add tor infra

2025-02-20 12:54:28 +01:00 · 2019-01-18 14:57:15 -08:00 · 2019-01-18 14:57:15 -08:00 · a1fc28ebe4
commit a1fc28ebe4
parent d40d72eb2a
22 changed files with 684 additions and 28 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -29,7 +29,7 @@ build:
    - docker push us.gcr.io/blockstream-store/ionosphere-sse:$CI_COMMIT_SHA
    - docker push us.gcr.io/blockstream-store/ionosphere-sse:latest

-plan:
+plan_satapi:
  stage: plan
  only:
    - branches@satellite/ionosphere
@ -37,6 +37,7 @@ plan:
    - master@satellite/ionosphere
    - production@satellite/ionosphere
    - cleanup_staging@satellite/ionosphere
+    - /^misc_.*/
  script:
    - (cd terraform
       && terraform init -input=false
@ -56,6 +57,24 @@ plan:
         -var "rpcpass=$RPCPASS"
         -input=false)

+# this plan gets triggered only for miscellaneous branches/tags, so make sure the branch/tag name starts with misc_
+plan_misc:
+  stage: plan
+  only:
+    - /^misc_.*/
+  script:
+    - (echo -n "$V3_PK" > terraform/modules/tor/v3.pk)
+    - (echo -n "$V3_PUBK" > terraform/modules/tor/v3.pubk)
+    - (cd terraform
+      && terraform init -input=false
+      && terraform workspace select misc
+      && terraform plan
+        -var "region=$REGION"
+        -var "zone=$ZONE"
+        -var "tor_instance_type=$TOR_INSTANCE_TYPE"
+        -var "onion_host=$ONION_HOST"
+        -input=false)
+
 deploy_staging:
  stage: deploy
  only:
@ -102,6 +121,25 @@ deploy_production:
         -var "rpcpass=$RPCPASS"
         -input=false -auto-approve)

+# This deploys only tags/branches starting with misc_v
+deploy_misc:
+  stage: deploy
+  only:
+    - /^misc_v.*/
+  script:
+    - (echo -n "$V3_PK" > terraform/modules/tor/v3.pk)
+    - (echo -n "$V3_PUBK" > terraform/modules/tor/v3.pubk)
+    - (cd terraform
+      && terraform init -input=false
+      && terraform workspace select misc
+      && terraform plan
+        -var "region=$REGION"
+        -var "zone=$ZONE"
+        -var "tor_instance_type=$TOR_INSTANCE_TYPE"
+        -var "onion_host=$ONION_HOST"
+         -input=false -auto-approve)
+
+
 cleanup_staging:
  stage: deploy
  image:
--- a/terraform/data.tf
+++ b/terraform/data.tf
@ -0,0 +1,27 @@
+data "terraform_remote_state" "lightning-store-prod" {
+  backend = "gcs"
+
+  config {
+    bucket  = "tf-state-lightning-store"
+    prefix  = "terraform/state"
+    project = "blockstream-store"
+  }
+
+  workspace = "production"
+
+  defaults {
+    prometheus_service_account = "${var.prom_service_acct}"
+  }
+}
+
+data "terraform_remote_state" "blc-prod" {
+  backend = "gcs"
+
+  config {
+    bucket  = "tf-state-ionosphere"
+    prefix  = "terraform/state"
+    project = "blockstream-store"
+  }
+
+  workspace = "prod"
+}
--- a/terraform/kms.tf
+++ b/terraform/kms.tf
@ -0,0 +1,14 @@
+resource "google_kms_key_ring" "tor-key-ring" {
+  project  = "${var.project}"
+  name     = "${var.name}-keyring"
+  location = "${var.region}"
+
+  count = "${local.create_misc}"
+}
+
+resource "google_kms_crypto_key" "tor-crypto-key" {
+  name     = "${var.name}-crypto-key"
+  key_ring = "${google_kms_key_ring.tor-key-ring.id}"
+
+  count = "${local.create_misc}"
+}
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -8,22 +8,6 @@ terraform {
  }
 }

