This update refines the Tor relay configuration and build process:
- Security: Disables DirPort and adopts ciissversion:2 for ContactInfo.
- Performance: Adds IPv6 support and hardware acceleration options.
- Builds: Establishes Stable vs. Edge variants for better testing cycles.
- Tooling: Integrates nyx.config and cleans up legacy tags.
- Sync: Aligns cosmos-compose and docker-compose templates.
- Update retention policy: Keep last 7 versions
No breaking changes introduced.
- Updates the trap command to use 'TERM/INT' instead of 'SIGTERM/SIGINT'. The 'SIG' prefix is undefined in POSIX sh (ShellCheck SC3048), which could prevent graceful shutdown in environments using dash/ash.
Major refactor of Docker Compose configurations and tooling enhancements.
- ✨ Add `gen-auth` script for generating Tor Control Port credentials
- 🐳 Refactor Docker Compose templates:
- Add native healthcheck configurations to all relay/bridge files
- Standardize security capabilities (drop ALL, add SETUID/SETGID)
- Remove verbose comments to streamline template usage
- Update volume definitions for better data persistence
- 🔧 Update base dependencies:
- Alpine Linux -> 3.23.0
- Golang -> 1.25.5-alpine
- 🧹 Standardize ENV variable names across all configurations
Recent Alpine base images introduce a 'klogd' user at UID 100, which forced
the 'tor' package to install as UID 101. This caused "Permission denied"
errors for existing data volumes owned by UID 100.
This fix:
- Removes the conflicting 'klogd' user
- Manually creates the 'tor' user with fixed UID 100 / GID 101
- Ensures compatibility with existing persistent volumes
This commit addresses high-severity vulnerabilities detected by Docker Scout in both the Lyrebird binary and the Alpine base image.
Changes:
- Lyrebird: Implemented a multi-stage build using golang:1.24-alpine. This compiles Lyrebird from source to resolve "baked-in" Go runtime and dependency vulnerabilities (stdlib, crypto, pion) found in the upstream Alpine package.
- Base OS: Added apk upgrade --no-cache to force the installation of the latest system libraries, patching active CVEs in musl and openssl.
Resolves: CVE-2025-9230 (openssl), CVE-2025-26519 (musl), and multiple Go runtime CVEs.
This commit addresses high-severity vulnerabilities detected by Docker Scout in both the Lyrebird binary and the Alpine base image.
Changes:
- Lyrebird: Implemented a multi-stage build using golang:1.24-alpine. This compiles Lyrebird from source to resolve "baked-in" Go runtime and dependency vulnerabilities (stdlib, crypto, pion) found in the upstream Alpine package.
- Base OS: Added apk upgrade --no-cache to force the installation of the latest system libraries, patching active CVEs in musl and openssl.
Resolves: CVE-2025-9230 (openssl), CVE-2025-26519 (musl), and multiple Go runtime CVEs.
- Implements multi-stage build in `Dockerfile` and `Dockerfile.edge` using `golang:1.24-alpine` to compile `lyrebird` from official source.
- Resolves high-severity vulnerabilities in `stdlib`, `crypto`, and `pion` by enforcing latest Go runtime and dependency updates (`go get -u`).
- Maintains minimal image footprint by discarding the build toolchain and copying only the stripped binary to the final Alpine image.
