Add single-hop onion service

config/hosts/capetillo/configuration.nix

@@ -8,6 +8,7 @@
 		../../common/services/acme.nix
 		./services/nginx.nix
 		./services/mail.nix
+		./services/tor.nix
 		./data/secrets/secrets.nix
 	];
 

config/hosts/capetillo/services/nginx.nix

@@ -1,3 +1,4 @@
+{ lib, ... }:
 {
 	imports = [ ../../../common/services/nginx.nix ];
 	services.nginx.virtualHosts = {
@@ -11,5 +12,18 @@
 			forceSSL = true;
 			root = "/var/www/mta-sts/public";
 		};
+		"ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion" = {
+			# TODO: Do this with unix sockets instead
+			listen = [ {
+								addr = "[::1]";
+								port = 8080;
+							} ];
+			root = "/var/www/nixaalb.org/public";
+		};
+	};
+
+	
+	systemd.services.nginx.serviceConfig = {
+		PrivateTmp = lib.mkForce "false";
 	};
 }

config/hosts/capetillo/services/tor.nix

@@ -0,0 +1,27 @@
+{config, ...}:
+{
+services.tor = {
+	enable = true;
+	enableGeoIP = false;
+	settings = {
+		HiddenServiceNonAnonymousMode = true;
+		Sandbox = true;
+	};
+	relay.onionServices = {
+		nixaalborg = {
+			version = 3;
+			map = [{
+				port = 80;
+				target = {
+					# TODO: Do this with unix sockets instead
+					addr = "[::1]";
+					port = 8080;
+				};
+			}];
+			settings = {
+				hiddenServiceSingleHopMode = true;
+			};
+		};
+	};
+};
+}