Skip to content

Releases: nusenu/ansible-relayor

relayor v24.0.2

17 Dec 17:22
v24.0.2
Compare
Choose a tag to compare

Changes since v24.0.1

relayor v24.0.1

18 Aug 22:07
v24.0.1
Compare
Choose a tag to compare

Changes since v24.0.0

  • FreeBSD 14.1 is supported (drop support for FreeBSD 14.0)
  • FreeBSD: use absolute path for sysctl (#246)
  • README: tor 0.4.7.x reached end of life
  • fix a minor Jinja warning

relayor v24.0.0

24 Mar 13:33
v24.0.0
Compare
Choose a tag to compare

relayor v23.2.0

28 Aug 17:26
v23.2.0
Compare
Choose a tag to compare

Changes since v23.1.0

Prometheus

Add prometheus alert rules:

  • alert when the online certificate expires within 15 days (this requires tor 0.4.8)
  • alert when the DNS timeout fraction on exit relays exceeds 1.5% for 15minutes
  • alert when onionskins are dropped for 15 minutes

HowTo use relayor's Prometheus Integration

OS Support

  • Debian 12 is supported
  • FreeBSD 13.2 is supported
  • drop support for FreeBSD 12

relayor v23.1.0

12 Feb 16:39
v23.1.0
Compare
Choose a tag to compare

Changes since v23.0.0

This release contains backward incompatible changes for prometheus integration users. They are flagged with ⚠️
If you used prometheus integration with older releases, the easiest way to upgrade to v23.1.0 is to delete previously generated scrape configs and nginx config files and start with a minimal set of variables to make use of defaults as much as possible according to this guide.

Security: MetricsPort htpasswd Authentication Password Rollover (Low Risk)

Implement a workaround for ansible-collections/community.general#5975 by moving from a random username to a static username. This change will be reverted once upstream implements the "exclusive" parameter.

This issue affects you if all of these points apply to your environment:

  • you use relayor's prometheus integration and the htpasswd file generation for nginx
  • you attempted to do a password rollover by removing the folder ~/.tor/prometheus/scrape-usernames or individual files in that folder without also removing ~/.tor/prometheus/metrics_path.

Impact: A new user gets added but the old user is not removed.

Manual steps recommended for all users of the htpasswd file feature: Update to v23.1.0 or newer, remove the htpasswd file and run your playbook again.

Prometheus Integration Changes

  • usability improvements: simplification of how users enable prometheus integration
    • ship a default value for tor_prometheus_scrape_file and change its semantic from abs. filepath to filename ⚠️
    • simplify nginx config by shipping a default value for tor_metricsport_nginx_config_file
  • implement conf.d style support for prometheus configuration and generate global prometheus.yml
  • remove default value of tor_prometheus_host so we can use it as the signal to enable prometheus integration ⚠️
  • remove the default of tor_blackbox_exporter_host so we can use it as a signal to enable blackbox_exporter integration ⚠️
    • tor_gen_blackbox_scrape_config is obsolete and ignored ⚠️
  • ship some prometheus alert rules for tor relays (off by default)
  • support user defined prometheus alert rules
  • change default value of tor_gen_metricsport_htpasswd: False -> True ⚠️
  • reload prometheus on config changes
  • reload nginx on config changes
  • add service label with value "torrelay"
  • document prometheus security considerations
  • rename tor_prometheus_scrape_file_group -> tor_prometheus_group ⚠️

Misc

  • support more than two tor instances per IP address. We do not change the default of two tor instance per IP though. If you want to run more than two relays per IP set tor_ports accordingly. Make sure to not go over the limit at the time. The limit of relays per IP is at 4 as of this release and expected to increase in the near future. Check the linked gitlab issue.

  • ⚠️ remove the tor_dedicatedExitIP feature. You can set OutboundBindAddressExit via
    the tor_config variable on a per server level.

  • add some more example playbooks:

    • 4 tor instances per IP
    • prometheus integration
  • README improvements

Known issue: Test-kitchen for prometheus suites fail due to the reload nginx handler.

relayor v23.0.0

28 Jan 01:40
v23.0.0
Compare
Choose a tag to compare

Changes since relayor v22.2.1

Prometheus Integration

⚠️ NOTE: If you used relayor's prometheus support in previous relayor releases make sure to set tor_prometheus_scrape_file after upgrading to v23.0.0 and before running ansible-playbook with v23.0.0 for the first time, see the README for an example value.

