ATOR-173 - Bandwidth authority setup, docker support and CI (#1)

.github/actions/build-and-push/action.yml

@@ -0,0 +1,34 @@
+name: Build and Push Docker Image
+inputs:
+  docker-username:
+    required: true
+  docker-password:
+    required: true
+  docker-tag:
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Log in to Docker Hub
+      uses: docker/login-action@v1
+      with:
+        username: ${{ inputs.docker-username }}
+        password: ${{ inputs.docker-password }}
+
+    - name: Build and push Docker image of scanner
+      uses: docker/build-push-action@v2
+      with:
+        context: .
+        file: ./docker/scanner/Dockerfile
+        push: true
+        tags: ${{ inputs.docker-username }}/sbws-scanner:${{ github.sha }},${{ inputs.docker-username }}/sbws-scanner:${{ inputs.docker-tag }}
+
+    - name: Build and push Docker image of destination
+      uses: docker/build-push-action@v2
+      with:
+        context: ./docker/destination
+        file: ./docker/destination/Dockerfile
+        push: true
+        tags: ${{ inputs.docker-username }}/sbws-destination:${{ github.sha }},${{ inputs.docker-username }}/sbws-destination:${{ inputs.docker-tag }}
+

.github/actions/deploy/action.yml

@@ -0,0 +1,24 @@
+name: 'Deploy new version'
+inputs:
+  environment:
+    required: true
+  nomad-cacert:
+    required: true
+  nomad-token:
+    required: true
+  nomad-addr:
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Deploy new version
+      shell: bash
+      env:
+        NOMAD_CACERT: ${{ inputs.nomad-cacert }}
+        NOMAD_TOKEN: ${{ inputs.nomad-token }}
+        NOMAD_ADDR: ${{ inputs.nomad-addr }}
+      run: |
+        curl -L https://releases.hashicorp.com/nomad/1.6.3/nomad_1.6.3_linux_amd64.zip -o nomad.zip
+        unzip nomad.zip
+        ./nomad job run operations/deploy-${{ inputs.environment }}.hcl

.github/workflows/dev-deploy.yml

@@ -0,0 +1,28 @@
+name: Build and Push Docker Image
+
+on:
+  push:
+    branches:
+      - development
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Build and push
+        uses: ./.github/actions/build-and-push
+        with:
+          docker-username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          docker-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+          docker-tag: latest-dev
+      - name: Deploy
+        uses: ./.github/actions/deploy
+        with:
+          environment: dev
+          nomad-cacert: operations/admin-ui-ca.crt
+          nomad-token: ${{ secrets.NOMAD_TOKEN_SBWS_DEPLOY }}
+          nomad-addr: ${{ secrets.NOMAD_DEPLOY_ADDR }}

.github/workflows/stage-deploy.yml

@@ -0,0 +1,28 @@
+name: Build and Push Docker Image
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Build and push
+        uses: ./.github/actions/build-and-push
+        with:
+          docker-username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          docker-password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+          docker-tag: latest
+      - name: Deploy
+        uses: ./.github/actions/deploy
+        with:
+          environment: stage
+          nomad-cacert: operations/admin-ui-ca.crt
+          nomad-token: ${{ secrets.NOMAD_TOKEN_SBWS_DEPLOY }}
+          nomad-addr: ${{ secrets.NOMAD_DEPLOY_ADDR }}

.gitignore

@@ -13,3 +13,5 @@ dist
 build
 *.lockfile
 chutney
+.idea
+docker/data

docker/destination/Dockerfile

@@ -0,0 +1,7 @@
+FROM nginx
+
+WORKDIR /app/destination
+
+COPY docker-entrypoint.sh /app/destination
+
+ENTRYPOINT [ "sh", "docker-entrypoint.sh" ]

docker/destination/default.conf

@@ -0,0 +1,16 @@
+server {
+
+  root /app/destination/data;
+
+  autoindex on;
+
+  listen 0.0.0.0:80;
+
+  location / {
+    try_files $uri $uri/ =404;
+  }
+
+  location ~/\.ht {
+    deny all;
+  }
+}

docker/destination/docker-entrypoint.sh

@@ -0,0 +1,5 @@
+mkdir -p data && cd data
+
+head -c $((1024*1024*1024)) /dev/urandom > 1GiB
+
+nginx -g 'daemon off;'

