ansible-honeybadger

Because Honeybadger don't give a sh*t!

What's it do?

Honeybadger sets up tor and/or bitcoind on your cheap spare VPS boxes. You can think of it as an extended and improved version of Tor Cloud. We handle the grunt work so you can get on with your life. Set it and forget it.

Tor and Bitcoin are dependent on their P2P networks to function. These P2P nodes are often difficult to run, but they're important to many people. Tor is heavily used in countries like China and Russia, where there is no freedom of speech. Bitcoin promises both the technical and social benefits of a currency outside the control of any state or central bank.

Primary Services

  • tor installed fresh from the torproject.org repository
  • bitcoind with included monit scripts

Support Services

  • unattended-upgrades for automatic updates
  • monit to recover from application crashes
  • ufw will aggressively block any unused ports
  • nginx proxies tor's DirPort to port 80, while allowing the port to still be used for monitoring tools

Monitoring Tools

  • tor-arm is a cli monitor for tor
  • htop provides a nice UI for monitoring system load
  • aptitude is a better version of apt-get, with a curses UI

Configuration

  • passwordless (key-only) ssh removes the exposure to weak passwords
  • passwordless sudo yields convenience, relying on that key-only ssh config
  • ssh command users, e.g. ssh [email protected]

Goals

  • Easy as possible — The hardest part is figuring out how much bandwidth to allocate.

  • Safe defaults — Tor isn't configured to run as an exit node by default. You may configure this, but by default you should never receive any abuse complaints.

  • Services are dumb relays — As the person running this, you get nothing out of it, except a warm fuzzy feeling in your heart.

  • Zero-consequence — Since you don't depend on it, and since P2P networks like tor and bitcoin are resilient, it shouldn't matter if things go down. We make it easy to re-deploy if a box catches fire.

  • Easy monitoring — Running a headless box is no fun without lots of numbers and graphs to show for it!

  • Battle tested — I've thrown these scripts on as many boxes as I can find. If you find a hosting provider with a configuration that breaks Honeybadger, it's our bug, and we'll work around it.

You can buy shitty, unreliable VPSes, and throw Honeybadger on them! If your host oversells their RAM and kills your processes, monit will start them back up. If your provider is run by a 12-year-old and your VPS goes offline each week, Honeybadger will ensure everything works when it comes back up. If your hard drive dies in a fire — just re-run Honeybadger.

Requirements

  • The target server should be running Ubuntu 16.04 LTS. Right now, this is our only deployment target, but almost every hosting provider supports it.

  • Honeybadger assumes it's the only thing on your server, so don't put it next to your corporate email!

  • If you want to enable bitcoind, you'll need enough disk space to store the blockchain, with some room to grow. Bitcoind also needs more than 256mb of RAM.

  • Tor runs poorly with 96mb of RAM, okay with 128mb of RAM, and can probably steadily max out an unmetered 100mbit port with 256mb of RAM. Keep in mind that budget OpenVZ providers will often oversell RAM. A 32-bit distribution will reduce RAM consumption. A 64-bit distribution may reduce CPU usage.

Running

Deployment instructions are dependent on your desktop computer's setup.

If someone's not running the above platforms and can translate the instructions and autosetup tools for their platform, the help would be greatly appreciated.

Updating

Always check the upgrade documentation before updating.

Monitoring Tools

We set up a number of ssh users that can be used to conveniently access monitoring and maintenance tools:

These save you a bit of typing and give you some cool geek cred. They copy the ssh authorized_keys files from the root user, so if you add any more ssh keys, simply re-run ansible-honeybadger.

We also set up a page on port 80 for you using nginx (example). This doesn't inhibit Tor from using port 80 however, because we can proxy the DirPort.

Bandwidth Throttling

While Honeybadger is a great way to abuse fully utilize an unmetered bandwidth plan, many providers limit your monthly bandwidth usage.

There's no easy way to throttle bitcoind, although there are workarounds using iptables. If you're on a metered plan, it's suggested you disable bitcoind.

It's easy to throttle tor. Simply set the tor_bandwidth_rate and tor_bandwidth_burst variables.

Backing up Tor's secret_id_key

Tor's secret_id_key gets backed up to secrets/tor/example.com_secret_id_key, where example.com is the inventory hostname. Saving this file, along with your hosts, host_vars, and group_vars config files, will allow you to restore a tor relay if the original host goes down. Honeybadger will find a secret_id_key if it's in the right location, and restore it automatically.

Restoring a Tor relay allows you to avoid Tor's multiple-month-long bandwidth discovery process, and works even if your IP changes.
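The backup and restore check described above, as an added Python example that is not part of the role. It assumes (not stated on this page) that Tor keeps the relay identity key as a PEM "RSA PRIVATE KEY" block at keys/secret_id_key under its DataDirectory, and it runs against a constructed, non-functional key body in a temporary directory.

```python
import os
import stat
import tempfile

# Assumption (not from the page): Tor keeps the relay identity key as a PEM "RSA PRIVATE KEY" at <DataDirectory>/keys/secret_id_key.
PEM_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
PEM_FOOTER = "-----END RSA PRIVATE KEY-----"

def backup_path(secrets_dir, inventory_hostname):
    return os.path.join(secrets_dir, "tor", f"{inventory_hostname}_secret_id_key")

def looks_like_identity_key(data):
    # Reject truncated or wrong files before they are copied or restored.
    lines = data.strip().splitlines()
    return len(lines) >= 3 and lines[0] == PEM_HEADER and lines[-1] == PEM_FOOTER

def backup_key(data_directory, secrets_dir, inventory_hostname):
    with open(os.path.join(data_directory, "keys", "secret_id_key")) as f:
        data = f.read()
    if not looks_like_identity_key(data):
        raise ValueError("secret_id_key is not a PEM RSA private key")
    dest = backup_path(secrets_dir, inventory_hostname)
    os.makedirs(os.path.dirname(dest), mode=0o700, exist_ok=True)
    # Create 0600 from the start so the key is never world-readable, even briefly.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return dest

def find_backup(secrets_dir, inventory_hostname):
    # Path to restore from, or None if absent, malformed, or group/world readable.
    path = backup_path(secrets_dir, inventory_hostname)
    if not os.path.isfile(path) or stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        return None
    with open(path) as f:
        return path if looks_like_identity_key(f.read()) else None

def demo():
    # Round trip in a temp dir with a constructed, non-functional key body.
    fake_key = "\n".join([PEM_HEADER, "MIIEfakeKeyBodyForThisExampleOnly", PEM_FOOTER]) + "\n"
    with tempfile.TemporaryDirectory() as tmp:
        datadir, secrets = os.path.join(tmp, "tor"), os.path.join(tmp, "secrets")
        os.makedirs(os.path.join(datadir, "keys"))
        with open(os.path.join(datadir, "keys", "secret_id_key"), "w") as f:
            f.write(fake_key)
        dest = backup_key(datadir, secrets, "example.com")
        result = {"mode_ok": stat.S_IMODE(os.stat(dest).st_mode) == 0o600,
                  "found": find_backup(secrets, "example.com") == dest}
        os.chmod(dest, 0o644)  # simulate a backup that was left world-readable
        result["rejected"] = find_backup(secrets, "example.com") is None
    return result
```

A backup that has become group- or world-readable is refused rather than restored, since an identity key others could have read should not be reused as the relay's identity.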

Known Issues

UFW Doesn't Always Work on OpenVZ

If you're on OpenVZ, you might see something like:

msg: ERROR: problem running ufw-init
modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-042stab090.5/modules.builtin.bin'
modprobe: FATAL: Module nf_conntrack_ftp not found.
modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-042stab090.5/modules.builtin.bin'
modprobe: FATAL: Module nf_nat_ftp not found.
modprobe: ERROR: ../libkmod/libkmod.c:507 kmod_lookup_alias_from_builtin_file() could not open builtin file '/lib/modules/2.6.32-042stab090.5/modules.builtin.bin'
modprobe: FATAL: Module nf_conntrack_netbios_ns not found.
ip6tables-restore: line 4 failed
ip6tables-restore: line 73 failed
ip6tables-restore: line 30 failed
sysctl: permission denied on key 'net.ipv4.tcp_sack'

Problem running '/etc/ufw/before6.rules'
Problem running '/lib/ufw/user6.rules'

This is because UFW has compatibility issues with some OpenVZ setups. You can simply turn off UFW in your hosts file:

example.com  ufw=False

"I think my provider is killing tor"

Some OpenVZ providers will automatically run killall tor instead of simply disallowing Tor in the AUP or opening a ticket. This is a sleazy thing to do, but we have our own sleazy workaround. You can simply change the process name in the appropriate host_vars file:

tor_procname: nginx

This uses LD_PRELOAD to inject a library that overwrites the process name, and reconfigures monit appropriately.

Keep in mind that this trick doesn't make Tor invisible to your provider, but will at least prevent their scripts from working.

License

Unless otherwise noted in the files themselves, all files in this repository are licensed under the MIT license.

ansible-honeybadger's People

Contributors

bgw

Forkers

hertzorg

ansible-honeybadger's Issues

Monit disallows 0644 permissions on ansible "verify" file

As reported in gitter, by @nanpanman

TASK: [monit | configure monit] *
failed: [localhost] => {"failed": true}
msg: failed to validate: rc:1 error:monit: The control file '/root/.ansible/tmp/ansible-tmp-1425791610.53-31953876324565/source' must have permissions no more than -rwx------ (0700); right now permissions are -rw-r--r-- (0644).

FATAL: all hosts have already failed -- aborting

This may be an issue unique to ansible being run as root.

Set up ntpd

While OpenVZ relies on the host to provide the time, KVM/VMware/Xen machines are responsible for their own time. I'm not sure of any vulnerability or issue this could introduce (if clients leak skewed timestamps, it's a problem, but relays aren't hidden), but the tor documentation suggests using ntp, and it's easy enough, so we should.

Autoremove some common packages included in OVZ/KVM templates

We already remove Apache, but I've also noticed providers including:

  • sendmail
  • samba
  • bind9
  • xinetd

In the interest of reducing needed resources and reducing attack surface, we should probably also remove these packages. Honeybadger already assumes it is the only thing on the system.

Give option to use cpulimit on bitcoind

Bitcoind uses a lot of CPU power and IO load during initial sync.

While nice-ing should be enough, a lot of OVZ providers are concerned about load and percent utilization.

Request for features: Namecoin + I2P

2016-FEB-07

Thus far ansible-honeybadger allows a server to act as:

  • Tor Node
  • Bitcoin Node

I propose we add features to ansible-honeybadger to also include:

  • Namecoin Node: Namecoin is an essential technology that necessarily needs more decentralization.
  • I2P Node: Could also use network growth that would benefit from more nodes.
