From 804cafad279dccc8b6fb2bb95304612525ee22e2 Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Wed, 11 Feb 2026 18:57:53 -0600
Subject: [PATCH] feat: deployed application to tor
---
_includes/base.njk | 6 +++++
assets/onion-icon.svg | 6 +++++
nix/configuration.nix | 34 ++++++++++++++++++++++++-
nix/module.nix | 59 ++++++++++++++++++++++++++++++++++---------
4 files changed, 92 insertions(+), 13 deletions(-)
create mode 100644 assets/onion-icon.svg
diff --git a/_includes/base.njk b/_includes/base.njk
index bdd4892..88af7a7 100644
--- a/_includes/base.njk
+++ b/_includes/base.njk
@@ -83,6 +83,12 @@
source + + + Tor Onion Logo + + onion mirror + © {{ page.date.getFullYear() }} Volpe
diff --git a/assets/onion-icon.svg b/assets/onion-icon.svg
new file mode 100644
index 0000000..5b8ca60
--- /dev/null
+++ b/assets/onion-icon.svg
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/nix/configuration.nix b/nix/configuration.nix
index 8ec82a3..e499384 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -35,8 +35,40 @@
 services.volpe = {
 enable = true;
 domain = "blog.jan-leila.com";
- extraDomains = ["volpe.jan-leila.com"];
+ extraDomains = [
+ "volpe.jan-leila.com"
+ "2ggpzgonqsll5gi56u47aywu4qyl37eiu5jjrq7ma43z77ekkwuqxmid.onion"
+ ];
 enableACME = true;
 acmeEmail = "leyla@jan-leila.com";
 };
+
+ services.tor = {
+ enable = true;
+ enableGeoIP = false;
+ relay.onionServices = {
+ volpe = {
+ version = 3;
+ map = [
+ {
+ port = 80;
+ target = {
+ addr = "[::1]";
+ port = 80;
+ };
+ }
+ ];
+ };
+ };
+ settings = {
+ ClientUseIPv4 = true;
+ ClientUseIPv6 = true;
+ ClientPreferIPv6ORPort = true;
+ };
+ };
+
+ services.snowflake-proxy = {
+ enable = true;
+ capacity = 100;
+ };
 }
diff --git a/nix/module.nix b/nix/module.nix
index 796dc2d..0e780e2 100644
--- a/nix/module.nix
+++ b/nix/module.nix
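Review bot: In nix/configuration.nix the onion address is hard-coded in `extraDomains`, but nothing in this hunk pins the service key it is derived from, so the two can drift apart. As far as the visible config shows, Tor generates or reuses the key in its own state directory; if that state is lost on a rebuild, the address changes while nginx and the footer link keep the old one. Consider provisioning the key through `services.tor.relay.onionServices.volpe.secretKey` from a runtime secrets path (not the world-readable Nix store), or at least add a comment above the entry such as `# derived from the key in Tor's state dir; back that key up`. The `services.snowflake-proxy` block is unrelated to the onion mirror and would be easier to review and revert as its own commit.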
@@ -6,21 +6,27 @@ }: let cfg = config.services.volpe; - mkPkg = domain: + isOnion = domain: lib.hasSuffix ".onion" domain; + + mkPkg = domain: let + protocol = + if isOnion domain + then "http" + else "https"; + in pkgs.callPackage ./package.nix { - siteUrl = "https://${domain}"; + siteUrl = "${protocol}://${domain}"; }; allDomains = [cfg.domain] ++ cfg.extraDomains; + regularDomains = lib.filter (d: !(isOnion d)) allDomains; + onionDomains = lib.filter isOnion cfg.extraDomains; - mkVirtualHost = domain: { + mkHost = domain: { root = "${mkPkg domain}"; - forceSSL = cfg.enableACME; - enableACME = cfg.enableACME; locations."/" = { tryFiles = "$uri $uri/ /index.html"; }; - # Cache static assets (CSS, JS, images) for 1 year with immutable locations."~* \\.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$" = { extraConfig = '' expires 1y; @@ -29,6 +35,28 @@ ''; }; }; + + mkVirtualHost = domain: + { + forceSSL = cfg.enableACME; + enableACME = cfg.enableACME; + } + // (mkHost domain); + + mkOnionVirtualHost = domain: + { + listen = [ + { + addr = "[::1]"; + port = 80; + } + { + addr = "127.0.0.1"; + port = 80; + } + ]; + } + // (mkHost domain); in { options.services.volpe = { enable = lib.mkEnableOption "volpe blog"; @@ -64,13 +92,20 @@ in { recommendedOptimisation = true; recommendedGzipSettings = true; recommendedProxySettings = true; + serverNamesHashBucketSize = 128; - # Create a virtualHost for each domain - virtualHosts = lib.listToAttrs (map (domain: { - name = domain; - value = mkVirtualHost domain; - }) - allDomains); + virtualHosts = lib.listToAttrs ( + (map (domain: { + name = domain; + value = mkVirtualHost domain; + }) + regularDomains) + ++ (map (domain: { + name = domain; + value = mkOnionVirtualHost domain; + }) + onionDomains) + ); }; security.acme = lib.mkIf cfg.enableACME {
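Review bot: In the first nix/module.nix hunk, `onionDomains` filters only `cfg.extraDomains` while `regularDomains` filters `allDomains`, so a `.onion` value in `cfg.domain` is dropped from both lists and silently gets no virtual host. Use the same source for both, `onionDomains = lib.filter isOnion allDomains;`, so the `virtualHosts` expression in the last hunk covers every configured name. The hunk also drops the `# Cache static assets (CSS, JS, images) for 1 year with immutable` comment without replacing it; keeping it in `mkHost` costs nothing. The `mkHost` body continues past the end of this hunk.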
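Review bot: `mkOnionVirtualHost` hard-codes the loopback listeners `[::1]:80` and `127.0.0.1:80`, which must match the `target` of the Tor `map` entry in nix/configuration.nix, yet nothing ties the two together or says so. Binding the onion host to loopback only looks deliberate and should keep the `.onion` server name off the public listeners; record that with a comment such as `# loopback only: reached via the local Tor daemon, must match the onion service target`. A module option for the onion listen address and port would remove the duplication. In both `mkVirtualHost` and `mkOnionVirtualHost`, `{ … } // (mkHost domain)` lets `mkHost` win on any future key clash, so `mkHost domain // { … }` is the safer order for an override.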
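Review bot: `serverNamesHashBucketSize = 128;` is added with no explanation and applies whether or not an onion domain is configured. A short comment such as `# 62-character v3 onion names need a larger server_names_hash_bucket_size` would stop a later cleanup from removing it; this assumes the onion name is the reason, which the commit does not state. `security.acme` opens on the last line of this hunk and its body is outside it. If that body enumerates domains, it should use `regularDomains`, since a `.onion` name will generally fail ordinary ACME HTTP validation.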