{
  pkgs,
  secrets,
  ...
}: let
  # WebTunnel pluggable transport, built from upstream source because it is
  # not packaged in nixpkgs yet.
  # https://github.com/NixOS/nixpkgs/pull/277487
  #
  # Supply chain: what gets built is fixed by `rev` (a full commit id) together
  # with the content `hash` of the fetched tree, and the Go dependencies are
  # fixed by `vendorHash`. `version` is only a label in the store path; it does
  # not select what is fetched. When bumping `rev`, refresh both hashes in the
  # same change so a mismatch fails the build instead of going unnoticed.
  webtunnel = let
    upstream = pkgs.fetchFromGitLab {
      domain = "gitlab.torproject.org";
      group = "tpo";
      owner = "anti-censorship/pluggable-transports";
      repo = "webtunnel";
      rev = "e64b1b3562f3ab50d06141ecd513a21ec74fe8c6";
      hash = "sha256-25ZtoCe1bcN6VrSzMfwzT8xSO3xw2qzE4Me3Gi4GbVs=";
    };
  in
    pkgs.buildGoModule {
      pname = "webtunnel";
      version = "main";
      src = upstream;
      vendorHash = "sha256-3AAPySLAoMimXUOiy8Ctl+ghG5q+3dWRNGXHpl9nfG0=";
    };
in {
  # Bridges are Tor relays that help circumvent censorship. WebTunnel is a
  # censorship-resistant pluggable transport designed to mimic encrypted web
  # traffic (HTTPS). It works by wrapping the payload connection into a
  # WebSocket-like HTTPS connection, appearing to network observers as an
  # ordinary HTTPS (WebSocket) connection.
  # https://community.torproject.org/relay/setup/webtunnel/
  # https://community.torproject.org/relay/setup/webtunnel/source/
  #
  # Test the bridge by setting
  #   webtunnel 10.0.0.2:443 FINGERPRINT url=https://yourdomain/path
  # in the Tor Browser settings (from webtunnel/source final notes).
  services.tor = {
    enable = true;
    relay.enable = true;
    relay.role = "bridge";
    settings = let
      # URL announced to clients in their bridge line (host followed by path).
      # NOTE(review): `secrets` is read at evaluation time, so this value
      # presumably ends up in the generated torrc inside the world-readable
      # Nix store. Acceptable if the path only has to stay hidden from network
      # probing, not from local users; confirm.
      # NOTE(review): assumes webtunnel-host already carries the "https://"
      # scheme; verify against the secrets definition.
      bridgeUrl = secrets.hosts.alpha.tor.webtunnel-host + secrets.hosts.alpha.tor.webtunnel-path;
    in {
      Nickname = "DXV7520WebTunnel";
      ContactInfo = "admin@caspervk.net";

      # The ORPort listens on loopback only (IPv4 and IPv6), so the bridge is
      # reachable solely through the pluggable transport and cannot be found
      # by scanning for an open ORPort.
      ORPort = map (addr: {
        inherit addr;
        port = "auto";
      }) ["127.0.0.1" "[::1]"];
      # A loopback ORPort can never pass Tor's self-reachability test, so the
      # test has to be skipped for the descriptor to be published.
      AssumeReachable = true;

      ServerTransportPlugin = {
        transports = ["webtunnel"];
        exec = "${webtunnel}/bin/server";
      };
      # The transport also binds to loopback. Nothing in this file exposes
      # port 15000; presumably a TLS-terminating reverse proxy defined
      # elsewhere forwards only the secret path to it. Verify that the proxy
      # does not route any other path or vhost to this port.
      ServerTransportListenAddr = "webtunnel 127.0.0.1:15000";
      ServerTransportOptions = "webtunnel url=${bridgeUrl}";
    };
  };

  # Keep Tor's state directory across reboots. Presumably this holds the
  # bridge's identity keys, so losing it would change the FINGERPRINT that
  # clients have in their bridge line. Owner-only access (0700, tor:tor) keeps
  # the key material unreadable by other local users.
  environment.persistence."/nix/persist".directories = [
    {
      directory = "/var/lib/tor";
      mode = "0700";
      user = "tor";
      group = "tor";
    }
  ];
}