docker/docker-compose.yml

@@ -0,0 +1,42 @@
+version: '2.2'
+services:
+  sbws-relay:
+    image: svforte/anon-dev
+    restart: always
+    expose:
+      - "9051"
+    volumes:
+      - ./data/:/var/lib/anon
+      - ./relay/anonrc:/etc/anon/anonrc
+    networks:
+      local:
+        ipv4_address: 172.18.0.2
+  sbws-scanner:
+    image: sbws-scanner
+    restart: always
+    depends_on:
+      - sbws-relay
+    volumes:
+      - ./scanner/.sbws.ini:/root/.sbws.ini
+      - ./data:/root/.sbws
+    networks:
+      local:
+        ipv4_address: 172.18.0.3
+  sbws-destination:
+    image: sbws-destination
+    restart: always
+    ports:
+      - "8888:80"
+    volumes:
+      - ./destination/default.conf:/etc/nginx/conf.d/default.conf
+    networks:
+      local:
+        ipv4_address: 172.18.0.4
+
+networks:
+  local:
+    ipam:
+      driver: default
+      config:
+        - subnet: "172.18.0.0/24"
+          gateway: "172.18.0.1"

docker/relay/anonrc

@@ -0,0 +1,19 @@
+User anond
+
+Nickname AnonSBWS
+
+DataDirectory /var/lib/anon
+
+ControlPort 0.0.0.0:9051
+HashedControlPassword 16:3ACE689A3BC1B7D06025EA6BC9CB1C9B99EB21FE4877ECD803E6EAD9BE
+
+SocksPort auto
+SafeLogging 1
+UseEntryGuards 0
+ProtocolWarnings 1
+FetchDirInfoEarly 1
+LogTimeGranularity 1
+UseMicrodescriptors 0
+FetchDirInfoExtraEarly 1
+FetchUselessDescriptors 1
+LearnCircuitBuildTimeout 0

docker/scanner/.sbws.ini

@@ -0,0 +1,33 @@
+# Minimum configuration that needs to be customized
+[scanner]
+# ISO 3166-1 alpha-2 country code where the scanner is located.
+# Default AA, to detect it was not edited.
+country = ZZ
+# A human-readable string with chars in a-zA-Z0-9 to identify the dirauth
+# nickname that will publish the BandwidthFiles generated from this scanner.
+# Default to a non existing dirauth_nickname to detect it was not edited.
+dirauth_nickname = Anon
+
+[destinations]
+# With several destinations, the scanner can continue even if some of them
+# fail, which can be caused by a network problem on their side.
+# If all of them fail, the scanner will stop, which
+# will happen if there is network problem on the scanner side.
+
+# A destination can be disabled changing `on` by `off`
+foo = on
+
+[destinations.foo]
+# the domain and path to the 1GB file or POST URL.
+url = http://5.161.108.187:9177/1GiB
+# Whether to verify or not the TLS certificate. Default True
+verify = False
+# ISO 3166-1 alpha-2 country code where the Web server destination is located.
+# Default AA, to detect it was not edited.
+# Use ZZ if the location is unknown (for instance, a CDN).
+country = ZZ
+
+[tor]
+datadir = docker/data
+external_control_ip = 172.18.0.2
+external_control_port = 9051

docker/scanner/Dockerfile

@@ -0,0 +1,17 @@
+FROM debian:bookworm
+
+RUN apt update && \
+    DEBIAN_FRONTEND=noninteractive apt install -y \
+    python3-dateutil python3-stem pip cron
+
+WORKDIR /app/scanner
+
+ADD ../.. /app/scanner/temp
+
+RUN cd temp && ls -la && \
+    pip install . --break-system-packages && \
+    cp docker/scanner/docker-entrypoint.sh .. && \
+    cd .. && \
+    rm -rf temp
+
+ENTRYPOINT [ "sh", "docker-entrypoint.sh" ]

docker/scanner/docker-entrypoint.sh

@@ -0,0 +1,8 @@
+mkdir -p /root/.sbws/log
+
+crontab -l | { cat; echo "*/5 * * * * /usr/local/bin/sbws -c /root/.sbws.ini generate >> /root/.sbws/log/generate.log  2>&1"; } | crontab -
+crontab -l | { cat; echo "30  0 * * * /usr/local/bin/sbws -c /root/.sbws.ini cleanup >> /root/.sbws/log/cleanup.log  2>&1"; } | crontab -
+
+service cron start
+
+sbws scanner

docs/source/config_tor.rst

@@ -10,7 +10,8 @@ connection to an existing Tor daemon.
 Default configuration:
 
 - ``SocksPort auto``: To proxy requests over Tor.
-- ``CookieAuthentication 1``: The easiest way to authenticate to Tor.
+- ``CookieAuthentication 0``: The easiest way to authenticate to Tor.
+- ``HashedControlPassword``: The how to authenticate using password
 - ``UseEntryGuards 0``: To avoid path bias warnings.
 - ``UseMicrodescriptors 0``: Because full server descriptors are needed.
 - ``SafeLogging 0``: Useful for logging, since there's no need for anonymity.

