Dzahn has submitted this change and it was merged.

Change subject: Add puppet module for a tor relay
......................................................................


Add puppet module for a tor relay

RT: 7667

Change-Id: Ifcc6070f6ad62e5dbc03a09e4e6df6e0ae973532
---
A manifests/role/tor.pp
A modules/tor/manifests/init.pp
A modules/tor/templates/torrc.erb
3 files changed, 116 insertions(+), 0 deletions(-)

Approvals:
  JanZerebecki: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Dzahn: Looks good to me, approved



diff --git a/manifests/role/tor.pp b/manifests/role/tor.pp
new file mode 100644
index 0000000..fcf665c
--- /dev/null
+++ b/manifests/role/tor.pp
@@ -0,0 +1,17 @@
+class role::tor {
+
+    system::role { 'tor':
+        description => 'Tor relay'
+    }
+
+    class { '::tor':
+        tor_controlport => '9051',
+        tor_orport      => '443',
+        tor_dirport     => '80',
+        tor_address     => 'tor-eqiad-1.wikimedia.org',
+        tor_nickname    => 'wikimedia-eqiad-1',
+        tor_contact     => '[email protected]',
+        tor_exit_policy => 'reject *:*', # no exits allowed
+    }
+
+}
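Review bot: The role passes `tor_controlport`, `tor_orport`, `tor_dirport` and `tor_exit_policy` with exactly the values that the `tor` class in modules/tor/manifests/init.pp already declares as defaults, so those four lines only duplicate the module and leave two places to keep in sync. Dropping them leaves the host-specific address, nickname and contact as the role's only content. If the intent is to pin the ports at role level regardless of future default changes, say so on the resource, e.g. `# ports pinned here on purpose; do not rely on the module defaults`.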
diff --git a/modules/tor/manifests/init.pp b/modules/tor/manifests/init.pp
new file mode 100644
index 0000000..2c6cc00
--- /dev/null
+++ b/modules/tor/manifests/init.pp
@@ -0,0 +1,38 @@
+# sets up a Tor relay
+class tor (
+    $tor_address,
+    $tor_nickname,
+    $tor_contact,
+    $tor_controlport = '9051',
+    $tor_orport = '443', # use 9001 if in use
+    $tor_dirport = '80', # use 9030 if in use
+    $tor_exit_policy = 'reject *:*',
+    ) {
+
+    # tor itself
+    package { 'tor':
+        ensure => 'present',
+    }
+
+    # status monitor for tor
+    # https://www.atagar.com/arm/
+    package { 'tor-arm':
+        ensure => 'present',
+    }
+
+    # main config file
+    file { '/etc/tor/torrc':
+        ensure  => 'present',
+        mode    => '0444',
+        owner   => 'root',
+        group   => 'root',
+        content => template('tor/torrc.erb'),
+        notify  => Service['tor'],
+        require => Package['tor'],
+    }
+
+    service { 'tor':
+        ensure  => 'running',
+        require => Package['tor'],
+    }
+}
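Review bot: `service { 'tor': ensure => 'running' }` carries no `enable => true`, so Puppet restarts the daemon when it is down but does not ensure it starts at boot; add `enable => true,` to the resource. The template this class renders sets `DataDirectory /srv/tor/`, but nothing in the class manages that directory, so the first run depends on Tor being able to create it itself under the account it drops to; a `file { '/srv/tor': ensure => 'directory', ... }` owned by that account and required by the service would make the dependency explicit. The rendered torrc also embeds `HashedControlPassword`, and `mode => '0444'` makes that hash readable by every local user; `mode => '0440'` with `group` set to the account Tor runs as (debian-tor on the Debian package) limits who can read it.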
diff --git a/modules/tor/templates/torrc.erb b/modules/tor/templates/torrc.erb
new file mode 100644
index 0000000..4abb8dc
--- /dev/null
+++ b/modules/tor/templates/torrc.erb
@@ -0,0 +1,61 @@
+######################################################################################
+## THIS FILE IS MANAGED BY PUPPET                                              
      #
+## config for a relay-only tor installation                                    
      #
+## https://www.torproject.org/docs/tor-doc-relay                               
      #
+## 
https://gitweb.torproject.org/tor.git/blob_plain/HEAD:/src/config/torrc.sample.in
 #
+######################################################################################
+
+## do not open socks proxy by default, run as relay only
+SocksPort 0
+
+## self-explaining
+RunAsDemon 1
+
+## use /srv instead of $HOME/.tor
+DataDirectory /srv/tor/
+
+## log to its own file instead of syslog
+Log notice file /var/log/tor/tor.log
+
+## port for local connections from Tor controller
+ControlPort <%= @tor_controlport %>
+
+## password for connections on the control port, generate hash with 'tor 
--hash-password'
+HashedControlPassword <%= 
scope.lookupvar('passwords::tor::hashed_control_password') %>
+
+## port for incoming Tor connections
+ORPort <%= @tor_orport %>
+
+## if we have multiple NICs..
+#OutboundBindAddress 10.0.0.5
+
+## IP or DNS for incoming connections
+Address <%= @tor_address %>
+
+## if we want to throttle
+#RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
+#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
+## (there are also Accounting* options for traffic per day/week/month)
+
+# mirror directory information ('please do if enough bandwidth')
+DirPort <%= @tor_dirport %>
+
+# this is what makes it a relay or an exit node
+ExitPolicy <%= @tor_exit_policy %>
+
+# handle for the relay, so people don't have to refer to it by key.
+Nickname <%= @tor_nickname %>
+
+# admin mail contact
+ContactInfo <%= @tor_contact %>
+
+# if we run more than one relay we should set this
+# get it from /var/lib/tor/fingerprint
+# "You should set MyFamily if you have administrative control
+# of the computers or of their network, even if they're not
+# all in the same geographic location."
+# MyFamily $fingerprint1,$fingerprint2,$fingerprint3
+
+# "try to write to disk less frequently than we would otherwise"
+# we enable this because we are on a box with SSD
+AvoidDiskWrites 1
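Review bot: `RunAsDemon 1` is a misspelling of `RunAsDaemon`; Tor treats an unrecognised option as a fatal configuration error, so the rendered torrc would stop the service from starting at all. Change the line to `RunAsDaemon 1`. The `HashedControlPassword` value is pulled from `passwords::tor::hashed_control_password` via `scope.lookupvar`, which the module documents nowhere; a header comment such as `## control password hash comes from passwords::tor; define it before applying this class` would tell operators what the template expects, since a control port with no working authentication is reachable by any local process.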

-- 
To view, visit https://gerrit.wikimedia.org/r/140948
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ifcc6070f6ad62e5dbc03a09e4e6df6e0ae973532
Gerrit-PatchSet: 8
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>
Gerrit-Reviewer: Alex Monk <[email protected]>
Gerrit-Reviewer: ArielGlenn <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: JanZerebecki <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

