From 68e9a28da2db4cb494bc19a1aeaa0663cb286414 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 2 May 2017 16:23:20 -0400
Subject: Restructure site_tor to be more clear and re-usable (fixes #8784).

This makes a more clear site_tor::relay class that the leap service includes, and a more generic site_tor class that other classes can depend on for setting up the initial install.
---
 puppet/manifests/site.pp | 2 +-
 .../site_static/manifests/hidden_service.pp | 2 +-
 puppet/modules/site_tor/manifests/init.pp | 41 +-------------------
 puppet/modules/site_tor/manifests/relay.pp | 45 ++++++++++++++++++++++
 .../site_webapp/manifests/hidden_service.pp | 2 +-
 5 files changed, 49 insertions(+), 43 deletions(-)
 create mode 100644 puppet/modules/site_tor/manifests/relay.pp

diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 3bf6a5c1..e243c5df 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -45,7 +45,7 @@ node default {
 }
 
 if member($services, 'tor') {
- include site_tor
+ include site_tor::relay
 }
 
 if member($services, 'mx') {
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index b64a35bc..31cf328e 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -1,7 +1,7 @@
 # create hidden service for static sites
 class site_static::hidden_service ( $single_hop = false ) {
- include tor::daemon
+ include site_tor
 
 tor::daemon::hidden_service { 'static':
 ports => [ '80 127.0.0.1:80'],
 single_hop => $single_hop
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp
index 8a92a944..356053c1 100644
--- a/puppet/modules/site_tor/manifests/init.pp
+++ b/puppet/modules/site_tor/manifests/init.pp
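Review bot: Replacing `include tor::daemon` with `include site_tor` in site_static::hidden_service also changes how the tor package is managed on hidden-service nodes, because `site_tor` declares `class { 'tor::daemon': ensure_version => latest }`; if tor::daemon's own default ensure_version is not `latest`, static and webapp hidden-service nodes now pull tor upgrades on every agent run, which the commit description does not mention. The same applies to the site_webapp hidden_service hunk. Suggest a comment above the include in both: `# include site_tor, not tor::daemon: the daemon is declared once there, with the site-wide ensure_version`. The class body continues past the hunk.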
@@ -1,45 +1,6 @@
+# generic configuration needed for tor
 class site_tor {
- tag 'leap_service'
- Class['site_config::default'] -> Class['site_tor']
 
- $tor = hiera('tor')
- $bandwidth_rate = $tor['bandwidth_rate']
- $tor_type = $tor['type']
- $nickname = $tor['nickname']
- $contact_emails = join($tor['contacts'],', ')
- $family = $tor['family']
-
- $address = hiera('ip_address')
-
- $openvpn = hiera('openvpn', undef)
- if $openvpn {
- $openvpn_ports = $openvpn['ports']
- }
- else {
- $openvpn_ports = []
- }
-
- include site_config::default
 class { 'tor::daemon': ensure_version => latest }
 
- tor::daemon::relay { $nickname:
- port => 9001,
- address => $address,
- contact_info => obfuscate_email($contact_emails),
- bandwidth_rate => $bandwidth_rate,
- my_family => $family
- }
-
- if ( $tor_type == 'exit'){
- # Only enable the daemon directory if the node isn't also a webapp node
- # or running openvpn on port 80
- if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') {
- tor::daemon::directory { $::hostname: port => 80 }
- }
- }
- else {
- include site_tor::disable_exit
- }
-
- include site_shorewall::tor
 }
diff --git a/puppet/modules/site_tor/manifests/relay.pp b/puppet/modules/site_tor/manifests/relay.pp
new file mode 100644
index 00000000..fcb83bc1
--- /dev/null
+++ b/puppet/modules/site_tor/manifests/relay.pp
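Review bot: The surviving `class { 'tor::daemon': ensure_version => latest }` is a resource-like declaration, so any manifest that still reaches `tor::daemon` through `include tor::daemon` before `site_tor` is evaluated will fail catalog compilation with a duplicate declaration; the commit rewrites the two includes it knows about, but nothing in the class states the rule. Suggest `# tor::daemon is declared here with resource-like syntax: other classes must 'include site_tor', never tor::daemon directly, or compilation fails on a duplicate declaration.` above that line. Dropping `include site_config::default` and the `Class['site_config::default'] -> Class['site_tor']` ordering means a node that only includes `site_tor` no longer gets that ordering; whether the hidden-service nodes need it I cannot tell from this hunk.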
@@ -0,0 +1,45 @@
+class site_tor::relay {
+ tag 'leap_service'
+ Class['site_config::default'] -> Class['site_tor::relay']
+
+ $tor = hiera('tor')
+ $bandwidth_rate = $tor['bandwidth_rate']
+ $tor_type = $tor['type']
+ $nickname = $tor['nickname']
+ $contact_emails = join($tor['contacts'],', ')
+ $family = $tor['family']
+
+ $address = hiera('ip_address')
+
+ $openvpn = hiera('openvpn', undef)
+ if $openvpn {
+ $openvpn_ports = $openvpn['ports']
+ }
+ else {
+ $openvpn_ports = []
+ }
+
+ include site_config::default
+ include site_tor
+
+ tor::daemon::relay { $nickname:
+ port => 9001,
+ address => $address,
+ contact_info => obfuscate_email($contact_emails),
+ bandwidth_rate => $bandwidth_rate,
+ my_family => $family
+ }
+
+ if ( $tor_type == 'exit'){
+ # Only enable the daemon directory if the node isn't also a webapp node
+ # or running openvpn on port 80
+ if ! member($::services, 'webapp') and ! member($openvpn_ports, '80') {
+ tor::daemon::directory { $::hostname: port => 80 }
+ }
+ }
+ else {
+ include site_tor::disable_exit
+ }
+
+ include site_shorewall::tor
+}
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 6651df86..3f3f1d0c 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -10,7 +10,7 @@ class site_webapp::hidden_service {
 include apache::module::expires
 include apache::module::removeip
- include tor::daemon
+ include site_tor
 
 tor::daemon::hidden_service { 'webapp':
 ports => [ '80 127.0.0.1:80'],
 single_hop => $hidden_service['single_hop']
-- 
cgit v1.2.3
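Review bot: `member($openvpn_ports, '80')` tests for the string '80', so if the openvpn `ports` values in hiera are integers the guard never matches and `tor::daemon::directory { $::hostname: port => 80 }` is declared on an exit node that also runs openvpn on port 80; as far as I know stdlib's member() does no type coercion, so either normalize the list before the check or document the expected element type next to `$openvpn_ports = $openvpn['ports']`. The new class also lacks the header comment its sibling init.pp received in this commit; suggest `# tor relay/exit configuration for nodes running the leap 'tor' service; the generic daemon install lives in site_tor` above `class site_tor::relay {`. Both points concern code the commit moves rather than writes, but relay.pp is now the place they belong.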