Static Site Generators for Tor Hidden Services: Hugo and Jekyll

Static site generators (SSGs) pre-build all pages as HTML files. Nginx serves these files with sub-millisecond processing time. Combined with Tor's 200-500ms circuit latency, static sites provide the minimum achievable total load time. Dynamic sites add 100-2000ms of application processing on top of circuit latency. For content-focused hidden services (news sites, documentation, wikis, blogs), SSGs eliminate application servers, databases, and runtime vulnerabilities. The entire site is HTML+CSS files with no executable code on the server. This dramatically reduces the attack surface - a static Nginx server serving HTML has far fewer vulnerabilities than a WordPress or Django installation.

Hugo requires configuration of the base URL to the .onion address for absolute URL generation. In config.toml: baseURL = 'http://youronionaddress.onion/'. Hugo generates all internal links using this base URL. Use hugo --baseURL='http://youronionaddress.onion/' for build to ensure all assets reference the .onion address. Enable minification in Hugo config (minify.minifyOutput = true) to reduce page weight. Disable Google Analytics and other clearnet external resources in themes. Replace CDN-served fonts with self-hosted font files. Review the theme for any external resource references (analytics scripts, CDN libraries) and replace with local copies or remove.

Jekyll configuration in _config.yml: url: 'http://youronionaddress.onion'. Run bundle exec jekyll build for production builds. Install jekyll-minifier for output minification. Review _includes/ and _layouts/ for external resource references - replace Google Fonts with @font-face from locally hosted files, replace CDN JavaScript with local copies, remove analytics tracking code. Jekyll's _data/ files provide a good place to store content that changes frequently (press releases, updates) without rebuilding the entire site. Automated deployment via Git hooks or CI/CD pipeline can trigger Jekyll builds on content changes and sync output to the VPS.

Automate the build-and-deploy workflow: maintain site source in a Git repository (preferably encrypted, private repository), trigger builds on git push using GitHub Actions, GitLab CI, or a local Gitea instance. Build step runs Hugo or Jekyll to generate HTML. Deploy step syncs the built output to the VPS via rsync over SSH (or git pull if the built output is committed). The VPS serves the synced HTML files via Nginx. For anonymous deployment (not wanting to link the VPS IP to the build system), build locally and use torsocks rsync to sync over Tor to the VPS's management SSH port accessible as a separate hidden service.

Content for static hidden service sites typically comes from: Markdown files (for blog posts, articles) versioned in Git, database-exported data files (for sites with structured data like directories or catalogs), and API-sourced data (fetched at build time using Hugo's remote data sources). For teams contributing content, use Git-based workflows with branch protection requiring review before merges to main (which triggers deployment). Git commits from contributors should be made over Tor to prevent IP-to-commit linkage if contributor anonymity is important. Signed commits (GPG) verify author identity cryptographically without requiring real names.