Shard Tor hidden services across multiple daemons (#920)

getumbrel · Aug 20, 2021 · 576b608 · 576b608
1 parent a2676ff
commit 576b608
Show file tree

Hide file tree

Showing 8 changed files with 180 additions and 145 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -7,14 +7,33 @@ services:
                 user: toruser
                 restart: on-failure
                 volumes:
-                    - ${PWD}/tor/torrc:/etc/tor/torrc
+                    - ${PWD}/tor/torrc-umbrel:/etc/tor/torrc
                     - ${PWD}/tor/data:/var/lib/tor/
-                    - ${PWD}/tor/run:/var/run/tor/
                 ports:
                   - "127.0.0.1:$TOR_PROXY_PORT:$TOR_PROXY_PORT"
                 networks:
                     default:
                         ipv4_address: $TOR_PROXY_IP
+        app_tor:
+                image: lncm/tor:0.4.5.7@sha256:a83e0d9fd1a35adf025f2f34237ec1810e2a59765988dce1dfb222ca8ef6583c
+                user: toruser
+                restart: on-failure
+                volumes:
+                    - ${PWD}/tor/torrc-apps:/etc/tor/torrc
+                    - ${PWD}/tor/data:/var/lib/tor/
+                networks:
+                    default:
+                        ipv4_address: $APPS_TOR_IP
+        app_2_tor:
+                image: lncm/tor:0.4.5.7@sha256:a83e0d9fd1a35adf025f2f34237ec1810e2a59765988dce1dfb222ca8ef6583c
+                user: toruser
+                restart: on-failure
+                volumes:
+                    - ${PWD}/tor/torrc-apps-2:/etc/tor/torrc
+                    - ${PWD}/tor/data:/var/lib/tor/
+                networks:
+                    default:
+                        ipv4_address: $APPS_2_TOR_IP
         nginx:
                 container_name: nginx
                 image: nginx:1.17.8@sha256:380eb808e2a3b0dd954f92c1cae2f845e6558a15037efefcabc5b4e03d666d03

diff --git a/scripts/configure b/scripts/configure
@@ -71,7 +71,9 @@ echo
 NGINX_CONF_FILE="./templates/nginx.conf"
 BITCOIN_CONF_FILE="./templates/bitcoin.conf"
 LND_CONF_FILE="./templates/lnd.conf"
-TOR_CONF_FILE="./templates/torrc"
+APPS_TOR_CONF_FILE="./templates/torrc-apps"
+APPS_2_TOR_CONF_FILE="./templates/torrc-apps-2"
+UMBREL_TOR_CONF_FILE="./templates/torrc-umbrel"
 ELECTRS_CONF_FILE="./templates/electrs.toml"
 ENV_FILE="./templates/.env"
 
@@ -80,15 +82,19 @@ ENV_FILE="./templates/.env"
 [[ -f "$NGINX_CONF_FILE" ]] && rm -f "$NGINX_CONF_FILE"
 [[ -f "$BITCOIN_CONF_FILE" ]] && rm -f "$BITCOIN_CONF_FILE"
 [[ -f "$LND_CONF_FILE" ]] && rm -f "$LND_CONF_FILE"
-[[ -f "$TOR_CONF_FILE" ]] && rm -f "$TOR_CONF_FILE"
+[[ -f "$APPS_TOR_CONF_FILE" ]] && rm -f "$APPS_TOR_CONF_FILE"
+[[ -f "$APPS_2_TOR_CONF_FILE" ]] && rm -f "$APPS_2_TOR_CONF_FILE"
+[[ -f "$UMBREL_TOR_CONF_FILE" ]] && rm -f "$UMBREL_TOR_CONF_FILE"
 [[ -f "$ELECTRS_CONF_FILE" ]] && rm -f "$ELECTRS_CONF_FILE"
 [[ -f "$ENV_FILE" ]] && rm -f "$ENV_FILE"
 