-data "terraform_remote_state" "lightning-store-prod" {
-  backend = "gcs"
-
-  config {
-    bucket  = "tf-state-lightning-store"
-    prefix  = "terraform/state"
-    project = "blockstream-store"
-  }
-
-  workspace = "staging"
-
-  defaults {
-    prometheus_service_account = "${var.prom_service_acct}"
-  }
-}
-
 provider "google" {
  project = "${var.project}"
 }
@ -43,6 +27,8 @@ module "blc" {
  net                   = "testnet"
  env                   = "${local.env}"

+  create_resources = "${local.create_satapi}"
+
  # CI vars
  region            = "${var.region}"
  zone              = "${var.zone}"
@ -55,3 +41,27 @@ module "blc" {
  rpcuser           = "${var.rpcuser}"
  rpcpass           = "${var.rpcpass}"
 }
+
+module "tor" {
+  source = "modules/tor"
+
+  project              = "${var.project}"
+  network              = "default"
+  name                 = "satapi-tor"
+  gcloud_docker        = "${var.gcloud_docker}"
+  tor_docker           = "${var.tor_docker}"
+  node_exporter_docker = "${var.node_exporter_docker}"
+  kms_key              = "${element(concat(google_kms_crypto_key.tor-crypto-key.*.name, list("")), 0)}"
+  kms_key_ring         = "${element(concat(google_kms_key_ring.tor-key-ring.*.name, list("")), 0)}"
+  kms_key_link         = "${element(concat(google_kms_crypto_key.tor-crypto-key.*.self_link, list("")), 0)}"
+  tor_lb               = "${element(concat(google_compute_global_address.tor-lb.*.address, list("")), 0)}"
+
+  create_resources = "${local.create_misc}"
+
+  #CI vars
+  region            = "${var.region}"
+  zone              = "${var.zone}"
+  tor_instance_type = "${var.tor_instance_type}"
+  onion_host        = "${var.onion_host}"
+  prom_service_acct = "${data.terraform_remote_state.lightning-store-prod.prometheus_service_account}"
+}
--- a/terraform/modules/blc/data.tf
+++ b/terraform/modules/blc/data.tf
@ -5,10 +5,12 @@ data "google_compute_network" "blc" {
 data "google_compute_image" "blc" {
  family  = "satapi-data-${var.env}"
  project = "${var.project}"
+  count   = "${var.create_resources}"
 }

 data "template_file" "blc" {
  template = "${file("${path.module}/cloud-init/blc.yaml")}"
+  count    = "${var.create_resources}"

  vars {
    rpcuser               = "${var.rpcuser}"
@ -33,6 +35,7 @@ data "template_file" "blc" {
 data "template_cloudinit_config" "blc" {
  gzip          = false
  base64_encode = false
+  count         = "${var.create_resources}"

  part {
    content_type = "text/cloud-config"
--- a/terraform/modules/blc/iam.tf
+++ b/terraform/modules/blc/iam.tf
@ -1,10 +1,12 @@
 resource "google_service_account" "blc" {
  account_id   = "${var.name}-${var.env}"
  display_name = "${var.name}-${var.env}"
+  count        = "${var.create_resources}"
 }

 resource "google_project_iam_member" "blc" {
  project = "${var.project}"
  role    = "roles/editor"
  member  = "serviceAccount:${google_service_account.blc.email}"
+  count   = "${var.create_resources}"
 }
--- a/terraform/modules/blc/lb.tf
+++ b/terraform/modules/blc/lb.tf
@ -5,6 +5,7 @@ resource "google_compute_global_forwarding_rule" "rule-https" {
  port_range  = "443"
  ip_protocol = "TCP"
  ip_address  = "${google_compute_global_address.lb.address}"
+  count       = "${var.create_resources}"
 }

 resource "google_compute_global_forwarding_rule" "rule-http" {
@ -13,24 +14,28 @@ resource "google_compute_global_forwarding_rule" "rule-http" {
  port_range  = "80"
  ip_protocol = "TCP"
  ip_address  = "${google_compute_global_address.lb.address}"
+  count       = "${var.create_resources}"
 }

