From 0f12a54eab89da8766bdb27b0308bca77c076d99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Sun, 30 Jul 2023 12:39:41 +0200
Subject: [PATCH] Refactor tor usage entirely

Use a custom resource and separate recipe for service configs with pre-set keys and hostnames
---
 data_bags/credentials/tor.json | 6 +++---
 roles/openresty_proxy.rb | 7 -------
 site-cookbooks/kosmos-base/recipes/tor_services.rb | 11 +++++++++++
 site-cookbooks/kosmos-base/resources/tor_service.rb | 4 ++--
 site-cookbooks/kosmos-ejabberd/attributes/default.rb | 8 --------
 site-cookbooks/kosmos-ejabberd/recipes/default.rb | 7 -------
 site-cookbooks/tor-full/recipes/default.rb | 6 +----
 site-cookbooks/tor-full/templates/default/torrc.erb | 2 +-
 8 files changed, 18 insertions(+), 33 deletions(-)

diff --git a/data_bags/credentials/tor.json b/data_bags/credentials/tor.json
index d9ef877..d4ddf42 100644
--- a/data_bags/credentials/tor.json
+++ b/data_bags/credentials/tor.json
@@ -1,9 +1,9 @@
 {
   "id": "tor",
   "services": {
-    "encrypted_data": "GjdhL4Hgm7mrwU47e2GfotqgRSuiN+0Q19X45EWkdwbIojDfeWXwzOYFFJQK\nAWidVWKM0rdjBXkamZwbJJm8wzDi+1YFBSfE/q4NXY3Zg4JnBulMaBr4xrRn\nYbmSiRIPe0XMpwT3WbuBatZTe6EMGJJEZPgkfIcg7WjhjEnFY9xRSjrOSJGp\nBzcL1cKc+y2JyQZlpKtFK947g15EEytHWg3BdwkIvm4H+J8faM2y56lsfX8E\nG1dw9i3CKqjF2hDKe2V9yIOBji1P2Nh0Z7e3kLGhF5Nx4xfEdCHXAOQ/+vyt\nJf3pka0VQ9TsnWlkR+9CwtD9iLTnNOvO9wfHx0GuVRaR6QhMYDF2gd/9G8Zp\nQDlfJSEioETnwLwcPV7eBZ+Vso+N56J+fHHlGK3vEZSxegqNU2siLl26yZe+\nTrhKbiynLoM1290RgTNjsvMSaVLQobB5Fwpn+B01vvbIGGZ9XZWAvuCi8GmR\n",
-    "iv": "rj5lIBWPovDtMtnh\n",
-    "auth_tag": "2K55wQOY6FAWpKgskMx7xw==\n",
+    "encrypted_data": "CvvJlXfs1KhAveBJ/IdTGa19F/bREnr7DCCuw3CiZ8D04gdn4Yw6WbGwvqhR\nahv5hUvvHTQS/YUxdXE3joTp9MyZ3DK5PbR8sOCWVfylG9YYOJD8nUhxQLA9\nMKU75j5v1K2pAZ4qLkG9HNUPWV4SYWgGY5ok9GzlhCd/g0NGaqZBFyARDxLu\n+diFg9bz2FfELfcgz0m9abbCZDKJkEozVyU+VgXMge0hU52GUrlQnYZe/c43\ngBavOScolmwv7ej7mKmpJMRvNXNSx1avjS/8tQP68KZGBTEbUYisRHKVKWpA\ngBZR/5oGlcn3gLt25xTWRv/GaH+pUfqwKCpjd1vhpEqhK7poDXQUm9mDB3bG\nzLQUwPhJ8gmD9nl+8t3fmKiPPFdaKapOtSpsCTutkzlmGwwo3bhQsYjcD+5U\nqDoHR5UjDwADszjUiRV3/iNHojXCEic0u1RFCNsojYNwP718grVnUcx+U/50\n5A2vgahLG89tmY7DN2padd0xgHM8SkZVGga8DGQNWAPzo12DEJWbtcIwR6gd\nbyOwdPDVvUibBhyGMbBwyfzoFMsS//fulq4xJpoQH1yd9Hd/05YlMJSuP2TW\nLpVBTq5rEA4EAVIVgTMfkkP2nHAeEeCfLkaV8fURKTonaX0g8b5vcPzkpv0F\nVPNeGEBs3tRaIe0dm5eN21HD2lpHyiSKOZwidQH/NAZWB/IK73LGExjd+GnP\ndnqGBQ1wWsYGaM/UQTxbCn+p0QDlJVUWKGgfimjn5ru7le3dZmkCyAB28gLz\nJgXoAAZz3+E+nhdnLeBKkVTLFGzZyNxMlSt33T1QlpCSgCMvzF9kVmzmoexm\nvEtsZrWHvIHN9EVVCC8KgkGyTkmFnTM48BGyGM2ovjLYsOeeef5tqUd6noBi\nJxfYbUIySXtuSXr7pIAE1+Qzp8duRdjaJ0CYbYWf\n",
+    "iv": "qtzvl79A/PZc5JjE\n",
+    "auth_tag": "QXY8QZigLC4nVMIELoZRUA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }
diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb
index a3107f4..083ce41 100644
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
@@ -4,13 +4,6 @@ override_attributes(
   'openresty' => {
     'server_names_hash_bucket_size' => 128
   },
-  'tor' => {
-    'HiddenServices' => {
-      'web' => {
-        'HiddenServicePorts' => ['80 127.0.0.1:80', '443 127.0.0.1:443']
-      }
-    }
-  }
 )
 
 development_run_list = %w(
diff --git a/site-cookbooks/kosmos-base/recipes/tor_services.rb b/site-cookbooks/kosmos-base/recipes/tor_services.rb
index 448d4de..3b0d841 100644
--- a/site-cookbooks/kosmos-base/recipes/tor_services.rb
+++ b/site-cookbooks/kosmos-base/recipes/tor_services.rb
@@ -5,6 +5,17 @@ tor_services = data_bag_item('credentials', 'tor')['services']
+tor_service "ejabberd" do
+  hostname tor_services['ejabberd']['hostname']
+  public_key tor_services['ejabberd']['public_key']
+  secret_key tor_services['ejabberd']['secret_key']
+  # TODO configure IP from node attribute
+  # (This is hardcoded for draco atm)
+  ports [ "5222 148.251.237.73:5222",
+          "5223 148.251.237.73:5223",
+          "5269 148.251.237.73:5269" ]
+end
+
 tor_service "web" do
   hostname tor_services['web']['hostname']
   public_key tor_services['web']['public_key']
diff --git a/site-cookbooks/kosmos-base/resources/tor_service.rb b/site-cookbooks/kosmos-base/resources/tor_service.rb
index 83cc032..bd53c8b 100644
--- a/site-cookbooks/kosmos-base/resources/tor_service.rb
+++ b/site-cookbooks/kosmos-base/resources/tor_service.rb
@@ -5,8 +5,8 @@ provides :tor_service
 
 property :name, [String], name_property: true
 property :hostname, [String], required: true
-property :public_key, [String], required: true
-property :secret_key, [String], required: true
+property :public_key, [String], required: true # base64 encoded content of generated key file
+property :secret_key, [String], required: true # base64 encoded content of generated key file
 property :ports, [Array], required: true
 
 default_action :create
diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
index b0c9ecb..922a35e 100644
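Review bot: The three `ports` entries hardcode the host address 148.251.237.73 (the TODO admits it), so on any node other than the one it was written for the onion service is pointed at the wrong forward target and nothing in the recipe notices. Taking the address from Ohai removes the per-host constant: `ports ["5222 #{node['ipaddress']}:5222", "5223 #{node['ipaddress']}:5223", "5269 #{node['ipaddress']}:5269"]`. Unlike the attribute block this replaces, which forwarded to 127.0.0.1, the new target is a routable interface address, which presumably reflects where ejabberd listens but is worth confirming. `tor_services['ejabberd']` is also indexed without a guard, so a data bag lacking that entry fails with NoMethodError on nil instead of an error naming the missing key; `tor_services.fetch('ejabberd')` gives the clearer failure.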
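Review bot: `secret_key` holds the onion service's private key (the recipe feeds it `tor_services['ejabberd']['secret_key']` from the encrypted data bag), yet the property is not marked sensitive, so its value can surface in why-run, debug and reporting output whenever the resource converges. The new comment documents only the encoding; `property :secret_key, [String], required: true, sensitive: true # base64 encoded content of generated key file` keeps the value out of run output while preserving the comment. The comment on both properties would also be more useful if it named which file in the service directory each property is the content of, rather than just "generated key file".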
--- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
@@ -6,14 +6,6 @@ node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
 node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
 node.default["kosmos-ejabberd"]["turn_max_port"] = 50050
 
-node.override["tor"]["HiddenServices"]["ejabberd"] = {
-  "HiddenServicePorts" => [
-    "5222 127.0.0.1:5222",
-    "5223 127.0.0.1:5223",
-    "5269 127.0.0.1:5269"
-  ]
-}
-
 node.default["kosmos-ejabberd"]["uploads"] = {
   "domain" => "uploads.kosmos.chat",
   "max_upload_size_mb" => "100",
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index 7a6e588..5468f52 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -205,10 +205,3 @@ firewall_rule 'ejabberd_http' do
   protocol :tcp
   command :allow
 end
-
-#
-# Tor hidden service
-#
-# The attributes for the hidden service are set in attributes/default.rb, due
-# to the way the tor-full cookbook builds the path to the hidden service dir
-include_recipe "tor-full"
diff --git a/site-cookbooks/tor-full/recipes/default.rb b/site-cookbooks/tor-full/recipes/default.rb
index c8e7110..a16d021 100644
--- a/site-cookbooks/tor-full/recipes/default.rb
+++ b/site-cookbooks/tor-full/recipes/default.rb
@@ -85,7 +85,7 @@ ruby_block "read-hostnames" do
   block do
     # Set generated hostname for hidden services
     node['tor']['HiddenServices'].each do |name, service|
-      path = File.join(service['HiddenServiceDir'], "/hostname")
+      path = "/var/lib/tor/#{name}/hostname"
       node.normal['tor']['HiddenServices'][name]['hostname'] = File.read(path).strip()
     end
   end
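Review bot: The new `path` line hardcodes `/var/lib/tor/` as the parent of every hidden service directory, and the torrc.erb hunk repeats the same literal in `HiddenServiceDir /var/lib/tor/<%= name %>/`; the two now have to stay byte-identical across two files with nothing tying them together, and if one is edited alone the `File.read` here raises Errno::ENOENT for a hostname tor wrote somewhere else. A single source keeps them in step — the template already reads `node['tor']['DataDirectory']`, so `path = File.join(node['tor']['DataDirectory'], name, 'hostname')` here and `HiddenServiceDir <%= File.join(node['tor']['DataDirectory'], name) %>/` in the template would do it (assuming, as the removed default also implied, that service directories belong under the data directory). The `strip()` on the following context line is unidiomatic Ruby; `.strip` suffices. The enclosing `ruby_block "read-hostnames"` opens on the hunk header and closes past the hunk.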
@@ -96,10 +96,6 @@ template '/etc/tor/torrc' do
   source 'torrc.erb'
   notifies :restart, 'service[tor]', :immediately
   notifies :run, "ruby_block[read-hostnames]"
-  # Set default HiddenServiceDir
-  node['tor']['HiddenServices'].each do |name, service|
-    node.default['tor']['HiddenServices'][name]['HiddenServiceDir'] = File.join("/var/lib/tor/", name, "/")
-  end
 end
 
 # Install exit policy notice
diff --git a/site-cookbooks/tor-full/templates/default/torrc.erb b/site-cookbooks/tor-full/templates/default/torrc.erb
index ca07818..1a7c033 100644
--- a/site-cookbooks/tor-full/templates/default/torrc.erb
+++ b/site-cookbooks/tor-full/templates/default/torrc.erb
@@ -88,7 +88,7 @@ DataDirectory <%= node['tor']['DataDirectory'] %>
 #HiddenServicePort 22 127.0.0.1:22
 
 <% node['tor']['HiddenServices'].each do |name, service| -%>
-HiddenServiceDir <%= service['HiddenServiceDir'] %>
+HiddenServiceDir /var/lib/tor/<%= name %>/
 <% service['HiddenServicePorts'].each do |port| -%>
 HiddenServicePort <%= port %>
 <% end -%>