feat: secret key store for service and client auth keys (#9)

refactor: config conversion, use secret store

chore: use xdg config dir for secrets, set umask

chore: update tests

chore: use remote service name from cli parser

Cargo.toml

@@ -32,3 +32,6 @@ tokio-socks = "0.5.1"
 regex = "1.7.0"
 clap = { version = "4.1.4", features = ["env", "derive"] }
 nom = "7.1.3"
+crypto_box = "0.8.2"
+libc = "0.2.142"
+dirs = "5.0.0"

README.md

@@ -63,6 +63,12 @@ Local addresses may be bound. This forwards a specific interface address to an o
 onionpipe 10.0.0.7:8443~443
 ```
 
+### Persistent onion addresses
+
+```
+onionpipe 8000@my-app
+```
+
 ### Import onion services
 
 
@@ -90,7 +96,6 @@ onionpipe --config config.json
 
 - Security review. Rust code review, I'm kind of new to the language.
 - CLI compatibility with the [Go implementation](https://github.com/cmars/onionpipe). What's still missing?
-  - Onion service key management
   - Client authentication & key management
   - More Tor options like anonymous vs fast, bridge support. Vanguard integration.
   - UNIX socket support. Doable but a dependency will need some enhancement (torut)

examples/config-services.json

@@ -0,0 +1,11 @@
+{
+  "exports": [{
+    "local_addr": "127.0.0.1:8080",
+    "service_name": "test",
+    "remote_ports": [80]
+  }],
+  "imports": [{
+    "remote_addr": "2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion:80",
+    "local_addr": "127.0.0.1:8080"
+  }]
+}

src/bin/main.rs

@@ -29,7 +29,17 @@ async fn main() {
 }
 
 async fn run(cli: Cli) -> Result<()> {
+    unsafe {
+        libc::umask(0o077);
+    }
+
     let mut pipe_builder = OnionPipe::defaults();
+
+    if let Some(config_dir) = dirs::config_dir() {
+        let secrets_dir = config_dir.join("onionpipe");
+        pipe_builder = pipe_builder.secrets_dir(secrets_dir.to_str().unwrap());
+    }
+
     let cfg: config::Config;
     if let Some(config_path) = cli.config.as_ref() {
         let mut config_file = File::open(config_path)?;