various fixes and tweaks

cozybear-dev · Feb 14, 2024 · ebac9f3 · ebac9f3
1 parent 3a60273
commit ebac9f3
Show file tree

Hide file tree

Showing 8 changed files with 147 additions and 35 deletions.
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ This GitHub repository is my personal development environment for automated stat
 
 Do not run anything in this repo blindly. It'd made for personal use. SSH key is hardcoded.
 
-My fleet can be found here; https://metrics.torproject.org/rs.html#search/cozybear
+My fleet can be found here; https://metrics.torproject.org/rs.html#search/cozybear or https://nusenu.github.io/OrNetStats/shadowbrokers.eu.html
 
 There is already a great repository here with way better support and e.g. key management; 
 
@@ -48,6 +48,8 @@ My personal priority was to have a fleet that is well positioned geopolitically,
 - https://veesp.com/
     -   Reliable, fast speed, privacy friendly, accept crypto, bit more expensive
     -   Primary downside, no exits allowed
+- https://4vps.su/
+    -   Still evaluating, but they seem ok. They have high performance servers in lots of unique places. Pricing and hardware is good. Good value in general.
 
 Using these hosters, my relays are distributed across the following locations, routing through interesting cables over the world; 
 

diff --git a/roles/ip-tables/tasks/main.yml b/roles/ip-tables/tasks/main.yml
@@ -0,0 +1,93 @@
+- name: Ensure iptables is installed # well aware nftables is a thing
+  become: yes
+  ansible.builtin.apt:
+    name: "{{ item.package }}"
+    state: present
+    update_cache: yes
+  when:
+    - tor_exit_enabled | bool
+  loop:
+    - package: iptables-persistent
+    - package: iptables
+
+- name: Drop outbound tcp ports - ipv4
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    jump: DROP
+    protocol: tcp
+    destination_port: "{{ item.port }}"
+  loop:
+    - port: 2525
+    - port: 587
+    - port: 465
+    - port: 25
+    - port: 22
+  when:
+    - (tor_exit_enabled | bool) and (not ipv6_enabled | bool)
+  become: yes
+
+- name: Drop outbound udp ports - ipv4
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    jump: DROP
+    protocol: udp
+    destination_port: "{{ item.port }}"
+  loop:
+    - port: 2525
+    - port: 587
+    - port: 465
+    - port: 25
+    - port: 22
+  become: yes
+  when:
+    - (tor_exit_enabled | bool) and (not ipv6_enabled | bool)
+
+- name: Drop outbound tcp ports - ipv6
+  ansible.builtin.iptables:
+    ip_version: ipv6
+    chain: OUTPUT
+    jump: DROP
+    protocol: tcp
+    destination_port: "{{ item.port }}"
+  loop:
+    - port: 2525
+    - port: 587
+    - port: 465
+    - port: 25
+    - port: 22
+  when:
+    - (tor_exit_enabled | bool) and (ipv6_enabled | bool)
+  become: yes
+
+- name: Drop outbound udp ports - ipv6
+  ansible.builtin.iptables:
+    ip_version: ipv6
+    chain: OUTPUT
+    jump: DROP
+    protocol: udp
+    destination_port: "{{ item.port }}"
+  loop:
+    - port: 2525
+    - port: 587
+    - port: 465
+    - port: 25
+    - port: 22
+  become: yes
+  when:
+    - (tor_exit_enabled | bool) and (ipv6_enabled | bool)
+
+- name: Save current state of the firewall in system file - ipv4
+  community.general.iptables_state:
+    state: saved
+    path: /etc/iptables/rules.v4
+  become: yes
+  when:
+    - (tor_exit_enabled | bool) and (not ipv6_enabled | bool)
+
+- name: Save current state of the firewall in system file - ipv6
+  community.general.iptables_state:
+    state: saved
+    path: /etc/iptables/rules.v6
+  become: yes
+  when:
+    - (tor_exit_enabled | bool) and (ipv6_enabled | bool)
diff --git a/roles/update-upgrade-all/tasks/main.yml b/roles/update-upgrade-all/tasks/main.yml
@@ -7,7 +7,7 @@
 
 - name: Check if a reboot is needed
   register: reboot_required_file
-  stat: path=/var/run/reboot-required get_md5=no
+  stat: path=/var/run/reboot-required
 
