18 files changed, 117 insertions, 33 deletions
diff --git a/provider_base/services/_tor_common.json b/provider_base/services/_tor_common.json
new file mode 100644
index 00000000..461232dc
--- /dev/null
+++ b/provider_base/services/_tor_common.json
@@ -0,0 +1,8 @@
+{
+  "tor": {
+    "type": "disabled",
+    "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten",
+    "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]",
+    "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')"
+  }
+}
diff --git a/provider_base/services/tor_exit.json b/provider_base/services/tor_exit.json
new file mode 100644
index 00000000..dab3b76f
--- /dev/null
+++ b/provider_base/services/tor_exit.json
@@ -0,0 +1,5 @@
+{
+  "tor": {
+    "bandwidth_rate": 6550
+  }
+}
diff --git a/provider_base/services/tor_exit.rb b/provider_base/services/tor_exit.rb
new file mode 100644
index 00000000..bd801a3d
--- /dev/null
+++ b/provider_base/services/tor_exit.rb
@@ -0,0 +1,6 @@
+if self.services.include?("tor_hidden_service") || self.services.include?("tor_relay")
+  LeapCli.log :error, "service `tor_exit` is not compatible with tor_relay or tor_hidden_service (node #{self.name})."
+  exit(1)
+end
+apply_partial("_tor_common")
+self.tor['type'] = "exit"
diff --git a/provider_base/services/tor_hidden_service.json b/provider_base/services/tor_hidden_service.json
new file mode 100644
index 00000000..137932fa
--- /dev/null
+++ b/provider_base/services/tor_hidden_service.json
@@ -0,0 +1,11 @@
+{
+  "tor": {
+    "hidden_service": {
+      "key_type": "RSA",
+      "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type)",
+      "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type)",
+      "address": "=> onion_address(:node_tor_pub_key)",
+      "single_hop": false
+    }
+  }
+}
diff --git a/provider_base/services/tor_hidden_service.rb b/provider_base/services/tor_hidden_service.rb
new file mode 100644
index 00000000..8b8eb24d
--- /dev/null
+++ b/provider_base/services/tor_hidden_service.rb
@@ -0,0 +1,4 @@
+if self.services.include?("tor_exit") || self.services.include?("tor_relay")
+  LeapCli.log :error, "service `tor_hidden_service` is not compatible with tor_exit or tor_relay (node #{self.name})."
+end
+self.tor['type'] = "hidden_service"
diff --git a/provider_base/services/tor_relay.json b/provider_base/services/tor_relay.json
new file mode 100644
index 00000000..dab3b76f
--- /dev/null
+++ b/provider_base/services/tor_relay.json
@@ -0,0 +1,5 @@
+{
+  "tor": {
+    "bandwidth_rate": 6550
+  }
+}
diff --git a/provider_base/services/tor_relay.rb b/provider_base/services/tor_relay.rb
new file mode 100644
index 00000000..7fce6ae4
--- /dev/null
+++ b/provider_base/services/tor_relay.rb
@@ -0,0 +1,6 @@
+
+if self.services.include?("tor_exit") || self.services.include?("tor_hidden_service")
+  LeapCli.log :error, "service `tor_relay` is not compatible with tor_exit or tor_hidden_service (node #{self.name})."
+end
+apply_partial("_tor_common")
+self.tor['type'] = "relay"
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index e243c5df..1f80c47c 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -44,10 +44,18 @@ node default {
     include site_nagios
   }
 
-  if member($services, 'tor') {
+  if member($services, 'tor_relay') {
     include site_tor::relay
   }
 
+  if member($services, 'tor_exit') {
+    include site_tor::relay
+  }
+
+  if member($services, 'tor_hidden_service') {
+    include site_tor::hidden_service
+  }
+
   if member($services, 'mx') {
     include site_mx
   }
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
index 1d19094e..ddf69a42 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
@@ -1,5 +1,5 @@
 <VirtualHost 127.0.0.1:80>
-  ServerName <%= @tor_domain %>
+  ServerName <%= @onion_domain %>
 
   <IfModule mod_headers.c>
     Header always unset X-Powered-By
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index 31cf328e..f23727f7 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -1,13 +1,15 @@
 # create hidden service for static sites
 class site_static::hidden_service ( $single_hop = false ) {
+  Class['site_tor::hidden_service'] -> Class['site_static::hidden_service']
+  include site_tor::hidden_service
 
