-
-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathmain.yaml
229 lines (206 loc) · 9.36 KB
/
main.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
---
# Default variable assignments for Tor role.
#
# This file provides defaults for variables used by the Ansible role.
# You can override any of these variables using Ansible's precendence
# rules by supplying new variables of the same name in your own plays.
# Tor configuration directives are almost one-to-one mappings between
# the variables in this dictionary and their `torrc` file counterparts
# described in the Tor manual. Exceptions are `HiddenService*` and the
# `HidServAuth` directives.
#
# When left undefined (commented out), no associated line will be
# written to the `torrc` configuration file. Directives that can be
# specified multiple times are written as YAML lists and their names
# have been pluralized.
#
# As this is a dictionary, if you want to override a single variable,
# you will need to use the `combine()` filter or configure Ansible to
# set `DEFAULT_HASH_BEHAVIOR` to `merge`. The recommended way to merge
# dictionaries is with the `combine()` filter. More infromation can be
# found in the Ansible documentation:
#
# https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-hash-behaviour
#
# Leaving the `torrc` dictionary undefined results in an error. Ensure
# it is present even if it is empty. An empty `torrc` dictionary means
# that the Tor software's default values will be used.
torrc:
# On startup, setuid to this user and setgid to their primary
# group. Effectively, the user under which Tor will run.
#User: toruser
# If 1 (true), Tor forks and daemonizes to the background. This
# has no effect on Windows; instead you should use the --service
# command-line option. (Default: 0)
#RunAsDaemon: false
# Directory in which Tor working data will be kept.
# See: https://www.torproject.org/docs/tor-manual.html#DataDirectory
#DataDirectory: "/var/lib/tor"
#DataDirectoryGroupReadable: false
#CacheDirectory: "/var/lib/tor"
#CacheDirectoryGroupReadable: false
# See: https://www.torproject.org/docs/tor-manual.html#SocksPort
#SocksPorts:
# - port: 9050
# addr: 127.0.0.1
# flags:
# - NoDNSRequest
# - OnionTrafficOnly
# isolation_flags:
# - IsolateClientAddr
# - IsolateSOCKSAuth
# - IsolateClientProtocol
# - IsolateDestPort
# - IsolateDestAddr
# - SessionGroup=INT
# See: https://www.torproject.org/docs/tor-manual.html#ControlPort
#ControlPort:
# port: 9051
# flags:
# - GroupWritable
# - WorldWritable
# - RelaxDirModeCheck
#ControlSocket: "/path/to/tor-control-socket"
#ControlSocketsGroupWritable: false
# Hashed passwords to for the HashedControlPassword directive. As
# this directive can be supplied more than once, this key is a list.
# Values herein are actually passwords, so they should be encrypted.
#
# Passwords can be hashed using `tor --hash-password "password"`.
# They should then be encrypted with `ansible-vault encrypt_string`.
# The full procedure might look like this:
#
# tor --hash-password "password" | ansible-vault encrypt_string
#
# See https://www.torproject.org/docs/tor-manual.html#HashedControlPassword
#HashedControlPasswords:
# - "ansible-vault encrypted and tor-hashed password here"
# See https://www.torproject.org/docs/tor-manual.html#CookieAuthentication
#CookieAuthentication: false
# See https://www.torproject.org/docs/tor-manual.html#CookieAuthFile
#CookieAuthFile: "/path/to/tor-auth-cookie"
# See https://www.torproject.org/docs/tor-manual.html#ControlPortWriteToFile
#ControlPortWriteToFile: "/path/to/file"
# See https://www.torproject.org/docs/tor-manual.html#ClientOnionAuthDir
#ClientOnionAuthDir: "{{ torrc.DataDirectory }}/onion_auth"
# Directory in which new versions of Tor source code will be compiled.
tor_package_build_dir: "/tmp/tor-package-source"
# Root (parent) directory of Onion service working data directories.
# If you have an Onion service named `ssh-saw`, its working directory
# will be `{{ tor_onion_services_dir }}/ssh-saw`.
tor_onion_services_dir: "{{ torrc.DataDirectory | default('/var/lib/tor') }}/onion-services"
# Location on the Ansible controller where the newly generated Onion
# service private keys (and possibly authenticated client keys) will
# be stored for backup purposes.
#
# If left undefined (commented out), no backup tasks will run. Another
# way to prevent backups is to pass `--skip-tags tor-backup` during an
# Ansible play(book)'s run.
#tor_onion_services_backup_dir: "{{ lookup('env', 'HOME') }}/onion-services-backups"
