chore: layout scripts/monitoring + tor configs; host README

This commit is contained in:
Hernâni Marques 2026-06-30 22:06:55 +02:00
parent 5920296ae4
commit 4180ca44c6
No known key found for this signature in database
12 changed files with 1007 additions and 0 deletions

20
configs/README.md Normal file
View file

@ -0,0 +1,20 @@
# Configs
| Path | Source on koopa |
|------|-----------------|
| `caddy/` | host `/etc/caddy` |
| `tor/` | host `/etc/tor` |
| `taler-exchange/` | container `taler-exchange-hacktivism`: overrides + coins |
| `taler-merchant/` | container `taler-hacktivism`: overrides + conf.d + nginx vhost |
| `taler-bank/` | container `taler-bank-hacktivism`: bank-overrides (libeufin) |
| `systemd/` | host proxy sockets / caddy drop-in |
| `firewalld/`, `ports.md` | host edge ports |
Package defaults are not mirrored; **site overrides** and relevant drop-ins only.
```
configs/taler-{exchange,merchant,bank}/
README.md
*-overrides.conf
```

12
configs/tor/torrc Normal file
View file

@ -0,0 +1,12 @@
Log notice file /var/log/tor/notices.log
Nickname KoopaRelay
ContactInfo info+koopa@hacktivism.ch
ORPort 8080
ControlPort 9051
ExitRelay 0
SocksPort 0
MyFamily 52BB94DDC1292F950CF728708AC48523E018A718
BandwidthRate 2000 MBytes
BandwidthBurst 2000 MBytes
RelayBandwidthRate 2000 MBytes
RelayBandwidthBurst 2000 MBytes

192
configs/tor/torrc.minimal Normal file
View file

@ -0,0 +1,192 @@
## Configuration file for a typical Tor user
## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
## for more options you can use in this file.
##
## Tor will look for this file in various places based on your platform:
## https://www.torproject.org/docs/faq#torrc
## Tor opens a socks proxy on port 9050 by default -- even if you don't
## configure one below. Set "SocksPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.
#SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
#SocksPort 192.168.0.1:9100 # Bind to this address:port too.
## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SocksPolicy is set, we accept
## all (and only) requests that reach a SocksPort. Untrusted users who
## can access your SocksPort may be able to learn about the connections
## you make.
#SocksPolicy accept 192.168.0.0/16
#SocksPolicy reject *
## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
#Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
#Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.
#RunAsDaemon 1
## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
#DataDirectory /var/lib/tor
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
#CookieAuthentication 1
############### This section is just for location-hidden services ###
## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.
#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22
################ This section is just for relays #####################
#
## See https://www.torproject.org/docs/tor-doc-relay for details.
## Required: what port to advertise for incoming Tor connections.
#ORPort 9001
## If you want to listen on a port other than the one advertised in
## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
## follows. You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORPort 443 NoListen
#ORPort 127.0.0.1:9090 NoAdvertise
## The IP address or full DNS name for incoming connections to your
## relay. Leave commented out and Tor will guess.
#Address noname.example.com
## If you have multiple network interfaces, you can specify one for
## outgoing traffic to use.
# OutboundBindAddress 10.0.0.5
## A handle for your relay, so people don't have to refer to it by key.
#Nickname ididnteditheconfig
## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 20 KB.
