• intrigeri's avatar
    Switch to new Onion service v3 and deploy the corresponding files ourselves (#17110) · 87558706
    intrigeri authored
    The only reason why we deployed these files elsewhere in
    tails_secrets_whisperback before, and then bind-mounted the destination to the
    actual place where tor would look for these files, was to ensure we copied them
    to an encrypted filesystem, back when we had systems without FDE, with a small
    encrypted filesystem where we would store the secrets we thought about (while
    other secrets would be stored in cleartext). I'm reasonably certain we will
    not deploy tails::whisperback::relay on a system without FDE, without
    giving it a second thought, so let's simplify.
    Also, stop using tor::daemon::onion_service because its v3 support seems
    broken to the point I think nobody ever tested it.
    Finally, I initially wanted to distribute the Onion service secret and public
    keys via Hiera, so we could fully deprecate the tails_secrets_whisperback
    module, but their content is binary so I gave up on this.
    This requires upgrading tor to stretch-backports on the monitoring master,
    so that tails::monitoring::service::whisperback can connect to the v3 HS.