From 576b60874457385c41193ec33a37252833d99712 Mon Sep 17 00:00:00 2001
From: Luke Childs <lukechilds123@gmail.com>
Date: Fri, 20 Aug 2021 18:41:13 +0700
Subject: [PATCH] Shard Tor hidden services across multiple daemons (#920)

---
 docker-compose.yml            |  23 +++++-
 scripts/configure             |  28 +++++--
 scripts/update/.updateinclude |   4 +-
 templates/.env-sample         |   2 +
 templates/torrc-apps-2-sample |  55 ++++++++++++++
 templates/torrc-apps-sample   |  44 +++++++++++
 templates/torrc-sample        | 134 ----------------------------------
 templates/torrc-umbrel-sample |  35 +++++++++
 8 files changed, 180 insertions(+), 145 deletions(-)
 create mode 100644 templates/torrc-apps-2-sample
 create mode 100644 templates/torrc-apps-sample
 delete mode 100644 templates/torrc-sample
 create mode 100644 templates/torrc-umbrel-sample

diff --git a/docker-compose.yml b/docker-compose.yml
index 8b20a18b9..d26bb5412 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,14 +7,33 @@ services:
                 user: toruser
                 restart: on-failure
                 volumes:
-                    - ${PWD}/tor/torrc:/etc/tor/torrc
+                    - ${PWD}/tor/torrc-umbrel:/etc/tor/torrc
                     - ${PWD}/tor/data:/var/lib/tor/
-                    - ${PWD}/tor/run:/var/run/tor/
                 ports:
                   - "127.0.0.1:$TOR_PROXY_PORT:$TOR_PROXY_PORT"
                 networks:
                     default:
                         ipv4_address: $TOR_PROXY_IP
+        app_tor:
+                image: lncm/tor:0.4.5.7@sha256:a83e0d9fd1a35adf025f2f34237ec1810e2a59765988dce1dfb222ca8ef6583c
+                user: toruser
+                restart: on-failure
+                volumes:
+                    - ${PWD}/tor/torrc-apps:/etc/tor/torrc
+                    - ${PWD}/tor/data:/var/lib/tor/
+                networks:
+                    default:
+                        ipv4_address: $APPS_TOR_IP
+        app_2_tor:
+                image: lncm/tor:0.4.5.7@sha256:a83e0d9fd1a35adf025f2f34237ec1810e2a59765988dce1dfb222ca8ef6583c
+                user: toruser
+                restart: on-failure
+                volumes:
+                    - ${PWD}/tor/torrc-apps-2:/etc/tor/torrc
+                    - ${PWD}/tor/data:/var/lib/tor/
+                networks:
+                    default:
+                        ipv4_address: $APPS_2_TOR_IP
         nginx:
                 container_name: nginx
                 image: nginx:1.17.8@sha256:380eb808e2a3b0dd954f92c1cae2f845e6558a15037efefcabc5b4e03d666d03
