From 54fcafe131c411a49e4277cd0d14c6ea20044203 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 20 May 2014 23:20:58 +0300 Subject: Initial commit for obfsproxy server feature in platform --- provider_base/services/obfsproxy.json | 10 +++ puppet/manifests/site.pp | 5 ++ puppet/modules/obfsproxy/files/obfsproxy_daemon | 99 ++++++++++++++++++++++ puppet/modules/obfsproxy/manifests/init.pp | 64 ++++++++++++++ puppet/modules/obfsproxy/templates/etc_conf.erb | 11 +++ .../site_apt/manifests/preferences/obfsproxy.pp | 9 ++ puppet/modules/site_obfsproxy/README | 0 puppet/modules/site_obfsproxy/manifests/init.pp | 28 ++++++ 8 files changed, 226 insertions(+) create mode 100644 provider_base/services/obfsproxy.json create mode 100755 puppet/modules/obfsproxy/files/obfsproxy_daemon create mode 100644 puppet/modules/obfsproxy/manifests/init.pp create mode 100644 puppet/modules/obfsproxy/templates/etc_conf.erb create mode 100644 puppet/modules/site_apt/manifests/preferences/obfsproxy.pp create mode 100644 puppet/modules/site_obfsproxy/README create mode 100644 puppet/modules/site_obfsproxy/manifests/init.pp diff --git a/provider_base/services/obfsproxy.json b/provider_base/services/obfsproxy.json new file mode 100644 index 00000000..954ae868 --- /dev/null +++ b/provider_base/services/obfsproxy.json @@ -0,0 +1,10 @@ +{ + "obfsproxy": { + "scramblesuit": { + "password": "= base32_secret :scramblesuit_password", + //"port" : "= rand(11..5555)" + "port" : "= obfs_port :scramblesuit_port, 18000..32000" + }, + "gateway_address": "= nodes[:services => 'openvpn'].field('openvpn.gateway_address')[0]" + } +} diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 9afa5dfd..8e00fbbd 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -10,6 +10,7 @@ notice("Services for ${fqdn}: ${services_str}") if member($services, 'openvpn') { include site_openvpn + include site_obfsproxy } if member($services, 'couchdb') { 
@@ -42,4 +43,8 @@ if member($services, 'static') { include site_static } +if $services =~ /\bobfsproxy\b/ { + include site_obfsproxy +} + include site_config::packages::uninstall diff --git a/puppet/modules/obfsproxy/files/obfsproxy_daemon b/puppet/modules/obfsproxy/files/obfsproxy_daemon new file mode 100755 index 00000000..f5914980 --- /dev/null +++ b/puppet/modules/obfsproxy/files/obfsproxy_daemon 
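Review bot: The new guard `if $services =~ /\bobfsproxy\b/ {` tests the service list with a regex while every neighbouring branch in this file uses `member($services, ...)`; as far as I can tell the match on an array goes through its string form, and it would also fire for any future service whose name contains the word. `if member($services, 'obfsproxy') {` keeps the check exact and consistent with the earlier hunk in this commit, which already includes site_obfsproxy for openvpn nodes. Including the class twice on a node that carries both services is harmless with `include`, but a one-line comment on the openvpn branch saying that obfsproxy is deployed alongside openvpn would help the next reader.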
@@ -0,0 +1,99 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: obfsproxy daemon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: obfsproxy daemon +# Description: obfsproxy daemon +### END INIT INFO + +. /lib/lsb/init-functions + +DAEMON=/usr/bin/obfsproxy +NAME=obfsproxy +DESC="obfsproxy daemon" +USER=obfsproxy +PIDFILE=/var/run/obfsproxy.pid +CONF=/etc/obfsproxy.conf + +# If the daemon is not there, then exit. +test -x $DAEMON || exit 0 + +if [ -f $CONF ] ; then + . $CONF +else + echo "Obfsproxy configuration file is missing, aborting..." + exit +fi + +DAEMONARGS=" --log-min-severity=$LOG $TRANSPORT $PARAM \ + --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" + +start_obfsproxy() { + start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ + -b -c $USER --startas $DAEMON --$DAEMONARGS +} + +stop_obfsproxy() { + start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE +} + +status_obfsproxy() { + status_of_proc -p $PIDFILE $DAEMON $NAME && status="0" || status="$?" +} + +case $1 in + start) + if [ -e $PIDFILE ]; then + status_obfsproxy + if [ $status = "0" ]; then + exit + fi + fi + log_begin_msg "Starting $DESC" + start_obfsproxy + log_end_msg $? + ;; + stop) + if [ -e $PIDFILE ]; then + status_obfsproxy + if [ $status = "0" ]; then + log_begin_msg "Stopping $DESC" + stop_obfsproxy + rm -f $PIDFILE + log_end_msg $? + fi + else + log_daemon_msg "$NAME is not running" + log_end_msg $? + fi + ;; + restart) + $0 stop && sleep 2 && $0 start + ;; + status) +# if [ -e $PIDFILE ]; then +# #status_of_proc -p $PIDFILE $DAEMON "$NAME " && exit 0 || exit $? 
+# status_obfsproxy +# else +# log_daemon_msg "$NAME is not running" +# log_end_msg 0 +# fi + status_obfsproxy + ;; + reload) + if [ -e $PIDFILE ]; then + start-stop-daemon --stop --signal USR1 --quiet --pidfile $PIDFILE --name $NAME + log_success_msg "$DESC reloaded successfully" + else + log_failure_msg "$PIDFILE does not exists" + fi + ;; + *) + echo "Usage: $0 {start|stop|restart|reload|status}" + exit 2 + ;; +esac diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp new file mode 100644 index 00000000..4deebb62 --- /dev/null +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -0,0 +1,64 @@ +class obfsproxy ( + $transport, + $port, + $param, + $dest_ip, + $dest_port +){ + + user { obfsproxy: + ensure => present, + system => true, + gid => obfsproxy, + } + + group { obfsproxy: + ensure => present, + system => true, + } + +# file { '/etc/default/obfsproxy': +# path => '/etc/default/obfsproxy', +# owner => 'root', +# group => 'root', +# mode => '0750', +# content => template('obfsproxy/etc_default_conf.erb'), +# } + + file { '/etc/init.d/obfsproxy': + path => '/etc/init.d/obfsproxy', + ensure => present, + source => 'puppet:///modules/obfsproxy/obfsproxy_daemon', + owner => 'root', + group => 'root', + mode => '0755', + require => File['/etc/obfsproxy.conf'], + subscribe => File['/etc/obfsproxy.conf'], + #content => template('obfsproxy/etc_init_d.erb'), + } + + file { '/etc/obfsproxy.conf': + path => '/etc/obfsproxy.conf', + ensure => present, + owner => 'root', + group => 'root', + mode => '0750', + content => template('obfsproxy/etc_conf.erb'), + } + + package { "obfsproxy": + ensure => present, + } + + service { "obfsproxy": + ensure => running, + status => '/usr/sbin/service obfsproxy status + | grep "is running"', + require => [ + Package["obfsproxy"], + File["/etc/init.d/obfsproxy"] ] + } + + +} + 
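Review bot: The scramblesuit secret ends up in the daemon's argument vector: `$PARAM` expands to `--password=...` inside `DAEMONARGS`, so every local user can read it from `ps` or `/proc/*/cmdline` for as long as the process runs. If the obfsproxy build in use can take the secret from a file rather than an option that is the better path; otherwise the exposure deserves a comment next to `DAEMONARGS`, so nobody later loosens the config permissions believing the secret lives only there. The values are read with `. $CONF` and expanded unquoted, which means the script trusts the config file as shell code, so a comment at the `. $CONF` line stating that the file must stay root-owned and non-writable by the service account records the assumption. Finally `--startas $DAEMON --$DAEMONARGS` relies on the leading space in `DAEMONARGS` to turn `--$DAEMONARGS` into the `--` separator after word-splitting; `--startas $DAEMON -- $DAEMONARGS` says the same thing without the trick.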
diff --git a/puppet/modules/obfsproxy/templates/etc_conf.erb b/puppet/modules/obfsproxy/templates/etc_conf.erb
new file mode 100644
index 00000000..3313b326
--- /dev/null
+++ b/puppet/modules/obfsproxy/templates/etc_conf.erb
@@ -0,0 +1,11 @@
+TRANSPORT=<%= @transport %>
+PORT=<%= @port %>
+DEST_IP=<%= @dest_ip %>
+DEST_PORT=<%= @dest_port %>
+<% if @transport == "scramblesuit" %>
+PARAM=--password=<%= @param %>
+<% else %>
+PARAM=<%= @param %>
+<% end %>
+LOG=info
+
diff --git a/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp b/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp
new file mode 100644
index 00000000..081086e5
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp
@@ -0,0 +1,9 @@
+class site_apt::preferences::obfsproxy {
+
+ apt::preferences_snippet { 'obfsproxy':
+ package => 'obfsproxy',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999;
+ }
+
+}
diff --git a/puppet/modules/site_obfsproxy/README b/puppet/modules/site_obfsproxy/README
new file mode 100644
index 00000000..e69de29b
diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp
new file mode 100644
index 00000000..23a8dd30
--- /dev/null
+++ b/puppet/modules/site_obfsproxy/manifests/init.pp
@@ -0,0 +1,28 @@
+class site_obfsproxy {
+ tag 'leap_service'
+ Class['site_config::default'] -> Class['site_obfsproxy']
+
+ $transport = 'scramblesuit'
+
+ $obfsproxy = hiera('obfsproxy')
+ $scramblesuit = $obfsproxy['scramblesuit']
+ $scram_pass = $scramblesuit['password']
+ $scram_port = $scramblesuit['port']
+ $dest_ip = $obfsproxy['gateway_address']
+ $dest_port = '443'
+
+ include site_apt::preferences::twisted
+ include site_apt::preferences::obfsproxy
+
+ class { 'obfsproxy':
+ transport => $transport,
+ port => $scram_port,
+ param => $scram_pass,
+ dest_ip => $dest_ip,
+ dest_port => $dest_port,
+ }
+
+}
+
+
+
-- cgit v1.2.3
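Review bot: `PARAM=--password=<%= @param %>` and the other assignments in this template write their values unquoted into a file that the init script sources as shell, so any value containing whitespace or shell metacharacters is either split or executed when `. $CONF` runs. Quoting each value, `PARAM="--password=<%= @param %>"` and likewise for `TRANSPORT`, `PORT`, `DEST_IP` and `DEST_PORT`, keeps the file a plain list of assignments regardless of what hiera supplies. The base32 secret generated today happens to be safe, but the template should not depend on that property of one particular generator.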
From 156c2e1194c65d2f7813b946ac8baa90ffdf1f39 Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 21 May 2014 20:42:46 +0300 Subject: Make shorewall accept incoming traffic for obfsproxy server --- puppet/modules/site_obfsproxy/manifests/init.pp | 2 ++ .../modules/site_shorewall/manifests/obfsproxy.pp | 24 ++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 puppet/modules/site_shorewall/manifests/obfsproxy.pp diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index 23a8dd30..276b30db 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp @@ -22,6 +22,8 @@ class site_obfsproxy { dest_port => $dest_port, } + include site_shorewall::obfsproxy + } diff --git a/puppet/modules/site_shorewall/manifests/obfsproxy.pp b/puppet/modules/site_shorewall/manifests/obfsproxy.pp new file mode 100644 index 00000000..68fb9b9f --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/obfsproxy.pp @@ -0,0 +1,24 @@ +class site_shorewall::obfsproxy { + + include site_shorewall::defaults + + $obfsproxy = hiera('obfsproxy') + $scramblesuit = $obfsproxy['scramblesuit'] + $scram_port = $scramblesuit['port'] + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_obfsproxy': + content => "PARAM - - tcp $scram_port ", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + shorewall::rule { + 'net2fw-obfs': + source => 'net', + destination => '$FW', + action => 'leap_obfsproxy(ACCEPT)', + order => 200; + } + +} -- cgit v1.2.3 From 94e0791cff9a3ce47e66c56a921e41b83b52b3d9 Mon Sep 17 00:00:00 2001 
From: irregulator Date: Wed, 21 May 2014 21:52:14 +0300 Subject: Add data directory to save scramblesuit's state. Also clean up a little the obfsproxy puppet class, create appropriate directories, restrict permissions. --- puppet/modules/obfsproxy/files/obfsproxy_daemon | 7 +++--- puppet/modules/obfsproxy/manifests/init.pp | 30 ++++++++++++++++--------- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/puppet/modules/obfsproxy/files/obfsproxy_daemon b/puppet/modules/obfsproxy/files/obfsproxy_daemon index f5914980..4c9bcedc 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_daemon +++ b/puppet/modules/obfsproxy/files/obfsproxy_daemon @@ -16,8 +16,9 @@ DAEMON=/usr/bin/obfsproxy NAME=obfsproxy DESC="obfsproxy daemon" USER=obfsproxy +DATDIR=/etc/obfsproxy PIDFILE=/var/run/obfsproxy.pid -CONF=/etc/obfsproxy.conf +CONF=$DATDIR/obfsproxy.conf # If the daemon is not there, then exit. test -x $DAEMON || exit 0 @@ -29,8 +30,8 @@ else exit fi -DAEMONARGS=" --log-min-severity=$LOG $TRANSPORT $PARAM \ - --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" +DAEMONARGS=" --log-min-severity=$LOG --data-dir=$DATDIR $TRANSPORT \ + $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" start_obfsproxy() { start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 4deebb62..c15a0dc8 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -6,13 +6,16 @@ class obfsproxy ( $dest_port ){ - user { obfsproxy: + $user = 'obfsproxy' + $conf = '/etc/obfsproxy/obfsproxy.conf' + + user { $user: ensure => present, system => true, - gid => obfsproxy, + gid => $user, } - group { obfsproxy: + group { $user: ensure => present, system => true, } 
@@ -31,19 +34,26 @@ class obfsproxy ( source => 'puppet:///modules/obfsproxy/obfsproxy_daemon', owner => 'root', group => 'root', - mode => '0755', - require => File['/etc/obfsproxy.conf'], - subscribe => File['/etc/obfsproxy.conf'], - #content => template('obfsproxy/etc_init_d.erb'), + mode => '0750', + require => File[$conf], + subscribe => File[$conf], } - file { '/etc/obfsproxy.conf': - path => '/etc/obfsproxy.conf', + file { $conf : + path => $conf, ensure => present, owner => 'root', group => 'root', - mode => '0750', + mode => '0600', content => template('obfsproxy/etc_conf.erb'), + require => File['/etc/obfsproxy'], + } + + file { '/etc/obfsproxy': + ensure => directory, + owner => $user, + group => $user, + mode => '0700', } package { "obfsproxy": -- cgit v1.2.3 From cfcc589c6465dab8a4d3923d6c81623ecfbeb8c1 Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 22 May 2014 03:57:28 +0300 Subject: Reflect change in leap_cli, use rand_range macro --- provider_base/services/obfsproxy.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/provider_base/services/obfsproxy.json b/provider_base/services/obfsproxy.json index 954ae868..792a4183 100644 --- a/provider_base/services/obfsproxy.json +++ b/provider_base/services/obfsproxy.json @@ -2,8 +2,7 @@ "obfsproxy": { "scramblesuit": { "password": "= base32_secret :scramblesuit_password", - //"port" : "= rand(11..5555)" - "port" : "= obfs_port :scramblesuit_port, 18000..32000" + "port" : "= rand_range :scramblesuit_port, 18000..32000" }, "gateway_address": "= nodes[:services => 'openvpn'].field('openvpn.gateway_address')[0]" } -- cgit v1.2.3 From 7c9dd9ee9653c854badaf4f1d21d7dd833e3e620 Mon Sep 17 00:00:00 2001 
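Review bot: The new `/etc/obfsproxy` directory is owned by the service account (`owner => $user`, `mode => '0700'`) and holds `obfsproxy.conf`, which the init script sources as shell with `. $CONF` while running as root; a directory owner can rename or replace entries in it regardless of the file's own root:root 0600, so a compromise of the unprivileged daemon turns into root at the next `service obfsproxy restart` (the `DATDIR`/`CONF` change in this commit's obfsproxy_daemon hunk is what ties the two together). Keep the directory that contains the sourced config root-owned and give the daemon a separate writable state directory for `--data-dir`, for example a root-owned `/etc/obfsproxy` for the config and a service-owned directory under `/var/lib` (path to be chosen, and mirrored in the init script's `DATDIR`) for scramblesuit state. The config resource's `require => File['/etc/obfsproxy']` can stay exactly as written; only the directory's ownership and the data-dir location change.
```puppet
  # Root-owned: the init script sources obfsproxy.conf as root, so the
  # service account must not be able to replace anything in here.
  file { '/etc/obfsproxy':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # Writable state directory for --data-dir (example path; keep it out of /etc
  # and keep the init script's DATDIR in sync with it).
  file { '/var/lib/obfsproxy':
    ensure => directory,
    owner  => $user,
    group  => $user,
    mode   => '0700',
  }
  # … unchanged: package and service resources …
```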
From: irregulator Date: Thu, 22 May 2014 20:44:51 +0300 Subject: Move obfsproxy_daemon to obfsproxy_init --- puppet/modules/obfsproxy/files/obfsproxy_daemon | 100 ------------------------ puppet/modules/obfsproxy/files/obfsproxy_init | 100 ++++++++++++++++++++++++ puppet/modules/obfsproxy/manifests/init.pp | 2 +- 3 files changed, 101 insertions(+), 101 deletions(-) delete mode 100755 puppet/modules/obfsproxy/files/obfsproxy_daemon create mode 100755 puppet/modules/obfsproxy/files/obfsproxy_init diff --git a/puppet/modules/obfsproxy/files/obfsproxy_daemon b/puppet/modules/obfsproxy/files/obfsproxy_daemon deleted file mode 100755 index 4c9bcedc..00000000 --- a/puppet/modules/obfsproxy/files/obfsproxy_daemon +++ /dev/null 
@@ -1,100 +0,0 @@ -#!/bin/sh - -### BEGIN INIT INFO -# Provides: obfsproxy daemon -# Required-Start: $remote_fs $syslog -# Required-Stop: $remote_fs $syslog -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: obfsproxy daemon -# Description: obfsproxy daemon -### END INIT INFO - -. /lib/lsb/init-functions - -DAEMON=/usr/bin/obfsproxy -NAME=obfsproxy -DESC="obfsproxy daemon" -USER=obfsproxy -DATDIR=/etc/obfsproxy -PIDFILE=/var/run/obfsproxy.pid -CONF=$DATDIR/obfsproxy.conf - -# If the daemon is not there, then exit. -test -x $DAEMON || exit 0 - -if [ -f $CONF ] ; then - . $CONF -else - echo "Obfsproxy configuration file is missing, aborting..." - exit -fi - -DAEMONARGS=" --log-min-severity=$LOG --data-dir=$DATDIR $TRANSPORT \ - $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" - -start_obfsproxy() { - start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ - -b -c $USER --startas $DAEMON --$DAEMONARGS -} - -stop_obfsproxy() { - start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE -} - -status_obfsproxy() { - status_of_proc -p $PIDFILE $DAEMON $NAME && status="0" || status="$?" -} - -case $1 in - start) - if [ -e $PIDFILE ]; then - status_obfsproxy - if [ $status = "0" ]; then - exit - fi - fi - log_begin_msg "Starting $DESC" - start_obfsproxy - log_end_msg $? - ;; - stop) - if [ -e $PIDFILE ]; then - status_obfsproxy - if [ $status = "0" ]; then - log_begin_msg "Stopping $DESC" - stop_obfsproxy - rm -f $PIDFILE - log_end_msg $? - fi - else - log_daemon_msg "$NAME is not running" - log_end_msg $? - fi - ;; - restart) - $0 stop && sleep 2 && $0 start - ;; - status) -# if [ -e $PIDFILE ]; then -# #status_of_proc -p $PIDFILE $DAEMON "$NAME " && exit 0 || exit $? 
-# status_obfsproxy -# else -# log_daemon_msg "$NAME is not running" -# log_end_msg 0 -# fi - status_obfsproxy - ;; - reload) - if [ -e $PIDFILE ]; then - start-stop-daemon --stop --signal USR1 --quiet --pidfile $PIDFILE --name $NAME - log_success_msg "$DESC reloaded successfully" - else - log_failure_msg "$PIDFILE does not exists" - fi - ;; - *) - echo "Usage: $0 {start|stop|restart|reload|status}" - exit 2 - ;; -esac diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init new file mode 100755 index 00000000..4c9bcedc --- /dev/null +++ b/puppet/modules/obfsproxy/files/obfsproxy_init 
@@ -0,0 +1,100 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: obfsproxy daemon +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: obfsproxy daemon +# Description: obfsproxy daemon +### END INIT INFO + +. /lib/lsb/init-functions + +DAEMON=/usr/bin/obfsproxy +NAME=obfsproxy +DESC="obfsproxy daemon" +USER=obfsproxy +DATDIR=/etc/obfsproxy +PIDFILE=/var/run/obfsproxy.pid +CONF=$DATDIR/obfsproxy.conf + +# If the daemon is not there, then exit. +test -x $DAEMON || exit 0 + +if [ -f $CONF ] ; then + . $CONF +else + echo "Obfsproxy configuration file is missing, aborting..." + exit +fi + +DAEMONARGS=" --log-min-severity=$LOG --data-dir=$DATDIR $TRANSPORT \ + $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" + +start_obfsproxy() { + start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ + -b -c $USER --startas $DAEMON --$DAEMONARGS +} + +stop_obfsproxy() { + start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE +} + +status_obfsproxy() { + status_of_proc -p $PIDFILE $DAEMON $NAME && status="0" || status="$?" +} + +case $1 in + start) + if [ -e $PIDFILE ]; then + status_obfsproxy + if [ $status = "0" ]; then + exit + fi + fi + log_begin_msg "Starting $DESC" + start_obfsproxy + log_end_msg $? + ;; + stop) + if [ -e $PIDFILE ]; then + status_obfsproxy + if [ $status = "0" ]; then + log_begin_msg "Stopping $DESC" + stop_obfsproxy + rm -f $PIDFILE + log_end_msg $? + fi + else + log_daemon_msg "$NAME is not running" + log_end_msg $? + fi + ;; + restart) + $0 stop && sleep 2 && $0 start + ;; + status) +# if [ -e $PIDFILE ]; then +# #status_of_proc -p $PIDFILE $DAEMON "$NAME " && exit 0 || exit $? 
+# status_obfsproxy +# else +# log_daemon_msg "$NAME is not running" +# log_end_msg 0 +# fi + status_obfsproxy + ;; + reload) + if [ -e $PIDFILE ]; then + start-stop-daemon --stop --signal USR1 --quiet --pidfile $PIDFILE --name $NAME + log_success_msg "$DESC reloaded successfully" + else + log_failure_msg "$PIDFILE does not exists" + fi + ;; + *) + echo "Usage: $0 {start|stop|restart|reload|status}" + exit 2 + ;; +esac diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index c15a0dc8..e62bfcd8 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -31,7 +31,7 @@ class obfsproxy ( file { '/etc/init.d/obfsproxy': path => '/etc/init.d/obfsproxy', ensure => present, - source => 'puppet:///modules/obfsproxy/obfsproxy_daemon', + source => 'puppet:///modules/obfsproxy/obfsproxy_init', owner => 'root', group => 'root', mode => '0750', -- cgit v1.2.3 From f8694b037dfd22382dc2abd8afefd947d3531974 Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 22 May 2014 20:46:06 +0300 Subject: Change exit status code if config file is missing --- puppet/modules/obfsproxy/files/obfsproxy_init | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 4c9bcedc..2496bba7 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -27,7 +27,7 @@ if [ -f $CONF ] ; then . $CONF else echo "Obfsproxy configuration file is missing, aborting..." - exit + exit 2 fi DAEMONARGS=" --log-min-severity=$LOG --data-dir=$DATDIR $TRANSPORT \ -- cgit v1.2.3 From f4b56483c6e80774f746cd1fbf7d92573dd0f51d Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 22 May 2014 20:47:23 +0300 Subject: Remove commented lines from init script status section --- puppet/modules/obfsproxy/files/obfsproxy_init | 7 ------- 1 file changed, 7 deletions(-) 
diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 2496bba7..5223ec9d 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -76,13 +76,6 @@ case $1 in $0 stop && sleep 2 && $0 start ;; status) -# if [ -e $PIDFILE ]; then -# #status_of_proc -p $PIDFILE $DAEMON "$NAME " && exit 0 || exit $? -# status_obfsproxy -# else -# log_daemon_msg "$NAME is not running" -# log_end_msg 0 -# fi status_obfsproxy ;; reload) -- cgit v1.2.3 From ae75dccbb6a65ee22b6185dcd8c0fedd14e35d0f Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 22 May 2014 20:49:12 +0300 Subject: Remove commented lines from obfsproxy puppet module class --- puppet/modules/obfsproxy/manifests/init.pp | 8 -------- 1 file changed, 8 deletions(-) diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index e62bfcd8..d0212c64 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -20,14 +20,6 @@ class obfsproxy ( system => true, } -# file { '/etc/default/obfsproxy': -# path => '/etc/default/obfsproxy', -# owner => 'root', -# group => 'root', -# mode => '0750', -# content => template('obfsproxy/etc_default_conf.erb'), -# } - file { '/etc/init.d/obfsproxy': path => '/etc/init.d/obfsproxy', ensure => present, -- cgit v1.2.3 From 1a0161da0ff420d26732b492898ebf0074b2292c Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 22 May 2014 20:52:44 +0300 Subject: Line up equal signs, change double to single quotes --- puppet/modules/obfsproxy/manifests/init.pp | 8 ++++---- puppet/modules/site_obfsproxy/manifests/init.pp | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index d0212c64..456fe1a7 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp 
+++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -48,17 +48,17 @@ class obfsproxy ( mode => '0700', } - package { "obfsproxy": + package { 'obfsproxy': ensure => present, } - service { "obfsproxy": + service { 'obfsproxy': ensure => running, status => '/usr/sbin/service obfsproxy status | grep "is running"', require => [ - Package["obfsproxy"], - File["/etc/init.d/obfsproxy"] ] + Package['obfsproxy'], + File['/etc/init.d/obfsproxy'] ] } diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index 276b30db..6509fec8 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp @@ -4,12 +4,12 @@ class site_obfsproxy { $transport = 'scramblesuit' - $obfsproxy = hiera('obfsproxy') + $obfsproxy = hiera('obfsproxy') $scramblesuit = $obfsproxy['scramblesuit'] - $scram_pass = $scramblesuit['password'] - $scram_port = $scramblesuit['port'] - $dest_ip = $obfsproxy['gateway_address'] - $dest_port = '443' + $scram_pass = $scramblesuit['password'] + $scram_port = $scramblesuit['port'] + $dest_ip = $obfsproxy['gateway_address'] + $dest_port = '443' include site_apt::preferences::twisted include site_apt::preferences::obfsproxy -- cgit v1.2.3 From 2f318f0be937f0bace467640f4011ba422a736b7 Mon Sep 17 00:00:00 2001 From: irregulator Date: Thu, 22 May 2014 14:34:55 +0300 Subject: Pick gateway address either from self or another openvpn node --- provider_base/services/obfsproxy.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/provider_base/services/obfsproxy.json b/provider_base/services/obfsproxy.json index 792a4183..d6771148 100644 --- a/provider_base/services/obfsproxy.json +++ b/provider_base/services/obfsproxy.json 
@@ -4,6 +4,11 @@ "password": "= base32_secret :scramblesuit_password", "port" : "= rand_range :scramblesuit_port, 18000..32000" }, - "gateway_address": "= nodes[:services => 'openvpn'].field('openvpn.gateway_address')[0]" + "gateway_address": "= self['openvpn'] ? openvpn.gateway_address : nodes_like_me[:services => 'openvpn'].field('openvpn.gateway_address').shuffle.first" + // Later, if we add a SafeNil class that looks and acts like nil + // but will allow you to call methods on it (each returning another SafeNil) + // without throwing an exception, we could do: + // "gateway_address": "= self['openvpn'] ? openvpn.gateway_address : (nodes_like_me[:services => 'openvpn']['location.name' => location.name].field('openvpn.gateway_address').shuffle.first || nodes_like_me[:services => 'openvpn'].field('openvpn.gateway_address').shuffle.first)" + // Perhaps we should also create a macro. } } -- cgit v1.2.3 From 7a54923591125894440b9ff7020e4b413a1c6fb5 Mon Sep 17 00:00:00 2001 From: irregulator Date: Fri, 23 May 2014 17:28:32 +0300 Subject: Address logging for obfsproxy daemon Create obfsproxy directory in /var/log, specify log file when obfsproxy is spawned by init script, create a logrotate configuration for obfsproxy's logs. --- puppet/modules/obfsproxy/files/obfsproxy_init | 5 +++-- puppet/modules/obfsproxy/files/obfsproxy_logrotate | 14 ++++++++++++++ puppet/modules/obfsproxy/manifests/init.pp | 16 ++++++++++++++++ 3 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 puppet/modules/obfsproxy/files/obfsproxy_logrotate diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 5223ec9d..7a7e7609 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init 
@@ -19,6 +19,7 @@ USER=obfsproxy DATDIR=/etc/obfsproxy PIDFILE=/var/run/obfsproxy.pid CONF=$DATDIR/obfsproxy.conf +LOGFILE=/var/log/obfsproxy/log # If the daemon is not there, then exit. test -x $DAEMON || exit 0 @@ -30,8 +31,8 @@ else exit 2 fi -DAEMONARGS=" --log-min-severity=$LOG --data-dir=$DATDIR $TRANSPORT \ - $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" +DAEMONARGS=" --log-min-severity=$LOG --log-file=$LOGFILE --data-dir=$DATDIR \ + $TRANSPORT $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" start_obfsproxy() { start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ diff --git a/puppet/modules/obfsproxy/files/obfsproxy_logrotate b/puppet/modules/obfsproxy/files/obfsproxy_logrotate new file mode 100644 index 00000000..623bbab1 --- /dev/null +++ b/puppet/modules/obfsproxy/files/obfsproxy_logrotate @@ -0,0 +1,14 @@ +/var/log/obfsproxy/log { + weekly + missingok + rotate 10 + compress + delaycompress + notifempty + create 600 obfsproxy obfsproxy + postrotate + if [ -f /var/run/obfsproxy.pid ]; then + /etc/init.d/obfsproxy restart > /dev/null + fi + endscript +} diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 456fe1a7..9ba2d0fd 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -48,6 +48,22 @@ class obfsproxy ( mode => '0700', } + file { '/var/log/obfsproxy': + ensure => directory, + owner => $user, + group => $user, + mode => '0750', + } + + file { '/etc/logrotate.d/obfsproxy': + ensure => present, + source => 'puppet:///modules/obfsproxy/obfsproxy_logrotate', + owner => 'root', + group => 'root', + mode => '0644', + require => File['/var/log/obfsproxy'], + } + package { 'obfsproxy': ensure => present, } -- cgit v1.2.3 From fedbb6dccf7bd78b0b2a507a817dacaef0b67ac3 Mon Sep 17 00:00:00 2001 
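Review bot: `postrotate` runs `/etc/init.d/obfsproxy restart`, which in the init script is a stop, a two-second sleep and a start, so every rotation drops all connected scramblesuit clients. Unless the daemon reopens its log file on a signal, replacing the `postrotate` block with `copytruncate` keeps the process and its sessions running; the script's `reload` action sends USR1, but nothing in this series shows that obfsproxy reopens its log on it, so that should be confirmed before relying on it. The rotation also runs the init script as root, which is one more reason to keep the config it sources out of reach of the service account.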
From: irregulator Date: Fri, 23 May 2014 17:45:13 +0300 Subject: Be able to specify log_level parameter for obfsproxy log_level sets minimum logging severity of obfsproxy daemon, can be error, warning, info, debug. Defaults to info. --- puppet/modules/obfsproxy/manifests/init.pp | 3 ++- puppet/modules/obfsproxy/templates/etc_conf.erb | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 9ba2d0fd..1ee44d6f 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -3,7 +3,8 @@ class obfsproxy ( $port, $param, $dest_ip, - $dest_port + $dest_port, + $log_level = 'info' ){ $user = 'obfsproxy' diff --git a/puppet/modules/obfsproxy/templates/etc_conf.erb b/puppet/modules/obfsproxy/templates/etc_conf.erb index 3313b326..d9938e1a 100644 --- a/puppet/modules/obfsproxy/templates/etc_conf.erb +++ b/puppet/modules/obfsproxy/templates/etc_conf.erb @@ -7,5 +7,5 @@ PARAM=--password=<%= @param %> <% else %> PARAM=<%= @param %> <% end %> -LOG=info +LOG=<%= @log_level %> -- cgit v1.2.3 From 49c4235477ab11118f8fc92a6f554b36121b36b2 Mon Sep 17 00:00:00 2001 From: irregulator Date: Sat, 24 May 2014 16:39:29 +0300 Subject: Change logrotate's frequency and number of log files to keep --- puppet/modules/obfsproxy/files/obfsproxy_logrotate | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/puppet/modules/obfsproxy/files/obfsproxy_logrotate b/puppet/modules/obfsproxy/files/obfsproxy_logrotate index 623bbab1..e776fcd3 100644 --- a/puppet/modules/obfsproxy/files/obfsproxy_logrotate +++ b/puppet/modules/obfsproxy/files/obfsproxy_logrotate @@ -1,7 +1,7 @@ /var/log/obfsproxy/log { - weekly + daily missingok - rotate 10 + rotate 3 compress delaycompress notifempty -- cgit v1.2.3 From 4ad025d9d7b0c1999bf34e0acd3ca12c88358d05 Mon Sep 17 00:00:00 2001 
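Review bot: `$log_level = 'info'` is accepted without validation, and the value is written unquoted into the sourced config (`LOG=<%= @log_level %>` in the template hunk of this commit) and from there onto the daemon command line as `--log-min-severity=$LOG`. The commit message fixes the allowed set, so check it at the top of the class, `validate_re($log_level, '^(error|warning|info|debug)$')` (stdlib is already in use, see `member()` in site.pp), so that a typo fails at catalog compile time instead of producing a daemon that refuses to start. The template hunk on this line has the same exposure and needs no further change once the class validates.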
From: irregulator Date: Sat, 24 May 2014 17:41:46 +0300 Subject: Simplify init script, let puppet service resource use init status --- puppet/modules/obfsproxy/files/obfsproxy_init | 9 ++++----- puppet/modules/obfsproxy/manifests/init.pp | 2 -- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 7a7e7609..b1297738 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -44,14 +44,14 @@ stop_obfsproxy() { } status_obfsproxy() { - status_of_proc -p $PIDFILE $DAEMON $NAME && status="0" || status="$?" + status_of_proc -p $PIDFILE $DAEMON $NAME } case $1 in start) if [ -e $PIDFILE ]; then status_obfsproxy - if [ $status = "0" ]; then + if [ $? = "0" ]; then exit fi fi @@ -62,15 +62,14 @@ case $1 in stop) if [ -e $PIDFILE ]; then status_obfsproxy - if [ $status = "0" ]; then + if [ $? = "0" ]; then log_begin_msg "Stopping $DESC" stop_obfsproxy rm -f $PIDFILE log_end_msg $? fi else - log_daemon_msg "$NAME is not running" - log_end_msg $? + status_obfsproxy fi ;; restart) diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 1ee44d6f..b45a60a1 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -71,8 +71,6 @@ class obfsproxy ( service { 'obfsproxy': ensure => running, - status => '/usr/sbin/service obfsproxy status - | grep "is running"', require => [ Package['obfsproxy'], File['/etc/init.d/obfsproxy'] ] -- cgit v1.2.3 From 58347eddee416410e3ad3c8c4edc2b0e40a3d26c Mon Sep 17 00:00:00 2001 From: irregulator Date: Sat, 24 May 2014 18:08:31 +0300 Subject: Subscribe obfsproxy service resource to conf file --- puppet/modules/obfsproxy/manifests/init.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index b45a60a1..4a0221af 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -39,7 +39,6 @@ class obfsproxy ( group => 'root', mode => '0600', content => template('obfsproxy/etc_conf.erb'), - require => File['/etc/obfsproxy'], } file { '/etc/obfsproxy': @@ -70,8 +69,9 @@ class obfsproxy ( } service { 'obfsproxy': - ensure => running, - require => [ + ensure => running, + subscribe => File[$conf], + require => [ Package['obfsproxy'], File['/etc/init.d/obfsproxy'] ] } -- cgit v1.2.3 From db9290a2b1b406e8231c0df569ae47c0a74ec12a Mon Sep 17 00:00:00 2001 From: irregulator Date: Sat, 24 May 2014 19:26:05 +0300 Subject: Move log files to var/log instead of var/log/obfsproxy --- puppet/modules/obfsproxy/files/obfsproxy_init | 2 +- puppet/modules/obfsproxy/files/obfsproxy_logrotate | 2 +- puppet/modules/obfsproxy/manifests/init.pp | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index b1297738..629fea9f 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -19,7 +19,7 @@ USER=obfsproxy DATDIR=/etc/obfsproxy PIDFILE=/var/run/obfsproxy.pid CONF=$DATDIR/obfsproxy.conf -LOGFILE=/var/log/obfsproxy/log +LOGFILE=/var/log/obfsproxy.log # If the daemon is not there, then exit. test -x $DAEMON || exit 0 diff --git a/puppet/modules/obfsproxy/files/obfsproxy_logrotate b/puppet/modules/obfsproxy/files/obfsproxy_logrotate index e776fcd3..e5679d0c 100644 --- a/puppet/modules/obfsproxy/files/obfsproxy_logrotate +++ b/puppet/modules/obfsproxy/files/obfsproxy_logrotate @@ -1,4 +1,4 @@ -/var/log/obfsproxy/log { +/var/log/obfsproxy.log { daily missingok rotate 3 
diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 4a0221af..9750932f 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -48,11 +48,11 @@ class obfsproxy ( mode => '0700', } - file { '/var/log/obfsproxy': - ensure => directory, - owner => $user, - group => $user, - mode => '0750', + file { '/var/log/obfsproxy.log': + ensure => present, + owner => $user, + group => $user, + mode => '0640', } file { '/etc/logrotate.d/obfsproxy': @@ -61,7 +61,7 @@ class obfsproxy ( owner => 'root', group => 'root', mode => '0644', - require => File['/var/log/obfsproxy'], + require => File['/var/log/obfsproxy.log'], } package { 'obfsproxy': -- cgit v1.2.3 From 436d98b3781aa66c78b3ec77fa7d47652a92f590 Mon Sep 17 00:00:00 2001 From: irregulator Date: Sat, 24 May 2014 19:33:08 +0300 Subject: Remove initscript subscription to conf file --- puppet/modules/obfsproxy/manifests/init.pp | 1 - 1 file changed, 1 deletion(-) diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 9750932f..ddb198bb 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -29,7 +29,6 @@ class obfsproxy ( group => 'root', mode => '0750', require => File[$conf], - subscribe => File[$conf], } file { $conf : -- cgit v1.2.3 From 86035bf6936812f5b01ac7d5e3b6d026124e156e Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 27 May 2014 20:20:51 +0300 Subject: Use the try method to pick vpn gateway address in obfsproxy.json --- provider_base/services/obfsproxy.json | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/provider_base/services/obfsproxy.json b/provider_base/services/obfsproxy.json index d6771148..b14a0db9 100644 --- a/provider_base/services/obfsproxy.json +++ b/provider_base/services/obfsproxy.json 
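Review bot: `/var/log/obfsproxy.log` is now managed with `mode => '0640'`, while the logrotate snippet (unchanged by this commit) recreates it with `create 600 obfsproxy obfsproxy`, so after every rotation the next Puppet run reports and reverts a mode change on the log. Pick one value and use it in both places, either `create 640 obfsproxy obfsproxy` in the logrotate file or `mode => '0600'` here. A short comment on the file resource noting that logrotate recreates this file would stop the two from drifting apart again.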
@@ -4,11 +4,6 @@ "password": "= base32_secret :scramblesuit_password", "port" : "= rand_range :scramblesuit_port, 18000..32000" }, - "gateway_address": "= self['openvpn'] ? openvpn.gateway_address : nodes_like_me[:services => 'openvpn'].field('openvpn.gateway_address').shuffle.first" - // Later, if we add a SafeNil class that looks and acts like nil - // but will allow you to call methods on it (each returning another SafeNil) - // without throwing an exception, we could do: - // "gateway_address": "= self['openvpn'] ? openvpn.gateway_address : (nodes_like_me[:services => 'openvpn']['location.name' => location.name].field('openvpn.gateway_address').shuffle.first || nodes_like_me[:services => 'openvpn'].field('openvpn.gateway_address').shuffle.first)" - // Perhaps we should also create a macro. + "gateway_address": "= try{openvpn.gateway_address} || try{nodes_like_me[:services => 'openvpn']['location.name' => location.name].field('openvpn.gateway_address').shuffle.first} || try{nodes_like_me[:services => 'openvpn'].field('openvpn.gateway_address').shuffle.first}" } } -- cgit v1.2.3 From 08f4c51cbbf9a4307375278ab42d31aa65d57645 Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 28 May 2014 15:25:21 +0300 Subject: Include obfsproxy descriptors in openvpn.json This is needed so as obfsproxy service is automatically deployed along with eip service. --- provider_base/services/openvpn.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 090afcd6..1ce397d0 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json 
@@ -26,5 +26,12 @@ "keepalive": "10 30", "tun-ipv6": true } + }, + "obfsproxy": { + "scramblesuit": { + "password": "= base32_secret :scramblesuit_password", + "port" : "= rand_range :scramblesuit_port, 18000..32000" + }, + "gateway_address": "= try{openvpn.gateway_address} || try{nodes_like_me[:services => 'openvpn']['location.name' => location.name].field('openvpn.gateway_address').shuffle.first} || try{nodes_like_me[:services => 'openvpn'].field('openvpn.gateway_address').shuffle.first}" } } -- cgit v1.2.3 From 791e22b136910ecfa204eb78be747baed2b02590 Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 28 May 2014 17:35:12 +0300 Subject: Make obfsproxy daemon bind to specific address rather than 0.0.0.0 If obfsproxy is spawned alongside eip service, make it listen to the gateway_adress IP. If obfsproxy is running standalone listen to ip_address. --- puppet/modules/obfsproxy/files/obfsproxy_init | 2 +- puppet/modules/obfsproxy/manifests/init.pp | 1 + puppet/modules/obfsproxy/templates/etc_conf.erb | 1 + puppet/modules/site_obfsproxy/manifests/init.pp | 19 ++++++++++++++----- 4 files changed, 17 insertions(+), 6 deletions(-) diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 629fea9f..69dbab41 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -32,7 +32,7 @@ else fi DAEMONARGS=" --log-min-severity=$LOG --log-file=$LOGFILE --data-dir=$DATDIR \ - $TRANSPORT $PARAM --dest=$DEST_IP:$DEST_PORT server 0.0.0.0:$PORT" + $TRANSPORT $PARAM --dest=$DEST_IP:$DEST_PORT server $BINDADDR:$PORT" start_obfsproxy() { start-stop-daemon --start --quiet --oknodo -m --pidfile $PIDFILE \ diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index ddb198bb..35d47d13 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp 
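Review bot: The added `obfsproxy` block copies the one in `provider_base/services/obfsproxy.json` verbatim, so the two definitions will drift; later commits in this series already update `gateway_address` in only one of the two files. If the provider_base layering allows it, keep the scramblesuit defaults in one place and let openvpn.json carry only the openvpn-specific override (`"gateway_address": "= openvpn.gateway_address"`); I cannot tell from the diff whether openvpn.json can reference the obfsproxy service definition. At minimum add `// keep in sync with services/obfsproxy.json` above the block so the duplication is recorded.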
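Review bot: The `$PARAM` that this `DAEMONARGS` line hands to the daemon is `--password=<secret>` for scramblesuit (per etc_conf.erb), so the scramblesuit password lands in the process argument list and is readable by every local user via `ps` or `/proc/<pid>/cmdline`, which defeats the 0600 root-only mode placed on the config file. If the packaged obfsproxy offers a password-file style option for scramblesuit, pass the path of a root-readable-only file instead of the literal; if not, record the exposure next to the line, `# NOTE: $PARAM puts the scramblesuit password on the command line (visible in ps)`. The switch to `$BINDADDR:$PORT` is good, but an empty `BINDADDR` in the sourced conf yields a `:$PORT` listener, so a guard such as `[ -n "$BINDADDR" ] || { log_failure_msg "BINDADDR is not set in $CONF"; exit 1; }` before this line would make that failure explicit. The variable setup and the start function of the init script lie outside the hunk.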
@@ -1,5 +1,6 @@ class obfsproxy ( $transport, + $bind_address, $port, $param, $dest_ip, diff --git a/puppet/modules/obfsproxy/templates/etc_conf.erb b/puppet/modules/obfsproxy/templates/etc_conf.erb index d9938e1a..10f6a7f7 100644 --- a/puppet/modules/obfsproxy/templates/etc_conf.erb +++ b/puppet/modules/obfsproxy/templates/etc_conf.erb @@ -8,4 +8,5 @@ PARAM=--password=<%= @param %> PARAM=<%= @param %> <% end %> LOG=<%= @log_level %> +BINDADDR=<%= @bind_address %> diff --git a/puppet/modules/site_obfsproxy/manifests/init.pp b/puppet/modules/site_obfsproxy/manifests/init.pp index 6509fec8..40b7fba8 100644 --- a/puppet/modules/site_obfsproxy/manifests/init.pp +++ b/puppet/modules/site_obfsproxy/manifests/init.pp @@ -11,15 +11,24 @@ class site_obfsproxy { $dest_ip = $obfsproxy['gateway_address'] $dest_port = '443' + if $::services =~ /\bopenvpn\b/ { + $openvpn = hiera('openvpn') + $bind_address = $openvpn['gateway_address'] + } + elsif $::services =~ /\bobfsproxy\b/ { + $bind_address = hiera('ip_address') + } + include site_apt::preferences::twisted include site_apt::preferences::obfsproxy class { 'obfsproxy': - transport => $transport, - port => $scram_port, - param => $scram_pass, - dest_ip => $dest_ip, - dest_port => $dest_port, + transport => $transport, + bind_address => $bind_address, + port => $scram_port, + param => $scram_pass, + dest_ip => $dest_ip, + dest_port => $dest_port, } include site_shorewall::obfsproxy -- cgit v1.2.3 From 02963cea38c916256a6c9c959c58ed5a222f1767 Mon Sep 17 00:00:00 2001 From: irregulator Date: Fri, 30 May 2014 04:04:24 +0300 Subject: Attach node's name to scramblesuit password and port secrets This makes every node with obfsproxy service have unique port and password for scramblesuit pluggable transport. --- provider_base/services/obfsproxy.json | 4 ++-- provider_base/services/openvpn.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
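Review bot: The `if`/`elsif` added in the site_obfsproxy hunk has no `else`, so on a node where `$::services` matches neither pattern `$bind_address` stays undefined, the template emits an empty `BINDADDR=` and the init script builds a `:$PORT` listener (bind-all or a startup error, depending on the obfsproxy build, which I cannot tell from the diff). Since `site.pp` only includes this class for openvpn or obfsproxy nodes this may never trigger today, but failing closed is cheap: `else { fail('site_obfsproxy: node has neither openvpn nor obfsproxy service, cannot choose bind address') }`. The `$::services =~ /\bopenvpn\b/` regex on what `site.pp` treats as an array with `member()` is also worth replacing by `member($::services, 'openvpn')` for consistency. `class site_obfsproxy` opens before the hunk and its closing brace is outside it.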
diff --git a/provider_base/services/obfsproxy.json b/provider_base/services/obfsproxy.json index b14a0db9..ab92c11f 100644 --- a/provider_base/services/obfsproxy.json +++ b/provider_base/services/obfsproxy.json @@ -1,8 +1,8 @@ { "obfsproxy": { "scramblesuit": { - "password": "= base32_secret :scramblesuit_password", - "port" : "= rand_range :scramblesuit_port, 18000..32000" + "password": "= base32_secret('scramblesuit_password_'+name)", + "port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)" }, "gateway_address": "= try{openvpn.gateway_address} || try{nodes_like_me[:services => 'openvpn']['location.name' => location.name].field('openvpn.gateway_address').shuffle.first} || try{nodes_like_me[:services => 'openvpn'].field('openvpn.gateway_address').shuffle.first}" } diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 1ce397d0..c62fa04b 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -29,8 +29,8 @@ }, "obfsproxy": { "scramblesuit": { - "password": "= base32_secret :scramblesuit_password", - "port" : "= rand_range :scramblesuit_port, 18000..32000" + "password": "= base32_secret('scramblesuit_password_'+name)", + "port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)" }, "gateway_address": "= try{openvpn.gateway_address} || try{nodes_like_me[:services => 'openvpn']['location.name' => location.name].field('openvpn.gateway_address').shuffle.first} || try{nodes_like_me[:services => 'openvpn'].field('openvpn.gateway_address').shuffle.first}" } -- cgit v1.2.3 From abb89aca59915223ec3b6ca999d3a15ba8ede594 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 3 Jun 2014 17:35:14 +0300 Subject: Explicitly set apt preferences for obfsproxy to wheezy-backports --- puppet/modules/site_apt/manifests/preferences/obfsproxy.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
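Review bot: Keying the secrets on `'scramblesuit_password_'+name` in both hunks gives each node its own password and port, but it also binds the secret to the node name: renaming a node presumably makes `base32_secret`/`rand_range` mint a fresh password and port, invalidating what clients were already given. That is likely acceptable, but nothing records it; a `// per-node secret: renaming the node regenerates password and port` comment above the `password` line would. The same block is duplicated in openvpn.json (second hunk) and both copies must be changed together.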
diff --git a/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp b/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp index 081086e5..75b01956 100644 --- a/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp +++ b/puppet/modules/site_apt/manifests/preferences/obfsproxy.pp @@ -2,7 +2,7 @@ class site_apt::preferences::obfsproxy { apt::preferences_snippet { 'obfsproxy': package => 'obfsproxy', - release => "${::lsbdistcodename}-backports", + release => 'wheezy-backports', priority => 999; } -- cgit v1.2.3 From ee8064a8281c3f933aeea219baec822ec8f52b84 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 3 Jun 2014 17:37:52 +0300 Subject: Remove unneeded newlines from obfsproxy.conf --- puppet/modules/obfsproxy/templates/etc_conf.erb | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/puppet/modules/obfsproxy/templates/etc_conf.erb b/puppet/modules/obfsproxy/templates/etc_conf.erb index 10f6a7f7..8959ef78 100644 --- a/puppet/modules/obfsproxy/templates/etc_conf.erb +++ b/puppet/modules/obfsproxy/templates/etc_conf.erb @@ -2,11 +2,10 @@ TRANSPORT=<%= @transport %> PORT=<%= @port %> DEST_IP=<%= @dest_ip %> DEST_PORT=<%= @dest_port %> -<% if @transport == "scramblesuit" %> +<% if @transport == "scramblesuit" -%> PARAM=--password=<%= @param %> -<% else %> +<% else -%> PARAM=<%= @param %> -<% end %> +<% end -%> LOG=<%= @log_level %> BINDADDR=<%= @bind_address %> - -- cgit v1.2.3 From aa3e39bc8342b6800129965efad72527b53596df Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 3 Jun 2014 17:41:46 +0300 Subject: Add User resource requirement for obfsproxy service, log, etc dir --- puppet/modules/obfsproxy/manifests/init.pp | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index 35d47d13..a23cfa58 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp 
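Review bot: Hard-coding `release => 'wheezy-backports'` in place of `${::lsbdistcodename}-backports` makes the pin silently stale on the next Debian release, and the commit message does not say why the fact-based value was wrong. A comment on the line, e.g. `# pinned to wheezy-backports because <REASON>; revisit when the platform moves past wheezy`, would let the next maintainer judge whether to lift it. With `priority => 999` the pin applies to the `obfsproxy` package only, which looks intended. The enclosing class continues outside the hunk.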
@@ -42,10 +42,11 @@ class obfsproxy ( } file { '/etc/obfsproxy': - ensure => directory, - owner => $user, - group => $user, - mode => '0700', + ensure => directory, + owner => $user, + group => $user, + mode => '0700', + require => User[$user], } file { '/var/log/obfsproxy.log': @@ -53,6 +54,7 @@ class obfsproxy ( owner => $user, group => $user, mode => '0640', + require => User[$user], } file { '/etc/logrotate.d/obfsproxy': @@ -73,7 +75,9 @@ class obfsproxy ( subscribe => File[$conf], require => [ Package['obfsproxy'], - File['/etc/init.d/obfsproxy'] ] + File['/etc/init.d/obfsproxy'], + User[$user], + Group[$user]] } -- cgit v1.2.3 From e184143d3066f02968c8bb1035e0e02bae44d587 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 3 Jun 2014 17:47:50 +0300 Subject: Add apt preferences requirement for obfsproxy package resource --- puppet/modules/obfsproxy/manifests/init.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/puppet/modules/obfsproxy/manifests/init.pp b/puppet/modules/obfsproxy/manifests/init.pp index a23cfa58..61714fdf 100644 --- a/puppet/modules/obfsproxy/manifests/init.pp +++ b/puppet/modules/obfsproxy/manifests/init.pp @@ -67,7 +67,8 @@ class obfsproxy ( } package { 'obfsproxy': - ensure => present, + ensure => present, + require => Class['site_apt::preferences::obfsproxy'], } service { 'obfsproxy': -- cgit v1.2.3 From 87e997658dae6655aa0a3f2da7dc8737ec9041bc Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 3 Jun 2014 21:36:09 +0300 Subject: A vpn node picks its openvpn.gateway as obfsproxy gateway address --- provider_base/services/openvpn.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index c62fa04b..1906244c 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json 
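Review bot: The three hunks add `require => User[$user]` (plus `Group[$user]` on the service), but no `user` or `group` resource for `$user` is visible in this file; if they are declared elsewhere in `class obfsproxy`, outside the hunks, this is fine, otherwise the catalog fails on an unresolved reference. Puppet already autorequires the User and Group resources named as a file's owner and group, so the two `file` requires are redundant though harmless; the service require is the one that adds ordering. A short comment on the service, `# user and group are managed by this class; the service must not start before they exist`, would document the intent, assuming that is where they come from. The enclosing class starts and ends outside the hunks.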
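Review bot: `require => Class['site_apt::preferences::obfsproxy']` on the package ties the generic `obfsproxy` module to a site-specific class, so the module can no longer be applied without `site_apt` in the catalog. The same ordering can be expressed from the site side, keeping the module reusable: in `site_obfsproxy`, which already includes the preferences class before declaring `obfsproxy`, add `Class['site_apt::preferences::obfsproxy'] -> Class['obfsproxy']`. If the coupling is deliberate, a comment on the package resource should say so. The enclosing class continues outside the hunk.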
@@ -32,6 +32,6 @@ "password": "= base32_secret('scramblesuit_password_'+name)", "port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)" }, - "gateway_address": "= try{openvpn.gateway_address} || try{nodes_like_me[:services => 'openvpn']['location.name' => location.name].field('openvpn.gateway_address').shuffle.first} || try{nodes_like_me[:services => 'openvpn'].field('openvpn.gateway_address').shuffle.first}" + "gateway_address": "= openvpn.gateway_address" } } -- cgit v1.2.3 From 0e0ebab964339446ab59cffead5a5546c5dcb18e Mon Sep 17 00:00:00 2001 From: irregulator Date: Mon, 30 Jun 2014 13:19:16 +0300 Subject: Check appropriately if obfsproxy is included in services --- puppet/manifests/site.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 8e00fbbd..57942d99 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -43,7 +43,7 @@ if member($services, 'static') { include site_static } -if $services =~ /\bobfsproxy\b/ { +if member($services, 'obfsproxy') { include site_obfsproxy } -- cgit v1.2.3 From 7e278f92f34e3809d380be724f0c306430791b10 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 1 Jul 2014 01:49:56 +0300 Subject: Use new macro pick_node to pick vpn gateway for obfsproxy.json --- provider_base/services/obfsproxy.json | 2 +- puppet/modules/obfsproxy/files/obfsproxy_init | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/provider_base/services/obfsproxy.json b/provider_base/services/obfsproxy.json index ab92c11f..979d0ef9 100644 --- a/provider_base/services/obfsproxy.json +++ b/provider_base/services/obfsproxy.json 
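Review bot: Switching to `member($services, 'obfsproxy')` is the right membership test, but the same `$::services =~ /\bopenvpn\b/` and `/\bobfsproxy\b/` regex checks remain in `site_obfsproxy` (added earlier in this series) and should be converted to `member($::services, ...)` in the same way, since the commit message implies the regex form does not test membership correctly. Leaving the two styles side by side invites the bug to reappear in the site class. The top-level manifest continues outside the hunk.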
@@ -4,6 +4,6 @@ "password": "= base32_secret('scramblesuit_password_'+name)", "port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)" }, - "gateway_address": "= try{openvpn.gateway_address} || try{nodes_like_me[:services => 'openvpn']['location.name' => location.name].field('openvpn.gateway_address').shuffle.first} || try{nodes_like_me[:services => 'openvpn'].field('openvpn.gateway_address').shuffle.first}" + "gateway_address": "= try{pick_node(:obfs_gateway,nodes_near_me['services' => 'openvpn']).pick_fields('openvpn.gateway_address')} || try{pick_node(:obfs_gateway,nodes_like_me['services' => 'openvpn']).pick_fields('openvpn.gateway_address')}" } } diff --git a/puppet/modules/obfsproxy/files/obfsproxy_init b/puppet/modules/obfsproxy/files/obfsproxy_init index 69dbab41..01c8013a 100755 --- a/puppet/modules/obfsproxy/files/obfsproxy_init +++ b/puppet/modules/obfsproxy/files/obfsproxy_init @@ -83,7 +83,7 @@ case $1 in start-stop-daemon --stop --signal USR1 --quiet --pidfile $PIDFILE --name $NAME log_success_msg "$DESC reloaded successfully" else - log_failure_msg "$PIDFILE does not exists" + log_failure_msg "$PIDFILE does not exist" fi ;; *) -- cgit v1.2.3
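Review bot: Both alternatives of the new `gateway_address` expression are wrapped in `try{}`, so when no openvpn node is near or like this one the value is presumably nil rather than a compile error; that leaves `DEST_IP` empty in the generated conf and the init script starts obfsproxy with `--dest=:443`, a listener that accepts connections it cannot forward. Unless `try{}` already raises in that case (I cannot tell from the diff), add a final alternative that fails loudly, or validate in `site_obfsproxy` with `if $dest_ip == undef { fail('obfsproxy: no openvpn gateway available') }`, so the misconfiguration surfaces at compile time. A `//` comment stating why `nodes_near_me` is tried before `nodes_like_me` would also help the next reader.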