Feat: split tor service into three
authorelijah <elijah@riseup.net>
Tue, 19 Sep 2017 18:54:27 +0000 (11:54 -0700)
committerMicah Anderson <micah@riseup.net>
Thu, 5 Oct 2017 23:24:34 +0000 (19:24 -0400)
The 'tor' service is now three separate services, 'tor_exit', 'tor_relay', or 'hidden_service'.

14 files changed:
provider_base/services/_tor_common.json [new file with mode: 0644]
provider_base/services/hidden_service.json [new file with mode: 0644]
provider_base/services/hidden_service.rb [new file with mode: 0644]
provider_base/services/tor_exit.json [new file with mode: 0644]
provider_base/services/tor_exit.rb [new file with mode: 0644]
provider_base/services/tor_relay.json [new file with mode: 0644]
provider_base/services/tor_relay.rb [new file with mode: 0644]
puppet/manifests/site.pp
puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
puppet/modules/site_static/manifests/hidden_service.pp
puppet/modules/site_static/manifests/init.pp
puppet/modules/site_static/templates/apache.conf.erb
puppet/modules/site_webapp/manifests/hidden_service.pp
puppet/modules/site_webapp/manifests/init.pp

diff --git a/provider_base/services/_tor_common.json b/provider_base/services/_tor_common.json
new file mode 100644 (file)
index 0000000..461232d
--- /dev/null
@@ -0,0 +1,8 @@
+{
+  "tor": {
+    "type": "disabled",
+    "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten",
+    "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]",
+    "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')"
+  }
+}
diff --git a/provider_base/services/hidden_service.json b/provider_base/services/hidden_service.json
new file mode 100644 (file)
index 0000000..137932f
--- /dev/null
@@ -0,0 +1,11 @@
+{
+  "tor": {
+    "hidden_service": {
+      "key_type": "RSA",
+      "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type)",
+      "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type)",
+      "address": "=> onion_address(:node_tor_pub_key)",
+      "single_hop": false
+    }
+  }
+}
diff --git a/provider_base/services/hidden_service.rb b/provider_base/services/hidden_service.rb
new file mode 100644 (file)
index 0000000..5070168
--- /dev/null
@@ -0,0 +1,4 @@
+if self.services.include?("tor_exit") || self.services.include?("tor_relay")
+  LeapCli.log :error, "service `hidden_service` is not compatible with tor_exit or tor_relay (node #{self.name})."
+end
+self.tor['type'] = "hidden_service"
\ No newline at end of file
diff --git a/provider_base/services/tor_exit.json b/provider_base/services/tor_exit.json
new file mode 100644 (file)
index 0000000..dab3b76
--- /dev/null
@@ -0,0 +1,5 @@
+{
+  "tor": {
+    "bandwidth_rate": 6550
+  }
+}
diff --git a/provider_base/services/tor_exit.rb b/provider_base/services/tor_exit.rb
new file mode 100644 (file)
index 0000000..05c6743
--- /dev/null
@@ -0,0 +1,6 @@
+if self.services.include?("hidden_service") || self.services.include?("tor_relay")
+  LeapCli.log :error, "service `tor_exit` is not compatible with tor_relay or hidden_service (node #{self.name})."
+  exit(1)
+end
+apply_partial("_tor_common")
+self.tor['type'] = "exit"
diff --git a/provider_base/services/tor_relay.json b/provider_base/services/tor_relay.json
new file mode 100644 (file)
index 0000000..dab3b76
--- /dev/null
@@ -0,0 +1,5 @@
+{
+  "tor": {
+    "bandwidth_rate": 6550
+  }
+}
diff --git a/provider_base/services/tor_relay.rb b/provider_base/services/tor_relay.rb
new file mode 100644 (file)
index 0000000..42bafb9
--- /dev/null
@@ -0,0 +1,6 @@
+
+if self.services.include?("tor_exit") || self.services.include?("hidden_service")
+  LeapCli.log :error, "service `tor_relay` is not compatible with tor_exit or hidden_service (node #{self.name})."
+end
+apply_partial("_tor_common")
+self.tor['type'] = "relay"
index e243c5d..f3e752c 100644 (file)
@@ -44,10 +44,18 @@ node default {
     include site_nagios
   }
 
-  if member($services, 'tor') {
+  if member($services, 'tor_relay') {
     include site_tor::relay
   }
 