 - name: Reboot the box if required
   reboot:

diff --git a/roles/upgrade-bookworm-from-bullseye/tasks/main.yml b/roles/upgrade-bookworm-from-bullseye/tasks/main.yml
@@ -40,9 +40,9 @@
   become: true
   shell: sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list
 
-- name: Switch Tor sources from bullseye to bookworm
-  become: true
-  shell: sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list.d/tor.list
+# - name: Switch Tor sources from bullseye to bookworm
+#   become: true
+#   shell: sed -i 's/bullseye/bookworm/g' /etc/apt/sources.list.d/tor.list
 
 - name: Update
   become: true

diff --git a/set-family.yml b/set-family.yml
@@ -27,6 +27,9 @@
       3EBDF7359190ACC0E23E5BA3B9C046668DF85114,
       EE50AAEA83AA7EDAF0A35E4E8EA4976483ABCCDD,
       8F013AB2708FB36FA5F9594DC97701E64545ADEF,
-      8B31226353E33A49D43A0140F05AA056337E8578
+      8B31226353E33A49D43A0140F05AA056337E8578,
+      D1D4115C77FD8C5F8BBD1CFA8F938F0143AE8E5B,
+      AA5C46F66CB5863FA379F18081F9BEDC130AD601,
+      15C364DEF4D6A045D55F97FB3FB31EE8635AF780
   roles:
     - set-family
diff --git a/setup-tor-node.yml b/setup-tor-node.yml
@@ -1,6 +1,6 @@
 ---
-# - hosts: tor-fleet-managed
-- hosts: setup
+- hosts: tor-fleet-managed
+# - hosts: setup
   vars:
     contact_info: "email:tor[]shadowbrokers.eu url:shadowbrokers.eu proof:dns-rsa btc:bc1qu9m2sy836pmyku0t3vnmpjxfjds8p2x5psyl6y ciissversion:2"
     tor_contact_email: tor@shadowbrokers.eu
@@ -35,13 +35,17 @@
       3EBDF7359190ACC0E23E5BA3B9C046668DF85114,
       EE50AAEA83AA7EDAF0A35E4E8EA4976483ABCCDD,
       8F013AB2708FB36FA5F9594DC97701E64545ADEF,
-      8B31226353E33A49D43A0140F05AA056337E8578
+      8B31226353E33A49D43A0140F05AA056337E8578,
+      D1D4115C77FD8C5F8BBD1CFA8F938F0143AE8E5B,
+      AA5C46F66CB5863FA379F18081F9BEDC130AD601,
+      15C364DEF4D6A045D55F97FB3FB31EE8635AF780
   roles:
-    - setup-manjaro-user
-    - setup-apparmor
-    - restrict-kernel
-    - setup-dns
-    - install-and-configure-tor
-    - install-netdata-agent
-    - set-ssh-config #any reboots after this role, will fail during very first setup with root user
-    - get-node-hash
+    # - setup-manjaro-user
+    # - setup-apparmor
+    # - restrict-kernel
+    # - setup-dns
+    # - install-and-configure-tor
+    # - install-netdata-agent
+    # - set-ssh-config #any reboots after this role, will fail during very first setup with root user
+    - ip-tables
+    # - get-node-hash
diff --git a/testing.yml b/testing.yml
@@ -1,22 +1,23 @@
 ---
-- hosts: testnode
+- hosts:
+    - testnode4
   vars:
-    contact_info: "email:tor[]shadowbrokers.eu - testing automation"
+    contact_info: "email:tor[]shadowbrokers.eu url:shadowbrokers.eu proof:dns-rsa btc:bc1qu9m2sy836pmyku0t3vnmpjxfjds8p2x5psyl6y ciissversion:2 - EXPERIMENTAL NODE"
     tor_contact_email: tor@shadowbrokers.eu
     hostname: "{{ inventory_hostname }}"
     ipv6_enabled: "{{ ipv6_enabled_conf | default('yes') }}"
     tor_exit_enabled: "{{ tor_exit_enabled_conf | default('no') }}"
     kilobytes_burst: "{{ kilobytes_burst_conf | default('') }}"
     kilobytes_rate: "{{ kilobytes_rate_conf | default('') }}"
     tor_family: > 
-      testing
+      none
   roles:
-    - setup-manjaro-user
-    - setup-apparmor
-    - restrict-kernel
-    - setup-dns
-    - install-and-configure-tor
-    # - install-netdata-agent
-    - set-ssh-config #any reboots after this role, will fail during very first setup with root user
-    - get-node-hash
     - upgrade-bookworm-from-bullseye
+    # - setup-manjaro-user
+    # - setup-apparmor
+    # - restrict-kernel
+    # - setup-dns
+    # - install-and-configure-tor
+    # - install-netdata-agent
+    # - set-ssh-config
+    # - get-node-hash
diff --git a/tor-hosts b/tor-hosts
@@ -1,9 +1,15 @@
-[testnode]
+[testnode2]
+tor.testing2.shadowbrokers.eu
 