 # Target proxies
 resource "google_compute_target_http_proxy" "http-proxy" {
  name    = "${var.name}-http-proxy-${var.env}"
  url_map = "${google_compute_url_map.http.self_link}"
+  count   = "${var.create_resources}"
 }

 resource "google_compute_target_https_proxy" "https-proxy" {
  name             = "${var.name}-https-proxy-${var.env}"
  url_map          = "${google_compute_url_map.https.self_link}"
  ssl_certificates = ["${var.ssl_cert}"]
+  count            = "${var.create_resources}"
 }

 # URL maps
 resource "google_compute_url_map" "http" {
  name            = "${var.name}-http-urlmap-${var.env}"
  default_service = "${google_compute_backend_service.blc.self_link}"
+  count           = "${var.create_resources}"

  host_rule {
    hosts        = ["${var.host}"]
@ -51,6 +56,7 @@ resource "google_compute_url_map" "http" {
 resource "google_compute_url_map" "https" {
  name            = "${var.name}-https-urlmap-${var.env}"
  default_service = "${google_compute_backend_service.blc.self_link}"
+  count           = "${var.create_resources}"

  host_rule {
    hosts        = ["${var.host}"]
--- a/terraform/modules/blc/main.tf
+++ b/terraform/modules/blc/main.tf
@ -1,6 +1,7 @@
 # Instance group
 resource "google_compute_instance_group_manager" "blc" {
-  name = "${var.name}-ig-${var.env}"
+  name  = "${var.name}-ig-${var.env}"
+  count = "${var.create_resources}"

  base_instance_name = "${var.name}-ig-${var.env}-${count.index}"
  instance_template  = "${google_compute_instance_template.blc.self_link}"
@ -22,6 +23,7 @@ resource "google_compute_disk" "blc" {
  type  = "pd-standard"
  image = "${data.google_compute_image.blc.self_link}"
  zone  = "${var.zone}"
+  count = "${var.create_resources}"

  lifecycle {
    prevent_destroy = true
@ -35,6 +37,7 @@ resource "google_compute_instance_template" "blc" {
  description  = "This template is used to create ${var.name} ${var.env} instances."
  machine_type = "${var.instance_type}"
  region       = "${var.region}"
+  count        = "${var.create_resources}"

  labels {
    type = "lightning-app"
--- a/terraform/modules/blc/network.tf
+++ b/terraform/modules/blc/network.tf
@ -3,18 +3,20 @@ resource "google_compute_address" "blc" {
  name    = "${var.name}-external-ip-${var.env}-${count.index}"
  project = "${var.project}"
  region  = "${var.region}"
-  count   = 1
+  count   = "${var.create_resources}"
 }

 resource "google_compute_global_address" "lb" {
  name    = "${var.name}-client-lb-${var.env}"
  project = "${var.project}"
+  count   = "${var.create_resources}"
 }

 # FW rules
 resource "google_compute_firewall" "blc" {
  name    = "${var.name}-fw-rule-${var.env}"
  network = "${data.google_compute_network.blc.self_link}"
+  count   = "${var.create_resources}"

  allow {
    protocol = "tcp"
@ -29,6 +31,7 @@ resource "google_compute_firewall" "blc" {
 resource "google_compute_firewall" "blc-prom" {
  name    = "${var.name}-prometheus-access-${var.env}"
  network = "${data.google_compute_network.blc.self_link}"
+  count   = "${var.create_resources}"

  allow {
    protocol = "tcp"
@ -51,6 +54,7 @@ resource "google_compute_backend_service" "blc" {
  protocol    = "HTTP"
  port_name   = "http"
  timeout_sec = "${var.timeout}"
+  count       = "${var.create_resources}"

  backend {
    group = "${google_compute_instance_group_manager.blc.instance_group}"
@ -61,7 +65,8 @@ resource "google_compute_backend_service" "blc" {

