initial commit

Dockerfile

@@ -0,0 +1,36 @@
+ARG NODE_VERSION=14
+FROM node:${NODE_VERSION}-alpine
+RUN apk add --no-cache make pkgconfig gcc g++ python3 libx11-dev libxkbfile-dev libsecret-dev chromium
+ARG version=latest
+WORKDIR /home/theia
+ADD $version.package.json ./package.json
+ARG GITHUB_TOKEN
+RUN yarn --pure-lockfile && \
+    NODE_OPTIONS="--max_old_space_size=4096" yarn theia build && \
+    yarn theia download:plugins && \
+    yarn --production && \
+    yarn autoclean --init && \
+    echo *.ts >> .yarnclean && \
+    echo *.ts.map >> .yarnclean && \
+    echo *.spec.* >> .yarnclean && \
+    yarn autoclean --force && \
+    yarn cache clean
+
+FROM node:${NODE_VERSION}-alpine
+# See : https://github.com/theia-ide/theia-apps/issues/34
+RUN addgroup theia && \
+    adduser -G theia -s /bin/sh -D theia;
+RUN chmod g+rw /home && \
+    mkdir -p /home/project && \
+    chown -R theia:theia /home/theia && \
+    chown -R theia:theia /home/project;
+RUN apk add --no-cache git openssh bash libsecret chromium tor iptables
+ENV HOME /home/theia
+WORKDIR /home/theia
+COPY --from=0 --chown=theia:theia /home/theia /home/theia
+EXPOSE 3000
+ENV SHELL=/bin/bash \
+    THEIA_DEFAULT_PLUGINS=local-dir:/home/theia/plugins
+ENV USE_LOCAL_GIT true
+#USER theia
+ENTRYPOINT [ "node", "/home/theia/src-gen/backend/main.js", "/home/project", "--hostname=0.0.0.0" ]

README.md

@@ -0,0 +1,21 @@
+# docker-theia
+
+### Simple docker to start theia project with tor network
+
+## Install
+
+	$ git clone --recurse-submodules https://git.manalejandro.com/ale/docker-theia
+	$ cd docker-theia && cp Dockerfile theia-apps/theia-docker/
+	$ docker compose build
+
+## Start
+
+	$ docker compose up -d
+
+## Stop
+
+	$ docker compose down
+
+## License
+
+	MIT

docker-compose.yml

@@ -0,0 +1,30 @@
+services:
+    theia:
+        build: ./theia-apps/theia-docker
+        hostname: theia
+        container_name: theia
+        restart: always
+        entrypoint:
+            - /bin/bash
+            - /entrypoint.sh
+        mem_limit: 500000000
+        volumes:
+            - ./entrypoint.sh:/entrypoint.sh:ro
+            - ./torrc:/etc/tor/torrc:ro
+            - ./iptables.rules:/etc/iptables/iptables.rules:ro
+            - ./public-project:/home/project
+        expose:
+            - 3000
+        cap_add:
+            - NET_ADMIN
+        networks:
+            mynet:
+                ipv4_address: 172.16.16.101
+
+networks:
+  mynet:
+    driver: bridge
+    ipam:
+      config:
+      - subnet: 172.16.16.0/24
+

entrypoint.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+iptables-restore /etc/iptables/iptables.rules
+su tor -s /bin/bash -c 'tor -f /etc/tor/torrc'
+su -c 'node /home/theia/src-gen/backend/main.js /home/project --hostname=0.0.0.0' theia

iptables.rules

@@ -0,0 +1,69 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+# Allow related/established traffic
+-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+# Allow traffic on local loopback
+-A INPUT -i lo -j ACCEPT
+# Allow ICMP packets
+-A INPUT -p icmp -j ACCEPT
+# Allow connections to Tor Proxy
+-A INPUT -p tcp --dport 9050 -m state --state NEW -j ACCEPT
+-A INPUT -p udp --dport 5353 -m state --state NEW -j ACCEPT
+# Log dropped packets
+#-A INPUT -j LOG --log-prefix "Dropped INPUT packet: " --log-level 7 --log-uid
+-A INPUT -p tcp -d 172.16.16.101/32 --dport 3000 -m state --state NEW -j ACCEPT
+
+# Don't allow any packet forwarding
+
+# Block invalid traffic
+-A OUTPUT -m state --state INVALID -j DROP
+# Allow related/established traffic
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+# Allow outbound connection for the tor-router user to the Tor directory servers and network
+-A OUTPUT -m owner -o eth0 --uid-owner 100 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
+# Allow traffic on local loopback
+-A OUTPUT -d 127.0.0.1/32 -o lo -j ACCEPT
+# Allow connections to local transparent listener
+-A OUTPUT -d 127.0.0.1/32 -p tcp --syn --dport 9040 -j ACCEPT
+# Log all other dropped packets
+#-A OUTPUT -j LOG --log-prefix "Dropped OUTPUT packet: " --log-level 7 --log-uid
+-A OUTPUT -s 172.16.16.101/32 -p tcp --syn --sport 3000 -j ACCEPT
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+# Skip pre-routing if interface is WAN or local
+-A PREROUTING -i eth0 -j RETURN
+-A PREROUTING -i lo -j RETURN
+# Redirect all .onion addresses
+-A PREROUTING -d 10.192.0.0/10 -p tcp --syn -j REDIRECT --to-ports 9040
+# Redirect UDP DNS traffic to internal DNS server
+-A PREROUTING -p udp --dport 5353 -j REDIRECT --to-ports 5353
+-A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 5353
+# Skip pre-routing if destination is private or reserved
+-A PREROUTING -d 0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,255.255.255.255/32 -j RETURN
+# Redirect remaining TCP traffic
+-A PREROUTING -p tcp --syn -j REDIRECT --to-ports 9040
+
+# Redirect all .onion addresses
+-A OUTPUT -d 10.192.0.0/10 -p tcp --syn -j REDIRECT --to-ports 9040
+# Redirect all DNS traffic
+-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353
+# Allow the tor-router to bypass transparent routing
+-A OUTPUT -m owner --uid-owner 100 -j RETURN
+# Don't transparently redirect traffic out of the loopback
+-A OUTPUT -o lo -j RETURN
+# Don't redirect if destination is private or reserved
+-A OUTPUT -d 0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,255.255.255.255/32 -j RETURN
+# Redirect remaining TCP traffic
+-A OUTPUT -p tcp --syn -j REDIRECT --to-ports 9040
+
+COMMIT

theia-apps

@@ -0,0 +1 @@
+Subproject commit 2a18f975c3a0860ab3dcd3d9c0ce125259ff003a

torrc

@@ -0,0 +1,15 @@
+RunAsDaemon 1
+
+# Setup Tor SOCKS Proxy
+SocksPort 9050
+SocksListenAddress 0.0.0.0
+
+# Setup DNS server
+DNSPort 5353
+DNSListenAddress 0.0.0.0
+
+# Setup Tor Transparent Routing
+TransPort 9040
+TransListenAddress 0.0.0.0
+VirtualAddrNetworkIPv4 10.192.0.0/10
+AutomapHostsOnResolve 1