onionservice-cli

#!/usr/bin/env sh

## This file is part of OnionService, an easy to use Tor hidden services manager.
##
## Copyright (C) 2021 OnionService developers (GPLv3)
## Github:  https://github.com/nyxnor/onionservice
##
## This program is free software: you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation, either version 3 of the License, or
## (at your option) any later version.
##
## This program is distributed in the hope that it is useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with this program. If not, see <http://www.gnu.org/licenses/>.
##
## DESCRIPTION
## This file lets you manage your hidden services to all its capability
##
## SYNTAX
## sh onionservice-cli COMMAND [REQ_OPTION] <OPTIONAL>
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands.

[ -n "${ONIONSERVICE_PWD}" ] || { printf "\033[1;31mERROR: \${ONIONSERVICE_PWD} needs to be exported first!\033[0m\nRun: ./setup.sh\n"; exit 1; }
. "${ONIONSERVICE_PWD}"/.onionrc

## COMMAND INFO
usage(){
  ASCII="${ONIONSERVICE_PWD}/images/onion-ascii-closed.txt"
  if [ -f "${ASCII}" ]; then
    ASCII="$(while IFS= read -r line || [ -n "$line" ]; do printf '%s\n' "$line"; done < "${ASCII}")"
    printf %s"${FOREGROUND_MAGENTA} ${ASCII} ${UNSET_FORMAT}\n\n"
  fi

  printf "Configure an Onion Service
\nUsage: %s${0##*/} COMMAND [REQUIRED] <OPTIONAL>
\nOptions:
\n  setup torrc                                                                        restore latest torrc
\n  on tcp [VERSION] [SERV] [VIRTPORT] <TARGET> <VIRTPORT2> <TARGET2>                  enable a service targeting tcp socket
\n  on unix [VERSION] [SERV] [VIRTPORT] <VIRTPORT2>                                    enable a service targeting unix socket
\n  off [SERV1,SERV2,...] <purge>                                                      disable a service and optionally purge its directory
\n  list [all-services|SERV1,SERV2,...] <no-qr>                                        see credentials from indicated services
\n  renew [all-services|SERV1,SERV2,...]                                               renew indicated|all services addresses
\n  auth server on [SERV] [CLIENT] <CLIENT_PUB_KEY>                                    when auth content is especified, use the public key given by the client
\n  auth server on [all-services|SERV1,SERV2,...] [CLIENT1,CLIENT2,...]                add authorization of client access
\n  auth server off [all-services|SERV1,SERV2,...] [all-clients|CLIENT1,CLIENT2,...]   remove authorization of client access
\n  auth server list [all-services|SERV1,SERV2,...]                                    list clients for indicated service
\n  auth client on [ONION] <CLIENT_PRIV_KEY>                                           add your client key, if no key specified, will create one
\n  auth client off [ONION1,ONION2,...]                                                remote your client key
\n  auth client list                                                                   list your keys as a client
\n  web on [SERV] [FOLDER]                                                             start serving a website for certain service and its folder
\n  web off [SERV]                                                                     stop serving a website for certain service and its folder
\n  web list                                                                           list enabled websites
\n  location [nginx|apache|html] [SERV]                                                onion-location guide, no execution
\n  backup [create|integrate]                                                          create backup or import backup and integrate the files
\n  restore torrc                                                                      restore latest torrc backup
\n  vanguards [install|logs|upgrade|remove]                                            install, upgrade, remove or see logs for vanguards addon
\n  [-h|-help|--help|help]                                                             display this help message
\n\n'# Done': You should always see it at the end, else something unexpected occured.
It does not imply the code worked, you should always pay attention for errors in the logs.
If your services are unreacheable, restart tor.
\nReport bugs to: https://github.com/nyxnor/onionservice/issues\n"
  exit 1
}


#[ "${USER}" = "root" ]
[ "$(id -u)" -eq 0 ] && { printf %s"${FOREGROUND_RED}Do not run with the root user!!!\n${UNSET_FORMAT}" && exit 1; }


## display error message with instructions to use the script correctly.
error_msg(){
  [ -n "${1}" ] && printf %s"${FOREGROUND_RED}ERROR: ${1}${UNSET_FORMAT}\n"
  exit 1
  #usage
}


## check if variable is integer
is_integer(){ printf %d "${1}" >/dev/null 2>&1 || error_msg "Not an integer: ${1}" ; }


## checks if the TARGET is valid.
## Address range from 0.0.0.0 to 255.255.255.255. Port ranges from 0 to 65535
## accept localhos:port if port is valid.
## this is not perfect but it is better than nothing
is_addr_port(){
  ADDR_PORT=${1}
  PORT=${ADDR_PORT##*:}
  ADDR=${ADDR_PORT%%:*}
  ADDR_1=${ADDR%%.*}
  ADDR_MID=${ADDR##*${ADDR_1}.}
  ADDR_2=${ADDR_MID%%.*}
  ADDR_4=${ADDR_MID##*.}
  ADDR_MID=${ADDR_MID##*${ADDR_2}.}
  ADDR_3=${ADDR_MID%%.*}

  is_integer "${PORT}"; is_integer "${ADDR_1}"; is_integer "${ADDR_2}"; is_integer "${ADDR_3}"; is_integer "${ADDR_4}"

  { [ "${PORT}" -gt 0 ] && [ "${PORT}" -le 65535 ] ; } \
  || error_msg "PORT is not within range: 0 < PORT <= 65535: ${PORT}"

  { { [ "${ADDR_1}" -ge 0 ] && [ "${ADDR_1}" -le 255 ] ; } \
  && { [ "${ADDR_2}" -ge 0 ] && [ "${ADDR_2}" -le 255 ] ; } \
  && { [ "${ADDR_3}" -ge 0 ] && [ "${ADDR_3}" -le 255 ] ; } \
  && { [ "${ADDR_4}" -ge 0 ] && [ "${ADDR_4}" -le 255 ] ; } ; } \
  || error_msg "TARGET address is not within range: 0.0.0.0 to 255.255.255.255: ${ADDR}"
}


## test if service exists to continue the script or output error logs.
## if the service exists, will save the hostname for when requested.
test_service_exists(){
  SERVICE="${1}"
  ONION_HOSTNAME=$(sudo -u "${TOR_USER}" grep -s ".onion" "${DATA_DIR_SERVICES}"/"${SERVICE}"/hostname)
  [ -z "${ONION_HOSTNAME}" ] && { printf %s"${FOREGROUND_RED}ERROR: Service does not exist: ${SERVICE}\n${UNSET_FORMAT}"; exit 1; }
}


## save the clients names that are inside the <HiddenServiceDir>/authorized_clients/ in list format (CLIENT1,CLIENT2,...)
create_client_list(){
  SERVICE="${1}"
  CLIENT_NAME_LIST="$(printf %s"$(sudo -u "${TOR_USER}" ls "${DATA_DIR_SERVICES}"/"${SERVICE}"/authorized_clients/)" | sed "s/\.auth//g" | tr "\n" ",")"
  CLIENT_COUNT="$(printf %s"${CLIENT_NAME_LIST}" | tr -dc "," | wc -c)"
  CLIENT_COUNT=$((CLIENT_COUNT+1))
}


## save the service names that have a <HiddenServiceDir> in list format (SERV1,SERV2,...)
create_service_list(){ SERVICE_NAME_LIST=$(sudo -u "${TOR_USER}" ls "${DATA_DIR_SERVICES}"/ | tr " " ","); }


## loops the parameters
## $1 must be the function to loop
## $2 normally is service, but can be any other parameter (accepts list -> serv1,serv2,...)
## $3 normally is client, but can be any other (accepts list -> client1,client2...)
loop_list(){
  for ITEM in $(printf %s"${2}" | tr "," " "); do
    [ -z "${3}" ] && "${1}" "${ITEM}"
    [ -z "${3}" ] || for SUBITEM in $(printf %s"${3}" | tr "," " "); do "${1}" "${ITEM}" "${SUBITEM}"; done
  done
}


###########################
########## MAIN ###########
sudo sed -i'' 's/\/$//' "${TORRC}" ## no config should end with '/' to find exact match.

