This playbook creates a bash script to deploy totp.maverickgeek.xyz as a Tor Onion Service.

TOTP Generator Onion: totpmgx6wksbquraailhqzyaue6e6k47zcvvxkknsdm5puwavc4kegqd.onion

Assumption: The instance runs in Google Cloud using the Terraform script below,
- terraform__gcloud-instance

bin/deploy.sh uses an Ansible ad-hoc task to run deploy_totp_tor.sh on the instance.

- GitHub: github.com/k3karthic/ansible__totp-generator-tor
- Codeberg: codeberg.org/k3karthic/ansible__totp-generator-tor
Install the following before running the playbook,
$ ansible-galaxy collection install community.general
$ ansible-galaxy collection install ansible.posix
$ pip install google-auth requests
$ ansible-galaxy collection install google.cloud
The Google Ansible Inventory Plugin populates public FreeBSD instances. The target FreeBSD instance must have the labels os: freebsd and tor_service: yes.
- Create inventory/google.gcp_compute.yml based on inventory/google.gcp_compute.yml.sample,
  - Specify the project ID
  - Specify the zone where you have deployed your server on Google Cloud
  - Configure the authentication,
    - Application Default Credentials (auth_kind: application)
      - Import credentials from the Google Cloud environment (e.g., Google Cloud Shell)
      - Import credentials from the Google Cloud SDK if it is installed
    - Service Account (auth_kind: serviceaccount)
      - Use a service account for authentication. Refer to cloud.google.com/docs/authentication/production#create_service_account.
      - Set service_account_file to the credential file or service_account_contents to the JSON content
    - Machine Account (auth_kind: machineaccount)
      - When running on Compute Engine, use the service account attached to the instance
- Set the username and SSH authentication in inventory/group_vars/
- Create roles/tor/files/torrc from roles/tor/files/torrc.sample
An onion service requires an ed25519 keypair. Tor derives the public hostname from the keypair. One can create a vanity onion hostname using cathugger/mkp224o.

After generating a keypair, copy the following files into roles/tor/files/hidden_service__totp,
- hostname
- hs_ed25519_public_key
- hs_ed25519_secret_key
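Because the hostname is derived from the public key, the three files copied above can be checked for consistency before the playbook ships them to the instance: a hostname that does not match hs_ed25519_public_key means the wrong keypair was copied, and the service would come up under a different address. The script below is an added example, not part of this repository, that implements the v3 onion address derivation from the Tor rendezvous spec (base32 of pubkey || SHA3-256(".onion checksum" || pubkey || version)[:2] || version) and reads Tor's hs_ed25519_public_key layout (a 32-byte tag followed by the 32-byte key). The demo key and the sample key file are constructed inline; the only project value it uses is the onion address from the top of this page.

```python
import base64
import binascii
import hashlib

# v3 onion addresses carry a one-byte version field, currently 3.
ONION_VERSION = 3

# Tor writes hs_ed25519_public_key as a 32-byte tag followed by the raw key.
PUBKEY_FILE_TAG = b"== ed25519v1-public: type0 ==".ljust(32, b"\x00")

# The address published at the top of this page (used only as decode input).
PAGE_ADDRESS = "totpmgx6wksbquraailhqzyaue6e6k47zcvvxkknsdm5puwavc4kegqd.onion"


def onion_checksum(pubkey: bytes, version: int = ONION_VERSION) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    h = hashlib.sha3_256()
    h.update(b".onion checksum")
    h.update(pubkey)
    h.update(bytes([version]))
    return h.digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the .onion hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + bytes([ONION_VERSION])
    # 35 bytes is a multiple of 5, so base32 needs no padding: 56 chars.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion(address: str):
    """Split an address into (pubkey, checksum, version); raises on bad input."""
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if len(name) != 56:
        raise ValueError("v3 onion names are exactly 56 base32 characters")
    raw = base64.b32decode(name.upper())
    return raw[:32], raw[32:34], raw[34]


def onion_address_is_valid(address: str) -> bool:
    """True if the address has version 3 and a checksum matching its key."""
    try:
        pubkey, checksum, version = decode_onion(address)
    except (ValueError, binascii.Error):
        return False
    return version == ONION_VERSION and checksum == onion_checksum(pubkey, version)


def pubkey_from_keyfile(data: bytes) -> bytes:
    """Extract the raw key from the contents of hs_ed25519_public_key."""
    if len(data) != 64 or data[:32] != PUBKEY_FILE_TAG:
        raise ValueError("not a Tor hs_ed25519_public_key file")
    return data[32:]


def keyfile_matches_hostname(keyfile_data: bytes, hostname_text: str) -> bool:
    """Check that the hostname file belongs to the public key file."""
    derived = onion_address(pubkey_from_keyfile(keyfile_data))
    return derived == hostname_text.strip().lower()


if __name__ == "__main__":
    # Constructed demo key, not a real service key.
    demo_key = bytes(range(32))
    demo_file = PUBKEY_FILE_TAG + demo_key
    addr = onion_address(demo_key)
    print("demo address:", addr, "valid:", onion_address_is_valid(addr))
    print("keyfile matches hostname:", keyfile_matches_hostname(demo_file, addr + "\n"))
    print("page address valid:", onion_address_is_valid(PAGE_ADDRESS))
```

Run it against the real files with something like `keyfile_matches_hostname(open("hs_ed25519_public_key", "rb").read(), open("hostname").read())` before committing the directory; the check never touches hs_ed25519_secret_key, so it is safe to run on the encrypted-at-rest copy after decryption without exposing the secret to anything but the filesystem it already lives on.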
Run the playbook using the following command,
$ ./bin/apply.sh
Encrypt sensitive files (the onion service keypair and SSH private keys) before saving them. .gitignore must contain the unencrypted file paths.
Use the following command to decrypt the files after cloning the repository,
$ ./bin/decrypt.sh
Use the following command after running terraform to update the encrypted files,
$ ./bin/encrypt.sh <gpg key id>