• Verify the local ports are available for Dash to run on.
• If the project running on that port already is dash, close it.
• Allow the user to automatically spin up a separate dash instance for each project (in the background).
• Close the dash apps if the code is done running.
• Optionally: Include graceful exit, if the code throws an error, still close the dash apps.

Ubuntu

• Store the root ca in the certificates/root/ directory of the client, instead of the root directory of the repository of the client.
• Get the public root ca file from the server into the client and automatically add it to Ubuntu when it is retrieved.
• Verify Ubuntu acknowledges the root CA

Then check if (apt and snap) Firefox and Brave browser and Tor browser automatically accept the root ca, If not:

APT Firefox

• Automatically add the root CA file to apt firefox.
• Verify apt Firefox acknowledges the root CA

• Integrate with: https://github.com/TruCol/Self-host-GitLab-CI-for-GitHub
• #28
• #29

Suppose the onion domain is used quite extensively in some other software, or if it takes long to embed the onion domain in some server and/or client, a user may simply want to re-use an existing/previously used onion domain, without having to update all of its clients.

• Allow users to include a private key that is used to generate the <some_code>.onion domain for specific project(s).

Source: https://stackoverflow.com/questions/64646146/how-can-i-have-multiple-tor-onions-pointing-to-the-same-listening-port

It is possible to create multiple onion services that point to the same port/application. To do this, create multiple HiddenService configurations with different data directories pointing to the same port:

torrc

# Hidden service instance 1
HiddenServiceDir /var/lib/tor/hs-1/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:8080

# Hidden service instance 2
HiddenServiceDir /var/lib/tor/hs-2/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:8080

For each HiddenServiceDir/HiddenServicePort combination you create that points to the same port, you will get a different onion address which ultimately point to the same service.

• Allow the user to specify the projects in CLI args as: <local_port_nr>:<project_name>:<external_port_nr>-<local_port_nr>:<project_name>:<external_port_nr> etc.
• Then split those into a list of projects.
• Give the user the option: one domain per project (or not) as boolean cli arg.
• If one domain per project: loop over the code, generate the hostnames/onion domains, and then
• if one domain for all projects, generate the hostname with <project_name_0>_<project_name_1> etc.
• add the accumulated data into torrc. (Distinguish in the project names end content based on the one-domain-per-service or not boolean).

Then also generate mutliple ssl certs per service.

• Store the root CA in certificates/root
• Store the <service_name> certificates in certificates/<service_name>.

Getting the root CA from the server into the client is still a verbose process.

• Resolve the error message: cat: write error: Broken pipe.
• remove the need to say "yes" to the question "Do you want to add your fingerprint"?
• Silence all other output of these procedures.
• Create a green message or red message that tells the user whether or not the target file has been retrieved from the server into the client successfully or not.

Tor Browser

• Automatically add the root CA file to tor browser.
• Verify tor browser acknowledges the root CA

Snap Firefox

• Automatically add the root CA file to snap firefox.
• Verify snap Firefox acknowledges the root CA

Perhaps also check whether adding to snap Brave solves the issue.

The following output is still generated upon running the main/single command:

dpkg-query: no packages found matching net-tools
dpkg-query: no packages found matching httping
Ensuring Firefox is installed with apt instead of snap.
src/firefox_version/firefox_version.sh: line 43: snap: command not found
src/firefox_version/firefox_version.sh: line 43: snap: command not found

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.


WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Package: *
Pin: release o=LP-PPA-mozillateam
Pin-Priority: 1001
Unattended-Upgrade::Allowed-Origins:: "LP-PPA-mozillateam:${distro_codename}";

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.


WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Firefox is installed successfully using ppa and apt.
Firefox is now installed with apt instead of snap.

dpkg-query: no packages found matching net-tools
dpkg-query: no packages found matching httping
Generating your onion domain for:gitlab
HiddenServiceDir /var/lib/tor/gitlab/
HiddenServicePort 8070 127.0.0.1:8050
Now starting tor, and waiting (max) 260 seconds to generate onion url locally.

Generating your onion domain for:dash
HiddenServiceDir /var/lib/tor/dash/
HiddenServicePort 9002 127.0.0.1:9001
Now starting tor, and waiting (max) 260 seconds to generate onion url locally.

Generating your onion domain for:ssh
HiddenServiceDir /var/lib/tor/ssh/
HiddenServicePort 22 127.0.0.1:22
Now starting tor, and waiting (max) 260 seconds to generate onion url locally.

