authorSilvio Rhatto <rhatto@riseup.net>2013-01-20 23:09:20 -0200
committerSilvio Rhatto <rhatto@riseup.net>2013-01-20 23:09:20 -0200
commitf252115be193d58d345b7d18228800c68a1e47aa (patch)
tree31c95ada21d54314ecb1650f2b19e8540386dd62
parent89d3242cc7d4607f5eb8f1df39985c3597ee428d (diff)
parenta780e84001177f10a86a7bf824589c0553f513a0 (diff)
downloadpuppet-tor-f252115be193d58d345b7d18228800c68a1e47aa.tar.gz
puppet-tor-f252115be193d58d345b7d18228800c68a1e47aa.tar.bz2
Merge branch 'master' of ssh://labs.riseup.net/shared-tor
Conflicts: manifests/daemon.pp
-rw-r--r--README207
-rw-r--r--files/polipo/polipo.conf (renamed from files/polipo.conf)0
-rwxr-xr-xfiles/polipo/polipo.cron (renamed from files/polipo.cron)0
-rw-r--r--manifests/base.pp14
-rw-r--r--manifests/compact.pp7
-rw-r--r--manifests/daemon.pp209
-rw-r--r--manifests/daemon/base.pp77
-rw-r--r--manifests/daemon/bridge.pp18
-rw-r--r--manifests/daemon/control.pp27
-rw-r--r--manifests/daemon/directory.pp27
-rw-r--r--manifests/daemon/dns.pp17
-rw-r--r--manifests/daemon/exit_policy.pp18
-rw-r--r--manifests/daemon/hidden_service.pp17
-rw-r--r--manifests/daemon/map_address.pp17
-rw-r--r--manifests/daemon/relay.pp41
-rw-r--r--manifests/daemon/snippet.pp16
-rw-r--r--manifests/daemon/socks.pp15
-rw-r--r--manifests/daemon/transparent.pp17
-rw-r--r--manifests/init.pp29
-rw-r--r--manifests/munin.pp34
-rw-r--r--manifests/polipo.pp46
-rw-r--r--manifests/polipo/base.pp22
-rw-r--r--manifests/polipo/debian.pp13
-rw-r--r--manifests/torsocks.pp9
-rw-r--r--templates/torrc.bridge.erb3
-rw-r--r--templates/torrc.control.erb10
-rw-r--r--templates/torrc.dns.erb5
-rw-r--r--templates/torrc.global.erb2
-rw-r--r--templates/torrc.relay.erb16
-rw-r--r--templates/torrc.transparent.erb5
30 files changed, 657 insertions, 281 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..c241118
--- /dev/null
+++ b/README
@@ -0,0 +1,207 @@
+puppet module for managing tor
+==============================
+
+This module tries to manage tor, making sure it is installed, running, has munin
+graphs if desired and allows for configuration of relays, hidden services, exit
+policies, etc.
+
+! Upgrade Notice !
+
+ the tor::relay{} variables $bandwidth_rate and $bandwidth_burst were previously
+ used for the tor configuration variables RelayBandwidthRate and
+ RelayBandwidthBurst, these have been renamed to $relay_bandwidth_rate and
+ $relay_bandwidth_burst. If you were using these, please rename your variables in
+ your configuration.
+
+ The variables $bandwidth_rate and $bandwidth_burst are now used for the tor
+ configuration variables BandwidthRate and BandwidthBurst. If you used
+ $bandwidth_rate or $bandwidth_burst please be aware that these values have
+ changed and adjust your configuration as necessary.
+
+ The $tor_ensure_version was converted to a parameter for the tor and
+ tor::daemon classes.
+
+ The $torsocks_ensure_version was converted to a parameter for the
+ tor::torsocks class.
+
+ The options that used to be settable with the
+ tor::daemon::global_opts define now are parameters for the
+ tor::daemon class, and tor::daemon::global_opts was
+ removed accordingly.
+
+
+Dependencies
+============
+
+This module needs:
+
+- the concat module: git://labs.riseup.net/shared-concat
+
+Usage
+=====
+
+Installing tor
+--------------
+
+To install tor, simply include the 'tor' class in your manifests:
+
+ class { 'tor': }
+
+You can specify the $ensure_version class parameter to get a specific
+version installed.
+
+However, if you want to make configuration changes to your tor daemon, you will
+want to instead include the 'tor::daemon' class in your manifests, which will
+inherit the 'tor' class from above:
+
+ class { '::tor::daemon': }
+
+You have the following class parameters that you can specify:
+
+data_dir (default: '/var/lib/tor')
+config_file (default: '/etc/tor/torrc')
+use_bridges (default: 0)
+automap_hosts_on_resolve (default: 0)
+log_rules (default: ['notice file /var/log/tor/notices.log'])
+
+The data_dir will be used for the tor user's $HOME, and the tor DataDirectory
+value.
+
+The config_file will be managed and the daemon restarted when
+it changed.
+
+use_bridges and automap_hosts_on_resolve are used to set the
+UseBridges and AutomapHostsOnResolve torrc settings.
+
+The log_rules can be an array of different Log lines, each will be added to the
+config, for example the following will use syslog:
+
+ class { '::tor::daemon':
+ log_rules => [ 'notice syslog' ],
+ }
+
+If you want to set specific options for the tor class,
+you may pass them directly to the tor::daemon in your manifests,
+e.g.:
+
+ class { '::tor::daemon':
+ use_munin => true,
+ automap_hosts_on_resolve => 1,
+ }
+
+Configuring socks
+-----------------
+
+To configure tor socks support, you can do the following:
+
+ tor::daemon::socks { "listen_locally": listen_addresses => [ '127.0.0.1' ]; }
+
+this will setup the SocksListenAddress to be 127.0.0.1. You also can pass the
+following options to tor::daemon::socks:
+
+$port = 0 - SocksPort
+$listen_address - can pass multiple values to configure SocksListenAddress lines
+$policies - can pass multiple values to configure SocksPolicy lines
+
+Installing torsocks
+-------------------
+
+To install torsocks, simply include the 'torsocks' class in your manifests:
+
+ class { 'torsocks': }
+
+You can specify the $ensure_version class parameter to get a specific
+version installed.
+
+Configuring relays
+==================
+
+An example relay configuration:
+
+ tor::daemon::relay { "foobar":
+ port => 9001, listen_addresses => '192.168.0.1', address => '192.168.0.1',
+ bandwidth_rate => '256', bandwidth_burst => '256', contact_info => "Foo <collective at example dot com>",
+ my_family => '<long family string here>'
+ }
+
+You have the following options that can be passed to a relay, with the defaults shown:
+
+$port = 0,
+$listen_addresses = [],
+$bandwidth_rate = '', # KB/s, defaulting to using tor's default: 5120KB/s
+$bandwidth_burst = '', # KB/s, defaulting to using tor's default: 10240KB/s
+$relay_bandwidth_rate = 0, # KB/s, 0 for no limit.
+$relay_bandwidth_burst = 0, # KB/s, 0 for no limit.
+$accounting_max = 0, # GB, 0 for no limit.
+$accounting_start = [],
+$contact_info = '',
+$my_family = '', # TODO: autofill with other relays
+$address = "tor.${domain}",
+$bridge_relay = 0,
+$ensure = present
+$nickname = $name
+
+Configuring the control
+-----------------------
+
+To pass parameters to configure the ControlPort and the HashedControlPassword,
+you would do something like this:
+
+ tor::daemon::control { "foo-control":
+ port => '80', hashed_control_password => '<somehash>',
+ ensure => present
+}
+
+Note: you must pass a hashed password to the control port, if you are going to
+use it.
+
+
+Configuring hidden services
+---------------------------
+
+To configure a tor hidden service you can do something like the following:
+
+ tor::daemon::hidden_service { "hidden_ssh": ports => 22 }
+
+The HiddenServiceDir is set to the ${data_dir}/${name}.
+
+Configuring directories
+-----------------------
+
+An example directory configuration:
+
+ tor::daemon::directory { 'ssh_directory':
+ port => 80, listen_address => '192.168.0.1',
+ port_front_page => '/etc/tor/tor.html'
+ }
+
+Configuring exit policies
+--------------------------
+
+To configure exit policies, you can do the following:
+
+tor::daemon::exit_policy { "ssh_exit_policy":
+ accept => "192.168.0.1:22",
+ reject => "*:*";
+ }
+ }
+
+
+Polipo
+======
+
+Polipo support can be enabled by doing:
+
+ include tor::polipo
+
+this will inherit the tor class by default, remove privoxy if its installed, and
+install polipo, making sure it is running.
+
+
+Munin
+=====
+
+If you are using munin, and have the puppet munin module installed, you can set
+the use_munin parameter to true when defining the tor::daemon class to have
+graphs setup for you.
+
diff --git a/files/polipo.conf b/files/polipo/polipo.conf
index 12b10c4..12b10c4 100644
--- a/files/polipo.conf
+++ b/files/polipo/polipo.conf
diff --git a/files/polipo.cron b/files/polipo/polipo.cron
index aba88bc..aba88bc 100755
--- a/files/polipo.cron
+++ b/files/polipo/polipo.cron
diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..b98451b
--- /dev/null
+++ b/manifests/base.pp
@@ -0,0 +1,14 @@
+# basic management of resources for tor
+class tor::base {
+ package { [ 'tor', 'tor-geoipdb' ]:
+ ensure => $tor::ensure_version,
+ }
+
+ service { 'tor':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => Package['tor'],
+ }
+}
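Review bot: `ensure => $tor::ensure_version` reads a parameter of class tor, so tor::base only works when it is reached through `include tor` or `class { 'tor': }`; a direct `include tor::base` leaves the package ensure undefined. The header comment should say so, e.g. `# internal: only include via class tor, which supplies $tor::ensure_version`. The same applies to tor::daemon::base later in this commit, which reads `$tor::daemon::config_file` and `$tor::daemon::data_dir` throughout.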
diff --git a/manifests/compact.pp b/manifests/compact.pp
new file mode 100644
index 0000000..c0f5919
--- /dev/null
+++ b/manifests/compact.pp
@@ -0,0 +1,7 @@
+# manage a complete tor
+# installation with all the basics
+class tor::compact {
+ include ::tor
+ include tor::polipo
+ include tor::torsocks
+}
diff --git a/manifests/daemon.pp b/manifests/daemon.pp
index d1d57df..2440180 100644
--- a/manifests/daemon.pp
+++ b/manifests/daemon.pp
@@ -1,200 +1,21 @@
-# tor::daemon
-class tor::daemon inherits tor {
+# manage a snippet based tor installation
+class tor::daemon (
+ $ensure_version = 'installed',
+ $use_munin = false,
+ $data_dir = '/var/lib/tor',
+ $config_file = '/etc/tor/torrc',
+ $use_bridges = 0,
+ $automap_hosts_on_resolve = 0,
+ $log_rules = [ 'notice file /var/log/tor/notices.log' ]
+) {
- # config variables
- $data_dir = '/var/lib/tor'
- $config_file = '/etc/tor/torrc'
- $spool_dir = '/var/lib/puppet/modules/tor'
- $snippet_dir = "${spool_dir}/torrc.d"
-
- # packages, user, group
- Service['tor'] {
- subscribe => File[$config_file],
- }
-
- Package[ 'tor', 'torsocks' ] {
- require => File[$data_dir],
- }
-
- group { 'debian-tor':
- ensure => present,
- allowdupe => false,
- }
-
- user { 'debian-tor':
- allowdupe => false,
- comment => 'tor user,,,',
- ensure => present,
- home => $data_dir,
- shell => '/bin/bash',
- gid => 'debian-tor',
- require => Group['debian-tor'],
- }
-
- # directories
- file { "${data_dir}":
- ensure => directory,
- mode => 0700,
- owner => 'debian-tor',
- group => 'debian-tor',
- require => User['debian-tor'],
- }
-
- file { '/etc/tor':
- ensure => directory,
- mode => 0755,
- owner => 'debian-tor',
- group => 'debian-tor',
- require => User['debian-tor'],
- }
-
- file { "${spool_dir}":
- ensure => directory,
- owner => 'debian-tor', group => 'debian-tor', mode => 0755,
- }
-
- file { "${snippet_dir}":
- ensure => directory,
- owner => 'debian-tor', group => 'debian-tor', mode => 0755,
- require => File[$spool_dir],
- }
-
- # tor configuration file
- concatenated_file { "${config_file}":
- dir => $snippet_dir,
- mode => 0600,
- owner => 'debian-tor', group => 'debian-tor',
+ class{'tor':
+ ensure_version => $ensure_version,
}
- # config file headers
- concatenated_file_part { '00.header':
- dir => $snippet_dir,
- content => template('tor/torrc.header.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => present,
- }
-
- # global configurations
- define global_opts( $data_dir = $tor::daemon::data_dir,
- $log_rules = [ 'notice file /var/log/tor/notices.log' ] ) {
-
- concatenated_file_part { '01.global':
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.global.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- }
- }
-
- # socks definition
- define socks( $port = 0,
- $listen_addresses = [],
- $policies = [] ) {
+ include tor::daemon::base
- concatenated_file_part { '02.socks':
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.socks.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- }
+ if $use_munin {
+ include tor::munin
}
-
- # relay definition
- define relay( $port = 0,
- $listen_addresses = [],
- $outbound_bindaddresses = $listen_addresses,
- $bandwidth_rate = 0, # KB/s, 0 for no limit.
- $bandwidth_burst = 0, # KB/s, 0 for no limit.
- $accounting_max = 0, # GB, 0 for no limit.
- $accounting_start = [],
- $contact_info = '',
- $my_family = '', # TODO: autofill with other relays
- $address = "tor.${domain}",
- $bridge_relay = 0,
- $ensure = present ) {
- $nickname = $name
-
- concatenated_file_part { '03.relay':
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.relay.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => $ensure,
- }
- }
-
- # control definition
- define control( $port = 0,
- $hashed_control_password = '',
- $ensure = present ) {
-
- if $hashed_control_password == '' and $ensure != 'absent' {
- fail("You need to define the tor control password")
- }
-
- concatenated_file_part { '04.control':
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.control.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0600,
- ensure => $ensure,
- }
- }
-
- # hidden services definition
- define hidden_service( $ports = [],
- $data_dir = $tor::daemon::data_dir,
- $ensure = present ) {
-
- concatenated_file_part { "05.hidden_service.${name}":
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.hidden_service.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => $ensure,
- }
- }
-
- # directory advertising
- define directory ( $port = 0,
- $listen_addresses = [],
- $port_front_page = '/etc/tor/tor.html',
- $ensure = present ) {
-
- concatenated_file_part { '06.directory':
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.directory.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => $ensure,
- }
-
- file { '/etc/tor/tor.html':
- source => "puppet:///modules/tor/tor.html",
- require => File['/etc/tor'],
- ensure => $ensure,
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- }
- }
-
- # exit policies
- define exit_policy( $accept = [],
- $reject = [],
- $reject_private = 1,
- $ensure = present ) {
-
- concatenated_file_part { "07.exit_policy.${name}":
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.exit_policy.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => $ensure,
- }
- }
-
- # map address definition
- define map_address( $address = '',
- $newaddress = '') {
-
- concatenated_file_part { "08.map_address.${name}":
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.map_address.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => $ensure,
- }
- }
}
-
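Review bot: `class{'tor': ensure_version => $ensure_version }` declares tor resource-style, while tor::polipo, tor::torsocks and tor::compact in this same commit use `include ::tor`; in Puppet a resource-like declaration that is evaluated after an include of the same class fails with a duplicate declaration error, so whether a catalog compiles depends on evaluation order. If the parameter must be passed through, callers have to declare tor::daemon before any of the include-style classes, and that constraint is not documented anywhere. At minimum add `# must be evaluated before any 'include ::tor' (tor::polipo, tor::torsocks), or Puppet reports a duplicate declaration` on the declaration, or let tor::daemon `include ::tor` as well and supply the version another way.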
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
new file mode 100644
index 0000000..63d7bc4
--- /dev/null
+++ b/manifests/daemon/base.pp
@@ -0,0 +1,77 @@
+# extend basic tor things with a snippet based daemon configuration
+class tor::daemon::base inherits tor::base {
+ # packages, user, group
+ Service['tor'] {
+ subscribe => File[$tor::daemon::config_file],
+ }
+
+ Package[ 'tor' ] {
+ require => File[$tor::daemon::data_dir],
+ }
+
+ group { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ }
+
+ user { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ comment => 'tor user,,,',
+ home => $tor::daemon::data_dir,
+ shell => '/bin/false',
+ gid => 'debian-tor',
+ require => Group['debian-tor'],
+ }
+
+ # directories
+ file { $tor::daemon::data_dir:
+ ensure => directory,
+ mode => '0700',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/etc/tor':
+ ensure => directory,
+ mode => '0755',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/var/lib/puppet/modules/tor':
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
+ # tor configuration file
+ concat { $tor::daemon::config_file:
+ mode => '0600',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ }
+
+ # config file headers
+ concat::fragment { '00.header':
+ ensure => present,
+ content => template('tor/torrc.header.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 00,
+ target => $tor::daemon::config_file,
+ }
+
+ # global configurations
+ concat::fragment { '01.global':
+ content => template('tor/torrc.global.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 01,
+ target => $tor::daemon::config_file,
+ }
+}
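Review bot: `Service['tor'] { subscribe => File[$tor::daemon::config_file] }` depends on the concat module internally declaring a `file` resource titled exactly like the target; the old code subscribed to a `concatenated_file` it managed itself, and this is now an implementation detail of someone else's define. `subscribe => Concat[$tor::daemon::config_file]` follows the define's contained resources automatically and survives a change in the concat module. Separately, `user { 'debian-tor': }` is created before `Package['tor']` is installed, so the uid/gid come from Puppet rather than the Debian package — presumably intended, but `system => true` or a comment would make that explicit.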
diff --git a/manifests/daemon/bridge.pp b/manifests/daemon/bridge.pp
new file mode 100644
index 0000000..063f565
--- /dev/null
+++ b/manifests/daemon/bridge.pp
@@ -0,0 +1,18 @@
+# Bridge definition
+define tor::daemon::bridge(
+ $ip,
+ $port,
+ $fingerprint = false,
+ $ensure = present ) {
+
+ concat::fragment { "10.bridge.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.bridge.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 10,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/control.pp b/manifests/daemon/control.pp
new file mode 100644
index 0000000..0172656
--- /dev/null
+++ b/manifests/daemon/control.pp
@@ -0,0 +1,27 @@
+# control definition
+define tor::daemon::control(
+ $port = 0,
+ $hashed_control_password = '',
+ $cookie_authentication = 0,
+ $cookie_auth_file = '',
+ $cookie_auth_file_group_readable = '',
+ $ensure = present ) {
+
+ if $cookie_authentication == '0' and $hashed_control_password == '' and $ensure != 'absent' {
+ fail('You need to define the tor control password')
+ }
+
+ if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') {
+ notice('You set a tor cookie authentication option, but do not have cookie_authentication on')
+ }
+
+ concat::fragment { '04.control':
+ ensure => $ensure,
+ content => template('tor/torrc.control.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0600',
+ order => 04,
+ target => $tor::daemon::config_file,
+ }
+}
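Review bot: The guard on `$cookie_authentication` compares against the string `'0'` on one line and the number `0` on the next, and torrc.control.erb compares `cookie_authentication != '0'`; Puppet's loose numeric comparison makes these agree today, but any value other than 0 (for example `false` or `'no'`) passes the first check without a password and the template then emits `CookieAuthentication 1`, so cookie auth is silently enabled. Since this check is the only thing preventing a ControlPort from being configured without authentication, use one literal for both manifest checks and document the accepted values: `# cookie_authentication: 0 or 1 only; any other value is treated as enabled`. The second `if` only emits a `notice`, which is easy to miss in a run; hedged, but `warning` seems closer to the intent.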
diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp
new file mode 100644
index 0000000..b71b6e6
--- /dev/null
+++ b/manifests/daemon/directory.pp
@@ -0,0 +1,27 @@
+# directory advertising
+define tor::daemon::directory (
+ $port = 0,
+ $listen_addresses = [],
+ $port_front_page = '/etc/tor/tor.html',
+ $ensure = present ) {
+
+ concat::fragment { '06.directory':
+ ensure => $ensure,
+ content => template('tor/torrc.directory.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 06,
+ target => $tor::daemon::config_file,
+ }
+
+ file { '/etc/tor/tor.html':
+ ensure => $ensure,
+ source => 'puppet:///modules/tor/tor.html',
+ require => File['/etc/tor'],
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ }
+}
+
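Review bot: `$port_front_page` is a parameter, but the `file` resource below is keyed on the literal `/etc/tor/tor.html` and sourced from the module's fixed tor.html, so passing a different `port_front_page` manages a file tor never serves and leaves the configured page unmanaged. Either key the resource on the parameter, `file { $port_front_page:`, or document the limitation with `# /etc/tor/tor.html is always deployed from the module; a custom port_front_page must be managed by the caller`. The fragment title `'06.directory'` carries no `${name}` suffix, which is fine while only one DirPort is ever declared but raises a duplicate declaration otherwise.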
diff --git a/manifests/daemon/dns.pp b/manifests/daemon/dns.pp
new file mode 100644
index 0000000..f3a7027
--- /dev/null
+++ b/manifests/daemon/dns.pp
@@ -0,0 +1,17 @@
+# DNS definition
+define tor::daemon::dns(
+ $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concat::fragment { "08.dns.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.dns.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 08,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/exit_policy.pp b/manifests/daemon/exit_policy.pp
new file mode 100644
index 0000000..f459ece
--- /dev/null
+++ b/manifests/daemon/exit_policy.pp
@@ -0,0 +1,18 @@
+# exit policies
+define tor::daemon::exit_policy(
+ $accept = [],
+ $reject = [],
+ $reject_private = 1,
+ $ensure = present ) {
+
+ concat::fragment { "07.exit_policy.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.exit_policy.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 07,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp
new file mode 100644
index 0000000..c827211
--- /dev/null
+++ b/manifests/daemon/hidden_service.pp
@@ -0,0 +1,17 @@
+# hidden services definition
+define tor::daemon::hidden_service(
+ $ports = [],
+ $data_dir = $tor::daemon::data_dir,
+ $ensure = present ) {
+
+ concat::fragment { "05.hidden_service.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.hidden_service.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 05,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/map_address.pp b/manifests/daemon/map_address.pp
new file mode 100644
index 0000000..e970fe5
--- /dev/null
+++ b/manifests/daemon/map_address.pp
@@ -0,0 +1,17 @@
+# map address definition
+define tor::daemon::map_address(
+ $address = '',
+ $newaddress = ''
+ $ensure = 'present') {
+
+ concat::fragment { "08.map_address.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.map_address.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 08,
+ target => $tor::daemon::config_file,
+ }
+}
+
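Review bot: The parameter list is missing a comma after `$newaddress = ''` on the line before `$ensure = 'present'`, so this define does not parse and any catalog that declares `tor::daemon::map_address` fails to compile. The fix is the one-character change `$newaddress = '',`. Note also that this define and tor::daemon::dns both use `order => 08`; not an error since the fragment titles differ, but the two kinds of fragment then interleave by title rather than by intent.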
diff --git a/manifests/daemon/relay.pp b/manifests/daemon/relay.pp
new file mode 100644
index 0000000..d5296de
--- /dev/null
+++ b/manifests/daemon/relay.pp
@@ -0,0 +1,41 @@
+# relay definition
+define tor::daemon::relay(
+ $port = 0,
+ $listen_addresses = [],
+ $outbound_bindaddresses = [],
+ # KB/s, defaulting to using tor's default: 5120KB/s
+ $bandwidth_rate = '',
+ # KB/s, defaulting to using tor's default: 10240KB/s
+ $bandwidth_burst = '',
+ # KB/s, 0 for no limit
+ $relay_bandwidth_rate = 0,
+ # KB/s, 0 for no limit
+ $relay_bandwidth_burst = 0,
+ # GB, 0 for no limit
+ $accounting_max = 0,
+ $accounting_start = [],
+ $contact_info = '',
+ # TODO: autofill with other relays
+ $my_family = '',
+ $address = "tor.${::domain}",
+ $bridge_relay = 0,
+ $ensure = present ) {
+
+ $nickname = $name
+
+ if $outbound_bindaddresses == [] {
+ $real_outbound_bindaddresses = $listen_addresses
+ } else {
+ $real_outbound_bindaddresses = $outbound_bindaddresses
+ }
+
+ concat::fragment { '03.relay':
+ ensure => $ensure,
+ content => template('tor/torrc.relay.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 03,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/manifests/daemon/snippet.pp b/manifests/daemon/snippet.pp
new file mode 100644
index 0000000..b9089b4
--- /dev/null
+++ b/manifests/daemon/snippet.pp
@@ -0,0 +1,16 @@
+# Arbitrary torrc snippet definition
+define tor::daemon::snippet(
+ $content = '',
+ $ensure = present ) {
+
+ concat::fragment { "99.snippet.${name}":
+ ensure => $ensure,
+ content => $content,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 99,
+ target => $tor::daemon::config_file,
+ }
+}
+
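Review bot: `$content` is written into torrc verbatim at order 99, after every fragment produced by the typed defines, and for most single-valued torrc options tor takes the last occurrence, so a snippet can silently override settings such as ControlPort that the other defines manage. That is presumably the intent of an escape hatch, but the header comment should say so: `# content is appended verbatim after all other fragments; single-valued options set here take precedence over the typed defines`. The hunk performs no validation of `$content`, which is consistent with that role but worth stating.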
diff --git a/manifests/daemon/socks.pp b/manifests/daemon/socks.pp
new file mode 100644
index 0000000..910461c
--- /dev/null
+++ b/manifests/daemon/socks.pp
@@ -0,0 +1,15 @@
+# socks definition
+define tor::daemon::socks(
+ $port = 0,
+ $listen_addresses = [],
+ $policies = [] ) {
+
+ concat::fragment { '02.socks':
+ content => template('tor/torrc.socks.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 02,
+ target => $tor::daemon::config_file,
+ }
+}
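Review bot: Unlike every other define added in this commit, `tor::daemon::socks` has no `$ensure` parameter and its `concat::fragment` sets no `ensure =>`, so a socks fragment can be added but never removed through the same interface. Adding `$ensure = present` to the signature and `ensure => $ensure,` to the fragment brings it in line with tor::daemon::dns and tor::daemon::transparent. The README on this page also documents the parameter as `$listen_address` while the define takes `$listen_addresses`; the define's name is the one callers must use.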
diff --git a/manifests/daemon/transparent.pp b/manifests/daemon/transparent.pp
new file mode 100644
index 0000000..74fed4f
--- /dev/null
+++ b/manifests/daemon/transparent.pp
@@ -0,0 +1,17 @@
+# Transparent proxy definition
+define tor::daemon::transparent(
+ $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concat::fragment { "09.transparent.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.transparent.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 09,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 0c38073..9c19c64 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,25 +1,6 @@
-class tor {
-
- if !$tor_ensure_version { $tor_ensure_version = 'installed' }
- if !$torsocks_ensure_version { $torsocks_ensure_version = 'installed'}
-
- package { [ "tor", "tor-geoipdb" ]:
- ensure => $tor_ensure_version,
- }
-
- package { "torsocks":
- ensure => $torsocks_ensure_version,
- }
-
- service { 'tor':
- ensure => running,
- enable => true,
- hasrestart => true,
- hasstatus => true,
- require => Package['tor'],
- }
-
- if $use_munin {
- include tor::munin
- }
+# manage a basic tor installation
+class tor (
+ $ensure_version = 'installed'
+){
+ include tor::base
}
diff --git a/manifests/munin.pp b/manifests/munin.pp
index ac2630a..4412337 100644
--- a/manifests/munin.pp
+++ b/manifests/munin.pp
@@ -1,23 +1,21 @@
+# munin plugins for puppet
class tor::munin {
-
- file {
- "/usr/local/share/munin-plugins/tor_connections":
- source => "puppet:///modules/tor/munin/tor_connections",
- mode => 0755, owner => root, group => root;
-
- "/usr/local/share/munin-plugins/tor_routers":
- source => "puppet:///modules/tor/munin/tor_routers",
- mode => 0755, owner => root, group => root;
-
- "/usr/local/share/munin-plugins/tor_traffic":
- source => "puppet:///modules/tor/munin/tor_traffic",
- mode => 0755, owner => root, group => root;
+ tor::daemon::control{
+ 'control_port_for_munin':
+ port => 19051,
+ cookie_authentication => 1,
+ cookie_auth_file => '/var/run/tor/control.authcookie',
}
- munin::plugin {
- [ "tor_connections", "tor_routers", "tor_traffic" ]:
- ensure => present,
- config => "user debian-tor\n env.cookiefile /var/lib/tor/control_auth_cookie",
- script_path_in => "/usr/local/share/munin-plugins";
+ Munin::Plugin::Deploy {
+ config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051"
+ }
+ munin::plugin::deploy {
+ 'tor_connections':
+ source => 'tor/munin/tor_connections';
+ 'tor_routers':
+ source => 'tor/munin/tor_routers';
+ 'tor_traffic':
+ source => 'tor/munin/tor_traffic';
}
}
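Review bot: `tor::daemon::control { 'control_port_for_munin': ... }` produces the fragment titled `'04.control'`, which has no `${name}` suffix, so enabling `use_munin` cannot coexist with a user-declared `tor::daemon::control` — Puppet reports a duplicate declaration. The port 19051 and the path `/var/run/tor/control.authcookie` are also repeated between the control define and the `Munin::Plugin::Deploy` default; a pair of class-local variables, or a comment `# must match the cookie_auth_file passed to tor::daemon::control above`, would keep them from drifting. Whether tor actually writes the cookie at that path depends on the CookieAuthFile line the control template emits and on `/var/run/tor` being writable by debian-tor, neither of which this hunk manages.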
diff --git a/manifests/polipo.pp b/manifests/polipo.pp
index 73eaea2..73dc226 100644
--- a/manifests/polipo.pp
+++ b/manifests/polipo.pp
@@ -1,43 +1,9 @@
-class tor::polipo inherits tor {
+# manage the polipo proxy service
+class tor::polipo {
+ include ::tor
- package { "privoxy":
- ensure => absent,
+ case $::operatingsystem {
+ 'debian': { include tor::polipo::debian }
+ default: { include tor::polipo::base }
}
-
- package { "polipo":
- ensure => installed,
- }
-
- service { "polipo":
- ensure => running,
- require => [ Package["polipo"], Service["tor"] ],
- }
-
- file { "/etc/polipo":
- ensure => directory,
- owner => root,
- group => root,
- mode => 0755,
- }
-
- file { "/etc/polipo/config":
- ensure => present,
- owner => root,
- group => root,
- mode => 0644,
- source => "puppet:///modules/tor/polipo.conf",
- notify => Service["polipo"],
- require => File["/etc/polipo"],
- }
-
- # TODO: restore file to original state after the following bug is solved:
- # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580434
- file { "/etc/cron.daily/polipo":
- ensure => present,
- owner => root,
- group => root,
- mode => 0755,
- source => "puppet:///modules/tor/polipo.cron",
- }
-
}
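Review bot: The new `tor::polipo` no longer declares `package { 'privoxy': ensure => absent }` (removed on the old side here and not moved into tor::polipo::base or tor::polipo::debian), yet the README added in this same commit still states that including tor::polipo will "remove privoxy if its installed". Either restore the package resource in tor::polipo::base or correct the README; until then a comment on the class, `# privoxy is no longer removed; README still says it is`, keeps the discrepancy visible. The `case $::operatingsystem` arm matches lowercase `'debian'` against a fact value of `Debian`, which presumably relies on Puppet's case-insensitive string matching in case statements; that is worth a comment because later Puppet releases match case-sensitively.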
diff --git a/manifests/polipo/base.pp b/manifests/polipo/base.pp
new file mode 100644
index 0000000..df2d6ea
--- /dev/null
+++ b/manifests/polipo/base.pp
@@ -0,0 +1,22 @@
+# manage polipo resources
+class tor::polipo::base {
+ package{'polipo':
+ ensure => present,
+ }
+
+ file { '/etc/polipo/config':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0644',
+ source => 'puppet:///modules/tor/polipo/polipo.conf',
+ require => Package['polipo'],
+ notify => Service['polipo'],
+ }
+
+ service { 'polipo':
+ ensure => running,
+ enable => true,
+ require => [ Package['polipo'], Service['tor'] ],
+ }
+}
diff --git a/manifests/polipo/debian.pp b/manifests/polipo/debian.pp
new file mode 100644
index 0000000..e39f603
--- /dev/null
+++ b/manifests/polipo/debian.pp
@@ -0,0 +1,13 @@
+# manage polipo on debian
+class tor::polipo::debian inherits tor::polipo::base {
+ # TODO: restore file to original state after the following bug is solved:
+ # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580434
+ file { '/etc/cron.daily/polipo':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0755',
+ require => Package['polipo'],
+ source => 'puppet:///modules/tor/polipo/polipo.cron',
+ }
+}
diff --git a/manifests/torsocks.pp b/manifests/torsocks.pp
new file mode 100644
index 0000000..e9fc75b
--- /dev/null
+++ b/manifests/torsocks.pp
@@ -0,0 +1,9 @@
+# manage torsocks
+class tor::torsocks (
+ $ensure_version = 'installed'
+){
+ include ::tor
+ package{'torsocks':
+ ensure => $ensure_version,
+ }
+}
diff --git a/templates/torrc.bridge.erb b/templates/torrc.bridge.erb
new file mode 100644
index 0000000..58ef70d
--- /dev/null
+++ b/templates/torrc.bridge.erb
@@ -0,0 +1,3 @@
+# Bridge <%= name%>
+Bridge <%= ip%>:<%= port%><%- if fingerprint -%> <%= fingerprint%><%- end -%>
+
diff --git a/templates/torrc.control.erb b/templates/torrc.control.erb
index df9513a..336c72d 100644
--- a/templates/torrc.control.erb
+++ b/templates/torrc.control.erb
@@ -1,6 +1,16 @@
# tor controller
<%- if port != '0' then -%>
ControlPort <%= port %>
+<%- if cookie_authentication != '0' then -%>
+CookieAuthentication 1
+<%- if cookie_auth_file != '' then -%>
+CookieAuthFile <%= cookie_auth_file %>
+<%- end -%>
+<%- if cookie_auth_file_group_readable != '' then -%>
+CookieAuthFileGroupReadable <%= cookie_auth_file_group_readable %>
+<%- end -%>
+<%- else -%>
HashedControlPassword <%= hashed_control_password %>
<%- end -%>
+<%- end -%>
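Review bot: In the new cookie branch `HashedControlPassword` is no longer emitted even when `hashed_control_password` was supplied, because it now sits in the `else` of `cookie_authentication != '0'`; tor accepts both authentication methods in the same torrc, so this is a design choice rather than a requirement. If only-one-method is intended, say so in the template header, e.g. `# cookie authentication replaces the hashed password when enabled`; otherwise move the HashedControlPassword block outside the else so both are written when both are set. The surrounding `<%- if port != '0' then -%>` starts above the hunk and is closed by the last added `<%- end -%>`.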
diff --git a/templates/torrc.dns.erb b/templates/torrc.dns.erb
new file mode 100644
index 0000000..bd1e719
--- /dev/null
+++ b/templates/torrc.dns.erb
@@ -0,0 +1,5 @@
+# DNS
+DNSPort <%= port %>
+<%- for listen_address in listen_addresses -%>
+DNSListenAddress <%= listen_address %>
+<%- end -%>
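Review bot: `DNSPort <%= port %>` is emitted even with the define's default `port = 0`, and torrc.transparent.erb does the same for `TransPort`; tor treats a port of 0 as disabled, so the lines are harmless, but torrc.control.erb guards its port with `<%- if port != '0' then -%>` and the three templates should agree. Wrapping the two new templates in the same guard keeps a bare `tor::daemon::dns { 'x': }` from writing a no-op line into torrc.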
diff --git a/templates/torrc.global.erb b/templates/torrc.global.erb
index 6ca49de..3a3b623 100644
--- a/templates/torrc.global.erb
+++ b/templates/torrc.global.erb
@@ -11,3 +11,5 @@ Log <%= log_rule %>
Log notice syslog
<%- end -%>
+AutomapHostsOnResolve <%= automap_hosts_on_resolve%>
+UseBridges <%= use_bridges%>
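Review bot: `<%= automap_hosts_on_resolve%>` and `<%= use_bridges%>` are unqualified lookups, but this template is rendered by the `'01.global'` fragment in class tor::daemon::base (manifests/daemon/base.pp in this commit) while the variables are parameters of class tor::daemon; the template only finds them if dynamic scoping resolves the including class's variables, which Puppet deprecated in 2.7 and removed in 3.0. Qualifying the lookups, `<%= scope.lookupvar('tor::daemon::use_bridges') %>` and likewise for `tor::daemon::automap_hosts_on_resolve`, makes the template independent of where it is rendered. The existing `log_rule` loop above the hunk presumably has the same dependency.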
diff --git a/templates/torrc.relay.erb b/templates/torrc.relay.erb
index 2ab34bf..85320d3 100644
--- a/templates/torrc.relay.erb
+++ b/templates/torrc.relay.erb
@@ -4,7 +4,7 @@ ORPort <%= port %>
<%- for listen_address in listen_addresses -%>
ORListenAddress <%= listen_address %>
<%- end -%>
-<%- for outbound_bindaddress in outbound_bindaddresses -%>
+<%- for outbound_bindaddress in real_outbound_bindaddresses -%>
OutboundBindAddress <%= outbound_bindaddress %>
<%- end -%>
<%- if nickname != '' then -%>
@@ -13,11 +13,17 @@ Nickname <%= nickname %>
<%- if address != '' then -%>
Address <%= address %>
<%- end -%>
-<%- if bandwidth_rate != '0' then -%>
-RelayBandwidthRate <%= bandwidth_rate %> KB
+<%- if bandwidth_rate != '' then -%>
+BandwidthRate <%= bandwidth_rate %> KB
<%- end -%>
-<%- if bandwidth_burst != '0' then -%>
-RelayBandwidthBurst <%= bandwidth_burst %> KB
+<%- if bandwidth_burst != '' then -%>
+BandwidthBurst <%= bandwidth_burst %> KB
+<%- end -%>
+<%- if relay_bandwidth_rate != '0' then -%>
+RelayBandwidthRate <%= relay_bandwidth_rate %> KB
+<%- end -%>
+<%- if relay_bandwidth_burst != '0' then -%>
+RelayBandwidthBurst <%= relay_bandwidth_burst %> KB
<%- end -%>
<%- if accounting_max != '0' then -%>
AccountingMax <%= accounting_max %> GB
diff --git a/templates/torrc.transparent.erb b/templates/torrc.transparent.erb
new file mode 100644
index 0000000..dae97dc
--- /dev/null
+++ b/templates/torrc.transparent.erb
@@ -0,0 +1,5 @@
+# Transparent proxy
+TransPort <%= port %>
+<%- for listen_address in listen_addresses -%>
+TransListenAddress <%= listen_address %>
+<%- end -%>