propellor spin

2015-01-29 01:04:59 -04:00 · 2015-01-29 01:04:59 -04:00 · d7697a4b25
parent 7da64306a0
commit d7697a4b25
4 changed files with 1254 additions and 1200 deletions
--- a/config-joey.hs
+++ b/config-joey.hs
@ -86,7 +86,7 @@ clam = standardSystem "clam.kitenet.net" Unstable "amd64"
 	& Ssh.randomHostKeys
 	& Apt.unattendedUpgrades
 	& Network.ipv6to4
-	& Tor.isBridge
+	& Tor.isNamedBridge "kite1"
 	& Postfix.satellite

 	& Docker.configured
--- a/privdata.joey/privdata.gpg
+++ b/privdata.joey/privdata.gpg
--- a/src/Propellor/Property/Tor.hs
+++ b/src/Propellor/Property/Tor.hs
@ -7,19 +7,48 @@ import qualified Propellor.Property.Service as Service
 import Utility.FileMode

 import System.Posix.Files
+import Data.Char

 type HiddenServiceName = String

+type BridgeName = String
+
+-- | Sets up a tor bridge relay. (Not an exit node.)
 isBridge :: Property NoInfo
-isBridge = setup `requires` Apt.installed ["tor"]
+isBridge = isBridge' []
+
+isBridge' :: [String] -> Property NoInfo
+isBridge' extraconfig = setup
+	`requires` Apt.installed ["tor", "ntp"]
 	`describe` "tor bridge"
  where
-	setup = mainConfig `File.hasContent`
+	setup = mainConfig `File.hasContent` config
+		`onChange` restarted
+	config = 
 		[ "SocksPort 0"
 		, "ORPort 443"
 		, "BridgeRelay 1"
 		, "Exitpolicy reject *:*"
-		] `onChange` restarted
+		] ++ extraconfig
+
+-- | Sets up a tor bridge relay with a known name and private key.
+--
+-- This can be moved to a different IP without needing to wait to
+-- accumulate trust.
+--
+-- The isBridge property can be used to start 
+-- and then upgraded to this one later.
+isNamedBridge :: BridgeName -> Property HasInfo
+isNamedBridge bn = isBridge' ["Nickname " ++ saneNickname bn]
+	`requires` torPrivKey (Context ("tor bridge " ++ bn))
+
+torPrivKey :: Context -> Property HasInfo
+torPrivKey context = f `File.hasPrivContent` context
+	`onChange` File.ownerGroup f user user
+	-- install tor first, so the directory exists with right perms
+	`requires` Apt.installed ["tor"]
+  where
+	f = "/var/lib/tor/keys/secret_id_key"

 hiddenServiceAvailable :: HiddenServiceName -> Int -> Property NoInfo
 hiddenServiceAvailable hn port = hiddenServiceHostName prop
@ -80,3 +109,14 @@ varRun = "/var/run/tor"

 user :: UserName
 user = "debian-tor"
+
+type NickName = String
+
+-- | Convert String to a valid tor NickName.
+saneNickname :: String -> NickName
+saneNickname s 
+	| null n = "unnamed"
+	| otherwise = n
+  where
+	legal c = isNumber c || isAsciiUpper c || isAsciiLower c
+	n = take 19 $ filter legal s