🔧 New tool: gen-family - generate/view Happy Family keys - Supports --force flag to overwrite existing keys without backup prompt 🐳 Dockerfiles: gen-family in both Dockerfile and Dockerfile.edge 🔧 Entrypoint: - Phase 2: detect *.secret_family_key, log found keys (informational only) - Guard/exit config gen: append FamilyId + MyFamily from ENV vars - Bridge intentionally excluded 📊 Status tool: show family key count + Happy Family config state 📚 Docs: - README: Happy Family section (generate / import), persistence table, flowchart - ARCHITECTURE: all mermaid diagrams updated (Phase 2, config gen, tools, dirs) - TOOLS: full gen-family reference with examples and exit codes - DEPLOYMENT, MIGRATION, MIGRATION-V1.1.X, TROUBLESHOOTING: 5 -> 6 tools - FAQ, example configs: version bump + FamilyId/MyFamily placeholders - Directory authority voting: how 9 dirauths vote on relay flags (5/9 consensus) - CIISS v2 ContactInfo: field reference, generator link, proof:uri-rsa verification - All TOR_CONTACT_INFO examples updated to CIISS v2 format across templates and docs 📋 Templates: - Guard/exit/multi-relay compose: TOR_FAMILY_ID + TOR_MY_FAMILY env vars - All cosmos-compose + docker-compose versions -> 1.1.7 👷 CI: validate.yml gen-family in 8 spots (threshold 6), security tests, quick-test 🛡️ SECURITY.md: 1.1.7 active, 1.1.6 maintenance, gen-family in tools list 🔖 Version bump 1.1.6 -> 1.1.7 across 30+ files, tool count 5 -> 6, CHANGELOG entry No breaking changes. TOR_FAMILY_ID and TOR_MY_FAMILY are optional.
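# Multi-relay guard deployment: three Tor guard relays on one host, each with
# its own read-only torrc, its own data volume (keys live under
# /var/lib/tor/keys) and its own log volume.
#
# The `version` key is informative only under the Compose Specification and
# Compose v2 reports it as obsolete; it is kept for older clients.
version: '3.8'

# Happy Family Setup (Tor 0.4.9+):
#
# Option A - Generate a new key:
#   1. Start relay-1, then run: docker exec guard-relay-1 gen-family MyRelays
#   2. Copy the .secret_family_key to all relay volumes:
#        docker cp guard-relay-1:/var/lib/tor/keys/MyRelays.secret_family_key .
#        docker cp MyRelays.secret_family_key guard-relay-2:/var/lib/tor/keys/
#        docker cp MyRelays.secret_family_key guard-relay-3:/var/lib/tor/keys/
#   3. Fix ownership: docker exec -u 0 <container> chown 100:101 /var/lib/tor/keys/MyRelays.secret_family_key
#   4. Add 'FamilyId <value>' to each relay's torrc
#   5. Keep MyFamily lines during the transition period
#   6. Restart all relays
#
# Option B - Import an existing key from a non-Docker setup:
#   1. Copy your .secret_family_key to the Docker host
#   2. docker cp MyRelays.secret_family_key guard-relay-1:/var/lib/tor/keys/
#      (repeat for each relay container)
#   3. Fix ownership: docker exec -u 0 <container> chown 100:101 /var/lib/tor/keys/MyRelays.secret_family_key
#   4. Add 'FamilyId <value>' to each relay's torrc
#   5. Restart all relays
#
# The .secret_family_key is a private key: it is stored only in the
# tor-guard-data-N volumes, which must not be shared or committed.

services:
  tor-relay-1:
    image: r3bo0tbx1/onion-relay:latest
    container_name: guard-relay-1
    restart: unless-stopped
    # All three relays share the host network namespace, so each
    # relays/relayN.conf must bind distinct ORPort/DirPort values.
    network_mode: host
    # Prevents privilege escalation via setuid binaries inside the container.
    security_opt:
      - no-new-privileges:true
    # Least privilege: drop everything, then add back only what the entrypoint
    # needs. DAC_OVERRIDE bypasses file-permission checks and is the broadest
    # of these; NOTE(review): confirm it is still needed once volume ownership
    # has been fixed as described in the Happy Family steps above.
    cap_add:
      - NET_BIND_SERVICE
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
    cap_drop:
      - ALL
    volumes:
      # torrc is mounted read-only; edit the host-side file, then restart.
      - ./relays/relay1.conf:/etc/tor/torrc:ro
      # Identity and family keys persist here; losing this volume changes the
      # relay's fingerprint.
      - tor-guard-data-1:/var/lib/tor
      - tor-guard-logs-1:/var/log/tor
    healthcheck:
      test: ["CMD-SHELL", "/usr/local/bin/healthcheck.sh"]
      interval: 10m
      timeout: 15s
      start_period: 30s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: '1.5'
          memory: 768M
        reservations:
          cpus: '0.5'
          memory: 512M
    # Bounded log files: at most 3 x 10 MiB per container.
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  tor-relay-2:
    image: r3bo0tbx1/onion-relay:latest
    container_name: guard-relay-2
    restart: unless-stopped
    # Shares the host network namespace with relay-1 and relay-3; see the
    # port note on tor-relay-1.
    network_mode: host
    security_opt:
      - no-new-privileges:true
    # Same capability set as tor-relay-1; keep the three services in sync.
    cap_add:
      - NET_BIND_SERVICE
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
    cap_drop:
      - ALL
    volumes:
      - ./relays/relay2.conf:/etc/tor/torrc:ro
      - tor-guard-data-2:/var/lib/tor
      - tor-guard-logs-2:/var/log/tor
    healthcheck:
      test: ["CMD-SHELL", "/usr/local/bin/healthcheck.sh"]
      interval: 10m
      timeout: 15s
      start_period: 30s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: '1.5'
          memory: 768M
        reservations:
          cpus: '0.5'
          memory: 512M
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  tor-relay-3:
    image: r3bo0tbx1/onion-relay:latest
    container_name: guard-relay-3
    restart: unless-stopped
    # Shares the host network namespace with relay-1 and relay-2; see the
    # port note on tor-relay-1.
    network_mode: host
    security_opt:
      - no-new-privileges:true
    # Same capability set as tor-relay-1; keep the three services in sync.
    cap_add:
      - NET_BIND_SERVICE
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
    cap_drop:
      - ALL
    volumes:
      - ./relays/relay3.conf:/etc/tor/torrc:ro
      - tor-guard-data-3:/var/lib/tor
      - tor-guard-logs-3:/var/log/tor
    healthcheck:
      test: ["CMD-SHELL", "/usr/local/bin/healthcheck.sh"]
      interval: 10m
      timeout: 15s
      start_period: 30s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: '1.5'
          memory: 768M
        reservations:
          cpus: '0.5'
          memory: 512M
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

# Named volumes are given explicit names so they survive project renames and
# can be addressed directly with `docker volume` commands.
volumes:
  tor-guard-data-1:
    name: tor-guard-data-1
    driver: local
  tor-guard-logs-1:
    name: tor-guard-logs-1
    driver: local
  tor-guard-data-2:
    name: tor-guard-data-2
    driver: local
  tor-guard-logs-2:
    name: tor-guard-logs-2
    driver: local
  tor-guard-data-3:
    name: tor-guard-data-3
    driver: local
  tor-guard-logs-3:
    name: tor-guard-logs-3
    driver: local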