author | mh <mh@immerda.ch> | 2016-09-04 21:00:45 +0200 |
committer | mh <mh@immerda.ch> | 2016-09-04 21:00:45 +0200 |
commit | d08f07eae13d02431b1c4142634f49e978b551de (patch) | |
tree | 9573ef0a099545e3189bc12dff5301de3ec41e96 | |
parent | 24f919c9ffcff07a0ff0a5157ed5f5661c784b12 (diff) |
make module also work on EL7
* user is different
* user must not be managed
* make access safer: it doesn't make sense that the user running
the daemon owns the config, nor the config directory.
-rw-r--r-- | manifests/base.pp | 9 | ||||
-rw-r--r-- | manifests/daemon/base.pp | 56 | ||||
-rw-r--r-- | manifests/daemon/directory.pp | 5 | ||||
-rw-r--r-- | manifests/daemon/params.pp | 18 | ||||
-rw-r--r-- | manifests/munin.pp | 3 |
5 files changed, 56 insertions, 35 deletions
diff --git a/manifests/base.pp b/manifests/base.pp index b98451b..31b9edb 100644 --- a/manifests/base.pp +++ b/manifests/base.pp @@ -1,8 +1,15 @@ # basic management of resources for tor class tor::base { - package { [ 'tor', 'tor-geoipdb' ]: + package {'tor': ensure => $tor::ensure_version, } + case $osfamily { + 'Debian': { + package {'tor-geoipdb': + ensure => $tor::ensure_version, + } + } + } service { 'tor': ensure => running, diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp index 5db3e31..217a122 100644 --- a/manifests/daemon/base.pp +++ b/manifests/daemon/base.pp 
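Review bot: The `case $osfamily` added after the `tor` package has no `default:` branch, so on any family other than Debian the `tor-geoipdb` package is silently neither installed nor removed, whereas the new `tor::daemon::params` class fails on unsupported families; a comment would make the asymmetry read as intended, e.g. `# tor-geoipdb is a separate package only on Debian; other families get no geoip package from this class`. The fact is also referenced as bare `$osfamily` (as in the new params class); `$::osfamily`, or a variable from the params class, avoids being shadowed by a local of the same name. The closing brace of class tor::base lies outside the hunk.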
@@ -1,54 +1,48 @@ # extend basic tor things with a snippet based daemon configuration class tor::daemon::base inherits tor::base { - # packages, user, group - Package[ 'tor' ] { - require => File[$tor::daemon::data_dir], - } + include ::tor::daemon::params - group { 'debian-tor': - ensure => present, - allowdupe => false, - } + if $tor::daemon::params::manage_user { + group { $tor::daemon::params::group: + ensure => present, + allowdupe => false, + } - user { 'debian-tor': - ensure => present, - allowdupe => false, - comment => 'tor user,,,', - home => $tor::daemon::data_dir, - shell => '/bin/false', - gid => 'debian-tor', - require => Group['debian-tor'], + user { $tor::daemon::params::user: + ensure => present, + allowdupe => false, + comment => 'tor user,,,', + home => $tor::daemon::data_dir, + shell => '/bin/false', + gid => $tor::daemon::params::group, + require => Group[$tor::daemon::params::group], + } } # directories file { $tor::daemon::data_dir: ensure => directory, - mode => '0700', - owner => 'debian-tor', - group => 'debian-tor', - require => User['debian-tor'], + mode => '0750', + owner => $tor::daemon::params::user, + group => 'root', + require => Package['tor'], } file { '/etc/tor': ensure => directory, mode => '0755', - owner => 'debian-tor', - group => 'debian-tor', - require => User['debian-tor'], - } - - file { '/var/lib/puppet/modules/tor': - ensure => absent, - recurse => true, - force => true, + owner => 'root', + group => 'root', + require => Package['tor'], } # tor configuration file concat { $tor::daemon::config_file: mode => '0600', - owner => 'debian-tor', - group => 'debian-tor', + owner => 'root', + group => 'root', + require => Package['tor'], notify => Service['tor'], } diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp index 8a90899..4dc2afa 100644 --- a/manifests/daemon/directory.pp +++ b/manifests/daemon/directory.pp 
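Review bot: `concat { $tor::daemon::config_file: mode => '0600', owner => 'root', group => 'root' }` makes torrc readable by root only; that works where tor starts as root and drops privileges via `User`, but if the EL7 service unit runs tor directly as `toranon` (not visible here — verify against the packaged unit), the daemon cannot read its own config. If that is the case, `group => $tor::daemon::params::group` with `mode => '0640'` keeps the commit's goal (config neither owned nor writable by the daemon user) while staying readable. Separately, `$tor::daemon::data_dir` is now `0750` with `group => 'root'`; tor checks its DataDirectory permissions and, unless `DataDirectoryGroupReadable` is set, may tighten the group/other bits itself, which would make Puppet re-apply `0750` on every run — confirm against the tor version in use and keep `0700` if so. Class tor::daemon::base continues past the hunk.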
@@ -12,12 +12,13 @@ define tor::daemon::directory ( target => $tor::daemon::config_file, } + include ::tor::daemon::params file { '/etc/tor/tor-exit-notice.html': ensure => $ensure, source => 'puppet:///modules/tor/tor-exit-notice.html', require => File['/etc/tor'], - owner => 'debian-tor', - group => 'debian-tor', + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, mode => '0644', } } diff --git a/manifests/daemon/params.pp b/manifests/daemon/params.pp new file mode 100644 index 0000000..b2d8e34 --- /dev/null +++ b/manifests/daemon/params.pp @@ -0,0 +1,18 @@ +# setup variables for different distributions +class tor::daemon::params { + + case $osfamily { + 'RedHat': { + $user = 'toranon' + $group = 'toranon' + $manage_user = false + } + 'Debian': { + $user = 'debian-tor' + $group = 'debian-tor' + $manage_user = true + } + default: { fail("No support for osfamily ${osfamily}") } + } + +} diff --git a/manifests/munin.pp b/manifests/munin.pp index ef71f57..1b043f1 100644 --- a/manifests/munin.pp +++ b/manifests/munin.pp @@ -7,8 +7,9 @@ class tor::munin { cookie_auth_file => '/var/run/tor/control.authcookie', } + include ::tor::daemon::params Munin::Plugin::Deploy { - config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051" + config => "user ${tor::daemon::params::user}\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051" } munin::plugin::deploy { 'tor_openfds': |
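Review bot: `/etc/tor/tor-exit-notice.html` is now owned by `$tor::daemon::params::user`, the account the daemon runs as, although tor only needs to read it (it is `0644`); by the reasoning the commit applies to torrc, a file the daemon serves to the outside should not be writable by the daemon's own user, so `owner => 'root', group => 'root'` is the safer choice and also drops the dependency on that account existing. With that change the `include ::tor::daemon::params` in this define becomes unnecessary. define tor::daemon::directory starts before the hunk.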
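Review bot: `$manage_user = false` in the RedHat branch carries no explanation; the commit message states the account must not be managed there but not why, so a comment above that branch, e.g. `# toranon is presumably created by the tor package; do not manage it here (verify against the package)`, keeps the next maintainer from "fixing" it back to true. A short header comment documenting `$user`/`$group` (account and group the daemon runs as) and `$manage_user` (whether this module creates them) would complete the class. The fact is read as bare `$osfamily`; `$::osfamily` is the conventional top-scope form.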
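Review bot: `/var/run/tor/control.authcookie` is still hard-coded twice in the hunk (as `cookie_auth_file` and inside the `config` string) while only the user moved into `tor::daemon::params`; whether EL7's tor package uses the same cookie path is not visible here, and if it differs the path belongs in the params class as well (a new variable, say `$cookie_file`, used in both places). Style: `include ::tor::daemon::params` sits between two resources; placing it at the top of class tor::munin, which starts before the hunk, makes the dependency visible at a glance.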