 # Health checks
 resource "google_compute_health_check" "blc" {
-  name = "${var.name}-health-check-${var.env}"
+  name  = "${var.name}-health-check-${var.env}"
+  count = "${var.create_resources}"

  check_interval_sec = 5
  timeout_sec        = 3
@ -72,7 +77,8 @@ resource "google_compute_health_check" "blc" {
 }

 resource "google_compute_http_health_check" "blc-http" {
-  name = "${var.name}-health-check-${var.env}"
+  name  = "${var.name}-health-check-${var.env}"
+  count = "${var.create_resources}"

  timeout_sec        = 5
  check_interval_sec = 10
--- a/terraform/modules/blc/output.tf
+++ b/terraform/modules/blc/output.tf
@ -0,0 +1,3 @@
+output "backend_service" {
+  value = "${element(concat(google_compute_backend_service.blc.*.self_link, list("")), 0)}"
+}
--- a/terraform/modules/blc/variables.tf
+++ b/terraform/modules/blc/variables.tf
@ -8,14 +8,16 @@ variable "boot_image" {
  default = "cos-cloud/cos-stable"
 }

+variable "create_resources" {
+  type = "string"
+}
+
 variable "rpcuser" {
-  type    = "string"
-  default = ""
+  type = "string"
 }

 variable "rpcpass" {
-  type    = "string"
-  default = ""
+  type = "string"
 }

 variable "env" {
--- a/terraform/modules/tor/cloud-init/tor.yaml
+++ b/terraform/modules/tor/cloud-init/tor.yaml
@ -0,0 +1,161 @@
+users:
+  - name: bs
+    uid: 2000
+
+write_files:
+  - path: /home/bs/tor/hidden_service_v3/hs_ed25519_public_key.enc.b64
+    permissions: 0600
+    owner: root
+    content: |
+        ${v3_pubk}
+
+  - path: /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key.enc.b64
+    permissions: 0600
+    owner: root
+    content: |
+        ${v3_pk}
+
+  - path: /home/bs/torrc
+    permissions: 0644
+    owner: root
+    content: |
+        DataDirectory /home/tor/tor
+        PidFile /var/run/tor/tor.pid
+
+        ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
+        ControlSocketsGroupWritable 1
+        SocksPort unix:/var/run/tor/socks WorldWritable
+        SocksPort 9050
+
+        CookieAuthentication 1
+        CookieAuthFileGroupReadable 1
+        CookieAuthFile /var/run/tor/control.authcookie
+
+        Log [handshake]debug [*]notice stderr
+
+        HiddenServiceDir /home/tor/tor/hidden_service_v3/
+        HiddenServiceVersion 3
+        HiddenServicePort 80 ${tor_lb}:80
+
+  - path: /home/bs/tor/hidden_service_v3/hostname
+    permissions: 0600
+    owner: root
+    content: |
+        ${v3_host}
+
+  - path: /etc/systemd/system/decrypt.service
+    permissions: 0644
+    owner: root
+    content: |
+        [Unit]
+        Description=decrypt secrets against KMS
+        Wants=gcr-online.target
+        After=gcr-online.target
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=true
+        Environment=HOME=/home/bs
+        ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
+        ExecStartPre=/usr/bin/docker pull ${gcloud_docker}
+        ExecStart=/usr/bin/docker run \
+            --name=decrypt \
+            --rm \
+            -v /home/bs/tor/hidden_service_v3/:/root/secrets:rw \
+            "${gcloud_docker}" gcloud kms decrypt \
+                --location=${kms_location} \
+                --keyring=${kms_key_ring} \
+                --key=${kms_key} \
+                --ciphertext-file=/root/secrets/hs_ed25519_public_key.enc \
+                --plaintext-file=/root/secrets/hs_ed25519_public_key
+        ExecStart=/usr/bin/docker run \
+            --name=decrypt \
+            --rm \
+            -v /home/bs/tor/hidden_service_v3/:/root/secrets:rw \
+            "${gcloud_docker}" gcloud kms decrypt \
+                --location=${kms_location} \
+                --keyring=${kms_key_ring} \
+                --key=${kms_key} \
+                --ciphertext-file=/root/secrets/hs_ed25519_secret_key.enc \
+                --plaintext-file=/root/secrets/hs_ed25519_secret_key
+        ExecStartPost=-/bin/rm /home/bs/tor/hidden_service_v3/hs_ed25519_public_key.enc /home/bs/tor/hidden_service_v3/hs_ed25519_public_key.enc.b64
