
Deploy a .onion Site in Less Than 5 minutes - freddiearch
https://github.com/freddiebarrsmith/Ansible-Hidden-Service-Deployment

Hi guys, worked on this last night. Thought it may be useful or cool to deploy a .onion url automatically in 7 commands.

I'm also aware it's not particularly good formatting but should work fine.
======
Ao7bei3s
This is pretty badly done. Dear freddiearch, it's ok if you know that it's
low-quality and no real effort has gone into it (as you yourself have said),
but then please don't post it on HN and waste everyone else's time.

Notes/suggestions, in the interest of helping you get better at Ansible. I
hope you find them helpful:

* It leaves your Apache bound on all interfaces, exposing where your files are really hosted. Security fail. (And because of the port conflict I doubt it even works in its current state.)

* It doesn't even work, due to the double "command" in "add keys". Only the second one will actually be run. (It's obvious you never tested on a fresh system. Learn about Vagrant next. It also has super-easy ansible integration. That fits the scenario really well too. Wouldn't that be awesome? "vagrant up" from any machine, wait a minute, and you have an .onion server in the Tor network?)

* Please spend 10 minutes and read the module list at [https://docs.ansible.com/ansible/modules_by_category.html](https://docs.ansible.com/ansible/modules_by_category.html) completely and use them. If you have to use "command" tasks (seldom the case), at least implement "changed_when" and think about if you need "when" and "failed_when". Also consider --check mode. You used command in cases where you could have used: apt, apt_repository, apt_key, service,

* Use the long key id in the --recv command too. The short will work even when there are conflicts, but it'll leave the additional (probably malicious) key in your local keyring, which may or may not confuse you later.

* The apparmor restart should be done in a handler, conditional on the config actually being changed. It also should use the "service" task.

* /home isn't the right place. Read the Filesystem Hierarchy Standard. Put the directory somewhere under /var or /srv.

* Add some blank lines for readability.

* As it is, your play isn't really reusable and not modular at all. It's ok since your intention clearly was just to show how easy it was to get Tor running. But if you want you could still turn it into a role.

* "state=directory owner=debian-tor mode=0700 recurse=yes" isn't really a good idea; it'll make all files executable too.

Getting automation right (whether via ansible, puppet, or whatever) requires
careful attention to detail.
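
Pulling the points in that review together, here is what the same deployment looks like written with Ansible modules instead of "command" tasks. This is an added example, not the playbook from the linked repository: it assumes Ubuntu 14.04 (trusty, the release the original targets), Ansible 2.0 or later, the Ubuntu apache2 packaging with its default DocumentRoot of /var/www/html, and the Tor project's own apt repository. The key id is the full 40-character fingerprint that Tor's Debian repository instructions published for that repository; verify it against torproject.org before relying on it. Keeping the hidden service directory under /var/lib/tor means the stock Ubuntu AppArmor profile for tor already allows it, so no profile edit or apparmor restart is needed at all.

```yaml
# Added example (not the repository's playbook): Tor hidden service fronting
# Apache on Ubuntu trusty, using modules, handlers and a post-deploy check.
# Assumptions: trusty target, Ansible >= 2.0, Ubuntu apache2 packaging.
---
- hosts: all
  become: yes
  vars:
    tor_release: trusty
    # Full fingerprint (not the short id 886DDD89) as published in Tor's
    # Debian repo instructions; verify against torproject.org before use.
    tor_key_id: A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    hs_dir: /var/lib/tor/hidden_service   # under /var/lib/tor: AppArmor-friendly
    site_root: /var/www/html              # Ubuntu's default DocumentRoot

  tasks:
    - name: Import the Tor project signing key by its full fingerprint
      apt_key:
        id: "{{ tor_key_id }}"
        keyserver: keys.gnupg.net

    - name: Add the Tor project apt repository
      apt_repository:
        repo: "deb http://deb.torproject.org/torproject.org {{ tor_release }} main"
        update_cache: yes

    - name: Install tor, the repository keyring and apache2
      apt:
        name: "{{ item }}"
        state: present
      with_items:
        - tor
        - deb.torproject.org-keyring
        - apache2

    - name: Hidden service directory (0700, owned by debian-tor, no recurse)
      file:
        path: "{{ hs_dir }}"
        state: directory
        owner: debian-tor
        group: debian-tor
        mode: "0700"

    - name: Write torrc mapping port 80 of the .onion to Apache on loopback
      copy:
        dest: /etc/tor/torrc
        owner: root
        group: root
        mode: "0644"
        content: |
          # managed by ansible
          HiddenServiceDir {{ hs_dir }}/
          HiddenServicePort 80 127.0.0.1:80
      notify: restart tor

    - name: Bind Apache to loopback only, so the clearnet IP never serves the site
      lineinfile:
        dest: /etc/apache2/ports.conf
        regexp: '^Listen\s+80\s*$'
        line: 'Listen 127.0.0.1:80'
      notify: restart apache2

    - name: Site root is a 0755 directory; files below it get their own 0644
      file:
        path: "{{ site_root }}"
        state: directory
        owner: www-data
        group: www-data
        mode: "0755"

    - name: Placeholder page (constructed content for this example)
      copy:
        dest: "{{ site_root }}/index.html"
        owner: www-data
        group: www-data
        mode: "0644"
        content: "<html><body><h1>It works over Tor.</h1></body></html>\n"

    # Handlers normally run at the end of the play; flush them now so tor
    # restarts with the new torrc and generates the .onion address.
    - meta: flush_handlers

    - name: Wait for tor to publish the .onion hostname
      wait_for:
        path: "{{ hs_dir }}/hostname"
        timeout: 60

    - name: Read the .onion address (read-only, so it never reports "changed")
      command: cat {{ hs_dir }}/hostname
      register: onion_hostname
      changed_when: false

    - debug:
        msg: "Hidden service: http://{{ onion_hostname.stdout }}/"

  handlers:
    - name: restart tor
      service:
        name: tor
        state: restarted

    - name: restart apache2
      service:
        name: apache2
        state: restarted
```

Run it with `ansible-playbook -i 'onionhost,' onion.yml` and then again: the second run should report zero changes, which is the property the "command"-based original cannot give you. `--check` also works here because every task is a module with dry-run support except the final `cat`, which is marked read-only via `changed_when: false`.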

~~~
nerveband
"please don't post it on HN and waste everyone elses time."

I didn't know you policed HN and determined what was a waste of time. Last I
recall, Upvoting's purpose was that. Your arrogance is a detractor for others
to grow and clearly you invested so much time to critique that you wasted your
own time on something you didn't care about?

Kudos to you OP, you made something interesting and worth sharing. You've got
this guy's attention. Please don't let other detractors mute your hacking.

~~~
Ao7bei3s
You clearly misunderstood my post. It may have been badly phrased.

What I meant isn't "don't share it". I meant "get it right before you share
it".

I'd have thought the fact I spent a significant amount of time reviewing his
implementation and giving well-meant comments would have made that clear. I
have no interest in suppressing anyone's development -- the more everyone
learns, the better for everyone. And I do care about that.

However:

1. HN submissions are 1:many communication. Like, say, mailing lists. For
which I've been taught that the sender should make an effort to send a good
message. freddiearch didn't put in that effort (see post #11098621). I care
about HN, and I'd prefer to see high-quality articles here.

2. Beginners learning about new techniques and then immediately going on to
write a low-quality tutorial is a very common phenomenon on the internet. It
makes it unnecessarily harder for other beginners, who can't tell. The code
didn't work and had several major flaws. It's just not good code to learn
Ansible from. (Except for freddiearch of course -- writing bad code, then
improving it, is part of learning. Nothing wrong with that! Everyone starts
small!)

(@freddiearch: If you read this: I really hope I didn't discourage you from
learning about Ansible or anything.)

------
hbz
Why even do this in ansible? Your heavy reliance on command instead of the
provided ansible modules makes it more of a bash script.

------
hjek
Nice idea. Looking at the script, it seems it's fetching packages specifically
for Ubuntu Trusty. If the script is only for a specific version of Ubuntu, it
might make sense to write that somewhere in the readme (or better, make it
work for a wider range of distros/OS's)

~~~
freddiearch
Seems reasonable. To be honest the script is really hacky and as I've said I
did pretty much just get the first working version committed.

Also rndmh3ro, I'm just testing your pull request on a fresh Ubuntu machine to
make sure it works, but thanks for the improvements!

~~~
zufallsheld
If you want to get more into Ansible and write roles that work on many
different platforms, check out my test-framework:
[https://github.com/rndmh3ro/ansible-test-framework](https://github.com/rndmh3ro/ansible-test-framework)

------
detaro
You really shouldn't use apache default configs, since they probably leak info
about your server and your users via /server-status
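
The /server-status point deserves a concrete fix, because the Ubuntu default is more dangerous behind Tor than on a clearnet host: status.conf only restricts /server-status to local clients, but tor hands every .onion visitor to Apache from 127.0.0.1, so every visitor is "local" and can read the status page, including the clearnet virtual hosts and client IPs it lists. The playbook below is an added example, not code from the linked repository; it assumes Ubuntu's apache2 packaging (mod_status enabled by default, security.conf under conf-available) and verifies the result from loopback, the same vantage point tor uses.

```yaml
# Added example (not the repository's playbook): close the information
# leaks the Ubuntu apache2 defaults ship with, then verify from loopback.
---
- hosts: all
  become: yes
  tasks:
    - name: Disable mod_status; "Require local" does not help behind Tor
      # tor connects to Apache from 127.0.0.1, so the local-only restriction
      # in status.conf admits every .onion visitor. Remove the module.
      apache2_module:
        name: status
        state: absent
      notify: restart apache2

    - name: Stop advertising OS and Apache version in headers and error pages
      lineinfile:
        dest: /etc/apache2/conf-available/security.conf
        regexp: "^{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
      with_items:
        - { key: ServerTokens, value: Prod }
        - { key: ServerSignature, value: "Off" }   # quoted: YAML would read Off as a bool
      notify: restart apache2

    # Restart now rather than at the end of the play so the check below
    # sees the new configuration.
    - meta: flush_handlers

    - name: Confirm /server-status is gone from loopback (fails unless 404)
      uri:
        url: http://127.0.0.1/server-status
        status_code: 404

  handlers:
    - name: restart apache2
      service:
        name: apache2
        state: restarted
```

The `uri` check is the part worth keeping even if you set the directives by hand: it fails the play if anything re-enables the module later, which is exactly the drift automation is supposed to catch.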

------
freddiearch
You make a good point. I did think that in retrospect. Just wanted to develop
my skills further in Ansible really.

~~~
zufallsheld
In fact almost all these tasks could be replaced by ansible modules (except
the last 3 _lineinfile_ commands).

~~~
freddiearch
Fair enough, I was sort of sleep deprived and just wanted something that
actually worked as quickly as possible haha.

------
efesak
I use [https://hub.docker.com/r/goldy/tor-hidden-service/](https://hub.docker.com/r/goldy/tor-hidden-service/) (just 2
commands) ... it just simply works

------
kripp78
Hello. OK, I'm not up to date on how all this works or if I'm downloading the
right things or not. I read it but I just don't get it. I just want to get to
the deep/dark website. Would you help me on how to get there please. Thank you

------
r0muald
That's really cool. I think we need more of this kind of easily hackable
resources.

------
freddiearch
Efesak looks like a cool tool. Ryanlol also nifty script.

r0muald thanks!

Thanks for all the positive responses to this. Hopefully I'll have time to
work on some server hardening and similar improvements soon.

------
wehadfun
Could someone explain what this does. Know Apache, know Ubuntu. Don't know .onion,
don't know yml, don't know Ansible.

~~~
ryanlol

      curl 'https://raw.githubusercontent.com/freddiebarrsmith/Ansible-Hidden-Service-Deployment/master/darkweb.yml' |grep -elinein -ecommand -e action|sed -e 's/command//' -e 's/action://' -e 's/  //g' -e 's/: //' -e 's/lineinfil.*t=/cat >>/' -e 's/line=/<<</' -e 's/ pkg=/-get -y --force-yes install /' -e 's/state=latest//' -e 's/t u/t-get -y u/' -e 's/_cache=yes//'
    

This should convert it to a working bash script.

