From 0b7e7faac5ee0999b25e49602419f397e5e9be5b Mon Sep 17 00:00:00 2001
From: Someone
Date: Mon, 5 Aug 2024 19:34:51 +0200
Subject: [PATCH] [roles/base/tor] install tor with hidden sshd service, possibly copy private key
---
 roles/base/tor/defaults/main.yml | 13 ++++++
 roles/base/tor/files/default/torrc | 22 +++++++++++
 roles/base/tor/handlers/main.yml | 13 ++++++
 roles/base/tor/tasks/configure-hidserv.yml | 31 +++++++++++++++
 roles/base/tor/tasks/main.yml | 46 ++++++++++++++++++++++
 5 files changed, 125 insertions(+)
 create mode 100644 roles/base/tor/defaults/main.yml
 create mode 100644 roles/base/tor/files/default/torrc
 create mode 100644 roles/base/tor/handlers/main.yml
 create mode 100644 roles/base/tor/tasks/configure-hidserv.yml
 create mode 100644 roles/base/tor/tasks/main.yml
diff --git a/roles/base/tor/defaults/main.yml b/roles/base/tor/defaults/main.yml
new file mode 100644
index 0000000..b588f99
--- /dev/null
+++ b/roles/base/tor/defaults/main.yml
@@ -0,0 +1,13 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# If not overridden in inventory or as a parameter, this is the value that will be used
+#
+---
+setup_tor: False
+
+hidden_services:
+ - sshd
diff --git a/roles/base/tor/files/default/torrc b/roles/base/tor/files/default/torrc
new file mode 100644
index 0000000..d27155a
--- /dev/null
+++ b/roles/base/tor/files/default/torrc
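Review bot: `setup_tor: False` uses the capitalised boolean spelling; write the canonical `setup_tor: false` — yamllint's `truthy` rule rejects `False`, and every consumer in tasks/main.yml normalises the value through `| bool`, so nothing depends on the current form. A one-line comment above `hidden_services` would also help, e.g. `# each entry X gets /var/lib/tor/hidden_X created by configure-hidserv.yml and needs a matching HiddenServiceDir stanza in the torrc (the default torrc only carries sshd)`.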
@@ -0,0 +1,22 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+
+PIDFile /var/run/tor/tor.pid
+Log notice syslog
+SafeLogging 0
+ControlPort 9051
+CookieAuthentication 1
+#DisableDebuggerAttachment 0
+HiddenServiceStatistics 0
+SocksPort 127.0.0.2:9050
+
+LongLivedPorts 2,22,80,443,6667,6697
+ExitPolicy reject *:*
+
+HiddenServiceDir /var/lib/tor/hidden_sshd
+HiddenServicePort 2 127.0.0.2:2
diff --git a/roles/base/tor/handlers/main.yml b/roles/base/tor/handlers/main.yml
new file mode 100644
index 0000000..24f4b67
--- /dev/null
+++ b/roles/base/tor/handlers/main.yml
@@ -0,0 +1,13 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: restart tor.service
+ systemd:
+ name: tor.service
+ daemon_reload: yes
+ state: restarted
+ ignore_errors: yes
diff --git a/roles/base/tor/tasks/configure-hidserv.yml b/roles/base/tor/tasks/configure-hidserv.yml
new file mode 100644
index 0000000..380b5eb
--- /dev/null
+++ b/roles/base/tor/tasks/configure-hidserv.yml
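Review bot: `SafeLogging 0` switches off tor's scrubbing of sensitive fields from its log lines, and with `Log notice syslog` on the line above that detail lands in the host's shared syslog rather than a tor-private log; unless it is needed for debugging, drop the line (tor's default is `SafeLogging 1`) or leave it to a per-host torrc override. Separately, this file hard-codes a single `HiddenServiceDir /var/lib/tor/hidden_sshd` stanza while `hidden_services` in defaults/main.yml is a list that tasks/main.yml loops configure-hidserv.yml over, so any additional entry gets its directory and key under `/var/lib/tor/hidden_<name>` but no stanza here and is never published by tor; either render the stanzas from the list with a `template:` task in tasks/main.yml or state in the role that extra entries require a host-level torrc. `HiddenServicePort 2 127.0.0.2:2` also presumes sshd is listening on 127.0.0.2 port 2, which nothing in this commit configures — a comment on that line such as `# sshd must be bound to 127.0.0.2:2 (see the sshd role/host config)` would make the dependency visible.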
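Review bot: `ignore_errors: yes` on the restart handler swallows a failed restart, so a torrc that does not pass tor's startup config check leaves the play green with tor down or still running the old configuration — exactly the case the `notify:` on the torrc and key copies is meant to surface. Drop the `ignore_errors` line, or put a `command: tor --verify-config` task in front of the restart so a bad config fails at a readable point instead of silently. `daemon_reload: yes` and `ignore_errors: yes` also use the `yes` spelling; prefer `true`/`false` per yamllint's `truthy` rule.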
@@ -0,0 +1,31 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: create service-dir for hidden service {{hs}}
+ file:
+ path: "/var/lib/tor/hidden_{{hs}}"
+ state: directory
+ recurse: yes
+ mode: "u=rwX,go-rwx"
+ owner: "debian-tor"
+ group: "debian-tor"
+
+
+- name: copy hidden service {{hs}} private key
+ copy:
+ src: "{{item}}"
+ dest: "/var/lib/tor/hidden_{{hs}}/hs_ed25519_secret_key"
+ mode: 0600
+ owner: "debian-tor"
+ group: "debian-tor"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/hs_ed25519_secret_key_{{hs}}"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/hs_ed25519_secret_key_{{hs}}"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/hs_ed25519_secret_key_{{hs}}"
+ - "default/hs_ed25519_secret_key_{{hs}}"
+ notify: restart tor.service
+ ignore_errors: yes
diff --git a/roles/base/tor/tasks/main.yml b/roles/base/tor/tasks/main.yml
new file mode 100644
index 0000000..26fef2f
--- /dev/null
+++ b/roles/base/tor/tasks/main.yml
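Review bot: `ignore_errors: yes` on the key-copy task is there because `with_first_found` fails when none of the four candidates exists (the subject says the key copy is optional), but it also masks real failures — an unreadable staged key, a chown to a `debian-tor` account that is not present — and reports the task as failed-then-ignored on every host that simply has no key. Use the lookup's `files:`/`skip: true` form so a missing key becomes a clean skip, and add `no_log: true` since the task handles a private key, keeping the candidate paths and any diff rendering of the key out of play output. The same unquoted `mode: 0600` appears here and on the torrc copy in tasks/main.yml: PyYAML reads the leading-zero literal as an octal integer, which Ansible accepts, but a YAML 1.2 parser reads decimal 600, and the `file:` task just above already quotes its mode — write `mode: "0600"` in both places. Tor derives the public key and `hostname` files from the secret key, so copying only `hs_ed25519_secret_key` is presumably sufficient; a comment above the task stating that would spare the next reader the check.
```yaml
- name: copy hidden service {{hs}} private key
  copy:
    # … unchanged: src/dest/owner/group …
    mode: "0600"
  with_first_found:
    - files:
        - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/hs_ed25519_secret_key_{{hs}}"
        # … unchanged: the group_files and default/ candidates …
      skip: true
  no_log: true
  notify: restart tor.service
```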
@@ -0,0 +1,46 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# 2017 by someone
+#
+---
+- name: install tor
+ apt:
+ pkg:
+ - tor
+ state: present
+ policy_rc_d: 101
+ when: setup_tor | bool
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: copy torrc
+ copy:
+ src: "{{item}}"
+ dest: "/etc/tor/torrc"
+ mode: 0600
+ owner: "debian-tor"
+ group: "debian-tor"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/torrc"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/torrc"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/torrc"
+ - "default/torrc"
+ when: setup_tor | bool
+ notify: restart tor.service
+
+
+# for each hidserv do a with first found.
+- include_tasks: configure-hidserv.yml
+ with_items: "{{hidden_services}}"
+ loop_control:
+ loop_var: hs
+ when: setup_tor | bool
+
+
+- name: enable and start tor.service
+ include_role: name="base/systemd/enable-and-start"
+ vars:
+ service_name: tor.service
+ when: setup_tor | bool
--
2.43.0
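Review bot: `/etc/tor/torrc` is chowned to `debian-tor`, which appears to be the account tor runs as here (the hidden-service directories are handed to the same user), so a compromised tor process can rewrite its own `ControlPort`, `SocksPort` and `ExitPolicy`; keep the file root-owned with read access for tor only — `owner: "root"`, `group: "debian-tor"`, `mode: "0640"` — which still satisfies a pre-start config check running as that user, to be confirmed against the unit on the target. Minor style: `include_role: name="base/systemd/enable-and-start"` uses the key=value string form while every other task in the commit is block YAML; `include_role:` / `  name: base/systemd/enable-and-start` keeps the file uniform. The `# for each hidserv do a with first found.` comment describes the mechanism rather than the intent; `# for each entry of hidden_services: create /var/lib/tor/hidden_<name> and install a staged private key if one exists` tells the reader what the loop is for.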