COMMAND="${1}"
case "${COMMAND}" in

  ## disabled the service wrongly and don't remember the ports? no worries, will restore the latest torrc.bak
  ## beaware this only works for the torrc, if you deleted your data directory with command "off" and "purge" option, the keys will not be restored, insteadm new ones will be created
  restore|RESTORE)
    ACTION="${2}"; [ -z "${ACTION}" ] && error_msg "ACTION is missing"
    case "${ACTION}" in

      torrc|TORRC)
        ## separate HiddenService liens to the end of the torrc
        printf '\n%s\n\n' "$(sudo sed -n "/HiddenServiceDir/,/^\s*$/{p}" "${TORRC}".bak)" | sudo tee "${TORRC}".tmp >/dev/null
        sudo sed "/HiddenServiceDir/,/^\s*$/{d}" "${TORRC}" | sudo tee "${TORRC}".mod >/dev/null
        sudo cat -s "${TORRC}".mod "${TORRC}".tmp | sudo tee "${TORRC}" >/dev/null
        printf "# Restored torrc with its latest backup\n"
        restarting_tor
        printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
      ;;

      *)
        error_msg "Invalid ${COMMAND} argument: ${ACTION}"
      ;;
    esac
  ;;


  ## disable a service by removing service torrc's block.
  ## it is raw, services variables should be separated by an empty line per service, else you might get other non-related configuration deleted.
  ## purge is optional, it deletes the <HiddenServiceDir>
  ## will not check if folder or configuration exist, this is cleanup mode
  ## will not use 'all-services'. Purge is dangerous, purging all service is even more dangerous. Always backup.
  off|OFF)
    SERVICE="${2}"; [ -z "${SERVICE}" ] && error_msg "SERVICE is missing"
    PURGE="${3}" ## optional
    delete_service(){
      SERVICE="${1}"
      PURGE="${2}"
      ## remove service service data
      if [ "${PURGE}" = "purge" ] || [ "${PURGE}" = "PURGE" ]; then
        printf %s"${FOREGROUND_RED}\n# Deleted Hidden Service data in ${DATA_DIR_SERVICES}/${SERVICE}\n${UNSET_FORMAT}"
        sudo rm -rfv "${DATA_DIR_SERVICES}"/"${SERVICE}"
      else
        printf "\n# HiddenServiceDiretory was kept\n"
      fi
      sudo cp "${TORRC}" "${TORRC}".bak
      ## remove service paragraph in torrc
      printf %s"# Deleted Hidden Service configuration in ${TORRC}\n"
      sudo sed -i'' "/HiddenServiceDir .*\/${SERVICE}$/,/^\s*$/{d}" "${TORRC}"
      ## substitute multiple sequential empty lines to a single one per sequence
      sudo cat -s "${TORRC}" | sudo tee "${TORRC}".tmp >/dev/null && sudo mv "${TORRC}".tmp "${TORRC}"
      printf %s"# Disabled service: ${SERVICE}\n\n"
    }
    loop_list delete_service "${SERVICE}" "${PURGE}"
    restarting_tor
    printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
  ;;


  ## enable a service by configure its own torrc's block, consequentially the <HiddenServiceDir> will be created.
  ## tcp-socket uses addr:port, which can be remote or localhost. It leaks onion address to the local network
  ## unix-socket uses unix:path, which is create a unique name for it. It does not leak onion address to the local network.
  ## VIRTPORT is the port to be used by the client when visiting the service.
  ## TARGET is where the incoming traffic from VIRTPORT gets redirected. This option is abscent on unix-socket because the script completes it.
  ##  if TARGET is not specified, will use the same port from VIRTPORT and bind to localhost.
  ##  if TARGET only contains the port number and not the address, will bind to localhost.
  ## VIRTPORT2 and TARGET 2 are optional
  on|ON)
    SOCKET="${2}"; [ -z "${SOCKET}" ] && error_msg "SOCKET is missing"
    VERSION="${3}"; [ -z "${VERSION}" ] && error_msg "VERSION is missing"
    SERVICE="${4}"; [ -z "${SERVICE}" ] && error_msg "SERVICE is missing"
    [ "${VERSION}" != "3" ] && error_msg "VERSION is not available" ## wait for v4 to change this

    finish_service_activation(){
      ## remove double empty lines
      sudo cat -s "${TORRC}" | sudo tee "${TORRC}".tmp >/dev/null && sudo mv "${TORRC}".tmp "${TORRC}"
      restarting_tor

      ## show the Hidden Service address
      test_service_exists "${SERVICE}"
      printf "\n# Hidden Service information:\n"
      qrencode -m 2 -t ANSIUTF8 "${ONION_HOSTNAME}"
      printf %s"Service name    = ${SERVICE}\n"
      printf %s"Service address = ${ONION_HOSTNAME}\n"
      printf %s"Virtual port    = ${VIRTPORT}\n"
      [ -n "${VIRTPORT2}" ] && printf %s"Virtual port    = ${VIRTPORT2}\n"
      printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
    }

