diff --git a/configs/README.md b/configs/README.md new file mode 100644 index 0000000..39db0b6 --- /dev/null +++ b/configs/README.md @@ -0,0 +1,20 @@ +# Configs + +| Path | Source on koopa | +|------|-----------------| +| `caddy/` | host `/etc/caddy` | +| `tor/` | host `/etc/tor` | +| `taler-exchange/` | container `taler-exchange-hacktivism`: overrides + coins | +| `taler-merchant/` | container `taler-hacktivism`: overrides + conf.d + nginx vhost | +| `taler-bank/` | container `taler-bank-hacktivism`: bank-overrides (libeufin) | +| `systemd/` | host proxy sockets / caddy drop-in | +| `firewalld/`, `ports.md` | host edge ports | + +Package defaults are not mirrored; **site overrides** and relevant drop-ins only. + +``` +configs/taler-{exchange,merchant,bank}/ + README.md + *-overrides.conf + … +``` diff --git a/configs/tor/torrc b/configs/tor/torrc new file mode 100644 index 0000000..47a0e5e --- /dev/null +++ b/configs/tor/torrc @@ -0,0 +1,12 @@ +Log notice file /var/log/tor/notices.log +Nickname KoopaRelay +ContactInfo info+koopa@hacktivism.ch +ORPort 8080 +ControlPort 9051 +ExitRelay 0 +SocksPort 0 +MyFamily 52BB94DDC1292F950CF728708AC48523E018A718 +BandwidthRate 2000 MBytes +BandwidthBurst 2000 MBytes +RelayBandwidthRate 2000 MBytes +RelayBandwidthBurst 2000 MBytes diff --git a/configs/tor/torrc.minimal b/configs/tor/torrc.minimal new file mode 100644 index 0000000..a05f52c --- /dev/null +++ b/configs/tor/torrc.minimal @@ -0,0 +1,192 @@ +## Configuration file for a typical Tor user +## Last updated 9 October 2013 for Tor 0.2.5.2-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a socks proxy on port 9050 by default -- even if you don't +## configure one below. Set "SocksPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. +#SocksPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests that reach a SocksPort. Untrusted users who +## can access your SocksPort may be able to learn about the connections +## you make. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +#DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +#ORPort 9001 +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +# OutboundBindAddress 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +#Nickname ididnteditheconfig + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 KB. +## Note that units for these config options are bytes per second, not bits +## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc. +#RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps) + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "4 GB" may allow up to 8 GB total before +## hibernating. +## +## Set a maximum of 4 gigabytes each way per period. +#AccountingMax 4 GB +## Each period starts daily at midnight (AccountingMax is per day) +#AccountingStart day 00:00 +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 0xFFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentionally reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to your public IP address. See the man page entry +## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy reject *:* # no exits allowed + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#PublishServerDescriptor 0 + diff --git a/configs/tor/torrc.sample b/configs/tor/torrc.sample new file mode 100644 index 0000000..7be6773 --- /dev/null +++ b/configs/tor/torrc.sample @@ -0,0 +1,257 @@ +## Configuration file for a typical Tor user +## Last updated 28 February 2019 for Tor 0.3.5.1-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://support.torproject.org/tbb/tbb-editing-torrc/ + +## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't +## configure one below. Set "SOCKSPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections. +#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SOCKSPolicy is set, we accept +## all (and only) requests that reach a SOCKSPort. Untrusted users who +## can access your SOCKSPort may be able to learn about the connections +## you make. +#SOCKSPolicy accept 192.168.0.0/16 +#SOCKSPolicy accept6 FC00::/7 +#SOCKSPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +#DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://community.torproject.org/relay for details. + +## Required: what port to advertise for incoming Tor connections. +#ORPort 9001 +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise +## If you want to listen on IPv6 your numeric address must be explicitly +## between square brackets as follows. You must also listen on IPv4. +#ORPort [2001:DB8::1]:9050 + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +## OutboundBindAddressExit will be used for all exit traffic, while +## OutboundBindAddressOR will be used for all OR and Dir connections +## (DNS connections ignore OutboundBindAddress). +## If you do not wish to differentiate, use OutboundBindAddress to +## specify the same address for both in a single line. +#OutboundBindAddressExit 10.0.0.4 +#OutboundBindAddressOR 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +## Nicknames must be between 1 and 19 characters inclusive, and must +## contain only the characters [a-zA-Z0-9]. +## If not set, "Unnamed" will be used. +#Nickname ididnteditheconfig + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 75 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "40 GB" may allow up to 80 GB total before +## hibernating. +## +## Set a maximum of 40 gigabytes each way per period. +#AccountingMax 40 GBytes +## Each period starts daily at midnight (AccountingMax is per day) +#AccountingStart day 00:00 +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +## +## If you are running multiple relays, you MUST set this option. +## +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 0xFFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://support.torproject.org/relay-operators/multiple-relays/ +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +## +## If you are running multiple relays, you MUST set this option. +## +## Note: do not use MyFamily on bridge relays. +#MyFamily $keyid,$keyid,... + +## Uncomment this if you want your relay to be an exit, with the default +## exit policy (or whatever exit policy you set below). +## (If ReducedExitPolicy, ExitPolicy, or IPv6Exit are set, relays are exits. +## If none of these options are set, relays are non-exits.) +#ExitRelay 1 + +## Uncomment this if you want your relay to allow IPv6 exit traffic. +## (Relays do not allow any exit traffic by default.) +#IPv6Exit 1 + +## Uncomment this if you want your relay to be an exit, with a reduced set +## of exit ports. +#ReducedExitPolicy 1 + +## Uncomment these lines if you want your relay to be an exit, with the +## specified set of exit IPs and ports. +## +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. +## +## If you want to allow the same ports on IPv4 and IPv6, write your rules +## using accept/reject *. If you want to allow different ports on IPv4 and +## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules +## using accept/reject *4. +## +## If you want to _replace_ the default exit policy, end this with either a +## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to) +## the default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://support.torproject.org/relay-operators +## +## Look at https://support.torproject.org/abuse/exit-relay-expectations/ +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to the configured primary public IPv4 and IPv6 addresses, +## and any public IPv4 and IPv6 addresses on any interface on the