## Note that units for these config options are bytes per second, not bits
## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
#RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps)
#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies separately to sent and received bytes,
## not to their sum: setting "4 GB" may allow up to 8 GB total before
## hibernating.
##
## Set a maximum of 4 gigabytes each way per period.
#AccountingMax 4 GB
## Each period starts daily at midnight (AccountingMax is per day)
#AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
## is per month)
#AccountingStart month 3 15:00
## Administrative contact information for this relay or bridge. This line
## can be used to contact you if your relay or bridge is misconfigured or
## something else goes wrong. Note that we archive and publish all
## descriptors containing these lines and that Google indexes them, so
## spammers might also collect them. You may want to obscure the fact that
## it's an email address and/or generate a new address for this purpose.
#ContactInfo Random Person <nobody AT example dot com>
## You might also include your PGP or GPG fingerprint if you have one:
#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised in
## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
## follows. below too. You'll need to do ipchains or other port
## forwarding yourself to make this work.
#DirPort 80 NoListen
#DirPort 127.0.0.1:9091 NoAdvertise
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
## can explain what Tor is if anybody wonders why your IP address is
## contacting them. See contrib/tor-exit-notice.html in Tor's source
## distribution for a sample.
#DirPortFrontPage /etc/tor/tor-exit-notice.html
## Uncomment this if you run more than one Tor relay, and add the identity
## key fingerprint of each Tor relay you control, even if they're on
## different networks. You declare it here so Tor clients can avoid
## using more than one of your relays in a single circuit. See
## https://www.torproject.org/docs/faq#MultipleRelays
## However, you should never include a bridge's fingerprint here, as it would
## break its concealability and potentionally reveal its IP/TCP address.
#MyFamily $keyid,$keyid,...
## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins. If you want to _replace_
## the default exit policy, end this with either a reject *:* or an
## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
## default exit policy. Leave commented to just use the default, which is
## described in the man page or at
## https://www.torproject.org/documentation.html
##
## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
## For security, by default Tor rejects connections to private (local)
## networks, including to your public IP address. See the man page entry
## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
#ExitPolicy reject *:* # no exits allowed
## Bridge relays (or "bridges") are Tor relays that aren't listed in the
## main directory. Since there is no complete public list of them, even an
## ISP that filters connections to all the known Tor relays probably
## won't be able to block all the bridges. Also, websites won't treat you
## differently because they won't know you're running Tor. If you can
## be a real relay, please do; but if not, be a bridge!
#BridgeRelay 1
## By default, Tor will advertise your bridge to users through various
## mechanisms like https://bridges.torproject.org/. If you want to run
## a private bridge, for example because you'll give out your bridge
## address manually to your friends, uncomment this line:
#PublishServerDescriptor 0

