From 3cf7362f383d2cfa705c3897f6199087c5ddb033 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 15 Mar 2015 12:27:18 +0100
Subject: exchange connections munin plugin tor_connections started blocking and I wasn't able to find the root cause for it nor an updated version of the plugin. This also blocked munin itself, which had the issue that the node disappeared within munin. Based on https://lists.torproject.org/pipermail/tor-talk/2006-June/010486.html it seems to more or less match the open filedescriptors and hence we monitor rather this than rely on a unmanageable plugin. The only drawback is that this must run as root, as non-root users can't read the filedescriptors from proc.
---
files/munin/tor_connections | 162 --------------------------------------------
files/munin/tor_openfds | 32 +++++++++
manifests/munin.pp | 5 +-
3 files changed, 35 insertions(+), 164 deletions(-)
delete mode 100755 files/munin/tor_connections
create mode 100644 files/munin/tor_openfds
diff --git a/files/munin/tor_connections b/files/munin/tor_connections
deleted file mode 100755
index c1d0a92..0000000
--- a/files/munin/tor_connections
+++ /dev/null
@@ -1,162 +0,0 @@
-#!/usr/bin/perl -w
-#
-# Munin plugin to monitor Tor
-#
-# Author: Ge van Geldorp
-#
-# Parameters understood:
-#
-# host - Change which host to graph (default localhost)
-# port - Change which port to connect to (default 9051)
-# password - Plain-text control channel password (see torrc
-# HashedControlPassword parameter)
-# cookiefile - Name of the file containing the control channel cookie
-# (see torrc CookieAuthentication parameter)
-#
-# Using HashedControlPassword authentication has the problem that you must
-# include the plain-text password in the munin config file. To have any
-# effect, that file shouldn't be world-readable.
-# If you're using CookieAuthentication, you should run this plugin as a user
-# which has read access to the tor datafiles. Also note that bugs in versions
-# upto and including 0.1.1.20 prevent CookieAuthentication from working.
-#
-# Usage: place in /etc/munin/node.d/ (or link it there using ln -s)
-#
-# Parameters understood:
-# config (required)
-# autoconf (optional - used by munin-config)
-#
-#
-# Magic markers - optional - used by installation scripts and
-# munin-config:
-#
-#%# family=contrib
-#%# capabilities=autoconf
-
-use strict;
-use IO::Socket::INET;
-
-# Config
-our $address = $ENV{host} || "localhost"; # Default: localhost
-our $port = $ENV{port} || 9051; # Default: 9051
-
-# Don't edit below this line
-
-sub Authenticate
-{
- my ($socket) = @_;
- my $authline = "AUTHENTICATE";
- if (defined($ENV{cookiefile})) {
- if (open(COOKIE, "<$ENV{cookiefile}")) {
- binmode COOKIE;
- my $cookie;
- $authline .= " ";
- while (read(COOKIE, $cookie, 32)) {
- foreach my $byte (unpack "C*", $cookie) {
- $authline .= sprintf "%02x", $byte;
- }
- }
- close COOKIE;
- }
- } elsif (defined($ENV{password})) {
- $authline .= ' "' . $ENV{password} .
'"';
- }
- print $socket "$authline\r\n";
- my $replyline = <$socket>;
- if (substr($replyline, 0, 1) != '2') {
- $replyline =~ s/\s*$//;
- return "Failed to authenticate: $replyline";
- }
-
- return;
-}
-
-if ($ARGV[0] and $ARGV[0] eq "autoconf") {
- # Try to connect to the daemon
- my $socket = IO::Socket::INET->new("$address:$port")
- or my $failed = 1;
-
- if ($failed) {
- print "no (failed to connect to $address port $port)\n";
- exit 1;
- }
-
- my $msg = Authenticate($socket);
- if (defined($msg)) {
- print $socket "QUIT\r\n";
- close($socket);
- print "no ($msg)\n";
- exit 1;
- }
-
- print $socket "QUIT\r\n";
- close($socket);
- print "yes\n";
- exit 0;
-}
-
-my %connections = ("new", 0,
- "launched", 0,
- "connected", 0,
- "failed", 0,
- "closed", 0);
-
-if ($ARGV[0] and $ARGV[0] eq "config") {
- print "graph_title Connections\n";
- print "graph_args -l 0 --base 1000\n";
- print "graph_vlabel connections\n";
- print "graph_category Tor\n";
- print "graph_period second\n";
- print "graph_info This graph shows the number of Tor OR connections.\n";
-
- foreach my $status (keys %connections) {
- print "$status.label $status\n";
- print "$status.type GAUGE\n";
- print "$status.max 50000\n";
- print "$status.min 0\n";
- }
-
- exit 0;
-}
-
-my $socket = IO::Socket::INET->new("$address:$port")
- or die("Couldn't connect to $address port $port: $!");
-
-my $msg = Authenticate($socket);
-if (defined($msg)) {
- print $socket "QUIT\r\n";
- close($socket);
- die "$msg\n";
-}
-
-print $socket "GETINFO orconn-status\r\n";
-my $replyline = <$socket>;
-if (substr($replyline, 0, 1) != '2') {
- print $socket "QUIT\r\n";
- close($socket);
- $replyline =~ s/\s*$//;
- die "Failed to get orconn-status info: $replyline\n";
-}
-
-while (!
(($replyline = <$socket>) =~ /^\.\s*$/)) {
- my @reply = split(/\s+/, $replyline);
- $connections{lc($reply[1])}++;
-}
-$replyline = <$socket>;
-if (substr($replyline, 0, 1) != '2') {
- print $socket "QUIT\r\n";
- close($socket);
- $replyline =~ s/\s*$//;
- die "Failed to authenticate: $replyline\n";
-}
-
-print $socket "QUIT\r\n";
-close($socket);
-
-while (my ($status, $count) = each(%connections)) {
- print "$status.value $count\n";
-}
-
-exit 0;
-
-# vim:syntax=perl
diff --git a/files/munin/tor_openfds b/files/munin/tor_openfds
new file mode 100644
index 0000000..69f63bc
--- /dev/null
+++ b/files/munin/tor_openfds
@@ -0,0 +1,32 @@
+#!/usr/bin/perl -w
+# https://lists.torproject.org/pipermail/tor-talk/2006-June/010486.html
+
+use strict;
+
+# Script to monitor the amount of FDs used by
+# the Tor process (var/run/tor/tor.pid)
+
+if ($ARGV[0] and $ARGV[0] =~ /^\s*config\s*$/i)
+{
+ print "graph_title Open file descriptors for Tor\n";
+ print "graph_args --base 1000 -l 0\n";
+ print "graph_vlabel open FDs\n";
+ print "graph_category network\n";
+ print "count.label TorFDs\n";
+ exit 0;
+}
+
+open (PID, "/var/run/tor/tor.pid") or exit 1;
+my $pid = ;
+close PID;
+chomp $pid;
+
+$pid =~ /^[0-9]+$/ or exit 1;
+
+opendir (FDS, "/proc/$pid/fd") or exit 1;
+my @fds = readdir(FDS);
+closedir FDS;
+
+my $count = scalar @fds - 2;
+
+print "count.value $count\n";
diff --git a/manifests/munin.pp b/manifests/munin.pp
index 4412337..ef71f57 100644
--- a/manifests/munin.pp
+++ b/manifests/munin.pp
@@ -11,8 +11,9 @@ class tor::munin {
 config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051"
 }
 munin::plugin::deploy {
- 'tor_connections':
- source => 'tor/munin/tor_connections';
+ 'tor_openfds':
+ config => 'user root',
+ source => 'tor/munin/tor_openfds';
 'tor_routers':
 source => 'tor/munin/tor_routers';
 'tor_traffic':
-- cgit v1.2.3
From 4676a02bf6e18ab2ea2f430b461b5475034ae699 Mon Sep 17 00:00:00 2001
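Review bot: `open (PID, "/var/run/tor/tor.pid") or exit 1;` uses the two-argument form with a bareword handle, and the next line reads `my $pid = ;` on this page, so the readline operator (presumably `<PID>`) appears to have been lost in rendering and the committed file should be checked. The three-argument lexical form `open my $pid_fh, '<', '/var/run/tor/tor.pid' or exit 1;` followed by `my $pid = <$pid_fh>;` avoids both problems. The `$pid =~ /^[0-9]+$/ or exit 1;` check matters because the pidfile lives in a directory the tor user can write while this plugin runs as root: it is the only thing stopping a pidfile containing a path component from steering the opendir to another directory, so it should stay and could be tightened to `\A[0-9]+\z`. On every failure path the plugin exits silently; printing `count.value U` before exiting would let munin record an unknown value instead of a missing datapoint.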
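Review bot: `config => 'user root'` runs this one plugin as root while the other tor plugins inherit the `user debian-tor` default set a few lines above. On Linux a process owner can generally read its own /proc/<pid>/fd, so the tor user may already be sufficient for the daemon's own pid; this is worth verifying before granting root, and if root really is required a short comment such as `# /proc/<pid>/fd of another user's process is readable only by root` next to the line would record why the exception exists.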
From: mh
Date: Sun, 15 Mar 2015 13:06:40 +0100
Subject: make sure it's an array
---
templates/torrc.hidden_service.erb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/torrc.hidden_service.erb b/templates/torrc.hidden_service.erb
index 4dec0b2..7cd849f 100644
--- a/templates/torrc.hidden_service.erb
+++ b/templates/torrc.hidden_service.erb
@@ -1,6 +1,6 @@
 # hidden service <%= @name %>
 HiddenServiceDir <%= @data_dir %>/<%= @name %>
-<% @ports.each do |port| -%>
+<% Array(@ports).each do |port| -%>
 HiddenServicePort <%= port %>
 <% end -%>
-- cgit v1.2.3
From 55084912ec9a5b8bcc8766d5db95beb16b618892 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 15 Mar 2015 13:07:32 +0100
Subject: make it simpler to define ports if we have only one port directly map it to the same port on the localhost.
---
templates/torrc.hidden_service.erb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/torrc.hidden_service.erb b/templates/torrc.hidden_service.erb
index 7cd849f..6a97351 100644
--- a/templates/torrc.hidden_service.erb
+++ b/templates/torrc.hidden_service.erb
@@ -1,6 +1,6 @@
 # hidden service <%= @name %>
 HiddenServiceDir <%= @data_dir %>/<%= @name %>
 <% Array(@ports).each do |port| -%>
-HiddenServicePort <%= port %>
+HiddenServicePort <%= port =~ /^\d+$/ ? "#{port} 127.0.0.1:#{port}" : port %>
 <% end -%>
-- cgit v1.2.3
From a7599e6308ad6c2ca7b3e19fd3364694e9fd6f9c Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 15 Mar 2015 13:32:25 +0100
Subject: add a fact to collect hidden services
---
lib/facter/tor_hidden_services.rb | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 lib/facter/tor_hidden_services.rb
diff --git a/lib/facter/tor_hidden_services.rb b/lib/facter/tor_hidden_services.rb
new file mode 100644
index 0000000..c2a6cca
--- /dev/null
+++ b/lib/facter/tor_hidden_services.rb
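Review bot: `port =~ /^\d+$/` in the new HiddenServicePort line only behaves as intended for String values; a port given as an Integer in the manifest does not match (`Object#=~` returns nil on older Rubies and raises on 3.2+) and is emitted bare, so the 127.0.0.1 mapping silently does not happen. In Ruby `^` and `$` are line anchors rather than string anchors, so `port.to_s =~ /\A\d+\z/` is the check that means "the whole value is a number" for both cases. The anchored form also rules out a value with an embedded newline reaching torrc as two directives, which the current expression would let through.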
@@ -0,0 +1,19 @@
+Facter.add(:tor_hidden_services) do
+ confine :kernel => "Linux"
+ setcode do
+ config_file = '/etc/tor/torrc'
+ if File.exists?(config_file)
+ dirs = File.read(config_file).split("\n").select{|l|
+ l =~ /^HiddenServiceDir/
+ }.collect{|l| l.sub(/^HiddenServiceDir /,'') }
+ dirs.inject({}) { |res,d|
+ if File.exists?(h=File.join(d,'hostname'))
+ res[File.basename(d)] = File.read(h).chomp
+ end
+ res
+ }
+ else
+ {}
+ end
+ end
+end
-- cgit v1.2.3
From 4bad7d07bdefaa88df8b80a9b8bf31119e1449d3 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 15 Mar 2015 15:10:09 +0100
Subject: have them all in the same category
---
files/munin/tor_openfds | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/munin/tor_openfds b/files/munin/tor_openfds
index 69f63bc..dbf57cd 100644
--- a/files/munin/tor_openfds
+++ b/files/munin/tor_openfds
@@ -11,7 +11,7 @@ if ($ARGV[0] and $ARGV[0] =~ /^\s*config\s*$/i)
 print "graph_title Open file descriptors for Tor\n";
 print "graph_args --base 1000 -l 0\n";
 print "graph_vlabel open FDs\n";
- print "graph_category network\n";
+ print "graph_category Tor\n";
 print "count.label TorFDs\n";
 exit 0;
 }
-- cgit v1.2.3
From 76e6ee3e854f5efd018dedc15af14d62e7f4549e Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 19 Apr 2015 23:05:43 +0200
Subject: setting owner, group & mode is not supported by latest concat module
---
manifests/daemon/base.pp | 6 ------
manifests/daemon/bridge.pp | 3 ---
manifests/daemon/control.pp | 3 ---
manifests/daemon/directory.pp | 3 ---
manifests/daemon/dns.pp | 3 ---
manifests/daemon/exit_policy.pp | 3 ---
manifests/daemon/hidden_service.pp | 3 ---
manifests/daemon/map_address.pp | 3 ---
manifests/daemon/relay.pp | 3 ---
manifests/daemon/snippet.pp | 3 ---
manifests/daemon/socks.pp | 3 ---
manifests/daemon/transparent.pp | 3 ---
12 files changed, 39 deletions(-)
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
index 63d7bc4..e687a67 100644
--- a/manifests/daemon/base.pp
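Review bot: `File.exists?`, used twice in the new fact, has been deprecated in favour of `File.exist?` since Ruby 2.1 and is removed in 3.2, so the fact will raise on newer agents; `File.exist?` is the drop-in replacement. The directory extraction `l.sub(/^HiddenServiceDir /,'')` only handles a single space, so a tab- or multi-space-separated torrc line keeps the keyword in the path and that service is silently skipped; `l.sub(/^HiddenServiceDir\s+/, '').strip` is more robust. Note also that this publishes every hidden service's hostname as a fact, which makes the onion addresses visible to anyone who can read the master's fact store or PuppetDB — fine for public services, but worth a comment on the fact if some of them are meant to stay unlisted.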
+++ b/manifests/daemon/base.pp
@@ -58,9 +58,6 @@ class tor::daemon::base inherits tor::base {
 concat::fragment { '00.header':
 ensure => present,
 content => template('tor/torrc.header.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 00,
 target => $tor::daemon::config_file,
 }
@@ -68,9 +65,6 @@ class tor::daemon::base inherits tor::base {
 # global configurations
 concat::fragment { '01.global':
 content => template('tor/torrc.global.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 01,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/bridge.pp b/manifests/daemon/bridge.pp
index 063f565..83d74e0 100644
--- a/manifests/daemon/bridge.pp
+++ b/manifests/daemon/bridge.pp
@@ -8,9 +8,6 @@ define tor::daemon::bridge(
 concat::fragment { "10.bridge.${name}":
 ensure => $ensure,
 content => template('tor/torrc.bridge.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 10,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/control.pp b/manifests/daemon/control.pp
index 0172656..001e2b2 100644
--- a/manifests/daemon/control.pp
+++ b/manifests/daemon/control.pp
@@ -18,9 +18,6 @@ define tor::daemon::control(
 concat::fragment { '04.control':
 ensure => $ensure,
 content => template('tor/torrc.control.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0600',
 order => 04,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp
index d877a86..e2e405d 100644
--- a/manifests/daemon/directory.pp
+++ b/manifests/daemon/directory.pp
@@ -8,9 +8,6 @@ define tor::daemon::directory (
 concat::fragment { '06.directory':
 ensure => $ensure,
 content => template('tor/torrc.directory.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 06,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/dns.pp b/manifests/daemon/dns.pp
index f3a7027..95e62d8 100644
--- a/manifests/daemon/dns.pp
+++ b/manifests/daemon/dns.pp
@@ -7,9 +7,6 @@ define tor::daemon::dns(
 concat::fragment { "08.dns.${name}":
 ensure => $ensure,
 content => template('tor/torrc.dns.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 08,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/exit_policy.pp b/manifests/daemon/exit_policy.pp
index f459ece..df0fb99 100644
--- a/manifests/daemon/exit_policy.pp
+++ b/manifests/daemon/exit_policy.pp
@@ -8,9 +8,6 @@ define tor::daemon::exit_policy(
 concat::fragment { "07.exit_policy.${name}":
 ensure => $ensure,
 content => template('tor/torrc.exit_policy.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 07,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp
index c827211..b54aa44 100644
--- a/manifests/daemon/hidden_service.pp
+++ b/manifests/daemon/hidden_service.pp
@@ -7,9 +7,6 @@ define tor::daemon::hidden_service(
 concat::fragment { "05.hidden_service.${name}":
 ensure => $ensure,
 content => template('tor/torrc.hidden_service.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 05,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/map_address.pp b/manifests/daemon/map_address.pp
index cfbd3da..d41ccea 100644
--- a/manifests/daemon/map_address.pp
+++ b/manifests/daemon/map_address.pp
@@ -7,9 +7,6 @@ define tor::daemon::map_address(
 concat::fragment { "08.map_address.${name}":
 ensure => $ensure,
 content => template('tor/torrc.map_address.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 08,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/relay.pp b/manifests/daemon/relay.pp
index 3ef8602..8150f63 100644
--- a/manifests/daemon/relay.pp
+++ b/manifests/daemon/relay.pp
@@ -33,9 +33,6 @@ define tor::daemon::relay(
 concat::fragment { '03.relay':
 ensure => $ensure,
 content => template('tor/torrc.relay.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 03,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/snippet.pp b/manifests/daemon/snippet.pp
index b9089b4..7e1494c 100644
--- a/manifests/daemon/snippet.pp
+++ b/manifests/daemon/snippet.pp
@@ -6,9 +6,6 @@ define tor::daemon::snippet(
 concat::fragment { "99.snippet.${name}":
 ensure => $ensure,
 content => $content,
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 99,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/socks.pp b/manifests/daemon/socks.pp
index 910461c..54c8b6a 100644
--- a/manifests/daemon/socks.pp
+++ b/manifests/daemon/socks.pp
@@ -6,9 +6,6 @@ define tor::daemon::socks(
 concat::fragment { '02.socks':
 content => template('tor/torrc.socks.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 02,
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/transparent.pp b/manifests/daemon/transparent.pp
index 74fed4f..b5e9bc5 100644
--- a/manifests/daemon/transparent.pp
+++ b/manifests/daemon/transparent.pp
@@ -7,9 +7,6 @@ define tor::daemon::transparent(
 concat::fragment { "09.transparent.${name}":
 ensure => $ensure,
 content => template('tor/torrc.transparent.erb'),
- owner => 'debian-tor',
- group => 'debian-tor',
- mode => '0644',
 order => 09,
 target => $tor::daemon::config_file,
 }
-- cgit v1.2.3
From a51a51fe181a7fc6cc1f23e742078cbeed740658 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 19 Apr 2015 23:17:25 +0200
Subject: make it work with latest concat module
---
manifests/daemon/base.pp | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
index e687a67..9cfcc50 100644
--- a/manifests/daemon/base.pp
+++ b/manifests/daemon/base.pp
@@ -1,10 +1,7 @@
 # extend basic tor things with a snippet based daemon configuration
 class tor::daemon::base inherits tor::base {
- # packages, user, group
- Service['tor'] {
- subscribe => File[$tor::daemon::config_file],
- }
+ # packages, user, group
 Package[ 'tor' ] {
 require => File[$tor::daemon::data_dir],
 }
@@ -52,6 +49,7 @@ class tor::daemon::base inherits tor::base {
 mode => '0600',
 owner => 'debian-tor',
 group => 'debian-tor',
+ notify => Service['tor'],
 }
 # config file headers
-- cgit v1.2.3
From 28b9509b148675d48e721c069491735b8141aff2 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 19 Apr 2015 23:19:33 +0200
Subject: linting
---
manifests/daemon/base.pp | 4 ++--
manifests/daemon/bridge.pp | 2 +-
manifests/daemon/control.pp | 2 +-
manifests/daemon/directory.pp | 2 +-
manifests/daemon/dns.pp | 2 +-
manifests/daemon/exit_policy.pp | 2 +-
manifests/daemon/hidden_service.pp | 2 +-
manifests/daemon/map_address.pp | 2 +-
manifests/daemon/relay.pp | 2 +-
manifests/daemon/snippet.pp | 2 +-
manifests/daemon/socks.pp | 2 +-
manifests/daemon/transparent.pp | 2 +-
12 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
index 9cfcc50..5db3e31 100644
--- a/manifests/daemon/base.pp
+++ b/manifests/daemon/base.pp
@@ -56,14 +56,14 @@ class tor::daemon::base inherits tor::base {
 concat::fragment { '00.header':
 ensure => present,
 content => template('tor/torrc.header.erb'),
- order => 00,
+ order => '00',
 target => $tor::daemon::config_file,
 }
 # global configurations
 concat::fragment { '01.global':
 content => template('tor/torrc.global.erb'),
- order => 01,
+ order => '01',
 target => $tor::daemon::config_file,
 }
 }
diff --git a/manifests/daemon/bridge.pp b/manifests/daemon/bridge.pp
index 83d74e0..a9a21d4 100644
--- a/manifests/daemon/bridge.pp
+++ b/manifests/daemon/bridge.pp
@@ -8,7 +8,7 @@ define tor::daemon::bridge(
 concat::fragment { "10.bridge.${name}":
 ensure => $ensure,
 content => template('tor/torrc.bridge.erb'),
- order => 10,
+ order => '10',
 target => $tor::daemon::config_file,
 }
 }
diff --git a/manifests/daemon/control.pp b/manifests/daemon/control.pp
index 001e2b2..5e81c65 100644
--- a/manifests/daemon/control.pp
+++ b/manifests/daemon/control.pp
@@ -18,7 +18,7 @@ define tor::daemon::control(
 concat::fragment { '04.control':
 ensure => $ensure,
 content => template('tor/torrc.control.erb'),
- order => 04,
+ order => '04',
 target => $tor::daemon::config_file,
 }
 }
diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp
index e2e405d..8a90899 100644
--- a/manifests/daemon/directory.pp
+++ b/manifests/daemon/directory.pp
@@ -8,7 +8,7 @@ define tor::daemon::directory (
 concat::fragment { '06.directory':
 ensure => $ensure,
 content => template('tor/torrc.directory.erb'),
- order => 06,
+ order => '06',
 target => $tor::daemon::config_file,
 }
diff --git a/manifests/daemon/dns.pp b/manifests/daemon/dns.pp
index 95e62d8..e8d4fc8 100644
--- a/manifests/daemon/dns.pp
+++ b/manifests/daemon/dns.pp
@@ -7,7 +7,7 @@ define tor::daemon::dns(
 concat::fragment { "08.dns.${name}":
 ensure => $ensure,
 content => template('tor/torrc.dns.erb'),
- order => 08,
+ order => '08',
 target => $tor::daemon::config_file,
 }
 }
diff --git a/manifests/daemon/exit_policy.pp b/manifests/daemon/exit_policy.pp
index df0fb99..5f4d3e8 100644
--- a/manifests/daemon/exit_policy.pp
+++ b/manifests/daemon/exit_policy.pp
@@ -8,7 +8,7 @@ define tor::daemon::exit_policy(
 concat::fragment { "07.exit_policy.${name}":
 ensure => $ensure,
 content => template('tor/torrc.exit_policy.erb'),
- order => 07,
+ order => '07',
 target => $tor::daemon::config_file,
 }
 }
diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp
index b54aa44..cf316b5 100644
--- a/manifests/daemon/hidden_service.pp
+++ b/manifests/daemon/hidden_service.pp
@@ -7,7 +7,7 @@ define tor::daemon::hidden_service(
 concat::fragment { "05.hidden_service.${name}":
 ensure => $ensure,
 content => template('tor/torrc.hidden_service.erb'),
- order => 05,
+ order => '05',
 target => $tor::daemon::config_file,
 }
 }
diff --git a/manifests/daemon/map_address.pp b/manifests/daemon/map_address.pp
index d41ccea..ac624a0 100644
--- a/manifests/daemon/map_address.pp
+++ b/manifests/daemon/map_address.pp
@@ -7,7 +7,7 @@ define tor::daemon::map_address(
 concat::fragment { "08.map_address.${name}":
 ensure => $ensure,
 content => template('tor/torrc.map_address.erb'),
- order => 08,
+ order => '08',
 target => $tor::daemon::config_file,
 }
 }
diff --git a/manifests/daemon/relay.pp b/manifests/daemon/relay.pp
index 8150f63..5eae618 100644
--- a/manifests/daemon/relay.pp
+++ b/manifests/daemon/relay.pp
@@ -33,7 +33,7 @@ define tor::daemon::relay(
 concat::fragment { '03.relay':
 ensure => $ensure,
 content => template('tor/torrc.relay.erb'),
- order => 03,
+ order => '03',
 target => $tor::daemon::config_file,
 }
 }
diff --git a/manifests/daemon/snippet.pp b/manifests/daemon/snippet.pp
index 7e1494c..1f22d0c 100644
--- a/manifests/daemon/snippet.pp
+++ b/manifests/daemon/snippet.pp
@@ -6,7 +6,7 @@ define tor::daemon::snippet(
 concat::fragment { "99.snippet.${name}":
 ensure => $ensure,
 content => $content,
- order => 99,
+ order => '99',
 target => $tor::daemon::config_file,
 }
 }
diff --git a/manifests/daemon/socks.pp b/manifests/daemon/socks.pp
index 54c8b6a..17ce40b 100644
--- a/manifests/daemon/socks.pp
+++ b/manifests/daemon/socks.pp
@@ -6,7 +6,7 @@ define tor::daemon::socks(
 concat::fragment { '02.socks':
 content => template('tor/torrc.socks.erb'),
- order => 02,
+ order => '02',
 target => $tor::daemon::config_file,
 }
 }
diff --git a/manifests/daemon/transparent.pp b/manifests/daemon/transparent.pp
index b5e9bc5..6ac7b44 100644
--- a/manifests/daemon/transparent.pp
+++ b/manifests/daemon/transparent.pp
@@ -7,7 +7,7 @@ define tor::daemon::transparent(
 concat::fragment { "09.transparent.${name}":
 ensure => $ensure,
 content => template('tor/torrc.transparent.erb'),
- order => 09,
+ order => '09',
 target => $tor::daemon::config_file,
 }
 }
-- cgit v1.2.3
From 24f919c9ffcff07a0ff0a5157ed5f5661c784b12 Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 4 Sep 2016 20:27:28 +0200
Subject: fix #2 - mention correct class
---
README | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index 7777438..188acca 100644
--- a/README
+++ b/README
@@ -113,7 +113,7 @@ Installing torsocks To install torsocks, simply include the 'torsocks' class in your manifests:
- class { 'torsocks': }
+ class { 'tor::torsocks': }
 You can specify the $ensure_version class parameter to get a specific version installed.
-- cgit v1.2.3
From d08f07eae13d02431b1c4142634f49e978b551de Mon Sep 17 00:00:00 2001
From: mh
Date: Sun, 4 Sep 2016 21:00:45 +0200
Subject: make module also work on EL7 * user is different * user must not be managed * make access more safe, it doesn't make sense that the user running the daemon owns the config, nor the config directory.
---
manifests/base.pp | 9 ++++++-
manifests/daemon/base.pp | 56 +++++++++++++++++++------------------
manifests/daemon/directory.pp | 5 ++--
manifests/daemon/params.pp | 18 ++++++++++++
manifests/munin.pp | 3 ++-
5 files changed, 56 insertions(+), 35 deletions(-)
create mode 100644 manifests/daemon/params.pp
diff --git a/manifests/base.pp b/manifests/base.pp
index b98451b..31b9edb 100644
--- a/manifests/base.pp
+++ b/manifests/base.pp
@@ -1,8 +1,15 @@
 # basic management of resources for tor
 class tor::base {
- package { [ 'tor', 'tor-geoipdb' ]:
+ package {'tor':
 ensure => $tor::ensure_version,
 }
+ case $osfamily {
+ 'Debian': {
+ package {'tor-geoipdb':
+ ensure => $tor::ensure_version,
+ }
+ }
+ }
 service { 'tor':
 ensure => running,
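Review bot: the new `case $osfamily` block in manifests/base.pp has no `default` arm, so on any other osfamily it silently installs nothing, and it reads the fact unqualified while repo.pp in this same series uses `$::osfamily`; the new manifests/daemon/params.pp in this same commit has the same unqualified read. Using `$::osfamily` in both places, adding an explicit `default: {}`, and a comment such as `# tor-geoipdb only ships as a separate package on Debian` would make the intent clear. The enclosing class continues outside the hunk.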
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
index 5db3e31..217a122 100644
--- a/manifests/daemon/base.pp
+++ b/manifests/daemon/base.pp
@@ -1,54 +1,48 @@
 # extend basic tor things with a snippet based daemon configuration
 class tor::daemon::base inherits tor::base {
- # packages, user, group
- Package[ 'tor' ] {
- require => File[$tor::daemon::data_dir],
- }
+ include ::tor::daemon::params
- group { 'debian-tor':
- ensure => present,
- allowdupe => false,
- }
+ if $tor::daemon::params::manage_user {
+ group { $tor::daemon::params::group:
+ ensure => present,
+ allowdupe => false,
+ }
- user { 'debian-tor':
- ensure => present,
- allowdupe => false,
- comment => 'tor user,,,',
- home => $tor::daemon::data_dir,
- shell => '/bin/false',
- gid => 'debian-tor',
- require => Group['debian-tor'],
+ user { $tor::daemon::params::user:
+ ensure => present,
+ allowdupe => false,
+ comment => 'tor user,,,',
+ home => $tor::daemon::data_dir,
+ shell => '/bin/false',
+ gid => $tor::daemon::params::group,
+ require => Group[$tor::daemon::params::group],
+ }
 }
 # directories
 file { $tor::daemon::data_dir:
 ensure => directory,
- mode => '0700',
- owner => 'debian-tor',
- group => 'debian-tor',
- require => User['debian-tor'],
+ mode => '0750',
+ owner => $tor::daemon::params::user,
+ group => 'root',
+ require => Package['tor'],
 }
 file { '/etc/tor':
 ensure => directory,
 mode => '0755',
- owner => 'debian-tor',
- group => 'debian-tor',
- require => User['debian-tor'],
- }
-
- file { '/var/lib/puppet/modules/tor':
- ensure => absent,
- recurse => true,
- force => true,
+ owner => 'root',
+ group => 'root',
+ require => Package['tor'],
 }
 # tor configuration file
 concat { $tor::daemon::config_file:
 mode => '0600',
- owner => 'debian-tor',
- group => 'debian-tor',
+ owner => 'root',
+ group => 'root',
+ require => Package['tor'],
 notify => Service['tor'],
 }
diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp
index 8a90899..4dc2afa 100644
--- a/manifests/daemon/directory.pp
+++ b/manifests/daemon/directory.pp
@@ -12,12 +12,13 @@ define tor::daemon::directory (
 target => $tor::daemon::config_file,
 }
+ include ::tor::daemon::params
 file { '/etc/tor/tor-exit-notice.html':
 ensure => $ensure,
 source => 'puppet:///modules/tor/tor-exit-notice.html',
 require => File['/etc/tor'],
- owner => 'debian-tor',
- group => 'debian-tor',
+ owner => $tor::daemon::params::user,
+ group => $tor::daemon::params::group,
 mode => '0644',
 }
 }
diff --git a/manifests/daemon/params.pp b/manifests/daemon/params.pp
new file mode 100644
index 0000000..b2d8e34
--- /dev/null
+++ b/manifests/daemon/params.pp
@@ -0,0 +1,18 @@
+# setup variables for different distributions
+class tor::daemon::params {
+
+ case $osfamily {
+ 'RedHat': {
+ $user = 'toranon'
+ $group = 'toranon'
+ $manage_user = false
+ }
+ 'Debian': {
+ $user = 'debian-tor'
+ $group = 'debian-tor'
+ $manage_user = true
+ }
+ default: { fail("No support for osfamily ${osfamily}") }
+ }
+
+}
diff --git a/manifests/munin.pp b/manifests/munin.pp
index ef71f57..1b043f1 100644
--- a/manifests/munin.pp
+++ b/manifests/munin.pp
@@ -7,8 +7,9 @@ class tor::munin {
 cookie_auth_file => '/var/run/tor/control.authcookie',
 }
+ include ::tor::daemon::params
 Munin::Plugin::Deploy {
- config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051"
+ config => "user ${tor::daemon::params::user}\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051"
 }
 munin::plugin::deploy {
 'tor_openfds':
-- cgit v1.2.3
From 5c4d6c56d9fc0c006e43e4bbeea9d755f44fe10b Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Oct 2016 02:02:43 +0200
Subject: redhat & debian have different modes
---
manifests/daemon/base.pp | 2 +-
manifests/daemon/params.pp | 14 ++++++++------
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
index 217a122..ec42cb6 100644
--- a/manifests/daemon/base.pp
+++ b/manifests/daemon/base.pp
@@ -23,7 +23,7 @@ class tor::daemon::base inherits tor::base {
 # directories
 file { $tor::daemon::data_dir:
 ensure => directory,
- mode => '0750',
+ mode => $tor::daemon::params::data_dir_mode,
 owner => $tor::daemon::params::user,
 group => 'root',
 require => Package['tor'],
diff --git a/manifests/daemon/params.pp b/manifests/daemon/params.pp
index b2d8e34..0c35cd6 100644
--- a/manifests/daemon/params.pp
+++ b/manifests/daemon/params.pp
@@ -3,14 +3,16 @@ class tor::daemon::params {
 case $osfamily {
 'RedHat': {
- $user = 'toranon'
- $group = 'toranon'
- $manage_user = false
+ $user = 'toranon'
+ $group = 'toranon'
+ $manage_user = false
+ $data_dir_mode = '0750'
 }
 'Debian': {
- $user = 'debian-tor'
- $group = 'debian-tor'
- $manage_user = true
+ $user = 'debian-tor'
+ $group = 'debian-tor'
+ $manage_user = true
+ $data_dir_mode = '0700'
 }
 default: { fail("No support for osfamily ${osfamily}") }
 }
-- cgit v1.2.3
From c87feabd8cb4351fd1c5d6abb574c58a6f2f8dc5 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 7 Oct 2016 02:28:57 +0200
Subject: linting
---
manifests/daemon/base.pp | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
index ec42cb6..24a8278 100644
--- a/manifests/daemon/base.pp
+++ b/manifests/daemon/base.pp
@@ -39,11 +39,11 @@ class tor::daemon::base inherits tor::base {
 # tor configuration file
 concat { $tor::daemon::config_file:
- mode => '0600',
- owner => 'root',
- group => 'root',
+ mode => '0600',
+ owner => 'root',
+ group => 'root',
 require => Package['tor'],
- notify => Service['tor'],
+ notify => Service['tor'],
 }
 # config file headers
-- cgit v1.2.3
From 6f1172ec053a1c095624d73aa9f0f020c36ca1ed Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 14 Oct 2016 05:02:00 +0200
Subject: that the tor daemon can actually reread its config, so it must be readable by the user running it
---
manifests/daemon/base.pp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
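Review bot: the RedHat arm of params.pp sets `$data_dir_mode = '0750'` while the `file { $tor::daemon::data_dir: ... }` resource in the first hunk keeps `group => 'root'`, so on EL7 the DataDirectory, which holds the relay and hidden-service private keys, becomes group-accessible. Tor refuses to start when its DataDirectory is group- or world-accessible unless `DataDirectoryGroupReadable` is set in torrc; I have not checked what mode the EPEL package ships, so this is worth confirming on a live EL7 host. A comment on the RedHat arm such as `# 0750 matches what the EPEL package creates; 0700 makes tor fail its permission check there` (or whatever the actual reason is) would save the next reader the same question.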
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
index 24a8278..335c5e4 100644
--- a/manifests/daemon/base.pp
+++ b/manifests/daemon/base.pp
@@ -39,9 +39,9 @@ class tor::daemon::base inherits tor::base {
 # tor configuration file
 concat { $tor::daemon::config_file:
- mode => '0600',
+ mode => '0640',
 owner => 'root',
- group => 'root',
+ group => $tor::daemon::params::group,
 require => Package['tor'],
 notify => Service['tor'],
 }
-- cgit v1.2.3
From 40ad50af8fb8c27a1000b335617573cffa1b4340 Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 14 Oct 2016 20:18:50 +0200
Subject: support repo for RedHat based systems
---
manifests/repo.pp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/manifests/repo.pp b/manifests/repo.pp
index f625599..7637f61 100644
--- a/manifests/repo.pp
+++ b/manifests/repo.pp
@@ -9,6 +9,9 @@ class tor::repo (
 $location = 'https://deb.torproject.org/torproject.org/'
 class { 'tor::repo::debian': }
 }
+ 'RedHat': {
+ # no need as EPEL is the relevant reference
+ }
 default: {
 fail("Unsupported managed repository for osfamily: ${::osfamily}, operatingsystem: ${::operatingsystem}, module ${module_name} currently only supports managing repos for osfamily Debian and Ubuntu")
 }
-- cgit v1.2.3
From 83eeff12c4eefc0847eca0f3357f03ffadd70daa Mon Sep 17 00:00:00 2001
From: mh
Date: Fri, 14 Oct 2016 20:19:25 +0200
Subject: linting
---
manifests/repo.pp | 1 +
1 file changed, 1 insertion(+)
diff --git a/manifests/repo.pp b/manifests/repo.pp
index 7637f61..6770feb 100644
--- a/manifests/repo.pp
+++ b/manifests/repo.pp
@@ -1,3 +1,4 @@
+# add upstream repositories of torproject
 class tor::repo (
 $ensure = present,
 $source_name = 'torproject.org',
-- cgit v1.2.3
From 0329bdf2c0b2c157cf80c15f7dde580fbd243e3c Mon Sep 17 00:00:00 2001
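Review bot: with `mode => '0640'` and `group => $tor::daemon::params::group` the whole assembled torrc — including the control fragment that was explicitly 0600 before fragment permissions were dropped earlier in this series, i.e. any HashedControlPassword or bridge lines — is now readable by every account in the tor group, not only the daemon. That is a reasonable trade-off for a daemon that has to reread its config, but it relies on the group having no other members; a one-line comment such as `# group-readable so the daemon can reload; keep the tor group limited to the daemon account` would record the assumption next to the resource.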
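Review bot: the new `'RedHat': { ... }` arm in repo.pp accepts the class silently while the `default:` message two lines below still says the module "currently only supports managing repos for osfamily Debian and Ubuntu", so the error text no longer describes the case split. The arm also ignores `$ensure`, `$source_name` and the other class parameters without saying so; replacing the comment with `# RedHat: nothing is managed here, the tor package is expected from EPEL, so the class parameters have no effect on this osfamily` and updating the fail() text would make both explicit. The enclosing case statement and class continue outside the hunk.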
From: mh
Date: Fri, 21 Oct 2016 17:46:09 +0200
Subject: add a testing boilerplate
---
.gitignore | 8 +++++-
Gemfile | 48 ++++++++++++++++++++++++++++++++++++
Rakefile | 7 ++++++
spec/puppetlabs_spec_helper_clone.rb | 34 +++++++++++++++++++++++++
spec/spec_helper.rb | 48 ++++++++++++++++++++++++++++++++++++
5 files changed, 144 insertions(+), 1 deletion(-)
create mode 100644 Gemfile
create mode 100644 Rakefile
create mode 100644 spec/puppetlabs_spec_helper_clone.rb
create mode 100755 spec/spec_helper.rb
diff --git a/.gitignore b/.gitignore
index 1377554..0669604 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,7 @@
-*.swp
+.tmp_*~
+.librarian
+.tmp
+spec/fixtures/modules
+spec/fixtures/manifests
+spec/fixtures/tmp
+*.lock
diff --git a/Gemfile b/Gemfile
new file mode 100644
index 0000000..d4109b9
--- /dev/null
+++ b/Gemfile
@@ -0,0 +1,48 @@ +source ENV['GEM_SOURCE'] || 'https://rubygems.org' + +def location_for(place, fake_version = nil) + if place =~ /^(git[:@][^#]*)#(.*)/ + [fake_version, { :git => $1, :branch => $2, :require => false }].compact + elsif place =~ /^file:\/\/(.*)/ + ['>= 0', { :path => File.expand_path($1), :require => false }] + else + [place, { :require => false }] + end +end + +group :development, :unit_tests do + # rspec must be v2 for ruby 1.8.7 + if RUBY_VERSION >= '1.8.7' and RUBY_VERSION < '1.9' + gem 'rspec', '~> 2.0' + else + gem 'rspec', '~> 3.1.0', :require => false + end + + gem 'rake', '~> 10.1.0', :require => false + gem 'rspec-puppet', '~> 2.2', :require => false + gem 'mocha', :require => false + # keep for its rake task for now + gem 'puppetlabs_spec_helper', :require => false + gem 'puppet-lint', :require => false + gem 'metadata-json-lint', :require => false + gem 'pry', :require => false + gem 'simplecov', :require => false +end + +facterversion = ENV['GEM_FACTER_VERSION'] || ENV['FACTER_GEM_VERSION'] +if facterversion + gem 'facter', *location_for(facterversion) +else + gem 'facter', :require => false +end + +puppetversion = ENV['GEM_PUPPET_VERSION'] || ENV['PUPPET_GEM_VERSION'] +if puppetversion + gem 'puppet', *location_for(puppetversion) +else + gem 'puppet', :require => false +end + +gem 'base32' + +# vim:ft=ruby diff --git a/Rakefile b/Rakefile new file mode 100644 index 0000000..e136b8e --- /dev/null +++ b/Rakefile @@ -0,0 +1,7 @@ +require 'rubygems' +# keep for compatibility for now +require 'puppetlabs_spec_helper/rake_tasks' +require 'puppet-lint/tasks/puppet-lint' +PuppetLint.configuration.send('disable_80chars') +PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"] + diff --git a/spec/puppetlabs_spec_helper_clone.rb b/spec/puppetlabs_spec_helper_clone.rb new file mode 100644 index 0000000..6a94a3b --- /dev/null +++ b/spec/puppetlabs_spec_helper_clone.rb 
@@ -0,0 +1,34 @@ +#This file pulls in only the minimum necessary to let unmigrated specs still work + +# Define the main module namespace for use by the helper modules +module PuppetlabsSpec + # FIXTURE_DIR represents the standard locations of all fixture data. Normally + # this represents /spec/fixtures. This will be used by the fixtures + # library to find relative fixture data. + FIXTURE_DIR = File.join("spec", "fixtures") unless defined?(FIXTURE_DIR) +end + +# Require all necessary helper libraries so they can be used later +require 'puppetlabs_spec_helper/puppetlabs_spec/files' +require 'puppetlabs_spec_helper/puppetlabs_spec/fixtures' +#require 'puppetlabs_spec_helper/puppetlabs_spec/puppet_internals' +require 'puppetlabs_spec_helper/puppetlabs_spec/matchers' + +RSpec.configure do |config| + # Include PuppetlabsSpec helpers so they can be called at convenience + config.extend PuppetlabsSpec::Files + config.extend PuppetlabsSpec::Fixtures + config.include PuppetlabsSpec::Fixtures + + config.parser = 'future' if ENV['FUTURE_PARSER'] == 'yes' + config.strict_variables = true if ENV['STRICT_VARIABLES'] == 'yes' + config.stringify_facts = false if ENV['STRINGIFY_FACTS'] == 'no' + config.trusted_node_data = true if ENV['TRUSTED_NODE_DATA'] == 'yes' + config.ordering = ENV['ORDERING'] if ENV['ORDERING'] + + # This will cleanup any files that were created with tmpdir or tmpfile + config.after :each do + PuppetlabsSpec::Files.cleanup + end +end + diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb new file mode 100755 index 0000000..66cfb3b --- /dev/null +++ b/spec/spec_helper.rb 
@@ -0,0 +1,48 @@ +#! /usr/bin/env ruby -S rspec +dir = File.expand_path(File.dirname(__FILE__)) +$LOAD_PATH.unshift File.join(dir, 'lib') + +# So everyone else doesn't have to include this base constant. +module PuppetSpec + FIXTURE_DIR = File.join(dir = File.expand_path(File.dirname(__FILE__)), "fixtures") unless defined?(FIXTURE_DIR) +end + +require 'puppet' +require 'rspec-puppet' +require 'puppetlabs_spec_helper/module_spec_helper' +require 'mocha/api' +#require 'puppetlabs_spec_helper/module_spec_helper' +require 'puppetlabs_spec_helper_clone' + +# hack to enable all the expect syntax (like allow_any_instance_of) in rspec-puppet examples +RSpec::Mocks::Syntax.enable_expect(RSpec::Puppet::ManifestMatchers) + +RSpec.configure do |config| + config.module_path = File.join(File.dirname(File.expand_path(__FILE__)), 'fixtures', 'modules') + config.manifest_dir = File.join(File.dirname(File.expand_path(__FILE__)), 'fixtures', 'manifests') + config.environmentpath = spec_path = File.expand_path(File.join(Dir.pwd, 'spec')) + + config.add_setting :puppet_future + #config.puppet_future = (ENV['FUTURE_PARSER'] == 'yes' or Puppet.version.to_f >= 4.0) + config.puppet_future = Puppet.version.to_f >= 4.0 + + config.before :each do + # Ensure that we don't accidentally cache facts and environment between + # test cases. This requires each example group to explicitly load the + # facts being exercised with something like + # Facter.collection.loader.load(:ipaddress) + Facter.clear + Facter.clear_messages + + RSpec::Mocks.setup + end + + config.after :each do + RSpec::Mocks.verify + RSpec::Mocks.teardown + end +end + +# Helper class to test handling of arguments which are derived from string +class AlsoString < String +end -- cgit v1.2.3 From 826fd077aca94acf6a8d41d643b8f06ed7fb7090 Mon Sep 17 00:00:00 2001 
From: mh Date: Fri, 21 Oct 2016 17:54:08 +0200 Subject: add functions to support dealing with keys for onion addresses --- README | 17 +++++- lib/puppet/parser/functions/generate_onion_key.rb | 40 +++++++++++++ lib/puppet/parser/functions/onion_address.rb | 28 +++++++++ spec/functions/generate_onion_key_spec.rb | 73 +++++++++++++++++++++++ spec/functions/onion_address_spec.rb | 48 +++++++++++++++ 5 files changed, 205 insertions(+), 1 deletion(-) create mode 100644 lib/puppet/parser/functions/generate_onion_key.rb create mode 100644 lib/puppet/parser/functions/onion_address.rb create mode 100644 spec/functions/generate_onion_key_spec.rb create mode 100644 spec/functions/onion_address_spec.rb diff --git a/README b/README index 188acca..bf2968d 100644 --- a/README +++ b/README @@ -40,7 +40,8 @@ Dependencies This module needs: -- the concat module: git://labs.riseup.net/shared-concat +- the concat module: https://gitlab.com/shared-puppet-modules-group/concat +- the apt module https://gitlab.com/shared-puppet-modules-group/apt or https://github.com/puppetlabs/puppetlabs-apt/ Usage ===== @@ -212,3 +213,17 @@ If you are using munin, and have the puppet munin module installed, you can set the use_munin parameter to true when defining the tor::daemon class to have graphs setup for you. +Functions +========= + +This module comes with 2 functions specific to tor support. They require the base32 gem to be installed on the master or wherever they are executed. + +onion_address +------------- + +This function takes a 1024bit RSA private key as an argument and returns the onion address for a hidden service for that key. + +generate_onion_key +------------------ + +This function takes a path (on the puppetmaster!) and an identifier for a key and returns an array containing the matching onion address and the private key. The private key either exists under the supplied `path/key_identifier` or is being generated on the fly and stored under that path for the next execution. 
diff --git a/lib/puppet/parser/functions/generate_onion_key.rb b/lib/puppet/parser/functions/generate_onion_key.rb
new file mode 100644
index 0000000..2964268
--- /dev/null
+++ b/lib/puppet/parser/functions/generate_onion_key.rb
@@ -0,0 +1,40 @@
+module Puppet::Parser::Functions
+ newfunction(:generate_onion_key, :type => :rvalue, :doc => <<-EOS
+Generates or loads a rsa private key for an onion service, returns they onion
+onion address and the private key content.
+
+Requires a location to load and store the private key, as well an identifier, which will be used as a filename in the location.
+
+Example:
+
+ res = generate_onion_key('/tmp','my_secrect_key')
+ notice "Onion Address: \${res[0]"
+ notice "Priavte Key: \${res[1]"
+
+
+If /tmp/my_secrect_key.key exists, it will be loaded and the onion address will be generated from it.
+
+ EOS
+ ) do |args|
+ location = args.shift
+ identifier = args.shift
+
+ raise(Puppet::ParseError, "generate_onion_key(): requires 2 arguments") unless [location,identifier].all?{|i| !i.nil? }
+
+ raise(Puppet::ParseError, "generate_onion_key(): requires location (#{location}) to be a directory") unless File.directory?(location)
+ path = File.join(location,identifier)
+
+ private_key = if File.exists?(path)
+ pk = OpenSSL::PKey::RSA.new(File.read(path))
+ raise(Puppet::ParseError, "generate_onion_key(): key in path #{path} must have a length of 1024bit") unless (pk.n.num_bytes * 8) == 1024
+ pk
+ else
+ # 1024 is hardcoded by tor
+ pk = OpenSSL::PKey::RSA.generate(1024)
+ File.open(path,'w'){|f| f << pk.to_s }
+ pk
+ end
+
+ [ function_onion_address([private_key]), private_key.to_s ]
+ end
+end
diff --git a/lib/puppet/parser/functions/onion_address.rb b/lib/puppet/parser/functions/onion_address.rb
new file mode 100644
index 0000000..a3db2f4
--- /dev/null
+++ b/lib/puppet/parser/functions/onion_address.rb
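Review bot: `File.open(path,'w'){|f| f << pk.to_s }` creates the new private key with whatever umask the master process has, so on a typical setup the key lands world-readable; pass an explicit mode, `File.open(path, 'w', 0600) { |f| f << pk.to_s }`. The load branch checks the modulus size but not that the file actually holds a private key, so `raise(Puppet::ParseError, "...must be a private key") unless pk.private?` belongs next to the size check, and `identifier` is joined into the path unchecked, so a value containing `/` or `..` escapes `location` and should be rejected. `File.exists?` is the deprecated spelling of `File.exist?`. The docstring has typos and an unbalanced interpolation (`they onion onion`, `my_secrect_key`, `Priavte`, `\${res[0]` missing its closing brace) and says the key lives under `my_secrect_key.key` while the code uses the bare identifier as filename.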
@@ -0,0 +1,28 @@
+require 'base32'
+module Puppet::Parser::Functions
+ newfunction(:onion_address, :type => :rvalue, :doc => <<-EOS
+Generates an onion address from a 1024-bit RSA private key.
+
+Example:
+
+ onion_address("-----BEGIN RSA PRIVATE KEY-----
+MII....
+-----END RSA PRIVATE KEY-----")
+
+Returns the onionadress for that key, *without* the .onion suffix.
+ EOS
+ ) do |args|
+ key = args.shift
+ raise(Puppet::ParseError, "onion_address(): requires 1 argument") unless key && args.empty?
+ private_key = key.is_a?(OpenSSL::PKey::RSA) ? key : OpenSSL::PKey::RSA.new(key)
+
+ # the onion address are a base32 encoded string of the first half of the sha1 over the
+ # der format of the public key
+ # https://trac.torproject.org/projects/tor/wiki/doc/HiddenServiceNames#Howare.onionnamescreated
+ # We can skip the first 22 bits of the der format as they are ignored by tor
+ # https://timtaubert.de/blog/2014/11/using-the-webcrypto-api-to-generate-onion-names-for-tor-hidden-services/
+ # https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt#n525
+ public_key_der = private_key.public_key.to_der
+ Base32.encode(Digest::SHA1.digest(public_key_der[22..-1]))[0..15].downcase
+ end
+end
diff --git a/spec/functions/generate_onion_key_spec.rb b/spec/functions/generate_onion_key_spec.rb
new file mode 100644
index 0000000..07a9f91
--- /dev/null
+++ b/spec/functions/generate_onion_key_spec.rb
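Review bot: The function uses `OpenSSL::PKey::RSA` and `Digest::SHA1` but only requires `base32`, so it works only if something else on the master loaded those first; add `require 'openssl'` and `require 'digest/sha1'` beside `require 'base32'`. The doc promises a 1024-bit key, yet unlike generate_onion_key nothing checks the modulus size, and a malformed PEM surfaces as `OpenSSL::PKey::RSAError` rather than a `Puppet::ParseError`; rescuing that and re-raising as ParseError would keep the error surface consistent with the sibling function. The comment "skip the first 22 bits" should say bytes, since `public_key_der[22..-1]` slices a byte string.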
@@ -0,0 +1,73 @@ +require 'spec_helper' +require 'fileutils' + +describe 'generate_onion_key' do + before(:all) do + @tmp_path = File.expand_path(File.join(File.dirname(__FILE__),'..','fixtures','tmp')) + @test_path = File.join(@tmp_path,'test') + @drpsyff5srkctr7h_str = "-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQC9OUBOkL73n43ogC/Jma54/ZZDEpoisqpkGJHgbcRGJIxcqqfL +PbnT3hD5SUCVXxLnzWDCTwTe2VOzIUlBXmslwVXnCJh/XGZg9NHiNU3EAZTwu1g9 +8gNmmG1bymaoEBkuC1osijOj+CN+gzLzApiMbDxddpxTn70LWaSqMDbfdQIDAQAB +An88nBn9EGAa8QCDeIvWB2PbXV7EHTFB6/ioFzairIYx8YMEK6WTdDIRqw/EybHm +Jo3nseFMXAMzXmlw9zh/t76ZzE7ooYocSPIEzpu4gDRsa5/mqRCGajs8A8ooiHN5 +Tc9cHzIfhjOYhu3VxF0G9LTAC8nKdWQkHm+h+J6A6+wBAkEA2E6GcIdPGTSfaNRS +BHOpKUUSvH7W0e5fyYe221EhESdTFjVkaO5YN9HvcqYh27nik0azKgNj6PiE01FC +0q4fgQJBAN/ycGS3dX5WRXEOpbQ04LKyxCFMVgS+tN5ueDgbv/SxWAxidLYcVfbg +CcUA+L2OaQ95S97CxYlCLda10vIPOfUCQQCUvQJzFIgOlAHdqsovJ3011Lp6hVmg +h6K0SK8zhkkPq5PVnKdMBEEDOUfG9XgoyFyF20LN7ADirSlgyesCRhuBAkEAmuCE +MmNecn0fkUzb9IENVQik85JjeuyZEau8oLEwU/3CMu50YO2/1fijSQee/xlaN0Vf +3zM8geyu3urodFdrcQJBAMBcecMvo4ddZ/GnwpKJuXEhKSwQfPOeb8lK12NvKuVE +znq+qT/KbJlwy/27X/auCAzD5rJ9VVzyWiu8nnwICS8= +-----END RSA PRIVATE KEY-----\n" + end + describe 'signature validation' do + it { is_expected.not_to eq(nil) } + it { is_expected.to run.with_params().and_raise_error(Puppet::ParseError, /requires 2 arguments/) } + it { is_expected.to run.with_params(1).and_raise_error(Puppet::ParseError, /requires 2 arguments/) } + it { is_expected.to run.with_params('/etc/passwd','test').and_raise_error(Puppet::ParseError, /requires location \(\/etc\/passwd\) to be a directory/) } + describe 'with a key bigger than 1024' do + before(:each) do + FileUtils.mkdir_p(@tmp_path) unless File.directory?(@tmp_path) + File.open(@test_path,'w'){|f| f << OpenSSL::PKey::RSA.generate(2048) } + end + it { is_expected.to run.with_params(@tmp_path,'test').and_raise_error(Puppet::ParseError, /must have a length of 1024bit/) } + end + end + + describe 'normal operation' do + 
before(:all) do + FileUtils.rm_rf(@tmp_path) if File.exists?(@tmp_path) + FileUtils.mkdir_p(@tmp_path) + end + after(:all) do + FileUtils.rm_rf(@tmp_path) if File.exists?(@tmp_path) + end + let(:return_value) { + scope.function_generate_onion_key([@tmp_path,'test']) + } + context 'without an existing key' do + it 'returns an onion address and a key ' do + expect(return_value.size).to be(2) + end + it 'creates and stores the key' do + expect(return_value.last).to be_eql(File.read(File.join(@tmp_path,'test'))) + end + it 'returns a proper onion address' do + expect(return_value.first).to be_eql(scope.function_onion_address([File.read(File.join(@tmp_path,'test'))])) + end + it 'does not recreate a key once created' do + expect(scope.function_generate_onion_key([@tmp_path,'test'])).to be_eql(scope.function_generate_onion_key([@tmp_path,'test'])) + end + it 'creates to different keys for different names' do + expect(scope.function_generate_onion_key([@tmp_path,'test']).first).to_not be_eql(scope.function_generate_onion_key([@tmp_path,'test2'])) + end + end + context 'with an existing key' do + before(:all) do + File.open(@test_path,'w'){|f| f << @drpsyff5srkctr7h_str } + end + it { is_expected.to run.with_params(@tmp_path,'test').and_return(['drpsyff5srkctr7h',@drpsyff5srkctr7h_str]) } + end + end +end diff --git a/spec/functions/onion_address_spec.rb b/spec/functions/onion_address_spec.rb new file mode 100644 index 0000000..942d022 --- /dev/null +++ b/spec/functions/onion_address_spec.rb 
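Review bot: The example 'creates to different keys for different names' compares `.first` of one call (a string) with the entire two-element array returned by the other, so the two can never be equal and the expectation passes vacuously; compare `.first` on both sides: `expect(scope.function_generate_onion_key([@tmp_path,'test']).first).to_not be_eql(scope.function_generate_onion_key([@tmp_path,'test2']).first)`. The description should also read 'two different keys'. The 'signature validation' group writes a 2048-bit key into `@test_path` but never removes it; the later `before(:all)` in 'normal operation' happens to clean up, which is an ordering dependency worth an `after(:each)` of its own.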
@@ -0,0 +1,48 @@ +require 'spec_helper' + +describe 'onion_address' do + describe 'signature validation' do + it { is_expected.not_to eq(nil) } + it { is_expected.to run.with_params().and_raise_error(Puppet::ParseError, /requires 1 argument/) } + it { is_expected.to run.with_params(1,2).and_raise_error(Puppet::ParseError, /requires 1 argument/) } + end + + describe 'normal operation' do + it { is_expected.to run.with_params( +"-----BEGIN RSA PRIVATE KEY----- +MIICXAIBAAKBgQC9OUBOkL73n43ogC/Jma54/ZZDEpoisqpkGJHgbcRGJIxcqqfL +PbnT3hD5SUCVXxLnzWDCTwTe2VOzIUlBXmslwVXnCJh/XGZg9NHiNU3EAZTwu1g9 +8gNmmG1bymaoEBkuC1osijOj+CN+gzLzApiMbDxddpxTn70LWaSqMDbfdQIDAQAB +An88nBn9EGAa8QCDeIvWB2PbXV7EHTFB6/ioFzairIYx8YMEK6WTdDIRqw/EybHm +Jo3nseFMXAMzXmlw9zh/t76ZzE7ooYocSPIEzpu4gDRsa5/mqRCGajs8A8ooiHN5 +Tc9cHzIfhjOYhu3VxF0G9LTAC8nKdWQkHm+h+J6A6+wBAkEA2E6GcIdPGTSfaNRS +BHOpKUUSvH7W0e5fyYe221EhESdTFjVkaO5YN9HvcqYh27nik0azKgNj6PiE01FC +0q4fgQJBAN/ycGS3dX5WRXEOpbQ04LKyxCFMVgS+tN5ueDgbv/SxWAxidLYcVfbg +CcUA+L2OaQ95S97CxYlCLda10vIPOfUCQQCUvQJzFIgOlAHdqsovJ3011Lp6hVmg +h6K0SK8zhkkPq5PVnKdMBEEDOUfG9XgoyFyF20LN7ADirSlgyesCRhuBAkEAmuCE +MmNecn0fkUzb9IENVQik85JjeuyZEau8oLEwU/3CMu50YO2/1fijSQee/xlaN0Vf +3zM8geyu3urodFdrcQJBAMBcecMvo4ddZ/GnwpKJuXEhKSwQfPOeb8lK12NvKuVE +znq+qT/KbJlwy/27X/auCAzD5rJ9VVzyWiu8nnwICS8= +-----END RSA PRIVATE KEY-----" + ).and_return("drpsyff5srkctr7h")} + end + describe 'by getting an RSA key' do + it { is_expected.to run.with_params(OpenSSL::PKey::RSA.new( +"-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDbvYjbtJB9vTnEygyq4Bzp0xxtTl3ZYKC6JbxgRzP8uLv1HoxX +20EmQUZ/LNBXHebc6frlObhtpKULFuBzAy5LpdKI9CUErkl3D3AigFgP3XP/PtdP +m11TuxdBoKL6Jbo54NpUVOGQ5SJJaNEOfhmgMSCtlyyI9DBni3PLO2P0sQIDAQAB +AoGAPTlt7Gk+6QnUErSJGwMeize67+mp1GtL3RGujtTH8141YHKGf+QjHtmJHt4J +nnxCWsMGmN+gN0xsf8578w+r0fvDjZ3e5lVUpR/8ds90a654Lr/pgqLc3H1EZ9Pr +GDFjPdaMtdTSX5hSAB2EDLfDUU19bdFRK+k71mglrMLpdQECQQDmJt3mmX67kAzH +w2I/BEbmOlonmn3c98VyawoNrk0fKAluoYWHxxk9SuCu2ZDQyyPKPQuZbgdPnUNp 
+kV3PuQ6ZAkEA9GtTjMfceX8ArLTmOMIMVP2t8yzbcK2uqukMG79JiPZbYKIstjho +XUpO/jZhTb9p8M4NV/09z091gMTOF6Fd2QJBAM1I7bS6ROhX3I5yIDfFQNgqRC// +BTULa/par2T0i6W2uHMNb2VkmYaqOy66sQkLqKjDOo1oLu08gNyw5NRbZEECQQCr +FDR25a28nNisCjLap3haRPXssAko5WjM2DJReaLO6yEqklkZcoIaSljgNtAEy2Yr +1w4f+HG7GbL1XsuiXqCBAkAeYljaIVhqGOOez0ORaCm0FCLoTJ6/fn7009os/qgr +n2xsVGUNm+E0pvAMT0LIx2KvpLxe2Y0Xx497/vyM6e7G +-----END RSA PRIVATE KEY-----") + ).and_return("d3ep6pcs4to4hbwo") } + end +end -- cgit v1.2.3 From 4510682dff23142df5de4cfcc988e4319fcb73cd Mon Sep 17 00:00:00 2001 From: mh Date: Mon, 31 Oct 2016 23:15:18 +0100 Subject: add a default set of specs so that the minimum is tested --- Gemfile | 1 + Rakefile | 10 +++++++ metadata.json | 71 +++++++++++++++++++++++++++++++++++++++++++++ spec/classes/base_spec.rb | 44 ++++++++++++++++++++++++++++ spec/classes/daemon_spec.rb | 31 ++++++++++++++++++++ spec/classes/init_spec.rb | 27 +++++++++++++++++ 6 files changed, 184 insertions(+) create mode 100644 metadata.json create mode 100644 spec/classes/base_spec.rb create mode 100644 spec/classes/daemon_spec.rb create mode 100644 spec/classes/init_spec.rb diff --git a/Gemfile b/Gemfile index d4109b9..f182839 100644 --- a/Gemfile +++ b/Gemfile @@ -24,6 +24,7 @@ group :development, :unit_tests do # keep for its rake task for now gem 'puppetlabs_spec_helper', :require => false gem 'puppet-lint', :require => false + gem 'librarian-puppet', :require => false gem 'metadata-json-lint', :require => false gem 'pry', :require => false gem 'simplecov', :require => false diff --git a/Rakefile b/Rakefile index e136b8e..0c37d3b 100644 --- a/Rakefile +++ b/Rakefile 
@@ -5,3 +5,13 @@ require 'puppet-lint/tasks/puppet-lint' PuppetLint.configuration.send('disable_80chars') PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"] +# use librarian-puppet to manage fixtures instead of .fixtures.yml +# offers more possibilities like explicit version management, forge downloads,... +task :librarian_spec_prep do + sh "librarian-puppet install --path=spec/fixtures/modules/" + pwd = `pwd`.strip + unless File.directory?("#{pwd}/spec/fixtures/modules/tor") + sh "ln -s #{pwd} #{pwd}/spec/fixtures/modules/tor" + end +end +task :spec_prep => :librarian_spec_prep diff --git a/metadata.json b/metadata.json new file mode 100644 index 0000000..d83f0cb --- /dev/null +++ b/metadata.json @@ -0,0 +1,71 @@ +{ + "name": "duritong-tor", + "version": "0.0.1", + "author": "duritong and others", + "summary": "Manage tor and its components", + "description": "Manage tor and its components", + "license": "GPLv3", + "source": "https://github.com/duritong/puppet-tor", + "project_page": "https://github.com/duritong/puppet-tor", + "issues_url": "https://github.com/duritong/puppet-tor/issues", + "operatingsystem_support": [ + { + "operatingsystem": "RedHat", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "CentOS", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "OracleLinux", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Scientific", + "operatingsystemrelease": [ + "7" + ] + }, + { + "operatingsystem": "Debian", + "operatingsystemrelease": [ + "6", + "7", + "8" + ] + }, + { + "operatingsystem": "Ubuntu", + "operatingsystemrelease": [ + "10.04", + "12.04", + "14.04", + "16.04" + ] + } + ], + "requirements": [ + { + "name": "puppet", + "version_requirement": ">=2.7.20 <5.0.0" + } + ], + "dependencies": [ + { + "name": "puppetlabs-stdlib" + }, + { + "name": "puppetlabs-concat" + }, + { + "name": "puppetlabs-apt" + } + ] +} 
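Review bot: `sh "ln -s #{pwd} #{pwd}/spec/fixtures/modules/tor"` pushes the working-directory path through a shell, so a checkout under a path with spaces or shell metacharacters breaks or is misinterpreted; use `pwd = Dir.pwd` instead of backticks and `File.symlink(pwd, File.join(pwd, 'spec', 'fixtures', 'modules', 'tor'))` instead of `sh`. The `librarian-puppet install` line is fine as a fixed string with no interpolation.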
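Review bot: The `dependencies` entries name `puppetlabs-concat` and `puppetlabs-apt` with no `version_requirement`, while the README hunk earlier in this series points readers to the shared-puppet-modules-group concat (and either apt); one of the two documents should be reconciled, or the README should state that both are acceptable. Adding version ranges would also stop librarian-puppet from resolving an arbitrarily new major of those modules.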
diff --git a/spec/classes/base_spec.rb b/spec/classes/base_spec.rb new file mode 100644 index 0000000..7f288ec --- /dev/null +++ b/spec/classes/base_spec.rb @@ -0,0 +1,44 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'tor::base', :type => 'class' do + let(:default_facts) { + { + :osfamily => 'RedHat', + :operatingsystem => 'CentOS', + } + } + let(:facts){ default_facts } + let(:pre_condition){'include ::tor + Exec{path => "/bin"}' } + describe 'with standard' do + it { is_expected.to compile.with_all_deps } + + it { is_expected.to contain_package('tor').with_ensure('installed') } + it { is_expected.to_not contain_package('tor-geoipdb').with_ensure('installed') } + it { is_expected.to contain_service('tor').with( + :ensure => 'running', + :enable => 'true', + :hasrestart => 'true', + :hasstatus => 'true', + :require => 'Package[tor]', + ) } + context 'on Debian' do + let(:facts) { + { + :osfamily => 'Debian', + :operatingsystem => 'Debian', + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_package('tor').with_ensure('installed') } + it { is_expected.to contain_package('tor-geoipdb').with_ensure('installed') } + it { is_expected.to contain_service('tor').with( + :ensure => 'running', + :enable => 'true', + :hasrestart => 'true', + :hasstatus => 'true', + :require => 'Package[tor]', + ) } + end + end +end diff --git a/spec/classes/daemon_spec.rb b/spec/classes/daemon_spec.rb new file mode 100644 index 0000000..db5291d --- /dev/null +++ b/spec/classes/daemon_spec.rb 
@@ -0,0 +1,31 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'tor::daemon', :type => 'class' do + let(:default_facts) { + { + :osfamily => 'RedHat', + :operatingsystem => 'CentOS', + } + } + let(:facts){ default_facts } + let(:pre_condition){'Exec{path => "/bin"}' } + describe 'with standard' do + it { is_expected.to compile.with_all_deps } + + it { is_expected.to contain_class('tor') } + it { is_expected.to contain_class('tor::daemon::base') } + it { is_expected.to_not contain_class('tor::munin') } + context 'on Debian' do + let(:facts) { + { + :osfamily => 'Debian', + :operatingsystem => 'Debian', + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('tor') } + it { is_expected.to contain_class('tor::daemon::base') } + it { is_expected.to_not contain_class('tor::munin') } + end + end +end diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb new file mode 100644 index 0000000..be4f30b --- /dev/null +++ b/spec/classes/init_spec.rb @@ -0,0 +1,27 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'tor', :type => 'class' do + let(:default_facts) { + { + :osfamily => 'RedHat', + :operatingsystem => 'CentOS', + } + } + let(:facts){ default_facts } + let(:pre_condition){'Exec{path => "/bin"}' } + describe 'with standard' do + it { is_expected.to compile.with_all_deps } + + it { is_expected.to contain_class('tor::base') } + context 'on Debian' do + let(:facts) { + { + :osfamily => 'Debian', + :operatingsystem => 'Debian', + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('tor::base') } + end + end +end -- cgit v1.2.3 From 720c1670750345e8c361219a58c2722a603e26bb Mon Sep 17 00:00:00 2001 
From: mh Date: Tue, 1 Nov 2016 20:26:20 +0100 Subject: add support for onionbalance --- manifests/onionbalance.pp | 81 +++++++++++++++++++++++++++++++++ manifests/onionbalance/key.pp | 25 ++++++++++ manifests/onionbalance/keys.pp | 11 +++++ spec/classes/onionbalance_spec.rb | 60 ++++++++++++++++++++++++ templates/onionbalance/Debian.torrc.erb | 5 ++ templates/onionbalance/RedHat.torrc.erb | 13 ++++++ templates/onionbalance/config.yaml.erb | 10 ++++ 7 files changed, 205 insertions(+) create mode 100644 manifests/onionbalance.pp create mode 100644 manifests/onionbalance/key.pp create mode 100644 manifests/onionbalance/keys.pp create mode 100644 spec/classes/onionbalance_spec.rb create mode 100644 templates/onionbalance/Debian.torrc.erb create mode 100644 templates/onionbalance/RedHat.torrc.erb create mode 100644 templates/onionbalance/config.yaml.erb diff --git a/manifests/onionbalance.pp b/manifests/onionbalance.pp new file mode 100644 index 0000000..34831d3 --- /dev/null +++ b/manifests/onionbalance.pp 
@@ -0,0 +1,81 @@ +# manages an onionbalance installation +# +# Parameters: +# +# services: a hash of onionbalance service instances +# services => { +# keyname_of_service1 => { +# name1 => onionservice_addr_3, +# name2 => onionservice_addr_2, +# _key_content => content_of_key_of_onionbalanced_service1, +# }, +# } +# +class tor::onionbalance( + $services, +) { + + include ::tor + + case $osfamily { + 'Debian': { + $pkg_name = 'onionbalance' + $instance_file = '/etc/tor/instances/onionbalance/torrc' + $instance_user = '_tor-onionbalance' + exec{'/usr/sbin/tor-instance-create onionbalance': + creates => '/etc/tor/instances/onionbalance', + require => Package['tor'], + before => File[$instance_file], + } -> augeas{"manage_onionbalance_in_group_${instance_user}": + context => '/files/etc/group', + changes => [ "set ${instance_user}/user[last()+1] onionbalance" ], + onlyif => "match ${instance_user}/*[../user='onionbalance'] size == 0", + require => Package['onionbalance'], + } + } + 'RedHat': { + $instance_file = '/etc/tor/onionbalance.torrc' + $instance_user = 'toranon' + $pkg_name = 'python2-onionbalance' + } + default: { + fail("OSFamily ${osfamily} not (yet) supported for onionbalance") + } + } + + package{$pkg_name: + ensure => 'installed', + tag => 'onionbalance', + } -> file{ + '/etc/onionbalance/config.yaml': + content => template('tor/onionbalance/config.yaml.erb'), + owner => root, + group => $instance_user, + mode => '0640', + notify => Service['onionbalance']; + $instance_file: + content => template("tor/onionbalance/${osfamily}.torrc.erb"), + owner => root, + group => 0, + mode => '0644', + require => Package['tor'], + notify => Service['tor@onionbalance'], + } + + tor::onionbalance::keys{ + keys($services): + values => $services, + group => $instance_user, + } + + service{ + 'tor@onionbalance': + ensure => running, + enable => true; + 'onionbalance': + ensure => running, + enable => true, + subscribe => Service['tor@onionbalance']; + } + +} 
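Review bot: `case $osfamily` and `template("tor/onionbalance/${osfamily}.torrc.erb")` use the unqualified fact, whereas `tor::repo` in this series uses `$::osfamily`; qualifying it here too prevents a local variable from shadowing the fact. On Debian the augeas resource says `require => Package['onionbalance']`, which only works because `$pkg_name` happens to be 'onionbalance' on that branch; `require => Package[$pkg_name]` keeps the two from drifting apart. The `services` parameter documentation should state that `_key_content` is private key material that travels through the compiled catalog, so catalog caches and reports will contain it.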
diff --git a/manifests/onionbalance/key.pp b/manifests/onionbalance/key.pp new file mode 100644 index 0000000..e0016fc --- /dev/null +++ b/manifests/onionbalance/key.pp @@ -0,0 +1,25 @@ +# manage onionbalance keys +# +# key_content will be treated as path +# to a file containing the key content +# if the value starts with a / +# +define tor::onionbalance::key( + $key_content, + $group, +){ + + if $key_content =~ /^\// { + $content = file($key_content) + } else { + $content = $key_content + } + Package<| tag == 'onionbalance' |> -> file{ + "/etc/onionbalance/${name}.key": + content => $content, + owner => root, + group => $group, + mode => '0640', + notify => Service['onionbalance']; + } +} diff --git a/manifests/onionbalance/keys.pp b/manifests/onionbalance/keys.pp new file mode 100644 index 0000000..e3040f5 --- /dev/null +++ b/manifests/onionbalance/keys.pp @@ -0,0 +1,11 @@ +# a wrapper to manage onionbalance keys +define tor::onionbalance::keys( + $values, + $group, +) { + tor::onionbalance::key{ + $name: + key_content => $values[$name]['_key_content'], + group => $group, + } +} diff --git a/spec/classes/onionbalance_spec.rb b/spec/classes/onionbalance_spec.rb new file mode 100644 index 0000000..ff9bb27 --- /dev/null +++ b/spec/classes/onionbalance_spec.rb 
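Review bot: The `/etc/onionbalance/${name}.key` file resource holds private key material but does not set `show_diff => false`, so any content change is printed as a diff into the agent log and report; add `show_diff => false,` to the resource. The header comment should also say that a `key_content` starting with `/` is read with `file()` on the puppetmaster at compile time, not on the agent, since the current wording leaves that ambiguous.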
@@ -0,0 +1,60 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) + +describe 'tor::onionbalance', :type => 'class' do + let(:default_facts) { + { + :osfamily => 'RedHat', + :operatingsystem => 'CentOS', + } + } + let(:facts){ default_facts } + let(:pre_condition){'Exec{path => "/bin"}' } + let(:params){ + { + :services => { + 'keyname_of_service1' => { + 'name1' => 'onionservice_addr_3', + 'name2' => 'onionservice_addr_2', + '_key_content' => 'content_of_key_of_onionbalanced_service1', + }, + }, + } + } + describe 'with standard' do + it { is_expected.to compile.with_all_deps } + + it { is_expected.to contain_package('python2-onionbalance').with( + :ensure => 'installed', + ) } + it { is_expected.to contain_service('tor@onionbalance').with( + :ensure => 'running', + :enable => true, + ) } + it { is_expected.to contain_service('onionbalance').with( + :ensure => 'running', + :enable => true, + :subscribe => 'Service[tor@onionbalance]', + ) } + context 'on Debian' do + let(:facts) { + { + :osfamily => 'Debian', + :operatingsystem => 'Debian', + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_package('onionbalance').with( + :ensure => 'installed', + ) } + it { is_expected.to contain_service('tor@onionbalance').with( + :ensure => 'running', + :enable => true, + ) } + it { is_expected.to contain_service('onionbalance').with( + :ensure => 'running', + :enable => true, + :subscribe => 'Service[tor@onionbalance]', + ) } + end + end +end diff --git a/templates/onionbalance/Debian.torrc.erb b/templates/onionbalance/Debian.torrc.erb new file mode 100644 index 0000000..4b1afc4 --- /dev/null +++ b/templates/onionbalance/Debian.torrc.erb @@ -0,0 +1,5 @@ +# Tor config for the onionbalance management server +# --- +# The onionbalance service must be able to access the Tor control port. +ControlPort 9051 +SocksPort 0 
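Review bot: The Debian instance torrc opens `ControlPort 9051` but, unlike the RedHat template in the same commit, sets no `CookieAuthentication 1`; unless the instance's defaults torrc enables cookie authentication (not visible here), any local process could drive the control port unauthenticated. Adding `CookieAuthentication 1` and `CookieAuthFileGroupReadable 1` would match the RedHat template and lets the onionbalance user, placed in the instance group by the augeas resource, authenticate.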
diff --git a/templates/onionbalance/RedHat.torrc.erb b/templates/onionbalance/RedHat.torrc.erb new file mode 100644 index 0000000..023748b --- /dev/null +++ b/templates/onionbalance/RedHat.torrc.erb @@ -0,0 +1,13 @@ +# Tor config for the onionbalance management server +# --- +# The onionbalance service must be able to access the Tor control port. + +DataDirectory /var/lib/tor/onionbalance-data + +ControlPort 9051 +CookieAuthentication 1 +SocksPort 0 + +CookieAuthFileGroupReadable 1 +CookieAuthFile /run/tor/onionbalance.control.authcookie + diff --git a/templates/onionbalance/config.yaml.erb b/templates/onionbalance/config.yaml.erb new file mode 100644 index 0000000..3f45bd1 --- /dev/null +++ b/templates/onionbalance/config.yaml.erb @@ -0,0 +1,10 @@ +# OnionBalance Config File +services: +<% @services.keys.sort.each do |key| -%> +- instances: +<% (@services[key].keys - ['_key_content']).sort.each do |inst| -%> + - address: <%= @services[key][inst] %> + name: <%= inst %> +<% end -%> + key: <%= key %>.key +<% end -%> -- cgit v1.2.3 From 914df896d915cea5acade2732526d3bbc75b176d Mon Sep 17 00:00:00 2001 From: mh Date: Tue, 1 Nov 2016 21:29:31 +0100 Subject: make it possible to also add pregenerated private keys for onion services or even let them pregenerate on the fly --- .gitignore | 3 +- manifests/daemon/hidden_service.pp | 48 +++++++++++- spec/defines/daemon_hidden_service_spec.rb | 122 +++++++++++++++++++++++++++++ spec/tmp/.keep | 0 templates/torrc.hidden_service.erb | 2 +- 5 files changed, 170 insertions(+), 5 deletions(-) create mode 100644 spec/defines/daemon_hidden_service_spec.rb create mode 100644 spec/tmp/.keep diff --git a/.gitignore b/.gitignore index 0669604..d51c0ba 100644 --- a/.gitignore +++ b/.gitignore @@ -3,5 +3,6 @@ .tmp spec/fixtures/modules spec/fixtures/manifests -spec/fixtures/tmp +spec/tmp +!spec/tmp/.keep *.lock diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp index cf316b5..895fc53 100644 
--- a/manifests/daemon/hidden_service.pp +++ b/manifests/daemon/hidden_service.pp @@ -1,14 +1,56 @@ # hidden services definition define tor::daemon::hidden_service( - $ports = [], - $data_dir = $tor::daemon::data_dir, - $ensure = present ) { + $ensure = present, + $ports = [], + $data_dir = $tor::daemon::data_dir, + $private_key = undef, + $private_key_name = $name, + $private_key_store_path = undef, +) { + $data_dir_path = "${data_dir}/${name}" + include ::tor::daemon::params concat::fragment { "05.hidden_service.${name}": ensure => $ensure, content => template('tor/torrc.hidden_service.erb'), order => '05', target => $tor::daemon::config_file, } + if $private_key or ($private_key_name and $private_key_store_path) { + if $private_key and ($private_key_name and $private_key_store_path) { + fail("Either private_key OR (private_key_name AND private_key_store_path) must be set, but not all three of them") + } + if $private_key_store_path and $private_key_name { + $tmp = generate_onion_key($private_key_store_path,$private_key_name) + $os_hostname = $tmp[0] + $real_private_key = $tmp[1] + } else { + $os_hostname = onion_address($private_key) + $real_private_key = $private_key + } + file{ + $data_dir_path: + ensure => directory, + purge => true, + force => true, + recurse => true, + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, + mode => $tor::daemon::params::data_dir_mode, + require => Package['tor']; + "${data_dir_path}/private_key": + content => $real_private_key, + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, + mode => '0600', + notify => Service['tor']; + "${data_dir_path}/hostname": + content => "${os_hostname}.onion\n", + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, + mode => '0600', + notify => Service['tor']; + } + } } diff --git a/spec/defines/daemon_hidden_service_spec.rb b/spec/defines/daemon_hidden_service_spec.rb new file mode 100644 index 0000000..7a3aae6 
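Review bot: `$ensure` now only reaches the concat fragment; with `ensure => absent` the `file{}` resources for `$data_dir_path`, `private_key` and `hostname` are still enforced as present, so the key stays on disk after the service is removed — either propagate `ensure => $ensure` to those resources or wrap the block in an `if $ensure == 'present'` check. The `private_key` file also lacks `show_diff => false`, which on any content change prints the key into the agent log and report; add `show_diff => false,` to that resource. `purge => true, recurse => true` on the service directory removes anything tor itself writes there that Puppet does not manage, which deserves at least a why-comment if intended.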
--- /dev/null +++ b/spec/defines/daemon_hidden_service_spec.rb 
@@ -0,0 +1,122 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) +require 'openssl' + +describe 'tor::daemon::hidden_service', :type => 'define' do + let(:default_facts) { + { + :osfamily => 'RedHat', + :operatingsystem => 'CentOS', + } + } + let(:title){ 'test_os' } + let(:facts){ default_facts } + let(:pre_condition){'Exec{path => "/bin"} + include tor::daemon' } + describe 'with standard' do + it { is_expected.to compile.with_all_deps } + + it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with( + :ensure => 'present', + :content => /HiddenServiceDir \/var\/lib\/tor\/test_os/, + :order => '05', + :target => '/etc/tor/torrc', + )} + it { is_expected.to_not contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort/) } + it { is_expected.to_not contain_file('/var/lib/tor/test_os') } + context 'on Debian' do + let(:facts) { + { + :osfamily => 'Debian', + :operatingsystem => 'Debian', + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with( + :ensure => 'present', + :content => /HiddenServiceDir \/var\/lib\/tor\/test_os/, + :order => '05', + :target => '/etc/tor/torrc', + )} + it { is_expected.to_not contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort/) } + it { is_expected.to_not contain_file('/var/lib/tor/test_os') } + end + context 'with differt port params' do + let(:params){ + { + :ports => ['25','443 192.168.0.1:8443'] + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 25 127.0.0.1:25/) } + it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 443 192.168.0.1:8443/) } + it { is_expected.to_not contain_file('/var/lib/tor/test_os') } + end + context 'with private_key' do + let(:params){ + { + :ports => 
['80'], + :private_key => OpenSSL::PKey::RSA.generate(1024).to_s, + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 80 127.0.0.1:80/) } + it { is_expected.to contain_file('/var/lib/tor/test_os').with( + :ensure => 'directory', + :purge => true, + :force => true, + :recurse => true, + :owner => 'toranon', + :group => 'toranon', + :mode => '0750', + :require => 'Package[tor]', + )} + it { is_expected.to contain_file('/var/lib/tor/test_os/hostname').with( + :content => /^[a-z2-7]{16}\.onion\n/, + :owner => 'toranon', + :group => 'toranon', + :mode => '0600', + :notify => 'Service[tor]', + )} + it { is_expected.to contain_file('/var/lib/tor/test_os/private_key').with( + :owner => 'toranon', + :group => 'toranon', + :mode => '0600', + :notify => 'Service[tor]', + )} + end + context 'with private key to generate' do + let(:params){ + { + :ports => ['80'], + :private_key_name => 'test_os', + :private_key_store_path => File.expand_path(File.join(File.dirname(__FILE__),'..','tmp')), + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 80 127.0.0.1:80/) } + it { is_expected.to contain_file('/var/lib/tor/test_os').with( + :ensure => 'directory', + :purge => true, + :force => true, + :recurse => true, + :owner => 'toranon', + :group => 'toranon', + :mode => '0750', + :require => 'Package[tor]', + )} + it { is_expected.to contain_file('/var/lib/tor/test_os/hostname').with( + :content => /^[a-z2-7]{16}\.onion\n/, + :owner => 'toranon', + :group => 'toranon', + :mode => '0600', + :notify => 'Service[tor]', + )} + it { is_expected.to contain_file('/var/lib/tor/test_os/private_key').with( + :owner => 'toranon', + :group => 'toranon', + :mode => '0600', + :notify => 'Service[tor]', + )} + end + end +end 
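Review bot: The `with private key to generate` context points `private_key_store_path` at `spec/tmp`, so every run leaves a freshly generated RSA private key in the working tree next to the `.keep` file this commit adds (stored as `spec/tmp/test_os` by the function as it stands, `test_os.key` after the later store change on this page), and nothing in the diff removes or ignores it afterwards. Add an `after(:all) { FileUtils.rm_f(Dir[File.join(@tmp_path, 'test_os*')]) }`-style cleanup in the spec or an ignore rule for `spec/tmp/*` so a test key cannot be committed by accident. The two contexts also assert `:mode => '0750'` for the directory while the manifest sets `$tor::daemon::params::data_dir_mode`, which is fine only as long as that default stays 0750.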
diff --git a/spec/tmp/.keep b/spec/tmp/.keep new file mode 100644 index 0000000..e69de29 diff --git a/templates/torrc.hidden_service.erb b/templates/torrc.hidden_service.erb index 6a97351..77168d8 100644 --- a/templates/torrc.hidden_service.erb +++ b/templates/torrc.hidden_service.erb @@ -1,5 +1,5 @@ # hidden service <%= @name %> -HiddenServiceDir <%= @data_dir %>/<%= @name %> +HiddenServiceDir <%= @data_dir_path %> <% Array(@ports).each do |port| -%> HiddenServicePort <%= port =~ /^\d+$/ ? "#{port} 127.0.0.1:#{port}" : port %> <% end -%> -- cgit v1.2.3 From a51345c154ed58731eef7719492e492953c2531c Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 4 Nov 2016 15:11:11 +0100 Subject: make sure the onionservice directory has the right mode --- manifests/daemon/hidden_service.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp index 895fc53..1519b56 100644 --- a/manifests/daemon/hidden_service.pp +++ b/manifests/daemon/hidden_service.pp @@ -36,7 +36,7 @@ define tor::daemon::hidden_service( recurse => true, owner => $tor::daemon::params::user, group => $tor::daemon::params::group, - mode => $tor::daemon::params::data_dir_mode, + mode => '0600', require => Package['tor']; "${data_dir_path}/private_key": content => $real_private_key, -- cgit v1.2.3 From 34ef388fcfc92d37faad08ca9216d787a53e186c Mon Sep 17 00:00:00 2001 
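Review bot: `mode => '0600'` on the `$data_dir_path` directory resource is correct only because of a Puppet subtlety that deserves a comment: Puppet adds the search (execute) bit to directories wherever it sets a read bit, so the directory ends up 0700 while the files reached through `recurse => true` keep 0600, which is what tor wants — as far as I recall it refuses a HiddenServiceDir that is group- or world-accessible unless `HiddenServiceDirGroupReadable` is set. I would add above the `mode` line: `# 0600 becomes 0700 on the directory (Puppet adds the search bit) and 0600 on recursed files; tor rejects a group/world-accessible HiddenServiceDir`. The enclosing `file` declaration and the `tor::daemon::hidden_service` define start outside this hunk.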
From: mh Date: Fri, 4 Nov 2016 15:17:40 +0100 Subject: rename hidden service to onion service to follow the new naming conventions --- README | 2 +- manifests/daemon/hidden_service.pp | 56 ------------- manifests/daemon/onions_service.pp | 56 +++++++++++++ spec/defines/daemon_hidden_service_spec.rb | 122 ----------------------------- spec/defines/daemon_onion_service_spec.rb | 122 +++++++++++++++++++++++++++++ 5 files changed, 179 insertions(+), 179 deletions(-) delete mode 100644 manifests/daemon/hidden_service.pp create mode 100644 manifests/daemon/onions_service.pp delete mode 100644 spec/defines/daemon_hidden_service_spec.rb create mode 100644 spec/defines/daemon_onion_service_spec.rb diff --git a/README b/README index bf2968d..3b6c524 100644 --- a/README +++ b/README @@ -169,7 +169,7 @@ Configuring hidden services To configure a tor hidden service you can do something like the following: - tor::daemon::hidden_service { "hidden_ssh": ports => 22 } + tor::daemon::onion_service { "onion_ssh": ports => 22 } The HiddenServiceDir is set to the ${data_dir}/${name}. diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp deleted file mode 100644 index 1519b56..0000000 --- a/manifests/daemon/hidden_service.pp +++ /dev/null 
@@ -1,56 +0,0 @@ -# hidden services definition -define tor::daemon::hidden_service( - $ensure = present, - $ports = [], - $data_dir = $tor::daemon::data_dir, - $private_key = undef, - $private_key_name = $name, - $private_key_store_path = undef, -) { - - $data_dir_path = "${data_dir}/${name}" - include ::tor::daemon::params - concat::fragment { "05.hidden_service.${name}": - ensure => $ensure, - content => template('tor/torrc.hidden_service.erb'), - order => '05', - target => $tor::daemon::config_file, - } - if $private_key or ($private_key_name and $private_key_store_path) { - if $private_key and ($private_key_name and $private_key_store_path) { - fail("Either private_key OR (private_key_name AND private_key_store_path) must be set, but not all three of them") - } - if $private_key_store_path and $private_key_name { - $tmp = generate_onion_key($private_key_store_path,$private_key_name) - $os_hostname = $tmp[0] - $real_private_key = $tmp[1] - } else { - $os_hostname = onion_address($private_key) - $real_private_key = $private_key - } - file{ - $data_dir_path: - ensure => directory, - purge => true, - force => true, - recurse => true, - owner => $tor::daemon::params::user, - group => $tor::daemon::params::group, - mode => '0600', - require => Package['tor']; - "${data_dir_path}/private_key": - content => $real_private_key, - owner => $tor::daemon::params::user, - group => $tor::daemon::params::group, - mode => '0600', - notify => Service['tor']; - "${data_dir_path}/hostname": - content => "${os_hostname}.onion\n", - owner => $tor::daemon::params::user, - group => $tor::daemon::params::group, - mode => '0600', - notify => Service['tor']; - } - } -} - diff --git a/manifests/daemon/onions_service.pp b/manifests/daemon/onions_service.pp new file mode 100644 index 0000000..2625521 --- /dev/null +++ b/manifests/daemon/onions_service.pp 
@@ -0,0 +1,56 @@ +# onion services definition +define tor::daemon::onion_service( + $ensure = present, + $ports = [], + $data_dir = $tor::daemon::data_dir, + $private_key = undef, + $private_key_name = $name, + $private_key_store_path = undef, +) { + + $data_dir_path = "${data_dir}/${name}" + include ::tor::daemon::params + concat::fragment { "05.onion_service.${name}": + ensure => $ensure, + content => template('tor/torrc.onion_service.erb'), + order => '05', + target => $tor::daemon::config_file, + } + if $private_key or ($private_key_name and $private_key_store_path) { + if $private_key and ($private_key_name and $private_key_store_path) { + fail("Either private_key OR (private_key_name AND private_key_store_path) must be set, but not all three of them") + } + if $private_key_store_path and $private_key_name { + $tmp = generate_onion_key($private_key_store_path,$private_key_name) + $os_hostname = $tmp[0] + $real_private_key = $tmp[1] + } else { + $os_hostname = onion_address($private_key) + $real_private_key = $private_key + } + file{ + $data_dir_path: + ensure => directory, + purge => true, + force => true, + recurse => true, + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, + mode => '0600', + require => Package['tor']; + "${data_dir_path}/private_key": + content => $real_private_key, + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, + mode => '0600', + notify => Service['tor']; + "${data_dir_path}/hostname": + content => "${os_hostname}.onion\n", + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, + mode => '0600', + notify => Service['tor']; + } + } +} + diff --git a/spec/defines/daemon_hidden_service_spec.rb b/spec/defines/daemon_hidden_service_spec.rb deleted file mode 100644 index 7a3aae6..0000000 --- a/spec/defines/daemon_hidden_service_spec.rb +++ /dev/null 
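Review bot: The file is created as `manifests/daemon/onions_service.pp` but defines `tor::daemon::onion_service`, so Puppet's autoloader, which looks for `manifests/daemon/onion_service.pp`, will not find the define and `tor::daemon::onion_service { ... }` fails as an unknown resource type. The body also switches to `template('tor/torrc.onion_service.erb')` while this commit leaves the template at `templates/torrc.hidden_service.erb`, so even a manually loaded define would fail at compile time. Both are corrected by the later `store key & hostname` commit on this page, but this revision does not compile on its own.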
@@ -1,122 +0,0 @@ -require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) -require 'openssl' - -describe 'tor::daemon::hidden_service', :type => 'define' do - let(:default_facts) { - { - :osfamily => 'RedHat', - :operatingsystem => 'CentOS', - } - } - let(:title){ 'test_os' } - let(:facts){ default_facts } - let(:pre_condition){'Exec{path => "/bin"} - include tor::daemon' } - describe 'with standard' do - it { is_expected.to compile.with_all_deps } - - it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with( - :ensure => 'present', - :content => /HiddenServiceDir \/var\/lib\/tor\/test_os/, - :order => '05', - :target => '/etc/tor/torrc', - )} - it { is_expected.to_not contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort/) } - it { is_expected.to_not contain_file('/var/lib/tor/test_os') } - context 'on Debian' do - let(:facts) { - { - :osfamily => 'Debian', - :operatingsystem => 'Debian', - } - } - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with( - :ensure => 'present', - :content => /HiddenServiceDir \/var\/lib\/tor\/test_os/, - :order => '05', - :target => '/etc/tor/torrc', - )} - it { is_expected.to_not contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort/) } - it { is_expected.to_not contain_file('/var/lib/tor/test_os') } - end - context 'with differt port params' do - let(:params){ - { - :ports => ['25','443 192.168.0.1:8443'] - } - } - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 25 127.0.0.1:25/) } - it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 443 192.168.0.1:8443/) } - it { is_expected.to_not contain_file('/var/lib/tor/test_os') } - end - context 'with private_key' do - let(:params){ - { - :ports => 
['80'], - :private_key => OpenSSL::PKey::RSA.generate(1024).to_s, - } - } - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 80 127.0.0.1:80/) } - it { is_expected.to contain_file('/var/lib/tor/test_os').with( - :ensure => 'directory', - :purge => true, - :force => true, - :recurse => true, - :owner => 'toranon', - :group => 'toranon', - :mode => '0750', - :require => 'Package[tor]', - )} - it { is_expected.to contain_file('/var/lib/tor/test_os/hostname').with( - :content => /^[a-z2-7]{16}\.onion\n/, - :owner => 'toranon', - :group => 'toranon', - :mode => '0600', - :notify => 'Service[tor]', - )} - it { is_expected.to contain_file('/var/lib/tor/test_os/private_key').with( - :owner => 'toranon', - :group => 'toranon', - :mode => '0600', - :notify => 'Service[tor]', - )} - end - context 'with private key to generate' do - let(:params){ - { - :ports => ['80'], - :private_key_name => 'test_os', - :private_key_store_path => File.expand_path(File.join(File.dirname(__FILE__),'..','tmp')), - } - } - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_concat__fragment('05.hidden_service.test_os').with_content(/^HiddenServicePort 80 127.0.0.1:80/) } - it { is_expected.to contain_file('/var/lib/tor/test_os').with( - :ensure => 'directory', - :purge => true, - :force => true, - :recurse => true, - :owner => 'toranon', - :group => 'toranon', - :mode => '0750', - :require => 'Package[tor]', - )} - it { is_expected.to contain_file('/var/lib/tor/test_os/hostname').with( - :content => /^[a-z2-7]{16}\.onion\n/, - :owner => 'toranon', - :group => 'toranon', - :mode => '0600', - :notify => 'Service[tor]', - )} - it { is_expected.to contain_file('/var/lib/tor/test_os/private_key').with( - :owner => 'toranon', - :group => 'toranon', - :mode => '0600', - :notify => 'Service[tor]', - )} - end - end -end 
diff --git a/spec/defines/daemon_onion_service_spec.rb b/spec/defines/daemon_onion_service_spec.rb new file mode 100644 index 0000000..bf9641d --- /dev/null +++ b/spec/defines/daemon_onion_service_spec.rb 
@@ -0,0 +1,122 @@ +require File.expand_path(File.join(File.dirname(__FILE__),'../spec_helper')) +require 'openssl' + +describe 'tor::daemon::onion_service', :type => 'define' do + let(:default_facts) { + { + :osfamily => 'RedHat', + :operatingsystem => 'CentOS', + } + } + let(:title){ 'test_os' } + let(:facts){ default_facts } + let(:pre_condition){'Exec{path => "/bin"} + include tor::daemon' } + describe 'with standard' do + it { is_expected.to compile.with_all_deps } + + it { is_expected.to contain_concat__fragment('05.onion_service.test_os').with( + :ensure => 'present', + :content => /HiddenServiceDir \/var\/lib\/tor\/test_os/, + :order => '05', + :target => '/etc/tor/torrc', + )} + it { is_expected.to_not contain_concat__fragment('05.onion_service.test_os').with_content(/^HiddenServicePort/) } + it { is_expected.to_not contain_file('/var/lib/tor/test_os') } + context 'on Debian' do + let(:facts) { + { + :osfamily => 'Debian', + :operatingsystem => 'Debian', + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('05.onion_service.test_os').with( + :ensure => 'present', + :content => /HiddenServiceDir \/var\/lib\/tor\/test_os/, + :order => '05', + :target => '/etc/tor/torrc', + )} + it { is_expected.to_not contain_concat__fragment('05.onion_service.test_os').with_content(/^HiddenServicePort/) } + it { is_expected.to_not contain_file('/var/lib/tor/test_os') } + end + context 'with differt port params' do + let(:params){ + { + :ports => ['25','443 192.168.0.1:8443'] + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('05.onion_service.test_os').with_content(/^HiddenServicePort 25 127.0.0.1:25/) } + it { is_expected.to contain_concat__fragment('05.onion_service.test_os').with_content(/^HiddenServicePort 443 192.168.0.1:8443/) } + it { is_expected.to_not contain_file('/var/lib/tor/test_os') } + end + context 'with private_key' do + let(:params){ + { + :ports => ['80'], + 
:private_key => OpenSSL::PKey::RSA.generate(1024).to_s, + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('05.onion_service.test_os').with_content(/^HiddenServicePort 80 127.0.0.1:80/) } + it { is_expected.to contain_file('/var/lib/tor/test_os').with( + :ensure => 'directory', + :purge => true, + :force => true, + :recurse => true, + :owner => 'toranon', + :group => 'toranon', + :mode => '0750', + :require => 'Package[tor]', + )} + it { is_expected.to contain_file('/var/lib/tor/test_os/hostname').with( + :content => /^[a-z2-7]{16}\.onion\n/, + :owner => 'toranon', + :group => 'toranon', + :mode => '0600', + :notify => 'Service[tor]', + )} + it { is_expected.to contain_file('/var/lib/tor/test_os/private_key').with( + :owner => 'toranon', + :group => 'toranon', + :mode => '0600', + :notify => 'Service[tor]', + )} + end + context 'with private key to generate' do + let(:params){ + { + :ports => ['80'], + :private_key_name => 'test_os', + :private_key_store_path => File.expand_path(File.join(File.dirname(__FILE__),'..','tmp')), + } + } + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_concat__fragment('05.onion_service.test_os').with_content(/^HiddenServicePort 80 127.0.0.1:80/) } + it { is_expected.to contain_file('/var/lib/tor/test_os').with( + :ensure => 'directory', + :purge => true, + :force => true, + :recurse => true, + :owner => 'toranon', + :group => 'toranon', + :mode => '0750', + :require => 'Package[tor]', + )} + it { is_expected.to contain_file('/var/lib/tor/test_os/hostname').with( + :content => /^[a-z2-7]{16}\.onion\n/, + :owner => 'toranon', + :group => 'toranon', + :mode => '0600', + :notify => 'Service[tor]', + )} + it { is_expected.to contain_file('/var/lib/tor/test_os/private_key').with( + :owner => 'toranon', + :group => 'toranon', + :mode => '0600', + :notify => 'Service[tor]', + )} + end + end +end -- cgit v1.2.3 
From bf16597ec2c0ad155527742fe07e655f555d7f62 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 4 Nov 2016 18:52:20 +0100 Subject: fix tests --- spec/defines/daemon_onion_service_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/spec/defines/daemon_onion_service_spec.rb b/spec/defines/daemon_onion_service_spec.rb index bf9641d..fba8efd 100644 --- a/spec/defines/daemon_onion_service_spec.rb +++ b/spec/defines/daemon_onion_service_spec.rb @@ -67,7 +67,7 @@ describe 'tor::daemon::onion_service', :type => 'define' do :recurse => true, :owner => 'toranon', :group => 'toranon', - :mode => '0750', + :mode => '0600', :require => 'Package[tor]', )} it { is_expected.to contain_file('/var/lib/tor/test_os/hostname').with( @@ -101,7 +101,7 @@ describe 'tor::daemon::onion_service', :type => 'define' do :recurse => true, :owner => 'toranon', :group => 'toranon', - :mode => '0750', + :mode => '0600', :require => 'Package[tor]', )} it { is_expected.to contain_file('/var/lib/tor/test_os/hostname').with( -- cgit v1.2.3 From d91d70dd378a4a91c740b03b0852432ef128b24a Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 4 Nov 2016 18:52:39 +0100 Subject: store key & hostname --- lib/puppet/parser/functions/generate_onion_key.rb | 22 ++++++--- manifests/daemon/onion_service.pp | 56 +++++++++++++++++++++++ manifests/daemon/onions_service.pp | 56 ----------------------- spec/functions/generate_onion_key_spec.rb | 10 ++-- templates/torrc.hidden_service.erb | 6 --- templates/torrc.onion_service.erb | 6 +++ 6 files changed, 82 insertions(+), 74 deletions(-) create mode 100644 manifests/daemon/onion_service.pp delete mode 100644 manifests/daemon/onions_service.pp delete mode 100644 templates/torrc.hidden_service.erb create mode 100644 templates/torrc.onion_service.erb diff --git a/lib/puppet/parser/functions/generate_onion_key.rb b/lib/puppet/parser/functions/generate_onion_key.rb index 2964268..9ee5351 100644 --- a/lib/puppet/parser/functions/generate_onion_key.rb 
+++ b/lib/puppet/parser/functions/generate_onion_key.rb @@ -7,12 +7,13 @@ Requires a location to load and store the private key, as well an identifier, wh Example: - res = generate_onion_key('/tmp','my_secrect_key') + res = generate_onion_key('/tmp','my_secret_key') notice "Onion Address: \${res[0]" notice "Priavte Key: \${res[1]" -If /tmp/my_secrect_key.key exists, it will be loaded and the onion address will be generated from it. +It will also store the onion address under /tmp/my_secret_key.hostname. +If /tmp/my_secret_key.key exists, but not the hostname file. Then the function will be loaded and the onion address will be generated from it. EOS ) do |args| @@ -24,17 +25,24 @@ If /tmp/my_secrect_key.key exists, it will be loaded and the onion address will raise(Puppet::ParseError, "generate_onion_key(): requires location (#{location}) to be a directory") unless File.directory?(location) path = File.join(location,identifier) - private_key = if File.exists?(path) - pk = OpenSSL::PKey::RSA.new(File.read(path)) - raise(Puppet::ParseError, "generate_onion_key(): key in path #{path} must have a length of 1024bit") unless (pk.n.num_bytes * 8) == 1024 + private_key = if File.exists?(kf="#{path}.key") + pk = OpenSSL::PKey::RSA.new(File.read(kf)) + raise(Puppet::ParseError, "generate_onion_key(): key in path #{kf} must have a length of 1024bit") unless (pk.n.num_bytes * 8) == 1024 pk else # 1024 is hardcoded by tor pk = OpenSSL::PKey::RSA.generate(1024) - File.open(path,'w'){|f| f << pk.to_s } + File.open(kf,'w'){|f| f << pk.to_s } pk end + onion_address = if File.exists?(hf="#{path}.hostname") + File.read(hf) + else + oa = function_onion_address([private_key]) + File.open(hf,'w'){|f| f << oa.to_s } + oa + end - [ function_onion_address([private_key]), private_key.to_s ] + [ onion_address, private_key.to_s ] end end diff --git a/manifests/daemon/onion_service.pp b/manifests/daemon/onion_service.pp new file mode 100644 index 0000000..2625521 --- /dev/null 
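Review bot: `File.open(kf,'w'){|f| f << pk.to_s }` creates the onion service's private key on the Puppet master with the process umask, which on a typical setup yields a world-readable 0644 file; pass an explicit mode, `File.open(kf, 'w', 0600){|f| f << pk.to_s }`, and do the same for the hostname file for consistency. The load branch still uses whatever sits at `#{path}.key` without checking its ownership or permissions, so consider refusing a key file that is group- or world-readable rather than silently adopting it. `File.exists?` is deprecated in favour of `File.exist?`. The new docstring sentence starting `If /tmp/my_secret_key.key exists, but not the hostname file.` is a fragment; `If /tmp/my_secret_key.key exists but the hostname file does not, the key is loaded and the onion address is derived from it and stored.` says what the code does.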
+++ b/manifests/daemon/onion_service.pp @@ -0,0 +1,56 @@ +# onion services definition +define tor::daemon::onion_service( + $ensure = present, + $ports = [], + $data_dir = $tor::daemon::data_dir, + $private_key = undef, + $private_key_name = $name, + $private_key_store_path = undef, +) { + + $data_dir_path = "${data_dir}/${name}" + include ::tor::daemon::params + concat::fragment { "05.onion_service.${name}": + ensure => $ensure, + content => template('tor/torrc.onion_service.erb'), + order => '05', + target => $tor::daemon::config_file, + } + if $private_key or ($private_key_name and $private_key_store_path) { + if $private_key and ($private_key_name and $private_key_store_path) { + fail("Either private_key OR (private_key_name AND private_key_store_path) must be set, but not all three of them") + } + if $private_key_store_path and $private_key_name { + $tmp = generate_onion_key($private_key_store_path,$private_key_name) + $os_hostname = $tmp[0] + $real_private_key = $tmp[1] + } else { + $os_hostname = onion_address($private_key) + $real_private_key = $private_key + } + file{ + $data_dir_path: + ensure => directory, + purge => true, + force => true, + recurse => true, + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, + mode => '0600', + require => Package['tor']; + "${data_dir_path}/private_key": + content => $real_private_key, + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, + mode => '0600', + notify => Service['tor']; + "${data_dir_path}/hostname": + content => "${os_hostname}.onion\n", + owner => $tor::daemon::params::user, + group => $tor::daemon::params::group, + mode => '0600', + notify => Service['tor']; + } + } +} + diff --git a/manifests/daemon/onions_service.pp b/manifests/daemon/onions_service.pp deleted file mode 100644 index 2625521..0000000 --- a/manifests/daemon/onions_service.pp +++ /dev/null 
@@ -1,56 +0,0 @@ -# onion services definition -define tor::daemon::onion_service( - $ensure = present, - $ports = [], - $data_dir = $tor::daemon::data_dir, - $private_key = undef, - $private_key_name = $name, - $private_key_store_path = undef, -) { - - $data_dir_path = "${data_dir}/${name}" - include ::tor::daemon::params - concat::fragment { "05.onion_service.${name}": - ensure => $ensure, - content => template('tor/torrc.onion_service.erb'), - order => '05', - target => $tor::daemon::config_file, - } - if $private_key or ($private_key_name and $private_key_store_path) { - if $private_key and ($private_key_name and $private_key_store_path) { - fail("Either private_key OR (private_key_name AND private_key_store_path) must be set, but not all three of them") - } - if $private_key_store_path and $private_key_name { - $tmp = generate_onion_key($private_key_store_path,$private_key_name) - $os_hostname = $tmp[0] - $real_private_key = $tmp[1] - } else { - $os_hostname = onion_address($private_key) - $real_private_key = $private_key - } - file{ - $data_dir_path: - ensure => directory, - purge => true, - force => true, - recurse => true, - owner => $tor::daemon::params::user, - group => $tor::daemon::params::group, - mode => '0600', - require => Package['tor']; - "${data_dir_path}/private_key": - content => $real_private_key, - owner => $tor::daemon::params::user, - group => $tor::daemon::params::group, - mode => '0600', - notify => Service['tor']; - "${data_dir_path}/hostname": - content => "${os_hostname}.onion\n", - owner => $tor::daemon::params::user, - group => $tor::daemon::params::group, - mode => '0600', - notify => Service['tor']; - } - } -} - diff --git a/spec/functions/generate_onion_key_spec.rb b/spec/functions/generate_onion_key_spec.rb index 07a9f91..355f862 100644 --- a/spec/functions/generate_onion_key_spec.rb +++ b/spec/functions/generate_onion_key_spec.rb 
@@ -4,7 +4,7 @@ require 'fileutils' describe 'generate_onion_key' do before(:all) do @tmp_path = File.expand_path(File.join(File.dirname(__FILE__),'..','fixtures','tmp')) - @test_path = File.join(@tmp_path,'test') + @test_path = File.join(@tmp_path,'test.key') @drpsyff5srkctr7h_str = "-----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQC9OUBOkL73n43ogC/Jma54/ZZDEpoisqpkGJHgbcRGJIxcqqfL PbnT3hD5SUCVXxLnzWDCTwTe2VOzIUlBXmslwVXnCJh/XGZg9NHiNU3EAZTwu1g9 @@ -51,10 +51,10 @@ znq+qT/KbJlwy/27X/auCAzD5rJ9VVzyWiu8nnwICS8= expect(return_value.size).to be(2) end it 'creates and stores the key' do - expect(return_value.last).to be_eql(File.read(File.join(@tmp_path,'test'))) + expect(return_value.last).to be_eql(File.read(File.join(@tmp_path,'test.key'))) end it 'returns a proper onion address' do - expect(return_value.first).to be_eql(scope.function_onion_address([File.read(File.join(@tmp_path,'test'))])) + expect(return_value.first).to be_eql(scope.function_onion_address([File.read(File.join(@tmp_path,'test.key'))])) end it 'does not recreate a key once created' do expect(scope.function_generate_onion_key([@tmp_path,'test'])).to be_eql(scope.function_generate_onion_key([@tmp_path,'test'])) @@ -65,9 +65,9 @@ znq+qT/KbJlwy/27X/auCAzD5rJ9VVzyWiu8nnwICS8= end context 'with an existing key' do before(:all) do - File.open(@test_path,'w'){|f| f << @drpsyff5srkctr7h_str } + File.open(File.join(@tmp_path,'test3.key'),'w'){|f| f << @drpsyff5srkctr7h_str } end - it { is_expected.to run.with_params(@tmp_path,'test').and_return(['drpsyff5srkctr7h',@drpsyff5srkctr7h_str]) } + it { is_expected.to run.with_params(@tmp_path,'test3').and_return(['drpsyff5srkctr7h',@drpsyff5srkctr7h_str]) } end end end diff --git a/templates/torrc.hidden_service.erb b/templates/torrc.hidden_service.erb deleted file mode 100644 index 77168d8..0000000 --- a/templates/torrc.hidden_service.erb +++ /dev/null 
@@ -1,6 +0,0 @@ -# hidden service <%= @name %> -HiddenServiceDir <%= @data_dir_path %> -<% Array(@ports).each do |port| -%> -HiddenServicePort <%= port =~ /^\d+$/ ? "#{port} 127.0.0.1:#{port}" : port %> -<% end -%> - diff --git a/templates/torrc.onion_service.erb b/templates/torrc.onion_service.erb new file mode 100644 index 0000000..77168d8 --- /dev/null +++ b/templates/torrc.onion_service.erb @@ -0,0 +1,6 @@ +# hidden service <%= @name %> +HiddenServiceDir <%= @data_dir_path %> +<% Array(@ports).each do |port| -%> +HiddenServicePort <%= port =~ /^\d+$/ ? "#{port} 127.0.0.1:#{port}" : port %> +<% end -%> + -- cgit v1.2.3 From d17494c600a59206601e4dfd0731b6af36b59631 Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 5 Nov 2016 13:38:45 +0100 Subject: correct identation --- templates/onionbalance/config.yaml.erb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/onionbalance/config.yaml.erb b/templates/onionbalance/config.yaml.erb index 3f45bd1..b1d4d80 100644 --- a/templates/onionbalance/config.yaml.erb +++ b/templates/onionbalance/config.yaml.erb @@ -1,10 +1,10 @@ # OnionBalance Config File services: <% @services.keys.sort.each do |key| -%> -- instances: + - key: /etc/onionbalance/<%= key %>.key + instances: <% (@services[key].keys - ['_key_content']).sort.each do |inst| -%> - - address: <%= @services[key][inst] %> - name: <%= inst %> + - address: <%= @services[key][inst] %> + name: <%= inst %> <% end -%> - key: <%= key %>.key <% end -%> -- cgit v1.2.3 From 9899d19553f55fce8ff6f6d790945777a298bacf Mon Sep 17 00:00:00 2001 From: mh Date: Sat, 5 Nov 2016 13:48:01 +0100 Subject: simplify the version requirement, as we don't need to pass that parameter along --- manifests/base.pp | 5 +++-- manifests/daemon.pp | 10 +++------- manifests/init.pp | 2 +- 3 files changed, 7 insertions(+), 10 deletions(-) diff --git a/manifests/base.pp b/manifests/base.pp index 31b9edb..b5aa7e9 100644 --- a/manifests/base.pp +++ b/manifests/base.pp 
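Review bot: The absolute `/etc/onionbalance/` prefix added to the `key:` line is a behavioural change that the commit title (`correct identation`) does not mention, and it hard-codes a directory that presumably is managed by `tor::onionbalance` elsewhere in the module, so the two can drift apart silently. Exposing the directory as a template variable, e.g. `- key: <%= @config_dir %>/<%= key %>.key`, keeps the config and the `tor::onionbalance::keys` deployment in sync, and the commit message should state the path change.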
@@ -1,12 +1,13 @@ # basic management of resources for tor class tor::base { package {'tor': - ensure => $tor::ensure_version, + ensure => $tor::version, } case $osfamily { 'Debian': { package {'tor-geoipdb': - ensure => $tor::ensure_version, + ensure => $tor::version, + before => Service['tor'], } } } diff --git a/manifests/daemon.pp b/manifests/daemon.pp index 2522b2c..55c881d 100644 --- a/manifests/daemon.pp +++ b/manifests/daemon.pp @@ -1,6 +1,5 @@ # manage a snippet based tor installation class tor::daemon ( - $ensure_version = 'installed', $use_munin = false, $data_dir = '/var/lib/tor', $config_file = '/etc/tor/torrc', @@ -10,13 +9,10 @@ class tor::daemon ( $safe_logging = 1, ) { - class{'tor': - ensure_version => $ensure_version, - } - - include tor::daemon::base + include ::tor + include ::tor::daemon::base if $use_munin { - include tor::munin + include ::tor::munin } } diff --git a/manifests/init.pp b/manifests/init.pp index 9c19c64..ad584aa 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,6 +1,6 @@ # manage a basic tor installation class tor ( - $ensure_version = 'installed' + $version = 'installed' ){ include tor::base } -- cgit v1.2.3 From 6deb959721ba5e90d876ff34343c0926730faf7b Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 9 Nov 2016 23:05:37 +0100 Subject: set it to a port allowed by munin --- manifests/munin.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/munin.pp b/manifests/munin.pp index 1b043f1..67e8c57 100644 --- a/manifests/munin.pp +++ b/manifests/munin.pp 
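Review bot: Removing `$ensure_version` from `tor::daemon` and replacing the resource-like `class{'tor': ...}` declaration with `include ::tor` is an interface break: a manifest declaring `class{'tor::daemon': ensure_version => '0.2.9.5-1'}` now fails with an invalid-parameter error, and there is no longer any way to pin the tor package version through `tor::daemon`, because `include ::tor` always takes the default `version => 'installed'`. If that is the intended contract, the README should say that the version is now set with `class{'tor': version => '...'}` before `tor::daemon` is included; otherwise keep a `$version = undef` parameter on `tor::daemon` and forward it. `tor::torsocks` on this page still names its parameter `$ensure_version`, so the rename also leaves the module inconsistent.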
@@ -2,18 +2,18 @@ class tor::munin { tor::daemon::control{ 'control_port_for_munin': - port => 19051, + port => 9001, cookie_authentication => 1, cookie_auth_file => '/var/run/tor/control.authcookie', } include ::tor::daemon::params Munin::Plugin::Deploy { - config => "user ${tor::daemon::params::user}\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051" + config => "user ${tor::daemon::params::user}\n env.cookiefile /var/run/tor/control.authcookie\n env.port 9001" } munin::plugin::deploy { 'tor_openfds': - config => 'user root', + config => 'user root', source => 'tor/munin/tor_openfds'; 'tor_routers': source => 'tor/munin/tor_routers'; -- cgit v1.2.3 From 58e13dbd417bfc0d4ca9712d0fe6e334992d0abc Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 10 Nov 2016 02:03:43 +0100 Subject: make the function still work with an ancient ruby version --- lib/puppet/parser/functions/onion_address.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/puppet/parser/functions/onion_address.rb b/lib/puppet/parser/functions/onion_address.rb index a3db2f4..a6f9755 100644 --- a/lib/puppet/parser/functions/onion_address.rb +++ b/lib/puppet/parser/functions/onion_address.rb @@ -22,7 +22,9 @@ Returns the onionadress for that key, *without* the .onion suffix. # We can skip the first 22 bits of the der format as they are ignored by tor # https://timtaubert.de/blog/2014/11/using-the-webcrypto-api-to-generate-onion-names-for-tor-hidden-services/ # https://gitweb.torproject.org/torspec.git/tree/rend-spec.txt#n525 + # Except for Ruby 1.8.7 where the first 22 are not present at all + start = RUBY_VERSION.to_f < 1.9 ? 0 : 22 public_key_der = private_key.public_key.to_der - Base32.encode(Digest::SHA1.digest(public_key_der[22..-1]))[0..15].downcase + Base32.encode(Digest::SHA1.digest(public_key_der[start..-1]))[0..15].downcase end end -- cgit v1.2.3 From b80f81eb4594ddd4a2a62f21b0c5802e762f8fcc Mon Sep 17 00:00:00 2001 
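Review bot: The control port moves to 9001, which is the port conventionally used for a Tor ORPort; on a host that also declares `tor::daemon::relay` on that port the two listeners would collide, so the choice deserves a comment or a different unprivileged number from the munin-allowed range. The literal is also repeated in both the `tor::daemon::control` declaration and the plugin `config` string, which is how the two drifted apart in the first place. Hoist it once, `$control_port = 9001`, and use `port => $control_port` and `env.port ${control_port}` in the two places.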
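Review bot: `start` is chosen from `RUBY_VERSION` rather than from the DER bytes themselves, so on an interpreter whose OpenSSL binding lays the key out differently from the two cases handled here the function silently returns a wrong onion address instead of failing. Assert the slice starts at the RSAPublicKey SEQUENCE before hashing, e.g. `raise 'unexpected public key DER layout' unless public_key_der[start, 1] == "\x30"`, so a mismatch aborts compilation rather than publishing an address that does not belong to the key. The enclosing function begins outside the hunk.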
From: mh Date: Thu, 10 Nov 2016 02:13:04 +0100 Subject: make it work with the old parser --- manifests/onionbalance.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/onionbalance.pp b/manifests/onionbalance.pp index 34831d3..6a6b476 100644 --- a/manifests/onionbalance.pp +++ b/manifests/onionbalance.pp @@ -62,8 +62,9 @@ class tor::onionbalance( notify => Service['tor@onionbalance'], } + $keys = keys($services) tor::onionbalance::keys{ - keys($services): + $keys: values => $services, group => $instance_user, } -- cgit v1.2.3 From fb0fbe06f9c2d3c0428f9129fe67eb2c4aef8f7f Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 1 Dec 2016 11:31:01 +0100 Subject: make it work if there is no pidfile --- files/munin/tor_openfds | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/files/munin/tor_openfds b/files/munin/tor_openfds index dbf57cd..9c14852 100644 --- a/files/munin/tor_openfds +++ b/files/munin/tor_openfds @@ -16,9 +16,15 @@ if ($ARGV[0] and $ARGV[0] =~ /^\s*config\s*$/i) exit 0; } -open (PID, "/var/run/tor/tor.pid") or exit 1; -my $pid = ; -close PID; +my $pidfile = "/var/run/tor/tor.pid"; +my $pid = ''; +if (-e $pidfile) { + open (PID, $pidfile) or exit 1; + $pid = ; + close PID; +} else { + $pid = `pidof tor`; +} chomp $pid; $pid =~ /^[0-9]+$/ or exit 1; -- cgit v1.2.3 From 1a4d240aadb784c065703e790b59ee39863005b3 Mon Sep 17 00:00:00 2001 From: mh Date: Thu, 1 Dec 2016 12:26:05 +0100 Subject: torsocks actually needs a daemon --- manifests/torsocks.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/torsocks.pp b/manifests/torsocks.pp index e9fc75b..9f735d4 100644 --- a/manifests/torsocks.pp +++ b/manifests/torsocks.pp @@ -2,7 +2,7 @@ class tor::torsocks ( $ensure_version = 'installed' ){ - include ::tor + include ::tor::daemon package{'torsocks': ensure => $ensure_version, } -- cgit v1.2.3 From 4ac020202d87afcd69de483a777eff03cef75a4c Mon Sep 17 00:00:00 2001 
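Review bot: The fallback `$pid = \`pidof tor\`;` returns every matching PID separated by spaces, so with more than one tor process the value fails the `/^[0-9]+$/` check on the last line and the plugin exits 1; either take the first field or document that the fallback only covers a single instance. The pidfile branch keeps a bareword handle and a 2-arg `open (PID, $pidfile)`; prefer `open my $fh, '<', $pidfile or exit 1;` so the path is never parsed as a mode, and the readline after it appears to have been lost in rendering (`$pid = ;`), which should be checked against the committed file. The rest of the script lies outside the hunk.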
From: mh Date: Sun, 19 Feb 2017 23:18:19 +0100 Subject: polipo is not supported on EL --- manifests/compact.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/manifests/compact.pp b/manifests/compact.pp index c0f5919..e44ffed 100644 --- a/manifests/compact.pp +++ b/manifests/compact.pp @@ -2,6 +2,8 @@ # installation with all the basics class tor::compact { include ::tor - include tor::polipo include tor::torsocks + if $osfamily == 'Debian' { + include tor::polipo + } } -- cgit v1.2.3 From 1fef62f18dcbcf0f1995603b8f595f67ebf483d5 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 30 Aug 2017 00:18:32 +0200 Subject: cleanup template mess that produces invalid template --- templates/torrc.global.erb | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/templates/torrc.global.erb b/templates/torrc.global.erb index f577673..9cf7816 100644 --- a/templates/torrc.global.erb +++ b/templates/torrc.global.erb @@ -1,24 +1,24 @@ # runtime RunAsDaemon 1 -<% if (v=scope.lookupvar('tor::daemon::data_dir')) != '/var/lib/tor' -%> +<% if (v=scope['tor::daemon::data_dir']) != '/var/lib/tor' -%> DataDirectory <%= v %> <% end -%> # log -<% if (rules=scope.lookupvar('tor::daemon::log_rules')).empty? -%> +<% if (rules=scope['tor::daemon::log_rules']).empty? -%> Log notice syslog <% else -%> <% rules.each do |log_rule| -%> Log <%= log_rule %> -<% end -%> -<% end -%> -<%- if @safe_logging != 1 then -%> -SafeLogging <%= @safe_logging %> -<%- end -%> +<% end +end -%> +<% if (v=scope['tor::daemon::safe_logging']) != 1 -%> +SafeLogging <%= v %> +<% end -%> -<% if (v=scope.lookupvar('tor::daemon::automap_hosts_on_resolve')) != '0' -%> +<% if (v=scope['tor::daemon::automap_hosts_on_resolve']) != 0 -%> AutomapHostsOnResolve <%= v %> -<% end -%> -<% if (v=scope.lookupvar('tor::daemon::use_bridges')) != '0' -%> +<% end -%> +<% if (v=scope['tor::daemon::use_bridges']) != 0 -%> UseBridges <%= v %> -<%- end -%> +<% end -%> -- cgit v1.2.3 
From 1fcbe72115d57d53fced2777c8b54a4ee4ec17e9 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 30 Aug 2017 18:30:12 +0200 Subject: make it work with newer concat module --- manifests/daemon/base.pp | 1 - manifests/daemon/bridge.pp | 15 ++++++++------- manifests/daemon/control.pp | 26 ++++++++++++++------------ manifests/daemon/directory.pp | 15 ++++++++------- manifests/daemon/dns.pp | 15 ++++++++------- manifests/daemon/exit_policy.pp | 15 ++++++++------- manifests/daemon/map_address.pp | 15 ++++++++------- manifests/daemon/onion_service.pp | 17 +++++++++-------- manifests/daemon/relay.pp | 26 ++++++++++++++------------ manifests/daemon/snippet.pp | 14 ++++++++------ manifests/daemon/socks.pp | 4 ++-- manifests/daemon/transparent.pp | 14 ++++++++------ spec/defines/daemon_onion_service_spec.rb | 2 -- 13 files changed, 95 insertions(+), 84 deletions(-) diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp index 335c5e4..86156af 100644 --- a/manifests/daemon/base.pp +++ b/manifests/daemon/base.pp @@ -48,7 +48,6 @@ class tor::daemon::base inherits tor::base { # config file headers concat::fragment { '00.header': - ensure => present, content => template('tor/torrc.header.erb'), order => '00', target => $tor::daemon::config_file, diff --git a/manifests/daemon/bridge.pp b/manifests/daemon/bridge.pp index a9a21d4..e09f4f7 100644 --- a/manifests/daemon/bridge.pp +++ b/manifests/daemon/bridge.pp @@ -3,13 +3,14 @@ define tor::daemon::bridge( $ip, $port, $fingerprint = false, - $ensure = present ) { - - concat::fragment { "10.bridge.${name}": - ensure => $ensure, - content => template('tor/torrc.bridge.erb'), - order => '10', - target => $tor::daemon::config_file, + $ensure = 'present', +) { + if $ensure == 'present' { + concat::fragment { "10.bridge.${name}": + content => template('tor/torrc.bridge.erb'), + order => '10', + target => $tor::daemon::config_file, + } } } diff --git a/manifests/daemon/control.pp b/manifests/daemon/control.pp index 5e81c65..027a49d 100644 
--- a/manifests/daemon/control.pp +++ b/manifests/daemon/control.pp @@ -1,24 +1,26 @@ # control definition define tor::daemon::control( + $ensure = 'present', $port = 0, $hashed_control_password = '', $cookie_authentication = 0, $cookie_auth_file = '', $cookie_auth_file_group_readable = '', - $ensure = present ) { +) { - if $cookie_authentication == '0' and $hashed_control_password == '' and $ensure != 'absent' { - fail('You need to define the tor control password') - } + if $ensure == 'present' { + if $cookie_authentication == '0' and $hashed_control_password == '' { + fail('You need to define the tor control password') + } - if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') { - notice('You set a tor cookie authentication option, but do not have cookie_authentication on') - } + if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') { + notice('You set a tor cookie authentication option, but do not have cookie_authentication on') + } - concat::fragment { '04.control': - ensure => $ensure, - content => template('tor/torrc.control.erb'), - order => '04', - target => $tor::daemon::config_file, + concat::fragment { '04.control': + content => template('tor/torrc.control.erb'), + order => '04', + target => $tor::daemon::config_file, + } } } diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp index 4dc2afa..3bbf273 100644 --- a/manifests/daemon/directory.pp +++ b/manifests/daemon/directory.pp 
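Review bot: The two authentication guards compare `$cookie_authentication` against different types, the string `'0'` on the first and the integer `0` on the second, while the parameter's default is the integer `0`. Under the Puppet 4 parser `0 == '0'` is false, so a declaration that leaves both `cookie_authentication` and `hashed_control_password` at their defaults passes the first check and emits a control port with no authentication configured, which is the very case the `fail` exists to stop. Use one comparison in both places, e.g. `if "${cookie_authentication}" == '0' and $hashed_control_password == '' {`, and the same form on the `notice` branch.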
@@ -1,15 +1,16 @@ # directory advertising define tor::daemon::directory ( + $ensure = 'present', $port = 0, $listen_addresses = [], $port_front_page = '/etc/tor/tor-exit-notice.html', - $ensure = present ) { - - concat::fragment { '06.directory': - ensure => $ensure, - content => template('tor/torrc.directory.erb'), - order => '06', - target => $tor::daemon::config_file, +) { + if $ensure == 'present' { + concat::fragment { '06.directory': + content => template('tor/torrc.directory.erb'), + order => '06', + target => $tor::daemon::config_file, + } } include ::tor::daemon::params diff --git a/manifests/daemon/dns.pp b/manifests/daemon/dns.pp index e8d4fc8..3ae8c77 100644 --- a/manifests/daemon/dns.pp +++ b/manifests/daemon/dns.pp @@ -1,14 +1,15 @@ # DNS definition define tor::daemon::dns( + $ensure = 'present', $port = 0, $listen_addresses = [], - $ensure = present ) { - - concat::fragment { "08.dns.${name}": - ensure => $ensure, - content => template('tor/torrc.dns.erb'), - order => '08', - target => $tor::daemon::config_file, +){ + if $ensure == 'present' { + concat::fragment { "08.dns.${name}": + content => template('tor/torrc.dns.erb'), + order => '08', + target => $tor::daemon::config_file, + } } } diff --git a/manifests/daemon/exit_policy.pp b/manifests/daemon/exit_policy.pp index 5f4d3e8..62876c7 100644 --- a/manifests/daemon/exit_policy.pp +++ b/manifests/daemon/exit_policy.pp @@ -1,15 +1,16 @@ # exit policies define tor::daemon::exit_policy( + $ensure = 'present', $accept = [], $reject = [], $reject_private = 1, - $ensure = present ) { - - concat::fragment { "07.exit_policy.${name}": - ensure => $ensure, - content => template('tor/torrc.exit_policy.erb'), - order => '07', - target => $tor::daemon::config_file, +) { + if $ensure == 'present' { + concat::fragment { "07.exit_policy.${name}": + content => template('tor/torrc.exit_policy.erb'), + order => '07', + target => $tor::daemon::config_file, + } } } 
diff --git a/manifests/daemon/map_address.pp b/manifests/daemon/map_address.pp index ac624a0..ca21ed9 100644 --- a/manifests/daemon/map_address.pp +++ b/manifests/daemon/map_address.pp @@ -1,14 +1,15 @@ # map address definition define tor::daemon::map_address( + $ensure = 'present', $address = '', $newaddress = '', - $ensure = 'present') { - - concat::fragment { "08.map_address.${name}": - ensure => $ensure, - content => template('tor/torrc.map_address.erb'), - order => '08', - target => $tor::daemon::config_file, +) { + if $ensure == 'present' { + concat::fragment { "08.map_address.${name}": + content => template('tor/torrc.map_address.erb'), + order => '08', + target => $tor::daemon::config_file, + } } } diff --git a/manifests/daemon/onion_service.pp b/manifests/daemon/onion_service.pp index 2625521..9d12a3a 100644 --- a/manifests/daemon/onion_service.pp +++ b/manifests/daemon/onion_service.pp @@ -1,6 +1,6 @@ # onion services definition define tor::daemon::onion_service( - $ensure = present, + $ensure = 'present', $ports = [], $data_dir = $tor::daemon::data_dir, $private_key = undef, 
@@ -9,16 +9,17 @@ define tor::daemon::onion_service( ) { $data_dir_path = "${data_dir}/${name}" - include ::tor::daemon::params - concat::fragment { "05.onion_service.${name}": - ensure => $ensure, - content => template('tor/torrc.onion_service.erb'), - order => '05', - target => $tor::daemon::config_file, + if $ensure == 'present' { + include ::tor::daemon::params + concat::fragment { "05.onion_service.${name}": + content => template('tor/torrc.onion_service.erb'), + order => '05', + target => $tor::daemon::config_file, + } } if $private_key or ($private_key_name and $private_key_store_path) { if $private_key and ($private_key_name and $private_key_store_path) { - fail("Either private_key OR (private_key_name AND private_key_store_path) must be set, but not all three of them") + fail('Either private_key OR (private_key_name AND private_key_store_path) must be set, but not all three of them') } if $private_key_store_path and $private_key_name { $tmp = generate_onion_key($private_key_store_path,$private_key_name) diff --git a/manifests/daemon/relay.pp b/manifests/daemon/relay.pp index 4fa303d..68e06ca 100644 --- a/manifests/daemon/relay.pp +++ b/manifests/daemon/relay.pp @@ -1,5 +1,6 @@ # relay definition define tor::daemon::relay( + $ensure = 'present', $port = 0, $listen_addresses = [], $outbound_bindaddresses = [], 
@@ -20,20 +21,21 @@ define tor::daemon::relay( $my_family = '', $address = "tor.${::domain}", $bridge_relay = 0, - $ensure = present ) { +) { - $nickname = $name + if $ensure == 'present' { + $nickname = $name - if $outbound_bindaddresses == [] { - $real_outbound_bindaddresses = [] - } else { - $real_outbound_bindaddresses = $outbound_bindaddresses - } + if $outbound_bindaddresses == [] { + $real_outbound_bindaddresses = [] + } else { + $real_outbound_bindaddresses = $outbound_bindaddresses + } - concat::fragment { '03.relay': - ensure => $ensure, - content => template('tor/torrc.relay.erb'), - order => '03', - target => $tor::daemon::config_file, + concat::fragment { '03.relay': + content => template('tor/torrc.relay.erb'), + order => '03', + target => $tor::daemon::config_file, + } } } diff --git a/manifests/daemon/snippet.pp b/manifests/daemon/snippet.pp index 1f22d0c..195ed77 100644 --- a/manifests/daemon/snippet.pp +++ b/manifests/daemon/snippet.pp @@ -1,13 +1,15 @@ # Arbitrary torrc snippet definition define tor::daemon::snippet( + $ensure = 'present', $content = '', - $ensure = present ) { +) { - concat::fragment { "99.snippet.${name}": - ensure => $ensure, - content => $content, - order => '99', - target => $tor::daemon::config_file, + if $ensure == 'present' { + concat::fragment { "99.snippet.${name}": + content => $content, + order => '99', + target => $tor::daemon::config_file, + } } } diff --git a/manifests/daemon/socks.pp b/manifests/daemon/socks.pp index 17ce40b..43256ae 100644 --- a/manifests/daemon/socks.pp +++ b/manifests/daemon/socks.pp @@ -2,8 +2,8 @@ define tor::daemon::socks( $port = 0, $listen_addresses = [], - $policies = [] ) { - + $policies = [], +) { concat::fragment { '02.socks': content => template('tor/torrc.socks.erb'), order => '02', diff --git a/manifests/daemon/transparent.pp b/manifests/daemon/transparent.pp index 6ac7b44..49f9e70 100644 --- a/manifests/daemon/transparent.pp +++ b/manifests/daemon/transparent.pp 
@@ -1,14 +1,16 @@ # Transparent proxy definition define tor::daemon::transparent( + $ensure = 'present', $port = 0, $listen_addresses = [], - $ensure = present ) { +) { - concat::fragment { "09.transparent.${name}": - ensure => $ensure, - content => template('tor/torrc.transparent.erb'), - order => '09', - target => $tor::daemon::config_file, + if $ensure == 'present' { + concat::fragment { "09.transparent.${name}": + content => template('tor/torrc.transparent.erb'), + order => '09', + target => $tor::daemon::config_file, + } } } diff --git a/spec/defines/daemon_onion_service_spec.rb b/spec/defines/daemon_onion_service_spec.rb index fba8efd..95be8c4 100644 --- a/spec/defines/daemon_onion_service_spec.rb +++ b/spec/defines/daemon_onion_service_spec.rb @@ -16,7 +16,6 @@ describe 'tor::daemon::onion_service', :type => 'define' do it { is_expected.to compile.with_all_deps } it { is_expected.to contain_concat__fragment('05.onion_service.test_os').with( - :ensure => 'present', :content => /HiddenServiceDir \/var\/lib\/tor\/test_os/, :order => '05', :target => '/etc/tor/torrc', @@ -32,7 +31,6 @@ describe 'tor::daemon::onion_service', :type => 'define' do } it { is_expected.to compile.with_all_deps } it { is_expected.to contain_concat__fragment('05.onion_service.test_os').with( - :ensure => 'present', :content => /HiddenServiceDir \/var\/lib\/tor\/test_os/, :order => '05', :target => '/etc/tor/torrc', -- cgit v1.2.3 From 48132d55bba99a4356d91ad13d8639755d9f9401 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Louis-Philippe=20V=C3=A9ronneau?= Date: Fri, 2 Feb 2018 13:45:12 -0500 Subject: replace the CI tests by the ones used in the backupninja module/ --- .gitlab-ci.yml | 45 +++++++++++------------------------- Gemfile | 29 ++++++++--------------- Rakefile | 25 +++++++------------- spec/acceptance/nodesets/default.yml | 19 --------------- spec/spec_helper.rb | 12 ---------- spec/spec_helper_acceptance.rb | 18 --------------- 6 files changed, 31 insertions(+), 117 deletions(-) delete mode 100644 spec/acceptance/nodesets/default.yml delete mode 100644 spec/spec_helper.rb delete mode 100644 spec/spec_helper_acceptance.rb diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 611058c..e474dab 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -1,39 +1,22 @@ -image: ruby:2.1 -before_script: - - bundle install --jobs $(nproc) --without system_tests --path=/var/cache/gitlab-runner/ "${FLAGS[@]}" +image: ruby:2.3 -.job_template: &job_definition +# Test job template +.test_template: &test_definition + stage: test script: - # don't fail on lint warnings - - bundle exec rake lint || /bin/true - - bundle exec rake syntax - - bundle exec rake validate - - bundle exec rake spec + - bundle install --jobs $(nproc) --without docs --path vendor + - bundle exec rake tests + except: + - legacy -# Default debian jessie versions -test:puppet37: - variables: - PUPPET_VERSION: "~> 3.7.2" - FACTER_VERSION: '~> 2.2.0' - <<: *job_definition - -test:puppet38_future_parser: - variables: - PUPPET_VERSION: '~> 3.8' - FACTER_VERSION: '~> 2.2.0' - FUTURE_PARSER: 'yes' - <<: *job_definition - -# Default debian stretch versions +# Test with version present on Debian stable test:puppet48: variables: PUPPET_VERSION: "~> 4.8.2" FACTER_VERSION: '~> 2.4.6' - <<: *job_definition + HIERA_VERSION: '~> 3.2.0' + <<: *test_definition -# Latest greatest -test:puppet4x: - variables: - PUPPET_VERSION: "> 4" - FACTER_VERSION: '> 2' - <<: *job_definition +# Test with latest Puppet release +test:puppetlatest: + <<: *test_definition diff --git a/Gemfile b/Gemfile index 7a16b94..514f893 100644 --- a/Gemfile +++ b/Gemfile 
@@ -1,23 +1,12 @@ -source "https://rubygems.org" +source 'https://rubygems.org' -group :development, :unit_tests do - gem "rake" - gem "rspec-puppet", "~> 2.1", :require => false - gem "rspec-core" - gem "puppetlabs_spec_helper" - gem "semantic_puppet" - gem "metadata-json-lint" - gem "rspec-puppet-facts" - gem "mocha" -end +gem 'rake' +gem 'puppet', ENV['PUPPET_VERSION'] -group :system_tests do - gem 'beaker' - gem 'beaker-rspec' - gem 'beaker_spec_helper' - gem 'serverspec' +group :tests do + gem 'facter', ENV['FACTER_VERSION'] + gem 'hiera', ENV['HIERA_VERSION'] + gem 'puppetlabs_spec_helper' + gem 'metadata-json-lint' + gem 'semantic_puppet' end - -gem "puppet", ENV['PUPPET_VERSION'] || ENV['GEM_PUPPET_VERSION'] || ENV['PUPPET_GEM_VERSION'] || '~> 3.7.0' -gem "facter", ENV['FACTER_VERSION'] || ENV['GEM_FACTER_VERSION'] || ENV['FACTER_GEM_VERSION'] || '~> 2.2.0' - diff --git a/Rakefile b/Rakefile index 85326bb..401002e 100644 --- a/Rakefile +++ b/Rakefile @@ -1,19 +1,10 @@ -require 'puppetlabs_spec_helper/rake_tasks' -require 'puppet-lint/tasks/puppet-lint' -PuppetLint.configuration.send('disable_80chars') -PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"] +task :tests do + require 'puppetlabs_spec_helper/rake_tasks' -desc "Validate manifests, templates, and ruby files" -task :validate do - Dir['manifests/**/*.pp'].each do |manifest| - sh "puppet parser validate --noop #{manifest}" - end - Dir['spec/**/*.rb','lib/**/*.rb'].each do |ruby_file| - sh "ruby -c #{ruby_file}" unless ruby_file =~ /spec\/fixtures/ - end - Dir['templates/**/*.erb'].each do |template| - sh "erb -P -x -T '-' #{template} | ruby -c" - end -end + # run syntax checks on manifests, templates and hiera data + # also runs :metadata_lint + Rake::Task[:validate].invoke -task :test => [:lint, :syntax , :validate, :spec] + # runs puppet-lint + Rake::Task[:lint].invoke +end 
diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml deleted file mode 100644 index f09ad62..0000000 --- a/spec/acceptance/nodesets/default.yml +++ /dev/null @@ -1,19 +0,0 @@ -HOSTS: - debian-8-x64: - platform: debian-8-amd64 - image: debian:8 - hypervisor: docker - docker_preserve_image: true - docker_cmd: '["/sbin/init"]' - docker_image_commands: - - 'apt-get install -y wget locales-all puppet git' - - 'rm -f /usr/sbin/policy-rc.d' - -CONFIG: - type: foss - #log_level: verbose - #log_level: debug - -ssh: - password: root - auth_methods: ["password"] diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb deleted file mode 100644 index 3cca63a..0000000 --- a/spec/spec_helper.rb +++ /dev/null @@ -1,12 +0,0 @@ -# https://puppetlabs.com/blog/testing-modules-in-the-puppet-forge -require 'puppetlabs_spec_helper/module_spec_helper' - -fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures')) - -RSpec.configure do |c| - - c.manifest_dir = File.join(fixture_path, 'manifests') - c.module_path = File.join(fixture_path, 'modules') - - c.color = true -end diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb deleted file mode 100644 index e6a2cd8..0000000 --- a/spec/spec_helper_acceptance.rb +++ /dev/null @@ -1,18 +0,0 @@ -require 'beaker-rspec' - -RSpec.configure do |c| - module_root = File.expand_path(File.join(File.dirname(__FILE__), '..')) - module_name = module_root.split('-').last - - # Readable test descriptions - c.formatter = :documentation - - # Configure all nodes in nodeset - c.before :suite do - # Install module and dependencies - puppet_module_install(:source => module_root, :module_name => module_name) - hosts.each do |host| - shell('git clone https://github.com/puppetlabs/puppetlabs-concat.git /etc/puppet/modules/concat') - end - end -end -- cgit v1.2.3 From 328f4d0dc3ca258a1b605b75fa9f285d34bc47d8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Louis-Philippe=20V=C3=A9ronneau?= Date: Fri, 2 Feb 2018 13:45:52 -0500 Subject: [lint] single quotes should be used when no vars are present in a string --- manifests/daemon/relay.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/daemon/relay.pp b/manifests/daemon/relay.pp index fa908f5..9ba2323 100644 --- a/manifests/daemon/relay.pp +++ b/manifests/daemon/relay.pp @@ -13,7 +13,7 @@ define tor::daemon::relay( $relay_bandwidth_burst = 0, # GB, 0 for no limit $accounting_max = 0, - $accounting_start = "month 1 0:00", + $accounting_start = 'month 1 0:00', $contact_info = '', # TODO: autofill with other relays $my_family = '', -- cgit v1.2.3 From d0b3003bd94aca6022823cb79c3eee5a84724623 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Louis-Philippe=20V=C3=A9ronneau?= Date: Fri, 2 Feb 2018 14:20:02 -0500 Subject: we don't have a legacy branch --- .gitlab-ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e474dab..21907f7 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -6,8 +6,6 @@ image: ruby:2.3 script: - bundle install --jobs $(nproc) --without docs --path vendor - bundle exec rake tests - except: - - legacy # Test with version present on Debian stable test:puppet48: -- cgit v1.2.3 From 228ae4a53999dbc49fa7c4d2883468dde10f19fb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Louis-Philippe=20V=C3=A9ronneau?= Date: Fri, 2 Feb 2018 14:37:02 -0500 Subject: update metadata for new tag --- metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metadata.json b/metadata.json index 72e3701..1f7b79d 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "smash-tor", - "version": "1.0.0", + "version": "1.0.1", "author": "SMASH", "summary": "This project tracks the tor puppet module that manages the tor onion routing system.", "license": "GPL-3.0", -- cgit v1.2.3 From 7e11328e61132438dac8a19a5caec24dc1f58257 Mon Sep 17 00:00:00 2001 
From: mh Date: Tue, 13 Feb 2018 01:23:22 +0100 Subject: reduce output of empty lines --- templates/torrc.onion_service.erb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/torrc.onion_service.erb b/templates/torrc.onion_service.erb index db629fc..9b05c43 100644 --- a/templates/torrc.onion_service.erb +++ b/templates/torrc.onion_service.erb @@ -1,20 +1,20 @@ -<% if @single_hop != false %> +<% if @single_hop != false -%> HiddenServiceSingleHopMode 1 HiddenServiceNonAnonymousMode 1 SOCKSPort 0 -<% end %> +<% end -%> # hidden service <%= @name %> HiddenServiceDir <%= @data_dir_path %> <% Array(@ports).each do |port| -%> HiddenServicePort <%= port =~ /^\d+$/ ? "#{port} 127.0.0.1:#{port}" : port %> <% end -%> -<% if @v3 != false %> +<% if @v3 != false -%> # hidden service v3 static HiddenServiceDir <%= @data_dir_path %>3 HiddenServiceVersion 3 <% Array(@ports).each do |port| -%> HiddenServicePort <%= port %> -<% end -%> -<% end -%> +<% end +end -%> -- cgit v1.2.3 From 5347a783d2672a16c1c15f1efb0e99e15db9c1c8 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 21 Feb 2018 23:30:51 +0100 Subject: readd something we lost during merge --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index d51c0ba..e8928b8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ .tmp_*~ +*.swp .librarian .tmp spec/fixtures/modules -- cgit v1.2.3 From 24c5d04259971af0033c86fdf90c6f9c22974600 Mon Sep 17 00:00:00 2001 From: mh Date: Wed, 21 Feb 2018 23:48:30 +0100 Subject: adjust to the common usage of version as param name --- README.md | 6 ++---- manifests/arm.pp | 4 ++-- manifests/torsocks.pp | 4 ++-- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 97213c4..dac7078 100644 --- a/README.md +++ b/README.md 
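Review bot: `<% if @single_hop != false -%>` treats an unset (nil) `@single_hop` the same as an explicit true, because `nil != false` is true in Ruby; if the define's `$single_hop` parameter can be undef, every onion service would get `HiddenServiceSingleHopMode 1` and `HiddenServiceNonAnonymousMode 1`, which gives up the service's location anonymity, plus a daemon-wide `SOCKSPort 0`. Require an explicit opt-in instead, `<% if @single_hop == true -%>`, unless the parameter is guaranteed to be boolean. These three directives are also global Tor options emitted from a per-service fragment, so two services with different settings would write contradictory torrc lines; the hunk does not show where the parameter is declared.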
@@ -72,8 +72,7 @@ To install tor, simply include the 'tor' class in your manifests: class { 'tor': } -You can specify the `$ensure_version` class parameter to get a specific -version installed. +You can specify the `$version` class parameter to get a specific version installed. However, if you want to make configuration changes to your tor daemon, you will want to instead include the `tor::daemon` class in your manifests, which will @@ -127,8 +126,7 @@ To install torsocks, simply include the `torsocks` class in your manifests: class { 'tor::torsocks': } -You can specify the `$ensure_version` class parameter to get a specific -version installed. +You can specify the `$version` class parameter to get a specific version installed. # Configuring relays diff --git a/manifests/arm.pp b/manifests/arm.pp index 44ddcbb..dfea7c8 100644 --- a/manifests/arm.pp +++ b/manifests/arm.pp @@ -1,9 +1,9 @@ # manage tor-arm class tor::arm ( - $ensure_version = 'installed' + $version = 'installed' ){ include ::tor package{'tor-arm': - ensure => $ensure_version, + ensure => $version, } } diff --git a/manifests/torsocks.pp b/manifests/torsocks.pp index 9f735d4..e1ba8a9 100644 --- a/manifests/torsocks.pp +++ b/manifests/torsocks.pp @@ -1,9 +1,9 @@ # manage torsocks class tor::torsocks ( - $ensure_version = 'installed' + $version = 'installed' ){ include ::tor::daemon package{'torsocks': - ensure => $ensure_version, + ensure => $version, } } -- cgit v1.2.3 From ff149a1c48e988f2c8ad8e69b582b0c6c0895401 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 23 Feb 2018 23:30:01 +0100 Subject: keep the syntax of config snippes consistent --- manifests/daemon/socks.pp | 13 ++++++++----- manifests/daemon/transport_plugin.pp | 15 +++++++++------ 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/manifests/daemon/socks.pp b/manifests/daemon/socks.pp index 76c1703..e36d91e 100644 --- a/manifests/daemon/socks.pp +++ b/manifests/daemon/socks.pp 
@@ -1,11 +1,14 @@ # socks definition define tor::daemon::socks( - $port = 0, + $ensure = 'present', + $port = 0, $policies = [], ) { - concat::fragment { '02.socks': - content => template('tor/torrc.socks.erb'), - order => '02', - target => $tor::daemon::config_file, + if $ensure == 'present' { + concat::fragment { '02.socks': + content => template('tor/torrc.socks.erb'), + order => '02', + target => $tor::daemon::config_file, + } } } diff --git a/manifests/daemon/transport_plugin.pp b/manifests/daemon/transport_plugin.pp index 1921282..4f7bbf2 100644 --- a/manifests/daemon/transport_plugin.pp +++ b/manifests/daemon/transport_plugin.pp @@ -1,13 +1,16 @@ # transport plugin define tor::daemon::transport_plugin( + $ensure = 'present', $servertransport_plugin = '', $servertransport_listenaddr = '', $servertransport_options = '', - $ext_port = '' ) { - - concat::fragment { '11.transport_plugin': - content => template('tor/torrc.transport_plugin.erb'), - order => 11, - target => $tor::daemon::config_file, + $ext_port = '', +) { + if $ensure == 'present' { + concat::fragment { '11.transport_plugin': + content => template('tor/torrc.transport_plugin.erb'), + order => 11, + target => $tor::daemon::config_file, + } } } -- cgit v1.2.3 From 6ebebe3ab04e8ba3d4b651e49012646046642160 Mon Sep 17 00:00:00 2001 From: mh Date: Fri, 23 Feb 2018 23:46:51 +0100 Subject: update version requirements to pass validation --- metadata.json | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/metadata.json b/metadata.json index c512129..399a3dc 100644 --- a/metadata.json +++ b/metadata.json 
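Review bot: `order => 11` in the transport_plugin fragment is the only integer order among the torrc fragments; the others, including `'02'` in the socks hunk just above, use zero-padded strings. concat orders fragments as strings by default, so mixing an integer in is at best confusing to the next reader and at worst sorts differently if the ordering mode is ever changed. Use `order => '11',` for consistency with the rest of the snippets this commit is aligning.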
@@ -29,18 +29,21 @@
 "requirements": [
 {
 "name": "puppet",
- "version_requirement": ">=4.0.0"
+ "version_requirement": ">= 4.7.0 < 6.0.0"
 }
 ],
 "dependencies": [
 {
- "name": "puppetlabs-stdlib"
+ "name": "puppetlabs/stdlib",
+ "version_requirement": ">= 4.24.0 < 5.0.0"
 },
 {
- "name": "puppetlabs-concat"
+ "name": "puppetlabs/concat",
+ "version_requirement": ">= 4.2.0 < 5.0.0"
 },
 {
- "name": "puppetlabs-apt"
+ "name": "puppetlabs/apt",
+ "version_requirement": ">= 4.5.1 < 5.0.0"
 }
 ],
 "description": "This module tries to manage tor, making sure it is installed, running, has munin graphs if desired and allows for configuration of relays, hidden services, exit policies, etc."
-- cgit v1.2.3
From 6796ab9a974fb9566ddfb0df6b197dc068781a8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Louis-Philippe=20V=C3=A9ronneau?=
Date: Tue, 6 Mar 2018 12:34:07 -0500
Subject: update version to 1.1.0 after immerda merge
---
metadata.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/metadata.json b/metadata.json
index 399a3dc..b5a2d9f 100644
--- a/metadata.json
+++ b/metadata.json
@@ -1,6 +1,6 @@
 {
 "name": "smash-tor",
- "version": "1.0.1",
+ "version": "1.1.0",
 "author": "SMASH",
 "summary": "This project tracks the tor puppet module that manages the tor onion routing system.",
 "license": "GPL-3.0",
-- cgit v1.2.3
From a126312584199726a90c3dd7144abba48a8bd1b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Louis-Philippe=20V=C3=A9ronneau?=
Date: Tue, 19 Jun 2018 12:49:49 -0400
Subject: remove polipo support
---
README.md | 10 ---
files/polipo/polipo.conf | 164 ---------------------------------------------
manifests/compact.pp | 3 -
manifests/polipo.pp | 9 ---
manifests/polipo/base.pp | 22 ------
manifests/polipo/debian.pp | 7 --
6 files changed, 215 deletions(-)
delete mode 100644 files/polipo/polipo.conf
delete mode 100644 manifests/polipo.pp
delete mode 100644 manifests/polipo/base.pp
delete mode 100644 manifests/polipo/debian.pp
diff --git a/README.md b/README.md index dac7078..b4ea4de 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,6 @@ * [Configuring exit policies](#configuring-exit-policies) * [Configuring transport plugins](#configuring-transport-plugins) * [Functions](#functions) -* [Polipo](#polipo) * [Munin](#munin) # Overview @@ -244,15 +243,6 @@ This function takes a 1024bit RSA private key as an argument and returns the oni This function takes a path (on the puppetmaster!) and an identifier for a key and returns an array containing the matching onion address and the private key. The private key either exists under the supplied `path/key_identifier` or is being generated on the fly and stored under that path for the next execution. -# Polipo - -Polipo support can be enabled by doing: - - include tor::polipo - -This will inherit the `tor` class by default, remove `privoxy` if it's -installed, and install `polipo`, making sure it is running. - # Munin If you are using `munin`, and have the puppet munin module installed, you can diff --git a/files/polipo/polipo.conf b/files/polipo/polipo.conf deleted file mode 100644 index 12b10c4..0000000 --- a/files/polipo/polipo.conf +++ /dev/null 
@@ -1,164 +0,0 @@ -# Polipo Configuration from https://svn.torproject.org/svn/torbrowser/trunk/build-scripts/config/polipo.conf -# Managed by puppet. - -### Basic configuration -### ******************* - -# Uncomment one of these if you want to allow remote clients to -# connect: - -# proxyAddress = "::0" # both IPv4 and IPv6 -# proxyAddress = "0.0.0.0" # IPv4 only - -proxyAddress = "127.0.0.1" -proxyPort = 8118 - -# If you do that, you'll want to restrict the set of hosts allowed to -# connect: - -# allowedClients = "127.0.0.1, 134.157.168.57" -# allowedClients = "127.0.0.1, 134.157.168.0/24" - -allowedClients = 127.0.0.1 -allowedPorts = 1-65535 - -# Uncomment this if you want your Polipo to identify itself by -# something else than the host name: - -proxyName = "localhost" - -# Uncomment this if there's only one user using this instance of Polipo: - -cacheIsShared = false - -# Uncomment this if you want to use a parent proxy: - -# parentProxy = "squid.example.org:3128" - -# Uncomment this if you want to use a parent SOCKS proxy: - -socksParentProxy = "localhost:9050" -socksProxyType = socks5 - - -### Memory -### ****** - -# Uncomment this if you want Polipo to use a ridiculously small amount -# of memory (a hundred C-64 worth or so): - -# chunkHighMark = 819200 -# objectHighMark = 128 - -# Uncomment this if you've got plenty of memory: - -# chunkHighMark = 50331648 -# objectHighMark = 16384 - -chunkHighMark = 67108864 - -### On-disk data -### ************ - -# Uncomment this if you want to disable the on-disk cache: - -diskCacheRoot = "" - -# Uncomment this if you want to put the on-disk cache in a -# non-standard location: - -# diskCacheRoot = "~/.polipo-cache/" - -# Uncomment this if you want to disable the local web server: - -localDocumentRoot = "" - -# Uncomment this if you want to enable the pages under /polipo/index? -# and /polipo/servers?. This is a serious privacy leak if your proxy -# is shared. 
- -# disableIndexing = false -# disableServersList = false - -disableLocalInterface = true -disableConfiguration = true - -### Domain Name System -### ****************** - -# Uncomment this if you want to contact IPv4 hosts only (and make DNS -# queries somewhat faster): -# -# dnsQueryIPv6 = no - -# Uncomment this if you want Polipo to prefer IPv4 to IPv6 for -# double-stack hosts: -# -# dnsQueryIPv6 = reluctantly - -# Uncomment this to disable Polipo's DNS resolver and use the system's -# default resolver instead. If you do that, Polipo will freeze during -# every DNS query: - -dnsUseGethostbyname = yes - - -### HTTP -### **** - -# Uncomment this if you want to enable detection of proxy loops. -# This will cause your hostname (or whatever you put into proxyName -# above) to be included in every request: - -disableVia = true - -# Uncomment this if you want to slightly reduce the amount of -# information that you leak about yourself: - -# censoredHeaders = from, accept-language -# censorReferer = maybe - -censoredHeaders = from,accept-language,x-pad,link -censorReferer = maybe - -# Uncomment this if you're paranoid. This will break a lot of sites, -# though: - -# censoredHeaders = set-cookie, cookie, cookie2, from, accept-language -# censorReferer = true - -# Uncomment this if you want to use Poor Man's Multiplexing; increase -# the sizes if you're on a fast line. They should each amount to a few -# seconds' worth of transfer; if pmmSize is small, you'll want -# pmmFirstSize to be larger. - -# Note that PMM is somewhat unreliable. 
- -# pmmFirstSize = 16384 -# pmmSize = 8192 - -# Uncomment this if your user-agent does something reasonable with -# Warning headers (most don't): - -# relaxTransparency = maybe - -# Uncomment this if you never want to revalidate instances for which -# data is available (this is not a good idea): - -# relaxTransparency = yes - -# Uncomment this if you have no network: - -# proxyOffline = yes - -# Uncomment this if you want to avoid revalidating instances with a -# Vary header (this is not a good idea): - -# mindlesslyCacheVary = true - -# Suggestions from Incognito configuration -maxConnectionAge = 5m -maxConnectionRequests = 120 -serverMaxSlots = 8 -serverSlots = 2 -tunnelAllowedPorts = 1-65535 diff --git a/manifests/compact.pp b/manifests/compact.pp index 901dd8b..56e74cc 100644 --- a/manifests/compact.pp +++ b/manifests/compact.pp @@ -3,7 +3,4 @@ class tor::compact { include ::tor include tor::torsocks - if $facts['osfamily'] == 'Debian' { - include tor::polipo - } } diff --git a/manifests/polipo.pp b/manifests/polipo.pp deleted file mode 100644 index 73dc226..0000000 --- a/manifests/polipo.pp +++ /dev/null @@ -1,9 +0,0 @@ -# manage the polipo proxy service -class tor::polipo { - include ::tor - - case $::operatingsystem { - 'debian': { include tor::polipo::debian } - default: { include tor::polipo::base } - } -} diff --git a/manifests/polipo/base.pp b/manifests/polipo/base.pp deleted file mode 100644 index df2d6ea..0000000 --- a/manifests/polipo/base.pp +++ /dev/null @@ -1,22 +0,0 @@ -# manage polipo resources -class tor::polipo::base { - package{'polipo': - ensure => present, - } - - file { '/etc/polipo/config': - ensure => present, - owner => root, - group => root, - mode => '0644', - source => 'puppet:///modules/tor/polipo/polipo.conf', - require => Package['polipo'], - notify => Service['polipo'], - } - - service { 'polipo': - ensure => running, - enable => true, - require => [ Package['polipo'], Service['tor'] ], - } -} 
diff --git a/manifests/polipo/debian.pp b/manifests/polipo/debian.pp deleted file mode 100644 index 607b361..0000000 --- a/manifests/polipo/debian.pp +++ /dev/null @@ -1,7 +0,0 @@ -# manage polipo on debian -class tor::polipo::debian inherits tor::polipo::base { - Service['polipo'] { - hasstatus => false, - pattern => '/usr/bin/polipo', - } -} -- cgit v1.2.3 From 21481ba6a39c61b6fb838a524c7b5a6b7605036b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Louis-Philippe=20V=C3=A9ronneau?= Date: Tue, 19 Jun 2018 12:51:12 -0400 Subject: remove 'compact' class --- manifests/compact.pp | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 manifests/compact.pp diff --git a/manifests/compact.pp b/manifests/compact.pp deleted file mode 100644 index 56e74cc..0000000 --- a/manifests/compact.pp +++ /dev/null @@ -1,6 +0,0 @@ -# manage a complete tor -# installation with all the basics -class tor::compact { - include ::tor - include tor::torsocks -} -- cgit v1.2.3