[tor-relays] Debian relay Puppet module

Alexander Fortin alexander.fortin at gmail.com
Mon Jun 16 06:56:20 UTC 2014


On Mon, Jun 16, 2014 at 4:40 AM, Moritz Bartl <moritz at torservers.net> wrote:
> Thank you for this. I've come across several Puppet and Ansible recipes
> for Tor over time, but sadly have not found time to properly review or
> even use them for our own servers yet.

Thank you for the feedback. I'm new in the Tor land but I think a well
crafted CM module could definitely help the adoption, so I'm happy to
see there's some discussion here.

> https://github.com/shaftoe/puppet-tor/blob/fixes/manifests/apt.pp
> key               => '886DDD89'
>
> You should never rely on short key IDs for anything. They can be forged
> within minutes. When you look at
> https://www.torproject.org/docs/debian.html.en , it fetches the key
> using the short key ID, but only imports a key that matches the whole
> fingerprint.

Ok

> I found keys.gnupg.net to be unreliable sometimes, it would be good to
> have some fallback options.

Maybe add this fallback options to
https://www.torproject.org/docs/debian.html.en too?

> Tor generates key material, the default location is /var/lib/tor. I
> always wondered if it was possible to pregenerate the necessary files
> locally, and then push them to the relays, where /var/lib/tor is on a
> ramdisk.

I've been told on #tor that the secret_id key is more to be thought as
a 'state' more then as a configuration, and if a Tor relay has to be
moved on a different server, it's best practice to just start a new
one from fresh. Or better said, there's no actual need of keeping a
fingerprint consistent.

> Personally, I think it would be great to not only have puppet modules
> spread out somewhere across the Internet, but a full-fledged
> guide/wizard that makes it easy for people to locally configure relays
> without knowing anything about Tor configuration options. In my dream
> world, it would not only support Debian: Right now, most of the Tor
> network runs on Debian, which is not ideal. We need more *BSD and
> Solaris! And FreeDOS! :)

Yeah, I share the dream too :) It should be as easy as

include 'tor'

to install a relay with the most common configurations default (in my
case, a non exit relay), regardless of the platform.

-- 
http://about.me/alexanderfortin


More information about the tor-relays mailing list