feat: init

modules/tor.nix

@@ -0,0 +1,45 @@
+# Tor hidden service — gives each machine a .onion address
+#
+# After first boot, find the .onion address:
+#   cat /var/lib/tor/onion/wiki/hostname
+#
+# Back up the private key! Losing it means losing the .onion address:
+#   /var/lib/tor/onion/wiki/hs_ed25519_secret_key
+#
+# The .onion address is a hash of this key — it's permanent as long as
+# the key exists. Both machines get different keys and different addresses.
+#
+# Traffic flow:
+#   Tor user → Tor network → local Tor daemon → localhost:8080 → Caddy → PHP-FPM
+#
+# No Cloudflare in the path, no TLS needed (.onion v3 is end-to-end encrypted),
+# no IP-based rate limiting possible (all traffic arrives from 127.0.0.1).
+{ config, pkgs, lib, ... }:
+{
+  services.tor = {
+    enable = true;
+    client.enable = false; # we're a server, not a client
+
+    relay.onionServices.wiki = {
+      version = 3;
+      map = [{
+        port = 80;
+        target = {
+          addr = "127.0.0.1";
+          port = 8080;
+        };
+      }];
+    };
+  };
+
+  # Tor needs outbound connectivity to join the network
+  # (already allowed — the firewall doesn't block outbound by default)
+
+  # Ensure the onion service directory is backed up
+  # The key files are in /var/lib/tor/onion/wiki/
+  # If using agenix to manage a pre-generated key for a stable .onion address:
+  #   1. Generate a key: tor --keygen (or use mkp224o for vanity addresses)
+  #   2. Encrypt with agenix: agenix -e secrets/tor-onion-key.age
+  #   3. Deploy to /var/lib/tor/onion/wiki/hs_ed25519_secret_key
+  # For now, Tor generates the key on first boot — just back it up.
+}