add persistent hidden service

README.md

@@ -6,7 +6,7 @@ Simple way to run a Monero node with some monitoring and anonymity tools package
 * [nodemapper](./dockerfiles/nodemapper.py) - gathers GeoIP data for peers
 * [Prometheus](https://prometheus.io/docs/introduction/overview/) - monitors the exporter
 * [Grafana](https://grafana.com/) - shows visualizations and dashboards
-* [tor](https://www.torproject.org/) - provides tx relays over tor proxy
+* [tor](https://www.torproject.org/) - provides tx relays over tor proxy and hidden service
 * [i2pd](https://i2pd.website/) - provides tx relays over i2p proxy
 
 
@@ -49,6 +49,8 @@ docker compose build
 docker compose up -d
 ```
 
+### Port Configurations
+
 The following ports will be bound for `monerod` by default, but you can override in `.env`:
 - 18080   # p2p
 - 18081   # restricted rpc
@@ -70,6 +72,20 @@ You will want to open/allow ports 18080 and 18081 in your firewall for usage as
 
 Also, you may want to setup a reverse proxy to Grafana if you would like to expose the visualizations for the world to see. Be sure to lock down the administrative settings or leave login disabled! You can see sample images below.
 
+### Onion Address
+
+Your `tor` container will be proxying outbound traffic (hiding transactions) and also allowing incoming connections to the Tor network (hidden service). A random onion address will be generated automatically. To view the address, either check the `monerod` container logs (it will be the first few lines), or read the file like so:
+
+```bash
+docker compose exec -ti tor cat /var/lib/tor/monerod/hostname
+```
+
+Load the URL in your Tor browser at port 18081 to confirm it's availability or for personal usage. http://<onion_address>:18081/get_info
+
+![](./static/tor.png)
+
+It may take a few minutes for it to be reachable. Check the tor container logs to monitor bootstrap progress.
+
 ## Usage
 
 It's fairly simple, use `docker compose` to bring the containers up and down and look at logs.

docker-compose.yaml

@@ -1,6 +1,7 @@
 volumes:
   grafana:
   prometheus:
+  tor:
 
 x-log-config: &log-config
   logging:
@@ -52,17 +53,17 @@ services:
       - ./files/grafana/dashboards:/var/lib/grafana/dashboards:ro
     environment:
       HOSTNAME: grafana
-      GF_SERVER_ROOT_URL: ${GRAFANA_URL}
+      GF_SERVER_ROOT_URL: ${GRAFANA_URL:-}
       GF_ANALYTICS_REPORTING_ENABLED: "false"
       GF_ANALYTICS_CHECK_FOR_UPDATES: "false"
       GF_USERS_ALLOW_SIGN_UP: "false"
       GF_USERS_ALLOW_ORG_CREATE: "false"
-      GF_LOG_LEVEL: "debug"
+      GF_LOG_LEVEL: "info"
       GF_AUTH_ANONYMOUS_ENABLED: "${GF_AUTH_ANONYMOUS_ENABLED:-true}"
       GF_AUTH_BASIC_ENABLED: "${GF_AUTH_BASIC_ENABLED:-false}"
       GF_AUTH_DISABLE_LOGIN_FORM: "${GF_AUTH_DISABLE_LOGIN_FORM:-true}"
-      GF_SECURITY_ADMIN_PASSWORD: "${GF_SECURITY_ADMIN_PASSWORD}"
+      GF_SECURITY_ADMIN_PASSWORD: "${GF_SECURITY_ADMIN_PASSWORD:-}"
-      GF_SECURITY_ADMIN_USER: "${GF_SECURITY_ADMIN_USER}"
+      GF_SECURITY_ADMIN_USER: "${GF_SECURITY_ADMIN_USER:-}"
     networks:
       - tor_net
     <<: *log-config
@@ -110,6 +111,8 @@ services:
     restart: unless-stopped
     # ports:
       # - 127.0.0.1:9050:9050
+    volumes:
+      - tor:/var/lib/tor/monerod
     networks:
