Github Action for copying files and artifacts via Rsync to an Onion service.

Copy files and artifacts via Rsync:

name: Rsync files
on: [push]

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Rsync to Onion
        uses: oktupol/[email protected]
        with:
          source_dir: ./dist/
          destination_dir: /var/www/htdocs
          ssh_user: ${{ secrets.SSH_USER }}
          ssh_privatekey: ${{ secrets.SSH_PRIVATEKEY }}
          ssh_host_fingerprint: ${{ secrets.SSH_HOST_FINGERPRINT }}
          onion_host: ${{ secrets.ONION_HOST }}
          onion_client_auth_privatekey: ${{ secret.ONION_CLIENT_AUTH_PRIVATEKEY}}
          delete: true
          before_rsync_command: 'systemctl stop myapplication'
          after_rsync_command: 'systemctl start myapplication'

• source_dir - Source directory in the Workflow.
• destination_dir - Destination dir on the remote onion service.
• ssh_user - SSH username for remote authentication.
• ssh_privatekey - SSH private key for remote authentication. Currently, only keys without passphrases are supported.
• Either of:
  • ssh_host_fingerprint - Fingerprint of the SSH host's key. Use the same format as in the ~/.ssh/known_hosts file.
    Example: xjocx3[...]czad.onion ecdsa-sha2-nistp256 AAAAE2VjZHNh[...]qhCg=
  • ssh_disable_strict_host_key_checking - Set this to true to disable host key checking. This is less secure.
• onion_host - The hostname of the onion service WITHOUT the .onion suffix.
  For duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion, this would therefore be duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.

• ssh_port - SSH port. Default: 22
• onion_client_auth_privatekey - Private key for Client Authorization. If enabled in the onion service, this value is required.
• delete - Set this to true to delete extraneous files from the destination dir.
• before_rsync_command - Execute a command on the remote machine before rsync starts.
• after_rsync_command - Execute a command on the remote machine after rsync finishes.

Currently, no password authentication is supported.

Let's say you're running a Reddit bot or Discord bot on a Raspberry Pi in your home and want to update it automatically on every push to a repository, without having to do any of the following:

• Periodically polling for changes
• Opening and forwarding a port on your home router, potentially exposing your device to attackers.
• Setting up DynDNS or similar if your home network doesn't have a static IP address.

Instead, you set up an SSH server and an onion service on the same port, allowing you to SSH into your Raspberry Pi from anywhere over Tor. The way onion services function allows them to be reachable even behind NAT setups and firewalls.

I recommend setting up Client Authorization as well. That way, even if someone other than you found out your device's onion url, they wouldn't be able to resolve and connect to it due to not having the correct private key.

Want to see a real world example? Click here!

This action is intended for people who want to upload files onto a remote server based on a Workflow, without having to expose it to the "open" Internet. If you're running a web server, this is probably a bit excessive, since your web server is either not managed by yourself, or already known to public (or both). But if you are running a hobby project on a home computer, this might be for you.

It shouldn't be necessary to state the obvious: Do not use this for uploading files to your illegal site on the Dark Web. Using this action will link your onion service with your Github username. This action is primarily an utility for hobby projects. Privacy and anonymity were not considered while creating it.