Remove inaccurate client-side claim from meta description

Caddyfile

@@ -1,10 +1,8 @@
-{$DOMAIN:localhost} {
+(common) {
 	root * /srv
 	encode gzip
 
-	# Security headers
 	header {
-		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 		X-Content-Type-Options "nosniff"
 		X-Frame-Options "DENY"
 		Referrer-Policy "no-referrer"
@@ -12,13 +10,20 @@
 		Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; form-action 'none'; frame-ancestors 'none'; base-uri 'none'"
 	}
 
-	# Short URL rewrite: /s/CODE -> s.php?c=CODE
 	@shorturl path_regexp short ^/s/([a-zA-Z0-9]+)$
 	rewrite @shorturl /s.php?c={re.short.1}
 
-	# PHP via FPM
 	php_fastcgi 127.0.0.1:9000
-
-	# Static files
 	file_server
 }
+
+# Clearnet (auto-HTTPS)
+{$DOMAIN:localhost} {
+	import common
+	header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+}
+
+# Tor hidden service (HTTP only, no TLS needed)
+:8080 {
+	import common
+}

Dockerfile

@@ -31,7 +31,7 @@ COPY Caddyfile /etc/caddy/Caddyfile
 COPY docker-entrypoint.sh /usr/local/bin/
 RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 
-EXPOSE 80 443
+EXPOSE 80 443 8080
 
 VOLUME ["/srv/data", "/data/caddy"]
 

README.md

@@ -14,7 +14,7 @@ You need a VPS with a domain pointing to it. Then:
 curl -sL https://xmrpay.link/install.sh | sh -s your-domain.com
 ```
 
-Done. HTTPS is automatic (via Caddy + Let's Encrypt).
+Done. HTTPS is automatic (via Caddy + Let's Encrypt). A **Tor hidden service** (.onion) is included — the installer shows your onion address after setup.
 
 ### Requirements
 
@@ -66,6 +66,9 @@ XMRPAY_IMAGE=schmidt1024/xmrpay:latest
 EOF
 
 docker compose pull && docker compose up -d
+
+# Show your onion address
+docker exec xmrpay-tor cat /var/lib/tor/hidden_service/hostname
 ```
 
 ### Uninstall

docker-compose.yml

@@ -12,6 +12,29 @@ services:
       - xmrpay-data:/srv/data
       - caddy-data:/data/caddy
 
+  tor:
+    image: alpine:latest
+    container_name: xmrpay-tor
+    restart: unless-stopped
+    depends_on:
+      - xmrpay
+    entrypoint: /bin/sh
+    command:
+      - -c
+      - |
+        apk add --no-cache tor > /dev/null 2>&1
+        mkdir -p /var/lib/tor/hidden_service
+        chmod 700 /var/lib/tor/hidden_service
+        cat > /etc/tor/torrc <<EOF
+        SocksPort 0
+        HiddenServiceDir /var/lib/tor/hidden_service
+        HiddenServicePort 80 xmrpay:8080
+        EOF
+        echo "Starting Tor..."
+        tor -f /etc/tor/torrc
+    volumes:
+      - tor-keys:/var/lib/tor/hidden_service
+
   watchtower:
     image: containrrr/watchtower
     container_name: watchtower
@@ -25,3 +48,4 @@ services:
 volumes:
   xmrpay-data:
   caddy-data:
+  tor-keys:

i18n.js

@@ -11,7 +11,7 @@ var I18n = (function () {
     ru: { name: 'Русский' }
   };
 
-  var VERSION = '1.0.0';
+  var VERSION = '1.1.1';
 
   var footer = 'Open Source &middot; No Tracking &middot; No KYC<br /><a href="https://github.com/schmidt1024/xmrpay" target="_blank" rel="noopener noreferrer">Source</a> &middot; <a href="http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion" title="Tor Hidden Service">Onion</a> &middot; <a href="/privacy.html">Privacy &amp; Terms</a><br /><span class="version">v' + VERSION + '</span>';
 
