summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--provider_base/lib/macros/keys.rb8
-rw-r--r--provider_base/services/tor.json12
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb33
-rw-r--r--puppet/modules/site_webapp/manifests/hidden_service.pp43
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp8
m---------puppet/modules/sshd0
6 files changed, 96 insertions, 8 deletions
diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb
index 0d46acb5..ea4c3df2 100644
--- a/provider_base/lib/macros/keys.rb
+++ b/provider_base/lib/macros/keys.rb
@@ -15,8 +15,10 @@ module LeapCli
path = file_path(path_name)
if path.nil?
generate_tor_key(key_type)
+ file_path(path_name)
+ else
+ path
end
- return path
end
#
@@ -27,8 +29,10 @@ module LeapCli
path = file_path(path_name)
if path.nil?
generate_tor_key(key_type)
+ file_path(path_name)
+ else
+ path
end
- return path
end
#
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 87fb9682..55d3d2ee 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -4,12 +4,12 @@
"contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten",
"nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]",
"family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')",
- "hidden_service": null,
- "key": {
- "type": "RSA",
- "public": "= tor_public_key_path(:node_tor_pub_key, tor.key.type) if tor.hidden_service",
- "private": "= tor_private_key_path(:node_tor_priv_key, tor.key.type) if tor.hidden_service",
- "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service"
+ "hidden_service": {
+ "active": null,
+ "key_type": "RSA",
+ "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active",
+ "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active",
+ "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active"
}
}
}
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
new file mode 100644
index 00000000..0c6f3b8e
--- /dev/null
+++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
@@ -0,0 +1,33 @@
+<VirtualHost 127.0.0.1:80>
+ ServerName <%= tor_domain %>
+
+ <IfModule mod_headers.c>
+ Header always unset X-Powered-By
+ Header always unset X-Runtime
+ </IfModule>
+
+<% if (defined? @services) and (@services.include? 'webapp') -%>
+ DocumentRoot /srv/leap/webapp/public
+
+ RewriteEngine On
+ # Check for maintenance file and redirect all requests
+ RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+ RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+ RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
+ RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
+
+ # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
+ AllowEncodedSlashes on
+ PassengerAllowEncodedSlashes on
+ PassengerFriendlyErrorPages off
+ SetEnv TMPDIR /var/tmp
+
+ # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes)
+ <Location /assets/>
+ Header unset ETag
+ FileETag None
+ ExpiresActive On
+ ExpiresDefault "access plus 1 year"
+ </Location>
+<% end -%>
+</VirtualHost>
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
new file mode 100644
index 00000000..ac0e8a37
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -0,0 +1,43 @@
+class site_webapp::hidden_service {
+ $tor = hiera('tor')
+ $hidden_service = $tor['hidden_service']
+ $tor_domain = "${hidden_service['address']}.onion"
+
+ include site_apache::common
+ include site_apache::module::headers
+ include site_apache::module::alias
+ include site_apache::module::expires
+ include site_apache::module::removeip
+
+ include tor::daemon
+ tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' }
+
+ file {
+ '/var/lib/tor/webapp/':
+ ensure => directory,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '2700';
+
+ '/var/lib/tor/webapp/private_key':
+ ensure => present,
+ source => '/srv/leap/files/nodes/web/tor.key',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0600';
+
+ '/var/lib/tor/webapp/hostname':
+ ensure => present,
+ content => $tor_domain,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0600';
+ }
+
+ apache::vhost::file {
+ 'hidden_service':
+ content => template('site_apache/vhosts.d/hidden_service.conf.erb')
+ }
+
+ include site_shorewall::tor
+} \ No newline at end of file
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 17b010f3..752993c1 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -10,6 +10,7 @@ class site_webapp {
$webapp = hiera('webapp')
$api_version = $webapp['api_version']
$secret_token = $webapp['secret_token']
+ $tor = hiera('tor', false)
Class['site_config::default'] -> Class['site_webapp']
@@ -157,6 +158,13 @@ class site_webapp {
notify => Service['apache'];
}
+ if $tor {
+ $hidden_service = $tor['hidden_service']
+ if $hidden_service['active'] {
+ include site_webapp::hidden_service
+ }
+ }
+
include site_shorewall::webapp
include site_check_mk::agent::webapp
}
diff --git a/puppet/modules/sshd b/puppet/modules/sshd
-Subproject 4652fbcae0aadcded5d390e71882aec1b1b738b
+Subproject 750a497758d94c2f5a6cad23cecc3dbde2d2f92