257
configs/tor/torrc.sample Normal file
View file

@ -0,0 +1,257 @@
## Configuration file for a typical Tor user
## Last updated 28 February 2019 for Tor 0.3.5.1-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
## that begin with just "#" are disabled commands: you can enable them
## by removing the "#" symbol.
##
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
## for more options you can use in this file.
##
## Tor will look for this file in various places based on your platform:
## https://support.torproject.org/tbb/tbb-editing-torrc/
## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.
#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too.
## Entry policies to allow/deny SOCKS requests based on IP address.
## First entry that matches wins. If no SOCKSPolicy is set, we accept
## all (and only) requests that reach a SOCKSPort. Untrusted users who
## can access your SOCKSPort may be able to learn about the connections
## you make.
#SOCKSPolicy accept 192.168.0.0/16
#SOCKSPolicy accept6 FC00::/7
#SOCKSPolicy reject *
## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
## you want.
##
## We advise using "notice" in most cases, since anything more verbose
## may provide sensitive information to an attacker who obtains the logs.
##
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
#Log notice file /var/log/tor/notices.log
## Send every possible message to /var/log/tor/debug.log
#Log debug file /var/log/tor/debug.log
## Use the system log instead of Tor's logfiles
#Log notice syslog
## To send all messages to stderr:
#Log debug stderr
## Uncomment this to start the process in the background... or use
## --runasdaemon 1 on the command line. This is ignored on Windows;
## see the FAQ entry if you want Tor to run as an NT service.
#RunAsDaemon 1
## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
#DataDirectory /var/lib/tor
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
#ControlPort 9051
## If you enable the controlport, be sure to enable one of these
## authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
#CookieAuthentication 1
############### This section is just for location-hidden services ###
## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.
#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22
################ This section is just for relays #####################
#
## See https://community.torproject.org/relay for details.
## Required: what port to advertise for incoming Tor connections.
#ORPort 9001
## If you want to listen on a port other than the one advertised in
## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
## follows. You'll need to do ipchains or other port forwarding
## yourself to make this work.
#ORPort 443 NoListen
#ORPort 127.0.0.1:9090 NoAdvertise
## If you want to listen on IPv6 your numeric address must be explicitly
## between square brackets as follows. You must also listen on IPv4.
#ORPort [2001:DB8::1]:9050
## The IP address or full DNS name for incoming connections to your
## relay. Leave commented out and Tor will guess.
#Address noname.example.com
## If you have multiple network interfaces, you can specify one for
## outgoing traffic to use.
## OutboundBindAddressExit will be used for all exit traffic, while
## OutboundBindAddressOR will be used for all OR and Dir connections
## (DNS connections ignore OutboundBindAddress).
## If you do not wish to differentiate, use OutboundBindAddress to
## specify the same address for both in a single line.
#OutboundBindAddressExit 10.0.0.4
#OutboundBindAddressOR 10.0.0.5
## A handle for your relay, so people don't have to refer to it by key.
## Nicknames must be between 1 and 19 characters inclusive, and must
## contain only the characters [a-zA-Z0-9].
## If not set, "Unnamed" will be used.
#Nickname ididnteditheconfig
## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
## be at least 75 kilobytes per second.
## Note that units for these config options are bytes (per second), not
## bits (per second), and that prefixes are binary prefixes, i.e. 2^10,
## 2^20, etc.
#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps)
#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb)
## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies separately to sent and received bytes,
## not to their sum: setting "40 GB" may allow up to 80 GB total before
## hibernating.
##
## Set a maximum of 40 gigabytes each way per period.
#AccountingMax 40 GBytes
## Each period starts daily at midnight (AccountingMax is per day)
#AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
## is per month)
#AccountingStart month 3 15:00
## Administrative contact information for this relay or bridge. This line
## can be used to contact you if your relay or bridge is misconfigured or
## something else goes wrong. Note that we archive and publish all
## descriptors containing these lines and that Google indexes them, so
## spammers might also collect them. You may want to obscure the fact that
## it's an email address and/or generate a new address for this purpose.
##
## If you are running multiple relays, you MUST set this option.
##
#ContactInfo Random Person <nobody AT example dot com>
## You might also include your PGP or GPG fingerprint if you have one:
#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