diff --git a/scripts/configure b/scripts/configure
index 0c8d0957d..fe3a79aff 100755
--- a/scripts/configure
+++ b/scripts/configure
@@ -71,7 +71,9 @@ echo
 NGINX_CONF_FILE="./templates/nginx.conf"
 BITCOIN_CONF_FILE="./templates/bitcoin.conf"
 LND_CONF_FILE="./templates/lnd.conf"
-TOR_CONF_FILE="./templates/torrc"
+APPS_TOR_CONF_FILE="./templates/torrc-apps"
+APPS_2_TOR_CONF_FILE="./templates/torrc-apps-2"
+UMBREL_TOR_CONF_FILE="./templates/torrc-umbrel"
 ELECTRS_CONF_FILE="./templates/electrs.toml"
 ENV_FILE="./templates/.env"
 
@@ -80,7 +82,9 @@ ENV_FILE="./templates/.env"
 [[ -f "$NGINX_CONF_FILE" ]] && rm -f "$NGINX_CONF_FILE"
 [[ -f "$BITCOIN_CONF_FILE" ]] && rm -f "$BITCOIN_CONF_FILE"
 [[ -f "$LND_CONF_FILE" ]] && rm -f "$LND_CONF_FILE"
-[[ -f "$TOR_CONF_FILE" ]] && rm -f "$TOR_CONF_FILE"
+[[ -f "$APPS_TOR_CONF_FILE" ]] && rm -f "$APPS_TOR_CONF_FILE"
+[[ -f "$APPS_2_TOR_CONF_FILE" ]] && rm -f "$APPS_2_TOR_CONF_FILE"
+[[ -f "$UMBREL_TOR_CONF_FILE" ]] && rm -f "$UMBREL_TOR_CONF_FILE"
 [[ -f "$ELECTRS_CONF_FILE" ]] && rm -f "$ELECTRS_CONF_FILE"
 [[ -f "$ENV_FILE" ]] && rm -f "$ENV_FILE"
 
@@ -88,7 +92,9 @@ ENV_FILE="./templates/.env"
 [[ -f "./templates/nginx-sample.conf" ]] && cp "./templates/nginx-sample.conf" "$NGINX_CONF_FILE"
 [[ -f "./templates/bitcoin-sample.conf" ]] && cp "./templates/bitcoin-sample.conf" "$BITCOIN_CONF_FILE"
 [[ -f "./templates/lnd-sample.conf" ]] && cp "./templates/lnd-sample.conf" "$LND_CONF_FILE"
-[[ -f "./templates/torrc-sample" ]] && cp "./templates/torrc-sample" "$TOR_CONF_FILE"
+[[ -f "./templates/torrc-apps-sample" ]] && cp "./templates/torrc-apps-sample" "$APPS_TOR_CONF_FILE"
+[[ -f "./templates/torrc-apps-2-sample" ]] && cp "./templates/torrc-apps-2-sample" "$APPS_2_TOR_CONF_FILE"
+[[ -f "./templates/torrc-umbrel-sample" ]] && cp "./templates/torrc-umbrel-sample" "$UMBREL_TOR_CONF_FILE"
 [[ -f "./templates/electrs-sample.toml" ]] && cp "./templates/electrs-sample.toml" "$ELECTRS_CONF_FILE"
 [[ -f "./templates/.env-sample" ]] && cp "./templates/.env-sample" "$ENV_FILE"
 
@@ -122,6 +128,8 @@ LND_REST_PORT="8080"
 ELECTRUM_IP="10.21.21.10"
 ELECTRUM_PORT="50001"
 TOR_PROXY_IP="10.21.21.11"
+APPS_TOR_IP="10.21.21.47"
+APPS_2_TOR_IP="10.21.21.48"
 TOR_PROXY_PORT="9050"
 
 # Apps
@@ -243,8 +251,8 @@ fi
 # Update RPC, P2P and ZMQ Ports
 sed -i "s/rpcport=<port>/rpcport=$BITCOIN_RPC_PORT/g;" "$BITCOIN_CONF_FILE"
 sed -i "s/port=<port>/port=$BITCOIN_P2P_PORT/g;" "$BITCOIN_CONF_FILE"
-sed -i "s/<bitcoin-rpc-port>/$BITCOIN_RPC_PORT/g;" "$TOR_CONF_FILE"
-sed -i "s/<bitcoin-p2p-port>/$BITCOIN_P2P_PORT/g;" "$TOR_CONF_FILE"