  • 🎉 automatically populate some new labels (relaytype, tor_nickname, ...) depending on your tor configuration. As an example, these are handy when generating bandwidth graphs with exit vs non-exit traffic.
  • add support for custom user-defined labels
  • scrape file: move from one global scrape file for all hosts to one file per host to support running with ansible-playbook's --limit option without unintentionally removing all other hosts not included in the playbook run
  • support custom scrape config file group setting (tor_prometheus_scrape_file_group)
  • bugfix: properly quote IPv6 IPs in blackbox scrape configs

Version Requirements

  • require tor 0.4.7.x (drop support for tor 0.4.5)

OS Support

  • add FreeBSD 12.4 support

Test-Kitchen

  • set host specific paths to avoid idempotency test failures
  • remove temporary workaround for hashicorp/vagrant/pull/12584
  • avoid creating hostnames > 63 chars
  • we do not need alpha versions for MetricsPort tests: added tests for stable

relayor v22.2.1

03 Dec 20:07
v22.2.1
Compare
Choose a tag to compare

Changes since relayor v22.2.0-rc

Bugfixes

  • previously we failed to generate a valid torrc file on exits with dirport 0 using tor_dedicatedExitIP (reported by @appliedprivacy)

Minor

  • tor_htpasswd_dependency on FreeBSD: py38-passlib => py39-passlib

relayor v22.2.0-rc

19 Jul 19:42
v22.2.0-rc
Compare
Choose a tag to compare

Changes since relayor v22.1.0-rc

Bugfixes

Version Requirements

  • increase min. ansible version from 2.9.x to ansible-core 2.12.x (ansible 5.x) - ansible 2.9 reached end-of-life in May 2022
    • remove a long term ansible filter bug workaround (from 2016) no no longer required with ansible 2.12.x (#80)
  • increase min. tor version from 0.4.5.x to 0.4.7.x (for MetricsPort)

Misc

  • support control machines where the tor binary is not named 'tor' (#229)
  • Clarify note regarding port changes (patch by Stefan Leibfarth)
  • Fix repo name for tor nightly releases (patch by Sean Stiglitz)
  • add kitchen test case for nightly repo
  • introduce a new tag for prometheus tasks: promconfig
  • remove vars: tor_prometheus_scrape_username and tor_prometheus_scrape_metrics_path

OS Support Changes

  • add Ubuntu 22.04 support (drop 20.04)
  • add OpenBSD 7.1 support (drop 6.9)
  • add FreeBSD 13.1 support
  • drop support for Debian oldstable (buster)

relayor v22.1.0-rc

09 Jan 17:26
v22.1.0-rc
Compare
Choose a tag to compare

Changes since relayor v22.0.0-rc:

  • add support for prometheus blackbox_exporter scrape configuration generation
    • this feature generates a prometheus scrape config for blackbox_exporter to monitor the reachability of all your ORPorts/DirPorts on IPv4 and IPv6
    • blackbox exporter behind HTTP basic auth is supported
    • this feature does not depend on MetricsPort support and can be used on all tor relays even those that do not support MetricsPort (like current stable tor versions)
  • prometheus MetricsPort security support improvements:
    • randomize metrics_path
    • randomize HTTP basic auth username
  • kitchen: add test for blackbox_exporter scenario

relayor v22.0.0-rc

03 Jan 22:39
v22.0.0-rc
Compare
Choose a tag to compare

Changes since relayor v21.2.0-rc:

  • MetricsPort support improvements:
    • generate nginx reverse server config for remote prometheus scraping on the relay
    • generate htpasswd file for HTTP basic auth on the relay
  • debian/ubuntu: upstream changed the tor alpha packages repo name to a generic name (branch name is no longer included in the name).
  • FreeBSD 12.3 is supported (remove 12.2)
  • kitchen integration testing: MetricsPort tests no longer require nightly builds (use alpha release now)