From d08f07eae13d02431b1c4142634f49e978b551de Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 4 Sep 2016 21:00:45 +0200
Subject: make module also work on EL7
* user is different
* user must not be managed
* make access more safe, it doesn't make sense that the user running the daemon owns the config, nor the config directory.
---
 manifests/base.pp | 9 ++++++-
 manifests/daemon/base.pp | 56 +++++++++++++++++++------------------------
 manifests/daemon/directory.pp | 5 ++--
 manifests/daemon/params.pp | 18 ++++++++++++++
 manifests/munin.pp | 3 ++-
 5 files changed, 56 insertions(+), 35 deletions(-)
 create mode 100644 manifests/daemon/params.pp
diff --git a/manifests/base.pp b/manifests/base.pp
index b98451b..31b9edb 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,8 +1,15 @@
 # basic management of resources for tor class tor::base { - package { [ 'tor', 'tor-geoipdb' ]: + package {'tor': ensure => $tor::ensure_version, } + case $osfamily { + 'Debian': { + package {'tor-geoipdb': + ensure => $tor::ensure_version, + } + } + } service { 'tor': ensure => running,
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
index 5db3e31..217a122 100644
--- a/manifests/daemon/base.pp
+++ b/manifests/daemon/base.pp
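Review bot: The new `case $osfamily` block in tor::base has no `default` branch, so on any family other than Debian (including the EL7 target this commit adds) `tor-geoipdb` is silently left unmanaged rather than being a visible decision; if that is intended, a comment on the case such as `# tor-geoipdb is only a separate package on Debian; other families deliberately manage nothing here` would record it. It also leaves distribution knowledge in two places, this case and the new tor::daemon::params, which the commit otherwise centralizes. The fact is referenced unqualified as `$osfamily` both here and in manifests/daemon/params.pp, while the commit qualifies class names (`::tor::daemon::params`); `$::osfamily` would be consistent and avoids the implicit top-scope lookup. The class body continues past the hunk.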
@@ -1,54 +1,48 @@
 # extend basic tor things with a snippet based daemon configuration class tor::daemon::base inherits tor::base { - # packages, user, group - Package[ 'tor' ] { - require => File[$tor::daemon::data_dir], - } + include ::tor::daemon::params - group { 'debian-tor': - ensure => present, - allowdupe => false, - } + if $tor::daemon::params::manage_user { + group { $tor::daemon::params::group: + ensure => present, + allowdupe => false, + } - user { 'debian-tor': - ensure => present, - allowdupe => false, - comment => 'tor user,,,', - home => $tor::daemon::data_dir, - shell => '/bin/false', - gid => 'debian-tor', - require => Group['debian-tor'], + user { $tor::daemon::params::user: + ensure => present, + allowdupe => false, + comment => 'tor user,,,', + home => $tor::daemon::data_dir, + shell => '/bin/false', + gid => $tor::daemon::params::group, + require => Group[$tor::daemon::params::group], + } } # directories file { $tor::daemon::data_dir: ensure => directory, - mode => '0700', - owner => 'debian-tor', - group => 'debian-tor', - require => User['debian-tor'], + mode => '0750', + owner => $tor::daemon::params::user, + group => 'root', + require => Package['tor'], } file { '/etc/tor': ensure => directory, mode => '0755', - owner => 'debian-tor', - group => 'debian-tor', - require => User['debian-tor'], - } - - file { '/var/lib/puppet/modules/tor': - ensure => absent, - recurse => true, - force => true, + owner => 'root', + group => 'root', + require => Package['tor'], } # tor configuration file concat { $tor::daemon::config_file: mode => '0600', - owner => 'debian-tor', - group => 'debian-tor', + owner => 'root', + group => 'root', + require => Package['tor'], notify => Service['tor'], }
diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp
index 8a90899..4dc2afa 100644
--- a/manifests/daemon/directory.pp
+++ b/manifests/daemon/directory.pp
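Review bot: The data directory's mode is relaxed from `0700` to `0750` with `group => 'root'` although the commit message promises safer access; this is presumably tor's DataDirectory, which holds its keys, and as far as I recall tor itself insists on 0700 there unless `DataDirectoryGroupReadable` is set, warning and tightening the mode on start, which would then flap against Puppet on every run. Unless a managed torrc snippet sets that option, keep `mode => '0700'` with the daemon user and group as owner; group root gains nothing since root reads it anyway. Separately, the concat config becomes `0600` root:root: on Debian tor starts as root and drops privileges, but if the EL7 unit runs the daemon directly as `toranon` it cannot read its own torrc, so `mode => '0640', group => $tor::daemon::params::group,` is the portable choice — worth checking against the unit file. The class body may continue past the hunk.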
@@ -12,12 +12,13 @@ define tor::daemon::directory (
 target => $tor::daemon::config_file, } + include ::tor::daemon::params file { '/etc/tor/tor-exit-notice.html': ensure => $ensure, source => 'puppet:///modules/tor/tor-exit-notice.html', require => File['/etc/tor'], - owner => 'debian-tor', - group => 'debian-tor', + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, mode => '0644', } }
diff --git a/manifests/daemon/params.pp b/manifests/daemon/params.pp
new file mode 100644
index 0000000..b2d8e34
--- /dev/null
+++ b/manifests/daemon/params.pp
@@ -0,0 +1,18 @@
+# setup variables for different distributions
+class tor::daemon::params {
+
+ case $osfamily {
+ 'RedHat': {
+ $user = 'toranon'
+ $group = 'toranon'
+ $manage_user = false
+ }
+ 'Debian': {
+ $user = 'debian-tor'
+ $group = 'debian-tor'
+ $manage_user = true
+ }
+ default: { fail("No support for osfamily ${osfamily}") }
+ }
+
+}
diff --git a/manifests/munin.pp b/manifests/munin.pp
index ef71f57..1b043f1 100644
--- a/manifests/munin.pp
+++ b/manifests/munin.pp
@@ -7,8 +7,9 @@ class tor::munin {
 cookie_auth_file => '/var/run/tor/control.authcookie', } + include ::tor::daemon::params Munin::Plugin::Deploy { - config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051" + config => "user ${tor::daemon::params::user}\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051" } munin::plugin::deploy { 'tor_openfds':
-- cgit v1.2.3
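Review bot: `/etc/tor/tor-exit-notice.html` is now owned by the daemon user and group, which contradicts the commit's own principle that the daemon user should not own anything under the config directory; the rest of the commit moves `/etc/tor` and the concat config to root. With `mode => '0644'` the daemon can read it regardless, so `owner => 'root', group => 'root',` would match daemon/base.pp and keep a compromised daemon from rewriting the exit notice page it presents. The define starts outside the hunk.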
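Review bot: The new tor::daemon::params class leaves `$manage_user` undocumented, and its meaning (tor::daemon::base creates the user and group, or leaves them to the distribution package) is only recoverable from the commit message. A comment above the case such as `# manage_user: whether tor::daemon::base creates the user/group itself; false where the distribution package provides them and they must not be touched` would make the RedHat/Debian split self-explanatory. The `default` branch's `fail` is the right call; adding to the same comment that a new family must set all three variables would help the next porter.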