Refactor tor usage, set up new tor proxy on draco

site-cookbooks/kosmos-base/recipes/tor_services.rb

@@ -0,0 +1,13 @@
+#
+# Cookbook Name:: kosmos-base
+# Recipe:: tor_services
+#
+
+tor_services = data_bag_item('credentials', 'tor')['services']
+
+tor_service "web" do
+  hostname   tor_services['web']['hostname']
+  public_key tor_services['web']['public_key']
+  secret_key tor_services['web']['secret_key']
+  ports      ['80 127.0.0.1:80', '443 127.0.0.1:443']
+end

site-cookbooks/kosmos-base/resources/tor_service.rb

@@ -0,0 +1,52 @@
+require "base64"
+
+resource_name :tor_service
+provides :tor_service
+
+property :name,       [String], name_property: true
+property :hostname,   [String], required: true
+property :public_key, [String], required: true
+property :secret_key, [String], required: true
+property :ports,      [Array],  required: true
+
+default_action :create
+
+action :create do
+  name = new_resource.name
+  ports = Array(new_resource.ports)
+  service_dir = "#{node['tor']['DataDirectory']}/#{name}"
+  user = "debian-tor"
+  group = "debian-tor"
+
+  node.normal['tor']['HiddenServices'][name]['HiddenServicePorts'] = ports
+
+  directory service_dir do
+    recursive true
+    owner user
+    group group
+    mode '4700'
+  end
+
+  file "#{service_dir}/hostname" do
+    content new_resource.hostname
+    owner user
+    group group
+    mode '0600'
+  end
+
+  file "#{service_dir}/hs_ed25519_public_key" do
+    content Base64.decode64(new_resource.public_key)
+    owner user
+    group group
+    mode '0600'
+    sensitive true
+  end
+
+  file "#{service_dir}/hs_ed25519_secret_key" do
+    content Base64.decode64(new_resource.secret_key)
+    owner user
+    group group
+    mode '0600'
+    sensitive true
+  end
+end

site-cookbooks/kosmos-mastodon/metadata.rb

@@ -11,7 +11,6 @@ depends 'elasticsearch'
 depends 'java'
 depends 'firewall'
 depends 'redisio'
-depends 'tor-full'
 depends 'postgresql'
 depends 'kosmos-nodejs'
 depends 'kosmos_openresty'

site-cookbooks/kosmos-mastodon/recipes/nginx.rb

@@ -37,7 +37,8 @@ tls_cert_for server_name do
   action :create
 end
 
-onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil
+tor_services = data_bag_item('credentials', 'tor')['services']
+onion_address = tor_services['web']['hostname']
 
 openresty_site server_name do
   template 'nginx_conf_mastodon.erb'

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb

@@ -36,12 +36,12 @@ server {
 
 <% if @onion_address %>
 server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
+  listen 127.0.0.1:80;
   server_name mastodon.<%= @onion_address %>;
   include <%= @shared_config_path %>;
 }
 server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen 127.0.0.1:443 ssl http2;
   server_name mastodon.<%= @onion_address %>;
   include <%= @shared_config_path %>;