Merge pull request #7 from Samourai-Wallet/feat_mydojo_bitcoind_tor_hs

support of inbound connections through Tor
6 years ago · 6ec589e39e
11 changed files with 79 additions and 57 deletions
--- a/doc/DOCKER_setup.md
+++ b/doc/DOCKER_setup.md
@ -21,7 +21,7 @@ MyDojo is a set of Docker containers providing a full Samourai backend composed

                                          ------------
                                                |
-                  Host machine                  | (Tor - port 80)
+                  Host machine                  | (Tor hidden services)
                 ______________________________ | _____________________________
                |                               |                              |
                |                      -------------------                     |
@ -78,6 +78,7 @@ This procedure allows to install a new Dojo from scratch.
      * BITCOIND_RPC_USER = login protecting the access to the RPC API of your full node,
      * BITCOIND_RPC_PASSWORD = password protecting the access to the RPC API of your full node.
      * If your machine has a lot of RAM, it's recommended that you increase the value of BITCOIND_DB_CACHE for a faster Initial Block Download.
+      * By default, Dojo creates a new onion address for your full node at each startup. Set the value of BITCOIND_EPHEMERAL_HS to 'off' to keep a static address (not recommended).

  * Edit docker-mysql.conf.tpl and provide a new value for the following parameters:
      * MYSQL_ROOT_PASSWORD = password protecting the root account of MySQL,
@ -221,6 +222,6 @@ If OXT is selected as the default source for imports, OXT clearnet API is access

 The maintenance tool is accessed as a Tor hidden service (static onion address).

-The Bitcoin node only allows incoming connections from Tor (dynamic onion address).
+The Bitcoin node only allows incoming connections from Tor (static or dynamic onion address).

 The Bitcoin node attempts outgoing connections to both Tor and clearrnet nodes (through the Tor local proxy).
--- a/docker/my-dojo/bitcoin/Dockerfile
+++ b/docker/my-dojo/bitcoin/Dockerfile
@ -27,18 +27,17 @@ RUN     set -ex && \
        tar -xzvf bitcoin.tar.gz -C /usr/local --strip-components=1 --exclude=*-qt && \
        rm -rf /tmp/*

-# Create group & user bitcoin
+# Create groups bitcoin & tor
+# Create user bitcoin and add it to groups
 RUN     addgroup --system -gid 1108 bitcoin && \
-        adduser --system --ingroup bitcoin -uid 1105 bitcoin
+        addgroup --system -gid 1107 tor && \
+        adduser --system --ingroup bitcoin -uid 1105 bitcoin && \
+        usermod -a -G tor bitcoin

 # Create data directory
 RUN     mkdir "$BITCOIN_HOME/.bitcoin" && \
        chown -h bitcoin:bitcoin "$BITCOIN_HOME/.bitcoin"

-# Copy bitcoin config file
-COPY    ./bitcoin.conf "$BITCOIN_HOME/.bitcoin/bitcoin.conf"
-RUN     chown bitcoin:bitcoin "$BITCOIN_HOME/.bitcoin/bitcoin.conf"
-
 # Copy restart script
 COPY    ./restart.sh /restart.sh
 RUN     chown bitcoin:bitcoin /restart.sh && \
--- a/docker/my-dojo/bitcoin/bitcoin.conf
+++ b/docker/my-dojo/bitcoin/bitcoin.conf
@ -1,22 +0,0 @@
-# Bitcoin Configuration
-server=1
-listen=1
-bind=127.0.0.1
-
-# Tor proxy through dojonet
-proxy=172.28.1.4:9050
-
-# Non-default RPC Port
-rpcport=28256
-rpcallowip=::/0
-rpcbind=bitcoind
-
-# Store transaction information for fully-spent txns
-txindex=1
-
-# No wallet
-disablewallet=1
-
-# ZeroMQ Notification Settings
-zmqpubhashblock=tcp://0.0.0.0:9502
-zmqpubrawtx=tcp://0.0.0.0:9501
--- a/docker/my-dojo/bitcoin/restart.sh
+++ b/docker/my-dojo/bitcoin/restart.sh
@ -3,6 +3,18 @@ set -e

