Tor Charm

Merge ~barryprice/charm-tor/+git/charm-tor:main into charm-tor:main

Proposed by Barry Price on 2022-06-27

Status:	Work in progress
Proposed branch:	~barryprice/charm-tor/+git/charm-tor:main
Merge into:	charm-tor:main
Diff against target:	2994 lines (+2405/-408) 15 files modified .gitignore (+6/-3) LICENSE (+674/-202) Makefile (+21/-0) README.md (+8/-16) charmcraft.yaml (+3/-3) config.yaml (+31/-12) dev/null (+0/-16) lib/charms/operator_libs_linux/v0/apt.py (+1329/-0) metadata.yaml (+12/-21) pyproject.toml (+38/-0) src/charm.py (+184/-82) templates/torrc (+12/-0) tests/__init__.py (+4/-0) tests/test_charm.py (+5/-53) tox.ini (+78/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Tor Charmers		2022-06-27	Pending
Review via email: mp+425423@code.launchpad.net

Commit message

WIP MP to replace the charmcraft boilerplate with a functional charm

~barryprice/charm-tor/+git/charm-tor:main updated on 2023-08-20

d39909c... by Barry Price on 2022-07-22: Add lib, pyproject, tox, refresh ,gitignore
47bd6c5... by Barry Price on 2022-07-22: Initial Makefile
6264307... by Barry Price on 2022-07-22: Add paths, lint target, run lint
1d7bc86... by Barry Price on 2022-07-22: Handle upstream torproject repo installation/removal
d762c48... by Barry Price on 2022-07-22: Ensure packages are installed on hooks, sort package defs
2892df0... by Barry Price on 2022-09-23: Bugfixes
6b266a9... by Barry Price on 2023-08-20: Still WIP but a clean deploy with multiple related services works after a fashion (but relation changes fail catastrophically)
05532b8... by Barry Price on 2023-08-20: Restore boilerplate

Unmerged commits

05532b8... by Barry Price on 2023-08-20: Restore boilerplate
6b266a9... by Barry Price on 2023-08-20: Still WIP but a clean deploy with multiple related services works after a fashion (but relation changes fail catastrophically)
2892df0... by Barry Price on 2022-09-23: Bugfixes
d762c48... by Barry Price on 2022-07-22: Ensure packages are installed on hooks, sort package defs
1d7bc86... by Barry Price on 2022-07-22: Handle upstream torproject repo installation/removal
6264307... by Barry Price on 2022-07-22: Add paths, lint target, run lint
47bd6c5... by Barry Price on 2022-07-22: Initial Makefile
d39909c... by Barry Price on 2022-07-22: Add lib, pyproject, tox, refresh ,gitignore
4220710... by Barry Price on 2022-06-27: Basic skeleton, remove most boilerplate, no functionality yet

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Barry Price

Tor Charmers

 diff --git a/.gitignore b/.gitignore
 index 2c3f0e5..69a2281 100644
 --- a/.gitignore
 +++ b/.gitignore
@@ -1,7 +1,10 @@
--venv/
--build/
++/build
++/venv
++
  *.charm
++*.py[cod]
++*.swp
  .coverage
++.tox
  __pycache__/
--*.py[cod]
 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
 deleted file mode 100644
 index f5dac3b..0000000
 --- a/CONTRIBUTING.md
 +++ /dev/null
@@ -1,34 +0,0 @@
--# charm-tor
--
--## Developing
--
--Create and activate a virtualenv with the development requirements:
--
--    virtualenv -p python3 venv
--    source venv/bin/activate
--    pip install -r requirements-dev.txt
--
--## Code overview
--
--TEMPLATE-TODO:
--One of the most important things a consumer of your charm (or library)
--needs to know is what set of functionality it provides. Which categories
--does it fit into? Which events do you listen to? Which libraries do you
--consume? Which ones do you export and how are they used?
--
--## Intended use case
--
--TEMPLATE-TODO:
--Why were these decisions made? What's the scope of your charm?
--
--## Roadmap
--
--If this Charm doesn't fulfill all of the initial functionality you were
--hoping for or planning on, please add a Roadmap or TODO here
--
--## Testing
--
--The Python operator framework includes a very nice harness for testing
--operator behaviour without full deployment. Just `run_tests`:
--
--    ./run_tests
 diff --git a/LICENSE b/LICENSE
 index d645695..f288702 100644
 --- a/LICENSE
 +++ b/LICENSE
@@ -1,202 +1,674 @@
--
--                                 Apache License
--                           Version 2.0, January 2004
--                        http://www.apache.org/licenses/
--
--   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
--
--   1. Definitions.
--
--      "License" shall mean the terms and conditions for use, reproduction,
--      and distribution as defined by Sections 1 through 9 of this document.
--
--      "Licensor" shall mean the copyright owner or entity authorized by
--      the copyright owner that is granting the License.
--
--      "Legal Entity" shall mean the union of the acting entity and all
--      other entities that control, are controlled by, or are under common
--      control with that entity. For the purposes of this definition,
--      "control" means (i) the power, direct or indirect, to cause the
--      direction or management of such entity, whether by contract or
--      otherwise, or (ii) ownership of fifty percent (50%) or more of the
--      outstanding shares, or (iii) beneficial ownership of such entity.
--
--      "You" (or "Your") shall mean an individual or Legal Entity
--      exercising permissions granted by this License.
--
--      "Source" form shall mean the preferred form for making modifications,
--      including but not limited to software source code, documentation
--      source, and configuration files.
--
--      "Object" form shall mean any form resulting from mechanical
--      transformation or translation of a Source form, including but
--      not limited to compiled object code, generated documentation,
--      and conversions to other media types.
--
--      "Work" shall mean the work of authorship, whether in Source or
--      Object form, made available under the License, as indicated by a
--      copyright notice that is included in or attached to the work
--      (an example is provided in the Appendix below).
--
--      "Derivative Works" shall mean any work, whether in Source or Object
--      form, that is based on (or derived from) the Work and for which the
--      editorial revisions, annotations, elaborations, or other modifications
--      represent, as a whole, an original work of authorship. For the purposes
--      of this License, Derivative Works shall not include works that remain
--      separable from, or merely link (or bind by name) to the interfaces of,
--      the Work and Derivative Works thereof.
--
--      "Contribution" shall mean any work of authorship, including
--      the original version of the Work and any modifications or additions
--      to that Work or Derivative Works thereof, that is intentionally
--      submitted to Licensor for inclusion in the Work by the copyright owner
--      or by an individual or Legal Entity authorized to submit on behalf of
--      the copyright owner. For the purposes of this definition, "submitted"
--      means any form of electronic, verbal, or written communication sent
--      to the Licensor or its representatives, including but not limited to
--      communication on electronic mailing lists, source code control systems,
--      and issue tracking systems that are managed by, or on behalf of, the
--      Licensor for the purpose of discussing and improving the Work, but
--      excluding communication that is conspicuously marked or otherwise
--      designated in writing by the copyright owner as "Not a Contribution."
--
--      "Contributor" shall mean Licensor and any individual or Legal Entity
--      on behalf of whom a Contribution has been received by Licensor and
--      subsequently incorporated within the Work.
--
--   2. Grant of Copyright License. Subject to the terms and conditions of
--      this License, each Contributor hereby grants to You a perpetual,
--      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
--      copyright license to reproduce, prepare Derivative Works of,
--      publicly display, publicly perform, sublicense, and distribute the
--      Work and such Derivative Works in Source or Object form.
--
--   3. Grant of Patent License. Subject to the terms and conditions of
--      this License, each Contributor hereby grants to You a perpetual,
--      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
--      (except as stated in this section) patent license to make, have made,
--      use, offer to sell, sell, import, and otherwise transfer the Work,
--      where such license applies only to those patent claims licensable
--      by such Contributor that are necessarily infringed by their
--      Contribution(s) alone or by combination of their Contribution(s)
--      with the Work to which such Contribution(s) was submitted. If You
--      institute patent litigation against any entity (including a
--      cross-claim or counterclaim in a lawsuit) alleging that the Work
--      or a Contribution incorporated within the Work constitutes direct
--      or contributory patent infringement, then any patent licenses
--      granted to You under this License for that Work shall terminate
--      as of the date such litigation is filed.
--
--   4. Redistribution. You may reproduce and distribute copies of the
--      Work or Derivative Works thereof in any medium, with or without
--      modifications, and in Source or Object form, provided that You
--      meet the following conditions:
--
--      (a) You must give any other recipients of the Work or
--          Derivative Works a copy of this License; and
--
--      (b) You must cause any modified files to carry prominent notices
--          stating that You changed the files; and
--
--      (c) You must retain, in the Source form of any Derivative Works
--          that You distribute, all copyright, patent, trademark, and
--          attribution notices from the Source form of the Work,
--          excluding those notices that do not pertain to any part of
--          the Derivative Works; and
--
--      (d) If the Work includes a "NOTICE" text file as part of its
--          distribution, then any Derivative Works that You distribute must
--          include a readable copy of the attribution notices contained
--          within such NOTICE file, excluding those notices that do not
--          pertain to any part of the Derivative Works, in at least one
--          of the following places: within a NOTICE text file distributed
--          as part of the Derivative Works; within the Source form or
--          documentation, if provided along with the Derivative Works; or,
--          within a display generated by the Derivative Works, if and
--          wherever such third-party notices normally appear. The contents
--          of the NOTICE file are for informational purposes only and
--          do not modify the License. You may add Your own attribution
--          notices within Derivative Works that You distribute, alongside
--          or as an addendum to the NOTICE text from the Work, provided
--          that such additional attribution notices cannot be construed
--          as modifying the License.
--
--      You may add Your own copyright statement to Your modifications and
--      may provide additional or different license terms and conditions
--      for use, reproduction, or distribution of Your modifications, or
--      for any such Derivative Works as a whole, provided Your use,
--      reproduction, and distribution of the Work otherwise complies with
--      the conditions stated in this License.
--
--   5. Submission of Contributions. Unless You explicitly state otherwise,
--      any Contribution intentionally submitted for inclusion in the Work
--      by You to the Licensor shall be under the terms and conditions of
--      this License, without any additional terms or conditions.
--      Notwithstanding the above, nothing herein shall supersede or modify
--      the terms of any separate license agreement you may have executed
--      with Licensor regarding such Contributions.
--
--   6. Trademarks. This License does not grant permission to use the trade
--      names, trademarks, service marks, or product names of the Licensor,
--      except as required for reasonable and customary use in describing the
--      origin of the Work and reproducing the content of the NOTICE file.
--
--   7. Disclaimer of Warranty. Unless required by applicable law or
--      agreed to in writing, Licensor provides the Work (and each
--      Contributor provides its Contributions) on an "AS IS" BASIS,
--      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
--      implied, including, without limitation, any warranties or conditions
--      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
--      PARTICULAR PURPOSE. You are solely responsible for determining the
--      appropriateness of using or redistributing the Work and assume any
--      risks associated with Your exercise of permissions under this License.
--
--   8. Limitation of Liability. In no event and under no legal theory,
--      whether in tort (including negligence), contract, or otherwise,
--      unless required by applicable law (such as deliberate and grossly
--      negligent acts) or agreed to in writing, shall any Contributor be
--      liable to You for damages, including any direct, indirect, special,
--      incidental, or consequential damages of any character arising as a
--      result of this License or out of the use or inability to use the
--      Work (including but not limited to damages for loss of goodwill,
--      work stoppage, computer failure or malfunction, or any and all
--      other commercial damages or losses), even if such Contributor
--      has been advised of the possibility of such damages.
--
--   9. Accepting Warranty or Additional Liability. While redistributing
--      the Work or Derivative Works thereof, You may choose to offer,
--      and charge a fee for, acceptance of support, warranty, indemnity,
--      or other liability obligations and/or rights consistent with this
--      License. However, in accepting such obligations, You may act only
--      on Your own behalf and on Your sole responsibility, not on behalf
--      of any other Contributor, and only if You agree to indemnify,
--      defend, and hold each Contributor harmless for any liability
--      incurred by, or claims asserted against, such Contributor by reason
--      of your accepting any such warranty or additional liability.
--
--   END OF TERMS AND CONDITIONS
--
--   APPENDIX: How to apply the Apache License to your work.
--
--      To apply the Apache License to your work, attach the following
--      boilerplate notice, with the fields enclosed by brackets "[]"
--      replaced with your own identifying information. (Don't include
--      the brackets!)  The text should be enclosed in the appropriate
--      comment syntax for the file format. We also recommend that a
--      file or class name and description of purpose be included on the
--      same "printed page" as the copyright notice for easier
--      identification within third-party archives.
--
--   Copyright [yyyy] [name of copyright owner]
--
--   Licensed under the Apache License, Version 2.0 (the "License");
--   you may not use this file except in compliance with the License.
--   You may obtain a copy of the License at
--
--       http://www.apache.org/licenses/LICENSE-2.0
--
--   Unless required by applicable law or agreed to in writing, software
--   distributed under the License is distributed on an "AS IS" BASIS,
--   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--   See the License for the specific language governing permissions and
--   limitations under the License.
++                    GNU GENERAL PUBLIC LICENSE
++                       Version 3, 29 June 2007
++
++ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
++ Everyone is permitted to copy and distribute verbatim copies
++ of this license document, but changing it is not allowed.
++
++                            Preamble
++
++  The GNU General Public License is a free, copyleft license for
++software and other kinds of works.
