[tor-relays] Debian relay Puppet module
Alexander Fortin
alexander.fortin at gmail.com
Mon Jun 16 06:56:20 UTC 2014
On Mon, Jun 16, 2014 at 4:40 AM, Moritz Bartl <moritz at torservers.net> wrote:
> Thank you for this. I've come across several Puppet and Ansible recipes
> for Tor over time, but sadly have not found time to properly review or
> even use them for our own servers yet.
Thank you for the feedback. I'm new in the Tor land but I think a well
crafted CM module could definitely help the adoption, so I'm happy to
see there's some discussion here.
> https://github.com/shaftoe/puppet-tor/blob/fixes/manifests/apt.pp
> key => '886DDD89'
>
> You should never rely on short key IDs for anything. They can be forged
> within minutes. When you look at
> https://www.torproject.org/docs/debian.html.en , it fetches the key
> using the short key ID, but only imports a key that matches the whole
> fingerprint.
Ok
> I found keys.gnupg.net to be unreliable sometimes, it would be good to
> have some fallback options.
Maybe add these fallback options to
https://www.torproject.org/docs/debian.html.en too?
> Tor generates key material, the default location is /var/lib/tor. I
> always wondered if it was possible to pregenerate the necessary files
> locally, and then push them to the relays, where /var/lib/tor is on a
> ramdisk.
I've been told on #tor that the secret_id key is more to be thought as
a 'state' more than as a configuration, and if a Tor relay has to be
moved on a different server, it's best practice to just start a new
one from fresh. Or better said, there's no actual need of keeping a
fingerprint consistent.
> Personally, I think it would be great to not only have puppet modules
> spread out somewhere across the Internet, but a full-fledged
> guide/wizard that makes it easy for people to locally configure relays
> without knowing anything about Tor configuration options. In my dream
> world, it would not only support Debian: Right now, most of the Tor
> network runs on Debian, which is not ideal. We need more *BSD and
> Solaris! And FreeDOS! :)
Yeah, I share the dream too :) It should be as easy as
include 'tor'
to install a relay with the most common configurations default (in my
case, a non exit relay), regardless of the platform.
--
http://about.me/alexanderfortin
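
The short key ID point from the quoted review, as an added example that is not part of the original message or of the puppet-tor module: a check that accepts a key only when its full 40-digit fingerprint matches a pinned value. The function names are hypothetical and the two fingerprints in the sample listing are constructed placeholders that share the short ID 886DDD89; in practice the listing would come from `gpg --with-colons --fingerprint`.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint` output: two keys
# whose fingerprints differ but end in the same 8 hex digits (886DDD89).
# Both fingerprints are made-up placeholders, not real keys.
sample_listing() {
cat <<'EOF'
pub:-:2048:1:89ABCDEF886DDD89:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF886DDD89:
uid:-::::1400000000::X::Example Archive Key <archive@example.invalid>:
pub:-:2048:1:76543210886DDD89:1400000001:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210886DDD89:
uid:-::::1400000001::Y::Example Archive Key <archive@example.invalid>:
EOF
}

# Print how many keys in a colon listing (stdin) end in short key ID $1.
# More than one match means the short ID cannot identify a key.
count_short_id_matches() {
    awk -F: -v id="$1" '
        $1 == "fpr" && toupper(substr($10, length($10) - 7)) == toupper(id) { n++ }
        END { print n + 0 }'
}

# Succeed only if the listing (stdin) contains the pinned fingerprint $1.
# Spaces and case are normalised; anything that is not exactly 40 hex
# digits (for example a short key ID) is refused with status 2.
has_full_fingerprint() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$want" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    awk -F: -v want="$want" '
        $1 == "fpr" && toupper($10) == want { found = 1 }
        END { exit !found }'
}
```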