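# Tor hidden service — gives each machine a .onion address
#
# After first boot, find the .onion address:
#   cat /var/lib/tor/onion/wiki/hostname
#
# Back up the private key! Losing it means losing the .onion address:
#   /var/lib/tor/onion/wiki/hs_ed25519_secret_key
#
# The .onion address is a hash of this key — it's permanent as long as
# the key exists. Both machines get different keys and different addresses.
#
# Traffic flow:
#   Tor user → Tor network → local Tor daemon → localhost:8080 → Caddy → PHP-FPM
#
# No Cloudflare in the path, no TLS needed (.onion v3 is end-to-end encrypted),
# no IP-based rate limiting possible (all traffic arrives from 127.0.0.1).
# The only throttling the service can ask for is Tor's own introduction-point
# DoS defense (enabled below): the introduction points rate-limit INTRODUCE2
# cells for this service before a rendezvous circuit ever reaches this host.
{ config, pkgs, lib, ... }:

{
  services.tor = {
    enable = true;
    client.enable = false; # we're a server, not a client

    relay.onionServices.wiki = {
      version = 3;

      # Virtual port 80 on the .onion is forwarded by the local Tor daemon to
      # 127.0.0.1:8080. The listener on that port (Caddy, per the comment
      # above) is configured elsewhere — this module does not start it.
      map = [{
        port = 80;
        target = {
          addr = "127.0.0.1";
          port = 8080;
        };
      }];

      settings = {
        # Tor-side rate limiting at the introduction points. Tor's built-in
        # rate/burst defaults apply; tune them with the sibling
        # HiddenServiceEnableIntroDoSRatePerSec / ...BurstPerSec settings
        # if the defaults turn out to be too tight or too loose for the wiki.
        HiddenServiceEnableIntroDoSDefense = true;
      };
    };
  };

  # Tor needs outbound connectivity to join the network
  # (already allowed — the firewall doesn't block outbound by default)

  # Ensure the onion service directory is backed up
  # The key files are in /var/lib/tor/onion/wiki/
  # Only root (the tor service's state directory) should be able to read
  # them; whoever holds hs_ed25519_secret_key can impersonate the .onion.

  # If using agenix to manage a pre-generated key for a stable .onion address:
  # 1. Generate a key: tor --keygen (or use mkp224o for vanity addresses)
  # 2. Encrypt with agenix: agenix -e secrets/tor-onion-key.age
  # 3. Deploy to /var/lib/tor/onion/wiki/hs_ed25519_secret_key
  #    NOTE(review): the NixOS module also exposes
  #    services.tor.relay.onionServices.wiki.secretKey for pointing Tor at a
  #    decrypted key path — check the option docs for the nixpkgs revision in
  #    use before relying on it.
  # For now, Tor generates the key on first boot — just back it up.
}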