 # Copy template configs to intermediary configs
 [[ -f "./templates/nginx-sample.conf" ]] && cp "./templates/nginx-sample.conf" "$NGINX_CONF_FILE"
 [[ -f "./templates/bitcoin-sample.conf" ]] && cp "./templates/bitcoin-sample.conf" "$BITCOIN_CONF_FILE"
 [[ -f "./templates/lnd-sample.conf" ]] && cp "./templates/lnd-sample.conf" "$LND_CONF_FILE"
-[[ -f "./templates/torrc-sample" ]] && cp "./templates/torrc-sample" "$TOR_CONF_FILE"
+[[ -f "./templates/torrc-apps-sample" ]] && cp "./templates/torrc-apps-sample" "$APPS_TOR_CONF_FILE"
+[[ -f "./templates/torrc-apps-2-sample" ]] && cp "./templates/torrc-apps-2-sample" "$APPS_2_TOR_CONF_FILE"
+[[ -f "./templates/torrc-umbrel-sample" ]] && cp "./templates/torrc-umbrel-sample" "$UMBREL_TOR_CONF_FILE"
 [[ -f "./templates/electrs-sample.toml" ]] && cp "./templates/electrs-sample.toml" "$ELECTRS_CONF_FILE"
 [[ -f "./templates/.env-sample" ]] && cp "./templates/.env-sample" "$ENV_FILE"
 
@@ -122,6 +128,8 @@ LND_REST_PORT="8080"
 ELECTRUM_IP="10.21.21.10"
 ELECTRUM_PORT="50001"
 TOR_PROXY_IP="10.21.21.11"
+APPS_TOR_IP="10.21.21.47"
+APPS_2_TOR_IP="10.21.21.48"
 TOR_PROXY_PORT="9050"
 
 # Apps
@@ -243,8 +251,8 @@ fi
 # Update RPC, P2P and ZMQ Ports
 sed -i "s/rpcport=<port>/rpcport=$BITCOIN_RPC_PORT/g;" "$BITCOIN_CONF_FILE"
 sed -i "s/port=<port>/port=$BITCOIN_P2P_PORT/g;" "$BITCOIN_CONF_FILE"
-sed -i "s/<bitcoin-rpc-port>/$BITCOIN_RPC_PORT/g;" "$TOR_CONF_FILE"
-sed -i "s/<bitcoin-p2p-port>/$BITCOIN_P2P_PORT/g;" "$TOR_CONF_FILE"
+sed -i "s/<bitcoin-rpc-port>/$BITCOIN_RPC_PORT/g;" "$UMBREL_TOR_CONF_FILE"
+sed -i "s/<bitcoin-p2p-port>/$BITCOIN_P2P_PORT/g;" "$UMBREL_TOR_CONF_FILE"
 sed -i "/daemon_rpc_addr/s/<port>/$BITCOIN_RPC_PORT/g;" "$ELECTRS_CONF_FILE"
 sed -i "s/BITCOIN_RPC_PORT=<port>/BITCOIN_RPC_PORT=$BITCOIN_RPC_PORT/g;" "$ENV_FILE"
 sed -i "s/BITCOIN_P2P_PORT=<port>/BITCOIN_P2P_PORT=$BITCOIN_P2P_PORT/g;" "$ENV_FILE"
@@ -263,7 +271,7 @@ sed -i "s/BITCOIN_RPC_PASS=<password>/BITCOIN_RPC_PASS=$BITCOIN_RPC_PASS/g;" "$E
 sed -i "s/BITCOIN_NETWORK=<network>/BITCOIN_NETWORK=$BITCOIN_NETWORK/g;" "$ENV_FILE"
 
 # Add Tor password
-sed -i "s/HashedControlPassword <password>/HashedControlPassword $TOR_HASHED_PASSWORD/g;" "$TOR_CONF_FILE"
+sed -i "s/HashedControlPassword <password>/HashedControlPassword $TOR_HASHED_PASSWORD/g;" "$UMBREL_TOR_CONF_FILE"
 sed -i "s/torpassword=<password>/torpassword=$TOR_PASSWORD/g;" "$BITCOIN_CONF_FILE"
 sed -i "s/tor.password=<password>/tor.password=$TOR_PASSWORD/g;" "$LND_CONF_FILE"
 sed -i "s/TOR_PASSWORD=<password>/TOR_PASSWORD=$TOR_PASSWORD/g;" "$ENV_FILE"
@@ -292,7 +300,7 @@ if [[ "$BITCOIN_NETWORK" == "mainnet" ]] && [[ ! -f "${STATUS_DIR}/node-status-b
 fi
 
