intrigeri authored
The only reason why we deployed these files elsewhere in tails_secrets_whisperback before, and then bind-mounted the destination to the actual place where tor would look for these files, was to ensure we copied them to an encrypted filesystem, back when we had systems without FDE, with a small encrypted filesystem where we would store the secrets we thought about (while other secrets would be stored in cleartext). I'm reasonably certain we will not deploy tails::whisperback::relay on a system without FDE, without giving it a second thought, so let's simplify.

Also, stop using tor::daemon::onion_service because its v3 support seems broken to the point I think nobody ever tested it.

Finally, I initially wanted to distribute the Onion service secret and public keys via Hiera, so we could fully deprecate the tails_secrets_whisperback module, but their content is binary so I gave up on this.

This requires upgrading tor to stretch-backports on the monitoring master, so that tails::monitoring::service::whisperback can connect to the v3 HS.
87558706