-service-type
               (tor-configuration
                 (config-file (plain-file "tor-config"
                                          "HTTPTunnelPort 127.0.0.1:9250"))))
      (modify-services %base-services
        (guix-service-type
          config => (guix-configuration
                      (inherit config)
                      ;; ci.guix.gnu.org's Onion service
                      (substitute-urls
                       (list "https://bp7o7ckwlewr4slm.onion"))
                      ;; Send the daemon's HTTP(S) traffic through the tunnel.
                      (http-proxy "http://localhost:9250")))))))
This will keep a tor process running that provides an HTTP CONNECT tunnel which will be used by guix-daemon. The daemon can use protocols other than HTTP(S) to get remote resources; requests using those protocols won’t go through Tor since we are only setting up an HTTP tunnel here. Note that substitute-urls is using HTTPS and not HTTP or it won’t work, that’s a limitation of Tor’s tunnel; you may want to use privoxy instead to avoid such limitations.
If you don’t want to always get substitutes through Tor but only some of the time, then skip the guix-configuration. When you want to get a substitute from the Tor tunnel run:
sudo herd set-http-proxy guix-daemon http://localhost:9250
guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion …
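The on-demand procedure above leaves the daemon pointed at the tunnel until the proxy is changed again. The following wrapper is an added example, not part of the original page or of Guix: it sets the proxy, runs the build, and always clears the proxy afterwards. The function names are hypothetical, and it assumes guix-daemon normally runs without a proxy, so that clearing it restores the usual state.

```shell
#!/bin/sh
# Added example: on-demand substitutes through the Tor tunnel.
# Assumption: the tor service with HTTPTunnelPort 127.0.0.1:9250 is running
# and guix-daemon has no proxy configured by default.

TOR_PROXY="http://localhost:9250"            # tunnel address used on this page
ONION_URL="https://bp7o7ckwlewr4slm.onion"   # substitute server from this page

# The substitute URL has to be HTTPS for Tor's tunnel to carry it,
# so reject anything else before touching the daemon.
check_substitute_url() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing $1: substitute URL must use HTTPS" >&2; return 1 ;;
  esac
}

# Hypothetical wrapper. Usage: guix_build_via_tor PACKAGE [more guix build args]
guix_build_via_tor() {
  local build_rc=0
  check_substitute_url "$ONION_URL" || return 2
  # Point the daemon at the tunnel. If this fails, stop here instead of
  # letting the build run without the proxy.
  sudo herd set-http-proxy guix-daemon "$TOR_PROXY" || return 3
  guix build --substitute-urls="$ONION_URL" "$@" || build_rc=$?
  # Calling set-http-proxy without a URL clears the proxy setting.
  # Do it even when the build failed.
  sudo herd set-http-proxy guix-daemon || build_rc=4
  return "$build_rc"
}
```

Exit status 2 means the URL check failed, 3 that the proxy could not be set, 4 that it could not be cleared; any other non-zero status is the one returned by guix build.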