From ada9645de11d75701db8202f34de5c26a2b749c2 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Mon, 24 Apr 2017 14:38:32 -0400
Subject: Add single-hop hidden service capability.

This cuts the number of hops for a tor onion service from 6 to 3,
speeding it up considerably. This removes the anonymity aspect of the
service, so it must be enabled intentionally, knowing that the server's
location no longer is hidden.
---
 puppet/modules/site_static/manifests/hidden_service.pp | 7 +++++--
 puppet/modules/site_static/manifests/init.pp           | 3 +--
 puppet/modules/site_tor/manifests/init.pp              | 2 +-
 puppet/modules/site_webapp/manifests/hidden_service.pp | 5 ++++-
 4 files changed, 11 insertions(+), 6 deletions(-)

(limited to 'puppet')

diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index 8a10398a..b64a35bc 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -1,8 +1,11 @@
 # create hidden service for static sites
-class site_static::hidden_service {
+class site_static::hidden_service ( $single_hop = false ) {
 
   include tor::daemon
-  tor::daemon::hidden_service { 'static': ports => [ '80 127.0.0.1:80'] }
+  tor::daemon::hidden_service { 'static':
+    ports      => [ '80 127.0.0.1:80'],
+    single_hop => $single_hop
+  }
   file {
     '/var/lib/tor/webapp/':
       ensure => directory,
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index dd3f912d..8be791e5 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -74,8 +74,7 @@ class site_static {
   if $tor {
     $hidden_service = $tor['hidden_service']
     $tor_domain     = "${hidden_service['address']}.onion"
-    if $hidden_service['active'] {
-      include site_static::hidden_service
+      class { 'site_static::hidden_service': single_hop => $hidden_service['single_hop']
     }
     # Currently, we only support a single hidden service address per server.
     # So if there is more than one domain configured, then we need to make sure
diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp
index 2207a5a9..8a92a944 100644
--- a/puppet/modules/site_tor/manifests/init.pp
+++ b/puppet/modules/site_tor/manifests/init.pp
@@ -20,7 +20,7 @@ class site_tor {
   }
 
   include site_config::default
-  include tor::daemon
+  class { 'tor::daemon': ensure_version => latest }
   tor::daemon::relay { $nickname:
     port           => 9001,
     address        => $address,
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 81d431cd..6651df86 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -11,7 +11,10 @@ class site_webapp::hidden_service {
   include apache::module::removeip
 
   include tor::daemon
-  tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'] }
+  tor::daemon::hidden_service { 'webapp':
+    ports      => [ '80 127.0.0.1:80'],
+    single_hop => $hidden_service['single_hop']
+  }
 
   file {
     '/var/lib/tor/webapp/':
-- 
cgit v1.2.3