-  include site_tor
   tor::daemon::hidden_service { 'static':
     ports      => [ '80 127.0.0.1:80'],
     single_hop => $single_hop
   }
+
   file {
-    '/var/lib/tor/webapp/':
+    '/var/lib/tor/static/':
       ensure => directory,
       owner  => 'debian-tor',
       group  => 'debian-tor',
@@ -23,7 +25,7 @@ class site_static::hidden_service ( $single_hop = false ) {
 
     '/var/lib/tor/static/hostname':
       ensure  => present,
-      content => "${::site_static::tor_domain}\n",
+      content => "${::site_static::onion_domain}\n",
       owner   => 'debian-tor',
       group   => 'debian-tor',
       mode    => '0600',
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 96d92f74..40c6a28b 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -7,15 +7,16 @@ class site_static {
   include site_config::x509::key
   include site_config::x509::ca_bundle
 
-  $static         = hiera('static')
-  $domains        = $static['domains']
-  $formats        = $static['formats']
-  $bootstrap      = $static['bootstrap_files']
-  $tor            = hiera('tor', false)
-  if $tor and member($services, 'tor') and $tor['hidden_service']['active'] == true {
-    $tor_active = true
+  $services  = hiera('services', [])
+  $static    = hiera('static')
+  $domains   = $static['domains']
+  $formats   = $static['formats']
+  $bootstrap = $static['bootstrap_files']
+  $tor       = hiera('tor', false)
+  if $tor and member($services, 'tor_hidden_service') {
+    $onion_active = true
   } else {
-    $tor_active = false
+    $onion_active = false
   }
 
   file {
@@ -76,9 +77,9 @@ class site_static {
     }
   }
 
-  if $tor_active {
+  if $onion_active {
     $hidden_service = $tor['hidden_service']
-    $tor_domain     = "${hidden_service['address']}.onion"
+    $onion_domain     = "${hidden_service['address']}.onion"
     class { 'site_static::hidden_service':
       single_hop => $hidden_service['single_hop']
     }
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 75d834e7..716df437 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -74,14 +74,14 @@
   Require all granted
 </Directory>
 
-<%- if @tor_active && (@always_use_hidden_service || @use_hidden_service) -%>
+<%- if @onion_active && (@always_use_hidden_service || @use_hidden_service) -%>
 ##
-## Tor
+## Hidden Service
 ##
 <VirtualHost 127.0.0.1:80>
-  ServerName <%= @tor_domain %>
+  ServerName <%= @onion_domain %>
 <%- if @www_alias -%>
-  ServerAlias www.<%= @tor_domain %>
+  ServerAlias www.<%= @onion_domain %>
 <%- end -%>
 
   <IfModule mod_headers.c>
@@ -105,7 +105,7 @@
 <VirtualHost *:80>
   ServerName <%= @domain %>
 <%- if @www_alias -%>
-  ServerAlias www.<%= @tor_domain %>
+  ServerAlias www.<%= @domain %>
 <%- end -%>
 <%- @aliases && @aliases.each do |domain_alias| -%>
   ServerAlias <%= domain_alias %>
@@ -127,7 +127,7 @@
 <VirtualHost *:443>
   ServerName <%= @domain %>
 <%- if @www_alias -%>
-  ServerAlias www.<%= @tor_domain %>
+  ServerAlias www.<%= @domain %>
 <%- end -%>
 <%- @aliases && @aliases.each do |domain_alias| -%>
   ServerAlias <%= domain_alias %>
diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp
index 078f80ae..85c24bfc 100644
--- a/puppet/modules/site_tor/manifests/disable_exit.pp
+++ b/puppet/modules/site_tor/manifests/disable_exit.pp
@@ -1,7 +1,13 @@
+# ensure that the tor relay is not configured as an exit node
 class site_tor::disable_exit {
   tor::daemon::exit_policy {
     'no_exit_at_all':
       reject => [ '*:*' ];
   }
+# In a future version of Tor, ExitRelay 0 may become the default when no ExitPolicy is given.
+  tor::daemon::snippet {
+    'disable_exit':
+      content => 'ExitRelay 0';
+  }
 }
 