    case "${SOCKET}" in

      tcp|TCP)
        ## tor-manual: By default, this option maps the virtual port to the same port on 127.0.0.1 over TCP
        ## Because of that, this project lets the user leave TARGET="" and write TARGET as 127.0.0.1:VIRTPORT
        ## Also, substitutes localhost:PORT for 127.0.0.1:PORT
        ## This measures avoid using the same local port for different services
        ## grep torrc TARGET to see if port is already in use and by which service, reading the file in reverse
        ## Required
        VIRTPORT="${5}"; [ -z "${VIRTPORT}" ] && error_msg "VIRTPORT is missing"
        TARGET="${6}" ## optional, if null then map to 127.0.0.1:VIRTPORT
        TARGET=${TARGET:-127.0.0.1:${VIRTPORT}}
        TARGET_ADDR=${TARGET%%:*}
        TARGET_PORT=${TARGET##*:}
        { [ "${TARGET_ADDR}" = "${TARGET_PORT}" ] || [ "${TARGET_ADDR}" = "localhost" ]; } && TARGET="127.0.0.1:${TARGET_PORT}"
        TARGET_ALREADY_INSERTED_BLOCK=$(sudo tac "${TORRC}" | sudo sed -n "/^HiddenServicePort .*${TARGET}$/,/^\s*$/{p}" | grep "^HiddenServiceDir")
        TARGET_ALREADY_INSERTED_SERVICE=${TARGET_ALREADY_INSERTED_BLOCK##*/}
        sudo grep -q "^HiddenServicePort .* ${TARGET}$" "${TORRC}" && error_msg "TARGET=${TARGET} is being used by the service: ${TARGET_ALREADY_INSERTED_SERVICE}\nINFO: Choose another port or disable the service that is using the wanted port"
        is_integer "${VIRTPORT}"; is_addr_port "${TARGET}" "TARGET"
        ## Optional
        VIRTPORT2="${7}"
        TARGET2="${8}"
        if [ -n "${VIRTPORT2}" ]; then
          TARGET2=${TARGET2:-127.0.0.1:${VIRTPORT2}}
          TARGET2_ADDR=${TARGET2%%:*}
          TARGET2_PORT=${TARGET2##*:}
          { [ "${TARGET2_ADDR}" = "${TARGET2_PORT}" ] || [ "${TARGET2_ADDR}" = "localhost" ]; } && TARGET2="127.0.0.1:${TARGET2_PORT}"
          [ "${TARGET}" = "${TARGET2}" ] && error_msg "TARGET is the same as TARGET2"
          TARGET2_ALREADY_INSERTED_BLOCK=$(sudo tac "${TORRC}" | sudo sed -n "/^HiddenServicePort .*${TARGET2}$/,/^\s*$/{p}" | grep "^HiddenServiceDir")
          TARGET2_ALREADY_INSERTED_SERVICE=${TARGET2_ALREADY_INSERTED_BLOCK##*/}
          sudo grep -q "^HiddenServicePort .* ${TARGET2}$" "${TORRC}" && error_msg "TARGET2=${TARGET2} is being used by the service: ${TARGET2_ALREADY_INSERTED_SERVICE}"
          is_integer "${VIRTPORT2}"; is_addr_port "${TARGET2}" "TARGET2"
        fi
        sudo cp "${TORRC}" "${TORRC}".bak
        ## delete any old entry for that servive
        sudo sed -i'' "/HiddenServiceDir .*\/${SERVICE}$/,/^\s*$/{d}" "${TORRC}"
        ## add configuration block, empty line after and before it
        printf %s"\n# Including Hidden Service configuration in ${TORRC}\n"
        [ -n "${VIRTPORT2}" ] && printf %s"\nHiddenServiceDir ${DATA_DIR_SERVICES}/${SERVICE}\nHiddenServiceVersion ${VERSION}\nHiddenServicePort ${VIRTPORT} ${TARGET}\nHiddenServicePort ${VIRTPORT2} ${TARGET2}\n\n" | sudo tee -a "${TORRC}"
        [ -n "${VIRTPORT2}" ] || printf %s"\nHiddenServiceDir ${DATA_DIR_SERVICES}/${SERVICE}\nHiddenServiceVersion ${VERSION}\nHiddenServicePort ${VIRTPORT} ${TARGET}\n\n" | sudo tee -a "${TORRC}"
        finish_service_activation
      ;;

      unix|UNIX)
        VIRTPORT="${5}"; [ -z "${VIRTPORT}" ] && error_msg "VIRTPORT is missing"
        VIRTPORT2="${6}"; [ -n "${VIRTPORT2}" ] && is_integer "${VIRTPORT2}" ## var not mandatory
        is_integer "${VIRTPORT}"
        sudo cp "${TORRC}" "${TORRC}".bak
        ## delete any old entry for that servive
        sudo sed -i'' "/HiddenServiceDir .*\/${SERVICE}$/,/^\s*$/{d}" "${TORRC}"
        ## add configuration block, empty line after and before it
        printf %s"\n# Including Hidden Service configuration in ${TORRC}\n"
        UNIX_PATH="unix:/var/run/${SERVICE}-onion"
        SOCK_FILE="${UNIX_PATH}-${VIRTPORT}.sock"
        SOCK2_FILE="${UNIX_PATH}-${VIRTPORT2}.sock"
        [ -n "${VIRTPORT2}" ] && printf %s"\nHiddenServiceDir ${DATA_DIR_SERVICES}/${SERVICE}\nHiddenServiceVersion ${VERSION}\nHiddenServicePort ${VIRTPORT} ${SOCK_FILE}\nHiddenServicePort ${VIRTPORT2} ${SOCK2_FILE}\n\n" | sudo tee -a "${TORRC}"
        [ -n "${VIRTPORT2}" ] || printf %s"\nHiddenServiceDir ${DATA_DIR_SERVICES}/${SERVICE}\nHiddenServiceVersion ${VERSION}\nHiddenServicePort ${VIRTPORT} ${SOCK_FILE}\n\n" | sudo tee -a "${TORRC}"
        finish_service_activation
      ;;

      *)
        error_msg "Invalid '${COMMAND}' argument: SOCKET=${SOCKET}"
    esac
  ;;


  ## manage client authorization server side (HiddenServiceDir/authorized_clients/) or client side (ClientOnionAuthDir)
  auth|AUTH)
    HOST="${2}"; [ -z "${HOST}" ] && error_msg "HOST is missing"
    STATUS="${3}"; [ -z "${STATUS}" ] && error_msg "STATUS is missing"
    case "${HOST}" in

      server|SERVER)
        is_service_dir_empty
        SERVICE="${4}"
        CLIENT="${5}"
        [ -z "${SERVICE}" ] && error_msg "SERVICE is missing"
        case "${STATUS}" in

