feat: generate hidden services on demand

Dockerfile

@@ -7,10 +7,10 @@ ENV SUTTY="sutty.nl"
 ENV HTTP_BASIC_USER=""
 ENV HTTP_BASIC_PASSWORD=""
 
-RUN apk add --no-cache tor curl jq
+RUN apk add --no-cache tor sutty_tor_hidden_service daemonize
 COPY ./monit.conf /etc/monit.d/tor.conf
 COPY ./torrc /etc/tor/torrc
-COPY ./hidden_services.sh /usr/local/bin/hidden_services
+COPY ./hidden_servicesd.sh /usr/local/bin/hidden_servicesd
 RUN chmod 644 /etc/tor/torrc
 
 VOLUME /var/lib/tor

hidden_services.sh

@@ -1,53 +0,0 @@
-#!/bin/sh
-#
-# Get every website with hidden service (HS) enabled from Sutty's API
-# and generate a Tor configuration file for it.  We do it this way
-# because the original plan was to use Tor Control Protocol, but it only
-# allows to create ephemeral hidden services if you don't store the
-# private key separately.  HS are lost when Tor is restarted.  We don't
-# want Sutty to have access to HS' private keys nor we want to device
-# some algorithm to keep HS' alive when Tor restarts.
-#
-# So we did this that generates the persistent config file, reload Tor
-# to make it generate the HS and inform Sutty of the public key / onion
-# address.  This way private keys are only stored in Tor.
-
-set -e
-
-if test "$1" = "bootstrap" ; then
-  install -dm 2755 -o tor  -g root /var/lib/tor/hidden_services
-  install -dm 2755 -o root -g root /var/lib/tor/hidden_services/conf.d
-  exit 0
-fi
-
-# API client
-api_client () {
-  local _path="$1"; shift
-
-  curl --basic --user "${HTTP_BASIC_USER}:${HTTP_BASIC_PASSWORD}" \
-       $@ "https://api.${SUTTY}${_path}"
-}
-
-# Get all sites with HS enabled
-api_client "/v1/sites/hidden_services.json" | jq --raw-output .[] | while read name; do
-  conf_file="/var/lib/tor/hidden_services/conf.d/${name}.conf"
-  hs_dir="/var/lib/tor/hidden_services/${name}"
-
-  # The config file
-  echo "HiddenServiceDir ${hs_dir}" > "${conf_file}"
-  echo "HiddenServicePort 80 nginx:80" >> "${conf_file}"
-  echo "HiddenServiceEnableIntroDoSDefense 1" >> "${conf_file}"
-
-  chmod 644 "${conf_file}"
-
-  # Reload Tor
-  cat /var/lib/tor/tor.pid | xargs -r kill -SIGHUP
-
-  # Wait for the hidden service to be created
-  while ! test -f "${hs_dir}/hostname"; do sleep 1 ; done
-
-  # Inform the hidden service to Sutty
-  api_client "/v1/sites/add_onion.json" \
-             --data "name=${name}" \
-             --data-urlencode "onion@${hs_dir}/hostname"
-done

hidden_servicesd.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+
+dir=/var/empty
+pid=/run/hidden_services.pid
+usr=${USER:-tor}
+adr=${SERVICE:-nginx}
+prt=${PORT:-80}
+
+case $1 in
+  start)
+      daemonize -c ${dir} -p ${pid} -l ${pid} -u ${usr} /usr/local/bin/syslogize /usr/bin/sutty_tor_hidden_service -S ${adr} -P ${prt}
+    ;;
+  stop)
+    test -f ${pid} || exit 0
+
+    cat ${pid} | xargs -r kill
+  ;;
+esac

monit.conf

@@ -1,13 +1,7 @@
-check program hidden_services_bootstrap
-  with path "/usr/local/bin/hidden_services bootstrap"
-  every 1 cycle
-  if status = 0 then unmonitor
-
 check process tor with pidfile /var/lib/tor/tor.pid
   start program = "/usr/bin/tor"
   stop program = "/bin/sh -c 'cat /var/lib/tor/tor.pid | xargs -r kill'"
 
-check program hidden_services
-  with path "/usr/local/bin/hidden_services"
-  every 1 cycle
-  if status != 0 then alert
+check process hidden_services with pidfile /run/hidden_services.pid
+  start program = "/usr/local/bin/hidden_servicesd start"
+  stop program = "/usr/local/bin/hidden_servicesd stop"

torrc

@@ -5,4 +5,5 @@ PidFile /var/lib/tor/tor.pid
 NoExec 1
 Log notice syslog
 DataDirectory /var/lib/tor
+ControlPort 127.0.0.1:9051
 %include /var/lib/tor/hidden_services/conf.d/