+        ExecStartPost=-/bin/rm /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key.enc /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key.enc.b64
+
+  - path: /etc/systemd/system/tor.service
+    permissions: 0644
+    owner: root
+    content: |
+        [Unit]
+        Description=tor node
+        Wants=gcr-online.target docker.service decrypt.service
+        After=gcr-online.service docker.service decrypt.service
+
+        [Service]
+        Restart=always
+        RestartSec=1
+        Environment=HOME=/home/bs
+        ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
+        ExecStartPre=/usr/bin/docker pull ${tor_docker}
+        ExecStartPre=-/bin/chown -R bs:bs /home/bs/tor/
+        ExecStartPre=-/bin/chmod -R 2700 /home/bs/tor/
+        ExecStartPre=-/bin/chmod 0644 /home/bs/tor/hidden_service_v3/hs_ed25519_public_key
+        ExecStartPre=-/bin/chmod 0600 /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key
+        ExecStartPre=/sbin/iptables -A INPUT -m tcp -p tcp --dport 9050 -j ACCEPT
+        ExecStart=/usr/bin/docker run \
+            --network=host \
+            --pid=host \
+            --name=tor \
+            --tmpfs /tmp/ \
+            -v /home/bs/torrc:/home/tor/torrc:ro \
+            -v /home/bs/tor:/home/tor/tor:rw \
+            "${tor_docker}" tor -f /home/tor/torrc
+        ExecStop=/usr/bin/docker stop tor
+        ExecStopPost=/usr/bin/docker rm tor
+        ExecStopPost=/sbin/iptables -D INPUT -m tcp -p tcp --dport 9050 -j ACCEPT
+
+        [Install]
+        WantedBy=multi-user.target
+
+  - path: /etc/systemd/system/node-exporter.service
+    permissions: 0644
+    owner: root
+    content: |
+        [Unit]
+        Description=prometheus node-exporter
+        Wants=gcr-online.target docker.service
+        After=gcr-online.service docker.service
+
+        [Service]
+        Restart=always
+        RestartSec=1
+        Environment=HOME=/home/exec
+        ExecStartPre=/usr/bin/docker-credential-gcr configure-docker
+        ExecStartPre=/usr/bin/docker pull ${node_exporter_docker}
+        ExecStartPre=/sbin/iptables -A INPUT -m tcp -p tcp --dport 9100 -j ACCEPT
+        ExecStart=/usr/bin/docker run \
+            --name=node-exporter \
+            --network=host \
+            --read-only \
+            -v /proc:/host/proc:ro \
+            -v /sys:/host/sys:ro \
+            -v /:/rootfs:ro \
+            -v metrics:/metrics:ro \
+            -v /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket:ro \
+            "${node_exporter_docker}" --path.procfs /host/proc --path.sysfs /host/sys --collector.textfile.directory /metrics --collector.filesystem.ignored-mount-points "^/(sys|proc|dev|host|etc($|/))" --collector.systemd
+        ExecStop=/usr/bin/docker stop node-exporter
+        ExecStopPost=/usr/bin/docker rm node-exporter
+        ExecStopPost=/sbin/iptables -D INPUT -m tcp -p tcp --dport 9100 -j ACCEPT
+
+        [Install]
+        WantedBy=multi-user.target
+
+runcmd:
+  - systemctl daemon-reload
+  - base64 -d /home/bs/tor/hidden_service_v3/hs_ed25519_public_key.enc.b64 > /home/bs/tor/hidden_service_v3/hs_ed25519_public_key.enc
+  - base64 -d /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key.enc.b64 > /home/bs/tor/hidden_service_v3/hs_ed25519_secret_key.enc
+  - systemctl enable tor.service
+  - systemctl enable decrypt.service
+  - systemctl start decrypt.service
+  - systemctl start tor.service
+  - systemctl enable node-exporter.service
+  - systemctl start node-exporter.service
--- a/terraform/modules/tor/data.tf
+++ b/terraform/modules/tor/data.tf
@ -0,0 +1,31 @@
+data "google_compute_network" "default" {
+  name = "default"
+}
+
+data "template_file" "tor" {
+  template = "${file("${path.module}/cloud-init/tor.yaml")}"
+
+  vars {
+    tor_lb  = "${var.tor_lb}"
+    v3_host = "${var.onion_host}"
+    v3_pk   = "${file("${path.module}/v3.pk")}"
+    v3_pubk = "${file("${path.module}/v3.pubk")}"
+
+    tor_docker           = "${var.tor_docker}"
+    gcloud_docker        = "${var.gcloud_docker}"