+[testnode3]
+tor.testing3.shadowbrokers.eu ipv6_enabled_conf=no
+
+[testnode4]
+tor.testing4.shadowbrokers.eu ipv6_enabled_conf=no
 
 [tor-fleet-managed]
 tor.node1.shadowbrokers.eu tor_exit_enabled_conf=yes kilobytes_rate_conf=3600 kilobytes_burst_conf=15000
-tor.node2.shadowbrokers.eu tor_exit_enabled_conf=yes 
+tor.node2.shadowbrokers.eu tor_exit_enabled_conf=yes ipv6_enabled_conf=no
 tor.node3.shadowbrokers.eu tor_exit_enabled_conf=yes kilobytes_rate_conf=5500 kilobytes_burst_conf=15000
 tor.node4.shadowbrokers.eu tor_exit_enabled_conf=yes kilobytes_rate_conf=5500 kilobytes_burst_conf=15000
 tor.node5.shadowbrokers.eu tor_exit_enabled_conf=yes kilobytes_rate_conf=5500 kilobytes_burst_conf=15000
@@ -13,23 +19,26 @@ tor.node8.shadowbrokers.eu tor_exit_enabled_conf=yes
 tor.node9.shadowbrokers.eu tor_exit_enabled_conf=yes
 tor.node10.shadowbrokers.eu tor_exit_enabled_conf=yes
 tor.node11.shadowbrokers.eu tor_exit_enabled_conf=yes
-tor.node12.shadowbrokers.eu tor_exit_enabled_conf=yes 
+tor.node12.shadowbrokers.eu tor_exit_enabled_conf=yes ipv6_enabled_conf=no
 tor.node13.shadowbrokers.eu tor_exit_enabled_conf=yes 
 tor.node14.shadowbrokers.eu tor_exit_enabled_conf=yes
 tor.node15.shadowbrokers.eu tor_exit_enabled_conf=yes ipv6_enabled_conf=no
 tor.node16.shadowbrokers.eu
 tor.node17.shadowbrokers.eu tor_exit_enabled_conf=yes 
 tor.node18.shadowbrokers.eu
-tor.node19.shadowbrokers.eu tor_exit_enabled_conf=yes 
+tor.node19.shadowbrokers.eu tor_exit_enabled_conf=yes ipv6_enabled_conf=no
 tor.node20.shadowbrokers.eu tor_exit_enabled_conf=yes ipv6_enabled_conf=no
-tor.node21.shadowbrokers.eu tor_exit_enabled_conf=yes
-tor.node22.shadowbrokers.eu tor_exit_enabled_conf=yes
+tor.node21.shadowbrokers.eu tor_exit_enabled_conf=yes ipv6_enabled_conf=no
+tor.node22.shadowbrokers.eu tor_exit_enabled_conf=yes ipv6_enabled_conf=no
 tor.node23.shadowbrokers.eu tor_exit_enabled_conf=yes
 tor.node24.shadowbrokers.eu tor_exit_enabled_conf=yes
 tor.node25.shadowbrokers.eu tor_exit_enabled_conf=yes ipv6_enabled_conf=no
 tor.node26.shadowbrokers.eu tor_exit_enabled_conf=yes
+tor.node27.shadowbrokers.eu
+tor.node28.shadowbrokers.eu ipv6_enabled_conf=no
+tor.node29.shadowbrokers.eu tor_exit_enabled_conf=yes ipv6_enabled_conf=no
 
 [setup]
-tor.node26.shadowbrokers.eu tor_exit_enabled_conf=yes
+tor.node29.shadowbrokers.eu tor_exit_enabled_conf=yes ipv6_enabled_conf=no
 
 [migrate]