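---
# Run the onion-service container, then read back the generated hostname
# from the /onion-service volume and publish it as `onion_service_address`.
#
# Booleans are written as `true`/`false` (same parsed value as the former
# `yes` under Ansible's YAML 1.1 loader) so the file passes yamllint `truthy`
# and reads consistently with the `read_only: false` entries in `mounts`.

- name: 'onion service container :{{ onion_service_virtual_port }} -> {{ onion_service_target }}'
  docker_container:
    name: '{{ onion_service_container_name }}'
    image: '{{ onion_service_container_image }}'
    env:
      # Container env values must be strings; `| string` keeps a numeric or
      # boolean-looking variable from being passed through with a typed value.
      VIRTUAL_PORT: '{{ onion_service_virtual_port | string }}'
      TARGET: '{{ onion_service_target }}'
      NON_ANONYMOUS_SINGLE_HOP_MODE: "{{ onion_service_non_anonymous_single_hop_mode | string }}"
    # Root filesystem is immutable; the only writable paths are the mounts below.
    read_only: true
    mounts:
      - type: volume
        source: '{{ onion_service_container_name }}_data'
        target: /var/lib/tor
        read_only: false
      - type: volume
        source: '{{ onion_service_container_name }}_key'
        target: /onion-service
        read_only: false
      - type: tmpfs
        target: /tmp  # torrc
        # nosuid,nodev,noexec added by default
        tmpfs_mode: '1777'
        tmpfs_size: 4k
    networks:
      - name: '{{ onion_service_network_name }}'
    purge_networks: true
    # Least privilege: no capabilities, and no privilege gain via setuid/setcap binaries.
    cap_drop: [ALL]
    security_opts: [no-new-privileges]
    cpu_quota: 8000
    cpu_period: 10000
    memory: 128M
    restart_policy: unless-stopped
    # `{'test': ['NONE']}` switches the health check off when
    # onion_service_disable_healthcheck is set; `omit` leaves the module default.
    healthcheck: "{{ {'test': ['NONE']} if onion_service_disable_healthcheck else omit }}"
    state: '{{ onion_service_container_state }}'
  register: _container

- name: wait for onion service address
  wait_for:
    # Map the container's mount list Destination -> Source and take the
    # host-side path of /onion-service; the hostname file lives inside it.
    path: "{{ (_container.container.Mounts | items2dict(key_name='Destination', value_name='Source'))['/onion-service'] }}/hostname"
  register: _address_file
  # Only meaningful while the container is running; `default(False)` covers
  # the case where no container facts were returned (e.g. state absent).
  when: _container.container.State.Running | default(False)

- name: read onion service address
  slurp:
    src: '{{ _address_file.path }}'
  register: _address_base64
  # Skipped tasks carry `skipped: true`; guard so the chain stays consistent.
  when: not (_address_file.skipped | default(False))

- name: decode onion service address
  set_fact:
    onion_service_address: '{{ _address_base64.content | b64decode | trim }}'
  when: not (_address_base64.skipped | default(False))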