+  if member($services, 'tor_exit') {
+    include site_tor::relay
+  }
+
+  if member($services, 'hidden_service') {
+    include site_tor::hidden_service
+  }
+
   if member($services, 'mx') {
     include site_mx
   }
index 1d19094..ddf69a4 100644 (file)
@@ -1,5 +1,5 @@
 <VirtualHost 127.0.0.1:80>
-  ServerName <%= @tor_domain %>
+  ServerName <%= @onion_domain %>
 
   <IfModule mod_headers.c>
     Header always unset X-Powered-By
index 31cf328..dcf3785 100644 (file)
@@ -23,7 +23,7 @@ class site_static::hidden_service ( $single_hop = false ) {
 
     '/var/lib/tor/static/hostname':
       ensure  => present,
-      content => "${::site_static::tor_domain}\n",
+      content => "${::site_static::onion_domain}\n",
       owner   => 'debian-tor',
       group   => 'debian-tor',
       mode    => '0600',
index 96d92f7..4ddce5e 100644 (file)
@@ -12,10 +12,10 @@ class site_static {
   $formats        = $static['formats']
   $bootstrap      = $static['bootstrap_files']
   $tor            = hiera('tor', false)
-  if $tor and member($services, 'tor') and $tor['hidden_service']['active'] == true {
-    $tor_active = true
+  if $tor and member($services, 'hidden_service') {
+    $onion_active = true
   } else {
-    $tor_active = false
+    $onion_active = false
   }
 
   file {
@@ -76,9 +76,9 @@ class site_static {
     }
   }
 
-  if $tor_active {
+  if $onion_active {
     $hidden_service = $tor['hidden_service']
-    $tor_domain     = "${hidden_service['address']}.onion"
+    $onion_domain     = "${hidden_service['address']}.onion"
     class { 'site_static::hidden_service':
       single_hop => $hidden_service['single_hop']
     }
index 75d834e..716df43 100644 (file)
   Require all granted
 </Directory>
 
-<%- if @tor_active && (@always_use_hidden_service || @use_hidden_service) -%>
+<%- if @onion_active && (@always_use_hidden_service || @use_hidden_service) -%>
 ##
-## Tor
+## Hidden Service
 ##
 <VirtualHost 127.0.0.1:80>
-  ServerName <%= @tor_domain %>
+  ServerName <%= @onion_domain %>
 <%- if @www_alias -%>
-  ServerAlias www.<%= @tor_domain %>
+  ServerAlias www.<%= @onion_domain %>
 <%- end -%>
 
   <IfModule mod_headers.c>
 <VirtualHost *:80>
   ServerName <%= @domain %>
 <%- if @www_alias -%>
-  ServerAlias www.<%= @tor_domain %>
+  ServerAlias www.<%= @domain %>
 <%- end -%>
 <%- @aliases && @aliases.each do |domain_alias| -%>
   ServerAlias <%= domain_alias %>
 <VirtualHost *:443>
   ServerName <%= @domain %>
 <%- if @www_alias -%>
-  ServerAlias www.<%= @tor_domain %>
+  ServerAlias www.<%= @domain %>
 <%- end -%>
 <%- @aliases && @aliases.each do |domain_alias| -%>
   ServerAlias <%= domain_alias %>
index 3f3f1d0..658d62f 100644 (file)
@@ -2,7 +2,7 @@
 class site_webapp::hidden_service {
   $tor              = hiera('tor')
   $hidden_service   = $tor['hidden_service']
-  $tor_domain       = "${hidden_service['address']}.onion"
+  $onion_domain     = "${hidden_service['address']}.onion"
 
   include site_apache::common
   include apache::module::headers
@@ -33,7 +33,7 @@ class site_webapp::hidden_service {
 
     '/var/lib/tor/webapp/hostname':
       ensure  => present,
-      content => "${tor_domain}\n",
+      content => "${onion_domain}\n",
       owner   => 'debian-tor',
       group   => 'debian-tor',
       mode    => '0600',
index deb8e8c..968859b 100644 (file)
@@ -177,11 +177,9 @@ class site_webapp {
       notify  => Service['apache'];
   }
 
-  if $tor {
+  if $tor and member($services, 'hidden_service') {
     $hidden_service = $tor['hidden_service']
-    if $hidden_service['active'] {
-      include ::site_webapp::hidden_service
-    }
+    include ::site_webapp::hidden_service
   }