diff --git a/config/hosts/capetillo/configuration.nix b/config/hosts/capetillo/configuration.nix
index 65bd6b1..69bf319 100644
--- a/config/hosts/capetillo/configuration.nix
+++ b/config/hosts/capetillo/configuration.nix
@@ -8,6 +8,7 @@
 ../../common/services/acme.nix
 ./services/nginx.nix
 ./services/mail.nix
+ ./services/tor.nix
 ./data/secrets/secrets.nix
 ];
diff --git a/config/hosts/capetillo/services/nginx.nix b/config/hosts/capetillo/services/nginx.nix
index 189e7ae..a9fa2d1 100644
--- a/config/hosts/capetillo/services/nginx.nix
+++ b/config/hosts/capetillo/services/nginx.nix
@@ -1,3 +1,4 @@
+{ lib, ... }:
 {
 imports = [ ../../../common/services/nginx.nix ];
 services.nginx.virtualHosts = {
@@ -11,5 +12,18 @@
 forceSSL = true;
 root = "/var/www/mta-sts/public";
 };
+ "ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion" = {
+ # TODO: Do this with unix sockets instead
+ listen = [ {
+ addr = "[::1]";
+ port = 8080;
+ } ];
+ root = "/var/www/nixaalb.org/public";
+ };
+ };
+
+
+ systemd.services.nginx.serviceConfig = {
+ PrivateTmp = lib.mkForce "false";
 };
 }
diff --git a/config/hosts/capetillo/services/tor.nix b/config/hosts/capetillo/services/tor.nix
new file mode 100644
index 0000000..d82984e
--- /dev/null
+++ b/config/hosts/capetillo/services/tor.nix
@@ -0,0 +1,27 @@
+{config, ...}:
+{
+services.tor = {
+ enable = true;
+ enableGeoIP = false;
+ settings = {
+ HiddenServiceNonAnonymousMode = true;
+ Sandbox = true;
+ };
+ relay.onionServices = {
+ nixaalborg = {
+ version = 3;
+ map = [{
+ port = 80;
+ target = {
+ # TODO: Do this with unix sockets instead
+ addr = "[::1]";
+ port = 8080;
+ };
+ }];
+ settings = {
+ hiddenServiceSingleHopMode = true;
+ };
+ };
+ };
+};
+}
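Review bot: `PrivateTmp = lib.mkForce "false";` in the second nginx.nix hunk switches off one of the hardening options the upstream nginx module applies, and nothing in this commit uses the relaxation: the onion vhost added in the same hunk still listens on TCP `[::1]:8080`, and the TODO says unix sockets are future work. Either leave the override out until the socket actually exists, or add a comment recording what it is for, e.g. `# nginx must see the real /tmp so tor can reach its unix socket there; remove once the socket lives elsewhere`. If it stays, prefer the boolean `PrivateTmp = lib.mkForce false;` over the string `"false"` — serviceConfig accepts booleans and renders them for systemd, and the quoted form only works because systemd happens to parse the literal. One thing worth stating in the vhost itself is that the `.onion` name is only used as `server_name` and nothing binds it to the key tor generates under its state directory, so a regenerated key would silently produce a different address; a one-line comment pointing at the key location would save a future debugging session.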
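Review bot: `HiddenServiceNonAnonymousMode = true` combined with `hiddenServiceSingleHopMode = true` makes this a single-onion service, which deliberately gives up the server's location anonymity (the host talks directly to its rendezvous points) and also disables this tor instance as a client; that is a sensible trade for a public mirror of a clearnet site, but the file should say so, e.g. `# Non-anonymous single-onion service: the site is already public on the clearnet, so only visitors need Tor's anonymity.` The per-service key is spelled `hiddenServiceSingleHopMode` while the global one is `HiddenServiceNonAnonymousMode`; the torrc option is `HiddenServiceSingleHopMode`, and whether the lowercase spelling evaluates depends on whether the NixOS submodule treats it as a freeform entry (tor itself matches option names case-insensitively), so writing `HiddenServiceSingleHopMode = true;` removes the ambiguity. `Sandbox = true` is worth keeping, but note it confines only the tor process: the nginx backend on `[::1]:8080` is plain HTTP reachable by any local process, which is fine on loopback but deserves a comment next to the `target` block rather than only the TODO about unix sockets.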