++
++  The licenses for most software and other practical works are designed
++to take away your freedom to share and change the works.  By contrast,
++the GNU General Public License is intended to guarantee your freedom to
++share and change all versions of a program--to make sure it remains free
++software for all its users.  We, the Free Software Foundation, use the
++GNU General Public License for most of our software; it applies also to
++any other work released this way by its authors.  You can apply it to
++your programs, too.
++
++  When we speak of free software, we are referring to freedom, not
++price.  Our General Public Licenses are designed to make sure that you
++have the freedom to distribute copies of free software (and charge for
++them if you wish), that you receive source code or can get it if you
++want it, that you can change the software or use pieces of it in new
++free programs, and that you know you can do these things.
++
++  To protect your rights, we need to prevent others from denying you
++these rights or asking you to surrender the rights.  Therefore, you have
++certain responsibilities if you distribute copies of the software, or if
++you modify it: responsibilities to respect the freedom of others.
++
++  For example, if you distribute copies of such a program, whether
++gratis or for a fee, you must pass on to the recipients the same
++freedoms that you received.  You must make sure that they, too, receive
++or can get the source code.  And you must show them these terms so they
++know their rights.
++
++  Developers that use the GNU GPL protect your rights with two steps:
++(1) assert copyright on the software, and (2) offer you this License
++giving you legal permission to copy, distribute and/or modify it.
++
++  For the developers' and authors' protection, the GPL clearly explains
++that there is no warranty for this free software.  For both users' and
++authors' sake, the GPL requires that modified versions be marked as
++changed, so that their problems will not be attributed erroneously to
++authors of previous versions.
++
++  Some devices are designed to deny users access to install or run
++modified versions of the software inside them, although the manufacturer
++can do so.  This is fundamentally incompatible with the aim of
++protecting users' freedom to change the software.  The systematic
++pattern of such abuse occurs in the area of products for individuals to
++use, which is precisely where it is most unacceptable.  Therefore, we
++have designed this version of the GPL to prohibit the practice for those
++products.  If such problems arise substantially in other domains, we
++stand ready to extend this provision to those domains in future versions
++of the GPL, as needed to protect the freedom of users.
++
++  Finally, every program is threatened constantly by software patents.
++States should not allow patents to restrict development and use of
++software on general-purpose computers, but in those that do, we wish to
++avoid the special danger that patents applied to a free program could
++make it effectively proprietary.  To prevent this, the GPL assures that
++patents cannot be used to render the program non-free.
++
++  The precise terms and conditions for copying, distribution and
++modification follow.
++
++                       TERMS AND CONDITIONS
++
++  0. Definitions.
++
++  "This License" refers to version 3 of the GNU General Public License.
++
++  "Copyright" also means copyright-like laws that apply to other kinds of
++works, such as semiconductor masks.
++
++  "The Program" refers to any copyrightable work licensed under this
++License.  Each licensee is addressed as "you".  "Licensees" and
++"recipients" may be individuals or organizations.
++
++  To "modify" a work means to copy from or adapt all or part of the work
++in a fashion requiring copyright permission, other than the making of an
++exact copy.  The resulting work is called a "modified version" of the
++earlier work or a work "based on" the earlier work.
++
++  A "covered work" means either the unmodified Program or a work based
++on the Program.
++
++  To "propagate" a work means to do anything with it that, without
++permission, would make you directly or secondarily liable for
++infringement under applicable copyright law, except executing it on a
++computer or modifying a private copy.  Propagation includes copying,
++distribution (with or without modification), making available to the
++public, and in some countries other activities as well.
++
++  To "convey" a work means any kind of propagation that enables other
++parties to make or receive copies.  Mere interaction with a user through
++a computer network, with no transfer of a copy, is not conveying.
++
++  An interactive user interface displays "Appropriate Legal Notices"
++to the extent that it includes a convenient and prominently visible
++feature that (1) displays an appropriate copyright notice, and (2)
++tells the user that there is no warranty for the work (except to the
++extent that warranties are provided), that licensees may convey the
++work under this License, and how to view a copy of this License.  If
++the interface presents a list of user commands or options, such as a
++menu, a prominent item in the list meets this criterion.
++
++  1. Source Code.
++
++  The "source code" for a work means the preferred form of the work
++for making modifications to it.  "Object code" means any non-source
++form of a work.
++
++  A "Standard Interface" means an interface that either is an official
++standard defined by a recognized standards body, or, in the case of
++interfaces specified for a particular programming language, one that
++is widely used among developers working in that language.
++
++  The "System Libraries" of an executable work include anything, other
++than the work as a whole, that (a) is included in the normal form of
++packaging a Major Component, but which is not part of that Major
++Component, and (b) serves only to enable use of the work with that
++Major Component, or to implement a Standard Interface for which an
++implementation is available to the public in source code form.  A
++"Major Component", in this context, means a major essential component
++(kernel, window system, and so on) of the specific operating system
++(if any) on which the executable work runs, or a compiler used to
++produce the work, or an object code interpreter used to run it.
++
++  The "Corresponding Source" for a work in object code form means all
++the source code needed to generate, install, and (for an executable
++work) run the object code and to modify the work, including scripts to
++control those activities.  However, it does not include the work's
++System Libraries, or general-purpose tools or generally available free
++programs which are used unmodified in performing those activities but
++which are not part of the work.  For example, Corresponding Source
++includes interface definition files associated with source files for
++the work, and the source code for shared libraries and dynamically
++linked subprograms that the work is specifically designed to require,
++such as by intimate data communication or control flow between those
++subprograms and other parts of the work.
++
++  The Corresponding Source need not include anything that users
++can regenerate automatically from other parts of the Corresponding
++Source.
++
++  The Corresponding Source for a work in source code form is that
++same work.
++
++  2. Basic Permissions.
++
++  All rights granted under this License are granted for the term of
++copyright on the Program, and are irrevocable provided the stated
++conditions are met.  This License explicitly affirms your unlimited
++permission to run the unmodified Program.  The output from running a
++covered work is covered by this License only if the output, given its
++content, constitutes a covered work.  This License acknowledges your
++rights of fair use or other equivalent, as provided by copyright law.
++
++  You may make, run and propagate covered works that you do not
++convey, without conditions so long as your license otherwise remains
++in force.  You may convey covered works to others for the sole purpose
++of having them make modifications exclusively for you, or provide you
++with facilities for running those works, provided that you comply with
++the terms of this License in conveying all material for which you do
++not control copyright.  Those thus making or running the covered works
++for you must do so exclusively on your behalf, under your direction
++and control, on terms that prohibit them from making any copies of
++your copyrighted material outside their relationship with you.
++
++  Conveying under any other circumstances is permitted solely under
++the conditions stated below.  Sublicensing is not allowed; section 10
++makes it unnecessary.
++
++  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
++
++  No covered work shall be deemed part of an effective technological
++measure under any applicable law fulfilling obligations under article
++11 of the WIPO copyright treaty adopted on 20 December 1996, or
++similar laws prohibiting or restricting circumvention of such
++measures.
++
++  When you convey a covered work, you waive any legal power to forbid
++circumvention of technological measures to the extent such circumvention
++is effected by exercising rights under this License with respect to
++the covered work, and you disclaim any intention to limit operation or
++modification of the work as a means of enforcing, against the work's
++users, your or third parties' legal rights to forbid circumvention of
++technological measures.
++
++  4. Conveying Verbatim Copies.
++
++  You may convey verbatim copies of the Program's source code as you
++receive it, in any medium, provided that you conspicuously and
++appropriately publish on each copy an appropriate copyright notice;
++keep intact all notices stating that this License and any
++non-permissive terms added in accord with section 7 apply to the code;
++keep intact all notices of the absence of any warranty; and give all
++recipients a copy of this License along with the Program.
++
++  You may charge any price or no price for each copy that you convey,
++and you may offer support or warranty protection for a fee.
++
++  5. Conveying Modified Source Versions.
++
++  You may convey a work based on the Program, or the modifications to
++produce it from the Program, in the form of source code under the
++terms of section 4, provided that you also meet all of these conditions:
++
++    a) The work must carry prominent notices stating that you modified
++    it, and giving a relevant date.
++
++    b) The work must carry prominent notices stating that it is
++    released under this License and any conditions added under section
++    7.  This requirement modifies the requirement in section 4 to
++    "keep intact all notices".
++
++    c) You must license the entire work, as a whole, under this
++    License to anyone who comes into possession of a copy.  This
++    License will therefore apply, along with any applicable section 7
++    additional terms, to the whole of the work, and all its parts,
++    regardless of how they are packaged.  This License gives no
++    permission to license the work in any other way, but it does not
++    invalidate such permission if you have separately received it.
++
++    d) If the work has interactive user interfaces, each must display
++    Appropriate Legal Notices; however, if the Program has interactive
++    interfaces that do not display Appropriate Legal Notices, your
++    work need not make them do so.
++
++  A compilation of a covered work with other separate and independent
++works, which are not by their nature extensions of the covered work,
++and which are not combined with it such as to form a larger program,
++in or on a volume of a storage or distribution medium, is called an
++"aggregate" if the compilation and its resulting copyright are not
++used to limit the access or legal rights of the compilation's users
++beyond what the individual works permit.  Inclusion of a covered work
++in an aggregate does not cause this License to apply to the other
++parts of the aggregate.
++
++  6. Conveying Non-Source Forms.
++
++  You may convey a covered work in object code form under the terms
++of sections 4 and 5, provided that you also convey the
++machine-readable Corresponding Source under the terms of this License,
++in one of these ways:
++
++    a) Convey the object code in, or embodied in, a physical product
++    (including a physical distribution medium), accompanied by the
++    Corresponding Source fixed on a durable physical medium
++    customarily used for software interchange.
++
++    b) Convey the object code in, or embodied in, a physical product
++    (including a physical distribution medium), accompanied by a
++    written offer, valid for at least three years and valid for as
++    long as you offer spare parts or customer support for that product
++    model, to give anyone who possesses the object code either (1) a
++    copy of the Corresponding Source for all the software in the
++    product that is covered by this License, on a durable physical
++    medium customarily used for software interchange, for a price no
++    more than your reasonable cost of physically performing this
++    conveying of source, or (2) access to copy the
++    Corresponding Source from a network server at no charge.
++
++    c) Convey individual copies of the object code with a copy of the
++    written offer to provide the Corresponding Source.  This
++    alternative is allowed only occasionally and noncommercially, and
++    only if you received the object code with such an offer, in accord
++    with subsection 6b.
++
++    d) Convey the object code by offering access from a designated
++    place (gratis or for a charge), and offer equivalent access to the
++    Corresponding Source in the same way through the same place at no
++    further charge.  You need not require recipients to copy the
++    Corresponding Source along with the object code.  If the place to
++    copy the object code is a network server, the Corresponding Source
++    may be on a different server (operated by you or a third party)
++    that supports equivalent copying facilities, provided you maintain
++    clear directions next to the object code saying where to find the
++    Corresponding Source.  Regardless of what server hosts the
++    Corresponding Source, you remain obligated to ensure that it is
++    available for as long as needed to satisfy these requirements.
++
++    e) Convey the object code using peer-to-peer transmission, provided
++    you inform other peers where the object code and Corresponding
++    Source of the work are being offered to the general public at no
++    charge under subsection 6d.
++
++  A separable portion of the object code, whose source code is excluded
++from the Corresponding Source as a System Library, need not be
++included in conveying the object code work.
++
++  A "User Product" is either (1) a "consumer product", which means any
++tangible personal property which is normally used for personal, family,
++or household purposes, or (2) anything designed or sold for incorporation
++into a dwelling.  In determining whether a product is a consumer product,
++doubtful cases shall be resolved in favor of coverage.  For a particular
++product received by a particular user, "normally used" refers to a
++typical or common use of that class of product, regardless of the status
++of the particular user or of the way in which the particular user
++actually uses, or expects or is expected to use, the product.  A product
++is a consumer product regardless of whether the product has substantial
++commercial, industrial or non-consumer uses, unless such uses represent
++the only significant mode of use of the product.
++
++  "Installation Information" for a User Product means any methods,
++procedures, authorization keys, or other information required to install
++and execute modified versions of a covered work in that User Product from
++a modified version of its Corresponding Source.  The information must
++suffice to ensure that the continued functioning of the modified object
++code is in no case prevented or interfered with solely because
++modification has been made.
++
++  If you convey an object code work under this section in, or with, or
++specifically for use in, a User Product, and the conveying occurs as
++part of a transaction in which the right of possession and use of the
++User Product is transferred to the recipient in perpetuity or for a
++fixed term (regardless of how the transaction is characterized), the
++Corresponding Source conveyed under this section must be accompanied
++by the Installation Information.  But this requirement does not apply
++if neither you nor any third party retains the ability to install
++modified object code on the User Product (for example, the work has
++been installed in ROM).
++
++  The requirement to provide Installation Information does not include a
++requirement to continue to provide support service, warranty, or updates
++for a work that has been modified or installed by the recipient, or for
++the User Product in which it has been modified or installed.  Access to a
++network may be denied when the modification itself materially and
++adversely affects the operation of the network or violates the rules and
++protocols for communication across the network.
++
++  Corresponding Source conveyed, and Installation Information provided,
++in accord with this section must be in a format that is publicly
++documented (and with an implementation available to the public in
++source code form), and must require no special password or key for
++unpacking, reading or copying.
++
++  7. Additional Terms.
++
++  "Additional permissions" are terms that supplement the terms of this
++License by making exceptions from one or more of its conditions.
++Additional permissions that are applicable to the entire Program shall
++be treated as though they were included in this License, to the extent
++that they are valid under applicable law.  If additional permissions
++apply only to part of the Program, that part may be used separately
++under those permissions, but the entire Program remains governed by
++this License without regard to the additional permissions.