## Uncomment this to mirror directory information for others. Please do
## if you have enough bandwidth.
#DirPort 9030 # what port to advertise for directory connections
## If you want to listen on a port other than the one advertised in
## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
## follows. below too. You'll need to do ipchains or other port
## forwarding yourself to make this work.
#DirPort 80 NoListen
#DirPort 127.0.0.1:9091 NoAdvertise
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
## can explain what Tor is if anybody wonders why your IP address is
## contacting them. See contrib/tor-exit-notice.html in Tor's source
## distribution for a sample.
#DirPortFrontPage /etc/tor/tor-exit-notice.html
## Uncomment this if you run more than one Tor relay, and add the identity
## key fingerprint of each Tor relay you control, even if they're on
## different networks. You declare it here so Tor clients can avoid
## using more than one of your relays in a single circuit. See
## https://support.torproject.org/relay-operators/multiple-relays/
## However, you should never include a bridge's fingerprint here, as it would
## break its concealability and potentially reveal its IP/TCP address.
##
## If you are running multiple relays, you MUST set this option.
##
## Note: do not use MyFamily on bridge relays.
#MyFamily $keyid,$keyid,...
## Uncomment this if you want your relay to be an exit, with the default
## exit policy (or whatever exit policy you set below).
## (If ReducedExitPolicy, ExitPolicy, or IPv6Exit are set, relays are exits.
## If none of these options are set, relays are non-exits.)
#ExitRelay 1
## Uncomment this if you want your relay to allow IPv6 exit traffic.
## (Relays do not allow any exit traffic by default.)
#IPv6Exit 1
## Uncomment this if you want your relay to be an exit, with a reduced set
## of exit ports.
#ReducedExitPolicy 1
## Uncomment these lines if you want your relay to be an exit, with the
## specified set of exit IPs and ports.
##
## A comma-separated list of exit policies. They're considered first
## to last, and the first match wins.
##
## If you want to allow the same ports on IPv4 and IPv6, write your rules
## using accept/reject *. If you want to allow different ports on IPv4 and
## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules
## using accept/reject *4.
##
## If you want to _replace_ the default exit policy, end this with either a
## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to)
## the default exit policy. Leave commented to just use the default, which is
## described in the man page or at
## https://support.torproject.org/relay-operators
##
## Look at https://support.torproject.org/abuse/exit-relay-expectations/
## for issues you might encounter if you use the default exit policy.
##
## If certain IPs and ports are blocked externally, e.g. by your firewall,
## you should update your exit policy to reflect this -- otherwise Tor
## users will be told that those destinations are down.
##
## For security, by default Tor rejects connections to private (local)
## networks, including to the configured primary public IPv4 and IPv6 addresses,
## and any public IPv4 and IPv6 addresses on any interface on the relay.
## See the man page entry for ExitPolicyRejectPrivate if you want to allow
## "exit enclaving".
##
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more
#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy
#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy
#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
#ExitPolicy reject *:* # no exits allowed
## Uncomment this if you want your exit relay to reevaluate its exit policy on
## existing connections when the exit policy is modified.
#ReevaluateExitPolicy 1
## Bridge relays (or "bridges") are Tor relays that aren't listed in the
## main directory. Since there is no complete public list of them, even an
## ISP that filters connections to all the known Tor relays probably
## won't be able to block all the bridges. Also, websites won't treat you
## differently because they won't know you're running Tor. If you can
## be a real relay, please do; but if not, be a bridge!
##
## Warning: when running your Tor as a bridge, make sure than MyFamily is
## NOT configured.
#BridgeRelay 1
## By default, Tor will advertise your bridge to users through various
## mechanisms like https://bridges.torproject.org/. If you want to run
## a private bridge, for example because you'll give out your bridge
## address manually to your friends, uncomment this line:
#BridgeDistribution none
## Configuration options can be imported from files or folders using the %include
## option with the value being a path. This path can have wildcards. Wildcards are
## expanded first, using lexical order. Then, for each matching file or folder, the following
## rules are followed: if the path is a file, the options from the file will be parsed as if
## they were written where the %include option is. If the path is a folder, all files on that
## folder will be parsed following lexical order. Files starting with a dot are ignored. Files
## on subfolders are ignored.
## The %include option can be used recursively.
#%include /etc/torrc.d/*.conf

