From 71f040014d900d636eeeda62c4bb7ea8ea84e309 Mon Sep 17 00:00:00 2001 From: drebs Date: Wed, 11 Jan 2012 01:33:12 -0200 Subject: many small fixes --- files/tor-exit-notice.html | 144 +++++++++++++++++++++++++++++++++++++++++++++ manifests/daemon.pp | 66 +++++++++++---------- templates/torrc.relay.erb | 2 +- 3 files changed, 181 insertions(+), 31 deletions(-) create mode 100644 files/tor-exit-notice.html diff --git a/files/tor-exit-notice.html b/files/tor-exit-notice.html new file mode 100644 index 0000000..de3be17 --- /dev/null +++ b/files/tor-exit-notice.html @@ -0,0 +1,144 @@ + + + + + +This is a Tor Exit Router + + + + + + +

This is a +Tor Exit Router

+ +

+Most likely you are accessing this website because you had some issue with +the traffic coming from this IP. This router is part of the Tor Anonymity Network, which is +dedicated to providing +privacy to people who need it most: average computer users. This +router IP should be generating no other traffic, unless it has been +compromised.

+ + + + +

+ +How Tor works +

+ +

+Tor sees use by many +important segments of the population, including whistle blowers, +journalists, Chinese dissidents skirting the Great Firewall and oppressive +censorship, abuse victims, stalker targets, the US military, and law +enforcement, just to name a few. While Tor is not designed for malicious +computer users, it is true that they can use the network for malicious ends. +In reality however, the actual amount of abuse is quite low. This +is largely because criminals and hackers have significantly better access to +privacy and anonymity than do the regular users whom they prey upon. Criminals +can and do build, +sell, and trade far larger and more +powerful networks than Tor on a daily basis. Thus, in the mind of this +operator, the social need for easily accessible censorship-resistant private, +anonymous communication trumps the risk of unskilled bad actors, who are +almost always more easily uncovered by traditional police work than by +extensive monitoring and surveillance anyway.

+ +

+In terms of applicable law, the best way to understand Tor is to consider it a +network of routers operating as common carriers, much like the Internet +backbone. However, unlike the Internet backbone routers, Tor routers +explicitly do not contain identifiable routing information about the source of +a packet, and no single Tor node can determine both the origin and destination +of a given transmission.

+ +

+As such, there is little the operator of this router can do to help you track +the connection further. This router maintains no logs of any of the Tor +traffic, so there is little that can be done to trace either legitimate or +illegitimate traffic (or to filter one from the other). Attempts to +seize this router will accomplish nothing.

+ + + +

+Furthermore, this machine also serves as a carrier of email, which means that +its contents are further protected under the ECPA. 18 +USC 2707 explicitly allows for civil remedies ($1000/account +plus legal fees) +in the event of a seizure executed without good faith or probable cause (it +should be clear at this point that traffic with an originating IP address of +FIXME_DNS_NAME should not constitute probable cause to seize the +machine). Similar considerations exist for 1st amendment content on this +machine.

+ + + +

+If you are a representative of a company who feels that this router is being +used to violate the DMCA, please be aware that this machine does not host or +contain any illegal content. Also be aware that network infrastructure +maintainers are not liable for the type of content that passes over their +equipment, in accordance with DMCA +"safe harbor" provisions. In other words, you will have just as much luck +sending a takedown notice to the Internet backbone providers. Please consult +EFF's prepared +response for more information on this matter.

+ +

For more information, please consult the following documentation:

+ +
    +
  1. Tor Overview
  2. +
  3. Tor Abuse FAQ
  4. +
  5. Tor Legal FAQ
  6. +
+ +

+That being said, if you still have a complaint about the router, you may +email the maintainer. If +complaints are related to a particular service that is being abused, I will +consider removing that service from my exit policy, which would prevent my +router from allowing that traffic to exit through it. I can only do this on an +IP+destination port basis, however. Common P2P ports are +already blocked.

+ +

+You also have the option of blocking this IP address and others on +the Tor network if you so desire. The Tor project provides a web service +to fetch a list of all IP addresses of Tor exit nodes that allow exiting to a +specified IP:port combination, and an official DNSRBL is also available to +determine if a given IP address is actually a Tor exit server. Please +be considerate +when using these options. It would be unfortunate to deny all Tor users access +to your site indefinitely simply because of a few bad apples.

+ + + diff --git a/manifests/daemon.pp b/manifests/daemon.pp index 80da4c7..ad84589 100644 --- a/manifests/daemon.pp +++ b/manifests/daemon.pp @@ -50,7 +50,7 @@ class tor::daemon inherits tor { } # tor configuration file - concatenated_file { '${config_file}': + concatenated_file { "${config_file}": dir => $spool_dir, header => "${spool_dir}/00.header" mode => 0600, @@ -59,10 +59,10 @@ class tor::daemon inherits tor { } # config file headers - file { '${spool_dir}/00.header': + file { "${spool_dir}/00.header": content => template('tor/header.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => present, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -70,10 +70,10 @@ class tor::daemon inherits tor { # global configurations define tor::global_opts( $log_rules = [ 'notice file /var/log/tor/notices.log' ], $ensure = present ) { - file { '${spool_dir}/01.global': + file { "${spool_dir}/01.global": content => template('tor/global.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -83,10 +83,10 @@ class tor::daemon inherits tor { define tor::socks( $socks_port = 0, $socks_listen_addresses = [], $socks_policies = [] ) { - file { '${spool_dir}/02.socks': + file { "${spool_dir}/02.socks": content => template('tor/socks.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } 
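Review bot: The ECPA paragraph of the new notice still carries the placeholder `FIXME_DNS_NAME`, and because manifests/daemon.pp installs this file with `source =>` rather than `template()`, that placeholder is served verbatim to everyone who reaches the DirPort front page. Either convert the file to an ERB template that interpolates the relay's address (the `tor::relay` define in this same commit already sets `$address = $hostname`) or add a comment at the top of the file stating that the operator must edit it before deploying. The markup of this hunk has been stripped in this view, so the link targets (for example the "email the maintainer" link) could not be checked.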
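Review bot: The context line `header => "${spool_dir}/00.header"` in the `concatenated_file` resource appears to have no trailing comma before `mode => 0600,`, which the Puppet parser rejects; this commit only re-quotes the resource title, so the manifest would still fail to compile unless the comma was lost when this diff was collapsed. Suggested line: `header => "${spool_dir}/00.header",`. The resource body continues outside the hunk.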
@@ -95,21 +95,21 @@ class tor::daemon inherits tor { # relay definition define tor::relay( $port = 0, $listen_addresses = [], - $nickname = '', - $address = $hostname, $relay_bandwidth_rate = 0, # KB/s, 0 for no limit. - $relay_bandwidth_burst = 0, # KB/s, 0 for no limit. - $accounting_max = 0, # GB, 0 for no limit. + $relay_bandwidth_burst = 0, # KB/s, 0 for no limit. + $accounting_max = 0, # GB, 0 for no limit. $accounting_start = [], $contact_info = '', - $my_family = '', + $my_family = '', # TODO: autofill with other relays $bridge_reay = 0, $ensure = present ) { + $nickname = $name + $address = $hostname - file { '${spool_dir}/03.relay': + file { "${spool_dir}/03.relay": content => template('tor/relay.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -119,10 +119,10 @@ class tor::daemon inherits tor { define tor::control( $port = 0, $hashed_control_password = '', $ensure = present ) { - file { '${spool_dir}/04.control': + file { "${spool_dir}/04.control": content => template('tor/control.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -131,10 +131,10 @@ class tor::daemon inherits tor { # hidden services definition define tor::hidden_service( $ports = [], $ensure = present ) { - file { '${spool_dir}/05.hidden_service.${name}': + file { "${spool_dir}/05.hidden_service.${name}": content => template('tor/hidden_service.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } 
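Review bot: `$nickname = $name` makes the relay nickname equal to the resource title, but nothing validates it: Tor only accepts nicknames of 1 to 19 alphanumeric characters, while a Puppet title can be any string, so a title such as `relay-01` would produce a torrc that tor refuses to load. Consider checking the title before it reaches the template, e.g. `if $name !~ /^[A-Za-z0-9]{1,19}$/ { fail("tor::relay: invalid nickname '${name}'") }`. Dropping the `$nickname` and `$address` parameters also means any existing caller that passed them now fails with an unknown-parameter error, which deserves a line in the commit message. The `$bridge_reay` parameter on a context line is presumably a typo for `bridge_relay`, but it is likely referenced by templates/torrc.relay.erb and so cannot be renamed in isolation.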
@@ -145,10 +145,16 @@ class tor::daemon inherits tor { $listen_addresses = [], $port_front_page = '', $ensure = present ) { - file { '${spool_dir}/06.directory': + file { "${spool_dir}/06.directory": content => template('tor/directory.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => [ File["${spool_dir}"], File['/etc/tor/tor-exit-notice.html'] ], + notify => Exec["concat_${config_file}"], + ensure => $ensure, + owner => 'debian-tor', group => 'debian-tor', mode => 0755, + } + file { '/etc/tor/tor-exit-notice.html': + source => "puppet://$server/modules/tor/tor-exit-notice", + require => File['/etc/tor'], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -158,10 +164,10 @@ class tor::daemon inherits tor { define tor::exit_policy( $accept = [], $reject = [], $ensure = present ) { - file { '${spool_dir}/07.exit_policy.${name}': + file { "${spool_dir}/07.exit_policy.${name}": content => template('tor/exit_policy.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } diff --git a/templates/torrc.relay.erb b/templates/torrc.relay.erb index d9f06ae..95496d6 100644 --- a/templates/torrc.relay.erb +++ b/templates/torrc.relay.erb @@ -19,7 +19,7 @@ RelayBandwidthBurst <%= relay_bandwidth_burst %> KB <%- end -%> <%- if accounting_max != '0' then -%> AccountingMax <%= accounting_max %> GB -<%- for accounting in accounting_start -%> +<%- if accounting_start then -%> AccountingStart <%= accounting_start %> <%- end -%> <%- end -%> -- cgit v1.2.3
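Review bot: The new file resource fetches `puppet://$server/modules/tor/tor-exit-notice`, but the file this commit adds is `files/tor-exit-notice.html` (see the diffstat), so the source will not resolve, that resource fails on every agent run and the `06.directory` resource that now requires it is skipped. The URL should be `puppet:///modules/tor/tor-exit-notice.html`; the server-less form also avoids depending on `$server` being set in the define's scope. The notice is a static page that tor's directory port only reads, so `mode => 0755` and ownership by `debian-tor` are wider than needed: `owner => root, group => root, mode => 0644` keeps a compromised tor process from rewriting the notice it serves. `require => File['/etc/tor']` assumes that resource is declared elsewhere, which is not visible in this diff.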
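Review bot: `<%- if accounting_start then -%>` does not suppress the directive when nothing was configured: `tor::relay` in manifests/daemon.pp still defaults `$accounting_start = []`, and an empty array, which is presumably what the template receives, is truthy in Ruby, so with the default the template emits `AccountingStart` followed by the array's string form, which tor rejects. Match the convention of the `accounting_max != '0'` guard two lines above: default the parameter to `''` in the define and test `<%- if accounting_start != '' then -%>`, or keep the array and test `<%- unless accounting_start.empty? -%>`. Note that the old `for` loop also printed `accounting_start` rather than its loop variable, so neither version ever handled a list; tor's `AccountingStart` takes a single value, so a plain string default is the simpler fix.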