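---
#
# Onionprobe Ansible role configuration
#
# Copyright (C) 2024 The Tor Project, Inc.
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# This file holds the role defaults: every variable below can be overridden
# from inventory, group_vars, host_vars or play vars. Values marked as
# placeholders (credentials, e-mail addresses) are meant to be overridden,
# never deployed as-is.
#

#
# Onionprobe installation mode: controls how it's installed.
#
# Available options:
#
#   'distro'    : installs Onionprobe from a package, if available in the distro;
#                 this will be a system-wide installation, meaning that all users
#                 in the system with shell access will be able to run Onionprobe.
#
#                 Requirements:
#
#                 * The 'onionprobe' package must be available through the system's
#                   package manager.
#
#   'pip'       : installs Onionprobe and its dependencies using pip.
#                 This won't be a system-wide installation in the sense that other
#                 users with shell access won't have access to Onionprobe, since
#                 it's installed in a restricted virtualenv.
#
#                 Requirements (automatically handled on Debian-like systems):
#
#                 * Pip.
#
#                 * Virtualenv.
#
#   'repository': installs the needed dependencies and clones the Onionprobe repository.
#
#                 Any users in the system may read (and sometimes execute) most of the
#                 files in this working copy; in general no credentials are stored in
#                 this folder; while some files are protected with restrictive file
#                 permissions, others cannot be, otherwise they could not be shared with
#                 containers in the standalone operation mode described below.
#
#                 In general this should be safe, as Onionprobe by default does
#                 not need any credentials to be stored in its configuration
#                 files.
#
#                 Requirements:
#
#                 * Dependencies must be available in the distribution.
#
onionprobe_installation: repository

#
# Onionprobe operation mode: specifies how it should run.
#
# Available options:
#
#   'manual'    : do not manage the way Onionprobe runs: this is left to the operator
#                 to configure elsewhere.
#
#   'single'    : runs just the Onionprobe service, and nothing else.
#
#                 Requirements:
#
#                 * Systemd must be available in the system, and is used to
#                   manage the service.
#
#   'standalone': runs the full standalone monitoring node:
#                 https://onionservices.torproject.org/apps/web/onionprobe/standalone/
#
#                 Requirements:
#
#                 * Variable 'onionprobe_installation' must be set to
#                   'repository', as the package usually doesn't ship the needed
#                   container configuration.
#
#                 * Docker Compose or Podman Compose must be installed and
#                   configured.
#
#                 * Systemd must be available in the system, as it's used to
#                   manage the service.
#
onionprobe_operation: standalone

#
# Onionprobe project name
#
# This is mainly used as an identifier to configure and distinguish services.
#
onionprobe_project_name: onionprobe

#
# Onionprobe virtualenv
#
# Sets the virtualenv location used by the 'pip' installation method.
#
onionprobe_virtualenv: "{{ onionprobe_path }}/venv"

#
# Repository version
#
# Ensures Onionprobe's repository version is set to a specific version.
#
# Allowed values are specified at
# https://docs.ansible.com/ansible/latest/collections/ansible/builtin/git_module.html
#
# Having it set to 'HEAD' may not always be considered a good practice:
# https://ansible.readthedocs.io/projects/lint/rules/latest/
#
# From a supply-chain standpoint, 'HEAD' deploys whatever the remote branch tip
# happens to be at run time, so two runs may install different code. Pinning to
# a release tag (or a full commit hash) keeps deployments reproducible and
# makes it possible to review what was actually installed.
#
# onionprobe_repository_version: '1.2.0'
onionprobe_repository_version: HEAD

#
# User, group and folders
#
# In most situations, {{ onionprobe_home }} can also be set to the same value
# as {{ onionprobe_path }}, but note that this can lead to a git clone error
# when running as root, due to Ansible using `onionprobe_path` as a base for
# temporary files (and Git refuses to clone into non-empty folders).
#
# So, to be on the safe side, {{ onionprobe_home }} and {{ onionprobe_path }}
# default to different folders.
#
onionprobe_user: onionprobe
onionprobe_group: onionprobe
onionprobe_uid: 2000
onionprobe_gid: 2000
onionprobe_home: "/home/{{ onionprobe_user }}"
onionprobe_path: "/var/lib/{{ onionprobe_user }}"

#
# Repository location
#
# Defaults to the upstream Onionprobe repository, but can be overridden to
# point to a fork.
#
onionprobe_repo: https://gitlab.torproject.org/tpo/onion-services/onionprobe.git

#
# Service
#

# Service name
onionprobe_service: onionprobe

# Whether to automatically enable the service
#
# Systemd might not be available in some testing environments, where it makes
# sense to keep the service disabled.
onionprobe_enable_service: true

# Daemon options not specified in the Onionprobe configuration
#
# This setting is ignored by the standalone operation mode.
onionprobe_daemon_opts: ''

#
# Onionprobe configuration folder
#
# When empty, the configuration path is computed depending on the installation
# mode:
#
#   'distro'    : config path is set to /etc/onionprobe
#   'pip'       : config path is set to {{ onionprobe_virtualenv }}/share/onionprobe/configs
#   'repository': config path is set to configs, and is relative to {{ onionprobe_path }}
#
# Examples:
#
#   onionprobe_config_path: '{{ onionprobe_path }}'
#   onionprobe_config_path: '{{ onionprobe_path }}/configs'
#   onionprobe_config_path: '{{ onionprobe_path }}/contrib/configs'
#
onionprobe_config_path: ''

#
# Onionprobe configuration file relative to {{ onionprobe_config_path }}
#
# Do not leave this empty.
#
onionprobe_config: 'tor.yaml'

#
# Path for a configuration file to be copied to the remote host
#
# This file should be stored in the Ansible configuration folder/repository,
# and it's copied to the remote host.
#
# Leaving this empty means that no configuration file will be copied to
# the remote host, but {{ onionprobe_config }} can still be used to
# point to an existing file in the remote host.
#
onionprobe_config_src: ''

#
# Path where a config generation script is stored
#
# When empty, the configuration path is computed depending on the installation
# mode:
#
#   'distro'    : config path is set to /usr/share/onionprobe/examples
#   'pip'       : config path is set to {{ onionprobe_virtualenv }}/share/onionprobe/examples
#   'repository': config path is set to {{ onionprobe_path }}/packages
#
# Examples:
#
#   onionprobe_config_script_path: '/usr/share/onionprobe/examples'
#   onionprobe_config_script_path: '{{ onionprobe_path }}/packages'
#   onionprobe_config_script_path: '{{ onionprobe_path }}/contrib/configs'
#   onionprobe_config_script_path: '{{ onionprobe_virtualenv }}/share/onionprobe/examples'
#
onionprobe_config_script_path: ''

#
# Path for a config generation script to be copied to the remote host
#
# This script should be stored in the Ansible configuration folder/repository,
# and it's copied to the remote host.
#
# Leaving this empty disables the config generation script (for the single operation
# mode) or uses the default one (for the standalone mode).
#
onionprobe_config_script_src: ''

#
# Standalone monitor mode options
#

# The container runtime to use
#
# Note that this role won't manage the container runtime installation.
# That needs to be done elsewhere.
#
onionprobe_container_runtime: 'docker'

# Config script parameters
#
# Allows passing parameters to the config generation script.
#
# Example:
#
#   onionprobe_config_script_params: >
#     --loop --wait 3600
#     --config_template /srv/onionprobe/configs/tor.yaml
#     --config_overrides rounds=20 descriptor_max_retries=20
#                        descriptor_timeout=120 http_connect_timeout=120
#                        http_connect_max_retries=6 http_read_timeout=120
#
# For the standalone operation mode, it's recommended to set "--wait" and
# "rounds=" params, so the configuration container stops periodically, ensuring
# that whenever it restarts a fresh configuration is picked up.
#
# The --output-folder option doesn't need to be set, as Ansible will automatically
# configure it in sync with {{ onionprobe_config_path }}.
#
# When using options such as --config_template in the standalone mode, note
# that the Onionprobe path inside the container will be different from
# {{ onionprobe_path }}. Usually, the Onionprobe path inside the container will be
# /srv/shared.
#
onionprobe_config_script_params: ''

# Prometheus options as documented at
# https://prometheus.io/docs/prometheus/latest/command-line/prometheus/
onionprobe_prometheus_web_external_url: 'http://localhost:9090'

# Alertmanager options as documented at
# https://prometheus.io/docs/alerting/latest/configuration/
#
# The SMTP credentials and addresses below are placeholders. Override them from
# an Ansible Vault-encrypted vars file rather than editing this defaults file,
# and do not commit real credentials to version control.
#
# The '[email protected]' values are placeholders and must be replaced with real
# addresses; they are quoted so YAML reads them as strings rather than as a
# flow sequence.
#
onionprobe_alertmanager_template: alertmanager/alertmanager.yml.j2
onionprobe_smtp_smarthost: 'mail.example.org:587'
onionprobe_smtp_email: '[email protected]'
onionprobe_smtp_username: changeme
onionprobe_smtp_auth_password: changeme
# Note the 'altermanager' spelling: the key name is kept as-is, since renaming
# it would break any template or play that already references it.
onionprobe_altermanager_default_recipient_email: '[email protected]'

# Sets the Alertmanager group ownership for the standalone monitor mode
#
# This depends on the UID and GID used by the Alertmanager container service:
# https://github.com/prometheus/alertmanager/blob/main/Dockerfile
#
# It may or may not match the default nobody/nogroup from your operating system.
#
# The default may work for most cases, so only customize this variable if you're
# having issues with the alertmanager container.
#
onionprobe_alertmanager_group: nogroup

# Grafana configuration
#
# Placeholder credential: override it from an Ansible Vault-encrypted vars file
# before deploying; the standalone stack should never run with this value.
onionprobe_grafana_database_password: unsafe-password-please-change

# Grafana options as documented at
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/
onionprobe_grafana_smtp_enabled: false
onionprobe_grafana_smtp_host: 'localhost:25'
onionprobe_grafana_smtp_user: ''
# Note the 'stmp' spelling: the key name is kept as-is, since renaming it
# would break any template or play that already references it.
onionprobe_grafana_stmp_password: ''
onionprobe_grafana_smtp_starttls_policy: ''
onionprobe_grafana_server_domain: ''
onionprobe_grafana_server_root_url: ''
onionprobe_grafana_plugins_enable_alpha: false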