 echo "## Start bitcoind #############################"
 bitcoind -datadir=/home/bitcoin/.bitcoin \
+  -server=1 \
+  -listen=1 \
+  -bind=172.28.1.5 \
+  -port=8333 \
+  -proxy=172.28.1.4:9050 \
+  -rpcport=28256 \
+  -rpcallowip=::/0 \
+  -rpcbind=172.28.1.5 \
+  -txindex=1 \
+  -disablewallet=1 \
+  -zmqpubhashblock=tcp://0.0.0.0:9502 \
+  -zmqpubrawtx=tcp://0.0.0.0:9501 \
  -dbcache=$BITCOIND_DB_CACHE \
  -dnsseed=$BITCOIND_DNSSEED \
  -dns=$BITCOIND_DNS \
@ -11,4 +23,5 @@ bitcoind -datadir=/home/bitcoin/.bitcoin \
  -maxconnections=$BITCOIND_MAX_CONNECTIONS \
  -maxmempool=$BITCOIND_MAX_MEMPOOL \
  -mempoolexpiry=$BITCOIND_MEMPOOL_EXPIRY \
-  -minrelaytxfee=$BITCOIND_MIN_RELAY_TX_FEE
+  -minrelaytxfee=$BITCOIND_MIN_RELAY_TX_FEE \
+  -externalip=$(cat /var/lib/tor/hsv2bitcoind/hostname)
--- a/docker/my-dojo/conf/docker-bitcoind.conf.tpl
+++ b/docker/my-dojo/conf/docker-bitcoind.conf.tpl
@ -29,4 +29,9 @@ BITCOIND_MEMPOOL_EXPIRY=72

 # Min relay tx fee in BTC
 # Type: numeric
-BITCOIND_MIN_RELAY_TX_FEE=0.00001
+BITCOIND_MIN_RELAY_TX_FEE=0.00001
+
+# Generate a new onion address for bitcoind when Dojo is launched
+# Activation of this option is recommended for improved privacy.
+# Values: on | off
+BITCOIND_EPHEMERAL_HS=on
--- a/docker/my-dojo/docker-compose.yaml
+++ b/docker/my-dojo/docker-compose.yaml
@ -30,11 +30,13 @@ services:
    restart: on-failure
    command: "/wait-for-it.sh tor:9050 --timeout=360 --strict -- /restart.sh"
    expose:
+      - "8333"
      - "28256"
      - "9501"
      - "9502"
    volumes:
      - data-bitcoind:/home/bitcoin/.bitcoin
+      - data-tor:/var/lib/tor
    depends_on:
      - db
      - tor
@ -96,9 +98,7 @@ services:
    env_file:
      - ./.env
    restart: on-failure
-    command: tor
-    ports:
-      - "80:80"
+    command: /restart.sh
    volumes:
      - data-tor:/var/lib/tor
    networks:
@ -124,7 +124,6 @@ networks:
 volumes:
  data-mysql:
  data-bitcoind:
-  data-bitcoind-tor:
  data-nodejs:
  data-nginx:
  data-tor:
--- a/docker/my-dojo/dojo.sh
+++ b/docker/my-dojo/dojo.sh
@ -18,6 +18,10 @@ start() {

 # Stop
 stop() {
+  if [ "$BITCOIND_EPHEMERAL_HS" = "on" ]; then
+    docker exec -it tor rm -rf /var/lib/tor/hsv2bitcoind
+  fi
+
  docker exec -it bitcoind  bitcoin-cli \
    -rpcconnect=bitcoind \
    --rpcport=28256 \
@ -33,6 +37,10 @@ stop() {

 # Restart dojo
 restart() {
+  if [ "$BITCOIND_EPHEMERAL_HS" = "on" ]; then
+    docker exec -it tor rm -rf /var/lib/tor/hsv2bitcoind
+  fi
+
  docker exec -it bitcoind  bitcoin-cli \
    -rpcconnect=bitcoind \
    --rpcport=28256 \
@ -96,7 +104,8 @@ upgrade() {

  if [ $launchUpgrade -eq 0 ]; then
    update_config_files
-    docker-compose build
+    cleanup
+    docker-compose build --no-cache
    docker-compose up -d --remove-orphans
    update_dojo_db
    docker-compose logs --tail=0 --follow
@ -107,9 +116,11 @@ upgrade() {
 onion() {
  V2_ADDR=$( docker exec -it tor cat /var/lib/tor/hsv2dojo/hostname )
  V3_ADDR=$( docker exec -it tor cat /var/lib/tor/hsv3dojo/hostname )
+  V2_ADDR_BTCD=$( docker exec -it tor cat /var/lib/tor/hsv2bitcoind/hostname )

