Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/manifests/site.pp | 10 | ||||
| -rw-r--r-- | puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb | 2 | ||||
| -rw-r--r-- | puppet/modules/site_static/manifests/hidden_service.pp | 8 | ||||
| -rw-r--r-- | puppet/modules/site_static/manifests/init.pp | 21 | ||||
| -rw-r--r-- | puppet/modules/site_static/templates/apache.conf.erb | 12 | ||||
| -rw-r--r-- | puppet/modules/site_tor/manifests/disable_exit.pp | 6 | ||||
| -rw-r--r-- | puppet/modules/site_tor/manifests/hidden_service.pp | 13 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/hidden_service.pp | 7 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 7 | 
9 files changed, 58 insertions, 28 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index e243c5df..1f80c47c 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -44,10 +44,18 @@ node default {
     include site_nagios
   }
-  if member($services, 'tor') {
+  if member($services, 'tor_relay') {
     include site_tor::relay
   }
+  if member($services, 'tor_exit') {
+    include site_tor::relay
+  }
+
+  if member($services, 'tor_hidden_service') {
+    include site_tor::hidden_service
+  }
+
   if member($services, 'mx') {
     include site_mx
   }
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
index 1d19094e..ddf69a42 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
@@ -1,5 +1,5 @@
 <VirtualHost 127.0.0.1:80>
-  ServerName <%= @tor_domain %>
+  ServerName <%= @onion_domain %>
   <IfModule mod_headers.c>
     Header always unset X-Powered-By
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index 31cf328e..f23727f7 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -1,13 +1,15 @@
 # create hidden service for static sites
 class site_static::hidden_service ( $single_hop = false ) {
+  Class['site_tor::hidden_service'] -> Class['site_static::hidden_service']
+  include site_tor::hidden_service
-  include site_tor
   tor::daemon::hidden_service { 'static':
     ports      => [ '80 127.0.0.1:80'],
     single_hop => $single_hop
   }
+
   file {
-    '/var/lib/tor/webapp/':
+    '/var/lib/tor/static/':
       ensure => directory,
       owner  => 'debian-tor',
       group  => 'debian-tor',
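Review bot: The new `tor_exit` branch in site.pp includes exactly the same class as `tor_relay` (`include site_tor::relay`), so nothing in this hunk distinguishes an exit from a non-exit relay; presumably `site_tor::relay` looks at `$services` itself, but a reader of the node definition cannot see that. A comment above the two branches would make the intent explicit, e.g. `# tor_relay and tor_exit both use site_tor::relay; exit vs. non-exit is decided there` (adjust if the decision lives elsewhere). Since `include` is idempotent a node listing both services is harmless here, but the same node may also list `tor_hidden_service`, which is worth stating where the service list is evaluated.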
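Review bot: In the site_static::hidden_service hunk the `$single_hop` parameter on the class line is still undocumented, although it is the one setting in this class that changes the security posture of the onion service: a single-hop (non-anonymous) service drops the service-side circuit hops, so the host's network location is no longer hidden. Extend the header comment with something like `# $single_hop: true only for a non-anonymous onion service whose server location need not be hidden`. The class body continues past the end of this hunk.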
@@ -23,7 +25,7 @@ class site_static::hidden_service ( $single_hop = false ) {
     '/var/lib/tor/static/hostname':
       ensure  => present,
-      content => "${::site_static::tor_domain}\n",
+      content => "${::site_static::onion_domain}\n",
       owner   => 'debian-tor',
       group   => 'debian-tor',
       mode    => '0600',
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 96d92f74..40c6a28b 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -7,15 +7,16 @@ class site_static {
   include site_config::x509::key
   include site_config::x509::ca_bundle
-  $static         = hiera('static')
-  $domains        = $static['domains']
-  $formats        = $static['formats']
-  $bootstrap      = $static['bootstrap_files']
-  $tor            = hiera('tor', false)
-  if $tor and member($services, 'tor') and $tor['hidden_service']['active'] == true {
-    $tor_active = true
+  $services  = hiera('services', [])
+  $static    = hiera('static')
+  $domains   = $static['domains']
+  $formats   = $static['formats']
+  $bootstrap = $static['bootstrap_files']
+  $tor       = hiera('tor', false)
+  if $tor and member($services, 'tor_hidden_service') {
+    $onion_active = true
   } else {
-    $tor_active = false
+    $onion_active = false
   }
   file {
@@ -76,9 +77,9 @@ class site_static {
     }
   }
-  if $tor_active {
+  if $onion_active {
     $hidden_service = $tor['hidden_service']
-    $tor_domain     = "${hidden_service['address']}.onion"
+    $onion_domain     = "${hidden_service['address']}.onion"
     class { 'site_static::hidden_service':
       single_hop => $hidden_service['single_hop']
     }
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 75d834e7..716df437 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
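Review bot: In the second site_static init.pp hunk (`@@ -76,9 +77,9 @@`) the new `$onion_domain     = ...` line keeps the five-space padding that aligned the shorter `$tor_domain`, so its `=` no longer lines up with `$hidden_service =` on the line above; `$onion_domain   = "${hidden_service['address']}.onion"` restores the alignment. In the first hunk `$onion_active` now becomes true whenever `tor_hidden_service` is in `$services`, and the old `$tor['hidden_service']['active']` check is gone, so a node that lists the service but has no `hidden_service` hash under `tor` in hiera would only fail later at `$hidden_service['address']`, with a less direct error. If that combination can occur, a guard next to `$onion_active = true` that checks `$tor['hidden_service']` is present would fail with a clearer message.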
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -74,14 +74,14 @@
   Require all granted
 </Directory>
-<%- if @tor_active && (@always_use_hidden_service || @use_hidden_service) -%>
+<%- if @onion_active && (@always_use_hidden_service || @use_hidden_service) -%>
 ##
-## Tor
+## Hidden Service
 ##
 <VirtualHost 127.0.0.1:80>
-  ServerName <%= @tor_domain %>
+  ServerName <%= @onion_domain %>
 <%- if @www_alias -%>
-  ServerAlias www.<%= @tor_domain %>
+  ServerAlias www.<%= @onion_domain %>
 <%- end -%>
   <IfModule mod_headers.c>
@@ -105,7 +105,7 @@
 <VirtualHost *:80>
   ServerName <%= @domain %>
 <%- if @www_alias -%>
-  ServerAlias www.<%= @tor_domain %>
+  ServerAlias www.<%= @domain %>
 <%- end -%>
 <%- @aliases && @aliases.each do |domain_alias| -%>
   ServerAlias <%= domain_alias %>
@@ -127,7 +127,7 @@
 <VirtualHost *:443>
   ServerName <%= @domain %>
 <%- if @www_alias -%>
-  ServerAlias www.<%= @tor_domain %>
+  ServerAlias www.<%= @domain %>
 <%- end -%>
 <%- @aliases && @aliases.each do |domain_alias| -%>
   ServerAlias <%= domain_alias %>
diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp
index 078f80ae..85c24bfc 100644
--- a/puppet/modules/site_tor/manifests/disable_exit.pp
+++ b/puppet/modules/site_tor/manifests/disable_exit.pp
@@ -1,7 +1,13 @@
+# ensure that the tor relay is not configured as an exit node
 class site_tor::disable_exit {
   tor::daemon::exit_policy {
     'no_exit_at_all':
       reject => [ '*:*' ];
   }
+# In a future version of Tor, ExitRelay 0 may become the default when no ExitPolicy is given.
+  tor::daemon::snippet {
+    'disable_exit':
+      content => 'ExitRelay 0';
+  }
 }
diff --git a/puppet/modules/site_tor/manifests/hidden_service.pp b/puppet/modules/site_tor/manifests/hidden_service.pp
new file mode 100644
index 00000000..87a7b696
--- /dev/null
+++ b/puppet/modules/site_tor/manifests/hidden_service.pp
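Review bot: In the disable_exit.pp hunk the comment added before `tor::daemon::snippet` sits at column 0 inside the class body, breaking the two-space indent used by every other line of the class; indent it as `  # In a future version of Tor, ExitRelay 0 may become the default when no ExitPolicy is given.`. The comment also describes a possible future default rather than what the snippet does today, which is the more useful fact for an operator reading the resulting torrc; consider `  # ExitRelay 0 tells tor never to act as an exit, independently of the ExitPolicy above` so the relationship between the two resources is explicit.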
@@ -0,0 +1,13 @@
+# This class simply makes sure a base tor is installed and configured
+# It doesn't configure any specific hidden service functionality,
+# instead that is configured in site_webapp::hidden_service and
+# site_static::hidden_service.
+#
+# Those could be factored out to make them more generic.
+class site_tor::hidden_service {
+  tag 'leap_service'
+  Class['site_config::default'] -> Class['site_tor::hidden_service']
+
+  include site_config::default
+  include site_tor
+}
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 3f3f1d0c..1f87da6b 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -1,8 +1,10 @@
 # Configure tor hidden service for webapp
 class site_webapp::hidden_service {
+  Class['site_tor::hidden_service'] -> Class['site_webapp::hidden_service']
+  include site_tor::hidden_service
   $tor              = hiera('tor')
   $hidden_service   = $tor['hidden_service']
-  $tor_domain       = "${hidden_service['address']}.onion"
+  $onion_domain     = "${hidden_service['address']}.onion"
   include site_apache::common
   include apache::module::headers
@@ -10,7 +12,6 @@ class site_webapp::hidden_service {
   include apache::module::expires
   include apache::module::removeip
-  include site_tor
   tor::daemon::hidden_service { 'webapp':
     ports      => [ '80 127.0.0.1:80'],
     single_hop => $hidden_service['single_hop']
@@ -33,7 +34,7 @@ class site_webapp::hidden_service {
     '/var/lib/tor/webapp/hostname':
       ensure  => present,
-      content => "${tor_domain}\n",
+      content => "${onion_domain}\n",
       owner   => 'debian-tor',
       group   => 'debian-tor',
       mode    => '0600',
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index deb8e8c8..605d71b3 100644
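Review bot: The header comment of the new site_tor::hidden_service class says it only ensures a base tor, but after the site.pp change a node may list `tor_hidden_service` together with `tor_relay` or `tor_exit`, and this class ends with `include site_tor`, so if `site_tor` is also the base that `site_tor::relay` builds on (not visible in this diff) a single tor daemon would serve as both relay and onion service. Tor's onion-service documentation recommends against hosting an onion service on a relay, because relay traffic can help correlate the service with the host. The comment block should say whether that combination is supported, e.g. `# Not intended to be combined with tor_relay/tor_exit on the same node: an onion service should not share a tor daemon with a relay`, or the node definition should refuse the combination.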
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,6 +1,7 @@
 # configure webapp service
 class site_webapp {
   tag 'leap_service'
+  $services         = hiera('services', [])
   $definition_files = hiera('definition_files')
   $provider         = $definition_files['provider']
   $eip_service      = $definition_files['eip_service']
@@ -177,11 +178,9 @@ class site_webapp {
       notify  => Service['apache'];
   }
-  if $tor {
+  if $tor and member($services, 'tor_hidden_service') {
     $hidden_service = $tor['hidden_service']
-    if $hidden_service['active'] {
-      include ::site_webapp::hidden_service
-    }
+    include ::site_webapp::hidden_service
   }
