Daniel Meier

Infrastructure, Linux, automation, and operational engineering

Running a Tor Exit Node on CentOS Stream 9 with Ansible

If you want to operate a Tor exit node properly, you should avoid doing it by hand.

You need a repeatable bootstrap, a hardened SSH configuration, a firewall that only exposes what you actually need, a local resolver, and a maintenance path that does not turn into improvisation after the first update cycle.

I still like CentOS Stream 9 for this kind of infrastructure work. I explained why in an earlier article here: Why I Continue To Advocate For CentOS Stream In Production Environments.

In this article, I will show a small Ansible setup that bootstraps a CentOS Stream 9 host, configures it as a Tor exit relay, adds a local Unbound resolver, hardens SSH, enables fail2ban, and gives you a minimal maintenance workflow.

All hostnames, IP addresses, nicknames, usernames and contact details below are sanitized examples, but the structure mirrors a real setup.

You Probably Want a Monorepo for Your Base Images

Most engineering teams do not start with an image governance problem.

They start with something humble: one Dockerfile for Python, one for Node.js, one for kubectl, maybe one for Maven or a Java runtime. Every repository looks small enough to be harmless. Then the small things start multiplying: slightly different labels, slightly different CI jobs, slightly different versioning schemes, slightly different ways to import internal certificate authorities, slightly different smoke tests, slightly different signing steps.

AES‑256 Is Enough. Your Secrets Workflow Isn’t

There is a strange little ritual in engineering teams.

Someone mentions encryption, someone else says “AES‑256,” and for a brief second the room relaxes. The magic number has been spoken. The vault door has appeared. The dragon is asleep.

Then the same team commits a decrypted .env file to Git. Or stores an age private key in a shared password note. Or lets CI print a production secret into a build log. Or keeps the only decryption key on one developer laptop, guarded by vibes, hope, and an unpaid backup plan.

The uncomfortable truth is this: AES‑256 is usually not the weak point. Your workflow is.

Routing All macOS Traffic Through the Tor Network

For certain tasks, I need to use macOS and sometimes prefer to route all my traffic through the Tor network. In this tutorial, I will guide you through the process.

While you can download and use the Tor Browser for enhanced anonymity, I find that simply routing traffic through Tor’s network suffices for my needs while maintaining a civilized workflow.

The Philosophical Dichotomy Between macOS and Linux

In the ongoing discourse surrounding operating systems, macOS and Linux occupy distinct philosophical and practical niches. Linux, with its open-source ethos, exemplifies adaptability and scalability. It operates seamlessly across commodity hardware, supports a diverse array of CPU architectures, and scales up to the formidable demands of supercomputing environments while also scaling down to function efficiently on cost-effective single-board computers (SBCs).