nixos server configurations
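{ config, pkgs, ... }:
let
  pdsSettings = config.services.bluesky-pds.settings;
  knot = config.services.tangled.knot.server;
  spindle = config.services.tangled.spindle.server;
in
{
  # One dotenv secret holding every PDS credential plus CLOUDFLARE_API_TOKEN
  # (see the caddy unit below).  sops-nix installs it owned by pds:pds.
  sops.secrets.pds = {
    sopsFile = ../../secrets/kuribo/pds.env;
    format = "dotenv";
    owner = "pds";
    group = "pds";
  };

  services.bluesky-pds = {
    enable = true;
    environmentFiles = [ config.sops.secrets.pds.path ];
    settings = {
      # Variable reference:
      # https://github.com/bluesky-social/atproto/blob/main/packages/pds/src/config/env.ts

      # Loopback-only listener; Caddy terminates TLS and proxies here.  The
      # firewall below does not open this port.
      PDS_PORT = 3000;
      PDS_HOSTNAME = "pds.starhaven.dev";
      PDS_ADMIN_EMAIL = "admin@starhaven.dev";
      PDS_CONTACT_EMAIL_ADDRESS = "admin@starhaven.dev";
      PDS_SERVICE_HANDLE_DOMAINS = ".starhaven.dev";

      # Branding
      # Quoted because the value contains a space.  NOTE(review): confirm the
      # module renders this as PDS_SERVICE_NAME="Star Haven" so the env-file
      # parser strips the quotes rather than keeping them in the name.
      PDS_SERVICE_NAME = "\"Star Haven\"";
      PDS_HOME_URL = "https://starhaven.dev";
      #PDS_LOGO_URL
      PDS_PRIMARY_COLOR = "#dbb23e";
      PDS_PRIMARY_COLOR_CONTRAST = "#000";

      # Blob storage is S3; the bucket and its credentials live in pds.env.
      # null drops the disk location from the rendered settings (presumably
      # overriding a module default).
      PDS_BLOBSTORE_DISK_LOCATION = null;
    };
  };

  services.caddy = {
    enable = true;
    # Cloudflare DNS plugin pinned by version and content hash so a changed
    # upstream module fails the build instead of being picked up silently.
    package = pkgs.caddy.withPlugins {
      plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ];
      hash = "sha256-ea8PC/+SlPRdEVVF/I3c1CBprlVp1nrumKM5cMwJJ3U=";
    };
    # ACME account contact.
    email = pdsSettings.PDS_ADMIN_EMAIL;
    globalConfig = ''
      # On-demand issuance is gated by the helper below: Caddy only requests a
      # certificate for a name when the ask endpoint answers 200 for it.  That
      # endpoint is the only control against unbounded issuance for arbitrary
      # *.starhaven.dev names (and the ACME rate limits that go with it), so
      # the helper must fail closed for anything it does not recognise.
      on_demand_tls {
        ask http://127.0.0.1:8081
      }

      acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    '';
    virtualHosts."*.starhaven.dev" = {
      extraConfig = ''
        tls {
          on_demand
        }

        # Exact-path match: "/" on any host under the wildcard goes to the
        # home page.  NOTE(review): Caddy orders handle blocks by path-matcher
        # length, with path-less blocks after them, so this redirect and the
        # age-assurance stub below are expected to apply on the knot/spindle
        # hosts too - confirm that is intended.
        handle / {
          redir https://starhaven.dev
        }

        @knot host ${toString knot.hostname}
        handle @knot {
          reverse_proxy http://${toString knot.listenAddr}
        }

        @spindle host ${toString spindle.hostname}
        handle @spindle {
          reverse_proxy http://${toString spindle.listenAddr}
        }

        # Static stub that reports every caller as age-assured instead of
        # forwarding the request to the PDS.  It is unauthenticated, answers
        # for every host under the wildcard, carries a fixed timestamp, and the
        # CORS headers let any origin read it.  Keep the path deliberately
        # narrow and re-check it when the upstream lexicon changes.
        handle /xrpc/app.bsky.unspecced.getAgeAssuranceState {
          header content-type "application/json"
          header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy"
          header access-control-allow-origin "*"
          respond `{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}` 200
        }

        # Everything else is the PDS.
        handle {
          reverse_proxy http://127.0.0.1:${toString pdsSettings.PDS_PORT}
        }
      '';
    };
  };

  systemd.services.caddy = {
    after = [
      "ondemand-tls-helper.service"
      "sops-nix.service"
    ];
    # Pull the ask helper in with Caddy; `after` alone only orders it.
    wants = [ "ondemand-tls-helper.service" ];
    # Caddy needs only CLOUDFLARE_API_TOKEN, but this hands its environment the
    # entire PDS env file (whatever else pds.env holds: signing keys, admin
    # password, S3 credentials).  systemd reads EnvironmentFile= as root before
    # dropping to the caddy user, so the pds:pds ownership above does not limit
    # it.  Splitting the token into its own sops secret would give Caddy only
    # what it uses.
    serviceConfig.EnvironmentFile = config.sops.secrets.pds.path;
  };

  # World-readable (0755) script; the exec bit is unused because the unit
  # invokes it through python3 explicitly.
  environment.etc."ondemand_tls_helper.py" = {
    source = ./ondemand_tls_helper.py;
    mode = "0755";
  };

  # Answers Caddy's on-demand TLS `ask` on 127.0.0.1:8081.  The firewall below
  # does not open that port; the script itself should still bind loopback only
  # (not visible here - verify in ondemand_tls_helper.py).
  systemd.services.ondemand-tls-helper = {
    description = "On-demand TLS helper for Caddy (returns 200 for allowed domains or proxies to PDS)";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      ExecStart = "${pkgs.python3}/bin/python3 /etc/ondemand_tls_helper.py";
      Environment = "PDS_PORT=${toString pdsSettings.PDS_PORT}";
      # Throwaway uid instead of the shared `nobody` account.  DynamicUser also
      # makes the filesystem read-only apart from a private /tmp, which is all
      # a script that reads /etc and speaks TCP to Caddy/PDS needs.  AF_UNIX
      # stays allowed so NSS/nscd lookups keep working.
      DynamicUser = true;
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      LockPersonality = true;
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      Restart = "always";
      RestartSec = 5;
    };
  };

  # Only the public edge is reachable; PDS (3000) and the ask helper (8081)
  # stay on loopback.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];
}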