-  echo "API Hidden Service address (v3) = $V3_ADDR"
-  echo "API Hidden Service address (v2) = $V2_ADDR"
+  echo "API hidden service address (v3) = $V3_ADDR"
+  echo "API hidden service address (v2) = $V2_ADDR"
+  echo "bitcoind hidden service address (v2) = $V2_ADDR_BTCD"
 }

 # Display the version of this dojo
--- a/docker/my-dojo/install/upgrade-scripts.sh
+++ b/docker/my-dojo/install/upgrade-scripts.sh
@ -52,4 +52,14 @@ update_config_file() {
 # Update dojo database
 update_dojo_db() {
  docker exec -d db /update-db.sh
-}
+}
+
+# Clean-up
+cleanup() {
+  #################
+  # Clean-up v1.1.0
+  #################
+
+  # Remove deprecated bitcoin.conf file
+  rm ./bitcoin/bitcoin.conf
+}
--- a/docker/my-dojo/tor/Dockerfile
+++ b/docker/my-dojo/tor/Dockerfile
@ -23,11 +23,6 @@ RUN     set -ex && \
 RUN     addgroup --system -gid 1107 tor && \
        adduser --system --ingroup tor -uid 1104 tor

-# Create group & user bitcoin and add user to tor group
-RUN     addgroup --system -gid 1108 bitcoin && \
-        adduser --system --ingroup bitcoin -uid 1105 bitcoin && \
-        usermod -a -G tor bitcoin
-
 # Create /etc/tor directory
 RUN     mkdir -p /etc/tor/ && \
        chown -Rv tor:tor /etc/tor
@ -35,12 +30,19 @@ RUN     mkdir -p /etc/tor/ && \
 # Create .tor subdirectory of TOR_HOME
 RUN     mkdir -p "$TOR_HOME/.tor" && \
        chown -Rv tor:tor "$TOR_HOME" && \
-        chmod -R 700 "$TOR_HOME"
+        chmod -R 750 "$TOR_HOME"

 # Copy Tor configuration file
 COPY    ./torrc /etc/tor/torrc
 RUN     chown tor:tor /etc/tor/torrc

+# Copy restart script
+COPY    ./restart.sh /restart.sh
+
+RUN     chown tor:tor /restart.sh && \
+        chmod u+x /restart.sh && \
+        chmod g+x /restart.sh
+
 # Copy wait-for-it script
 COPY    ./wait-for-it.sh /wait-for-it.sh

--- a/docker/my-dojo/tor/restart.sh
+++ b/docker/my-dojo/tor/restart.sh
@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+# Set permissions for bitcoind
+echo "## Set permissions on /var/lib/tor dir ###"
+chmod 750 /var/lib/tor
+
+echo "## Start tor #############################"
+tor
--- a/docker/my-dojo/tor/torrc
+++ b/docker/my-dojo/tor/torrc
@ -19,17 +19,7 @@ SocksPolicy reject *
 ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.

 DataDirectory /var/lib/tor/.tor
-
-## The port on which Tor will listen for local connections from Tor
-## controller applications, as documented in control-spec.txt.
-
-ControlPort 9051
-
-## If you enable the controlport, be sure to enable one of these
-## authentication methods, to prevent attackers from accessing it.
-
-CookieAuthentication 1
-CookieAuthFileGroupReadable 1
+DataDirectoryGroupReadable 1


 ############### This section is just for location-hidden services ###
@ -47,3 +37,8 @@ HiddenServicePort 80 172.29.1.3:80
 HiddenServiceDir /var/lib/tor/hsv3dojo
 HiddenServiceVersion 3
 HiddenServicePort 80 172.29.1.3:80
+
+HiddenServiceDir /var/lib/tor/hsv2bitcoind
+HiddenServiceVersion 2
+HiddenServicePort 18333 172.28.1.5:18333
+HiddenServiceDirGroupReadable 1