operations/admin-ui-ca.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFVzCCAz+gAwIBAgIUdUo5LO+M2vEiSyfvDSOhKxVBko0wDQYJKoZIhvcNAQEL
+BQAwOzELMAkGA1UEBhMCTk8xETAPBgNVBAoMCEF0b3IgTExDMRkwFwYDVQQDDBBB
+dG9yIEFkbWluIFVJIENBMB4XDTIzMDUxMDE0NTk0M1oXDTQzMDIyNDE0NTk0M1ow
+OzELMAkGA1UEBhMCTk8xETAPBgNVBAoMCEF0b3IgTExDMRkwFwYDVQQDDBBBdG9y
+IEFkbWluIFVJIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1gcK
+cqC81T4YHcu3DfoSA2ghART6ImQSStXhuJfWqJPjJG0PtT58t3OJ6jS84zxTWPoZ
+e2gfcA4VunW5+gTTQVra8gBdNthT4jOZJ9TYS54kSRJ9st7ZPctOYzD97NXeMeWp
+TCgtkoGhaVLBeFE2z8xI2V+coIs00WG+GyC1St4DlmbezKUrpODWdfiRZfYa3lNy
+uamPLY3nsDq8APVq4BKrauAxfnVmeItIdjC82KhCykeWyVVOrj7PeXbfWus79YON
+KuXsLbFnSR1xO5QEtaYk3A3XXN81Xe0i5qNoWJAczYIrPLAsjIo+fDw/8ENoC9+j
+SfS6gNdgd0A2Le31J5Bd76QZipDBa9+5EhZNGK/19qfypTzayRT4JpErAa8zKGIy
+V9csdacobuQ+0UuU+li8EavWl8vFUSb1Uh1cnhudhr2NbAiuqjwwffOmgcTnOESg
+cbAXPUhGWSQU2DyrFiDebo/HbiFZGzKxL7FcoK1j08gqcMzc+3gIF4uCKkMM+rk0
+5GWNsp3VoQv9E5ytYYbN8Lk1yxRY3KWhISiDmK/cS3FW4LRrcS2H+Se+hWLNyHDN
+P0yQXQh068DdCjZAQYOeXcQWKBAI1kcwu6KyidOpZKwhCZKbMGHsoURhKsfL9NEh
+HDjQXrPXJ7d++Akmek2Eu9tXz7sVFJE7mB3SE0cCAwEAAaNTMFEwHQYDVR0OBBYE
+FJAGJ5Vj7nX/cRLIKorIuudZoHcbMB8GA1UdIwQYMBaAFJAGJ5Vj7nX/cRLIKorI
+uudZoHcbMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAFk8SYO0
+w0RHpCfrytF/rFTZUtIPNnol3/PRMq6WYT/fmTLhpt8S8+Yuz6YykRzVf4JI4LT8
+Y5nbZV/5fynbCfOP3pBWl/C7npdQtVsGVGVX7Hh1M+8Q9RKl+NA8gyHxKYfXJtEr
+c6sSewBJ62eARP4dztbO8T/ydvfI6VJyKbJhGeO7vU+p13qbYAVMYeQ3sUjpazKZ
+haqtTRp2lNDKK4SJ2mxW+pnac8S8E88+LP1O8U0hZphddfRgmwjuzeu+remwjkF8
+obreQRk2BR58v+tGTxfxHT0XJSK9b+G7QRmEKy+V4hXZPcynF5Xbdqu8fT7cVF6s
+TfL9dCDMQoBsiWElFllSmBruWvp5gv086fwObFeQfw94Y3qvFawLMPUdI76uYPlR
+3VuAs5MFncohOL12+/2o4nST2v4WKDLoWxcze49r6iCFMe2UEhhuydEXnQHp7el9
+w1NMfXxH6PzOAvMG1WtlkyT45agAIETW76/SSJH8e9j21m6cXcaaK6kJvhPga1X7
+Cd3XaiTg1r39S7Nxm/g8xDmVV738lguuj3TN5RwbNfR/rNcVUG5VUNDGea/bzQLl
+eyjkXk1rFn5mYTf8tCcFfvu7pcH0Ds902zZvdysvaMGCxQu3bVpdkSn+3/6dUNCA
+FFWzsbx0wrWxCyFPedz8OWgtdYu1TMtvXrWE
+-----END CERTIFICATE-----