authorDmitry Ilvokhin <d@ilvokhin.com>2024-06-29 21:03:10 +0100
committerDmitry Ilvokhin <d@ilvokhin.com>2024-06-29 21:03:10 +0100
commitec1d4d333f725a94b4e646c08598f7377196b763 (patch)
tree174065eb9039775c41abfdd3ec43459adf494b0a
parente470136455a1703ff88f594eaa376fcdadf9591c (diff)
downloadinfra-ec1d4d333f725a94b4e646c08598f7377196b763.tar.gz
infra-ec1d4d333f725a94b4e646c08598f7377196b763.tar.bz2
infra-ec1d4d333f725a94b4e646c08598f7377196b763.zip
Add wg-quick@wgtor0 as dependency to tor
Otherwise tor could not bind ports on the wgtor0 IP addresses, as the interface wasn't up yet.
-rw-r--r--roles/tor/files/tor.service29
-rw-r--r--roles/tor/tasks/main.yml9
2 files changed, 38 insertions, 0 deletions
diff --git a/roles/tor/files/tor.service b/roles/tor/files/tor.service
new file mode 100644
index 0000000..d41767b
--- /dev/null
+++ b/roles/tor/files/tor.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=Anonymizing overlay network for TCP
+After=network.target nss-lookup.target wg-quick@wgtor0.service
+
+[Service]
+Type=notify
+NotifyAccess=all
+ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
+ExecStart=/usr/bin/tor -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP ${MAINPID}
+KillSignal=SIGINT
+TimeoutSec=60
+Restart=on-failure
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/tor
+ReadWriteDirectories=-/var/log/tor
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH CAP_KILL
+
+[Install]
+WantedBy=multi-user.target
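Review bot: `After=network.target nss-lookup.target wg-quick@wgtor0.service` on the third line of the unit only orders tor behind the WireGuard unit; it does not pull that unit in, so if wg-quick@wgtor0.service is not enabled, or fails to start, tor still starts without the interface and the bind failure described in the commit message returns. Pair the ordering with an explicit dependency on the same unit, e.g. `Wants=wg-quick@wgtor0.service` (or `Requires=` if tor must never run without the tunnel), since "dependency" in the commit title implies more than ordering. In the hardening block, `ReadOnlyDirectories=` / `ReadWriteDirectories=` are, as far as I recall, legacy aliases kept for compatibility; the current spellings are `ReadOnlyPaths=` and `ReadWritePaths=`, so `ReadWritePaths=-/var/lib/tor -/var/log/tor` would be the modern form of lines 46–48.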
diff --git a/roles/tor/tasks/main.yml b/roles/tor/tasks/main.yml
index 5aa1076..cbe4db6 100644
--- a/roles/tor/tasks/main.yml
+++ b/roles/tor/tasks/main.yml
@@ -34,8 +34,17 @@
notify:
- Reload tor
+- name: Configure tor systemd service
+ ansible.builtin.copy:
+ src: files/tor.service
+ dest: /usr/lib/systemd/system/tor.service
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+
- name: Enable tor systemd service
ansible.builtin.service:
name: tor
enabled: yes
state: started
+ daemon_reload: true
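Review bot: `dest: /usr/lib/systemd/system/tor.service` writes the unit into the vendor directory owned by the distribution package, so the next tor package upgrade can silently overwrite it and drop the wg-quick ordering this commit adds; installing to `/etc/systemd/system/tor.service` (which takes precedence over /usr/lib) or, smaller still, shipping only the added ordering as a drop-in under `/etc/systemd/system/tor.service.d/` keeps the fix upgrade-safe. `mode: u+rw,g+r,o+r` only adds bits relative to whatever the destination already has, so a pre-existing executable or group-writable file keeps those bits; `mode: "0644"` or `mode: u=rw,g=r,o=r` states the intended permissions absolutely. The copy task also has no `notify`, so a later change to the unit file is picked up by `daemon_reload: true` but does not restart an already-running tor; if that is deliberate, a one-line comment above the task saying so would spare the next reader the question. The task list this hunk belongs to continues before the hunk.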