feat: making the script insta fail if off

2026-02-06 20:38:19 -05:00 · 2026-02-06 20:38:19 -05:00 · aa6ce865a7
commit aa6ce865a7
parent dd338125f0
3 changed files with 78 additions and 66 deletions
--- a/47
+++ b/47
@ -1,47 +1,22 @@
-FROM python:3.10-alpine
+FROM python:3.11-alpine
-ENV HOME=/var/lib/tor
+# Install Tor and build dependencies
-ENV VANGUARDS_CONFIG=/etc/tor/vanguards.conf
+# We keep python base image for potential Vanguards support later (which is python based), 
-
+# but for now we are simplifying the build.
 # Install runtime dependencies
 # tor and torsocks are available in Alpine edge/community repos
 RUN apk add --no-cache \
    tor \
-    torsocks \
+    curl \
-    libevent \
+    build-base \
-    openssl \
+    libffi-dev \
-    ca-certificates \
+    openssl-dev \
-    libffi \
+    grep \
    && mkdir -p /var/lib/tor/hidden_service/ \
    && chown -R tor:root /var/lib/tor
-WORKDIR /usr/local/src/onions
+# Copy our Magic Script
 # Install Python dependencies
 COPY requirements.txt .
 RUN apk add --no-cache --virtual .build-deps \
    build-base \
    openssl-dev \
    libffi-dev \
    cargo \
    && pip install --no-cache-dir -r requirements.txt \
    && apk del .build-deps
 # Install application
 COPY setup.py .
 COPY onions onions/
 RUN pip install --no-cache-dir .
 # Copy configuration and entrypoint
 COPY assets/entrypoint-config.yml /entrypoint-config.yml
 COPY assets/torrc /var/local/tor/torrc.tpl
 COPY assets/vanguards.conf.tpl /var/local/tor/vanguards.conf.tpl
 COPY assets/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
-VOLUME ["/var/lib/tor/hidden_service/"]
+# Set the Magic Script as the entrypoint
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["tor"]
--- a/assets/entrypoint.sh
+++ b/assets/entrypoint.sh
@ -1,28 +1,67 @@
 #!/bin/sh
 set -e
-# Defaults
+# --- Configuration ---
-ENABLE_VANGUARDS=${ENABLE_VANGUARDS:-true}
+TOR_CONFIG="/etc/tor/torrc"
-ENABLE_TOR=${ENABLE_TOR:-true}
+# Default to /var/lib/tor if not set
 DATA_DIR="${TOR_DATA_DIR:-/var/lib/tor}"
-# Sync with internal variable used by Onions.py
+echo "Starting Tor Configuration..."
 export TOR_ENABLE_VANGUARDS="$ENABLE_VANGUARDS"
-# If user specifically requests to disable Vanguards
+# 1. Reset the Config File
-if [ "$ENABLE_VANGUARDS" = "false" ]; then
+echo "DataDirectory $DATA_DIR" > "$TOR_CONFIG"
-    echo "Disabling Vanguards service..."
+echo "User tor" >> "$TOR_CONFIG"
-    sed -i '/- vanguards/d' /entrypoint-config.yml
+
 # 2. Handle Control Password (The Magic Hashing)
 if [ -n "$TOR_CONTROL_PASSWORD" ]; then
    echo "Hashing provided control password..."
    # Generate the hash using Tor itself
    HASHED_PASSWORD=$(tor --quiet --hash-password "$TOR_CONTROL_PASSWORD" | tail -n 1)
    if [ -z "$HASHED_PASSWORD" ]; then
        echo "Error: Failed to hash password."
        exit 1
    fi
    echo "ControlPort 0.0.0.0:9051" >> "$TOR_CONFIG"
    echo "HashedControlPassword $HASHED_PASSWORD" >> "$TOR_CONFIG"
    echo "Control Password set."
 else
    echo "Warning: No TOR_CONTROL_PASSWORD set. Control port disabled."
 fi
-# If user specifically requests to disable Tor (e.g. for sidecar mode)
+# 3. Handle Hidden Services (The Magic Parsing)
-if [ "$ENABLE_TOR" = "false" ]; then
+# Expected Format: "80:container_name:80 22:container_name:22"
-    echo "Disabling Tor service..."
