Refactor tor usage, set up new tor proxy on draco

2023-07-29 16:26:20 +02:00 · 2023-07-29 16:26:20 +02:00 · cb0fc27134
commit cb0fc27134
parent b149264919
9 changed files with 91 additions and 6 deletions
--- a/data_bags/credentials/tor.json
+++ b/data_bags/credentials/tor.json
@ -0,0 +1,10 @@
+{
+  "id": "tor",
+  "services": {
+    "encrypted_data": "GjdhL4Hgm7mrwU47e2GfotqgRSuiN+0Q19X45EWkdwbIojDfeWXwzOYFFJQK\nAWidVWKM0rdjBXkamZwbJJm8wzDi+1YFBSfE/q4NXY3Zg4JnBulMaBr4xrRn\nYbmSiRIPe0XMpwT3WbuBatZTe6EMGJJEZPgkfIcg7WjhjEnFY9xRSjrOSJGp\nBzcL1cKc+y2JyQZlpKtFK947g15EEytHWg3BdwkIvm4H+J8faM2y56lsfX8E\nG1dw9i3CKqjF2hDKe2V9yIOBji1P2Nh0Z7e3kLGhF5Nx4xfEdCHXAOQ/+vyt\nJf3pka0VQ9TsnWlkR+9CwtD9iLTnNOvO9wfHx0GuVRaR6QhMYDF2gd/9G8Zp\nQDlfJSEioETnwLwcPV7eBZ+Vso+N56J+fHHlGK3vEZSxegqNU2siLl26yZe+\nTrhKbiynLoM1290RgTNjsvMSaVLQobB5Fwpn+B01vvbIGGZ9XZWAvuCi8GmR\n",
+    "iv": "rj5lIBWPovDtMtnh\n",
+    "auth_tag": "2K55wQOY6FAWpKgskMx7xw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@ -28,7 +28,8 @@
      "kvm_host",
      "openresty_proxy",
      "openresty",
-      "garage_gateway"
+      "garage_gateway",
+      "tor_proxy"
    ],
    "recipes": [
      "kosmos-base",
@ -58,6 +59,9 @@
      "kosmos-ipfs::nginx_public_gateway",
      "kosmos-mastodon::nginx",
      "remotestorage_discourse::nginx",
+      "kosmos-base::tor_services",
+      "tor-full",
+      "tor-full::default",
      "kosmos_encfs",
      "kosmos_encfs::default",
      "kosmos-ejabberd::firewall",
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
@ -20,7 +20,6 @@ development_run_list = %w(

 default_run_list = %w(
  role[openresty]
-  tor-full
  kosmos-ejabberd::nginx
 )

@ -43,6 +42,7 @@ production_run_list = %w(
  kosmos-ipfs::nginx_public_gateway
  kosmos-mastodon::nginx
  remotestorage_discourse::nginx
+  role[tor_proxy]
 )

 env_run_lists(
--- a/roles/tor_proxy.rb
+++ b/roles/tor_proxy.rb
@ -0,0 +1,6 @@
+name "tor_proxy"
+
+run_list %w(
+  kosmos-base::tor_services
+  tor-full
+)
--- a/site-cookbooks/kosmos-base/recipes/tor_services.rb
+++ b/site-cookbooks/kosmos-base/recipes/tor_services.rb
@ -0,0 +1,13 @@
+#
+# Cookbook Name:: kosmos-base
+# Recipe:: tor_services
+#
+
+tor_services = data_bag_item('credentials', 'tor')['services']
+
+tor_service "web" do
+  hostname   tor_services['web']['hostname']
+  public_key tor_services['web']['public_key']
+  secret_key tor_services['web']['secret_key']
+  ports      ['80 127.0.0.1:80', '443 127.0.0.1:443']
+end
--- a/site-cookbooks/kosmos-base/resources/tor_service.rb
+++ b/site-cookbooks/kosmos-base/resources/tor_service.rb
@ -0,0 +1,52 @@
+require "base64"
+
+resource_name :tor_service
+provides :tor_service
+
+property :name,       [String], name_property: true
+property :hostname,   [String], required: true
+property :public_key, [String], required: true
+property :secret_key, [String], required: true
+property :ports,      [Array],  required: true
+
+default_action :create
+
+action :create do
+  name = new_resource.name
+  ports = Array(new_resource.ports)
+  service_dir = "#{node['tor']['DataDirectory']}/#{name}"
+  user = "debian-tor"
+  group = "debian-tor"
+
+  node.normal['tor']['HiddenServices'][name]['HiddenServicePorts'] = ports
+
+  directory service_dir do
+    recursive true
+    owner user
+    group group
+    mode '4700'
+  end
+
+  file "#{service_dir}/hostname" do
+    content new_resource.hostname
+    owner user
+    group group
+    mode '0600'
+  end
+
+  file "#{service_dir}/hs_ed25519_public_key" do
+    content Base64.decode64(new_resource.public_key)
+    owner user
+    group group
+    mode '0600'
+    sensitive true
+  end
+
+  file "#{service_dir}/hs_ed25519_secret_key" do
+    content Base64.decode64(new_resource.secret_key)
+    owner user
+    group group
+    mode '0600'
+    sensitive true
+  end
+end
--- a/site-cookbooks/kosmos-mastodon/metadata.rb
+++ b/site-cookbooks/kosmos-mastodon/metadata.rb
@ -11,7 +11,6 @@ depends 'elasticsearch'
 depends 'java'
 depends 'firewall'
 depends 'redisio'
-depends 'tor-full'
 depends 'postgresql'
 depends 'kosmos-nodejs'
 depends 'kosmos_openresty'
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
@ -37,7 +37,8 @@ tls_cert_for server_name do
  action :create
 end

-onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil
+tor_services = data_bag_item('credentials', 'tor')['services']
+onion_address = tor_services['web']['hostname']

 openresty_site server_name do
  template 'nginx_conf_mastodon.erb'
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
@ -36,12 +36,12 @@ server {

 <% if @onion_address %>
 server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
+  listen 127.0.0.1:80;
  server_name mastodon.<%= @onion_address %>;
  include <%= @shared_config_path %>;
 }
 server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen 127.0.0.1:443 ssl http2;
  server_name mastodon.<%= @onion_address %>;
  include <%= @shared_config_path %>;