[TOR] init new addon

.github/paths-filter.yml

@@ -90,6 +90,7 @@ spotweb: spotweb/config.* # Image : yes
 tandoor_recipes: tandoor_recipes/config.* # Image : yes
 tdarr: tdarr/config.* # Image : yes
 teamspeak: teamspeak/config.* # Image : yes
+tor: tor/config.* # Image : yes
 transmission: transmission/config.* # Image : yes
 transmission_openvpn: transmission_openvpn/config.* # Image : yes
 ubooquity: ubooquity/config.* # Image : yes

README.md

@@ -793,6 +793,13 @@ If you want to do add the repository manually, please follow the procedure highl
 ![amd64][amd64-badge]
 ![armv7][armv7-badge]
 
+✓ [Tor with bridges](tor/) : Copy of official comunity addon with additional bridges supporting
+
+  ![Version](https://img.shields.io/badge/dynamic/json?label=Version&query=%24.version&url=https%3A%2F%2Fraw.githubusercontent.com%2Falexbelgium%2Fhassio-addons%2Fmaster%2Ftor%2Fconfig.json)
+![aarch64][aarch64-badge]
+![amd64][amd64-badge]
+![armv7][armv7-badge]
+
 ✓ ![image](https://api.iconify.design/mdi/transmission-tower.svg) [Transmission](transmission/) : Bittorrent client based on linuxserver image
 
   ![Version](https://img.shields.io/badge/dynamic/json?label=Version&query=%24.version&url=https%3A%2F%2Fraw.githubusercontent.com%2Falexbelgium%2Fhassio-addons%2Fmaster%2Ftransmission%2Fconfig.json)

tor/Dockerfile

@@ -0,0 +1,92 @@
+ARG BUILD_FROM=ghcr.io/hassio-addons/base:16.2.0
+# hadolint ignore=DL3006
+FROM ${BUILD_FROM}
+
+# Set shell
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Copy root filesystem
+COPY rootfs /
+
+# Setup base
+RUN \
+    apk add --no-cache \
+        coreutils=9.5-r1 \
+        openssl=3.3.1-r3 \
+        tor=0.4.8.12-r0 \
+        go=1.22.5-r0 \
+        git=2.45.2-r0 \
+        ca-certificates=20240705-r0 \
+        libcap=2.70-r0
+
+# Download pluggable-transports sources
+WORKDIR /go
+ARG OBFS_VERSION=obfs4proxy-0.0.14
+ARG SNOWFLAKE_VERSION=v2.9.2
+ARG WEBTUNNEL_VERSION=e64b1b3562f3ab50d06141ecd513a21ec74fe8c6
+RUN git clone -b ${OBFS_VERSION} --single-branch --depth 1 https://github.com/Yawning/obfs4.git \
+    && git clone -b ${SNOWFLAKE_VERSION} --single-branch --depth 1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git \
+    && git clone --single-branch --depth 1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel.git
+
+# Build obfs4proxy
+WORKDIR /go/obfs4
+RUN go build -o /usr/local/bin/obfs4proxy ./obfs4proxy
+
+# Build snowflake
+WORKDIR /go/snowflake/client
+RUN go get \
+    && go build -o /usr/local/bin/snowflake
+
+# Build webtunnel
+WORKDIR /go/webtunnel/main/client
+RUN git reset --hard ${WEBTUNNEL_VERSION} \
+    && go build -ldflags="-s -w" -o /usr/local/bin/webtunnel
+
+# Clean up after build
+WORKDIR /
+RUN rm -rf /go
+
+# Give transports clients the capability to bind privileged port.
+RUN setcap 'cap_net_bind_service=+ep' /usr/local/bin/obfs4proxy \
+    && setcap 'cap_net_bind_service=+ep'  /usr/local/bin/snowflake \
+    && setcap 'cap_net_bind_service=+ep'  /usr/local/bin/webtunnel
+
+HEALTHCHECK \
+    --start-period=60m \
+    --interval=60s \
+    --timeout=30s \
+    CMD curl \
+        --silent \
+        --location \
+        --socks5-hostname localhost:9050 \
+        https://check.torproject.org/?lang=en_US \
+        | grep -qm1 Congratulations
+
+# Build arguments
+ARG BUILD_ARCH
+ARG BUILD_DATE
+ARG BUILD_DESCRIPTION
+ARG BUILD_NAME
+ARG BUILD_REF
+ARG BUILD_REPOSITORY
+ARG BUILD_VERSION
+
+# Labels
+LABEL \
+    io.hass.name="${BUILD_NAME}" \
+    io.hass.description="${BUILD_DESCRIPTION}" \
+    io.hass.arch="${BUILD_ARCH}" \
+    io.hass.type="addon" \
+    io.hass.version=${BUILD_VERSION} \
+    maintainer="Franck Nijhof <[email protected]>" \
+    org.opencontainers.image.title="${BUILD_NAME}" \
+    org.opencontainers.image.description="${BUILD_DESCRIPTION}" \
+    org.opencontainers.image.vendor="Home Assistant Community Add-ons" \
+    org.opencontainers.image.authors="Franck Nijhof <[email protected]>" \
+    org.opencontainers.image.licenses="MIT" \
+    org.opencontainers.image.url="https://addons.community" \
+    org.opencontainers.image.source="https://github.com/${BUILD_REPOSITORY}" \
+    org.opencontainers.image.documentation="https://github.com/${BUILD_REPOSITORY}/blob/main/README.md" \
+    org.opencontainers.image.created=${BUILD_DATE} \
+    org.opencontainers.image.revision=${BUILD_REF} \
+    org.opencontainers.image.version=${BUILD_VERSION}

