From d91cb373032c6ced2ee9dac3fe2d4a5a6a326942 Mon Sep 17 00:00:00 2001 From: Sam Al-Sapti Date: Sat, 10 Feb 2024 20:03:04 +0100 Subject: [PATCH] Add Tor --- group_vars/publicservers/vars.yml | 4 +++ group_vars/publicservers/vault.yml | 29 ++++++++++++------- roles/apps/defaults/main.yml | 8 +++++ roles/apps/tasks/main.yml | 6 ++++ roles/apps/templates/caddy/Caddyfile.j2 | 10 ++++--- .../templates/compose-files/nextcloud.yml.j2 | 4 ++- roles/apps/templates/compose-files/tor.yml.j2 | 22 ++++++++++++++ .../templates/compose-files/website.yml.j2 | 9 ++++++ .../apps/templates/nginx/conf.d/ipfs.conf.j2 | 4 +-- .../templates/nginx/conf.d/monerod.conf.j2 | 2 +- .../templates/nginx/conf.d/nextcloud.conf.j2 | 2 +- 11 files changed, 81 insertions(+), 19 deletions(-) create mode 100644 roles/apps/templates/compose-files/tor.yml.j2 diff --git a/group_vars/publicservers/vars.yml b/group_vars/publicservers/vars.yml index 9676e2d..baf39b3 100644 --- a/group_vars/publicservers/vars.yml +++ b/group_vars/publicservers/vars.yml @@ -5,6 +5,10 @@ apps_include: - caddy - searxng - website + - tor - watchtower searxng_secret_key: "{{ vault_searxng_secret_key }}" + +tor_keys: + website: "{{ vault_tor_keys.website }}" diff --git a/group_vars/publicservers/vault.yml b/group_vars/publicservers/vault.yml index 088fabf..7050435 100644 --- a/group_vars/publicservers/vault.yml +++ b/group_vars/publicservers/vault.yml 
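Review bot: `tor_keys` is the mapping that the new tor compose template reads an onion private key out of for every app in `apps_torified`, and nothing at the definition says so or says that the values are private keys; a comment above it such as `# Onion-service private keys (vault-backed): one mandatory entry per app that has an onion set in apps_vars` would make the coupling visible. Because `apps_torified` is derived from `apps_vars` rather than from this mapping, an app that later gains an `onion` address without a matching entry here only fails at template time with an undefined-variable error, so the comment should say the entry is required.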
@@ -1,11 +1,20 @@ $ANSIBLE_VAULT;1.1;AES256 -61623537323039313538373562663036346638653365326439373333333236613163633764343665 -3434613163333131343732316662303065646462343135300a613630313234316663336437643662 -61323861313833383830303732306433653339326231313466643131616438353836666661306564 -6535383837633264650a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a326537393533633133663939666463 +37376165336632383734386366336536366638646338316361643339383933613731323834313835 +3433613962613932660a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diff --git a/roles/apps/defaults/main.yml b/roles/apps/defaults/main.yml index 1db4f70..9bc944d 100644 --- a/roles/apps/defaults/main.yml +++ b/roles/apps/defaults/main.yml @@ -6,6 +6,7 @@ apps_base_domain: "{{ base_domain }}" apps_local_domain: local.{{ apps_base_domain }} apps_shared_docker_network: apps_network apps_postfix_docker_network: postfix_network +apps_tor_docker_network: tor_network apps_vars: caddy: @@ -35,6 +36,8 @@ apps_vars: extra_tasks: true domain: ipfs.{{ apps_local_domain }} gateway_domain: ipfs-gateway.{{ apps_base_domain }} + port: 5001 + gateway_port: 8080 version: v0.25.0 monerod: @@ -42,6 +45,7 @@ apps_vars: sender: false extra_tasks: true domain: xmr.{{ apps_local_domain }} + port: 18089 version: latest nextcloud: @@ -49,6 +53,7 @@ apps_vars: sender: true extra_tasks: true domain: cloud.{{ apps_base_domain }} + port: 80 version: 28-apache redis_version: 7-alpine @@ -57,6 +62,7 @@ apps_vars: sender: false extra_tasks: true domain: search.{{ apps_base_domain }} + port: 8080 version: latest redis_version: 7-alpine @@ -78,6 +84,7 @@ apps_vars: extra_tasks: false domain: samsapti.dev onion: mldhltdackluvnqso7vk2azcg3ghjxbpw4im6alubymqkonb4kppqcqd.onion + port: 80 version: latest restic: 
@@ -95,4 +102,5 @@ apps_vars: apps_include: "{{ apps_vars | dict2items | map(attribute='key') | list }}" apps_backup: "{{ apps_vars | dict2items | selectattr('value.backup', 'true') | map(attribute='key') | list | intersect(apps_include) }}" apps_proxied: "{{ apps_vars | dict2items | selectattr('value.domain', 'defined') | map(attribute='key') | list | intersect(apps_include) }}" +apps_torified: "{{ apps_vars | dict2items | selectattr('value.onion', 'defined') | map(attribute='key') | list | intersect(apps_include) }}" apps_senders: "{{ apps_vars | dict2items | selectattr('key', 'in', apps_include) | selectattr('value.sender', 'true') | map(attribute='value.domain') | list }}" diff --git a/roles/apps/tasks/main.yml b/roles/apps/tasks/main.yml index 5dcc86c..a3be64d 100644 --- a/roles/apps/tasks/main.yml +++ b/roles/apps/tasks/main.yml @@ -16,6 +16,12 @@ state: present when: "'postfix' in apps_include" +- name: Create Docker network for Tor + community.docker.docker_network: + name: "{{ apps_tor_docker_network }}" + state: present + when: "'tor' in apps_include" + - name: Create base directory for apps ansible.builtin.file: path: "{{ apps_data_root }}" diff --git a/roles/apps/templates/caddy/Caddyfile.j2 b/roles/apps/templates/caddy/Caddyfile.j2 index 66a5f1c..42bc8d6 100644 --- a/roles/apps/templates/caddy/Caddyfile.j2 +++ b/roles/apps/templates/caddy/Caddyfile.j2 @@ -1,7 +1,7 @@ {# code: language=ansible-jinja #} # THIS FILE IS MANAGED BY ANSIBLE -{% if 'searxng' in apps_include %} +{% if 'searxng' in apps_proxied %} {{ apps_vars.searxng.domain }} { tls {{ tls_email }} @@ -67,7 +67,7 @@ handle { encode zstd gzip - reverse_proxy searxng:8080 { + reverse_proxy searxng:{{ apps_vars.searxng.port }} { header_up X-Forwarded-Port {http.request.port} header_up X-Forwarded-Proto {http.request.scheme} header_up X-Real-IP {remote_host} 
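Review bot: `apps_torified` filters on `value.onion` alone, but the tor compose template in this commit also reads `apps_vars[app].port` and `tor_keys[app]` for every selected entry, so the real precondition is wider than the expression shows; a comment above the line, `# apps that also get an onion service: needs value.onion, value.port and a matching tor_keys entry`, would document that. The filter deliberately does not check that `tor` itself is in `apps_include`, which is why the Caddyfile tests both conditions; that is fine but worth stating in the same comment so nobody "simplifies" the Caddyfile guard later.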
@@ -76,7 +76,7 @@ } {% endif %} -{% if 'website' in apps_include %} +{% if 'website' in apps_proxied %} {{ apps_base_domain }}, www.{{ apps_base_domain }}, www.{{ apps_vars.website.domain }} { @@ -104,10 +104,12 @@ www.{{ apps_vars.website.domain }} { header { Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" +{% if 'tor' in apps_include and 'website' in apps_torified %} Onion-Location "http://{{ apps_vars.website.onion }}{uri}" +{% endif %} -Server } - reverse_proxy website:80 + reverse_proxy website:{{ apps_vars.website.port }} } {% endif %} \ No newline at end of file diff --git a/roles/apps/templates/compose-files/nextcloud.yml.j2 b/roles/apps/templates/compose-files/nextcloud.yml.j2 index 9d300f8..160c367 100644 --- a/roles/apps/templates/compose-files/nextcloud.yml.j2 +++ b/roles/apps/templates/compose-files/nextcloud.yml.j2 @@ -36,10 +36,12 @@ services: PHP_UPLOAD_LIMIT: 16G networks: default: - {{ apps_postfix_docker_network }}: {{ apps_shared_docker_network }}: aliases: - nextcloud +{% if 'postfix' in apps_include %} + {{ apps_postfix_docker_network }}: +{% endif %} volumes: - "./data/app:/var/www/html:rw" - "./data/apache2/remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro" diff --git a/roles/apps/templates/compose-files/tor.yml.j2 b/roles/apps/templates/compose-files/tor.yml.j2 new file mode 100644 index 0000000..1b35a52 --- /dev/null +++ b/roles/apps/templates/compose-files/tor.yml.j2 
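Review bot: The `Onion-Location` value uses `http://` for the onion address inside a TLS-only site block, and Tor Browser honors the header only when the page that sets it is served over HTTPS; neither fact is obvious to a reader who later spots a plain-http URL here, so add a comment above the `{% if %}` line, `# http:// is intentional: the onion address authenticates the service, and the header is only honored on this HTTPS page`. The guard repeats the `'tor' in apps_include` test because `apps_torified` does not include it, which is correct as written. The enclosing `www.{{ apps_vars.website.domain }}` site block starts before this hunk.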
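Review bot: The service-level `{{ apps_postfix_docker_network }}:` attachment is now guarded by `'postfix' in apps_include`, but the file's top-level `networks:` block, which presumably declares that network as `external: true`, is outside this hunk and I cannot see whether it received the same guard; website.yml.j2 in this commit wraps both places in one `{% if %}`, so this template should do the same, otherwise the rendered file still declares an external network that the tasks never create when postfix is omitted, which compose may reject. `apps_vars.nextcloud.sender` stays `true` regardless, so a nextcloud deployed without postfix is still listed in `apps_senders`; if that is intended, a one-line comment on the guard saying so would help.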
@@ -0,0 +1,22 @@ +{# code: language=ansible-jinja #} +# THIS FILE IS MANAGED BY ANSIBLE + +version: "3.8" + +services: + app: + image: goldy/tor-hidden-service:{{ apps_vars.tor.version }} + restart: always + environment: +{% for app in apps_torified|sort %} + {{ app | upper }}_TOR_SERVICE_HOSTS: 80:{{ app }}:{{ apps_vars[app].port }} + {{ app | upper }}_TOR_SERVICE_VERSION: '3' + {{ app | upper }}_TOR_SERVICE_KEY: | + {{ tor_keys[app] | indent(width=8) }} +{% endfor %} + networks: + - {{ apps_tor_docker_network }} + +networks: + {{ apps_tor_docker_network }}: + external: true diff --git a/roles/apps/templates/compose-files/website.yml.j2 b/roles/apps/templates/compose-files/website.yml.j2 index 208b268..397c3a7 100644 --- a/roles/apps/templates/compose-files/website.yml.j2 +++ b/roles/apps/templates/compose-files/website.yml.j2 @@ -11,7 +11,16 @@ services: {{ apps_shared_docker_network }}: aliases: - website +{% if 'tor' in apps_include %} + {{ apps_tor_docker_network }}: + aliases: + - website +{% endif %} networks: {{ apps_shared_docker_network }}: external: true +{% if 'tor' in apps_include %} + {{ apps_tor_docker_network }}: + external: true +{% endif %} diff --git a/roles/apps/templates/nginx/conf.d/ipfs.conf.j2 b/roles/apps/templates/nginx/conf.d/ipfs.conf.j2 index 3691f9d..8fde97b 100644 --- a/roles/apps/templates/nginx/conf.d/ipfs.conf.j2 +++ b/roles/apps/templates/nginx/conf.d/ipfs.conf.j2 @@ -5,7 +5,7 @@ server { server_name {{ apps_vars.ipfs.domain }}; listen 8080; - set $upstream http://ipfs:5001; + set $upstream http://ipfs:{{ apps_vars.ipfs.port }}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; @@ -25,7 +25,7 @@ server { listen 8080; server_name ~^([\w-]+\.(ipfs|ipns)\.)?{{ apps_vars.ipfs.gateway_domain | replace('.', '\.') }}$; - set $upstream http://ipfs:8080; + set $upstream http://ipfs:{{ apps_vars.ipfs.gateway_port }}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; 
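Review bot: `_TOR_SERVICE_KEY` puts the onion service's private key into the container environment, and once Ansible renders this template the compose file on the host holds that key in clear text; the task that writes compose files is not in this diff, so confirm it sets `mode: "0600"` and `no_log: true`, and add a comment above the loop such as `# _TOR_SERVICE_KEY carries the onion private key: readable via docker inspect and in the rendered compose file` so the exposure is explicit. Since `watchtower` is in `apps_include` for this host and presumably watches every container, `goldy/tor-hidden-service:{{ apps_vars.tor.version }}` should resolve to an exact release tag or a digest rather than a floating tag, or the container holding the identity key gets silently replaced on every upstream push. I also do not see a `tor` entry under `apps_vars` anywhere in this diff, so `apps_vars.tor.version` relies on one that already exists; if it does not, the template fails on an undefined variable. For consistency with the quoted `'3'` on the next line, the host mapping could be quoted as well, `{{ app | upper }}_TOR_SERVICE_HOSTS: "80:{{ app }}:{{ apps_vars[app].port }}"`.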
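Review bot: The guard on the new `{{ apps_tor_docker_network }}` attachment is only `'tor' in apps_include`, so the website container joins the Tor network as soon as the Tor service is deployed, even if `website` has no `onion` configured; the Caddyfile in this commit tests `'tor' in apps_include and 'website' in apps_torified`, and using the same condition here, `{% if 'tor' in apps_include and 'website' in apps_torified %}`, keeps the container off that network unless it is actually published through it. The top-level `networks:` guard at the bottom of the hunk would need the same change.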
diff --git a/roles/apps/templates/nginx/conf.d/monerod.conf.j2 b/roles/apps/templates/nginx/conf.d/monerod.conf.j2 index 47f2a32..2a59fec 100644 --- a/roles/apps/templates/nginx/conf.d/monerod.conf.j2 +++ b/roles/apps/templates/nginx/conf.d/monerod.conf.j2 @@ -5,7 +5,7 @@ server { server_name {{ apps_vars.monerod.domain }}; listen 8080; - set $upstream http://monerod:18089; + set $upstream http://monerod:{{ apps_vars.monerod.port }}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; diff --git a/roles/apps/templates/nginx/conf.d/nextcloud.conf.j2 b/roles/apps/templates/nginx/conf.d/nextcloud.conf.j2 index 957f2e1..fd8660e 100644 --- a/roles/apps/templates/nginx/conf.d/nextcloud.conf.j2 +++ b/roles/apps/templates/nginx/conf.d/nextcloud.conf.j2 @@ -5,7 +5,7 @@ server { server_name {{ apps_vars.nextcloud.domain }}; listen 8080; - set $upstream http://nextcloud:80; + set $upstream http://nextcloud:{{ apps_vars.nextcloud.port }}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr;