diff --git a/data_bags/credentials/tor.json b/data_bags/credentials/tor.json
new file mode 100644
index 0000000..d9ef877
--- /dev/null
+++ b/data_bags/credentials/tor.json
@@ -0,0 +1,10 @@
+{
+ "id": "tor",
+ "services": {
+ "encrypted_data": "GjdhL4Hgm7mrwU47e2GfotqgRSuiN+0Q19X45EWkdwbIojDfeWXwzOYFFJQK\nAWidVWKM0rdjBXkamZwbJJm8wzDi+1YFBSfE/q4NXY3Zg4JnBulMaBr4xrRn\nYbmSiRIPe0XMpwT3WbuBatZTe6EMGJJEZPgkfIcg7WjhjEnFY9xRSjrOSJGp\nBzcL1cKc+y2JyQZlpKtFK947g15EEytHWg3BdwkIvm4H+J8faM2y56lsfX8E\nG1dw9i3CKqjF2hDKe2V9yIOBji1P2Nh0Z7e3kLGhF5Nx4xfEdCHXAOQ/+vyt\nJf3pka0VQ9TsnWlkR+9CwtD9iLTnNOvO9wfHx0GuVRaR6QhMYDF2gd/9G8Zp\nQDlfJSEioETnwLwcPV7eBZ+Vso+N56J+fHHlGK3vEZSxegqNU2siLl26yZe+\nTrhKbiynLoM1290RgTNjsvMSaVLQobB5Fwpn+B01vvbIGGZ9XZWAvuCi8GmR\n",
+ "iv": "rj5lIBWPovDtMtnh\n",
+ "auth_tag": "2K55wQOY6FAWpKgskMx7xw==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json
index 01dc32d..ac1ee25 100644
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -28,7 +28,8 @@
 "kvm_host",
 "openresty_proxy",
 "openresty",
- "garage_gateway"
+ "garage_gateway",
+ "tor_proxy"
 ],
 "recipes": [
 "kosmos-base",
@@ -58,6 +59,9 @@
 "kosmos-ipfs::nginx_public_gateway",
 "kosmos-mastodon::nginx",
 "remotestorage_discourse::nginx",
+ "kosmos-base::tor_services",
+ "tor-full",
+ "tor-full::default",
 "kosmos_encfs",
 "kosmos_encfs::default",
 "kosmos-ejabberd::firewall",
diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb
index 8195e6e..f9f5a7d 100644
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
@@ -20,7 +20,6 @@ development_run_list = %w(
 default_run_list = %w(
 role[openresty]
- tor-full
 kosmos-ejabberd::nginx
 )
@@ -43,6 +42,7 @@ production_run_list = %w(
 kosmos-ipfs::nginx_public_gateway
 kosmos-mastodon::nginx
 remotestorage_discourse::nginx
+ role[tor_proxy]
 )
 env_run_lists(
diff --git a/roles/tor_proxy.rb b/roles/tor_proxy.rb
new file mode 100644
index 0000000..53acee6
--- /dev/null
+++ b/roles/tor_proxy.rb
@@ -0,0 +1,6 @@
+name "tor_proxy"
+
+run_list %w(
+ kosmos-base::tor_services
+ tor-full
+)
diff --git a/site-cookbooks/kosmos-base/recipes/tor_services.rb b/site-cookbooks/kosmos-base/recipes/tor_services.rb
new file mode 100644
index 0000000..448d4de
--- /dev/null
+++ b/site-cookbooks/kosmos-base/recipes/tor_services.rb
@@ -0,0 +1,13 @@
+#
+# Cookbook Name:: kosmos-base
+# Recipe:: tor_services
+#
+
+tor_services = data_bag_item('credentials', 'tor')['services']
+
+tor_service "web" do
+ hostname tor_services['web']['hostname']
+ public_key tor_services['web']['public_key']
+ secret_key tor_services['web']['secret_key']
+ ports ['80 127.0.0.1:80', '443 127.0.0.1:443']
+end
diff --git a/site-cookbooks/kosmos-base/resources/tor_service.rb b/site-cookbooks/kosmos-base/resources/tor_service.rb
new file mode 100644
index 0000000..83cc032
--- /dev/null
+++ b/site-cookbooks/kosmos-base/resources/tor_service.rb
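Review bot: The run list orders `kosmos-base::tor_services` ahead of `tor-full`, and the resource that recipe drives chowns the service directory and key files to `debian-tor`; on a node where the tor package has not been installed yet that user does not exist and the first run will fail in the `directory` resource. It works on draco presumably because tor-full was already in its run list before this commit. If the order is intentional so the HiddenServices attribute is set before tor-full renders torrc, say so in the role, e.g. `# tor_services must run before tor-full so HiddenServices is set when torrc is rendered; it assumes the tor package (debian-tor user) is already installed`, or have the recipe install the package first.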
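Review bot: `tor_service "web"` receives the onion secret key as a property but is not itself marked sensitive, so if the resource fails Chef's error report prints the compiled resource with its property values, which would put `secret_key` into the client log and run report; the `sensitive true` on the inner `file` resources does not cover the outer custom resource. Add `sensitive true` inside the `tor_service "web" do … end` block. The `hostname` is the only value here that is public, so the whole decrypted `services` hash, secret included, is held in a recipe local for the run; that is acceptable but worth a comment.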
@@ -0,0 +1,52 @@
+require "base64"
+
+resource_name :tor_service
+provides :tor_service
+
+property :name, [String], name_property: true
+property :hostname, [String], required: true
+property :public_key, [String], required: true
+property :secret_key, [String], required: true
+property :ports, [Array], required: true
+
+default_action :create
+
+action :create do
+ name = new_resource.name
+ ports = Array(new_resource.ports)
+ service_dir = "#{node['tor']['DataDirectory']}/#{name}"
+ user = "debian-tor"
+ group = "debian-tor"
+
+ node.normal['tor']['HiddenServices'][name]['HiddenServicePorts'] = ports
+
+ directory service_dir do
+ recursive true
+ owner user
+ group group
+ mode '4700'
+ end
+
+ file "#{service_dir}/hostname" do
+ content new_resource.hostname
+ owner user
+ group group
+ mode '0600'
+ end
+
+ file "#{service_dir}/hs_ed25519_public_key" do
+ content Base64.decode64(new_resource.public_key)
+ owner user
+ group group
+ mode '0600'
+ sensitive true
+ end
+
+ file "#{service_dir}/hs_ed25519_secret_key" do
+ content Base64.decode64(new_resource.secret_key)
+ owner user
+ group group
+ mode '0600'
+ sensitive true
+ end
+end
diff --git a/site-cookbooks/kosmos-mastodon/metadata.rb b/site-cookbooks/kosmos-mastodon/metadata.rb
index c020afc..1f31d47 100644
--- a/site-cookbooks/kosmos-mastodon/metadata.rb
+++ b/site-cookbooks/kosmos-mastodon/metadata.rb
@@ -11,7 +11,6 @@ depends 'elasticsearch'
 depends 'java'
 depends 'firewall'
 depends 'redisio'
-depends 'tor-full'
 depends 'postgresql'
 depends 'kosmos-nodejs'
 depends 'kosmos_openresty'
diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
index f19e052..405be3a 100644
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
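Review bot: `mode '4700'` on the service directory sets the setuid bit instead of the intended owner-only permission; tor requires its HiddenServiceDir to be private and the extra bit serves no purpose on a directory, so this should read `mode '0700'`. `Base64.decode64` also silently drops characters outside the base64 alphabet, so a corrupted or mis-pasted data bag value would be written out as a truncated key file rather than raising; `Base64.strict_decode64` fails loudly and is the safer choice for key material. Note too that `node.normal` persists on the node object, so a HiddenServices entry stays in torrc after the `tor_service` resource is removed from the run list until it is deleted by hand — worth a comment next to that line.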
@@ -37,7 +37,8 @@ tls_cert_for server_name do
 action :create
 end
-onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil
+tor_services = data_bag_item('credentials', 'tor')['services']
+onion_address = tor_services['web']['hostname']
 openresty_site server_name do
 template 'nginx_conf_mastodon.erb'
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
index d3c45d8..11d23a3 100644
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
@@ -36,12 +36,12 @@ server {
 <% if @onion_address %>
 server {
- listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
+ listen 127.0.0.1:80;
 server_name mastodon.<%= @onion_address %>;
 include <%= @shared_config_path %>;
 }
 server {
- listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+ listen 127.0.0.1:443 ssl http2;
 server_name mastodon.<%= @onion_address %>;
 include <%= @shared_config_path %>;
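Review bot: `onion_address` is now truthy on every node that can decrypt the tor data bag, so the `<% if @onion_address %>` guard in the template fires everywhere this recipe runs, including nodes whose run list no longer carries tor-full (this commit drops it from the default run list); the replaced line only rendered the onion vhosts when tor's hostname file existed on the node. Tie it to the role that actually installs the hidden service, e.g. `onion_address = tor_services['web']['hostname'] if node.role?('tor_proxy')`, which reads the node's expanded role list. The recipe also decrypts the whole credentials item, secret key included, just to read a public hostname; if that is deliberate a short comment would help the next reader.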