nusenu / ansible-relayor

An Ansible Role for Tor Relay Operators
GNU General Public License v3.0
248 stars 43 forks source link
ansible ansible-role tor tor-network tor-relay-operator

ansible-relayor

This is an ansible role for tor relay operators. An introduction to relayor can be found here.

Email Support: relayor-support AT riseup.net

The main focus of this role is to automate as many steps as possible for a tor relay operator including key management (OfflineMasterKey). Deploying a new tor server is as easy as adding a new host to the inventory, no further manual configuration is required.

This role only manages tor instances as per the current settings and variables. If you change the configuration after a complete playbook run, to reduce the number of tor instances, for example by reducing the value of tor_maxPublicIPs, this role will not remove the previously configured tor instances from your server. Tor instances on a server are identified by their IPv4 and ORPort combination. Changing the ORPort (using the tor_ports variable) after initial rollout, effectively means creating new tor instances (not changing them), this is the reason why changing the tor_ports variable should be avoided after the initial rollout.

Keeping the tor package updated (an important task of running a relay) is not in scope of this ansible role. We recommend you enable automatic updates to keep your relay well maintained if your OS supports that. The Tor Relay Guide contains instructions on how to enable automatic software updates for Debian/Ubuntu and FreeBSD.

This ansible role does not aim to support tor bridges.

Main benefits for a tor relay operator

Installation

This ansible role is available on galaxy https://galaxy.ansible.com/nusenu/relayor/

ansible-galaxy install nusenu.relayor

Requirements

Control Machine Requirements

Managed Node Requirements

Prometheus Server Requirements (only when using prometheus features of this role)

Supported Operating Systems

Supported Tor Releases

Example Playbook

A minimal playbook using ansible-relayor to setup non-exit relays could look like this:

---

- hosts: relays
  vars:
    tor_ContactInfo: relay-operator@example.com
  roles:
    - nusenu.relayor

For more examples see the playbook-examples folder.

Changed torrc defaults

This role changes the defaults of the following torrc options to use safer options by default but you can still explicitly configure them via tor_config:

Role Variables

All variables mentioned here are optional.

Prometheus Labels

When tor_enableMetricsPort is enabled we also populate the following prometheus labels:

You can add additional prometheus labels using tor_prom_labels.

Available Role Tags

Using ansible tags is optional but allows you to speed up playbook runs if you are managing many servers.

There are OS specific tags:

Task oriented tags:

So if you have a big family and you are about to add an OpenBSD host you typically make two steps

  1. install the new server by running only against the new server (-l) and only the os specific tag (openbsd)

    ansible-playbook yourplaybook.yml -l newserver --tags openbsd

  2. then reconfigure all servers (MyFamily) by running the 'reconfigure' tag against all servers.

    ansible-playbook yourplaybook.yml --tags reconfigure

Security Considerations

This ansible role makes use of tor's OfflineMasterKey feature without requiring any manual configuration.

The offline master key feature exposes only a temporary signing key to the relay (valid for 30 days by default). This allows to recover from a complete server compromise without losing a relay's reputation (no need to bootstrap a new permanent master key from scratch).

Every tor instance is run with a distinct system user. A per-instance user has only access to his own (temporary) keys, but not to those of other instances. We do not ultimately trust every tor relay we operate (we try to perform input validation when we use relay provided data on the ansible host or another relay).

Be aware that the ansible control machine stores ALL your relay keys (RSA and Ed25519) - apply security measures accordingly.

If you make use of the prometheus integration the ansible control machine will also store all your prometheus scrape credentials under ~/.tor/prometheus/. Rotating these credentials is very easy though: You can simply remove that folder and run ansible-playbook again.

Every tor server host gets its own set of prometheus credentials, so a compromised host should not allow them to scrape all other hosts.

Integration Testing

This ansible role comes with a .kitchen.yml file, that can be used to test relayor - using different configurations - against Vagrant Virtualbox machines. It is primarily used for development/integration testing (spot regressions) but you can also use it to get familiar with relayor in such a local playground environment. These tor relays will not join the network since they are only created for testing purposes.

kitchen will download Vagrant boxes from Vagrant cloud to create test VMs.

To get started install the required gem packages:

gem install test-kitchen kitchen-ansiblepush kitchen-vagrant

List available test instances with kitchen list.

Then you can run all tests or just select specific instances, for example: kitchen test t-guard-debian-10.

Note that to run tests, you also need Vagrant and VirtualBox.

Origins

https://github.com/david415/ansible-tor (changed significantly since then)