Deploy a .onion Site in Less Than 5 minutes
73 points by freddiearch on Feb 14, 2016 | hide | past | favorite | 20 comments

Hi guys, worked on this last night. Thought it may be useful or cool to deploy a .onion url automatically in 7 commands.

I'm also aware it's not particularly good formatting but should work fine.

This is pretty badly done. Dear freddiearch, it's ok if you know that it's low-quality and no real effort has gone into it (as you yourself have said), but then please don't post it on HN and waste everyone else's time.

Notes/suggestions, in the interest of helping you get better at Ansible. I hope you find them helpful:

* It leaves your Apache bound on all interfaces, exposing where your files are really hosted. Security fail. (And because of the port conflict I doubt it even works in its current state.)

* It doesn't even work, due to the double "command" in "add keys". Only the second one will actually be run. (It's obvious you never tested on a fresh system. Learn about Vagrant next. It also has super-easy ansible integration. That fits the scenario really well too. Wouldn't that be awesome? "vagrant up" from any machine, wait a minute, and you have a .onion server in the Tor network?)

* Please spend 10 minutes and read the module list at https://docs.ansible.com/ansible/modules_by_category.html completely and use them. If you have to use "command" tasks (seldom the case), at least implement "changed_when" and think about whether you need "when" and "failed_when". Also consider --check mode. You used command in cases where you could have used: apt, apt_repository, apt_key, service,

* Use the long key id in the --recv command too. The short will work even when there are conflicts, but it'll leave the additional (probably malicious) key in your local keyring, which may or may not confuse you later.

* The apparmor restart should be done in a handler, conditional on the config actually being changed. It also should use the "service" task.

* /home isn't the right place. Read the Filesystem Hierarchy Standard. Put the directory somewhere under /var or /srv.

* Add some blank lines for readability.

* As it is, your play isn't really reusable and isn't modular at all. It's ok since your intention clearly was just to show how easy it was to get Tor running. But if you want you could still turn it into a role.

* "state=directory owner=debian-tor mode=0700 recurse=yes" isn't really a good idea; it'll make all files executable too.

Getting automation right (whether via ansible, puppet, or whatever) requires careful attention to detail.
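As an added example (not the submitted darkweb.yml, nor any commenter's code), here is how the points above could be applied in one play: modules instead of "command", a template for torrc, handlers for restarts, Apache bound to loopback only with mod_status disabled, and the full key fingerprint. The template files, the keyserver, and the placeholder fingerprint are assumptions.

```yaml
# Added example, not the submitted darkweb.yml. Assumes an Ubuntu Trusty host,
# templates/torrc.j2 and templates/ports.conf.j2 beside the playbook, and a
# placeholder fingerprint you replace with the repository's real long key id.
- name: Tor hidden service behind a loopback-only Apache
  hosts: all
  become: yes
  vars:
    tor_key_fingerprint: "REPLACE_WITH_FULL_40_HEX_FINGERPRINT"  # never the short id
  tasks:
    - name: Import the apt signing key by full fingerprint
      apt_key:
        keyserver: keyserver.ubuntu.com
        id: "{{ tor_key_fingerprint }}"
    - name: Add the Tor apt repository
      apt_repository:
        repo: "deb http://deb.torproject.org/torproject.org trusty main"
        state: present
        update_cache: yes
    - name: Install Tor and Apache
      apt:
        name: [tor, deb.torproject.org-keyring, apache2]
        state: present
    - name: Bind Apache to loopback only so the clearnet address is never exposed
      template:
        src: templates/ports.conf.j2  # contains only "Listen 127.0.0.1:80"
        dest: /etc/apache2/ports.conf
      notify: restart apache
    - name: Disable mod_status so /server-status cannot leak server details
      command: a2dismod status
      args:
        removes: /etc/apache2/mods-enabled/status.load  # skip when already disabled
      notify: restart apache
    - name: Render torrc from a template instead of lineinfile
      template:
        src: templates/torrc.j2  # HiddenServiceDir /var/lib/tor/hidden_service/
        dest: /etc/tor/torrc     # HiddenServicePort 80 127.0.0.1:80
      notify: restart tor
    - name: Hidden service directory, 0700 on the directory only (no recurse)
      file:
        path: /var/lib/tor/hidden_service
        state: directory
        owner: debian-tor
        group: debian-tor
        mode: "0700"
  handlers:
    - name: restart apache
      service: name=apache2 state=restarted
    - name: restart tor
      service: name=tor state=restarted
```

Run it with --check first; every task except the a2dismod command reports changes without touching the host, and that one stays idempotent through "removes".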

"please don't post it on HN and waste everyone elses time."

I didn't know you policed HN and determined what was a waste of time. Last I recall, upvoting's purpose was that. Your arrogance is a detractor for others to grow, and clearly you invested so much time to critique that you wasted your own time on something you didn't care about?

Kudos to you OP, you made something interesting and worth sharing. You've got this guy's attention. Please don't let other detractors mute your hacking.

You clearly misunderstood my post. It may have been badly phrased.

What I meant isn't "don't share it". I meant "get it right before you share it".

I'd have thought the fact I spent a significant amount of time reviewing his implementation and giving well-meant comments would have made that clear. I have no interest in suppressing anyone's development -- the more everyone learns, the better for everyone. And I do care about that.


1. HN submissions are 1:many communication. Like, say, mailing lists. For which I've been taught that the sender should make an effort to send a good message. freddiearch didn't put in that effort (see post #11098621). I care about HN, and I'd prefer to see high-quality articles here.

2. Beginners learning about new techniques and then immediately going on to write a low-quality tutorial is a very common phenomenon on the internet. It makes it unnecessarily harder for other beginners, who can't tell. The code didn't work and had several major flaws. It's just not good code to learn Ansible from. (Except for freddiearch of course -- writing bad code, then improving it, is part of learning. Nothing wrong with that! Everyone starts small!)

(@freddiearch: If you read this: I really hope I didn't discourage you from learning about Ansible or anything.)

It's a pity you spoiled with unnecessary poison (irony, indirect insults) an otherwise very well structured and constructive comment.

Why even do this in ansible? Your heavy reliance on command instead of the provided ansible modules makes it more of a bash script.

Nice idea. Looking at the script, it seems it's fetching packages specifically for Ubuntu Trusty. If the script is only for a specific version of Ubuntu, it might make sense to write that somewhere in the readme (or better, make it work for a wider range of distros/OSes).

Seems reasonable. To be honest the script is really hacky and as I've said I did pretty much just get the first working version committed.

Also rndmh3ro I'm just testing your pull request on a fresh Ubuntu machine to make sure it works, but thanks for the improvements!

If you want to get more into Ansible and write roles that work on many different platforms, check out my test-framework: https://github.com/rndmh3ro/ansible-test-framework

Also thanks for saying it's a nice idea!

You really shouldn't use apache default configs, since they probably leak info about your server and your users via /server-status

You make a good point. I did think that in retrospect. Just wanted to develop my skills further in Ansible really.

In fact almost all these tasks could be replaced by ansible modules (except the last 3 lineinfile commands).

Fair enough, I was sort of sleep deprived and just wanted something that actually worked as quickly as possible haha.

I'd also prefer those be replaced with a template. IMO, reading a config file with placeholders is much easier than concatenating it in my mind as a series of _lineinfile_ commands.

I use https://hub.docker.com/r/goldy/tor-hidden-service/ (just 2 commands) ... it just simply works

Hello. OK, I'm not up to date on how all this works or whether I'm downloading the right things or not. I read it but I just don't get it. I just want to get to the deep/dark website. Would you help me on how to get there please. Thank you

That's really cool. I think we need more of this kind of easily hackable resources.

Efesak looks like a cool tool. Ryanlol also nifty script.

r0muald thanks!

Thanks for all the positive responses to this. Hopefully I'll have time to work on some server hardening and similar improvements soon.

Could someone explain what this does? Know Apache, know Ubuntu. Don't know .onion, don't know yml, don't know Ansible.

  curl 'https://raw.githubusercontent.com/freddiebarrsmith/Ansible-Hidden-Service-Deployment/master/darkweb.yml' |grep -elinein -ecommand -e action|sed -e 's/command//' -e 's/action://' -e 's/  //g' -e 's/: //' -e 's/lineinfil.*t=/cat >>/' -e 's/line=/<<</' -e 's/ pkg=/-get -y --force-yes install /' -e 's/state=latest//' -e 's/t u/t-get -y u/' -e 's/_cache=yes//'
This should convert it to a working bash script.