Synchronizing state of ssh.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable ssh
TODO: assert_root_ca_files_exist
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Certificate request self-signature ok
subject=CN = yourcn
certificates/ssl_cert/gitlab/cert.pem: OK
Running dash in the background now.
Dash is running in the background for: gitlab at port:8050. Proceeding.

https://fzcrfwemptbv7fwfhqzqfhe2ifimckw5pyvsm4333aryrkrnxoweread.onion:8070
Auto enabling SSL due to https-URL
Certificate request self-signature ok
subject=CN = yourcn
certificates/ssl_cert/dash/cert.pem: OK
Running dash in the background now.
Dash is running in the background for: dash at port:9001. Proceeding.

https://eocgteprq3i4r4thgdnhmjiujqioslu3wlztgbszxxrk6bnjs4zrlaad.onion:9002
Auto enabling SSL due to https-URL
1681669453 PERROR torsocks[8493]: socks5 libc connect: Connection refused (in socks5_connect() at socks5.c:202)
Auto enabling SSL due to https-URL
1681669468 ERROR torsocks[8503]: Host unreachable (in socks5_recv_connect_reply() at socks5.c:539)
Auto enabling SSL due to https-URL
Certificate request self-signature ok
subject=CN = yourcn
certificates/ssl_cert/ssh/cert.pem: OK
Adding your SSL certificates to firefox.

• Make the explicit statements that tell the user what the code is doing, purple.
• Remove all other verbosity/output.

Source: HiveMinds/Collabora-Online#32

• Allow starting tor without terminating tor.
• First include check to see if onion domain is reachable:

curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org/

Already wrote that function search for "congratulations" in code.

• Optionally, include check to see if tor log has reached 100% bootstrapping.
• Then write function to check if own http://onion is available online over tor.
• Then write function to check if own https://onion is available online over tor.

Using the Ubuntu username password over ssh is unsafe. I was surprised it works. I expect it is slightly less worse than having a normal ssh port open with password, because the onion domain is hidden by default. Still it is better to use ssh keys.

https://apple.stackexchange.com/a/285807

• Automatically generate the relevant ssh private and public keys in the server and client to allow ssh without manual Ubuntu password entering.

Brave Browser

• Automatically add the root CA file to brave browser.
• Verify brave browser acknowledges the root CA
  Perhaps also check whether adding root ca to snap Firefox provides insight in effective strategy.

qemu-system-x86_64 --enable-kvm -m 4096 -machine smm=off -boot order=d ubuntu22_1.img -smp 4 \
  -chardev qemu-vdagent,id=ch1,name=vdagent,clipboard=on \
  -device virtio-serial-pci \
  -device virtserialport,chardev=ch1,id=ch1,name=com.redhat.spice.0

After starting QEMU and creating the ssl cert for the onion with:

python3 src/*/*.py
# To access a local project running on localhost:8050 via: <code>.onion:443
./src/main.sh -mo -n gitlab -lpp 8050 -ppo 443
./src/main.sh -ms -n gitlab -sp somepassword
# Remove tor and accompanying files.
./src/main.sh -do -n gitlab

One gets the ssl record too long when one visits:
https:localhost:443

Resolve it, then test the onion domain again.

The default usage should be:

./src/main.sh --services 8050:gitlab:8070/9001:dash:9002/22:ssh:22

And that should:

Checks

• check if there already exist any onion domains.
• Check if the ssl certificates for that/those services already exist.
• check if the services are up and running.
• check if the root ca already has been added to Ubuntu
• check if the root ca already has been added to apt Firefox
• check if the root ca already has been added to snap Firefox
• check if the root ca already has been added to Brave
• check if the root ca already has been added to Tor

Delete args

If (any) of those data types already exists, and the user did not specify the "delete" command for that type of data, throw an error.

One should be able to give 1 command -da, --delete-all to automatically delete all the pre-existing:

• onion domains
• ssl certificates

One should be able to give 1 command: -do, --delete-onions to automatically delete the pre-existing:

• onion domains.

One should be able to give 1 command: -dsc --delete-service-certificates to automatically delete the pre-existing:

• ssl certificates from the services that are given in the --services command. (Do not delete the root ca in this case).

One should be able to give 1 command: -drc --delete-root-certificate to automatically delete the pre-existing:

• root ca certificates

Perform intended command

• apply those certificates to the services
• Add that certificate to Ubuntu
• Add that certificate to firefox (if it is installed)
• Add that certificate to Brave (if it is installed).
• Add that certificate to Tor (if it is installed).

It has become the default and currently only supported method.

When re-running

./src/main.sh \
 --1-domain-1-service \
 --setup-ssh-client \
 --set-server-username <Ubuntu username of your server> \
 --set-server-ssh-onion <server ssh onion>.onion \
 --get-server-gif

The pre-requisites generate a new private-public key pair and add it to the server. To allow that, the server asks the client the server password. This may only be done once, and then the server should not allow password login anymore.

• Actively disable password login on server after client has received ssh access with private-public key pair.

• Integrate with: github.com/TruCol/Self-host-GitLab-CI-for-GitHub (In essence add the self-signed certificate to Nextcloud)
• And verify the Nextcloud server is reachable over https locally and over tor.
• And verify the Nextcloud server is reachable over https locally and over tor in paralell with GitLab.

CLI calendar and Phone

The Nextcloud installation also sets up a CLI calendar (I believe Khal) over tor, and sets up a phone sync over tor. Update both of these procedures to use the SSL certs generated using this repo.