tor/README.md

@@ -0,0 +1,107 @@
+# Hass.io Add-ons: Tor with bridges
+
+[![Donate][donation-badge]](https://www.buymeacoffee.com/alexbelgium)
+[![Donate][paypal-badge]](https://www.paypal.com/donate/?hosted_button_id=DZFULJZTP3UQA)
+
+![Version](https://img.shields.io/badge/dynamic/json?label=Version&query=%24.version&url=https%3A%2F%2Fraw.githubusercontent.com%2Falexbelgium%2Fhassio-addons%2Fmaster%2Ftor%2Fconfig.json)
+![Ingress](https://img.shields.io/badge/dynamic/json?label=Ingress&query=%24.ingress&url=https%3A%2F%2Fraw.githubusercontent.com%2Falexbelgium%2Fhassio-addons%2Fmaster%2Ftor%2Fconfig.json)
+![Arch](https://img.shields.io/badge/dynamic/json?color=success&label=Arch&query=%24.arch&url=https%3A%2F%2Fraw.githubusercontent.com%2Falexbelgium%2Fhassio-addons%2Fmaster%2Ftor%2Fconfig.json)
+
+[![Codacy Badge](https://app.codacy.com/project/badge/Grade/9c6cf10bdbba45ecb202d7f579b5be0e)](https://www.codacy.com/gh/alexbelgium/hassio-addons/dashboard?utm_source=github.com&utm_medium=referral&utm_content=alexbelgium/hassio-addons&utm_campaign=Badge_Grade)
+[![GitHub Super-Linter](https://img.shields.io/github/actions/workflow/status/alexbelgium/hassio-addons/weekly-supelinter.yaml?label=Lint%20code%20base)](https://github.com/alexbelgium/hassio-addons/actions/workflows/weekly-supelinter.yaml)
+[![Builder](https://img.shields.io/github/actions/workflow/status/alexbelgium/hassio-addons/onpush_builder.yaml?label=Builder)](https://github.com/alexbelgium/hassio-addons/actions/workflows/onpush_builder.yaml)
+
+[donation-badge]: https://img.shields.io/badge/Buy%20me%20a%20coffee%20(no%20paypal)-%23d32f2f?logo=buy-me-a-coffee&style=flat&logoColor=white
+[paypal-badge]: https://img.shields.io/badge/Buy%20me%20a%20coffee%20with%20Paypal-0070BA?logo=paypal&style=flat&logoColor=white
+
+_Thanks to everyone having starred my repo! To star it click on the image below, then it will be on top right. Thanks!_
+
+[![Stargazers repo roster for @alexbelgium/hassio-addons](https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.github/stars2.svg)](https://github.com/alexbelgium/hassio-addons/stargazers)
+
+![downloads evolution](https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/tor/stats.png)
+
+## About
+
+Extended version of the [Tor addon from Home Assistant Community repository](https://github.com/hassio-addons/addon-tor) by supporting multiples bridges protocols WebTunnel, Snowflake and OBFS.
+
+## Installation
+
+The installation of this add-on is pretty straightforward and not different in comparison to installing any other add-on.
+
+1. Add my add-ons repository to your home assistant instance (in supervisor addons store at top right, or click button below if you have configured my HA)