++
++  When you convey a copy of a covered work, you may at your option
++remove any additional permissions from that copy, or from any part of
++it.  (Additional permissions may be written to require their own
++removal in certain cases when you modify the work.)  You may place
++additional permissions on material, added by you to a covered work,
++for which you have or can give appropriate copyright permission.
++
++  Notwithstanding any other provision of this License, for material you
++add to a covered work, you may (if authorized by the copyright holders of
++that material) supplement the terms of this License with terms:
++
++    a) Disclaiming warranty or limiting liability differently from the
++    terms of sections 15 and 16 of this License; or
++
++    b) Requiring preservation of specified reasonable legal notices or
++    author attributions in that material or in the Appropriate Legal
++    Notices displayed by works containing it; or
++
++    c) Prohibiting misrepresentation of the origin of that material, or
++    requiring that modified versions of such material be marked in
++    reasonable ways as different from the original version; or
++
++    d) Limiting the use for publicity purposes of names of licensors or
++    authors of the material; or
++
++    e) Declining to grant rights under trademark law for use of some
++    trade names, trademarks, or service marks; or
++
++    f) Requiring indemnification of licensors and authors of that
++    material by anyone who conveys the material (or modified versions of
++    it) with contractual assumptions of liability to the recipient, for
++    any liability that these contractual assumptions directly impose on
++    those licensors and authors.
++
++  All other non-permissive additional terms are considered "further
++restrictions" within the meaning of section 10.  If the Program as you
++received it, or any part of it, contains a notice stating that it is
++governed by this License along with a term that is a further
++restriction, you may remove that term.  If a license document contains
++a further restriction but permits relicensing or conveying under this
++License, you may add to a covered work material governed by the terms
++of that license document, provided that the further restriction does
++not survive such relicensing or conveying.
++
++  If you add terms to a covered work in accord with this section, you
++must place, in the relevant source files, a statement of the
++additional terms that apply to those files, or a notice indicating
++where to find the applicable terms.
++
++  Additional terms, permissive or non-permissive, may be stated in the
++form of a separately written license, or stated as exceptions;
++the above requirements apply either way.
++
++  8. Termination.
++
++  You may not propagate or modify a covered work except as expressly
++provided under this License.  Any attempt otherwise to propagate or
++modify it is void, and will automatically terminate your rights under
++this License (including any patent licenses granted under the third
++paragraph of section 11).
++
++  However, if you cease all violation of this License, then your
++license from a particular copyright holder is reinstated (a)
++provisionally, unless and until the copyright holder explicitly and
++finally terminates your license, and (b) permanently, if the copyright
++holder fails to notify you of the violation by some reasonable means
++prior to 60 days after the cessation.
++
++  Moreover, your license from a particular copyright holder is
++reinstated permanently if the copyright holder notifies you of the
++violation by some reasonable means, this is the first time you have
++received notice of violation of this License (for any work) from that
++copyright holder, and you cure the violation prior to 30 days after
++your receipt of the notice.
++
++  Termination of your rights under this section does not terminate the
++licenses of parties who have received copies or rights from you under
++this License.  If your rights have been terminated and not permanently
++reinstated, you do not qualify to receive new licenses for the same
++material under section 10.
++
++  9. Acceptance Not Required for Having Copies.
++
++  You are not required to accept this License in order to receive or
++run a copy of the Program.  Ancillary propagation of a covered work
++occurring solely as a consequence of using peer-to-peer transmission
++to receive a copy likewise does not require acceptance.  However,
++nothing other than this License grants you permission to propagate or
++modify any covered work.  These actions infringe copyright if you do
++not accept this License.  Therefore, by modifying or propagating a
++covered work, you indicate your acceptance of this License to do so.
++
++  10. Automatic Licensing of Downstream Recipients.
++
++  Each time you convey a covered work, the recipient automatically
++receives a license from the original licensors, to run, modify and
++propagate that work, subject to this License.  You are not responsible
++for enforcing compliance by third parties with this License.
++
++  An "entity transaction" is a transaction transferring control of an
++organization, or substantially all assets of one, or subdividing an
++organization, or merging organizations.  If propagation of a covered
++work results from an entity transaction, each party to that
++transaction who receives a copy of the work also receives whatever
++licenses to the work the party's predecessor in interest had or could
++give under the previous paragraph, plus a right to possession of the
++Corresponding Source of the work from the predecessor in interest, if
++the predecessor has it or can get it with reasonable efforts.
++
++  You may not impose any further restrictions on the exercise of the
++rights granted or affirmed under this License.  For example, you may
++not impose a license fee, royalty, or other charge for exercise of
++rights granted under this License, and you may not initiate litigation
++(including a cross-claim or counterclaim in a lawsuit) alleging that
++any patent claim is infringed by making, using, selling, offering for
++sale, or importing the Program or any portion of it.
++
++  11. Patents.
++
++  A "contributor" is a copyright holder who authorizes use under this
++License of the Program or a work on which the Program is based.  The
++work thus licensed is called the contributor's "contributor version".
++
++  A contributor's "essential patent claims" are all patent claims
++owned or controlled by the contributor, whether already acquired or
++hereafter acquired, that would be infringed by some manner, permitted
++by this License, of making, using, or selling its contributor version,
++but do not include claims that would be infringed only as a
++consequence of further modification of the contributor version.  For
++purposes of this definition, "control" includes the right to grant
++patent sublicenses in a manner consistent with the requirements of
++this License.
++
++  Each contributor grants you a non-exclusive, worldwide, royalty-free
++patent license under the contributor's essential patent claims, to
++make, use, sell, offer for sale, import and otherwise run, modify and
++propagate the contents of its contributor version.
++
++  In the following three paragraphs, a "patent license" is any express
++agreement or commitment, however denominated, not to enforce a patent
++(such as an express permission to practice a patent or covenant not to
++sue for patent infringement).  To "grant" such a patent license to a
++party means to make such an agreement or commitment not to enforce a
++patent against the party.
++
++  If you convey a covered work, knowingly relying on a patent license,
++and the Corresponding Source of the work is not available for anyone
++to copy, free of charge and under the terms of this License, through a
++publicly available network server or other readily accessible means,
++then you must either (1) cause the Corresponding Source to be so
++available, or (2) arrange to deprive yourself of the benefit of the
++patent license for this particular work, or (3) arrange, in a manner
++consistent with the requirements of this License, to extend the patent
++license to downstream recipients.  "Knowingly relying" means you have
++actual knowledge that, but for the patent license, your conveying the
++covered work in a country, or your recipient's use of the covered work
++in a country, would infringe one or more identifiable patents in that
++country that you have reason to believe are valid.
++
++  If, pursuant to or in connection with a single transaction or
++arrangement, you convey, or propagate by procuring conveyance of, a
++covered work, and grant a patent license to some of the parties
++receiving the covered work authorizing them to use, propagate, modify
++or convey a specific copy of the covered work, then the patent license
++you grant is automatically extended to all recipients of the covered
++work and works based on it.
++
++  A patent license is "discriminatory" if it does not include within
++the scope of its coverage, prohibits the exercise of, or is
++conditioned on the non-exercise of one or more of the rights that are
++specifically granted under this License.  You may not convey a covered
++work if you are a party to an arrangement with a third party that is
++in the business of distributing software, under which you make payment
++to the third party based on the extent of your activity of conveying
++the work, and under which the third party grants, to any of the
++parties who would receive the covered work from you, a discriminatory
++patent license (a) in connection with copies of the covered work
++conveyed by you (or copies made from those copies), or (b) primarily
++for and in connection with specific products or compilations that
++contain the covered work, unless you entered into that arrangement,
++or that patent license was granted, prior to 28 March 2007.
++
++  Nothing in this License shall be construed as excluding or limiting
++any implied license or other defenses to infringement that may
++otherwise be available to you under applicable patent law.
++
++  12. No Surrender of Others' Freedom.
++
++  If conditions are imposed on you (whether by court order, agreement or
++otherwise) that contradict the conditions of this License, they do not
++excuse you from the conditions of this License.  If you cannot convey a
++covered work so as to satisfy simultaneously your obligations under this
++License and any other pertinent obligations, then as a consequence you may
++not convey it at all.  For example, if you agree to terms that obligate you
++to collect a royalty for further conveying from those to whom you convey
++the Program, the only way you could satisfy both those terms and this
++License would be to refrain entirely from conveying the Program.
++
++  13. Use with the GNU Affero General Public License.
++
++  Notwithstanding any other provision of this License, you have
++permission to link or combine any covered work with a work licensed
++under version 3 of the GNU Affero General Public License into a single
++combined work, and to convey the resulting work.  The terms of this
++License will continue to apply to the part which is the covered work,
++but the special requirements of the GNU Affero General Public License,
++section 13, concerning interaction through a network will apply to the
++combination as such.
++
++  14. Revised Versions of this License.
++
++  The Free Software Foundation may publish revised and/or new versions of
++the GNU General Public License from time to time.  Such new versions will
++be similar in spirit to the present version, but may differ in detail to
++address new problems or concerns.
++
++  Each version is given a distinguishing version number.  If the
++Program specifies that a certain numbered version of the GNU General
++Public License "or any later version" applies to it, you have the
++option of following the terms and conditions either of that numbered
++version or of any later version published by the Free Software
++Foundation.  If the Program does not specify a version number of the
++GNU General Public License, you may choose any version ever published
++by the Free Software Foundation.
++
++  If the Program specifies that a proxy can decide which future
++versions of the GNU General Public License can be used, that proxy's
++public statement of acceptance of a version permanently authorizes you
++to choose that version for the Program.
++
++  Later license versions may give you additional or different
++permissions.  However, no additional obligations are imposed on any
++author or copyright holder as a result of your choosing to follow a
++later version.
++
++  15. Disclaimer of Warranty.
++
++  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
++APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
++HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
++OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
++IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
++ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
++
++  16. Limitation of Liability.
++
++  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
++WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
++THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
++GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
++USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
++DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
++PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
++EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
++SUCH DAMAGES.
++
++  17. Interpretation of Sections 15 and 16.
++
++  If the disclaimer of warranty and limitation of liability provided
++above cannot be given local legal effect according to their terms,
++reviewing courts shall apply local law that most closely approximates
++an absolute waiver of all civil liability in connection with the
++Program, unless a warranty or assumption of liability accompanies a
++copy of the Program in return for a fee.
++
++                     END OF TERMS AND CONDITIONS
++
++            How to Apply These Terms to Your New Programs
++
++  If you develop a new program, and you want it to be of the greatest
++possible use to the public, the best way to achieve this is to make it
++free software which everyone can redistribute and change under these terms.
++
++  To do so, attach the following notices to the program.  It is safest
++to attach them to the start of each source file to most effectively
++state the exclusion of warranty; and each file should have at least
++the "copyright" line and a pointer to where the full notice is found.
++
++    <one line to give the program's name and a brief idea of what it does.>
++    Copyright (C) <year>  <name of author>
++
++    This program is free software: you can redistribute it and/or modify
++    it under the terms of the GNU General Public License as published by
++    the Free Software Foundation, either version 3 of the License, or
++    (at your option) any later version.
++
++    This program is distributed in the hope that it will be useful,
++    but WITHOUT ANY WARRANTY; without even the implied warranty of
++    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++    GNU General Public License for more details.
++
++    You should have received a copy of the GNU General Public License
++    along with this program.  If not, see <https://www.gnu.org/licenses/>.
++
++Also add information on how to contact you by electronic and paper mail.
++
++  If the program does terminal interaction, make it output a short
++notice like this when it starts in an interactive mode:
++
++    <program>  Copyright (C) <year>  <name of author>
++    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
++    This is free software, and you are welcome to redistribute it
++    under certain conditions; type `show c' for details.
++
++The hypothetical commands `show w' and `show c' should show the appropriate
++parts of the General Public License.  Of course, your program's commands
++might be different; for a GUI interface, you would use an "about box".
++
++  You should also get your employer (if you work as a programmer) or school,
++if any, to sign a "copyright disclaimer" for the program, if necessary.
++For more information on this, and how to apply and follow the GNU GPL, see
++<https://www.gnu.org/licenses/>.
++
++  The GNU General Public License does not permit incorporating your program
++into proprietary programs.  If your program is a subroutine library, you
++may consider it more useful to permit linking proprietary applications with
++the library.  If this is what you want to do, use the GNU Lesser General
++Public License instead of this License.  But first, please read
++<https://www.gnu.org/licenses/why-not-lgpl.html>.
 diff --git a/Makefile b/Makefile
 new file mode 100644
 index 0000000..8c14478
 --- /dev/null
 +++ b/Makefile
@@ -0,0 +1,21 @@
++METADATA_FILE="metadata.yaml"
++PROJECTPATH=$(dir $(realpath $(MAKEFILE_LIST)))
++
++ifndef CHARM_BUILD_DIR
++	CHARM_BUILD_DIR=${PROJECTPATH}/../builds
++endif
++
++CHARM_NAME=$(shell cat ${PROJECTPATH}/${METADATA_FILE} | grep -E "^name:" | awk '{print $$2}')
++
++clean:
++	@echo "Cleaning files"
++	@git clean -ffXd -e '!.idea'
++	@echo "Cleaning existing build"
++	@rm -rf ${CHARM_BUILD_DIR}/${CHARM_NAME}
++
++lint:
++	@echo "Running lint checks"
++	@cd src && tox -e lint
++
++# The targets below don't depend on a file
++.PHONY: clean lint
 diff --git a/README.md b/README.md
 index 148c70d..a53a7ed 100644
 --- a/README.md
 +++ b/README.md
@@ -1,24 +1,16 @@
--# charm-tor
++# charm-tor-hidden-service
  ## Description
--TODO: Describe your charm in a few paragraphs of Markdown
++This charm enables Tor hidden services
  ## Usage
--TODO: Provide high-level usage, such as required config or relations
++The charm relates to any number of services (e.g. ch:apache2) over the
++`reverseproxy` relation, and serves up a proxied version of that site on a
++.onion (v3) hostname.
