Diffstat (limited to 'manifests')
-rw-r--r--manifests/daemon.pp269
-rw-r--r--manifests/init.pp17
-rw-r--r--manifests/munin.pp23
-rw-r--r--manifests/polipo/base.pp2
-rw-r--r--manifests/torsocks.pp3
5 files changed, 308 insertions, 6 deletions
diff --git a/manifests/daemon.pp b/manifests/daemon.pp
new file mode 100644
index 0000000..07066c6
--- /dev/null
+++ b/manifests/daemon.pp
@@ -0,0 +1,269 @@
+# tor::daemon
+class tor::daemon inherits tor {
+
+ # config variables
+ $data_dir = '/var/lib/tor'
+ $config_file = '/etc/tor/torrc'
+ $spool_dir = '/var/lib/puppet/modules/tor'
+ $snippet_dir = "${spool_dir}/torrc.d"
+
+ # packages, user, group
+ Service['tor'] {
+ subscribe => File[$config_file],
+ }
+
+ Package[ 'tor' ] {
+ require => File[$data_dir],
+ }
+
+ group { 'debian-tor':
+ ensure => present,
+ allowdupe => false,
+ }
+
+ user { 'debian-tor':
+ allowdupe => false,
+ comment => 'tor user,,,',
+ ensure => present,
+ home => $data_dir,
+ shell => '/bin/bash',
+ gid => 'debian-tor',
+ require => Group['debian-tor'],
+ }
+
+ # directories
+ file { "${data_dir}":
+ ensure => directory,
+ mode => 0700,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { '/etc/tor':
+ ensure => directory,
+ mode => 0755,
+ owner => 'debian-tor',
+ group => 'debian-tor',
+ require => User['debian-tor'],
+ }
+
+ file { "${spool_dir}":
+ ensure => directory,
+ owner => 'debian-tor', group => 'debian-tor', mode => 0755,
+ }
+
+ file { "${snippet_dir}":
+ ensure => directory,
+ owner => 'debian-tor', group => 'debian-tor', mode => 0755,
+ require => File[$spool_dir],
+ }
+
+ # tor configuration file
+ concatenated_file { "${config_file}":
+ dir => $snippet_dir,
+ mode => 0600,
+ owner => 'debian-tor', group => 'debian-tor',
+ }
+
+ # config file headers
+ concatenated_file_part { '00.header':
+ dir => $snippet_dir,
+ content => template('tor/torrc.header.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ ensure => present,
+ }
+
+ # global configurations
+ define global_opts( $data_dir = $tor::daemon::data_dir,
+ $log_rules = [ 'notice file /var/log/tor/notices.log' ],
+ $use_bridges = 0,
+ $automap_hosts_on_resolve = 0) {
+
+ concatenated_file_part { '01.global':
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.global.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ }
+ }
+
+ # socks definition
+ define socks( $port = 0,
+ $listen_addresses = [],
+ $policies = [] ) {
+
+ concatenated_file_part { '02.socks':
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.socks.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ }
+ }
+
+ # relay definition
+ define relay( $port = 0,
+ $listen_addresses = [],
+ $outbound_bindaddresses = $listen_addresses,
+ $bandwidth_rate = '', # KB/s, defaulting to using tor's default: 5120KB/s
+ $bandwidth_burst = '', # KB/s, defaulting to using tor's default: 10240KB/s
+ $relay_bandwidth_rate = 0, # KB/s, 0 for no limit.
+ $relay_bandwidth_burst = 0, # KB/s, 0 for no limit.
+ $accounting_max = 0, # GB, 0 for no limit.
+ $accounting_start = [],
+ $contact_info = '',
+ $my_family = '', # TODO: autofill with other relays
+ $address = "tor.${domain}",
+ $bridge_relay = 0,
+ $ensure = present ) {
+ $nickname = $name
+
+ if $outbound_bindaddresses == [] {
+ $real_outbound_bindaddresses = $listen_addresses
+ } else {
+ $real_outbound_bindaddresses = $outbound_bindaddresses
+ }
+
+ concatenated_file_part { '03.relay':
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.relay.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ ensure => $ensure,
+ }
+ }
+
+ # control definition
+ define control( $port = 0,
+ $hashed_control_password = '',
+ $cookie_authentication = 0,
+ $cookie_auth_file = '',
+ $cookie_auth_file_group_readable = '',
+ $ensure = present ) {
+
+ if $cookie_authentication == '0' and $hashed_control_password == '' and $ensure != 'absent' {
+ fail("You need to define the tor control password")
+ }
+
+ if $cookie_authentication == 0 and ($cookie_auth_file != '' or $cookie_auth_file_group_readable != '') {
+ notice("You set a tor cookie authentication option, but do not have cookie_authentication on")
+ }
+
+ concatenated_file_part { '04.control':
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.control.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0600,
+ ensure => $ensure,
+ }
+ }
+
+ # hidden services definition
+ define hidden_service( $ports = [],
+ $data_dir = $tor::daemon::data_dir,
+ $ensure = present ) {
+
+ concatenated_file_part { "05.hidden_service.${name}":
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.hidden_service.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ ensure => $ensure,
+ }
+ }
+
+ # directory advertising
+ define directory ( $port = 0,
+ $listen_addresses = [],
+ $port_front_page = '/etc/tor/tor.html',
+ $ensure = present ) {
+
+ concatenated_file_part { '06.directory':
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.directory.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ ensure => $ensure,
+ }
+
+ file { '/etc/tor/tor.html':
+ source => "puppet:///modules/tor/tor.html",
+ require => File['/etc/tor'],
+ ensure => $ensure,
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ }
+ }
+
+ # exit policies
+ define exit_policy( $accept = [],
+ $reject = [],
+ $reject_private = 1,
+ $ensure = present ) {
+
+ concatenated_file_part { "07.exit_policy.${name}":
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.exit_policy.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ ensure => $ensure,
+ }
+ }
+
+ # DNS definition
+ define dns( $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concatenated_file_part { "08.dns.${name}":
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.dns.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ ensure => $ensure,
+ }
+ }
+
+ # Transparent proxy definition
+ define transparent( $port = 0,
+ $listen_addresses = [],
+ $ensure = present ) {
+
+ concatenated_file_part { "09.transparent.${name}":
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.transparent.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ ensure => $ensure,
+ }
+ }
+
+ # Bridge definition
+ define bridge( $ip,
+ $port,
+ $fingerprint = false,
+ $ensure = present ) {
+
+ concatenated_file_part { "10.bridge.${name}":
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.bridge.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ ensure => $ensure,
+ }
+ }
+
+ # map address definition
+ define map_address( $address = '',
+ $newaddress = '') {
+
+ concatenated_file_part { "08.map_address.${name}":
+ dir => $tor::daemon::snippet_dir,
+ content => template('tor/torrc.map_address.erb'),
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ ensure => $ensure,
+ }
+ }
+
+ # Arbitrary torrc snippet definition
+ define snippet( $content = '',
+ $ensure = present ) {
+
+ concatenated_file_part { "99.snippet.${name}":
+ dir => $tor::daemon::snippet_dir,
+ content => $content,
+ owner => 'debian-tor', group => 'debian-tor', mode => 0644,
+ ensure => $ensure,
+ }
+ }
+
+}
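Review bot: The `map_address` define sets `ensure => $ensure` on its `concatenated_file_part` but declares no `$ensure` parameter, so the value is undefined at evaluation time; give it the same `$ensure = present` parameter the sibling defines carry (`define map_address( $address = '', $newaddress = '', $ensure = present ) {`), and `global_opts` and `socks` could take one too for consistency. In `control`, the first guard compares `$cookie_authentication == '0'` while the second uses `== 0`; pick one literal so the two checks cannot diverge. The `debian-tor` service account is created with `shell => '/bin/bash'`, and `/etc/tor` plus the generated torrc are owned by that same account, so the daemon's own user can log in interactively and rewrite its configuration; `shell => '/bin/false'` together with root ownership of `/etc/tor` (keeping the torrc group-readable by `debian-tor`) would put the configuration outside the daemon's write set.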
diff --git a/manifests/init.pp b/manifests/init.pp
index 5d1c3d8..d916188 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1,11 +1,20 @@
class tor {
- package {'tor':
- ensure => installed,
+
+ if !$tor_ensure_version { $tor_ensure_version = 'installed' }
+
+ package { [ "tor", "tor-geoipdb" ]:
+ ensure => $tor_ensure_version,
}
- service { "tor":
+ service { 'tor':
ensure => running,
- enable => true,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
require => Package['tor'],
}
+
+ if $use_munin {
+ include tor::munin
+ }
}
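Review bot: The hunk mixes quoting styles: `package { [ "tor", "tor-geoipdb" ]:` uses double quotes for non-interpolated strings while the line right below changes `service { "tor":` to single quotes; use single quotes throughout (`package { [ 'tor', 'tor-geoipdb' ]:`). The `if !$tor_ensure_version { $tor_ensure_version = 'installed' }` default relies on a variable from an enclosing scope being visible inside the class, which is not obvious to a reader of this file; a comment such as `# $tor_ensure_version may be set at node/top scope; defaults to 'installed'` would document the contract. The same pattern appears in torsocks.pp with `$torsocks_ensure_version` and the comment applies there as well.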
diff --git a/manifests/munin.pp b/manifests/munin.pp
new file mode 100644
index 0000000..8504f89
--- /dev/null
+++ b/manifests/munin.pp
@@ -0,0 +1,23 @@
+class tor::munin {
+
+ file {
+ "/usr/local/share/munin-plugins/tor_connections":
+ source => "puppet:///modules/tor/munin/tor_connections",
+ mode => 0755, owner => root, group => root;
+
+ "/usr/local/share/munin-plugins/tor_routers":
+ source => "puppet:///modules/tor/munin/tor_routers",
+ mode => 0755, owner => root, group => root;
+
+ "/usr/local/share/munin-plugins/tor_traffic":
+ source => "puppet:///modules/tor/munin/tor_traffic",
+ mode => 0755, owner => root, group => root;
+ }
+
+ munin::plugin {
+ [ "tor_connections", "tor_routers", "tor_traffic" ]:
+ ensure => present,
+ config => "user debian-tor\n env.cookiefile /var/run/tor/control.authcookie",
+ script_path_in => "/usr/local/share/munin-plugins";
+ }
+}
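Review bot: The plugin config `user debian-tor\n env.cookiefile /var/run/tor/control.authcookie` hardcodes a control-port cookie path, but nothing in `tor::munin`, or in `tor` which includes it, ensures that a control port is declared with cookie authentication enabled and that file; as far as this hunk shows, `tor::daemon::control` defaults `$cookie_auth_file` to `''`, so the path has to be supplied explicitly by whoever declares it. Add a comment stating the prerequisite, e.g. `# requires tor::daemon::control { cookie_authentication => 1, cookie_auth_file => '/var/run/tor/control.authcookie' }`, or fail the catalog when it is absent, so the plugins do not silently break. Since the cookie is the control-port credential, the plugins running as `debian-tor` hold full control-port authority over the daemon; a class-level comment naming that trust boundary is worth adding.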
diff --git a/manifests/polipo/base.pp b/manifests/polipo/base.pp
index a634920..fca4b21 100644
--- a/manifests/polipo/base.pp
+++ b/manifests/polipo/base.pp
@@ -11,11 +11,11 @@ class tor::polipo::base {
source => "puppet:///modules/tor/polipo/polipo.conf",
require => Package["polipo"],
notify => Service["polipo"],
- before => Service["tor"],
}
service { "polipo":
ensure => running,
enable => true,
+ require => [ Package["polipo"], Service["tor"] ],
}
}
diff --git a/manifests/torsocks.pp b/manifests/torsocks.pp
index e3221c9..7bb51ee 100644
--- a/manifests/torsocks.pp
+++ b/manifests/torsocks.pp
@@ -1,6 +1,7 @@
class tor::torsocks {
+ if !$torsocks_ensure_version { $torsocks_ensure_version = 'installed' }
include ::tor
package{'torsocks':
- ensure => present,
+ ensure => $torsocks_ensure_version,
}
}