+sed -i "s/<bitcoin-rpc-port>/$BITCOIN_RPC_PORT/g;" "$UMBREL_TOR_CONF_FILE"
+sed -i "s/<bitcoin-p2p-port>/$BITCOIN_P2P_PORT/g;" "$UMBREL_TOR_CONF_FILE"
 sed -i "/daemon_rpc_addr/s/<port>/$BITCOIN_RPC_PORT/g;" "$ELECTRS_CONF_FILE"
 sed -i "s/BITCOIN_RPC_PORT=<port>/BITCOIN_RPC_PORT=$BITCOIN_RPC_PORT/g;" "$ENV_FILE"
 sed -i "s/BITCOIN_P2P_PORT=<port>/BITCOIN_P2P_PORT=$BITCOIN_P2P_PORT/g;" "$ENV_FILE"
@@ -263,7 +271,7 @@ sed -i "s/BITCOIN_RPC_PASS=<password>/BITCOIN_RPC_PASS=$BITCOIN_RPC_PASS/g;" "$E
 sed -i "s/BITCOIN_NETWORK=<network>/BITCOIN_NETWORK=$BITCOIN_NETWORK/g;" "$ENV_FILE"
 
 # Add Tor password
-sed -i "s/HashedControlPassword <password>/HashedControlPassword $TOR_HASHED_PASSWORD/g;" "$TOR_CONF_FILE"
+sed -i "s/HashedControlPassword <password>/HashedControlPassword $TOR_HASHED_PASSWORD/g;" "$UMBREL_TOR_CONF_FILE"
 sed -i "s/torpassword=<password>/torpassword=$TOR_PASSWORD/g;" "$BITCOIN_CONF_FILE"
 sed -i "s/tor.password=<password>/tor.password=$TOR_PASSWORD/g;" "$LND_CONF_FILE"
 sed -i "s/TOR_PASSWORD=<password>/TOR_PASSWORD=$TOR_PASSWORD/g;" "$ENV_FILE"
@@ -292,7 +300,7 @@ if [[ "$BITCOIN_NETWORK" == "mainnet" ]] && [[ ! -f "${STATUS_DIR}/node-status-b
 fi
 
 # TODO: Update all the above code to use this simpler logic
-for template in "${NGINX_CONF_FILE}" "${BITCOIN_CONF_FILE}" "${LND_CONF_FILE}" "${TOR_CONF_FILE}" "${ELECTRS_CONF_FILE}" "${ENV_FILE}"; do
+for template in "${NGINX_CONF_FILE}" "${BITCOIN_CONF_FILE}" "${LND_CONF_FILE}" "${APPS_TOR_CONF_FILE}" "${APPS_2_TOR_CONF_FILE}" "${UMBREL_TOR_CONF_FILE}" "${ELECTRS_CONF_FILE}" "${ENV_FILE}"; do
   # Umbrel
   sed -i "s/<network-ip>/${NETWORK_IP}/g" "${template}"
   sed -i "s/<gateway-ip>/${GATEWAY_IP}/g" "${template}"
@@ -310,6 +318,8 @@ for template in "${NGINX_CONF_FILE}" "${BITCOIN_CONF_FILE}" "${LND_CONF_FILE}" "
   sed -i "s/<electrum-port>/${ELECTRUM_PORT}/g" "${template}"
   sed -i "s/<tor-proxy-ip>/${TOR_PROXY_IP}/g" "${template}"
   sed -i "s/<tor-proxy-port>/${TOR_PROXY_PORT}/g" "${template}"
+  sed -i "s/<apps-tor-ip>/${APPS_TOR_IP}/g" "${template}"
+  sed -i "s/<apps-2-tor-ip>/${APPS_2_TOR_IP}/g" "${template}"
   sed -i "s/<zmq-rawblock-port>/${BITCOIN_ZMQ_RAWBLOCK_PORT}/g;" "${template}"
   sed -i "s/<zmq-rawtx-port>/${BITCOIN_ZMQ_RAWTX_PORT}/g;" "${template}"
   sed -i "s/<zmq-hashblock-port>/${BITCOIN_ZMQ_HASHBLOCK_PORT}/g;" "${template}"
@@ -383,7 +393,9 @@ done
 
 mv -f "$NGINX_CONF_FILE" "./nginx/nginx.conf"
 mv -f "$BITCOIN_CONF_FILE" "./bitcoin/bitcoin.conf"
-mv -f "$TOR_CONF_FILE" "./tor/torrc"
+mv -f "$APPS_TOR_CONF_FILE" "./tor/torrc-apps"
+mv -f "$APPS_2_TOR_CONF_FILE" "./tor/torrc-apps-2"