++If you require a specific .onion hostname (or multiple)  we suggest using the
++mkp224o tool to create them, and configuring the charm with those private keys.
--## Relations
--
--TODO: Provide any relations which are provided or required by your charm
--
--## OCI Images
--
--TODO: Include a link to the default image your charm uses
--
--## Contributing
--
--Please see the [Juju SDK docs](https://juju.is/docs/sdk) for guidelines
--on enhancements to this charm following best practice guidelines, and
--`CONTRIBUTING.md` for developer guidance.
++TODO
 diff --git a/actions.yaml b/actions.yaml
 deleted file mode 100644
 index 7cda621..0000000
 --- a/actions.yaml
 +++ /dev/null
@@ -1,16 +0,0 @@
--# Copyright 2022 Barry Price
--# See LICENSE file for licensing details.
--#
--# TEMPLATE-TODO: change this example to suit your needs.
--# If you don't need actions, you can remove the file entirely.
--# It ties in to the example _on_fortune_action handler in src/charm.py
--#
--# Learn more about actions at: https://juju.is/docs/sdk/actions
--
--fortune:
--  description: Returns a pithy phrase.
--  params:
--    fail:
--      description: "Fail with this message"
--      type: string
--      default: ""
 diff --git a/charmcraft.yaml b/charmcraft.yaml
 index 048d454..0d1497e 100644
 --- a/charmcraft.yaml
 +++ b/charmcraft.yaml
@@ -1,10 +1,10 @@
--# Learn more about charmcraft.yaml configuration at:
--# https://juju.is/docs/sdk/charmcraft-config
  type: "charm"
  bases:
    - build-on:
      - name: "ubuntu"
--      channel: "20.04"
++      channel: "22.04"
      run-on:
      - name: "ubuntu"
        channel: "20.04"
++    - name: "ubuntu"
++      channel: "22.04"
 diff --git a/config.yaml b/config.yaml
 index 65fb1ce..35643c0 100644
 --- a/config.yaml
 +++ b/config.yaml
@@ -1,14 +1,33 @@
--# Copyright 2022 Barry Price
--# See LICENSE file for licensing details.
--#
--# TEMPLATE-TODO: change this example to suit your needs.
--# If you don't need a config, you can remove the file entirely.
--# It ties in to the example _on_config_changed handler in src/charm.py
--#
--# Learn more about config at: https://juju.is/docs/sdk/config
--
  options:
--  thing:
--    default: 🎁
--    description: A thing used by the charm.
++  hidden_keys_base64:
++    default: ""
++    description: |
++        Optional pre-generated tor private keys to run your service. The
++        .onion hostname(s) will be derived from this value.
++
++        Since the key is a binary file, this field expects a YAML formattaed
++        list of source hostnames (passed via the reverseproxy relation and
++        visible in the Message column via `juju status`) with corresponding
++        base-64 encoded strings, via e.g. `base64 -w0 path/to/secretkey`.
++
++        If left unconfigured, a random key (and address) will be generated for
++        each site.
++
++        e.g.
++        example1.com: ZXhhbXBsZTEK
++        example2.internal: ZXhhbXBsZTIK
++        10.0.0.1: ZXhhbXBsZTMK # example3
++    type: string
++  socks5_port:
++    description: SOCKS5 proxy port on which to listen
++    type: int
++    default: 9050
++  tor_source:
++    default: torproject
++    description: |
++        Source from which tor will be installed.
++        Options are "torproject" (default), which will use the packages from
++        deb.torproject.org, or "ubuntu" which will use the package in ubuntu's
++        universe component (this option may be outdated/insecure, but is the
++        only current option for architectures other than amd64/arm64).
      type: string
 diff --git a/lib/charms/operator_libs_linux/v0/apt.py b/lib/charms/operator_libs_linux/v0/apt.py
 new file mode 100644
 index 0000000..2b5c8f2
 --- /dev/null
 +++ b/lib/charms/operator_libs_linux/v0/apt.py
@@ -0,0 +1,1329 @@
++# Copyright 2021 Canonical Ltd.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++# http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++"""Abstractions for the system's Debian/Ubuntu package information and repositories.
++
++This module contains abstractions and wrappers around Debian/Ubuntu-style repositories and
++packages, in order to easily provide an idiomatic and Pythonic mechanism for adding packages and/or
++repositories to systems for use in machine charms.
++
++A sane default configuration is attainable through nothing more than instantiation of the
++appropriate classes. `DebianPackage` objects provide information about the architecture, version,
++name, and status of a package.
++
++`DebianPackage` will try to look up a package either from `dpkg -L` or from `apt-cache` when
++provided with a string indicating the package name. If it cannot be located, `PackageNotFoundError`
++will be returned, as `apt` and `dpkg` otherwise return `100` for all errors, and a meaningful error
++message if the package is not known is desirable.
++
++To install packages with convenience methods:
++
++```python
++try:
++    # Run `apt-get update`
++    apt.update()
++    apt.add_package("zsh")
++    apt.add_package(["vim", "htop", "wget"])
++except PackageNotFoundError:
++    logger.error("a specified package not found in package cache or on system")
++except PackageError as e:
++    logger.error("could not install package. Reason: %s", e.message)
++````
++
++To find details of a specific package:
++
++```python
++try:
++    vim = apt.DebianPackage.from_system("vim")
++
++    # To find from the apt cache only
++    # apt.DebianPackage.from_apt_cache("vim")
++
++    # To find from installed packages only
++    # apt.DebianPackage.from_installed_package("vim")
++
++    vim.ensure(PackageState.Latest)
++    logger.info("updated vim to version: %s", vim.fullversion)
++except PackageNotFoundError:
++    logger.error("a specified package not found in package cache or on system")
++except PackageError as e:
++    logger.error("could not install package. Reason: %s", e.message)
++```
++
++
++`RepositoryMapping` will return a dict-like object containing enabled system repositories
++and their properties (available groups, baseuri. gpg key). This class can add, disable, or
++manipulate repositories. Items can be retrieved as `DebianRepository` objects.
++
++In order add a new repository with explicit details for fields, a new `DebianRepository` can
++be added to `RepositoryMapping`
++
++`RepositoryMapping` provides an abstraction around the existing repositories on the system,
++and can be accessed and iterated over like any `Mapping` object, to retrieve values by key,
++iterate, or perform other operations.
++
++Keys are constructed as `{repo_type}-{}-{release}` in order to uniquely identify a repository.
++
++Repositories can be added with explicit values through a Python constructor.
++
++Example:
++
++```python
++repositories = apt.RepositoryMapping()
++
++if "deb-example.com-focal" not in repositories:
++    repositories.add(DebianRepository(enabled=True, repotype="deb",
++                     uri="https://example.com", release="focal", groups=["universe"]))
++```
++
++Alternatively, any valid `sources.list` line may be used to construct a new
++`DebianRepository`.
++
++Example:
++
++```python
++repositories = apt.RepositoryMapping()
++
++if "deb-us.archive.ubuntu.com-xenial" not in repositories:
++    line = "deb http://us.archive.ubuntu.com/ubuntu xenial main restricted"
++    repo = DebianRepository.from_repo_line(line)
++    repositories.add(repo)
++```
++"""
++
++import fileinput
++import glob
++import logging
++import os
++import re
++import subprocess
++from collections.abc import Mapping
++from enum import Enum
++from subprocess import PIPE, CalledProcessError, check_call, check_output
++from typing import Iterable, List, Optional, Tuple, Union
++from urllib.parse import urlparse
++
++logger = logging.getLogger(__name__)
++
++# The unique Charmhub library identifier, never change it
++LIBID = "7c3dbc9c2ad44a47bd6fcb25caa270e5"
++
++# Increment this major API version when introducing breaking changes
++LIBAPI = 0
++
++# Increment this PATCH version before using `charmcraft publish-lib` or reset
++# to 0 if you are raising the major API version
++LIBPATCH = 7
++
++
++VALID_SOURCE_TYPES = ("deb", "deb-src")
++OPTIONS_MATCHER = re.compile(r"\[.*?\]")
++
++
++class Error(Exception):
++    """Base class of most errors raised by this library."""
++
++    def __repr__(self):
++        """String representation of Error."""
++        return "<{}.{} {}>".format(type(self).__module__, type(self).__name__, self.args)
++
++    @property
++    def name(self):
++        """Return a string representation of the model plus class."""
++        return "<{}.{}>".format(type(self).__module__, type(self).__name__)
++
++    @property
++    def message(self):
++        """Return the message passed as an argument."""
++        return self.args[0]
++
++
++class PackageError(Error):
++    """Raised when there's an error installing or removing a package."""
++
++
++class PackageNotFoundError(Error):
++    """Raised when a requested package is not known to the system."""
++
++
++class PackageState(Enum):
++    """A class to represent possible package states."""
++
++    Present = "present"
++    Absent = "absent"
++    Latest = "latest"
++    Available = "available"
++
++
++class DebianPackage:
++    """Represents a traditional Debian package and its utility functions.
++
++    `DebianPackage` wraps information and functionality around a known package, whether installed
++    or available. The version, epoch, name, and architecture can be easily queried and compared
++    against other `DebianPackage` objects to determine the latest version or to install a specific
++    version.
++
++    The representation of this object as a string mimics the output from `dpkg` for familiarity.
++
++    Installation and removal of packages is handled through the `state` property or `ensure`
++    method, with the following options:
++
++        apt.PackageState.Absent
++        apt.PackageState.Available
++        apt.PackageState.Present
++        apt.PackageState.Latest
++
++    When `DebianPackage` is initialized, the state of a given `DebianPackage` object will be set to
++    `Available`, `Present`, or `Latest`, with `Absent` implemented as a convenience for removal
++    (though it operates essentially the same as `Available`).
++    """
++
++    def __init__(
++        self, name: str, version: str, epoch: str, arch: str, state: PackageState
++    ) -> None:
++        self._name = name
++        self._arch = arch
++        self._state = state
++        self._version = Version(version, epoch)
++
++    def __eq__(self, other) -> bool:
++        """Equality for comparison.
++
++        Args:
++          other: a `DebianPackage` object for comparison
++
++        Returns:
++          A boolean reflecting equality
++        """
++        return isinstance(other, self.__class__) and (
++            self._name,
++            self._version.number,
++        ) == (other._name, other._version.number)
++
++    def __hash__(self):
++        """A basic hash so this class can be used in Mappings and dicts."""
++        return hash((self._name, self._version.number))
++
++    def __repr__(self):
++        """A representation of the package."""
++        return "<{}.{}: {}>".format(self.__module__, self.__class__.__name__, self.__dict__)
++
++    def __str__(self):
++        """A human-readable representation of the package."""
++        return "<{}: {}-{}.{} -- {}>".format(
++            self.__class__.__name__,
++            self._name,
++            self._version,
++            self._arch,
++            str(self._state),
++        )
++
++    @staticmethod
++    def _apt(
++        command: str,
++        package_names: Union[str, List],
++        optargs: Optional[List[str]] = None,
++    ) -> None:
++        """Wrap package management commands for Debian/Ubuntu systems.
++
++        Args:
++          command: the command given to `apt-get`
++          package_names: a package name or list of package names to operate on
++          optargs: an (Optional) list of additioanl arguments
++
++        Raises:
++          PackageError if an error is encountered
++        """
++        optargs = optargs if optargs is not None else []
++        if isinstance(package_names, str):
++            package_names = [package_names]
++        _cmd = ["apt-get", "-y", *optargs, command, *package_names]
++        try:
++            check_call(_cmd, stderr=PIPE, stdout=PIPE)
++        except CalledProcessError as e:
++            raise PackageError(
++                "Could not {} package(s) [{}]: {}".format(command, [*package_names], e.output)
++            ) from None
++
++    def _add(self) -> None:
++        """Add a package to the system."""
++        self._apt(
++            "install",
++            "{}={}".format(self.name, self.version),
++            optargs=["--option=Dpkg::Options::=--force-confold"],
++        )
++
++    def _remove(self) -> None:
++        """Removes a package from the system. Implementation-specific."""
++        return self._apt("remove", "{}={}".format(self.name, self.version))
++
++    @property
++    def name(self) -> str:
++        """Returns the name of the package."""
++        return self._name
++
++    def ensure(self, state: PackageState):
++        """Ensures that a package is in a given state.
++
++        Args:
++          state: a `PackageState` to reconcile the package to
++
++        Raises:
++          PackageError from the underlying call to apt
++        """
++        if self._state is not state:
++            if state not in (PackageState.Present, PackageState.Latest):
++                self._remove()
++            else:
++                self._add()
++        self._state = state
++
++    @property
++    def present(self) -> bool:
++        """Returns whether or not a package is present."""
++        return self._state in (PackageState.Present, PackageState.Latest)
++
++    @property
++    def latest(self) -> bool:
++        """Returns whether the package is the most recent version."""
++        return self._state is PackageState.Latest
++
++    @property
++    def state(self) -> PackageState:
++        """Returns the current package state."""
++        return self._state
++
++    @state.setter
++    def state(self, state: PackageState) -> None:
++        """Sets the package state to a given value.