+    node_exporter_docker = "${var.node_exporter_docker}"
+    kms_key              = "${var.kms_key}"
+    kms_key_ring         = "${var.kms_key_ring}"
+    kms_location         = "${var.region}"
+  }
+}
+
+data "template_cloudinit_config" "tor" {
+  gzip          = false
+  base64_encode = false
+
+  part {
+    content_type = "text/cloud-config"
+    content      = "${data.template_file.tor.rendered}"
+  }
+}
--- a/terraform/modules/tor/firewall.tf
+++ b/terraform/modules/tor/firewall.tf
@ -0,0 +1,37 @@
+resource "google_compute_firewall" "tor-healthcheck" {
+  name    = "${var.name}-healthcheck"
+  network = "${data.google_compute_network.default.self_link}"
+
+  count = "${var.create_resources}"
+
+  allow {
+    protocol = "tcp"
+    ports    = ["9050"]
+  }
+
+  source_ranges = ["130.211.0.0/22", "35.191.0.0/16", "10.0.0.0/8"]
+
+  target_service_accounts = [
+    "${google_service_account.tor.email}",
+  ]
+}
+
+resource "google_compute_firewall" "prom-traffic" {
+  name    = "${var.name}-prometheus-access"
+  network = "${data.google_compute_network.default.self_link}"
+
+  count = "${var.create_resources}"
+
+  allow {
+    protocol = "tcp"
+    ports    = ["9100"]
+  }
+
+  source_service_accounts = [
+    "${var.prom_service_acct}",
+  ]
+
+  target_service_accounts = [
+    "${google_service_account.tor.email}",
+  ]
+}
--- a/terraform/modules/tor/iam.tf
+++ b/terraform/modules/tor/iam.tf
@ -0,0 +1,25 @@
+resource "google_service_account" "tor" {
+  account_id   = "${var.name}"
+  display_name = "${var.name}"
+
+  count = "${var.create_resources}"
+}
+
+resource "google_project_iam_member" "tor" {
+  project = "${var.project}"
+  role    = "roles/editor"
+  member  = "serviceAccount:${google_service_account.tor.email}"
+
+  count = "${var.create_resources}"
+}
+
+resource "google_kms_crypto_key_iam_binding" "crypto-key" {
+  crypto_key_id = "${var.kms_key_link}"
+  role          = "roles/cloudkms.cryptoKeyDecrypter"
+
+  count = "${var.create_resources}"
+
+  members = [
+    "serviceAccount:${google_service_account.tor.email}",
+  ]
+}
--- a/terraform/modules/tor/main.tf
+++ b/terraform/modules/tor/main.tf
@ -0,0 +1,73 @@
+resource "google_compute_health_check" "tor" {
+  name               = "${var.name}-health-check"
+  timeout_sec        = 5
+  check_interval_sec = 10
+
+  count = "${var.create_resources}"
+
+  tcp_health_check {
+    port = "9050"
+  }
+}
+
+resource "google_compute_region_instance_group_manager" "tor" {
+  name   = "${var.name}-ig"
+  count  = "${var.create_resources}"
+  region = "${var.region}"
+
+  base_instance_name = "${var.name}"
+  instance_template  = "${google_compute_instance_template.tor.self_link}"
+  target_size        = 1
+
+  auto_healing_policies {
+    health_check      = "${google_compute_health_check.tor.self_link}"
+    initial_delay_sec = "120"
+  }
+}
+
+resource "google_compute_instance_template" "tor" {
+  name_prefix  = "${var.name}-template-"
+  description  = "This template is used to create ${var.name} instances."
+  machine_type = "${var.tor_instance_type}"
+  count        = "${var.create_resources}"
+
+  labels {
+    type    = "tor"
+    name    = "${var.name}"
+    network = "${var.network}"
+  }
+
+  disk {
+    source_image = "${var.boot_image}"
+    boot         = true
+    auto_delete  = true
+    disk_type    = "pd-ssd"
+    device_name  = "boot"
+    disk_size_gb = "20"
+  }
+
+  network_interface {
+    network = "${data.google_compute_network.default.self_link}"
+
+    access_config {}
+  }
+
+  metadata {
+    google-logging-enabled = "true"
+    "user-data"            = "${data.template_cloudinit_config.tor.rendered}"
+  }
+
+  service_account {
+    email = "${google_service_account.tor.email}"
+
+    scopes = [
+      "https://www.googleapis.com/auth/cloudkms",
+      "compute-ro",
+      "storage-ro",
+    ]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
--- a/terraform/modules/tor/v3.pk
+++ b/terraform/modules/tor/v3.pk
@ -0,0 +1 @@
+overwritten_by_ci
