Use default Tor instead of instances

This commit is contained in:
Miraty 2022-06-10 03:20:19 +02:00
parent 1a771c5c4c
commit 8d42174d35
7 changed files with 13 additions and 28 deletions


@ -1 +1,2 @@
php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor,/usr/bin/systemctl reload tor@niver,/usr/bin/chgrp ^sftpgo /srv/ht/[a-z]{1,128}$,/usr/bin/cat ^/var/lib/tor-instances/niver/keys/[a-z]{1,128}/hostname$
php-niver ALL= NOPASSWD: /usr/bin/systemctl reload nginx,/usr/bin/systemctl reload tor,/usr/bin/chgrp ^sftpgo /srv/ht/[a-z]{1,128}$
php-niver ALL=(tor) NOPASSWD: /usr/bin/cat ^/var/lib/tor/keys/[a-z]{1,128}/hostname$
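Review bot: The `chgrp ^sftpgo /srv/ht/[a-z]{1,128}$` rule carried into line 13 runs as root with no runas restriction, and GNU chgrp dereferences a symlink given as its path argument, so if php-niver can create entries under /srv/ht (the install script makes it the owner of that tree) a symlink at /srv/ht/<name> would change the group of whatever it points to. Pinning the operation to the link itself, `/usr/bin/chgrp -h ^sftpgo /srv/ht/[a-z]{1,128}$`, closes that, with the matching `-h` added on the PHP side since the rule matches the full argument list. This rule predates the commit, and the regex-matched arguments (`^…$`) on both lines need a sudo release that supports sudoers regular expressions, which is worth confirming for the Debian release this targets.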


@ -29,13 +29,11 @@ chown -R php-niver:sftpgo /srv/ht
chmod -R u=rwX,g=rwX,o=rX /srv/ht
if [[ $ID = "debian" ]]; then
chown -R php-niver:_tor-niver /etc/tor/instances/niver
chown -R _tor-niver:_tor-niver /var/lib/tor-instances/niver
chown -R php-niver:debian-tor /etc/tor
else
chown -R php-niver:tor /etc/tor/instances/niver
chown -R tor:tor /var/lib/tor-instances/niver
chown -R php-niver:tor /etc/tor
fi
chmod -R u=rwX,g=rX,o= /etc/tor/instances/niver
chmod -R u=rwX,g=rX,o= /etc/tor
chmod u=rX,g=rX,o=rX /srv/php
@ -44,7 +42,7 @@ chmod -R u=rX,g=rX,o= /srv/php/errors
chown -R php-niver:nginx /srv/php/niver
chmod -R u=rX,g=rX,o=X /srv/php/niver
chmod -R u=rwX,g=,o= /srv/php/niver/db /srv/php/niver/niver.log
chmod -R u=rwX,g=,o= /srv/php/niver/db
# Load configuration in Knot database
sudo -u knot knotc conf-import /etc/knot/knot.conf
@ -69,22 +67,14 @@ display_errors = On
extension = pdo_sqlite
EOF
# Configure Tor properly
# Configure Tor
if [[ $ID = "debian" ]]; then
cat >> /etc/tor/instances/niver/torrc << EOF
User _tor-niver
DataDirectory /var/lib/tor-instances/niver
EOF
fi
if [[ $ID = "arch" ]]; then
ln -s /etc/tor/instances/niver/torrc /etc/tor/torrc
cat >> /etc/tor/instances/niver/torrc << EOF
User tor
DataDirectory /var/lib/tor
EOF
sed -i 's/User tor/User debian-tor/' /etc/tor/torrc
sed -i 's/reload tor/reload tor@default/' /etc/sudoers.d/niver
sed -i 's/ALL=(tor)/ALL=(debian-tor)/' /etc/sudoers.d/niver
sed -i 's/tor_service = "tor"/tor_service = "tor@default"/' /srv/php/niver/config.ini
sed -i 's/tor_user = "tor"/tor_user = "debian-tor"/' /srv/php/niver/config.ini
fi
# Start SystemD services at startup
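Review bot: `sed -i 's/User tor/User debian-tor/' /etc/tor/torrc` on line 56 edits through the symlink created on line 51, and GNU `sed -i` without `--follow-symlinks` writes a temporary file and renames it over the link, so on Debian /etc/tor/torrc would become a detached regular-file copy of /etc/tor/instances/niver/torrc. That is the file php-niver owns and is given write access to, so later edits by the application followed by `systemctl reload tor@default` would never reach the configuration tor actually loads. Substitute in the real file instead, `sed -i 's/User tor/User debian-tor/' /etc/tor/instances/niver/torrc`, or add `--follow-symlinks`. This assumes line 51 runs before line 56 on Debian, as the new ordering suggests; the script continues outside the hunk.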


@ -13,11 +13,6 @@ if [[ $ID = "arch" ]]; then
rm /etc/php/php-fpm.d/*
fi
# Create dedicated Tor instance
if [[ $ID = "debian" ]]; then
tor-instance-create niver
fi
# Generate default self-signed TLS key pair
openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt


@ -1,3 +1,3 @@
[Service]
ReadWritePaths=/etc/nginx/ht
ReadWritePaths=/etc/tor/instances/niver
ReadWritePaths=/etc/tor
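Review bot: `ReadWritePaths=/etc/tor` on line 82 opens the whole Tor configuration directory to the service where the previous override covered only the instance subdirectory, and since the install script now chowns /etc/tor to php-niver everything under it becomes writable from the web process. If the only file the PHP side writes is the torrc it appended to, the narrower `ReadWritePaths=/etc/tor/instances/niver` still covers it through the /etc/tor/torrc symlink and keeps the rest of /etc/tor read-only; what the application actually writes is not visible here, so this is worth confirming against the PHP code.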


@ -1,4 +1,3 @@
[Service]
ReadWritePaths=/var/lib/tor-instances/niver/
# To allow reloading service on Arch Linux
CapabilityBoundingSet=CAP_KILL