nixos-config/machines/renge/services/buchborgen.nix

{ pkgs, ... }:
let
  hiddenService = "kx5thpx2olielkihfyo4jgjqfb7zx7wxr3sd4xzt26ochei4m6f7tayd.onion";
in
{
  services.tor = {
    enable = true;
    client.enable = true;
  };
  systemd.services."socat-trantor" = {
    after = [ "network.target" ];
    before = [ "nginx.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      DynamicUser = true;
      ExecStart = "${pkgs.socat}/bin/socat tcp4-LISTEN:3003,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:${hiddenService}:80,socksport=9050";
      Restart = "on-failure";
    };
  };

  services.nginx = {
    appendHttpConfig = ''
      proxy_cache_path /var/cache/nginx/trantor levels=1:2 keys_zone=trantor:10m max_size=200m inactive=3600m use_temp_path=off;
    '';
    virtualHosts."buchborgen.sbruder.xyz" = {
      enableACME = true;
      forceSSL = true;

      basicAuthFile = "/etc/nginx/trantor.htpasswd";

      locations."/" = {
        extraConfig = ''
          proxy_set_header Authorization "";
          proxy_set_header Host "${hiddenService}";
          proxy_cache trantor;
          proxy_cache_valid any 1h;
          proxy_pass http://127.0.0.1:3003;
        '';
      };
    };
  };
}