Changes since v24.0.0

• FreeBSD 14.1 is supported (drop support for FreeBSD 14.0)
• FreeBSD: use absolute path for sysctl (#246)
• README: tor 0.4.7.x reached end of life
• fix a minor Jinja warning

Changes since v23.2.0

• increase min. ansible version: 2.12 -> 2.16
• increase min. tor version 0.4.7 -> 0.4.8
• FreeBSD 14.0 is supported; drop support for 13.2
• OpenBSD 7.4 is supported
• drop support for Debian 11

Full Changelog: https://github.com/nusenu/ansible-relayor/compare/v23.2.0...v24.0.0

Changes since v23.1.0

Prometheus

Add prometheus alert rules:

• alert when the online certificate expires within 15 days (this requires tor 0.4.8)
• alert when the DNS timeout fraction on exit relays exceeds 1.5% for 15minutes
• alert when onionskins are dropped for 15 minutes

HowTo use relayor's Prometheus Integration

OS Support

• Debian 12 is supported
• FreeBSD 13.2 is supported
• drop support for FreeBSD 12

Changes since v23.0.0

This release contains backward incompatible changes for prometheus integration users. They are flagged with ⚠️
If you used prometheus integration with older releases, the easiest way to upgrade to v23.1.0 is to delete previously generated scrape configs and nginx config files and start with a minimal set of variables to make use of defaults as much as possible according to this guide.

Security: MetricsPort htpasswd Authentication Password Rollover (Low Risk)

Implement a workaround for https://github.com/ansible-collections/community.general/issues/5975 by moving from a random username to a static username. This change will be reverted once upstream implements the "exclusive" parameter.

This issue affects you if all of these points apply to your environment:

• you use relayor's prometheus integration and the htpasswd file generation for nginx
• you attempted to do a password rollover by removing the folder ~/.tor/prometheus/scrape-usernames or individual files in that folder without also removing ~/.tor/prometheus/metrics_path.

Impact: A new user gets added but the old user is not removed.

Manual steps recommended for all users of the htpasswd file feature: Update to v23.1.0 or newer, remove the htpasswd file and run your playbook again.

Prometheus Integration Changes

• usability improvements: simplification of how users enable prometheus integration
  • ship a default value for tor_prometheus_scrape_file and change its semantic from abs. filepath to filename ⚠️
  • simplify nginx config by shipping a default value for tor_metricsport_nginx_config_file
• implement conf.d style support for prometheus configuration and generate global prometheus.yml
• remove default value of tor_prometheus_host so we can use it as the signal to enable prometheus integration ⚠️
• remove the default of tor_blackbox_exporter_host so we can use it as a signal to enable blackbox_exporter integration ⚠️
  • tor_gen_blackbox_scrape_config is obsolete and ignored ⚠️
• ship some prometheus alert rules for tor relays (off by default)
• support user defined prometheus alert rules
• change default value of tor_gen_metricsport_htpasswd: False -> True ⚠️
• reload prometheus on config changes
• reload nginx on config changes
• add service label with value "torrelay"
• document prometheus security considerations
• rename tor_prometheus_scrape_file_group -> tor_prometheus_group ⚠️

Misc

• support more than two tor instances per IP address. We do not change the default of two tor instance per IP though. If you want to run more than two relays per IP set tor_ports accordingly. Make sure to not go over the limit at the time. The limit of relays per IP is at 4 as of this release and expected to increase in the near future. Check the linked gitlab issue.

• ⚠️ remove the tor_dedicatedExitIP feature. You can set OutboundBindAddressExit via
  the tor_config variable on a per server level.

• add some more example playbooks:

  • 4 tor instances per IP
  • prometheus integration

• README improvements

Known issue: Test-kitchen for prometheus suites fail due to the reload nginx handler.

Changes since relayor v22.2.1

Prometheus Integration

⚠️ NOTE: If you used relayor's prometheus support in previous relayor releases make sure to set tor_prometheus_scrape_file after upgrading to v23.0.0 and before running ansible-playbook with v23.0.0 for the first time, see the README for an example value.

