Add standalone Tor deployment

ClusterIP SOCKS5 proxy on 9050 for pod outbound via Tor, plus hidden
service for monerod (P2P 18080 + restricted RPC 18089). PVC holds
/var/lib/tor so the onion hostname persists across restarts.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

k3s/tor/tor.yaml

@@ -0,0 +1,110 @@
+# Tor — standalone cluster Tor daemon
+#
+# Two jobs:
+#   1. Hidden services for internal cluster services (start: monerod).
+#   2. SOCKS5 proxy on ClusterIP:9050 for pods that want outbound via Tor.
+#
+# PVC holds /var/lib/tor — hidden service keys. Losing this = new .onion.
+# Uses local-path (fine: keys are tiny; node loss means regenerate onion,
+# not end-of-world). Switch to nas-nfs later if that matters.
+#
+# After apply, read the onion:
+#   kubectl exec -n default deploy/tor -- cat /var/lib/tor/monerod/hostname
+#
+# Deploy:
+#   kubectl apply -f tor.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tor-config
+  namespace: default
+data:
+  torrc: |
+    DataDirectory /var/lib/tor
+    Log notice stdout
+
+    SOCKSPort 0.0.0.0:9050
+    SOCKSPolicy accept 10.0.0.0/8
+    SOCKSPolicy accept 172.16.0.0/12
+    SOCKSPolicy accept 192.168.0.0/16
+    SOCKSPolicy reject *
+
+    HiddenServiceDir /var/lib/tor/monerod/
+    HiddenServicePort 18080 monerod.default.svc.cluster.local:18080
+    HiddenServicePort 18089 monerod.default.svc.cluster.local:18089
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tor-data
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 100Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tor
+  namespace: default
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: tor
+  template:
+    metadata:
+      labels:
+        app: tor
+    spec:
+      initContainers:
+        - name: chown-data
+          image: busybox:1.36
+          command: ["sh", "-c", "chown -R 100:100 /var/lib/tor && chmod 700 /var/lib/tor"]
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/tor
+      containers:
+        - name: tor
+          image: osminogin/tor-simple:latest
+          command: ["tor", "-f", "/etc/tor/torrc"]
+          ports:
+            - name: socks
+              containerPort: 9050
+          volumeMounts:
+            - name: config
+              mountPath: /etc/tor
+            - name: data
+              mountPath: /var/lib/tor
+      volumes:
+        - name: config
+          configMap:
+            name: tor-config
+        - name: data
+          persistentVolumeClaim:
+            claimName: tor-data
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tor
+  namespace: default
+spec:
+  selector:
+    app: tor
+  ports:
+    - name: socks
+      port: 9050
+      targetPort: 9050
+  type: ClusterIP