16
host/README.md Normal file
View file

@ -0,0 +1,16 @@
# openSUSE host `koopa`
OS: **openSUSE Tumbleweed** · hostname **koopa** · LAN `192.168.100.95/24` · public AAAA on `eno1`
This directory holds **host-level** config only (systemd, firewalld, Caddy, network).
Application configs stay under `configs/taler-*` and `scripts/`.
| Path | Content |
|------|---------|
| `overview/` | Service map (diagram + table) |
| `systemd/` | socket proxies + caddy drop-in |
| `firewalld/` | public zone dump |
| `caddy/` | live Caddyfile |
| `network/` | addressing notes |
Edge router: **VeciGate** (`../vecigate-admin-log`).

10
host/network/README.md Normal file
View file

@ -0,0 +1,10 @@
# Network
| Interface | Address | Role |
|-----------|---------|------|
| eno1 | 192.168.100.95/24 | LAN (default route via VeciGate) |
| eno1 | 2a02:168:53a8::/64 (dynamic) | Global IPv6 (AAAA for taler/exchange) |
| lo | 127.0.0.1 | local |
SSH: LAN `:22`, WAN via VeciGate `23235``:22`.
Tor ORPort: `:8080` (WAN DNAT on VeciGate).

50
scripts/README.md Normal file
View file

@ -0,0 +1,50 @@
# Scripts
| Dir | Source on koopa |
|-----|-----------------|
| `taler-merchant/` | podman `taler-hacktivism`: `/root`, `/usr/local/bin` |
| `taler-exchange/` | podman `taler-exchange-hacktivism`: `/root`, `/usr/local/bin` |
| `taler-bank/` | podman `taler-bank-hacktivism`: `/root`, `/usr/local/bin` |
| `taler-sanity/` | host root checks (stack, settlement, helpers) |
| `taler-monitoring/` | **outside-in** public URL walk (`/config` → keys/terms/integration/webui) |
| `ops/` | host hygiene (`cleanup-root-scratch.sh`) |
| `monitoring/` | host `/home/hernani/scripts` (tor relay stats) |
| `taler-wallet-cli/` | thin wrappers; **benchmarks live in** `../benchmarks/` |
| `castopod/` | host `hernani` podman-compose `~/koopa-castopod` — see `castopod/README.md` |
**Scratch:** one-off probes live in **local** `koopa-admin-log/.tmp/` (gitignored). See `ops/ROOT_HYGIENE.md`.
**Secrets:** never in this tree — sibling **`../koopa-admin-secrets`** (`koopa/host-root/<service>/``/root/` on host; `containers/…/secrets/` for in-container).
## Manual start model (all three)
1. **root** runs `/root/start_base_services_for_taler_*.sh`
→ Debian-style postgres perms + start (`pg_ctlcluster` / `init.d`)
→ (+ exchange: secmods/helpers; merchant: nginx)
→ interactive shell as service user
→ automation: add **`--no-shell`** then run step 2 via `runuser`
2. **service user** runs `/usr/local/bin/start_*.sh` [ `--restart` ]
→ application process only
Postgres ownership (Debian defaults, if cluster was root-owned after bad ops):
```text
chown -R root:postgres /etc/postgresql
chmod confs 640 / dirs 755
chown -R postgres:postgres /var/lib/postgresql /var/log/postgresql /var/run/postgresql
# only remove postmaster.pid / socket locks when pg_isready fails and no live postgres
pg_ctlcluster 17 main start
```
| Container | Root base | App start | App user |
|-----------|-----------|-----------|----------|
| `taler-hacktivism` | `start_base_services_for_taler.sh` | `start_merchant.sh` | `taler-merchant-httpd` |
| `taler-exchange-hacktivism` | `start_base_services_for_taler_exchange.sh` | `start_exchange.sh` | `taler-exchange-httpd` |
Exchange one-shots (root, offline / wire):
`taler-exchange/wire-enable-and-upload.sh`, `offline-sign-upload-keys.sh`, `start_wire_helpers.sh`
| `taler-bank-hacktivism` | `start_base_services_for_taler_bank.sh` | `start_bank.sh` | `libeufin-bank` |
`runuser -u USER -- bash` (never `-u` with `-s` on util-linux).
SMS helper symlinks into `/var/taler-src/...` are not copied (merchant only).