• 🎉 automatically populate some new labels (relaytype, tor_nickname, ...) depending on your tor configuration. As an example, these are handy when generating bandwidth graphs with exit vs non-exit traffic.
• add support for custom user-defined labels
• scrape file: move from one global scrape file for all hosts to one file per host to support running with ansible-playbook's --limit option without unintentionally removing all other hosts not included in the playbook run
• support custom scrape config file group setting (tor_prometheus_scrape_file_group)
• bugfix: properly quote IPv6 IPs in blackbox scrape configs

Version Requirements

• require tor 0.4.7.x (drop support for tor 0.4.5)

OS Support

• add FreeBSD 12.4 support

Test-Kitchen

• set host specific paths to avoid idempotency test failures
• remove temporary workaround for hashicorp/vagrant/pull/12584
• avoid creating hostnames > 63 chars
• we do not need alpha versions for MetricsPort tests: added tests for stable

Changes since relayor v22.2.0-rc

Bugfixes

• previously we failed to generate a valid torrc file on exits with dirport 0 using tor_dedicatedExitIP (reported by @appliedprivacy)

Minor

• tor_htpasswd_dependency on FreeBSD: py38-passlib => py39-passlib

Changes since relayor v22.1.0-rc

Bugfixes

• fix prometheus scrape config generation

Version Requirements

• increase min. ansible version from 2.9.x to ansible-core 2.12.x (ansible 5.x) - ansible 2.9 reached end-of-life in May 2022
  • remove a long term ansible filter bug workaround (from 2016) no no longer required with ansible 2.12.x (#80)
• increase min. tor version from 0.4.5.x to 0.4.7.x (for MetricsPort)

Misc

• support control machines where the tor binary is not named 'tor' (#229)
• Clarify note regarding port changes (patch by Stefan Leibfarth)
• Fix repo name for tor nightly releases (patch by Sean Stiglitz)
• add kitchen test case for nightly repo
• introduce a new tag for prometheus tasks: promconfig
• remove vars: tor_prometheus_scrape_username and tor_prometheus_scrape_metrics_path

OS Support Changes

• add Ubuntu 22.04 support (drop 20.04)
• add OpenBSD 7.1 support (drop 6.9)
• add FreeBSD 13.1 support
• drop support for Debian oldstable (buster)

Changes since relayor v22.0.0-rc:

• add support for prometheus blackbox_exporter scrape configuration generation
  • this feature generates a prometheus scrape config for blackbox_exporter to monitor the reachability of all your ORPorts/DirPorts on IPv4 and IPv6
  • blackbox exporter behind HTTP basic auth is supported
  • this feature does not depend on MetricsPort support and can be used on all tor relays even those that do not support MetricsPort (like current stable tor versions)
• prometheus MetricsPort security support improvements:
  • randomize metrics_path
  • randomize HTTP basic auth username
• kitchen: add test for blackbox_exporter scenario

Changes since relayor v21.2.0-rc:

• MetricsPort support improvements:
  • generate nginx reverse server config for remote prometheus scraping on the relay
  • generate htpasswd file for HTTP basic auth on the relay
• debian/ubuntu: upstream changed the tor alpha packages repo name to a generic name (branch name is no longer included in the name).
• FreeBSD 12.3 is supported (remove 12.2)
• kitchen integration testing: MetricsPort tests no longer require nightly builds (use alpha release now)

NOTE: This release contains a backwards incompatible change, if you upgrade from an older release please read the upgrade guide before upgrading.