++
++        Args:
++          state: a `PackageState` to reconcile the package to
++
++        Raises:
++          PackageError from the underlying call to apt
++        """
++        if state in (PackageState.Latest, PackageState.Present):
++            self._add()
++        else:
++            self._remove()
++        self._state = state
++
++    @property
++    def version(self) -> "Version":
++        """Returns the version for a package."""
++        return self._version
++
++    @property
++    def epoch(self) -> str:
++        """Returns the epoch for a package. May be unset."""
++        return self._version.epoch
++
++    @property
++    def arch(self) -> str:
++        """Returns the architecture for a package."""
++        return self._arch
++
++    @property
++    def fullversion(self) -> str:
++        """Returns the name+epoch for a package."""
++        return "{}.{}".format(self._version, self._arch)
++
++    @staticmethod
++    def _get_epoch_from_version(version: str) -> Tuple[str, str]:
++        """Pull the epoch, if any, out of a version string."""
++        epoch_matcher = re.compile(r"^((?P<epoch>\d+):)?(?P<version>.*)")
++        matches = epoch_matcher.search(version).groupdict()
++        return matches.get("epoch", ""), matches.get("version")
++
++    @classmethod
++    def from_system(
++        cls, package: str, version: Optional[str] = "", arch: Optional[str] = ""
++    ) -> "DebianPackage":
++        """Locates a package, either on the system or known to apt, and serializes the information.
++
++        Args:
++            package: a string representing the package
++            version: an optional string if a specific version isr equested
++            arch: an optional architecture, defaulting to `dpkg --print-architecture`. If an
++                architecture is not specified, this will be used for selection.
++
++        """
++        try:
++            return DebianPackage.from_installed_package(package, version, arch)
++        except PackageNotFoundError:
++            logger.debug(
++                "package '%s' is not currently installed or has the wrong architecture.", package
++            )
++
++        # Ok, try `apt-cache ...`
++        try:
++            return DebianPackage.from_apt_cache(package, version, arch)
++        except (PackageNotFoundError, PackageError):
++            # If we get here, it's not known to the systems.
++            # This seems unnecessary, but virtually all `apt` commands have a return code of `100`,
++            # and providing meaningful error messages without this is ugly.
++            raise PackageNotFoundError(
++                "Package '{}{}' could not be found on the system or in the apt cache!".format(
++                    package, ".{}".format(arch) if arch else ""
++                )
++            ) from None
++
++    @classmethod
++    def from_installed_package(
++        cls, package: str, version: Optional[str] = "", arch: Optional[str] = ""
++    ) -> "DebianPackage":
++        """Check whether the package is already installed and return an instance.
++
++        Args:
++            package: a string representing the package
++            version: an optional string if a specific version isr equested
++            arch: an optional architecture, defaulting to `dpkg --print-architecture`.
++                If an architecture is not specified, this will be used for selection.
++        """
++        system_arch = check_output(
++            ["dpkg", "--print-architecture"], universal_newlines=True
++        ).strip()
++        arch = arch if arch else system_arch
++
++        # Regexps are a really terrible way to do this. Thanks dpkg
++        output = ""
++        try:
++            output = check_output(["dpkg", "-l", package], stderr=PIPE, universal_newlines=True)
++        except CalledProcessError:
++            raise PackageNotFoundError("Package is not installed: {}".format(package)) from None
++
++        # Pop off the output from `dpkg -l' because there's no flag to
++        # omit it`
++        lines = str(output).splitlines()[5:]
++
++        dpkg_matcher = re.compile(
++            r"""
++        ^(?P<package_status>\w+?)\s+
++        (?P<package_name>.*?)(?P<throwaway_arch>:\w+?)?\s+
++        (?P<version>.*?)\s+
++        (?P<arch>\w+?)\s+
++        (?P<description>.*)
++        """,
++            re.VERBOSE,
++        )
++
++        for line in lines:
++            try:
++                matches = dpkg_matcher.search(line).groupdict()
++                package_status = matches["package_status"]
++
++                if not package_status.endswith("i"):
++                    logger.debug(
++                        "package '%s' in dpkg output but not installed, status: '%s'",
++                        package,
++                        package_status,
++                    )
++                    break
++
++                epoch, split_version = DebianPackage._get_epoch_from_version(matches["version"])
++                pkg = DebianPackage(
++                    matches["package_name"],
++                    split_version,
++                    epoch,
++                    matches["arch"],
++                    PackageState.Present,
++                )
++                if (pkg.arch == "all" or pkg.arch == arch) and (
++                    version == "" or str(pkg.version) == version
++                ):
++                    return pkg
++            except AttributeError:
++                logger.warning("dpkg matcher could not parse line: %s", line)
++
++        # If we didn't find it, fail through
++        raise PackageNotFoundError("Package {}.{} is not installed!".format(package, arch))
++
++    @classmethod
++    def from_apt_cache(
++        cls, package: str, version: Optional[str] = "", arch: Optional[str] = ""
++    ) -> "DebianPackage":
++        """Check whether the package is already installed and return an instance.
++
++        Args:
++            package: a string representing the package
++            version: an optional string if a specific version isr equested
++            arch: an optional architecture, defaulting to `dpkg --print-architecture`.
++                If an architecture is not specified, this will be used for selection.
++        """
++        system_arch = check_output(
++            ["dpkg", "--print-architecture"], universal_newlines=True
++        ).strip()
++        arch = arch if arch else system_arch
++
++        # Regexps are a really terrible way to do this. Thanks dpkg
++        keys = ("Package", "Architecture", "Version")
++
++        try:
++            output = check_output(
++                ["apt-cache", "show", package], stderr=PIPE, universal_newlines=True
++            )
++        except CalledProcessError as e:
++            raise PackageError(
++                "Could not list packages in apt-cache: {}".format(e.output)
++            ) from None
++
++        pkg_groups = output.strip().split("\n\n")
++        keys = ("Package", "Architecture", "Version")
++
++        for pkg_raw in pkg_groups:
++            lines = str(pkg_raw).splitlines()
++            vals = {}
++            for line in lines:
++                if line.startswith(keys):
++                    items = line.split(":", 1)
++                    vals[items[0]] = items[1].strip()
++                else:
++                    continue
++
++            epoch, split_version = DebianPackage._get_epoch_from_version(vals["Version"])
++            pkg = DebianPackage(
++                vals["Package"],
++                split_version,
++                epoch,
++                vals["Architecture"],
++                PackageState.Available,
++            )
++
++            if (pkg.arch == "all" or pkg.arch == arch) and (
++                version == "" or str(pkg.version) == version
++            ):
++                return pkg
++
++        # If we didn't find it, fail through
++        raise PackageNotFoundError("Package {}.{} is not in the apt cache!".format(package, arch))
++
++
++class Version:
++    """An abstraction around package versions.
++
++    This seems like it should be strictly unnecessary, except that `apt_pkg` is not usable inside a
++    venv, and wedging version comparisions into `DebianPackage` would overcomplicate it.
++
++    This class implements the algorithm found here:
++    https://www.debian.org/doc/debian-policy/ch-controlfields.html#version
++    """
++
++    def __init__(self, version: str, epoch: str):
++        self._version = version
++        self._epoch = epoch or ""
++
++    def __repr__(self):
++        """A representation of the package."""
++        return "<{}.{}: {}>".format(self.__module__, self.__class__.__name__, self.__dict__)
++
++    def __str__(self):
++        """A human-readable representation of the package."""
++        return "{}{}".format("{}:".format(self._epoch) if self._epoch else "", self._version)
++
++    @property
++    def epoch(self):
++        """Returns the epoch for a package. May be empty."""
++        return self._epoch
++
++    @property
++    def number(self) -> str:
++        """Returns the version number for a package."""
++        return self._version
++
++    def _get_parts(self, version: str) -> Tuple[str, str]:
++        """Separate the version into component upstream and Debian pieces."""
++        try:
++            version.rindex("-")
++        except ValueError:
++            # No hyphens means no Debian version
++            return version, "0"
++
++        upstream, debian = version.rsplit("-", 1)
++        return upstream, debian
++
++    def _listify(self, revision: str) -> List[str]:
++        """Split a revision string into a listself.
++
++        This list is comprised of  alternating between strings and numbers,
++        padded on either end to always be "str, int, str, int..." and
++        always be of even length.  This allows us to trivially implement the
++        comparison algorithm described.
++        """
++        result = []
++        while revision:
++            rev_1, remains = self._get_alphas(revision)
++            rev_2, remains = self._get_digits(remains)
++            result.extend([rev_1, rev_2])
++            revision = remains
++        return result
++
++    def _get_alphas(self, revision: str) -> Tuple[str, str]:
++        """Return a tuple of the first non-digit characters of a revision."""
++        # get the index of the first digit
++        for i, char in enumerate(revision):
++            if char.isdigit():
++                if i == 0:
++                    return "", revision
++                return revision[0:i], revision[i:]
++        # string is entirely alphas
++        return revision, ""
++
++    def _get_digits(self, revision: str) -> Tuple[int, str]:
++        """Return a tuple of the first integer characters of a revision."""
++        # If the string is empty, return (0,'')
++        if not revision:
++            return 0, ""
++        # get the index of the first non-digit
++        for i, char in enumerate(revision):
++            if not char.isdigit():
++                if i == 0:
++                    return 0, revision
++                return int(revision[0:i]), revision[i:]
++        # string is entirely digits
++        return int(revision), ""
++
++    def _dstringcmp(self, a, b):  # noqa: C901
++        """Debian package version string section lexical sort algorithm.
++
++        The lexical comparison is a comparison of ASCII values modified so
++        that all the letters sort earlier than all the non-letters and so that
++        a tilde sorts before anything, even the end of a part.
++        """
++        if a == b:
++            return 0
++        try:
++            for i, char in enumerate(a):
++                if char == b[i]:
++                    continue
++                # "a tilde sorts before anything, even the end of a part"
++                # (emptyness)
++                if char == "~":
++                    return -1
++                if b[i] == "~":
++                    return 1
++                # "all the letters sort earlier than all the non-letters"
++                if char.isalpha() and not b[i].isalpha():
++                    return -1
++                if not char.isalpha() and b[i].isalpha():
++                    return 1
++                # otherwise lexical sort
++                if ord(char) > ord(b[i]):
++                    return 1
++                if ord(char) < ord(b[i]):
++                    return -1
++        except IndexError:
++            # a is longer than b but otherwise equal, greater unless there are tildes
++            if char == "~":
++                return -1
++            return 1
++        # if we get here, a is shorter than b but otherwise equal, so check for tildes...
++        if b[len(a)] == "~":
++            return 1
++        return -1
++
++    def _compare_revision_strings(self, first: str, second: str):  # noqa: C901
++        """Compare two debian revision strings."""
++        if first == second:
++            return 0
++
++        # listify pads results so that we will always be comparing ints to ints
++        # and strings to strings (at least until we fall off the end of a list)
++        first_list = self._listify(first)
++        second_list = self._listify(second)
++        if first_list == second_list:
++            return 0
++        try:
++            for i, item in enumerate(first_list):
++                # explicitly raise IndexError if we've fallen off the edge of list2
++                if i >= len(second_list):
++                    raise IndexError
++                # if the items are equal, next
++                if item == second_list[i]:
++                    continue
++                # numeric comparison
++                if isinstance(item, int):
++                    if item > second_list[i]:
++                        return 1
++                    if item < second_list[i]:
++                        return -1
++                else:
++                    # string comparison
++                    return self._dstringcmp(item, second_list[i])
++        except IndexError:
++            # rev1 is longer than rev2 but otherwise equal, hence greater
++            # ...except for goddamn tildes
++            if first_list[len(second_list)][0][0] == "~":
++                return 1
++            return 1
++        # rev1 is shorter than rev2 but otherwise equal, hence lesser
++        # ...except for goddamn tildes
++        if second_list[len(first_list)][0][0] == "~":
++            return -1
++        return -1
++
++    def _compare_version(self, other) -> int:
++        if (self.number, self.epoch) == (other.number, other.epoch):
++            return 0
++
++        if self.epoch < other.epoch:
++            return -1
++        if self.epoch > other.epoch:
++            return 1
++
++        # If none of these are true, follow the algorithm
++        upstream_version, debian_version = self._get_parts(self.number)
++        other_upstream_version, other_debian_version = self._get_parts(other.number)
++
++        upstream_cmp = self._compare_revision_strings(upstream_version, other_upstream_version)
++        if upstream_cmp != 0:
++            return upstream_cmp
++
++        debian_cmp = self._compare_revision_strings(debian_version, other_debian_version)
++        if debian_cmp != 0:
++            return debian_cmp
++
++        return 0
++
++    def __lt__(self, other) -> bool:
++        """Less than magic method impl."""
++        return self._compare_version(other) < 0
++
++    def __eq__(self, other) -> bool:
++        """Equality magic method impl."""
++        return self._compare_version(other) == 0
++
++    def __gt__(self, other) -> bool:
++        """Greater than magic method impl."""
++        return self._compare_version(other) > 0
++
++    def __le__(self, other) -> bool:
++        """Less than or equal to magic method impl."""
++        return self.__eq__(other) or self.__lt__(other)
++
++    def __ge__(self, other) -> bool:
++        """Greater than or equal to magic method impl."""
++        return self.__gt__(other) or self.__eq__(other)
++
++    def __ne__(self, other) -> bool:
++        """Not equal to magic method impl."""
++        return not self.__eq__(other)
++
++
++def add_package(
++    package_names: Union[str, List[str]],
++    version: Optional[str] = "",
++    arch: Optional[str] = "",
++    update_cache: Optional[bool] = False,
++) -> Union[DebianPackage, List[DebianPackage]]:
++    """Add a package or list of packages to the system.