249
scripts/monitoring/countries.txt Executable file
View file

@ -0,0 +1,249 @@
AF=Afghanistan
AX=Åland Islands
AL=Albania
DZ=Algeria
AS=American Samoa
AD=Andorra
AO=Angola
AI=Anguilla
AQ=Antarctica
AG=Antigua and Barbuda
AR=Argentina
AM=Armenia
AW=Aruba
AU=Australia
AT=Austria
AZ=Azerbaijan
BS=Bahamas
BH=Bahrain
BD=Bangladesh
BB=Barbados
BY=Belarus
BE=Belgium
BZ=Belize
BJ=Benin
BM=Bermuda
BT=Bhutan
BO=Bolivia
BQ=Bonaire, Sint Eustatius and Saba
BA=Bosnia and Herzegovina
BW=Botswana
BV=Bouvet Island
BR=Brazil
IO=British Indian Ocean Territory
BN=Brunei Darussalam
BG=Bulgaria
BF=Burkina Faso
BI=Burundi
KH=Cambodia
CM=Cameroon
CA=Canada
CV=Cabo Verde
KY=Cayman Islands
CF=Central African Republic
TD=Chad
CL=Chile
CN=China
CX=Christmas Island
CC=Cocos (Keeling) Islands
CO=Colombia
KM=Comoros
CG=Congo
CD=Congo (DRC)
CK=Cook Islands
CR=Costa Rica
CI=Côte d'Ivoire
HR=Croatia
CU=Cuba
CW=Curaçao
CY=Cyprus
CZ=Czechia
DK=Denmark
DJ=Djibouti
DM=Dominica
DO=Dominican Republic
EC=Ecuador
EG=Egypt
SV=El Salvador
GQ=Equatorial Guinea
ER=Eritrea
EE=Estonia
SZ=Eswatini
ET=Ethiopia
FK=Falkland Islands
FO=Faroe Islands
FJ=Fiji
FI=Finland
FR=France
GF=French Guiana
PF=French Polynesia
TF=French Southern Territories
GA=Gabon
GM=Gambia
GE=Georgia
DE=Germany
GH=Ghana
GI=Gibraltar
GR=Greece
GL=Greenland
GD=Grenada
GP=Guadeloupe
GU=Guam
GT=Guatemala
GG=Guernsey
GN=Guinea
GW=Guinea-Bissau
GY=Guyana
HT=Haiti
HM=Heard Island and McDonald Islands
VA=Holy See
HN=Honduras
HK=Hong Kong
HU=Hungary
IS=Iceland
IN=India
ID=Indonesia
IR=Iran
IQ=Iraq
IE=Ireland
IM=Isle of Man
IL=Israel
IT=Italy
JM=Jamaica
JP=Japan
JE=Jersey
JO=Jordan
KZ=Kazakhstan
KE=Kenya
KI=Kiribati
KP=North Korea
KR=South Korea
KW=Kuwait
KG=Kyrgyzstan
LA=Laos
LV=Latvia
LB=Lebanon
LS=Lesotho
LR=Liberia
LY=Libya
LI=Liechtenstein
LT=Lithuania
LU=Luxembourg
MO=Macao
MG=Madagascar
MW=Malawi
MY=Malaysia
MV=Maldives
ML=Mali
MT=Malta
MH=Marshall Islands
MQ=Martinique
MR=Mauritania
MU=Mauritius
YT=Mayotte
MX=Mexico
FM=Micronesia
MD=Moldova
MC=Monaco
MN=Mongolia
ME=Montenegro
MS=Montserrat
MA=Morocco
MZ=Mozambique
MM=Myanmar
NA=Namibia
NR=Nauru
NP=Nepal
NL=Netherlands
NC=New Caledonia
NZ=New Zealand
NI=Nicaragua
NE=Niger
NG=Nigeria
NU=Niue
NF=Norfolk Island
MK=North Macedonia
MP=Northern Mariana Islands
NO=Norway
OM=Oman
PK=Pakistan
PW=Palau
PS=Palestine
PA=Panama
PG=Papua New Guinea
PY=Paraguay
PE=Peru
PH=Philippines
PN=Pitcairn
PL=Poland
PT=Portugal
PR=Puerto Rico
QA=Qatar
RE=Réunion
RO=Romania
RU=Russia
RW=Rwanda
BL=Saint Barthélemy
SH=Saint Helena
KN=Saint Kitts and Nevis
LC=Saint Lucia
MF=Saint Martin
PM=Saint Pierre and Miquelon
VC=Saint Vincent and the Grenadines
WS=Samoa
SM=San Marino
ST=Sao Tome and Principe
SA=Saudi Arabia
SN=Senegal
RS=Serbia
SC=Seychelles
SL=Sierra Leone
SG=Singapore
SX=Sint Maarten
SK=Slovakia
SI=Slovenia
SB=Solomon Islands
SO=Somalia
ZA=South Africa
GS=South Georgia and the South Sandwich Islands
SS=South Sudan
ES=Spain
LK=Sri Lanka
SD=Sudan
SR=Suriname
SJ=Svalbard and Jan Mayen
SE=Sweden
CH=Switzerland
SY=Syria
TW=Taiwan
TJ=Tajikistan
TZ=Tanzania
TH=Thailand
TL=Timor-Leste
TG=Togo
TK=Tokelau
TO=Tonga
TT=Trinidad and Tobago
TN=Tunisia
TR=Türkiye
TM=Turkmenistan
TC=Turks and Caicos Islands
TV=Tuvalu
UG=Uganda
UA=Ukraine
AE=United Arab Emirates
GB=United Kingdom
US=United States
UM=U.S. Minor Outlying Islands
UY=Uruguay
UZ=Uzbekistan
VU=Vanuatu
VE=Venezuela
VN=Vietnam
VG=Virgin Islands (British)
VI=Virgin Islands (U.S.)
WF=Wallis and Futuna
EH=Western Sahara
YE=Yemen
ZM=Zambia
ZW=Zimbabwe

