author | Silvio Rhatto <rhatto@riseup.net> | 2013-01-20 23:09:20 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2013-01-20 23:09:20 -0200 |
commit | f252115be193d58d345b7d18228800c68a1e47aa (patch) | |
tree | 31c95ada21d54314ecb1650f2b19e8540386dd62 /manifests | |
parent | 89d3242cc7d4607f5eb8f1df39985c3597ee428d (diff) | |
parent | a780e84001177f10a86a7bf824589c0553f513a0 (diff) |
Merge branch 'master' of ssh://labs.riseup.net/shared-tor
Conflicts:
manifests/daemon.pp
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/base.pp | 14 | ||||
-rw-r--r-- | manifests/compact.pp | 7 | ||||
-rw-r--r-- | manifests/daemon.pp | 209 | ||||
-rw-r--r-- | manifests/daemon/base.pp | 77 | ||||
-rw-r--r-- | manifests/daemon/bridge.pp | 18 | ||||
-rw-r--r-- | manifests/daemon/control.pp | 27 | ||||
-rw-r--r-- | manifests/daemon/directory.pp | 27 | ||||
-rw-r--r-- | manifests/daemon/dns.pp | 17 | ||||
-rw-r--r-- | manifests/daemon/exit_policy.pp | 18 | ||||
-rw-r--r-- | manifests/daemon/hidden_service.pp | 17 | ||||
-rw-r--r-- | manifests/daemon/map_address.pp | 17 | ||||
-rw-r--r-- | manifests/daemon/relay.pp | 41 | ||||
-rw-r--r-- | manifests/daemon/snippet.pp | 16 | ||||
-rw-r--r-- | manifests/daemon/socks.pp | 15 | ||||
-rw-r--r-- | manifests/daemon/transparent.pp | 17 | ||||
-rw-r--r-- | manifests/init.pp | 29 | ||||
-rw-r--r-- | manifests/munin.pp | 34 | ||||
-rw-r--r-- | manifests/polipo.pp | 46 | ||||
-rw-r--r-- | manifests/polipo/base.pp | 22 | ||||
-rw-r--r-- | manifests/polipo/debian.pp | 13 | ||||
-rw-r--r-- | manifests/torsocks.pp | 9 |
21 files changed, 414 insertions, 276 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..b98451b
--- /dev/null
+++ b/manifests/base.pp
@@ -0,0 +1,14 @@
+# basic management of resources for tor
+class tor::base {
+ package { [ 'tor', 'tor-geoipdb' ]:
+ ensure => $tor::ensure_version,
+ }
+
+ service { 'tor':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => Package['tor'],
+ }
+}
diff --git a/manifests/compact.pp b/manifests/compact.pp
new file mode 100644
index 0000000..c0f5919
--- /dev/null
+++ b/manifests/compact.pp
@@ -0,0 +1,7 @@
+# manage a complete tor
+# installation with all the basics
+class tor::compact {
+ include ::tor
+ include tor::polipo
+ include tor::torsocks
+}
diff --git a/manifests/daemon.pp b/manifests/daemon.pp
index d1d57df..2440180 100644
--- a/manifests/daemon.pp
+++ b/manifests/daemon.pp
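Review bot: tor::base reads `$tor::ensure_version` but never declares class tor itself, so a direct `include tor::base` (rather than going through `class tor`) evaluates the package ensure with an undefined variable; the class comment should state that dependency, e.g. `# expects class tor to be declared first; $tor::ensure_version comes from its parameter`. In tor::compact the `include ::tor` line coming before tor::polipo and tor::torsocks is what makes those classes find tor already declared, which is worth a one-line comment there as well.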
@@ -1,200 +1,21 @@ -# tor::daemon -class tor::daemon inherits tor { +# manage a snippet based tor installation +class tor::daemon ( + $ensure_version = 'installed', + $use_munin = false, + $data_dir = '/var/lib/tor', + $config_file = '/etc/tor/torrc', + $use_bridges = 0, + $automap_hosts_on_resolve = 0, + $log_rules = [ 'notice file /var/log/tor/notices.log' ] +) { - # config variables - $data_dir = '/var/lib/tor' - $config_file = '/etc/tor/torrc' - $spool_dir = '/var/lib/puppet/modules/tor' - $snippet_dir = "${spool_dir}/torrc.d" - - # packages, user, group - Service['tor'] { - subscribe => File[$config_file], - } - - Package[ 'tor', 'torsocks' ] { - require => File[$data_dir], - } - - group { 'debian-tor': - ensure => present, - allowdupe => false, - } - - user { 'debian-tor': - allowdupe => false, - comment => 'tor user,,,', - ensure => present, - home => $data_dir, - shell => '/bin/bash', - gid => 'debian-tor', - require => Group['debian-tor'], - } - - # directories - file { "${data_dir}": - ensure => directory, - mode => 0700, - owner => 'debian-tor', - group => 'debian-tor', - require => User['debian-tor'], - } - - file { '/etc/tor': - ensure => directory, - mode => 0755, - owner => 'debian-tor', - group => 'debian-tor', - require => User['debian-tor'], - } - - file { "${spool_dir}": - ensure => directory, - owner => 'debian-tor', group => 'debian-tor', mode => 0755, - } - - file { "${snippet_dir}": - ensure => directory, - owner => 'debian-tor', group => 'debian-tor', mode => 0755, - require => File[$spool_dir], - } - - # tor configuration file - concatenated_file { "${config_file}": - dir => $snippet_dir, - mode => 0600, - owner => 'debian-tor', group => 'debian-tor', + class{'tor': + ensure_version => $ensure_version, } - # config file headers - concatenated_file_part { '00.header': - dir => $snippet_dir, - content => template('tor/torrc.header.erb'), - owner => 'debian-tor', group => 'debian-tor', mode => 0644, - ensure => present, - } - - # global 
configurations - define global_opts( $data_dir = $tor::daemon::data_dir, - $log_rules = [ 'notice file /var/log/tor/notices.log' ] ) { - - concatenated_file_part { '01.global': - dir => $tor::daemon::snippet_dir, - content => template('tor/torrc.global.erb'), - owner => 'debian-tor', group => 'debian-tor', mode => 0644, - } - } - - # socks definition - define socks( $port = 0, - $listen_addresses = [], - $policies = [] ) { + include tor::daemon::base - concatenated_file_part { '02.socks': - dir => $tor::daemon::snippet_dir, - content => template('tor/torrc.socks.erb'), - owner => 'debian-tor', group => 'debian-tor', mode => 0644, - } + if $use_munin { + include tor::munin } - - # relay definition - define relay( $port = 0, - $listen_addresses = [], - $outbound_bindaddresses = $listen_addresses, - $bandwidth_rate = 0, # KB/s, 0 for no limit. - $bandwidth_burst = 0, # KB/s, 0 for no limit. - $accounting_max = 0, # GB, 0 for no limit. - $accounting_start = [], - $contact_info = '', - $my_family = '', # TODO: autofill with other relays - $address = "tor.${domain}", - $bridge_relay = 0, - $ensure = present ) { - $nickname = $name - - concatenated_file_part { '03.relay': - dir => $tor::daemon::snippet_dir, - content => template('tor/torrc.relay.erb'), - owner => 'debian-tor', group => 'debian-tor', mode => 0644, - ensure => $ensure, - } - } - - # control definition - define control( $port = 0, - $hashed_control_password = '', - $ensure = present ) { - - if $hashed_control_password == '' and $ensure != 'absent' { - fail("You need to define the tor control password") - } - - concatenated_file_part { '04.control': - dir => $tor::daemon::snippet_dir, - content => template('tor/torrc.control.erb'), - owner => 'debian-tor', group => 'debian-tor', mode => 0600, - ensure => $ensure, - } - } - - # hidden services definition - define hidden_service( $ports = [], - $data_dir = $tor::daemon::data_dir, - $ensure = present ) { - - concatenated_file_part { "05.hidden_service.${name}": 
- dir => $tor::daemon::snippet_dir, - content => template('tor/torrc.hidden_service.erb'), - owner => 'debian-tor', group => 'debian-tor', mode => 0644, - ensure => $ensure, - } - } - - # directory advertising - define directory ( $port = 0, - $listen_addresses = [], - $port_front_page = '/etc/tor/tor.html', - $ensure = present ) { - - concatenated_file_part { '06.directory': - dir => $tor::daemon::snippet_dir, - content => template('tor/torrc.directory.erb'), - owner => 'debian-tor', group => 'debian-tor', mode => 0644, - ensure => $ensure, - } - - file { '/etc/tor/tor.html': - source => "puppet:///modules/tor/tor.html", - require => File['/etc/tor'], - ensure => $ensure, - owner => 'debian-tor', group => 'debian-tor', mode => 0644, - } - } - - # exit policies - define exit_policy( $accept = [], - $reject = [], - $reject_private = 1, - $ensure = present ) { - - concatenated_file_part { "07.exit_policy.${name}": - dir => $tor::daemon::snippet_dir, - content => template('tor/torrc.exit_policy.erb'), - owner => 'debian-tor', group => 'debian-tor', mode => 0644, - ensure => $ensure, - } - } - - # map address definition - define map_address( $address = '', - $newaddress = '') { - - concatenated_file_part { "08.map_address.${name}": - dir => $tor::daemon::snippet_dir, - content => template('tor/torrc.map_address.erb'), - owner => 'debian-tor', group => 'debian-tor', mode => 0644, - ensure => $ensure, - } - } } - diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp new file mode 100644 index 0000000..63d7bc4 --- /dev/null +++ b/manifests/daemon/base.pp 
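Review bot: `class{'tor': ensure_version => $ensure_version, }` is a resource-like declaration, while tor::polipo, tor::torsocks and tor::compact (hunks ending on L46, L47 and L35) use `include ::tor`; if any of those is evaluated before tor::daemon on the same node, the resource-like form raises a duplicate class declaration error, so either switch this to `include ::tor` with the parameter supplied by the caller or document that tor::daemon must be declared first. The parameters `$use_bridges`, `$automap_hosts_on_resolve` and `$log_rules` are not referenced anywhere in the visible class body and are presumably read by the torrc templates, which this diff does not touch; a comment naming the template that consumes each would make that explicit. Treat the template side as an assumption to confirm, since nothing in the hunk shows it.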
@@ -0,0 +1,77 @@
+# extend basic tor things with a snippet based daemon configuration
+class tor::daemon::base inherits tor::base {
+ # packages, user, group
+ Service['tor'] {
+ subscribe => File[$tor::daemon::config_file],
+ }
+
+ Package[ 'tor' ] {
+ require => File[$tor::daemon::data_dir],
+ }
+
+ group { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ }
+
+ user { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ comment => 'tor user,,,',
+ home => $tor::daemon::data_dir,
+ shell => '/bin/false',
+ gid => 'debian-tor',
+ require => Group['debian-tor'],
+ }
+
+ # directories
+ file { $tor::daemon::data_dir:
+ ensure => directory,
+ mode => '0700',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/etc/tor':
+ ensure => directory,
+ mode => '0755',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/var/lib/puppet/modules/tor':
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
+ # tor configuration file
+ concat { $tor::daemon::config_file:
+ mode => '0600',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ }
+
+ # config file headers
+ concat::fragment { '00.header':
+ ensure => present,
+ content => template('tor/torrc.header.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 00,
+ target => $tor::daemon::config_file,
+ }
+
+ # global configurations
+ concat::fragment { '01.global':
+ content => template('tor/torrc.global.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 01,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/manifests/daemon/bridge.pp b/manifests/daemon/bridge.pp
new file mode 100644
index 0000000..063f565
--- /dev/null
+++ b/manifests/daemon/bridge.pp
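Review bot: `order => 00` and `order => 01` on the two fragments are bare numerals with a leading zero, and the pattern continues through `order => 08` in dns and map_address and `order => 09` in transparent (hunks ending on L41, L42 and L44). Depending on the Puppet version, a leading-zero literal may be read as octal (08 and 09 are not valid octal digits), and once the value is an integer concat compares orders as strings, so "10" can sort before "8"; quoting them, `order => '00'`, preserves both the written digits and the intended sort. The removal of '/var/lib/puppet/modules/tor' with `recurse`/`force` also deserves a comment saying it is a one-shot cleanup of the pre-concat snippet directory, so it is not mistaken for a resource that must stay forever.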
@@ -0,0 +1,18 @@
+# Bridge definition
+define tor::daemon::bridge(
+ $ip,
+ $port,
+ $fingerprint = false,
+ $ensure = present ) {
+
+ concat::fragment { "10.bridge.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.bridge.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 10,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/control.pp b/manifests/daemon/control.pp
new file mode 100644
index 0000000..0172656
--- /dev/null
+++ b/manifests/daemon/control.pp
@@ -0,0 +1,27 @@
+# control definition
+define tor::daemon::control(
+ $port = 0,
+ $hashed_control_password = '',
+ $cookie_authentication = 0,
+ $cookie_auth_file = '',
+ $cookie_auth_file_group_readable = '',
+ $ensure = present ) {
+
+ if $cookie_authentication == '0' and $hashed_control_password == '' and $ensure != 'absent' {
+ fail('You need to define the tor control password')
+ }
+
+ if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') {
+ notice('You set a tor cookie authentication option, but do not have cookie_authentication on')
+ }
+
+ concat::fragment { '04.control':
+ ensure => $ensure,
+ content => template('tor/torrc.control.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0600',
+ order => 04,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp
new file mode 100644
index 0000000..b71b6e6
--- /dev/null
+++ b/manifests/daemon/directory.pp
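Review bot: the two guards in tor::daemon::control test `$cookie_authentication` against different literals — the first compares with the string `'0'`, the second with the number `0` — so a caller passing one form can satisfy one check and not the other; use `0` in both, `if $cookie_authentication == 0 and $hashed_control_password == '' and $ensure != 'absent' {`. The fragment title '04.control' is fixed, as are '02.socks', '03.relay' and '06.directory' (hunks ending on L44, L43 and L41), so only one instance of each define can exist per node; tor::munin already declares a control instance in this commit, which means a site that also declares its own control port gets a duplicate resource error — either include `${name}` in the title as the other defines do or document the single-instance rule. The fragment's `mode => '0600'` is right because the rendered content can carry HashedControlPassword; a comment saying so keeps it from being "normalised" to 0644 later.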
@@ -0,0 +1,27 @@
+# directory advertising
+define tor::daemon::directory (
+ $port = 0,
+ $listen_addresses = [],
+ $port_front_page = '/etc/tor/tor.html',
+ $ensure = present ) {
+
+ concat::fragment { '06.directory':
+ ensure => $ensure,
+ content => template('tor/torrc.directory.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 06,
+ target => $tor::daemon::config_file,
+ }
+
+ file { '/etc/tor/tor.html':
+ ensure => $ensure,
+ source => 'puppet:///modules/tor/tor.html',
+ require => File['/etc/tor'],
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ }
+}
+
diff --git a/manifests/daemon/dns.pp b/manifests/daemon/dns.pp
new file mode 100644
index 0000000..f3a7027
--- /dev/null
+++ b/manifests/daemon/dns.pp
@@ -0,0 +1,17 @@
+# DNS definition
+define tor::daemon::dns(
+ $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concat::fragment { "08.dns.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.dns.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 08,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/exit_policy.pp b/manifests/daemon/exit_policy.pp
new file mode 100644
index 0000000..f459ece
--- /dev/null
+++ b/manifests/daemon/exit_policy.pp
@@ -0,0 +1,18 @@
+# exit policies
+define tor::daemon::exit_policy(
+ $accept = [],
+ $reject = [],
+ $reject_private = 1,
+ $ensure = present ) {
+
+ concat::fragment { "07.exit_policy.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.exit_policy.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 07,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp
new file mode 100644
index 0000000..c827211
--- /dev/null
+++ b/manifests/daemon/hidden_service.pp
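Review bot: tor::daemon::dns emits fragment "08.dns.${name}" with `order => 08`, the same order number tor::daemon::map_address uses for "08.map_address.${name}" (hunk ending on L42), so the relative placement of DNS and MapAddress directives in torrc is decided by title sort rather than by the numbering scheme; give dns its own slot or add a comment stating the two are intentionally interleaved. In tor::daemon::directory, `$port_front_page` is a parameter but the file resource is hard-wired to '/etc/tor/tor.html', so a caller who sets another front page still gets the default one managed and the new one unmanaged; either derive the file path from `$port_front_page` or document that the parameter only changes the DirPortFrontPage directive.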
@@ -0,0 +1,17 @@
+# hidden services definition
+define tor::daemon::hidden_service(
+ $ports = [],
+ $data_dir = $tor::daemon::data_dir,
+ $ensure = present ) {
+
+ concat::fragment { "05.hidden_service.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.hidden_service.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 05,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/map_address.pp b/manifests/daemon/map_address.pp
new file mode 100644
index 0000000..e970fe5
--- /dev/null
+++ b/manifests/daemon/map_address.pp
@@ -0,0 +1,17 @@
+# map address definition
+define tor::daemon::map_address(
+ $address = '',
+ $newaddress = ''
+ $ensure = 'present') {
+
+ concat::fragment { "08.map_address.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.map_address.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 08,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/relay.pp b/manifests/daemon/relay.pp
new file mode 100644
index 0000000..d5296de
--- /dev/null
+++ b/manifests/daemon/relay.pp
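Review bot: tor::daemon::map_address is missing the comma after `$newaddress = ''`, so the parameter list does not parse and any catalog that uses the define fails to compile; the line should read `$newaddress = '',`. While there, `$ensure = 'present'` is quoted where every sibling define writes the bare `present`; both work, but the file set is otherwise consistent. In hidden_service, `$data_dir` is accepted and handed to the template without appearing in the body — presumably it feeds HiddenServiceDir, which the template (not in this diff) would confirm.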
@@ -0,0 +1,41 @@
+# relay definition
+define tor::daemon::relay(
+ $port = 0,
+ $listen_addresses = [],
+ $outbound_bindaddresses = [],
+ # KB/s, defaulting to using tor's default: 5120KB/s
+ $bandwidth_rate = '',
+ # KB/s, defaulting to using tor's default: 10240KB/s
+ $bandwidth_burst = '',
+ # KB/s, 0 for no limit
+ $relay_bandwidth_rate = 0,
+ # KB/s, 0 for no limit
+ $relay_bandwidth_burst = 0,
+ # GB, 0 for no limit
+ $accounting_max = 0,
+ $accounting_start = [],
+ $contact_info = '',
+ # TODO: autofill with other relays
+ $my_family = '',
+ $address = "tor.${::domain}",
+ $bridge_relay = 0,
+ $ensure = present ) {
+
+ $nickname = $name
+
+ if $outbound_bindaddresses == [] {
+ $real_outbound_bindaddresses = $listen_addresses
+ } else {
+ $real_outbound_bindaddresses = $outbound_bindaddresses
+ }
+
+ concat::fragment { '03.relay':
+ ensure => $ensure,
+ content => template('tor/torrc.relay.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 03,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/manifests/daemon/snippet.pp b/manifests/daemon/snippet.pp
new file mode 100644
index 0000000..b9089b4
--- /dev/null
+++ b/manifests/daemon/snippet.pp
@@ -0,0 +1,16 @@
+# Arbitrary torrc snippet definition
+define tor::daemon::snippet(
+ $content = '',
+ $ensure = present ) {
+
+ concat::fragment { "99.snippet.${name}":
+ ensure => $ensure,
+ content => $content,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 99,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/socks.pp b/manifests/daemon/socks.pp
new file mode 100644
index 0000000..910461c
--- /dev/null
+++ b/manifests/daemon/socks.pp
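Review bot: tor::daemon::snippet writes `$content` into torrc unmodified, with nothing but the 99 slot fixing where it lands, so whoever declares it is trusting that content as much as every managed section that precedes it; a comment on the define, `# content is appended verbatim after all managed sections; the caller owns its validity and any directive it overrides`, records that contract. In relay, `if $outbound_bindaddresses == []` relies on array comparison with `==`, whose behaviour is not the same across Puppet versions; since it decides whether OutboundBindAddress falls back to the listen addresses, confirm it against the version this site runs and note the intent in a comment.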
@@ -0,0 +1,15 @@
+# socks definition
+define tor::daemon::socks(
+ $port = 0,
+ $listen_addresses = [],
+ $policies = [] ) {
+
+ concat::fragment { '02.socks':
+ content => template('tor/torrc.socks.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 02,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/manifests/daemon/transparent.pp b/manifests/daemon/transparent.pp
new file mode 100644
index 0000000..74fed4f
--- /dev/null
+++ b/manifests/daemon/transparent.pp
@@ -0,0 +1,17 @@
+# Transparent proxy definition
+define tor::daemon::transparent(
+ $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concat::fragment { "09.transparent.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.transparent.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 09,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 0c38073..9c19c64 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,25 +1,6 @@
-class tor {
-
- if !$tor_ensure_version { $tor_ensure_version = 'installed' }
- if !$torsocks_ensure_version { $torsocks_ensure_version = 'installed'}
-
- package { [ "tor", "tor-geoipdb" ]:
- ensure => $tor_ensure_version,
- }
-
- package { "torsocks":
- ensure => $torsocks_ensure_version,
- }
-
- service { 'tor':
- ensure => running,
- enable => true,
- hasrestart => true,
- hasstatus => true,
- require => Package['tor'],
- }
-
- if $use_munin {
- include tor::munin
- }
+# manage a basic tor installation
+class tor (
+ $ensure_version = 'installed'
+){
+ include tor::base
 }
diff --git a/manifests/munin.pp b/manifests/munin.pp
index ac2630a..4412337 100644
--- a/manifests/munin.pp
+++ b/manifests/munin.pp
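Review bot: tor::daemon::socks is the only define in this series without an `$ensure` parameter, and its fragment carries no `ensure` attribute, so a SocksPort block once declared cannot be retired the way every other define allows; add `$ensure = present` to the signature and `ensure => $ensure,` on the fragment. The init.pp rewrite reduces class tor to `include tor::base` and drops the `$use_munin` handling from here — it now lives on tor::daemon (hunk ending on L38) — so a comment pointing readers of the old init.pp to the new location would help.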
@@ -1,23 +1,21 @@ +# munin plugins for puppet class tor::munin { - - file { - "/usr/local/share/munin-plugins/tor_connections": - source => "puppet:///modules/tor/munin/tor_connections", - mode => 0755, owner => root, group => root; - - "/usr/local/share/munin-plugins/tor_routers": - source => "puppet:///modules/tor/munin/tor_routers", - mode => 0755, owner => root, group => root; - - "/usr/local/share/munin-plugins/tor_traffic": - source => "puppet:///modules/tor/munin/tor_traffic", - mode => 0755, owner => root, group => root; + tor::daemon::control{ + 'control_port_for_munin': + port => 19051, + cookie_authentication => 1, + cookie_auth_file => '/var/run/tor/control.authcookie', } - munin::plugin { - [ "tor_connections", "tor_routers", "tor_traffic" ]: - ensure => present, - config => "user debian-tor\n env.cookiefile /var/lib/tor/control_auth_cookie", - script_path_in => "/usr/local/share/munin-plugins"; + Munin::Plugin::Deploy { + config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051" + } + munin::plugin::deploy { + 'tor_connections': + source => 'tor/munin/tor_connections'; + 'tor_routers': + source => 'tor/munin/tor_routers'; + 'tor_traffic': + source => 'tor/munin/tor_traffic'; } } diff --git a/manifests/polipo.pp b/manifests/polipo.pp index 73eaea2..73dc226 100644 --- a/manifests/polipo.pp +++ b/manifests/polipo.pp 
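Review bot: the capitalised `Munin::Plugin::Deploy { config => ... }` is a resource default, which Puppet 3 scopes dynamically — it applies to any munin::plugin::deploy evaluated beneath this class, not only the three declared here; today nothing else is in scope so it is contained, but an explicit `config =>` on each resource is the form that keeps working if this class ever includes something else. The control instance on port 19051 relies on torrc.control.erb (not in this diff) to bind to loopback; stating that expectation in a comment on the `tor::daemon::control` declaration, together with why the plugins run as `user debian-tor` (to read the cookie file), would document the trust boundary the munin plugins cross.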
@@ -1,43 +1,9 @@ -class tor::polipo inherits tor { +# manage the polipo proxy service +class tor::polipo { + include ::tor - package { "privoxy": - ensure => absent, + case $::operatingsystem { + 'debian': { include tor::polipo::debian } + default: { include tor::polipo::base } } - - package { "polipo": - ensure => installed, - } - - service { "polipo": - ensure => running, - require => [ Package["polipo"], Service["tor"] ], - } - - file { "/etc/polipo": - ensure => directory, - owner => root, - group => root, - mode => 0755, - } - - file { "/etc/polipo/config": - ensure => present, - owner => root, - group => root, - mode => 0644, - source => "puppet:///modules/tor/polipo.conf", - notify => Service["polipo"], - require => File["/etc/polipo"], - } - - # TODO: restore file to original state after the following bug is solved: - # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580434 - file { "/etc/cron.daily/polipo": - ensure => present, - owner => root, - group => root, - mode => 0755, - source => "puppet:///modules/tor/polipo.cron", - } - }
diff --git a/manifests/polipo/base.pp b/manifests/polipo/base.pp
new file mode 100644
index 0000000..df2d6ea
--- /dev/null
+++ b/manifests/polipo/base.pp
@@ -0,0 +1,22 @@
+# manage polipo resources
+class tor::polipo::base {
+ package{'polipo':
+ ensure => present,
+ }
+
+ file { '/etc/polipo/config':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0644',
+ source => 'puppet:///modules/tor/polipo/polipo.conf',
+ require => Package['polipo'],
+ notify => Service['polipo'],
+ }
+
+ service { 'polipo':
+ ensure => running,
+ enable => true,
+ require => [ Package['polipo'], Service['tor'] ],
+ }
+}
diff --git a/manifests/polipo/debian.pp b/manifests/polipo/debian.pp
new file mode 100644
index 0000000..e39f603
--- /dev/null
+++ b/manifests/polipo/debian.pp
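Review bot: tor::polipo::base now sources its config from `puppet:///modules/tor/polipo/polipo.conf` (and tor::polipo::debian from `puppet:///modules/tor/polipo/polipo.cron`, hunk ending on L47), a `polipo/` subdirectory the old manifest did not use; the diffstat is limited to manifests, so whether the files were moved along is not visible here and should be confirmed before merging, since a missing source fails the file resource on every run. The `case $::operatingsystem` in tor::polipo only special-cases Debian; a comment stating what the default branch is meant to cover (the generic base class, no cron workaround) would help, as derivatives are not mentioned.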
@@ -0,0 +1,13 @@
+# manage polipo on debian
+class tor::polipo::debian inherits tor::polipo::base {
+ # TODO: restore file to original state after the following bug is solved:
+ # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580434
+ file { '/etc/cron.daily/polipo':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0755',
+ require => Package['polipo'],
+ source => 'puppet:///modules/tor/polipo/polipo.cron',
+ }
+}
diff --git a/manifests/torsocks.pp b/manifests/torsocks.pp
new file mode 100644
index 0000000..e9fc75b
--- /dev/null
+++ b/manifests/torsocks.pp
@@ -0,0 +1,9 @@
+# manage torsocks
+class tor::torsocks (
+ $ensure_version = 'installed'
+){
+ include ::tor
+ package{'torsocks':
+ ensure => $ensure_version,
+ }
+}