Releases: nusenu/ansible-relayor

relayor v24.0.0

24 Mar 13:33
v24.0.0

relayor v23.2.0

28 Aug 17:26
v23.2.0

Changes since v23.1.0

Prometheus

Add prometheus alert rules:

  • alert when the online certificate expires within 15 days (this requires tor 0.4.8)
  • alert when the DNS timeout fraction on exit relays exceeds 1.5% for 15 minutes
  • alert when onionskins are dropped for 15 minutes

HowTo use relayor's Prometheus Integration

OS Support

  • Debian 12 is supported
  • FreeBSD 13.2 is supported
  • drop support for FreeBSD 12

relayor v23.1.0

12 Feb 16:39
v23.1.0

Changes since v23.0.0

This release contains backward incompatible changes for prometheus integration users. They are flagged with ⚠️
If you used prometheus integration with older releases, the easiest way to upgrade to v23.1.0 is to delete previously generated scrape configs and nginx config files and start with a minimal set of variables to make use of defaults as much as possible according to this guide.

Security: MetricsPort htpasswd Authentication Password Rollover (Low Risk)

Implement a workaround for ansible-collections/community.general#5975 by moving from a random username to a static username. This change will be reverted once upstream implements the "exclusive" parameter.

This issue affects you if all of these points apply to your environment:

  • you use relayor's prometheus integration and the htpasswd file generation for nginx
  • you attempted to do a password rollover by removing the folder ~/.tor/prometheus/scrape-usernames or individual files in that folder without also removing ~/.tor/prometheus/metrics_path.

Impact: A new user gets added but the old user is not removed.

Manual steps recommended for all users of the htpasswd file feature: Update to v23.1.0 or newer, remove the htpasswd file and run your playbook again.
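
A check for the leftover-user condition described above, as an added example that is not part of relayor: it parses the content of an nginx htpasswd file and reports every account other than the expected one. The sample file content and usernames are constructed, and `parse_htpasswd` / `audit_htpasswd` are hypothetical helper names.

```python
"""Audit an nginx htpasswd file for leftover scrape users after a rollover."""

# Constructed sample of the affected state: the old user is still present next
# to the new one. Usernames and hashes are placeholders, not real credentials.
SAMPLE_HTPASSWD = """\
# constructed example file
olduser_constructed:$2y$05$PLACEHOLDERHASHFOROLDUSER
currentuser_constructed:$2y$05$PLACEHOLDERHASHFORNEWUSER
"""


def parse_htpasswd(text):
    """Return (entries, malformed_line_numbers) for htpasswd file content."""
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no account
        user, sep, pw_hash = line.partition(":")
        if not sep or not user or not pw_hash:
            malformed.append(lineno)
            continue
        entries.append((user, pw_hash))
    return entries, malformed


def audit_htpasswd(text, expected_user):
    """Flag every account other than the one that should be able to scrape."""
    entries, malformed = parse_htpasswd(text)
    users = [user for user, _ in entries]
    unexpected = sorted({u for u in users if u != expected_user})
    duplicates = sorted({u for u in users if users.count(u) > 1})
    present = expected_user in users
    return {
        "expected_present": present,
        "unexpected_users": unexpected,
        "duplicate_users": duplicates,
        "malformed_lines": malformed,
        "clean": present and not (unexpected or duplicates or malformed),
    }


if __name__ == "__main__":
    # expected_user is an assumption: pass the username your playbook run uses.
    report = audit_htpasswd(SAMPLE_HTPASSWD, "currentuser_constructed")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty `unexpected_users` list means an old credential can still authenticate against the MetricsPort endpoint.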

Prometheus Integration Changes

  • usability improvements: simplification of how users enable prometheus integration
    • ship a default value for tor_prometheus_scrape_file and change its semantics from absolute file path to filename ⚠️
    • simplify nginx config by shipping a default value for tor_metricsport_nginx_config_file
  • implement conf.d style support for prometheus configuration and generate global prometheus.yml
  • remove default value of tor_prometheus_host so we can use it as the signal to enable prometheus integration ⚠️
  • remove the default of tor_blackbox_exporter_host so we can use it as a signal to enable blackbox_exporter integration ⚠️
    • tor_gen_blackbox_scrape_config is obsolete and ignored ⚠️
  • ship some prometheus alert rules for tor relays (off by default)
  • support user defined prometheus alert rules
  • change default value of tor_gen_metricsport_htpasswd: False -> True ⚠️
  • reload prometheus on config changes
  • reload nginx on config changes
  • add service label with value "torrelay"
  • document prometheus security considerations
  • rename tor_prometheus_scrape_file_group -> tor_prometheus_group ⚠️

Misc

  • support more than two tor instances per IP address. We do not change the default of two tor instances per IP though. If you want to run more than two relays per IP, set tor_ports accordingly. Make sure not to exceed the limit in effect at the time. The limit of relays per IP is 4 as of this release and is expected to increase in the near future. Check the linked gitlab issue.

  • ⚠️ remove the tor_dedicatedExitIP feature. You can set OutboundBindAddressExit via the tor_config variable on a per server level.

  • add some more example playbooks:

    • 4 tor instances per IP
    • prometheus integration
  • README improvements

Known issue: Test-kitchen runs for the prometheus suites fail due to the reload nginx handler.

relayor v23.0.0

28 Jan 01:40
v23.0.0

Changes since relayor v22.2.1

Prometheus Integration

⚠️ NOTE: If you used relayor's prometheus support in previous relayor releases make sure to set tor_prometheus_scrape_file after upgrading to v23.0.0 and before running ansible-playbook with v23.0.0 for the first time, see the README for an example value.

  • 🎉 automatically populate some new labels (relaytype, tor_nickname, ...) depending on your tor configuration. As an example, these are handy when generating bandwidth graphs with exit vs non-exit traffic.
  • add support for custom user-defined labels
  • scrape file: move from one global scrape file for all hosts to one file per host to support running with ansible-playbook's --limit option without unintentionally removing all other hosts not included in the playbook run
  • support custom scrape config file group setting (tor_prometheus_scrape_file_group)
  • bugfix: properly quote IPv6 IPs in blackbox scrape configs

Version Requirements

  • require tor 0.4.7.x (drop support for tor 0.4.5)

OS Support

  • add FreeBSD 12.4 support

Test-Kitchen

  • set host specific paths to avoid idempotency test failures
  • remove temporary workaround for hashicorp/vagrant/pull/12584
  • avoid creating hostnames > 63 chars
  • we do not need alpha versions for MetricsPort tests: added tests for stable

relayor v22.2.1

03 Dec 20:07
v22.2.1

Changes since relayor v22.2.0-rc

Bugfixes

  • previously we failed to generate a valid torrc file on exits with dirport 0 using tor_dedicatedExitIP (reported by @appliedprivacy)

Minor

  • tor_htpasswd_dependency on FreeBSD: py38-passlib => py39-passlib

relayor v22.2.0-rc

19 Jul 19:42
v22.2.0-rc

Changes since relayor v22.1.0-rc

Bugfixes

Version Requirements

  • increase min. ansible version from 2.9.x to ansible-core 2.12.x (ansible 5.x) - ansible 2.9 reached end-of-life in May 2022
    • remove a long-term ansible filter bug workaround (from 2016) that is no longer required with ansible 2.12.x (#80)
  • increase min. tor version from 0.4.5.x to 0.4.7.x (for MetricsPort)

Misc

  • support control machines where the tor binary is not named 'tor' (#229)
  • Clarify note regarding port changes (patch by Stefan Leibfarth)
  • Fix repo name for tor nightly releases (patch by Sean Stiglitz)
  • add kitchen test case for nightly repo
  • introduce a new tag for prometheus tasks: promconfig
  • remove vars: tor_prometheus_scrape_username and tor_prometheus_scrape_metrics_path

OS Support Changes

  • add Ubuntu 22.04 support (drop 20.04)
  • add OpenBSD 7.1 support (drop 6.9)
  • add FreeBSD 13.1 support
  • drop support for Debian oldstable (buster)

relayor v22.1.0-rc

09 Jan 17:26
v22.1.0-rc

Changes since relayor v22.0.0-rc:

  • add support for prometheus blackbox_exporter scrape configuration generation
    • this feature generates a prometheus scrape config for blackbox_exporter to monitor the reachability of all your ORPorts/DirPorts on IPv4 and IPv6
    • blackbox exporter behind HTTP basic auth is supported
    • this feature does not depend on MetricsPort support and can be used on all tor relays even those that do not support MetricsPort (like current stable tor versions)
  • prometheus MetricsPort security support improvements:
    • randomize metrics_path
    • randomize HTTP basic auth username
  • kitchen: add test for blackbox_exporter scenario

relayor v22.0.0-rc

03 Jan 22:39
v22.0.0-rc

Changes since relayor v21.2.0-rc:

  • MetricsPort support improvements:
    • generate nginx reverse server config for remote prometheus scraping on the relay
    • generate htpasswd file for HTTP basic auth on the relay
  • debian/ubuntu: upstream changed the tor alpha packages repo name to a generic name (branch name is no longer included in the name).
  • FreeBSD 12.3 is supported (remove 12.2)
  • kitchen integration testing: MetricsPort tests no longer require nightly builds (use alpha release now)

relayor v21.2.0-rc

19 Nov 17:17
v21.2.0-rc

NOTE: This release contains a backwards incompatible change, if you upgrade from an older release please read the upgrade guide before upgrading.

Changes since relayor v21.1.0

  • major new features:
    • add support for tor's prometheus exporter (MetricsPort)
      • this is a relayor beta feature (requiring tor >=0.4.7.2-alpha) #217
      • generates prometheus scrape, nginx reverse and htpasswd config files on the control node for easy copy paste into your prometheus/nginx configuration
      • every tor instance gets a prometheus ID label (IP_ORPort)
    • support arbitrary torrc options #192
  • fix broken debian tag - reported by @jn9999 #224
  • fix broken link - PR by @jn9999 #223
  • README:
    • make clear that we do not remove previously managed tor instances on config change - reported by @tsekityam
    • update OfflineMasterKeys link
  • make apt update_cache configurable
  • drop support for Debian 9
  • increase min. ansible version 2.9.23 -> 2.9.27

relayor v21.1.0

10 Oct 15:36
v21.1.0

Changes since relayor v21.0.1

  • generate ContactInfo v2 proof files for easy publishing (if enabled via variable tor_gen_ciiss_proof_files)
  • update apt cache if it is older than one day before installing dependencies (patch by @tsekityam) #219 #220
  • increase min. ansible version 2.9.13 -> 2.9.23
  • increase min. tor version 0.3.5 -> 0.4.5
  • Debian 11, FreeBSD 13 and OpenBSD 6.9 are supported
  • kitchen.yml: add debian-11 and FreeBSD 13 platforms and remove fedora/centos