authorMicah Anderson <micah@riseup.net>2016-11-04 10:54:28 -0400
committerMicah Anderson <micah@riseup.net>2016-11-04 10:54:28 -0400
commit34a381efa8f6295080c843f86bfa07d4e41056af (patch)
tree9282cf5d4c876688602705a7fa0002bc4a810bde /puppet/modules/tor/manifests
parent0a72bc6fd292bf9367b314fcb0347c4d35042f16 (diff)
parent5821964ff7e16ca7aa9141bd09a77d355db492a9 (diff)
Merge branch 'develop'
Diffstat (limited to 'puppet/modules/tor/manifests')
m---------puppet/modules/tor0
-rw-r--r--puppet/modules/tor/manifests/arm.pp9
-rw-r--r--puppet/modules/tor/manifests/base.pp14
-rw-r--r--puppet/modules/tor/manifests/compact.pp7
-rw-r--r--puppet/modules/tor/manifests/daemon.pp22
-rw-r--r--puppet/modules/tor/manifests/daemon/base.pp77
-rw-r--r--puppet/modules/tor/manifests/daemon/bridge.pp18
-rw-r--r--puppet/modules/tor/manifests/daemon/control.pp27
-rw-r--r--puppet/modules/tor/manifests/daemon/directory.pp27
-rw-r--r--puppet/modules/tor/manifests/daemon/dns.pp17
-rw-r--r--puppet/modules/tor/manifests/daemon/exit_policy.pp18
-rw-r--r--puppet/modules/tor/manifests/daemon/hidden_service.pp17
-rw-r--r--puppet/modules/tor/manifests/daemon/map_address.pp17
-rw-r--r--puppet/modules/tor/manifests/daemon/relay.pp42
-rw-r--r--puppet/modules/tor/manifests/daemon/snippet.pp16
-rw-r--r--puppet/modules/tor/manifests/daemon/socks.pp15
-rw-r--r--puppet/modules/tor/manifests/daemon/transparent.pp17
-rw-r--r--puppet/modules/tor/manifests/init.pp6
-rw-r--r--puppet/modules/tor/manifests/munin.pp21
-rw-r--r--puppet/modules/tor/manifests/polipo.pp9
-rw-r--r--puppet/modules/tor/manifests/polipo/base.pp22
-rw-r--r--puppet/modules/tor/manifests/polipo/debian.pp7
-rw-r--r--puppet/modules/tor/manifests/repo.pp16
-rw-r--r--puppet/modules/tor/manifests/repo/debian.pp9
-rw-r--r--puppet/modules/tor/manifests/torsocks.pp9
25 files changed, 459 insertions, 0 deletions
diff --git a/puppet/modules/tor b/puppet/modules/tor
deleted file mode 160000
-Subproject 8c936c166b6da1ebd0e8d95e56ceee5167357d6
diff --git a/puppet/modules/tor/manifests/arm.pp b/puppet/modules/tor/manifests/arm.pp
new file mode 100644
index 00000000..44ddcbbf
--- /dev/null
+++ b/puppet/modules/tor/manifests/arm.pp
@@ -0,0 +1,9 @@
+# manage tor-arm
+class tor::arm (
+ $ensure_version = 'installed'
+){
+ include ::tor
+ package{'tor-arm':
+ ensure => $ensure_version,
+ }
+}
diff --git a/puppet/modules/tor/manifests/base.pp b/puppet/modules/tor/manifests/base.pp
new file mode 100644
index 00000000..b98451be
--- /dev/null
+++ b/puppet/modules/tor/manifests/base.pp
@@ -0,0 +1,14 @@
+# basic management of resources for tor
+class tor::base {
+ package { [ 'tor', 'tor-geoipdb' ]:
+ ensure => $tor::ensure_version,
+ }
+
+ service { 'tor':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => Package['tor'],
+ }
+}
diff --git a/puppet/modules/tor/manifests/compact.pp b/puppet/modules/tor/manifests/compact.pp
new file mode 100644
index 00000000..c0f59199
--- /dev/null
+++ b/puppet/modules/tor/manifests/compact.pp
@@ -0,0 +1,7 @@
+# manage a complete tor
+# installation with all the basics
+class tor::compact {
+ include ::tor
+ include tor::polipo
+ include tor::torsocks
+}
diff --git a/puppet/modules/tor/manifests/daemon.pp b/puppet/modules/tor/manifests/daemon.pp
new file mode 100644
index 00000000..2522b2cc
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon.pp
@@ -0,0 +1,22 @@
+# manage a snippet based tor installation
+class tor::daemon (
+ $ensure_version = 'installed',
+ $use_munin = false,
+ $data_dir = '/var/lib/tor',
+ $config_file = '/etc/tor/torrc',
+ $use_bridges = 0,
+ $automap_hosts_on_resolve = 0,
+ $log_rules = [ 'notice file /var/log/tor/notices.log' ],
+ $safe_logging = 1,
+) {
+
+ class{'tor':
+ ensure_version => $ensure_version,
+ }
+
+ include tor::daemon::base
+
+ if $use_munin {
+ include tor::munin
+ }
+}
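Review bot: The resource-like declaration `class{'tor': ensure_version => $ensure_version, }` on line 110 conflicts with the `include ::tor` that tor::arm, tor::polipo and tor::torsocks use in this same commit; if any of those classes is evaluated before tor::daemon, Puppet raises a duplicate-declaration error, so tor::daemon only works when it is declared first, which should be stated in the header comment. The parameters `$use_bridges`, `$automap_hosts_on_resolve`, `$log_rules` and `$safe_logging` are not referenced in this manifest (presumably consumed by the torrc templates, which are outside this diff) and carry no documentation. A one-line comment per parameter would help, e.g. `# $safe_logging: presumably maps to tor's SafeLogging; keep at 1 so client addresses are scrubbed from logs`.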
diff --git a/puppet/modules/tor/manifests/daemon/base.pp b/puppet/modules/tor/manifests/daemon/base.pp
new file mode 100644
index 00000000..63d7bc4d
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/base.pp
@@ -0,0 +1,77 @@
+# extend basic tor things with a snippet based daemon configuration
+class tor::daemon::base inherits tor::base {
+ # packages, user, group
+ Service['tor'] {
+ subscribe => File[$tor::daemon::config_file],
+ }
+
+ Package[ 'tor' ] {
+ require => File[$tor::daemon::data_dir],
+ }
+
+ group { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ }
+
+ user { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ comment => 'tor user,,,',
+ home => $tor::daemon::data_dir,
+ shell => '/bin/false',
+ gid => 'debian-tor',
+ require => Group['debian-tor'],
+ }
+
+ # directories
+ file { $tor::daemon::data_dir:
+ ensure => directory,
+ mode => '0700',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/etc/tor':
+ ensure => directory,
+ mode => '0755',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/var/lib/puppet/modules/tor':
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
+ # tor configuration file
+ concat { $tor::daemon::config_file:
+ mode => '0600',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ }
+
+ # config file headers
+ concat::fragment { '00.header':
+ ensure => present,
+ content => template('tor/torrc.header.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 00,
+ target => $tor::daemon::config_file,
+ }
+
+ # global configurations
+ concat::fragment { '01.global':
+ content => template('tor/torrc.global.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 01,
+ target => $tor::daemon::config_file,
+ }
+}
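Review bot: `/etc/tor` (line 161) and the torrc concat target (line 176) are owned by `debian-tor`, the account the daemon itself runs as, so a compromised tor process could rewrite its own configuration directory and file (control port, exit policy, logging settings) and have the change picked up on the next restart. Unless something on the node relies on the daemon writing into `/etc/tor`, the configuration should be root-owned and only readable by the service user: `owner => 'root', group => 'root'` on the `/etc/tor` directory and `owner => 'root', group => 'debian-tor', mode => '0640'` on the concat resource. The `owner`/`group`/`mode` attributes on the `concat::fragment` resources (lines 186-188, 196-198) only affect fragment staging files, if the pinned concat version honours them at all, so they do not change this.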
diff --git a/puppet/modules/tor/manifests/daemon/bridge.pp b/puppet/modules/tor/manifests/daemon/bridge.pp
new file mode 100644
index 00000000..063f5656
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/bridge.pp
@@ -0,0 +1,18 @@
+# Bridge definition
+define tor::daemon::bridge(
+ $ip,
+ $port,
+ $fingerprint = false,
+ $ensure = present ) {
+
+ concat::fragment { "10.bridge.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.bridge.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 10,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/control.pp b/puppet/modules/tor/manifests/daemon/control.pp
new file mode 100644
index 00000000..01726562
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/control.pp
@@ -0,0 +1,27 @@
+# control definition
+define tor::daemon::control(
+ $port = 0,
+ $hashed_control_password = '',
+ $cookie_authentication = 0,
+ $cookie_auth_file = '',
+ $cookie_auth_file_group_readable = '',
+ $ensure = present ) {
+
+ if $cookie_authentication == '0' and $hashed_control_password == '' and $ensure != 'absent' {
+ fail('You need to define the tor control password')
+ }
+
+ if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') {
+ notice('You set a tor cookie authentication option, but do not have cookie_authentication on')
+ }
+
+ concat::fragment { '04.control':
+ ensure => $ensure,
+ content => template('tor/torrc.control.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0600',
+ order => 04,
+ target => $tor::daemon::config_file,
+ }
+}
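Review bot: The guard on line 242 compares `$cookie_authentication` with the string `'0'` while line 246 and the parameter default use the integer `0`; on Puppet 4 and later `0 == '0'` is false, so with the defaults and an empty `$hashed_control_password` the `fail()` never fires, and the control fragment may be written with a ControlPort and no authentication at all (the template is not in this hunk, so this is inferred from the parameter names). Both checks should compare the same way: `if $cookie_authentication == 0 and $hashed_control_password == '' and $ensure != 'absent' {`. The second check only emits a `notice`, which is easy to miss in agent output; `warning(...)` better matches the severity of a misconfigured authentication option.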
diff --git a/puppet/modules/tor/manifests/daemon/directory.pp b/puppet/modules/tor/manifests/daemon/directory.pp
new file mode 100644
index 00000000..d877a861
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/directory.pp
@@ -0,0 +1,27 @@
+# directory advertising
+define tor::daemon::directory (
+ $port = 0,
+ $listen_addresses = [],
+ $port_front_page = '/etc/tor/tor-exit-notice.html',
+ $ensure = present ) {
+
+ concat::fragment { '06.directory':
+ ensure => $ensure,
+ content => template('tor/torrc.directory.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 06,
+ target => $tor::daemon::config_file,
+ }
+
+ file { '/etc/tor/tor-exit-notice.html':
+ ensure => $ensure,
+ source => 'puppet:///modules/tor/tor-exit-notice.html',
+ require => File['/etc/tor'],
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ }
+}
+
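Review bot: `$port_front_page` is accepted as a parameter, but the file resource on line 283 manages the hard-coded path `/etc/tor/tor-exit-notice.html`, so a caller who sets a different front-page path still gets the bundled notice deployed at the default location and nothing at the path tor will presumably serve from. The file title should use the parameter: `file { $port_front_page:`. Because both the `'06.directory'` fragment and that file have fixed titles, the define can only be declared once per node, which the header comment should say.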
diff --git a/puppet/modules/tor/manifests/daemon/dns.pp b/puppet/modules/tor/manifests/daemon/dns.pp
new file mode 100644
index 00000000..4677f24d
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/dns.pp
@@ -0,0 +1,17 @@
+# DNS definition
+define tor::daemon::dns(
+ $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concat::fragment { "08.dns.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.dns.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => '08',
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/exit_policy.pp b/puppet/modules/tor/manifests/daemon/exit_policy.pp
new file mode 100644
index 00000000..f459ece7
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/exit_policy.pp
@@ -0,0 +1,18 @@
+# exit policies
+define tor::daemon::exit_policy(
+ $accept = [],
+ $reject = [],
+ $reject_private = 1,
+ $ensure = present ) {
+
+ concat::fragment { "07.exit_policy.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.exit_policy.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 07,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/hidden_service.pp b/puppet/modules/tor/manifests/daemon/hidden_service.pp
new file mode 100644
index 00000000..c8272116
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/hidden_service.pp
@@ -0,0 +1,17 @@
+# hidden services definition
+define tor::daemon::hidden_service(
+ $ports = [],
+ $data_dir = $tor::daemon::data_dir,
+ $ensure = present ) {
+
+ concat::fragment { "05.hidden_service.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.hidden_service.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 05,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/map_address.pp b/puppet/modules/tor/manifests/daemon/map_address.pp
new file mode 100644
index 00000000..270eac21
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/map_address.pp
@@ -0,0 +1,17 @@
+# map address definition
+define tor::daemon::map_address(
+ $address = '',
+ $newaddress = '',
+ $ensure = 'present') {
+
+ concat::fragment { "08.map_address.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.map_address.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => '08',
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/relay.pp b/puppet/modules/tor/manifests/daemon/relay.pp
new file mode 100644
index 00000000..ff528937
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/relay.pp
@@ -0,0 +1,42 @@
+# relay definition
+define tor::daemon::relay(
+ $port = 0,
+ $listen_addresses = [],
+ $outbound_bindaddresses = [],
+ $portforwarding = 0,
+ # KB/s, defaulting to using tor's default: 5120KB/s
+ $bandwidth_rate = '',
+ # KB/s, defaulting to using tor's default: 10240KB/s
+ $bandwidth_burst = '',
+ # KB/s, 0 for no limit
+ $relay_bandwidth_rate = 0,
+ # KB/s, 0 for no limit
+ $relay_bandwidth_burst = 0,
+ # GB, 0 for no limit
+ $accounting_max = 0,
+ $accounting_start = [],
+ $contact_info = '',
+ # TODO: autofill with other relays
+ $my_family = '',
+ $address = "tor.${::domain}",
+ $bridge_relay = 0,
+ $ensure = present ) {
+
+ $nickname = $name
+
+ if $outbound_bindaddresses == [] {
+ $real_outbound_bindaddresses = []
+ } else {
+ $real_outbound_bindaddresses = $outbound_bindaddresses
+ }
+
+ concat::fragment { '03.relay':
+ ensure => $ensure,
+ content => template('tor/torrc.relay.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 03,
+ target => $tor::daemon::config_file,
+ }
+}
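Review bot: The conditional on lines 418-422 assigns `$real_outbound_bindaddresses` the same value on both branches (`[]` when the input is `[]`, the input itself otherwise), so it is a no-op and can be collapsed to `$real_outbound_bindaddresses = $outbound_bindaddresses`, or dropped in favour of using the parameter directly in the template. `$address` defaults to `"tor.${::domain}"`, a client-reported fact that may be empty on hosts without a configured domain, which would yield `tor.` as the relay address if the template emits it as-is (the template is outside this hunk); an explicit validation of the default, or an empty default so tor autodetects, would be safer for a relay's advertised address.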
diff --git a/puppet/modules/tor/manifests/daemon/snippet.pp b/puppet/modules/tor/manifests/daemon/snippet.pp
new file mode 100644
index 00000000..b9089b40
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/snippet.pp
@@ -0,0 +1,16 @@
+# Arbitrary torrc snippet definition
+define tor::daemon::snippet(
+ $content = '',
+ $ensure = present ) {
+
+ concat::fragment { "99.snippet.${name}":
+ ensure => $ensure,
+ content => $content,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 99,
+ target => $tor::daemon::config_file,
+ }
+}
+
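Review bot: The define writes `$content` verbatim at order 99, after every other fragment, so a snippet can silently override options set by the structured tor::daemon::* defines (tor takes the last occurrence for most single-value options), and nothing here validates or documents that. The header comment should say so, e.g. `# Arbitrary torrc snippet: $content is written verbatim at the end of torrc, is not validated, and can override options emitted by the other tor::daemon::* defines (for example SafeLogging), so review snippets as carefully as the structured parameters.`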
diff --git a/puppet/modules/tor/manifests/daemon/socks.pp b/puppet/modules/tor/manifests/daemon/socks.pp
new file mode 100644
index 00000000..910461c9
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/socks.pp
@@ -0,0 +1,15 @@
+# socks definition
+define tor::daemon::socks(
+ $port = 0,
+ $listen_addresses = [],
+ $policies = [] ) {
+
+ concat::fragment { '02.socks':
+ content => template('tor/torrc.socks.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 02,
+ target => $tor::daemon::config_file,
+ }
+}
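Review bot: Unlike every other tor::daemon::* define in this commit, tor::daemon::socks has no `$ensure` parameter and its `'02.socks'` fragment (line 468) is always present, so once declared the SOCKS block cannot be removed from torrc the way the other blocks can. Add `$ensure = present ) {` after `$policies = [],` and `ensure => $ensure,` as the first attribute of the fragment for consistency with the siblings. Whether an empty `$policies` results in no SocksPolicy line at all is decided by the template, which is outside this hunk and worth a sentence in the header comment.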
diff --git a/puppet/modules/tor/manifests/daemon/transparent.pp b/puppet/modules/tor/manifests/daemon/transparent.pp
new file mode 100644
index 00000000..65d744f4
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/transparent.pp
@@ -0,0 +1,17 @@
+# Transparent proxy definition
+define tor::daemon::transparent(
+ $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concat::fragment { "09.transparent.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.transparent.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => '09',
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/init.pp b/puppet/modules/tor/manifests/init.pp
new file mode 100644
index 00000000..9c19c648
--- /dev/null
+++ b/puppet/modules/tor/manifests/init.pp
@@ -0,0 +1,6 @@
+# manage a basic tor installation
+class tor (
+ $ensure_version = 'installed'
+){
+ include tor::base
+}
diff --git a/puppet/modules/tor/manifests/munin.pp b/puppet/modules/tor/manifests/munin.pp
new file mode 100644
index 00000000..4412337a
--- /dev/null
+++ b/puppet/modules/tor/manifests/munin.pp
@@ -0,0 +1,21 @@
+# munin plugins for puppet
+class tor::munin {
+ tor::daemon::control{
+ 'control_port_for_munin':
+ port => 19051,
+ cookie_authentication => 1,
+ cookie_auth_file => '/var/run/tor/control.authcookie',
+ }
+
+ Munin::Plugin::Deploy {
+ config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051"
+ }
+ munin::plugin::deploy {
+ 'tor_connections':
+ source => 'tor/munin/tor_connections';
+ 'tor_routers':
+ source => 'tor/munin/tor_routers';
+ 'tor_traffic':
+ source => 'tor/munin/tor_traffic';
+ }
+}
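Review bot: tor::munin declares a `tor::daemon::control` on line 520, and that define always creates the fixed-title `'04.control'` fragment, so enabling `use_munin` in tor::daemon collides with any tor::daemon::control the node declares itself (duplicate resource), and a node cannot have both the munin control port and its own control settings. Either document that tor::munin owns the control port configuration, or make the fragment title in control.pp unique per instance. The `Munin::Plugin::Deploy { config => ... }` resource default on line 527 is dynamically scoped and applies to every munin::plugin::deploy evaluated under this class, not just the three below; passing `config =>` on each resource avoids that leakage.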
diff --git a/puppet/modules/tor/manifests/polipo.pp b/puppet/modules/tor/manifests/polipo.pp
new file mode 100644
index 00000000..73dc2262
--- /dev/null
+++ b/puppet/modules/tor/manifests/polipo.pp
@@ -0,0 +1,9 @@
+# manage the polipo proxy service
+class tor::polipo {
+ include ::tor
+
+ case $::operatingsystem {
+ 'debian': { include tor::polipo::debian }
+ default: { include tor::polipo::base }
+ }
+}
diff --git a/puppet/modules/tor/manifests/polipo/base.pp b/puppet/modules/tor/manifests/polipo/base.pp
new file mode 100644
index 00000000..df2d6ea6
--- /dev/null
+++ b/puppet/modules/tor/manifests/polipo/base.pp
@@ -0,0 +1,22 @@
+# manage polipo resources
+class tor::polipo::base {
+ package{'polipo':
+ ensure => present,
+ }
+
+ file { '/etc/polipo/config':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0644',
+ source => 'puppet:///modules/tor/polipo/polipo.conf',
+ require => Package['polipo'],
+ notify => Service['polipo'],
+ }
+
+ service { 'polipo':
+ ensure => running,
+ enable => true,
+ require => [ Package['polipo'], Service['tor'] ],
+ }
+}
diff --git a/puppet/modules/tor/manifests/polipo/debian.pp b/puppet/modules/tor/manifests/polipo/debian.pp
new file mode 100644
index 00000000..607b3617
--- /dev/null
+++ b/puppet/modules/tor/manifests/polipo/debian.pp
@@ -0,0 +1,7 @@
+# manage polipo on debian
+class tor::polipo::debian inherits tor::polipo::base {
+ Service['polipo'] {
+ hasstatus => false,
+ pattern => '/usr/bin/polipo',
+ }
+}
diff --git a/puppet/modules/tor/manifests/repo.pp b/puppet/modules/tor/manifests/repo.pp
new file mode 100644
index 00000000..f6255995
--- /dev/null
+++ b/puppet/modules/tor/manifests/repo.pp
@@ -0,0 +1,16 @@
+class tor::repo (
+ $ensure = present,
+ $source_name = 'torproject.org',
+ $include_src = false,
+) {
+ case $::osfamily {
+ 'Debian': {
+ $key = '886DDD89'
+ $location = 'https://deb.torproject.org/torproject.org/'
+ class { 'tor::repo::debian': }
+ }
+ default: {
+ fail("Unsupported managed repository for osfamily: ${::osfamily}, operatingsystem: ${::operatingsystem}, module ${module_name} currently only supports managing repos for osfamily Debian and Ubuntu")
+ }
+ }
+}
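Review bot: `$key = '886DDD89'` on line 608 is a short 32-bit key ID; short IDs are trivially collidable and newer puppetlabs-apt releases only accept a full 40-hex fingerprint, so the archive key should be given in full, e.g. `$key = '<full 40-hex fingerprint of the deb.torproject.org archive key>'` (placeholder; take the value from the project's own key documentation and verify it out of band). The class also lacks the header comment every other manifest in this commit has; one line such as `# manage the torproject.org apt repository (osfamily Debian only, which includes Ubuntu)` would match the module's style and the failure message on line 613.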
diff --git a/puppet/modules/tor/manifests/repo/debian.pp b/puppet/modules/tor/manifests/repo/debian.pp
new file mode 100644
index 00000000..174c3310
--- /dev/null
+++ b/puppet/modules/tor/manifests/repo/debian.pp
@@ -0,0 +1,9 @@
+# PRIVATE CLASS: do not use directly
+class tor::repo::debian inherits tor::repo {
+ apt::source { $source_name:
+ ensure => $::tor::repo::ensure,
+ location => $::tor::repo::location,
+ key => $::tor::repo::key,
+ include_src => $::tor::repo::include_src,
+ }
+}
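Review bot: `apt::source { $source_name:` on line 625 reaches the parameter through class inheritance while every attribute below uses the fully qualified `$::tor::repo::...` form; mixing the two styles is confusing, and `apt::source { $::tor::repo::source_name:` makes all references explicit. Newer puppetlabs-apt versions expect `key` as a hash (`key => { 'id' => ... }`) rather than a bare string, so this should be checked against the apt module version the repository pins (not visible here).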
diff --git a/puppet/modules/tor/manifests/torsocks.pp b/puppet/modules/tor/manifests/torsocks.pp
new file mode 100644
index 00000000..e9fc75b2
--- /dev/null
+++ b/puppet/modules/tor/manifests/torsocks.pp
@@ -0,0 +1,9 @@
+# manage torsocks
+class tor::torsocks (
+ $ensure_version = 'installed'
+){
+ include ::tor
+ package{'torsocks':
+ ensure => $ensure_version,
+ }
+}