--- a/terraform/modules/tor/v3.pubk
+++ b/terraform/modules/tor/v3.pubk
@ -0,0 +1 @@
+overwritten_by_ci
--- a/terraform/modules/tor/variables.tf
+++ b/terraform/modules/tor/variables.tf
@ -0,0 +1,70 @@
+variable "boot_image" {
+  type    = "string"
+  default = "cos-cloud/cos-stable"
+}
+
+variable "region" {
+  type = "string"
+}
+
+variable "project" {
+  type = "string"
+}
+
+variable "name" {
+  type = "string"
+}
+
+variable "network" {
+  type    = "string"
+  default = "default"
+}
+
+variable "zone" {
+  type = "string"
+}
+
+variable "tor_instance_type" {
+  type = "string"
+}
+
+variable "tor_lb" {
+  type = "string"
+}
+
+variable "onion_host" {
+  type = "string"
+}
+
+variable "create_resources" {
+  type = "string"
+}
+
+variable "prom_service_acct" {
+  type = "string"
+}
+
+variable "kms_key_link" {
+  type = "string"
+}
+
+variable "kms_key" {
+  type = "string"
+}
+
+variable "kms_key_ring" {
+  type    = "string"
+  default = ""
+}
+
+variable "tor_docker" {
+  type = "string"
+}
+
+variable "node_exporter_docker" {
+  type = "string"
+}
+
+variable "gcloud_docker" {
+  type = "string"
+}
--- a/terraform/network-tor.tf
+++ b/terraform/network-tor.tf
@ -0,0 +1,87 @@
+resource "google_compute_global_address" "tor-lb" {
+  name    = "${var.name}-lb"
+  project = "${var.project}"
+  count   = "${local.create_misc}"
+}
+
+resource "google_compute_global_forwarding_rule" "tor-rule" {
+  name        = "${var.name}-forwarding-rule"
+  target      = "${google_compute_target_http_proxy.tor-proxy.self_link}"
+  port_range  = "80"
+  ip_protocol = "TCP"
+  ip_address  = "${google_compute_global_address.tor-lb.address}"
+
+  count = "${local.create_misc}"
+}
+
+resource "google_compute_target_http_proxy" "tor-proxy" {
+  name    = "${var.name}-http-proxy"
+  url_map = "${google_compute_url_map.tor-proxy.self_link}"
+
+  count = "${local.create_misc}"
+}
+
+resource "google_compute_url_map" "tor-proxy" {
+  name            = "${var.name}-urlmap"
+  default_service = "${google_compute_backend_bucket.tor_deadhole_backend.self_link}"
+
+  count = "${local.create_misc}"
+
+  host_rule {
+    hosts        = ["*"]
+    path_matcher = "deadpaths"
+  }
+
+  path_matcher {
+    name            = "deadpaths"
+    default_service = "${google_compute_backend_bucket.tor_deadhole_backend.self_link}"
+
+    path_rule {
+      paths   = ["/*"]
+      service = "${google_compute_backend_bucket.tor_deadhole_backend.self_link}"
+    }
+  }
+
+  host_rule {
+    hosts        = ["${var.onion_host}"]
+    path_matcher = "allpaths"
+  }
+
+  path_matcher {
+    name            = "allpaths"
+    default_service = "${data.terraform_remote_state.blc-prod.blc_backend_service}"
+
+    path_rule {
+      paths   = ["/*"]
+      service = "${data.terraform_remote_state.blc-prod.blc_backend_service}"
+    }
+  }
+
+  test {
+    service = "${data.terraform_remote_state.blc-prod.blc_backend_service}"
+    host    = "${var.onion_host}"
+    path    = "/api"
+  }
+
+  test {
+    service = "${google_compute_backend_bucket.tor_deadhole_backend.self_link}"
+    host    = "${google_compute_global_address.tor-lb.address}"
+    path    = "/api"
+  }
+}
+
+resource "google_compute_backend_bucket" "tor_deadhole_backend" {
+  name        = "${var.name}-deadhole-backend-bucket"
+  description = "Unmatched hosts end up in this deadhole"
+  bucket_name = "${google_storage_bucket.tor_deadhole.name}"
+  enable_cdn  = false
+
+  count = "${local.create_misc}"
+}
+
+resource "google_storage_bucket" "tor_deadhole" {
+  name     = "${var.name}-deadhole-bucket"
+  location = "US"
+
+  count = "${local.create_misc}"
+}
--- a/terraform/output.tf
+++ b/terraform/output.tf
@ -0,0 +1,3 @@
+output "blc_backend_service" {
+  value = "${module.blc.backend_service}"
+}
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@ -1,15 +1,38 @@
 locals {
  context_variables = {
    "staging" = {
-      env = "staging"
+      env             = "staging"
+      create_satapi   = 1
+      create_misc     = 0
+      create_builders = 0
    }

