
tor

Part of the Clan networking abstraction. It defines how to reach machines through the Tor network and, if used, has the lowest priority.

System
Network

Experimental

This service is experimental and will change in the future.


This module is part of Clan's networking interface.

Clan's networking module automatically manages connections across available network transports and falls back intelligently. When you run clan ssh or clan machines update, Clan attempts each configured network in priority order until a connection succeeds.

The example below configures all your NixOS machines to be reachable over the Tor network. By default, the tor module has the lowest priority among networks, as it's the slowest.

  inventory.instances = {
    # Fallback: Secure connections via Tor
    tor = {
      roles.server.tags.nixos = { };
    };
  };

Roles

The tor service has the following roles:

  • client
  • server

The client role has no configuration.

Options for the server role

portMapping

List of port mappings for the Tor onion service. Each mapping defines which ports are exposed through Tor and where they should forward to. The default exposes SSH (port 22) for remote access.

Type: list of raw value

Default:

[
  {
    port = 22;
    target = {
      port = 22;
    };
  }
]

Declared in: clanServices/tor/default.nix

secretHostname

Whether to keep the onion service hostname secret.

When enabled (default), the hostname is stored securely as a secret var and not exposed in your configuration.

If you expose SSH, it is recommended to keep this set to true in public configurations, as anyone with knowledge of the hostname could attempt brute-force attacks against it.

Type: boolean

Default:

true

Declared in: clanServices/tor/default.nix
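
The two server options set together on one instance, as an added example that is not taken from the Clan documentation or source. It assumes role options go under roles.server.settings (Clan's usual inventory convention, not shown on this page) and that the local sshd listens on port 2222 (a constructed value).

```nix
{
  inventory.instances = {
    tor = {
      # Every machine tagged "nixos" runs the onion service.
      roles.server.tags.nixos = { };

      # Assumption: per-role options are set under `settings`.
      roles.server.settings = {
        # Stated explicitly even though true is the default, so that a
        # configuration pushed to a public repository never carries the
        # onion hostname in clear text; it stays in a secret var.
        secretHostname = true;

        # Expose SSH only. The onion-facing port stays 22, while the
        # forward target is the local sshd port (2222 here, constructed).
        # Every extra entry in this list is another service reachable by
        # anyone who learns the onion hostname.
        portMapping = [
          {
            port = 22;
            target = {
              port = 2222;
            };
          }
        ];
      };
    };
  };
}
```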