From 16a1b0e53160fd26cd778bedfa9cfe23848c07bc Mon Sep 17 00:00:00 2001
From: euxane
Date: Sun, 7 Sep 2025 13:09:20 +0200
Subject: [PATCH] nixos/tor: add onion service unix sockets to BindPaths

Setting up an onion service with a UNIX socket with `services.tor.relay.onionServices..target.unix` didn't work out of the box because the tor service runs within an isolated root. This adds the missing path binding to make this work.
---
 nixos/modules/services/security/tor.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 3d5c817532e5..219458870472 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -1410,7 +1410,14 @@ in
 RootDirectoryStartOnly = true;
 #InaccessiblePaths = [ "-+${runDir}/root" ];
 UMask = "0066";
- BindPaths = [ stateDir ];
+ BindPaths = [
+ stateDir
+ ]
+ ++ lib.catAttrs "unix" (
+ lib.catAttrs "target" (
+ lib.concatMap (onionService: onionService.map) (lib.attrValues cfg.relay.onionServices)
+ )
+ );
 BindReadOnlyPaths = [
 builtins.storeDir
 "/etc"
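Review bot: The added `++ lib.catAttrs "unix" (lib.catAttrs "target" …)` never filters null values, so an onion service whose `map` entry targets a TCP address/port instead of a socket — which, as far as I can tell with the option declarations outside this hunk, leaves `target` or `target.unix` null — either hands `null` to `catAttrs "unix"` (an evaluation error) or drops a `null` into `BindPaths`; confirm which against the `map` option's type and any `apply` normalisation, and filter both levels as in the rewrite below. Two caveats come from systemd rather than from this hunk: `BindPaths=` refuses to start the unit when a source path does not yet exist unless the entry is prefixed with `-`, so ordering against the backend service matters, and bind-mounting the socket file itself pins that inode, so a backend that recreates its socket on restart leaves Tor connected to a stale mount — binding the socket's directory (`dirOf`) is the usual remedy, at the cost of a slightly wider grant inside the hardened root. The enclosing attribute set starts and ends outside the hunk.

```nix
BindPaths = [
  stateDir
]
++ lib.filter (unix: unix != null) (
  lib.catAttrs "unix" (
    lib.filter (target: target != null) (
      lib.catAttrs "target" (
        lib.concatMap (onionService: onionService.map) (lib.attrValues cfg.relay.onionServices)
      )
    )
  )
);
# … unchanged: BindReadOnlyPaths …
```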