Diffstat (limited to 'manifests/daemon')
-rw-r--r--manifests/daemon/base.pp66
-rw-r--r--manifests/daemon/bridge.pp15
-rw-r--r--manifests/daemon/control.pp20
-rw-r--r--manifests/daemon/directory.pp20
-rw-r--r--manifests/daemon/dns.pp15
-rw-r--r--manifests/daemon/exit_policy.pp15
-rw-r--r--manifests/daemon/hidden_service.pp23
-rw-r--r--manifests/daemon/map_address.pp15
-rw-r--r--manifests/daemon/onion_service.pp65
-rw-r--r--manifests/daemon/params.pp19
-rw-r--r--manifests/daemon/relay.pp27
-rw-r--r--manifests/daemon/snippet.pp14
-rw-r--r--manifests/daemon/socks.pp17
-rw-r--r--manifests/daemon/transparent.pp13
-rw-r--r--manifests/daemon/transport_plugin.pp15
15 files changed, 230 insertions, 129 deletions
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
index f3bbc37..86156af 100644
--- a/manifests/daemon/base.pp
+++ b/manifests/daemon/base.pp
@@ -1,70 +1,62 @@
# extend basic tor things with a snippet based daemon configuration
class tor::daemon::base inherits tor::base {
- # packages, user, group
- Service['tor'] {
- subscribe => Concat[$tor::daemon::config_file],
- }
- Package[ 'tor' ] {
- require => File[$tor::daemon::data_dir],
- }
+ include ::tor::daemon::params
- group { 'debian-tor':
- ensure => present,
- allowdupe => false,
- }
+ if $tor::daemon::params::manage_user {
+ group { $tor::daemon::params::group:
+ ensure => present,
+ allowdupe => false,
+ }
- user { 'debian-tor':
- ensure => present,
- allowdupe => false,
- comment => 'tor user,,,',
- home => $tor::daemon::data_dir,
- shell => '/bin/false',
- gid => 'debian-tor',
- require => Group['debian-tor'],
+ user { $tor::daemon::params::user:
+ ensure => present,
+ allowdupe => false,
+ comment => 'tor user,,,',
+ home => $tor::daemon::data_dir,
+ shell => '/bin/false',
+ gid => $tor::daemon::params::group,
+ require => Group[$tor::daemon::params::group],
+ }
}
# directories
file { $tor::daemon::data_dir:
ensure => directory,
- mode => '0700',
- owner => 'debian-tor',
- group => 'debian-tor',
- require => User['debian-tor'],
+ mode => $tor::daemon::params::data_dir_mode,
+ owner => $tor::daemon::params::user,
+ group => 'root',
+ require => Package['tor'],
}
file { '/etc/tor':
ensure => directory,
mode => '0755',
- owner => 'debian-tor',
- group => 'debian-tor',
- require => User['debian-tor'],
- }
-
- file { '/var/lib/puppet/modules/tor':
- ensure => absent,
- recurse => true,
- force => true,
+ owner => 'root',
+ group => 'root',
+ require => Package['tor'],
}
# tor configuration file
concat { $tor::daemon::config_file:
- mode => '0600',
- owner => 'debian-tor',
- group => 'debian-tor',
+ mode => '0640',
+ owner => 'root',
+ group => $tor::daemon::params::group,
+ require => Package['tor'],
+ notify => Service['tor'],
}
# config file headers
concat::fragment { '00.header':
content => template('tor/torrc.header.erb'),
- order => 00,
+ order => '00',
target => $tor::daemon::config_file,
}
# global configurations
concat::fragment { '01.global':
content => template('tor/torrc.global.erb'),
- order => 01,
+ order => '01',
target => $tor::daemon::config_file,
}
}
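Review bot: The data directory now gets `group => 'root'` while its mode is the per-family `$tor::daemon::params::data_dir_mode`, which params.pp sets to `0750` on RedHat: with group root those group bits grant nothing to the tor user's own group, so either use `group => $tor::daemon::params::group` or keep the mode `0700` on both families. Tor also audits DataDirectory permissions itself and, unless I misremember `check_private_dir`, resets a group-accessible directory to 0700 when `DataDirectoryGroupReadable` is not set, which would make Puppet and tor flip the mode on every run. The torrc change to `0640` root:`$group` with `notify => Service['tor']` is the right direction; a one-line comment on the data-dir resource such as `# tor expects DataDirectory to be private to its own user` would record the constraint for the next maintainer.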
diff --git a/manifests/daemon/bridge.pp b/manifests/daemon/bridge.pp
index a448f82..e09f4f7 100644
--- a/manifests/daemon/bridge.pp
+++ b/manifests/daemon/bridge.pp
@@ -2,12 +2,15 @@
define tor::daemon::bridge(
$ip,
$port,
- $fingerprint = false ) {
-
- concat::fragment { "10.bridge.${name}":
- content => template('tor/torrc.bridge.erb'),
- order => 10,
- target => $tor::daemon::config_file,
+ $fingerprint = false,
+ $ensure = 'present',
+) {
+ if $ensure == 'present' {
+ concat::fragment { "10.bridge.${name}":
+ content => template('tor/torrc.bridge.erb'),
+ order => '10',
+ target => $tor::daemon::config_file,
+ }
}
}
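Review bot: `$fingerprint = false` leaves the bridge identity unpinned, and tor only verifies the identity key of a bridge when a fingerprint is given on the `Bridge` line (the template is not visible here, so I assume it omits the field when false); without it, whatever relay answers at `$ip:$port` is accepted. That is worth stating on the parameter, e.g. `# fingerprint: identity-key fingerprint of the bridge; strongly recommended, without it tor cannot verify who answers at ip:port`. Any `$ensure` value other than `'present'` silently drops the fragment, which is fine for `'absent'` but also swallows typos.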
diff --git a/manifests/daemon/control.pp b/manifests/daemon/control.pp
index 4137c3e..ee4a1fd 100644
--- a/manifests/daemon/control.pp
+++ b/manifests/daemon/control.pp
@@ -1,26 +1,26 @@
# control definition
define tor::daemon::control(
+ $ensure = 'present',
$port = 0,
$hashed_control_password = '',
$cookie_authentication = 0,
$cookie_auth_file = '',
$cookie_auth_file_group_readable = '',
- $ensure = present ) {
+) {
- if $cookie_authentication == '0'
- and $hashed_control_password == ''
- and $ensure != 'absent' {
+ if $ensure == 'present' {
+ if $cookie_authentication == '0' and $hashed_control_password == '' {
fail('You need to define the tor control password')
}
- if $cookie_authentication == 0
- and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') {
+ if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') { # lint:ignore:80chars
notice('You set a tor cookie authentication option, but do not have cookie_authentication on') # lint:ignore:80chars
}
- concat::fragment { '04.control':
- content => template('tor/torrc.control.erb'),
- order => 04,
- target => $tor::daemon::config_file,
+ concat::fragment { '04.control':
+ content => template('tor/torrc.control.erb'),
+ order => '04',
+ target => $tor::daemon::config_file,
+ }
}
}
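Review bot: The password check `if $cookie_authentication == '0' and $hashed_control_password == ''` compares against the string `'0'` while the parameter default and the check two lines below use the integer `0`; on Puppet 4+ `0 == '0'` is false, so with the default `cookie_authentication` the `fail()` never fires and a ControlPort with neither cookie nor password authentication can be emitted. Use the integer form on both checks: `if $cookie_authentication == 0 and $hashed_control_password == '' {`. The `$facts[...]` syntax introduced in params.pp suggests Puppet 4-era parsers are the target, so this is not hypothetical.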
diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp
index 3eaef9f..b2f77fe 100644
--- a/manifests/daemon/directory.pp
+++ b/manifests/daemon/directory.pp
@@ -1,22 +1,24 @@
# directory advertising
define tor::daemon::directory (
+ $ensure = 'present',
$port = 0,
$port_front_page = '/etc/tor/tor-exit-notice.html',
- $ensure = present ) {
-
- concat::fragment { '06.directory':
- content => template('tor/torrc.directory.erb'),
- order => 06,
- target => $tor::daemon::config_file,
+) {
+ if $ensure == 'present' {
+ concat::fragment { '06.directory':
+ content => template('tor/torrc.directory.erb'),
+ order => '06',
+ target => $tor::daemon::config_file,
+ }
}
+ include ::tor::daemon::params
file { '/etc/tor/tor-exit-notice.html':
ensure => $ensure,
source => 'puppet:///modules/tor/tor-exit-notice.html',
require => File['/etc/tor'],
- owner => 'debian-tor',
- group => 'debian-tor',
+ owner => $tor::daemon::params::user,
+ group => $tor::daemon::params::group,
mode => '0644',
}
}
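Review bot: `/etc/tor/tor-exit-notice.html` is now owned by the tor daemon's user and group, yet tor only needs to read the page it serves as `$port_front_page` (the content comes from the module's own files), so making the daemon the owner lets a compromised tor process rewrite its own exit notice. Match what this commit does for torrc: `owner => 'root', group => $tor::daemon::params::group, mode => '0644'` (world-readable is fine for a public notice). `include ::tor::daemon::params` sits after the `if` block that does not use it; moving it to the top of the define makes the dependency obvious.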
-
diff --git a/manifests/daemon/dns.pp b/manifests/daemon/dns.pp
index 599abd8..899f920 100644
--- a/manifests/daemon/dns.pp
+++ b/manifests/daemon/dns.pp
@@ -1,11 +1,14 @@
# DNS definition
define tor::daemon::dns(
- $port = 0 ) {
-
- concat::fragment { "08.dns.${name}":
- content => template('tor/torrc.dns.erb'),
- order => '08',
- target => $tor::daemon::config_file,
+ $ensure = 'present',
+ $port = 0,
+){
+ if $ensure == 'present' {
+ concat::fragment { "08.dns.${name}":
+ content => template('tor/torrc.dns.erb'),
+ order => '08',
+ target => $tor::daemon::config_file,
+ }
}
}
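Review bot: `$ensure` is only compared against `'present'`, so any other value — `'absent'`, but also a typo such as `'presnet'` — silently drops the DNSPort fragment without an error. Add an explicit check at the top of the define, `if ! ($ensure in ['present', 'absent']) { fail("tor::daemon::dns ${name}: ensure must be present or absent") }`, so misconfigurations fail the catalog instead of quietly removing a listener. The same pattern is repeated in the sibling defines in this commit.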
diff --git a/manifests/daemon/exit_policy.pp b/manifests/daemon/exit_policy.pp
index c117d5d..62876c7 100644
--- a/manifests/daemon/exit_policy.pp
+++ b/manifests/daemon/exit_policy.pp
@@ -1,13 +1,16 @@
# exit policies
define tor::daemon::exit_policy(
+ $ensure = 'present',
$accept = [],
$reject = [],
- $reject_private = 1 ) {
-
- concat::fragment { "07.exit_policy.${name}":
- content => template('tor/torrc.exit_policy.erb'),
- order => 07,
- target => $tor::daemon::config_file,
+ $reject_private = 1,
+) {
+ if $ensure == 'present' {
+ concat::fragment { "07.exit_policy.${name}":
+ content => template('tor/torrc.exit_policy.erb'),
+ order => '07',
+ target => $tor::daemon::config_file,
+ }
}
}
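Review bot: Every exit policy is emitted at `order => '07'` with `${name}` in the fragment title, so with several declarations concat orders them by fragment name (alphabetically, as far as I recall puppetlabs-concat's sort) while tor evaluates ExitPolicy lines first-match-wins — a `reject` policy named `zzz` lands after an `accept` named `aaa` and never takes effect. Document this on the define, e.g. `# Multiple exit policies are concatenated in alphabetical order of $name and tor applies them first-match; name them accordingly or use a single define with ordered accept/reject arrays.` `$reject_private = 1` as the default is the safe choice; a comment saying which torrc option it maps to (presumably ExitPolicyRejectPrivate) would help.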
diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp
index 9e053cc..8a062c5 100644
--- a/manifests/daemon/hidden_service.pp
+++ b/manifests/daemon/hidden_service.pp
@@ -3,19 +3,14 @@ define tor::daemon::hidden_service(
$ports = [],
$single_hop = false,
$v3 = false,
- $data_dir = $tor::daemon::data_dir ) {
-
-
-
- if $single_hop {
- file { "${$data_dir}/${$name}/onion_service_non_anonymous":
- ensure => 'present',
- }
- }
-
- concat::fragment { "05.hidden_service.${name}":
- content => template('tor/torrc.hidden_service.erb'),
- order => 05,
- target => $tor::daemon::config_file,
+ $data_dir = $tor::daemon::data_dir,
+) {
+ info("Using tor::daemon::hidden_service is deprecated, please use tor::daemon::onion_service for ${name}")
+ tor::daemon::onion_service{
+ $name:
+ ports => $ports,
+ single_hop => $single_hop,
+ v3 => $v3,
+ data_dir => $data_dir,
}
}
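Review bot: The deprecation is emitted with `info()`, which is below Puppet's default log level, so users will not see it in a normal agent run; use `warning("tor::daemon::hidden_service is deprecated, please use tor::daemon::onion_service for ${name}")` instead. The shim forwards only `ports`, `single_hop`, `v3` and `data_dir`, so a comment noting that onion_service's key-management parameters are not reachable through it would help migrations. The define's header is above this hunk.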
diff --git a/manifests/daemon/map_address.pp b/manifests/daemon/map_address.pp
index 1829eae..ca21ed9 100644
--- a/manifests/daemon/map_address.pp
+++ b/manifests/daemon/map_address.pp
@@ -1,12 +1,15 @@
# map address definition
define tor::daemon::map_address(
+ $ensure = 'present',
$address = '',
- $newaddress = '' ) {
-
- concat::fragment { "08.map_address.${name}":
- content => template('tor/torrc.map_address.erb'),
- order => '08',
- target => $tor::daemon::config_file,
+ $newaddress = '',
+) {
+ if $ensure == 'present' {
+ concat::fragment { "08.map_address.${name}":
+ content => template('tor/torrc.map_address.erb'),
+ order => '08',
+ target => $tor::daemon::config_file,
+ }
}
}
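Review bot: Both `$address` and `$newaddress` default to `''` and nothing rejects that, so a declaration that forgets one presumably yields a malformed MapAddress line (the template is not visible here). When `$ensure == 'present'`, fail early: `if $address == '' or $newaddress == '' { fail("tor::daemon::map_address ${name}: address and newaddress are required") }`.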
diff --git a/manifests/daemon/onion_service.pp b/manifests/daemon/onion_service.pp
new file mode 100644
index 0000000..cb55d06
--- /dev/null
+++ b/manifests/daemon/onion_service.pp
@@ -0,0 +1,65 @@
+# onion services definition
+define tor::daemon::onion_service(
+ $ensure = 'present',
+ $ports = [],
+ $data_dir = $tor::daemon::data_dir,
+ $v3 = false,
+ $single_hop = false,
+ $private_key = undef,
+ $private_key_name = $name,
+ $private_key_store_path = undef,
+) {
+
+ $data_dir_path = "${data_dir}/${name}"
+ if $ensure == 'present' {
+ include ::tor::daemon::params
+ concat::fragment { "05.onion_service.${name}":
+ content => template('tor/torrc.onion_service.erb'),
+ order => '05',
+ target => $tor::daemon::config_file,
+ }
+ if $single_hop {
+ file { "${$data_dir_path}/onion_service_non_anonymous":
+ ensure => 'present',
+ notify => Service['tor'];
+ }
+ }
+ }
+ if $private_key or ($private_key_name and $private_key_store_path) {
+ if $private_key and ($private_key_name and $private_key_store_path) {
+ fail('Either private_key OR (private_key_name AND private_key_store_path) must be set, but not all three of them')
+ }
+ if $private_key_store_path and $private_key_name {
+ $tmp = generate_onion_key($private_key_store_path,$private_key_name)
+ $os_hostname = $tmp[0]
+ $real_private_key = $tmp[1]
+ } else {
+ $os_hostname = onion_address($private_key)
+ $real_private_key = $private_key
+ }
+ file{
+ $data_dir_path:
+ ensure => directory,
+ purge => true,
+ force => true,
+ recurse => true,
+ owner => $tor::daemon::params::user,
+ group => $tor::daemon::params::group,
+ mode => '0600',
+ require => Package['tor'];
+ "${data_dir_path}/private_key":
+ content => $real_private_key,
+ owner => $tor::daemon::params::user,
+ group => $tor::daemon::params::group,
+ mode => '0600',
+ notify => Service['tor'];
+ "${data_dir_path}/hostname":
+ content => "${os_hostname}.onion\n",
+ owner => $tor::daemon::params::user,
+ group => $tor::daemon::params::group,
+ mode => '0600',
+ notify => Service['tor'];
+ }
+ }
+}
+
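Review bot: `purge => true, recurse => true, force => true` on `$data_dir_path` deletes every file Puppet does not manage in the service directory on each run, and only `private_key` and `hostname` are managed — anything tor writes there itself (for `v3 = true` the keys are, as far as I know, `hs_ed25519_secret_key`/`hs_ed25519_public_key`, plus any client-authorization material) would be removed, changing the service identity. The private key is also passed as `content`, so it will appear in agent diff output and reports unless `show_diff => false` is set. Finally, `include ::tor::daemon::params` is inside the `ensure == 'present'` branch but `$tor::daemon::params::user`/`group` are used in the key branch regardless of `$ensure`, and a directory mode of `'0600'` reads oddly (Puppet adds the search bit, but `'0700'` says what is meant). Hoisting the include and tightening the file resources looks like this:
```puppet
  include ::tor::daemon::params
  $data_dir_path = "${data_dir}/${name}"
  # … unchanged: concat fragment, single_hop marker, key selection …
    file{
      $data_dir_path:
        ensure  => directory,
        owner   => $tor::daemon::params::user,
        group   => $tor::daemon::params::group,
        mode    => '0700',
        require => Package['tor'];
      "${data_dir_path}/private_key":
        content   => $real_private_key,
        show_diff => false,
        owner     => $tor::daemon::params::user,
        group     => $tor::daemon::params::group,
        mode      => '0600',
        notify    => Service['tor'];
      # … unchanged: hostname file …
    }
```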
diff --git a/manifests/daemon/params.pp b/manifests/daemon/params.pp
new file mode 100644
index 0000000..39126ee
--- /dev/null
+++ b/manifests/daemon/params.pp
@@ -0,0 +1,19 @@
+# setup variables for different distributions
+class tor::daemon::params {
+ case $facts['osfamily'] {
+ 'RedHat': {
+ $user = 'toranon'
+ $group = 'toranon'
+ $manage_user = false
+ $data_dir_mode = '0750'
+ }
+ 'Debian': {
+ $user = 'debian-tor'
+ $group = 'debian-tor'
+ $manage_user = true
+ $data_dir_mode = '0700'
+ }
+ default: { fail("No support for osfamily ${facts['osfamily']}") }
+ }
+
+}
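Review bot: `manage_user` and `data_dir_mode` differ per family without a comment saying why, and since base.pp consumes them the rationale lives nowhere. Suggest a line above the RedHat branch such as `# the RedHat tor package creates 'toranon' itself, so we only reference it` (if that is indeed the reason) and a note on why `0750` is deliberately group-accessible there while Debian keeps `0700`, since base.pp pairs that mode with `group => 'root'`. The `fail()` on unsupported families is the right choice.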
diff --git a/manifests/daemon/relay.pp b/manifests/daemon/relay.pp
index fa908f5..bc72dd0 100644
--- a/manifests/daemon/relay.pp
+++ b/manifests/daemon/relay.pp
@@ -1,5 +1,6 @@
# relay definition
define tor::daemon::relay(
+ $ensure = 'present',
$port = 0,
$outbound_bindaddresses = [],
$portforwarding = 0,
@@ -13,25 +14,27 @@ define tor::daemon::relay(
$relay_bandwidth_burst = 0,
# GB, 0 for no limit
$accounting_max = 0,
- $accounting_start = "month 1 0:00",
+ $accounting_start = 'month 1 0:00',
$contact_info = '',
# TODO: autofill with other relays
$my_family = '',
$address = "tor.${::domain}",
$bridge_relay = 0,
- $ensure = present ) {
+) {
- $nickname = $name
+ if $ensure == 'present' {
+ $nickname = $name
- if $outbound_bindaddresses == [] {
- $real_outbound_bindaddresses = []
- } else {
- $real_outbound_bindaddresses = $outbound_bindaddresses
- }
+ if $outbound_bindaddresses == [] {
+ $real_outbound_bindaddresses = []
+ } else {
+ $real_outbound_bindaddresses = $outbound_bindaddresses
+ }
- concat::fragment { '03.relay':
- content => template('tor/torrc.relay.erb'),
- order => 03,
- target => $tor::daemon::config_file,
+ concat::fragment { '03.relay':
+ content => template('tor/torrc.relay.erb'),
+ order => '03',
+ target => $tor::daemon::config_file,
+ }
}
}
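Review bot: The `if $outbound_bindaddresses == [] { ... } else { ... }` block assigns `$real_outbound_bindaddresses` the same value on both arms, so it is a no-op that survived the reformatting; replace it with `$real_outbound_bindaddresses = $outbound_bindaddresses` or use the parameter directly in the template. Separately, `$nickname = $name` feeds tor's Nickname, which tor restricts to 1–19 alphanumeric characters; a guard like `if $nickname !~ /^[A-Za-z0-9]{1,19}$/ { fail("invalid relay nickname ${nickname}") }` catches bad names at catalog compile time rather than at tor startup. The define's parameter list starts in the previous hunk.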
diff --git a/manifests/daemon/snippet.pp b/manifests/daemon/snippet.pp
index 5a4c091..195ed77 100644
--- a/manifests/daemon/snippet.pp
+++ b/manifests/daemon/snippet.pp
@@ -1,11 +1,15 @@
# Arbitrary torrc snippet definition
define tor::daemon::snippet(
- $content = '' ) {
+ $ensure = 'present',
+ $content = '',
+) {
- concat::fragment { "99.snippet.${name}":
- content => $content,
- order => 99,
- target => $tor::daemon::config_file,
+ if $ensure == 'present' {
+ concat::fragment { "99.snippet.${name}":
+ content => $content,
+ order => '99',
+ target => $tor::daemon::config_file,
+ }
}
}
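Review bot: The snippet is injected verbatim at `order => '99'`, after every other fragment, so for single-valued torrc options the later line wins and a snippet can silently override what `tor::daemon::relay`, `tor::daemon::socks` and the other defines configured; the define's comment should say so. Suggest `# Injected verbatim at the end of torrc: later directives override earlier single-valued options, so a snippet can undo settings made by the other tor::daemon::* defines.` Consider also failing when `$content == ''` and `$ensure == 'present'`, since an empty fragment is almost certainly a mistake.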
diff --git a/manifests/daemon/socks.pp b/manifests/daemon/socks.pp
index cb130d9..e36d91e 100644
--- a/manifests/daemon/socks.pp
+++ b/manifests/daemon/socks.pp
@@ -1,11 +1,14 @@
# socks definition
define tor::daemon::socks(
- $port = 0,
- $policies = [] ) {
-
- concat::fragment { '02.socks':
- content => template('tor/torrc.socks.erb'),
- order => 02,
- target => $tor::daemon::config_file,
+ $ensure = 'present',
+ $port = 0,
+ $policies = [],
+) {
+ if $ensure == 'present' {
+ concat::fragment { '02.socks':
+ content => template('tor/torrc.socks.erb'),
+ order => '02',
+ target => $tor::daemon::config_file,
+ }
}
}
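Review bot: The fragment is titled `'02.socks'` with no `${name}` component, unlike `"08.dns.${name}"` or `"09.transparent.${name}"`, so a second `tor::daemon::socks` declaration fails with a duplicate-resource error instead of producing a second SocksPort; either that is intended and should be documented on the define (`# only one socks definition per node; use $policies for access control`), or the title should become `"02.socks.${name}"` like the siblings. `$policies = []` with a SocksPort set presumably means no SocksPolicy lines at all — a comment on the parameter stating what the template does in that case would help.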
diff --git a/manifests/daemon/transparent.pp b/manifests/daemon/transparent.pp
index 90c0142..0d4620a 100644
--- a/manifests/daemon/transparent.pp
+++ b/manifests/daemon/transparent.pp
@@ -1,11 +1,14 @@
# Transparent proxy definition
define tor::daemon::transparent(
- $port = 0 ) {
+ $ensure = 'present',
+ $port = 0) {
- concat::fragment { "09.transparent.${name}":
- content => template('tor/torrc.transparent.erb'),
- order => '09',
- target => $tor::daemon::config_file,
+ if $ensure == 'present' {
+ concat::fragment { "09.transparent.${name}":
+ content => template('tor/torrc.transparent.erb'),
+ order => '09',
+ target => $tor::daemon::config_file,
+ }
}
}
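Review bot: The parameter list closes with `$port = 0) {` on the same line, while every other define in this commit puts the `)` on its own line after a trailing comma; for consistency write `$port = 0,` followed by `) {`. As in the siblings, an `$ensure` value other than `'present'` or `'absent'` silently drops the TransPort fragment rather than failing.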
diff --git a/manifests/daemon/transport_plugin.pp b/manifests/daemon/transport_plugin.pp
index 1921282..4f7bbf2 100644
--- a/manifests/daemon/transport_plugin.pp
+++ b/manifests/daemon/transport_plugin.pp
@@ -1,13 +1,16 @@
# transport plugin
define tor::daemon::transport_plugin(
+ $ensure = 'present',
$servertransport_plugin = '',
$servertransport_listenaddr = '',
$servertransport_options = '',
- $ext_port = '' ) {
-
- concat::fragment { '11.transport_plugin':
- content => template('tor/torrc.transport_plugin.erb'),
- order => 11,
- target => $tor::daemon::config_file,
+ $ext_port = '',
+) {
+ if $ensure == 'present' {
+ concat::fragment { '11.transport_plugin':
+ content => template('tor/torrc.transport_plugin.erb'),
+ order => 11,
+ target => $tor::daemon::config_file,
+ }
}
}
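Review bot: `order => 11` is left as a bare integer while every other fragment in this commit was changed to a quoted string (`'10'`, `'99'`); puppetlabs-concat sorts orders as strings unless numeric sorting is enabled, and mixing types risks a validation error or an ordering surprise, so make it `order => '11',`. The fragment title `'11.transport_plugin'` also has no `${name}`, so only one transport plugin can be declared per node — fine if intentional, but worth a comment on the define.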