
move tor data directory to mount point /var/lib/tor

Fabian Peter Hammerle 3 years ago
parent
commit
8d6514c2bd
5 changed files with 32 additions and 6 deletions
  1. 8 0
      CHANGELOG.md
  2. 3 4
      Dockerfile
  3. 6 0
      README.md
  4. 12 2
      ansible-playbook.yml
  5. 3 0
      torrc.template

+ 8 - 0
CHANGELOG.md

@@ -5,6 +5,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- create mount point at `/var/lib/tor`
+  to be able to make container's root filesystem read-only
+
+### Changed
+- moved tor's data directory from `/home/onion/.tor` to `/var/lib/tor`
+- run `tor` as user `tor` instead of `onion`
+- ansible-playbook: read-only root filesystem
 
 ## [0.1.1] - 2020-09-27
 ### Fixed

+ 3 - 4
Dockerfile

@@ -3,8 +3,7 @@ FROM alpine:3.12
 
 ARG TOR_PACKAGE_VERSION=0.4.3.5-r0
 ARG OBFS4PROXY_PACKAGE_VERSION=0.0.11-r2
-RUN adduser -S onion \
-    && apk add --no-cache tor=$TOR_PACKAGE_VERSION \
+RUN apk add --no-cache tor=$TOR_PACKAGE_VERSION \
     && apk add --no-cache obfs4proxy=$OBFS4PROXY_PACKAGE_VERSION \
         --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing
 
@@ -21,6 +20,6 @@ COPY torrc.template entrypoint.sh /
 RUN chmod -c a+rX /torrc.template /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 
-USER onion
-
+USER tor
+VOLUME /var/lib/tor
 CMD ["tor", "-f", "/tmp/torrc"]
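Review bot: `VOLUME /var/lib/tor` is declared right after `USER tor` with no visible step that creates the directory owned by `tor` with mode 0700, and since `adduser -S onion` was removed the `tor` account now has to come from the apk package (presumably its install script creates it — confirm). A named volume first mounted at that path copies the ownership and mode of the image's directory, so if the package does not already set them, tor running unprivileged cannot write its identity keys, and tor treats a group- or world-accessible DataDirectory as a fatal error by default. Adding `RUN mkdir -p /var/lib/tor && chown tor:tor /var/lib/tor && chmod 700 /var/lib/tor` before the `VOLUME` line makes the expectation explicit regardless of what the package does.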

+ 6 - 0
README.md

@@ -18,6 +18,12 @@ docker run --name tor_obfs4_bridge \
     fphammerle/tor-obfs4-bridge
 ```
 
+add `-v tor_obfs4_bridge_data:/var/lib/tor` to keep server's identity key
+when restarting the container
+
+additionally add `--read-only --tmpfs /tmp:rw,size=4k`
+to make the container's root filesystem read only
+
 verify status of bridge at  https://metrics.torproject.org/rs.html
 
 ## further reading

+ 12 - 2
ansible-playbook.yml

@@ -7,13 +7,23 @@
   tasks:
   - docker_container:
       name: tor_obfs4_bridge
-      image: fphammerle/tor-obfs4-bridge@sha256:80bd5004b44abb91f6c6385bd46fb5fe18d6baf6f5717253e2fa0b7cd8d52b5e
+      # TODO replace tag with fingerprint
+      image: fphammerle/tor-obfs4-bridge:1.0.0-tor0.4.3.5-obfs4proxy0.0.11-amd64
       env:
         OR_PORT: '{{ or_port }}'
         PT_PORT: '{{ pt_port }}'
         CONTACT_INFO: '{{ contact_info }}'
+      volumes:
+      - tor_obfs4_bridge:/var/lib/tor
+      mounts:
+      - type: tmpfs
+        target: /tmp # torrc
+        # nosuid,nodev,noexec added by default
+        tmpfs_mode: '1777'
+        tmpfs_size: 4k
+      read_only: yes
       ports:
       - '{{ or_port }}:{{ or_port }}'
       - '{{ pt_port }}:{{ pt_port }}'
-      memory: 128M
+      memory: 256M
       restart_policy: unless-stopped
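Review bot: The `image:` line replaces the `@sha256:` digest with a mutable tag, so the playbook no longer pins the exact image content it deploys; the TODO records this, but the digest is what makes the pull verifiable, so prefer carrying both once the tag's digest is known, `image: fphammerle/tor-obfs4-bridge:1.0.0-tor0.4.3.5-obfs4proxy0.0.11-amd64@sha256:<DIGEST_OF_THAT_TAG>` (placeholder). Two smaller points in the same hunk: `read_only: yes` should be `read_only: true` (yamllint `truthy`; `yes` only works because the module coerces it), and the inline comment on `target: /tmp # torrc` needs two spaces before `#` per yamllint. The 4k tmpfs on `/tmp` has to hold the rendered torrc written by the entrypoint, which is outside this diff, so that fit cannot be checked here.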

+ 3 - 0
torrc.template

@@ -1,5 +1,8 @@
 Log notice stdout
 
+# default: ~/.tor
+DataDirectory /var/lib/tor
+
 # disable socks proxy
 SOCKSPort 0
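Review bot: The comment above `DataDirectory /var/lib/tor` records the old default but not why the path is overridden, which is what a later reader needs; suggest `# explicit path so a volume can hold the identity keys (default: ~/.tor)`. This ties the line to the `VOLUME /var/lib/tor` in the Dockerfile and the volume in the ansible playbook from the same commit.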