++
++    Args:
++        name: the name(s) of the package(s)
++        version: an (Optional) version as a string. Defaults to the latest known
++        arch: an optional architecture for the package
++        update_cache: whether or not to run `apt-get update` prior to operating
++
++    Raises:
++        PackageNotFoundError if the package is not in the cache.
++    """
++    cache_refreshed = False
++    if update_cache:
++        update()
++        cache_refreshed = True
++
++    packages = {"success": [], "retry": [], "failed": []}
++
++    package_names = [package_names] if type(package_names) is str else package_names
++    if not package_names:
++        raise TypeError("Expected at least one package name to add, received zero!")
++
++    if len(package_names) != 1 and version:
++        raise TypeError(
++            "Explicit version should not be set if more than one package is being added!"
++        )
++
++    for p in package_names:
++        pkg, success = _add(p, version, arch)
++        if success:
++            packages["success"].append(pkg)
++        else:
++            logger.warning("failed to locate and install/update '%s'", pkg)
++            packages["retry"].append(p)
++
++    if packages["retry"] and not cache_refreshed:
++        logger.info("updating the apt-cache and retrying installation of failed packages.")
++        update()
++
++        for p in packages["retry"]:
++            pkg, success = _add(p, version, arch)
++            if success:
++                packages["success"].append(pkg)
++            else:
++                packages["failed"].append(p)
++
++    if packages["failed"]:
++        raise PackageError("Failed to install packages: {}".format(", ".join(packages["failed"])))
++
++    return packages["success"] if len(packages["success"]) > 1 else packages["success"][0]
++
++
++def _add(
++    name: str,
++    version: Optional[str] = "",
++    arch: Optional[str] = "",
++) -> Tuple[Union[DebianPackage, str], bool]:
++    """Adds a package.
++
++    Args:
++        name: the name(s) of the package(s)
++        version: an (Optional) version as a string. Defaults to the latest known
++        arch: an optional architecture for the package
++
++    Returns: a tuple of `DebianPackage` if found, or a :str: if it is not, and
++        a boolean indicating success
++    """
++    try:
++        pkg = DebianPackage.from_system(name, version, arch)
++        pkg.ensure(state=PackageState.Present)
++        return pkg, True
++    except PackageNotFoundError:
++        return name, False
++
++
++def remove_package(
++    package_names: Union[str, List[str]]
++) -> Union[DebianPackage, List[DebianPackage]]:
++    """Removes a package from the system.
++
++    Args:
++        package_names: the name of a package
++
++    Raises:
++        PackageNotFoundError if the package is not found.
++    """
++    packages = []
++
++    package_names = [package_names] if type(package_names) is str else package_names
++    if not package_names:
++        raise TypeError("Expected at least one package name to add, received zero!")
++
++    for p in package_names:
++        try:
++            pkg = DebianPackage.from_installed_package(p)
++            pkg.ensure(state=PackageState.Absent)
++            packages.append(pkg)
++        except PackageNotFoundError:
++            logger.info("package '%s' was requested for removal, but it was not installed.", p)
++
++    # the list of packages will be empty when no package is removed
++    logger.debug("packages: '%s'", packages)
++    return packages[0] if len(packages) == 1 else packages
++
++
++def update() -> None:
++    """Updates the apt cache via `apt-get update`."""
++    check_call(["apt-get", "update"], stderr=PIPE, stdout=PIPE)
++
++
++class InvalidSourceError(Error):
++    """Exceptions for invalid source entries."""
++
++
++class GPGKeyError(Error):
++    """Exceptions for GPG keys."""
++
++
++class DebianRepository:
++    """An abstraction to represent a repository."""
++
++    def __init__(
++        self,
++        enabled: bool,
++        repotype: str,
++        uri: str,
++        release: str,
++        groups: List[str],
++        filename: Optional[str] = "",
++        gpg_key_filename: Optional[str] = "",
++        options: Optional[dict] = None,
++    ):
++        self._enabled = enabled
++        self._repotype = repotype
++        self._uri = uri
++        self._release = release
++        self._groups = groups
++        self._filename = filename
++        self._gpg_key_filename = gpg_key_filename
++        self._options = options
++
++    @property
++    def enabled(self):
++        """Return whether or not the repository is enabled."""
++        return self._enabled
++
++    @property
++    def repotype(self):
++        """Return whether it is binary or source."""
++        return self._repotype
++
++    @property
++    def uri(self):
++        """Return the URI."""
++        return self._uri
++
++    @property
++    def release(self):
++        """Return which Debian/Ubuntu releases it is valid for."""
++        return self._release
++
++    @property
++    def groups(self):
++        """Return the enabled package groups."""
++        return self._groups
++
++    @property
++    def filename(self):
++        """Returns the filename for a repository."""
++        return self._filename
++
++    @filename.setter
++    def filename(self, fname: str) -> None:
++        """Sets the filename used when a repo is written back to diskself.
++
++        Args:
++            fname: a filename to write the repository information to.
++        """
++        if not fname.endswith(".list"):
++            raise InvalidSourceError("apt source filenames should end in .list!")
++
++        self._filename = fname
++
++    @property
++    def gpg_key(self):
++        """Returns the path to the GPG key for this repository."""
++        return self._gpg_key_filename
++
++    @property
++    def options(self):
++        """Returns any additional repo options which are set."""
++        return self._options
++
++    def make_options_string(self) -> str:
++        """Generate the complete options string for a a repository.
++
++        Combining `gpg_key`, if set, and the rest of the options to find
++        a complex repo string.
++        """
++        options = self._options if self._options else {}
++        if self._gpg_key_filename:
++            options["signed-by"] = self._gpg_key_filename
++
++        return (
++            "[{}] ".format(" ".join(["{}={}".format(k, v) for k, v in options.items()]))
++            if options
++            else ""
++        )
++
++    @staticmethod
++    def prefix_from_uri(uri: str) -> str:
++        """Get a repo list prefix from the uri, depending on whether a path is set."""
++        uridetails = urlparse(uri)
++        path = (
++            uridetails.path.lstrip("/").replace("/", "-") if uridetails.path else uridetails.netloc
++        )
++        return "/etc/apt/sources.list.d/{}".format(path)
++
++    @staticmethod
++    def from_repo_line(repo_line: str, write_file: Optional[bool] = True) -> "DebianRepository":
++        """Instantiate a new `DebianRepository` a `sources.list` entry line.
++
++        Args:
++            repo_line: a string representing a repository entry
++            write_file: boolean to enable writing the new repo to disk
++        """
++        repo = RepositoryMapping._parse(repo_line, "UserInput")
++        fname = "{}-{}.list".format(
++            DebianRepository.prefix_from_uri(repo.uri), repo.release.replace("/", "-")
++        )
++        repo.filename = fname
++
++        options = repo.options if repo.options else {}
++        if repo.gpg_key:
++            options["signed-by"] = repo.gpg_key
++
++        # For Python 3.5 it's required to use sorted in the options dict in order to not have
++        # different results in the order of the options between executions.
++        options_str = (
++            "[{}] ".format(" ".join(["{}={}".format(k, v) for k, v in sorted(options.items())]))
++            if options
++            else ""
++        )
++
++        if write_file:
++            with open(fname, "wb") as f:
++                f.write(
++                    (
++                        "{}".format("#" if not repo.enabled else "")
++                        + "{} {}{} ".format(repo.repotype, options_str, repo.uri)
++                        + "{} {}\n".format(repo.release, " ".join(repo.groups))
++                    ).encode("utf-8")
++                )
++
++        return repo
++
++    def disable(self) -> None:
++        """Remove this repository from consideration.
++
++        Disable it instead of removing from the repository file.
++        """
++        searcher = "{} {}{} {}".format(
++            self.repotype, self.make_options_string(), self.uri, self.release
++        )
++        for line in fileinput.input(self._filename, inplace=True):
++            if re.match(r"^{}\s".format(re.escape(searcher)), line):
++                print("# {}".format(line), end="")
++            else:
++                print(line, end="")
++
++    def import_key(self, key: str) -> None:
++        """Import an ASCII Armor key.
++
++        A Radix64 format keyid is also supported for backwards
++        compatibility. In this case Ubuntu keyserver will be
++        queried for a key via HTTPS by its keyid. This method
++        is less preferrable because https proxy servers may
++        require traffic decryption which is equivalent to a
++        man-in-the-middle attack (a proxy server impersonates
++        keyserver TLS certificates and has to be explicitly
++        trusted by the system).
++
++        Args:
++          key: A GPG key in ASCII armor format,
++                      including BEGIN and END markers or a keyid.
++
++        Raises:
++          GPGKeyError if the key could not be imported
++        """
++        key = key.strip()
++        if "-" in key or "\n" in key:
++            # Send everything not obviously a keyid to GPG to import, as
++            # we trust its validation better than our own. eg. handling
++            # comments before the key.
++            logger.debug("PGP key found (looks like ASCII Armor format)")
++            if (
++                "-----BEGIN PGP PUBLIC KEY BLOCK-----" in key
++                and "-----END PGP PUBLIC KEY BLOCK-----" in key
++            ):
++                logger.debug("Writing provided PGP key in the binary format")
++                key_bytes = key.encode("utf-8")
++                key_name = self._get_keyid_by_gpg_key(key_bytes)
++                key_gpg = self._dearmor_gpg_key(key_bytes)
++                self._gpg_key_filename = "/etc/apt/trusted.gpg.d/{}.gpg".format(key_name)
++                self._write_apt_gpg_keyfile(key_name=self._gpg_key_filename, key_material=key_gpg)
++            else:
++                raise GPGKeyError("ASCII armor markers missing from GPG key")
++        else:
++            logger.warning(
++                "PGP key found (looks like Radix64 format). "
++                "SECURELY importing PGP key from keyserver; "
++                "full key not provided."
++            )
++            # as of bionic add-apt-repository uses curl with an HTTPS keyserver URL
++            # to retrieve GPG keys. `apt-key adv` command is deprecated as is
++            # apt-key in general as noted in its manpage. See lp:1433761 for more
++            # history. Instead, /etc/apt/trusted.gpg.d is used directly to drop
++            # gpg
++            key_asc = self._get_key_by_keyid(key)
++            # write the key in GPG format so that apt-key list shows it
++            key_gpg = self._dearmor_gpg_key(key_asc.encode("utf-8"))
++            self._gpg_key_filename = "/etc/apt/trusted.gpg.d/{}.gpg".format(key)
++            self._write_apt_gpg_keyfile(key_name=key, key_material=key_gpg)
++
++    @staticmethod
++    def _get_keyid_by_gpg_key(key_material: bytes) -> str:
++        """Get a GPG key fingerprint by GPG key material.
++
++        Gets a GPG key fingerprint (40-digit, 160-bit) by the ASCII armor-encoded
++        or binary GPG key material. Can be used, for example, to generate file
++        names for keys passed via charm options.
++        """
++        # Use the same gpg command for both Xenial and Bionic
++        cmd = ["gpg", "--with-colons", "--with-fingerprint"]
++        ps = subprocess.run(
++            cmd,
++            stdout=PIPE,
++            stderr=PIPE,
++            input=key_material,
++        )
++        out, err = ps.stdout.decode(), ps.stderr.decode()
++        if "gpg: no valid OpenPGP data found." in err:
++            raise GPGKeyError("Invalid GPG key material provided")
++        # from gnupg2 docs: fpr :: Fingerprint (fingerprint is in field 10)
++        return re.search(r"^fpr:{9}([0-9A-F]{40}):$", out, re.MULTILINE).group(1)
++
++    @staticmethod
++    def _get_key_by_keyid(keyid: str) -> str:
++        """Get a key via HTTPS from the Ubuntu keyserver.
++
++        Different key ID formats are supported by SKS keyservers (the longer ones
++        are more secure, see "dead beef attack" and https://evil32.com/). Since
++        HTTPS is used, if SSLBump-like HTTPS proxies are in place, they will
++        impersonate keyserver.ubuntu.com and generate a certificate with
++        keyserver.ubuntu.com in the CN field or in SubjAltName fields of a
++        certificate. If such proxy behavior is expected it is necessary to add the
++        CA certificate chain containing the intermediate CA of the SSLBump proxy to
++        every machine that this code runs on via ca-certs cloud-init directive (via
++        cloudinit-userdata model-config) or via other means (such as through a
++        custom charm option). Also note that DNS resolution for the hostname in a
++        URL is done at a proxy server - not at the client side.
++        8-digit (32 bit) key ID
++        https://keyserver.ubuntu.com/pks/lookup?search=0x4652B4E6
++        16-digit (64 bit) key ID
++        https://keyserver.ubuntu.com/pks/lookup?search=0x6E85A86E4652B4E6
++        40-digit key ID:
++        https://keyserver.ubuntu.com/pks/lookup?search=0x35F77D63B5CEC106C577ED856E85A86E4652B4E6
++
++        Args:
++          keyid: An 8, 16 or 40 hex digit keyid to find a key for
++
++        Returns:
++          A string contining key material for the specified GPG key id
++
++
++        Raises:
++          subprocess.CalledProcessError
++        """
++        # options=mr - machine-readable output (disables html wrappers)
++        keyserver_url = (
++            "https://keyserver.ubuntu.com" "/pks/lookup?op=get&options=mr&exact=on&search=0x{}"
++        )
++        curl_cmd = ["curl", keyserver_url.format(keyid)]
++        # use proxy server settings in order to retrieve the key
++        return check_output(curl_cmd).decode()
++
++    @staticmethod
++    def _dearmor_gpg_key(key_asc: bytes) -> bytes:
++        """Converts a GPG key in the ASCII armor format to the binary format.
