CI/CD for Tor Hidden Service Deployments

Set up a Git bare repository on your Tor server that triggers automatic deployments on push. All Git operations happen over Tor SSH, keeping your server anonymous:

# On the server — create bare repo with post-receive hook
mkdir -p /var/git/onion-site.git
cd /var/git/onion-site.git
git init --bare

# Create post-receive hook
cat > hooks/post-receive << 'HOOK'
#!/bin/bash
GIT_WORK_TREE=/var/www/onion git checkout -f main

# Restart application if needed
systemctl restart onion-app

echo "Deployment complete at $(date -u +'%Y-%m-%d %H:%M UTC')"
HOOK

chmod +x hooks/post-receive

# On your local machine — configure Git remote over Tor
# Requires torsocks and SSH .onion access

# ~/.ssh/config
Host onion-server
    HostName your56charaddress.onion
    User deploy
    ProxyCommand torsocks nc %h %p
    IdentityFile ~/.ssh/onion_deploy_key

# Add remote and push
git remote add onion onion-server:/var/git/onion-site.git
git push onion main

Every git push to the onion remote triggers the post-receive hook, which checks out the latest code to the web root and restarts the application. The entire process happens over Tor — your development machine's IP is never exposed to the server.

Use Ansible to manage Tor hidden service infrastructure with playbooks that execute over Tor SSH connections:

# inventory.yml — Ansible inventory with Tor connectivity
all:
  hosts:
    onion-web:
      ansible_host: your56charaddress.onion
      ansible_user: root
      ansible_ssh_common_args: '-o ProxyCommand="torsocks nc %h %p"'
      ansible_python_interpreter: /usr/bin/python3

# deploy.yml — Deployment playbook
---
- name: Deploy onion service
  hosts: onion-web
  tasks:
    - name: Pull latest code
      git:
        repo: /var/git/onion-site.git
        dest: /var/www/onion
        version: main

    - name: Install dependencies
      command: npm install --production
      args:
        chdir: /var/www/onion

    - name: Build application
      command: npm run build
      args:
        chdir: /var/www/onion

    - name: Restart services
      systemd:
        name: "{{ item }}"
        state: restarted
      loop:
        - onion-app
        - nginx

    - name: Verify hidden service is responding
      command: torsocks curl -s -o /dev/null -w "%{http_code}" http://your56char.onion
      register: health_check
      failed_when: health_check.stdout != "200"
      retries: 3
      delay: 30

The playbook deploys code, installs dependencies, builds the application, restarts services, and verifies the .onion site is responding — all over Tor. The health check at the end connects through a full Tor circuit to confirm end-to-end functionality.

For fully automated CI/CD, run a self-hosted pipeline tool like Gitea + Drone or a simple webhook-based system on your Tor server:

# Simple webhook-based deployment script
# /opt/deploy/webhook.py
from flask import Flask, request
import subprocess
import hmac
import hashlib

app = Flask(__name__)
SECRET = "your-webhook-secret"

@app.route("/deploy", methods=["POST"])
def deploy():
    # Verify webhook signature
    signature = request.headers.get("X-Signature")
    expected = hmac.new(
        SECRET.encode(), request.data, hashlib.sha256
    ).hexdigest()

    if not hmac.compare_digest(signature, expected):
        return "Unauthorized", 403

    # Run deployment
    result = subprocess.run(
        ["/opt/deploy/deploy.sh"],
        capture_output=True, text=True, timeout=300
    )

    return f"Deploy: {'OK' if result.returncode == 0 else 'FAIL'}", 200

if __name__ == "__main__":
    app.run(host="127.0.0.1", port=9000)

Expose this webhook as its own .onion hidden service (or on a specific path of your existing service). When you push code, trigger the webhook via torsocks curl from your development machine. The entire CI/CD pipeline runs on the Tor server itself, eliminating any third-party service that could compromise your server's anonymity.

AnubizHost servers come with Git, SSH, and Tor pre-configured for automated deployments. Set up Git push deployment or Ansible automation from day one — our infrastructure supports all standard deployment tools over Tor SSH connections.

Our offshore servers in Iceland, Romania, and Finland provide full root access for customizing your deployment pipeline. Pay with Bitcoin, Monero, or other cryptocurrencies — no KYC, no identity verification. Whether you prefer simple Git hooks or full Ansible playbooks, AnubizHost gives you the infrastructure and connectivity to automate your .onion service deployments securely.