ansible-role-onion-service/tasks/main.yml

- name: 'onion service container :{{ onion_service_virtual_port }} -> {{ onion_service_target }}'
  docker_container:
    name: '{{ onion_service_container_name }}'
    image: '{{ onion_service_container_image }}'
    env:
      VIRTUAL_PORT: '{{ onion_service_virtual_port | string }}'
      TARGET: '{{ onion_service_target }}'
      NON_ANONYMOUS_SINGLE_HOP_MODE: "{{ onion_service_non_anonymous_single_hop_mode | string }}"
    read_only: yes
    mounts:
    - type: volume
      source: '{{ onion_service_container_name }}_data'
      target: /var/lib/tor
      read_only: false
    - type: volume
      source: '{{ onion_service_container_name }}_key'
      target: /onion-service
      read_only: false
    - type: tmpfs
      target: /tmp # torrc
      # nosuid,nodev,noexec added by default
      tmpfs_mode: '1777'
      tmpfs_size: 4k
    networks: [name: '{{ onion_service_network_name }}']
    purge_networks: yes
    cap_drop: [ALL]
    security_opts: [no-new-privileges]
    cpu_quota: 8000
    cpu_period: 10000
    memory: 128M
    restart_policy: unless-stopped
    healthcheck: "{{ {'test': ['NONE']} if onion_service_disable_healthcheck else omit }}"
    state: '{{ onion_service_container_state }}'
  register: _container
- name: wait for onion service address
  wait_for:
    path: "{{ (_container.container.Mounts | items2dict(key_name='Destination', value_name='Source'))['/onion-service'] }}/hostname"
  register: _address_file
  when: _container.container.State.Running | default(False)
- name: read onion service address
  slurp:
    src: '{{ _address_file.path }}'
  register: _address_base64
  when: not (_address_file.skipped | default(False))
- name: decode onion service address
  set_fact:
    onion_service_address: '{{ _address_base64.content | b64decode | trim }}'
  when: not (_address_base64.skipped | default(False))