• Allow users to specify the desired first n characters of their onion domain, and let it run.
• Ideally also create a safe storage for the respective private keys.

Allow multiple modular blocks/services to be added into the torrc file. Such that:

• Nextcloud can be added.
• Afterwards, GitLab can be added without overwriting/removing the Nextcloud block/entry/service from the torrc file.
• Nextcloud can be updated afterwards without changing the GitLab block in the torrc file.

• Also allow the user to copy their (ssh) onion domain through a qr code (in case copy pasting from server is difficult).
• Write adb script to get the onion domain from qr code on usb connected phone, then get the root ca and add it to the phone's trusted root ca's.
• Ideally, write an (android) app that directly gets the root ca from the qr code and adds it to the phone's trusted root ca's.

It may be convenient for users to be able to switch over their services from onion to clearnet in a single command.
In these cases, it may be desirable to have a root CA that is trusted by default/everyone, hence allow support for Lets encrypt for clearnet.

Move most of the prerequisites into the package itself. (e.g. pip instructions etc.).
Ideally from two separate Qemu instances.
Make sure the Readme is consistent with those instructions.

• Integrate with: https://github.com/HiveMinds/tw-install
• Replace the old ssl certificate generation procedure in that repository with this one.
• Include support for timewarrior

Currently, if the behaviour/verbosity of the system is updated, the gifs are manually created and retrieved from fresh Ubuntu installations in Qemu, through their onion domain and ssh copy.

• Write a command that (creates) and gets the server and client gif files automatically.

Ideally integrate this with (GitLab) CI and a production pipeline.

https://www.maths.tcd.ie/~fionn/misc/ssh_hidden_service/

HiddenServiceDir /var/lib/tor/ssh/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceAuthorizeClient stealth clientname

• Include instruction to get the root certificate from the virtual machine/server into the normal/client device.

scp [email protected]:foobar.txt /local/dir

https://stackoverflow.com/questions/9427553/how-to-download-a-file-from-server-using-ssh

Optional

• Delete the special ssh onion_ssh keys if they already exists.
• Enable a specific ssh named ssh. (E.g. generate public and private ssh key).
• Specify a usename required for the ssh login.

Steps

• Get the onion domain for some project from CLI. (E.g. for project ssh).
• Give the command to ssh into the server. (Use ssl password for ssh access?)
• Give the command to copy the public root CA cert file from the server to its client.
• Simplify readme by using the example output from the single command to skip explaining how the user can get the torsocks ssh command.

• DO NOT Include:

set_nextcloud_port() {
  local nextcloud_port="$1"

  yellow_msg "\nConfiguring NextCloud:${nextcloud_port}, please wait...\n"
  sudo snap set nextcloud ports.http="${nextcloud_port}"
  # TODO: verify nextcloud port is set successfully.

  #The website should display:
  #Secure Connection Failed

  #An error occurred during a connection to localhost:81. SSL received a
  # record that exceeded the maximum permissible length.

  # Error code: SSL_ERROR_RX_RECORD_TOO_LONG

}

• Include:

add_onion_to_nextcloud_trusted_domain() {

  local onion_address
  onion_address=$(sudo cat "$NEXTCLOUD_HIDDEN_SERVICE_PATH/hostname")

  # TODO: verify format of incoming onion address.

  #add Hidden Service address like a trusted domain in NextCloud instance
  sudo /snap/bin/nextcloud.occ config:system:set trusted_domains 1 --value="$onion_address"
  printf "\nThe Hidden Service address has been added like trusted domain successfully.\n"

  # TODO: verify output:
  sudo /snap/bin/nextcloud.occ config:system:get trusted_domains
}

• Include:

dd_certs_to_nextcloud() {
  local ssl_public_key_filename="$1"
  local ssl_private_key_filename="$2"
  local merged_ca_ssl_cert_filename="$3"

  # First copy the files into nextcloud.
  # Source: https://github.com/nextcloud-snap/nextcloud-snap/issues/256
  # (see nextcloud.enable-https custom -h command).
  #sudo cp ca.pem /var/snap/nextcloud/current/ca.pem
  sudo cp "$ssl_public_key_filename" /var/snap/nextcloud/current/"$ssl_public_key_filename"
  sudo cp "$ssl_private_key_filename" /var/snap/nextcloud/current/"$ssl_private_key_filename"
  sudo cp "$merged_ca_ssl_cert_filename" /var/snap/nextcloud/current/"$merged_ca_ssl_cert_filename"
  read -p "Before enable"

  # CLI sudo /snap/bin/nextcloud.enable-https custom Says:
  sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/$ssl_public_key_filename" "/var/snap/nextcloud/current/$ssl_private_key_filename" "/var/snap/nextcloud/current/$merged_ca_ssl_cert_filename"
  #sudo /snap/bin/nextcloud.enable-https custom "/var/snap/nextcloud/current/cert.pem" "/var/snap/nextcloud/current/cert-key.pem" "/var/snap/nextcloud/current/fullchain.pem"
}

From here