On Mon, Jun 16, 2014 at 4:40 AM, Moritz Bartl <moritz@torservers.net> wrote:
> Thank you for this. I've come across several Puppet and Ansible recipes for Tor over time, but sadly have not found time to properly review or even use them for our own servers yet.
Thank you for the feedback. I'm new to Tor land, but I think a well-crafted CM module could definitely help adoption, so I'm happy to see there's some discussion here.
> https://github.com/shaftoe/puppet-tor/blob/fixes/manifests/apt.pp
>     key => '886DDD89'
> You should never rely on short key IDs for anything. They can be forged within minutes. When you look at https://www.torproject.org/docs/debian.html.en , it fetches the key using the short key ID, but only imports a key that matches the whole fingerprint.
Ok
> I found keys.gnupg.net to be unreliable sometimes, it would be good to have some fallback options.
Maybe add these fallback options to https://www.torproject.org/docs/debian.html.en too?
> Tor generates key material, the default location is /var/lib/tor. I always wondered if it was possible to pregenerate the necessary files locally, and then push them to the relays, where /var/lib/tor is on a ramdisk.
I've been told on #tor that the secret_id key is to be thought of more as 'state' than as configuration, and if a Tor relay has to be moved to a different server, it's best practice to just start a new one from scratch. Or, better said, there's no actual need to keep a fingerprint consistent.
> Personally, I think it would be great to not only have puppet modules spread out somewhere across the Internet, but a full-fledged guide/wizard that makes it easy for people to locally configure relays without knowing anything about Tor configuration options. In my dream world, it would not only support Debian: Right now, most of the Tor network runs on Debian, which is not ideal. We need more *BSD and Solaris! And FreeDOS! :)
Yeah, I share the dream too :) It should be as easy as

    include 'tor'

to install a relay with the most common default configuration (in my case, a non-exit relay), regardless of the platform.
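The full-fingerprint check Moritz describes above, plus the keyserver fallback he asks for, as an added example (not code from this thread or from puppet-tor); the fingerprint placeholder and the fallback keyserver list are assumptions to be filled in from the torproject.org Debian page:

```shell
#!/bin/sh
# Added example, not code from the thread or from puppet-tor: fetch the archive
# key by its short ID (as the torproject.org Debian page does), then hand it to
# apt ONLY if a key with the full 40-hex fingerprint came back.
set -eu

SHORT_ID="886DDD89"
# Placeholder: copy the full fingerprint from https://www.torproject.org/docs/debian.html.en
EXPECTED_FPR="${EXPECTED_FPR:-FULL_40_HEX_FINGERPRINT_FROM_TORPROJECT_DOCS}"
# Assumed fallback list; keys.gnupg.net alone was reported unreliable above.
KEYSERVERS="${KEYSERVERS:-keys.gnupg.net hkp://pool.sks-keyservers.net}"

# Strip spaces and upper-case a fingerprint so both spellings compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# Read `gpg --with-colons --fingerprint` output on stdin; succeed only if an fpr
# record (field 10) equals the expected FULL fingerprint. A short ID is refused
# outright (exit 2): it is just the last 8 hex digits and can be collided.
has_full_fpr() {
    want=$(norm_fpr "$1")
    [ "${#want}" -eq 40 ] || return 2
    awk -F: -v want="$want" '$1 == "fpr" && toupper($10) == want { found = 1 }
                              END { exit found ? 0 : 1 }'
}

fetch_and_import() {
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    # Try each keyserver in turn; --recv-keys by short ID may return several keys.
    for ks in $KEYSERVERS; do
        gpg --homedir "$tmp" --keyserver "$ks" --recv-keys "$SHORT_ID" && break
    done
    if gpg --homedir "$tmp" --with-colons --fingerprint | has_full_fpr "$EXPECTED_FPR"; then
        # Export by full fingerprint so a colliding key fetched alongside is never exported.
        gpg --homedir "$tmp" --export "$(norm_fpr "$EXPECTED_FPR")" | apt-key add -
    else
        echo "refusing to import: no key with fingerprint $EXPECTED_FPR was fetched" >&2
        return 1
    fi
}

if [ "${1:-}" = "--run" ]; then fetch_and_import; fi
```

Run it with `--run` as root on the relay; without the flag it only defines the functions, which is what a Puppet `exec` or a test harness would source.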