From d46e15fc9edead0044eb283fc6c5d57fc383bda3 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 29 Jul 2016 15:38:35 +0000
Subject: [PATCH] Add onion services for a bunch of static things
---
 hieradata/common.yaml | 7 ++++
 modules/onion/manifests/service.pp | 42 ++++++++++++++--------
 modules/roles/manifests/init.pp | 4 +--
 modules/roles/manifests/onionbalance.pp | 35 ++++++++++++++++++
 modules/roles/manifests/static_mirror.pp | 46 ++++++++++++++++++++++++
 5 files changed, 117 insertions(+), 17 deletions(-)
 create mode 100644 modules/roles/manifests/onionbalance.pp
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 443e4e0ff..bfa8a9c72 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -134,6 +134,11 @@ roles:
 - mirror-isc.debian.org
 - senfter.debian.org
 - santoro.debian.org
+ static_mirror_onion:
+ - klecker.debian.org
+ - mirror-anu.debian.org
+ - mirror-isc.debian.org
+ - senfter.debian.org
 # when adding a new static mirror, allow it to sync etc, but do not push to it and wait for it. For this, also add it to static_mirror_nopush.
 static_mirror_nopush:
 - dummy
@@ -206,3 +211,5 @@ roles:
 - petrova.debian.org
 ports-master:
 - porta.debian.org
+ onionbalance:
+ - olin.debian.org
diff --git a/modules/onion/manifests/service.pp b/modules/onion/manifests/service.pp
index 71e8b6684..c8ea548e8 100644
--- a/modules/onion/manifests/service.pp
+++ b/modules/onion/manifests/service.pp
@@ -1,24 +1,36 @@
 define onion::service (
 $port,
 $target_address,
- $target_port
+ $target_port,
+ $ensure = present
 ) {
- include onion
-
- concat::fragment { "onion::torrc_onionservice::${name}":
- target => "/etc/tor/torrc",
- order => 50,
- content => "HiddenServiceDir /var/lib/tor/onion/${name}\nHiddenServicePort ${port} ${target_address}:${target_port}\n\n",
+ if ($ensure == "ifstatic") {
+ $my_ensure = has_static_component($name) ? {
+ true => "present",
+ false => "absent"
+ }
+ } else {
+ $my_ensure = $ensure
 }
- $onion_hn = onion_tor_service_hostname($name)
- if $onion_hn {
- $hostname_without_onion = regsubst($onion_hn, '\.onion$', '')
- @@concat::fragment { "onion::balance::instance::$name::$fqdn":
- target => "/etc/onionbalance/config.yaml",
- content => " - address: ${hostname_without_onion}\n name: ${hostname}-${name}\n",
- order => "50-${name}-20",
- tag => "onion::balance::$name",
+ if ($my_ensure == "present") {
+ include onion
+
+ concat::fragment { "onion::torrc_onionservice::${name}":
+ target => "/etc/tor/torrc",
+ order => 50,
+ content => "HiddenServiceDir /var/lib/tor/onion/${name}\nHiddenServicePort ${port} ${target_address}:${target_port}\n\n",
+ }
+
+ $onion_hn = onion_tor_service_hostname($name)
+ if $onion_hn {
+ $hostname_without_onion = regsubst($onion_hn, '\.onion$', '')
+ @@concat::fragment { "onion::balance::instance::$name::$fqdn":
+ target => "/etc/onionbalance/config.yaml",
+ content => " - address: ${hostname_without_onion}\n name: ${hostname}-${name}\n",
+ order => "50-${name}-20",
+ tag => "onion::balance::$name",
+ }
 }
 }
 }
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index 5efac975e..2cd90de33 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -359,7 +359,7 @@ class roles {
 target_port => 81,
 }
 }
- if $::hostname in [olin] {
- onion::balance_service { 'ftp.debian.org': }
+ if has_role('onionbalance') {
+ include roles::onionbalance
 }
 }
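Review bot: In `onion::service` (modules/onion/manifests/service.pp) the new `$ensure` parameter is never validated, so any value other than "present" or "ifstatic" — a typo included — silently declares nothing; a guard after the selector such as `if !($my_ensure in ["present", "absent"]) { fail("onion::service ${name}: unexpected ensure '${ensure}'") }` would surface that at compile time. The absent path also only omits the torrc fragment: nothing in this hunk removes `/var/lib/tor/onion/${name}`, so the service's private key would stay on a mirror that has stopped serving the component unless the `onion` class (not shown) purges that directory. A one-line comment above the first `if` stating that "ifstatic" follows `has_static_component($name)` would help the next reader.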
diff --git a/modules/roles/manifests/onionbalance.pp b/modules/roles/manifests/onionbalance.pp
new file mode 100644
index 000000000..f36aac7f9
--- /dev/null
+++ b/modules/roles/manifests/onionbalance.pp
@@ -0,0 +1,35 @@
+class roles::onionbalance {
+ onion::balance_service { 'ftp.debian.org': }
+ onion::balance_service { 'dsa.debian.org': }
+ onion::balance_service { 'www.debian.org': }
+ onion::balance_service { 'rtc.debian.org': }
+ onion::balance_service { 'd-i.debian.org': }
+
+ # do
+ onion::balance_service { 'appstream.debian.org': }
+ onion::balance_service { 'backports.debian.org': }
+ onion::balance_service { 'bits.debian.org': }
+ onion::balance_service { 'blends.debian.org': }
+ onion::balance_service { 'lintian.debian.org': }
+ onion::balance_service { 'release.debian.org': }
+ onion::balance_service { 'security-team.debian.org': }
+ onion::balance_service { 'www.ports.debian.org': }
+ # dn
+ onion::balance_service { 'news.debian.net': }
+ onion::balance_service { 'debaday.debian.net': }
+ onion::balance_service { 'timeline.debian.net': }
+ onion::balance_service { 'wnpp-by-tags.debian.net': }
+ # dc
+ onion::balance_service { 'debconf0.debconf.org': }
+ onion::balance_service { 'debconf1.debconf.org': }
+ onion::balance_service { 'debconf2.debconf.org': }
+ onion::balance_service { 'debconf3.debconf.org': }
+ onion::balance_service { 'debconf4.debconf.org': }
+ onion::balance_service { 'debconf5.debconf.org': }
+ onion::balance_service { 'debconf6.debconf.org': }
+ onion::balance_service { 'debconf7.debconf.org': }
+ onion::balance_service { '10years.debconf.org': }
+ onion::balance_service { 'es.debconf.org': }
+ onion::balance_service { 'fr.debconf.org': }
+ onion::balance_service { 'miniconf10.debconf.org': }
+}
diff --git a/modules/roles/manifests/static_mirror.pp b/modules/roles/manifests/static_mirror.pp
index 50e3dfc61..eb2e125c3 100644
--- a/modules/roles/manifests/static_mirror.pp
+++ b/modules/roles/manifests/static_mirror.pp
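Review bot: The service names in `roles::onionbalance` are a hand-maintained copy of the `onion::service` list this commit adds to modules/roles/manifests/static_mirror.pp (its second hunk), and the two are tied together only by the `onion::balance::$name` tag on the exported fragments (`ftp.debian.org` has no counterpart in that hunk and is presumably declared elsewhere). A name present in one file and missing from the other would, as far as this diff shows, leave either a balance frontend with no backend instances or backends that nothing collects, without any compile-time error. Because Puppet accepts an array as a resource title, both places could share one list, for example `onion::balance_service { $static_onion_names: }` here and `onion::service { $static_onion_names: ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }` there, where `$static_onion_names` is a name to be chosen. The `# do`, `# dn` and `# dc` markers would also read better spelled out as `# debian.org`, `# debian.net` and `# debconf.org`.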
@@ -31,6 +31,13 @@ class roles::static_mirror {
 content => "MAILTO=root\nPATH=/usr/local/bin:/usr/bin:/bin\n@reboot staticsync sleep 60; chronic static-mirror-run-all\n",
 }
+ $onion_v4_addr = $::hostname ? {
+ klecker => '130.89.148.14',
+ mirror-isc => '149.20.20.22',
+ mirror-anu => '150.203.164.62',
+ senfter => '5.153.231.4',
+ default => undef,
+ }
 $vhost_listen = $::hostname ? {
 klecker => '130.89.148.14:80 [2001:610:1908:b000::148:14]:80',
 mirror-isc => '149.20.20.22:80 [2001:4f8:8:36::1deb:22]:80',
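Review bot: `$onion_v4_addr` repeats the IPv4 addresses already hard-coded in `$vhost_listen` directly below, and the next hunk passes it as `target_address` with `target_port => 81`, so tor forwards onion traffic to the host's public address rather than to loopback. That implies a port-81 listener bound to the public IP (the Apache vhost is not part of this diff); unless it is firewalled, the onion vhost is also reachable directly from the clearnet, which matters if anything treats port 81 as onion-only. Consider binding that listener to `127.0.0.1` and targeting it, or at least adding a comment here that says why the public address is used and that the two tables must be kept in sync. The `class roles::static_mirror` body starts and ends outside this hunk.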
@@ -104,4 +111,43 @@ class roles::static_mirror {
 ssl::service { 'es.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, }
 ssl::service { 'fr.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, }
 ssl::service { 'miniconf10.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+
+ if has_role('static_mirror_onion') {
+ if ! $onion_v4_addr {
+ fail("Do not have an onion_v4_addr set for $::hostname.")
+ }
+
+ onion::service { 'dsa.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'www.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'rtc.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'd-i.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+
+ # do
+ onion::service { 'appstream.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'backports.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'bits.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'blends.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'lintian.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'release.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'security-team.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'www.ports.debian.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ # dn
+ onion::service { 'news.debian.net' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'debaday.debian.net' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'timeline.debian.net' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'wnpp-by-tags.debian.net' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ # dc
+ onion::service { 'debconf0.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'debconf1.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'debconf2.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'debconf3.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'debconf4.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'debconf5.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'debconf6.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'debconf7.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { '10years.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'es.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'fr.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ onion::service { 'miniconf10.debconf.org' : ensure => "ifstatic", port => 80, target_port => 81, target_address => $onion_v4_addr }
+ }
 }
--
2.20.1