          ## as the onion service operator, make your onion authenticated by generating a pair or public and private keys,
          ## the client pub key is automatically saved inside <HiddenServiceDir>/authorized_clients/alice.auth
          ## the client private key is shown in the screen and the key file deleted
          ## the onion service operator should send the private key for the desired client
          on|ON)
            #printf "\n# Generating keys to access onion service (Client Authorization) ...\n"
            auth_server_add(){
              SERVICE="${1}"
              CLIENT="${2}"
              test_service_exists "${SERVICE}"
              ## Generate pem and derive pub and priv keys
              openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem
              grep -v " PRIVATE KEY" /tmp/k1.prv.pem | base64pem -d | tail --bytes=32 | base32 | sed "s/=//g" > /tmp/k1.prv.key
              openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed "s/=//g" > /tmp/k1.pub.key
              ## save variables
              CLIENT_PUB_KEY=$(cat /tmp/k1.pub.key)
              CLIENT_PRIV_KEY=$(cat /tmp/k1.prv.key)
              ONION_HOSTNAME_WITHOUT_ONION=${ONION_HOSTNAME%.onion}
              CLIENT_PRIV_KEY_CONFIG="${ONION_HOSTNAME_WITHOUT_ONION}:descriptor:x25519:${CLIENT_PRIV_KEY}"
              CLIENT_PUB_KEY_CONFIG="descriptor:x25519:${CLIENT_PUB_KEY}"
              # Server side configuration
              printf %s"${CLIENT_PUB_KEY_CONFIG}\n" | sudo tee "${DATA_DIR_SERVICES}"/"${SERVICE}"/authorized_clients/"${CLIENT}".auth >/dev/null
              ## Client side configuration
              printf ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
              printf "# Declare the variables\n"
              printf %s"SERVICE=${SERVICE}\n"
              printf %s"CLIENT=${CLIENT}\n"
              printf %s"ONION_HOSTNAME=${ONION_HOSTNAME}\n"
              printf %s"CLIENT_PUB_KEY=${CLIENT_PUB_KEY}\n"
              printf %s"CLIENT_PUB_KEY_CONFIG=${CLIENT_PUB_KEY_CONFIG}\n"
              printf %s"CLIENT_PRIV_KEY=${CLIENT_PRIV_KEY}\n"
              printf %s"CLIENT_PRIV_KEY_CONFIG=${CLIENT_PRIV_KEY_CONFIG}\n"
              printf ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n\n"
              ## Delete pem and keys
              sudo rm -f /tmp/k1.pub.key /tmp/k1.prv.key /tmp/k1.prv.pem
            }
            instructions_auth(){
              printf ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
              printf "# Send these instructions to the client:\n"
              printf "\n"
              printf "# Check if <ClientOnionAuthDir> was configured in the <torrc>, if it was not, insert it: ClientOnionAuthDir /var/lib/tor/onion_auth\n"
              printf " [ \$(grep -c 'ClientOnionAuthDir' /etc/tor/torrc) -eq 0 ] && { printf 'ClientOnionAuthDir /var/lib/tor/onion_auth' | sudo tee -a /etc/tor/torrc ; }\n"
              printf "\n"
              printf "# Create a file with the suffix '.auth_private' inside <ClientOnionAuthDir>\n"
              printf " printf '\${CLIENT_PRIV_KEY_CONFIG}' | sudo tee /var/lib/tor/onion_auth/\${SERVICE}-\${ONION_HOSTNAME}.auth_private\n"
              printf "\n"
              printf "# Reload tor\n"
              printf " sudo chown -R debian-tor:debian-tor /var/lib/tor\n"
              printf " sudo systemctl reload-or-restart tor\n"
              printf ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
            }
            [ -z "${SERVICE}" ] && error_msg "SERVICE is missing"
            [ "${SERVICE}" = "all-services" ] && { create_service_list ; SERVICE="${SERVICE_NAME_LIST}" ; }
            [ "${CLIENT}" = "all-clients" ] && error_msg "Client name cannot be equal to: all-clients"
            CLIENT_PUB_KEY="${6}"
            if [ "${CLIENT_PUB_KEY}" != "" ]; then
              test_service_exists "${SERVICE}"
              ONION_HOSTNAME_WITHOUT_ONION=${ONION_HOSTNAME%.onion}
              CLIENT_PUB_KEY_CONFIG="descriptor:x25519:${CLIENT_PUB_KEY}"
              printf %s"${CLIENT_PUB_KEY_CONFIG}" | sudo tee "${DATA_DIR_SERVICES}"/"${SERVICE}"/authorized_clients/"${CLIENT}".auth >/dev/null
              printf "\n# Server side authorization configured\n\n"
              printf %s" CLIENT_PUB_KEY_CONFIG=${CLIENT_PUB_KEY_CONFIG}\n"
              printf "\n# As you inserted the public key manually, we expect that the client already has the private key\n"
            else
              loop_list auth_server_add "${SERVICE}" "${CLIENT}"
              #instructions_auth
            fi
            restarting_tor
            printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
          ;;

          ## as the onion service operator, after making your onion service authenticated, you can also remove a specific client authorization
          ## if no clients are present, the service will be available to anyone that has the onion service address
          off|OFF)
            { [ "${SERVICE}" = "" ] || [ "${CLIENT}" = "" ] ; } && error_msg "SERVICE name or CLIENT name is/are missing"
            auth_server_remove_clients(){
              SERVICE="${1}"
              CLIENT="${2}"
              printf %s"Service  = ${SERVICE}\n"
              if [ "${CLIENT}" = "all-clients" ]; then
                printf "Client   = all-clients\n\n"
                sudo rm -f "${DATA_DIR_SERVICES}"/"${SERVICE}"/authorized_clients/*.auth
              else
                printf %s"Client   = ${CLIENT}\n\n"
                sudo rm -f "${DATA_DIR_SERVICES}"/"${SERVICE}"/authorized_clients/"${CLIENT}".auth
              fi
            }
            [ -z "${SERVICE}" ] && error_msg "SERVICE is missing"
            if [ "${SERVICE}" = "all-services" ]; then
              printf "# Removing client authorization for all services.\n"
              create_service_list; SERVICE="${SERVICE_NAME_LIST}"
              [ "${CLIENT}" = "all-clients" ] \
              && printf "# Removing client authorization for all clients.\n# The service is now accessible for anyone with the onion address.\n\n" \
              || printf "# If any client remains, the service will still be authenticated.\n\n"
            else
              printf %s"# Removing client authorization for the services: ${SERVICE}\n"
              [ "${CLIENT}" = "all-clients" ] \
              && printf "# Removing client authorization for all clients.\n# The service is now accessible for anyone with the onion address.\n\n" \
              || printf "# If any client remains, the service will still be authenticated.\n\n"
            fi
            loop_list auth_server_remove_clients "${SERVICE}" "${CLIENT}"
            restarting_tor
            printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
          ;;

          list|LIST)
            auth_server_list(){
              SERVICE="${1}"
              test_service_exists "${SERVICE}"
              create_client_list "${SERVICE}"
              if [ -n "${CLIENT_COUNT}" ]; then
                printf %s"\nService  = ${SERVICE}\n"
                [ -n "${CLIENT_NAME_LIST}" ] && printf %s"Clients  = ${CLIENT_NAME_LIST} (${CLIENT_COUNT})\n"
                for AUTH in $(sudo -u "${TOR_USER}" ls "${DATA_DIR_SERVICES}/${SERVICE}/authorized_clients/"); do
                  printf %s"\n# File name: ${AUTH}\n"
                  printf %s"# Content:   $(sudo -u "${TOR_USER}" grep ":descriptor:x25519:" "${DATA_DIR_SERVICES}"/"${SERVICE}"/authorized_clients/"${AUTH}")\n"
                done
                printf "\n"
              else
                printf %s"\n# No clients for Hidden Service: ${SERVICE}\n\n"
              fi
            }
            printf "# Authorized clients for Hidden Services\n"
            [ "${SERVICE}" = "all-services" ] && { create_service_list; SERVICE="${SERVICE_NAME_LIST}"; }
            loop_list auth_server_list "${SERVICE}"
            printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
          ;;

