authormh <mh@immerda.ch>2018-02-13 01:22:57 +0100
committermh <mh@immerda.ch>2018-02-13 01:22:57 +0100
commit24bd5ca46dc90c663f241933410d085fc1311fab (patch)
treef3498601b49fe453230c7a042edfd99b5c2f77f0
parent1fcbe72115d57d53fced2777c8b54a4ee4ec17e9 (diff)
parent228ae4a53999dbc49fa7c4d2883468dde10f19fb (diff)
Merge remote-tracking branch 'shared/master'
-rw-r--r--.fixtures.yml6
-rw-r--r--.gitlab-ci.yml21
-rw-r--r--Gemfile59
-rw-r--r--README229
-rw-r--r--README.md262
-rw-r--r--Rakefile12
-rw-r--r--manifests/base.pp10
-rw-r--r--manifests/compact.pp2
-rw-r--r--manifests/daemon/control.pp4
-rw-r--r--manifests/daemon/directory.pp2
-rw-r--r--manifests/daemon/dns.pp1
-rw-r--r--manifests/daemon/hidden_service.pp16
-rw-r--r--manifests/daemon/onion_service.pp8
-rw-r--r--manifests/daemon/params.pp5
-rw-r--r--manifests/daemon/relay.pp3
-rw-r--r--manifests/daemon/socks.pp1
-rw-r--r--manifests/daemon/transparent.pp4
-rw-r--r--manifests/daemon/transport_plugin.pp13
-rw-r--r--manifests/munin.pp2
-rw-r--r--manifests/onionbalance.pp6
-rw-r--r--manifests/repo.pp2
-rw-r--r--manifests/repo/debian.pp2
-rw-r--r--metadata.json60
-rw-r--r--templates/torrc.directory.erb7
-rw-r--r--templates/torrc.dns.erb3
-rw-r--r--templates/torrc.exit_policy.erb4
-rw-r--r--templates/torrc.global.erb2
-rw-r--r--templates/torrc.onion_service.erb14
-rw-r--r--templates/torrc.relay.erb7
-rw-r--r--templates/torrc.socks.erb5
-rw-r--r--templates/torrc.transparent.erb3
-rw-r--r--templates/torrc.transport_plugin.erb13
32 files changed, 419 insertions, 369 deletions
diff --git a/.fixtures.yml b/.fixtures.yml
new file mode 100644
index 0000000..ba96496
--- /dev/null
+++ b/.fixtures.yml
@@ -0,0 +1,6 @@
+fixtures:
+ repositories:
+ "concat":
+ "repo": "https://github.com/puppetlabs/puppetlabs-concat.git"
+ symlinks:
+ "tor": "#{source_dir}"
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..268210d
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,21 @@
+image: ruby:2.3
+
+# Test job template
+.test_template: &test_definition
+ stage: test
+ script:
+ - bundle install --jobs $(nproc) --without docs --path vendor
+ - bundle exec rake tests
+ - bundle exec rake spec
+
+# Test with version present on Debian stable
+test:puppet48:
+ variables:
+ PUPPET_VERSION: "~> 4.8.2"
+ FACTER_VERSION: '~> 2.4.6'
+ HIERA_VERSION: '~> 3.2.0'
+ <<: *test_definition
+
+# Test with latest Puppet release
+test:puppetlatest:
+ <<: *test_definition
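Review bot: `test:puppetlatest` sets no `PUPPET_VERSION`, so the Gemfile in this commit resolves puppet through its fallback `'< 5.3.4'` (the `gem 'puppet', ENV['PUPPET_VERSION'] || '< 5.3.4'` line) — the job does not test the latest Puppet release despite its name. Either set `PUPPET_VERSION` explicitly in that job or add `# NOTE: without PUPPET_VERSION the Gemfile caps puppet below 5.3.4 (rspec-puppet #647)` above it so the cap is not forgotten once the upstream issue is fixed. Separately, `bundle install` runs with no committed lockfile and against the floating `ruby:2.3` tag, so two runs of the same pipeline can resolve different gem sets; if reproducible CI matters here, commit a `Gemfile.lock` or pin the image.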
diff --git a/Gemfile b/Gemfile
index f182839..9c1b803 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,49 +1,18 @@
-source ENV['GEM_SOURCE'] || 'https://rubygems.org'
-
-def location_for(place, fake_version = nil)
- if place =~ /^(git[:@][^#]*)#(.*)/
- [fake_version, { :git => $1, :branch => $2, :require => false }].compact
- elsif place =~ /^file:\/\/(.*)/
- ['>= 0', { :path => File.expand_path($1), :require => false }]
- else
- [place, { :require => false }]
- end
-end
-
-group :development, :unit_tests do
- # rspec must be v2 for ruby 1.8.7
- if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9'
- gem 'rspec', '~> 2.0'
- else
- gem 'rspec', '~> 3.1.0', :require => false
- end
-
- gem 'rake', '~> 10.1.0', :require => false
- gem 'rspec-puppet', '~> 2.2', :require => false
- gem 'mocha', :require => false
- # keep for its rake task for now
- gem 'puppetlabs_spec_helper', :require => false
- gem 'puppet-lint', :require => false
- gem 'librarian-puppet', :require => false
- gem 'metadata-json-lint', :require => false
- gem 'pry', :require => false
- gem 'simplecov', :require => false
-end
-
-facterversion = ENV['GEM_FACTER_VERSION'] || ENV['FACTER_GEM_VERSION']
-if facterversion
- gem 'facter', *location_for(facterversion)
-else
- gem 'facter', :require => false
-end
+# vim:ft=ruby
+source 'https://rubygems.org'
-puppetversion = ENV['GEM_PUPPET_VERSION'] || ENV['PUPPET_GEM_VERSION']
-if puppetversion
- gem 'puppet', *location_for(puppetversion)
-else
- gem 'puppet', :require => false
-end
+gem 'rake'
+# 5.3.4 is currently broken
+# https://github.com/rodjek/rspec-puppet/issues/647
+gem 'puppet', ENV['PUPPET_VERSION'] || '< 5.3.4'
gem 'base32'
-# vim:ft=ruby
+group :tests do
+ gem 'facter', ENV['FACTER_VERSION']
+ gem 'hiera', ENV['HIERA_VERSION']
+ gem 'puppetlabs_spec_helper'
+ gem 'librarian-puppet'
+ gem 'metadata-json-lint'
+ gem 'semantic_puppet'
+end
diff --git a/README b/README
deleted file mode 100644
index 3b6c524..0000000
--- a/README
+++ /dev/null
@@ -1,229 +0,0 @@
-puppet module for managing tor
-==============================
-
-This module tries to manage tor, making sure it is installed, running, has munin
-graphs if desired and allows for configuration of relays, hidden services, exit
-policies, etc.
-
-! Upgrade Notice !
-
- previously, if you did not set the $outbound_bindaddress variable, it was being
- automatically set to the $listen_address variable. Now this is not being done
- and instead you will need to set the $outbound_bindaddress explicitly for it to
- be set.
-
- the tor::relay{} variables $bandwidth_rate and $bandwidth_burst were previously
- used for the tor configuration variables RelayBandwidthRate and
- RelayBandwidthBurst, these have been renamed to $relay_bandwidth_rate and
- $relay_bandwidth_burst. If you were using these, please rename your variables in
- your configuration.
-
- The variables $bandwidth_rate and $bandwidth_burst are now used for the tor
- configuration variables BandwidthRate and BandwidthBurst. If you used
- $bandwidth_rate or $bandwidth_burst please be aware that these values have
- changed and adjust your configuration as necessary.
-
- The $tor_ensure_version was converted to a parameter for the tor and
- tor::daemon classes.
-
- The $torsocks_ensure_version was converted to a parameter for the
- tor::torsocks class.
-
- The options that used to be settable with the
- tor::daemon::global_opts define now are parameters for the
- tor::daemon class, and tor::daemon::global_opts was
- removed accordingly.
-
-
-Dependencies
-============
-
-This module needs:
-
-- the concat module: https://gitlab.com/shared-puppet-modules-group/concat
-- the apt module https://gitlab.com/shared-puppet-modules-group/apt or https://github.com/puppetlabs/puppetlabs-apt/
-
-Usage
-=====
-
-Installing tor
---------------
-
-To install tor, simply include the 'tor' class in your manifests:
-
- class { 'tor': }
-
-You can specify the $ensure_version class parameter to get a specific
-version installed.
-
-However, if you want to make configuration changes to your tor daemon, you will
-want to instead include the 'tor::daemon' class in your manifests, which will
-inherit the 'tor' class from above:
-
- class { '::tor::daemon': }
-
-You have the following class parameters that you can specify:
-
-data_dir (default: '/var/lib/tor')
-config_file (default: '/etc/tor/torrc')
-use_bridges (default: 0)
-automap_hosts_on_resolve (default: 0)
-log_rules (default: ['notice file /var/log/tor/notices.log'])
-
-The data_dir will be used for the tor user's $HOME, and the tor DataDirectory
-value.
-
-The config_file will be managed and the daemon restarted when
-it changed.
-
-use_bridges and automap_hosts_on_resolve are used to set the
-UseBridges and AutomapHostsOnResolve torrc settings.
-
-The log_rules can be an array of different Log lines, each will be added to the
-config, for example the following will use syslog:
-
- class { '::tor::daemon':
- log_rules => [ 'notice syslog' ],
- }
-
-If you want to set specific options for the tor class,
-you may pass them directly to the tor::daemon in your manifests,
-e.g.:
-
- class { '::tor::daemon':
- use_munin => true,
- automap_hosts_on_resolve => 1,
- }
-
-Configuring socks
------------------
-
-To configure tor socks support, you can do the following:
-
- tor::daemon::socks { "listen_locally": listen_addresses => [ '127.0.0.1' ]; }
-
-this will setup the SocksListenAddress to be 127.0.0.1. You also can pass the
-following options to tor::daemon::socks:
-
-$port = 0 - SocksPort
-$listen_address - can pass multiple values to configure SocksListenAddress lines
-$policies - can pass multiple values to configure SocksPolicy lines
-
-Installing torsocks
--------------------
-
-To install torsocks, simply include the 'torsocks' class in your manifests:
-
- class { 'tor::torsocks': }
-
-You can specify the $ensure_version class parameter to get a specific
-version installed.
-
-Configuring relays
-==================
-
-An example relay configuration:
-
- tor::daemon::relay { "foobar":
- port => 9001, listen_addresses => '192.168.0.1', address => '192.168.0.1',
- bandwidth_rate => '256', bandwidth_burst => '256', contact_info => "Foo <collective at example dot com>",
- my_family => '<long family string here>'
- }
-
-You have the following options that can be passed to a relay, with the defaults shown:
-
-$port = 0,
-$listen_addresses = [],
-$portforwarding = 0, # PortForwarding 0|1, set for opening ports at the router via UPnP.
- # Requires 'tor-fw-helper' binary present.
-$bandwidth_rate = '', # KB/s, defaulting to using tor's default: 5120KB/s
-$bandwidth_burst = '', # KB/s, defaulting to using tor's default: 10240KB/s
-$relay_bandwidth_rate = 0, # KB/s, 0 for no limit.
-$relay_bandwidth_burst = 0, # KB/s, 0 for no limit.
-$accounting_max = 0, # GB, 0 for no limit.
-$accounting_start = [],
-$contact_info = '',
-$my_family = '', # TODO: autofill with other relays
-$address = "tor.${domain}",
-$bridge_relay = 0,
-$ensure = present
-$nickname = $name
-
-Configuring the control
------------------------
-
-To pass parameters to configure the ControlPort and the HashedControlPassword,
-you would do something like this:
-
- tor::daemon::control { "foo-control":
- port => '80', hashed_control_password => '<somehash>',
- ensure => present
-}
-
-Note: you must pass a hashed password to the control port, if you are going to
-use it.
-
-
-Configuring hidden services
----------------------------
-
-To configure a tor hidden service you can do something like the following:
-
- tor::daemon::onion_service { "onion_ssh": ports => 22 }
-
-The HiddenServiceDir is set to the ${data_dir}/${name}.
-
-Configuring directories
------------------------
-
-An example directory configuration:
-
- tor::daemon::directory { 'ssh_directory':
- port => 80, listen_address => '192.168.0.1',
- port_front_page => '/etc/tor/tor.html'
- }
-
-Configuring exit policies
---------------------------
-
-To configure exit policies, you can do the following:
-
-tor::daemon::exit_policy { "ssh_exit_policy":
- accept => "192.168.0.1:22",
- reject => "*:*";
- }
- }
-
-
-Polipo
-======
-
-Polipo support can be enabled by doing:
-
- include tor::polipo
-
-this will inherit the tor class by default, remove privoxy if its installed, and
-install polipo, making sure it is running.
-
-
-Munin
-=====
-
-If you are using munin, and have the puppet munin module installed, you can set
-the use_munin parameter to true when defining the tor::daemon class to have
-graphs setup for you.
-
-Functions
-=========
-
-This module comes with 2 functions specific to tor support. They require the base32 gem to be installed on the master or wherever they are executed.
-
-onion_address
--------------
-
-This function takes a 1024bit RSA private key as an argument and returns the onion address for a hidden service for that key.
-
-generate_onion_key
-------------------
-
-This function takes a path (on the puppetmaster!) and an identifier for a key and returns an array containing the matching onion address and the private key. The private key either exists under the supplied `path/key_identifier` or is being generated on the fly and stored under that path for the next execution.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..97213c4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,262 @@
+# tor
+
+#### Table of Contents
+
+* [Overview](#overview)
+ * [Upgrade Notice](#upgrade-notice)
+* [Dependencies](#dependencies)
+* [Usage](#usage)
+ * [Installing tor](#installing-tor)
+ * [Configuring SOCKS](#configuring-socks)
+ * [Installing torsocks](#installing-torsocks)
+ * [Configuring relays](#configuring-relays)
+ * [Configuring the control](#configuring-control)
+ * [Configuring onion services](#configuring-onion-services)
+ * [Configuring directories](#configuring-directories)
+ * [Configuring exit policies](#configuring-exit-policies)
+ * [Configuring transport plugins](#configuring-transport-plugins)
+* [Functions](#functions)
+* [Polipo](#polipo)
+* [Munin](#munin)
+
+# Overview<a name="overview"></a>
+
+This module tries to manage tor, making sure it is installed, running, has
+munin graphs if desired and allows for configuration of relays, onion services,
+exit policies, etc.
+
+## Upgrade Notice<a name="upgrade-notice"></a>
+
+ * All of the `listen_address` variables have been deprecated, since they have
+ been deprecated in tor since 0.2.3.x-alpha. Please read the new tor man page
+ if you were using those variables.
+
+ * Previously, if you did not set the `$outbound_bindaddress` variable, it was
+ being automatically set to the `$listen_address variable`. Now this is not
+ being done and instead you will need to set the `$outbound_bindaddress`
+ explicitly for it to be set.
+
+ * The `tor::relay{}` variables `$bandwidth_rate` and `$bandwidth_burst` were
+ previously used for the tor configuration variables `RelayBandwidthRate` and
+ `RelayBandwidthBurst`, these have been renamed to `$relay_bandwidth_rate`
+ and `$relay_bandwidth_burst`. If you were using these, please rename your
+ variables in your configuration.
+
+ * The variables `$bandwidth_rate` and `$bandwidth_burst` are now used for the
+ tor configuration variables `BandwidthRate` and `BandwidthBurst`. If you
+ used `$bandwidth_rate` or `$bandwidth_burst` please be aware that these
+ values have changed and adjust your configuration as necessary.
+
+ * The `$tor_ensure_version` was converted to a parameter for the tor and
+ `tor::daemon` classes.
+
+ * The `$torsocks_ensure_version` was converted to a parameter for the
+ `tor::torsocks` class.
+
+ * The options that used to be settable with the `tor::daemon::global_opts`
+ define now are parameters for the `tor::daemon class`, and
+ `tor::daemon::global_opts` was removed accordingly.
+
+
+# Dependencies<a name="dependencies"></a>
+
+This module needs:
+
+ * the [concat module](https://github.com/puppetlabs/puppetlabs-concat.git)
+
+# Usage<a name="usage"></a>
+
+## Installing tor<a name="installing-tor"></a>
+
+To install tor, simply include the 'tor' class in your manifests:
+
+ class { 'tor': }
+
+You can specify the `$ensure_version` class parameter to get a specific
+version installed.
+
+However, if you want to make configuration changes to your tor daemon, you will
+want to instead include the `tor::daemon` class in your manifests, which will
+inherit the `tor` class from above:
+
+ class { '::tor::daemon': }
+
+You have the following class parameters that you can specify:
+
+ data_dir (default: '/var/lib/tor')
+ config_file (default: '/etc/tor/torrc')
+ use_bridges (default: 0)
+ automap_hosts_on_resolve (default: 0)
+ log_rules (default: ['notice file /var/log/tor/notices.log'])
+
+The `data_dir` will be used for the tor user's `$HOME`, and the tor
+`DataDirectory` value.
+
+The `config_file` will be managed and the daemon restarted when it changed.
+
+`use_bridges` and `automap_hosts_on_resolve` are used to set the `UseBridges`
+and `AutomapHostsOnResolve` torrc settings.
+
+The `log_rules` can be an array of different Log lines, each will be added to
+the config, for example the following will use syslog:
+
+ class { '::tor::daemon':
+ log_rules => [ 'notice syslog' ],
+ }
+
+If you want to set specific options for the tor class, you may pass them
+directly to the tor::daemon in your manifests, e.g.:
+
+ class { '::tor::daemon':
+ use_munin => true,
+ automap_hosts_on_resolve => 1,
+ }
+
+## Configuring SOCKS<a name="configuring-socks"></a>
+
+To configure tor socks support, you can do the following:
+
+ tor::daemon::socks { "listen_locally":
+ port => 0,
+ policies => 'your super policy';
+ }
+
+## Installing torsocks<a name="installing-torsocks"></a>
+
+To install torsocks, simply include the `torsocks` class in your manifests:
+
+ class { 'tor::torsocks': }
+
+You can specify the `$ensure_version` class parameter to get a specific
+version installed.
+
+# Configuring relays<a name="configuring-relays"></a>
+
+An example relay configuration:
+
+ tor::daemon::relay { "foobar":
+ port => '9001',
+ address => '192.168.0.1',
+ bandwidth_rate => '256',
+ bandwidth_burst => '256',
+ contact_info => "Foo <collective at example dot com>",
+ my_family => '<long family string here>';
+ }
+
+You have the following options that can be passed to a relay, with the defaults
+shown:
+
+ $port = 0,
+ $portforwarding = 0, # PortForwarding 0|1, set for opening ports at the router via UPnP.
+ # Requires 'tor-fw-helper' binary present.
+ $bandwidth_rate = '', # KB/s, defaulting to using tor's default: 5120KB/s
+ $bandwidth_burst = '', # KB/s, defaulting to using tor's default: 10240KB/s
+ $relay_bandwidth_rate = 0, # KB/s, 0 for no limit.
+ $relay_bandwidth_burst = 0, # KB/s, 0 for no limit.
+ $accounting_max = 0, # GB, 0 for no limit.
+ $accounting_start = [],
+ $contact_info = '',
+ $my_family = '', # TODO: autofill with other relays
+ $address = "tor.${domain}",
+ $bridge_relay = 0,
+ $ensure = present
+ $nickname = $name
+
+## Configuring the control<a name="configuring-control"></a>
+
+To pass parameters to configure the `ControlPort` and the
+`HashedControlPassword`, you would do something like this:
+
+ tor::daemon::control { "foo-control":
+ port => '80',
+ hashed_control_password => '<somehash>',
+ ensure => present;
+ }
+
+Note: you must pass a hashed password to the control port, if you are going to
+use it.
+
+## Configuring onion services<a name="configuring-onion-services"></a>
+
+To configure a tor onion service you can do something like the following:
+
+ tor::daemon::onion_service { "onion_ssh":
+ ports => 22;
+ }
+
+The `HiddenServiceDir` is set to the `${data_dir}/${name}`, but you can override
+it with the parameter `datadir`.
+
+If you wish to enable v3-style onion services to correspond with the v2-style
+onion services (the same configuration will be applied to both), you can pass
+the parameter `v3 => true`. The default is `false`.
+
+If you wish to enable single-hop onion addresses, you can enable them by
+passing `single_hop => true`. The default is `false`.
+
+Onion services used to be called hidden services, so an old interface
+`tor::daemon::hidden_service` is still available, with the feature
+set of that time.
+
+## Configuring directories<a name="configuring-directories"></a>
+
+An example directory configuration:
+
+ tor::daemon::directory { 'ssh_directory':
+ port => '80',
+ port_front_page => '/etc/tor/tor.html';
+ }
+
+## Configuring exit policies<a name="configuring-exit-policies"></a>
+
+To configure exit policies, you can do the following:
+
+ tor::daemon::exit_policy { "ssh_exit_policy":
+ accept => "192.168.0.1:22",
+ reject => "*:*";
+ }
+
+## Configuring transport plugins<a name="configuring-transport-plugins"></a>
+
+To configure transport plugins, you can do the following:
+
+ tor::daemon::transport_plugins { "obfs4":
+ ext_port => '80',
+ servertransport_plugin => 'obfs4 exec /usr/bin/obfs4proxy',
+ }
+
+If you wish to use `obfs4proxy`, you will also need to install the required
+Debian package, as the puppet module will not do it for you.
+
+Other options for transport plugins are also available but not defined by
+default:
+
+ $servertransport_listenaddr #Set a different address for the transport plugin mechanism
+ $servertransport_options #Pass a k=v parameters to the transport proxy
+
+# Functions<a name="functions"></a>
+
+This module comes with 2 functions specific to tor support. They require the base32 gem to be installed on the master or wherever they are executed.
+
+## onion_address
+
+This function takes a 1024bit RSA private key as an argument and returns the onion address for an onion service for that key.
+
+## generate_onion_key
+
+This function takes a path (on the puppetmaster!) and an identifier for a key and returns an array containing the matching onion address and the private key. The private key either exists under the supplied `path/key_identifier` or is being generated on the fly and stored under that path for the next execution.
+
+# Polipo<a name="polipo"></a>
+
+Polipo support can be enabled by doing:
+
+ include tor::polipo
+
+This will inherit the `tor` class by default, remove `privoxy` if it's
+installed, and install `polipo`, making sure it is running.
+
+# Munin<a name="munin"></a>
+
+If you are using `munin`, and have the puppet munin module installed, you can
+set the `use_munin` parameter to `true` when defining the `tor::daemon` class
+to have graphs setup for you.
diff --git a/Rakefile b/Rakefile
index 0c37d3b..ed73446 100644
--- a/Rakefile
+++ b/Rakefile
@@ -1,9 +1,14 @@
require 'rubygems'
# keep for compatibility for now
require 'puppetlabs_spec_helper/rake_tasks'
-require 'puppet-lint/tasks/puppet-lint'
-PuppetLint.configuration.send('disable_80chars')
-PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"]
+task :tests do
+ # run syntax checks on manifests, templates and hiera data
+ # also runs :metadata_lint
+ Rake::Task[:validate].invoke
+
+ # runs puppet-lint
+ Rake::Task[:lint].invoke
+end
# use librarian-puppet to manage fixtures instead of .fixtures.yml
# offers more possibilities like explicit version management, forge downloads,...
@@ -14,4 +19,5 @@ task :librarian_spec_prep do
sh "ln -s #{pwd} #{pwd}/spec/fixtures/modules/tor"
end
end
+
task :spec_prep => :librarian_spec_prep
diff --git a/manifests/base.pp b/manifests/base.pp
index b5aa7e9..13d8507 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -3,12 +3,10 @@ class tor::base {
package {'tor':
ensure => $tor::version,
}
- case $osfamily {
- 'Debian': {
- package {'tor-geoipdb':
- ensure => $tor::version,
- before => Service['tor'],
- }
+ if $facts['osfamily'] == 'Debian' {
+ package {'tor-geoipdb':
+ ensure => $tor::version,
+ before => Service['tor'],
}
}
diff --git a/manifests/compact.pp b/manifests/compact.pp
index e44ffed..901dd8b 100644
--- a/manifests/compact.pp
+++ b/manifests/compact.pp
@@ -3,7 +3,7 @@
class tor::compact {
include ::tor
include tor::torsocks
- if $osfamily == 'Debian' {
+ if $facts['osfamily'] == 'Debian' {
include tor::polipo
}
}
diff --git a/manifests/daemon/control.pp b/manifests/daemon/control.pp
index 027a49d..ee4a1fd 100644
--- a/manifests/daemon/control.pp
+++ b/manifests/daemon/control.pp
@@ -13,8 +13,8 @@ define tor::daemon::control(
fail('You need to define the tor control password')
}
- if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') {
- notice('You set a tor cookie authentication option, but do not have cookie_authentication on')
+ if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') { # lint:ignore:80chars
+ notice('You set a tor cookie authentication option, but do not have cookie_authentication on') # lint:ignore:80chars
}
concat::fragment { '04.control':
diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp
index 3bbf273..b2f77fe 100644
--- a/manifests/daemon/directory.pp
+++ b/manifests/daemon/directory.pp
@@ -2,7 +2,6 @@
define tor::daemon::directory (
$ensure = 'present',
$port = 0,
- $listen_addresses = [],
$port_front_page = '/etc/tor/tor-exit-notice.html',
) {
if $ensure == 'present' {
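Review bot: Dropping `$listen_addresses` from the parameter list is a hard interface break rather than the deprecation the new README.md upgrade notice describes — any existing `tor::daemon::directory { ...: listen_addresses => [...] }` declaration now fails catalog compilation with an invalid-parameter error. The same removal is made in dns.pp, relay.pp, socks.pp and transparent.pp. A softer path keeps `$listen_addresses = undef,` for one release and emits `warning("listen_addresses is deprecated and ignored for ${name}")` when it is set, so users get the message the README promises instead of a compile failure. In transparent.pp the rewritten signature also ends in `$port = 0) {` on one line, unlike the trailing-comma `) {` layout kept here and in dns.pp — worth aligning.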
@@ -23,4 +22,3 @@ define tor::daemon::directory (
mode => '0644',
}
}
-
diff --git a/manifests/daemon/dns.pp b/manifests/daemon/dns.pp
index 3ae8c77..899f920 100644
--- a/manifests/daemon/dns.pp
+++ b/manifests/daemon/dns.pp
@@ -2,7 +2,6 @@
define tor::daemon::dns(
$ensure = 'present',
$port = 0,
- $listen_addresses = [],
){
if $ensure == 'present' {
concat::fragment { "08.dns.${name}":
diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp
new file mode 100644
index 0000000..8a062c5
--- /dev/null
+++ b/manifests/daemon/hidden_service.pp
@@ -0,0 +1,16 @@
+# hidden services definition
+define tor::daemon::hidden_service(
+ $ports = [],
+ $single_hop = false,
+ $v3 = false,
+ $data_dir = $tor::daemon::data_dir,
+) {
+ info("Using tor::daemon::hidden_service is deprecated, please use tor::daemon::onion_service for ${name}")
+ tor::daemon::onion_service{
+ $name:
+ ports => $ports,
+ single_hop => $single_hop,
+ v3 => $v3,
+ data_dir => $data_dir,
+ }
+}
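Review bot: The compatibility wrapper declares no `$ensure` and forwards none, while `tor::daemon::onion_service` takes `$ensure = 'present'` (its signature is visible as context in the next file section); if the pre-rename `hidden_service` accepted `ensure`, callers that used it to remove a service now fail with an invalid-parameter error instead of the deprecation message — confirm against the old define. If it did, add `$ensure = 'present',` to the parameter list and `ensure => $ensure,` to the forwarded call. The deprecation notice is also emitted with `info()`, which sits below Puppet's default `notice` log level, so most users will never see it; `warning(...)` with the same text is the usual choice for a deprecation.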
diff --git a/manifests/daemon/onion_service.pp b/manifests/daemon/onion_service.pp
index 9d12a3a..cb55d06 100644
--- a/manifests/daemon/onion_service.pp
+++ b/manifests/daemon/onion_service.pp
@@ -3,6 +3,8 @@ define tor::daemon::onion_service(
$ensure = 'present',
$ports = [],
$data_dir = $tor::daemon::data_dir,
+ $v3 = false,
+ $single_hop = false,
$private_key = undef,
$private_key_name = $name,
$private_key_store_path = undef,
@@ -16,6 +18,12 @@ define tor::daemon::onion_service(
order => '05',
target => $tor::daemon::config_file,
}
+ if $single_hop {
+ file { "${$data_dir_path}/onion_service_non_anonymous":
+ ensure => 'present',
+ notify => Service['tor'];
+ }
+ }
}
if $private_key or ($private_key_name and $private_key_store_path) {
if $private_key and ($private_key_name and $private_key_store_path) {
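Review bot: The `onion_service_non_anonymous` marker is only ever ensured present, so once `$single_hop` is set back to `false` the file stays in the service directory and the on-disk state no longer follows the manifest — for a switch that gives up the service's own anonymity that drift matters. Manage both states instead of wrapping the resource in `if $single_hop`: `ensure => $single_hop ? { true => 'present', default => 'absent' },` (the torrc side of the toggle, presumably in torrc.onion_service.erb, is outside this hunk and should be conditioned the same way). `${$data_dir_path}` also carries a redundant inner `$`; `${data_dir_path}` is the form used elsewhere in this module. The new `$v3` parameter is declared in the first hunk but referenced on no visible line, so a short comment naming where it takes effect, e.g. `# $v3: also configure a v3 service in the template (torrc.onion_service.erb)`, would help — if that is indeed what the template does.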
diff --git a/manifests/daemon/params.pp b/manifests/daemon/params.pp
index 0c35cd6..39126ee 100644
--- a/manifests/daemon/params.pp
+++ b/manifests/daemon/params.pp
@@ -1,7 +1,6 @@
# setup variables for different distributions
class tor::daemon::params {
-
- case $osfamily {
+ case $facts['osfamily'] {
'RedHat': {
$user = 'toranon'
$group = 'toranon'
@@ -14,7 +13,7 @@ class tor::daemon::params {
$manage_user = true
$data_dir_mode = '0700'
}
- default: { fail("No support for osfamily ${osfamily}") }
+ default: { fail("No support for osfamily ${facts['osfamily']}") }
}
}
diff --git a/manifests/daemon/relay.pp b/manifests/daemon/relay.pp
index 68e06ca..bc72dd0 100644
--- a/manifests/daemon/relay.pp
+++ b/manifests/daemon/relay.pp
@@ -2,7 +2,6 @@
define tor::daemon::relay(
$ensure = 'present',
$port = 0,
- $listen_addresses = [],
$outbound_bindaddresses = [],
$portforwarding = 0,
# KB/s, defaulting to using tor's default: 5120KB/s
@@ -15,7 +14,7 @@ define tor::daemon::relay(
$relay_bandwidth_burst = 0,
# GB, 0 for no limit
$accounting_max = 0,
- $accounting_start = [],
+ $accounting_start = 'month 1 0:00',
$contact_info = '',
# TODO: autofill with other relays
$my_family = '',
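Review bot: The new `$accounting_start = 'month 1 0:00'` default is not reflected in the README.md added in this commit, which still lists `$accounting_start = [],` in the relay options block — one of the two should change. The type also moves from an empty array to a non-empty string, so whatever torrc.relay.erb (changed in this commit but outside this view) does with it — iterate, or test for emptiness — now behaves differently for every relay that never set it; check that the template does not emit `AccountingStart` when `$accounting_max` is still `0`. A comment above the parameter such as `# AccountingStart; presumably only relevant when accounting_max is non-zero — confirm in the tor manual` would record the relationship.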
diff --git a/manifests/daemon/socks.pp b/manifests/daemon/socks.pp
index 43256ae..76c1703 100644
--- a/manifests/daemon/socks.pp
+++ b/manifests/daemon/socks.pp
@@ -1,7 +1,6 @@
# socks definition
define tor::daemon::socks(
$port = 0,
- $listen_addresses = [],
$policies = [],
) {
concat::fragment { '02.socks':
diff --git a/manifests/daemon/transparent.pp b/manifests/daemon/transparent.pp
index 49f9e70..0d4620a 100644
--- a/manifests/daemon/transparent.pp
+++ b/manifests/daemon/transparent.pp
@@ -1,9 +1,7 @@
# Transparent proxy definition
define tor::daemon::transparent(
$ensure = 'present',
- $port = 0,
- $listen_addresses = [],
-) {
+ $port = 0) {
if $ensure == 'present' {
concat::fragment { "09.transparent.${name}":
diff --git a/manifests/daemon/transport_plugin.pp b/manifests/daemon/transport_plugin.pp
new file mode 100644
index 0000000..1921282
--- /dev/null
+++ b/manifests/daemon/transport_plugin.pp
@@ -0,0 +1,13 @@
+# transport plugin
+define tor::daemon::transport_plugin(
+ $servertransport_plugin = '',
+ $servertransport_listenaddr = '',
+ $servertransport_options = '',
+ $ext_port = '' ) {
+
+ concat::fragment { '11.transport_plugin':
+ content => template('tor/torrc.transport_plugin.erb'),
+ order => 11,
+ target => $tor::daemon::config_file,
+ }
+}
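Review bot: The fragment title `'11.transport_plugin'` is fixed rather than derived from `$name`, so declaring a second `tor::daemon::transport_plugin` (for another transport) fails with a duplicate `Concat::Fragment` declaration; the per-instance fragments elsewhere in this module use `"08.dns.${name}"`-style titles, and `"11.transport_plugin.${name}"` keeps that pattern. `order => 11` is also an Integer where the sibling fragment in onion_service.pp passes the zero-padded string `'05'`, so `order => '11'` is the consistent form. The README.md added in this commit calls the resource `tor::daemon::transport_plugins` (plural) in its example, which does not match the define name here; one of them needs fixing. A header comment naming the torrc directive each parameter maps to would make the define self-describing — `# transport plugin` alone says little.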
diff --git a/manifests/munin.pp b/manifests/munin.pp
index 67e8c57..f718c37 100644
--- a/manifests/munin.pp
+++ b/manifests/munin.pp
@@ -9,7 +9,7 @@ class tor::munin {
include ::tor::daemon::params
Munin::Plugin::Deploy {
- config => "user ${tor::daemon::params::user}\n env.cookiefile /var/run/tor/control.authcookie\n env.port 9001"
+ config => "user ${tor::daemon::params::user}\n env.cookiefile /var/run/tor/control.authcookie\n env.port 9001" # lint:ignore:80chars
}
munin::plugin::deploy {
'tor_openfds':
diff --git a/manifests/onionbalance.pp b/manifests/onionbalance.pp
index 6a6b476..1921754 100644
--- a/manifests/onionbalance.pp
+++ b/manifests/onionbalance.pp
@@ -17,7 +17,7 @@ class tor::onionbalance(
include ::tor
- case $osfamily {
+ case $facts['osfamily'] {
'Debian': {
$pkg_name = 'onionbalance'
$instance_file = '/etc/tor/instances/onionbalance/torrc'
@@ -39,7 +39,7 @@ class tor::onionbalance(
$pkg_name = 'python2-onionbalance'
}
default: {
- fail("OSFamily ${osfamily} not (yet) supported for onionbalance")
+ fail("OSFamily ${facts['osfamily']} not (yet) supported for onionbalance")
}
}
@@ -54,7 +54,7 @@ class tor::onionbalance(
mode => '0640',
notify => Service['onionbalance'];
$instance_file:
- content => template("tor/onionbalance/${osfamily}.torrc.erb"),
+ content => template("tor/onionbalance/${facts['osfamily']}.torrc.erb"),
owner => root,
group => 0,
mode => '0644',
diff --git a/manifests/repo.pp b/manifests/repo.pp
index 6770feb..d9d43ec 100644
--- a/manifests/repo.pp
+++ b/manifests/repo.pp
@@ -14,7 +14,7 @@ class tor::repo (
# no need as EPEL is the relevant reference
}
default: {
- fail("Unsupported managed repository for osfamily: ${::osfamily}, operatingsystem: ${::operatingsystem}, module ${module_name} currently only supports managing repos for osfamily Debian and Ubuntu")
+ fail("Unsupported managed repository for osfamily: ${::osfamily}, operatingsystem: ${::operatingsystem}, module ${module_name} currently only supports managing repos for osfamily Debian and Ubuntu") # lint:ignore:80chars
}
}
}
diff --git a/manifests/repo/debian.pp b/manifests/repo/debian.pp
index 174c331..81976a2 100644
--- a/manifests/repo/debian.pp
+++ b/manifests/repo/debian.pp
@@ -1,6 +1,6 @@
# PRIVATE CLASS: do not use directly
class tor::repo::debian inherits tor::repo {
- apt::source { $source_name:
+ apt::source { $tor::repo::source_name:
ensure => $::tor::repo::ensure,
location => $::tor::repo::location,
key => $::tor::repo::key,
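Review bot: The new `$tor::repo::source_name` reference is written without the leading `::` while every neighbouring attribute in the same resource uses `$::tor::repo::...` (`ensure`, `location`, `key`); both resolve the same way in Puppet 4, but mixing the two forms inside one resource reads as an oversight. `$::tor::repo::source_name` matches the surrounding lines.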
diff --git a/metadata.json b/metadata.json
index d83f0cb..c512129 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,60 +1,35 @@
{
- "name": "duritong-tor",
- "version": "0.0.1",
- "author": "duritong and others",
- "summary": "Manage tor and its components",
- "description": "Manage tor and its components",
- "license": "GPLv3",
- "source": "https://github.com/duritong/puppet-tor",
- "project_page": "https://github.com/duritong/puppet-tor",
- "issues_url": "https://github.com/duritong/puppet-tor/issues",
+ "name": "smash-tor",
+ "version": "1.0.1",
+ "author": "SMASH",
+ "summary": "This project tracks the tor puppet module that manages the tor onion routing system.",
+ "license": "GPL-3.0",
+ "source": "https://gitlab.com/shared-puppet-modules-group/tor",
+ "project_page": "https://gitlab.com/shared-puppet-modules-group/tor",
+ "issues_url": "https://gitlab.com/shared-puppet-modules-group/tor/issues",
+ "dependencies": [
+ { "name":"puppetlabs/concat" }
+ ],
"operatingsystem_support": [
{
- "operatingsystem": "RedHat",
+ "operatingsystem": "Debian",
"operatingsystemrelease": [
- "7"
+ "8",
+ "9"
]
},
{
"operatingsystem": "CentOS",
"operatingsystemrelease": [
- "7"
- ]
- },
- {
- "operatingsystem": "OracleLinux",
- "operatingsystemrelease": [
- "7"
- ]
- },
- {
- "operatingsystem": "Scientific",
- "operatingsystemrelease": [
- "7"
- ]
- },
- {
- "operatingsystem": "Debian",
- "operatingsystemrelease": [
- "6",
"7",
- "8"
- ]
- },
- {
- "operatingsystem": "Ubuntu",
- "operatingsystemrelease": [
- "10.04",
- "12.04",
- "14.04",
- "16.04"
+ "6"
]
}
],
"requirements": [
{
"name": "puppet",
- "version_requirement": ">=2.7.20 <5.0.0"
+ "version_requirement": ">=4.0.0"
}
],
"dependencies": [
@@ -67,5 +42,6 @@
{
"name": "puppetlabs-apt"
}
- ]
+ ],
+ "description": "This module tries to manage tor, making sure it is installed, running, has munin graphs if desired and allows for configuration of relays, hidden services, exit policies, etc."
}
diff --git a/templates/torrc.directory.erb b/templates/torrc.directory.erb
index 1af9f40..d70ab39 100644
--- a/templates/torrc.directory.erb
+++ b/templates/torrc.directory.erb
@@ -1,11 +1,8 @@
# directory listing
-<% if port != '0' -%>
+<% if @port != '0' -%>
DirPort <%= @port %>
<% end -%>
-<% listen_addresses.each do |listen_address| -%>
-DirListenAddress <%= listen_address %>
-<% end -%>
<% if @port_front_page != '' -%>
-DirPortFrontPage <%= port_front_page %>
+DirPortFrontPage <%= @port_front_page %>
<%- end -%>
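Review bot: The guard `<% if @port != '0' -%>` compares against the string `'0'`, whereas the relay template in this same commit uses `<% if @port != 0 -%>` with an integer; if the manifests (not in this chunk) pass the port as an Integer, `0 != '0'` is true and a `DirPort 0` line is rendered. Comparing through a normalised form, `<% if @port.to_s != '0' -%>`, works for either type, and the relay template could use the same expression for consistency.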
diff --git a/templates/torrc.dns.erb b/templates/torrc.dns.erb
index 57cf46d..a89ba31 100644
--- a/templates/torrc.dns.erb
+++ b/templates/torrc.dns.erb
@@ -1,5 +1,2 @@
# DNS
DNSPort <%= @port %>
-<% @listen_addresses.each do |listen_address| -%>
-DNSListenAddress <%= listen_address %>
-<% end -%>
diff --git a/templates/torrc.exit_policy.erb b/templates/torrc.exit_policy.erb
index a30d43b..5481914 100644
--- a/templates/torrc.exit_policy.erb
+++ b/templates/torrc.exit_policy.erb
@@ -2,10 +2,10 @@
<% if @reject_private != '1' -%>
ExitPolicyRejectPrivate <%= @reject_private %>
<% end -%>
-<% @accept.each do |policy| -%>
+<% Array(@accept).each do |policy| -%>
ExitPolicy accept <%= policy %>
<% end -%>
-<% @reject.each do |policy| -%>
+<% Array(@reject).each do |policy| -%>
ExitPolicy reject <%= policy %>
<% end -%>
diff --git a/templates/torrc.global.erb b/templates/torrc.global.erb
index 9cf7816..763e63f 100644
--- a/templates/torrc.global.erb
+++ b/templates/torrc.global.erb
@@ -8,7 +8,7 @@ DataDirectory <%= v %>
<% if (rules=scope['tor::daemon::log_rules']).empty? -%>
Log notice syslog
<% else -%>
-<% rules.each do |log_rule| -%>
+<% Array(rules).each do |log_rule| -%>
Log <%= log_rule %>
<% end
end -%>
diff --git a/templates/torrc.onion_service.erb b/templates/torrc.onion_service.erb
index 77168d8..db629fc 100644
--- a/templates/torrc.onion_service.erb
+++ b/templates/torrc.onion_service.erb
@@ -1,6 +1,20 @@
+<% if @single_hop != false %>
+HiddenServiceSingleHopMode 1
+HiddenServiceNonAnonymousMode 1
+SOCKSPort 0
+<% end %>
+
# hidden service <%= @name %>
HiddenServiceDir <%= @data_dir_path %>
<% Array(@ports).each do |port| -%>
HiddenServicePort <%= port =~ /^\d+$/ ? "#{port} 127.0.0.1:#{port}" : port %>
<% end -%>
+<% if @v3 != false %>
+# hidden service v3 static
+HiddenServiceDir <%= @data_dir_path %>3
+HiddenServiceVersion 3
+<% Array(@ports).each do |port| -%>
+HiddenServicePort <%= port %>
+<% end -%>
+<% end -%>
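Review bot: `<% if @single_hop != false %>` turns on HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode for any value other than the boolean `false`, including nil when the parameter is absent from the template scope, so unless manifests/daemon/onion_service.pp (not in this hunk) guarantees a boolean default, the mode that gives up the service's location anonymity becomes the default; it should require an explicit opt-in, `<% if @single_hop == true -%>`, and the same applies to `<% if @v3 != false %>`, which would otherwise emit a second HiddenServiceDir for every service. These two mode options and `SOCKSPort 0` are global torrc settings, yet this template is rendered once per onion service, so they are repeated per service and `SOCKSPort 0` collides with the value written by torrc.socks.erb. The v3 loop's `HiddenServicePort <%= port %>` also drops the bare-port shorthand (`port 127.0.0.1:port`) that the v2 loop applies a few lines above, so the two blocks render the same `@ports` differently. The `<% if ... %>`/`<% end %>` tags in the first block lack the `-%>` trim used elsewhere in the file and leave blank lines in the generated torrc.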
diff --git a/templates/torrc.relay.erb b/templates/torrc.relay.erb
index 511bda1..7735b47 100644
--- a/templates/torrc.relay.erb
+++ b/templates/torrc.relay.erb
@@ -1,11 +1,8 @@
# relay
<% if @port != 0 -%>
ORPort <%= @port %>
-<% listen_addresses.each do |listen_address| -%>
-ORListenAddress <%= listen_address %>
-<% end -%>
-<% real_outbound_bindaddresses.each do |outbound_bindaddress| -%>
-OutboundBindAddress <%= outbound_bindaddress %>
+<% Array(@real_outbound_bindaddresses).each do |outbound_bindaddress| -%>
+OutboundBindAddress <%= @outbound_bindaddress %>
<% end -%>
<% if @nickname != '' -%>
Nickname <%= @nickname %>
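Review bot: `OutboundBindAddress <%= @outbound_bindaddress %>` reads an instance variable instead of the block parameter `outbound_bindaddress` bound on the line above, so every iteration renders the same (most likely empty) value rather than each entry of `@real_outbound_bindaddresses`. The line should be `OutboundBindAddress <%= outbound_bindaddress %>`. The enclosing `<% if @port != 0 -%>` block closes after the end of the hunk.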
diff --git a/templates/torrc.socks.erb b/templates/torrc.socks.erb
index 4bc3ddc..c6aba60 100644
--- a/templates/torrc.socks.erb
+++ b/templates/torrc.socks.erb
@@ -1,9 +1,6 @@
# socks
SocksPort <%= @port %>
-<% @listen_addresses.each do |listen_address| -%>
-SocksListenAddress <%= listen_address %>
-<% end -%>
-<% @policies.each do |policy| -%>
+<% Array(@policies).each do |policy| -%>
SocksPolicy <%= policy %>
<% end -%>
diff --git a/templates/torrc.transparent.erb b/templates/torrc.transparent.erb
index c683150..c57d138 100644
--- a/templates/torrc.transparent.erb
+++ b/templates/torrc.transparent.erb
@@ -1,5 +1,2 @@
# Transparent proxy
TransPort <%= @port %>
-<% @listen_addresses.each do |listen_address| -%>
-TransListenAddress <%= listen_address %>
-<% end -%>
diff --git a/templates/torrc.transport_plugin.erb b/templates/torrc.transport_plugin.erb
new file mode 100644
index 0000000..d57f0e8
--- /dev/null
+++ b/templates/torrc.transport_plugin.erb
@@ -0,0 +1,13 @@
+# transport plugin
+<% if @servertransport_plugin != '' -%>
+ServerTransportPlugin <%= @servertransport_plugin %>
+<% end -%>
+<% if @servertransport_listenaddr != '' -%>
+ServerTransportListenAddr <%= @servertransport_listenaddr %>
+<% end -%>
+<% if @servertransport_options != '' -%>
+ServerTransportOptions <%= @servertransport_options %>
+<% end -%>
+<% if @ext_port != '' -%>
+ExtORPort <%= @ext_port %>
+<% end -%>
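Review bot: Each guard in this new template compares only against the empty string (`<% if @servertransport_plugin != '' -%>` and the three that follow), so a parameter that is nil in the template scope still passes and a directive with no value is rendered, e.g. a bare `ServerTransportPlugin` line that tor is unlikely to accept. Unless manifests/daemon/transport_plugin.pp (not in this chunk) guarantees string defaults for all four parameters, the robust form is `<% unless @servertransport_plugin.to_s.empty? -%>`, applied to each of the four guards.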