Add onion services for a bunch of static things

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 443e4e0..bfa8a9c 100644 (file)
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -134,6 +134,11 @@ roles:
     - mirror-isc.debian.org
     - senfter.debian.org
     - santoro.debian.org
+  static_mirror_onion:
+    - klecker.debian.org
+    - mirror-anu.debian.org
+    - mirror-isc.debian.org
+    - senfter.debian.org
   # when adding a new static mirror, allow it to sync etc, but do not push to it and wait for it.  For this, also add it to static_mirror_nopush.
   static_mirror_nopush:
     - dummy
@@ -206,3 +211,5 @@ roles:
     - petrova.debian.org
   ports-master:
     - porta.debian.org
+  onionbalance:
+    - olin.debian.org

diff --git a/modules/onion/manifests/service.pp b/modules/onion/manifests/service.pp
index 71e8b66..c8ea548 100644 (file)
--- a/modules/onion/manifests/service.pp
+++ b/modules/onion/manifests/service.pp
@@ -1,24 +1,36 @@
 define onion::service (
        $port,
        $target_address,
-       $target_port
+       $target_port,
+       $ensure = present
 ) {
-       include onion
-
-       concat::fragment { "onion::torrc_onionservice::${name}":
-               target  => "/etc/tor/torrc",
-               order   => 50,
-               content => "HiddenServiceDir /var/lib/tor/onion/${name}\nHiddenServicePort ${port} ${target_address}:${target_port}\n\n",
+       if ($ensure == "ifstatic") {
+               $my_ensure = has_static_component($name) ? {
+                       true => "present",
+                       false => "absent"
+               }
+       } else {
+               $my_ensure = $ensure
        }
 
-       $onion_hn = onion_tor_service_hostname($name)
-       if $onion_hn {
-               $hostname_without_onion = regsubst($onion_hn, '\.onion$', '')
-               @@concat::fragment { "onion::balance::instance::$name::$fqdn":
-                       target  => "/etc/onionbalance/config.yaml",
-                       content => "      - address: ${hostname_without_onion}\n        name: ${hostname}-${name}\n",
-                       order   => "50-${name}-20",
-                       tag     => "onion::balance::$name",
+       if ($my_ensure == "present") {
+               include onion
+
+               concat::fragment { "onion::torrc_onionservice::${name}":
+                       target  => "/etc/tor/torrc",
+                       order   => 50,
+                       content => "HiddenServiceDir /var/lib/tor/onion/${name}\nHiddenServicePort ${port} ${target_address}:${target_port}\n\n",
+               }
+
+               $onion_hn = onion_tor_service_hostname($name)
+               if $onion_hn {
+                       $hostname_without_onion = regsubst($onion_hn, '\.onion$', '')
+                       @@concat::fragment { "onion::balance::instance::$name::$fqdn":
+                               target  => "/etc/onionbalance/config.yaml",
+                               content => "      - address: ${hostname_without_onion}\n        name: ${hostname}-${name}\n",
+                               order   => "50-${name}-20",
+                               tag     => "onion::balance::$name",
+                       }
                }
        }
 }

diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index 5efac97..2cd90de 100644 (file)
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -359,7 +359,7 @@ class roles {
                        target_port => 81,
                }
        }
-       if $::hostname in [olin] {
-               onion::balance_service { 'ftp.debian.org': }
+       if has_role('onionbalance') {
+               include roles::onionbalance
        }
 }