+mv -f "$UMBREL_TOR_CONF_FILE" "./tor/torrc-umbrel"
 mv -f "$ELECTRS_CONF_FILE" "./electrs/electrs.toml"
 mv -f "$ENV_FILE" "./.env"
 
diff --git a/scripts/update/.updateinclude b/scripts/update/.updateinclude
index 70981eb8b..7aaf1ebaf 100644
--- a/scripts/update/.updateinclude
+++ b/scripts/update/.updateinclude
@@ -1,4 +1,6 @@
 .env
 bitcoin/bitcoin.conf
-tor/torrc
+tor/torrc-apps
+tor/torrc-apps-2
+tor/torrc-umbrel
 electrs/electrs.toml
diff --git a/templates/.env-sample b/templates/.env-sample
index 062307475..b5390884b 100644
--- a/templates/.env-sample
+++ b/templates/.env-sample
@@ -26,6 +26,8 @@ TOR_PROXY_IP=<tor-proxy-ip>
 TOR_PROXY_PORT=<tor-proxy-port>
 TOR_PASSWORD=<password>
 TOR_HASHED_PASSWORD=<password>
+APPS_TOR_IP=<apps-tor-ip>
+APPS_2_TOR_IP=<apps-2-tor-ip>
 DOCKER_BINARY=<path>
 
 # Apps
diff --git a/templates/torrc-apps-2-sample b/templates/torrc-apps-2-sample
new file mode 100644
index 000000000..0181cf226
--- /dev/null
+++ b/templates/torrc-apps-2-sample
@@ -0,0 +1,55 @@
+# Apps 2
+
+# samourai-server dojo Hidden Service
+HiddenServiceDir /var/lib/tor/app-samourai-server-dojo
+HiddenServicePort 80 <app-samourai-server-ip>:80
+
+# samourai-server connect Hidden Service
+HiddenServiceDir /var/lib/tor/app-samourai-server
+HiddenServicePort 80 <app-samourai-server-ip>:8081
+
+# samourai-server whirlpool Hidden Service
+HiddenServiceDir /var/lib/tor/app-samourai-server-whirlpool
+HiddenServicePort 80 <app-samourai-server-whirlpool-ip>:<app-samourai-server-whirlpool-port>
+
+# LndHub Hidden Service
+HiddenServiceDir /var/lib/tor/app-bluewallet
+HiddenServicePort 80 <app-bluewallet-lndhub-ip>:<app-bluewallet-lndhub-port>
+
+# nextcloud Hidden Service
+HiddenServiceDir /var/lib/tor/app-nextcloud
+HiddenServicePort 80 <app-nextcloud-ip>:80
+
+# pi-hole Hidden Service
+HiddenServiceDir /var/lib/tor/app-pi-hole
+HiddenServicePort 80 <app-pi-hole-ip>:80
+
+# home-assistant Hidden Service
+HiddenServiceDir /var/lib/tor/app-home-assistant
+HiddenServicePort 80 <app-home-assistant-ip>:8123
+
+# gitea Hidden Service
+HiddenServiceDir /var/lib/tor/app-gitea
+HiddenServicePort 80 <app-gitea-ip>:<app-gitea-port>
+HiddenServicePort 22 <app-gitea-ip>:<app-gitea-ssh-port>
+
+# simple-torrent Hidden Service
+HiddenServiceDir /var/lib/tor/app-simple-torrent
+HiddenServicePort 80 <app-simple-torrent-ip>:<app-simple-torrent-port>
+
+# synapse Hidden Service
+HiddenServiceDir /var/lib/tor/app-synapse
+HiddenServicePort 80 <app-synapse-ip>:<app-synapse-port>
+HiddenServicePort <app-synapse-port> <app-synapse-ip>:<app-synapse-port>
+
+# element Hidden Service
+HiddenServiceDir /var/lib/tor/app-element
