tor: bridge statt relay (#246)

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: mg/ansible#246
Co-authored-by: mg <michael.grote@posteo.de>
Co-committed-by: mg <michael.grote@posteo.de>

group_vars/tor.yml

@@ -8,8 +8,8 @@
   tor_control_socket: 0
   tor_contact_info: webmaster(at)mgrote(dot)net
   tor_control_port: 9051
-  tor_bandwidth_rate: 350 MBits
+  tor_mode: bridge
-  tor_bandwidth_burst: 350 MBits
+  tor_bridge_port: 5555
   ### oefenweb.ufw
   ufw_rules:
     - rule: allow
@@ -27,6 +27,11 @@
       protocol: tcp
       comment: 'tor'
       from_ip: 0.0.0.0/0
+    - rule: allow
+      to_port: "{{ tor_bridge_port }}"
+      protocol: tcp
+      comment: 'tor'
+      from_ip: 0.0.0.0/0
   ### geerlingguy.munin-node
   munin_node_bind_port: "4949"
   munin_node_allowed_cidrs: [0.0.0.0/0]

roles/mgrote.tor-node/README.md

@@ -1,7 +1,7 @@
 ## mgrote.tor-node
 
 ### Beschreibung
-Setzt ein tor-relay auf.
+Setzt ein tor-relay ODER eine [tor-bridge](https://community.torproject.org/relay/setup/bridge/debian-ubuntu/) auf.
 ORPort muss in Firewall freigeschaltet sein.
 Es muss eine Portfreigabe im Router existieren.
 

roles/mgrote.tor-node/defaults/main.yml

@@ -11,3 +11,5 @@
   # tor_my_family: name
   # tor_bandwidth_rate:
   # tor_bandwidth_burst:
+  tor_mode: relay # OR bridge
+  tor_bridge_port: 5555

roles/mgrote.tor-node/tasks/bridge.yml

@@ -0,0 +1,34 @@
+---
+  - name: install dependencies
+    become: yes
+    ansible.builtin.package:
+      name: apt-transport-https
+      state: present
+
+  - name: add tor repo key
+    ansible.builtin.apt_key:
+      url: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
+      state: present
+
+  - name: add tor repo
+    ansible.builtin.apt_repository:
+      repo: deb https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main
+      state: present
+      filename: tor
+
+  - name: install tor packages
+    become: yes
+    ansible.builtin.package:
+      name:
+        - tor
+        - deb.torproject.org-keyring
+        - obfs4proxy
+      state: present
+    notify: restart tor
+
+  - name: templating torrc
+    become: yes
+    ansible.builtin.template:
+      src: "bridge_torrc"
+      dest: "/etc/tor/torrc"
+    notify: restart tor

roles/mgrote.tor-node/tasks/main.yml

@@ -1,33 +1,10 @@
 ---
-  - name: install dependencies
+  - name: include bridge tasks
-    become: yes
+    include_tasks: bridge.yml
-    ansible.builtin.package:
+    when:
-      name: apt-transport-https
+      - tor_mode == 'bridge'
-      state: present
 
-  - name: add tor repo key
+  - name: include relay tasks
-    ansible.builtin.apt_key:
+    include_tasks: relay.yml
-      url: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
+    when:
-      state: present
+      - tor_mode == 'relay'
-
-  - name: add tor repo
-    ansible.builtin.apt_repository:
-      repo: deb https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main
-      state: present
-      filename: tor
-
-  - name: install tor packages
-    become: yes
-    ansible.builtin.package:
-      name:
-        - tor
-        - deb.torproject.org-keyring
-      state: present
-    notify: restart tor
-
-  - name: templating torrc
-    become: yes
-    ansible.builtin.template:
-      src: "torrc"
-      dest: "/etc/tor/torrc"
-    notify: restart tor

roles/mgrote.tor-node/tasks/relay.yml

@@ -0,0 +1,33 @@
+---
+  - name: install dependencies
+    become: yes
+    ansible.builtin.package:
+      name: apt-transport-https
+      state: present
+
+  - name: add tor repo key
+    ansible.builtin.apt_key:
+      url: https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
+      state: present
+
+  - name: add tor repo
+    ansible.builtin.apt_repository:
+      repo: deb https://deb.torproject.org/torproject.org {{ ansible_distribution_release }} main
+      state: present
+      filename: tor
+
+  - name: install tor packages
+    become: yes
+    ansible.builtin.package:
+      name:
+        - tor
+        - deb.torproject.org-keyring
+      state: present
+    notify: restart tor
+
+  - name: templating torrc
+    become: yes
+    ansible.builtin.template:
+      src: "relay_torrc"
+      dest: "/etc/tor/torrc"
+    notify: restart tor

roles/mgrote.tor-node/templates/bridge_torrc

@@ -0,0 +1,26 @@
+{{ file_header | default () }}
+
+Nickname                  {{ tor_relay_name }}
+ContactInfo               {{ tor_contact_info }}
+ORPort                    {{ tor_or_port }}
+ExitRelay                 0
+SocksPort                 {{ tor_socks_port }}
+BridgeRelay               1
+ExtORPort                 auto
+Log notice                syslog
+ServerTransportPlugin     obfs4 exec /usr/bin/obfs4proxy
+ServerTransportListenAddr obfs4 0.0.0.0:{{ tor_bridge_port }}
+ExitPolicy                reject *:*
+CookieAuthentication      1
+
+{% if tor_bandwidth_rate is defined %}
+BandwidthRate             {{ tor_bandwidth_rate }}
+{% endif %}
+
+{% if tor_bandwidth_burst is defined %}
+BandwidthBurst            {{ tor_bandwidth_burst }}
+{% endif %}
+
+{% if tor_my_family is defined %}
+MyFamily                  {{ tor_my_family }}
+{% endif %}

roles/mgrote.tor-node/templates/relay_torrc

@@ -0,0 +1,23 @@
+{{ file_header | default () }}
+
+Nickname                {{ tor_relay_name }}
+ORPort                  {{ tor_or_port }}
+ExitRelay               0
+SocksPort               {{ tor_socks_port }}
+ControlSocket           {{ tor_control_socket }}
+ContactInfo             {{ tor_contact_info }}
+ControlPort             {{ tor_control_port }}
+CookieAuthentication    1
+ExitPolicy              reject *:*
+
+{% if tor_bandwidth_rate is defined %}
+BandwidthRate           {{ tor_bandwidth_rate }}
+{% endif %}
+
+{% if tor_bandwidth_burst is defined %}
+BandwidthBurst          {{ tor_bandwidth_burst }}
+{% endif %}
+
+{% if tor_my_family is defined %}
+MyFamily                {{ tor_my_family }}
+{% endif %}

roles/mgrote.tor-node/templates/torrc

@@ -1,23 +0,0 @@
-{{ file_header | default () }}
-
-Nickname {{ tor_relay_name }}
-ORPort {{ tor_or_port }}
-ExitRelay 0
-SocksPort {{ tor_socks_port }}
-ControlSocket {{ tor_control_socket }}
-ContactInfo {{ tor_contact_info }}
-ControlPort {{ tor_control_port }}
-CookieAuthentication 1
-ExitPolicy reject *:*
-
-{% if tor_bandwidth_rate is defined %}
-BandwidthRate {{ tor_bandwidth_rate }}
-{% endif %}
-
-{% if tor_bandwidth_burst is defined %}
-BandwidthBurst {{ tor_bandwidth_burst }}
-{% endif %}
-
-{% if tor_my_family is defined %}
-MyFamily {{ tor_my_family }}
-{% endif %}