Web on Nobody's Home

Named Tor Site

Mon, 11 May 2026 00:00:00 +0000

What’s the Point of This?

Recently, schools across the US were hit by a breach of the education software Canvas by the ShinyHunters. The group’s ransom note included an interesting .onion url:

Normally a .onion address is randomly generated characters with no meaning. The site’s name being tied to the keys generated when the node joins the network. However, ShinyHunters and the CIA have been able to generate custom TOR keys to at least get a partially human readable url.

Hugo Static Site Generator

Fri, 24 Apr 2026 00:00:00 +0000

Hugo Site Example:

Introduction

This guide is not all inclusive. RTFM. Hugo is a static site generator, converting your .md text files, and a chosen theme into a modern looking website (like this one). There are a staggering number of themes to give you the look and feel that your site needs.

Everything Up Front

It all starts with the hugo.yaml file (you can use .toml too, but that’s beyond my expertise, consult the hugo documentation). Here is the configuration for this site:

AdGuardHome

Sat, 14 Mar 2026 00:00:00 +0000

References

AdGuardHome Download AdGuardHome Fix systemd-resolved

Why AdGuardHome?

AdGuard has become a key service in my homelab. I’m so used to having ads blocked across my network, it’s a surprise loading a site away from home and seeing the broken hellscape of ads everywhere. Get a network level adblocker and learn how to use it. The less tech savvy folks in your home will thank you.

Installation

Download the latest version of AdGuardHome
Extract using tar -xf AdGuardHome_linux_amd64.tar.gz
Move the folder to the destination: mv AdGuardHome [DESTINATION]
- Fedora: /usr/local/bin/
- Ubuntu: /opt/
Install using sudo ./AdGuardHome -s install
Set up your account at http://ADGUARD-SERVER:3000
Set your router’s DNS server to point at your AdGuardHome server (steps will vary by router)
Set your AdGuard
- Block Lists
- Upstream Providers
- DNS Rewrites
- Allow Lists
- Custom Rules
- Back up you AdGuardHome.yaml

Deploy with Docker Compose:

services:
  adguardhome:
    image: adguard/adguardhome
    container_name: adguardhome
    volumes:
	    #place AdGuardHome.yaml here if you already have a configured instance
      - [map to your /conf directory]:/opt/adguardhome/conf 
      - [map to your /work directory]:/opt/adguardhome/work
    deploy: 
      mode: global
    ports:
      - "53:53/udp"  # <Host Port>:<Container Port>
      - "53:53/tcp"
      - "67:67/udp"
#      - "68:68/udp"
      - "80:80/tcp"
      - "443:443/tcp"
      - "443:443/udp"
      - "3000:3000/tcp"
      - "853:853/tcp"
      - "853:853/udp"
      - "8853:8853/udp"
      - "784:784/udp"
      - "5443:5443/tcp"
      - "5443:5443/udp"
    restart: unless-stopped

Troubleshooting

Systemd-Resolved

Reference: Fix systemd-resolved Us these steps when systemd is using port 53:

Tor Site

Sat, 13 Dec 2025 00:00:00 +0000

Directory Setup

Set up the files and directories:

mkdir -p tor-site/keys tor-site/html tor-site/logs
touch tor-site/torrc

Set permissions:

chmod 700 tor-site/keys 
chmod 600 tor-site/logs
sudo chown root:root tor-site/keys tor-site/logs

Content Setup

Add the files for your website into the tor-site/html folder: example:

<!DOCTYPE html>
<html>
<body>
    <h1>Hello from the Onion Router!</h1>
    <p>This site is hosted inside Docker.</p>
</body>
</html>

Docker Setup

[[Install Docker]] Docker Compose File compose.yaml

services:
  nginx:
    container_name: nginx
    image: nginx
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - ./html:/usr/share/nginx/html:ro
      - ./logs:/var/log/nginx
    networks:
      - tor_network
  tor:
    container_name: tor
    volumes:
      - ./torrc:/etc/tor/torrc:ro
      - ./keys:/var/lib/tor/hidden_service/
    image: alpine:latest
    entrypoint: sh -c "apk add --no-cache tor && tor -f /etc/tor/torrc"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    networks:
      - tor_network
    depends_on:
      - nginx

networks:
  tor_network:

nginx is the name of your web server container - this is important for the torrc file.
:ro sets the volume to read only
networks: tor_network means all the traffic stays inside the tor network
security_opt: - no-new-privileges:true prevents the user from running as root through setuid or setgid
cap_drop: -All removes all default Linux capabilities granted to a container
cap_add: - NET_BIND_SERVICE will allow tor to work with only the necessary capabilities
networks ensures that all traffic stays inside the docker network with a custom bridge tor_network to access the tor relays See Docker Permissions

Create `torrc`:

# Standard Tor config
DataDirectory /var/lib/tor

# Define the Hidden Service
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 nginx:80

note: the name nginx should be the same as you name your web server container in the compose.yaml (see [[#Docker Setup]]).

Notes:

Did you know you can make a custom tor site name? See the Named Tor Site.
The docker service setup: Dockhand Portainer


services:
  nginx:
    container_name: nginx
    image: nginx
    volumes:
      - /home/mechanicus/code/tor-site/html:/usr/share/nginx/html:ro
      - /home/mechanicus/code/tor-site/logs:/var/log/nginx
    networks:
      - tor_network
    deploy: 
      mode: replicated
      replicas: 1
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "label=shepherd.autodeploy=true"
  tor:
    container_name: tor
    volumes:
      - /home/mechanicus/code/tor-site/torrc:/etc/tor/torrc:ro
      - /home/mechanicus/code/tor-site/keys:/var/lib/tor/hidden_service/
    image: alpine:latest
    entrypoint: sh -c "apk add --no-cache tor && tor -f /etc/tor/torrc"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    networks:
      - tor_network
    depends_on:
      - nginx
    deploy: 
      mode: replicated
      replicas: 1
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "label=shepherd.autodeploy=true"

networks:
  tor_network:

Cloudflare Tunnel

Thu, 04 Jul 2024 00:00:00 +0000

Links

dash.cloudflare.com one.dash.cloudflare.com

Installing the service

Ubuntu

curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && 

sudo dpkg -i cloudflared.deb && 

sudo cloudflared service install [TUNNEL KEY]

Red Hat

curl -L --output cloudflared.rpm https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm && 

sudo yum localinstall -y cloudflared.rpm && 

sudo cloudflared service install [TUNNEL KEY]

Docker

docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token [TUNNEL KEY]

Docker Compose

version: "3.8"

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel run
    network_mode: host
    environment:
      - "TUNNEL_TOKEN=[TUNNEL KEY]"
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

Cloudflare as a Docker Sidecar

Cloudflare can serve ports from other docker containers without actually exposing the container ports on the host device. See the compose example below: