From 8816208357fdeb4a055b801f14179a1e6dc34e0e Mon Sep 17 00:00:00 2001 From: Blallo Date: Sun, 21 Feb 2021 00:48:08 +0100 Subject: [PATCH] Init --- files/local_system_tor_apparmor | 2 + files/tor_unit_override.conf | 3 ++ tasks/main.yml | 87 +++++++++++++++++++++++++++++++ templates/hidden_services.conf.j2 | 8 +++ 4 files changed, 100 insertions(+) create mode 100644 files/local_system_tor_apparmor create mode 100644 files/tor_unit_override.conf create mode 100644 tasks/main.yml create mode 100644 templates/hidden_services.conf.j2
diff --git a/files/local_system_tor_apparmor b/files/local_system_tor_apparmor
new file mode 100644
index 0000000..7cec38d
--- /dev/null
+++ b/files/local_system_tor_apparmor
@@ -0,0 +1,2 @@
+# vim:syntax=apparmor
+ /etc/tor/** r,
diff --git a/files/tor_unit_override.conf b/files/tor_unit_override.conf
new file mode 100644
index 0000000..8a9dc20
--- /dev/null
+++ b/files/tor_unit_override.conf
@@ -0,0 +1,3 @@
+[Service]
+Restart=always
+RestartSec=60
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..b7ccdf6
--- /dev/null
+++ b/tasks/main.yml
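Review bot: The `/etc/tor/** r,` rule lets the confined tor process read everything under /etc/tor recursively, while the only thing this role puts there beyond torrc is `/etc/tor/torrc.d/*.conf` for the `%include`; the narrower pair `/etc/tor/torrc.d/ r,` and `/etc/tor/torrc.d/*.conf r,` covers the directory listing the glob needs plus the files themselves, without extending read access to anything dropped under /etc/tor later. The rule also carries no explanation of why the stock profile (which presumably already covers /etc/tor/torrc) had to be widened, so a line such as `# torrc.d/*.conf is pulled in via %include in torrc, see tasks/main.yml` above it would save the next reader a search. The single-space indent shown may just be an artefact of the collapsed patch; apparmor_parser does not care either way.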
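Review bot: The drop-in is installed under `/etc/systemd/system/tor@.service.d/`, so `Restart=always` applies to every instance of the `tor@` template, not only `tor@default` as the installing task's name in tasks/main.yml suggests; if only the default instance is meant, the instance directory `tor@default.service.d/` scopes it. `Restart=always` also brings tor back after a clean, deliberate exit (anything short of `systemctl stop`), which is rarely wanted for a daemon that can be told to shut down over its control port; `Restart=on-failure` covers the crash case this override appears to target. A one-line comment, `# restart a crashed instance after 60s rather than leaving the onion service down`, would document the 60-second choice, which is long next to systemd's 100 ms default and leaves the service unreachable for that window.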
@@ -0,0 +1,87 @@
+---
+- name: Ensure tor is installed
+ apt:
+ name: tor
+ state: present
+ default_release: "{{ ansible_distribution_release }}-backports"
+
+- name: Ensure torrc.d directory is present
+ file:
+ path: /etc/tor/torrc.d/
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Include custom apparmor profile
+ copy:
+ src: local_system_tor_apparmor
+ dest: /etc/apparmor.d/local/system_tor
+ owner: root
+ group: root
+ mode: 0644
+ force: yes
+ register: apparmor_profile
+
+- name: Ensure apparmor reads the latest config
+ systemd:
+ name: apparmor.service
+ state: reloaded
+ when: apparmor_profile is defined and apparmor_profile.changed
+
+- name: Ensure include directive is present in torrc
+ lineinfile:
+ path: /etc/tor/torrc
+ insertafter: EOF
+ line: "%include /etc/tor/torrc.d/*.conf"
+
+- name: Add hidden services to torrc
+ template:
+ src: hidden_services.conf.j2
+ dest: /etc/tor/torrc.d/hidden_services.conf
+ owner: root
+ group: root
+ mode: 0644
+ register: config
+
+- name: Ensure tor service is enabled and restarted
+ systemd:
+ name: tor.service
+ state: restarted
+ enabled: yes
+ when: config is defined and config.changed
+
+- name: Ensure tor@.service override directory is present
+ file:
+ state: directory
+ path: /etc/systemd/system/tor@.service.d/
+ mode: 0700
+ owner: root
+ group: root
+
+- name: Ensure tor@default unit is properly overloaded
+ copy:
+ src: tor_unit_override.conf
+ dest: /etc/systemd/system/tor@.service.d/override.conf
+ mode: 0600
+ owner: root
+ group: root
+ register: override
+
+- name: Ensure tor@default.service is enabled and restarted
+ systemd:
+ name: tor@default.service
+ state: restarted
+ daemon_reload: yes
+ enabled: yes
+ when: override is defined and override.changed
+
+- name: Register each hidden service onion address
+ shell: "cat /var/lib/tor/{{ item.name }}/hostname"
+ loop: "{{ tor_node_services }}"
+ register: hostnames
+
+- name: Display hostnames
+ debug:
+ msg: "{{ 
dict(hostnames.results | map(attribute='item') | map(attribute='name') | zip(hostnames.results | map(attribute='stdout'))) }}"
+
diff --git a/templates/hidden_services.conf.j2 b/templates/hidden_services.conf.j2
new file mode 100644
index 0000000..b96a7c8
--- /dev/null
+++ b/templates/hidden_services.conf.j2
@@ -0,0 +1,8 @@
+{% for srv in tor_node_services %}
+HiddenServiceDir /var/lib/tor/{{ srv.name }}/
+{% if srv.full_service_port_line is defined %}
+HiddenServicePort {{ srv.full_service_port_line }}
+{% else %}
+HiddenServicePort {{ srv.public_port }} 127.0.0.1:{{ srv.local_port }}
+{% endif %}
+{% endfor %}
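Review bot: The `shell: "cat /var/lib/tor/{{ item.name }}/hostname"` task near the end of the hunk reports `changed` on every run and hands `item.name` to a shell, so the role is never idempotent and a name containing spaces or shell metacharacters is executed rather than read; `slurp` reads the file with no shell and no change report, at the cost of base64-decoding in the `debug` message. The same `name` is spliced into `HiddenServiceDir /var/lib/tor/{{ srv.name }}/` by the template and nothing checks it, so a value such as `../something` points tor's service directory (and this hostname read) outside /var/lib/tor; an `assert` on the name before the template task closes that. Separately, `tor.service` is restarted only when `config` changed, but the `lineinfile` adding the `%include` is not registered, so a run where only the include line changes triggers no restart — harmless on a fresh host where both change together, but worth a handler later. The hostname file is written by tor some time after it starts, so the read may race the restart on a first run; I have not verified the timing.
```yaml
# … unchanged: apt, torrc.d directory, apparmor profile and %include tasks …

- name: Refuse hidden service names that could escape /var/lib/tor
  assert:
    that: item.name is match('^[A-Za-z0-9][A-Za-z0-9_-]*$')
    fail_msg: "tor_node_services entry has an unsafe name: {{ item.name }}"
  loop: "{{ tor_node_services }}"

# … unchanged: hidden_services.conf template, tor restarts, tor@ override …

- name: Register each hidden service onion address
  slurp:
    src: "/var/lib/tor/{{ item.name }}/hostname"
  loop: "{{ tor_node_services }}"
  register: hostnames

- name: Display hostnames
  debug:
    msg: "{{ dict(hostnames.results | map(attribute='item') | map(attribute='name') | zip(hostnames.results | map(attribute='content') | map('b64decode') | map('trim'))) }}"
```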
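Review bot: The template pastes `srv.full_service_port_line` verbatim after `HiddenServicePort` and `srv.name` straight into the `HiddenServiceDir` path, with no comment saying which keys a `tor_node_services` entry must carry or that neither value is sanitised here, so the contract is only discoverable by reading tasks/main.yml. A header comment such as `{# each entry: name (directory under /var/lib/tor, also used to read the hostname) and either full_service_port_line (rest of a HiddenServicePort directive, copied verbatim) or public_port + local_port (forwarded to 127.0.0.1) #}` states it where it is used. Validation of `name` belongs in the play that supplies the variable rather than in the template, where a bad value only surfaces as a rendering error or a misplaced directory.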