From fdb58381afa317ab9639dffa59f4155395b68718 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Thu, 14 Sep 2017 10:33:41 -0400
Subject: Bug: Ensure tor exit is disabled properly

Simply disabling exit policies is not enough to disable an exit node, it also
needs to be explicitly disabled. This may change in future versions of tor, but
for now, explicitly adding 'ExitRelay 0' to the configuration is needed. This
fixes #8863.
---
 puppet/modules/site_tor/manifests/disable_exit.pp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp
index 078f80ae..85c24bfc 100644
--- a/puppet/modules/site_tor/manifests/disable_exit.pp
+++ b/puppet/modules/site_tor/manifests/disable_exit.pp
@@ -1,7 +1,13 @@
+# ensure that the tor relay is not configured as an exit node
 class site_tor::disable_exit {
   tor::daemon::exit_policy {
     'no_exit_at_all':
       reject => [ '*:*' ];
   }
+# In a future version of Tor, ExitRelay 0 may become the default when no ExitPolicy is given.
+  tor::daemon::snippet {
+    'disable_exit':
+      content => 'ExitRelay 0';
+  }
 }
 
-- 
cgit v1.2.3