Files
floonet-strfry/docker-compose.yml
T
2ro ab1a72d652 Retire the mixnet exit; document Tor as the transport
The Goblin wallet moved off the Nym mixnet to Tor: it now reaches relays
over a Tor circuit to their clearnet endpoint, so the co-located mixnet
exit this package bundled is retired.

- delete the vendored `mixexit/` crate and the hardened
  `deploy/systemd/floonet-mixexit.service` bare-metal unit
- docker-compose: drop the `mixexit` service (COMPOSE_PROFILES=exit) and
  its `mixexit-data` volume; fix the top-of-file service list
- .env.example: replace the "Mixnet exit" block (COMPOSE_PROFILES=exit,
  FLOONET_EXIT_UPSTREAM) with the Tor onion toggle
- README: replace the "Mixnet exit" section with "Tor onion", fix the
  feature table, deploy paths, and the COMPOSE_PROFILES reference row

Add Tor as the first-class replacement deploy option, the same recipe
already proven in production: an optional `tor` compose service
(COMPOSE_PROFILES=tor) plus deploy/tor/torrc, a stock system tor daemon
whose hidden service forwards straight to strfry's websocket listener
(no TLS on that hop, the onion is already encrypted end to end). strfry
core stays stock; this is packaging and docs, no relay patch.

The default stack is unchanged (the onion is opt-in, as the exit was).
name-authority builds green; cargo test and clippy pass. docker-compose
validated (structure + YAML).
2026-07-04 06:30:51 -04:00

115 lines
4.2 KiB
YAML

# A full, self-contained Floonet relay with automatic HTTPS.
#
# cp .env.example .env # edit FLOONET_DOMAIN etc.
# docker compose up -d
#
# gives you:
# - relay : stock strfry (built from source at a pinned ref) + the
# Floonet write policy plugin (default-deny kind whitelist,
# optional NIP-42 and paid-write gates)
# - authority : the bundled name authority (name@domain -> pubkey, with
# optional paid names / paid write access via GoblinPay)
# - caddy : auto-TLS reverse proxy terminating HTTPS for both
# - tor : OPTIONAL Tor onion in front of the relay
# (COMPOSE_PROFILES=tor), so wallets can reach it over Tor
# without a Tor exit hop. See deploy/tor/torrc.
#
# Set FLOONET_DOMAIN / FLOONET_BASE_URL / FLOONET_RELAYS in `.env` (copy
# .env.example) BEFORE bringing it up: Caddy obtains a certificate for
# FLOONET_DOMAIN, so DNS must already point at this host.
services:
relay:
build:
context: .
dockerfile: deploy/strfry/Dockerfile
image: floonet-strfry:latest
restart: unless-stopped
environment:
# Write policy plugin configuration (the plugin inherits strfry's
# environment). See plugin/floonet_writepolicy.py and .env.example.
FLOONET_ALLOWED_KINDS: ${FLOONET_ALLOWED_KINDS:-0,3,5,13,1059,10002,10050,27235}
FLOONET_REQUIRE_AUTH: ${FLOONET_REQUIRE_AUTH:-false}
FLOONET_PAY_MODE: ${FLOONET_PAY_MODE:-off}
FLOONET_AUTHORITY_URL: http://authority:8191
FLOONET_PAID_CACHE_SECS: ${FLOONET_PAID_CACHE_SECS:-60}
volumes:
- relay-data:/strfry-db
- ./deploy/strfry/strfry.conf:/app/strfry.conf:ro
expose:
- "7777"
# Bound the relay's footprint so an unauthenticated subscription/ingest
# flood can't starve the authority or proxy on the same host.
deploy:
resources:
limits:
memory: 512M
cpus: "1.0"
authority:
build: ./name-authority
image: floonet-name-authority:latest
restart: unless-stopped
environment:
# Identity. Override these in .env for your own deployment.
FLOONET_DOMAIN: ${FLOONET_DOMAIN:-floonet.example}
FLOONET_BASE_URL: ${FLOONET_BASE_URL:-https://floonet.example}
FLOONET_RELAYS: ${FLOONET_RELAYS:-wss://floonet.example}
# In-container paths (persisted on the named volume).
FLOONET_NAMES_BIND: 0.0.0.0:8191
FLOONET_NAMES_DB: /data/names.db
# Paid mode (all optional; free by default). See .env.example.
FLOONET_PAY_MODE: ${FLOONET_PAY_MODE:-off}
FLOONET_NAME_PRICE_GRIN: ${FLOONET_NAME_PRICE_GRIN:-0}
FLOONET_WRITE_PRICE_GRIN: ${FLOONET_WRITE_PRICE_GRIN:-0}
GOBLINPAY_URL: ${GOBLINPAY_URL:-}
GOBLINPAY_TOKEN: ${GOBLINPAY_TOKEN:-}
GOBLINPAY_WEBHOOK_SECRET: ${GOBLINPAY_WEBHOOK_SECRET:-}
volumes:
- authority-data:/data
expose:
- "8191"
caddy:
image: caddy:2
restart: unless-stopped
depends_on:
- authority
- relay
environment:
FLOONET_DOMAIN: ${FLOONET_DOMAIN:-floonet.example}
ports:
- "80:80"
- "443:443"
volumes:
- ./deploy/Caddyfile:/etc/caddy/Caddyfile:ro
- ./deploy/landing:/srv/landing:ro
- caddy-data:/data
- caddy-config:/config
# Optional Tor onion service in front of the relay. Off unless the `tor`
# profile is active (set COMPOSE_PROFILES=tor in .env). It runs a plain
# system tor daemon whose hidden service forwards straight to the relay's
# websocket listener (no TLS on that hop: the onion transport is already
# encrypted and authenticated end to end). Wallets can then reach the relay
# over Tor without a Tor exit hop. The .onion address is derived from a key
# in the tor-data volume and printed to the tor logs on first start; back
# the volume up, since losing it rotates the address. See deploy/tor/torrc.
tor:
build: ./deploy/tor
image: floonet-tor:latest
restart: unless-stopped
profiles: ["tor"]
depends_on:
- relay
volumes:
- ./deploy/tor/torrc:/etc/tor/torrc:ro
- tor-data:/var/lib/tor
volumes:
relay-data:
authority-data:
caddy-data:
caddy-config:
tor-data: