support of inbound connections through Tor

doc/DOCKER_setup.md

@@ -21,7 +21,7 @@ MyDojo is a set of Docker containers providing a full Samourai backend composed
 
                                           ------------
                                                 |
-                  Host machine                  | (Tor - port 80)
+                  Host machine                  | (Tor hidden services)
                  ______________________________ | _____________________________
                 |                               |                              |
                 |                      -------------------                     |
@@ -78,6 +78,7 @@ This procedure allows to install a new Dojo from scratch.
       * BITCOIND_RPC_USER = login protecting the access to the RPC API of your full node,
       * BITCOIND_RPC_PASSWORD = password protecting the access to the RPC API of your full node.
       * If your machine has a lot of RAM, it's recommended that you increase the value of BITCOIND_DB_CACHE for a faster Initial Block Download.
+      * By default, Dojo creates a new onion address for your full node at each startup. Set the value of BITCOIND_EPHEMERAL_HS to 'off' to keep a static address (not recommended).
 
   * Edit docker-mysql.conf.tpl and provide a new value for the following parameters:
       * MYSQL_ROOT_PASSWORD = password protecting the root account of MySQL,
@@ -221,6 +222,6 @@ If OXT is selected as the default source for imports, OXT clearnet API is access
 
 The maintenance tool is accessed as a Tor hidden service (static onion address).
 
-The Bitcoin node only allows incoming connections from Tor (dynamic onion address).
+The Bitcoin node only allows incoming connections from Tor (static or dynamic onion address).
 
 The Bitcoin node attempts outgoing connections to both Tor and clearrnet nodes (through the Tor local proxy).

docker/my-dojo/bitcoin/Dockerfile

@@ -27,18 +27,17 @@ RUN     set -ex && \
         tar -xzvf bitcoin.tar.gz -C /usr/local --strip-components=1 --exclude=*-qt && \
         rm -rf /tmp/*
 
-# Create group & user bitcoin
+# Create groups bitcoin & tor
+# Create user bitcoin and add it to groups
 RUN     addgroup --system -gid 1108 bitcoin && \
-        adduser --system --ingroup bitcoin -uid 1105 bitcoin
+        addgroup --system -gid 1107 tor && \
+        adduser --system --ingroup bitcoin -uid 1105 bitcoin && \
+        usermod -a -G tor bitcoin
 
 # Create data directory
 RUN     mkdir "$BITCOIN_HOME/.bitcoin" && \
         chown -h bitcoin:bitcoin "$BITCOIN_HOME/.bitcoin"
 
-# Copy bitcoin config file
-COPY    ./bitcoin.conf "$BITCOIN_HOME/.bitcoin/bitcoin.conf"
-RUN     chown bitcoin:bitcoin "$BITCOIN_HOME/.bitcoin/bitcoin.conf"
-
 # Copy restart script
 COPY    ./restart.sh /restart.sh
 RUN     chown bitcoin:bitcoin /restart.sh && \

docker/my-dojo/bitcoin/restart.sh

@@ -3,6 +3,18 @@ set -e
 
 echo "## Start bitcoind #############################"
 bitcoind -datadir=/home/bitcoin/.bitcoin \
+  -server=1 \
+  -listen=1 \
+  -bind=172.28.1.5 \
+  -port=8333 \
+  -proxy=172.28.1.4:9050 \
+  -rpcport=28256 \
+  -rpcallowip=::/0 \
+  -rpcbind=172.28.1.5 \
+  -txindex=1 \
+  -disablewallet=1 \
+  -zmqpubhashblock=tcp://0.0.0.0:9502 \
+  -zmqpubrawtx=tcp://0.0.0.0:9501 \
   -dbcache=$BITCOIND_DB_CACHE \
   -dnsseed=$BITCOIND_DNSSEED \
   -dns=$BITCOIND_DNS \
@@ -11,4 +23,5 @@ bitcoind -datadir=/home/bitcoin/.bitcoin \
   -maxconnections=$BITCOIND_MAX_CONNECTIONS \
   -maxmempool=$BITCOIND_MAX_MEMPOOL \
   -mempoolexpiry=$BITCOIND_MEMPOOL_EXPIRY \
-  -minrelaytxfee=$BITCOIND_MIN_RELAY_TX_FEE
+  -minrelaytxfee=$BITCOIND_MIN_RELAY_TX_FEE \
+  -externalip=$(cat /var/lib/tor/hsv2bitcoind/hostname)

docker/my-dojo/conf/docker-bitcoind.conf.tpl

@@ -29,4 +29,9 @@ BITCOIND_MEMPOOL_EXPIRY=72
 
 # Min relay tx fee in BTC
 # Type: numeric
-BITCOIND_MIN_RELAY_TX_FEE=0.00001
+BITCOIND_MIN_RELAY_TX_FEE=0.00001
+
+# Generate a new onion address for bitcoind when Dojo is launched
+# Activation of this option is recommended for improved privacy.
+# Values: on | off
+BITCOIND_EPHEMERAL_HS=on

docker/my-dojo/docker-compose.yaml

@@ -30,11 +30,13 @@ services:
     restart: on-failure
     command: "/wait-for-it.sh tor:9050 --timeout=360 --strict -- /restart.sh"
     expose:
+      - "8333"
       - "28256"
       - "9501"
       - "9502"
     volumes:
       - data-bitcoind:/home/bitcoin/.bitcoin
+      - data-tor:/var/lib/tor
     depends_on:
       - db
       - tor
@@ -96,9 +98,7 @@ services:
     env_file:
       - ./.env
     restart: on-failure
-    command: tor
-    ports:
-      - "80:80"
+    command: /restart.sh
     volumes:
       - data-tor:/var/lib/tor
     networks:
@@ -124,7 +124,6 @@ networks:
 volumes:
   data-mysql:
   data-bitcoind:
-  data-bitcoind-tor:
   data-nodejs:
   data-nginx:
   data-tor:

docker/my-dojo/dojo.sh

@@ -18,6 +18,10 @@ start() {
 
 # Stop
 stop() {
+  if [ "$BITCOIND_EPHEMERAL_HS" = "on" ]; then
+    docker exec -it tor rm -rf /var/lib/tor/hsv2bitcoind
+  fi
+
   docker exec -it bitcoind  bitcoin-cli \
     -rpcconnect=bitcoind \
     --rpcport=28256 \
@@ -33,6 +37,10 @@ stop() {
 
 # Restart dojo
 restart() {
+  if [ "$BITCOIND_EPHEMERAL_HS" = "on" ]; then
+    docker exec -it tor rm -rf /var/lib/tor/hsv2bitcoind
+  fi
+
   docker exec -it bitcoind  bitcoin-cli \
     -rpcconnect=bitcoind \
     --rpcport=28256 \
@@ -96,7 +104,8 @@ upgrade() {
 
   if [ $launchUpgrade -eq 0 ]; then
     update_config_files
-    docker-compose build
+    cleanup
+    docker-compose build --no-cache
     docker-compose up -d --remove-orphans
     update_dojo_db
     docker-compose logs --tail=0 --follow
@@ -107,9 +116,11 @@ upgrade() {
 onion() {
   V2_ADDR=$( docker exec -it tor cat /var/lib/tor/hsv2dojo/hostname )
   V3_ADDR=$( docker exec -it tor cat /var/lib/tor/hsv3dojo/hostname )
+  V2_ADDR_BTCD=$( docker exec -it tor cat /var/lib/tor/hsv2bitcoind/hostname )
 
-  echo "API Hidden Service address (v3) = $V3_ADDR"
-  echo "API Hidden Service address (v2) = $V2_ADDR"
+  echo "API hidden service address (v3) = $V3_ADDR"
+  echo "API hidden service address (v2) = $V2_ADDR"
+  echo "bitcoind hidden service address (v2) = $V2_ADDR_BTCD"
 }
 
 # Display the version of this dojo

docker/my-dojo/install/upgrade-scripts.sh

@@ -52,4 +52,14 @@ update_config_file() {
 # Update dojo database
 update_dojo_db() {
   docker exec -d db /update-db.sh
-}
+}
+
+# Clean-up
+cleanup() {
+  #################
+  # Clean-up v1.1.0
+  #################
+
+  # Remove deprecated bitcoin.conf file
+  rm ./bitcoin/bitcoin.conf
+}

docker/my-dojo/tor/Dockerfile

@@ -23,24 +23,26 @@ RUN     set -ex && \
 RUN     addgroup --system -gid 1107 tor && \
         adduser --system --ingroup tor -uid 1104 tor
 
-# Create group & user bitcoin and add user to tor group
-RUN     addgroup --system -gid 1108 bitcoin && \
-        adduser --system --ingroup bitcoin -uid 1105 bitcoin && \
-        usermod -a -G tor bitcoin
-
 # Create /etc/tor directory
 RUN     mkdir -p /etc/tor/ && \
         chown -Rv tor:tor /etc/tor
 
 # Create .tor subdirectory of TOR_HOME
 RUN     mkdir -p "$TOR_HOME/.tor" && \
         chown -Rv tor:tor "$TOR_HOME" && \
-        chmod -R 700 "$TOR_HOME"
+        chmod -R 750 "$TOR_HOME"
 
 # Copy Tor configuration file
 COPY    ./torrc /etc/tor/torrc
 RUN     chown tor:tor /etc/tor/torrc
 
+# Copy restart script
+COPY    ./restart.sh /restart.sh
+
+RUN     chown tor:tor /restart.sh && \
+        chmod u+x /restart.sh && \
+        chmod g+x /restart.sh
+
 # Copy wait-for-it script
 COPY    ./wait-for-it.sh /wait-for-it.sh
 

docker/my-dojo/tor/restart.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+
+# Set permissions for bitcoind
+echo "## Set permissions on /var/lib/tor dir ###"
+chmod 750 /var/lib/tor
+
+echo "## Start tor #############################"
+tor

docker/my-dojo/tor/torrc

@@ -19,17 +19,7 @@ SocksPolicy reject *
 ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
 
 DataDirectory /var/lib/tor/.tor
-
-## The port on which Tor will listen for local connections from Tor
-## controller applications, as documented in control-spec.txt.
-
-ControlPort 9051
-
-## If you enable the controlport, be sure to enable one of these
-## authentication methods, to prevent attackers from accessing it.
-
-CookieAuthentication 1
-CookieAuthFileGroupReadable 1
+DataDirectoryGroupReadable 1
 
 
 ############### This section is just for location-hidden services ###
@@ -47,3 +37,8 @@ HiddenServicePort 80 172.29.1.3:80
 HiddenServiceDir /var/lib/tor/hsv3dojo
 HiddenServiceVersion 3
 HiddenServicePort 80 172.29.1.3:80
+
+HiddenServiceDir /var/lib/tor/hsv2bitcoind
+HiddenServiceVersion 2
+HiddenServicePort 18333 172.28.1.5:18333
+HiddenServiceDirGroupReadable 1