[bugfix] static sites: only enable hidden service by default if one domain is configured

The problem is that we have a single onion address per server, so if more
than one domain is configured we need to make sure they don't both try to
use the same onion address.

3 files changed, 10 insertions, 1 deletions

diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
index b26cc9e3..6cf2c653 100644
--- a/puppet/modules/site_static/manifests/domain.pp
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -4,6 +4,7 @@ define site_static::domain (
   $key,
   $cert,
   $tls_only=true,
+  $use_hidden_service=false,
   $locations=undef,
   $aliases=undef,
   $apache_config=undef) {
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 824619b4..dd3f912d 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -77,6 +77,14 @@ class site_static {
     if $hidden_service['active'] {
       include site_static::hidden_service
     }
+    # Currently, we only support a single hidden service address per server.
+    # So if there is more than one domain configured, then we need to make sure
+    # we don't enable the hidden service for every domain.
+    if size(keys($domains)) == 1 {
+      $always_use_hidden_service = true
+    } else {
+      $always_use_hidden_service = false
+    }
   }
 
   create_resources(site_static::domain, $domains)
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index af9a520d..dd04ca43 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -74,7 +74,7 @@
   Require all granted
 </Directory>
 
-<%- if @tor -%>
+<%- if @tor && (@always_use_hidden_service || @use_hidden_service) -%>
 ##
 ## Tor
 ##