From cb81b988bef96bacdfe3a31dd6a588150dd48f36 Mon Sep 17 00:00:00 2001
From: kenshin-samourai
Date: Thu, 13 Jun 2019 11:24:17 +0200
Subject: [PATCH] support of inbound connections through Tor

---
 doc/DOCKER_setup.md | 5 +++--
 docker/my-dojo/bitcoin/Dockerfile | 11 +++++-----
 docker/my-dojo/bitcoin/bitcoin.conf | 22 --------------------
 docker/my-dojo/bitcoin/restart.sh | 15 ++++++++++++-
 docker/my-dojo/conf/docker-bitcoind.conf.tpl | 7 ++++++-
 docker/my-dojo/docker-compose.yaml | 7 +++----
 docker/my-dojo/dojo.sh | 17 ++++++++++++---
 docker/my-dojo/install/upgrade-scripts.sh | 12 ++++++++++-
 docker/my-dojo/tor/Dockerfile | 14 +++++++------
 docker/my-dojo/tor/restart.sh | 9 ++++++++
 docker/my-dojo/tor/torrc | 17 ++++++---------
 11 files changed, 79 insertions(+), 57 deletions(-)
 delete mode 100644 docker/my-dojo/bitcoin/bitcoin.conf
 create mode 100644 docker/my-dojo/tor/restart.sh

diff --git a/doc/DOCKER_setup.md b/doc/DOCKER_setup.md
index 5b00d65..5ccf884 100644
--- a/doc/DOCKER_setup.md
+++ b/doc/DOCKER_setup.md
@@ -21,7 +21,7 @@ MyDojo is a set of Docker containers providing a full Samourai backend composed ------------ | - Host machine | (Tor - port 80) + Host machine | (Tor hidden services) ______________________________ | _____________________________ | | | | ------------------- |
@@ -78,6 +78,7 @@ This procedure allows to install a new Dojo from scratch.
 * BITCOIND_RPC_USER = login protecting the access to the RPC API of your full node,
 * BITCOIND_RPC_PASSWORD = password protecting the access to the RPC API of your full node.
 * If your machine has a lot of RAM, it's recommended that you increase the value of BITCOIND_DB_CACHE for a faster Initial Block Download.
+ * By default, Dojo creates a new onion address for your full node at each startup. Set the value of BITCOIND_EPHEMERAL_HS to 'off' to keep a static address (not recommended).
 * Edit docker-mysql.conf.tpl and provide a new value for the following parameters:
 * MYSQL_ROOT_PASSWORD = password protecting the root account of MySQL,
@@ -221,6 +222,6 @@ If OXT is selected as the default source for imports, OXT clearnet API is access
 The maintenance tool is accessed as a Tor hidden service (static onion address).
-The Bitcoin node only allows incoming connections from Tor (dynamic onion address).
+The Bitcoin node only allows incoming connections from Tor (static or dynamic onion address).
 The Bitcoin node attempts outgoing connections to both Tor and clearrnet nodes (through the Tor local proxy).
diff --git a/docker/my-dojo/bitcoin/Dockerfile b/docker/my-dojo/bitcoin/Dockerfile
index 706238d..5f1c454 100644
--- a/docker/my-dojo/bitcoin/Dockerfile
+++ b/docker/my-dojo/bitcoin/Dockerfile
@@ -27,18 +27,17 @@ RUN set -ex && \
 tar -xzvf bitcoin.tar.gz -C /usr/local --strip-components=1 --exclude=*-qt && \
 rm -rf /tmp/*
-# Create group & user bitcoin
+# Create groups bitcoin & tor
+# Create user bitcoin and add it to groups
 RUN addgroup --system -gid 1108 bitcoin && \
- adduser --system --ingroup bitcoin -uid 1105 bitcoin
+ addgroup --system -gid 1107 tor && \
+ adduser --system --ingroup bitcoin -uid 1105 bitcoin && \
+ usermod -a -G tor bitcoin
 # Create data directory
 RUN mkdir "$BITCOIN_HOME/.bitcoin" && \
 chown -h bitcoin:bitcoin "$BITCOIN_HOME/.bitcoin"
-# Copy bitcoin config file
-COPY ./bitcoin.conf "$BITCOIN_HOME/.bitcoin/bitcoin.conf"
-RUN chown bitcoin:bitcoin "$BITCOIN_HOME/.bitcoin/bitcoin.conf"
-
 # Copy restart script
 COPY ./restart.sh /restart.sh
 RUN chown bitcoin:bitcoin /restart.sh && \
diff --git a/docker/my-dojo/bitcoin/bitcoin.conf b/docker/my-dojo/bitcoin/bitcoin.conf
deleted file mode 100644
index fe7167d..0000000
--- a/docker/my-dojo/bitcoin/bitcoin.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Bitcoin Configuration
-server=1
-listen=1
-bind=127.0.0.1
-
-# Tor proxy through dojonet
-proxy=172.28.1.4:9050
-
-# Non-default RPC Port
-rpcport=28256
-rpcallowip=::/0
-rpcbind=bitcoind
-
-# Store transaction information for fully-spent txns
-txindex=1
-
-# No wallet
-disablewallet=1
-
-# ZeroMQ Notification Settings
-zmqpubhashblock=tcp://0.0.0.0:9502
-zmqpubrawtx=tcp://0.0.0.0:9501
diff --git a/docker/my-dojo/bitcoin/restart.sh b/docker/my-dojo/bitcoin/restart.sh
index 8a53527..69b0ae1 100644
--- a/docker/my-dojo/bitcoin/restart.sh
+++ b/docker/my-dojo/bitcoin/restart.sh
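Review bot: `addgroup --system -gid 1107 tor` hard-codes a GID whose only purpose is to equal the tor group created in docker/my-dojo/tor/Dockerfile; read access to the shared data-tor volume works solely through that numeric match, and neither file says so. A comment above the RUN would make the coupling visible: `# GID 1107 must equal the tor group in tor/Dockerfile: bitcoind reads the data-tor volume via group membership`. Since the bitcoin user is no longer created on the tor side (tor/Dockerfile hunk), the 1105/1108 values here are now its only definition, which is worth stating in the same comment.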
@@ -3,6 +3,18 @@ set -e
 echo "## Start bitcoind #############################"
 bitcoind -datadir=/home/bitcoin/.bitcoin \
+ -server=1 \
+ -listen=1 \
+ -bind=172.28.1.5 \
+ -port=8333 \
+ -proxy=172.28.1.4:9050 \
+ -rpcport=28256 \
+ -rpcallowip=::/0 \
+ -rpcbind=172.28.1.5 \
+ -txindex=1 \
+ -disablewallet=1 \
+ -zmqpubhashblock=tcp://0.0.0.0:9502 \
+ -zmqpubrawtx=tcp://0.0.0.0:9501 \
 -dbcache=$BITCOIND_DB_CACHE \
 -dnsseed=$BITCOIND_DNSSEED \
 -dns=$BITCOIND_DNS \
@@ -11,4 +23,5 @@ bitcoind -datadir=/home/bitcoin/.bitcoin \
 -maxconnections=$BITCOIND_MAX_CONNECTIONS \
 -maxmempool=$BITCOIND_MAX_MEMPOOL \
 -mempoolexpiry=$BITCOIND_MEMPOOL_EXPIRY \
- -minrelaytxfee=$BITCOIND_MIN_RELAY_TX_FEE
+ -minrelaytxfee=$BITCOIND_MIN_RELAY_TX_FEE \
+ -externalip=$(cat /var/lib/tor/hsv2bitcoind/hostname)
\ No newline at end of file
diff --git a/docker/my-dojo/conf/docker-bitcoind.conf.tpl b/docker/my-dojo/conf/docker-bitcoind.conf.tpl
index 9957409..0202c87 100644
--- a/docker/my-dojo/conf/docker-bitcoind.conf.tpl
+++ b/docker/my-dojo/conf/docker-bitcoind.conf.tpl
@@ -29,4 +29,9 @@ BITCOIND_MEMPOOL_EXPIRY=72
 # Min relay tx fee in BTC
 # Type: numeric
-BITCOIND_MIN_RELAY_TX_FEE=0.00001
\ No newline at end of file
+BITCOIND_MIN_RELAY_TX_FEE=0.00001
+
+# Generate a new onion address for bitcoind when Dojo is launched
+# Activation of this option is recommended for improved privacy.
+# Values: on | off
+BITCOIND_EPHEMERAL_HS=on
\ No newline at end of file
diff --git a/docker/my-dojo/docker-compose.yaml b/docker/my-dojo/docker-compose.yaml
index 0b23996..b214e77 100644
--- a/docker/my-dojo/docker-compose.yaml
+++ b/docker/my-dojo/docker-compose.yaml
@@ -30,11 +30,13 @@ services:
 restart: on-failure
 command: "/wait-for-it.sh tor:9050 --timeout=360 --strict -- /restart.sh"
 expose:
+ - "8333"
 - "28256"
 - "9501"
 - "9502"
 volumes:
 - data-bitcoind:/home/bitcoin/.bitcoin
+ - data-tor:/var/lib/tor
 depends_on:
 - db
 - tor
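Review bot: `-port=8333` (together with `-bind=172.28.1.5` here and `- "8333"` under expose in docker-compose.yaml) does not match the hidden service added in docker/my-dojo/tor/torrc, whose `HiddenServicePort 18333 172.28.1.5:18333` forwards the testnet default port to a port nothing in this patch listens on, so inbound Tor connections to the announced onion address would be refused. Either that torrc line should become `HiddenServicePort 8333 172.28.1.5:8333` or bitcoind should be started with `-port=18333`; the virtual port has to equal the port bitcoind announces together with `-externalip`, and nothing in the hunk overrides the -port value for that. `-rpcallowip=::/0`, carried over from the deleted bitcoin.conf, still admits RPC from any address that can reach 172.28.1.5; limiting it to the compose network's range (e.g. `-rpcallowip=172.28.1.0/24`, to be matched against the dojonet subnet defined in docker-compose.yaml) would be the least-privilege setting. The bitcoind command line starts on a context line and continues past the end of this hunk.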
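Review bot: `-externalip=$(cat /var/lib/tor/hsv2bitcoind/hostname)` silently passes an empty value when the hostname file is missing: `set -e` (visible in the first hunk header) does not act on a failed substitution used as an argument, and with BITCOIND_EPHEMERAL_HS=on dojo.sh deletes that directory at every stop, so it only exists again once tor has recreated it, while the compose command waits for tor:9050 rather than for the file. Reading it first makes the failure explicit and lets compose's `restart: on-failure` retry: `onion_addr=$(cat /var/lib/tor/hsv2bitcoind/hostname)` before the bitcoind line and `-externalip="$onion_addr"` here. How bitcoind treats an empty -externalip is not shown in the patch, so the script should not depend on it. The expansion should be quoted in any case.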
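Review bot: `- data-tor:/var/lib/tor` mounts Tor's whole data volume read-write into the bitcoind container, although restart.sh in this patch only reads /var/lib/tor/hsv2bitcoind/hostname. `- data-tor:/var/lib/tor:ro` is all the start script needs and prevents a misbehaving or compromised bitcoind from altering hidden-service directories or Tor state. The read still depends on the numeric gid 1107 match set up in bitcoin/Dockerfile; that dependency deserves a short comment next to the mount.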
@@ -96,9 +98,7 @@ services:
 env_file:
 - ./.env
 restart: on-failure
- command: tor
- ports:
- - "80:80"
+ command: /restart.sh
 volumes:
 - data-tor:/var/lib/tor
 networks:
@@ -124,7 +124,6 @@ networks:
 volumes:
 data-mysql:
 data-bitcoind:
- data-bitcoind-tor:
 data-nodejs:
 data-nginx:
 data-tor:
diff --git a/docker/my-dojo/dojo.sh b/docker/my-dojo/dojo.sh
index f9265fb..a49fe1a 100755
--- a/docker/my-dojo/dojo.sh
+++ b/docker/my-dojo/dojo.sh
@@ -18,6 +18,10 @@ start() {
 # Stop
 stop() {
+ if [ "$BITCOIND_EPHEMERAL_HS" = "on" ]; then
+ docker exec -it tor rm -rf /var/lib/tor/hsv2bitcoind
+ fi
+
 docker exec -it bitcoind bitcoin-cli \
 -rpcconnect=bitcoind \
 --rpcport=28256 \
@@ -33,6 +37,10 @@ stop() {
 # Restart dojo
 restart() {
+ if [ "$BITCOIND_EPHEMERAL_HS" = "on" ]; then
+ docker exec -it tor rm -rf /var/lib/tor/hsv2bitcoind
+ fi
+
 docker exec -it bitcoind bitcoin-cli \
 -rpcconnect=bitcoind \
 --rpcport=28256 \
@@ -96,7 +104,8 @@ upgrade() {
 if [ $launchUpgrade -eq 0 ]; then
 update_config_files
- docker-compose build
+ cleanup
+ docker-compose build --no-cache
 docker-compose up -d --remove-orphans
 update_dojo_db
 docker-compose logs --tail=0 --follow
@@ -107,9 +116,11 @@ upgrade() {
 onion() {
 V2_ADDR=$( docker exec -it tor cat /var/lib/tor/hsv2dojo/hostname )
 V3_ADDR=$( docker exec -it tor cat /var/lib/tor/hsv3dojo/hostname )
+ V2_ADDR_BTCD=$( docker exec -it tor cat /var/lib/tor/hsv2bitcoind/hostname )
- echo "API Hidden Service address (v3) = $V3_ADDR"
- echo "API Hidden Service address (v2) = $V2_ADDR"
+ echo "API hidden service address (v3) = $V3_ADDR"
+ echo "API hidden service address (v2) = $V2_ADDR"
+ echo "bitcoind hidden service address (v2) = $V2_ADDR_BTCD"
 }
 # Display the version of this dojo
diff --git a/docker/my-dojo/install/upgrade-scripts.sh b/docker/my-dojo/install/upgrade-scripts.sh
index 45f0e18..0ac4071 100755
--- a/docker/my-dojo/install/upgrade-scripts.sh
+++ b/docker/my-dojo/install/upgrade-scripts.sh
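Review bot: The `if [ "$BITCOIND_EPHEMERAL_HS" = "on" ]; then … fi` block added to stop() is duplicated verbatim in restart() in the following hunk; a helper such as `remove_bitcoind_hs() { docker exec tor rm -rf /var/lib/tor/hsv2bitcoind; }` called from both keeps the two paths from drifting. `-it` is unnecessary for a non-interactive `rm` and makes the command fail when dojo.sh runs without a terminal. The check relies on BITCOIND_EPHEMERAL_HS being in the shell's environment; whether dojo.sh loads conf/docker-bitcoind.conf before this point is not visible in the hunk, and if it does not, the branch is never taken and the address silently stays static despite the documented default of on. The directory is removed while tor is still running, so the new address only exists after tor's next start, presumably the compose restart that follows.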
@@ -52,4 +52,14 @@ update_config_file() {
 # Update dojo database
 update_dojo_db() {
 docker exec -d db /update-db.sh
-}
\ No newline at end of file
+}
+
+# Clean-up
+cleanup() {
+ #################
+ # Clean-up v1.1.0
+ #################
+
+ # Remove deprecated bitcoin.conf file
+ rm ./bitcoin/bitcoin.conf
+}
diff --git a/docker/my-dojo/tor/Dockerfile b/docker/my-dojo/tor/Dockerfile
index 60cd36d..59578f2 100644
--- a/docker/my-dojo/tor/Dockerfile
+++ b/docker/my-dojo/tor/Dockerfile
@@ -23,11 +23,6 @@ RUN set -ex && \
 RUN addgroup --system -gid 1107 tor && \
 adduser --system --ingroup tor -uid 1104 tor
-# Create group & user bitcoin and add user to tor group
-RUN addgroup --system -gid 1108 bitcoin && \
- adduser --system --ingroup bitcoin -uid 1105 bitcoin && \
- usermod -a -G tor bitcoin
-
 # Create /etc/tor directory
 RUN mkdir -p /etc/tor/ && \
 chown -Rv tor:tor /etc/tor
@@ -35,12 +30,19 @@ RUN mkdir -p /etc/tor/ && \
 # Create .tor subdirectory of TOR_HOME
 RUN mkdir -p "$TOR_HOME/.tor" && \
 chown -Rv tor:tor "$TOR_HOME" && \
- chmod -R 700 "$TOR_HOME"
+ chmod -R 750 "$TOR_HOME"
 # Copy Tor configuration file
 COPY ./torrc /etc/tor/torrc
 RUN chown tor:tor /etc/tor/torrc
+# Copy restart script
+COPY ./restart.sh /restart.sh
+
+RUN chown tor:tor /restart.sh && \
+ chmod u+x /restart.sh && \
+ chmod g+x /restart.sh
+
 # Copy wait-for-it script
 COPY ./wait-for-it.sh /wait-for-it.sh
diff --git a/docker/my-dojo/tor/restart.sh b/docker/my-dojo/tor/restart.sh
new file mode 100644
index 0000000..24921ba
--- /dev/null
+++ b/docker/my-dojo/tor/restart.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+# Set permissions for bitcoind
+echo "## Set permissions on /var/lib/tor dir ###"
+chmod 750 /var/lib/tor
+
+echo "## Start tor #############################"
+tor
\ No newline at end of file
diff --git a/docker/my-dojo/tor/torrc b/docker/my-dojo/tor/torrc
index a04fbdc..f4ef057 100644
--- a/docker/my-dojo/tor/torrc
+++ b/docker/my-dojo/tor/torrc
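Review bot: `rm ./bitcoin/bitcoin.conf` in cleanup() fails on every upgrade after the first, because the file is already gone, and the relative path only resolves if the caller's working directory is docker/my-dojo, which the hunk does not show. `rm -f -- ./bitcoin/bitcoin.conf` makes the step idempotent; an absolute path derived from the script's own location would remove the cwd dependency. If the caller runs under `set -e` (not visible here), the non-idempotent rm aborts upgrade() before `docker-compose build` runs.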
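Review bot: `tor` on the last line of the new tor/restart.sh runs as a child of bash, so with `command: /restart.sh` in docker-compose.yaml the shell stays PID 1 and the SIGTERM sent by `docker stop` is not forwarded to tor, which is then killed after the grace period without a clean shutdown; `exec tor` fixes that. `chmod 750 /var/lib/tor` is non-recursive, which is the right scope for letting group tor traverse the volume to the hidden-service hostname, and the comment above it should say so: `# Non-recursive on purpose: only let group tor (bitcoind container) traverse the volume to reach hsv2bitcoind/hostname`. In tor/Dockerfile (previous hunk) `chmod -R 750 "$TOR_HOME"` is recursive and, if $TOR_HOME is /var/lib/tor (not shown), also opens the .tor DataDirectory to the group, which is wider than this script needs.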
@@ -19,17 +19,7 @@ SocksPolicy reject *
 ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
 DataDirectory /var/lib/tor/.tor
-
-## The port on which Tor will listen for local connections from Tor
-## controller applications, as documented in control-spec.txt.
-
-ControlPort 9051
-
-## If you enable the controlport, be sure to enable one of these
-## authentication methods, to prevent attackers from accessing it.
-
-CookieAuthentication 1
-CookieAuthFileGroupReadable 1
+DataDirectoryGroupReadable 1
 ############### This section is just for location-hidden services ###
@@ -47,3 +37,8 @@ HiddenServicePort 80 172.29.1.3:80
 HiddenServiceDir /var/lib/tor/hsv3dojo
 HiddenServiceVersion 3
 HiddenServicePort 80 172.29.1.3:80
+
+HiddenServiceDir /var/lib/tor/hsv2bitcoind
+HiddenServiceVersion 2
+HiddenServicePort 18333 172.28.1.5:18333
+HiddenServiceDirGroupReadable 1
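Review bot: `DataDirectoryGroupReadable 1` opens the whole /var/lib/tor/.tor DataDirectory (state and cache files) to group tor, which the bitcoind container's user joins in this patch, while bitcoind only needs hsv2bitcoind/hostname. The option seems required only because tor/Dockerfile now runs `chmod -R 750 "$TOR_HOME"`; if $TOR_HOME is /var/lib/tor (not shown in the hunk) that sweeps in .tor, whose permissions Tor, as far as I recall, resets to 0700 at startup unless this option is set. Keeping the DataDirectory at 0700 (`chmod 750 "$TOR_HOME" && chmod 700 "$TOR_HOME/.tor"` in the Dockerfile) and dropping this line preserves the least-privilege boundary that the removal of ControlPort and cookie authentication otherwise improves.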
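Review bot: `HiddenServiceDirGroupReadable 1` makes the entire hsv2bitcoind directory, including `private_key`, readable by group tor and hence by the bitcoind container, whereas the only file bitcoind's restart.sh reads is `hostname`. Tor offers no finer switch, so the trade-off deserves a comment in torrc: `# group-readable so the bitcoind container can read hostname; this also exposes private_key to gid tor`. An alternative that avoids it is for tor/restart.sh to copy only hostname to a group-readable location after tor starts, leaving the service directory private.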