+   [![Open your Home Assistant instance and show the add add-on repository dialog with a specific repository URL pre-filled.](https://my.home-assistant.io/badges/supervisor_add_addon_repository.svg)](https://my.home-assistant.io/redirect/supervisor_add_addon_repository/?repository_url=https%3A%2F%2Fgithub.com%2Falexbelgium%2Fhassio-addons)
+1. Install this add-on.
+1. Click the `Save` button to store your configuration.
+1. Set the add-on options to your preferences
+1. Start the add-on.
+1. Check the logs of the add-on to see if everything went well.
+1. Open the webUI and adapt the software options
+
+## Configuration
+
+You should follow to the initial guide for configuring base addon options. Here will described only extra options in comparisons with base:
+
+### Option: `bridges`
+
+> Ensure the option value is clear to avoid unintended use of transport plugins and bridges.
+
+Bridges are Tor relays that help you circumvent censorship.
+Access to bridges is provided by supported transport plugins:
+
+#### OBFS
+
+Because bridge addresses are not public, you will need to request them yourself. You have a few options:
+
+- Visit [Tor][tor-bridges-obfs4] project and follow the instructions, or
+- Email `[email protected]` from a Gmail, or Riseup email address
+- Send a message to @GetBridgesBot on Telegram. Tap on 'Start' or write /start or /bridges in the chat.
+
+For example:
+
+```yaml
+bridges:
+  - >-
+    obfs4 123.45.67.89:443 EFC6A00EE6272355C023862378AC77F935F091E4
+    cert=KkdWiWlfetJG9SFrzX8g1teBbgxtsc0zPiN5VLxqNNH+iudVW48CoH/XVXPQntbivXIqZA
+    iat-mode=0
+```
+
+#### Webtunnel
+
+Visit [Tor][tor-bridges-webtunnel] project and follow the instructions
+
+For example:
+
+```yaml
+bridges:
+  - >-
+    webtunnel 192.0.2.3:1
+    DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
+    url=https://akbwadp9lc5fyyz0cj4d76z643pxgbfh6oyc-167-71-71-157.sslip.io/5m9yq0j4ghkz0fz7qmuw58cvbjon0ebnrsp0
+    ver=0.0.1
+```
+
+#### Snowflake
+
+What is [snowflake][what-is-snowflake], example:
+
+```yaml
+bridges:
+  - >-
+    snowflake 192.0.2.3:80 2B280B23E1107BB62ABFC40DDCC8824814F80A72
+    fingerprint=2B280B23E1107BB62ABFC40DDCC8824814F80A72
+    url=https://snowflake-broker.torproject.net/
+    ampcache=https://cdn.ampproject.org/
+    front=www.google.com
+    ice=stun:stun.l.google.com:19302,stun:stun.antisip.com:3478,stun:stun.bluesip.net:3478,stun:stun.dus.net:3478,stun:stun.epygi.com:3478,stun:stun.sonetel.com:3478,stun:stun.uls.co.za:3478,stun:stun.voipgate.com:3478,stun:stun.voys.nl:3478
+    utls-imitate=hellorandomizedalpn
+```
+
+## Support
+
+If you have in issue with your installation, please be sure to checkout github.
+
+[tor-hidden-service]: https://www.torproject.org/docs/hidden-services.html.en
+[tor-bridges-obfs4]: https://bridges.torproject.org/bridges/?transport=obfs4
+[tor-bridges-webtunnel]: https://bridges.torproject.org/bridges/?transport=webtunnel
+[what-is-snowflake]: https://support.torproject.org/censorship/what-is-snowflake/

