Table of Contents

  1. Description
  2. Setup
  3. Functions
  4. Facts
  5. Reference
  6. Development


This module manages tor and is mainly geared towards people running it on servers. With this module, you should be able to manage most, if not all of the functionalities provided by tor, such as:

  • relays
  • bridges and exit nodes
  • onion services
  • exit policies
  • transport plugins


Setup Requirements

This module needs:

Explicit dependencies can be found in the project's metadata.json file.

Getting started

class { 'tor': } will install tor with a default configuration. Chances are you will want to configure Tor in a certain way. This is accomplished declaring one or more of the tor::daemon defined types.

For example, this will configure a tor bridge relay running on port 8080:

  tor::daemon::relay {
      bridge_relay     => true,
      port             => 8080,
      address          => '',
      bandwidth_rate   => 12500,
      bandwidth_burst  => 12500,
      contact_info     => 'Foo Bar <>',

There are many more such snippets available in tor::daemon, for example, this will create a hidden service for the SSH daemon:

tor::daemon::onion_service { 'onion-ssh':
    ports => [ '22' ],

See the manifests/daemon directory for more examples.


This module comes with functions specific to tor support. They require the base32, ed25519 and sha3 gem to be installed on the master or wherever they are executed. For JRuby based installations such as puppetserver environments you can use the sha3-pure-ruby instead of the C based library.


This functions generates an onion v3 key pair if not already existing. As arguments, you need to pass a base directory and an identifier (name) of the key. The key pair will be looked up in a directory under <base_dir>/<name>.

As a result you will get a hash containing they secret key (hs_ed25519_secret_key), the public key (hs_ed25519_public_key) and the onion hostname (hostname). The latter will be without the .onion suffix.

If a key has already been created and exists under that directory, the content of these files will be returned.

Note that an easier way to use this function is to call tor::daemon::onion_service instead, as that will also take care of adding configuration to the Tor daemon.



This fact gives you a list of the hidden services you are running.


The full reference documentation for this module may be found at on GitLab Pages.

Alternatively, you may build yourself the documentation using the puppet strings generate command. See the documentation for Puppet Strings for more information.


This module's development is tracked on GitLab. Please submit issues and merge requests on the shared-puppet-modules-group/tor project page.