add a nice little readme

Dockerfile

@@ -1,5 +1,5 @@
 FROM ubuntu:22.04
-LABEL maintainer "Jake Jarvis <jake@jarv.is>" \
+LABEL maintainer="Jake Jarvis <jake@jarv.is>" \
       repository="https://github.com/jakejarvis/tor-docker" \
       # https://docs.github.com/en/free-pro-team@latest/packages/managing-container-images-with-github-container-registry/connecting-a-repository-to-a-container-image#connecting-a-repository-to-a-container-image-on-the-command-line
       org.opencontainers.image.source="https://github.com/jakejarvis/tor-docker"
@@ -34,13 +34,21 @@ deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torp
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 
-# Copy entrypoint script
+# Copy a simple default config
+COPY torrc.default /etc/tor/torrc
+
+# Copy entrypoint script & ensure it's executable
 COPY ./entrypoint.sh /usr/local/bin/docker-entrypoint
+RUN chmod ugo+rx /usr/local/bin/docker-entrypoint
 
 # Tor data should be persisted on the host
 VOLUME /var/lib/tor
 
-# Run as non-root user
+# Make sure files are owned by the tor user
+RUN chown -R debian-tor /etc/tor \
+ && chown -R debian-tor /var/lib/tor
+
+# Run tor as a non-root user
 USER debian-tor
 
 ENTRYPOINT ["docker-entrypoint"]

LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2022 Jake Jarvis
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,82 @@
+# 🧅 docker-tor
+
+A _very_ simple Docker image that runs the Tor daemon.
+
+> ⚠️ This image is designed for running hidden services, **not** for using Tor on your desktop via a SOCKS proxy, etc. You can still do this — there's nothing special about the Tor binary here — but there are plenty of [other Docker images](https://hub.docker.com/r/peterdavehello/tor-socks-proxy/) better suited for this use case!
+
+## Usage
+
+### CLI
+
+```bash
+# create a volume to persist Tor data between container restarts
+docker volume create tor-data
+
+# start a Tor container
+docker run --rm \
+  --name tor \
+  --volume tor-data:/var/lib/tor/ \
+  --volume ~/my-tor-stuff/torrc:/etc/tor/torrc:ro \
+  jakejarvis/tor:latest
+
+# optional: copy existing keys and hostname to volume (restart Tor container afterwards)
+docker cp ~/my-tor-stuff/keys/. tor:/var/lib/tor/hidden_service/
+```
+
+### `docker-compose.yml`
+
+Example of Tor in front of an nginx web server to run a hidden service:
+
+```yml
+version: "3.9"
+
+services:
+  tor:
+    image: jakejarvis/tor:latest
+    restart: unless-stopped
+    volumes:
+      - tor-data:/var/lib/tor/
+      - ./torrc:/etc/tor/torrc:ro
+    depends_on:
+      - web
+
+  web:
+    image: ubuntu/nginx:latest
+    restart: unless-stopped
+    volumes:
+      - ./my_website:/var/www/html
+      - ./nginx.conf:/etc/nginx/nginx.conf
+
+volumes:
+  tor-data:
+```
+
+### Starting a new hidden service
+
+If you don't copy/mount existing keys and a hostname to `/var/lib/tor/hidden_service/` (highly recommended, see next section!) Tor will automatically generate them along with a random `.onion` domain. To see this domain, run:
+
+```sh
+docker exec <container id> cat /var/lib/tor/hidden_service/hostname
+```
+
+You should be able to visit this `.onion` address immediately in the [Tor Browser](https://www.torproject.org/download/)!
+
+### Using existing Tor config/keys
+
+Simply mounting an existing `torrc` configuration and a folder of public/private keys to the container will tell it exactly how to behave on next start.
+
+```sh
+docker cp ~/my-tor-stuff/keys/. <container id>:/var/lib/tor/hidden_service/
+```
+
+A default `/etc/tor/torrc` file (see [`torrc.default`](torrc.default)) is already in the image, with a hidden service (whose keys are in `/var/lib/tor/hidden_service`) pointing to a container/server named `web` on port 80 (`http://web:80`).
+
+To override any of this, create your own `torrc` file and mount it to `/etc/tor/torrc` (see above).
+
+## Examples
+
+- [jarvis2i2vp4j4tbxjogsnqdemnte5xhzyi7hziiyzxwge3hzmh57zad.onion](http://jarvis2i2vp4j4tbxjogsnqdemnte5xhzyi7hziiyzxwge3hzmh57zad.onion): A mirror of my clearnet website at [jarv.is](https://jarv.is/)
+
+## License
+
+[MIT](LICENSE)

entrypoint.sh

@@ -2,8 +2,7 @@
 set -o errexit
 
 # fix permissions
-find /var/lib/tor -type d -exec chmod -v 700 {} \;
-find /var/lib/tor -type f -exec chmod -v 600 {} \;
-chown -R debian-tor /var/lib/tor
+find /var/lib/tor -type d -exec chmod 700 {} \;
+find /var/lib/tor -type f -exec chmod 600 {} \;
 
 exec "$@"

torrc.default

@@ -0,0 +1,11 @@
+# Exposing a proxy is unnecessary if we're running a hidden service.
+SocksPort 0
+
+# This folder contains the public and private keys of the hidden
+# service, probably provided by the host but can also be generated
+# by Tor if it's missing.
+HiddenServiceDir /var/lib/tor/hidden_service/
+
+# Point the hidden service to a web server (in this case, the web
+# server container listening on port 80). See README.
+HiddenServicePort 80 web:80