author | Micah Anderson <micah@riseup.net> | 2017-11-28 11:35:01 -0500 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2017-11-28 11:35:01 -0500 |
commit | 0d251e2ceddd3e02ed8bba8725830689dbdd1397 (patch) | |
tree | 37d7096d9e458ca1e6431dff8a2f571553011c44 /puppet/modules/site_tor | |
parent | 93a181d44e2d8163ae44945aac1b6477e268170d (diff) | |
parent | bf6c56d86c7ba45e7ca766d990a9e9162025e5ac (diff) |
Merge tag 'refs/tags/0.10.0' into stable
Release 0.10.0
Diffstat (limited to 'puppet/modules/site_tor')
-rw-r--r-- | puppet/modules/site_tor/manifests/disable_exit.pp | 6 | ||||
-rw-r--r-- | puppet/modules/site_tor/manifests/hidden_service.pp | 13 | ||||
-rw-r--r-- | puppet/modules/site_tor/manifests/init.pp | 49 | ||||
-rw-r--r-- | puppet/modules/site_tor/manifests/relay.pp | 45 |
4 files changed, 73 insertions, 40 deletions
diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp
index 078f80ae..85c24bfc 100644
--- a/puppet/modules/site_tor/manifests/disable_exit.pp
+++ b/puppet/modules/site_tor/manifests/disable_exit.pp
@@ -1,7 +1,13 @@
+# ensure that the tor relay is not configured as an exit node
 class site_tor::disable_exit { tor::daemon::exit_policy { 'no_exit_at_all': reject => [ '*:*' ]; }
+# In a future version of Tor, ExitRelay 0 may become the default when no ExitPolicy is given.
+ tor::daemon::snippet {
+ 'disable_exit':
+ content => 'ExitRelay 0';
+ } }
diff --git a/puppet/modules/site_tor/manifests/hidden_service.pp b/puppet/modules/site_tor/manifests/hidden_service.pp
new file mode 100644
index 00000000..87a7b696
--- /dev/null
+++ b/puppet/modules/site_tor/manifests/hidden_service.pp
@@ -0,0 +1,13 @@
+# This class simply makes sure a base tor is installed and configured
+# It doesn't configure any specific hidden service functionality,
+# instead that is configured in site_webapp::hidden_service and
+# site_static::hidden_service.
+#
+# Those could be factored out to make them more generic.
+class site_tor::hidden_service {
+ tag 'leap_service'
+ Class['site_config::default'] -> Class['site_tor::hidden_service']
+
+ include site_config::default
+ include site_tor
+}
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp
index 2207a5a9..5e209ba8 100644
--- a/puppet/modules/site_tor/manifests/init.pp
+++ b/puppet/modules/site_tor/manifests/init.pp
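Review bot: The new `# In a future version of Tor, ExitRelay 0 …` comment sits at column 0 inside the class body while the `tor::daemon::snippet` it explains is indented, and that resource puts its title on a separate line with a trailing `;`, unlike the `tor::daemon::exit_policy` declaration directly above it. Indenting the comment with the resource and writing `tor::daemon::snippet { 'disable_exit': content => 'ExitRelay 0' }` would keep the two declarations in one style. Adding `ExitRelay 0` next to the reject-all policy is a reasonable belt-and-braces default for a relay that must never exit, and the comment should say that it is deliberately redundant with the policy above rather than only mentioning a future Tor default.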
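Review bot: The header comment on site_tor::hidden_service says what the class does not configure but not what `include site_tor` now provides, so a reader of this file alone cannot tell whether this tor instance could ever act as a relay or exit (site_tor::disable_exit is only pulled in by the relay class in this commit). A line such as `# site_tor only declares tor::daemon; no relay/ORPort is configured here, so the exit policy in site_tor::disable_exit is not needed on this node` would make the intended posture explicit — that statement depends on tor::daemon's defaults, which are not visible here, so confirm it before adding.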
@@ -1,45 +1,14 @@ +# generic configuration needed for tor class site_tor { - tag 'leap_service' - Class['site_config::default'] -> Class['site_tor'] - $tor = hiera('tor') - $bandwidth_rate = $tor['bandwidth_rate'] - $tor_type = $tor['type'] - $nickname = $tor['nickname'] - $contact_emails = join($tor['contacts'],', ') - $family = $tor['family'] + # Ensure the tor version is the latest from backports + # see https://0xacab.org/leap/platform/issues/8783 + apt::preferences_snippet { 'tor': + package => 'tor', + release => "${::lsbdistcodename}-backports", + priority => 999, + before => Class['tor::daemon'] } - $address = hiera('ip_address') - - $openvpn = hiera('openvpn', undef) - if $openvpn { - $openvpn_ports = $openvpn['ports'] - } - else { - $openvpn_ports = [] - } - - include site_config::default - include tor::daemon - tor::daemon::relay { $nickname: - port => 9001, - address => $address, - contact_info => obfuscate_email($contact_emails), - bandwidth_rate => $bandwidth_rate, - my_family => $family - } - - if ( $tor_type == 'exit'){ - # Only enable the daemon directory if the node isn't also a webapp node - # or running openvpn on port 80 - if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') { - tor::daemon::directory { $::hostname: port => 80 } - } - } - else { - include site_tor::disable_exit - } - - include site_shorewall::tor + class { 'tor::daemon': ensure_version => latest } } diff --git a/puppet/modules/site_tor/manifests/relay.pp b/puppet/modules/site_tor/manifests/relay.pp new file mode 100644 index 00000000..fcb83bc1 --- /dev/null +++ b/puppet/modules/site_tor/manifests/relay.pp 
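Review bot: `class { 'tor::daemon': ensure_version => latest }` is a resource-like declaration where the removed code used `include tor::daemon`; any other manifest that still does `include tor::daemon` and is evaluated before site_tor will now fail with a duplicate declaration error, so the other includers (site_webapp::hidden_service and site_static::hidden_service are named in this commit, but not shown) should be checked. Separately, `ensure_version => latest` together with the priority 999 pin on `${::lsbdistcodename}-backports` means every newer backports build is installed on the next agent run and the daemon restarted, and the hunk does not say where the backports source and its signing key are configured; a comment such as `# latest + 999 pin: any newer backports build is installed on the next run and tor restarted (backports source configured elsewhere)` would record that this is intended.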
@@ -0,0 +1,45 @@
+class site_tor::relay {
+ tag 'leap_service'
+ Class['site_config::default'] -> Class['site_tor::relay']
+
+ $tor = hiera('tor')
+ $bandwidth_rate = $tor['bandwidth_rate']
+ $tor_type = $tor['type']
+ $nickname = $tor['nickname']
+ $contact_emails = join($tor['contacts'],', ')
+ $family = $tor['family']
+
+ $address = hiera('ip_address')
+
+ $openvpn = hiera('openvpn', undef)
+ if $openvpn {
+ $openvpn_ports = $openvpn['ports']
+ }
+ else {
+ $openvpn_ports = []
+ }
+
+ include site_config::default
+ include site_tor
+
+ tor::daemon::relay { $nickname:
+ port => 9001,
+ address => $address,
+ contact_info => obfuscate_email($contact_emails),
+ bandwidth_rate => $bandwidth_rate,
+ my_family => $family
+ }
+
+ if ( $tor_type == 'exit'){
+ # Only enable the daemon directory if the node isn't also a webapp node
+ # or running openvpn on port 80
+ if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') {
+ tor::daemon::directory { $::hostname: port => 80 }
+ }
+ }
+ else {
+ include site_tor::disable_exit
+ }
+
+ include site_shorewall::tor
+}
|
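Review bot: `! member($openvpn_ports, '80')` compares the string `'80'` against whatever hiera returns for `openvpn['ports']`; if those values are numbers the check never matches and the directory port would be declared on 80 even when openvpn already listens there. This is carried over from the old init.pp rather than introduced here, but it is worth confirming the hiera type or accepting both forms with `! (member($openvpn_ports, 80) or member($openvpn_ports, '80'))`. The file is also the only new manifest in this commit without a header comment; something like `# configure this node as a tor relay; exiting is disabled unless tor.type is 'exit', and the dir port on 80 is only opened when nothing else uses it` would document the default-deny on exiting that the `else` branch implements.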