# Tor hidden service — gives each machine a .onion address
#
# After first boot, find the .onion address:
# cat /var/lib/tor/onion/wiki/hostname
#
# Back up the private key! Losing it means losing the .onion address:
# /var/lib/tor/onion/wiki/hs_ed25519_secret_key
# Treat the backup like the address itself: whoever holds this key can
# stand up an identical .onion and impersonate the wiki, so encrypt it at
# rest and keep it out of plain-text backup sets.
#
# The .onion address is a hash of this key — it's permanent as long as
# the key exists. Both machines get different keys and different addresses.
#
# Traffic flow:
# Tor user → Tor network → local Tor daemon → localhost:8080 → Caddy → PHP-FPM
#
# No Cloudflare in the path, no TLS needed (.onion v3 is end-to-end encrypted),
# no IP-based rate limiting possible (all traffic arrives from 127.0.0.1).
# Consequences for the Caddy/PHP side:
# - any abuse throttling has to key on something other than the source IP
#   (session, account, request cost); Tor itself can cap streams per
#   rendezvous circuit (HiddenServiceMaxStreams) and enable intro-point DoS
#   defence (HiddenServiceEnableIntroDoSDefense) — neither is set here;
#   confirm the NixOS option path for this module before adding them.
# - the site served on :8080 must not leak the clearnet hostname or public
#   IP (redirects, absolute URLs, Server/Via headers, error pages), or the
#   onion service deanonymises the host that runs it.
{ config, pkgs, lib, ... }:

{
  services.tor.enable = true;
  # We're a server, not a client: no SOCKS port is wanted, only the daemon
  # that publishes the descriptor and accepts rendezvous circuits.
  services.tor.client.enable = false;

  services.tor.relay.onionServices.wiki = {
    version = 3;
    # Virtual port 80 on the .onion maps to Caddy on the loopback interface;
    # nothing outside this host can reach :8080 directly.
    map = [
      {
        port = 80;
        target.addr = "127.0.0.1";
        target.port = 8080;
      }
    ];
  };

  # Tor needs outbound connectivity to join the network
  # (already allowed — the firewall doesn't block outbound by default)

  # Ensure the onion service directory is backed up
  # The key files are in /var/lib/tor/onion/wiki/
  # If using agenix to manage a pre-generated key for a stable .onion address:
  # 1. Generate a key: tor --keygen (or use mkp224o for vanity addresses)
  # 2. Encrypt with agenix: agenix -e secrets/tor-onion-key.age
  # 3. Deploy to /var/lib/tor/onion/wiki/hs_ed25519_secret_key
  #    The deployed file must be owned by the tor user, mode 0600, inside a
  #    directory only that user can read — Tor rejects a HiddenServiceDir
  #    that is group- or world-accessible. agenix's default target lives
  #    under /run/agenix, so set owner, mode and path explicitly.
  # For now, Tor generates the key on first boot — just back it up.
}