Init

files/local_system_tor_apparmor

@@ -0,0 +1,2 @@
+# vim:syntax=apparmor
+  /etc/tor/** r,

files/tor_unit_override.conf

@@ -0,0 +1,3 @@
+[Service]
+Restart=always
+RestartSec=60

tasks/main.yml

@@ -0,0 +1,87 @@
+---
+- name: Ensure tor is installed
+  apt:
+    name: tor
+    state: present
+    default_release: "{{ ansible_distribution_release }}-backports"
+
+- name: Ensure torrc.d directory is present
+  file:
+    path: /etc/tor/torrc.d/
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Include custom apparmor profile
+  copy:
+    src: local_system_tor_apparmor
+    dest: /etc/apparmor.d/local/system_tor
+    owner: root
+    group: root
+    mode: 0644
+    force: yes
+  register: apparmor_profile
+
+- name: Ensure apparmor reads the latest config
+  systemd:
+    name: apparmor.service
+    state: reloaded
+  when: apparmor_profile is defined and apparmor_profile.changed
+
+- name: Ensure include directive is present in torrc
+  lineinfile:
+    path: /etc/tor/torrc
+    insertafter: EOF
+    line: "%include /etc/tor/torrc.d/*.conf"
+
+- name: Add hidden services to torrc
+  template:
+    src: hidden_services.conf.j2
+    dest: /etc/tor/torrc.d/hidden_services.conf
+    owner: root
+    group: root
+    mode: 0644
+  register: config
+
+- name: Ensure tor service is enabled and restarted
+  systemd:
+    name: tor.service
+    state: restarted
+    enabled: yes
+  when: config is defined and config.changed
+
+- name: Ensure tor@.service override directory is present
+  file:
+    state: directory
+    path: /etc/systemd/system/tor@.service.d/
+    mode: 0700
+    owner: root
+    group: root
+
+- name: Ensure tor@default unit is properly overloaded
+  copy:
+    src: tor_unit_override.conf
+    dest: /etc/systemd/system/tor@.service.d/override.conf
+    mode: 0600
+    owner: root
+    group: root
+  register: override
+
+- name: Ensure tor@default.service is enabled and restarted
+  systemd:
+    name: tor@default.service
+    state: restarted
+    daemon_reload: yes
+    enabled: yes
+  when: override is defined and override.changed
+
+- name: Register each hidden service onion address
+  shell: "cat /var/lib/tor/{{ item.name }}/hostname"
+  loop: "{{ tor_node_services }}"
+  register: hostnames
+
+- name: Display hostnames
+  debug:
+    msg: "{{ dict(hostnames.results | map(attribute='item') | map(attribute='name') | zip(hostnames.results | map(attribute='stdout')))  }}"
+

templates/hidden_services.conf.j2

@@ -0,0 +1,8 @@
+{% for srv in tor_node_services %}
+HiddenServiceDir /var/lib/tor/{{ srv.name }}/
+{% if srv.full_service_port_line is defined %}
+HiddenServicePort {{ srv.full_service_port_line }}
+{% else %}
+HiddenServicePort {{ srv.public_port }} 127.0.0.1:{{ srv.local_port }}
+{% endif %}
+{% endfor %}