       tor_net:
         ipv4_address: 172.31.255.250
@@ -137,30 +140,12 @@ services:
     restart: unless-stopped
     volumes:
       - ${DATA_DIR:-./data}:/data
+      - tor:/var/lib/tor/monerod:ro
     ports:
       - ${P2P_PORT:-18080}:18080                    # p2p
       - ${RESTRICTED_PORT:-18081}:18081             # restricted rpc
       - 127.0.0.1:${ZMQ_PORT:-18082}:18082          # zmq
       - 127.0.0.1:${UNRESTRICTED_PORT:-18083}:18083 # unrestricted rpc
-    command:
-      - monerod
-      - --data-dir=/data
-      - --p2p-bind-ip=0.0.0.0
-      - --p2p-bind-port=18080
-      - --rpc-restricted-bind-ip=0.0.0.0
-      - --rpc-restricted-bind-port=18081
-      - --zmq-rpc-bind-ip=0.0.0.0
-      - --zmq-rpc-bind-port=18082
-      - --rpc-bind-ip=0.0.0.0
-      - --rpc-bind-port=18083
-      - --non-interactive
-      - --confirm-external-bind
-      - --public-node
-      - --log-level=0
-      - --rpc-ssl=disabled
-      - --ban-list=/ban_list.txt
-      - --tx-proxy=tor,172.31.255.250:9050,disable_noise,24
-      - --tx-proxy=i2p,172.31.255.251:4447,disable_noise,24
     networks:
       - tor_net
     <<: *log-config

dockerfiles/monero

@@ -58,6 +58,10 @@ COPY --from=og /usr/local/bin/monerod /usr/local/bin/monerod
 COPY --from=og /usr/local/bin/monero-wallet-cli /usr/local/bin/monero-wallet-cli
 COPY --from=og /usr/local/bin/monero-wallet-rpc /usr/local/bin/monero-wallet-rpc
 COPY --from=og /tmp/ban_list.txt /ban_list.txt
+COPY ./dockerfiles/monerod_entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
 
 EXPOSE 18080
 EXPOSE 18081

dockerfiles/monerod_entrypoint.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+while [ ! -f /var/lib/tor/monerod/hostname ]; do
+    echo -e "[+] Waiting for onion address to be generated"
+    sleep 1
+done
+
+export ONION_ADDRESS=$(cat /var/lib/tor/monerod/hostname)
+
+echo "=========================================="
+echo "Your Monero RPC Onion address is: ${ONION_ADDRESS}"
+echo "=========================================="
+
+sleep 3
+
+monerod \
+    --data-dir=/data \
+    --p2p-bind-ip=0.0.0.0 \
+    --p2p-bind-port=18080 \
+    --rpc-restricted-bind-ip=0.0.0.0 \
+    --rpc-restricted-bind-port=18081 \
+    --zmq-rpc-bind-ip=0.0.0.0 \
+    --zmq-rpc-bind-port=18082 \
+    --rpc-bind-ip=0.0.0.0 \
+    --rpc-bind-port=18083 \
+    --non-interactive \
+    --confirm-external-bind \
+    --public-node \
+    --log-level=0 \
+    --rpc-ssl=disabled \
+    --ban-list=/ban_list.txt \
+    --anonymous-inbound=${ONION_ADDRESS}:18081,127.0.0.1:18089,24 \
+    --tx-proxy=tor,172.31.255.250:9050,disable_noise,24 \
+    --tx-proxy=i2p,172.31.255.251:4447,disable_noise,24

dockerfiles/tor

@@ -2,9 +2,9 @@ FROM ubuntu:22.04
 
 RUN apt-get update && apt-get install tor -y
 
-RUN mkdir -p /run/tor \
+RUN mkdir -p /run/tor /var/lib/tor/monerod \
-  && chown -R debian-tor:debian-tor /run/tor \
+  && chown -R debian-tor:debian-tor /run/tor /var/lib/tor/monerod \
-  && chmod 700 -R /run/tor
+  && chmod 700 -R /run/tor /var/lib/tor/monerod
 
 COPY dockerfiles/tor-config /etc/tor/torrc
 

dockerfiles/tor-config

@@ -5,3 +5,5 @@ IPv6Exit 0
 Log notice stdout
 PublishServerDescriptor 0
 SOCKSPort 0.0.0.0:9050
+HiddenServiceDir /var/lib/tor/monerod
+HiddenServicePort 18081 monerod:18081