    "prod" = {
-      env = "prod"
+      env             = "prod"
+      create_satapi   = 1
+      create_misc     = 0
+      create_builders = 0
+    }
+
+    "misc" = {
+      env             = ""
+      create_misc     = 1
+      create_satapi   = 0
+      create_builders = 0
+    }
+
+    "builders" = {
+      env             = ""
+      create_builders = 1
+      create_satapi   = 0
+      create_misc     = 0
    }
  }

-  env = "${lookup(local.context_variables[terraform.workspace], "env")}"
+  env             = "${lookup(local.context_variables[terraform.workspace], "env")}"
+  create_satapi   = "${lookup(local.context_variables[terraform.workspace], "create_satapi")}"
+  create_misc     = "${lookup(local.context_variables[terraform.workspace], "create_misc")}"
+  create_builders = "${lookup(local.context_variables[terraform.workspace], "create_builders")}"
 }

 variable "project" {
@ -17,6 +40,16 @@ variable "project" {
  default = "blockstream-store"
 }

+variable "name" {
+  type    = "string"
+  default = "satapi-tor"
+}
+
+variable "create_resources" {
+  type    = "string"
+  default = ""
+}
+
 variable "ssl_cert" {
  type    = "string"
  default = ""
@ -37,6 +70,11 @@ variable "host" {
  default = ""
 }

+variable "onion_host" {
+  type    = "string"
+  default = ""
+}
+
 variable "region" {
  type    = "string"
  default = ""
@ -52,6 +90,11 @@ variable "instance_type" {
  default = ""
 }

+variable "tor_instance_type" {
+  type    = "string"
+  default = ""
+}
+
 variable "timeout" {
  type    = "string"
  default = 15
@ -98,3 +141,13 @@ variable "charge_docker" {
  type    = "string"
  default = "us.gcr.io/blockstream-store/charged@sha256:669893e02a14863f469498a40626e46de3ec67ff2ee4d7443cd56bc6ba3a8f3a"
 }
+
+variable "tor_docker" {
+  type    = "string"
+  default = "blockstream/gcloud-tor@sha256:be56a33b3010ac4c85037899714979bb4eb6c15fe85114bd009501750320617f"
+}
+
+variable "gcloud_docker" {
+  type    = "string"
+  default = "google/cloud-sdk@sha256:b0d0555efef6a566f42fc4f0d89be9e1d74aff4565e27bbd206405f759d3f2b0"
+}