+HiddenServicePort 80 <app-element-ip>:80
+
+# vaultwarden Hidden Service
+HiddenServiceDir /var/lib/tor/app-vaultwarden
+HiddenServicePort 80 <app-vaultwarden-ip>:<app-vaultwarden-port>
+
+# code-server Hidden Service
+HiddenServiceDir /var/lib/tor/app-code-server
+HiddenServicePort 80 <app-code-server-ip>:8080
diff --git a/templates/torrc-apps-sample b/templates/torrc-apps-sample
new file mode 100644
index 000000000..a96c76b99
--- /dev/null
+++ b/templates/torrc-apps-sample
@@ -0,0 +1,44 @@
+# Apps
+
+# btc-rpc-explorer Hidden Service
+HiddenServiceDir /var/lib/tor/app-btc-rpc-explorer
+HiddenServicePort 80 <app-btc-rpc-explorer-ip>:<app-btc-rpc-explorer-port>
+
+# thunderhub Hidden Service
+HiddenServiceDir /var/lib/tor/app-thunderhub
+HiddenServicePort 80 <app-thunderhub-ip>:<app-thunderhub-port>
+
+# sphinx-relay Hidden Service
+# We expose 80 for the connection string UI and <app-sphinx-relay-port> for the
+# actual server connection
+HiddenServiceDir /var/lib/tor/app-sphinx-relay
+HiddenServicePort 80 <app-sphinx-relay-ip>:<app-sphinx-relay-port>
+HiddenServicePort <app-sphinx-relay-port> <app-sphinx-relay-ip>:<app-sphinx-relay-port>
+
+# ride-the-lightning Hidden Service
+HiddenServiceDir /var/lib/tor/app-ride-the-lightning
+HiddenServicePort 80 <app-ride-the-lightning-ip>:<app-ride-the-lightning-port>
+
+# lightning-terminal Hidden Service
+HiddenServiceDir /var/lib/tor/app-lightning-terminal
+HiddenServicePort 80 <app-lightning-terminal-ip>:<app-lightning-terminal-port>
+
+# specter-desktop Hidden Service
+HiddenServiceDir /var/lib/tor/app-specter-desktop
+HiddenServicePort 80 <app-specter-desktop-ip>:<app-specter-desktop-port>
+
+# btcpay-server Hidden Service
+HiddenServiceDir /var/lib/tor/app-btcpay-server
+HiddenServicePort 80 <app-btcpay-server-ip>:<app-btcpay-server-port>
+
+# lnbits Hidden Service
+HiddenServiceDir /var/lib/tor/app-lnbits
+HiddenServicePort 80 <app-lnbits-ip>:<app-lnbits-port>
+
+# photoprism Hidden Service
+HiddenServiceDir /var/lib/tor/app-photoprism
+HiddenServicePort 80 <app-photoprism-ip>:<app-photoprism-port>
+
+# mempool Hidden Service
+HiddenServiceDir /var/lib/tor/app-mempool
+HiddenServicePort 80 <app-mempool-ip>:<app-mempool-port>
diff --git a/templates/torrc-sample b/templates/torrc-sample
deleted file mode 100644
index 1b841d347..000000000
--- a/templates/torrc-sample
+++ /dev/null
@@ -1,134 +0,0 @@
-# Warning: it's not recommended to modify these files directly. Any
-# modifications you make can break the functionality of your umbrel. These files
-# are automatically reset with every Umbrel update.