relay. +## See the man page entry for ExitPolicyRejectPrivate if you want to allow +## "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more +#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy +#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy +#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy +#ExitPolicy reject *:* # no exits allowed + +## Uncomment this if you want your exit relay to reevaluate its exit policy on +## existing connections when the exit policy is modified. +#ReevaluateExitPolicy 1 + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +## +## Warning: when running your Tor as a bridge, make sure than MyFamily is +## NOT configured. +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#BridgeDistribution none + +## Configuration options can be imported from files or folders using the %include +## option with the value being a path. This path can have wildcards. Wildcards are +## expanded first, using lexical order. Then, for each matching file or folder, the following +## rules are followed: if the path is a file, the options from the file will be parsed as if +## they were written where the %include option is. If the path is a folder, all files on that +## folder will be parsed following lexical order. Files starting with a dot are ignored. Files +## on subfolders are ignored. +## The %include option can be used recursively. +#%include /etc/torrc.d/*.conf + diff --git a/host/README.md b/host/README.md new file mode 100644 index 0000000..79c7694 --- /dev/null +++ b/host/README.md @@ -0,0 +1,16 @@ +# openSUSE host `koopa` + +OS: **openSUSE Tumbleweed** · hostname **koopa** · LAN `192.168.100.95/24` · public AAAA on `eno1` + +This directory holds **host-level** config only (systemd, firewalld, Caddy, network). +Application configs stay under `configs/taler-*` and `scripts/`. + +| Path | Content | +|------|---------| +| `overview/` | Service map (diagram + table) | +| `systemd/` | socket proxies + caddy drop-in | +| `firewalld/` | public zone dump | +| `caddy/` | live Caddyfile | +| `network/` | addressing notes | + +Edge router: **VeciGate** (`../vecigate-admin-log`). diff --git a/host/network/README.md b/host/network/README.md new file mode 100644 index 0000000..eeed5bc --- /dev/null +++ b/host/network/README.md @@ -0,0 +1,10 @@ +# Network + +| Interface | Address | Role | +|-----------|---------|------| +| eno1 | 192.168.100.95/24 | LAN (default route via VeciGate) | +| eno1 | 2a02:168:53a8::/64 (dynamic) | Global IPv6 (AAAA for taler/exchange) | +| lo | 127.0.0.1 | local | + +SSH: LAN `:22`, WAN via VeciGate `23235` → `:22`. +Tor ORPort: `:8080` (WAN DNAT on VeciGate). diff --git a/scripts/README.md b/scripts/README.md new file mode 100644 index 0000000..9ca86eb --- /dev/null +++ b/scripts/README.md @@ -0,0 +1,50 @@ +# Scripts + +| Dir | Source on koopa | +|-----|-----------------| +| `taler-merchant/` | podman `taler-hacktivism`: `/root`, `/usr/local/bin` | +| `taler-exchange/` | podman `taler-exchange-hacktivism`: `/root`, `/usr/local/bin` | +| `taler-bank/` | podman `taler-bank-hacktivism`: `/root`, `/usr/local/bin` | +| `taler-sanity/` | host root checks (stack, settlement, helpers) | +| `taler-monitoring/` | **outside-in** public URL walk (`/config` → keys/terms/integration/webui) | +| `ops/` | host hygiene (`cleanup-root-scratch.sh`) | +| `monitoring/` | host `/home/hernani/scripts` (tor relay stats) | +| `taler-wallet-cli/` | thin wrappers; **benchmarks live in** `../benchmarks/` | +| `castopod/` | host `hernani` podman-compose `~/koopa-castopod` — see `castopod/README.md` | + +**Scratch:** one-off probes live in **local** `koopa-admin-log/.tmp/` (gitignored). See `ops/ROOT_HYGIENE.md`. + +**Secrets:** never in this tree — sibling **`../koopa-admin-secrets`** (`koopa/host-root//` ↔ `/root/` on host; `containers/…/secrets/` for in-container). + +## Manual start model (all three) + +1. **root** runs `/root/start_base_services_for_taler_*.sh` + → Debian-style postgres perms + start (`pg_ctlcluster` / `init.d`) + → (+ exchange: secmods/helpers; merchant: nginx) + → interactive shell as service user + → automation: add **`--no-shell`** then run step 2 via `runuser` +2. **service user** runs `/usr/local/bin/start_*.sh` [ `--restart` ] + → application process only + +Postgres ownership (Debian defaults, if cluster was root-owned after bad ops): + +```text +chown -R root:postgres /etc/postgresql +chmod confs 640 / dirs 755 +chown -R postgres:postgres /var/lib/postgresql /var/log/postgresql /var/run/postgresql +# only remove postmaster.pid / socket locks when pg_isready fails and no live postgres +pg_ctlcluster 17 main start +``` + +| Container | Root base | App start | App user | +|-----------|-----------|-----------|----------| +| `taler-hacktivism` | `start_base_services_for_taler.sh` | `start_merchant.sh` | `taler-merchant-httpd` | +| `taler-exchange-hacktivism` | `start_base_services_for_taler_exchange.sh` | `start_exchange.sh` | `taler-exchange-httpd` | + +Exchange one-shots (root, offline / wire): +`taler-exchange/wire-enable-and-upload.sh`, `offline-sign-upload-keys.sh`, `start_wire_helpers.sh` +| `taler-bank-hacktivism` | `start_base_services_for_taler_bank.sh` | `start_bank.sh` | `libeufin-bank` | + +`runuser -u USER -- bash` (never `-u` with `-s` on util-linux). + +SMS helper symlinks into `/var/taler-src/...` are not copied (merchant only). diff --git a/scripts/monitoring/countries.txt b/scripts/monitoring/countries.txt new file mode 100755 index 0000000..9177e28 --- /dev/null +++ b/scripts/monitoring/countries.txt @@ -0,0 +1,249 @@ +AF=Afghanistan +AX=Åland Islands +AL=Albania +DZ=Algeria +AS=American Samoa +AD=Andorra +AO=Angola +AI=Anguilla +AQ=Antarctica +AG=Antigua and Barbuda +AR=Argentina +AM=Armenia +AW=Aruba +AU=Australia +AT=Austria +AZ=Azerbaijan +BS=Bahamas +BH=Bahrain +BD=Bangladesh +BB=Barbados +BY=Belarus +BE=Belgium +BZ=Belize +BJ=Benin +BM=Bermuda +BT=Bhutan +BO=Bolivia +BQ=Bonaire, Sint Eustatius and Saba +BA=Bosnia and Herzegovina +BW=Botswana +BV=Bouvet Island +BR=Brazil +IO=British Indian Ocean Territory +BN=Brunei Darussalam +BG=Bulgaria +BF=Burkina Faso +BI=Burundi +KH=Cambodia +CM=Cameroon +CA=Canada +CV=Cabo Verde +KY=Cayman Islands +CF=Central African Republic +TD=Chad +CL=Chile +CN=China +CX=Christmas Island +CC=Cocos (Keeling) Islands +CO=Colombia +KM=Comoros +CG=Congo +CD=Congo (DRC) +CK=Cook Islands +CR=Costa Rica +CI=Côte d'Ivoire +HR=Croatia +CU=Cuba +CW=Curaçao +CY=Cyprus +CZ=Czechia +DK=Denmark +DJ=Djibouti +DM=Dominica +DO=Dominican Republic +EC=Ecuador +EG=Egypt +SV=El Salvador +GQ=Equatorial Guinea +ER=Eritrea +EE=Estonia +SZ=Eswatini +ET=Ethiopia +FK=Falkland Islands +FO=Faroe Islands +FJ=Fiji +FI=Finland +FR=France +GF=French Guiana +PF=French Polynesia +TF=French Southern Territories +GA=Gabon +GM=Gambia +GE=Georgia +DE=Germany +GH=Ghana +GI=Gibraltar +GR=Greece +GL=Greenland +GD=Grenada +GP=Guadeloupe +GU=Guam +GT=Guatemala +GG=Guernsey +GN=Guinea +GW=Guinea-Bissau +GY=Guyana +HT=Haiti +HM=Heard Island and McDonald Islands +VA=Holy See +HN=Honduras +HK=Hong Kong +HU=Hungary +IS=Iceland +IN=India +ID=Indonesia +IR=Iran +IQ=Iraq +IE=Ireland +IM=Isle of Man +IL=Israel +IT=Italy +JM=Jamaica +JP=Japan +JE=Jersey +JO=Jordan +KZ=Kazakhstan +KE=Kenya +KI=Kiribati +KP=North Korea +KR=South Korea +KW=Kuwait +KG=Kyrgyzstan +LA=Laos +LV=Latvia +LB=Lebanon +LS=Lesotho +LR=Liberia +LY=Libya +LI=Liechtenstein +LT=Lithuania +LU=Luxembourg +MO=Macao +MG=Madagascar +MW=Malawi +MY=Malaysia +MV=Maldives +ML=Mali +MT=Malta +MH=Marshall Islands +MQ=Martinique +MR=Mauritania +MU=Mauritius +YT=Mayotte +MX=Mexico +FM=Micronesia +MD=Moldova +MC=Monaco +MN=Mongolia +ME=Montenegro +MS=Montserrat +MA=Morocco +MZ=Mozambique +MM=Myanmar +NA=Namibia +NR=Nauru +NP=Nepal +NL=Netherlands +NC=New Caledonia +NZ=New Zealand +NI=Nicaragua +NE=Niger +NG=Nigeria +NU=Niue +NF=Norfolk Island +MK=North Macedonia +MP=Northern Mariana Islands +NO=Norway +OM=Oman +PK=Pakistan +PW=Palau +PS=Palestine +PA=Panama +PG=Papua New Guinea +PY=Paraguay +PE=Peru +PH=Philippines +PN=Pitcairn +PL=Poland +PT=Portugal +PR=Puerto Rico +QA=Qatar +RE=Réunion +RO=Romania +RU=Russia +RW=Rwanda +BL=Saint Barthélemy +SH=Saint Helena +KN=Saint Kitts and Nevis +LC=Saint Lucia +MF=Saint Martin +PM=Saint Pierre and Miquelon +VC=Saint Vincent and the Grenadines +WS=Samoa +SM=San Marino +ST=Sao Tome and Principe +SA=Saudi Arabia +SN=Senegal +RS=Serbia +SC=Seychelles +SL=Sierra Leone +SG=Singapore +SX=Sint Maarten +SK=Slovakia +SI=Slovenia +SB=Solomon Islands +SO=Somalia +ZA=South Africa +GS=South Georgia and the South Sandwich Islands +SS=South Sudan +ES=Spain +LK=Sri Lanka +SD=Sudan +SR=Suriname +SJ=Svalbard and Jan Mayen +SE=Sweden +CH=Switzerland +SY=Syria +TW=Taiwan +TJ=Tajikistan +TZ=Tanzania +TH=Thailand +TL=Timor-Leste +TG=Togo +TK=Tokelau +TO=Tonga +TT=Trinidad and Tobago +TN=Tunisia +TR=Türkiye +TM=Turkmenistan +TC=Turks and Caicos Islands +TV=Tuvalu +UG=Uganda +UA=Ukraine +AE=United Arab Emirates +GB=United Kingdom +US=United States +UM=U.S. Minor Outlying Islands +UY=Uruguay +UZ=Uzbekistan +VU=Vanuatu +VE=Venezuela +VN=Vietnam +VG=Virgin Islands (British) +VI=Virgin Islands (U.S.) +WF=Wallis and Futuna +EH=Western Sahara +YE=Yemen +ZM=Zambia +ZW=Zimbabwe diff --git a/scripts/monitoring/tor_inbound_connects.sh b/scripts/monitoring/tor_inbound_connects.sh new file mode 100755 index 0000000..168e6fc --- /dev/null +++ b/scripts/monitoring/tor_inbound_connects.sh @@ -0,0 +1,8 @@ +#!/bin/sh +for ((;;)) + do + date && + echo -n "Tor IPv4 inbound connects: "; ss -s -4 | grep 192.168.100.95:https | wc -l && + echo -n "Tor IPv6 inbound connects: "; ss -s -6 | grep -E '::1]:https' | wc -l && + sleep 3600 + done diff --git a/scripts/monitoring/tor_show_relays--koopa+firecuda.sh b/scripts/monitoring/tor_show_relays--koopa+firecuda.sh new file mode 100755 index 0000000..07799a6 --- /dev/null +++ b/scripts/monitoring/tor_show_relays--koopa+firecuda.sh @@ -0,0 +1,2 @@ +#!/bin/bash + for ((;;)); do date && time ./tor_show_relays.sh -5000 | grep '|' | cat -n | grep -Ei 'koopa|firecuda' && sleep 86400; done diff --git a/scripts/monitoring/tor_show_relays.sh b/scripts/monitoring/tor_show_relays.sh new file mode 100755 index 0000000..116fe9b --- /dev/null +++ b/scripts/monitoring/tor_show_relays.sh @@ -0,0 +1,108 @@ +#!/bin/bash + +CACHE_DIR="cache" +COUNTRY_FILE="countries.txt" +DEFAULT_TOP=100 +TOPN=$DEFAULT_TOP + +mkdir -p "$CACHE_DIR" + +# Parse -N flag +if [[ "$1" =~ ^-([0-9]+)$ ]]; then + TOPN="${BASH_REMATCH[1]}" +fi + +# =========================== +# LOAD COUNTRY NAMES +# =========================== + +declare -A COUNTRY_NAME +while IFS='=' read -r ISO NAME; do + [[ -z "$ISO" ]] && continue + COUNTRY_NAME["$ISO"]="$NAME" +done < "$COUNTRY_FILE" + +# =========================== +# SMART FETCH (ETag-based) +# =========================== + +fetch_if_new() { + local url="$1" + local outfile="$2" + local etagfile="${outfile}.etag" + + echo "→ Checking $outfile" + curl -s \ + --etag-save "$etagfile" \ + --etag-compare "$etagfile" \ + -o "$outfile" \ + "$url" + + echo " Size: $(du -h "$outfile" | cut -f1)" +} + +DETAILS_JSON="$CACHE_DIR/details.json" +BANDWIDTH_JSON="$CACHE_DIR/bandwidth.json" +MERGED="$CACHE_DIR/merged.txt" + +echo "=== STEP 1: Downloading (if new) ===" +fetch_if_new \ + "https://onionoo.torproject.org/details?type=relay&fields=fingerprint,country,nickname" \ + "$DETAILS_JSON" + +fetch_if_new \ + "https://onionoo.torproject.org/bandwidth?type=relay&fields=fingerprint,write_history" \ + "$BANDWIDTH_JSON" + +# =========================== +# STEP 2: MERGE EVERYTHING IN ONE jq PASS +# =========================== + +echo +echo "=== STEP 2: Merging in jq (single pass) ===" + +jq -s -r ' + # Build index of details by fingerprint + (.