From 928d4a420b464f762cd2bda3781f6605e9ed52ca Mon Sep 17 00:00:00 2001
From: pluja
Date: Mon, 19 Feb 2024 17:27:07 +0100
Subject: [PATCH] add security headers, and add tor and i2p containers

---
 docker-compose.yml      | 42 +++++++++++++++++++++++++++++++++++++++--
 docker/i2p/Dockerfile   | 10 ++++++++++
 docker/i2p/i2pd.conf    | 12 ++++++++++++
 docker/i2p/tunnels.conf | 11 +++++++++++
 docker/tor/Dockerfile   |  7 +++++++
 docker/tor/torrc        |  9 +++++++++
 score.md                | 28 +++++++++++++++++++++++++++
 7 files changed, 117 insertions(+), 2 deletions(-)
 create mode 100644 docker/i2p/Dockerfile
 create mode 100644 docker/i2p/i2pd.conf
 create mode 100644 docker/i2p/tunnels.conf
 create mode 100644 docker/tor/Dockerfile
 create mode 100644 docker/tor/torrc
 create mode 100644 score.md

diff --git a/docker-compose.yml b/docker-compose.yml
index 0dbafe4..5f288e8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,8 +19,12 @@ services:
     container_name: kycnotme-website
     build: ./src
     networks:
-      caddy: {}
-      default: {}
+      caddy:
+        aliases:
+          - "website"
+      default:
+        aliases:
+          - "website"
     volumes:
       - ./src/frontend/templates:/app/frontend/templates
     env_file:
@@ -28,6 +32,10 @@ services:
     labels:
       caddy: "${WEB_DOMAIN}"
       caddy.reverse_proxy: "{{upstreams 4488}}"
+      caddy.header.Referrer-Policy: "no-referrer"
+      caddy.header.Strict-Transport-Security: "max-age=31536000; includeSubdomains; preload;"
+      caddy.encode: zstd gzip
+      caddy.header.Onion-Location: ${ONION_ADDRESS}.onion{path}
 
   pocketbase:
     image: spectado/pocketbase:latest
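Review bot: `caddy.header.Onion-Location: ${ONION_ADDRESS}.onion{path}` in the second hunk appends `.onion` to the variable, while the third hunk of this file uses bare `${ONION_ADDRESS}` as the Caddy site address for the tor service, and no single value of ONION_ADDRESS can make both right: for the header the variable must lack the suffix, for the site address (which has to match the Host a Tor client sends) it must carry it. The Onion-Location header is also specified as a full URL with a scheme, which this value only has if the variable already contains one (the .env file is not in the patch). I would keep the variable as the bare onion hostname and write `caddy.header.Onion-Location: "http://${ONION_ADDRESS}{path}"`, quoted so an empty expansion cannot change the scalar's type, and likewise quote `caddy.encode: "zstd gzip"` to match the quoting style of the surrounding labels. The HSTS value can lose its trailing `;` and use the canonical `includeSubDomains` spelling, and for a commit titled "security headers" the usual companions `X-Content-Type-Options: nosniff` and a `Content-Security-Policy` (or at least `X-Frame-Options`) are still missing. The `labels:` mapping ends inside the hunk; the service definition began before it.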
@@ -51,3 +59,33 @@ services:
       interval: 5s
       timeout: 5s
       retries: 5
+
+  tor:
+    build:
+      context: ./docker/tor/
+    profiles: ["tor"]
+    container_name: kycnotme-tor
+    restart: unless-stopped
+    networks:
+      caddy: {}
+    volumes:
+      - ./docker/tor/data:/var/lib/tor
+    labels:
+      caddy: ${ONION_ADDRESS}
+      caddy.reverse_proxy: "website:4488"
+
+  i2pd:
+    build:
+      context: ./docker/i2p/
+    profiles: ["i2p"]
+    container_name: kycnotme-i2p
+    restart: unless-stopped
+    networks:
+      caddy: {}
+    #ports:
+    #  - ":14447" # socks
+    volumes:
+      - ./docker/i2p/data:/root/.i2pd
+    labels:
+      caddy: ${I2P_ADDRESS}
+      caddy.reverse_proxy: "website:4488"
diff --git a/docker/i2p/Dockerfile b/docker/i2p/Dockerfile
new file mode 100644
index 0000000..faca1b4
--- /dev/null
+++ b/docker/i2p/Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine:latest
+
+RUN apk --update --no-cache add i2pd && rm -rf /var/cache/apk/*
+
+COPY i2pd.conf /i2p/i2pd.conf
+COPY tunnels.conf /i2p/tunnels.conf
+
+#EXPOSE 14447
+
+ENTRYPOINT ["i2pd", "--conf=/i2p/i2pd.conf"]
diff --git a/docker/i2p/i2pd.conf b/docker/i2p/i2pd.conf
new file mode 100644
index 0000000..a7c944c
--- /dev/null
+++ b/docker/i2p/i2pd.conf
@@ -0,0 +1,12 @@
+ipv4 = true
+ipv6 = false
+
+bandwidth = P
+
+daemon = false
+
+tunconf = /i2p/tunnels.conf
+
+log = file
+logfile = /i2p/log
+logclftime = true
diff --git a/docker/i2p/tunnels.conf b/docker/i2p/tunnels.conf
new file mode 100644
index 0000000..4659b31
--- /dev/null
+++ b/docker/i2p/tunnels.conf
@@ -0,0 +1,11 @@
+[KYCNotMeServer]
+type = http
+host = caddy
+port = 80
+keys = KYCNotMe.dat
+
+#[SOCKS]
+#type = socks
+#address = localhost
+#port = 14447
+#keys = SOCKS.dat
\ No newline at end of file
diff --git a/docker/tor/Dockerfile b/docker/tor/Dockerfile
new file mode 100644
index 0000000..d05db03
--- /dev/null
+++ b/docker/tor/Dockerfile
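Review bot: `caddy: ${ONION_ADDRESS}` and `caddy: ${I2P_ADDRESS}` hand Caddy a bare hostname as the site address, and if caddy-docker-proxy turns these labels into ordinary site blocks, Caddy's automatic HTTPS will try to obtain a certificate for the .onion / .b32.i2p name and redirect port 80 to 443, while torrc and tunnels.conf deliver plain HTTP to `caddy:80`; unless the variables already carry a scheme (the .env file is not in the patch), the labels should read `caddy: "http://${ONION_ADDRESS}"` and `caddy: "http://${I2P_ADDRESS}"`, quoted like the existing `caddy: "${WEB_DOMAIN}"`. The bind mounts `./docker/tor/data` and `./docker/i2p/data` are where the onion service private key and the i2p destination keys (`KYCNotMe.dat`) will be written, so unless .gitignore already covers those paths this commit needs an entry for them, otherwise the identity of both hidden services is one `git add .` away from the repository.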
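Review bot: `FROM alpine:latest` here and in docker/tor/Dockerfile makes each build pull whatever the tag points at that day, so the tor and i2pd versions are neither reproducible nor reviewable; pin the base to a release tag or digest (`FROM alpine:<pinned-version>`) and let a dependency bot move it. Neither Dockerfile sets `USER`, so both daemons run as root inside their containers; a dedicated user in each image (with the bind-mounted data directories owned by it), or for tor a `User` line in torrc, limits what a compromise of either daemon can reach. `rm -rf /var/cache/apk/*` is redundant after `--no-cache` and can be dropped from both RUN lines.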
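Review bot: `log = file` with `logfile = /i2p/log` writes the router log into the container's writable layer rather than the `/root/.i2pd` volume, so it grows for the life of the container, disappears on recreate, and is invisible to `docker logs`; `log = stdout` is the usual choice in a container and keeps the log with the other services'. The file also leaves i2pd's defaults for the web console, HTTP proxy, SOCKS proxy and SAM bridge untouched, and as far as I recall those default to enabled, so they would be listening inside a container that sits on the shared `caddy` network; for a server-only router I would switch them off explicitly with `[http]`, `[httpproxy]`, `[socksproxy]` and `[sam]` sections each carrying `enabled = false` (the commented `#ports` entry in docker-compose.yml suggests the SOCKS proxy was meant to stay off anyway).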
@@ -0,0 +1,7 @@
+FROM alpine:latest
+
+RUN apk --update --no-cache add tor && rm -rf /var/cache/apk/*
+
+COPY torrc /etc/torrc
+
+ENTRYPOINT ["/usr/bin/tor", "--hush", "-f", "/etc/torrc"]
\ No newline at end of file
diff --git a/docker/tor/torrc b/docker/tor/torrc
new file mode 100644
index 0000000..3d33505
--- /dev/null
+++ b/docker/tor/torrc
@@ -0,0 +1,9 @@
+HiddenServiceDir /var/lib/tor/hidden_service/
+HiddenServicePort 80 caddy:80
+BridgeRelay 0
+ExitRelay 0
+Log notice stderr
+DataDirectory /var/lib/tor
+RunAsDaemon 0
+SOCKSPort 0
+SafeLogging 1
\ No newline at end of file
diff --git a/score.md b/score.md
new file mode 100644
index 0000000..d60d2ab
--- /dev/null
+++ b/score.md
@@ -0,0 +1,28 @@
+# What makes a good non-kyc service?
+
+1. Accepts at least one anonymous payment method:
+   - Bitcoin
+   - Cash
+   - Monero (even better)
+
+
+2. KYC Level
+   0. BEST
+   1. ACCEPTABLE
+   2. NOT GOOD
+   3. BAD
+
+3. Verified
+   1. Better if it is
+
+4. TosReviews
+   1. As few as possible warnings.
+
+5. Onion available
+   1. Good to have
+
+6. Attributes
+   - GOOD: bonus
+   - INFO: nothing
+   - WARNING: penalty
+   - BAD: penalty
\ No newline at end of file