From 115112552bbe3bffd5cd6a27a1fa2ad06f61c77f Mon Sep 17 00:00:00 2001 From: wander Date: Fri, 6 Feb 2026 23:45:30 -0500 Subject: [PATCH 1/8] attempt to make this work for podman and docker --- assets/entrypoint.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/assets/entrypoint.sh b/assets/entrypoint.sh index 5d2aff0..d924a65 100755 --- a/assets/entrypoint.sh +++ b/assets/entrypoint.sh @@ -122,7 +122,15 @@ fi # 4. Ownership Fix (Crucial for Docker volumes) mkdir -p "$DATA_DIR/hidden_service/" -chown -R tor:root "$DATA_DIR" +# Ensure the current user owns the data directory (Fix for Podman/Docker permission mismatch) +if [ "$(id -u)" = "0" ]; then + chown -R tor:root "$DATA_DIR" +else + # Non-root (e.g. Podman rootless or user:1000), we just hope we have write access + # or that the volume was mounted with correct permissions. + # But let's try to be helpful if we are root-ish. + : +fi chmod 700 "$DATA_DIR" chmod 700 "$DATA_DIR/hidden_service/" From 775078870896cde3921af584e65554aae11a8df9 Mon Sep 17 00:00:00 2001 From: wander Date: Sat, 7 Feb 2026 00:09:16 -0500 Subject: [PATCH 2/8] Rename volume to tor-data-new to force permission reset --- docker-compose.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index f1ced55..c2c6dc0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,10 +10,10 @@ services: - HIDDEN_SERVICE_HOSTS=80:web:80 - TOR_CONTROL_PASSWORD=secure_password ports: - - "9051:9051" - - "9050:9050" + - "9051:9051" + - "9050:9050" volumes: - - tor-data:/var/lib/tor/ + - tor-data-new:/var/lib/tor/:Z depends_on: - web @@ -34,7 +34,7 @@ services: depends_on: - tor volumes: - - tor-data:/var/lib/tor/ + - tor-data-new:/var/lib/tor/:Z volumes: - tor-data: + tor-data-new: From deebc86b2f071f456022e5209f52056cf24a1188 Mon Sep 17 00:00:00 2001 
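Review bot: The `else` branch added around the ownership fix is a no-op (`:`), so when the entrypoint runs unprivileged nothing verifies that `$DATA_DIR` is actually writable, and the unconditional `chmod 700` lines that follow will fail on a directory owned by another uid (silently, unless `set -e` is active above this hunk). Replace the no-op with an explicit check so the problem is reported at the point it occurs rather than as a later Tor startup error: `elif [ ! -w "$DATA_DIR" ]; then echo "ERROR: $DATA_DIR is not writable by uid $(id -u)" >&2; exit 1`. Whether Tor later also requires ownership of the directory (not just write access) is not visible in this hunk; if it does, say so in the comment instead of `we just hope we have write access`. The comment `But let's try to be helpful if we are root-ish` describes code that isn't there and should go.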
From: wander Date: Sat, 7 Feb 2026 00:11:18 -0500 Subject: [PATCH 3/8] Fix SELinux label from :Z (private) to :z (shared) --- docker-compose.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index c2c6dc0..9a7a4e0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -13,7 +13,7 @@ services: - "9051:9051" - "9050:9050" volumes: - - tor-data-new:/var/lib/tor/:Z + - tor-data-new:/var/lib/tor/:z depends_on: - web @@ -28,13 +28,14 @@ services: build: . image: docker-tor-hidden-service:latest container_name: vanguards-sidecar + user: "0:0" restart: unless-stopped # The 'vanguards' first word triggers the logic in your entrypoint.sh command: vanguards --control_ip tor-service --control_port 9051 --control_pass secure_password depends_on: - tor volumes: - - tor-data-new:/var/lib/tor/:Z + - tor-data-new:/var/lib/tor/:z volumes: tor-data-new: From 017b76f1361a1f67439b58e4f84913ad0c3ccc45 Mon Sep 17 00:00:00 2001 From: wander Date: Sat, 7 Feb 2026 00:15:13 -0500 Subject: [PATCH 4/8] Switch to bind mount ./tor-data for absolute permission control --- docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 9a7a4e0..dc39467 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -13,7 +13,7 @@ services: - "9051:9051" - "9050:9050" volumes: - - tor-data-new:/var/lib/tor/:z + - ./tor-data:/var/lib/tor/:z depends_on: - web @@ -35,7 +35,7 @@ services: depends_on: - tor volumes: - - tor-data-new:/var/lib/tor/:z + - ./tor-data:/var/lib/tor/:z volumes: tor-data-new: From a369dd48a4ac22ad420e866e7f11883a41052fd7 Mon Sep 17 00:00:00 2001 From: wander Date: Sat, 7 Feb 2026 00:26:21 -0500 Subject: [PATCH 5/8] Enable network_mode: host to fix connectivity issues --- docker-compose.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index dc39467..ddc252f 100644 
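Review bot: `user: "0:0"` on vanguards-sidecar makes the sidecar run as root inside the container, apparently to get at the shared volume, although its only job is to speak to the control port; a uid mismatch is better fixed by matching the tor user's uid in `user:` (or, on rootless Podman, with a keep-id user namespace) than by granting root. If root really is required, document why at that line, e.g. `# root only so the sidecar can read the shared tor-data volume; revisit once uid mapping is fixed`. The `:z` shared label is the right choice for a directory mounted into two containers.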
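Review bot: The bind mount `./tor-data:/var/lib/tor/:z` places the hidden service's private key material under the project directory, right next to docker-compose.yml, so it is one `git add .` away from being committed; add `tor-data/` to .gitignore in the same change and state the intent at the mount line (`# host dir holds the onion private key; keep it out of VCS`). The top-level `volumes: tor-data-new:` declaration left as context at the end of the second hunk is no longer referenced by either service after this change and should be removed. Both hunks of this patch carry the same mount, so the comment belongs on both.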
--- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,14 +4,18 @@ services: build: . image: docker-tor-hidden-service:latest container_name: tor-service + user: "0:0" restart: unless-stopped + network_mode: host environment: # Format: ExternalPort:ContainerName:InternalPort - - HIDDEN_SERVICE_HOSTS=80:web:80 + # Since we are on host network, 'web' hostname won't resolve via Docker DNS. + # We must point to localhost if nginx is also on host network. + - HIDDEN_SERVICE_HOSTS=80:localhost:80 - TOR_CONTROL_PASSWORD=secure_password - ports: - - "9051:9051" - - "9050:9050" + # ports: <-- Not needed in host mode + # - "9051:9051" + # - "9050:9050" volumes: - ./tor-data:/var/lib/tor/:z depends_on: @@ -22,6 +26,7 @@ services: image: nginx:alpine container_name: my-website restart: unless-stopped + network_mode: host # Vanguards Service - Sidecar vanguards: @@ -30,8 +35,10 @@ services: container_name: vanguards-sidecar user: "0:0" restart: unless-stopped + network_mode: host # The 'vanguards' first word triggers the logic in your entrypoint.sh - command: vanguards --control_ip tor-service --control_port 9051 --control_pass secure_password + # Connect to localhost since we share the network stack + command: vanguards --control_ip localhost --control_port 9051 --control_pass secure_password depends_on: - tor volumes: From f87ec7af08e1e5f1a0b7c8ffb10fab8384e56efb Mon Sep 17 00:00:00 2001 From: wander Date: Sat, 7 Feb 2026 00:30:14 -0500 Subject: [PATCH 6/8] Security Fix: Bind ControlPort to 127.0.0.1 for host network mode --- assets/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/entrypoint.sh b/assets/entrypoint.sh index d924a65..a8c41e0 100755 --- a/assets/entrypoint.sh +++ b/assets/entrypoint.sh 
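Review bot: `network_mode: host` removes the network namespace for tor-service, so every port Tor listens on is now bound on the host's real interfaces rather than only the two that were previously published; commenting out `ports:` hides the exposure rather than limiting it. PATCH 6 moves the ControlPort to 127.0.0.1, but the SocksPort that used to be published on 9050 is not touched anywhere in this series, so if the generated torrc binds it to 0.0.0.0 it is now reachable from the host's network — confirm and bind it to loopback as well. The same switch is applied to the nginx and vanguards hunks below; a comment at each `network_mode: host` line saying why host networking is needed and what it exposes would help the next reader, e.g. `# host networking: every listener binds host interfaces, keep them on 127.0.0.1`. `user: "0:0"` here also runs the tor container as root; PATCH 1 uses root only for the chown, and whether Tor drops privileges afterwards is not visible in this series, so note it at that line.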
@@ -72,7 +72,7 @@ if [ -n "$TOR_CONTROL_PASSWORD" ]; then exit 1 fi - echo "ControlPort 0.0.0.0:9051" >> "$TOR_CONFIG" + echo "ControlPort 127.0.0.1:9051" >> "$TOR_CONFIG" echo "HashedControlPassword $HASHED_PASSWORD" >> "$TOR_CONFIG" echo "Control Password set." else From 13163d39f730d03ad878b9e926c5089fd36db360 Mon Sep 17 00:00:00 2001 From: wander Date: Sat, 7 Feb 2026 00:37:13 -0500 Subject: [PATCH 7/8] Fix Vanguards wait loop to respect --control_ip arg --- assets/entrypoint.sh | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/assets/entrypoint.sh b/assets/entrypoint.sh index a8c41e0..aafd57e 100755 --- a/assets/entrypoint.sh +++ b/assets/entrypoint.sh @@ -7,10 +7,21 @@ if [ "$1" = "vanguards" ]; then echo "Starting Vanguards Sidecar Mode..." shift # remove 'vanguards' from the arguments - # Extract the hostname from the arguments? - # For now, we assume 'tor-service' as per the standard docker-compose setup - TARGET_HOST="tor-service" + # Extract TARGET_HOST from arguments (looking for --control_ip) + TARGET_HOST="tor-service" # Default fallback TARGET_PORT=9051 + + # Simple argument parsing to find control_ip + next_is_ip=0 + for arg in "$@"; do + if [ "$next_is_ip" -eq 1 ]; then + TARGET_HOST="$arg" + next_is_ip=0 + fi + if [ "$arg" = "--control_ip" ]; then + next_is_ip=1 + fi + done echo "Waiting for Tor Control Port at $TARGET_HOST:$TARGET_PORT..." # Use Python to wait for the port (more reliable than Alpine's nc) From a15bd524a0923d117cf88adefb49c206b4c87eaf Mon Sep 17 00:00:00 2001 From: wander Date: Sat, 7 Feb 2026 02:47:42 -0500 Subject: [PATCH 8/8] Configure Nginx Reverse Proxy for Netbird Forwarding --- docker-compose.yml | 2 ++ nginx/default.conf | 24 ++++++++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 nginx/default.conf diff --git a/docker-compose.yml b/docker-compose.yml index ddc252f..3d228aa 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
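Review bot: Binding the ControlPort to 127.0.0.1 is the right fix, but it silently couples the Tor container to the host-network layout: a deployment that returns to bridge networking leaves the vanguards sidecar unable to reach the port, with only a wait-loop timeout as the symptom. Record that at the changed line, `# loopback only: a control-port client must share this network namespace (host mode or network_mode: service:tor)`. If both layouts need support, make the bind address an env override with the safe default, `echo "ControlPort ${TOR_CONTROL_BIND:-127.0.0.1}:9051" >> "$TOR_CONFIG"`. The enclosing `if [ -n "$TOR_CONTROL_PASSWORD" ]` block starts before this hunk.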
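Review bot: The new loop recovers `--control_ip` but leaves `TARGET_PORT=9051` hard-coded, although the same command line passes `--control_port`; if the two ever differ the wait loop polls a port Tor never opens and the sidecar then starts against the wrong one. It also recognises only the `--control_ip VALUE` spelling, so `--control_ip=VALUE` (accepted if vanguards uses a standard argparse parser — verify) falls through to the default. Parsing both options in both spellings, without consuming `"$@"`, keeps the later hand-off to vanguards intact; the rewrite is below. The enclosing `if [ "$1" = "vanguards" ]` block starts before this hunk and continues after it.
```shell
    # Recover the control endpoint from the vanguards arguments, in both the
    # "--opt VALUE" and "--opt=VALUE" spellings; "$@" is left untouched for the hand-off.
    TARGET_HOST="tor-service"  # Default fallback
    TARGET_PORT=9051
    prev_arg=""
    for arg in "$@"; do
        case "$prev_arg" in
            --control_ip) TARGET_HOST="$arg" ;;
            --control_port) TARGET_PORT="$arg" ;;
        esac
        case "$arg" in
            --control_ip=*) TARGET_HOST="${arg#*=}" ;;
            --control_port=*) TARGET_PORT="${arg#*=}" ;;
        esac
        prev_arg="$arg"
    done
    # … unchanged: "Waiting for Tor Control Port" message and Python wait loop …
```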
@@ -27,6 +27,8 @@ services: container_name: my-website restart: unless-stopped network_mode: host + volumes: + - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro # Vanguards Service - Sidecar vanguards: diff --git a/nginx/default.conf b/nginx/default.conf new file mode 100644 index 0000000..6ee82e5 --- /dev/null +++ b/nginx/default.conf @@ -0,0 +1,24 @@ +server { + listen 80; + server_name localhost; + + # Basic error logging + error_log /var/log/nginx/error.log warn; + + location / { + # CHANGE THIS to your actual Netbird Service IP and Port + # Example: proxy_pass http://100.64.0.10:5000; + proxy_pass http://100.x.x.x:5000; + + # Standard Proxy Headers required for most apps + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # WebSocket Support (if needed later) + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +}
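Review bot: `listen 80;` in a container that runs with `network_mode: host` (the compose hunk above) binds port 80 on every host interface, while the only intended client is the local Tor daemon, which PATCH 5 points at `localhost:80`; `listen 127.0.0.1:80;` keeps the site reachable solely through the onion service instead of also serving it in the clear on the host's network. The `proxy_pass http://100.x.x.x:5000;` placeholder is not a resolvable host, and nginx resolves a static proxy_pass name when it loads the configuration, so the stack as committed should fail at nginx startup until that value is edited — worth saying in the comment (`# nginx will not start until this is set`) or reading the target from an environment-templated file. Forwarding `X-Real-IP`/`X-Forwarded-For` is harmless here, since every connection arrives from Tor on loopback.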