From bffaf777b501377e79e1edc39b73e1be9f1a2f2e Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Mon, 6 Feb 2023 22:34:49 +0100 Subject: [PATCH] Manage hidden services Add support for managing hidden services using pillar data. Signed-off-by: Georg Pfuetzenreuter --- pillar-example.sls | 12 ++++++++- tor/config.sls | 3 +++ tor/defaults.yaml | 3 +++ tor/files/ini.jinja | 6 +++++ tor/init.sls | 1 + tor/services.sls | 62 +++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 tor/services.sls diff --git a/pillar-example.sls b/pillar-example.sls index ed87bbe..7021679 100644 --- a/pillar-example.sls +++ b/pillar-example.sls @@ -42,4 +42,14 @@ tor: szdklfjskldjfl;kasjdfl;jasdl;fajdfkjdkfjsdkjfkjdfadfjsdkfjlakdjf -----END RSA PRIVATE KEY----- - + hidden_services: + mywebsite: + virtport: 80 + target: '[::1]:8080' + # this cannot "create" a new service - it is intended to install a service with an existing hostname and keypair + hostname: baz.onion + hs_ed25519_public_key: | + Zm9vCg== + hs_ed25519_secret_key: | + YmFyCg== + diff --git a/tor/config.sls b/tor/config.sls index 133e901..4f9a295 100644 --- a/tor/config.sls +++ b/tor/config.sls @@ -13,6 +13,9 @@ deploy_tor_torrc: - template: jinja - defaults: config: {{ map.torrc }} + - context: + hsmap: {{ map.hidden_services }} + hsdir: {{ map.hs_directory }} - require: - pkg: install_tor - watch_in: diff --git a/tor/defaults.yaml b/tor/defaults.yaml index 6e4cb11..4513bba 100644 --- a/tor/defaults.yaml +++ b/tor/defaults.yaml @@ -4,6 +4,9 @@ tor: service: tor config_torrc: '/etc/tor/torrc' config_torsocks: '/etc/tor/torsocks.conf' + hs_directory: '/var/lib/tor/services' torrc: DataDirectory: '/var/lib/tor' + + hidden_services: {} diff --git a/tor/files/ini.jinja b/tor/files/ini.jinja index 07a4cce..2072ea1 100644 --- a/tor/files/ini.jinja +++ b/tor/files/ini.jinja 
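Review bot: The torrc template only reads `virtport` and `target` per service, yet `hsmap: {{ map.hidden_services }}` in the new `context` of `deploy_tor_torrc` passes the complete mapping — and if `map.hidden_services` is the pillar data as laid out in pillar-example.sls, that includes `hs_ed25519_secret_key`, which then travels as part of the rendered file state (where `state.show_sls` output and debug-level renderer logging can surface it, if I read Salt's behaviour right). Building a reduced map before the state and passing that instead keeps the key material out of the torrc rendering path; Salt's Jinja renderer provides the `do` extension needed for the update below. The `deploy_tor_torrc` state begins above this hunk, so the `set` block has to go before its ID line, not inside the hunk.
```jinja
{%- set hs_ports = {} %}
{%- for hs, cfg in map.hidden_services.items() %}
{%- do hs_ports.update({hs: {'virtport': cfg['virtport'], 'target': cfg['target']}}) %}
{%- endfor %}
{# … unchanged: deploy_tor_torrc state up to the context key … #}
    - context:
        hsmap: {{ hs_ports }}
        hsdir: {{ map.hs_directory }}
```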
@@ -27,3 +27,9 @@ {{ set_config(config) }} {% endif -%} +{%- if hsmap | length %} +{%- for hs, config in hsmap.items() %} +HiddenServiceDir {{ hsdir }}/{{ hs }} +HiddenServicePort {{ config['virtport'] }} {{ config['target'] }} +{%- endfor %} +{%- endif %} diff --git a/tor/init.sls b/tor/init.sls index 02b3c5e..013e13d 100644 --- a/tor/init.sls +++ b/tor/init.sls @@ -1,3 +1,4 @@ include: - tor.install - tor.config + - tor.services diff --git a/tor/services.sls b/tor/services.sls new file mode 100644 index 0000000..560fa84 --- /dev/null +++ b/tor/services.sls 
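Review bot: Each entry in `hsmap` yields exactly one `HiddenServicePort` line, whereas Tor accepts several per `HiddenServiceDir`; the one-port-per-service limit is a pillar-schema decision that deserves a comment at the top of the loop, e.g. `{# one virtport/target pair per service; extend the pillar schema to a list before emitting more HiddenServicePort lines #}`. `{%- if hsmap | length %}` looks redundant with the `for` over the same mapping — an empty map produces no output either way — unless it is meant to absorb an `hsmap` missing from the render context, in which case a comment saying so would stop someone from removing it. The template also relies on `hsdir` and `hsmap` being injected by the caller's `context` in `tor/config.sls`; a one-line `{# hsdir and hsmap are supplied via context by tor/config.sls #}` would make that dependency visible from within the template.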
@@ -0,0 +1,62 @@
+{%- from "tor/map.jinja" import map with context -%}
+{%- set services = map.hidden_services -%}
+{%- set servicedir = map.hs_directory ~ '/' -%}
+
+{%- macro permissions(type='f') -%}
+ - user: tor
+ - group: tor
+ {%- if type == 'f' %}
+ - mode: 600
+ {%- elif type == 'd' %}
+ - mode: 700
+ {%- endif %}
+{%- endmacro -%}
+
+tor_hs_directory:
+ file.directory:
+ - name: {{ servicedir }}
+ {{ permissions('d') }}
+ - require:
+ - pkg: install_tor
+
+{%- for service, config in services.items() %}
+{%- set myservicedir = servicedir ~ service ~ '/' %}
+
+tor_hs_{{ service }}_directory:
+ file.directory:
+ - name: {{ myservicedir }}
+ {{ permissions('d') }}
+ - require:
+ - file: tor_hs_directory
+
+{%- for binfile in ['hs_ed25519_public_key', 'hs_ed25519_secret_key'] %}
+tor_hs_{{ service }}_{{ binfile }}:
+ file.decode:
+ - name: {{ myservicedir }}{{ binfile }}
+ - contents_pillar: tor:hidden_services:{{ service }}:{{ binfile }}
+ - encoding_type: base64
+ - require:
+ - file: tor_hs_{{ service }}_directory
+ - watch_in:
+ - service: install_tor
+
+tor_hs_{{ service }}_{{ binfile }}_permissions:
+ file.managed:
+ - name: {{ myservicedir }}{{ binfile }}
+ {{ permissions() }}
+ - require:
+ - file: tor_hs_{{ service }}_{{ binfile }}
+ - watch_in:
+ - service: install_tor
+{%- endfor %}
+
+tor_hs_{{ service }}_hostname:
+ file.managed:
+ - name: {{ myservicedir }}hostname
+ {{ permissions() }}
+ - contents: {{ config['hostname'] }}
+ - require:
+ - file: tor_hs_{{ service }}_directory
+ - watch_in:
+ - service: install_tor
+{%- endfor %}
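Review bot: The `permissions` macro emits YAML list items with their indentation fixed inside the macro, while only the first emitted line inherits the indent of the `{{ permissions('d') }}` / `{{ permissions() }}` call sites, so the rendered states are valid YAML only as long as the macro body is indented exactly like every call site — the collapsed hunk does not let me confirm that it is, and it is the kind of coupling a later edit breaks silently. Writing `- user: tor`, `- group: tor`, `- mode: '0700'` directly in each state (or piping the macro output through `indent(4)`) removes that dependency. Independently, `- mode: 600` and `- mode: 700` should be quoted strings with a leading zero (`'0600'`, `'0700'`): the bare number happens to work, but the first person to "fix" it to `0600` gets an octal integer that Salt no longer reads as the intended mode. The secret key is written by `file.decode` first and only afterwards chown/chmod'd by the `_permissions` state; that ordering is acceptable here because the parent directory is already 0700 tor:tor, but a comment on the decode state should say so, e.g. `# file.decode takes no user/group/mode; the _permissions state below enforces tor:tor 0600, and the 0700 service directory covers the interval`.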