-
-# Bind only to "<tor-proxy-ip>" which is the tor IP within the container
-SocksPort   <tor-proxy-ip>:<tor-proxy-port>
-ControlPort <tor-proxy-ip>:29051
-
-# Umbrel
-
-# Dashboard Hidden Service
-HiddenServiceDir /var/lib/tor/web
-HiddenServicePort 80 <nginx-ip>:80
-
-# Bitcoin Core P2P Hidden Service
-HiddenServiceDir /var/lib/tor/bitcoin-p2p
-HiddenServicePort <bitcoin-p2p-port> <bitcoin-ip>:<bitcoin-p2p-port>
-
-# Bitcoin Core RPC Hidden Service
-HiddenServiceDir /var/lib/tor/bitcoin-rpc
-HiddenServicePort <bitcoin-rpc-port> <bitcoin-ip>:<bitcoin-rpc-port>
-
-# Electrum Hidden Service
-HiddenServiceDir /var/lib/tor/electrum
-HiddenServicePort <electrum-port> <electrum-ip>:<electrum-port>
-
-# LND REST Hidden Service
-HiddenServiceDir /var/lib/tor/lnd-rest
-HiddenServicePort <lnd-rest-port> <lnd-ip>:<lnd-rest-port>
-
-# LND gRPC Hidden Service
-HiddenServiceDir /var/lib/tor/lnd-grpc
-HiddenServicePort <lnd-grpc-port> <lnd-ip>:<lnd-grpc-port>
-
-# Apps
-
-# btc-rpc-explorer Hidden Service
-HiddenServiceDir /var/lib/tor/app-btc-rpc-explorer
-HiddenServicePort 80 <app-btc-rpc-explorer-ip>:<app-btc-rpc-explorer-port>
-
-# thunderhub Hidden Service
-HiddenServiceDir /var/lib/tor/app-thunderhub
-HiddenServicePort 80 <app-thunderhub-ip>:<app-thunderhub-port>
-
-# sphinx-relay Hidden Service
-# We expose 80 for the connection string UI and <app-sphinx-relay-port> for the
-# actual server connection
-HiddenServiceDir /var/lib/tor/app-sphinx-relay
-HiddenServicePort 80 <app-sphinx-relay-ip>:<app-sphinx-relay-port>
-HiddenServicePort <app-sphinx-relay-port> <app-sphinx-relay-ip>:<app-sphinx-relay-port>
-
-# ride-the-lightning Hidden Service
-HiddenServiceDir /var/lib/tor/app-ride-the-lightning
-HiddenServicePort 80 <app-ride-the-lightning-ip>:<app-ride-the-lightning-port>
-
-# lightning-terminal Hidden Service
-HiddenServiceDir /var/lib/tor/app-lightning-terminal
-HiddenServicePort 80 <app-lightning-terminal-ip>:<app-lightning-terminal-port>
-
-# specter-desktop Hidden Service
-HiddenServiceDir /var/lib/tor/app-specter-desktop
-HiddenServicePort 80 <app-specter-desktop-ip>:<app-specter-desktop-port>
-
-# btcpay-server Hidden Service
-HiddenServiceDir /var/lib/tor/app-btcpay-server
-HiddenServicePort 80 <app-btcpay-server-ip>:<app-btcpay-server-port>
-
-# lnbits Hidden Service
-HiddenServiceDir /var/lib/tor/app-lnbits
-HiddenServicePort 80 <app-lnbits-ip>:<app-lnbits-port>
-
-# photoprism Hidden Service
-HiddenServiceDir /var/lib/tor/app-photoprism
-HiddenServicePort 80 <app-photoprism-ip>:<app-photoprism-port>
-
-# mempool Hidden Service
-HiddenServiceDir /var/lib/tor/app-mempool
-HiddenServicePort 80 <app-mempool-ip>:<app-mempool-port>
-
-# samourai-server dojo Hidden Service
-HiddenServiceDir /var/lib/tor/app-samourai-server-dojo
-HiddenServicePort 80 <app-samourai-server-ip>:80
-
-# samourai-server connect Hidden Service
-HiddenServiceDir /var/lib/tor/app-samourai-server
-HiddenServicePort 80 <app-samourai-server-ip>:8081
-
-# samourai-server whirlpool Hidden Service