View file

@ -0,0 +1,8 @@
#!/bin/sh
for ((;;))
do
date &&
echo -n "Tor IPv4 inbound connects: "; ss -s -4 | grep 192.168.100.95:https | wc -l &&
echo -n "Tor IPv6 inbound connects: "; ss -s -6 | grep -E '::1]:https' | wc -l &&
sleep 3600
done

View file

@ -0,0 +1,2 @@
#!/bin/bash
for ((;;)); do date && time ./tor_show_relays.sh -5000 | grep '|' | cat -n | grep -Ei 'koopa|firecuda' && sleep 86400; done

View file

@ -0,0 +1,108 @@
#!/bin/bash
CACHE_DIR="cache"
COUNTRY_FILE="countries.txt"
DEFAULT_TOP=100
TOPN=$DEFAULT_TOP
mkdir -p "$CACHE_DIR"
# Parse -N flag
if [[ "$1" =~ ^-([0-9]+)$ ]]; then
TOPN="${BASH_REMATCH[1]}"
fi
# ===========================
# LOAD COUNTRY NAMES
# ===========================
declare -A COUNTRY_NAME
while IFS='=' read -r ISO NAME; do
[[ -z "$ISO" ]] && continue
COUNTRY_NAME["$ISO"]="$NAME"
done < "$COUNTRY_FILE"
# ===========================
# SMART FETCH (ETag-based)
# ===========================
fetch_if_new() {
local url="$1"
local outfile="$2"
local etagfile="${outfile}.etag"
echo "→ Checking $outfile"
curl -s \
--etag-save "$etagfile" \
--etag-compare "$etagfile" \
-o "$outfile" \
"$url"
echo " Size: $(du -h "$outfile" | cut -f1)"
}
DETAILS_JSON="$CACHE_DIR/details.json"
BANDWIDTH_JSON="$CACHE_DIR/bandwidth.json"
MERGED="$CACHE_DIR/merged.txt"
echo "=== STEP 1: Downloading (if new) ==="
fetch_if_new \
"https://onionoo.torproject.org/details?type=relay&fields=fingerprint,country,nickname" \
"$DETAILS_JSON"
fetch_if_new \
"https://onionoo.torproject.org/bandwidth?type=relay&fields=fingerprint,write_history" \
"$BANDWIDTH_JSON"
# ===========================
# STEP 2: MERGE EVERYTHING IN ONE jq PASS
# ===========================
echo
echo "=== STEP 2: Merging in jq (single pass) ==="
jq -s -r '
# Build index of details by fingerprint
(.[0].relays
| map({
fp: .fingerprint,
country: (.country // "??"),
nickname: (.nickname // "UnknownRelay")
})
| INDEX(.fp)
) as $d
# Iterate over bandwidth relays
| .[1].relays[]
| .fingerprint as $fp
| ($d[$fp].country) as $cc
| ($d[$fp].nickname) as $nick
| (.write_history["1_month"].factor // 0) as $bw
# Output: bw fp cc nickname
| "\($bw) \($fp) \($cc) \($nick)"
' "$DETAILS_JSON" "$BANDWIDTH_JSON" > "$MERGED"
echo " Merged lines: $(wc -l < "$MERGED")"
# ===========================
# STEP 3: SORT + PRINT
# ===========================
echo
echo "=== STEP 3: Sorting and printing ==="
echo
echo "=== Top $TOPN Tor Relays (by 1-month write factor) ==="
echo
sort -nr "$MERGED" | head -n "$TOPN" | while read -r BW FP CC NICK; do
CC_UP=$(echo "$CC" | tr '[:lower:]' '[:upper:]')
FULL="${COUNTRY_NAME[$CC_UP]}"
[[ -z "$FULL" ]] && FULL="$NICK"
printf "%-40s | %12.2f | %-20s | %2s (%s)\n" "$FP" "$BW" "$NICK" "$CC_UP" "$FULL"
done
echo
echo "Done."