+if [ -n "$HIDDEN_SERVICE_HOSTS" ]; then
-    sed -i '/- tor/d' /entrypoint-config.yml
+    echo "HiddenServiceDir $DATA_DIR/hidden_service/" >> "$TOR_CONFIG"
    echo "HiddenServiceVersion 3" >> "$TOR_CONFIG"
-    # In sidecar mode, we don't want to auto-resolve the control port using local defaults.
+    # Split the string by spaces
-    # We remove the line that sets TOR_CONTROL_PORT via 'onions --resolve-control-port'
+    for rule in $HIDDEN_SERVICE_HOSTS; do
-    # so that the environment variable passed to the container is preserved.
+        # Validate format: Port:Host:Port (using grep regex)
-    sed -i '/TOR_CONTROL_PORT: onions --resolve-control-port/d' /entrypoint-config.yml
+        if ! echo "$rule" | grep -qE '^[0-9]+:[a-zA-Z0-9.-]+:[0-9]+$'; then
            echo "CRITICAL ERROR: Invalid format in HIDDEN_SERVICE_HOSTS: '$rule'"
            echo "Expected format: ExternalPort:ContainerHost:InternalPort (e.g., 80:my-web:80)"
            exit 1
        fi
        # Extract parts
        EXT_PORT=$(echo "$rule" | cut -d: -f1)
        HOST=$(echo "$rule" | cut -d: -f2)
        INT_PORT=$(echo "$rule" | cut -d: -f3)
        echo "Adding Hidden Service Rule: Onion:$EXT_PORT -> $HOST:$INT_PORT"
        echo "HiddenServicePort $EXT_PORT $HOST:$INT_PORT" >> "$TOR_CONFIG"
    done
 else
    echo "Error: HIDDEN_SERVICE_HOSTS is empty. Tor has nothing to serve."
    exit 1
 fi
-# Pass control to pyentrypoint
+# 4. Ownership Fix (Crucial for Docker volumes)
-exec pyentrypoint "$@"
+mkdir -p "$DATA_DIR/hidden_service/"
 chown -R tor:root "$DATA_DIR"
 chmod 700 "$DATA_DIR"
 echo "Configuration successful. Starting Tor..."
 exec tor -f "$TOR_CONFIG"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,21 +1,20 @@
 version: '3.8'
 services:
-  # Tor Service - Runs Tor only
+  # Tor Service - Runs Tor with Strict Validation
  tor:
    build: .
    image: docker-tor-hidden-service:latest
    container_name: tor-service
    restart: unless-stopped
    environment:
-      - ENABLE_VANGUARDS=false
+      # Format: ExternalPort:ContainerName:InternalPort
      - HIDDEN_SERVICE_HOSTS=80:my-website:80
      - TOR_CONTROL_PASSWORD=secure_password
      # Expose control port on all interfaces for sidecar access
      - TOR_CONTROL_PORT=0.0.0.0:9051
    ports:
-      - "9051:9051" # Expose control port (ensure firewall protects this!)
+      - "9051:9051" # Expose control port
    volumes:
-      - tor-data:/var/lib/tor/hidden_service/
+      - tor-data:/var/lib/tor/
  # Vanguards Service - Runs Vanguards only (Sidecar)
  vanguards:
@ -23,13 +22,12 @@ services:
    image: docker-tor-hidden-service:latest
    container_name: vanguards-sidecar
    restart: unless-stopped
    command: vanguards --control_ip tor-service --control_port 9051 --control_pass secure_password
    environment:
-      - ENABLE_TOR=false
+      # Placeholder to ensure no tor starts here
-      - TOR_CONTROL_PASSWORD=secure_password
+      - HIDDEN_SERVICE_HOSTS=""
      - TOR_CONTROL_PORT=tor:9051
    depends_on:
      - tor
    # network_mode: "service:tor" # Optional: if you want them to share network stack (localhost access)
 volumes:
  tor-data: