-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi David,
thanks for creating ansible-tor. I added two features that are crucial
to me and maybe useful for others as well. If you like it, feel free
to merge - this is my first ansible experience and it is lightly tested.
Example:
lets say you have added a new server to your inventory. The server has
3 public IP addresses (1.1.1.1, 2.2.2.2, 3.3.3.3). After running
ansible-tor with the new changes you will have the following 6 tor
instances/ORPorts running (without manually specifying IP addresses
first):
1.1.1.1:80
1.1.1.1:443
2.2.2.2:80
2.2.2.2:443
3.3.3.3:80
3.3.3.3:443
including MyFamily configuration across all servers/instances.
regards,
Nusenu
changes
=======
- - auto instance deployment without manual IP/ORPort configuration (new)
starts 2 tor instances per available IP address by default
makes manually specifying IP addresses and ORPorts via
proc_instances obsolete
ORPorts default to 80 and 443 (DirPort not added yet)
replace "single.yml" + "instances.yml" -> instance.yml only
(handles both cases dynamically)
- - MyFamily autogeneration (new)
Keeping all relay fingerprints in sync is probably one
of the most annoying tasks for a relay operator
managing multiple relays, now ansible takes care of this
(all relays need to be in the 'relays' group)
- - directory structure (changed)
defaults:
configs -> /etc/tor/<ip>_<orport>.torrc
log dir -> /var/log/tor/<ip>_<orport>.log
datadir -> /var/lib/tor/<ip>_<orport>/
pid dir -> /var/run/tor/<ip>_<orport>.pid
(previously everything was located in /etc)
- - added torrc sanity check (tor --verify-config ) (new)
- - torrc files are owned by root (previously owned by $tor_user)
- - the pid file check has been removed since the file is not required
to exist
(it will be created when tor starts)
open
- -----
- - it does not take care of instance removals yet
(in case IPs are no longer available or amount of ORPorts have been
reduced)
- - allow opt-out -> only 1 tor instance per host
(even if there are more IPs available)
- - DirPort support
- - detect RFC1918 IPs (opt-in)
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCgAGBQJU4i+CAAoJEFv7XvVCELh0y+kP/i4Mn/XClgXYloGdgWU9UPR+
Y8yZv97FvJOMPI40tccPKcNPcLQFRvGFYkR96sAOGoMfbJT/tQeH2dOxwAEF31mv
afFkLsVPAOpNzlyO2qP1mkLtB/aYXtZ6jb2+JtpAhVBLKOVFBN2nNRiwdgFYZFGy
f0ZIp7xyR9XcAhXo4nc0hlETREAnbMOgFGM6vqqIpJfimF3liE6va5HNw2CD+7Zd
MmeIOuVNvQh09SiYf48AJpBeBRoybOvmFIPphtXEYlC/y6cd/IyUIYdOBuaLa5td
vQnrQOC7TUgp74uarl0yaatOYOEagl0lrNeN6+Vgy5e0e12TgVccWW5ZosM1PBXG
VH2FTfjHXUO+VN0p4xn6AS0dhWTRKb7isj3jpznTMsiq0AcvXM6DZjkzkcCPChVz
jptdUbNvgpdP7j5X11iZniGpxVe7aFo2wCzgZORY1xMysiigJsL4M/nonr4YO4G9
w7kyNcco9gStklJSvOJXbfX4HrOCuWdq8hp4xubyON+5jpEUgMmG1o/v5NJANV4C
CLzlz4kf9l9o351Z7DJQzilxzDEwe6oZwSWnsq+yB65Mgj5sUJnchi40iPLOHSUr
DaVSSUxoZ8VVNYqqvGYb2fysYa7DsCgofsF/eXP4QyJp1WFNwc0ft6qIhyAGIDwx
RfwQHrA+Lg95mdXDyr0B
=QHkD
-----END PGP SIGNATURE-----
diff --git a/defaults/main.yml b/defaults/main.yml index ca5ad28..5f1f92c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,14 +1,32 @@ --- -tor_instance_parent_dir: /etc/tor/instances tor_user: debian-tor -tor_DataDirectory: /var/lib/tor -tor_PidFile: /var/run/tor/tor.pid +tor_ConfDir: /etc/tor + +# Attention: we will run chown tor_user on these folders +tor_PidDir: /var/run/tor +tor_LogDir: /var/log/tor +tor_DataDir: /var/lib/tor + +tor_LogLevel: notice tor_RunAsDaemon: 1 -tor_Log: "notice file /var/log/tor/log" tor_hidden_services_parent_dir: /var/lib/tor/services tor_wait_for_hidden_services: no +# The tor_ORPort array defines how many instances are created per +# available IP