
Unable to Disable SSH Onion Service in Nix-Bitcoin #764

Open
cryptedx opened this issue Feb 9, 2025 · 2 comments

Comments

@cryptedx

cryptedx commented Feb 9, 2025

Description

I am trying to disable the SSH onion address in my Nix-Bitcoin setup, but it remains active despite setting nix-bitcoin.onionServices.sshd.enable = false;.

Even after rebuilding the system with nixos-rebuild switch, I can still see the SSH onion directory at /var/lib/tor/onion/sshd/, and Tor continues to serve SSH over the onion network.


Steps to Reproduce

  1. Set the following in /etc/nixos/configuration.nix:
    nix-bitcoin.onionServices.sshd.enable = false;
    services.tor.onionServices.sshd.enable = false; # is not working at all, gives me a build error after running nixos-rebuild switch
  2. Run:
    sudo nixos-rebuild switch --show-trace
  3. Check if SSH Onion Service is still active:
    sudo ls -al /var/lib/tor/onion/
    • The output still shows sshd exists.
  4. Restart Tor and check logs:
    sudo systemctl restart tor.service
    journalctl -u tor.service -n 50 --no-pager | grep ssh
    • Tor still seems to recognize SSH as an onion service.

Observed Behavior

  • The SSH onion service remains active even though I explicitly disabled it in my configuration.
  • nixos-option nix-bitcoin.onionServices.sshd.enable confirms that it is set to false, but the service still exists.

Expected Behavior

  • The SSH onion service should be completely disabled after setting nix-bitcoin.onionServices.sshd.enable = false; and rebuilding the system.

Debugging Information

  • nixos-option nix-bitcoin.onionServices.sshd.enable output:
    Value: false
    
  • sudo ls -al /var/lib/tor/onion/ output:
    drwx------ 6 tor tor 4096 Feb  9 10:28 .
    drwx------ 4 tor tor 4096 Feb  9 10:39 ..
    drwx------ 3 tor tor 4096 Jan 31 20:22 bitcoind
    drwx------ 3 tor tor 4096 Feb  2 22:34 electrs
    drwx------ 3 tor tor 4096 Feb  3 20:38 mempool-frontend
    drwx------ 3 tor tor 4096 Feb  9 10:28 sshd
    
  • journalctl -u tor.service -n 50 --no-pager | grep ssh output:
    [Tor logs still show sshd being served]
    

System Information

  • NixOS Version: 24.11
  • Nix-Bitcoin Version: 0.0.118
  • Tor Version: 0.4.8.13
  • Deployment Method: nixos-rebuild

Possible Causes

  • secure-node.nix might be overriding the SSH onion setting.
  • services.tor.relay.onionServices.sshd might still be enabled somewhere.
  • A cached Tor configuration might be reloading the old settings.

Question

  • How can I permanently disable the SSH onion service?
  • Is there an additional override I need to set?
  • Could there be a bug preventing nix-bitcoin.onionServices.sshd.enable = false; from being applied correctly?

Thanks in advance for any guidance!

@jonasnick
Member

Hey @cryptedx,

Thanks for the report. The reason that nix-bitcoin.onionServices.sshd.enable = false; doesn't work is that the sshd onion service isn't enabled in that way in the first place. Instead, it is "manually" created in secure-node.nix via services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; };.

services.tor.onionServices.sshd.enable = false; doesn't work because that option doesn't exist.

The way the tor module is written, I don't see an easy way to disable the sshd module once it has been enabled via the secure-node.nix import. However, nix-bitcoin should support disabling the sshd onion service even when secure-node.nix is used.

While not permanently disabling the onion service, you can set it to an unused port via

services.tor.relay.onionServices.sshd.map = [ 12345 ];

I tested this with our test framework by starting a VM via

./tests/run-tests.sh --scenario '{
imports = [ scenarios.secureNode ];
services.openssh = {
  enable = true;
};
services.tor.relay.onionServices.sshd.map = [ 12345 ];
}' vm

and then running nodeinfo.
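Because the `enable` flag never applied here, the reliable way to confirm what Tor is actually exposing is to inspect the torrc it loads rather than the NixOS option value. The script below is an added example, not code from nix-bitcoin or from this thread: it parses HiddenServiceDir/HiddenServicePort lines and lists which onion services map port 22 (virtual or target side), so a defender can verify that the port remap in the reply above really removed SSH from the onion side. The two torrc fragments are constructed for the example; the exact formatting NixOS emits is an assumption, and on a live node you would feed it the file named in `systemctl cat tor.service`.

```shell
#!/usr/bin/env bash
# Constructed torrc fragment in the shape NixOS's tor module is assumed to
# emit before any workaround: sshd still maps onion port 22 -> 127.0.0.1:22.
SAMPLE_TORRC_BEFORE='HiddenServiceDir /var/lib/tor/onion/bitcoind
HiddenServiceVersion 3
HiddenServicePort 8333 127.0.0.1:8333
HiddenServiceDir /var/lib/tor/onion/sshd
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
HiddenServiceDir /var/lib/tor/onion/electrs
HiddenServiceVersion 3
HiddenServicePort 50001 127.0.0.1:50001'

# Constructed fragment after services.tor.relay.onionServices.sshd.map = [ 12345 ];
# (assumption: an integer map entry yields the same virtual and target port).
SAMPLE_TORRC_AFTER='HiddenServiceDir /var/lib/tor/onion/bitcoind
HiddenServiceVersion 3
HiddenServicePort 8333 127.0.0.1:8333
HiddenServiceDir /var/lib/tor/onion/sshd
HiddenServiceVersion 3
HiddenServicePort 12345 127.0.0.1:12345'

# Print the basename of every HiddenServiceDir whose HiddenServicePort line
# uses $2 as either the onion-side (virtual) port or the local target port.
# $1 is torrc text; output is one service name per line, empty if none.
onion_services_exposing_port() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "HiddenServiceDir" { n = split($2, parts, "/"); svc = parts[n] }
        $1 == "HiddenServicePort" {
            vport = $2
            tport = $3; sub(/.*:/, "", tport)   # keep only the port of addr:port
            if (vport == want || tport == want) print svc
        }'
}

# Exit 0 when no onion service exposes port $2, 1 otherwise; usable as a
# post-rebuild check in a script or a systemd ExecStartPost.
assert_port_not_exposed() {
    [ -z "$(onion_services_exposing_port "$1" "$2")" ]
}

# Stand-alone demonstration against the constructed fragments.
echo "before remap, services exposing 22: $(onion_services_exposing_port "$SAMPLE_TORRC_BEFORE" 22)"
echo "after remap,  services exposing 22: $(onion_services_exposing_port "$SAMPLE_TORRC_AFTER" 22)"
```

The check deliberately looks at both sides of the mapping: the remap moves the onion-side port, but if a later configuration change pointed a different virtual port at 127.0.0.1:22 the service would be reachable again, and this script would still flag it.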

@cryptedx
Author

Thanks for your help. I can confirm that I was able to change the port with your method. This adds some more safety for me.

Are you going to add a way to disable sshd completely?