 # TODO: Update all the above code to use this simpler logic
-for template in "${NGINX_CONF_FILE}" "${BITCOIN_CONF_FILE}" "${LND_CONF_FILE}" "${TOR_CONF_FILE}" "${ELECTRS_CONF_FILE}" "${ENV_FILE}"; do
+for template in "${NGINX_CONF_FILE}" "${BITCOIN_CONF_FILE}" "${LND_CONF_FILE}" "${APPS_TOR_CONF_FILE}" "${APPS_2_TOR_CONF_FILE}" "${UMBREL_TOR_CONF_FILE}" "${ELECTRS_CONF_FILE}" "${ENV_FILE}"; do
   # Umbrel
   sed -i "s/<network-ip>/${NETWORK_IP}/g" "${template}"
   sed -i "s/<gateway-ip>/${GATEWAY_IP}/g" "${template}"
@@ -310,6 +318,8 @@ for template in "${NGINX_CONF_FILE}" "${BITCOIN_CONF_FILE}" "${LND_CONF_FILE}" "
   sed -i "s/<electrum-port>/${ELECTRUM_PORT}/g" "${template}"
   sed -i "s/<tor-proxy-ip>/${TOR_PROXY_IP}/g" "${template}"
   sed -i "s/<tor-proxy-port>/${TOR_PROXY_PORT}/g" "${template}"
+  sed -i "s/<apps-tor-ip>/${APPS_TOR_IP}/g" "${template}"
+  sed -i "s/<apps-2-tor-ip>/${APPS_2_TOR_IP}/g" "${template}"
   sed -i "s/<zmq-rawblock-port>/${BITCOIN_ZMQ_RAWBLOCK_PORT}/g;" "${template}"
   sed -i "s/<zmq-rawtx-port>/${BITCOIN_ZMQ_RAWTX_PORT}/g;" "${template}"
   sed -i "s/<zmq-hashblock-port>/${BITCOIN_ZMQ_HASHBLOCK_PORT}/g;" "${template}"
@@ -383,7 +393,9 @@ done
 
 mv -f "$NGINX_CONF_FILE" "./nginx/nginx.conf"
 mv -f "$BITCOIN_CONF_FILE" "./bitcoin/bitcoin.conf"
-mv -f "$TOR_CONF_FILE" "./tor/torrc"
+mv -f "$APPS_TOR_CONF_FILE" "./tor/torrc-apps"
+mv -f "$APPS_2_TOR_CONF_FILE" "./tor/torrc-apps-2"
+mv -f "$UMBREL_TOR_CONF_FILE" "./tor/torrc-umbrel"
 mv -f "$ELECTRS_CONF_FILE" "./electrs/electrs.toml"
 mv -f "$ENV_FILE" "./.env"
 

diff --git a/scripts/update/.updateinclude b/scripts/update/.updateinclude
@@ -1,4 +1,6 @@
 .env
 bitcoin/bitcoin.conf
-tor/torrc
+tor/torrc-apps
+tor/torrc-apps-2
+tor/torrc-umbrel
 electrs/electrs.toml
diff --git a/templates/.env-sample b/templates/.env-sample
@@ -26,6 +26,8 @@ TOR_PROXY_IP=<tor-proxy-ip>
 TOR_PROXY_PORT=<tor-proxy-port>
 TOR_PASSWORD=<password>
 TOR_HASHED_PASSWORD=<password>
+APPS_TOR_IP=<apps-tor-ip>
+APPS_2_TOR_IP=<apps-2-tor-ip>
 DOCKER_BINARY=<path>
 