tor/apparmor.txt

@@ -0,0 +1,66 @@
+#include <tunables/global>
+
+profile tor_addon flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+
+  capability,
+  file,
+  signal,
+  mount,
+  umount,
+  remount,
+  network udp,
+  network tcp,
+  network dgram,
+  network stream,
+  network inet,
+  network inet6,
+  network netlink raw,
+  network unix dgram,
+
+  capability setgid,
+  capability setuid,
+  capability sys_admin,
+  capability dac_read_search,
+  # capability dac_override,
+  # capability sys_rawio,
+
+# S6-Overlay
+  /init ix,
+  /run/{s6,s6-rc*,service}/** ix,
+  /package/** ix,
+  /command/** ix,
+  /run/{,**} rwk,
+  /dev/tty rw,
+  /bin/** ix,
+  /usr/bin/** ix,
+  /usr/lib/bashio/** ix,
+  /etc/s6/** rix,
+  /run/s6/** rix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /init rix,
+  /var/run/** mrwkl,
+  /var/run/ mrwkl,
+  /dev/i2c-1 mrwkl,
+  # Files required
+  /dev/fuse mrwkl,
+  /dev/sda1 mrwkl,
+  /dev/sdb1 mrwkl,
+  /dev/nvme0 mrwkl,
+  /dev/nvme1 mrwkl,
+  /dev/mmcblk0p1 mrwkl,
+  /dev/* mrwkl,
+  /tmp/** mrkwl,
+
+  # Data access
+  /data/** rw,
+
+  # suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
+  ptrace (trace,read) peer=docker-default,
+
+  # docker daemon confinement requires explict allow rule for signal
+  signal (receive) set=(kill,term) peer=/usr/bin/docker,
+
+}

tor/build.json

@@ -0,0 +1,11 @@
+{
+  "build_from": {
+    "aarch64": "ghcr.io/hassio-addons/base:16.2.0",
+    "amd64": "ghcr.io/hassio-addons/base:16.2.0",
+    "armv7": "ghcr.io/hassio-addons/base:16.2.0"
+  },
+  "codenotary": {
+    "base_image": "[email protected]",
+    "signer": "[email protected]"
+  }
+}

tor/config.json

@@ -0,0 +1,50 @@
+{
+  "arch": [
+    "aarch64",
+    "amd64",
+    "armv7"
+  ],
+  "codenotary": "[email protected]",
+  "description": "Protect your privacy and access Home Assistant via Tor",
+  "init": false,
+  "map": [
+    "ssl:rw"
+  ],
+  "name": "Tor with bridges",
+  "ports": {
+    "9050/tcp": 9050
+  },
+  "ports_description": {
+    "9050/tcp": "Tor SOCKS proxy port"
+  },
+  "slug": "tor",
+  "url": "https://github.com/alexbelgium/hassio-addons",
+  "version": "dev",
+  "startup": "services",
+  "options": {
+    "socks": false,
+    "hidden_services": true,
+    "stealth": false,
+    "client_names": [],
+    "ports": [
+      "8123",
+      "8123:80"
+    ],
+    "bridges": []
+  },
+  "schema": {
+    "log_level": "list(trace|debug|info|notice|warning|error|fatal)?",
+    "socks": "bool",
+    "hidden_services": "bool",
+    "stealth": "bool",
+    "client_names": [
+      "match(^[A-Za-z0-9+-_]{1,16}$)"
+    ],
+    "ports": [
+      "match(^(.*:)?(?:[0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])?$)"
+    ],
+    "bridges":[
+      "str"
+    ]
+  }
+}