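# Tor — standalone cluster Tor daemon
#
# Two jobs:
#   1. Hidden services for internal cluster services (start: monerod).
#   2. SOCKS5 proxy on ClusterIP:9050 for pods that want outbound via Tor.
#
# PVC holds /var/lib/tor — hidden service keys. Losing this = new .onion.
# Uses local-path (fine: keys are tiny; node loss means regenerate onion,
# not end-of-world). Switch to nas-nfs later if that matters.
# The flip side: whoever can read that volume (node access, or a pod that
# mounts tor-data) holds the onion's private key and can impersonate it.
#
# After apply, read the onion:
#   kubectl exec -n default deploy/tor -- cat /var/lib/tor/monerod/hostname
#
# Deploy:
#   kubectl apply -f tor.yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: tor-config
  namespace: default
data:
  # SOCKSPort binds every interface, so the proxy is reachable on the pod IP
  # as well as through the Service. SOCKSPolicy is the only access control
  # here and it admits all of RFC 1918, i.e. every pod and anything else in
  # those ranges that can route to the pod.
  # NOTE(review): add a NetworkPolicy limiting ingress on 9050 to the pods
  # that are meant to use the proxy.
  #
  # Both HiddenServicePort lines are reachable by anyone who learns the
  # .onion address. NOTE(review): 18080/18089 are presumably monerod P2P and
  # RPC; confirm 18089 is served with restricted RPC before publishing it.
  torrc: |
    DataDirectory /var/lib/tor
    Log notice stdout
    SOCKSPort 0.0.0.0:9050
    SOCKSPolicy accept 10.0.0.0/8
    SOCKSPolicy accept 172.16.0.0/12
    SOCKSPolicy accept 192.168.0.0/16
    SOCKSPolicy reject *
    HiddenServiceDir /var/lib/tor/monerod/
    HiddenServicePort 18080 monerod.default.svc.cluster.local:18080
    HiddenServicePort 18089 monerod.default.svc.cluster.local:18089
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tor-data
  namespace: default
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tor
  namespace: default
spec:
  replicas: 1
  # Recreate: the old pod releases the ReadWriteOnce volume before the new
  # one starts.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: tor
  template:
    metadata:
      labels:
        app: tor
    spec:
      # Nothing in this manifest uses the Kubernetes API, so do not mount a
      # service-account token into a pod that faces the network.
      automountServiceAccountToken: false
      initContainers:
        # Hands the data dir to uid/gid 100 with mode 700 before tor starts.
        # This is the only container that needs root (for chown).
        - name: chown-data
          image: busybox:1.36
          command: ["sh", "-c", "chown -R 100:100 /var/lib/tor && chmod 700 /var/lib/tor"]
          volumeMounts:
            - name: data
              mountPath: /var/lib/tor
      containers:
        - name: tor
          # NOTE(review): mutable :latest tag from a third-party repository,
          # running next to the hidden service keys. Pin to a reviewed
          # digest (osminogin/tor-simple@sha256:<DIGEST_PLACEHOLDER>) so a
          # re-pushed tag cannot change what runs here.
          image: osminogin/tor-simple:latest
          command: ["tor", "-f", "/etc/tor/torrc"]
          # The data dir is chowned to 100:100 above, so tor is expected to
          # run unprivileged; 9050 is not a privileged port, so no
          # capabilities are needed.
          # NOTE(review): confirm the image's USER is uid 100, then also set
          # runAsNonRoot/runAsUser here.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - name: socks
              containerPort: 9050
          volumeMounts:
            - name: config
              mountPath: /etc/tor
            - name: data
              mountPath: /var/lib/tor
      volumes:
        - name: config
          configMap:
            name: tor-config
        - name: data
          persistentVolumeClaim:
            claimName: tor-data
---
apiVersion: v1
kind: Service
metadata:
  name: tor
  namespace: default
spec:
  selector:
    app: tor
  ports:
    - name: socks
      port: 9050
      targetPort: 9050
  type: ClusterIP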