Manage hidden services

Add support for managing hidden services using pillar data. Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-02-06 22:34:49 +01:00 · 2023-02-06 22:34:49 +01:00 · bffaf777b5
parent fc2ca10200
commit bffaf777b5
6 changed files with 86 additions and 1 deletions
--- a/pillar-example.sls
+++ b/pillar-example.sls
@ -42,4 +42,14 @@ tor:
    szdklfjskldjfl;kasjdfl;jasdl;fajdfkjdkfjsdkjfkjdfadfjsdkfjlakdjf
    -----END RSA PRIVATE KEY-----

-  
+  hidden_services:
+    mywebsite:
+      virtport: 80
+      target: '[::1]:8080'
+      # this cannot "create" a new service - it is intended to install a service with an existing hostname and keypair
+      hostname: baz.onion
+      hs_ed25519_public_key: |
+        Zm9vCg==
+      hs_ed25519_secret_key: |
+        YmFyCg==
+
--- a/tor/config.sls
+++ b/tor/config.sls
@ -13,6 +13,9 @@ deploy_tor_torrc:
    - template: jinja
    - defaults:
      config: {{ map.torrc }}
+    - context:
+      hsmap: {{ map.hidden_services }}
+      hsdir: {{ map.hs_directory }}
    - require:
      - pkg: install_tor
    - watch_in:
--- a/tor/defaults.yaml
+++ b/tor/defaults.yaml
@ -4,6 +4,9 @@ tor:
  service: tor
  config_torrc: '/etc/tor/torrc'
  config_torsocks: '/etc/tor/torsocks.conf'
+  hs_directory: '/var/lib/tor/services'

  torrc:
    DataDirectory: '/var/lib/tor'
+
+  hidden_services: {}
--- a/tor/files/ini.jinja
+++ b/tor/files/ini.jinja
@ -27,3 +27,9 @@
 {{ set_config(config) }}
 {% endif -%}

+{%- if hsmap | length %}
+{%- for hs, config in hsmap.items() %}
+HiddenServiceDir {{ hsdir }}/{{ hs }}
+HiddenServicePort {{ config['virtport'] }} {{ config['target'] }}
+{%- endfor %}
+{%- endif %}
--- a/tor/init.sls
+++ b/tor/init.sls
@ -1,3 +1,4 @@
 include:
  - tor.install
  - tor.config
+  - tor.services
--- a/tor/services.sls
+++ b/tor/services.sls
@ -0,0 +1,62 @@
+{%- from "tor/map.jinja" import map with context -%}
+{%- set services = map.hidden_services -%}
+{%- set servicedir = map.hs_directory ~ '/' -%}
+
+{%- macro permissions(type='f') -%}
+    - user: tor
+    - group: tor
+    {%- if type == 'f' %}
+    - mode: 600
+    {%- elif type == 'd' %}
+    - mode: 700
+    {%- endif %}
+{%- endmacro -%}
+
+tor_hs_directory:
+  file.directory:
+    - name: {{ servicedir }}
+    {{ permissions('d') }}
+    - require:
+      - pkg: install_tor
+
+{%- for service, config in services.items() %}
+{%- set myservicedir = servicedir ~ service ~ '/' %}
+
+tor_hs_{{ service }}_directory:
+  file.directory:
+    - name: {{ myservicedir }}
+    {{ permissions('d') }}
+    - require:
+      - file: tor_hs_directory
+
+{%- for binfile in ['hs_ed25519_public_key', 'hs_ed25519_secret_key'] %}
+tor_hs_{{ service }}_{{ binfile }}:
+  file.decode:
+    - name: {{ myservicedir }}{{ binfile }}
+    - contents_pillar: tor:hidden_services:{{ service }}:{{ binfile }}
+    - encoding_type: base64
+    - require:
+      - file: tor_hs_{{ service }}_directory
+    - watch_in:
+      - service: install_tor
+
+tor_hs_{{ service }}_{{ binfile }}_permissions:
+  file.managed:
+    - name: {{ myservicedir }}{{ binfile }}
+    {{ permissions() }}
+    - require:
+      - file: tor_hs_{{ service }}_{{ binfile }}
+    - watch_in:
+      - service: install_tor
+{%- endfor %}
+
+tor_hs_{{ service }}_hostname:
+  file.managed:
+    - name: {{ myservicedir }}hostname
+    {{ permissions() }}
+    - contents: {{ config['hostname'] }}
+    - require:
+      - file: tor_hs_{{ service }}_directory
+    - watch_in:
+      - service: install_tor
+{%- endfor %}