ansible-playbook.yml

- hosts: [some-host]
  become: true
  tasks:
  - docker_network:
      name: tor_proxy_network
      driver_options:
        com.docker.network.bridge.name: tor
  - docker_container:
      name: tor_proxy
      # object 9d8903fbee049c379537c5e291cfa88f57b049f2
      # tag docker/3.0.0-tor0.4.3.5-amd64
      image: docker.io/fphammerle/tor-proxy@sha256:501c5b5432156f25ecfce9e48ebfe0827f7702a1d32206af79f256cc94487a0f
      mounts:
      - type: volume
        source: tor_proxy_data
        target: /var/lib/tor
        read_only: no
      - type: tmpfs
        target: /tmp # torrc
        # nosuid,nodev,noexec added by default
        tmpfs_mode: '1777'
        tmpfs_size: 4k
      read_only: yes
      networks:
      - name: tor_proxy_network
      purge_networks: yes
      ports:
      - '127.0.0.1:9050:9050/tcp'
      - '127.0.0.1:53:9053/udp'
      cap_drop: [ALL]
      security_opts: [no-new-privileges]
      memory: 128M
      restart_policy: unless-stopped
  - iptables:
      action: append
      table: filter
      chain: OUTPUT
      out_interface: '!lo'
      jump: REJECT
      reject_with: icmp-admin-prohibited