Next: , Previous: , Up: System Configuration   [Contents][Index]


3.11 Getting substitutes from Tor

Guix daemon can use a HTTP proxy to get substitutes, here we are configuring it to get them via Tor.

Warning: Not all Guix daemon’s traffic will go through Tor! Only HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections will still go through the clearnet. Again, this configuration isn’t foolproof some of your traffic won’t get routed by Tor at all. Use it at your own risk.

Also note that the procedure described here applies only to package substitution. When you update your guix distribution with guix pull, you still need to use torsocks if you want to route the connection to guix’s git repository servers through Tor.

Guix’s substitute server is available as a Onion service, if you want to use it to get your substitutes through Tor configure your system as follow:

(use-modules (gnu))
(use-service-module base networking)

(operating-system
  
  (services
    (cons
      (service tor-service-type
              (tor-configuration
                (config-file (plain-file "tor-config"
                                         "HTTPTunnelPort 127.0.0.1:9250"))))
      (modify-services %base-services
        (guix-service-type
          config => (guix-configuration
                      (inherit config)
                      ;; ci.guix.gnu.org's Onion service
                      (substitute-urls
                       "https://4zwzi66wwdaalbhgnix55ea3ab4pvvw66ll2ow53kjub6se4q2bclcyd.onion")
                      (http-proxy "http://localhost:9250")))))))

This will keep a tor process running that provides a HTTP CONNECT tunnel which will be used by guix-daemon. The daemon can use other protocols than HTTP(S) to get remote resources, request using those protocols won’t go through Tor since we are only setting a HTTP tunnel here. Note that substitutes-urls is using HTTPS and not HTTP or it won’t work, that’s a limitation of Tor’s tunnel; you may want to use privoxy instead to avoid such limitations.

If you don’t want to always get substitutes through Tor but using it just some of the times, then skip the guix-configuration. When you want to get a substitute from the Tor tunnel run:

sudo herd set-http-proxy guix-daemon http://localhost:9250
guix build \
  --substitute-urls=https://4zwzi66wwdaalbhgnix55ea3ab4pvvw66ll2ow53kjub6se4q2bclcyd.onion …

Next: Setting up NGINX with Lua, Previous: Setting up a bind mount, Up: System Configuration   [Contents][Index]