From c393af8fd5321b8ddf547aed22f833899e56e20e Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Mon, 24 Apr 2017 12:08:10 -0400
Subject: Lint
---
 .../modules/site_static/manifests/hidden_service.pp | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
(limited to 'puppet/modules/site_static/manifests')
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index f1f15f8e..8a10398a 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -5,18 +5,18 @@ class site_static::hidden_service { tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'] } file { '/var/lib/tor/webapp/': - ensure => directory, - owner => 'debian-tor', - group => 'debian-tor', - mode => '2700'; + ensure => directory, + owner => 'debian-tor', + group => 'debian-tor', + mode => '2700'; '/var/lib/tor/static/private_key': - ensure => present, - source => "/srv/leap/files/nodes/${::hostname}/tor.key", - owner => 'debian-tor', - group => 'debian-tor', - mode => '0600', - notify => Service['tor']; + ensure => present, + source => "/srv/leap/files/nodes/${::hostname}/tor.key", + owner => 'debian-tor', + group => 'debian-tor', + mode => '0600', + notify => Service['tor']; '/var/lib/tor/static/hostname': ensure => present,
-- cgit v1.2.3
From ada9645de11d75701db8202f34de5c26a2b749c2 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Mon, 24 Apr 2017 14:38:32 -0400
Subject: Add single-hop hidden service capability. This cuts the number of hops for a tor onion service from 6 to 3, speeding it up considerably. This removes the anonymity aspect of the service, so it must be enabled intentionally, knowing that the server's location no longer is hidden.
---
 puppet/modules/site_static/manifests/hidden_service.pp | 7 +++++--
 puppet/modules/site_static/manifests/init.pp | 3 +--
 2 files changed, 6 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_static/manifests')
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index 8a10398a..b64a35bc 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -1,8 +1,11 @@ # create hidden service for static sites -class site_static::hidden_service { +class site_static::hidden_service ( $single_hop = false ) { include tor::daemon - tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'] } + tor::daemon::hidden_service { 'static': + ports => [ '80 127.0.0.1:80'], + single_hop => $single_hop + } file { '/var/lib/tor/webapp/': ensure => directory,
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index dd3f912d..8be791e5 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -74,8 +74,7 @@ class site_static { if $tor { $hidden_service = $tor['hidden_service'] $tor_domain = "${hidden_service['address']}.onion" - if $hidden_service['active'] { - include site_static::hidden_service + class { 'site_static::hidden_service': single_hop => $hidden_service['single_hop'] } # Currently, we only support a single hidden service address per server. # So if there is more than one domain configured, then we need to make sure
-- cgit v1.2.3
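Review bot: The new `$single_hop` parameter is undocumented in the manifest; the only place its effect is explained is the commit message, and the header comment still reads `# create hidden service for static sites`. Because enabling it gives up the location anonymity of the onion service, that trade-off belongs next to the parameter, e.g. `# $single_hop: when true the onion service is published as a single-hop service — faster, but the server's location is no longer hidden; keep false unless that is intended.` The `false` default is the right one for a switch with this effect.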
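Review bot: The removed `if $hidden_service['active']` guard is not carried over, so `site_static::hidden_service` is now declared whenever `$tor` is set, even when hiera marks the hidden service inactive; the `}` kept as context now closes the `class {` declaration instead of the dropped `if`. Unless `active` is checked elsewhere (the enclosing `if $tor {` block starts and ends outside the hunk), the guard should be reinstated around the new declaration: `if $hidden_service['active'] {` / `class { 'site_static::hidden_service': single_hop => $hidden_service['single_hop'] }` / `}`. Passing `$hidden_service['single_hop']` straight through also means a missing key yields undef; that presumably falls back to the class default, but an explicit `false` fallback would make the intent visible.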
From 68e9a28da2db4cb494bc19a1aeaa0663cb286414 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 2 May 2017 16:23:20 -0400
Subject: Restructure site_tor to be more clear and re-usable (fixes #8784). This makes a more clear site_tor::relay class that the leap service includes, and a more generic site_tor class that other classes can depend on for setting up the initial install.
---
 puppet/modules/site_static/manifests/hidden_service.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'puppet/modules/site_static/manifests')
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index b64a35bc..31cf328e 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -1,7 +1,7 @@ # create hidden service for static sites class site_static::hidden_service ( $single_hop = false ) { - include tor::daemon + include site_tor tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'], single_hop => $single_hop
-- cgit v1.2.3
From 1e463c6638a05a237d660f458f5a147353be3fc1 Mon Sep 17 00:00:00 2001
From: elijah
Date: Fri, 26 May 2017 16:41:51 -0700
Subject: static - support for renewing certs with let's encrypt for static sites
---
 puppet/modules/site_static/manifests/domain.pp | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
(limited to 'puppet/modules/site_static/manifests')
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
index 6cf2c653..e456c94e 100644
--- a/puppet/modules/site_static/manifests/domain.pp
+++ b/puppet/modules/site_static/manifests/domain.pp
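Review bot: After swapping `include tor::daemon` for `include site_tor`, this class still declares `tor::daemon::hidden_service { 'static': ... }` (and, outside the hunk, notifies `Service['tor']`), so it now depends on `site_tor` pulling `tor::daemon` into the catalog for it. That coupling is invisible in this file; a one-line comment would keep the next maintainer from "cleaning up" the include, e.g. `# site_tor is expected to include tor::daemon, which provides the define and Service['tor'] used below`. The class body continues past the hunk.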
@@ -1,25 +1,30 @@ # configure static service for domain define site_static::domain ( - $ca_cert, + $ca_cert=undef, $key, $cert, $tls_only=true, $use_hidden_service=false, $locations=undef, $aliases=undef, - $apache_config=undef) { + $apache_config=undef, + $www_alias=false) { $domain = $name $base_dir = '/srv/static' - $cafile = "${cert}\n${ca_cert}" + if ($ca_cert) { + $certfile = "${cert}\n${ca_cert}" + } else { + $certfile = $cert + } if is_hash($locations) { create_resources(site_static::location, $locations) } x509::cert { $domain: - content => $cafile, + content => $certfile, notify => Service[apache] } x509::key { $domain:
-- cgit v1.2.3
From 804e022221bfb0b5200282e556d75e601271dac5 Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 15 Aug 2017 17:35:55 -0700
Subject: Bug: fix hidden service for static hidden service should be activated iff tor is among the active services and tor.hidden_service.active == true
---
 puppet/modules/site_static/manifests/init.pp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
(limited to 'puppet/modules/site_static/manifests')
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 8be791e5..96d92f74 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -12,6 +12,11 @@ class site_static { $formats = $static['formats'] $bootstrap = $static['bootstrap_files'] $tor = hiera('tor', false) + if $tor and member($services, 'tor') and $tor['hidden_service']['active'] == true { + $tor_active = true + } else { + $tor_active = false + } file { '/srv/static/':
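Review bot: `$www_alias=false` is added to the define's parameter list but nothing in the hunk reads it, and as the commit touches only this file and its nine insertions are all visible here, the parameter is dead in this commit; either drop it or add the alias handling it is meant to drive. Making `$ca_cert` optional is reasonable, but the new `else` branch then writes a leaf-only certificate, which only serves a complete chain if the intermediate was already concatenated into `$cert`; a comment above `if ($ca_cert) {` such as `# $ca_cert is optional; when unset, $cert must already contain the full chain` would prevent a silent mis-deploy. The define's body continues past the hunk.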
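Review bot: The new condition indexes `$tor['hidden_service']['active']` without first checking that the `tor` hash has a `hidden_service` key, so a hiera `tor` entry that only configures a relay or exit would presumably fail at catalog compile on that line rather than evaluate to false. `member($services, 'tor')` also relies on `$services` being visible from an outer scope, since this file does not declare it. Guarding the lookup with stdlib's `has_key`, e.g. `if $tor and member($services, 'tor') and has_key($tor, 'hidden_service') and $tor['hidden_service']['active'] == true {`, keeps the intent of the fix while tolerating partial data; whether a string `'true'` from hiera compares equal to boolean `true` here depends on the parser in use and is worth confirming against the data that sets it. The class body continues past the hunk.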
@@ -67,15 +72,17 @@ class site_static { } package { 'zlib1g-dev': - ensure => installed + ensure => installed } } - if $tor { + if $tor_active { $hidden_service = $tor['hidden_service'] $tor_domain = "${hidden_service['address']}.onion" - class { 'site_static::hidden_service': single_hop => $hidden_service['single_hop'] + class { 'site_static::hidden_service': + single_hop => $hidden_service['single_hop'] } + # Currently, we only support a single hidden service address per server. # So if there is more than one domain configured, then we need to make sure # we don't enable the hidden service for every domain.
-- cgit v1.2.3
From 96f8af37b4a3bbd9a15651e27f588073c0601299 Mon Sep 17 00:00:00 2001
From: elijah
Date: Tue, 19 Sep 2017 11:54:27 -0700
Subject: Feat: split tor service into three The 'tor' service is now three separate services, 'tor_exit', 'tor_relay', or 'hidden_service'.
---
 puppet/modules/site_static/manifests/hidden_service.pp | 2 +-
 puppet/modules/site_static/manifests/init.pp | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
(limited to 'puppet/modules/site_static/manifests')
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index 31cf328e..dcf3785e 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -23,7 +23,7 @@ class site_static::hidden_service ( $single_hop = false ) { '/var/lib/tor/static/hostname': ensure => present, - content => "${::site_static::tor_domain}\n", + content => "${::site_static::onion_domain}\n", owner => 'debian-tor', group => 'debian-tor', mode => '0600',
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 96d92f74..4ddce5ed 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -12,10 +12,10 @@ class site_static { $formats = $static['formats'] $bootstrap = $static['bootstrap_files'] $tor = hiera('tor', false) - if $tor and member($services, 'tor') and $tor['hidden_service']['active'] == true { - $tor_active = true + if $tor and member($services, 'hidden_service') { + $onion_active = true } else { - $tor_active = false + $onion_active = false } file {
@@ -76,9 +76,9 @@ class site_static { } } - if $tor_active { + if $onion_active { $hidden_service = $tor['hidden_service'] - $tor_domain = "${hidden_service['address']}.onion" + $onion_domain = "${hidden_service['address']}.onion" class { 'site_static::hidden_service': single_hop => $hidden_service['single_hop'] }
-- cgit v1.2.3
From 5b10def43d134e5735bfcec1237c04cf66e8610b Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Tue, 19 Sep 2017 15:36:06 -0400
Subject: Feat: Refactor tor services In order to refactor the tor services, we need to split them out into three different services. This adds the hidden service class that is necessary to support the previous commits. Fixes #8864.
---
 puppet/modules/site_static/manifests/hidden_service.pp | 6 ++++--
 puppet/modules/site_static/manifests/init.pp | 13 +++++++------
 2 files changed, 11 insertions(+), 8 deletions(-)
(limited to 'puppet/modules/site_static/manifests')
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index dcf3785e..f23727f7 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
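Review bot: With the `active == true` clause gone, `$onion_active` is true whenever `$tor` is set and the service list contains `hidden_service`, but the second hunk of this file then reads `$tor['hidden_service']['address']` and `['single_hop']` unconditionally; a hiera `tor` entry without a `hidden_service` key on a host that lists the service would presumably fail on that indexing rather than with a clear message. A presence check in the new condition, e.g. `if $tor and member($services, 'hidden_service') and has_key($tor, 'hidden_service') {`, or an explicit `fail()` naming the missing key, would make the misconfiguration obvious. `$services` is still not declared in this file, so the lookup relies on a top-scope variable being in place.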
@@ -1,13 +1,15 @@ # create hidden service for static sites class site_static::hidden_service ( $single_hop = false ) { + Class['site_tor::hidden_service'] -> Class['site_static::hidden_service'] + include site_tor::hidden_service - include site_tor tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'], single_hop => $single_hop } + file { - '/var/lib/tor/webapp/': + '/var/lib/tor/static/': ensure => directory, owner => 'debian-tor', group => 'debian-tor',
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 4ddce5ed..40c6a28b 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -7,12 +7,13 @@ class site_static { include site_config::x509::key include site_config::x509::ca_bundle - $static = hiera('static') - $domains = $static['domains'] - $formats = $static['formats'] - $bootstrap = $static['bootstrap_files'] - $tor = hiera('tor', false) - if $tor and member($services, 'hidden_service') { + $services = hiera('services', []) + $static = hiera('static') + $domains = $static['domains'] + $formats = $static['formats'] + $bootstrap = $static['bootstrap_files'] + $tor = hiera('tor', false) + if $tor and member($services, 'tor_hidden_service') { $onion_active = true } else { $onion_active = false
-- cgit v1.2.3
From 414e36cf11364a9e581eb260b3267078b6cdda44 Mon Sep 17 00:00:00 2001
From: Micah Anderson
Date: Sat, 7 Oct 2017 13:50:55 -0400
Subject: feat: add v3 tor hidden service support Resolves: #8879
---
 puppet/modules/site_static/manifests/hidden_service.pp | 5 +++--
 puppet/modules/site_static/manifests/init.pp | 5 ++---
 2 files changed, 5 insertions(+), 5 deletions(-)
(limited to 'puppet/modules/site_static/manifests')
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index f23727f7..c5d12c34 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
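Review bot: The class orders itself after `site_tor::hidden_service` with a `Class[...] -> Class[...]` chain on one line and includes it on the next; the `require` function expresses both in one statement, `require site_tor::hidden_service`, and reads as the dependency it is. Renaming the managed directory from `/var/lib/tor/webapp/` to `/var/lib/tor/static/` (which matches where the `private_key` and `hostname` files below already live) leaves the old `2700` directory behind on already-provisioned hosts, since nothing marks it absent; if it is no longer used, a `file { '/var/lib/tor/webapp/': ensure => absent, force => true }` resource would clean it up. The `file {` block continues past the hunk.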
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -1,11 +1,12 @@ # create hidden service for static sites -class site_static::hidden_service ( $single_hop = false ) { +class site_static::hidden_service ( $single_hop = false, $v3 = false ) { Class['site_tor::hidden_service'] -> Class['site_static::hidden_service'] include site_tor::hidden_service tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'], - single_hop => $single_hop + single_hop => $single_hop, + v3 => $v3 } file {
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 40c6a28b..fdc5782f 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -60,10 +60,8 @@ class site_static { include site_config::ruby::dev if (member($formats, 'rack')) { - include site_apt::preferences::passenger class { 'passenger': manage_munin => false, - require => Class['site_apt::preferences::passenger'] } }
@@ -81,7 +79,8 @@ class site_static { $hidden_service = $tor['hidden_service'] $onion_domain = "${hidden_service['address']}.onion" class { 'site_static::hidden_service': - single_hop => $hidden_service['single_hop'] + single_hop => $hidden_service['single_hop'], + v3 => $hidden_service['v3'] } # Currently, we only support a single hidden service address per server.
-- cgit v1.2.3
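Review bot: `$v3` is added with no documentation, and the rest of this class (outside the hunk) still deploys a `private_key` file from `tor.key` and writes the onion `hostname`, which is the v2 key layout; v3 services keep their identity in a different key file, so unless `tor::daemon::hidden_service` provisions v3 key material itself, enabling `$v3` would presumably leave tor generating a fresh address that does not match the hostname written here — worth confirming before merging. At minimum the header comment should describe both parameters, e.g. `# $v3: publish a v3 onion service (the key material deployed below is v2-format; confirm v3 keys are provisioned separately)`. The class body continues past the hunk.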
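Review bot: The removal of `include site_apt::preferences::passenger` and its matching `require => Class['site_apt::preferences::passenger']` has nothing to do with v3 onion support and is not mentioned in the commit message, so it should be split into its own commit that states why the apt pinning is no longer needed. As written, anyone bisecting a passenger packaging regression would not find the change under this subject. The `if (member($formats, 'rack'))` block closes inside the hunk; its enclosing class continues outside.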