Add standalone Tor deployment
ClusterIP SOCKS5 proxy on 9050 for pod outbound via Tor, plus hidden service for monerod (P2P 18080 + restricted RPC 18089). PVC holds /var/lib/tor so the onion hostname persists across restarts. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent
19b69c88ad
commit
0dac270e53
1 changed files with 110 additions and 0 deletions
110
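--- /dev/null
+++ b/k3s/tor/tor.yaml
@@ -0,0 +1,110 @@
+# Tor — standalone cluster Tor daemon
+#
+# Two jobs:
+# 1. Hidden services for internal cluster services (start: monerod).
+# 2. SOCKS5 proxy on ClusterIP:9050 for pods that want outbound via Tor.
+#
+# PVC holds /var/lib/tor — hidden service keys. Losing this = new .onion.
+# Uses local-path (fine: keys are tiny; node loss means regenerate onion,
+# not end-of-world). Switch to nas-nfs later if that matters.
+#
+# After apply, read the onion:
+# kubectl exec -n default deploy/tor -- cat /var/lib/tor/monerod/hostname
+#
+# Deploy:
+# kubectl apply -f tor.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tor-config
+  namespace: default
+data:
+  torrc: |
+    DataDirectory /var/lib/tor
+    Log notice stdout
+
+    SOCKSPort 0.0.0.0:9050
+    SOCKSPolicy accept 10.0.0.0/8
+    SOCKSPolicy accept 172.16.0.0/12
+    SOCKSPolicy accept 192.168.0.0/16
+    SOCKSPolicy reject *
+
+    HiddenServiceDir /var/lib/tor/monerod/
+    HiddenServicePort 18080 monerod.default.svc.cluster.local:18080
+    HiddenServicePort 18089 monerod.default.svc.cluster.local:18089
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tor-data
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 100Mi
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tor
+  namespace: default
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: tor
+  template:
+    metadata:
+      labels:
+        app: tor
+    spec:
+      initContainers:
+        - name: chown-data
+          image: busybox:1.36
+          command: ["sh", "-c", "chown -R 100:100 /var/lib/tor && chmod 700 /var/lib/tor"]
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/tor
+      containers:
+        - name: tor
+          image: osminogin/tor-simple:latest
+          command: ["tor", "-f", "/etc/tor/torrc"]
+          ports:
+            - name: socks
+              containerPort: 9050
+          volumeMounts:
+            - name: config
+              mountPath: /etc/tor
+            - name: data
+              mountPath: /var/lib/tor
+      volumes:
+        - name: config
+          configMap:
+            name: tor-config
+        - name: data
+          persistentVolumeClaim:
+            claimName: tor-data
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: tor
+  namespace: default
+spec:
+  selector:
+    app: tor
+  ports:
+    - name: socks
+      port: 9050
+      targetPort: 9050
+  type: ClusterIP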