Manage hidden services

Add support for managing hidden services using pillar data.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

pillar-example.sls

@@ -42,4 +42,14 @@ tor:
     szdklfjskldjfl;kasjdfl;jasdl;fajdfkjdkfjsdkjfkjdfadfjsdkfjlakdjf
     -----END RSA PRIVATE KEY-----
 
-  
+  hidden_services:
+    mywebsite:
+      virtport: 80
+      target: '[::1]:8080'
+      # this cannot "create" a new service - it is intended to install a service with an existing hostname and keypair
+      hostname: baz.onion
+      hs_ed25519_public_key: |
+        Zm9vCg==
+      hs_ed25519_secret_key: |
+        YmFyCg==
+

tor/config.sls

@@ -13,6 +13,9 @@ deploy_tor_torrc:
     - template: jinja
     - defaults:
       config: {{ map.torrc }}
+    - context:
+      hsmap: {{ map.hidden_services }}
+      hsdir: {{ map.hs_directory }}
     - require:
       - pkg: install_tor
     - watch_in:

tor/defaults.yaml

@@ -4,6 +4,9 @@ tor:
   service: tor
   config_torrc: '/etc/tor/torrc'
   config_torsocks: '/etc/tor/torsocks.conf'
+  hs_directory: '/var/lib/tor/services'
 
   torrc:
     DataDirectory: '/var/lib/tor'
+
+  hidden_services: {}

tor/files/ini.jinja

@@ -27,3 +27,9 @@
 {{ set_config(config) }}
 {% endif -%}
 
+{%- if hsmap | length %}
+{%- for hs, config in hsmap.items() %}
+HiddenServiceDir {{ hsdir }}/{{ hs }}
+HiddenServicePort {{ config['virtport'] }} {{ config['target'] }}
+{%- endfor %}
+{%- endif %}

tor/init.sls

@@ -1,3 +1,4 @@
 include:
   - tor.install
   - tor.config
+  - tor.services

tor/services.sls

@@ -0,0 +1,62 @@
+{%- from "tor/map.jinja" import map with context -%}
+{%- set services = map.hidden_services -%}
+{%- set servicedir = map.hs_directory ~ '/' -%}
+
+{%- macro permissions(type='f') -%}
+    - user: tor
+    - group: tor
+    {%- if type == 'f' %}
+    - mode: 600
+    {%- elif type == 'd' %}
+    - mode: 700
+    {%- endif %}
+{%- endmacro -%}
+
+tor_hs_directory:
+  file.directory:
+    - name: {{ servicedir }}
+    {{ permissions('d') }}
+    - require:
+      - pkg: install_tor
+
+{%- for service, config in services.items() %}
+{%- set myservicedir = servicedir ~ service ~ '/' %}
+
+tor_hs_{{ service }}_directory:
+  file.directory:
+    - name: {{ myservicedir }}
+    {{ permissions('d') }}
+    - require:
+      - file: tor_hs_directory
+
+{%- for binfile in ['hs_ed25519_public_key', 'hs_ed25519_secret_key'] %}
+tor_hs_{{ service }}_{{ binfile }}:
+  file.decode:
+    - name: {{ myservicedir }}{{ binfile }}
+    - contents_pillar: tor:hidden_services:{{ service }}:{{ binfile }}
+    - encoding_type: base64
+    - require:
+      - file: tor_hs_{{ service }}_directory
+    - watch_in:
+      - service: install_tor
+
+tor_hs_{{ service }}_{{ binfile }}_permissions:
+  file.managed:
+    - name: {{ myservicedir }}{{ binfile }}
+    {{ permissions() }}
+    - require:
+      - file: tor_hs_{{ service }}_{{ binfile }}
+    - watch_in:
+      - service: install_tor
+{%- endfor %}
+
+tor_hs_{{ service }}_hostname:
+  file.managed:
+    - name: {{ myservicedir }}hostname
+    {{ permissions() }}
+    - contents: {{ config['hostname'] }}
+    - require:
+      - file: tor_hs_{{ service }}_directory
+    - watch_in:
+      - service: install_tor
+{%- endfor %}