| -rw-r--r-- | provider_base/lib/macros/keys.rb | 8 | ||||
| -rw-r--r-- | provider_base/services/tor.json | 12 | ||||
| -rw-r--r-- | puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb | 33 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/hidden_service.pp | 43 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 8 | ||||
| m--------- | puppet/modules/sshd | 0 | 
6 files changed, 96 insertions, 8 deletions
|
diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb
index 0d46acb5..ea4c3df2 100644
--- a/provider_base/lib/macros/keys.rb
+++ b/provider_base/lib/macros/keys.rb
@@ -15,8 +15,10 @@ module LeapCli
       path = file_path(path_name)
       if path.nil?
         generate_tor_key(key_type)
+        file_path(path_name)
+      else
+        path
       end
-      return path
     end
     #
@@ -27,8 +29,10 @@ module LeapCli
       path = file_path(path_name)
       if path.nil?
         generate_tor_key(key_type)
+        file_path(path_name)
+      else
+        path
       end
-      return path
     end
     #
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 87fb9682..55d3d2ee 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -4,12 +4,12 @@
     "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten",
     "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]",
     "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')",
-    "hidden_service": null,
-    "key": {
-      "type": "RSA",
-      "public": "= tor_public_key_path(:node_tor_pub_key, tor.key.type) if tor.hidden_service",
-      "private": "= tor_private_key_path(:node_tor_priv_key, tor.key.type) if tor.hidden_service",
-      "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service"
+    "hidden_service": {
+      "active": null,
+      "key_type": "RSA",
+      "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active",
+      "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active",
+      "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active"
     }
   }
 }
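Review bot: The re-lookup added after `generate_tor_key(key_type)` can still yield nil when generation does not actually produce the file, so the macro's caller receives nil at exactly the point the old code did, just one step later; make that failure visible, e.g. `file_path(path_name) || raise("tor key #{path_name} was not generated")` (or the project's own error helper, if one exists). The same three added lines appear verbatim in both hunks of this file, so a single private helper taking `path_name` and `key_type` would keep the public- and private-key paths from drifting apart. The enclosing method definitions start outside both hunks; only their bodies are visible here.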
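Review bot: Turning `tor.hidden_service` from a nullable boolean into an object keyed by `active`, `key_type`, `public_key`, `private_key` and `address` is a breaking schema change for existing provider configs: a node JSON that still sets `"hidden_service": true` will presumably fail when `tor.hidden_service.active` is evaluated on a boolean, and the old `tor.key.*` paths no longer exist for anything that read them. JSON has no comment syntax, so the migration note (`"hidden_service": {"active": true}` replaces `"hidden_service": true`) belongs in the provider documentation or changelog accompanying this change; I cannot see from this diff whether that was done.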
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
new file mode 100644
index 00000000..0c6f3b8e
--- /dev/null
+++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
@@ -0,0 +1,33 @@
+<VirtualHost 127.0.0.1:80>
+  ServerName <%= tor_domain %>
+
+  <IfModule mod_headers.c>
+    Header always unset X-Powered-By
+    Header always unset X-Runtime
+  </IfModule>
+
+<% if (defined? @services) and (@services.include? 'webapp') -%>
+  DocumentRoot /srv/leap/webapp/public
+
+  RewriteEngine On
+  # Check for maintenance file and redirect all requests
+  RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+  RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+  RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
+  RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
+
+  # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
+  AllowEncodedSlashes on
+  PassengerAllowEncodedSlashes on
+  PassengerFriendlyErrorPages off
+  SetEnv TMPDIR /var/tmp
+
+  # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes)
+  <Location /assets/>
+    Header unset ETag
+    FileETag None
+    ExpiresActive On
+    ExpiresDefault "access plus 1 year"
+  </Location>
+<% end -%>
+</VirtualHost>
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
new file mode 100644
index 00000000..ac0e8a37
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
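Review bot: `ServerName <%= tor_domain %>` reads the variable without the `@` that the same template uses for `@services`; the bare form depends on Puppet's deprecated dynamic-scope lookup, which warns in Puppet 3 and no longer resolves in Puppet 4, so it should be `ServerName <%= @tor_domain %>` (the manifest that renders this template sets `$tor_domain` in class scope, so `@tor_domain` is available). The vhost also turns on `RewriteEngine On`, but that manifest only includes the headers, alias, expires and removeip modules; unless `site_apache::common` pulls in mod_rewrite, the Rewrite directives will fail to load. A one-line comment at the top, `# Plain-HTTP vhost reached only through the Tor hidden service; bound to loopback so it is never exposed on a public interface`, would record why this listener is HTTP-only on 127.0.0.1.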
@@ -0,0 +1,43 @@
+class site_webapp::hidden_service {
+  $tor              = hiera('tor')
+  $hidden_service   = $tor['hidden_service']
+  $tor_domain       = "${hidden_service['address']}.onion"
+
+  include site_apache::common
+  include site_apache::module::headers
+  include site_apache::module::alias
+  include site_apache::module::expires
+  include site_apache::module::removeip
+
+  include tor::daemon
+  tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' }
+
+  file {
+    '/var/lib/tor/webapp/':
+      ensure  => directory,
+      owner   => 'debian-tor',
+      group   => 'debian-tor',
+      mode    => '2700';
+
+    '/var/lib/tor/webapp/private_key':
+      ensure  => present,
+      source  => '/srv/leap/files/nodes/web/tor.key',
+      owner   => 'debian-tor',
+      group   => 'debian-tor',
+      mode    => '0600';
+
+    '/var/lib/tor/webapp/hostname':
+      ensure  => present,
+      content => $tor_domain,
+      owner   => 'debian-tor',
+      group   => 'debian-tor',
+      mode    => '0600';
+  }
+
+  apache::vhost::file {
+    'hidden_service':
+      content => template('site_apache/vhosts.d/hidden_service.conf.erb')
+  }
+
+  include site_shorewall::tor
+}
\ No newline at end of file
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 17b010f3..752993c1 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -10,6 +10,7 @@ class site_webapp {
   $webapp           = hiera('webapp')
   $api_version      = $webapp['api_version']
   $secret_token     = $webapp['secret_token']
+  $tor              = hiera('tor', false)
   Class['site_config::default'] -> Class['site_webapp']
@@ -157,6 +158,13 @@ class site_webapp {
       notify  => Service['apache'];
   }
+  if $tor {
+    $hidden_service = $tor['hidden_service']
+    if $hidden_service['active'] {
+      include site_webapp::hidden_service
+    }
+  }
+
   include site_shorewall::webapp
   include site_check_mk::agent::webapp
 }
diff --git a/puppet/modules/sshd b/puppet/modules/sshd
-Subproject 4652fbcae0aadcded5d390e71882aec1b1b738b
+Subproject 750a497758d94c2f5a6cad23cecc3dbde2d2f92
|
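Review bot: The private key source `'/srv/leap/files/nodes/web/tor.key'` hard-codes the node name `web`, so a webapp node with any other name gets the wrong key or none, and two differently named nodes would end up serving the same onion identity; tor.json already derives a per-node key via `tor_private_key_path`, so the source should come from the node rather than a literal — presumably `"/srv/leap/files/nodes/${::hostname}/tor.key"` if this module follows the `${::hostname}` convention for other per-node files, which I cannot confirm from this diff. The `private_key` and `hostname` resources also carry no `notify`, so a new or rotated key is only picked up on the next unrelated Tor restart; `notify => Service['tor']` (or whatever service resource `tor::daemon` declares) on the `private_key` file would make that deterministic. The `hostname` file is written from config although Tor regenerates it from the key itself; that is harmless, but a comment such as `# hostname is recomputed by tor from private_key; written here only so the .onion is visible before first start` would save the next reader from wondering which one wins.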
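Review bot: `$hidden_service['active']` is indexed without checking that `$tor['hidden_service']` is a hash; a node config still using the older boolean form of `tor.hidden_service`, or a `tor` hash that lacks the key, hits that line with a boolean or undef, which errors or silently evaluates to false depending on the parser rather than giving a clear message. One guarded condition covers both and removes the nesting: `if $tor and is_hash($tor['hidden_service']) and $tor['hidden_service']['active'] { include site_webapp::hidden_service }` (with `is_hash` from stdlib, if this platform already depends on it). The `class site_webapp` body starts and ends outside both hunks.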