          *)
            error_msg "Invalid '${COMMAND} ${HOST}' argument: STATUS=${STATUS}"
        esac
      ;;


      client|CLIENT)
        ONION_HOSTNAME="${4}"
        case "${STATUS}" in

          ## as the onion service client, add a key given by the onion service operator to authenticate yourself inside ClientOnionAuthDir
          ## The suffix '.auth_private' should not be mentioned, it will be automatically inserted when mentioning the name of the file.
          ## private key format must be: <onion-addr-without-.onion-part>:descriptor:x25519:<private-key>
          ## use the onion hostname as the file name, this avoid overriding the file by mistake and it indicates outside of the file for which service it refers to (of course it is written inside also)
          ## adding to Tor Browser automatically not supported yet
          on|ON)
            [ -z "${ONION_HOSTNAME}" ] && error_msg "ONION_HOSTNAME is missing"
            CLIENT_PRIV_KEY="${5}" ## optional
            ONION_HOSTNAME_WITHOUT_ONION=${ONION_HOSTNAME%.onion}
            SUFFIX_ONION=${ONION_HOSTNAME##*.}
            [ "${ONION_HOSTNAME_WITHOUT_ONION%%*[^a-z2-7]*}" ] || error_msg "ONION_DOMAIN is invalid, it is not within base32 alphabet lower-case encoding [a-z][2-7]"
            [ "${#ONION_HOSTNAME}" = "62" ] || error_msg "ONION_DOMAIN is invalid, LENGTH=${#ONION_HOSTNAME} is different than 62 characters (<56-char-base32>.onion)"
            [ "${SUFFIX_ONION}" = "onion" ] || error_msg "ONION_DOMAIN is invalid, suffix is not '.onion'"
            sudo cp "${TORRC}" "${TORRC}".bak
            grep -q "ClientOnionAuthDir" "${TORRC}" && { printf %s"\nClientOnionAuthDir ${DATA_DIR_AUTH}\n\n" | sudo tee -a "${TORRC}"; }
            sudo -u "${TOR_USER}" mkdir -p "${DATA_DIR_AUTH}"
            if [ "${CLIENT_PRIV_KEY}" = "" ]; then
              ## Generate pem and derive pub and priv keys
              openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem
              grep -v "PRIVATE KEY" /tmp/k1.prv.pem | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.prv.key
              openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v "PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.pub.key
              ## save variables
              CLIENT_PUB_KEY=$(cat /tmp/k1.pub.key)
              CLIENT_PRIV_KEY=$(cat /tmp/k1.prv.key)
              ONION_HOSTNAME_WITHOUT_ONION=${ONION_HOSTNAME%.onion}
              CLIENT_PRIV_KEY_CONFIG="${ONION_HOSTNAME_WITHOUT_ONION}:descriptor:x25519:${CLIENT_PRIV_KEY}"
              CLIENT_PUB_KEY_CONFIG="descriptor:x25519:${CLIENT_PUB_KEY}"
              ## Delete pem and keys
              sudo rm -f /tmp/k1.pub.key /tmp/k1.prv.key /tmp/k1.prv.pem
              # Client side configuration
              printf %s"${CLIENT_PRIV_KEY_CONFIG}\n" | sudo tee "${DATA_DIR_AUTH}"/"${ONION_HOSTNAME}".auth_private >/dev/null
              printf "# Client side authorization configured\n"
              printf "# This is your private key, keep it safe, keep it hidden:\n\n"
              printf %s" CLIENT_PRIV_KEY=${CLIENT_PRIV_KEY}\n"
              printf %s" CLIENT_PRIV_KEY_CONFIG=${CLIENT_PRIV_KEY_CONFIG}\n"
              printf "\n# Now it depends on the service operator to authorize you client public key\n\n"
              ## Server side configuration
              printf ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
              printf "# Send the public key and instructions to the onion service operator\n\n"
              printf %s" ONION_HOSTNAME=${ONION_HOSTNAME}\n"
              printf %s" CLIENT_PUB_KEY=${CLIENT_PUB_KEY}\n"
              printf %s" CLIENT_PUB_KEY_CONFIG=descriptor:x25519:${CLIENT_PUB_KEY}\n\n"
              printf "# Create a file with the client name (eg. alice) using the suffix '.auth' (eg. alice.auth) inside the folder\n"
              printf %s"#  '<HiddenServiceDir>/authorized_clients/' where the service hostname is ${ONION_HOSTNAME}\n\n"
              printf %s" printf '${CLIENT_PUB_KEY_CONFIG}' | sudo tee /var/lib/tor/hidden_service/authorized_clients/alice.auth\n\n"
              printf "# Reload tor\n\n"
              printf " sudo chown -R debian-tor:debian-tor /var/lib/tor\n"
              printf " sudo systemctl reload-or-restart tor\n"
              printf ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
            else
              CLIENT_PRIV_KEY_CONFIG="${ONION_HOSTNAME_WITHOUT_ONION}:descriptor:x25519:${CLIENT_PRIV_KEY}"
              printf %s"${CLIENT_PRIV_KEY_CONFIG}\n" | sudo tee "${DATA_DIR_AUTH}"/"${ONION_HOSTNAME}".auth_private >/dev/null
              printf "\n# Client side authorization configured\n"
              printf %s"\n CLIENT_PRIV_KEY_CONFIG=${CLIENT_PRIV_KEY_CONFIG}\n"
              printf "\n# As you inserted the private key manually, we expect that you have already sent/received the public key to/from the onion service operator\n"
            fi
            printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
          ;;

          ## as the onion service client, delete '.auth_private' files from ClientOnionAuthDir that are not valid or has no use anymore
          off|OFF)
            auth_client_remove  (){
              ONION_HOSTNAME="${1}"
              printf %s"\n# Removing ${DATA_DIR_AUTH}/${ONION_HOSTNAME}.auth_private"
              sudo rm -fv "${DATA_DIR_AUTH}"/"${ONION_HOSTNAME}".auth_private
            }
            [ -z "${ONION_HOSTNAME}" ] && error_msg "ONION_HOSTNAME is missing"
            if [ "$(sudo -u "${TOR_USER}" ls "${DATA_DIR_AUTH}")" != "" ]; then
              loop_list auth_client_remove "${ONION_HOSTNAME}"
              printf "\n# Client side authorization removed\n"
              printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
            else
              printf %s"${FOREGROUND_RED}INFO: ClientOnionAuthDir is empty\n${UNSET_FORMAT}"
            fi
          ;;

          list|LIST)
            if [ "$(sudo -u "${TOR_USER}" ls "${DATA_DIR_AUTH}")" != "" ]; then
              printf %s"# ClientOnionAuthDir ${DATA_DIR_AUTH}\n"
              for AUTH in $(sudo -u "${TOR_USER}" ls "${DATA_DIR_AUTH}"); do
                printf %s"\n# File name: ${AUTH}\n"
                printf %s"# Content:   $(sudo -u "${TOR_USER}" grep "descriptor:x25519:" "${DATA_DIR_AUTH}"/"${AUTH}")"
              done
              printf "\n"
              printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
            else
              printf %s"${FOREGROUND_RED}INFO: ClientOnionAuthDir is empty\n${UNSET_FORMAT}"
            fi
          ;;

          *)
            error_msg "Invalid '${COMMAND} ${HOST}' argument: STATUS=${STATUS}"
        esac
      ;;

      *)
        error_msg "Invalid '${COMMAND}' argument: HOST=${HOST}"
    esac
  ;;


