3 files changed, 43 insertions, 4 deletions

diff --git a/static/files/articles/site-backend/pablotron.onion.conf.txt b/static/files/articles/site-backend/pablotron.onion.conf.txt
new file mode 100644
index 0000000..9c80ede
--- /dev/null
+++ b/static/files/articles/site-backend/pablotron.onion.conf.txt
@@ -0,0 +1,40 @@
+server {
+  listen unix:/var/run/tor/pablotron.sock;
+  server_name pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion;
+  root /store/www/pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/htdocs;
+  index index.html;
+  access_log /var/log/nginx/pablotron-access.log;
+
+  # enable compression, compress common types
+  gzip on;
+  gzip_types text/html text/plain text/xml text/css text/javascript application/x-javascript text/csv application/json text/json image/svg+xml;
+
+  # security headers (see comments in apache config)
+  add_header "X-Frame-Options" "SAMEORIGIN";
+  add_header "X-Content-Type-Options" "nosniff";
+  add_header "Cross-Origin-Opener-Policy" "same-origin";
+  add_header "Cross-Origin-Resource-Policy" "same-origin";
+  add_header "Access-Control-Allow-Origin" "http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion";
+  add_header "Referrer-Policy" "strict-origin-when-cross-origin";
+  add_header "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()";
+
+  # different from apache; POST method not needed
+  add_header "Access-Control-Allow-Methods" "GET, HEAD, OPTIONS";
+
+  location ~ \.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$ {
+    # cache images, stylesheets, and javascript for 1 year
+    # note: caching makes a BIG difference when browsing via tor
+    expires 1y;
+  }
+
+  location ~ \.svg$ {
+    # relax Content-Security-Policy for SVGs to allow
+    # `style-src-attr 'unsafe-inline'`
+    add_header "Content-Security-Policy" "default-src 'self'; img-src 'self'; style-src-attr 'self' 'unsafe-inline'";
+  }
+
+  location ^~ \.svg$ {
+    # default Content-Security-Policy
+    add_header "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org";
+  }
+}
diff --git a/static/files/articles/site-backend/pablotron.org.conf.txt b/static/files/articles/site-backend/pablotron.org.conf.txt
index 97a60d2..59ef28c 100644
--- a/static/files/articles/site-backend/pablotron.org.conf.txt
+++ b/static/files/articles/site-backend/pablotron.org.conf.txt
@@ -30,6 +30,9 @@
   # POST needed for /hooks
   Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"
 
+  # expose tor onion service (2025-05-18)
+  Header set "Onion-Location" "http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion%{REQUEST_URI}s"
+
   # cache images, stylesheets, and javascript for 1 year
   <FilesMatch "\.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$">
     Header set Cache-Control "max-age=31536000, public"
diff --git a/static/files/articles/site-backend/webhook.conf.txt b/static/files/articles/site-backend/webhook.conf.txt
index 254155d..1243946 100644
--- a/static/files/articles/site-backend/webhook.conf.txt
+++ b/static/files/articles/site-backend/webhook.conf.txt
@@ -9,10 +9,6 @@
 
   "pass-environment-to-command": [{
     "source": "string",
-    "envname": "DEPLOY_HTDOCS_PATH",
-    "name": "/data/www/pablotron.org/builds/current"
-  }, {
-    "source": "string",
     "envname": "DEPLOY_REPO_DIR",
     "name": "/data/www/pablotron.org/git"
   }, {