author | Silvio Rhatto <rhatto@riseup.net> | 2013-01-20 23:09:20 -0200 |
---|---|---|
committer | Silvio Rhatto <rhatto@riseup.net> | 2013-01-20 23:09:20 -0200 |
commit | f252115be193d58d345b7d18228800c68a1e47aa (patch) | |
tree | 31c95ada21d54314ecb1650f2b19e8540386dd62 | |
parent | 89d3242cc7d4607f5eb8f1df39985c3597ee428d (diff) | |
parent | a780e84001177f10a86a7bf824589c0553f513a0 (diff) | |
Merge branch 'master' of ssh://labs.riseup.net/shared-tor
Conflicts:
manifests/daemon.pp
30 files changed, 657 insertions, 281 deletions
@@ -0,0 +1,207 @@
+puppet module for managing tor
+==============================
+
+This module tries to manage tor, making sure it is installed, running, has munin
+graphs if desired and allows for configuration of relays, hidden services, exit
+policies, etc.
+
+! Upgrade Notice !
+
+ the tor::relay{} variables $bandwidth_rate and $bandwidth_burst were previously
+ used for the tor configuration variables RelayBandwidthRate and
+ RelayBandwidthBurst, these have been renamed to $relay_bandwidth_rate and
+ $relay_bandwidth_burst. If you were using these, please rename your variables in
+ your configuration.
+
+ The variables $bandwidth_rate and $bandwidth_burst are now used for the tor
+ configuration variables BandwidthRate and BandwidthBurst. If you used
+ $bandwidth_rate or $bandwidth_burst please be aware that these values have
+ changed and adjust your configuration as necessary.
+
+ The $tor_ensure_version was converted to a parameter for the tor and
+ tor::daemon classes.
+
+ The $torsocks_ensure_version was converted to a parameter for the
+ tor::torsocks class.
+
+ The options that used to be settable with the
+ tor::daemon::global_opts define now are parameters for the
+ tor::daemon class, and tor::daemon::global_opts was
+ removed accordingly.
+
+
+Dependencies
+============
+
+This module needs:
+
+- the concat module: git://labs.riseup.net/shared-concat
+
+Usage
+=====
+
+Installing tor
+--------------
+
+To install tor, simply include the 'tor' class in your manifests:
+
+ class { 'tor': }
+
+You can specify the $ensure_version class parameter to get a specific
+version installed.
+
+However, if you want to make configuration changes to your tor daemon, you will
+want to instead include the 'tor::daemon' class in your manifests, which will
+inherit the 'tor' class from above:
+
+ class { '::tor::daemon': }
+
+You have the following class parameters that you can specify:
+
+data_dir (default: '/var/lib/tor')
+config_file (default: '/etc/tor/torrc')
+use_bridges (default: 0)
+automap_hosts_on_resolve (default: 0)
+log_rules (default: ['notice file /var/log/tor/notices.log'])
+
+The data_dir will be used for the tor user's $HOME, and the tor DataDirectory
+value.
+
+The config_file will be managed and the daemon restarted when
+it changed.
+
+use_bridges and automap_hosts_on_resolve are used to set the
+UseBridges and AutomapHostsOnResolve torrc settings.
+
+The log_rules can be an array of different Log lines, each will be added to the
+config, for example the following will use syslog:
+
+ class { '::tor::daemon':
+ log_rules => [ 'notice syslog' ],
+ }
+
+If you want to set specific options for the tor class,
+you may pass them directly to the tor::daemon in your manifests,
+e.g.:
+
+ class { '::tor::daemon':
+ use_munin => true,
+ automap_hosts_on_resolve => 1,
+ }
+
+Configuring socks
+-----------------
+
+To configure tor socks support, you can do the following:
+
+ tor::daemon::socks { "listen_locally": listen_addresses => [ '127.0.0.1' ]; }
+
+this will setup the SocksListenAddress to be 127.0.0.1. You also can pass the
+following options to tor::daemon::socks:
+
+$port = 0 - SocksPort
+$listen_address - can pass multiple values to configure SocksListenAddress lines
+$policies - can pass multiple values to configure SocksPolicy lines
+
+Installing torsocks
+-------------------
+
+To install torsocks, simply include the 'torsocks' class in your manifests:
+
+ class { 'torsocks': }
+
+You can specify the $ensure_version class parameter to get a specific
+version installed.
+
+Configuring relays
+==================
+
+An example relay configuration:
+
+ tor::daemon::relay { "foobar":
+ port => 9001, listen_addresses => '192.168.0.1', address => '192.168.0.1',
+ bandwidth_rate => '256', bandwidth_burst => '256', contact_info => "Foo <collective at example dot com>",
+ my_family => '<long family string here>'
+ }
+
+You have the following options that can be passed to a relay, with the defaults shown:
+
+$port = 0,
+$listen_addresses = [],
+$bandwidth_rate = '', # KB/s, defaulting to using tor's default: 5120KB/s
+$bandwidth_burst = '', # KB/s, defaulting to using tor's default: 10240KB/s
+$relay_bandwidth_rate = 0, # KB/s, 0 for no limit.
+$relay_bandwidth_burst = 0, # KB/s, 0 for no limit.
+$accounting_max = 0, # GB, 0 for no limit.
+$accounting_start = [],
+$contact_info = '',
+$my_family = '', # TODO: autofill with other relays
+$address = "tor.${domain}",
+$bridge_relay = 0,
+$ensure = present
+$nickname = $name
+
+Configuring the control
+-----------------------
+
+To pass parameters to configure the ControlPort and the HashedControlPassword,
+you would do something like this:
+
+ tor::daemon::control { "foo-control":
+ port => '80', hashed_control_password => '<somehash>',
+ ensure => present
+}
+
+Note: you must pass a hashed password to the control port, if you are going to
+use it.
+
+
+Configuring hidden services
+---------------------------
+
+To configure a tor hidden service you can do something like the following:
+
+ tor::daemon::hidden_service { "hidden_ssh": ports => 22 }
+
+The HiddenServiceDir is set to the ${data_dir}/${name}.
+
+Configuring directories
+-----------------------
+
+An example directory configuration:
+
+ tor::daemon::directory { 'ssh_directory':
+ port => 80, listen_address => '192.168.0.1',
+ port_front_page => '/etc/tor/tor.html'
+ }
+
+Configuring exit policies
+--------------------------
+
+To configure exit policies, you can do the following:
+
+tor::daemon::exit_policy { "ssh_exit_policy":
+ accept => "192.168.0.1:22",
+ reject => "*:*";
+ }
+ }
+
+
+Polipo
+======
+
+Polipo support can be enabled by doing:
+
+ include tor::polipo
+
+this will inherit the tor class by default, remove privoxy if its installed, and
+install polipo, making sure it is running.
+
+
+Munin
+=====
+
+If you are using munin, and have the puppet munin module installed, you can set
+the use_munin parameter to true when defining the tor::daemon class to have
+graphs setup for you.
+
diff --git a/files/polipo.conf b/files/polipo/polipo.conf
index 12b10c4..12b10c4 100644
--- a/files/polipo.conf
+++ b/files/polipo/polipo.conf
diff --git a/files/polipo.cron b/files/polipo/polipo.cron
index aba88bc..aba88bc 100755
--- a/files/polipo.cron
+++ b/files/polipo/polipo.cron
diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..b98451b
--- /dev/null
+++ b/manifests/base.pp
@@ -0,0 +1,14 @@
+# basic management of resources for tor
+class tor::base {
+ package { [ 'tor', 'tor-geoipdb' ]:
+ ensure => $tor::ensure_version,
+ }
+
+ service { 'tor':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => Package['tor'],
+ }
+}
diff --git a/manifests/compact.pp b/manifests/compact.pp
new file mode 100644
index 0000000..c0f5919
--- /dev/null
+++ b/manifests/compact.pp
@@ -0,0 +1,7 @@
+# manage a complete tor
+# installation with all the basics
+class tor::compact {
+ include ::tor
+ include tor::polipo
+ include tor::torsocks
+}
diff --git a/manifests/daemon.pp b/manifests/daemon.pp
index d1d57df..2440180 100644
--- a/manifests/daemon.pp
+++ b/manifests/daemon.pp 
@@ -1,200 +1,21 @@
-# tor::daemon
-class tor::daemon inherits tor {
+# manage a snippet based tor installation
+class tor::daemon (
+ $ensure_version = 'installed',
+ $use_munin = false,
+ $data_dir = '/var/lib/tor',
+ $config_file = '/etc/tor/torrc',
+ $use_bridges = 0,
+ $automap_hosts_on_resolve = 0,
+ $log_rules = [ 'notice file /var/log/tor/notices.log' ]
+) {
- # config variables
- $data_dir = '/var/lib/tor'
- $config_file = '/etc/tor/torrc'
- $spool_dir = '/var/lib/puppet/modules/tor'
- $snippet_dir = "${spool_dir}/torrc.d"
-
- # packages, user, group
- Service['tor'] {
- subscribe => File[$config_file],
- }
-
- Package[ 'tor', 'torsocks' ] {
- require => File[$data_dir],
- }
-
- group { 'debian-tor':
- ensure => present,
- allowdupe => false,
- }
-
- user { 'debian-tor':
- allowdupe => false,
- comment => 'tor user,,,',
- ensure => present,
- home => $data_dir,
- shell => '/bin/bash',
- gid => 'debian-tor',
- require => Group['debian-tor'],
- }
-
- # directories
- file { "${data_dir}":
- ensure => directory,
- mode => 0700,
- owner => 'debian-tor',
- group => 'debian-tor',
- require => User['debian-tor'],
- }
-
- file { '/etc/tor':
- ensure => directory,
- mode => 0755,
- owner => 'debian-tor',
- group => 'debian-tor',
- require => User['debian-tor'],
- }
-
- file { "${spool_dir}":
- ensure => directory,
- owner => 'debian-tor', group => 'debian-tor', mode => 0755,
- }
-
- file { "${snippet_dir}":
- ensure => directory,
- owner => 'debian-tor', group => 'debian-tor', mode => 0755,
- require => File[$spool_dir],
- }
-
- # tor configuration file
- concatenated_file { "${config_file}":
- dir => $snippet_dir,
- mode => 0600,
- owner => 'debian-tor', group => 'debian-tor',
+ class{'tor':
+ ensure_version => $ensure_version,
 }
- # config file headers
- concatenated_file_part { '00.header':
- dir => $snippet_dir,
- content => template('tor/torrc.header.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => present,
- }
-
- # global configurations
- define global_opts( $data_dir = $tor::daemon::data_dir,
- $log_rules = [ 'notice file /var/log/tor/notices.log' ] ) {
-
- concatenated_file_part { '01.global':
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.global.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- }
- }
-
- # socks definition
- define socks( $port = 0,
- $listen_addresses = [],
- $policies = [] ) {
+ include tor::daemon::base
- concatenated_file_part { '02.socks':
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.socks.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- }
+ if $use_munin {
+ include tor::munin
 }
-
- # relay definition
- define relay( $port = 0,
- $listen_addresses = [],
- $outbound_bindaddresses = $listen_addresses,
- $bandwidth_rate = 0, # KB/s, 0 for no limit.
- $bandwidth_burst = 0, # KB/s, 0 for no limit.
- $accounting_max = 0, # GB, 0 for no limit.
- $accounting_start = [],
- $contact_info = '',
- $my_family = '', # TODO: autofill with other relays
- $address = "tor.${domain}",
- $bridge_relay = 0,
- $ensure = present ) {
- $nickname = $name
-
- concatenated_file_part { '03.relay':
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.relay.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => $ensure,
- }
- }
-
- # control definition
- define control( $port = 0,
- $hashed_control_password = '',
- $ensure = present ) {
-
- if $hashed_control_password == '' and $ensure != 'absent' {
- fail("You need to define the tor control password")
- }
-
- concatenated_file_part { '04.control':
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.control.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0600,
- ensure => $ensure,
- }
- }
-
- # hidden services definition
- define hidden_service( $ports = [],
- $data_dir = $tor::daemon::data_dir,
- $ensure = present ) {
-
- concatenated_file_part { "05.hidden_service.${name}":
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.hidden_service.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => $ensure,
- }
- }
-
- # directory advertising
- define directory ( $port = 0,
- $listen_addresses = [],
- $port_front_page = '/etc/tor/tor.html',
- $ensure = present ) {
-
- concatenated_file_part { '06.directory':
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.directory.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => $ensure,
- }
-
- file { '/etc/tor/tor.html':
- source => "puppet:///modules/tor/tor.html",
- require => File['/etc/tor'],
- ensure => $ensure,
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- }
- }
-
- # exit policies
- define exit_policy( $accept = [],
- $reject = [],
- $reject_private = 1,
- $ensure = present ) {
-
- concatenated_file_part { "07.exit_policy.${name}":
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.exit_policy.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => $ensure,
- }
- }
-
- # map address definition
- define map_address( $address = '',
- $newaddress = '') {
-
- concatenated_file_part { "08.map_address.${name}":
- dir => $tor::daemon::snippet_dir,
- content => template('tor/torrc.map_address.erb'),
- owner => 'debian-tor', group => 'debian-tor', mode => 0644,
- ensure => $ensure,
- }
- }
 }
-
diff --git a/manifests/daemon/base.pp b/manifests/daemon/base.pp
new file mode 100644
index 0000000..63d7bc4
--- /dev/null
+++ b/manifests/daemon/base.pp
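Review bot: The new `tor::daemon` body declares its parent with the resource-like form `class{'tor': ensure_version => $ensure_version, }`, while `tor::polipo`, `tor::torsocks` and `tor::compact` in this same commit use `include ::tor`; if any of those is evaluated before `tor::daemon`, Puppet rejects the resource-like declaration as a duplicate of the already-included class. Either the README should state that `tor::daemon` must be declared before anything that includes tor, or the class should only use the resource-like form when a non-default `$ensure_version` is given and otherwise `include ::tor`. The seven parameters also have no documentation in the file; a short header describing each (e.g. `# $data_dir: home of the debian-tor user and tor's DataDirectory`, `# $config_file: concat target for the torrc fragments, restarts tor on change`) would let readers skip the README.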
@@ -0,0 +1,77 @@
+# extend basic tor things with a snippet based daemon configuration
+class tor::daemon::base inherits tor::base {
+ # packages, user, group
+ Service['tor'] {
+ subscribe => File[$tor::daemon::config_file],
+ }
+
+ Package[ 'tor' ] {
+ require => File[$tor::daemon::data_dir],
+ }
+
+ group { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ }
+
+ user { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ comment => 'tor user,,,',
+ home => $tor::daemon::data_dir,
+ shell => '/bin/false',
+ gid => 'debian-tor',
+ require => Group['debian-tor'],
+ }
+
+ # directories
+ file { $tor::daemon::data_dir:
+ ensure => directory,
+ mode => '0700',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/etc/tor':
+ ensure => directory,
+ mode => '0755',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/var/lib/puppet/modules/tor':
+ ensure => absent,
+ recurse => true,
+ force => true,
+ }
+
+ # tor configuration file
+ concat { $tor::daemon::config_file:
+ mode => '0600',
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ }
+
+ # config file headers
+ concat::fragment { '00.header':
+ ensure => present,
+ content => template('tor/torrc.header.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 00,
+ target => $tor::daemon::config_file,
+ }
+
+ # global configurations
+ concat::fragment { '01.global':
+ content => template('tor/torrc.global.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 01,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/manifests/daemon/bridge.pp b/manifests/daemon/bridge.pp
new file mode 100644
index 0000000..063f565
--- /dev/null
+++ b/manifests/daemon/bridge.pp
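Review bot: The concat target `$tor::daemon::config_file` and the `/etc/tor` directory are both owned by `debian-tor`, so the unprivileged service account can rewrite its own torrc; the `'0600'` mode then only hides the file from other users, it does not stop a compromised tor process from changing its configuration (control port, exit policy, hidden service dirs). tor only needs to read the file, including on reload after it has dropped privileges, so `owner => root, group => 'debian-tor', mode => '0640'` on the `concat` resource and `owner => root` on `/etc/tor` keep the configuration read-only for the daemon while the `subscribe => File[$tor::daemon::config_file]` override still restarts it on change. The same owner/group values are repeated on every `concat::fragment` in this commit and can follow the same rule. Moving the shell to `/bin/false` is a good change in the same direction.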
@@ -0,0 +1,18 @@
+# Bridge definition
+define tor::daemon::bridge(
+ $ip,
+ $port,
+ $fingerprint = false,
+ $ensure = present ) {
+
+ concat::fragment { "10.bridge.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.bridge.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 10,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/control.pp b/manifests/daemon/control.pp
new file mode 100644
index 0000000..0172656
--- /dev/null
+++ b/manifests/daemon/control.pp
@@ -0,0 +1,27 @@
+# control definition
+define tor::daemon::control(
+ $port = 0,
+ $hashed_control_password = '',
+ $cookie_authentication = 0,
+ $cookie_auth_file = '',
+ $cookie_auth_file_group_readable = '',
+ $ensure = present ) {
+
+ if $cookie_authentication == '0' and $hashed_control_password == '' and $ensure != 'absent' {
+ fail('You need to define the tor control password')
+ }
+
+ if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') {
+ notice('You set a tor cookie authentication option, but do not have cookie_authentication on')
+ }
+
+ concat::fragment { '04.control':
+ ensure => $ensure,
+ content => template('tor/torrc.control.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0600',
+ order => 04,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/manifests/daemon/directory.pp b/manifests/daemon/directory.pp
new file mode 100644
index 0000000..b71b6e6
--- /dev/null
+++ b/manifests/daemon/directory.pp
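Review bot: `tor::daemon::control` writes `$hashed_control_password` into the `'04.control'` fragment without checking that it is a hash at all, so a caller who passes the cleartext secret gets it stored in torrc and in the compiled catalog, and tor will most likely refuse the value at start. A guard before the fragment, `if $hashed_control_password != '' and $hashed_control_password !~ /^16:/ { fail('hashed_control_password must be the output of tor --hash-password') }`, catches the mistake before anything is written. The two checks also compare the same parameter in two forms (`$cookie_authentication == '0'` on the first `if`, `== 0` on the second); pick one so a later parser with strict typing treats both alike. Keeping the fragment at `'0600'` is right, since this is the only fragment that carries a credential.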
@@ -0,0 +1,27 @@
+# directory advertising
+define tor::daemon::directory (
+ $port = 0,
+ $listen_addresses = [],
+ $port_front_page = '/etc/tor/tor.html',
+ $ensure = present ) {
+
+ concat::fragment { '06.directory':
+ ensure => $ensure,
+ content => template('tor/torrc.directory.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 06,
+ target => $tor::daemon::config_file,
+ }
+
+ file { '/etc/tor/tor.html':
+ ensure => $ensure,
+ source => 'puppet:///modules/tor/tor.html',
+ require => File['/etc/tor'],
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ }
+}
+
diff --git a/manifests/daemon/dns.pp b/manifests/daemon/dns.pp
new file mode 100644
index 0000000..f3a7027
--- /dev/null
+++ b/manifests/daemon/dns.pp
@@ -0,0 +1,17 @@
+# DNS definition
+define tor::daemon::dns(
+ $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concat::fragment { "08.dns.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.dns.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 08,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/exit_policy.pp b/manifests/daemon/exit_policy.pp
new file mode 100644
index 0000000..f459ece
--- /dev/null
+++ b/manifests/daemon/exit_policy.pp
@@ -0,0 +1,18 @@
+# exit policies
+define tor::daemon::exit_policy(
+ $accept = [],
+ $reject = [],
+ $reject_private = 1,
+ $ensure = present ) {
+
+ concat::fragment { "07.exit_policy.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.exit_policy.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 07,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/hidden_service.pp b/manifests/daemon/hidden_service.pp
new file mode 100644
index 0000000..c827211
--- /dev/null
+++ b/manifests/daemon/hidden_service.pp
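Review bot: `order => 08` in `tor::daemon::dns` (and `06`/`07` here, `00`–`05` in base, control, relay and hidden_service, `08` in map_address, `09` in transparent) are unquoted numbers with a leading zero; Puppet 3 hands them to the concat module as the strings it sorts on, but a parser that reads a leading zero as octal rejects `08` and `09` outright, so quoting them (`order => '08'`) as the fragment titles already are avoids the trap for every define in this commit. The defines also differ silently in cardinality: `'06.directory'` is a fixed fragment title, so a second `tor::daemon::directory` on one node is a duplicate declaration, whereas `"08.dns.${name}"` allows several; a one-line comment on the fixed-title defines (`# only one directory definition per node: the fragment title is fixed`) would save users the surprise.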
@@ -0,0 +1,17 @@
+# hidden services definition
+define tor::daemon::hidden_service(
+ $ports = [],
+ $data_dir = $tor::daemon::data_dir,
+ $ensure = present ) {
+
+ concat::fragment { "05.hidden_service.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.hidden_service.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 05,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/map_address.pp b/manifests/daemon/map_address.pp
new file mode 100644
index 0000000..e970fe5
--- /dev/null
+++ b/manifests/daemon/map_address.pp
@@ -0,0 +1,17 @@
+# map address definition
+define tor::daemon::map_address(
+ $address = '',
+ $newaddress = ''
+ $ensure = 'present') {
+
+ concat::fragment { "08.map_address.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.map_address.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 08,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/relay.pp b/manifests/daemon/relay.pp
new file mode 100644
index 0000000..d5296de
--- /dev/null
+++ b/manifests/daemon/relay.pp
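Review bot: The parameter list of the new `tor::daemon::map_address` is missing the comma after `$newaddress = ''`, so the manifest does not parse and any catalog that declares a map_address fails to compile; the line should read `$newaddress = '',`. This define previously lived in daemon.pp without an `$ensure` parameter while still referencing `$ensure`, so adding `$ensure = 'present'` is the right fix, only the separator was lost. The hidden_service define in the same file set is fine as written.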
@@ -0,0 +1,41 @@
+# relay definition
+define tor::daemon::relay(
+ $port = 0,
+ $listen_addresses = [],
+ $outbound_bindaddresses = [],
+ # KB/s, defaulting to using tor's default: 5120KB/s
+ $bandwidth_rate = '',
+ # KB/s, defaulting to using tor's default: 10240KB/s
+ $bandwidth_burst = '',
+ # KB/s, 0 for no limit
+ $relay_bandwidth_rate = 0,
+ # KB/s, 0 for no limit
+ $relay_bandwidth_burst = 0,
+ # GB, 0 for no limit
+ $accounting_max = 0,
+ $accounting_start = [],
+ $contact_info = '',
+ # TODO: autofill with other relays
+ $my_family = '',
+ $address = "tor.${::domain}",
+ $bridge_relay = 0,
+ $ensure = present ) {
+
+ $nickname = $name
+
+ if $outbound_bindaddresses == [] {
+ $real_outbound_bindaddresses = $listen_addresses
+ } else {
+ $real_outbound_bindaddresses = $outbound_bindaddresses
+ }
+
+ concat::fragment { '03.relay':
+ ensure => $ensure,
+ content => template('tor/torrc.relay.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 03,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/manifests/daemon/snippet.pp b/manifests/daemon/snippet.pp
new file mode 100644
index 0000000..b9089b4
--- /dev/null
+++ b/manifests/daemon/snippet.pp
@@ -0,0 +1,16 @@
+# Arbitrary torrc snippet definition
+define tor::daemon::snippet(
+ $content = '',
+ $ensure = present ) {
+
+ concat::fragment { "99.snippet.${name}":
+ ensure => $ensure,
+ content => $content,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 99,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/daemon/socks.pp b/manifests/daemon/socks.pp
new file mode 100644
index 0000000..910461c
--- /dev/null
+++ b/manifests/daemon/socks.pp
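Review bot: The free-text parameters of `tor::daemon::relay` (`$contact_info`, `$my_family`, `$address`, the two address lists) go into torrc.relay.erb verbatim, so a value that contains a newline adds further torrc directives to the relay fragment; as this is the define most likely to be filled from external data (hiera, an ENC), a check such as `if $contact_info =~ /\n/ { fail('contact_info must be a single line') }` on the string parameters keeps fragment boundaries intact, and `tor::daemon::snippet` is the one place where arbitrary torrc content is intended. The `$outbound_bindaddresses == []` fallback to `$listen_addresses` is a behaviour change from the old default and deserves a comment (`# default OutboundBindAddress to the listen addresses, as before`). The fixed `'03.relay'` title also means one relay per node, which the header comment could state.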
@@ -0,0 +1,15 @@
+# socks definition
+define tor::daemon::socks(
+ $port = 0,
+ $listen_addresses = [],
+ $policies = [] ) {
+
+ concat::fragment { '02.socks':
+ content => template('tor/torrc.socks.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 02,
+ target => $tor::daemon::config_file,
+ }
+}
diff --git a/manifests/daemon/transparent.pp b/manifests/daemon/transparent.pp
new file mode 100644
index 0000000..74fed4f
--- /dev/null
+++ b/manifests/daemon/transparent.pp
@@ -0,0 +1,17 @@
+# Transparent proxy definition
+define tor::daemon::transparent(
+ $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concat::fragment { "09.transparent.${name}":
+ ensure => $ensure,
+ content => template('tor/torrc.transparent.erb'),
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ mode => '0644',
+ order => 09,
+ target => $tor::daemon::config_file,
+ }
+}
+
diff --git a/manifests/init.pp b/manifests/init.pp
index 0c38073..9c19c64 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,25 +1,6 @@
-class tor {
-
- if !$tor_ensure_version { $tor_ensure_version = 'installed' }
- if !$torsocks_ensure_version { $torsocks_ensure_version = 'installed'}
-
- package { [ "tor", "tor-geoipdb" ]:
- ensure => $tor_ensure_version,
- }
-
- package { "torsocks":
- ensure => $torsocks_ensure_version,
- }
-
- service { 'tor':
- ensure => running,
- enable => true,
- hasrestart => true,
- hasstatus => true,
- require => Package['tor'],
- }
-
- if $use_munin {
- include tor::munin
- }
+# manage a basic tor installation
+class tor (
+ $ensure_version = 'installed'
+){
+ include tor::base
 }
diff --git a/manifests/munin.pp b/manifests/munin.pp
index ac2630a..4412337 100644
--- a/manifests/munin.pp
+++ b/manifests/munin.pp
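Review bot: `tor::daemon::socks` is the only define in this commit without an `$ensure` parameter, so its `'02.socks'` fragment cannot be withdrawn once declared; adding `$ensure = present` to the signature and `ensure => $ensure,` to the fragment brings it in line with `tor::daemon::transparent` and the others. In the rewritten `class tor`, the old `if $use_munin { include tor::munin }` is gone and munin handling now exists only through the `tor::daemon` parameter, which is a behaviour change for nodes that only `include tor`; the class comment could say `# munin plugins are enabled via tor::daemon's use_munin parameter`.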
@@ -1,23 +1,21 @@
+# munin plugins for puppet
 class tor::munin {
-
- file {
- "/usr/local/share/munin-plugins/tor_connections":
- source => "puppet:///modules/tor/munin/tor_connections",
- mode => 0755, owner => root, group => root;
-
- "/usr/local/share/munin-plugins/tor_routers":
- source => "puppet:///modules/tor/munin/tor_routers",
- mode => 0755, owner => root, group => root;
-
- "/usr/local/share/munin-plugins/tor_traffic":
- source => "puppet:///modules/tor/munin/tor_traffic",
- mode => 0755, owner => root, group => root;
+ tor::daemon::control{
+ 'control_port_for_munin':
+ port => 19051,
+ cookie_authentication => 1,
+ cookie_auth_file => '/var/run/tor/control.authcookie',
 }
- munin::plugin {
- [ "tor_connections", "tor_routers", "tor_traffic" ]:
- ensure => present,
- config => "user debian-tor\n env.cookiefile /var/lib/tor/control_auth_cookie",
- script_path_in => "/usr/local/share/munin-plugins";
+ Munin::Plugin::Deploy {
+ config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie\n env.port 19051"
+ }
+ munin::plugin::deploy {
+ 'tor_connections':
+ source => 'tor/munin/tor_connections';
+ 'tor_routers':
+ source => 'tor/munin/tor_routers';
+ 'tor_traffic':
+ source => 'tor/munin/tor_traffic';
 }
 }
diff --git a/manifests/polipo.pp b/manifests/polipo.pp
index 73eaea2..73dc226 100644
--- a/manifests/polipo.pp
+++ b/manifests/polipo.pp
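Review bot: `tor::munin` now declares `tor::daemon::control { 'control_port_for_munin': ... }`, and that define always creates the fixed-title fragment `'04.control'`, so a node that sets `use_munin => true` and also declares its own `tor::daemon::control` (the README's `foo-control` example) gets a duplicate-declaration error instead of a merged configuration. Either the class comment should say that `use_munin` takes ownership of the control port, or the control define needs a per-instance fragment title so both can coexist. Using cookie authentication with `user debian-tor` for the plugins is the right choice here, since it keeps a password out of both torrc and the munin config. The header `# munin plugins for puppet` presumably means `# munin plugins for tor`.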
@@ -1,43 +1,9 @@
-class tor::polipo inherits tor {
+# manage the polipo proxy service
+class tor::polipo {
+ include ::tor
- package { "privoxy":
- ensure => absent,
+ case $::operatingsystem {
+ 'debian': { include tor::polipo::debian }
+ default: { include tor::polipo::base }
 }
-
- package { "polipo":
- ensure => installed,
- }
-
- service { "polipo":
- ensure => running,
- require => [ Package["polipo"], Service["tor"] ],
- }
-
- file { "/etc/polipo":
- ensure => directory,
- owner => root,
- group => root,
- mode => 0755,
- }
-
- file { "/etc/polipo/config":
- ensure => present,
- owner => root,
- group => root,
- mode => 0644,
- source => "puppet:///modules/tor/polipo.conf",
- notify => Service["polipo"],
- require => File["/etc/polipo"],
- }
-
- # TODO: restore file to original state after the following bug is solved:
- # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580434
- file { "/etc/cron.daily/polipo":
- ensure => present,
- owner => root,
- group => root,
- mode => 0755,
- source => "puppet:///modules/tor/polipo.cron",
- }
-
 }
diff --git a/manifests/polipo/base.pp b/manifests/polipo/base.pp
new file mode 100644
index 0000000..df2d6ea
--- /dev/null
+++ b/manifests/polipo/base.pp
@@ -0,0 +1,22 @@
+# manage polipo resources
+class tor::polipo::base {
+ package{'polipo':
+ ensure => present,
+ }
+
+ file { '/etc/polipo/config':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0644',
+ source => 'puppet:///modules/tor/polipo/polipo.conf',
+ require => Package['polipo'],
+ notify => Service['polipo'],
+ }
+
+ service { 'polipo':
+ ensure => running,
+ enable => true,
+ require => [ Package['polipo'], Service['tor'] ],
+ }
+}
diff --git a/manifests/polipo/debian.pp b/manifests/polipo/debian.pp
new file mode 100644
index 0000000..e39f603
--- /dev/null
+++ b/manifests/polipo/debian.pp
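Review bot: The rewritten `tor::polipo` drops the old `package { "privoxy": ensure => absent }`, yet the README hunk in this same commit still promises that including tor::polipo will "remove privoxy if its installed"; either `tor::polipo::base` should keep `package { 'privoxy': ensure => absent, }` or that sentence should go, since a stale privoxy listening next to polipo is exactly what the removal was guarding against. The `case $::operatingsystem { 'debian': ... }` branch relies on case-insensitive matching against the fact value `Debian`; Puppet 3 matches `case` strings that way, but writing `'Debian'` (or `'debian', 'ubuntu'` if that is the intent) makes the dispatch independent of it.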
@@ -0,0 +1,13 @@
+# manage polipo on debian
+class tor::polipo::debian inherits tor::polipo::base {
+ # TODO: restore file to original state after the following bug is solved:
+ # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580434
+ file { '/etc/cron.daily/polipo':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => '0755',
+ require => Package['polipo'],
+ source => 'puppet:///modules/tor/polipo/polipo.cron',
+ }
+}
diff --git a/manifests/torsocks.pp b/manifests/torsocks.pp
new file mode 100644
index 0000000..e9fc75b
--- /dev/null
+++ b/manifests/torsocks.pp
@@ -0,0 +1,9 @@
+# manage torsocks
+class tor::torsocks (
+ $ensure_version = 'installed'
+){
+ include ::tor
+ package{'torsocks':
+ ensure => $ensure_version,
+ }
+}
diff --git a/templates/torrc.bridge.erb b/templates/torrc.bridge.erb
new file mode 100644
index 0000000..58ef70d
--- /dev/null
+++ b/templates/torrc.bridge.erb
@@ -0,0 +1,3 @@
+# Bridge <%= name%>
+Bridge <%= ip%>:<%= port%><%- if fingerprint -%> <%= fingerprint%><%- end -%>
+
diff --git a/templates/torrc.control.erb b/templates/torrc.control.erb
index df9513a..336c72d 100644
--- a/templates/torrc.control.erb
+++ b/templates/torrc.control.erb
@@ -1,6 +1,16 @@
 # tor controller
 <%- if port != '0' then -%>
 ControlPort <%= port %>
+<%- if cookie_authentication != '0' then -%>
+CookieAuthentication 1
+<%- if cookie_auth_file != '' then -%>
+CookieAuthFile <%= cookie_auth_file %>
+<%- end -%>
+<%- if cookie_auth_file_group_readable != '' then -%>
+CookieAuthFileGroupReadable <%= cookie_auth_file_group_readable %>
+<%- end -%>
+<%- else -%>
 HashedControlPassword <%= hashed_control_password %>
 <%- end -%>
+<%- end -%>
diff --git a/templates/torrc.dns.erb b/templates/torrc.dns.erb
new file mode 100644
index 0000000..bd1e719
--- /dev/null
+++ b/templates/torrc.dns.erb
@@ -0,0 +1,5 @@
+# DNS
+DNSPort <%= port %>
+<%- for listen_address in listen_addresses -%>
+DNSListenAddress <%= listen_address %>
+<%- end -%>
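Review bot: `<%- if cookie_authentication != '0' then -%>` in torrc.control.erb compares against the string `'0'`, but the define's default is the bare number `0`; that only works while the parser hands numeric literals to templates as strings (Puppet 3 does), and as soon as they arrive as Ruby Integers the test is always true, `CookieAuthentication 1` is emitted unconditionally and `HashedControlPassword` is never written, silently switching the authentication method. `<%- if cookie_authentication.to_s != '0' then -%>` (and the same `.to_s` on the existing `port != '0'` test) is correct either way. The bridge and dns templates on this line have no such comparison and look fine.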
diff --git a/templates/torrc.global.erb b/templates/torrc.global.erb
index 6ca49de..3a3b623 100644
--- a/templates/torrc.global.erb
+++ b/templates/torrc.global.erb
@@ -11,3 +11,5 @@ Log <%= log_rule %>
 Log notice syslog
 <%- end -%>
+AutomapHostsOnResolve <%= automap_hosts_on_resolve%>
+UseBridges <%= use_bridges%>
diff --git a/templates/torrc.relay.erb b/templates/torrc.relay.erb
index 2ab34bf..85320d3 100644
--- a/templates/torrc.relay.erb
+++ b/templates/torrc.relay.erb
@@ -4,7 +4,7 @@ ORPort <%= port %>
 <%- for listen_address in listen_addresses -%>
 ORListenAddress <%= listen_address %>
 <%- end -%>
-<%- for outbound_bindaddress in outbound_bindaddresses -%>
+<%- for outbound_bindaddress in real_outbound_bindaddresses -%>
 OutboundBindAddress <%= outbound_bindaddress %>
 <%- end -%>
 <%- if nickname != '' then -%>
@@ -13,11 +13,17 @@ Nickname <%= nickname %>
 <%- if address != '' then -%>
 Address <%= address %>
 <%- end -%>
-<%- if bandwidth_rate != '0' then -%>
-RelayBandwidthRate <%= bandwidth_rate %> KB
+<%- if bandwidth_rate != '' then -%>
+BandwidthRate <%= bandwidth_rate %> KB
 <%- end -%>
-<%- if bandwidth_burst != '0' then -%>
-RelayBandwidthBurst <%= bandwidth_burst %> KB
+<%- if bandwidth_burst != '' then -%>
+BandwidthBurst <%= bandwidth_burst %> KB
+<%- end -%>
+<%- if relay_bandwidth_rate != '0' then -%>
+RelayBandwidthRate <%= relay_bandwidth_rate %> KB
+<%- end -%>
+<%- if relay_bandwidth_burst != '0' then -%>
+RelayBandwidthBurst <%= relay_bandwidth_burst %> KB
 <%- end -%>
 <%- if accounting_max != '0' then -%>
 AccountingMax <%= accounting_max %> GB
diff --git a/templates/torrc.transparent.erb b/templates/torrc.transparent.erb
new file mode 100644
index 0000000..dae97dc
--- /dev/null
+++ b/templates/torrc.transparent.erb
@@ -0,0 +1,5 @@
+# Transparent proxy
+TransPort <%= port %>
+<%- for listen_address in listen_addresses -%>
+TransListenAddress <%= listen_address %>
+<%- end -%>
|
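Review bot: torrc.global.erb reads `automap_hosts_on_resolve` and `use_bridges` as bare template variables, but the fragment that renders it (`'01.global'`) is declared in `tor::daemon::base`, which inherits `tor::base` and is only included from `tor::daemon`; under Puppet 3 scoping the `tor::daemon` class parameters are not visible there, so the template would emit `AutomapHostsOnResolve ` with an empty value and tor rejects the config, unless the deployment still relies on 2.7 dynamic scoping. `AutomapHostsOnResolve <%= scope.lookupvar('tor::daemon::automap_hosts_on_resolve') %>` and `UseBridges <%= scope.lookupvar('tor::daemon::use_bridges') %>` make the lookup explicit; the `log_rules` loop above this hunk presumably has the same problem. The two relay.erb hunks are consistent with the renamed parameters in the new relay define.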