diff --git a/puppet/modules/site_tor/manifests/hidden_service.pp b/puppet/modules/site_tor/manifests/hidden_service.pp
new file mode 100644
index 00000000..87a7b696
--- /dev/null
+++ b/puppet/modules/site_tor/manifests/hidden_service.pp
@@ -0,0 +1,13 @@
+# This class simply makes sure a base tor is installed and configured
+# It doesn't configure any specific hidden service functionality,
+# instead that is configured in site_webapp::hidden_service and
+# site_static::hidden_service.
+#
+# Those could be factored out to make them more generic.
+class site_tor::hidden_service {
+  tag 'leap_service'
+  Class['site_config::default'] -> Class['site_tor::hidden_service']
+
+  include site_config::default
+  include site_tor
+}
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 3f3f1d0c..1f87da6b 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -1,8 +1,10 @@
 # Configure tor hidden service for webapp
 class site_webapp::hidden_service {
+  Class['site_tor::hidden_service'] -> Class['site_webapp::hidden_service']
+  include site_tor::hidden_service
   $tor              = hiera('tor')
   $hidden_service   = $tor['hidden_service']
-  $tor_domain       = "${hidden_service['address']}.onion"
+  $onion_domain     = "${hidden_service['address']}.onion"
 
   include site_apache::common
   include apache::module::headers
@@ -10,7 +12,6 @@ class site_webapp::hidden_service {
   include apache::module::expires
   include apache::module::removeip
 
-  include site_tor
   tor::daemon::hidden_service { 'webapp':
     ports      => [ '80 127.0.0.1:80'],
     single_hop => $hidden_service['single_hop']
@@ -33,7 +34,7 @@ class site_webapp::hidden_service {
 
     '/var/lib/tor/webapp/hostname':
       ensure  => present,
-      content => "${tor_domain}\n",
+      content => "${onion_domain}\n",
       owner   => 'debian-tor',
       group   => 'debian-tor',
       mode    => '0600',
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index deb8e8c8..605d71b3 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,6 +1,7 @@
 # configure webapp service
 class site_webapp {
   tag 'leap_service'
+  $services         = hiera('services', [])
   $definition_files = hiera('definition_files')
   $provider         = $definition_files['provider']
   $eip_service      = $definition_files['eip_service']
@@ -177,11 +178,9 @@ class site_webapp {
       notify  => Service['apache'];
   }
 
-  if $tor {
+  if $tor and member($services, 'tor_hidden_service') {
     $hidden_service = $tor['hidden_service']
-    if $hidden_service['active'] {
-      include ::site_webapp::hidden_service
-    }
+    include ::site_webapp::hidden_service
   }
 
 
diff --git a/tests/platform-ci/ci-build.sh b/tests/platform-ci/ci-build.sh
index 4710bc88..06af59ca 100755
--- a/tests/platform-ci/ci-build.sh
+++ b/tests/platform-ci/ci-build.sh
@@ -71,6 +71,13 @@ test() {
 }
 
 build_from_scratch() {
+  # allow passing into the function the services, use a default set if empty
+  SERVICES=$1
+  if [ -z "$SERVICES" ]
+  then
+      SERVICES='couchdb,soledad,mx,webapp,tor_relay,monitor'
+  fi
+
   # when using gitlab-runner locally, CI_JOB_ID is always 1 which
   # will conflict with running/terminating AWS instances in subsequent runs
   # therefore we pick a random number in this case
@@ -78,10 +85,7 @@ build_from_scratch() {
 
   # create node(s) with unique id so we can run tests in parallel
   NAME="citest${CI_JOB_ID:-0}"
-
-
   TAG='single'
-  SERVICES='couchdb,soledad,mx,webapp,tor,monitor'
 
   # leap_platform/tests/platform-ci/provider
   PROVIDERDIR="${ROOTDIR}/provider"
@@ -184,7 +188,7 @@ upgrade_test() {
 
   cd "$PROVIDERDIR"
 
-  build_from_scratch
+  build_from_scratch 'couchdb,soledad,mx,webapp,tor,monitor'
   deploy
   test
 
@@ -200,6 +204,11 @@ upgrade_test() {
   /usr/local/bin/bundle install
 
   cd "$PROVIDERDIR"
+
+  # due to the 'tor' service no longer being valid in 0.10, we need to change
+  # that service to 'tor_relay'. This is done by changing the services array
+  # with jq to be set to the full correct list of services
+  jq '.services = ["couchdb","soledad","mx","webapp","tor_relay","monitor"]' < nodes/${NAME}.json
   deploy
   test
 
diff --git a/tests/platform-ci/provider/nodes/catalogtest.json b/tests/platform-ci/provider/nodes/catalogtest.json
index 05703666..bbf79d9e 100644
--- a/tests/platform-ci/provider/nodes/catalogtest.json
+++ b/tests/platform-ci/provider/nodes/catalogtest.json
@@ -10,7 +10,7 @@
     "webapp",
     "monitor",
     "openvpn",
-    "tor",
+    "tor_relay",
     "obfsproxy",
     "static"
   ],