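{ pkgs, lib, ... }:
with lib;
let
  # Service name; doubles as the directory name under both the secrets tree
  # and tor's onion-service directory.
  name = "bgt_cyberwar_hidden_service";
  # Secrets root is taken from the <secrets> NIX_PATH entry.
  sec = (toString <secrets>) + "/";
  # Pre-generated onion key material (hostname file, keys) for this service.
  secdir = sec + name;
  srvdir = "/var/lib/tor/onion/";
  basedir = srvdir + name;
  # builtins.readFile keeps any trailing newline present in the hostname
  # file; strip it so the nginx vhost name is the bare onion hostname.
  hn = removeSuffix "\n" (builtins.readFile (secdir + "/hostname"));
in
{
  # One-shot unit that seeds the onion-service directory from <secrets>
  # before tor starts, so the existing hostname/keys are reused.
  systemd.services.prepare-hidden-service = {
    wantedBy = [ "local-fs.target" ];
    before = [ "tor.service" ];
    serviceConfig = {
      ExecStart = pkgs.writeScript "prepare-euer-blog-service" ''
        #!/bin/sh
        set -euf
        # Seed only once: an existing directory is left untouched.
        if ! test -d "${basedir}" ;then
          mkdir -p "${srvdir}"
          cp -r "${secdir}" "${srvdir}"
          # Restrict the copied key material to the tor user.
          chown -R tor:tor "${srvdir}"
          chmod -R 700 "${basedir}"
        else
          echo "not overwriting ${basedir}"
        fi
      '';
      Type = "oneshot";
      RemainAfterExit = "yes";
      TimeoutSec = "0";
    };
  };

  # nginx vhost for the onion hostname, reverse-proxying to the clearnet blog.
  services.nginx.virtualHosts."${hn}".locations."/" = {
    proxyPass = "https://blog.binaergewitter.de";
    extraConfig = ''
      proxy_set_header Host blog.binaergewitter.de;
      proxy_ssl_server_name on;
    '';
  };

  services.tor = {
    enable = true;
    # Expose port 80 of the onion service (served by the local nginx vhost).
    hiddenServices."${name}".map = [
      { port = 80; }
      # { port = 443; toHost = "blog.binaergewitter.de"; }
    ];
  };
}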