From d28eb5280911962c212f7b14db89d687e921680f Mon Sep 17 00:00:00 2001
From: Miraty
Date: Thu, 5 May 2022 02:03:01 +0200
Subject: [PATCH] Tor setup 2
---
 mkosi.extra/etc/tor/{ => instances/niver}/torrc | 0
 mkosi.postinst | 11 +++++++++++
 mkosi.prepare | 8 +++++++-
 .../system/php-fpm.service.d/override.conf | 1 +
 .../systemd/system/tor.service.d/override.conf | 4 ++++
 mkosi.skeleton/srv/php/niver | 2 +-
 .../usr/local/share/niver/knot.template | 2 --
 .../usr/local/share/niver/nginx/dns.template | 15 ---------------
 .../usr/local/share/niver/nginx/onion.template | 9 ---------
 .../var/lib/tor-instances/niver/.gitkeep | 0
 10 files changed, 24 insertions(+), 28 deletions(-)
 rename mkosi.extra/etc/tor/{ => instances/niver}/torrc (100%)
 create mode 100644 mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf
 delete mode 100644 mkosi.skeleton/usr/local/share/niver/knot.template
 delete mode 100644 mkosi.skeleton/usr/local/share/niver/nginx/dns.template
 delete mode 100644 mkosi.skeleton/usr/local/share/niver/nginx/onion.template
 create mode 100644 mkosi.skeleton/var/lib/tor-instances/niver/.gitkeep
diff --git a/mkosi.extra/etc/tor/torrc b/mkosi.extra/etc/tor/instances/niver/torrc
similarity index 100%
rename from mkosi.extra/etc/tor/torrc
rename to mkosi.extra/etc/tor/instances/niver/torrc
diff --git a/mkosi.postinst b/mkosi.postinst
index efe3215..cdba847 100755
--- a/mkosi.postinst
+++ b/mkosi.postinst
@@ -27,6 +27,9 @@ chmod -R u=rwX,g=,o= /etc/sftpgo
 chown -R sftpgo:php-niver /srv/ht
 chmod -R u=rwX,g=rwX,o=rX /srv/ht
+chown -R php-niver:tor /etc/tor/instances/niver
+chmod -R u=rwX,g=rX,o= /etc/tor/instances/niver
+
 chmod 555 /srv/php
 chown -R php-errors:nginx /srv/php/errors
@@ -45,6 +48,8 @@ chmod -R u=rw,g=rw,o= /srv/php/niver/auth.log
 # Load configuration in Knot database
 sudo -u knot knotc conf-import /etc/knot/knot.conf
+# PHP paths unification across distributions
+
 export PHP_INI=/etc/php/php.ini
 if [[ $ID = "debian" ]]; then
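Review bot: `chown -R php-niver:tor /etc/tor/instances/niver` assumes the daemon that reads this torrc belongs to a group named `tor`, which holds on Arch but, if the Debian instance set up by `tor-instance-create niver` in mkosi.prepare runs as the dedicated `_tor-niver` account that tool normally creates, is not the case there — with `o=` on the directory the instance could then not read its own configuration, and the chown itself fails on a system with no `tor` group. Picking the group per distribution (e.g. `TOR_GROUP=tor` under `[[ $ID = "arch" ]]` and the instance account otherwise) and using `chown -R php-niver:$TOR_GROUP` would make the assumption explicit and fail loudly at build time if it is wrong. A comment on why the PHP-FPM user, rather than root, owns the daemon's configuration directory would also help, since that ownership is what the paired `ReadWritePaths=` in the php-fpm drop-in relies on.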
@@ -63,6 +68,12 @@ display_errors = On
 extension = pdo_sqlite
 EOF
+if [[ $ID = "arch" ]]; then
+ ln -s /etc/tor/instances/niver/torrc /etc/tor/torrc
+fi
+
+# Start SystemD services at startup
+
 systemctl enable sftpgo
 if [[ $ID = "arch" ]]; then
diff --git a/mkosi.prepare b/mkosi.prepare
index e0aa849..8b92435 100755
--- a/mkosi.prepare
+++ b/mkosi.prepare
@@ -1,9 +1,10 @@
 #!/usr/bin/bash
 source /etc/os-release
-# Clean configuration directories (will be filled with mkosi.extra/)
+# Clear configuration (will be filled with mkosi.extra/)
 rm -r /etc/nginx/*
 rm -r /etc/ssh/*
+rm /etc/tor/torrc
 if [[ $ID = "debian" ]]; then
 rm -r /etc/php/7.4/fpm/pool.d
 rm /usr/lib/tmpfiles.d/php7.4-fpm.conf
@@ -12,6 +13,11 @@ if [[ $ID = "arch" ]]; then
 rm /etc/php/php-fpm.d/*
 fi
+# Create dedicated Tor instance
+if [[ $ID = "debian" ]]; then
+ tor-instance-create niver
+fi
+
+# Generate default self-signed TLS key pair
 openssl req -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/niver.key -out /etc/ssl/certs/niver.crt
diff --git a/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf b/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf
index 3841dd7..a09fa28 100644
--- a/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf
+++ b/mkosi.skeleton/etc/systemd/system/php-fpm.service.d/override.conf
@@ -1,2 +1,3 @@
 [Service]
 ReadWritePaths=/etc/nginx/ht
+ReadWritePaths=/etc/tor/instances/niver
diff --git a/mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf b/mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf
new file mode 100644
index 0000000..b491542
--- /dev/null
+++ b/mkosi.skeleton/etc/systemd/system/tor.service.d/override.conf
@@ -0,0 +1,4 @@
+[Service]
+ReadWritePaths=/var/lib/tor-instances/niver/
+# To allow reloading service on Arch Linux
+CapabilityBoundingSet=CAP_KILL
diff --git a/mkosi.skeleton/srv/php/niver b/mkosi.skeleton/srv/php/niver
index e60f9c9..91441c5 160000
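Review bot: `ln -s /etc/tor/instances/niver/torrc /etc/tor/torrc` is not idempotent: if `/etc/tor/torrc` exists when postinst runs again (or the `rm` in mkosi.prepare is skipped), ln aborts with EEXIST, so `ln -sfn /etc/tor/instances/niver/torrc /etc/tor/torrc` is the safer form for a provisioning step. The same `arch` branch does nothing for the instance's data directory, which the tor.service drop-in in this patch suggests is `/var/lib/tor-instances/niver/`: it arrives from mkosi.skeleton as a root-owned directory, and tor refuses a DataDirectory that is not owned by the user it runs as, so a `chown tor:tor /var/lib/tor-instances/niver && chmod 700 /var/lib/tor-instances/niver` probably belongs here (tor-instance-create does the equivalent on Debian). The postinst script continues outside this hunk, so this may already be handled further down.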
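Review bot: `ReadWritePaths=/etc/tor/instances/niver` lets the PHP-FPM workers write the directory that holds the Tor instance's torrc itself, not only whatever files the web application generates, so a path-handling bug or a compromise of the PHP code becomes control over the daemon's configuration (ControlPort, HiddenServiceDir and the like), and the paired `chown -R php-niver:tor` in mkosi.postinst makes that write access effective. If the application only needs to add onion-service stanzas, keep torrc root-owned, have it pull a dedicated subdirectory in with `%include /etc/tor/instances/niver/onions/`, and narrow this line to `ReadWritePaths=/etc/tor/instances/niver/onions`. A comment naming what PHP writes there would also help, because the drop-in itself gives no hint why a web service needs write access under /etc/tor.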
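Review bot: This drop-in sits under `tor.service.d/`, but on Debian the instance that `tor-instance-create niver` sets up in mkosi.prepare is run by the templated `tor@niver.service`, a different unit, so neither `ReadWritePaths=` nor the capability line would apply to it there; either ship the same file as `tor@niver.service.d/override.conf` as well, or say in the comment that this drop-in is Arch-only. `CapabilityBoundingSet=CAP_KILL` in a drop-in does not replace the upstream unit's bounding set but is OR-merged with it (systemd resets the set only on an empty assignment, and `~`-prefixed lines subtract), so this widens the capabilities available to the tor process itself, not just to the reload command. If the goal is only to let Arch's `ExecReload=` signal `$MAINPID` from inside the sandbox, clearing and re-declaring it with the `+` prefix (`ExecReload=` then `ExecReload=+/usr/bin/kill -HUP $MAINPID`) runs that one command with full privileges and leaves the daemon's bounding set untouched; at minimum the comment should record that the set is merged, not replaced.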
--- a/mkosi.skeleton/srv/php/niver
+++ b/mkosi.skeleton/srv/php/niver
@@ -1 +1 @@
-Subproject commit e60f9c929259f684ac97a28a54bc7f253004fb3a
+Subproject commit 91441c5f1d30125d9e15bea810a3d2faaa603dc0
diff --git a/mkosi.skeleton/usr/local/share/niver/knot.template b/mkosi.skeleton/usr/local/share/niver/knot.template
deleted file mode 100644
index 11577c8..0000000
--- a/mkosi.skeleton/usr/local/share/niver/knot.template
+++ /dev/null
@@ -1,2 +0,0 @@
-DOMAIN 3600 SOA ns1.niver.test. admin.niver.test. 1 21600 7200 3628800 3600
-DOMAIN 86400 NS ns1.niver.test.
diff --git a/mkosi.skeleton/usr/local/share/niver/nginx/dns.template b/mkosi.skeleton/usr/local/share/niver/nginx/dns.template
deleted file mode 100644
index f429a91..0000000
--- a/mkosi.skeleton/usr/local/share/niver/nginx/dns.template
+++ /dev/null
@@ -1,15 +0,0 @@
-server {
- listen [::]:{{HTTPS_PORT}} ssl http2;
- listen 0.0.0.0:{{HTTPS_PORT}} ssl http2;
- server_name {{DOMAIN}};
- root {{HT_PATH}}/{{USERNAME}}/{{DIR}};
-
- ssl_certificate /etc/ssl/certs/niver.crt;
- ssl_certificate_key /etc/ssl/private/niver.key;
-
- include inc/tls.conf;
-
- location / {
- try_files $uri $uri.html $uri/ =404;
- }
-}
diff --git a/mkosi.skeleton/usr/local/share/niver/nginx/onion.template b/mkosi.skeleton/usr/local/share/niver/nginx/onion.template
deleted file mode 100644
index 5307d2b..0000000
--- a/mkosi.skeleton/usr/local/share/niver/nginx/onion.template
+++ /dev/null
@@ -1,9 +0,0 @@
-server {
- listen [::1]:{{INTERNAL_ONION_HTTP_PORT}};
- server_name {{DOMAIN}};
- root {{HT_PATH}}/{{USERNAME}}/{{DIR}};
-
- location / {
- try_files $uri $uri.html $uri/ =404;
- }
-}
diff --git a/mkosi.skeleton/var/lib/tor-instances/niver/.gitkeep b/mkosi.skeleton/var/lib/tor-instances/niver/.gitkeep
new file mode 100644
index 0000000..e69de29