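# NixOS module: publishes a Tor onion service on the clearnet host
# buchborgen.sbruder.xyz behind TLS, HTTP basic auth and an nginx cache.
#
# Data path: client -> nginx (TLS + basic auth + cache) -> socat on
# 127.0.0.1:3003 -> Tor SOCKS proxy on 127.0.0.1:9050 -> onion service, port 80.
{ pkgs, ... }:
let
  # Onion address of the upstream. Used both as the SOCKS4A destination and
  # as the Host header nginx sends upstream.
  hiddenService = "kx5thpx2olielkihfyo4jgjqfb7zx7wxr3sd4xzt26ochei4m6f7tayd.onion";
in
{
  # Tor client mode supplies the local SOCKS listener that the socat unit
  # below reaches via socksport=9050.
  services.tor = {
    enable = true;
    client.enable = true;
  };

  # nginx cannot speak SOCKS to an upstream itself, so socat bridges a plain
  # loopback TCP port to the onion service through Tor.
  systemd.services."socat-trantor" = {
    # socat dials the SOCKS port per incoming connection; ordering after
    # tor.service avoids refused connections during boot.
    after = [ "network.target" "tor.service" ];
    wants = [ "tor.service" ];
    # The nginx unit is nginx.service. The previous "nginx.target" names a
    # unit that does not exist, so that ordering constraint had no effect.
    before = [ "nginx.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # Run as a transient unprivileged user; the relay needs no persistent
      # state or identity.
      DynamicUser = true;
      # bind=127.0.0.1 keeps the listener off external interfaces. SOCKS4A
      # passes the .onion name to Tor instead of resolving it locally.
      # NOTE(review): the loopback port itself is unauthenticated, so any
      # local process can reach the upstream without going through nginx
      # basic auth. Acceptable only if local users are trusted.
      ExecStart = "${pkgs.socat}/bin/socat tcp4-LISTEN:3003,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:${hiddenService}:80,socksport=9050";
      Restart = "on-failure";
    };
  };

  services.nginx = {
    # On-disk response cache for the slow Tor upstream: 10 MiB key zone,
    # at most 200 MiB of data, entries dropped after 3600 minutes unused.
    appendHttpConfig = ''
      proxy_cache_path /var/cache/nginx/trantor levels=1:2 keys_zone=trantor:10m max_size=200m inactive=3600m use_temp_path=off;
    '';

    virtualHosts."buchborgen.sbruder.xyz" = {
      enableACME = true;
      forceSSL = true;
      # The credentials file sits outside the Nix store and is not created
      # by this module; it must be provisioned separately and be readable by
      # the nginx user.
      basicAuthFile = "/etc/nginx/trantor.htpasswd";
      locations."/" = {
        # Authorization is blanked so the basic-auth credentials checked by
        # nginx are never forwarded to the onion service. Host is rewritten
        # to the onion address the upstream expects.
        # No proxy_cache_key is set here, so cached responses are shared
        # between all authenticated users, and "any 1h" also caches error
        # responses from the upstream for an hour.
        extraConfig = ''
          proxy_set_header Authorization "";
          proxy_set_header Host "${hiddenService}";
          proxy_cache trantor;
          proxy_cache_valid any 1h;
          proxy_pass http://127.0.0.1:3003;
        '';
      };
    };
  };
}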