From 720c1670750345e8c361219a58c2722a603e26bb Mon Sep 17 00:00:00 2001
From: mh
Date: Tue, 1 Nov 2016 20:26:20 +0100
Subject: add support for onionbalance
---
manifests/onionbalance.pp | 81 +++++++++++++++++++++++++++++++++
manifests/onionbalance/key.pp | 25 ++++++++++
manifests/onionbalance/keys.pp | 11 +++++
spec/classes/onionbalance_spec.rb | 60 ++++++++++++++++++++++++
templates/onionbalance/Debian.torrc.erb | 5 ++
templates/onionbalance/RedHat.torrc.erb | 13 ++++++
templates/onionbalance/config.yaml.erb | 10 ++++
7 files changed, 205 insertions(+)
create mode 100644 manifests/onionbalance.pp
create mode 100644 manifests/onionbalance/key.pp
create mode 100644 manifests/onionbalance/keys.pp
create mode 100644 spec/classes/onionbalance_spec.rb
create mode 100644 templates/onionbalance/Debian.torrc.erb
create mode 100644 templates/onionbalance/RedHat.torrc.erb
create mode 100644 templates/onionbalance/config.yaml.erb
diff --git a/manifests/onionbalance.pp b/manifests/onionbalance.pp
new file mode 100644
index 0000000..34831d3
--- /dev/null
+++ b/manifests/onionbalance.pp
@@ -0,0 +1,81 @@
+# manages an onionbalance installation
+#
+# Parameters:
+#
+# services: a hash of onionbalance service instances
+# services => {
+# keyname_of_service1 => {
+# name1 => onionservice_addr_3,
+# name2 => onionservice_addr_2,
+# _key_content => content_of_key_of_onionbalanced_service1,
+# },
+# }
+#
+class tor::onionbalance(
+ $services,
+) {
+
+ include ::tor
+
+ case $osfamily {
+ 'Debian': {
+ $pkg_name = 'onionbalance'
+ $instance_file = '/etc/tor/instances/onionbalance/torrc'
+ $instance_user = '_tor-onionbalance'
+ exec{'/usr/sbin/tor-instance-create onionbalance':
+ creates => '/etc/tor/instances/onionbalance',
+ require => Package['tor'],
+ before => File[$instance_file],
+ } -> augeas{"manage_onionbalance_in_group_${instance_user}":
+ context => '/files/etc/group',
+ changes => [ "set ${instance_user}/user[last()+1] onionbalance" ],
+ onlyif => "match ${instance_user}/*[../user='onionbalance'] size == 0",
+ require => Package['onionbalance'],
+ }
+ }
+ 'RedHat': {
+ $instance_file = '/etc/tor/onionbalance.torrc'
+ $instance_user = 'toranon'
+ $pkg_name = 'python2-onionbalance'
+ }
+ default: {
+ fail("OSFamily ${osfamily} not (yet) supported for onionbalance")
+ }
+ }
+
+ package{$pkg_name:
+ ensure => 'installed',
+ tag => 'onionbalance',
+ } -> file{
+ '/etc/onionbalance/config.yaml':
+ content => template('tor/onionbalance/config.yaml.erb'),
+ owner => root,
+ group => $instance_user,
+ mode => '0640',
+ notify => Service['onionbalance'];
+ $instance_file:
+ content => template("tor/onionbalance/${osfamily}.torrc.erb"),
+ owner => root,
+ group => 0,
+ mode => '0644',
+ require => Package['tor'],
+ notify => Service['tor@onionbalance'],
+ }
+
+ tor::onionbalance::keys{
+ keys($services):
+ values => $services,
+ group => $instance_user,
+ }
+
+ service{
+ 'tor@onionbalance':
+ ensure => running,
+ enable => true;
+ 'onionbalance':
+ ensure => running,
+ enable => true,
+ subscribe => Service['tor@onionbalance'];
+ }
+
+}
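Review bot: In manifests/onionbalance.pp, `$services` reaches `keys($services)`, the key file names and the config template without any validation, and the parameter comment does not mention that a `_key_content` beginning with `/` is read as a file path at compile time (see `tor::onionbalance::key`). A `validate_hash($services)` at the top of the class would fail early with a clear message, and the header comment could add `#   _key_content => key material, or an absolute path to a key file readable by the master,`. The fact is also referenced as `$osfamily` rather than the top-scope `$::osfamily`, both in the `case` and in the template path.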
diff --git a/manifests/onionbalance/key.pp b/manifests/onionbalance/key.pp
new file mode 100644
index 0000000..e0016fc
--- /dev/null
+++ b/manifests/onionbalance/key.pp
@@ -0,0 +1,25 @@
+# manage onionbalance keys
+#
+# key_content will be treated as path
+# to a file containing the key content
+# if the value starts with a /
+#
+define tor::onionbalance::key(
+ $key_content,
+ $group,
+){
+
+ if $key_content =~ /^\// {
+ $content = file($key_content)
+ } else {
+ $content = $key_content
+ }
+ Package<| tag == 'onionbalance' |> -> file{
+ "/etc/onionbalance/${name}.key":
+ content => $content,
+ owner => root,
+ group => $group,
+ mode => '0640',
+ notify => Service['onionbalance'];
+ }
+}
diff --git a/manifests/onionbalance/keys.pp b/manifests/onionbalance/keys.pp
new file mode 100644
index 0000000..e3040f5
--- /dev/null
+++ b/manifests/onionbalance/keys.pp
@@ -0,0 +1,11 @@
+# a wrapper to manage onionbalance keys
+define tor::onionbalance::keys(
+ $values,
+ $group,
+) {
+ tor::onionbalance::key{
+ $name:
+ key_content => $values[$name]['_key_content'],
+ group => $group,
+ }
+}
diff --git a/spec/classes/onionbalance_spec.rb b/spec/classes/onionbalance_spec.rb
new file mode 100644
index 0000000..ff9bb27
--- /dev/null
+++ b/spec/classes/onionbalance_spec.rb
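Review bot: In manifests/onionbalance/key.pp the test `$key_content =~ /^\//` anchors with `^`, which in Puppet's Ruby regexes matches at the start of any line, so inline multi-line key material with a line beginning with `/` (possible in base64-encoded PEM) would be handed to `file()` as a path and fail the compile. Anchoring at the start of the string avoids that: `if $key_content =~ /\A\// {`. Because this resource carries private key material in `content`, adding `show_diff => false,` to the `file` would also keep the key out of agent logs and reports where diffs are enabled.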
@@ -0,0 +1,60 @@
+require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper'))
+
+describe 'tor::onionbalance', :type => 'class' do
+ let(:default_facts) {
+ {
+ :osfamily => 'RedHat',
+ :operatingsystem => 'CentOS',
+ }
+ }
+ let(:facts){ default_facts }
+ let(:pre_condition){'Exec{path => "/bin"}' }
+ let(:params){
+ {
+ :services => {
+ 'keyname_of_service1' => {
+ 'name1' => 'onionservice_addr_3',
+ 'name2' => 'onionservice_addr_2',
+ '_key_content' => 'content_of_key_of_onionbalanced_service1',
+ },
+ },
+ }
+ }
+ describe 'with standard' do
+ it { is_expected.to compile.with_all_deps }
+
+ it { is_expected.to contain_package('python2-onionbalance').with(
+ :ensure => 'installed',
+ ) }
+ it { is_expected.to contain_service('tor@onionbalance').with(
+ :ensure => 'running',
+ :enable => true,
+ ) }
+ it { is_expected.to contain_service('onionbalance').with(
+ :ensure => 'running',
+ :enable => true,
+ :subscribe => 'Service[tor@onionbalance]',
+ ) }
+ context 'on Debian' do
+ let(:facts) {
+ {
+ :osfamily => 'Debian',
+ :operatingsystem => 'Debian',
+ }
+ }
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_package('onionbalance').with(
+ :ensure => 'installed',
+ ) }
+ it { is_expected.to contain_service('tor@onionbalance').with(
+ :ensure => 'running',
+ :enable => true,
+ ) }
+ it { is_expected.to contain_service('onionbalance').with(
+ :ensure => 'running',
+ :enable => true,
+ :subscribe => 'Service[tor@onionbalance]',
+ ) }
+ end
+ end
+end
diff --git a/templates/onionbalance/Debian.torrc.erb b/templates/onionbalance/Debian.torrc.erb
new file mode 100644
index 0000000..4b1afc4
--- /dev/null
+++ b/templates/onionbalance/Debian.torrc.erb
@@ -0,0 +1,5 @@
+# Tor config for the onionbalance management server
+# ---
+# The onionbalance service must be able to access the Tor control port.
+ControlPort 9051
+SocksPort 0
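Review bot: In spec/classes/onionbalance_spec.rb nothing asserts on the key file or on `/etc/onionbalance/config.yaml`, so a regression in their owner, group or mode (the settings that keep the service key unreadable to other users) would pass unnoticed. An example for the RedHat default facts would be `it { is_expected.to contain_file('/etc/onionbalance/keyname_of_service1.key').with(:owner => 'root', :group => 'toranon', :mode => '0640') }`, with a matching one using `_tor-onionbalance` inside the Debian context.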
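Review bot: templates/onionbalance/Debian.torrc.erb opens `ControlPort 9051` without any authentication directive, while the RedHat template sets `CookieAuthentication 1`. Presumably the Debian instance defaults applied through `tor-instance-create` supply cookie authentication, but that is not visible in this change. Either say so in the template, e.g. `# control port authentication is provided by the tor instance defaults`, or set `CookieAuthentication 1` explicitly so the control port cannot end up unauthenticated if those defaults differ.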
diff --git a/templates/onionbalance/RedHat.torrc.erb b/templates/onionbalance/RedHat.torrc.erb
new file mode 100644
index 0000000..023748b
--- /dev/null
+++ b/templates/onionbalance/RedHat.torrc.erb
@@ -0,0 +1,13 @@
+# Tor config for the onionbalance management server
+# ---
+# The onionbalance service must be able to access the Tor control port.
+
+DataDirectory /var/lib/tor/onionbalance-data
+
+ControlPort 9051
+CookieAuthentication 1
+SocksPort 0
+
+CookieAuthFileGroupReadable 1
+CookieAuthFile /run/tor/onionbalance.control.authcookie
+
diff --git a/templates/onionbalance/config.yaml.erb b/templates/onionbalance/config.yaml.erb
new file mode 100644
index 0000000..3f45bd1
--- /dev/null
+++ b/templates/onionbalance/config.yaml.erb
@@ -0,0 +1,10 @@
+# OnionBalance Config File
+services:
+<% @services.keys.sort.each do |key| -%>
+- instances:
+<% (@services[key].keys - ['_key_content']).sort.each do |inst| -%>
+ - address: <%= @services[key][inst] %>
+ name: <%= inst %>
+<% end -%>
+ key: <%= key %>.key
+<% end -%>
-- cgit v1.2.3
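Review bot: In templates/onionbalance/config.yaml.erb the instance name, address and key name are written into the YAML unquoted (`name: <%= inst %>`, `address: <%= @services[key][inst] %>`, `key: <%= key %>.key`), so a value containing `: `, `#` or a newline changes the structure of the generated file, and `key` is also used as part of the key file path in `tor::onionbalance::key`. Rejecting unexpected characters before rendering would make this robust, e.g. `<% raise Puppet::ParseError, "invalid service key #{key}" unless key =~ /\A[A-Za-z0-9_-]+\z/ -%>` as the first line inside the outer loop, with the same kind of check for `inst` and the address.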