diff --git a/config.toml b/config.toml
index 4e7826f..331a992 100644
--- a/config.toml
+++ b/config.toml
@@ -7,7 +7,7 @@ PygmentsCodeFences = true
PygmentsStyle = "monokai"
paginate = 20
-rssLimit = 60 # Maximum number of items in the RSS feed.
+rssLimit = 60 # Maximum number of items in the RSS feed.
copyright = "Contents are licensed under CC 4.0 unless specified otherwise.
Source code for this website is available at gitea.bgenc.net."
# googleAnalytics = ""
@@ -117,6 +117,9 @@ trademark = false
rss = true
copyright = true
author = false
+bottomText = [
+ "This website is available at bgenc.net, or as an onion service at bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion which you can view through the Tor browser.",
+]
topText = []
# bottomText = [
@@ -154,11 +157,11 @@ logoHomeLink = "/"
# url = ""
[params.portrait]
- path = "/img/profile.2022.12.jpeg"
- pathWebp = "/img/profile.2022.12.webp"
- pathAvif = "/img/profile.2022.12.avif"
- alt = "A picture of Kaan, wearing a beanie, in front of some shrubbery."
- maxWidth = "20rem"
+path = "/img/profile.2022.12.jpeg"
+pathWebp = "/img/profile.2022.12.webp"
+pathAvif = "/img/profile.2022.12.avif"
+alt = "A picture of Kaan, wearing a beanie, in front of some shrubbery."
+maxWidth = "20rem"
# Social icons
[[params.social]]
@@ -208,6 +211,3 @@ url = "posts/"
identifier = "portfolio"
name = "Portfolio"
url = "portfolio/"
-
-[gmnhg]
-baseUrl = "gemini://gemini.bgenc.net"
diff --git a/content/img/tor-censorship-snowflake-chart.webp b/content/img/tor-censorship-snowflake-chart.webp
new file mode 100644
index 0000000..9cf3c16
Binary files /dev/null and b/content/img/tor-censorship-snowflake-chart.webp differ
diff --git a/content/posts/2023.03.05.set-up-my-blog-as-onion-service.md b/content/posts/2023.03.05.set-up-my-blog-as-onion-service.md
new file mode 100644
index 0000000..9a6f163
--- /dev/null
+++ b/content/posts/2023.03.05.set-up-my-blog-as-onion-service.md
@@ -0,0 +1,96 @@
+---
+title: "Setting up my blog as an Onion service (Tor hidden service)"
+date: 2023-03-05T15:54:13-05:00
+toc: false
+images:
+---
+
+If you don't know about it, Tor is a software that helps online privacy and
+fights censorship using the Onion network. For example, [tens of thousands of people in Iran and Russia are using Tor through Tor's Snowflake proxies](https://blog.torproject.org/snowflake-daily-operations/) to get
+around government censorship and access vital information, as news organizations like the [BBC started offering access through Tor](https://www.wsj.com/articles/russia-rolls-down-internet-iron-curtain-but-gaps-remain-11647087321).
+As [online services are happy to turn over our data to the authorities](https://www.businessinsider.com/police-getting-help-social-media-to-prosecute-people-seeking-abortions-2023-2?op=1),
+it is crucial for Tor to exist so journalists, activists, whistle-blowers, and
+anyone living under oppressive regimes can access information and communicate freely.
+
+But there is really no reason for Tor to be used solely by people trying to
+avoid censorship or stay private. In fact, I think it is good for people to use
+Tor for other things, because this way Tor is not just a tool for "people with
+something to hide" but a tool that everyone uses. It's a bit like adding
+pronouns in your bio on social media: it's good when cis people put pronouns in
+their bios because otherwise just having your pronouns in your bio would
+immediately flag you as a trans or gender nonconforming person. Everyone else
+joining in gives security to those who really need it.
+
+## Setting up the Onion service
+
+My first step was to set up a Docker container to run Tor in.
+I put this container on DockerHub for others to use: [seriousbug/tor](https://hub.docker.com/repository/docker/seriousbug/tor/general).
+
+Next, I used [mkp224o](https://github.com/cathugger/mkp224o) to get a vanity
+address. Onion addresses are made out of long, random sequences like
+`xbbubmuxby...qd.onion`, but you can try to generate one that starts with a
+special prefix, for example DuckDuckGo has an Onion service that starts with
+"duckduckgo": `duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion`.
+Doing this is computationally expensive, but short prefixes are easy to
+generate. I wanted something that starts with `bgenc`, which only took a few
+seconds. I also tried `kaanbgenc` but gave up after waiting several minutes: the
+difficulty goes up exponentially the longer the prefix you want is, so 9
+characters would have likely taken months on my desktop.
+
+Next, I set up the configuration file for Tor. That looks like this:
+
+```
+Log notice stdout
+HiddenServiceDir /etc/tor/service
+HiddenServicePort 80 unix:/var/run/tor/bgenc.net.sock
+```
+
+I put the keys that `mkp224o` generated into a subfolder named `service` next to
+my Tor config. These are going to be mounted at `/etc/tor` in the Tor container.
+I then told Tor to look at `/var/run/tor/bgenc.net.sock`, where I'll be mounting
+my nginx unix socket at.
+
+And that reminds me, it's time to set up nginx! Under the `server` block that
+serves my website, I added my onion address as one of the host names:
+
+```
+server_name bgenc.net;
+server_name bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion;
+```
+
+Then, I added the listen directive to create and listen to that socket:
+
+```
+listen 443 ssl http2;
+listen unix:/var/run/nginx/bgenc.net.sock;
+```
+
+I'm using a unix socket here because my nginx is actually running on the base
+system without a container, while tor is in a container. So to allow Tor to
+connect to the nginx in the host, I would have had to allow the tor container to
+use the host network. But I can get around that with a Unix socket, because the
+socket can get mounted from the host into the container.
+
+Also mind that I'm not using SSL or http2 for the unix socket. There are very few
+SSL key services that support Tor, and it's not necessary anyway because the Tor
+network provides the same security guarantees to you already. I also found that
+`http2` does not work, though I'm not sure why.
+
+I finally added the tor container to a `docker-compose.yml` to make it easier to
+rebuild if needed. That looks like this:
+
+```yml
+ tor-hidden-service:
+ image: seriousbug/tor
+ restart: always
+ volumes:
+ - ./tor:/etc/tor
+ - /var/run/nginx:/var/run/tor
+```
+
+I also needed to make the tor directory with the configuration file and services
+owned by root, and use 700 as the file permission. Otherwise Tor refuses to start.
+
+Once all of this is set up, I restarted nginx and my Tor container. And that was about it!
+The website is now accessible through Tor! You can find it at [bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion](http://bgenc2iv62mumkhu2p564vxtao6ha7ihavmzwpetkmazgq6av7zvfwyd.onion/).
+
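Review bot: The paragraph near the end about root ownership and mode 700 presents the permissions only as something Tor requires in order to start, and the post never says that the `service` folder holds the private key for the onion address. Anyone who can read that folder can serve content under the same .onion name, and it is bind-mounted from `./tor` beside `docker-compose.yml`, so I would add a sentence such as `The service folder contains the private key for the onion address; keep it out of the site's git repository and out of unencrypted backups.` The SSL paragraph also claims more than the setup shows: Tor protects the path up to the Tor daemon, while the hop from Tor to nginx is plain HTTP over the socket in `/var/run/nginx`, and the compose file mounts that whole directory into the container. If other sockets live in that directory (not visible in this post), a directory dedicated to this one socket would narrow what the container can reach.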
diff --git a/themes/catafalque b/themes/catafalque
index 01bc449..083f35e 160000
--- a/themes/catafalque
+++ b/themes/catafalque
@@ -1 +1 @@
-Subproject commit 01bc4490d0750b37b31b18e56bc28ae68dd2b23f
+Subproject commit 083f35e878d741ee72d8d757ff094792ba6cae9e