@@ -39,7 +39,7 @@ var I18n = (function () {
       pdf_deadline_days: '{d} days',
       pdf_date: 'Date',
       pdf_scan_qr: 'Scan QR code to pay',
-      pdf_footer: 'Created with xmrpay.link',
+      pdf_footer: 'Created with xmrpay',
       qr_hint: 'Click QR to save',
       self_host_banner: 'This is a public demo. For real payments, <a href="https://github.com/schmidt1024/xmrpay#self-host-in-60-seconds">host your own instance</a> — it takes 60 seconds.',
       footer: footer,
@@ -92,7 +92,7 @@ var I18n = (function () {
       pdf_deadline_days: '{d} Tage',
       pdf_date: 'Datum',
       pdf_scan_qr: 'QR-Code scannen zum Bezahlen',
-      pdf_footer: 'Erstellt mit xmrpay.link',
+      pdf_footer: 'Erstellt mit xmrpay',
       self_host_banner: 'Dies ist eine öffentliche Demo. Für echte Zahlungen <a href="https://github.com/schmidt1024/xmrpay#self-host-in-60-seconds">eigene Instanz hosten</a> — dauert 60 Sekunden.',
       qr_hint: 'Klick auf QR zum Speichern',
       footer: footer,
@@ -145,7 +145,7 @@ var I18n = (function () {
       pdf_deadline_days: '{d} jours',
       pdf_date: 'Date',
       pdf_scan_qr: 'Scanner le QR code pour payer',
-      pdf_footer: 'Créé avec xmrpay.link',
+      pdf_footer: 'Créé avec xmrpay',
       self_host_banner: 'Ceci est une démo publique. Pour de vrais paiements, <a href="https://github.com/schmidt1024/xmrpay#self-host-in-60-seconds">hébergez votre propre instance</a> — ça prend 60 secondes.',
       qr_hint: 'Cliquez sur le QR pour enregistrer',
       footer: footer,
@@ -198,7 +198,7 @@ var I18n = (function () {
       pdf_deadline_days: '{d} giorni',
       pdf_date: 'Data',
       pdf_scan_qr: 'Scansiona il QR per pagare',
-      pdf_footer: 'Creato con xmrpay.link',
+      pdf_footer: 'Creato con xmrpay',
       self_host_banner: 'Questa è una demo pubblica. Per pagamenti reali, <a href="https://github.com/schmidt1024/xmrpay#self-host-in-60-seconds">ospita la tua istanza</a> — ci vogliono 60 secondi.',
       qr_hint: 'Clicca sul QR per salvare',
       footer: footer,
@@ -251,7 +251,7 @@ var I18n = (function () {
       pdf_deadline_days: '{d} días',
       pdf_date: 'Fecha',
       pdf_scan_qr: 'Escanear QR para pagar',
-      pdf_footer: 'Creado con xmrpay.link',
+      pdf_footer: 'Creado con xmrpay',
       self_host_banner: 'Esta es una demo pública. Para pagos reales, <a href="https://github.com/schmidt1024/xmrpay#self-host-in-60-seconds">aloja tu propia instancia</a> — toma 60 segundos.',
       qr_hint: 'Clic en QR para guardar',
       footer: footer,
@@ -304,7 +304,7 @@ var I18n = (function () {
       pdf_deadline_days: '{d} dias',
       pdf_date: 'Data',
       pdf_scan_qr: 'Digitalizar QR para pagar',
-      pdf_footer: 'Criado com xmrpay.link',
+      pdf_footer: 'Criado com xmrpay',
       self_host_banner: 'Esta é uma demo pública. Para pagamentos reais, <a href="https://github.com/schmidt1024/xmrpay#self-host-in-60-seconds">hospede sua própria instância</a> — leva 60 segundos.',
       qr_hint: 'Clique no QR para guardar',
       footer: footer,
@@ -357,7 +357,7 @@ var I18n = (function () {
       pdf_deadline_days: '{d} дней',
       pdf_date: 'Дата',
       pdf_scan_qr: 'Сканируйте QR для оплаты',
-      pdf_footer: 'Создано с помощью xmrpay.link',
+      pdf_footer: 'Создано с помощью xmrpay',
       self_host_banner: 'Это публичная демо-версия. Для реальных платежей <a href="https://github.com/schmidt1024/xmrpay#self-host-in-60-seconds">разверните свой экземпляр</a> — это займёт 60 секунд.',
       qr_hint: 'Нажмите на QR для сохранения',
       footer: footer,

index.html

@@ -3,12 +3,12 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>xmrpay.link — Monero Invoice Generator</title>
-  <meta name="description" content="Create Monero payment requests in seconds. No account registration, no KYC. Minimal backend for short URLs only.">
+  <title>xmrpay — Monero Invoice Generator</title>
+  <meta name="description" content="Self-hosted Monero payment requests in seconds. No accounts, no KYC, no tracking. Generate QR codes, PDF invoices, and verify payments.">
   <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; form-action 'none'; base-uri 'none'">
   <link rel="icon" id="favicon" href="favicon.svg" type="image/svg+xml">
   <link rel="preload" href="fonts/inter-400.woff2" as="font" type="font/woff2" crossorigin>
-  <link rel="stylesheet" href="style.css?v=20260326-3" integrity="sha384-TLao5+UFp5VS0Vn+LamdOYwxjGy1ZB0dNemTi7Za0HpPsnA+koCWOmVM0Szwaf3n" crossorigin="anonymous">
+  <link rel="stylesheet" href="style.css?v=20260326-3" integrity="sha384-HrVyafi6sY5wzJh/jPfdCAq5WytRoWDiUnZ/Y05Xt2Oz1C+kLZLO47euo7q3fv46" crossorigin="anonymous">
 </head>
 <body>
 
@@ -18,7 +18,7 @@
   </div>
 
   <header>
-    <h1><a href="/" id="homeLink">xmr<span>pay</span>.link</a></h1>
+    <h1><a href="/" id="homeLink">xmr<span>pay</span></a></h1>
     <p data-i18n="subtitle">Monero payment request in seconds</p>
   </header>
 
@@ -120,7 +120,7 @@
   </main>
 
   <footer>
-    <p data-i18n-html="footer">Open Source &middot; No Tracking &middot; No KYC<br /><a href="https://github.com/schmidt1024/xmrpay" target="_blank" rel="noopener noreferrer">Source</a> &middot; <a href="http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion" title="Tor Hidden Service">Onion</a> &middot; <a href="/privacy.html">Privacy &amp; Terms</a><br /><span class="version">v1.0.0</span></p>
+    <p data-i18n-html="footer">Open Source &middot; No Tracking &middot; No KYC<br /><a href="https://github.com/schmidt1024/xmrpay" target="_blank" rel="noopener noreferrer">Source</a> &middot; <a href="http://mc6wfeaqc7oijgdcudrr5zsotmwok3jzk3tu2uezzyjisn7nzzjjizyd.onion" title="Tor Hidden Service">Onion</a> &middot; <a href="/privacy.html">Privacy &amp; Terms</a><br /><span class="version">v1.1.1</span></p>
   </footer>
 
   <div class="lang-picker" id="langPicker">
@@ -137,7 +137,7 @@
   <div class="toast" id="toast"></div>
 