++
++        Args:
++          key_asc: A GPG key in ASCII armor format.
++
++        Returns:
++          A GPG key in binary format as a string
++
++        Raises:
++          GPGKeyError
++        """
++        ps = subprocess.run(["gpg", "--dearmor"], stdout=PIPE, stderr=PIPE, input=key_asc)
++        out, err = ps.stdout, ps.stderr.decode()
++        if "gpg: no valid OpenPGP data found." in err:
++            raise GPGKeyError(
++                "Invalid GPG key material. Check your network setup"
++                " (MTU, routing, DNS) and/or proxy server settings"
++                " as well as destination keyserver status."
++            )
++        else:
++            return out
++
++    @staticmethod
++    def _write_apt_gpg_keyfile(key_name: str, key_material: bytes) -> None:
++        """Writes GPG key material into a file at a provided path.
++
++        Args:
++          key_name: A key name to use for a key file (could be a fingerprint)
++          key_material: A GPG key material (binary)
++        """
++        with open(key_name, "wb") as keyf:
++            keyf.write(key_material)
++
++
++class RepositoryMapping(Mapping):
++    """An representation of known repositories.
++
++    Instantiation of `RepositoryMapping` will iterate through the
++    filesystem, parse out repository files in `/etc/apt/...`, and create
++    `DebianRepository` objects in this list.
++
++    Typical usage:
++
++        repositories = apt.RepositoryMapping()
++        repositories.add(DebianRepository(
++            enabled=True, repotype="deb", uri="https://example.com", release="focal",
++            groups=["universe"]
++        ))
++    """
++
++    def __init__(self):
++        self._repository_map = {}
++        # Repositories that we're adding -- used to implement mode param
++        self.default_file = "/etc/apt/sources.list"
++
++        # read sources.list if it exists
++        if os.path.isfile(self.default_file):
++            self.load(self.default_file)
++
++        # read sources.list.d
++        for file in glob.iglob("/etc/apt/sources.list.d/*.list"):
++            self.load(file)
++
++    def __contains__(self, key: str) -> bool:
++        """Magic method for checking presence of repo in mapping."""
++        return key in self._repository_map
++
++    def __len__(self) -> int:
++        """Return number of repositories in map."""
++        return len(self._repository_map)
++
++    def __iter__(self) -> Iterable[DebianRepository]:
++        """Iterator magic method for RepositoryMapping."""
++        return iter(self._repository_map.values())
++
++    def __getitem__(self, repository_uri: str) -> DebianRepository:
++        """Return a given `DebianRepository`."""
++        return self._repository_map[repository_uri]
++
++    def __setitem__(self, repository_uri: str, repository: DebianRepository) -> None:
++        """Add a `DebianRepository` to the cache."""
++        self._repository_map[repository_uri] = repository
++
++    def load(self, filename: str):
++        """Load a repository source file into the cache.
++
++        Args:
++          filename: the path to the repository file
++        """
++        parsed = []
++        skipped = []
++        with open(filename, "r") as f:
++            for n, line in enumerate(f):
++                try:
++                    repo = self._parse(line, filename)
++                except InvalidSourceError:
++                    skipped.append(n)
++                else:
++                    repo_identifier = "{}-{}-{}".format(repo.repotype, repo.uri, repo.release)
++                    self._repository_map[repo_identifier] = repo
++                    parsed.append(n)
++                    logger.debug("parsed repo: '%s'", repo_identifier)
++
++        if skipped:
++            skip_list = ", ".join(str(s) for s in skipped)
++            logger.debug("skipped the following lines in file '%s': %s", filename, skip_list)
++
++        if parsed:
++            logger.info("parsed %d apt package repositories", len(parsed))
++        else:
++            raise InvalidSourceError("all repository lines in '{}' were invalid!".format(filename))
++
++    @staticmethod
++    def _parse(line: str, filename: str) -> DebianRepository:
++        """Parse a line in a sources.list file.
++
++        Args:
++          line: a single line from `load` to parse
++          filename: the filename being read
++
++        Raises:
++          InvalidSourceError if the source type is unknown
++        """
++        enabled = True
++        repotype = uri = release = gpg_key = ""
++        options = {}
++        groups = []
++
++        line = line.strip()
++        if line.startswith("#"):
++            enabled = False
++            line = line[1:]
++
++        # Check for "#" in the line and treat a part after it as a comment then strip it off.
++        i = line.find("#")
++        if i > 0:
++            line = line[:i]
++
++        # Split a source into substrings to initialize a new repo.
++        source = line.strip()
++        if source:
++            # Match any repo options, and get a dict representation.
++            for v in re.findall(OPTIONS_MATCHER, source):
++                opts = dict(o.split("=") for o in v.strip("[]").split())
++                # Extract the 'signed-by' option for the gpg_key
++                gpg_key = opts.pop("signed-by", "")
++                options = opts
++
++            # Remove any options from the source string and split the string into chunks
++            source = re.sub(OPTIONS_MATCHER, "", source)
++            chunks = source.split()
++
++            # Check we've got a valid list of chunks
++            if len(chunks) < 3 or chunks[0] not in VALID_SOURCE_TYPES:
++                raise InvalidSourceError("An invalid sources line was found in %s!", filename)
++
++            repotype = chunks[0]
++            uri = chunks[1]
++            release = chunks[2]
++            groups = chunks[3:]
++
++            return DebianRepository(
++                enabled, repotype, uri, release, groups, filename, gpg_key, options
++            )
++        else:
++            raise InvalidSourceError("An invalid sources line was found in %s!", filename)
++
++    def add(self, repo: DebianRepository, default_filename: Optional[bool] = False) -> None:
++        """Add a new repository to the system.
++
++        Args:
++          repo: a `DebianRepository` object
++          default_filename: an (Optional) filename if the default is not desirable
++        """
++        new_filename = "{}-{}.list".format(
++            DebianRepository.prefix_from_uri(repo.uri), repo.release.replace("/", "-")
++        )
++
++        fname = repo.filename or new_filename
++
++        options = repo.options if repo.options else {}
++        if repo.gpg_key:
++            options["signed-by"] = repo.gpg_key
++
++        with open(fname, "wb") as f:
++            f.write(
++                (
++                    "{}".format("#" if not repo.enabled else "")
++                    + "{} {}{} ".format(repo.repotype, repo.make_options_string(), repo.uri)
++                    + "{} {}\n".format(repo.release, " ".join(repo.groups))
++                ).encode("utf-8")
++            )
++
++        self._repository_map["{}-{}-{}".format(repo.repotype, repo.uri, repo.release)] = repo
++
++    def disable(self, repo: DebianRepository) -> None:
++        """Remove a repository. Disable by default.
++
++        Args:
++          repo: a `DebianRepository` to disable
++        """
++        searcher = "{} {}{} {}".format(
++            repo.repotype, repo.make_options_string(), repo.uri, repo.release
++        )
++
++        for line in fileinput.input(repo.filename, inplace=True):
++            if re.match(r"^{}\s".format(re.escape(searcher)), line):
++                print("# {}".format(line), end="")
++            else:
++                print(line, end="")
++
++        self._repository_map["{}-{}-{}".format(repo.repotype, repo.uri, repo.release)] = repo
 diff --git a/metadata.yaml b/metadata.yaml
 index de1439f..5becf33 100644
 --- a/metadata.yaml
 +++ b/metadata.yaml
@@ -1,23 +1,14 @@
--# Copyright 2022 Barry Price
--# See LICENSE file for licensing details.
--
--# For a complete list of supported options, see:
--# https://juju.is/docs/sdk/metadata-reference
--name: charm-tor
--display-name: |
--  TEMPLATE-TODO: fill out a display name for the Charmcraft store
++name: charm-tor-hidden-service
++display-name: Tor Hidden Service Charmed Operator
++summary: Tor Hidden Service Charmed Operator
  description: |
--  TEMPLATE-TODO: fill out the charm's description
--summary: |
--  TEMPLATE-TODO: fill out the charm's summary
--
--# TEMPLATE-TODO: replace with containers for your workload (delete for non-k8s)
--containers:
--  httpbin:
--    resource: httpbin-image
++    Tor is free software and an open network that helps you defend against
++    traffic analysis, a form of network surveillance that threatens personal
++    freedom and privacy, confidential business activities and relationships, and
++    state security.
++requires:
++  reverseproxy:
++    interface: http
++series:
++  - jammy
--# TEMPLATE-TODO: each container defined above must specify an oci-image resource
--resources:
--  httpbin-image:
--    type: oci-image
--    description: OCI image for httpbin (kennethreitz/httpbin)
 diff --git a/pyproject.toml b/pyproject.toml
 new file mode 100644
 index 0000000..177269a
 --- /dev/null
 +++ b/pyproject.toml
@@ -0,0 +1,38 @@
++# Copyright 2022 Canonical Ltd.
++# See LICENSE file for licensing details.
++
++# Testing tools configuration
++[tool.coverage.run]
++branch = true
++
++[tool.coverage.report]
++show_missing = true
++
++[tool.pytest.ini_options]
++minversion = "6.0"
++log_cli_level = "INFO"
++
++# Formatting tools configuration
++[tool.black]
++line-length = 99
++target-version = ["py310"]
++
++[tool.isort]
++profile = "black"
++
++# Linting tools configuration
++[tool.flake8]
++max-line-length = 99
++max-doc-length = 99
++max-complexity = 10
++exclude = [".git", "__pycache__", ".tox", "build", "dist", "*.egg_info", "venv"]
++select = ["E", "W", "F", "C", "N", "R", "D", "H"]
++# Ignore D107 Missing docstring in __init__
++ignore = ["D107"]
++# D100, D101, D102, D103: Ignore missing docstrings in tests
++per-file-ignores = ["tests/*:D100,D101,D102,D103,D104"]
++docstring-convention = "google"
++# Check for properly formatted copyright header in each file
++copyright-check = "True"
++copyright-author = "Canonical Ltd."
++copyright-regexp = "Copyright\\s\\d{4}([-,]\\d{4})*\\s+%(author)s"
 diff --git a/src/charm.py b/src/charm.py
 index 2cac651..73b10fa 100755
 --- a/src/charm.py
 +++ b/src/charm.py
@@ -1,104 +1,206 @@
  #!/usr/bin/env python3
--# Copyright 2022 Barry Price
++# Copyright 2022 Canonical Ltd.
  # See LICENSE file for licensing details.
--#
--# Learn more at: https://juju.is/docs/sdk
--"""Charm the service.
--
--Refer to the following post for a quick-start guide that will help you
--develop a new k8s charm using the Operator Framework:
--
--    https://discourse.charmhub.io/t/4208
--"""
++"""Charmed Operator to provide Tor hidden services."""
  import logging
--
--from ops.charm import CharmBase
++import os
++import shutil
++import subprocess
++import urllib.request
++
++import jinja2
++
++from charms.operator_libs_linux.v0 import apt
++from ops.charm import (
++    CharmBase,
++    RelationChangedEvent,
++)
  from ops.framework import StoredState
  from ops.main import main
--from ops.model import ActiveStatus
++from ops.model import (
++    BlockedStatus,
++    Unit,
++)
  logger = logging.getLogger(__name__)
--class CharmTorCharm(CharmBase):
--    """Charm the service."""
++def get_series():
++    """Return the installed Ubuntu series (e.g. "jammy")."""
++    return subprocess.check_output(["lsb_release", "-sc"]).decode('utf-8').strip()
--    _stored = StoredState()
--    def __init__(self, *args):
--        super().__init__(*args)
--        self.framework.observe(self.on.httpbin_pebble_ready, self._on_httpbin_pebble_ready)
--        self.framework.observe(self.on.config_changed, self._on_config_changed)
--        self.framework.observe(self.on.fortune_action, self._on_fortune_action)
--        self._stored.set_default(things=[])
--
--    def _on_httpbin_pebble_ready(self, event):
--        """Define and start a workload using the Pebble API.
--
--        TEMPLATE-TODO: change this example to suit your needs.
--        You'll need to specify the right entrypoint and environment
--        configuration for your specific workload. Tip: you can see the
--        standard entrypoint of an existing container using docker inspect
--
--        Learn more about Pebble layers at https://github.com/canonical/pebble
--        """
--        # Get a reference the container attribute on the PebbleReadyEvent
--        container = event.workload
--        # Define an initial Pebble layer configuration
--        pebble_layer = {
--            "summary": "httpbin layer",
--            "description": "pebble config layer for httpbin",
--            "services": {
--                "httpbin": {
--                    "override": "replace",
--                    "summary": "httpbin",
--                    "command": "gunicorn -b 0.0.0.0:80 httpbin:app -k gevent",
--                    "startup": "enabled",
--                    "environment": {"thing": self.model.config["thing"]},
--                }
--            },
--        }
--        # Add initial Pebble config layer using the Pebble API
--        container.add_layer("httpbin", pebble_layer, combine=True)
--        # Autostart any services that were defined with startup: enabled
--        container.autostart()
--        # Learn more about statuses in the SDK docs:
--        # https://juju.is/docs/sdk/constructs#heading--statuses
--        self.unit.status = ActiveStatus()
++def install_tor_repo():
++    """Authenticate, install and pin the tor package to the torproject.org repo."""
++    # Installation is based on Tor installation instructions for Debian/Ubuntu:
++    # https://support.torproject.org/apt/tor-deb-repo/
++    keyring_path = "/usr/share/keyrings/tor-archive-keyring.gpg"
++    base_url = "https://deb.torproject.org/torproject.org"
--    def _on_config_changed(self, _):
--        """Just an example to show how to deal with changed configuration.
