add security headers, and add tor and i2p containers

pluja 2024-02-19 17:27:07 +01:00
parent effece1749
commit 928d4a420b
7 changed files with 117 additions and 2 deletions


@ -19,8 +19,12 @@ services:
container_name: kycnotme-website container_name: kycnotme-website
build: ./src build: ./src
networks: networks:
caddy: {} caddy:
default: {} aliases:
- "website"
default:
aliases:
- "website"
volumes: volumes:
- ./src/frontend/templates:/app/frontend/templates - ./src/frontend/templates:/app/frontend/templates
env_file: env_file:
@ -28,6 +32,10 @@ services:
labels: labels:
caddy: "${WEB_DOMAIN}" caddy: "${WEB_DOMAIN}"
caddy.reverse_proxy: "{{upstreams 4488}}" caddy.reverse_proxy: "{{upstreams 4488}}"
caddy.header.Referrer-Policy: "no-referrer"
caddy.header.Strict-Transport-Security: "max-age=31536000; includeSubdomains; preload;"
caddy.encode: zstd gzip
caddy.header.Onion-Location: ${ONION_ADDRESS}.onion{path}
pocketbase: pocketbase:
image: spectado/pocketbase:latest image: spectado/pocketbase:latest
@ -51,3 +59,33 @@ services:
interval: 5s interval: 5s
timeout: 5s timeout: 5s
retries: 5 retries: 5
tor:
build:
context: ./docker/tor/
profiles: ["tor"]
container_name: kycnotme-tor
restart: unless-stopped
networks:
caddy: {}
volumes:
- ./docker/tor/data:/var/lib/tor
labels:
caddy: ${ONION_ADDRESS}
caddy.reverse_proxy: "website:4488"
i2pd:
build:
context: ./docker/i2p/
profiles: ["i2p"]
container_name: kycnotme-i2p
restart: unless-stopped
networks:
caddy: {}
#ports:
# - ":14447" # socks
volumes:
- ./docker/i2p/data:/root/.i2pd
labels:
caddy: ${I2P_ADDRESS}
caddy.reverse_proxy: "website:4488"

10
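--- a/docker/i2p/Dockerfile
+++ b/docker/i2p/Dockerfile
@@ -0,0 +1,10 @@
+FROM alpine:latest
+RUN apk --update --no-cache add i2pd && rm -rf /var/cache/apk/*
+COPY i2pd.conf /i2p/i2pd.conf
+COPY tunnels.conf /i2p/tunnels.conf
+#EXPOSE 14447
+ENTRYPOINT ["i2pd", "--conf=/i2p/i2pd.conf"]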
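Review bot: `FROM alpine:latest` on the first line leaves the base image unpinned, so each rebuild may pull a different Alpine and a different i2pd package, and the image that fronts the eepsite is not reproducible; pin the tag and ideally the digest, e.g. `FROM alpine:<pinned-version>@sha256:<digest>` (placeholder values). The same applies to the first line of docker/tor/Dockerfile. No `USER` is set, so i2pd runs as root inside the container (the compose volume targeting `/root/.i2pd` relies on that); i2pd presumably does not need root here, so either add an unprivileged user or state in a comment why root is kept. `apk --update` is redundant next to `--no-cache`, which makes the trailing `rm -rf /var/cache/apk/*` a no-op; `RUN apk add --no-cache i2pd` is sufficient.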

12
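--- a/docker/i2p/i2pd.conf
+++ b/docker/i2p/i2pd.conf
@@ -0,0 +1,12 @@
+ipv4 = true
+ipv6 = false
+bandwidth = P
+daemon = false
+tunconf = /i2p/tunnels.conf
+log = file
+logfile = /i2p/log
+logclftime = true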
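Review bot: `logfile = /i2p/log` writes the log into the container's writable layer rather than into the `/root/.i2pd` volume the compose service mounts, so it grows unbounded for the life of the container and is lost on recreate. Since `daemon = false` already keeps i2pd in the foreground, `log = stdout` would hand the lines to the container runtime, where the configured log driver can cap and collect them alongside the other services. A one-line comment on `bandwidth = P` naming the intended bandwidth class would also help, as the single letter is not self-explanatory to the next reader.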

11
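--- a/docker/i2p/tunnels.conf
+++ b/docker/i2p/tunnels.conf
@@ -0,0 +1,11 @@
+[KYCNotMeServer]
+type = http
+host = caddy
+port = 80
+keys = KYCNotMe.dat
+#[SOCKS]
+#type = socks
+#address = localhost
+#port = 14447
+#keys = SOCKS.dat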
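Review bot: `keys = KYCNotMe.dat` is a bare filename, so the tunnel's destination key — the secret that defines the `${I2P_ADDRESS}` eepsite — is stored relative to i2pd's data directory, presumably the `/root/.i2pd` path the compose service bind-mounts from `./docker/i2p/data`. That host directory therefore holds long-term key material; confirm it is excluded from version control and readable only by the deploying user, and record that above the key line, e.g. `# destination key, created on first start inside the data volume; never commit it`. The `host = caddy` / `port = 80` pair forwards plaintext HTTP over the internal network, which is the expected setup for an eepsite but deserves a comment so nobody later points it at the TLS listener.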

7
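--- a/docker/tor/Dockerfile
+++ b/docker/tor/Dockerfile
@@ -0,0 +1,7 @@
+FROM alpine:latest
+RUN apk --update --no-cache add tor && rm -rf /var/cache/apk/*
+COPY torrc /etc/torrc
+ENTRYPOINT ["/usr/bin/tor", "--hush", "-f", "/etc/torrc"]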

9
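--- a/docker/tor/torrc
+++ b/docker/tor/torrc
@@ -0,0 +1,9 @@
+HiddenServiceDir /var/lib/tor/hidden_service/
+HiddenServicePort 80 caddy:80
+BridgeRelay 0
+ExitRelay 0
+Log notice stderr
+DataDirectory /var/lib/tor
+RunAsDaemon 0
+SOCKSPort 0
+SafeLogging 1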
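Review bot: `HiddenServiceDir /var/lib/tor/hidden_service/` puts the onion service's long-term secret key on the host through the `./docker/tor/data:/var/lib/tor` bind mount in the compose service, and tor by default checks that directory's mode and rejects one wider than 0700 — a bind-mounted path first created by docker as root is a common trigger for that failure. Document the expectation above the line, e.g. `# must be 0700 and owned by the tor user; holds hs_ed25519_secret_key, keep out of the repo`, and confirm the host directory is ignored by version control. `RunAsDaemon 0`, `SOCKSPort 0` and `SafeLogging 1` are the right container-side choices; since docker/tor/Dockerfile sets no `USER`, tor otherwise runs as root here, so an explicit `User` directive (or a `USER` in the Dockerfile) would complete the set.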

28
score.md Normal file

@ -0,0 +1,28 @@
# What makes a good non-kyc service?
1. Accepts at least one anonymous payment method:
- Bitcoin
- Cash
- Monero (even better)
2. KYC Level
0. BEST
1. ACCEPTABLE
2. NOT GOOD
3. BAD
3. Verified
1. Better if it is
4. TosReviews
1. As few as possible warnings.
5. Onion available
1. Good to have
6. Attributes
- GOOD: bonus
- INFO: nothing
- WARNING: penalty
- BAD: penalty