Initial commit

config.example.toml

@@ -0,0 +1,92 @@
+# Onion-Transit configuration
+# ============================
+#
+# WARNING: Onion-Transit centralizes Tor traffic through a single node.
+# The transit node CAN SEE destination .onion addresses.
+# Anonymity assumptions differ significantly from Tor Browser.
+
+# ---------------------------------------------------------------------------
+# Deployment mode
+# ---------------------------------------------------------------------------
+# "gateway"      - Network-facing SOCKS5 for multiple LAN/VPN clients (default)
+# "app-embedded" - Binds 127.0.0.1 only, sidecar for a single application
+mode = "gateway"
+
+# ---------------------------------------------------------------------------
+# Trust domain  (controls warning verbosity and default ACL suggestions)
+# ---------------------------------------------------------------------------
+# "lab"      - Relaxed defaults, wider subnets, minimal warnings
+# "team"     - Moderate warnings, expects auth enabled
+# "personal" - Strictest (localhost-only ACL), prominent startup warnings
+trust_domain = "team"
+
+# ---------------------------------------------------------------------------
+# SOCKS5 proxy
+# ---------------------------------------------------------------------------
+[proxy]
+socks5_listen = "0.0.0.0:1080"
+
+# Connection timeouts (seconds)
+handshake_timeout_secs = 10
+idle_timeout_secs = 300
+
+[proxy.auth]
+enabled = false
+username = ""
+password = ""
+
+# ---------------------------------------------------------------------------
+# Transparent proxy  (requires `tproxy` feature + iptables REDIRECT rule)
+# ---------------------------------------------------------------------------
+[proxy.transparent]
+enabled = false
+listen = "0.0.0.0:9040"
+# Maximum concurrent connections (backpressure beyond this limit)
+max_connections = 4096
+
+# ---------------------------------------------------------------------------
+# Tor / Arti engine
+# ---------------------------------------------------------------------------
+[tor]
+# Arti data directory (directory cache, guard state, keys)
+# Uses Arti's native layout so upstream changes don't break things.
+data_dir = "/var/lib/onion-transit/arti"
+bootstrap_timeout_secs = 120
+
+# ---------------------------------------------------------------------------
+# Connection profiles
+# ---------------------------------------------------------------------------
+# OnionStrict   - Full 3-hop circuit, stream isolation per destination (default)
+# OnionFast     - Reduced isolation, shared circuits where possible
+# ClearnetDefault - Standard Tor exit policy
+[tor.profiles]
+default_onion = "OnionStrict"
+default_clearnet = "ClearnetDefault"
+
+# ---------------------------------------------------------------------------
+# Security
+# ---------------------------------------------------------------------------
+[security]
+# "standard" = full 3-hop circuits (recommended, always available)
+# "reduced"  = REQUIRES: cargo feature `reduced-security` + --i-know-what-im-doing flag
+mode = "standard"
+
+# Restrict which client IPs can connect (CIDR notation)
+allowed_clients = ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"]
+
+# Restrict which .onion addresses can be accessed (empty = allow all)
+allowed_onions = []
+
+# Allow legacy v2 .onion addresses (16-char, deprecated, TEST ONLY)
+allow_legacy_onion = false
+
+# ---------------------------------------------------------------------------
+# Logging
+# ---------------------------------------------------------------------------
+[logging]
+# "info", "debug", "warn", "error", "trace"
+level = "info"
+# "stdout", "syslog", "file"
+target = "stdout"
+# Only used when target = "file"
+file_path = "/var/log/onion-transit/onion-transit.log"