address. It does not make sense to specify +# more than two ports. If you want only one instance per IP use +# tor_ORPorts: 443 +tor_ORPorts: [ 80, 443 ] + +#XXX: not implemented yet +# the number of ORPorts and DirPorts must match +#tor_DirPorts: [ '8080', '8888' ] + +tor_SocksPort: 0 + +tor_ExitPolicy: "reject *:*" + tor_obfs4proxy_enabled: False tor_obfs4proxy_release: sid debian_repo: http://ftp.us.debian.org/debian/ diff --git a/tasks/configure_tor_instance.yml b/tasks/configure_tor_instance.yml index 5a12672..b2fbc0e 100644 --- a/tasks/configure_tor_instance.yml +++ b/tasks/configure_tor_instance.yml @@ -1,47 +1,89 @@ --- -- name: ensure tor instance parent dir exists +- name: ensure tor DataDir(s) exist file: > - path={{ tor_instance_parent_dir }} + path={{ tor_DataDir }}/{{ item[0] }}_{{ item[1] }} state=directory owner={{ tor_user }} + mode=0700 + with_nested: + - "{{ ansible_all_ipv4_addresses }}" + - tor_ORPorts -- name: ensure tor instances data dir exist +- name: ensure tor log file(s) are not world readable file: > - path="{{ tor_instance_parent_dir }}/{{ item.name }}/data" - state=directory - owner={{ tor_user }} - with_items: proc_instances - -- name: ensure tor instances log file exist - file: > - path="{{ tor_instance_parent_dir }}/{{ item.name }}/log" + path="{{ tor_LogDir }}/{{ item[0] }}_{{ item[1] }}.log" state=touch owner={{ tor_user }} - with_items: proc_instances + mode=600 + with_nested: + - "{{ ansible_all_ipv4_addresses }}" + - tor_ORPorts -- name: ensure tor instances pid file exist +- name: ensure tor pidDir is owned by tor_user file: > - path="{{ tor_instance_parent_dir }}/{{ item.name }}/tor.pid" - state=touch + path={{ tor_PidDir }} + state=directory owner={{ tor_user }} - with_items: proc_instances + mode=2750 -- name: ensure instances template torrc +- name: generating torrc file(s)... template: > src=torrc - dest="{{ tor_instance_parent_dir }}/{{ item.name }}/torrc" - owner={{ tor_user }} + dest="{{ tor_ConfDir }}/{{ item[0] }}_{{ item[1] }}.torrc" + owner=root mode=0644 - with_items: proc_instances - register: instances_status + with_nested: + - "{{ ansible_all_ipv4_addresses }}" + - tor_ORPorts + register: instances -- name: "ensure tor instances are reloaded if its torrc changed" - shell: "kill -HUP `cat {{ tor_instance_parent_dir }}/{{ item.item.name }}/tor.pid`" +- name: ensure torrc files are sane + shell: "tor --verify-config -f {{ tor_ConfDir }}/{{ item[0] }}_{{ item[1] }}.torrc" + with_nested: + - "{{ ansible_all_ipv4_addresses }}" + - tor_ORPorts + +- name: ensure tor instances are reloaded if its torrc changed + shell: "kill -HUP `cat {{ tor_PidDir }}/{{ item.item[0] }}_{{ item.item[1] }}.pid`" ignore_errors: yes - with_items: instances_status.results + with_items: instances.results when: item.changed == True - name: ensure tor instances are running - shell: "kill -0 `cat {{ tor_instance_parent_dir }}/{{ item.name }}/tor.pid` || tor -f {{ tor_instance_parent_dir }}/{{ item.name }}/torrc" - with_items: proc_instances + shell: "kill -0 `cat {{ tor_PidDir }}/{{ item[0] }}_{{ item[1] }}.pid` || tor -f {{ tor_ConfDir }}/{{ item[0] }}_{{ item[1] }}.torrc" + with_nested: + - "{{ ansible_all_ipv4_addresses }}" + - tor_ORPorts + +# each tor instance has been started at least once +# now we can collect tor fingerprints +- name: gather relay fingerprints (for MyFamily) + shell: "cut -d' ' -f2 {{ tor_DataDir }}/{{ item[0] }}_{{ item[1] }}/fingerprint" + with_nested: + - "{{ ansible_all_ipv4_addresses }}" + - tor_ORPorts + register: tor_fingerprints + +- name: generating torrc file(s) - this time with MyFamily... + template: > + src=torrc + dest="{{ tor_ConfDir }}/{{ item[0] }}_{{ item[1] }}.torrc" + owner=root + mode=0644 + with_nested: + - "{{ ansible_all_ipv4_addresses }}" + - tor_ORPorts + register: instances + +- name: ensure torrc files are still sane (after adding MyFamily) + shell: "tor --verify-config -f {{ tor_ConfDir }}/{{ item[0] }}_{{ item[1] }}.torrc" + with_nested: + - "{{ ansible_all_ipv4_addresses }}" + - tor_ORPorts + +- name: ensure tor instances are reloaded if its torrc changed + shell: "kill -HUP `cat {{ tor_PidDir }}/{{ item.item[0] }}_{{ item.item[1] }}.pid`" + ignore_errors: yes + with_items: instances.results + when: item.changed == True diff --git a/tasks/main.yml b/tasks/main.yml index 54aceb1..e639115 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -20,11 +20,7 @@ - include: hidden_services.yml when: tor_hidden_services is defined -- include: configure_apt_single.yml - when: proc_instances is not defined - - include: configure_tor_instance.yml - when: proc_instances is defined ## wait for hidden services - include: wait_for_hidden_services.yml diff --git a/templates/torrc b/templates/torrc index a5cdca3..10fa10f 100644 --- a/templates/torrc +++ b/templates/torrc @@ -1,31 +1,32 @@ # ansible generated torrc -{% if proc_instances is defined and item is defined %} -RunAsDaemon 1 -User {{ tor_user }} -PidFile {{ tor_instance_parent_dir }}/{{ item.name }}/tor.pid -Log warn file {{ tor_instance_parent_dir }}/{{ item.name }}/log -DataDirectory {{ tor_instance_parent_dir }}/{{ item.name }}/data -{% else %} -DataDirectory {{ tor_DataDirectory }} -PidFile {{ tor_PidFile }} RunAsDaemon {{ tor_RunAsDaemon }} -Log {{ tor_Log }} -{% endif %} -{% if tor_Syslog is defined %} -Log {{ tor_Syslog }} syslog +User {{ tor_user }} + +PidFile {{ tor_PidDir }}/{{ item[0] }}_{{ item[1] }}.pid +Log {{ tor_LogLevel }} file {{ tor_LogDir }}/{{ item[0] }}_{{ item[1] }}.log +DataDirectory {{ tor_DataDir }}/{{ item[0] }}_{{ item[1] }} + +Address {{ item[0] }} +ORPort {{ item[1] }} +ORListenAddress {{ item[0] }} +OutboundBindAddress {{ item[0] }} +SocksPort {{ tor_SocksPort }} + +{% if tor_ContactInfo is defined %} +ContactInfo {{ tor_ContactInfo }} {% endif %} {% if tor_Nickname is defined %} Nickname {{ tor_Nickname }} {% endif %} -{% if tor_ContactInfo is defined %} -ContactInfo {{ tor_ContactInfo }} -{% endif %} -{% if tor_ExitPolicy is defined %} + ExitPolicy {{ tor_ExitPolicy }} + +{% if tor_fingerprints is defined %} +MyFamily {% for host in groups['relays'] %}{% for item in hostvars[host]['tor_fingerprints']['results'] -%}${{ item.stdout }},{%- endfor %}{% endfor %} {% endif %} -{% if tor_ORPort is defined %} -ORPort {{ tor_ORPort }} -{% endif %} + + + {% if tor_ExtORPort is defined %} ExtORPort {{ tor_ExtORPort }} {% endif %} @@ -47,18 +48,12 @@ ServerTransportPlugin {{ tor_ServerTransportPlugin }} {% if tor_ServerTransportOptions is defined %} ServerTransportOptions {{ tor_ServerTransportOptions }} {% endif %} -{% if tor_MyFamily is defined %} -MyFamily {{ tor_MyFamily }} -{% endif %} {% if tor_ReachableAddresses is defined %} ReachableAddresses {{ tor_ReachableAddresses }} {% endif %} {% if tor_SafeLogging is defined %} SafeLogging {{ tor_SafeLogging }} {% endif %} -{% if tor_SocksPort is defined %} -SocksPort {{ tor_SocksPort }} -{% endif %} {% if tor_hidden_services is defined %} {% for service in tor_hidden_services %} HiddenServiceDir {{ tor_hidden_services_parent_dir }}/{{ service.dir }}
ansible-tor.patch.sig
Description: PGP signature
_______________________________________________ tor-relays mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