[0].relays + | map({ + fp: .fingerprint, + country: (.country // "??"), + nickname: (.nickname // "UnknownRelay") + }) + | INDEX(.fp) + ) as $d + + # Iterate over bandwidth relays + | .[1].relays[] + | .fingerprint as $fp + | ($d[$fp].country) as $cc + | ($d[$fp].nickname) as $nick + | (.write_history["1_month"].factor // 0) as $bw + + # Output: bw fp cc nickname + | "\($bw) \($fp) \($cc) \($nick)" +' "$DETAILS_JSON" "$BANDWIDTH_JSON" > "$MERGED" + +echo " Merged lines: $(wc -l < "$MERGED")" + +# =========================== +# STEP 3: SORT + PRINT +# =========================== + +echo +echo "=== STEP 3: Sorting and printing ===" +echo +echo "=== Top $TOPN Tor Relays (by 1-month write factor) ===" +echo + +sort -nr "$MERGED" | head -n "$TOPN" | while read -r BW FP CC NICK; do + CC_UP=$(echo "$CC" | tr '[:lower:]' '[:upper:]') + FULL="${COUNTRY_NAME[$CC_UP]}" + [[ -z "$FULL" ]] && FULL="$NICK" + + printf "%-40s | %12.2f | %-20s | %2s (%s)\n" "$FP" "$BW" "$NICK" "$CC_UP" "$FULL" + +done + +echo +echo "Done." diff --git a/scripts/monitoring/tor_stats_per_country.sh b/scripts/monitoring/tor_stats_per_country.sh new file mode 100755 index 0000000..b7e99cc --- /dev/null +++ b/scripts/monitoring/tor_stats_per_country.sh @@ -0,0 +1,83 @@ +#!/bin/bash + +PORT=8080 +DB="/usr/share/GeoIP/GeoLite2-Country.mmdb" +LOGFILE="/dev/null" +COUNTRY_FILE="countries.txt" + +declare -A COUNTRY_COUNT +declare -A SEEN +declare -A COUNTRY_NAME + +# --- Parse -N flag (e.g. -10 means show top 10) --- +TOPN=0 +if [[ "$1" =~ ^-([0-9]+)$ ]]; then + TOPN="${BASH_REMATCH[1]}" +fi + +# --- Load external country list --- +while IFS='=' read -r ISO NAME; do + [[ -z "$ISO" ]] && continue + COUNTRY_NAME["$ISO"]="$NAME" +done < "$COUNTRY_FILE" + +echo "Monitoring port $PORT..." +echo "Updating table every 5 seconds." +[[ $TOPN -gt 0 ]] && echo "Showing only Top $TOPN countries." + +LAST_REFRESH=0 + +while true; do + # FAST LOOP: collect new connections + IPS=$(ss -tn sport = :$PORT | awk 'NR>1 {print $5}' | cut -d: -f1) + + for IP in $IPS; do + [[ "$IP" == "127.0.0.1" ]] && continue + + if [[ -z "${SEEN[$IP]}" ]]; then + SEEN[$IP]=1 + + RAW=$(mmdblookup --file "$DB" --ip "$IP" country iso_code 2>/dev/null) + ISO=$(echo "$RAW" | grep -oE '[A-Z]{2}') + [[ -z "$ISO" ]] && ISO="UNKNOWN" + + COUNTRY_COUNT["$ISO"]=$(( COUNTRY_COUNT["$ISO"] + 1 )) + + NAME="${COUNTRY_NAME[$ISO]}" + [[ -z "$NAME" ]] && NAME="Unknown Country" + + echo "$(date '+%F %T') - $IP - $ISO ($NAME)" >> "$LOGFILE" + fi + done + + # SLOW LOOP: refresh display every 5 seconds + NOW=$(date +%s) + if (( NOW - LAST_REFRESH >= 5 )); then + LAST_REFRESH=$NOW + + clear + echo "=== Live GeoIP Stats (Port $PORT) ===" + echo "(Updated: $(date '+%H:%M:%S'))" + echo + + # Sort by count (descending) + SORTED=$(for ISO in "${!COUNTRY_COUNT[@]}"; do + echo "${COUNTRY_COUNT[$ISO]} $ISO" + done | sort -rn) + + COUNT=0 + while read -r LINE; do + NUM=$(echo "$LINE" | awk '{print $1}') + ISO=$(echo "$LINE" | awk '{print $2}') + NAME="${COUNTRY_NAME[$ISO]}" + [[ -z "$NAME" ]] && NAME="Unknown Country" + + echo "$ISO ($NAME): $NUM" + + ((COUNT++)) + [[ $TOPN -gt 0 && $COUNT -ge $TOPN ]] && break + done <<< "$SORTED" + fi + + sleep 0.1 +done