diff --git a/group_vars/tor.yml b/group_vars/tor.yml
index 5c4b5271..95b512df 100644
--- a/group_vars/tor.yml
+++ b/group_vars/tor.yml
@@ -8,8 +8,8 @@
 tor_control_socket: 0
 tor_contact_info: webmaster(at)mgrote(dot)net
 tor_control_port: 9051
- tor_bandwidth_rate: 350 MBits
- tor_bandwidth_burst: 350 MBits
+ tor_mode: bridge
+ tor_bridge_port: 5555
 ### oefenweb.ufw
 ufw_rules:
 - rule: allow
@@ -27,6 +27,11 @@
 protocol: tcp
 comment: 'tor'
 from_ip: 0.0.0.0/0
+ - rule: allow
+ to_port: "{{ tor_bridge_port }}"
+ protocol: tcp
+ comment: 'tor'
+ from_ip: 0.0.0.0/0
 ### geerlingguy.munin-node
 munin_node_bind_port: "4949"
 munin_node_allowed_cidrs: [0.0.0.0/0]
diff --git a/roles/mgrote.tor-node/README.md b/roles/mgrote.tor-node/README.md
index 7e4b82ae..676fe363 100644
--- a/roles/mgrote.tor-node/README.md
+++ b/roles/mgrote.tor-node/README.md
@@ -1,7 +1,7 @@
 ## mgrote.tor-node
 ### Beschreibung
-Setzt ein tor-relay auf.
+Setzt ein tor-relay ODER eine [tor-bridge](https://community.torproject.org/relay/setup/bridge/debian-ubuntu/) auf.
 ORPort muss in Firewall freigeschaltet sein. Es muss eine Portfreigabe im Router existieren.
diff --git a/roles/mgrote.tor-node/defaults/main.yml b/roles/mgrote.tor-node/defaults/main.yml
index b3c1149d..b184f1e8 100644
--- a/roles/mgrote.tor-node/defaults/main.yml
+++ b/roles/mgrote.tor-node/defaults/main.yml
@@ -11,3 +11,5 @@
 # tor_my_family: name
 # tor_bandwidth_rate:
 # tor_bandwidth_burst:
+ tor_mode: relay # OR bridge
+ tor_bridge_port: 5555
diff --git a/roles/mgrote.tor-node/tasks/bridge.yml b/roles/mgrote.tor-node/tasks/bridge.yml
new file mode 100644
index 00000000..263730cb
--- /dev/null
+++ b/roles/mgrote.tor-node/tasks/bridge.yml
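Review bot: The new ufw rule for `{{ tor_bridge_port }}` in the second hunk is unconditional, so a host later switched back to `tor_mode: relay` keeps 5555/tcp open to 0.0.0.0/0 with nothing listening behind it; if the mode is expected to change, the rule should be tied to it (for example by templating `ufw_rules` from `tor_mode`) or the hunk should note that the rule must be removed by hand. The rule also reuses the comment `'tor'` already used by the ORPort rule, which makes the two indistinguishable in `ufw status`; `comment: 'tor obfs4 bridge'` would name the listener it protects. The quoting of `to_port: "{{ tor_bridge_port }}"` is right, since a bare Jinja expression at the start of a value is otherwise parsed as a flow mapping.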
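Review bot: The two new defaults in roles/mgrote.tor-node/defaults/main.yml are undocumented beyond `# OR bridge`, and nothing says that `tor_bridge_port` is only consumed in bridge mode or how it relates to `tor_or_port`. A comment above the two keys such as `# tor_mode selects tasks/relay.yml or tasks/bridge.yml; tor_bridge_port is the obfs4 listen port (ServerTransportListenAddr) used only when tor_mode == 'bridge' and must be opened in the firewall in addition to tor_or_port` would make that contract explicit, since the bridge template binds it on 0.0.0.0. The collapsed rendering does not show whether the inline comment on `tor_mode` has the two spaces before `#` that yamllint expects; worth checking.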
@@ -0,0 +1,34 @@
+---
+ - name: install dependencies
+ become: yes
+ ansible.builtin.package:
+ name: apt-transport-https
+ state: present
+
+ - name: add tor repo key
+ ansible.builtin.apt_key:
+ url: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
+ state: present
+
+ - name: add tor repo
+ ansible.builtin.apt_repository:
+ repo: deb https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main
+ state: present
+ filename: tor
+
+ - name: install tor packages
+ become: yes
+ ansible.builtin.package:
+ name:
+ - tor
+ - deb.torproject.org-keyring
+ - obfs4proxy
+ state: present
+ notify: restart tor
+
+ - name: templating torrc
+ become: yes
+ ansible.builtin.template:
+ src: "bridge_torrc"
+ dest: "/etc/tor/torrc"
+ notify: restart tor
diff --git a/roles/mgrote.tor-node/tasks/main.yml b/roles/mgrote.tor-node/tasks/main.yml
index 540e3b1f..939a1589 100644
--- a/roles/mgrote.tor-node/tasks/main.yml
+++ b/roles/mgrote.tor-node/tasks/main.yml
@@ -1,33 +1,10 @@
 ---
- - name: install dependencies
- become: yes
- ansible.builtin.package:
- name: apt-transport-https
- state: present
+ - name: include bridge tasks
+ include_tasks: bridge.yml
+ when:
+ - tor_mode == 'bridge'

- - name: add tor repo key
- ansible.builtin.apt_key:
- url: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
- state: present
-
- - name: add tor repo
- ansible.builtin.apt_repository:
- repo: deb https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main
- state: present
- filename: tor
-
- - name: install tor packages
- become: yes
- ansible.builtin.package:
- name:
- - tor
- - deb.torproject.org-keyring
- state: present
- notify: restart tor
-
- - name: templating torrc
- become: yes
- ansible.builtin.template:
- src: "torrc"
- dest: "/etc/tor/torrc"
- notify: restart tor
+ - name: include relay tasks
+ include_tasks: relay.yml
+ when:
+ - tor_mode == 'relay'
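Review bot: The `add tor repo key` task in the new bridge.yml imports the signing key by URL without pinning its fingerprint, so whatever key the download returns is trusted for the repository that installs tor and obfs4proxy; adding `id: A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89` next to `url:` makes apt_key verify the imported key against the fingerprint the URL already names. The same task and `add tor repo` also lack the `become: yes` that the package and template tasks carry, which presumably fails unless the play escalates globally; either add it there or drop the per-task `become` throughout for consistency. Both points apply identically to tasks/relay.yml, which repeats these first three tasks verbatim, so the shared install and repository tasks could stay in main.yml with only the package list and template name differing by mode. `become: yes` and the other truthy literals would read more portably as `true`.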
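Review bot: A `tor_mode` value other than `'relay'` or `'bridge'` now makes both `when:` conditions false, so the role silently does nothing and leaves whatever torrc is already on the host in place; a guard before the two includes turns a typo into a failed play instead. The includes also use bare `include_tasks` while every other module in the role is fully qualified, so `ansible.builtin.include_tasks` would be consistent.
```yaml
  - name: validate tor_mode
    ansible.builtin.assert:
      that:
        - tor_mode in ['relay', 'bridge']
      fail_msg: "tor_mode must be 'relay' or 'bridge', got '{{ tor_mode }}'"

  # … unchanged: include bridge tasks / include relay tasks …
```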
diff --git a/roles/mgrote.tor-node/tasks/relay.yml b/roles/mgrote.tor-node/tasks/relay.yml
new file mode 100644
index 00000000..9412edd0
--- /dev/null
+++ b/roles/mgrote.tor-node/tasks/relay.yml
@@ -0,0 +1,33 @@
+---
+ - name: install dependencies
+ become: yes
+ ansible.builtin.package:
+ name: apt-transport-https
+ state: present
+
+ - name: add tor repo key
+ ansible.builtin.apt_key:
+ url: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
+ state: present
+
+ - name: add tor repo
+ ansible.builtin.apt_repository:
+ repo: deb https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main
+ state: present
+ filename: tor
+
+ - name: install tor packages
+ become: yes
+ ansible.builtin.package:
+ name:
+ - tor
+ - deb.torproject.org-keyring
+ state: present
+ notify: restart tor
+
+ - name: templating torrc
+ become: yes
+ ansible.builtin.template:
+ src: "relay_torrc"
+ dest: "/etc/tor/torrc"
+ notify: restart tor
diff --git a/roles/mgrote.tor-node/templates/bridge_torrc b/roles/mgrote.tor-node/templates/bridge_torrc
new file mode 100644
index 00000000..44039a50
--- /dev/null
+++ b/roles/mgrote.tor-node/templates/bridge_torrc
@@ -0,0 +1,26 @@
+{{ file_header | default () }}
+
+Nickname {{ tor_relay_name }}
+ContactInfo {{ tor_contact_info }}
+ORPort {{ tor_or_port }}
+ExitRelay 0
+SocksPort {{ tor_socks_port }}
+BridgeRelay 1
+ExtORPort auto
+Log notice syslog
+ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
+ServerTransportListenAddr obfs4 0.0.0.0:{{ tor_bridge_port }}
+ExitPolicy reject *:*
+CookieAuthentication 1
+
+{% if tor_bandwidth_rate is defined %}
+BandwidthRate {{ tor_bandwidth_rate }}
+{% endif %}
+
+{% if tor_bandwidth_burst is defined %}
+BandwidthBurst {{ tor_bandwidth_burst }}
+{% endif %}
+
+{% if tor_my_family is defined %}
+MyFamily {{ tor_my_family }}
+{% endif %}
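Review bot: The new bridge_torrc drops the `ControlSocket` and `ControlPort` lines that relay_torrc renders but keeps `CookieAuthentication 1`, and group_vars/tor.yml still carries `tor_control_port: 9051` for a host now set to bridge mode; if leaving the bridge without a control interface is deliberate, a template comment such as `# no ControlPort/ControlSocket on bridges; CookieAuthentication kept for parity with relay_torrc` would stop the next reader from treating it as an omission, otherwise the two lines are missing. `ServerTransportListenAddr obfs4 0.0.0.0:{{ tor_bridge_port }}` binds every interface, which is what the ufw rule in group_vars expects, but `ORPort {{ tor_or_port }}` must remain reachable as well for the bridge to work, and the template does not say so. The bandwidth and MyFamily blocks are copied verbatim from relay_torrc, so a shared Jinja include would keep the two templates from drifting.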
diff --git a/roles/mgrote.tor-node/templates/relay_torrc b/roles/mgrote.tor-node/templates/relay_torrc
new file mode 100644
index 00000000..7b8b4a70
--- /dev/null
+++ b/roles/mgrote.tor-node/templates/relay_torrc
@@ -0,0 +1,23 @@
+{{ file_header | default () }}
+
+Nickname {{ tor_relay_name }}
+ORPort {{ tor_or_port }}
+ExitRelay 0
+SocksPort {{ tor_socks_port }}
+ControlSocket {{ tor_control_socket }}
+ContactInfo {{ tor_contact_info }}
+ControlPort {{ tor_control_port }}
+CookieAuthentication 1
+ExitPolicy reject *:*
+
+{% if tor_bandwidth_rate is defined %}
+BandwidthRate {{ tor_bandwidth_rate }}
+{% endif %}
+
+{% if tor_bandwidth_burst is defined %}
+BandwidthBurst {{ tor_bandwidth_burst }}
+{% endif %}
+
+{% if tor_my_family is defined %}
+MyFamily {{ tor_my_family }}
+{% endif %}
diff --git a/roles/mgrote.tor-node/templates/torrc b/roles/mgrote.tor-node/templates/torrc
deleted file mode 100644
index b433b731..00000000
--- a/roles/mgrote.tor-node/templates/torrc
+++ /dev/null
@@ -1,23 +0,0 @@
-{{ file_header | default () }}
-
-Nickname {{ tor_relay_name }}
-ORPort {{ tor_or_port }}
-ExitRelay 0
-SocksPort {{ tor_socks_port }}
-ControlSocket {{ tor_control_socket }}
-ContactInfo {{ tor_contact_info }}
-ControlPort {{ tor_control_port }}
-CookieAuthentication 1
-ExitPolicy reject *:*
-
-{% if tor_bandwidth_rate is defined %}
-BandwidthRate {{ tor_bandwidth_rate }}
-{% endif %}
-
-{% if tor_bandwidth_burst is defined %}
-BandwidthBurst {{ tor_bandwidth_burst }}
-{% endif %}
-
-{% if tor_my_family is defined %}
-MyFamily {{ tor_my_family }}
-{% endif %}