View file

@ -0,0 +1,83 @@
#!/bin/bash
PORT=8080
DB="/usr/share/GeoIP/GeoLite2-Country.mmdb"
LOGFILE="/dev/null"
COUNTRY_FILE="countries.txt"
declare -A COUNTRY_COUNT
declare -A SEEN
declare -A COUNTRY_NAME
# --- Parse -N flag (e.g. -10 means show top 10) ---
TOPN=0
if [[ "$1" =~ ^-([0-9]+)$ ]]; then
TOPN="${BASH_REMATCH[1]}"
fi
# --- Load external country list ---
while IFS='=' read -r ISO NAME; do
[[ -z "$ISO" ]] && continue
COUNTRY_NAME["$ISO"]="$NAME"
done < "$COUNTRY_FILE"
echo "Monitoring port $PORT..."
echo "Updating table every 5 seconds."
[[ $TOPN -gt 0 ]] && echo "Showing only Top $TOPN countries."
LAST_REFRESH=0
while true; do
# FAST LOOP: collect new connections
IPS=$(ss -tn sport = :$PORT | awk 'NR>1 {print $5}' | cut -d: -f1)
for IP in $IPS; do
[[ "$IP" == "127.0.0.1" ]] && continue
if [[ -z "${SEEN[$IP]}" ]]; then
SEEN[$IP]=1
RAW=$(mmdblookup --file "$DB" --ip "$IP" country iso_code 2>/dev/null)
ISO=$(echo "$RAW" | grep -oE '[A-Z]{2}')
[[ -z "$ISO" ]] && ISO="UNKNOWN"
COUNTRY_COUNT["$ISO"]=$(( COUNTRY_COUNT["$ISO"] + 1 ))
NAME="${COUNTRY_NAME[$ISO]}"
[[ -z "$NAME" ]] && NAME="Unknown Country"
echo "$(date '+%F %T') - $IP - $ISO ($NAME)" >> "$LOGFILE"
fi
done
# SLOW LOOP: refresh display every 5 seconds
NOW=$(date +%s)
if (( NOW - LAST_REFRESH >= 5 )); then
LAST_REFRESH=$NOW
clear
echo "=== Live GeoIP Stats (Port $PORT) ==="
echo "(Updated: $(date '+%H:%M:%S'))"
echo
# Sort by count (descending)
SORTED=$(for ISO in "${!COUNTRY_COUNT[@]}"; do
echo "${COUNTRY_COUNT[$ISO]} $ISO"
done | sort -rn)
COUNT=0
while read -r LINE; do
NUM=$(echo "$LINE" | awk '{print $1}')
ISO=$(echo "$LINE" | awk '{print $2}')
NAME="${COUNTRY_NAME[$ISO]}"
[[ -z "$NAME" ]] && NAME="Unknown Country"
echo "$ISO ($NAME): $NUM"
((COUNT++))
[[ $TOPN -gt 0 && $COUNT -ge $TOPN ]] && break
done <<< "$SORTED"
fi
sleep 0.1
done