#!/usr/bin/env bash # SPDX-License-Identifier: AGPL-3.0-or-later # Install Tor, publish the relay onion service, and run the pvtcoms relay daemon as a # sandboxed systemd service bound to localhost. Run AFTER harden.sh: sudo bash setup-relay.sh set -euo pipefail RELAY_PORT="${RELAY_PORT:-9911}" # localhost port the daemon listens on ONION_PORT="${ONION_PORT:-9911}" # virtual port the onion exposes (maps to RELAY_PORT) ONION_DIR=/var/lib/tor/pvtcoms-relay BIN_SRC="${BIN_SRC:-/root/pvtcoms-deploy/pvtcoms-relay}" # the relay binary you uploaded BIN_DST=/usr/local/bin/pvtcoms-relay SERVICE=/etc/systemd/system/pvtcoms-relay.service log() { printf '\033[1;34m[relay]\033[0m %s\n' "$*"; } die() { printf '\033[1;31m[relay] %s\033[0m\n' "$*" >&2; exit 1; } [ "$(id -u)" -eq 0 ] || die "run with sudo/root" # --- Tor -------------------------------------------------------------------- log "Installing Tor…" export DEBIAN_FRONTEND=noninteractive apt-get update -y apt-get install -y tor openssl log "Configuring onion service (virtual port ${ONION_PORT} → 127.0.0.1:${RELAY_PORT})…" install -d -m 755 /etc/tor/torrc.d grep -q '^%include /etc/tor/torrc.d/' /etc/tor/torrc 2>/dev/null \ || echo '%include /etc/tor/torrc.d/*.conf' >> /etc/tor/torrc cat > /etc/tor/torrc.d/pvtcoms.conf <:/root/pvtcoms-deploy/pvtcoms-relay" log " (The current daemon entrypoint is 'pvtcoms-demo relay 127.0.0.1:${RELAY_PORT}'.)" fi # --- Dedicated service user + state dir ------------------------------------- id pvtcoms-relay &>/dev/null || useradd --system --no-create-home --shell /usr/sbin/nologin pvtcoms-relay install -d -m 700 -o pvtcoms-relay -g pvtcoms-relay /var/lib/pvtcoms-relay # --- Access policy: generate the shared access key once (gated mode) -------- # This 32-byte secret gates the relay to your invited circle. Distribute it to invited members # (it gets baked into their app build / shared out-of-band). Strangers without it are rejected, # yet the relay still cannot tell members apart (obliviousness preserved — see ADR-005). # To run an OPEN/public relay instead, set PVTCOMS_RELAY_KEY= (empty) in the env file below. ENV_FILE=/etc/pvtcoms-relay.env RELAY_POW="${RELAY_POW:-20}" RELAY_TTL="${RELAY_TTL:-1209600}" # 14 days if [ ! -f "$ENV_FILE" ]; then ACCESS_KEY="$(openssl rand -hex 32)" cat > "$ENV_FILE" < "$SERVICE" <