Releases: nusenu/ansible-relayor
relayor v24.0.2
Changes since v24.0.1
- Ubuntu 24.04 is supported
- FreeBSD 14.2 is supported
- README: require ansible-utils >=v4.0.0 or newer when using netaddr >=v1.0.0 (related to #245)
relayor v24.0.1
Changes since v24.0.0
- FreeBSD 14.1 is supported (drop support for FreeBSD 14.0)
- FreeBSD: use absolute path for sysctl (#246)
- README: tor 0.4.7.x reached end of life
- fix a minor Jinja warning
relayor v24.0.0
relayor v23.2.0
Changes since v23.1.0
Prometheus
Add prometheus alert rules:
- alert when the online certificate expires within 15 days (this requires tor 0.4.8)
- alert when the DNS timeout fraction on exit relays exceeds 1.5% for 15minutes
- alert when onionskins are dropped for 15 minutes
HowTo use relayor's Prometheus Integration
OS Support
- Debian 12 is supported
- FreeBSD 13.2 is supported
- drop support for FreeBSD 12
relayor v23.1.0
Changes since v23.0.0
This release contains backward incompatible changes for prometheus integration users. They are flagged with
If you used prometheus integration with older releases, the easiest way to upgrade to v23.1.0 is to delete previously generated scrape configs and nginx config files and start with a minimal set of variables to make use of defaults as much as possible according to this guide.
Security: MetricsPort htpasswd Authentication Password Rollover (Low Risk)
Implement a workaround for ansible-collections/community.general#5975 by moving from a random username to a static username. This change will be reverted once upstream implements the "exclusive" parameter.
This issue affects you if all of these points apply to your environment:
- you use relayor's prometheus integration and the htpasswd file generation for nginx
- you attempted to do a password rollover by removing the folder
~/.tor/prometheus/scrape-usernames
or individual files in that folder without also removing~/.tor/prometheus/metrics_path
.
Impact: A new user gets added but the old user is not removed.
Manual steps recommended for all users of the htpasswd file feature: Update to v23.1.0 or newer, remove the htpasswd file and run your playbook again.
Prometheus Integration Changes
- usability improvements: simplification of how users enable prometheus integration
- ship a default value for
tor_prometheus_scrape_file
and change its semantic from abs. filepath to filename⚠️ - simplify nginx config by shipping a default value for
tor_metricsport_nginx_config_file
- ship a default value for
- implement conf.d style support for prometheus configuration and generate global
prometheus.yml
- remove default value of
tor_prometheus_host
so we can use it as the signal to enable prometheus integration⚠️ - remove the default of
tor_blackbox_exporter_host
so we can use it as a signal to enable blackbox_exporter integration⚠️ tor_gen_blackbox_scrape_config
is obsolete and ignored⚠️
- ship some prometheus alert rules for tor relays (off by default)
- support user defined prometheus alert rules
- change default value of
tor_gen_metricsport_htpasswd
: False -> True⚠️ - reload prometheus on config changes
- reload nginx on config changes
- add service label with value "torrelay"
- document prometheus security considerations
- rename
tor_prometheus_scrape_file_group
->tor_prometheus_group
⚠️
Misc
-
support more than two tor instances per IP address. We do not change the default of two tor instance per IP though. If you want to run more than two relays per IP set
tor_ports
accordingly. Make sure to not go over the limit at the time. The limit of relays per IP is at 4 as of this release and expected to increase in the near future. Check the linked gitlab issue. -
⚠️ remove the tor_dedicatedExitIP feature. You can setOutboundBindAddressExit
via
thetor_config
variable on a per server level. -
add some more example playbooks:
- 4 tor instances per IP
- prometheus integration
-
README improvements
Known issue: Test-kitchen for prometheus suites fail due to the reload nginx
handler.
relayor v23.0.0
Changes since relayor v22.2.1
Prometheus Integration
tor_prometheus_scrape_file
after upgrading to v23.0.0 and before running ansible-playbook
with v23.0.0 for the first time, see the README for an example value.
- 🎉 automatically populate some new labels (
relaytype
,tor_nickname
, ...) depending on your tor configuration. As an example, these are handy when generating bandwidth graphs with exit vs non-exit traffic. - add support for custom user-defined labels
- scrape file: move from one global scrape file for all hosts to one file per host to support running with ansible-playbook's
--limit
option without unintentionally removing all other hosts not included in the playbook run - support custom scrape config file group setting (
tor_prometheus_scrape_file_group
) - bugfix: properly quote IPv6 IPs in blackbox scrape configs
Version Requirements
- require tor 0.4.7.x (drop support for tor 0.4.5)
OS Support
- add FreeBSD 12.4 support
Test-Kitchen
- set host specific paths to avoid idempotency test failures
- remove temporary workaround for hashicorp/vagrant/pull/12584
- avoid creating hostnames > 63 chars
- we do not need alpha versions for MetricsPort tests: added tests for stable
relayor v22.2.1
Changes since relayor v22.2.0-rc
Bugfixes
- previously we failed to generate a valid torrc file on exits with
dirport 0
usingtor_dedicatedExitIP
(reported by @appliedprivacy)
Minor
- tor_htpasswd_dependency on FreeBSD: py38-passlib => py39-passlib
relayor v22.2.0-rc
Changes since relayor v22.1.0-rc
Bugfixes
Version Requirements
- increase min. ansible version from 2.9.x to ansible-core 2.12.x (ansible 5.x) - ansible 2.9 reached end-of-life in May 2022
- remove a long term ansible filter bug workaround (from 2016) no no longer required with ansible 2.12.x (#80)
- increase min. tor version from 0.4.5.x to 0.4.7.x (for MetricsPort)
Misc
- support control machines where the tor binary is not named 'tor' (#229)
- Clarify note regarding port changes (patch by Stefan Leibfarth)
- Fix repo name for tor nightly releases (patch by Sean Stiglitz)
- add kitchen test case for nightly repo
- introduce a new tag for prometheus tasks: promconfig
- remove vars:
tor_prometheus_scrape_username
andtor_prometheus_scrape_metrics_path
OS Support Changes
- add Ubuntu 22.04 support (drop 20.04)
- add OpenBSD 7.1 support (drop 6.9)
- add FreeBSD 13.1 support
- drop support for Debian oldstable (buster)
relayor v22.1.0-rc
Changes since relayor v22.0.0-rc:
- add support for prometheus blackbox_exporter scrape configuration generation
- this feature generates a prometheus scrape config for blackbox_exporter to monitor the reachability of all your ORPorts/DirPorts on IPv4 and IPv6
- blackbox exporter behind HTTP basic auth is supported
- this feature does not depend on MetricsPort support and can be used on all tor relays even those that do not support MetricsPort (like current stable tor versions)
- prometheus MetricsPort security support improvements:
- randomize metrics_path
- randomize HTTP basic auth username
- kitchen: add test for blackbox_exporter scenario
relayor v22.0.0-rc
Changes since relayor v21.2.0-rc:
- MetricsPort support improvements:
- generate nginx reverse server config for remote prometheus scraping on the relay
- generate htpasswd file for HTTP basic auth on the relay
- debian/ubuntu: upstream changed the tor alpha packages repo name to a generic name (branch name is no longer included in the name).
- FreeBSD 12.3 is supported (remove 12.2)
- kitchen integration testing: MetricsPort tests no longer require nightly builds (use alpha release now)