++    # retrieve the signing key
++    keyring_url = "{}/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc".format(base_url)
++    with urllib.request.urlopen(keyring_url) as f:
++        keyring = f.read()
++
++    with open(keyring_path, "wb") as f:
++        f.write(keyring)
++
++    # identify our running series
++    series = get_series()
++
++    # build .list file
++    tor_list = "deb [signed-by={}] {} {} main\n".format(keyring_path, base_url, series)
++    tor_list += "deb-src [signed-by={}] {} {} main\n".format(keyring_path, base_url, series)
--        TEMPLATE-TODO: change this example to suit your needs.
--        If you don't need to handle config, you can remove this method,
--        the hook created in __init__.py for it, the corresponding test,
--        and the config.py file.
++    # write .list file
++    with open("/etc/apt/sources.list.d/tor.list", "wb") as f:
++        f.write(tor_list.encode('utf-8'))
--        Learn more about config at https://juju.is/docs/sdk/config
--        """
--        current = self.config["thing"]
--        if current not in self._stored.things:
--            logger.debug("found a new thing: %r", current)
--            self._stored.things.append(current)
++    # pin the tor package to this repo
++    pin_config = "Package: tor\n"
++    pin_config += "Pin: release c=main\n"
++    pin_config += "Pin-Priority: 900\n\n"
--    def _on_fortune_action(self, event):
--        """Just an example to show how to receive actions.
++    # don't use the universe version
++    pin_config += "Package: tor\n"
++    pin_config += "Pin: release c=universe\n"
++    pin_config += "Pin-Priority: 1\n\n"
--        TEMPLATE-TODO: change this example to suit your needs.
--        If you don't need to handle actions, you can remove this method,
--        the hook created in __init__.py for it, the corresponding test,
--        and the actions.py file.
++    with open("/etc/apt/preferences.d/tor-pin", "wb") as f:
++        f.write(pin_config.encode('utf-8'))
--        Learn more about actions at https://juju.is/docs/sdk/actions
--        """
--        fail = event.params["fail"]
--        if fail:
--            event.fail(fail)
--        else:
--            event.set_results({"fortune": "A bug in the code is worth two in the documentation."})
++
++def remove_tor_repo():
++    """Remove and unpin the torproject.org repo."""
++    paths = (
++        "/etc/apt/sources.list.d/tor.list",
++        "/etc/apt/preferences.d/tor-pin",
++        "/usr/share/keyrings/tor-archive-keyring.gpg",
++    )
++    for p in paths:
++        if os.path.isfile(p):
++            os.unlink(p)
++
++
++class TorCharm(CharmBase):
++    """Charm the tor service."""
++
++    _state = StoredState()
++
++    def __init__(self, *args):
++        super().__init__(*args)
++        self._state.set_default(
++            need_package_apt_transport_https=True,
++            need_package_gpg=True,
++            need_package_tor=True,
++        )
++        self.framework.observe(self.on.config_changed, self._on_config_changed)
++        self.framework.observe(
++            self.on.reverseproxy_relation_changed, self._on_reverseproxy_relation_changed
++        )
++
++    def _on_config_changed(self, _):
++        """Handle config changes."""
++        # ensure required packages are installed
++        self._ensure_apt_transport_https()
++        self._ensure_gpg()
++        self._ensure_tor()
++
++    def _ensure_apt_transport_https(self):
++        if self._state.need_package_apt_transport_https:
++            logger.info("Ensuring apt-transport-https is installed")
++            apt.add_package("apt-transport-https", update_cache=True)
++            self._state.need_package_apt_transport_https = False
++
++    def _ensure_gpg(self):
++        if self._state.need_package_gpg:
++            logger.info("Ensuring gpg is installed")
++            apt.add_package("gpg", update_cache=True)
++            self._state.need_package_gpg = False
++
++    def _ensure_tor(self):
++        if self._state.need_package_tor:
++            tor_source = self.model.config['tor_source']
++            if tor_source == 'ubuntu':
++                logger.info("Source is ubuntu, ensuring torproject repo is not set up")
++                remove_tor_repo()
++            elif tor_source == 'torproject':
++                logger.info("Source is torproject, ensuring torproject repo is set up")
++                install_tor_repo()
++            else:
++                err = "Unexpected tor_source value: {}".format(tor_source)
++                logger.error(err)
++                self.unit.status = BlockedStatus(err)
++            logger.info("Ensuring tor is installed")
++            apt.add_package("tor", update_cache=True)
++
++    def _tor_setup(self, services):
++        cfg = {}
++        cfg['socks5_port'] = self.model.config['socks5_port']
++        root_dir = '/var/lib/tor'
++        for k, v in services.items():
++            logger.info('Got service name {} with value {}'.format(k, v))
++            service_dir = '{}/{}'.format(root_dir, v.get('servername'))
++            if not os.path.isdir(service_dir):
++                subprocess.check_call(
++                    ['install', '-d', service_dir, '-o', 'debian-tor', '-m', '700']
++                )
++
++        for file in os.listdir(root_dir):
++            if os.path.isdir(file):
++                basename = os.path.basename(file)
++                for k, v in services.items():
++                    if k.get('servername') == basename:
++                        # keep this configured directory
++                        pass
++                    else:
++                        logger.info('Removing unconfigured site {}'.format(basename))
++                        shutil.rmtree(file)
++
++        # NOTE: Once the below closed issue is actually resolved[1], this function
++        # should be replaced with a built-in one in Operator Framework.
++        # [1]: https://github.com/canonical/operator/issues/228
++
++        list_services = []
++        for k, v in services.items():
++            list_services.append(v)
++
++        templates = jinja2.Environment(
++            loader=jinja2.FileSystemLoader(self.charm_dir / "templates"),
++        )
++        template = templates.get_template("torrc")
++        torrc = template.render({'cfg': cfg, 'services': list_services})
++
++        torrc_filename = '/etc/tor/torrc'
++
++        with open(torrc_filename, 'wb') as f:
++            f.write(torrc.encode('utf-8'))
++
++    def _on_reverseproxy_relation_changed(self, event: RelationChangedEvent):
++        unit_data = event.relation.data
++        logger.info(unit_data)
++        services = {}
++        for unit in unit_data:
++            if not isinstance(unit, Unit):
++                logger.info("Skipping data of type {}".format(type(unit)))
++                continue
++            if unit.name == self.unit.name:
++                logger.info("Skipping our own unit ({})".format(unit.name))
++                continue
++            logger.info("Found related unit {}".format(unit))
++
++            services.update({
++                unit.name: {
++                    'hostname': unit_data[unit].get('hostname'),
++                    'private_address': unit_data[unit].get('private-address'),
++                    'port': unit_data[unit].get('port'),
++                    'servername': unit_data[unit].get('servername'),
++                }
++            })
++        self._tor_setup(services)
  if __name__ == "__main__":
--    main(CharmTorCharm)
++    main(TorCharm)
 diff --git a/templates/torrc b/templates/torrc
 new file mode 100644
 index 0000000..d709005
 --- /dev/null
 +++ b/templates/torrc
@@ -0,0 +1,12 @@
++# torrc generated by Juju.
++# Do not edit, changes are subject to being overwritten.
++
++SocksPort 127.0.0.1:{{ cfg.socks5_port }}
++
++{% for service in services %}
++HiddenServiceDir /var/lib/tor/{{ service.servername }}/
++# service.hostname is {{ service.hostname }}
++# service.private-address is {{ service.private_address }}
++HiddenServicePort {{ service.port }} {{ service.private_address }}:{{ service.port }}
++
++{% endfor %}
 diff --git a/tests/__init__.py b/tests/__init__.py
 index e163492..0c77dd5 100644
 --- a/tests/__init__.py
 +++ b/tests/__init__.py
@@ -1,2 +1,6 @@
++# Copyright 2022 Canonical Ltd.
++# See LICENSE file for licensing details.
++
  import ops.testing
++
  ops.testing.SIMULATE_CAN_CONNECT = True
 diff --git a/tests/test_charm.py b/tests/test_charm.py
 index 0830b8d..c7e4d40 100644
 --- a/tests/test_charm.py
 +++ b/tests/test_charm.py
@@ -1,15 +1,12 @@
--# Copyright 2022 Barry Price
++# Copyright 2022 Canonical Ltd.
  # See LICENSE file for licensing details.
--#
--# Learn more about testing at: https://juju.is/docs/sdk/testing
  import unittest
--from unittest.mock import Mock
--from charm import CharmTorCharm
--from ops.model import ActiveStatus
  from ops.testing import Harness
++from charm import CharmTorCharm
++
  class TestCharm(unittest.TestCase):
      def setUp(self):
@@ -19,50 +16,5 @@ class TestCharm(unittest.TestCase):
      def test_config_changed(self):
          self.assertEqual(list(self.harness.charm._stored.things), [])
--        self.harness.update_config({"thing": "foo"})
--        self.assertEqual(list(self.harness.charm._stored.things), ["foo"])
--
--    def test_action(self):
--        # the harness doesn't (yet!) help much with actions themselves
--        action_event = Mock(params={"fail": ""})
--        self.harness.charm._on_fortune_action(action_event)
--
--        self.assertTrue(action_event.set_results.called)
--
--    def test_action_fail(self):
--        action_event = Mock(params={"fail": "fail this"})
--        self.harness.charm._on_fortune_action(action_event)
--
--        self.assertEqual(action_event.fail.call_args, [("fail this",)])
--
--    def test_httpbin_pebble_ready(self):
--        # Simulate making the Pebble socket available
--        self.harness.set_can_connect("httpbin", True)
--        # Check the initial Pebble plan is empty
--        initial_plan = self.harness.get_container_pebble_plan("httpbin")
--        self.assertEqual(initial_plan.to_yaml(), "{}\n")
--        # Expected plan after Pebble ready with default config
--        expected_plan = {
--            "services": {
--                "httpbin": {
--                    "override": "replace",
--                    "summary": "httpbin",
--                    "command": "gunicorn -b 0.0.0.0:80 httpbin:app -k gevent",
--                    "startup": "enabled",
--                    "environment": {"thing": "🎁"},
--                }
--            },
--        }
--        # Get the httpbin container from the model
--        container = self.harness.model.unit.get_container("httpbin")
--        # Emit the PebbleReadyEvent carrying the httpbin container
--        self.harness.charm.on.httpbin_pebble_ready.emit(container)
--        # Get the plan now we've run PebbleReady
--        updated_plan = self.harness.get_container_pebble_plan("httpbin").to_dict()
--        # Check we've got the plan we expected
--        self.assertEqual(expected_plan, updated_plan)
--        # Check the service was started
--        service = self.harness.model.unit.get_container("httpbin").get_service("httpbin")
--        self.assertTrue(service.is_running())
--        # Ensure we set an ActiveStatus with no message
--        self.assertEqual(self.harness.model.unit.status, ActiveStatus())
++        self.harness.update_config({"tor-mode": "hidden"})
++        self.assertEqual(list(self.harness.charm._stored.things), ["hidden"])
 diff --git a/tox.ini b/tox.ini
 new file mode 100644
 index 0000000..bca0088
 --- /dev/null
 +++ b/tox.ini
@@ -0,0 +1,78 @@
++# Copyright 2022 Canonical Ltd.
++# See LICENSE file for licensing details.
++
++[tox]
++skipsdist=True
++skip_missing_interpreters = True
++envlist = lint, unit
++
++[vars]
++src_path = {toxinidir}/src/
++tst_path = {toxinidir}/tests/
++lib_path = {toxinidir}/lib/charms/operator_libs_linux
++all_path = {[vars]src_path} {[vars]tst_path}
++
++[testenv]
++setenv =
++  PYTHONPATH = {toxinidir}:{toxinidir}/lib:{[vars]src_path}
++  PYTHONBREAKPOINT=ipdb.set_trace
++  PY_COLORS=1
++passenv =
++  PYTHONPATH
++  HOME
++  PATH
++  CHARM_BUILD_DIR
++  MODEL_SETTINGS
++  HTTP_PROXY
++  HTTPS_PROXY
++  NO_PROXY
++
++[testenv:fmt]
++description = Apply coding style standards to code
++deps =
++    black
++    isort
++commands =
++    isort {[vars]all_path}
++    black {[vars]all_path}
++
++[testenv:lint]
++description = Check code against coding style standards
++deps =
++    black
++    flake8
++    flake8-docstrings
++    flake8-copyright
++    flake8-builtins
++    pyproject-flake8
++    pep8-naming
++    isort
++    codespell
++commands =
++    codespell {toxinidir}/*.yaml {toxinidir}/*.ini {toxinidir}/*.md \
++      {toxinidir}/*.toml {toxinidir}/*.txt {toxinidir}/.github
++    # pflake8 wrapper supports config from pyproject.toml
++    pflake8 {[vars]all_path}
++    isort --check-only --diff {[vars]all_path}
++    black --check --diff {[vars]all_path}
++
++[testenv:unit]
++description = Run unit tests
++deps =
++    pytest
++    coverage[toml]
++    -r{toxinidir}/requirements.txt
++commands =
++    coverage run --source={[vars]src_path} \
++        -m pytest --ignore={[vars]tst_path}integration -v --tb native -s {posargs}
++    coverage report
++
++[testenv:integration]
++description = Run integration tests
++deps =
++    git+https://github.com/juju/python-libjuju.git
++    pytest
++    git+https://github.com/charmed-kubernetes/pytest-operator.git
++    -r{toxinidir}/requirements.txt
++commands =
++    pytest -v --tb native --ignore={[vars]tst_path}unit --log-cli-level=INFO -s {posargs}