-HiddenServiceDir /var/lib/tor/app-samourai-server-whirlpool
-HiddenServicePort 80 <app-samourai-server-whirlpool-ip>:<app-samourai-server-whirlpool-port>
-
-# LndHub Hidden Service
-HiddenServiceDir /var/lib/tor/app-bluewallet
-HiddenServicePort 80 <app-bluewallet-lndhub-ip>:<app-bluewallet-lndhub-port>
-
-# nextcloud Hidden Service
-HiddenServiceDir /var/lib/tor/app-nextcloud
-HiddenServicePort 80 <app-nextcloud-ip>:80
-
-# pi-hole Hidden Service
-HiddenServiceDir /var/lib/tor/app-pi-hole
-HiddenServicePort 80 <app-pi-hole-ip>:80
-
-# home-assistant Hidden Service
-HiddenServiceDir /var/lib/tor/app-home-assistant
-HiddenServicePort 80 <app-home-assistant-ip>:8123
-
-# gitea Hidden Service
-HiddenServiceDir /var/lib/tor/app-gitea
-HiddenServicePort 80 <app-gitea-ip>:<app-gitea-port>
-HiddenServicePort 22 <app-gitea-ip>:<app-gitea-ssh-port>
-
-# simple-torrent Hidden Service
-HiddenServiceDir /var/lib/tor/app-simple-torrent
-HiddenServicePort 80 <app-simple-torrent-ip>:<app-simple-torrent-port>
-
-# synapse Hidden Service
-HiddenServiceDir /var/lib/tor/app-synapse
-HiddenServicePort 80 <app-synapse-ip>:<app-synapse-port>
-HiddenServicePort <app-synapse-port> <app-synapse-ip>:<app-synapse-port>
-
-# element Hidden Service
-HiddenServiceDir /var/lib/tor/app-element
-HiddenServicePort 80 <app-element-ip>:80
-
-# vaultwarden Hidden Service
-HiddenServiceDir /var/lib/tor/app-vaultwarden
-HiddenServicePort 80 <app-vaultwarden-ip>:<app-vaultwarden-port>
-
-# code-server Hidden Service
-HiddenServiceDir /var/lib/tor/app-code-server
-HiddenServicePort 80 <app-code-server-ip>:8080
-
-HashedControlPassword <password>
diff --git a/templates/torrc-umbrel-sample b/templates/torrc-umbrel-sample
new file mode 100644
index 000000000..a339fd4ca
--- /dev/null
+++ b/templates/torrc-umbrel-sample
@@ -0,0 +1,35 @@
+# Warning: it's not recommended to modify these files directly. Any
+# modifications you make can break the functionality of your umbrel. These files
+# are automatically reset with every Umbrel update.
+
+# Bind only to "<tor-proxy-ip>" which is the tor IP within the container
+SocksPort   <tor-proxy-ip>:<tor-proxy-port>
+ControlPort <tor-proxy-ip>:29051
+
+# Umbrel
+
+# Dashboard Hidden Service
+HiddenServiceDir /var/lib/tor/web
+HiddenServicePort 80 <nginx-ip>:80
+
+# Bitcoin Core P2P Hidden Service
+HiddenServiceDir /var/lib/tor/bitcoin-p2p
+HiddenServicePort <bitcoin-p2p-port> <bitcoin-ip>:<bitcoin-p2p-port>
+
+# Bitcoin Core RPC Hidden Service
+HiddenServiceDir /var/lib/tor/bitcoin-rpc
+HiddenServicePort <bitcoin-rpc-port> <bitcoin-ip>:<bitcoin-rpc-port>
+
+# Electrum Hidden Service
+HiddenServiceDir /var/lib/tor/electrum
+HiddenServicePort <electrum-port> <electrum-ip>:<electrum-port>
+
+# LND REST Hidden Service
+HiddenServiceDir /var/lib/tor/lnd-rest
+HiddenServicePort <lnd-rest-port> <lnd-ip>:<lnd-rest-port>
+
+# LND gRPC Hidden Service
+HiddenServiceDir /var/lib/tor/lnd-grpc
+HiddenServicePort <lnd-grpc-port> <lnd-ip>:<lnd-grpc-port>
+
+HashedControlPassword <password>