  ## change service hostname by deleting its ed25519 pub and priv keys.
  ## <HiddenServiceDir>/authorized_clients/ because the would need to update their '.auth_private' file with the new onion address anyway and for security reasons.
  ## all-services will read through all services folders and execute the commands.
  renew|RENEW)
    is_service_dir_empty
    SERVICE="${2}"; [ -z "${SERVICE}" ] && error_msg "SERVICE is missing"
    renew_service_address(){
      SERVICE="${1}"
      test_service_exists "${SERVICE}"
      printf ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
      printf %s"\n# Renewing hostname (address) of the service: ${SERVICE}\n"
      OLD_HOSTNAME="${ONION_HOSTNAME}"
      ## delete service public and secret keys
      sudo rm -fv "${DATA_DIR_SERVICES}"/"${SERVICE}"/hs_ed25519_secret_key
      sudo rm -fv "${DATA_DIR_SERVICES}"/"${SERVICE}"/hs_ed25519_public_key
      sudo rm -fv "${DATA_DIR_SERVICES}"/"${SERVICE}"/hostname
      ## reload tor now so auth option can get the new hostname
      restarting_tor
      test_service_exists "${SERVICE}"
      NEW_HOSTNAME="${ONION_HOSTNAME}"
      if [ "${OLD_HOSTNAME}" != "${NEW_HOSTNAME}" ]; then
        printf %s"${FOREGROUND_BLUE}# Service renewed.\n${UNSET_FORMAT}"
        printf %s"\nOld = ${OLD_HOSTNAME}\n"
        printf %s"New = ${ONION_HOSTNAME}\n"
        printf "\n# Note: Remember to notify your clients about the new hostname and update their '.auth_private' files accordingly.\n"
        printf "\nService address QR encoded format:\n"
        qrencode -m 2 -t ANSIUTF8 "${NEW_HOSTNAME}"
      else
        printf %s"${FOREGROUND_RED}# Failed to renew service: ${SERVICE}\n${UNSET_FORMAT}"
      fi
      printf ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
    }
    [ "${SERVICE}" = "all-services" ] && { create_service_list; SERVICE="${SERVICE_NAME_LIST}"; }
    loop_list renew_service_address "${SERVICE}"
    printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
  ;;

  ## show all the necessary information to access the service such as the hostname and the QR encoded hostname to scan for Tor Browser Mobile
  ## show the clients names and quantity, as well as the service torrc's block
  ## all-services will read through all services folders and execute the commands
  list|LIST)
    is_service_dir_empty
    SERVICE="${2}"; [ -z "${SERVICE}" ] && error_msg "SERVICE is missing"
    get_service_info(){
      SERVICE="${1}"
      NO_QR="${2}"
      test_service_exists "${SERVICE}"
      ## save clients names that are inside <HiddenServiceDir>/authorized_clients/
      create_client_list "${SERVICE}"
      [ "${NO_QR}" = "no-qr" ] || { printf "\n"; qrencode -m 2 -t ANSIUTF8 "${ONION_HOSTNAME}"; }
      printf %s"\nAddress  = ${ONION_HOSTNAME}\n"
      printf %s"Service  = ${SERVICE}\n"
      [ -n "${CLIENT_NAME_LIST}" ] && printf %s"Clients  = ${CLIENT_NAME_LIST} (${CLIENT_COUNT})\n"
      if sudo grep -qc "^HiddenServiceDir .*/${SERVICE}$" "${TORRC}"; then
        printf "Status   = active\n" && sudo sed -n "/HiddenServiceDir .*\/${SERVICE}$/,/^\s*$/{p}" "${TORRC}" | sed "/^[[:space:]]*$/d"
      else
        printf "Status   = inactive\n"
      fi
      printf "\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
    }
    NO_QR="${3}"
    [ "${SERVICE}" = "all-services" ] && { create_service_list; SERVICE="${SERVICE_NAME_LIST}"; }
    loop_list get_service_info "${SERVICE}" "${NO_QR}"
    printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
  ;;

  ## start serving files with a webserver for a specific onion service and specific website folder
  web|WEB)
    [ -z "${WEBSERVER}" ] && error_msg "WEBSERVER variable is empty on .onionrc"
    STATUS="${2}"; [ -z "${STATUS}" ] && error_msg "STATUS is missing"
    SERVICE="${3}"; [ -z "${STATUS}" ] && error_msg "SERVICE is missing"
    case "${STATUS}" in

      on|ON)
        is_service_dir_empty
        test_service_exists "${SERVICE}"
        FOLDER="${4}"; [ -z "${FOLDER}" ] && error_msg "FOLDER is missing"
        VIRTPORT=$(sudo sed -n "/HiddenServiceDir .*\/${SERVICE}$/,/^\s*$/{p}" "${TORRC}" | grep "HiddenServicePort 80")
        [ "${VIRTPORT}" = "" ] && error_msg "At least one VIRTPORT of the service must be listening on port 80"
        TARGET=${VIRTPORT##* }
        printf %s"# Activating web server for the onion service: ${SERVICE}\n\n"
        cp -v "${ONIONSERVICE_PWD}"/etc/"${WEBSERVER}"/sites-available/sample-onion.conf /tmp/"${SERVICE}"-onion.conf
        sed -i'' "s|SERVICE|${SERVICE}|g" /tmp/"${SERVICE}"-onion.conf
        sed -i'' "s|TARGET|${TARGET}|g" /tmp/"${SERVICE}"-onion.conf
        ## If starts with '/', user specified the path, if started with anything else expect a folder inside ${WEBSITE_DIR}
        case "${FOLDER}" in
          /*) sed -i'' "s|FOLDER|${FOLDER}|" /tmp/"${SERVICE}"-onion.conf;;
          *) sed -i'' "s|FOLDER|${WEBSITE_DIR}/${FOLDER}|" /tmp/"${SERVICE}"-onion.conf
        esac
        sudo cp -v /tmp/"${SERVICE}"-onion.conf /etc/"${WEBSERVER}"/sites-available/
        sudo ln -sfv /etc/"${WEBSERVER}"/sites-available/"${SERVICE}"-onion.conf /etc/"${WEBSERVER}"/sites-enabled/
        printf "\n# Web server configuration:\n\n"
        #sudo cat /tmp/"${SERVICE}"-onion.conf
        while IFS= read -r line || [ -n "$line" ]; do printf '%s\n' "$line"; done < "/tmp/${SERVICE}-onion.conf"
        printf "\n# Reloading web server to apply new configuration\n"
        case "${WEBSERVER}" in
          nginx) sudo nginx -t && sudo nginx -s reload;;
          apache2) sudo apache2 -t && sudo apache -k graceful;;
        esac
        #sudo rm -f /tmp/"${SERVICE}"-onion.conf
        printf %s"\n# Address: ${ONION_HOSTNAME}\n"
        printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
      ;;

      off|OFF)
        disable_site(){
          SERVICE="${1}"
          printf %s"\n# Stopping website of the service: ${SERVICE}\n"
          sudo rm -fv /etc/"${WEBSERVER}"/sites-available/"${SERVICE}"-onion.conf ## for cleanliness
          sudo rm -fv /etc/"${WEBSERVER}"/sites-enabled/"${SERVICE}"-onion.conf
        }
        loop_list disable_site "${SERVICE}" 0
        printf "\n# Reloading web server to apply new configuration\n"
        case "${WEBSERVER}" in
          nginx) sudo nginx -t && sudo nginx -s reload;;
          apache2) sudo apache2 -t && sudo apache2 -k graceful;;
        esac
        printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
      ;;

      list|LIST)
        printf %s"# Web server = ${WEBSERVER}\n\n"
        printf "# Enabled websites:"
        SITES_ENABLED=$(sudo ls /etc/"${WEBSERVER}"/sites-enabled/ | sed "s/-onion.conf//g")
        [ -n "${SITES_ENABLED}" ] && printf %s"\n${SITES_ENABLED}\n" || printf " No website enabled\n"
      ;;

