2 files changed, 64 insertions, 0 deletions

diff --git a/adonis/tor/default.nix b/adonis/tor/default.nix
new file mode 100644
index 0000000..7fcf2b4
--- /dev/null
+++ b/adonis/tor/default.nix
@@ -0,0 +1,45 @@
+{config, ...}: let
+  owner = config.customOps.owner.username;
+  domain = config.customOps.domain.fqdn;
+in {
+  imports = [./snowflake.nix];
+
+  services.tor = {
+    enable = true;
+    openFirewall = true;
+    enableGeoIP = false;
+    torsocks.enable = true;
+    client.enable = true;
+
+    relay = {
+      enable = true;
+      role = "relay";
+    };
+
+    settings = {
+      Nickname = "${owner}";
+      ContactInfo = "admin.tor@${domain}";
+
+      ExitRelay = false;
+
+      MaxAdvertisedBandwidth = "100 MB";
+      BandWidthRate = "100 MB";
+      RelayBandwidthRate = "100 MB";
+      RelayBandwidthBurst = "100 MB";
+
+      CookieAuthentication = true;
+      AvoidDiskWrites = 1;
+      HardwareAccel = 0;
+      SafeLogging = 1;
+      NumCPUs = 4;
+
+      ORPort = [
+        9001
+        {
+          addr = "[2a0a:4cc0:c1:cf00::10]";
+          port = 9030;
+        }
+      ];
+    };
+  };
+}
diff --git a/adonis/tor/snowflake.nix b/adonis/tor/snowflake.nix
new file mode 100644
index 0000000..5a1c4bb
--- /dev/null
+++ b/adonis/tor/snowflake.nix
@@ -0,0 +1,19 @@
+{config, ...}: let
+  torDomain = "tor.${config.customOps.domain.fqdn}";
+in {
+  services.snowflake-proxy = {
+    enable = true;
+    capacity = 20;
+    extraFlags = ["-metrics"];
+  };
+
+  services.nginx.virtualHosts.${torDomain} = {
+    root = "/var/www/${torDomain}";
+    forceSSL = true;
+    enableACME = true;
+    locations."~ \\.php$".extraConfig = ''
+      fastcgi_pass  unix:${config.services.phpfpm.pools.mypool.socket};
+      fastcgi_index index.php;
+    '';
+  };
+}