Refactor tor usage, set up new tor proxy on draco

data_bags/credentials/tor.json

@@ -0,0 +1,10 @@
+{
+  "id": "tor",
+  "services": {
+    "encrypted_data": "GjdhL4Hgm7mrwU47e2GfotqgRSuiN+0Q19X45EWkdwbIojDfeWXwzOYFFJQK\nAWidVWKM0rdjBXkamZwbJJm8wzDi+1YFBSfE/q4NXY3Zg4JnBulMaBr4xrRn\nYbmSiRIPe0XMpwT3WbuBatZTe6EMGJJEZPgkfIcg7WjhjEnFY9xRSjrOSJGp\nBzcL1cKc+y2JyQZlpKtFK947g15EEytHWg3BdwkIvm4H+J8faM2y56lsfX8E\nG1dw9i3CKqjF2hDKe2V9yIOBji1P2Nh0Z7e3kLGhF5Nx4xfEdCHXAOQ/+vyt\nJf3pka0VQ9TsnWlkR+9CwtD9iLTnNOvO9wfHx0GuVRaR6QhMYDF2gd/9G8Zp\nQDlfJSEioETnwLwcPV7eBZ+Vso+N56J+fHHlGK3vEZSxegqNU2siLl26yZe+\nTrhKbiynLoM1290RgTNjsvMSaVLQobB5Fwpn+B01vvbIGGZ9XZWAvuCi8GmR\n",
+    "iv": "rj5lIBWPovDtMtnh\n",
+    "auth_tag": "2K55wQOY6FAWpKgskMx7xw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

nodes/draco.kosmos.org.json

@@ -28,7 +28,8 @@
       "kvm_host",
       "openresty_proxy",
       "openresty",
-      "garage_gateway"
+      "garage_gateway",
+      "tor_proxy"
     ],
     "recipes": [
       "kosmos-base",
@@ -58,6 +59,9 @@
       "kosmos-ipfs::nginx_public_gateway",
       "kosmos-mastodon::nginx",
       "remotestorage_discourse::nginx",
+      "kosmos-base::tor_services",
+      "tor-full",
+      "tor-full::default",
       "kosmos_encfs",
       "kosmos_encfs::default",
       "kosmos-ejabberd::firewall",

roles/openresty_proxy.rb

@@ -20,7 +20,6 @@ development_run_list = %w(
 
 default_run_list = %w(
   role[openresty]
-  tor-full
   kosmos-ejabberd::nginx
 )
 
@@ -43,6 +42,7 @@ production_run_list = %w(
   kosmos-ipfs::nginx_public_gateway
   kosmos-mastodon::nginx
   remotestorage_discourse::nginx
+  role[tor_proxy]
 )
 
 env_run_lists(

roles/tor_proxy.rb

@@ -0,0 +1,6 @@
+name "tor_proxy"
+
+run_list %w(
+  kosmos-base::tor_services
+  tor-full
+)

site-cookbooks/kosmos-base/recipes/tor_services.rb

@@ -0,0 +1,13 @@
+#
+# Cookbook Name:: kosmos-base
+# Recipe:: tor_services
+#
+
+tor_services = data_bag_item('credentials', 'tor')['services']
+
+tor_service "web" do
+  hostname   tor_services['web']['hostname']
+  public_key tor_services['web']['public_key']
+  secret_key tor_services['web']['secret_key']
+  ports      ['80 127.0.0.1:80', '443 127.0.0.1:443']
+end

site-cookbooks/kosmos-base/resources/tor_service.rb

@@ -0,0 +1,52 @@
+require "base64"
+
+resource_name :tor_service
+provides :tor_service
+
+property :name,       [String], name_property: true
+property :hostname,   [String], required: true
+property :public_key, [String], required: true
+property :secret_key, [String], required: true
+property :ports,      [Array],  required: true
+
+default_action :create
+
+action :create do
+  name = new_resource.name
+  ports = Array(new_resource.ports)
+  service_dir = "#{node['tor']['DataDirectory']}/#{name}"
+  user = "debian-tor"
+  group = "debian-tor"
+
+  node.normal['tor']['HiddenServices'][name]['HiddenServicePorts'] = ports
+
+  directory service_dir do
+    recursive true
+    owner user
+    group group
+    mode '4700'
+  end
+
+  file "#{service_dir}/hostname" do
+    content new_resource.hostname
+    owner user
+    group group
+    mode '0600'
+  end
+
+  file "#{service_dir}/hs_ed25519_public_key" do
+    content Base64.decode64(new_resource.public_key)
+    owner user
+    group group
+    mode '0600'
+    sensitive true
+  end
+
+  file "#{service_dir}/hs_ed25519_secret_key" do
+    content Base64.decode64(new_resource.secret_key)
+    owner user
+    group group
+    mode '0600'
+    sensitive true
+  end
+end

site-cookbooks/kosmos-mastodon/metadata.rb

@@ -11,7 +11,6 @@ depends 'elasticsearch'
 depends 'java'
 depends 'firewall'
 depends 'redisio'
-depends 'tor-full'
 depends 'postgresql'
 depends 'kosmos-nodejs'
 depends 'kosmos_openresty'

site-cookbooks/kosmos-mastodon/recipes/nginx.rb

@@ -37,7 +37,8 @@ tls_cert_for server_name do
   action :create
 end
 
-onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil
+tor_services = data_bag_item('credentials', 'tor')['services']
+onion_address = tor_services['web']['hostname']
 
 openresty_site server_name do
   template 'nginx_conf_mastodon.erb'

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb

@@ -36,12 +36,12 @@ server {
 
 <% if @onion_address %>
 server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
+  listen 127.0.0.1:80;
   server_name mastodon.<%= @onion_address %>;
   include <%= @shared_config_path %>;
 }
 server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen 127.0.0.1:443 ssl http2;
   server_name mastodon.<%= @onion_address %>;
   include <%= @shared_config_path %>;