diff --git a/modules/roles/manifests/onionbalance.pp b/modules/roles/manifests/onionbalance.pp
new file mode 100644 (file)
index 0000000..f36aac7
--- /dev/null
+++ b/modules/roles/manifests/onionbalance.pp
@@ -0,0 +1,35 @@
+class roles::onionbalance {
+       onion::balance_service { 'ftp.debian.org': }
+       onion::balance_service { 'dsa.debian.org': }
+       onion::balance_service { 'www.debian.org': }
+       onion::balance_service { 'rtc.debian.org': }
+       onion::balance_service { 'd-i.debian.org': }
+
+       # do
+       onion::balance_service { 'appstream.debian.org': }
+       onion::balance_service { 'backports.debian.org': }
+       onion::balance_service { 'bits.debian.org': }
+       onion::balance_service { 'blends.debian.org': }
+       onion::balance_service { 'lintian.debian.org': }
+       onion::balance_service { 'release.debian.org': }
+       onion::balance_service { 'security-team.debian.org': }
+       onion::balance_service { 'www.ports.debian.org': }
+       # dn
+       onion::balance_service { 'news.debian.net': }
+       onion::balance_service { 'debaday.debian.net': }
+       onion::balance_service { 'timeline.debian.net': }
+       onion::balance_service { 'wnpp-by-tags.debian.net': }
+       # dc
+       onion::balance_service { 'debconf0.debconf.org': }
+       onion::balance_service { 'debconf1.debconf.org': }
+       onion::balance_service { 'debconf2.debconf.org': }
+       onion::balance_service { 'debconf3.debconf.org': }
+       onion::balance_service { 'debconf4.debconf.org': }
+       onion::balance_service { 'debconf5.debconf.org': }
+       onion::balance_service { 'debconf6.debconf.org': }
+       onion::balance_service { 'debconf7.debconf.org': }
+       onion::balance_service { '10years.debconf.org': }
+       onion::balance_service { 'es.debconf.org': }
+       onion::balance_service { 'fr.debconf.org': }
+       onion::balance_service { 'miniconf10.debconf.org': }
+}

diff --git a/modules/roles/manifests/static_mirror.pp b/modules/roles/manifests/static_mirror.pp
index 50e3dfc..eb2e125 100644 (file)
--- a/modules/roles/manifests/static_mirror.pp
+++ b/modules/roles/manifests/static_mirror.pp
@@ -31,6 +31,13 @@ class roles::static_mirror {
                        content => "MAILTO=root\nPATH=/usr/local/bin:/usr/bin:/bin\n@reboot staticsync sleep 60; chronic static-mirror-run-all\n",
        }
 
+       $onion_v4_addr = $::hostname ? {
+               klecker    => '130.89.148.14',
+               mirror-isc => '149.20.20.22',
+               mirror-anu => '150.203.164.62',
+               senfter    => '5.153.231.4',
+               default    => undef,
+       }
        $vhost_listen = $::hostname ? {
                klecker    => '130.89.148.14:80 [2001:610:1908:b000::148:14]:80',
                mirror-isc => '149.20.20.22:80 [2001:4f8:8:36::1deb:22]:80',
@@ -104,4 +111,43 @@ class roles::static_mirror {
        ssl::service { 'es.debconf.org'                : ensure => "ifstatic", notify => Service['apache2'], key => true, }
        ssl::service { 'fr.debconf.org'                : ensure => "ifstatic", notify => Service['apache2'], key => true, }
        ssl::service { 'miniconf10.debconf.org'        : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+
+       if has_role('static_mirror_onion') {
+               if ! $onion_v4_addr {
+                       fail("Do not have an onion_v4_addr set for $::hostname.")
+               }
+
+               onion::service { 'dsa.debian.org'      : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'www.debian.org'      : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'rtc.debian.org'      : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'd-i.debian.org'      : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+
+               # do
+               onion::service { 'appstream.debian.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'backports.debian.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'bits.debian.org'               : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'blends.debian.org'             : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'lintian.debian.org'            : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'release.debian.org'            : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'security-team.debian.org'      : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'www.ports.debian.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               # dn
+               onion::service { 'news.debian.net'               : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'debaday.debian.net'            : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'timeline.debian.net'           : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'wnpp-by-tags.debian.net'       : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               # dc
+               onion::service { 'debconf0.debconf.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'debconf1.debconf.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'debconf2.debconf.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'debconf3.debconf.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'debconf4.debconf.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'debconf5.debconf.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'debconf6.debconf.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'debconf7.debconf.org'          : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { '10years.debconf.org'           : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'es.debconf.org'                : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'fr.debconf.org'                : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+               onion::service { 'miniconf10.debconf.org'        : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+       }
 }