A stack to deploy Tor relays or Snowflake

Quick start

To setup a new Tor public bridge (i.e. with the hostname my_bridge), do

1. clone this repo

   git clone https://github.com/toralf/tor-relays.git
   cd ./tor-relays

2. run once at your local machine: create seeds, local dirs ~/tmp and ./secrets and a self-signed CA:

   bash ./bin/base.sh
   ansible-playbook playbooks/ca.yaml -i ./inventory -e @secrets/local.yaml --tags ca

3. add the bridge to the group tor:

   ---
   tor:
     hosts:
       my_bridge:

like in this example for an Ansible inventory.

1. deploy it

   ./site-setup.yaml --limit my_bridge

2. enjoy it:

   ./site-info.yaml --limit my_bridge
   
   grep "my_bridge" ~/tmp/*

Details

The deployment is made by Ansible. See the section Metrics below how to scrape runtime metrics. The Ansible role expects a seed_address value to change the ipv6 address at a Hetzner system to a relyable randomized one (at IONOS a proposed one is displayed, but not set). For Tor servers the DDoS solution of torutils used. For Tor bridges and Snowflake a lightweight version of that is used..

The MyFamily value for Tor server is derived from the output of:

./site-info.yaml --tags wellknown --limit my_bridge

in the next run of the setup script:

./site-setup.yaml --tags config --limit my_bridge

(look here for details).

Additional software

To deploy additional software, define (i.e. for a Quassel server) it like:

hosts:
  my_system:
    additional_ports:
      - "4242"
    additional_software:
      - "quassel-core"

Compiling the Linux kernel, Tor, Lyrebird or Snowflake from source

As default HEAD (of the Git branch main) is taken. A branch can be defined by the variable <...>_git_version. Furthermore <...>_patches is a list of URIs to fetch additional patches from (appleid on top of the branch).

Metrics

If a Prometheus server is configured (prometheus_server) then inbound traffic from its ip to the local metrics port is allowed by a firewall rule (code). An Nginx is used to encrypt the metrics data transfer on transit (code) using the certificate of a self-signed CA (code). This CA key has to be put into the Prometheus config to enable the TLS traffic (example). Configure a metrics_port to expose several kind of metrics at https://address:metrics_port/metrics-node|snowflake|tor (i.e. the metrics port is pseudo-randomly choosen using seed_metrics):

snowflake:
  vars:
    metrics_port: "{{ range(16000,60999) | random(seed=seed_metrics + inventory_hostname + ansible_facts.default_ipv4.address + ansible_facts.default_ipv6.address) }}"
    snowflake_metrics: true
    prometheus_server: "1.2.3.4

In addition the Prometheus node exporter is deployed by: node_metrics: true. For more Prometheus config examples and Grafana dashboards take a look at this repository.

Misc

The targets lines for a static Prometheus inventory file can be created by:

./site-info.yaml --tags metrics-port

To create at Hetzner a new VPS with the hostname my_bridge in the project my_project, do:

hcloud context use my_project
./bin/create-server.sh my_bridge

The script ./bin/update-dns.sh expects unbound as a local DNS resolve and openrc as the init system, configured for the appropriate project:

include: "/etc/unbound/hetzner-<project>.conf"

(hcloud uses the term "context" for a project)

The scripts under ./bin work only for the Hetzner Cloud API.

Links

• https://bridges.torproject.org
• https://snowflake.torproject.org
• https://www.ansible.com
• https://github.com/prometheus/node_exporter
• https://grafana.com
• https://github.com/NLnetLabs/unbound