From 5120d0d0e954e957748ebe2d85c4c3edd8c0a513 Mon Sep 17 00:00:00 2001
From: "rE-Bo0t.bx1" <54429050+r3bo0tbx1@users.noreply.github.com>
Date: Sun, 21 Dec 2025 03:14:39 +0800
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20feat(v1.1.4):=20modernize=20templat?=
=?UTF-8?q?es,=20security,=20and=20build=20variants?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This update refines the Tor relay configuration and build process:
- Security: Disables DirPort and adopts ciissversion:2 for ContactInfo.
- Performance: Adds IPv6 support and hardware acceleration options.
- Builds: Establishes Stable vs. Edge variants for better testing cycles.
- Tooling: Integrates nyx.config and cleans up legacy tags.
- Sync: Aligns cosmos-compose and docker-compose templates.
- Update retention policy: Keep last 7 versions
No breaking changes introduced.
---
.github/workflows/cleanup.yml | 66 ++++++-
.github/workflows/release.yml | 39 +---
.github/workflows/validate.yml | 2 +-
.gitignore | 9 -
CHANGELOG.md | 36 +++-
Dockerfile | 3 +-
Dockerfile.edge | 3 +-
README.md | 179 +++++++++---------
SECURITY.md | 16 +-
docker-entrypoint.sh | 2 +-
examples/nyx.config | 23 +++
examples/relay-bridge.conf | 36 ++--
examples/relay-exit.conf | 127 +++++--------
examples/relay-guard.conf | 20 +-
templates/README.md | 16 +-
.../cosmos-bind-config-guard-relay.json | 2 +-
.../cosmos-bind-confing-bridge.json | 2 +-
.../cosmos-compose-bridge-official.json | 2 +-
.../cosmos-compose/cosmos-compose-bridge.json | 2 +-
.../cosmos-compose/cosmos-compose-exit.json | 6 +-
.../cosmos-compose/cosmos-compose-guard.json | 4 +-
.../cosmos-compose-multi-relay.json | 6 +-
.../docker-compose-bridge-official.yml | 2 +-
.../docker-compose/docker-compose-bridge.yml | 2 +-
.../docker-compose/docker-compose-exit.yml | 4 +-
.../docker-compose-guard-env.yml | 2 +-
26 files changed, 329 insertions(+), 282 deletions(-)
create mode 100644 examples/nyx.config
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
index 5f338c4..08f6a95 100644
--- a/.github/workflows/cleanup.yml
+++ b/.github/workflows/cleanup.yml
@@ -4,12 +4,17 @@ on:
schedule:
- cron: '0 0 * * 0'
workflow_dispatch:
+ push:
+ tags:
+ - 'v*.*.*'
permissions:
actions: write
+ packages: write
jobs:
clear-cache:
+ name: ðĨ Nuke Caches
runs-on: ubuntu-latest
steps:
- name: ðĨ Nuke GitHub Actions Cache
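Review bot: `packages: write` is added to the workflow-level `permissions:` block, so every job gets a token that can publish or delete packages, including `clear-cache`, whose visible step only needs `actions: write`. The new `push: tags` trigger also means this token is now minted on every release tag, not just on the weekly schedule. Scope the permission to the job that uses it: keep `actions: write` on `clear-cache`, put `permissions:` with `packages: write` under `prune-ghcr`, and give `prune-dockerhub` only `contents: read`, since it authenticates with its own Docker Hub secret. The `on:` block and the `clear-cache` job both extend outside this hunk, and the two prune jobs are defined in the next one.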
@@ -18,4 +23,63 @@ jobs:
run: |
echo "ð meaningful-text: check for caches..."
gh cache delete --all --repo ${{ github.repository }} || true
- echo "â
Cache storage is now empty."
\ No newline at end of file
+ echo "â
Cache storage is now empty."
+
+ prune-ghcr:
+ name: ð§ Prune GHCR
+ runs-on: ubuntu-latest
+ steps:
+ - name: ðïļ Delete old GHCR versions
+ uses: actions/delete-package-versions@v5
+ with:
+ package-name: 'onion-relay'
+ package-type: 'container'
+ min-versions-to-keep: 14
+ ignore-versions: '^(latest|edge)$'
+ delete-only-untagged-versions: 'false'
+
+ prune-dockerhub:
+ name: ð Prune Docker Hub
+ runs-on: ubuntu-latest
+ steps:
+ - name: ðĨ Checkout Repository
+ uses: actions/checkout@v5
+
+ - name: ðŠ Clean Docker Hub Tags
+ env:
+ DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+ DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
+ REPOSITORY: "r3bo0tbx1/onion-relay"
+ run: |
+ set -e
+ echo "ð Authenticating with Docker Hub..."
+ TOKEN=$(curl -s -H "Content-Type: application/json" -X POST \
+ -d "{\"username\": \"$DOCKER_USERNAME\", \"password\": \"$DOCKER_PASSWORD\"}" \
+ https://hub.docker.com/v2/users/login/ | jq -r .token)
+
+ if [ "$TOKEN" == "null" ] || [ -z "$TOKEN" ]; then
+ echo "â Authentication failed. Check DOCKERHUB_TOKEN."
+ exit 1
+ fi
+
+ echo "ð Fetching tags for $REPOSITORY..."
+ ALL_TAGS=$(curl -s -H "Authorization: JWT $TOKEN" \
+ "https://hub.docker.com/v2/repositories/$REPOSITORY/tags/?page_size=100")
+
+ # Filter out moving tags and count only the real version tags
+ VERSION_TAGS=$(echo "$ALL_TAGS" | jq -r '.results | sort_by(.last_updated) | reverse | .[].name' | grep -E -v "^(latest|edge)$" || true)
+
+ COUNT=$(echo "$VERSION_TAGS" | wc -w)
+ echo "ð Found $COUNT versioned tags."
+
+ if [ "$COUNT" -gt 14 ]; then
+ OLD_TAGS=$(echo "$VERSION_TAGS" | awk 'NR>14')
+ for TAG in $OLD_TAGS; do
+ echo "ðïļ Deleting old versioned tag: $TAG"
+ curl -s -H "Authorization: JWT $TOKEN" -X DELETE \
+ "https://hub.docker.com/v2/repositories/$REPOSITORY/tags/$TAG/"
+ done
+ echo "â
Docker Hub cleanup complete."
+ else
+ echo "âĻ Current version count ($COUNT) is within the limit. No deletion needed."
+ fi
\ No newline at end of file
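Review bot: The Docker Hub step reports success even when its API calls fail, and it builds the login JSON by interpolating the secrets into a shell string. `curl -s` exits 0 on an HTTP 4xx/5xx, so a rejected tag listing or DELETE passes `set -e` unnoticed and the completion message is still printed; a password containing `"` or `\` also yields invalid JSON, and `-d` puts the credential on curl's command line. Build the body with `jq -n --arg`, pass it on stdin, and add `--fail` to the listing and DELETE calls, as sketched below. Separately, `actions/delete-package-versions@v5` and `actions/checkout@v5` are mutable tags in a workflow that holds `packages: write`, so pinning them to full commit SHAs is worth considering. The checkout step also looks unnecessary, since the script reads no repository files.

```yaml
        run: |
          set -euo pipefail
          # … unchanged: "Authenticating" echo …
          TOKEN=$(jq -n --arg u "$DOCKER_USERNAME" --arg p "$DOCKER_PASSWORD" \
              '{username: $u, password: $p}' \
            | curl -sS -H "Content-Type: application/json" -X POST --data @- \
              https://hub.docker.com/v2/users/login/ | jq -r .token)
          # … unchanged: empty/null TOKEN check and "Fetching tags" echo …
          ALL_TAGS=$(curl -fsS -H "Authorization: JWT $TOKEN" \
            "https://hub.docker.com/v2/repositories/$REPOSITORY/tags/?page_size=100")
          # … unchanged: tag filtering, count, and the start of the deletion loop …
              curl -fsS -H "Authorization: JWT $TOKEN" -X DELETE \
                "https://hub.docker.com/v2/repositories/$REPOSITORY/tags/$TAG/"
```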
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 77a22dc..ee19e98 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -69,7 +69,7 @@ jobs:
run: |
set -e
echo "ð Determining version context..."
- BUILD_VARIANTS="both" # Default: build both variants
+ BUILD_VARIANTS="both"
if [[ "${GITHUB_REF}" == refs/tags/v* ]]; then
VERSION="${GITHUB_REF#refs/tags/v}"
@@ -83,14 +83,12 @@ jobs:
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.0")
if [[ "${BUILD_MODE}" == "rebuild" ]]; then
- # Rebuild mode: Use last release version (same as weekly)
VERSION="${LATEST_TAG#v}"
BUILD_TYPE="manual-rebuild"
IS_RELEASE="false"
echo "ð Manual rebuild of last release: ${VERSION} (with updated packages)"
echo " Variants: ${BUILD_VARIANTS}"
else
- # Version bump mode: Create new version with suffix
VERSION="${LATEST_TAG#v}-manual-${GITHUB_RUN_NUMBER}"
BUILD_TYPE="manual"
IS_RELEASE="false"
@@ -98,25 +96,21 @@ jobs:
echo " Variants: ${BUILD_VARIANTS}"
fi
elif [[ "${GITHUB_EVENT_NAME}" == "schedule" ]]; then
- # Scheduled rebuild: Determine which schedule based on time
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.0")
VERSION="${LATEST_TAG#v}"
IS_RELEASE="false"
CURRENT_HOUR=$(date -u +%H)
if [[ "${CURRENT_HOUR}" == "18" ]]; then
- # Weekly rebuild (Sundays 18:30 UTC): Build stable only
BUILD_TYPE="weekly"
BUILD_VARIANTS="latest"
echo "ð
Weekly rebuild of last release: ${VERSION} (stable variant with updated packages)"
else
- # Edge-only rebuild (Every 3 days at 12:00 UTC): Build edge only
BUILD_TYPE="edge-rebuild"
BUILD_VARIANTS="edge"
echo "⥠Edge-only rebuild of last release: ${VERSION} (edge variant with updated packages)"
fi
else
- # Fallback (shouldn't happen)
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v1.0.0")
VERSION="${LATEST_TAG#v}"
BUILD_TYPE="unknown"
@@ -179,7 +173,6 @@ jobs:
BUILD_VARIANTS="${{ needs.determine-version.outputs.build_variants }}"
VARIANT_NAME="${{ matrix.variant.name }}"
- # Determine if this variant should be built
SHOULD_BUILD="false"
if [ "$BUILD_VARIANTS" = "both" ]; then
@@ -306,32 +299,24 @@ jobs:
TAGS=()
- # Always add GHCR versioned tag
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:${VERSION}${SUFFIX}")
if [ "$BUILD_TYPE" = "release" ]; then
- # New release: Add special tags
if [ "$IS_LATEST" = "true" ]; then
- # Stable variant gets :latest
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest")
else
- # Edge variant gets :edge
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:edge")
fi
- # Add Docker Hub tags
if [ "$PUSH_DOCKERHUB" = "true" ]; then
if [ "$IS_LATEST" = "true" ]; then
- # Stable: versioned tag + :latest
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}")
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:latest")
else
- # Edge: only :edge (no versioned tag for Docker Hub)
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:edge")
fi
fi
elif [ "$BUILD_TYPE" = "weekly" ] || [ "$BUILD_TYPE" = "manual-rebuild" ] || [ "$BUILD_TYPE" = "edge-rebuild" ]; then
- # Weekly rebuild, manual rebuild, or edge-only rebuild: Update version tag with fresh packages
if [ "$IS_LATEST" = "true" ]; then
TAGS+=("${{ env.GHCR_REGISTRY }}/${{ env.GHCR_IMAGE_NAME }}:latest")
else
@@ -340,21 +325,17 @@ jobs:
if [ "$PUSH_DOCKERHUB" = "true" ]; then
if [ "$IS_LATEST" = "true" ]; then
- # Stable: versioned tag + :latest
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}")
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:latest")
else
- # Edge: only :edge (no versioned tag for Docker Hub)
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:edge")
fi
fi
else
- # Manual/validated builds: version tag only
if [ "$PUSH_DOCKERHUB" = "true" ]; then
if [ "$IS_LATEST" = "true" ]; then
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:${VERSION}")
else
- # Edge manual builds: only :edge for Docker Hub
TAGS+=("${{ env.DOCKERHUB_IMAGE_NAME }}:edge")
fi
fi
@@ -400,7 +381,6 @@ jobs:
echo "ââââââââââââââââââââââââââââââââââââââââââââââ"
echo ""
- # Install syft for SBOM generation
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
VERSION="${{ needs.determine-version.outputs.version }}"
@@ -412,27 +392,22 @@ jobs:
echo " Image: ${IMAGE}"
echo ""
- # Generate CycloneDX JSON
echo "ð Generating CycloneDX JSON format..."
syft "${IMAGE}" -o cyclonedx-json > "sbom-${VARIANT}-cyclonedx-v${VERSION}.json"
echo " â
sbom-${VARIANT}-cyclonedx-v${VERSION}.json"
- # Generate CycloneDX XML
echo "ð Generating CycloneDX XML format..."
syft "${IMAGE}" -o cyclonedx-xml > "sbom-${VARIANT}-cyclonedx-v${VERSION}.xml"
echo " â
sbom-${VARIANT}-cyclonedx-v${VERSION}.xml"
- # Generate SPDX JSON
echo "ð Generating SPDX JSON format..."
syft "${IMAGE}" -o spdx-json > "sbom-${VARIANT}-spdx-v${VERSION}.json"
echo " â
sbom-${VARIANT}-spdx-v${VERSION}.json"
- # Generate SPDX tag-value
echo "ð Generating SPDX tag-value format..."
syft "${IMAGE}" -o spdx-tag-value > "sbom-${VARIANT}-spdx-v${VERSION}.spdx"
echo " â
sbom-${VARIANT}-spdx-v${VERSION}.spdx"
- # Generate human-readable table
echo "ð Generating human-readable table..."
syft "${IMAGE}" -o table > "sbom-${VARIANT}-table-v${VERSION}.txt"
echo " â
sbom-${VARIANT}-table-v${VERSION}.txt"
@@ -453,7 +428,7 @@ jobs:
sbom-${{ matrix.variant.name }}-*.xml
sbom-${{ matrix.variant.name }}-*.spdx
sbom-${{ matrix.variant.name }}-*.txt
- retention-days: 90
+ retention-days: 7
release-notes:
name: ð Generate Release Notes
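Review bot: Cutting `retention-days` from 90 to 7 means the SBOM files uploaded by this step expire long before the images they describe, since the cleanup workflow in this same commit keeps 14 versioned tags. If these artifacts are the only stored copy, a later vulnerability triage or incident review of an older tag has no matching SBOM. The same applies to the Trivy report in `.github/workflows/validate.yml`, whose retention drops from 30 to 7 days. Whether the SBOMs are also attached to the GitHub release is not visible here; if they are, a comment such as `# short-lived copy; the release assets hold the permanent SBOMs` above `retention-days: 7` would record that, and if not, keep the longer retention for release builds. The upload step begins outside this hunk.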
@@ -478,7 +453,6 @@ jobs:
echo "âââââââââââââââââââââââââââââââââââââââââââââââ"
echo ""
- # Try to extract from CHANGELOG.md first
CHANGELOG_FOUND=0
if [ -f CHANGELOG.md ]; then
@@ -490,9 +464,10 @@ jobs:
p
' CHANGELOG.md > tmp_notes.txt
- sed -i '/^$/N;/^\n$/D' tmp_notes.txt 2>/dev/null || true
-
if [ -s tmp_notes.txt ]; then
+ sed -i '${/^---[[:space:]]*$/d;}' tmp_notes.txt
+ sed -i ':a; /^[ \n\r\t]*$/ { $d; N; ba }' tmp_notes.txt 2>/dev/null || true
+
echo "â
Found changelog section for v${VERSION} in CHANGELOG.md"
CHANGELOG_FOUND=1
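Review bot: The two added `sed` calls run in the wrong order for a section that ends with `---` followed by a blank line, which is how the entries in CHANGELOG.md are laid out in this commit. `sed -i '${/^---[[:space:]]*$/d;}'` removes the rule only when it is the very last line, so with a trailing blank line it matches nothing and the later whitespace trim leaves `---` at the end of the notes. Run the trailing-blank trim first, then the `---` removal, then the trim once more. The extraction command above is only partly visible in this hunk, so confirm against what it actually writes to `tmp_notes.txt`. The `2>/dev/null || true` on the trim also hides a sed syntax error, so consider dropping it or logging the failure.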
@@ -506,17 +481,14 @@ jobs:
echo "â ïļ CHANGELOG.md not found"
fi
- # Fall back to auto-generated notes from commits
if [ "$CHANGELOG_FOUND" = "0" ]; then
echo "ð Auto-generating release notes from commits..."
if [ -x scripts/release/generate-release-notes.sh ]; then
- # Use auto-generation script
chmod +x scripts/release/generate-release-notes.sh
./scripts/release/generate-release-notes.sh --format github "${VERSION}" > release_notes.md
echo "â
Auto-generated release notes from conventional commits"
else
- # Simple fallback
echo "## ð§
Tor Guard Relay v${VERSION}" > release_notes.md
echo "" >> release_notes.md
echo "### Changes" >> release_notes.md
@@ -529,7 +501,6 @@ jobs:
fi
fi
- # Append Docker images and SBOM info
echo "" >> release_notes.md
echo "---" >> release_notes.md
echo "" >> release_notes.md
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 0e68782..8507f57 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -508,7 +508,7 @@ jobs:
with:
name: trivy-security-report
path: trivy-full-report.json
- retention-days: 30
+ retention-days: 7
continue-on-error: true
- name: ð Generate Security Summary
diff --git a/.gitignore b/.gitignore
index 9b32c98..b7c3d97 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,21 +1,12 @@
-# Act secrets file
.secrets
-
-# Docker volumes
tor-data/
tor-logs/
-
-# IDE
.vscode/
.idea/
*.swp
*.swo
*~
-
-# OS
.DS_Store
Thumbs.db
-
-# Temporary files
*.tmp
*.log
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2dc9b86..a9840ac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,33 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
---
+## [1.1.4] - 2025-12-21
+
+### ðïļ Build Variants
+
+| Variant | Base Image | Tags | Registries | Notes |
+| :--- | :--- | :--- | :--- | :--- |
+| **ðĒ Stable** | Alpine 3.23.2 | `:latest`, `:1.1.4` | Docker Hub, GHCR | **Recommended** for production. |
+| **â ïļ Edge** | Alpine Edge | `:edge`, `:1.1.4-edge` | GHCR Only | Testing only; not for production. |
+
+### âïļ Changed (Refactor)
+* **Tor Configuration:** Modernized relay templates and hardened security defaults.
+* **Networking:** Disabled `DirPort` (set to `0`) across all relay types and compose templates.
+* **Metadata:** Updated `ContactInfo` to follow the `ciissversion:2` format.
+* **Policy Refinement:** Enhanced exit policies and security for Exit, Guard, and Bridge roles.
+* **Synchronization:** Unified configurations across `cosmos-compose` and `docker-compose`.
+
+### â Added
+* **Monitoring:** Integrated `nyx.config` for enhanced relay visualization.
+* **Performance:** Added support for **IPv6** and hardware acceleration.
+
+### ðïļ Removed
+* **Maintenance:** Updated retention policy to keep the last **7 releases** (14 tags) and purge legacy build artifacts.
+
+> **BREAKING CHANGES:** None.
+
+---
+
## [1.1.3] - 2025-12-05
### ⥠Optimization & Tooling Update
@@ -406,15 +433,16 @@ BREAKING CHANGES: None
| Version | Status | Support Level |
| --------- | --------------------- | ------------------------------------------- |
-| **1.1.3** | ðĒ ðĄïļ **Active** | Full support (current stable) |
-| **1.1.1** | ðĄ ð§ **Maintenance** | Security + critical fixes only |
-| **1.0.8** | ð â ïļ **Legacy** | Security patches only â upgrade recommended |
-| **1.0.9** | ðī â **EOL** | No support â upgrade immediately |
+| **1.1.4** | ðĒ ðĄïļ **Active** | Full support (current stable) |
+| **1.1.3** | ðĄ ð§ **Maintenance** | Security + critical fixes only |
+| **1.1.2** | ð â ïļ **Legacy** | Security patches only â upgrade recommended |
+| **< 1.1.2** | ðī â **EOL** | No support â upgrade immediately |
---
## ð Release Links
+[1.1.4]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.4
[1.1.3]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.3
[1.1.2]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.2
[1.1.1]: https://github.com/r3bo0tbx1/tor-guard-relay/releases/tag/v1.1.1
diff --git a/Dockerfile b/Dockerfile
index d75bd62..6091969 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -76,7 +76,6 @@ ENV TOR_DATA_DIR=/var/lib/tor \
TOR_NICKNAME="" \
TOR_CONTACT_INFO="" \
TOR_ORPORT=9001 \
- TOR_DIRPORT=9030 \
TOR_OBFS4_PORT=9002 \
TOR_BANDWIDTH_RATE="" \
TOR_BANDWIDTH_BURST="" \
@@ -87,7 +86,7 @@ RUN rm -rf /usr/share/man /tmp/* /var/tmp/* /root/.cache/*
USER tor
-EXPOSE 9001 9030 9002
+EXPOSE 9001 9002
HEALTHCHECK --interval=10m --timeout=15s --start-period=30s --retries=3 \
CMD /usr/local/bin/healthcheck.sh
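Review bot: The image no longer declares any value for `TOR_DIRPORT` (the `ENV` entry is removed in the preceding hunk), while README.md and SECURITY.md in this commit document it as defaulting to 0. Whether the DirPort actually ends up disabled then depends on how `docker-entrypoint.sh` handles an unset variable, and that script's config generation is not part of this diff. If it still falls back to 9030, the relay would listen on a port the documentation calls disabled. Setting it explicitly with `TOR_DIRPORT=0 \` in the `ENV` block would keep the image and the documentation in agreement. The same applies to the matching hunks in `Dockerfile.edge`.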
diff --git a/Dockerfile.edge b/Dockerfile.edge
index 0f864da..cd92f69 100644
--- a/Dockerfile.edge
+++ b/Dockerfile.edge
@@ -76,7 +76,6 @@ ENV TOR_DATA_DIR=/var/lib/tor \
TOR_NICKNAME="" \
TOR_CONTACT_INFO="" \
TOR_ORPORT=9001 \
- TOR_DIRPORT=9030 \
TOR_OBFS4_PORT=9002 \
TOR_BANDWIDTH_RATE="" \
TOR_BANDWIDTH_BURST="" \
@@ -87,7 +86,7 @@ RUN rm -rf /usr/share/man /tmp/* /var/tmp/* /root/.cache/*
USER tor
-EXPOSE 9001 9030 9002
+EXPOSE 9001 9002
HEALTHCHECK --interval=10m --timeout=15s --start-period=30s --retries=3 \
CMD /usr/local/bin/healthcheck.sh
diff --git a/README.md b/README.md
index f5a8fba..70a4cac 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,3 @@
-
@@ -14,13 +13,13 @@
**A hardened, production-ready Tor relay with built-in diagnostics and monitoring**
-[Quick Start](#-quick-start) âĒ [Features](#-key-features) âĒ [Documentation](#-documentation) âĒ [FAQ](docs/FAQ.md) âĒ [Architecture](docs/ARCHITECTURE.md) âĒ [Tools](#-diagnostic-tools) âĒ [Contributing](#-contributing)
+[Quick Start](#quick-start) âĒ [Features](#key-features) âĒ [Documentation](#documentation) âĒ [FAQ](docs/FAQ.md) âĒ [Architecture](docs/ARCHITECTURE.md) âĒ [Tools](#diagnostic-tools) âĒ [Contributing](#contributing)
-
+---
-â ð What is This?
+## ð What is This?
**Tor Guard Relay** is a production-ready, self-healing Tor relay container designed for privacy advocates who want to contribute to the Tor network securely and efficiently.
@@ -28,7 +27,7 @@
### Why Choose This Project?
-- ðĄïļ **Security-First** - Hardened Alpine Linux, non-root operation
+- ðĄïļ **Security-First** - Hardened Alpine Linux, non-root operation, and minimized port exposure
- ðŠķ **Very light** - Ultra-minimal 16.8 MB image
- ðŊ **Simple** - One command to deploy, minimal configuration needed
- ð **Observable** - 5 busybox-only diagnostic tools with JSON health API
@@ -37,29 +36,29 @@
- ð **Documented** - Comprehensive guides for deployment, monitoring, backup, and more
- ðïļ **Multi-Arch** - Native support for AMD64 and ARM64 (Raspberry Pi, AWS Graviton, etc.)
-
+---
-â ð Security Model
+## ð Security Model
-**Port Exposure Policy**
+### Port Exposure Policy
- **9001** ORPort, public
-- **9030** DirPort, public for guard and exit
+- **9030** DirPort, **Disabled (0)** by default in v1.1.4
- **9002** obfs4 for bridge mode
-**Environment Variables**
+### Environment Variables
- `TOR_ORPORT` default 9001
-- `TOR_DIRPORT` default 9030
+- `TOR_DIRPORT` default 0 (Disabled)
- `TOR_OBFS4_PORT` default 9002
Diagnostics are run only through `docker exec`, with no exposed monitoring ports.
Minimal surface area, roughly 16.8 MB.
-
+---
-â ⥠Quick Start
+## ⥠Quick Start
### System Requirements
@@ -77,7 +76,7 @@ Minimal surface area, roughly 16.8 MB.
### Network Security Notes
â ïļ **Port Exposure:**
-- **Guard/Middle/Exit:** Ports 9001 (ORPort) and 9030 (DirPort) should be publicly accessible
+- **Guard/Middle/Exit:** Port 9001 (ORPort) should be publicly accessible
- **Bridge:** Ports 9001 (ORPort) and 9002 (obfs4) should be publicly accessible
- **No monitoring ports** - all diagnostics via `docker exec` commands only
- Use `--network host` for best IPv6 support (Tor recommended practice)
@@ -109,7 +108,7 @@ curl -o relay.conf https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/r
nano relay.conf
```
-### **Step 2:** Run (Docker Hub)
+**Step 2:** Run (Docker Hub)
```bash
docker run -d \
@@ -123,7 +122,8 @@ docker run -d \
r3bo0tbx1/onion-relay:latest
```
-### **Step 3:** Verify it's running:
+**Step 3:** Verify it's running:
+
```bash
# Check status
docker exec tor-relay status
@@ -139,15 +139,15 @@ docker logs -f tor-relay
> ð **Need more?** See our comprehensive [Deployment Guide](docs/DEPLOYMENT.md) for Docker Compose, Cosmos Cloud, Portainer, and advanced setups.
-
+---
-â ðŊ Choosing a Variant
+## ðŊ Choosing a Variant
We offer **two build variants** to match your risk tolerance and requirements:
### Stable Variant (Recommended)
-**Base:** Alpine 3.23.0 | **Recommended for:** Production relays
+**Base:** Alpine 3.23.2 | **Recommended for:** Production relays
- â
Battle-tested Alpine stable release
- â
Weekly automated rebuilds with latest security patches
@@ -157,11 +157,11 @@ We offer **two build variants** to match your risk tolerance and requirements:
```bash
# Pull from Docker Hub (easiest)
docker pull r3bo0tbx1/onion-relay:latest
-docker pull r3bo0tbx1/onion-relay:1.1.3
+docker pull r3bo0tbx1/onion-relay:1.1.4
# Pull from GHCR
docker pull ghcr.io/r3bo0tbx1/onion-relay:latest
-docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.3
+docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.4
```
### Edge Variant (Testing Only)
@@ -180,7 +180,7 @@ docker pull r3bo0tbx1/onion-relay:edge
# Pull from GHCR
docker pull ghcr.io/r3bo0tbx1/onion-relay:edge
-docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.3-edge
+docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.4-edge
```
**When to use edge:**
@@ -195,16 +195,16 @@ docker pull ghcr.io/r3bo0tbx1/onion-relay:1.1.3-edge
|---------|--------|------|
| Production ready | â
Yes | â No |
| Breaking changes | â Rare | â ïļ Possible |
-| Security updates | Weekly | Weekly (newer packages) |
-| Package versions | Proven | Bleeding edge |
+| Security updates | Weekly | Every 3 days |
+| Package versions | 3.23.2 | Bleeding edge |
| Docker Hub | â
Yes | â
Yes |
| GHCR | â
Yes | â
Yes |
> ðĄ **Our recommendation:** Use **stable** for production relays, **edge** only for testing or when you specifically need the latest package versions.
-
+---
-â ðïļ Deployment Methods
+## ðïļ Deployment Methods
Choose the method that fits your workflow.
@@ -226,11 +226,11 @@ Running multiple relays? We have templates for that:
See [Deployment Guide](docs/DEPLOYMENT.md) for complete instructions.
-
+---
-â ð§ Diagnostic Tools
+## ð§ Diagnostic Tools
-Version >=v1.1.1 includes five busybox-only tools.
+Version >v1.1.1 includes five busybox-only tools.
| Tool | Purpose | Usage |
|------|---------|--------|
@@ -263,9 +263,9 @@ Example JSON:
> ð **Complete reference:** See [Tools Documentation](docs/TOOLS.md) for all 5 tools with examples, JSON schema, and integration guides.
-
+---
-â ð Monitoring and Observability
+## ð Monitoring and Observability
@@ -273,17 +273,17 @@ Example JSON:
-**>=v1.1.2 supports both real-time CLI monitoring and external observability** for minimal image size and maximum security.
+**>v1.1.2 supports both real-time CLI monitoring and external observability** for minimal image size and maximum security.
### Real-Time Monitoring (Nyx)
You can connect Nyx (formerly arm) to your relay securely using the Control Port.
-1. Generate credentials: docker exec tor-relay gen-auth
-2. Add the hash to your config.
-3. Connect via local socket or TCP.
+1. Generate credentials: `docker exec tor-relay gen-auth`
+2. Add the hash to your config
+3. Connect via local socket or TCP
-> ð Full Setup: See the [Control Port Guide](docs/CONTROL-PORT.md) for step-by-step Nyx configuration.
+> ð **Full Setup:** See the [Control Port Guide](docs/CONTROL-PORT.md) for step-by-step Nyx configuration.
### JSON Health API
@@ -324,9 +324,9 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
> ð **Complete guide:** See [Monitoring Documentation](docs/MONITORING.md) for Prometheus, Grafana, alert integration, and observability setup.
-
+---
-â ðŊ Key Features
+## ðŊ Key Features
### Security & Reliability
- â
Non-root execution (runs as `tor` user)
@@ -346,6 +346,7 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
- â
**Weekly security rebuilds** via GitHub Actions
- â
**Docker Compose templates** for single/multi-relay
- â
**Cosmos Cloud support** with one-click deploy
+- â
**Automated Maintenance:** Keeps last 7 releases in registry
### Developer Experience
- â
Comprehensive documentation (8 guides)
@@ -355,9 +356,9 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
- â
CI/CD validation and testing
- â
Multi-arch support (same command, any platform)
-
+---
-â ðžïļ Gallery
+## ðžïļ Gallery
| Cosmos Cloud Dashboard | Docker Logs (Bootstrapping) |
|:-----------------------:|:---------------------------:|
@@ -365,19 +366,18 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
| Relay Status Tool | Obfs4 Bridge Line |
|  |  |
+---
-
+## ð Documentation
-â ð Documentation
-
-**>=v1.1.1 includes comprehensive documentation** organized by topic:
+**>v1.1.1 includes comprehensive documentation** organized by topic:
### Getting Started
- **[FAQ](docs/FAQ.md)** - â **NEW!** Frequently asked questions with factual answers
- **[Quick Start Script](scripts/utilities/quick-start.sh)** - â **NEW!** Interactive relay deployment wizard
- **[Migration Assistant](scripts/migration/migrate-from-official.sh)** - â **NEW!** Automated migration from thetorproject/obfs4-bridge
- **[Deployment Guide](docs/DEPLOYMENT.md)** - âĻ **UPDATED!** Complete installation for Docker CLI, Compose, Cosmos Cloud, and Portainer
-- **[Migration Guide](docs/MIGRATION-V1.1.X.md)** - Upgrade to >=v1.1.1 or migrate from other Tor setups
+- **[Migration Guide](docs/MIGRATION-V1.1.X.md)** - Upgrade to > v1.1.1 or migrate from other Tor setups
### Technical Reference
- **[Architecture](docs/ARCHITECTURE.md)** - â **NEW!** Technical architecture with Mermaid diagrams
@@ -399,9 +399,9 @@ STATUS=$(echo "$HEALTH" | jq -r '.status')
> ðĄ **Tip:** Start with the [FAQ](docs/FAQ.md) for quick answers or [Documentation Index](docs/README.md) for complete navigation.
-
+---
-â ð ïļ Configuration
+## ð ïļ Configuration
### Minimal Configuration
@@ -436,9 +436,9 @@ Examples are found in the [`examples/`](examples/) directory for complete, annot
> ð **Configuration help:** See [Deployment Guide](docs/DEPLOYMENT.md#configuration) for complete reference.
-
+---
-â ð Monitoring Your Relay
+## ð Monitoring Your Relay
### Check Bootstrap Status
@@ -451,7 +451,6 @@ docker exec tor-relay health
# Parse specific field with jq (requires jq on host)
docker exec tor-relay health | jq .bootstrap
-```r exec tor-relay health | jq .bootstrap
```
### View on Tor Metrics
@@ -476,9 +475,9 @@ Search by:
> ð **Detailed monitoring:** See [Monitoring Guide](docs/MONITORING.md) for complete observability setup with Prometheus and Grafana.
-
+---
-â ð Troubleshooting
+## ð Troubleshooting
### Quick Diagnostics
@@ -510,9 +509,9 @@ docker exec tor-relay gen-auth
> ð **Full troubleshooting:** See [Tools Documentation](docs/TOOLS.md#troubleshooting) for detailed diagnostic procedures.
-
+---
-â ðĒ Architecture and Design
+## ðĒ Architecture and Design
> ð **NEW:** See the complete [Architecture Documentation](docs/ARCHITECTURE.md) for detailed technical design with Mermaid diagrams covering:
> - Container lifecycle and initialization flow (6 phases)
@@ -522,7 +521,7 @@ docker exec tor-relay gen-auth
> - Diagnostic tools architecture
> - Signal handling and graceful shutdown
-â ð Flowchart
+### Flowchart
```mermaid
flowchart TB
@@ -678,9 +677,9 @@ Verify what you got:
docker exec tor-relay cat /build-info.txt | grep Architecture
```
-
+---
-â ðĪ Contributing
+## ðĪ Contributing
Contributions are welcome.
@@ -707,19 +706,22 @@ docker run --rm tor-relay:dev status
See [Contributing Guide](CONTRIBUTING.md) for detailed instructions.
-
+---
-â ðĶ Templates and Examples
+## ðĶ Templates and Examples
All templates are in the [`templates/`](templates/) directory:
### Docker Compose
-- [docker-compose.yml](templates/docker-compose.yml) - Single relay
-- [docker-compose-multi-relay.yml](templates/docker-compose-multi-relay.yml) - 3 relays + monitoring
+- [docker-compose.yml](templates/docker-compose/docker-compose.yml) - Single relay
+- [docker-compose-multi-relay.yml](templates/docker-compose/docker-compose-multi-relay.yml) - 3 relays + monitoring
### Cosmos Cloud
-- [cosmos-compose.json](templates/cosmos-compose.json) - Single relay
-- [cosmos-compose-multi-relay.json](templates/cosmos-compose-multi-relay.json) - Multi-relay stack
+- [cosmos-compose.json](templates/cosmos-compose/cosmos-compose.json) - Single relay
+- [cosmos-compose-multi-relay.json](templates/cosmos-compose/cosmos-compose-multi-relay.json) - Multi-relay stack
+
+### Tor Exit Notice
+You can find them in [`templates/tor-exit-notice`](templates/tor-exit-notice) directory
### Monitoring
See [Monitoring Guide](docs/MONITORING.md) for external monitoring integration examples with Prometheus, Nagios, and other tools
@@ -727,9 +729,9 @@ See [Monitoring Guide](docs/MONITORING.md) for external monitoring integration e
### Configuration Examples
See [`examples/`](examples/) directory for relay configurations.
-
+---
-â ð Security
+## ð Security
### Best Practices
@@ -750,22 +752,22 @@ Images are automatically rebuilt on separate schedules to include security patch
**Stable Variant** (`:latest`)
- **Schedule:** Every Sunday at 18:30 UTC
-- **Includes:** Latest Tor + Alpine 3.23.0 updates
-- **Strategy:** Overwrites last release version (e.g., `:1.1.3`) with updated packages
-- **Tags Updated:** `:latest` and version tags (e.g., `:1.1.3`)
+- **Includes:** Latest Tor + Alpine 3.23.2 updates
+- **Strategy:** Overwrites last release version (e.g., `:1.1.4`) with updated packages
+- **Tags Updated:** `:latest` and version tags (e.g., `:1.1.4`)
**Edge Variant** (`:edge`)
- **Schedule:** Every 3 days at 12:00 UTC (independent schedule)
- **Includes:** Latest Tor + Alpine edge (bleeding-edge) updates
-- **Strategy:** Overwrites last release version (e.g., `:1.1.3-edge`) with updated packages
-- **Tags Updated:** `:edge` and version tags (e.g., `:1.1.3-edge`)
+- **Strategy:** Overwrites last release version (e.g., `:1.1.4-edge`) with updated packages
+- **Tags Updated:** `:edge` and version tags (e.g., `:1.1.4-edge`)
- **Frequency:** ~2-3x more frequent updates than stable
All images auto-published to Docker Hub and GitHub Container Registry
-
+---
-â ð Resources
+## ð Resources
### Container Registries
- ðģ [Docker Hub Repository](https://hub.docker.com/r/r3bo0tbx1/onion-relay)
@@ -781,11 +783,11 @@ All images auto-published to Docker Hub and GitHub Container Registry
- ð [Documentation](docs/README.md)
- ð [Issue Tracker](https://github.com/r3bo0tbx1/tor-guard-relay/issues)
- ðŽ [Discussions](https://github.com/r3bo0tbx1/tor-guard-relay/discussions)
-- ðĶ [Container Registry](https://github.com/r3bo0tbx1/tor-guard-relay/pkgs/container/onion-relay)
+- ðĶ [Container Registry](https://github.com/r3bo0tbx1/tor-guard-relay/pkgs/container/onion-relay)
-
+---
-â ð Project Status
+## ð Project Status
@@ -793,31 +795,31 @@ All images auto-published to Docker Hub and GitHub Container Registry


-**Current Version:** v1.1.3 âĒ **Status:** Production Ready
-**Image Size:** 16.8 MB âĒ **Rebuild:** Weekly
+**Current Version:** v1.1.4 âĒ **Status:** Production Ready
+**Image Size:** 16.8 MB âĒ **Retention:** Last 7 Releases
**Registries:** Docker Hub âĒ GHCR
-
+---
-â ð License
+## ð License
Project is licensed under the MIT License.
See [License](LICENSE.txt) for full details.
-
+---
-â ð Acknowledgments
+## ð Acknowledgments
- **The Tor Project** for maintaining the global privacy network
- **Alpine Linux** for a minimal and secure base image
- **azukaar** for Cosmos Cloud
- **All relay operators** supporting privacy and anti-censorship worldwide
-
+---
-â ð Support the Project
+## ð Support the Project
This project is open source. Your support helps sustainability and improvements.
@@ -843,9 +845,9 @@ Or via **[AnonPay](https://trocador.app/anonpay?ticker_to=xmr&network_to=Mainnet
- ðĪ Submit patches
- ð§
Run a relay
-
+---
-â â Star History
+## â Star History
@@ -859,11 +861,11 @@ Or via **[AnonPay](https://trocador.app/anonpay?ticker_to=xmr&network_to=Mainnet
-
+---
-
Made with ð for a freer, uncensored internet
+### Made with ð for a freer, uncensored internet
*Protecting privacy, one relay at a time* ðð§
âĻ
@@ -873,5 +875,4 @@ Or via **[AnonPay](https://trocador.app/anonpay?ticker_to=xmr&network_to=Mainnet
ð [Documentation](docs/README.md)
⎠[Back to top](#readme-top)
-
-
+
\ No newline at end of file
diff --git a/SECURITY.md b/SECURITY.md
index 2e97f18..f432d8e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -14,10 +14,10 @@ We actively support the following versions with security updates:
| Version | Status | Support Level |
| --------- | --------------------- | ------------------------------------------- |
-| **>=1.1.2** | ðĒ ðĄïļ **Active** | Full support (current stable) |
-| **1.1.1** | ðĄ ð§ **Maintenance** | Security + critical fixes only |
-| **1.0.9** | ð â ïļ **Legacy** | Security patches only â upgrade recommended |
-| **1.0.8** | ðī â **EOL** | No support â upgrade immediately |
+| **1.1.4** | ðĒ ðĄïļ **Active** | Full support (current stable) |
+| **1.1.3** | ðĄ ð§ **Maintenance** | Security + critical fixes only |
+| **1.1.2** | ð â ïļ **Legacy** | Security patches only â upgrade recommended |
+| **< 1.1.1** | ðī â **EOL** | No support â upgrade immediately |
---
@@ -25,7 +25,7 @@ We actively support the following versions with security updates:
### Ultra-Minimal Port Exposure
-**>=v1.1.1 follows an ultra-minimal security architecture:**
+**> v1.1.1 follows an ultra-minimal security architecture:**
- â
**NO monitoring HTTP endpoints** - Removed for maximum security
- â
**NO exposed metrics ports** - All monitoring via `docker exec` only
@@ -40,14 +40,14 @@ We actively support the following versions with security updates:
```
PUBLIC PORTS:
TOR_ORPORT (default: 9001) â Tor ORPort (relay traffic)
- TOR_DIRPORT (default: 9030) â Directory service (optional, set to 0 to disable)
+ TOR_DIRPORT â Directory service (optional, disabled by default)
```
#### Exit Relay Mode:
```
PUBLIC PORTS:
TOR_ORPORT (default: 9001) â Tor ORPort (relay traffic)
- TOR_DIRPORT (default: 9030) â Directory service (optional, set to 0 to disable)
+ TOR_DIRPORT â Directory service (optional, disabled by default)
```
#### Bridge Relay Mode:
@@ -659,4 +659,4 @@ Security researchers who responsibly disclose vulnerabilities will be listed her
---
-*Last Updated: 2025-12-05 | Version: 1.1.3*
+*Last Updated: 2025-12-21 | Version: 1.1.4*
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index c3ce671..3429a3a 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -50,7 +50,7 @@ cleanup_and_exit() {
startup_banner() {
log "ââââââââââââââââââââââââââââââââââââââââââââââ"
- log "ð§
Tor Guard Relay v1.1.3 - Initialization"
+ log "ð§
Tor Guard Relay v1.1.4 - Initialization"
log "https://github.com/r3bo0tbx1/tor-guard-relay"
log "ââââââââââââââââââââââââââââââââââââââââââââââ"
log ""
diff --git a/examples/nyx.config b/examples/nyx.config
new file mode 100644
index 0000000..244bf39
--- /dev/null
+++ b/examples/nyx.config
@@ -0,0 +1,23 @@
+show_bits true
+confirm_quit true
+color_interface true
+redraw_rate 2
+connection_rate 5
+resource_rate 5
+logged_events NOTICE
+deduplicate_log true
+prepopulate_log true
+max_log_size 1000
+graph_stat bandwidth
+graph_interval 5 seconds
+graph_bound local_max
+graph_height 10
+connection_order CATEGORY, UPTIME, IP_ADDRESS
+resolve_processes true
+show_addresses true
+show_graph true
+show_accounting true
+show_log true
+show_connections true
+show_config true
+show_torrc true
\ No newline at end of file
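Review bot: `show_addresses true` ships without any comment, and if the option does what its name suggests, the connection panel will display peer IP addresses in full. On a guard or bridge those peers include clients, so a shared terminal session, screenshot or screen recording of nyx can expose them. I would either default the example to `show_addresses false` or put a comment line above it, for example `# peer IPs are shown in the connection panel; set to false before sharing screenshots or recordings`. The same applies to `resolve_processes true`, which adds local process names to that view.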
diff --git a/examples/relay-bridge.conf b/examples/relay-bridge.conf
index 195cdc3..9e0c91b 100644
--- a/examples/relay-bridge.conf
+++ b/examples/relay-bridge.conf
@@ -1,24 +1,28 @@
-Nickname MyTorBridge
-ContactInfo your-email@example.com <0xYOUR_PGP_FINGERPRINT>
+Nickname ShinobiKage
+ContactInfo email:your-email[]example.com pgp:YOUR_PGP_FINGERPRINT ciissversion:2
+Address YOUR.IPV4.IP.ADDRESS
+ORPort 24819 IPv4Only
+ORPort [YOUR:IPV6:IP:ADDRESS::]:24819
BridgeRelay 1
-ORPort 24819
-ORPort [::]:24819
+PublishServerDescriptor bridge
+BridgeDistribution any
+AssumeReachable 1
+ExtORPort auto
+AddressDisableIPv6 0
ServerTransportPlugin obfs4 exec /usr/bin/lyrebird
ServerTransportListenAddr obfs4 0.0.0.0:443
-ServerTransportListenAddr obfs4 [::]:443
-ExtORPort auto
-PublishServerDescriptor bridge
+NumCPUs 1
+MaxMemInQueues 256 MB
+AvoidDiskWrites 1
+RunAsDaemon 0
+RelayBandwidthRate 75 KBytes
+RelayBandwidthBurst 1 MBytes
+HardwareAccel 1
DataDirectory /var/lib/tor
-Log notice file /var/log/tor/notices.log
+Log notice file /var/log/tor/bridge_log
Log notice stdout
ControlPort 0
-ControlSocket /var/lib/tor/control_socket
+ControlSocket /var/lib/tor/control_socket_bridge
ControlSocketsGroupWritable 1
#HashedControlPassword 16:YOUR_HASHED_PASSWORD_HERE
-SocksPort 0
-RelayBandwidthRate 20 MBytes
-RelayBandwidthBurst 40 MBytes
-NumCPUs 1
-MaxMemInQueues 512 MB
-AvoidDiskWrites 1
-DisableDebuggerAttachment 1
\ No newline at end of file
+SocksPort 0
\ No newline at end of file
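Review bot: `AssumeReachable 1` on the new side turns off tor's ORPort self-reachability test, so the bridge uploads its descriptor without confirming that port 24819 can be reached from outside. The tor manual describes this option as intended for bootstrapping a new Tor network, not for public relays. Combined with `BridgeDistribution any`, a bridge behind a misconfigured firewall or NAT would still be handed out to users who cannot connect to it, and the operator gets no reachability warning in the log. I would drop the line from the example, or leave it disabled with the reason stated on the line above: `# testing networks only: skips the ORPort self-test` followed by `#AssumeReachable 1`.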
diff --git a/examples/relay-exit.conf b/examples/relay-exit.conf
index 77d4176..ea1064f 100644
--- a/examples/relay-exit.conf
+++ b/examples/relay-exit.conf
@@ -1,98 +1,59 @@
Nickname MyTorExitRelay
-ContactInfo your-email@example.com <0xYOUR_PGP_FINGERPRINT>
-ORPort 9001
-ORPort [::]:9001
-DirPort 9030
+ContactInfo email:your-email[]example.com pgp:YOUR_PGP_FINGERPRINT ciissversion:2
+Address YOUR.IPV4.IP.ADDRESS
+ORPort 9001 IPv4Only
+ORPort [YOUR:IPV6:IP:ADDRESS::]:9001
+DirPort 0
ExitRelay 1
IPv6Exit 1
+PublishServerDescriptor 1
RelayBandwidthRate 10 MBytes
RelayBandwidthBurst 20 MBytes
NumCPUs 1
MaxMemInQueues 1024 MB
-DisableDebuggerAttachment 1
AvoidDiskWrites 1
+DisableDebuggerAttachment 1
DataDirectory /var/lib/tor
+HardwareAccel 1
+Sandbox 1
+SafeLogging 1
+NoExec 1
+ExitPolicy reject VPS.DNS.IP.ADDRESS:*
+ExitPolicy reject VPS.DNS.IP.ADDRESS:*
+ExitPolicy reject VPS.DNS.IP.ADDRESS:*
+ExitPolicy reject VPS.DNS.IP.ADDRESS:*
+ExitPolicy reject [VPS:DNS:IP:ADDRESS::1]:*
+ExitPolicy reject [VPS:DNS:IP:ADDRESS::2]:*
+ExitPolicy reject [VPS:DNS:IP:ADDRESS::3]:*
+ExitPolicy reject [VPS:DNS:IP:ADDRESS::4]:*
+ExitPolicy reject 0.0.0.0/8:*
+ExitPolicy reject 169.254.0.0/16:*
+ExitPolicy reject 127.0.0.0/8:*
+ExitPolicy reject 192.168.0.0/16:*
+ExitPolicy reject 10.0.0.0/8:*
+ExitPolicy reject 172.16.0.0/12:*
+ExitPolicy reject YOUR.IPV4.IP.ADDRESS:*
+ExitPolicy reject [YOUR:IPV6:IP:ADDRESS::]:*
+ExitPolicy accept *:20-21
+ExitPolicy accept *:43
+ExitPolicy accept *:53
+ExitPolicy accept *:80-81
+ExitPolicy accept *:443
+ExitPolicy accept *:5222-5223
+ExitPolicy accept *:6667-7000
+ExitPolicy accept *:8008
+ExitPolicy accept *:8082
+ExitPolicy accept *:8332-8333
+ExitPolicy accept *:8888
+ExitPolicy accept *:9418
+ExitPolicy accept *:18080-18081
+ExitPolicy accept *:50002
+ExitPolicy accept *:64738
+ExitPolicy reject *:*
Log notice file /var/log/tor/notices.log
Log notice stdout
ControlPort 0
ControlSocket /var/lib/tor/control_socket
ControlSocketsGroupWritable 1
#HashedControlPassword 16:YOUR_HASHED_PASSWORD_HERE
-SocksPort 0
-ExitPolicy accept *:20-21
-ExitPolicy accept *:22
-ExitPolicy accept *:43
-ExitPolicy accept *:53
-ExitPolicy accept *:79-81
-ExitPolicy accept *:88
-ExitPolicy accept *:110
-ExitPolicy accept *:143
-ExitPolicy accept *:194
-ExitPolicy accept *:220
-ExitPolicy accept *:389
-ExitPolicy accept *:443
-ExitPolicy accept *:464
-ExitPolicy accept *:465
-ExitPolicy accept *:531
-ExitPolicy accept *:543-544
-ExitPolicy accept *:554
-ExitPolicy accept *:563
-ExitPolicy accept *:587
-ExitPolicy accept *:636
-ExitPolicy accept *:706
-ExitPolicy accept *:749
-ExitPolicy accept *:873
-ExitPolicy accept *:902-904
-ExitPolicy accept *:981
-ExitPolicy accept *:989-990
-ExitPolicy accept *:991
-ExitPolicy accept *:992
-ExitPolicy accept *:993
-ExitPolicy accept *:994
-ExitPolicy accept *:995
-ExitPolicy accept *:1194
-ExitPolicy accept *:1220
-ExitPolicy accept *:1293
-ExitPolicy accept *:1500
-ExitPolicy accept *:1533
-ExitPolicy accept *:1677
-ExitPolicy accept *:1723
-ExitPolicy accept *:1755
-ExitPolicy accept *:1863
-ExitPolicy accept *:2082
-ExitPolicy accept *:2083
-ExitPolicy accept *:2086-2087
-ExitPolicy accept *:2095-2096
-ExitPolicy accept *:2102-2104
-ExitPolicy accept *:3128
-ExitPolicy accept *:3389
-ExitPolicy accept *:3690
-ExitPolicy accept *:4321
-ExitPolicy accept *:4643
-ExitPolicy accept *:5050
-ExitPolicy accept *:5190
-ExitPolicy accept *:5222-5223
-ExitPolicy accept *:5228
-ExitPolicy accept *:5900
-ExitPolicy accept *:6660-6669
-ExitPolicy accept *:6679
-ExitPolicy accept *:6697
-ExitPolicy accept *:8000
-ExitPolicy accept *:8008
-ExitPolicy accept *:8074
-ExitPolicy accept *:8080
-ExitPolicy accept *:8082
-ExitPolicy accept *:8087-8088
-ExitPolicy accept *:8232-8233
-ExitPolicy accept *:8332-8333
-ExitPolicy accept *:8443
-ExitPolicy accept *:8888
-ExitPolicy accept *:9418
-ExitPolicy accept *:9999
-ExitPolicy accept *:10000
-ExitPolicy accept *:11371
-ExitPolicy accept *:19294
-ExitPolicy accept *:19638
-ExitPolicy accept *:50002
-ExitPolicy accept *:64738
-ExitPolicy reject *:*
\ No newline at end of file
+SocksPort 0
\ No newline at end of file
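Review bot: `ExitPolicy accept *:6667-7000` is much wider than the three IRC entries it replaces (`6660-6669`, `6679`, `6697`). The new span takes in 6881-6999, which BitTorrent clients commonly use and which is a frequent source of abuse complaints for exit operators, while 6660-6666 is no longer accepted at all. If the intent was only to keep IRC, restore the narrow entries: `ExitPolicy accept *:6660-6669`, `ExitPolicy accept *:6679`, `ExitPolicy accept *:6697`. If the wide range is deliberate, a comment above it naming the services it is meant to cover would help operators decide whether to keep it.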
diff --git a/examples/relay-guard.conf b/examples/relay-guard.conf
index 58e5a7c..2cd4a3b 100644
--- a/examples/relay-guard.conf
+++ b/examples/relay-guard.conf
@@ -1,16 +1,22 @@
Nickname MyTorGuardRelay
-ContactInfo your-email@example.com <0xYOUR_PGP_FINGERPRINT>
-ORPort 9001
-ORPort [::]:9001
-DirPort 9030
+ContactInfo email:your-email[]example.com pgp:YOUR_PGP_FINGERPRINT ciissversion:2
+Address YOUR.IPV4.IP.ADDRESS
+ORPort 9001 IPv4Only
+ORPort [YOUR:IPV6:IP:ADDRESS::]:9001
+DirPort 0
ExitRelay 0
+IPv6Exit 0
ExitPolicy reject *:*
-RelayBandwidthRate 10 MBytes
-RelayBandwidthBurst 20 MBytes
+PublishServerDescriptor 1
NumCPUs 1
MaxMemInQueues 1024 MB
-DisableDebuggerAttachment 1
AvoidDiskWrites 1
+DisableDebuggerAttachment 1
+RelayBandwidthRate 10 MBytes
+RelayBandwidthBurst 20 MBytes
+HardwareAccel 1
+Sandbox 1
+SafeLogging 1
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log
Log notice stdout
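Review bot: The hardening options added here are `Sandbox 1` and `SafeLogging 1`, but `NoExec 1`, which the same commit adds to examples/relay-exit.conf, is missing. Nothing visible in this hunk launches a helper process (no `ServerTransportPlugin`), so the guard example looks like it could carry the same setting; the file continues past the end of the hunk, so this should be checked against the remaining lines. I would add `NoExec 1` after `SafeLogging 1` so the two non-bridge examples stay aligned. A comment above `Sandbox 1` noting that it needs a tor build with seccomp support would also spare operators a start-up failure on images that lack it.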
diff --git a/templates/README.md b/templates/README.md
index ce91023..631aee6 100644
--- a/templates/README.md
+++ b/templates/README.md
@@ -65,7 +65,7 @@ TOR_CONTACT_INFO=admin@example.com # Contact email
# Ports (configurable)
TOR_ORPORT=9001 # ORPort for relay traffic (default: 9001)
-TOR_DIRPORT=9030 # DirPort for guard/exit only (default: 9030, set to 0 to disable)
+TOR_DIRPORT= # DirPort for guard/exit only (default: 0)
TOR_OBFS4_PORT=9002 # obfs4 port for bridge mode (default: 9002)
# Bandwidth (optional)
@@ -179,14 +179,14 @@ For advanced torrc options (like `AddressDisableIPv6`, `MaxMemInQueues`, etc.):
Both work identically, choose based on your preference or migration needs.
-### Q: Why is TOR_DIRPORT set in Dockerfile when bridges don't use it?
+~~Q: Why is TOR_DIRPORT set in Dockerfile when bridges don't use it?~~
-**A:** TOR_DIRPORT=9030 is a **Dockerfile default** for guard/exit modes. The entrypoint **DOES NOT** add DirPort to bridge configurations (see `docker-entrypoint.sh` lines 276-290). Bridges only use ORPort and obfs4 port.
+~~**A:** TOR_DIRPORT=9030 is a **Dockerfile default** for guard/exit modes. The entrypoint **DOES NOT** add DirPort to bridge configurations (see `docker-entrypoint.sh` lines 276-290). Bridges only use ORPort and obfs4 port.~~
**Port usage by mode:**
-- **Guard/Middle:** TOR_ORPORT (required), TOR_DIRPORT (optional, set to 0 to disable)
-- **Exit:** TOR_ORPORT (required), TOR_DIRPORT (optional)
-- **Bridge:** TOR_ORPORT (required), TOR_OBFS4_PORT (required), TOR_DIRPORT (ignored/not used)
+- **Guard/Middle:** TOR_ORPORT (required), TOR_DIRPORT (optional, default = 0)
+- **Exit:** TOR_ORPORT (required), TOR_DIRPORT (optional, default = 0)
+- **Bridge:** TOR_ORPORT (required), TOR_OBFS4_PORT (required), TOR_DIRPORT (ignored/default = 0)
### Q: Why does TOR_RELAY_MODE say "guard" in logs when I set PT_PORT?
@@ -297,6 +297,6 @@ If you still see this error after updating to v1.1.1:
---
-**Version:** 1.1.3
-**Last Updated:** 2025-12-06
+**Version:** 1.1.4
+**Last Updated:** 2025-12-21
**Maintainer:** rE-Bo0t.bx1
diff --git a/templates/cosmos-compose/cosmos-bind-config-guard-relay.json b/templates/cosmos-compose/cosmos-bind-config-guard-relay.json
index 8a478a7..e817123 100644
--- a/templates/cosmos-compose/cosmos-bind-config-guard-relay.json
+++ b/templates/cosmos-compose/cosmos-bind-config-guard-relay.json
@@ -46,7 +46,7 @@
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/onion.png",
"cosmos-stack": "TorGuardRelay",
"cosmos-stack-main": "TorGuardRelay",
- "cosmos-version": "1.1.3",
+ "cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 "
}
}
diff --git a/templates/cosmos-compose/cosmos-bind-confing-bridge.json b/templates/cosmos-compose/cosmos-bind-confing-bridge.json
index 5e4f537..e968570 100644
--- a/templates/cosmos-compose/cosmos-bind-confing-bridge.json
+++ b/templates/cosmos-compose/cosmos-bind-confing-bridge.json
@@ -46,7 +46,7 @@
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/obfs4.png",
"cosmos-stack": "OBFS4-Bridge",
"cosmos-stack-main": "OBFS4-Bridge",
- "cosmos-version": "1.1.3",
+ "cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 "
}
}
diff --git a/templates/cosmos-compose/cosmos-compose-bridge-official.json b/templates/cosmos-compose/cosmos-compose-bridge-official.json
index ec0b64e..bcf8b9f 100644
--- a/templates/cosmos-compose/cosmos-compose-bridge-official.json
+++ b/templates/cosmos-compose/cosmos-compose-bridge-official.json
@@ -52,7 +52,7 @@
"cosmos-stack-main": "OBFS4-Bridge",
"cosmos-description": "ð Tor obfs4 Bridge - Drop-in replacement for thetorproject/obfs4-bridge",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/obfs4.png",
- "cosmos-version": "1.1.3",
+ "cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 "
}
}
diff --git a/templates/cosmos-compose/cosmos-compose-bridge.json b/templates/cosmos-compose/cosmos-compose-bridge.json
index 9f570b3..6638e67 100644
--- a/templates/cosmos-compose/cosmos-compose-bridge.json
+++ b/templates/cosmos-compose/cosmos-compose-bridge.json
@@ -54,7 +54,7 @@
"cosmos-description": "ð§
Tor obfs4 Bridge - ENV-based config",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/obfs4.png",
"cosmos-force-network-secured": "false",
- "cosmos-version": "1.1.3"
+ "cosmos-version": "1.1.4"
}
}
},
diff --git a/templates/cosmos-compose/cosmos-compose-exit.json b/templates/cosmos-compose/cosmos-compose-exit.json
index f3a116a..a953df7 100644
--- a/templates/cosmos-compose/cosmos-compose-exit.json
+++ b/templates/cosmos-compose/cosmos-compose-exit.json
@@ -9,9 +9,9 @@
"environment": [
"TOR_RELAY_MODE=exit",
"TOR_NICKNAME=MyExitRelay",
- "TOR_CONTACT_INFO=admin@example.com <0xYOUR_PGP_KEY>",
+ "TOR_CONTACT_INFO=admin@example.com",
"TOR_ORPORT=9001",
- "TOR_DIRPORT=9030",
+ "TOR_DIRPORT=0",
"TOR_BANDWIDTH_RATE=50 MBytes",
"TOR_BANDWIDTH_BURST=100 MBytes",
"TOR_EXIT_POLICY=accept *:80,accept *:443,reject *:*"
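Review bot: The new `"TOR_CONTACT_INFO=admin@example.com"` drops the PGP placeholder but does not adopt the `email:… pgp:… ciissversion:2` form this commit introduces in examples/relay-exit.conf, so the Cosmos template and the torrc example now show different ContactInfo conventions. The docker-compose-exit.yml and docker-compose-guard-env.yml hunks still carry `your-email@example.com <0xYOUR_PGP_KEY>` as unchanged context, which makes a third variant. ContactInfo is published with the relay descriptor, so a plain address in a copy-paste template is easy to harvest. Assuming the entrypoint passes the value through unchanged, I would use `"TOR_CONTACT_INFO=email:your-email[]example.com pgp:YOUR_PGP_FINGERPRINT ciissversion:2"` here and in the compose templates.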
@@ -58,7 +58,7 @@
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/exit.png",
"cosmos-auto-update": "true",
"cosmos-force-network-secured": "false",
- "cosmos-version": "1.1.3"
+ "cosmos-version": "1.1.4"
}
}
},
diff --git a/templates/cosmos-compose/cosmos-compose-guard.json b/templates/cosmos-compose/cosmos-compose-guard.json
index e5f1635..e8cea23 100644
--- a/templates/cosmos-compose/cosmos-compose-guard.json
+++ b/templates/cosmos-compose/cosmos-compose-guard.json
@@ -11,7 +11,7 @@
"TOR_NICKNAME=MyGuardRelay",
"TOR_CONTACT_INFO=admin@example.com",
"TOR_ORPORT=9001",
- "TOR_DIRPORT=9030",
+ "TOR_DIRPORT=0",
"TOR_BANDWIDTH_RATE=50 MBytes",
"TOR_BANDWIDTH_BURST=100 MBytes"
],
@@ -56,7 +56,7 @@
"cosmos-description": "ðĄïļ Tor Guard Relay | ENV-based config",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/refs/heads/main/src/onion.png",
"cosmos-force-network-secured": "false",
- "cosmos-version": "1.1.3"
+ "cosmos-version": "1.1.4"
}
}
},
diff --git a/templates/cosmos-compose/cosmos-compose-multi-relay.json b/templates/cosmos-compose/cosmos-compose-multi-relay.json
index bd8a412..9d889e2 100644
--- a/templates/cosmos-compose/cosmos-compose-multi-relay.json
+++ b/templates/cosmos-compose/cosmos-compose-multi-relay.json
@@ -56,7 +56,7 @@
"cosmos-description": "ðĄïļ Multi Tor Guard Relay - 1",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/main/src/onion.png",
"cosmos-force-network-secured": "false",
- "cosmos-version": "1.1.3",
+ "cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 "
}
},
@@ -114,7 +114,7 @@
"cosmos-description": "ðĄïļ Multi Tor Guard Relay - 2",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/main/src/onion.png",
"cosmos-force-network-secured": "false",
- "cosmos-version": "1.1.3",
+ "cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 "
}
},
@@ -172,7 +172,7 @@
"cosmos-description": "ðĄïļ Multi Tor Guard Relay - 3",
"cosmos-icon": "https://raw.githubusercontent.com/r3bo0tbx1/tor-guard-relay/main/src/onion.png",
"cosmos-force-network-secured": "false",
- "cosmos-version": "1.1.3",
+ "cosmos-version": "1.1.4",
"maintainer": "rE-Bo0t.bx1 "
}
}
diff --git a/templates/docker-compose/docker-compose-bridge-official.yml b/templates/docker-compose/docker-compose-bridge-official.yml
index b095db6..9eeb085 100644
--- a/templates/docker-compose/docker-compose-bridge-official.yml
+++ b/templates/docker-compose/docker-compose-bridge-official.yml
@@ -41,7 +41,7 @@ services:
labels:
com.centurylinklabs.watchtower.enable: "true"
description: "Tor obfs4 Bridge - Drop-in replacement for thetorproject/obfs4-bridge"
- version: "1.1.3"
+ version: "1.1.4"
maintainer: "rE-Bo0t.bx1 "
volumes:
diff --git a/templates/docker-compose/docker-compose-bridge.yml b/templates/docker-compose/docker-compose-bridge.yml
index b705e6c..2af87a8 100644
--- a/templates/docker-compose/docker-compose-bridge.yml
+++ b/templates/docker-compose/docker-compose-bridge.yml
@@ -36,7 +36,7 @@ services:
labels:
com.centurylinklabs.watchtower.enable: "true"
description: "Tor obfs4 Bridge"
- version: "1.1.3"
+ version: "1.1.4"
maintainer: "rE-Bo0t.bx1 "
volumes:
diff --git a/templates/docker-compose/docker-compose-exit.yml b/templates/docker-compose/docker-compose-exit.yml
index aa34208..3ac5bba 100644
--- a/templates/docker-compose/docker-compose-exit.yml
+++ b/templates/docker-compose/docker-compose-exit.yml
@@ -11,7 +11,7 @@ services:
TOR_NICKNAME: MyExitRelay
TOR_CONTACT_INFO: "your-email@example.com <0xYOUR_PGP_KEY>"
TOR_ORPORT: 9001
- TOR_DIRPORT: 9030
+ TOR_DIRPORT: 0
TOR_BANDWIDTH_RATE: "50 MBytes"
TOR_BANDWIDTH_BURST: "100 MBytes"
TOR_EXIT_POLICY: "accept *:20-23,accept *:43,accept *:53,accept *:79-81,accept *:88,accept *:110,accept *:143,accept *:194,accept *:220,accept *:389,accept *:443,accept *:464,accept *:465,accept *:531,accept *:543-544,accept *:554,accept *:563,accept *:636,accept *:706,accept *:749,accept *:873,accept *:902-904,accept *:981,accept *:989-995,accept *:1194,accept *:1220,accept *:1293,accept *:1500,accept *:1533,accept *:1677,accept *:1723,accept *:1755,accept *:1863,accept *:2082,accept *:2083,accept *:2086-2087,accept *:2095-2096,accept *:2102-2104,accept *:3128,accept *:3389,accept *:3690,accept *:4321,accept *:4643,accept *:5050,accept *:5190,accept *:5222-5223,accept *:5228,accept *:5900,accept *:6660-6669,accept *:6679,accept *:6697,accept *:8000,accept *:8008,accept *:8074,accept *:8080,accept *:8082,accept *:8087-8088,accept *:8232-8233,accept *:8332-8333,accept *:8443,accept *:8888,accept *:9418,accept *:9999,accept *:10000,accept *:11371,accept *:19294,accept *:19638,accept *:50002,accept *:64738,reject *:*"
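Review bot: The `TOR_EXIT_POLICY` string left as unchanged context in this hunk still accepts `*:20-23`, `*:3389` and `*:5900` (Telnet/SSH, RDP, VNC), all of which examples/relay-exit.conf stops accepting in this same commit. Anyone deploying from the compose template therefore gets the broad policy and the abuse-report exposure that the torrc example appears to have been trimmed to avoid. The commit description says the templates are being aligned, so I would replace this value with the reduced list from relay-exit.conf. cosmos-compose-exit.json already uses the much narrower `accept *:80,accept *:443,reject *:*`, so the three exit examples currently disagree.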
@@ -37,7 +37,7 @@ services:
labels:
com.centurylinklabs.watchtower.enable: "true"
description: "Tor Exit Relay"
- version: "1.1.3"
+ version: "1.1.4"
maintainer: "rE-Bo0t.bx1 "
volumes:
diff --git a/templates/docker-compose/docker-compose-guard-env.yml b/templates/docker-compose/docker-compose-guard-env.yml
index d387265..d49b430 100644
--- a/templates/docker-compose/docker-compose-guard-env.yml
+++ b/templates/docker-compose/docker-compose-guard-env.yml
@@ -11,7 +11,7 @@ services:
TOR_NICKNAME: MyGuardRelay
TOR_CONTACT_INFO: "your-email@example.com <0xYOUR_PGP_KEY>"
TOR_ORPORT: 9001
- TOR_DIRPORT: 9030
+ TOR_DIRPORT: 0
TOR_BANDWIDTH_RATE: "50 MBytes"
TOR_BANDWIDTH_BURST: "100 MBytes"
volumes: