From b0a7d4aea1271d4942612665768b6052615e3f3e Mon Sep 17 00:00:00 2001
From: wander
Date: Thu, 5 Feb 2026 21:54:18 -0500
Subject: [PATCH] add multi-arch support, and decouple vanguards
---
Dockerfile | 95 +++++++++++++++++--------------------------
assets/entrypoint.sh | 25 ++++++++++++
docker-build.sh | 15 +++++++
docker-compose.yml | 35 ++++++++++++++++
requirements.txt | 9 +++++
setup.py | 14 +++++++
6 files changed, 135 insertions(+), 58 deletions(-)
create mode 100755 assets/entrypoint.sh
create mode 100755 docker-build.sh
create mode 100644 docker-compose.yml
create mode 100644 requirements.txt
create mode 100644 setup.py
diff --git a/Dockerfile b/Dockerfile
index fa44cc0..22ea00d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,68 +1,47 @@
-FROM python:3.10-alpine
+FROM python:3.11-alpine
-# if omitted, the versions are determined from the git tags
-ARG tor_version
-ARG torsocks_version
+ENV HOME=/var/lib/tor
+ENV VANGUARDS_CONFIG=/etc/tor/vanguards.conf
-ENV HOME /var/lib/tor
-ENV POETRY_VIRTUALENVS_CREATE=false
+# Install runtime dependencies
+# tor and torsocks are available in Alpine edge/community repos
+RUN apk add --no-cache \
+ tor \
+ torsocks \
+ libevent \
+ openssl \
+ ca-certificates \
+ libffi \
+ && mkdir -p /var/lib/tor/hidden_service/ \
+ && chown -R tor:root /var/lib/tor
-RUN apk add --no-cache git bind-tools cargo libevent-dev openssl-dev gnupg gcc make automake ca-certificates autoconf musl-dev coreutils libffi-dev zlib-dev && \
- mkdir -p /usr/local/src/ /var/lib/tor/ && \
- git clone https://git.torproject.org/tor.git /usr/local/src/tor && \
- cd /usr/local/src/tor && \
- TOR_VERSION=${tor_version=$(git tag | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -1)} && \
- git checkout tor-$TOR_VERSION && \
- ./autogen.sh && \
- ./configure \
- --disable-asciidoc \
- --sysconfdir=/etc \
- --disable-unittests && \
- make && make install && \
- cd .. && \
- rm -rf tor && \
- pip3 install --upgrade pip poetry && \
- apk del git libevent-dev openssl-dev gnupg cargo make automake autoconf musl-dev coreutils libffi-dev && \
- apk add --no-cache libevent openssl
+WORKDIR /usr/local/src/onions
-RUN apk add --no-cache git gcc make automake autoconf musl-dev libtool && \
- git clone https://git.torproject.org/torsocks.git /usr/local/src/torsocks && \
- cd /usr/local/src/torsocks && \
- TORSOCKS_VERSION=${torsocks_version=$(git tag | grep -oE 'v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -1)} && \
- git checkout $TORSOCKS_VERSION && \
- ./autogen.sh && \
- ./configure && \
- make && make install && \
- cd .. && \
- rm -rf torsocks && \
- apk del git gcc make automake autoconf musl-dev libtool
+# Install Python dependencies
+COPY requirements.txt .
+RUN apk add --no-cache --virtual .build-deps \
+ build-base \
+ openssl-dev \
+ libffi-dev \
+ cargo \
+ && pip install --no-cache-dir -r requirements.txt \
+ && apk del .build-deps
-RUN mkdir -p /etc/tor/
+# Install application
+COPY setup.py .
+COPY onions onions/
+RUN pip install --no-cache-dir .
-COPY pyproject.toml /usr/local/src/onions/
+# Copy configuration and entrypoint
+COPY assets/entrypoint-config.yml /entrypoint-config.yml
+COPY assets/torrc /var/local/tor/torrc.tpl
+COPY assets/vanguards.conf.tpl /var/local/tor/vanguards.conf.tpl
+COPY assets/entrypoint.sh /entrypoint.sh
-RUN cd /usr/local/src/onions && apk add --no-cache openssl-dev libffi-dev gcc libc-dev && \
- poetry install --no-dev --no-root && \
- apk del libffi-dev gcc libc-dev openssl-dev
+RUN chmod +x /entrypoint.sh
-COPY onions /usr/local/src/onions/onions
-COPY poetry.lock /usr/local/src/onions/
-RUN cd /usr/local/src/onions && apk add --no-cache gcc libc-dev && \
- poetry install --no-dev && \
- apk del gcc libc-dev
+VOLUME ["/var/lib/tor/hidden_service/"]
-RUN mkdir -p ${HOME}/.tor && \
- addgroup -S -g 107 tor && \
- adduser -S -G tor -u 104 -H -h ${HOME} tor
+ENTRYPOINT ["/entrypoint.sh"]
-COPY assets/entrypoint-config.yml /
-COPY assets/torrc /var/local/tor/torrc.tpl
-COPY assets/vanguards.conf.tpl /var/local/tor/vanguards.conf.tpl
-
-ENV VANGUARDS_CONFIG /etc/tor/vanguards.conf
-
-VOLUME ["/var/lib/tor/hidden_service/"]
-
-ENTRYPOINT ["pyentrypoint"]
-
-CMD ["tor"]
+CMD ["tor"]
diff --git a/assets/entrypoint.sh b/assets/entrypoint.sh
new file mode 100755
index 0000000..09c7325
--- /dev/null
+++ b/assets/entrypoint.sh
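Review bot: The `chown -R tor:root /var/lib/tor` in the runtime `RUN` now depends on whatever `tor` account the Alpine package creates, while the `addgroup -S -g 107 tor && adduser -S -G tor -u 104 -H -h ${HOME} tor` lines that pinned those ids are removed; the package is unlikely to pick 104/107, so files on an existing `/var/lib/tor/hidden_service/` volume written by the previous image will be owned by a foreign uid, and if Tor runs as `tor` (as the chown suggests) it will refuse the directory or fail to read the existing key. If the package's pre-install script tolerates an existing account (typical for Alpine, but confirm), creating it first keeps old volumes usable: `RUN addgroup -S -g 107 tor && adduser -S -G tor -u 104 -H -h ${HOME} tor` placed before the `apk add`; otherwise document the one-off `chown` migration. The comment `# tor and torsocks are available in Alpine edge/community repos` is also misleading since no edge repository is added, so the Tor version now tracks the base image's stable Alpine release rather than the upstream tag the removed `ARG tor_version` selected; stating that trade-off in the comment would help operators who rely on fast Tor security releases. The hunk covers the whole file.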
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Defaults
+ENABLE_VANGUARDS=${ENABLE_VANGUARDS:-true}
+ENABLE_TOR=${ENABLE_TOR:-true}
+
+# If user specifically requests to disable Vanguards
+if [ "$ENABLE_VANGUARDS" = "false" ]; then
+ echo "Disabling Vanguards service..."
+ sed -i '/- vanguards/d' /entrypoint-config.yml
+fi
+
+# If user specifically requests to disable Tor (e.g. for sidecar mode)
+if [ "$ENABLE_TOR" = "false" ]; then
+ echo "Disabling Tor service..."
+ sed -i '/- tor/d' /entrypoint-config.yml
+
+ # In sidecar mode, we don't want to auto-resolve the control port using local defaults.
+ # We remove the line that sets TOR_CONTROL_PORT via 'onions --resolve-control-port'
+ # so that the environment variable passed to the container is preserved.
+ sed -i '/TOR_CONTROL_PORT: onions --resolve-control-port/d' /entrypoint-config.yml
+fi
+
+# Pass control to pyentrypoint
+exec pyentrypoint "$@"
diff --git a/docker-build.sh b/docker-build.sh
new file mode 100755
index 0000000..21414f4
--- /dev/null
+++ b/docker-build.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+# Build script for multi-architecture support
+# Requires docker buildx enabled
+
+IMAGE_NAME="cmehay/docker-tor-hidden-service"
+TAG="latest"
+
+echo "Building multi-arch image (linux/amd64, linux/arm64)..."
+
+# Note: To push to a registry, add '--push' and ensure you are logged in.
+# For local testing, you might need to build for a single arch or use '--load' (single arch).
+docker buildx build \
+ --platform linux/amd64,linux/arm64 \
+ -t "${IMAGE_NAME}:${TAG}" \
+ .
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..f07e720
--- /dev/null
+++ b/docker-compose.yml
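Review bot: The `sed -i '/- tor/d'` and `sed -i '/- vanguards/d'` lines delete every line of `/entrypoint-config.yml` containing those substrings, so a `- torsocks`-style entry or a comment mentioning `- tor` would be removed as well; anchoring to the list item, `sed -i '/^[[:space:]]*- tor[[:space:]]*$/d'` (likewise for vanguards), limits the edit to the intended service entry. The config file's layout is not in this diff, so the anchors should be checked against it. The script has no `set -eu`, so if a `sed` fails the branch still falls through to `exec pyentrypoint "$@"` and both services start although the operator asked to disable one — a fail-open that `set -eu` after the shebang turns into a visible startup failure. Only the literal string `false` disables a service, so `ENABLE_TOR=0` or `no` silently runs Tor in what was meant to be sidecar mode; either document that or accept the common variants.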
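Review bot: The `docker buildx build` call passes neither `--push` nor `--load`, so the multi-platform result stays in the builder cache and `cmehay/docker-tor-hidden-service:latest` never appears in `docker images`; the comment acknowledges this, but the script as written produces nothing usable. Forwarding the caller's flags, `-t "${IMAGE_NAME}:${TAG}" "$@" .`, lets `./docker-build.sh --push` or `--load` work without editing the file. For a published image, adding `--provenance=true --sbom=true` and tagging the `setup.py` version alongside `latest` gives consumers something to verify and pin. Note the tag also differs from `docker-tor-hidden-service:latest` in `docker-compose.yml`, so compose will rebuild rather than reuse this image.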
@@ -0,0 +1,35 @@
+version: '3.8'
+
+services:
+ # Tor Service - Runs Tor only
+ tor:
+ build: .
+ image: docker-tor-hidden-service:latest
+ container_name: tor-service
+ restart: unless-stopped
+ environment:
+ - ENABLE_VANGUARDS=false
+ - TOR_CONTROL_PASSWORD=secure_password
+ # Expose control port on all interfaces for sidecar access
+ - TOR_CONTROL_PORT=0.0.0.0:9051
+ ports:
+ - "9051:9051" # Expose control port (ensure firewall protects this!)
+ volumes:
+ - tor-data:/var/lib/tor/hidden_service/
+
+ # Vanguards Service - Runs Vanguards only (Sidecar)
+ vanguards:
+ build: .
+ image: docker-tor-hidden-service:latest
+ container_name: vanguards-sidecar
+ restart: unless-stopped
+ environment:
+ - ENABLE_TOR=false
+ - TOR_CONTROL_PASSWORD=secure_password
+ - TOR_CONTROL_PORT=tor:9051
+ depends_on:
+ - tor
+ # network_mode: "service:tor" # Optional: if you want them to share network stack (localhost access)
+
+volumes:
+ tor-data:
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..c903757
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,9 @@
+cryptography>=3.4.7
+stem>=1.8.0
+PyYAML>=6.0
+vanguards>=0.3.1
+pyentrypoint>=0.8.0
+Jinja2>=3.0
+importlib-metadata>=4.0; python_version < "3.10"
+ipy>=1.00
+pytor>=0.1.9
diff --git a/setup.py b/setup.py
new file mode 100644
index 0000000..496cca3
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,14 @@
+from setuptools import setup, find_packages
+
+setup(
+ name='docker-tor-hidden-service',
+ version='0.7.1',
+ description='Display onion sites hosted',
+ author='Christophe Mehay',
+ packages=find_packages(),
+ entry_points={
+ 'console_scripts': [
+ 'onions=onions:main',
+ ],
+ },
+)
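Review bot: `ports: - "9051:9051"` publishes the Tor control port on every host interface, and Docker's published-port rules typically bypass ufw-style host INPUT rules, so the inline `ensure firewall protects this!` caveat is not something an operator can rely on; anyone reaching the host on 9051 with the password gets full control of the daemon (`SETCONF`, `ADD_ONION`), which for an onion service means deanonymisation or key-theft risk. The `vanguards` sidecar already reaches the daemon over the compose network as `TOR_CONTROL_PORT=tor:9051`, so the `ports:` block is unnecessary for the shown setup and should be removed, or at most bound to loopback as `- "127.0.0.1:9051:9051"`. `TOR_CONTROL_PASSWORD=secure_password` is a committed secret duplicated in both services; reference it once from an env file or compose secret, e.g. `- TOR_CONTROL_PASSWORD=${TOR_CONTROL_PASSWORD:?set in .env}`, so no value lives in the repository. `depends_on: - tor` orders container start only, not control-port readiness, so a `healthcheck` on `tor` (or a documented retry in the sidecar) is worth adding, since `restart: unless-stopped` will otherwise hide the initial connection failure as a restart loop.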
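Review bot: Every entry uses a `>=` floor with no upper bound and no hash, so the `pip install --no-cache-dir -r requirements.txt` step in the Dockerfile resolves to whatever the index serves at build time; the image is not reproducible across the two buildx platforms or across days, and a compromised or broken upstream release of any of these nine packages (or their transitive closure) is pulled in automatically. The previous Dockerfile copied `poetry.lock`, so this commit removes the only lockfile the image had. Pin exact versions (`cryptography==…`) and install with `--require-hashes`, generating the file with `pip-compile --generate-hashes` or exporting it from the Poetry lock. The `importlib-metadata>=4.0; python_version < "3.10"` marker is dead on the `python:3.11-alpine` base and can be dropped.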
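Review bot: `setup()` declares no `install_requires`, so the `pip install --no-cache-dir .` step in the Dockerfile produces a distribution whose metadata says it depends on nothing; `pip check` and SBOM tooling scanning the installed package will not attribute `stem`, `cryptography`, `PyYAML` or `vanguards` to `onions`, and the image only works because `requirements.txt` was installed in an earlier layer. Either add `install_requires=[...]` mirroring the runtime entries of `requirements.txt`, or put a comment above `setup(` such as `# dependencies are managed in requirements.txt; this package deliberately declares none` so the gap is intentional rather than an omission. `version='0.7.1'` is now a second place the version lives; a short comment naming where it is bumped from would avoid drift.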