add security headers, and add tor and i2p containers

docker-compose.yml

@@ -19,8 +19,12 @@ services:
     container_name: kycnotme-website
     build: ./src
     networks:
-      caddy: {}
-      default: {}
+      caddy:
+        aliases:
+          - "website"
+      default:
+        aliases:
+          - "website"
     volumes:
       - ./src/frontend/templates:/app/frontend/templates
     env_file:
@@ -28,6 +32,10 @@ services:
     labels:
       caddy: "${WEB_DOMAIN}"
       caddy.reverse_proxy: "{{upstreams 4488}}"
+      caddy.header.Referrer-Policy: "no-referrer"
+      caddy.header.Strict-Transport-Security: "max-age=31536000; includeSubdomains; preload;"
+      caddy.encode: zstd gzip
+      caddy.header.Onion-Location: ${ONION_ADDRESS}.onion{path}
 
   pocketbase:
     image: spectado/pocketbase:latest
@@ -51,3 +59,33 @@ services:
       interval: 5s
       timeout: 5s
       retries: 5
+
+  tor:
+    build:
+      context: ./docker/tor/
+    profiles: ["tor"]
+    container_name: kycnotme-tor
+    restart: unless-stopped
+    networks:
+      caddy: {}
+    volumes:
+      - ./docker/tor/data:/var/lib/tor
+    labels:
+      caddy: ${ONION_ADDRESS}
+      caddy.reverse_proxy: "website:4488"
+
+  i2pd:
+    build:
+      context: ./docker/i2p/
+    profiles: ["i2p"]
+    container_name: kycnotme-i2p
+    restart: unless-stopped
+    networks:
+      caddy: {}
+    #ports:
+    #  - ":14447" # socks
+    volumes:
+      - ./docker/i2p/data:/root/.i2pd
+    labels:
+      caddy: ${I2P_ADDRESS}
+      caddy.reverse_proxy: "website:4488"

docker/i2p/Dockerfile

@@ -0,0 +1,10 @@
+FROM alpine:latest
+
+RUN apk --update --no-cache add i2pd && rm -rf /var/cache/apk/*
+
+COPY i2pd.conf /i2p/i2pd.conf
+COPY tunnels.conf /i2p/tunnels.conf
+
+#EXPOSE 14447
+
+ENTRYPOINT ["i2pd", "--conf=/i2p/i2pd.conf"]

docker/i2p/i2pd.conf

@@ -0,0 +1,12 @@
+ipv4 = true
+ipv6 = false
+
+bandwidth = P
+
+daemon = false
+
+tunconf = /i2p/tunnels.conf
+
+log = file
+logfile = /i2p/log
+logclftime = true

docker/i2p/tunnels.conf

@@ -0,0 +1,11 @@
+[KYCNotMeServer]
+type = http
+host = caddy
+port = 80
+keys = KYCNotMe.dat
+
+#[SOCKS]
+#type = socks
+#address = localhost
+#port = 14447
+#keys = SOCKS.dat

docker/tor/Dockerfile

@@ -0,0 +1,7 @@
+FROM alpine:latest
+
+RUN apk --update --no-cache add tor && rm -rf /var/cache/apk/*
+
+COPY torrc /etc/torrc
+
+ENTRYPOINT ["/usr/bin/tor", "--hush", "-f", "/etc/torrc"]

docker/tor/torrc

@@ -0,0 +1,9 @@
+HiddenServiceDir /var/lib/tor/hidden_service/
+HiddenServicePort 80 caddy:80
+BridgeRelay 0
+ExitRelay 0
+Log notice stderr
+DataDirectory /var/lib/tor
+RunAsDaemon 0
+SOCKSPort 0 
+SafeLogging 1

score.md

@@ -0,0 +1,28 @@
+# What makes a good non-kyc service?
+
+1. Accepts at least one anonymous payment method:
+    - Bitcoin
+    - Cash
+    - Monero (even better)
+
+
+2. KYC Level
+	0. BEST
+	1. ACCEPTABLE
+	2. NOT GOOD
+	3. BAD
+
+3. Verified
+	1. Better if it is
+
+4. TosReviews
+   1. As few as possible warnings.
+
+5. Onion available
+   1. Good to have
+
+6. Attributes
+   - GOOD: bonus
+   - INFO: nothing
+   - WARNING: penalty
+   - BAD: penalty