ab1a72d652
The Goblin wallet moved off the Nym mixnet to Tor: it now reaches relays over a Tor circuit to their clearnet endpoint, so the co-located mixnet exit this package bundled is retired. - delete the vendored `mixexit/` crate and the hardened `deploy/systemd/floonet-mixexit.service` bare-metal unit - docker-compose: drop the `mixexit` service (COMPOSE_PROFILES=exit) and its `mixexit-data` volume; fix the top-of-file service list - .env.example: replace the "Mixnet exit" block (COMPOSE_PROFILES=exit, FLOONET_EXIT_UPSTREAM) with the Tor onion toggle - README: replace the "Mixnet exit" section with "Tor onion", fix the feature table, deploy paths, and the COMPOSE_PROFILES reference row Add Tor as the first-class replacement deploy option, the same recipe already proven in production: an optional `tor` compose service (COMPOSE_PROFILES=tor) plus deploy/tor/torrc, a stock system tor daemon whose hidden service forwards straight to strfry's websocket listener (no TLS on that hop, the onion is already encrypted end to end). strfry core stays stock; this is packaging and docs, no relay patch. The default stack is unchanged (the onion is opt-in, as the exit was). name-authority builds green; cargo test and clippy pass. docker-compose validated (structure + YAML).
115 lines
4.2 KiB
YAML
115 lines
4.2 KiB
YAML
# A full, self-contained Floonet relay with automatic HTTPS.
|
|
#
|
|
# cp .env.example .env # edit FLOONET_DOMAIN etc.
|
|
# docker compose up -d
|
|
#
|
|
# gives you:
|
|
# - relay : stock strfry (built from source at a pinned ref) + the
|
|
# Floonet write policy plugin (default-deny kind whitelist,
|
|
# optional NIP-42 and paid-write gates)
|
|
# - authority : the bundled name authority (name@domain -> pubkey, with
|
|
# optional paid names / paid write access via GoblinPay)
|
|
# - caddy : auto-TLS reverse proxy terminating HTTPS for both
|
|
# - tor : OPTIONAL Tor onion in front of the relay
|
|
# (COMPOSE_PROFILES=tor), so wallets can reach it over Tor
|
|
# without a Tor exit hop. See deploy/tor/torrc.
|
|
#
|
|
# Set FLOONET_DOMAIN / FLOONET_BASE_URL / FLOONET_RELAYS in `.env` (copy
|
|
# .env.example) BEFORE bringing it up: Caddy obtains a certificate for
|
|
# FLOONET_DOMAIN, so DNS must already point at this host.
|
|
|
|
services:
|
|
relay:
|
|
build:
|
|
context: .
|
|
dockerfile: deploy/strfry/Dockerfile
|
|
image: floonet-strfry:latest
|
|
restart: unless-stopped
|
|
environment:
|
|
# Write policy plugin configuration (the plugin inherits strfry's
|
|
# environment). See plugin/floonet_writepolicy.py and .env.example.
|
|
FLOONET_ALLOWED_KINDS: ${FLOONET_ALLOWED_KINDS:-0,3,5,13,1059,10002,10050,27235}
|
|
FLOONET_REQUIRE_AUTH: ${FLOONET_REQUIRE_AUTH:-false}
|
|
FLOONET_PAY_MODE: ${FLOONET_PAY_MODE:-off}
|
|
FLOONET_AUTHORITY_URL: http://authority:8191
|
|
FLOONET_PAID_CACHE_SECS: ${FLOONET_PAID_CACHE_SECS:-60}
|
|
volumes:
|
|
- relay-data:/strfry-db
|
|
- ./deploy/strfry/strfry.conf:/app/strfry.conf:ro
|
|
expose:
|
|
- "7777"
|
|
# Bound the relay's footprint so an unauthenticated subscription/ingest
|
|
# flood can't starve the authority or proxy on the same host.
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 512M
|
|
cpus: "1.0"
|
|
|
|
authority:
|
|
build: ./name-authority
|
|
image: floonet-name-authority:latest
|
|
restart: unless-stopped
|
|
environment:
|
|
# Identity. Override these in .env for your own deployment.
|
|
FLOONET_DOMAIN: ${FLOONET_DOMAIN:-floonet.example}
|
|
FLOONET_BASE_URL: ${FLOONET_BASE_URL:-https://floonet.example}
|
|
FLOONET_RELAYS: ${FLOONET_RELAYS:-wss://floonet.example}
|
|
# In-container paths (persisted on the named volume).
|
|
FLOONET_NAMES_BIND: 0.0.0.0:8191
|
|
FLOONET_NAMES_DB: /data/names.db
|
|
# Paid mode (all optional; free by default). See .env.example.
|
|
FLOONET_PAY_MODE: ${FLOONET_PAY_MODE:-off}
|
|
FLOONET_NAME_PRICE_GRIN: ${FLOONET_NAME_PRICE_GRIN:-0}
|
|
FLOONET_WRITE_PRICE_GRIN: ${FLOONET_WRITE_PRICE_GRIN:-0}
|
|
GOBLINPAY_URL: ${GOBLINPAY_URL:-}
|
|
GOBLINPAY_TOKEN: ${GOBLINPAY_TOKEN:-}
|
|
GOBLINPAY_WEBHOOK_SECRET: ${GOBLINPAY_WEBHOOK_SECRET:-}
|
|
volumes:
|
|
- authority-data:/data
|
|
expose:
|
|
- "8191"
|
|
|
|
caddy:
|
|
image: caddy:2
|
|
restart: unless-stopped
|
|
depends_on:
|
|
- authority
|
|
- relay
|
|
environment:
|
|
FLOONET_DOMAIN: ${FLOONET_DOMAIN:-floonet.example}
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- ./deploy/Caddyfile:/etc/caddy/Caddyfile:ro
|
|
- ./deploy/landing:/srv/landing:ro
|
|
- caddy-data:/data
|
|
- caddy-config:/config
|
|
|
|
# Optional Tor onion service in front of the relay. Off unless the `tor`
|
|
# profile is active (set COMPOSE_PROFILES=tor in .env). It runs a plain
|
|
# system tor daemon whose hidden service forwards straight to the relay's
|
|
# websocket listener (no TLS on that hop: the onion transport is already
|
|
# encrypted and authenticated end to end). Wallets can then reach the relay
|
|
# over Tor without a Tor exit hop. The .onion address is derived from a key
|
|
# in the tor-data volume and printed to the tor logs on first start; back
|
|
# the volume up, since losing it rotates the address. See deploy/tor/torrc.
|
|
tor:
|
|
build: ./deploy/tor
|
|
image: floonet-tor:latest
|
|
restart: unless-stopped
|
|
profiles: ["tor"]
|
|
depends_on:
|
|
- relay
|
|
volumes:
|
|
- ./deploy/tor/torrc:/etc/tor/torrc:ro
|
|
- tor-data:/var/lib/tor
|
|
|
|
volumes:
|
|
relay-data:
|
|
authority-data:
|
|
caddy-data:
|
|
caddy-config:
|
|
tor-data:
|