 # Apps

diff --git a/templates/torrc-apps-2-sample b/templates/torrc-apps-2-sample
@@ -0,0 +1,55 @@
+# Apps 2
+
+# samourai-server dojo Hidden Service
+HiddenServiceDir /var/lib/tor/app-samourai-server-dojo
+HiddenServicePort 80 <app-samourai-server-ip>:80
+
+# samourai-server connect Hidden Service
+HiddenServiceDir /var/lib/tor/app-samourai-server
+HiddenServicePort 80 <app-samourai-server-ip>:8081
+
+# samourai-server whirlpool Hidden Service
+HiddenServiceDir /var/lib/tor/app-samourai-server-whirlpool
+HiddenServicePort 80 <app-samourai-server-whirlpool-ip>:<app-samourai-server-whirlpool-port>
+
+# LndHub Hidden Service
+HiddenServiceDir /var/lib/tor/app-bluewallet
+HiddenServicePort 80 <app-bluewallet-lndhub-ip>:<app-bluewallet-lndhub-port>
+
+# nextcloud Hidden Service
+HiddenServiceDir /var/lib/tor/app-nextcloud
+HiddenServicePort 80 <app-nextcloud-ip>:80
+
+# pi-hole Hidden Service
+HiddenServiceDir /var/lib/tor/app-pi-hole
+HiddenServicePort 80 <app-pi-hole-ip>:80
+
+# home-assistant Hidden Service
+HiddenServiceDir /var/lib/tor/app-home-assistant
+HiddenServicePort 80 <app-home-assistant-ip>:8123
+
+# gitea Hidden Service
+HiddenServiceDir /var/lib/tor/app-gitea
+HiddenServicePort 80 <app-gitea-ip>:<app-gitea-port>
+HiddenServicePort 22 <app-gitea-ip>:<app-gitea-ssh-port>
+
+# simple-torrent Hidden Service
+HiddenServiceDir /var/lib/tor/app-simple-torrent
+HiddenServicePort 80 <app-simple-torrent-ip>:<app-simple-torrent-port>
+
+# synapse Hidden Service
+HiddenServiceDir /var/lib/tor/app-synapse
+HiddenServicePort 80 <app-synapse-ip>:<app-synapse-port>
+HiddenServicePort <app-synapse-port> <app-synapse-ip>:<app-synapse-port>
+
+# element Hidden Service
+HiddenServiceDir /var/lib/tor/app-element
+HiddenServicePort 80 <app-element-ip>:80
+
+# vaultwarden Hidden Service
+HiddenServiceDir /var/lib/tor/app-vaultwarden
+HiddenServicePort 80 <app-vaultwarden-ip>:<app-vaultwarden-port>
+
+# code-server Hidden Service
+HiddenServiceDir /var/lib/tor/app-code-server
+HiddenServicePort 80 <app-code-server-ip>:8080
diff --git a/templates/torrc-apps-sample b/templates/torrc-apps-sample
@@ -0,0 +1,44 @@
+# Apps
+
+# btc-rpc-explorer Hidden Service
+HiddenServiceDir /var/lib/tor/app-btc-rpc-explorer
+HiddenServicePort 80 <app-btc-rpc-explorer-ip>:<app-btc-rpc-explorer-port>
+
+# thunderhub Hidden Service
+HiddenServiceDir /var/lib/tor/app-thunderhub
+HiddenServicePort 80 <app-thunderhub-ip>:<app-thunderhub-port>
+
+# sphinx-relay Hidden Service
+# We expose 80 for the connection string UI and <app-sphinx-relay-port> for the
+# actual server connection
+HiddenServiceDir /var/lib/tor/app-sphinx-relay
+HiddenServicePort 80 <app-sphinx-relay-ip>:<app-sphinx-relay-port>
+HiddenServicePort <app-sphinx-relay-port> <app-sphinx-relay-ip>:<app-sphinx-relay-port>
+
+# ride-the-lightning Hidden Service
+HiddenServiceDir /var/lib/tor/app-ride-the-lightning
+HiddenServicePort 80 <app-ride-the-lightning-ip>:<app-ride-the-lightning-port>
+
+# lightning-terminal Hidden Service
+HiddenServiceDir /var/lib/tor/app-lightning-terminal
+HiddenServicePort 80 <app-lightning-terminal-ip>:<app-lightning-terminal-port>
+
+# specter-desktop Hidden Service
+HiddenServiceDir /var/lib/tor/app-specter-desktop
+HiddenServicePort 80 <app-specter-desktop-ip>:<app-specter-desktop-port>
+
+# btcpay-server Hidden Service
+HiddenServiceDir /var/lib/tor/app-btcpay-server
+HiddenServicePort 80 <app-btcpay-server-ip>:<app-btcpay-server-port>
+
+# lnbits Hidden Service
+HiddenServiceDir /var/lib/tor/app-lnbits
+HiddenServicePort 80 <app-lnbits-ip>:<app-lnbits-port>
+
+# photoprism Hidden Service
+HiddenServiceDir /var/lib/tor/app-photoprism
+HiddenServicePort 80 <app-photoprism-ip>:<app-photoprism-port>
+
+# mempool Hidden Service
+HiddenServiceDir /var/lib/tor/app-mempool
+HiddenServicePort 80 <app-mempool-ip>:<app-mempool-port>
diff --git a/templates/torrc-sample b/templates/torrc-sample