rad:z254T5p17bdFPmzfDojsdjo4HjpoZ
Radicle Infrastructure as Code (NixOS, OpenTofu, …)
host/seed: Enable Tor Onion Service
Lorenz Leutgeb committed 10 months ago
commit 9b42e351364d836253af1ed54d67c02500dc990f
parent 7d6519c
3 files changed +62 -0
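--- a/os/host/seed/radicle.nix
+++ b/os/host/seed/radicle.nix
@@ -19,6 +19,7 @@
         alias = config.networking.fqdn;
         externalAddresses = [
           "${config.networking.fqdn}:8776"
+          "seedradanrg2oje34eyidx4z63gpuakgaedaetvt7xxw5whv6qnexmid.onion:8776"
         ];
         peers = {
           type = "dynamic";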
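Review bot: The hard-coded onion hostname added to `externalAddresses` is presumably derived from the key stored in `sops/tor_hs_ed25519_secret_key.bin.json`, and nothing visible ties the two together, so a key rotation would leave the node advertising a stale address. A comment above the entry would make the dependency explicit, e.g. `# Derived from sops/tor_hs_ed25519_secret_key.bin.json; regenerate when the key is rotated.` The enclosing attribute set starts and ends outside this hunk.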
added os/host/seed/sops/tor_hs_ed25519_secret_key.bin.json
@@ -0,0 +1,27 @@
+
{
+
	"data": "ENC[AES256_GCM,data:D/cXb6sOPsORZM/Zsdk5FfRBRhHGD/SGaezAoVpVl/5lolA7AMaqSCqy4Qz4F81SIqN1hjUIxUIdlGXNVs1640zmI/s8PzyWGg/M5KDTtfTYq3b36L2woLx61k1Awue2,iv:mUiXQYno3B3hISYGHFMN9nqPQcLkpoxEI7LkVSBsmgw=,tag:D81gC3RnwNtlR9crZXQ77Q==,type:str]",
+
	"sops": {
+
		"age": [
+
			{
+
				"recipient": "age1c0g6s6daxy79dlm9uqczwlkh0hvjpghw5h8zzljc3vs275rvvqus30hv9l",
+
				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTS8zc21zMktFc2VHRGlx\naVp5R2JnMGhyUjBHbW8ycERhcWlsdFFxeVNZCjczRkc0QTduTWNZRnlxaGFEazFR\nTTN5QnpMTFdVdm9IUWlqalR2QXFKRXcKLS0tIDE2eVRtbm1wVGtWc3kvcnZwM0JU\nUXlQcUh0N25KMUJmUWpWLzh6cnorRnMK2343WqgXGCD0YnQPS0yY65m3MfofI4qj\nPlJ55ZMEUeM5mDkCoIyrucG55yfqgETA6EhQsHenA7R8NvNOqnWSAg==\n-----END AGE ENCRYPTED FILE-----\n"
+
			},
+
			{
+
				"recipient": "age15fd8ljdtzkphz3gf9ezpz58u5fhc7260h68nn32znn4m00ank45skd3luy",
+
				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDNStPM2dHaSs0ekVEVHp5\nNFM3Sy9rUktiV2Q2bUI5a201WEVHQXk3RUY4CjZYVnFUdnBCQnkvdU9JV0NNM0Zm\nS2haeHY2Sld1UGh3dWtrNDUwZXNGY28KLS0tIHh2bDVtVTBsMno0RGpuOXhnS2pv\nVWlqTE85Tzk2OXpLRVdOWXh6YXUra3MKsmotAB7ZzUEhHrnw7ArvFaZETU7NMZ1s\nqAlJuc5aDRJ5UFGRFhUUIeGcnpUHFItRbvlAinatBQRKx93aWVsVBQ==\n-----END AGE ENCRYPTED FILE-----\n"
+
			},
+
			{
+
				"recipient": "age1kygyyrr6m43lgmy8pq57nc0jfmzr38uv8p5udg956p39ghs4qvnsdzs6nm",
+
				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTW1KclQ0SDlEZzdsb0ow\nVkIyYTFsWTZwOUpvNkJxYkczREt0bUVlZTBFCmhsNC9iZEdjaDNYL0tYOTZmc1l4\ndGJEbDRDTzVyQkNyL1hLTDZYSDRwUGMKLS0tIElQV01RRmFSaU9FT1Y5WGFoV2Iv\nQ0Jlb0hUdkJOUys2cGZxMWJMQjZNeHcKeuteT806HhwPE9aZF2CdILD+71foI8SC\n+uyGazxIQ917W/C0x60t4CrSSJdsCcEA2TKdw+v0vYfkQ1Rzdy3F4A==\n-----END AGE ENCRYPTED FILE-----\n"
+
			},
+
			{
+
				"recipient": "age1jemy54kqt4xgglg5f3g3sda5tndsqhjynvdugpy0yknefnw69u7qwymfj4",
+
				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhcU04bFVhQWphM0hXblNR\nRk1YOVlYYmVGTGVtSzJqVGZpYS9OY0duNjMwCjZ6a001bUlPakpyd3FXQ3R3VHk5\nT3dTeW9NaUhQVE5uQmFjZXJmTDh0SWMKLS0tIHUwbkY4RnJiUnFVbjNFbjF3bElx\nMnY2TjFXUUNoVHNIaE9tUHFJQXRZaTgK70bsEg5J4J83O57wBOSnAZr61iuIAnLA\nrdp7hd3+qZlGEVqznKa3OVXoOTqBABZCXJEptiGXwVN520+7mirHdw==\n-----END AGE ENCRYPTED FILE-----\n"
+
			}
+
		],
+
		"lastmodified": "2025-06-16T14:35:25Z",
+
		"mac": "ENC[AES256_GCM,data:AmaR8zuJzLuKSc58awn4A4oVi0mzWs9pATfK5xztix9CeBW7H8vWphTYXMLdyYGZMSmVXlDTRli2yEDpZf9sRRD9JDfL5Bf+pMGKfMqLyoFvGkZGbrOn7YqhHusHSZgQsECe2nFjsEYm5MEQ4CJjcoUtM9mn/EltBsqprbohyEA=,iv:8QEyiTaN1WoOADJEOXeai3vxTK6xLhduxdZKZtfr0yw=,tag:2EXpIi+lSWsw7N6pQnZy1A==,type:str]",
+
		"unencrypted_suffix": "_unencrypted",
+
		"version": "3.10.2"
+
	}
+
}
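--- a/os/host/seed/tor.nix
+++ b/os/host/seed/tor.nix
@@ -1,6 +1,40 @@
 {
+  config,
+  lib,
+  ...
+}: let
+  secret = "tor/hs_ed25519_secret_key";
+in {
+  sops.secrets.${secret} = {
+    sopsFile = ./sops/tor_hs_ed25519_secret_key.bin.json;
+    format = "binary";
+  };
+
   services.tor = {
     enable = true;
     client.enable = true;
+
+    enableGeoIP = false;
+    openFirewall = true;
+
+    relay = {
+      role = "private-bridge";
+      onionServices = {
+        "radicle" = {
+          map = [
+            {port = 8776;}
+          ];
+          secretKey = config.sops.secrets.${secret}.path;
+        };
+      };
+    };
+
+    settings = {
+      Nickname = config.networking.hostName;
+      ContactInfo = "team@${config.networking.domain}";
+      ClientUseIPv6 = true;
+      ORPort = 9001;
+      DirPort = 9030;
+    };
   };
 }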
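Review bot: `openFirewall = true` together with `ORPort = 9001` and `DirPort = 9030` in `settings` exposes inbound relay listeners that an onion service does not need, since an onion service only makes outbound connections. `relay.role = "private-bridge"` is set but no `relay.enable` is visible in this hunk; if the nixpkgs module applies the role only when the relay is enabled (worth confirming), tor would presumably see a bare `ORPort` and run as an ordinary published relay, with `Nickname` and `ContactInfo` in its descriptor, rather than as an unlisted bridge. If only the onion service is intended, I would drop `openFirewall`, `ORPort`, `DirPort` and `role`. If a bridge is intended, set `relay.enable = true;` explicitly and add a comment such as `# Bridge shares the tor instance with the seed's onion service; the seed is already public at its FQDN.` Separately, `lib` is added to the argument set but is not used in the visible code.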