Changes since relayor v21.1.0

• major new features:
  • add support for tor's prometheus exporter (MetricsPort)
    • this is a relayor beta feature requiring tor >=0.4.7.2-alpha) #217
    • generates prometheus scrape, nginx reverse and htpasswd config files on the control node for easy copy paste into your prometheus/nginx configuration
    • every tor instance gets a prometheus ID label (IP_ORPort)
  • support arbitrary torrc options #192
• fix broken debian tag - reported by @jn9999 #224
• fix broken link - PR by @jn9999 #223
• README:
  • make clear that we do not remove previously managed tor instances on config change - reported by @tsekityam
  • update OfflineMasterKeys link
• make apt update_cache configurable
• drop support for Debian 9
• increase min. ansible version 2.9.23 -> 2.9.27

changes since relayor v21.0.1

• generate ContactInfo v2 proof files for easy publishing (if enabled via variable tor_gen_ciiss_proof_files)
• update apt cache if it is older than one day before installing dependencies (patch by @tsekityam) #219 #220
• increase min. ansible version 2.9.13 -> 2.9.23
• increase min. tor version 0.3.5 -> 0.4.5
• Debian 11, FreeBSD 13 and OpenBSD 6.9 are supported
• kitchen.yml: add debian-11 and Freebsd 13 platforms and remove fedora/centos

changes since relayor v21.0.0

• install the gpg package by default on debian based systems (patch by @anadahz)
• reload tor when the tor-exit-notice html file is changed (patch by @anadahz)

changes since relayor v20.1.0

• replace the expired GPG signing key used for debian packages from deb.torproject.org
  • it is now fetched directly from the authoritative source (https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc) to avoid expiring GPG keys in the future
• update tor_alpha_version 0.4.4.x -> 0.4.5.x
• FreeBSD 12.2 is supported
• OpenBSD 6.8 is supported

The ansible-relayor signing key has been updated
https://keys.openpgp.org/search?q=A7B5DB91CE04C9E0BE66446B8CBE52BD4D705DE9

changes since v20.0.2:

• bugfix: restart tor instead of reloading it when the configuration changed (reloading is not supported by tor in all cases) (#189)
• make tor_ContactInfo variable mandatory
• update tor alpha version: 0.4.3 -> 0.4.4
• add support for FreeBSD 11.4 (drop 11.3)
• increase min. ansible version from 2.9.7 to 2.9.12

changes since v20.0.1

• increase min supported tor version 0.2.9 -> 0.3.5
• increase min. ansible version from 2.9.1 to 2.9.7
• add support for OpenBSD 6.7
• add support for Ubuntu 20.04 (drop 18.04)
• add example playbook to README (#210)

changes since v20.0.0:

• update tor alpha version: 0.4.2 -> 0.4.3

changes since relayor v19.1.7:

• add support for per-instance exit policies (#186)
• kitchen: update platform strings in test/integration/default/vars/exit-conf for t-mixed kitchen playbooks

changes since relayor v19.0.0:

OS support

• added:
  • Debian 10
  • OpenBSD 6.6
  • FreeBSD 12.1
• removed support for CentOS and Fedora (b60553955408ecb5e93aa77d3e84e82dc6538aa5)

Requirements

• increase min. tor version to 0.3.5.x (from 0.2.9.x)
• increase min. ansible version to 2.9.1

Misc

• README: move "Reporting Security Bugs" section into separate SECURITY.md file
• Update tor_dnsresolver_blacklist (e88caa652ac704e20b7ac2e187c8c371d0e11059)
• fix broken URLs in the tor-exit-notice HTML file

test kitchen/ansible-lint/travis-ci

• show file diff in kitchen ansible output
• fix multiple ansible-lint warnings (#193)
• add Travis CI config with ansible-lint check

changes since relayor v18.1.1:

• torrc:
  • enable tor's Sandbox feature by default on Ubuntu (where it was previously disabled as a workaround for #160 )
  • don't set tor RelayBandwidthBurst if the input field is empty
• increase tor_alpha_version 0.3.4.x -> 0.4.0.x
• increase min ansible version 2.6.2 -> 2.7.8
• add support for OpenBSD 6.4
• add support for FreeBSD 12 (drop 10.x)
• README: mark CentOS/Fedora as currently broken due to upstream package issues #185
• test-kitchen:
  • add OpenBSD support
  • add guard-alpha test-suite