   <script src="lib/qrcode.min.js?v=20260326-3" integrity="sha384-3zSEDfvllQohrq0PHL1fOXJuC/jSOO34H46t6UQfobFOmxE5BpjjaIJY5F2/bMnU" crossorigin="anonymous" defer></script>
-  <script src="i18n.min.js?v=20260326-3" integrity="sha384-mKqQalrpTWCzSD1ErLtp+GqHpzJDm7D1jzHDMuhCW7ql2v9YkEzSfE4PNuTj4dqU" crossorigin="anonymous" defer></script>
-  <script src="app.min.js?v=20260326-3" integrity="sha384-tdgiaUZYJ6E+/EqlbzOvxRvySKQZNdxjNktRV3K75fitMLdkR5DXuVU9XTppNku5" crossorigin="anonymous" defer></script>
+  <script src="i18n.min.js?v=20260326-3" integrity="sha384-FfBaeFwBMGnIIOFgRYMxAcFLdp1MMUAc4V8YIg+jLInG8yWQdpMA05eicLc+QFaC" crossorigin="anonymous" defer></script>
+  <script src="app.min.js?v=20260326-3" integrity="sha384-JORIDcn40te850GEco3PPlCjpMXhAbHLSVu8t5BSX4g7XaQyUsGK3IaXLC+1AUYk" crossorigin="anonymous" defer></script>
 </body>
 </html>

install.sh

@@ -52,7 +52,23 @@ docker compose up -d
 
 ok "xmrpay is running!"
 echo ""
-echo "  https://$DOMAIN"
+echo "  Clearnet:  https://$DOMAIN"
+
+# Wait for Tor to generate the onion address (up to 30s)
+info "Waiting for Tor hidden service..."
+ONION=""
+for i in $(seq 1 30); do
+  ONION=$(docker exec xmrpay-tor cat /var/lib/tor/hidden_service/hostname 2>/dev/null || true)
+  [ -n "$ONION" ] && break
+  sleep 1
+done
+if [ -n "$ONION" ]; then
+  ok "Tor hidden service ready"
+  echo "  Onion:     http://$ONION"
+else
+  echo "  Onion:     (still starting — run: docker exec xmrpay-tor cat /var/lib/tor/hidden_service/hostname)"
+fi
+
 echo ""
 echo "  Watchtower checks for updates every 6 hours."
 echo "  Data stored in Docker volume: xmrpay-data"

privacy.html

@@ -3,11 +3,11 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
-  <title>xmrpay.link — Privacy & Terms</title>
-  <meta name="description" content="Privacy policy and terms of use for xmrpay.link.">
-  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; base-uri 'none'">
+  <title>xmrpay — Privacy & Terms</title>
+  <meta name="description" content="Privacy policy and terms of use for xmrpay.">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; base-uri 'none'">
   <link rel="icon" href="favicon.svg" type="image/svg+xml">
-  <link rel="stylesheet" href="style.css?v=20260326-3" integrity="sha384-TLao5+UFp5VS0Vn+LamdOYwxjGy1ZB0dNemTi7Za0HpPsnA+koCWOmVM0Szwaf3n" crossorigin="anonymous">
+  <link rel="stylesheet" href="style.css?v=20260326-3" integrity="sha384-HrVyafi6sY5wzJh/jPfdCAq5WytRoWDiUnZ/Y05Xt2Oz1C+kLZLO47euo7q3fv46" crossorigin="anonymous">
   <style>
     main.legal-main {
       max-width: 920px;
@@ -52,7 +52,7 @@
 </head>
 <body>
   <header>
-    <h1><a href="/" id="homeLink">xmr<span>pay</span>.link</a></h1>
+    <h1><a href="/" id="homeLink">xmr<span>pay</span></a></h1>
     <p>Privacy &amp; Terms</p>
   </header>
 
@@ -212,7 +212,7 @@
     <div class="lang-dropdown" id="langDropdown"></div>
   </div>
 
-  <script src="i18n.min.js?v=20260326-3" defer></script>
+  <script src="i18n.min.js?v=20260326-3" integrity="sha384-FfBaeFwBMGnIIOFgRYMxAcFLdp1MMUAc4V8YIg+jLInG8yWQdpMA05eicLc+QFaC" crossorigin="anonymous" defer></script>
   <script>
     document.addEventListener('DOMContentLoaded', function () {
       var supported = ['en', 'de', 'fr', 'it', 'es', 'pt', 'ru'];

style.css

@@ -66,6 +66,7 @@ body {
   font-size: 0.85rem;
   line-height: 1.4;
   position: relative;
+  z-index: 60;
 }
 
 .self-host-banner a {