# Password with which to encrypt backups of the Onion service secrets.
# This password itself should be encrypted. Safely making a password
# will look something like this:
#
# $ openssl rand -base64 48 | ansible-vault encrypt_string > /tmp/vault-pass.out
# New Vault password:
# Confirm New Vault password:
#
# Then take the contents of `/tmp/vault-pass.out` and paste it as the
# value of the value of this variable. For more info please read docs:
# https://docs.ansible.com/ansible/latest/user_guide/vault.html#encrypt-string-for-use-in-yaml
#
# An unencrypted value here is possible, but strongly discouraged.
#tor_onion_services_backup_password:
# Ansible Vault ID label to use when creating encrypted backups of Tor
# Onion service secrets. Using a Vault ID makes it possible to have
# separate passwords for decrypting Tor secrets than the password used
# to decrypt different roles's or playbooks's secrets.
#
# If left undefined (commented out), this defaults to `''`, i.e., the
# empty string, which is equivalent to the "default" Ansible Vault ID.
#tor_onion_services_backup_vault_id: "tor-backup"
# Vanguards is a Tor controller add-on that implements numerous Onion
# service defenses ahead of their implementation in Tor-core. For more
# information, see the project development page:
#
# https://github.com/mikeperry-tor/vanguards/#readme
#
# These options are intended for Onions which require the highest
# possible level of security as soon as possible.
#tor_onion_services_vanguards:
# version: "v0.2.2" # Git branch, tag, or commit hash to checkout.
# # The `args` dict is required even if it's left empty (no args).
# args: # Command-line arguments to pass to the Vanguards script.
# config: "/etc/tor/vanguards.conf"
# disable_vanguards: false
# disable_bandguards: true
# enable_cbtverify: true
# config: # Configuration file options.
# control_ip: "{{ inventory_hostname }}"
# control_port: "{{ torrc.ControlPort.port }}"
# control_socket: "{{ torrc.ControlSocket }}"
# control_pass: "{{ torrc.HashedControlPasswords[0] }}"
# loglevel: NOTICE
# logfile: "/var/log/tor/vanguards.log"
# state_file: vanguards.state
# rend_use_max_consensus_weight_churn: 1.0
# rend_close_circuits_on_overuse: true
# rend_use_global_start_count: 1000
# rend_use_relay_start_count: 100
# rend_use_scale_at_count: 20000
# List of authentication credentials for connecting to authenticated
# Onion services as a Tor client. For more detailed information, see:
#
# https://github.com/AnarchoTechNYC/meta/wiki/Connecting-to-an-authenticated-Onion-service
#
# When left undefined (commented), no credentials are written to host.
#
# This list holds both v3 and v2 Onion credentials.
#onion_services_client_credentials:
#
# # Newer v3 Onions have 56 character long domain names and use a
# # specially encoded private key.
# - name: someone
# domain: rh5d6reakhpvuxe2t3next6um6iiq4jf43m7gmdrphfhopfpnoglzcyd.onion
# keyType: x25519 # This is the only permitted value.
# privkey: ZDUVQQ7IKBXSGR2WWOBNM3VP5ELNOYSSINDK7CAUN2WD7A3EKZWQ
#
# # Older v2 Onions use a "cookie" value.
# - domain: example.onion
# cookie: an_auth_value
# comment: Example Onion credential.
# Define the Onion services you want available on the managed host.
#onion_services:
# # This Onion service is used primarily for NAT punching.
# - name: onion-ssh # The name of the Onion service directory.
# version: 3 # The Onion service protocol version.
# virtports: # The virtual port(s) to expose on the Onion.
# - port_number: 22 # Port to open on public Onion side.
# target_addr: 127.0.0.1 # The target address of the service.
# target_port: 22 # The target port of the service.
# clients: # A list of clients to authenticate.
# - admin # Client values for Version 2 Onions are simply
# # a string representing a client identity.
# # Version 3 Onion service clients are a dictionary with the
# # following structure indicating their name and key details.
# - name: someone
# pubkey: N2NU7BSRL6YODZCYPN4CREB54TYLKGIE2KYOQWLFYC23ZJVCE5DQ
# keyType: x25519 # This is the only valid keyType for now.
# state: present # Or `absent`.
#
# Publish: true # See `PublishHidServDescriptors`
# DirGroupReadable: false
# NumIntroductionPoints: 3
# MaxStreams: 0
# MaxStreamsCloseCircuit: false
# AllowUnknownPorts: false
# RendPostPeriod:
# n: 1
# unit: hour
#
# # The following values are only supported for Version 2 Onions:
# auth_type: stealth # The Onion's authentication type. This
# # can be `stealth`, `basic`, or `false`.
# # This is ignored for version 3 Onions as
# # all v3 Onions are always `stealth`.
# client_keys_file: /path/to/file/containing/client/secret/keys