      *)
        error_msg "Invalid '${COMMAND}' argument: ${STATUS}"
    esac
  ;;


  ## guide to add onion-location to redirect tor users when using your plainnet site to the onion service address
  ## https://matt.traudt.xyz/posts/website-setup/
  location|LOCATION)
    is_service_dir_empty
    ACTION="${2}"; [ -z "${ACTION}" ] && error_msg "ACTION is missing"
    SERVICE="${3}"; [ -z "${SERVICE}" ] && error_msg "SERVICE is missing"
    test_service_exists "${SERVICE}"

    start_location(){
    printf "# Onion-Location guided steps
\n* The below output is printing text, no file was modified by this script, therefore, user needs to manually configure.
* For web servers, include header line inside the plainnet ssl block (port 443).
* It assumes you know how to run a plainnet server, configuration is an example and should be adapted to your needs.
\n# Add to your \"%s${ACTION}\" configuration:\n"
}

  finish_location(){
  printf "\n# Test redirection
\n* Open the web site in Tor Browser and a purple pill will appear in the address bar; or
* Fetch the web site HTTP headers and look for onion-location entry and the onion service address:
\n\twget --server-response --spider your-website.tld\n"
}

    case "${ACTION}" in

      nginx|NGINX)
        start_location
        printf "
server {\n\tlisten 443 ssl http2;\n\tadd_header Onion-Location http://""%s${ONION_HOSTNAME}""\$request_uri;\n}
\n# Reload web server:\n\n\tsudo nginx -t && sudo nginx -s reload\n"
        finish_location
      ;;

      apache|APACHE)
        start_location
        printf "
<VirtualHost *:443>\n\tHeader set Onion-Location \"http://%s${ONION_HOSTNAME}%%{REQUEST_URI}s\"\n</Virtualhost>
\n# Enable headers and rewrite modules:\n\n\tsudo a2enmod headers rewrite
\n# Reload web server:\n\n\tsudo apache2 -t && sudo apache2 -k graceful\n"
        finish_location
      ;;

      html|HTML)
        start_location
        printf "
<meta http-equiv=\"onion-location\" content=\"http://%s${ONION_HOSTNAME}\"/>
\n# Reload web server that you use:\n\n\tsudo nginx -t && sudo nginx -s reload\n\t# or\n\tsudo apache2 -t && sudo apache2 -k graceful\n"
        finish_location
      ;;

      *)
        error_msg "Invalid '${COMMAND}' argument: ${ACTION}"
    esac
  ;;


  backup|BACKUP)
    ACTION="${2}"; [ -z "${ACTION}" ] && error_msg "ACTION is missing"
    case "${ACTION}" in

      ## restore backup
      ## backup tar file will be extracted and integrated into their respective tor folders
      ## scp instructions to import backup from remote host
      integrate|INTEGRATE)
        # shellcheck disable=SC2153,SC2154
        sudo -u "${USER}" mkdir -p "${HS_BK_DIR}"/integrate
        HS_BK_TAR=$(sudo -u "${USER}" ls "${HS_BK_DIR}" | grep ".tar.gz" | tail -n -1)
        printf %s"# Integrating backup from file: ${HS_BK_TAR}\n\n"
        printf "# Extracting the archive\n\n"
        sudo tar -xpzvf "${HS_BK_DIR}"/"${HS_BK_TAR}" -C "${HS_BK_DIR}"/integrate
        sudo chown -R "${USER}:${USER}" "${HS_BK_DIR}"
        sudo cp -rf "${HS_BK_DIR}"/integrate"${DATA_DIR_SERVICES}"/* "${DATA_DIR_SERVICES}"/
        sudo cp -rf "${HS_BK_DIR}"/integrate"${DATA_DIR_AUTH}"/* "${DATA_DIR_AUTH}"/
        DATA_DIR_AUTH_BK="$(sudo grep "ClientOnionAuthDir" "${HS_BK_DIR}"/integrate"${TORRC}")"
        if [ -n "${DATA_DIR_AUTH_BK}" ]; then
          sudo sed -i'' "/ClientOnionAuthDir .*/d" "${TORRC}"
          printf '\n%s\n\n' "${DATA_DIR_AUTH_BK}" | sudo tee -a "${TORRC}" >/dev/null
          sudo sed -i'' "/ClientOnionAuthDir .*/d" "${HS_BK_DIR}"/integrate"${TORRC}"
        fi
        sudo cat -s "${TORRC}" "${HS_BK_DIR}"/integrate"${TORRC}" | sudo tee "${TORRC}".tmp >/dev/null
        sudo mv "${TORRC}".tmp "${TORRC}"
        ## avoid duplication of services, it will keep the current machine config lines for safety
        # for SERVICE in $(sudo grep "HiddenServiceDir" "${TORRC}" | cut -d " " -f2); do
        #   SERVICE_NAME=$(printf %s"${SERVICE##*/}")
        #   sudo sed -n "/HiddenServiceDir .*\/${SERVICE_NAME}$/,/^\s*$/{p}" "${TORRC}" > "${TORRC}".tmp
        #   sudo sed -i'' "/HiddenServiceDir .*\/${SERVICE_NAME}$/,/^\s*$/{d}" "${TORRC}"
        #   sudo sed '/^\s*$/Q' "${TORRC}".tmp > "${TORRC}".mod
        #   sudo sed -i'' '1 i \ ' "${TORRC}".mod; sudo sed -i'' "\$a\ " "${TORRC}".mod
        #   sudo cat "${TORRC}".mod | sudo tee -a "${TORRC}" >/dev/null
        # done
        # sudo rm -f "${TORRC}".tmp "${TORRC}".mod
        #sudo cat -s "${TORRC}" | sudo tee "${TORRC}".tmp >/dev/null && sudo mv "${TORRC}".tmp "${TORRC}"
        sudo rm -rf "${HS_BK_DIR}"/integrate
        ## RESTORE BACKUP FROM REMOTE
        printf "\n# Restore your configuration importing from a remote machine.\n\n"
        ## upload from remote to this instane
        printf "# Import backup file uploading to remote. On the remote terminal, run:\n"
        printf %s"\tsudo scp -r ${HS_BK_TAR} ${USER}@${LOCAL_IP}:${HS_BK_DIR}/\n\n" #### remove HS_BK_TAR
        ## download from this instance
        printf "# Import backup file downloading from remote. On this terminal instance, run:\n"
        printf %s"\tsudo scp -r ${SCP_TARGET_FULL} ${HS_BK_DIR}/${HS_BK_TAR}\n" #### remove HS_BK_TAR
        #restarting_tor
      ;;

