
Merge pull request #7 from Samourai-Wallet/feat_mydojo_bitcoind_tor_hs

Support for inbound bitcoind connections through a Tor hidden service
kenshin samourai 6 years ago
committed by GitHub
parent
commit
6ec589e39e
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
  1. 5
      doc/DOCKER_setup.md
  2. 11
      docker/my-dojo/bitcoin/Dockerfile
  3. 22
      docker/my-dojo/bitcoin/bitcoin.conf
  4. 15
      docker/my-dojo/bitcoin/restart.sh
  5. 7
      docker/my-dojo/conf/docker-bitcoind.conf.tpl
  6. 7
      docker/my-dojo/docker-compose.yaml
  7. 17
      docker/my-dojo/dojo.sh
  8. 12
      docker/my-dojo/install/upgrade-scripts.sh
  9. 14
      docker/my-dojo/tor/Dockerfile
  10. 9
      docker/my-dojo/tor/restart.sh
  11. 17
      docker/my-dojo/tor/torrc

5
doc/DOCKER_setup.md

@ -21,7 +21,7 @@ MyDojo is a set of Docker containers providing a full Samourai backend composed
------------ ------------
| |
Host machine | (Tor - port 80) Host machine | (Tor hidden services)
______________________________ | _____________________________ ______________________________ | _____________________________
| | | | | |
| ------------------- | | ------------------- |
@ -78,6 +78,7 @@ This procedure allows to install a new Dojo from scratch.
* BITCOIND_RPC_USER = login protecting the access to the RPC API of your full node, * BITCOIND_RPC_USER = login protecting the access to the RPC API of your full node,
* BITCOIND_RPC_PASSWORD = password protecting the access to the RPC API of your full node. * BITCOIND_RPC_PASSWORD = password protecting the access to the RPC API of your full node.
* If your machine has a lot of RAM, it's recommended that you increase the value of BITCOIND_DB_CACHE for a faster Initial Block Download. * If your machine has a lot of RAM, it's recommended that you increase the value of BITCOIND_DB_CACHE for a faster Initial Block Download.
* By default, Dojo creates a new onion address for your full node at each startup. Set the value of BITCOIND_EPHEMERAL_HS to 'off' to keep a static address (not recommended).
* Edit docker-mysql.conf.tpl and provide a new value for the following parameters: * Edit docker-mysql.conf.tpl and provide a new value for the following parameters:
* MYSQL_ROOT_PASSWORD = password protecting the root account of MySQL, * MYSQL_ROOT_PASSWORD = password protecting the root account of MySQL,
@ -221,6 +222,6 @@ If OXT is selected as the default source for imports, OXT clearnet API is access
The maintenance tool is accessed as a Tor hidden service (static onion address). The maintenance tool is accessed as a Tor hidden service (static onion address).
The Bitcoin node only allows incoming connections from Tor (dynamic onion address). The Bitcoin node only allows incoming connections from Tor (static or dynamic onion address).
The Bitcoin node attempts outgoing connections to both Tor and clearrnet nodes (through the Tor local proxy). The Bitcoin node attempts outgoing connections to both Tor and clearrnet nodes (through the Tor local proxy).

11
docker/my-dojo/bitcoin/Dockerfile

@ -27,18 +27,17 @@ RUN set -ex && \
tar -xzvf bitcoin.tar.gz -C /usr/local --strip-components=1 --exclude=*-qt && \ tar -xzvf bitcoin.tar.gz -C /usr/local --strip-components=1 --exclude=*-qt && \
rm -rf /tmp/* rm -rf /tmp/*
# Create group & user bitcoin # Create groups bitcoin & tor
# Create user bitcoin and add it to groups
RUN addgroup --system -gid 1108 bitcoin && \ RUN addgroup --system -gid 1108 bitcoin && \
adduser --system --ingroup bitcoin -uid 1105 bitcoin addgroup --system -gid 1107 tor && \
adduser --system --ingroup bitcoin -uid 1105 bitcoin && \
usermod -a -G tor bitcoin
# Create data directory # Create data directory
RUN mkdir "$BITCOIN_HOME/.bitcoin" && \ RUN mkdir "$BITCOIN_HOME/.bitcoin" && \
chown -h bitcoin:bitcoin "$BITCOIN_HOME/.bitcoin" chown -h bitcoin:bitcoin "$BITCOIN_HOME/.bitcoin"
# Copy bitcoin config file
COPY ./bitcoin.conf "$BITCOIN_HOME/.bitcoin/bitcoin.conf"
RUN chown bitcoin:bitcoin "$BITCOIN_HOME/.bitcoin/bitcoin.conf"
# Copy restart script # Copy restart script
COPY ./restart.sh /restart.sh COPY ./restart.sh /restart.sh
RUN chown bitcoin:bitcoin /restart.sh && \ RUN chown bitcoin:bitcoin /restart.sh && \
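Review bot: The new `addgroup --system -gid 1107 tor` line hard-codes the gid of a group that is really created by the tor image (tor/Dockerfile in this same commit uses the same value), and nothing ties the two together; if either side changes, the bitcoin user loses group access to the shared /var/lib/tor volume and the hostname read in bitcoin/restart.sh breaks, presumably with no clearer symptom than a missing -externalip. I would document the coupling above the RUN: `# gid 1107 must match the tor group created in ../tor/Dockerfile: bitcoin reads hsv2bitcoind/hostname from the shared data-tor volume via group permissions`. The RUN chain is complete within the hunk.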

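--- a/docker/my-dojo/bitcoin/bitcoin.conf
+++ b/docker/my-dojo/bitcoin/bitcoin.conf
@@ -1,22 +0,0 @@
-# Bitcoin Configuration
-server=1
-listen=1
-bind=127.0.0.1
-# Tor proxy through dojonet
-proxy=172.28.1.4:9050
-# Non-default RPC Port
-rpcport=28256
-rpcallowip=::/0
-rpcbind=bitcoind
-# Store transaction information for fully-spent txns
-txindex=1
-# No wallet
-disablewallet=1
-# ZeroMQ Notification Settings
-zmqpubhashblock=tcp://0.0.0.0:9502
-zmqpubrawtx=tcp://0.0.0.0:9501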

15
docker/my-dojo/bitcoin/restart.sh

@ -3,6 +3,18 @@ set -e
echo "## Start bitcoind #############################" echo "## Start bitcoind #############################"
bitcoind -datadir=/home/bitcoin/.bitcoin \ bitcoind -datadir=/home/bitcoin/.bitcoin \
-server=1 \
-listen=1 \
-bind=172.28.1.5 \
-port=8333 \
-proxy=172.28.1.4:9050 \
-rpcport=28256 \
-rpcallowip=::/0 \
-rpcbind=172.28.1.5 \
-txindex=1 \
-disablewallet=1 \
-zmqpubhashblock=tcp://0.0.0.0:9502 \
-zmqpubrawtx=tcp://0.0.0.0:9501 \
-dbcache=$BITCOIND_DB_CACHE \ -dbcache=$BITCOIND_DB_CACHE \
-dnsseed=$BITCOIND_DNSSEED \ -dnsseed=$BITCOIND_DNSSEED \
-dns=$BITCOIND_DNS \ -dns=$BITCOIND_DNS \
@ -11,4 +23,5 @@ bitcoind -datadir=/home/bitcoin/.bitcoin \
-maxconnections=$BITCOIND_MAX_CONNECTIONS \ -maxconnections=$BITCOIND_MAX_CONNECTIONS \
-maxmempool=$BITCOIND_MAX_MEMPOOL \ -maxmempool=$BITCOIND_MAX_MEMPOOL \
-mempoolexpiry=$BITCOIND_MEMPOOL_EXPIRY \ -mempoolexpiry=$BITCOIND_MEMPOOL_EXPIRY \
-minrelaytxfee=$BITCOIND_MIN_RELAY_TX_FEE -minrelaytxfee=$BITCOIND_MIN_RELAY_TX_FEE \
-externalip=$(cat /var/lib/tor/hsv2bitcoind/hostname)
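Review bot: The added `-externalip=$(cat /var/lib/tor/hsv2bitcoind/hostname)` is not protected by the script's `set -e`: a failing command substitution inside an argument does not abort the command, so if the hostname file is missing (the compose command only waits for tor:9050, not for the hidden-service directory) bitcoind is launched with an empty `-externalip` and either refuses to start or silently advertises nothing, depending on the Core version. Read it first and fail loudly before the `bitcoind` invocation, `ONION_HOST=$(cat /var/lib/tor/hsv2bitcoind/hostname) || { echo "bitcoind onion hostname not found" >&2; exit 1; }`, then pass `-externalip="$ONION_HOST"`. The invocation itself starts at the `bitcoind -datadir=` line at the top of the hunk and ends with this argument.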

7
docker/my-dojo/conf/docker-bitcoind.conf.tpl

@ -29,4 +29,9 @@ BITCOIND_MEMPOOL_EXPIRY=72
# Min relay tx fee in BTC # Min relay tx fee in BTC
# Type: numeric # Type: numeric
BITCOIND_MIN_RELAY_TX_FEE=0.00001 BITCOIND_MIN_RELAY_TX_FEE=0.00001
# Generate a new onion address for bitcoind when Dojo is launched
# Activation of this option is recommended for improved privacy.
# Values: on | off
BITCOIND_EPHEMERAL_HS=on
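Review bot: The `Values: on | off` comment on the new `BITCOIND_EPHEMERAL_HS` option understates how strict the check is: dojo.sh compares the value with the exact string `on`, so `ON`, `yes` or `1` are all treated as off and leave a static onion key in place without any warning. I'd make that explicit in the template: `# Any value other than "on" (exact, lowercase) disables the option and keeps a static onion address.` It would also help to state what off implies here, namely that the bitcoind onion private key under /var/lib/tor/hsv2bitcoind persists across restarts in the data-tor volume.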

7
docker/my-dojo/docker-compose.yaml

@ -30,11 +30,13 @@ services:
restart: on-failure restart: on-failure
command: "/wait-for-it.sh tor:9050 --timeout=360 --strict -- /restart.sh" command: "/wait-for-it.sh tor:9050 --timeout=360 --strict -- /restart.sh"
expose: expose:
- "8333"
- "28256" - "28256"
- "9501" - "9501"
- "9502" - "9502"
volumes: volumes:
- data-bitcoind:/home/bitcoin/.bitcoin - data-bitcoind:/home/bitcoin/.bitcoin
- data-tor:/var/lib/tor
depends_on: depends_on:
- db - db
- tor - tor
@ -96,9 +98,7 @@ services:
env_file: env_file:
- ./.env - ./.env
restart: on-failure restart: on-failure
command: tor command: /restart.sh
ports:
- "80:80"
volumes: volumes:
- data-tor:/var/lib/tor - data-tor:/var/lib/tor
networks: networks:
@ -124,7 +124,6 @@ networks:
volumes: volumes:
data-mysql: data-mysql:
data-bitcoind: data-bitcoind:
data-bitcoind-tor:
data-nodejs: data-nodejs:
data-nginx: data-nginx:
data-tor: data-tor:
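Review bot: The new `- data-tor:/var/lib/tor` mount in the bitcoind service is read-write, yet the only thing bitcoind needs from it is `hsv2bitcoind/hostname`, read once in restart.sh; the same volume holds the Tor data directory and the API hidden-service keys under hsv2dojo and hsv3dojo. Those directories should remain private to the tor user since only hsv2bitcoind gets `HiddenServiceDirGroupReadable` in torrc, but a read-only mount costs nothing and removes a whole class of mistakes: `- data-tor:/var/lib/tor:ro`. The bitcoind service definition begins above the hunk.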

17
docker/my-dojo/dojo.sh

@ -18,6 +18,10 @@ start() {
# Stop # Stop
stop() { stop() {
if [ "$BITCOIND_EPHEMERAL_HS" = "on" ]; then
docker exec -it tor rm -rf /var/lib/tor/hsv2bitcoind
fi
docker exec -it bitcoind bitcoin-cli \ docker exec -it bitcoind bitcoin-cli \
-rpcconnect=bitcoind \ -rpcconnect=bitcoind \
--rpcport=28256 \ --rpcport=28256 \
@ -33,6 +37,10 @@ stop() {
# Restart dojo # Restart dojo
restart() { restart() {
if [ "$BITCOIND_EPHEMERAL_HS" = "on" ]; then
docker exec -it tor rm -rf /var/lib/tor/hsv2bitcoind
fi
docker exec -it bitcoind bitcoin-cli \ docker exec -it bitcoind bitcoin-cli \
-rpcconnect=bitcoind \ -rpcconnect=bitcoind \
--rpcport=28256 \ --rpcport=28256 \
@ -96,7 +104,8 @@ upgrade() {
if [ $launchUpgrade -eq 0 ]; then if [ $launchUpgrade -eq 0 ]; then
update_config_files update_config_files
docker-compose build cleanup
docker-compose build --no-cache
docker-compose up -d --remove-orphans docker-compose up -d --remove-orphans
update_dojo_db update_dojo_db
docker-compose logs --tail=0 --follow docker-compose logs --tail=0 --follow
@ -107,9 +116,11 @@ upgrade() {
onion() { onion() {
V2_ADDR=$( docker exec -it tor cat /var/lib/tor/hsv2dojo/hostname ) V2_ADDR=$( docker exec -it tor cat /var/lib/tor/hsv2dojo/hostname )
V3_ADDR=$( docker exec -it tor cat /var/lib/tor/hsv3dojo/hostname ) V3_ADDR=$( docker exec -it tor cat /var/lib/tor/hsv3dojo/hostname )
V2_ADDR_BTCD=$( docker exec -it tor cat /var/lib/tor/hsv2bitcoind/hostname )
echo "API Hidden Service address (v3) = $V3_ADDR" echo "API hidden service address (v3) = $V3_ADDR"
echo "API Hidden Service address (v2) = $V2_ADDR" echo "API hidden service address (v2) = $V2_ADDR"
echo "bitcoind hidden service address (v2) = $V2_ADDR_BTCD"
} }
# Display the version of this dojo # Display the version of this dojo
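Review bot: The ephemeral-HS cleanup added to `stop()` and `restart()` is the same three lines pasted twice, and both copies run `rm -rf` inside a tor container that is still up, which is fine for the stated goal (tor regenerates the key on its next start, as far as I know) but is easy to let drift apart. I'd factor it into one helper in dojo.sh, `remove_bitcoind_hs() { if [ "$BITCOIND_EPHEMERAL_HS" = "on" ]; then docker exec -it tor rm -rf /var/lib/tor/hsv2bitcoind; fi; }`, and call it from both places. Both stop() and restart() continue past the hunk, and the `cleanup` called from `upgrade()` is defined in install/upgrade-scripts.sh.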

12
docker/my-dojo/install/upgrade-scripts.sh

@ -52,4 +52,14 @@ update_config_file() {
# Update dojo database # Update dojo database
update_dojo_db() { update_dojo_db() {
docker exec -d db /update-db.sh docker exec -d db /update-db.sh
} }
# Clean-up
cleanup() {
#################
# Clean-up v1.1.0
#################
# Remove deprecated bitcoin.conf file
rm ./bitcoin/bitcoin.conf
}
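Review bot: The new `cleanup()` runs `rm ./bitcoin/bitcoin.conf` without `-f`, so it fails on every run where the file is already gone, i.e. the second time a node is upgraded; if dojo.sh runs under `set -e` (not visible here) that aborts `upgrade()` right before `docker-compose build`. Use `rm -f ./bitcoin/bitcoin.conf` and say what the path is relative to, e.g. `# Relative to the docker/my-dojo directory that dojo.sh is run from`.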

14
docker/my-dojo/tor/Dockerfile

@ -23,11 +23,6 @@ RUN set -ex && \
RUN addgroup --system -gid 1107 tor && \ RUN addgroup --system -gid 1107 tor && \
adduser --system --ingroup tor -uid 1104 tor adduser --system --ingroup tor -uid 1104 tor
# Create group & user bitcoin and add user to tor group
RUN addgroup --system -gid 1108 bitcoin && \
adduser --system --ingroup bitcoin -uid 1105 bitcoin && \
usermod -a -G tor bitcoin
# Create /etc/tor directory # Create /etc/tor directory
RUN mkdir -p /etc/tor/ && \ RUN mkdir -p /etc/tor/ && \
chown -Rv tor:tor /etc/tor chown -Rv tor:tor /etc/tor
@ -35,12 +30,19 @@ RUN mkdir -p /etc/tor/ && \
# Create .tor subdirectory of TOR_HOME # Create .tor subdirectory of TOR_HOME
RUN mkdir -p "$TOR_HOME/.tor" && \ RUN mkdir -p "$TOR_HOME/.tor" && \
chown -Rv tor:tor "$TOR_HOME" && \ chown -Rv tor:tor "$TOR_HOME" && \
chmod -R 700 "$TOR_HOME" chmod -R 750 "$TOR_HOME"
# Copy Tor configuration file # Copy Tor configuration file
COPY ./torrc /etc/tor/torrc COPY ./torrc /etc/tor/torrc
RUN chown tor:tor /etc/tor/torrc RUN chown tor:tor /etc/tor/torrc
# Copy restart script
COPY ./restart.sh /restart.sh
RUN chown tor:tor /restart.sh && \
chmod u+x /restart.sh && \
chmod g+x /restart.sh
# Copy wait-for-it script # Copy wait-for-it script
COPY ./wait-for-it.sh /wait-for-it.sh COPY ./wait-for-it.sh /wait-for-it.sh
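Review bot: `chmod -R 750 "$TOR_HOME"` relaxes the previous 700 without saying why, and a reader hardening this image later will be tempted to put 700 back, which would cut the bitcoin user off from `hsv2bitcoind/hostname`. A comment on the changed line would settle it: `# 750, not 700: the bitcoin container runs as a member of group tor and must traverse /var/lib/tor to read hsv2bitcoind/hostname; Tor itself keeps the data dir and the dojo hidden-service dirs private`. If `$TOR_HOME` is the path the data-tor volume is mounted on, this build-time chmod is shadowed at runtime, which I assume is why restart.sh repeats it — worth stating in the same comment.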

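--- a/docker/my-dojo/tor/restart.sh
+++ b/docker/my-dojo/tor/restart.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+# Set permissions for bitcoind
+echo "## Set permissions on /var/lib/tor dir ###"
+chmod 750 /var/lib/tor
+echo "## Start tor #############################"
+tor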
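Review bot: The final `tor` is run as a child of bash rather than replacing it, so bash stays PID 1 and, as far as I know, does not forward the SIGTERM that `docker stop` sends; tor is then killed with SIGKILL after the grace period instead of shutting down its circuits and hidden services cleanly. Make it `exec tor`. The preceding `chmod 750 /var/lib/tor` deliberately touches only the top-level directory, which is worth stating in the comment: `# Group-traversable so the bitcoin container (group tor) can read hsv2bitcoind/hostname; subdirectories keep their own modes`.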

17
docker/my-dojo/tor/torrc

@ -19,17 +19,7 @@ SocksPolicy reject *
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory /var/lib/tor/.tor DataDirectory /var/lib/tor/.tor
DataDirectoryGroupReadable 1
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
CookieAuthentication 1
CookieAuthFileGroupReadable 1
############### This section is just for location-hidden services ### ############### This section is just for location-hidden services ###
@ -47,3 +37,8 @@ HiddenServicePort 80 172.29.1.3:80
HiddenServiceDir /var/lib/tor/hsv3dojo HiddenServiceDir /var/lib/tor/hsv3dojo
HiddenServiceVersion 3 HiddenServiceVersion 3
HiddenServicePort 80 172.29.1.3:80 HiddenServicePort 80 172.29.1.3:80
HiddenServiceDir /var/lib/tor/hsv2bitcoind
HiddenServiceVersion 2
HiddenServicePort 18333 172.28.1.5:18333
HiddenServiceDirGroupReadable 1
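Review bot: The new service forwards `HiddenServicePort 18333 172.28.1.5:18333`, but bitcoin/restart.sh in this same commit binds the daemon with `-bind=172.28.1.5 -port=8333`, and no testnet option is visible anywhere; as written, inbound onion connections arrive at a port nothing listens on. The advertised `-externalip` carries no explicit port, which as far as I recall makes peers dial the onion on `-port` (8333), a virtual port this service does not expose, so the inbound connectivity this commit adds would not work unless bitcoind is actually running on testnet. Align both ends with the bind: `HiddenServicePort 8333 172.28.1.5:8333`. `HiddenServiceDirGroupReadable 1` placed after this `HiddenServiceDir` applies to hsv2bitcoind only, which correctly limits group exposure to that one key.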
