Diffstat (limited to 'puppet/modules/tor/manifests')
25 files changed, 459 insertions, 0 deletions
diff --git a/puppet/modules/tor b/puppet/modules/tor
deleted file mode 160000
-Subproject 8c936c166b6da1ebd0e8d95e56ceee5167357d6
diff --git a/puppet/modules/tor/manifests/arm.pp b/puppet/modules/tor/manifests/arm.pp
new file mode 100644
index 00000000..44ddcbbf
--- /dev/null
+++ b/puppet/modules/tor/manifests/arm.pp
@@ -0,0 +1,9 @@
+# manage tor-arm
+class tor::arm (
+ $ensure_version = 'installed'
+){
+ include ::tor
+ package{'tor-arm':
+ ensure => $ensure_version,
+ }
+}
diff --git a/puppet/modules/tor/manifests/base.pp b/puppet/modules/tor/manifests/base.pp
new file mode 100644
index 00000000..b98451be
--- /dev/null
+++ b/puppet/modules/tor/manifests/base.pp
@@ -0,0 +1,14 @@
+# basic management of resources for tor
+class tor::base {
+ package { [ 'tor', 'tor-geoipdb' ]:
+ ensure => $tor::ensure_version,
+ }
+
+ service { 'tor':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => Package['tor'],
+ }
+}
diff --git a/puppet/modules/tor/manifests/compact.pp b/puppet/modules/tor/manifests/compact.pp
new file mode 100644
index 00000000..c0f59199
--- /dev/null
+++ b/puppet/modules/tor/manifests/compact.pp
@@ -0,0 +1,7 @@
+# manage a complete tor
+# installation with all the basics
+class tor::compact {
+ include ::tor
+ include tor::polipo
+ include tor::torsocks
+}
diff --git a/puppet/modules/tor/manifests/daemon.pp b/puppet/modules/tor/manifests/daemon.pp
new file mode 100644
index 00000000..2522b2cc
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon.pp
@@ -0,0 +1,22 @@
+# manage a snippet based tor installation
+class tor::daemon (
+ $ensure_version = 'installed',
+ $use_munin = false,
+ $data_dir = '/var/lib/tor',
+ $config_file = '/etc/tor/torrc',
+ $use_bridges = 0,
+ $automap_hosts_on_resolve = 0,
+ $log_rules = [ 'notice file /var/log/tor/notices.log' ],
+ $safe_logging = 1,
+) {
+
+ class{'tor':
+ ensure_version => $ensure_version,
+ }
+
+ include tor::daemon::base
+
+ if $use_munin {
+ include tor::munin
+ }
+}
diff --git a/puppet/modules/tor/manifests/daemon/base.pp b/puppet/modules/tor/manifests/daemon/base.pp
new file mode 100644
index 00000000..63d7bc4d
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/base.pp
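Review bot: `class{'tor': ensure_version => $ensure_version, }` is a resource-like declaration of `tor`, while arm.pp, compact.pp, polipo.pp and torsocks.pp all `include ::tor`; if any of those classes is evaluated before `tor::daemon` the resource-like declaration fails with a duplicate-declaration error, and if `tor::daemon` happens to come first the later `include`s silently accept whatever `ensure_version` was set here. Declare `tor` resource-like in exactly one place (or switch this class to `include ::tor` and let `tor::ensure_version` be set by the caller) so catalog compilation does not depend on evaluation order. `$use_bridges`, `$automap_hosts_on_resolve`, `$log_rules` and `$safe_logging` are never referenced in this class; presumably the torrc templates read them as `$tor::daemon::<name>`, which a header comment such as `# the remaining parameters are consumed by the torrc templates via $tor::daemon::<name>` should state so nobody removes them as unused.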
@@ -0,0 +1,77 @@
+# extend basic tor things with a snippet based daemon configuration
+class tor::daemon::base inherits tor::base {
+ # packages, user, group
+ Service['tor'] {
+ subscribe => File[$tor::daemon::config_file],
+ }
+
+ Package[ 'tor' ] {
+ require => File[$tor::daemon::data_dir],
+ }
+
+ group { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ }
+
+ user { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ comment => 'tor user,,,',
+ home => $tor::daemon::data_dir,
+ shell => '/bin/false',
+ gid => 'debian-tor',
+ require => Group['debian-tor'],
+ }
+
+ # directories
+ file { $tor::daemon::data_dir:
+ ensure => directory,
+ mode => '0700',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/etc/tor':
+ ensure => directory,
+ mode => '0755',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/var/lib/puppet/modules/tor':
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
+ # tor configuration file
+ concat { $tor::daemon::config_file:
+ mode => '0600',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ }
+
+ # config file headers
+ concat::fragment { '00.header':
+ ensure => present,
+ content => template('tor/torrc.header.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 00,
+ target => $tor::daemon::config_file,
+ }
+
+ # global configurations
+ concat::fragment { '01.global':
+ content => template('tor/torrc.global.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 01,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/puppet/modules/tor/manifests/daemon/bridge.pp b/puppet/modules/tor/manifests/daemon/bridge.pp
new file mode 100644
index 00000000..063f5656
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/bridge.pp
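Review bot: `/etc/tor` and the `concat { $tor::daemon::config_file: ... }` target are owned by `debian-tor`, the account the daemon runs as, so a compromised or misbehaving tor process can rewrite its own torrc (control port, exit policy, hidden services) and the change persists until the next puppet run; the daemon only needs to read the file. polipo/base.pp already manages `/etc/polipo/config` as `root`, and the same split should apply here: `owner => root, group => 'debian-tor', mode => '0640'` on the concat target and `owner => root` on `/etc/tor`, with the fragments' `owner`/`group` following. A secondary point: `order => 00` and `order => 01` are bare numeric literals while dns.pp, map_address.pp and transparent.pp quote `'08'`/`'09'`; leading-zero literals are octal to the parser, which is presumably why 08 and 09 had to be quoted, so quoting every order as a two-character string keeps fragment sorting uniform across bridge.pp, control.pp, directory.pp, exit_policy.pp, hidden_service.pp, relay.pp, socks.pp and snippet.pp.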
@@ -0,0 +1,18 @@
+# Bridge definition
+define tor::daemon::bridge(
+ $ip,
+ $port,
+ $fingerprint = false,
+ $ensure = present ) {
+
+ concat::fragment { "10.bridge.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.bridge.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 10,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/control.pp b/puppet/modules/tor/manifests/daemon/control.pp
new file mode 100644
index 00000000..01726562
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/control.pp
@@ -0,0 +1,27 @@
+# control definition
+define tor::daemon::control(
+ $port = 0,
+ $hashed_control_password = '',
+ $cookie_authentication = 0,
+ $cookie_auth_file = '',
+ $cookie_auth_file_group_readable = '',
+ $ensure = present ) {
+
+ if $cookie_authentication == '0' and $hashed_control_password == '' and $ensure != 'absent' {
+ fail('You need to define the tor control password')
+ }
+
+ if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') {
+ notice('You set a tor cookie authentication option, but do not have cookie_authentication on')
+ }
+
+ concat::fragment { '04.control':
+ ensure => $ensure,
+ content => template('tor/torrc.control.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0600',
+ order => 04,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/puppet/modules/tor/manifests/daemon/directory.pp b/puppet/modules/tor/manifests/daemon/directory.pp
new file mode 100644
index 00000000..d877a861
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/directory.pp
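Review bot: the guard `if $cookie_authentication == '0' and $hashed_control_password == '' and $ensure != 'absent'` compares against the string `'0'` while the next condition and the parameter default use the number `0`; under strict type comparison the first test never matches, and that test is the only thing preventing a control port with neither a hashed password nor cookie authentication from being written into torrc. Use the same literal in both places, `if $cookie_authentication == 0 and $hashed_control_password == '' and $ensure != 'absent' {`. The check also fires when `$port` is left at its default of `0`; if the template treats `0` as "no control port" (torrc.control.erb is not in the diff, so this needs confirming), adding `and $port != 0` avoids a spurious `fail` for callers who only want the fragment removed later.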
@@ -0,0 +1,27 @@
+# directory advertising
+define tor::daemon::directory (
+ $port = 0,
+ $listen_addresses = [],
+ $port_front_page = '/etc/tor/tor-exit-notice.html',
+ $ensure = present ) {
+
+ concat::fragment { '06.directory':
+ ensure => $ensure,
+ content => template('tor/torrc.directory.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 06,
+ target => $tor::daemon::config_file,
+ }
+
+ file { '/etc/tor/tor-exit-notice.html':
+ ensure => $ensure,
+ source => 'puppet:///modules/tor/tor-exit-notice.html',
+ require => File['/etc/tor'],
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/dns.pp b/puppet/modules/tor/manifests/daemon/dns.pp
new file mode 100644
index 00000000..4677f24d
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/dns.pp
@@ -0,0 +1,17 @@
+# DNS definition
+define tor::daemon::dns(
+ $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concat::fragment { "08.dns.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.dns.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => '08',
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/exit_policy.pp b/puppet/modules/tor/manifests/daemon/exit_policy.pp
new file mode 100644
index 00000000..f459ece7
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/exit_policy.pp
@@ -0,0 +1,18 @@
+# exit policies
+define tor::daemon::exit_policy(
+ $accept = [],
+ $reject = [],
+ $reject_private = 1,
+ $ensure = present ) {
+
+ concat::fragment { "07.exit_policy.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.exit_policy.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 07,
+ target => $tor::daemon::config_file,
+ }
+}
+
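Review bot: `$port_front_page` defaults to `/etc/tor/tor-exit-notice.html`, but the `file` resource below manages that literal path no matter what the caller passes, so a custom front page would be referenced from the template while the stock notice file is still deployed to (or, with `ensure => absent`, removed from) the default path. Use the parameter as the resource title, `file { $port_front_page:`, or drop the parameter if the path is meant to be fixed. The `file` resource is also owned by `debian-tor` although it is static content served verbatim; `owner => root` is the safer default for something the daemon only reads.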
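Review bot: `order => '08'` here is the same order value map_address.pp gives its `"08.map_address.${name}"` fragments, so the relative position of DNS and MapAddress lines in the generated torrc is decided only by the fragment names; if the order matters, give one of the two its own number (transparent.pp already holds `'09'`). A short comment at the top of the define, `# order 08 is shared with tor::daemon::map_address`, would at least make the overlap visible to the next person adding a fragment.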
diff --git a/puppet/modules/tor/manifests/daemon/hidden_service.pp b/puppet/modules/tor/manifests/daemon/hidden_service.pp
new file mode 100644
index 00000000..c8272116
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/hidden_service.pp
@@ -0,0 +1,17 @@
+# hidden services definition
+define tor::daemon::hidden_service(
+ $ports = [],
+ $data_dir = $tor::daemon::data_dir,
+ $ensure = present ) {
+
+ concat::fragment { "05.hidden_service.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.hidden_service.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 05,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/map_address.pp b/puppet/modules/tor/manifests/daemon/map_address.pp
new file mode 100644
index 00000000..270eac21
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/map_address.pp
@@ -0,0 +1,17 @@
+# map address definition
+define tor::daemon::map_address(
+ $address = '',
+ $newaddress = '',
+ $ensure = 'present') {
+
+ concat::fragment { "08.map_address.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.map_address.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => '08',
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/relay.pp b/puppet/modules/tor/manifests/daemon/relay.pp
new file mode 100644
index 00000000..ff528937
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/relay.pp
@@ -0,0 +1,42 @@
+# relay definition
+define tor::daemon::relay(
+ $port = 0,
+ $listen_addresses = [],
+ $outbound_bindaddresses = [],
+ $portforwarding = 0,
+ # KB/s, defaulting to using tor's default: 5120KB/s
+ $bandwidth_rate = '',
+ # KB/s, defaulting to using tor's default: 10240KB/s
+ $bandwidth_burst = '',
+ # KB/s, 0 for no limit
+ $relay_bandwidth_rate = 0,
+ # KB/s, 0 for no limit
+ $relay_bandwidth_burst = 0,
+ # GB, 0 for no limit
+ $accounting_max = 0,
+ $accounting_start = [],
+ $contact_info = '',
+ # TODO: autofill with other relays
+ $my_family = '',
+ $address = "tor.${::domain}",
+ $bridge_relay = 0,
+ $ensure = present ) {
+
+ $nickname = $name
+
+ if $outbound_bindaddresses == [] {
+ $real_outbound_bindaddresses = []
+ } else {
+ $real_outbound_bindaddresses = $outbound_bindaddresses
+ }
+
+ concat::fragment { '03.relay':
+ ensure => $ensure,
+ content => template('tor/torrc.relay.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 03,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/puppet/modules/tor/manifests/daemon/snippet.pp b/puppet/modules/tor/manifests/daemon/snippet.pp
new file mode 100644
index 00000000..b9089b40
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/snippet.pp
@@ -0,0 +1,16 @@
+# Arbitrary torrc snippet definition
+define tor::daemon::snippet(
+ $content = '',
+ $ensure = present ) {
+
+ concat::fragment { "99.snippet.${name}":
+ ensure => $ensure,
+ content => $content,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 99,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/daemon/socks.pp b/puppet/modules/tor/manifests/daemon/socks.pp
new file mode 100644
index 00000000..910461c9
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/socks.pp
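Review bot: the `if $outbound_bindaddresses == [] { ... } else { ... }` block assigns the same value in both branches, so `$real_outbound_bindaddresses` is always identical to `$outbound_bindaddresses`; replace the five lines with `$real_outbound_bindaddresses = $outbound_bindaddresses` (kept only if torrc.relay.erb, which is not in the diff, references the `real_` name). `$address = "tor.${::domain}"` silently becomes `tor.` on an agent whose `domain` fact is empty, and for a relay this is the address published in its descriptor, so a `fail` or at least a comment `# Address advertised to the directory; override per node when the domain fact is unset` is worth adding next to the parameter. The `# TODO: autofill with other relays` on `$my_family` should say what an empty value means for the generated MyFamily line so the TODO is not mistaken for a missing feature.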
@@ -0,0 +1,15 @@
+# socks definition
+define tor::daemon::socks(
+ $port = 0,
+ $listen_addresses = [],
+ $policies = [] ) {
+
+ concat::fragment { '02.socks':
+ content => template('tor/torrc.socks.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 02,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/puppet/modules/tor/manifests/daemon/transparent.pp b/puppet/modules/tor/manifests/daemon/transparent.pp
new file mode 100644
index 00000000..65d744f4
--- /dev/null
+++ b/puppet/modules/tor/manifests/daemon/transparent.pp
@@ -0,0 +1,17 @@
+# Transparent proxy definition
+define tor::daemon::transparent(
+ $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concat::fragment { "09.transparent.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.transparent.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => '09',
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/puppet/modules/tor/manifests/init.pp b/puppet/modules/tor/manifests/init.pp
new file mode 100644
index 00000000..9c19c648
--- /dev/null
+++ b/puppet/modules/tor/manifests/init.pp
@@ -0,0 +1,6 @@
+# manage a basic tor installation
+class tor (
+ $ensure_version = 'installed'
+){
+ include tor::base
+}
diff --git a/puppet/modules/tor/manifests/munin.pp b/puppet/modules/tor/manifests/munin.pp
new file mode 100644
index 00000000..4412337a
--- /dev/null
+++ b/puppet/modules/tor/manifests/munin.pp
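Review bot: `tor::daemon::socks` is the only define in this set without an `$ensure` parameter, so once a `'02.socks'` fragment has been declared it cannot be removed through the same interface the other defines offer; add `$ensure = present` to the signature and `ensure => $ensure,` to the fragment, matching dns.pp and transparent.pp. With `$listen_addresses = []` and `$policies = []` it is the template that decides which SocksPort/SocksPolicy lines appear, which the header comment should say, e.g. `# socks definition; with empty listen_addresses/policies the defaults in tor/torrc.socks.erb apply`.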
@@ -0,0 +1,21 @@
+# munin plugins for puppet
+class tor::munin {
+ tor::daemon::control{
+ 'control_port_for_munin':
+ port => 19051,
+ cookie_authentication => 1,
+ cookie_auth_file => '/var/run/tor/control.authcookie',
+ }
+
+ Munin::Plugin::Deploy {
+ config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051"
+ }
+ munin::plugin::deploy {
+ 'tor_connections':
+ source => 'tor/munin/tor_connections';
+ 'tor_routers':
+ source => 'tor/munin/tor_routers';
+ 'tor_traffic':
+ source => 'tor/munin/tor_traffic';
+ }
+}
diff --git a/puppet/modules/tor/manifests/polipo.pp b/puppet/modules/tor/manifests/polipo.pp
new file mode 100644
index 00000000..73dc2262
--- /dev/null
+++ b/puppet/modules/tor/manifests/polipo.pp
@@ -0,0 +1,9 @@
+# manage the polipo proxy service
+class tor::polipo {
+ include ::tor
+
+ case $::operatingsystem {
+ 'debian': { include tor::polipo::debian }
+ default: { include tor::polipo::base }
+ }
+}
diff --git a/puppet/modules/tor/manifests/polipo/base.pp b/puppet/modules/tor/manifests/polipo/base.pp
new file mode 100644
index 00000000..df2d6ea6
--- /dev/null
+++ b/puppet/modules/tor/manifests/polipo/base.pp
@@ -0,0 +1,22 @@
+# manage polipo resources
+class tor::polipo::base {
+ package{'polipo':
+ ensure => present,
+ }
+
+ file { '/etc/polipo/config':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0644',
+ source => 'puppet:///modules/tor/polipo/polipo.conf',
+ require => Package['polipo'],
+ notify => Service['polipo'],
+ }
+
+ service { 'polipo':
+ ensure => running,
+ enable => true,
+ require => [ Package['polipo'], Service['tor'] ],
+ }
+}
diff --git a/puppet/modules/tor/manifests/polipo/debian.pp b/puppet/modules/tor/manifests/polipo/debian.pp
new file mode 100644
index 00000000..607b3617
--- /dev/null
+++ b/puppet/modules/tor/manifests/polipo/debian.pp
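Review bot: `tor::daemon::control{ 'control_port_for_munin': ... }` ends up as the fixed concat fragment `'04.control'` (the define's fragment title carries no `${name}`), so any other `tor::daemon::control` declaration on the same node — the normal way to enable a control port — collides with this one as a duplicate resource, and `$use_munin = true` in `tor::daemon` is therefore only usable on nodes that declare no control port of their own. Either change the fragment title in control.pp to `"04.control.${name}"` or document the restriction at the top of this class: `# NOTE: declares the node's only tor::daemon::control; do not combine with another control declaration`. The plugin config runs the plugins as `debian-tor` so they can read the cookie file rather than loosening the cookie's permissions, which is the right side of the privilege boundary; a one-line comment saying so would save the next reader a lookup.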
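Review bot: `case $::operatingsystem { 'debian': ... }` matches a lowercase string while repo.pp matches `'Debian'` for `$::osfamily`; the `operatingsystem` fact is reported capitalised, and string matching in `case` is case-insensitive only in the older parser, so on a case-sensitive parser this branch silently falls through to `tor::polipo::base` on Debian hosts and the `hasstatus`/`pattern` override in polipo/debian.pp is never applied. Use `'Debian'` here for consistency with repo.pp.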
@@ -0,0 +1,7 @@
+# manage polipo on debian
+class tor::polipo::debian inherits tor::polipo::base {
+ Service['polipo'] {
+ hasstatus => false,
+ pattern => '/usr/bin/polipo',
+ }
+}
diff --git a/puppet/modules/tor/manifests/repo.pp b/puppet/modules/tor/manifests/repo.pp
new file mode 100644
index 00000000..f6255995
--- /dev/null
+++ b/puppet/modules/tor/manifests/repo.pp
@@ -0,0 +1,16 @@
+class tor::repo (
+ $ensure = present,
+ $source_name = 'torproject.org',
+ $include_src = false,
+) {
+ case $::osfamily {
+ 'Debian': {
+ $key = '886DDD89'
+ $location = 'https://deb.torproject.org/torproject.org/'
+ class { 'tor::repo::debian': }
+ }
+ default: {
+ fail("Unsupported managed repository for osfamily: ${::osfamily}, operatingsystem: ${::operatingsystem}, module ${module_name} currently only supports managing repos for osfamily Debian and Ubuntu")
+ }
+ }
+}
diff --git a/puppet/modules/tor/manifests/repo/debian.pp b/puppet/modules/tor/manifests/repo/debian.pp
new file mode 100644
index 00000000..174c3310
--- /dev/null
+++ b/puppet/modules/tor/manifests/repo/debian.pp
@@ -0,0 +1,9 @@
+# PRIVATE CLASS: do not use directly
+class tor::repo::debian inherits tor::repo {
+ apt::source { $source_name:
+ ensure => $::tor::repo::ensure,
+ location => $::tor::repo::location,
+ key => $::tor::repo::key,
+ include_src => $::tor::repo::include_src,
+ }
+}
diff --git a/puppet/modules/tor/manifests/torsocks.pp b/puppet/modules/tor/manifests/torsocks.pp
new file mode 100644
index 00000000..e9fc75b2
--- /dev/null
+++ b/puppet/modules/tor/manifests/torsocks.pp
@@ -0,0 +1,9 @@
+# manage torsocks
+class tor::torsocks (
+ $ensure_version = 'installed'
+){
+ include ::tor
+ package{'torsocks':
+ ensure => $ensure_version,
+ }
+} |
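Review bot: `$key = '886DDD89'` is an 8-hex-digit short key id; short ids are cheap to collide, so a key retrieved by short id does not actually pin the Tor Project's archive signing key, and pinning that key is the whole reason this class exists. Use the full 40-hex-digit fingerprint as published by the Tor Project (e.g. `$key = '<FULL-FINGERPRINT-FROM-TORPROJECT-PLACEHOLDER>'`), which puppetlabs-apt accepts in `key` in place of the short id. This is also the only class in the set without a header comment — `# manage the Tor Project apt repository (osfamily Debian only)` would match the others — and the `fail` message's "Debian and Ubuntu" describes exactly what `$::osfamily == 'Debian'` already covers, so it can be shortened to avoid suggesting a separate Ubuntu branch is missing.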
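Review bot: `apt::source { $source_name:` relies on the inherited, unqualified `$source_name` while every attribute below uses the fully qualified `$::tor::repo::...` form; the mix reads as if `$source_name` were undefined and stops working if the `inherits tor::repo` is ever dropped in favour of a plain `include`. Use `apt::source { $::tor::repo::source_name:` so the title is resolved the same way as the attributes.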