      ## full backup needede to restore all of your hidden services and client keys
      ## folders/files included: <torrc>, <DataDir>/services/, <DataDir>/onion_auth/
      ## scp instructions to export backup to remote host
      create|CREATE)
        HS_BK_TAR="tor-hs-$(date +%Y-%m-%d-%H'h'-%M'm').tar.gz"
        printf "# Backing up the services dir, onion_auth dir and the torrc\n\n"
        mkdir -p "${HS_BK_DIR}"
        ## these lines are necessary to copy the full path when creating the compressed archive
        sudo cp "${TORRC}" "${TORRC}".rest
        printf '\n%s\n\n' "$(sudo grep "ClientOnionAuthDir" "${TORRC}")" | sudo tee "${TORRC}".tmp >/dev/null
        printf '\n%s\n\n' "$(sudo sed -n "/HiddenServiceDir/,/^\s*$/{p}" "${TORRC}")" | sudo tee -a "${TORRC}".tmp >/dev/null
        sudo mv "${TORRC}".tmp "${TORRC}"
        sudo tar -cpzvf "${HS_BK_DIR}"/"${HS_BK_TAR}" "${DATA_DIR_SERVICES}" "${DATA_DIR_AUTH}" "${TORRC}" 2>/dev/null
        sudo mv "${TORRC}".rest "${TORRC}"
        sudo chown -R "${USER}:${USER}" "${HS_BK_DIR}"
        set_owner_permission
        printf %s"\nsha256sum=$(sha256sum "${HS_BK_DIR}"/"${HS_BK_TAR}")\n\n"
        ## upload to remote
        printf "# Export backup file uploading to remote. On this terminal instance, run:\n"
        printf %s"\tsudo scp -r ${HS_BK_DIR}/${HS_BK_TAR} ${SCP_TARGET_FULL}\n\n"
        ## download from this instance on remote
        printf "# Export backup file downloading from remote. On the remote terminal, run:\n"
        printf %s"\tsudo scp -r ${USER}@${LOCAL_IP}:${HS_BK_DIR}/${HS_BK_TAR} .\n"
      ;;

      *)
        error_msg "Invalid '${COMMAND}' argument: ${ACTION}"
    esac
  ;;


  ## This addon protects against guard discovery and related traffic analysis attacks.
  ## A guard discovery attack enables an adversary to determine the guard node(s) that are in use by a Tor client and/or Tor onion service.
  ## Once the guard node is known, traffic analysis attacks that can deanonymize an onion service (or onion service user) become easier.
  ##  TODO: hardening (as in $ sytemctl cat tor@default), but got permission denied :unable to read '/run/tor/control.authcookie'
  vanguards|VANGUARDS)
    ACTION="${2}"; [ -z "${ACTION}" ] && error_msg "ACTION is missing"

    vanguards_config(){
      ## TODO: Better detection if using socket or control ip and port.
      #sudo sed -i'' "s|^control_socket =.*|control_socket = ${CONTROL_SOCKET}|" "${DATA_DIR}"/vanguards/vanguards.conf
      #sudo sed -i'' "s|^control_port =.*|control_port = ${CONTROL_PORT}|" "${DATA_DIR}"/vanguards/vanguards.conf
      sudo -u "${TOR_USER}" cp "${DATA_DIR}"/vanguards/vanguards-example.conf "${DATA_DIR}"/vanguards/vanguards.conf
      sudo -u "${TOR_USER}" sed -i'' "s|^logfile =.*|logfile = /var/log/tor/vanguards.log|" "${DATA_DIR}"/vanguards/vanguards.conf
      sudo cp "${TORRC}" "${TORRC}".bak
      grep -q "ControlPort" "${TORRC}" || { printf %s"\nControlPort ${CONTROL_PORT}\n\n" | sudo tee -a "${TORRC}" >/dev/null; }
      { grep -q "CookieAuthentication" "${TORRC}" || grep -q "HashedControlPassword" "${TORRC}"; } || { printf "\nCookieAuthentication 1\n\n" | sudo tee -a "${TORRC}"  >/dev/null; }
      set_owner_permission
      cp -v "${ONIONSERVICE_PWD}"/etc/systemd/system/vanguards@default.service /tmp/vanguards@default.service
      sed -i'' "s/TOR_SERVICE/${TOR_SERVICE}/g" /tmp/vanguards@default.service
      sed -i'' "s|DATA_DIR|${DATA_DIR}|g" /tmp/vanguards@default.service
      sed -i'' "s/CONTROL_PORT/${CONTROL_PORT}/g" /tmp/vanguards@default.service
      sed -i'' "s/TOR_USER/${TOR_USER}/g" /tmp/vanguards@default.service
      sudo cp -v /tmp/vanguards@default.service /etc/systemd/system/
      printf "\n>>>>>>>>>>>>>>>>>>>\n"
      while IFS= read -r line || [ -n "$line" ]; do printf '%s\n' "$line"; done < "/tmp/vanguards@default.service"
      #cat /tmp/vanguards@default.service
      printf ">>>>>>>>>>>>>>>>>>>\n\n"
      sudo systemctl daemon-reload
      sudo systemctl enable vanguards@default.service
      sudo systemctl restart vanguards@default.service
      sudo systemctl status vanguards@default.service --no-pager
      printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
    }

    case "${ACTION}" in
      install|INSTALL)
        printf "# Installing Vanguards...\n\n"
        sudo -u "${TOR_USER}" git clone https://github.com/mikeperry-tor/vanguards.git "${DATA_DIR}/vanguards"
        sudo chown -R "${TOR_USER}:${TOR_USER}" "${DATA_DIR}"
        sudo -u "${TOR_USER}" git -C "${DATA_DIR}"/vanguards reset --hard "${VANGUARDS_COMMIT_HASH}"
        vanguards_config
      ;;

      upgrade|UPGRADE)
        printf "# Upgrading Vanguards...\n\n"
        sudo -u "${TOR_USER}" git -C "${DATA_DIR}"/vanguards pull -p
        sudo -u "${TOR_USER}" git -C "${DATA_DIR}"/vanguards reset --hard "${VANGUARDS_COMMIT_HASH}"
        sudo -u "${TOR_USER}" git -C "${DATA_DIR}"/vanguards show
        vanguards_config
      ;;

      remove|REMOVE)
        printf "# Removing Vanguards...\n\n"
        sudo rm -rfv "${DATA_DIR}"/vanguards
        printf %s"${FOREGROUND_GREEN}\n# Done\n${UNSET_FORMAT}"
      ;;

      logs|LOGS)
        sudo tail -f -n 25 /var/log/tor/vanguards.log
      ;;

      *)
        error_msg "Invalid ${COMMAND} argument: ${ACTION}"
    esac
  ;;

  *) usage

esac