commit 86773498f046e4264a17600768669d8e49db452e · starhaven.dev/infra

+13

.sops.yaml

···

       1
       1
       +
       keys:

     

       2
       2
       +
         - &admin_bates64 age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2

     

       3
       3
       +
         - &server_kuribo age1dhxleu7puseq4fz5gprzdssprdd452kjry2n47xaqfh22p5eyqfs68zysl

     

       4
       4
       +
       creation_rules:

     

       5
       5
       +
         - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$

     

       6
       6
       +
           key_groups:

     

       7
       7
       +
             - age:

     

       8
       8
       +
                 - *admin_bates64

     

       9
       9
       +
         - path_regex: secrets/kuribo/[^/]+\.(yaml|json|env|ini)$

     

       10
       10
       +
           key_groups:

     

       11
       11
       +
             - age:

     

       12
       12
       +
                 - *admin_bates64

     

       13
       13
       +
                 - *server_kuribo

+22 -1

flake.lock

···

       18
       18
        
           },

     

       19
       19
        
           "root": {

     

       20
       20
        
             "inputs": {

     

       21
       21
       -
               "nixpkgs": "nixpkgs"

     

       21
       21
       +
               "nixpkgs": "nixpkgs",

     

       22
       22
       +
               "sops-nix": "sops-nix"

     

       23
       23
       +
             }

     

       24
       24
       +
           },

     

       25
       25
       +
           "sops-nix": {

     

       26
       26
       +
             "inputs": {

     

       27
       27
       +
               "nixpkgs": [

     

       28
       28
       +
                 "nixpkgs"

     

       29
       29
       +
               ]

     

       30
       30
       +
             },

     

       31
       31
       +
             "locked": {

     

       32
       32
       +
               "lastModified": 1764483358,

     

       33
       33
       +
               "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",

     

       34
       34
       +
               "owner": "Mic92",

     

       35
       35
       +
               "repo": "sops-nix",

     

       36
       36
       +
               "rev": "5aca6ff67264321d47856a2ed183729271107c9c",

     

       37
       37
       +
               "type": "github"

     

       38
       38
       +
             },

     

       39
       39
       +
             "original": {

     

       40
       40
       +
               "owner": "Mic92",

     

       41
       41
       +
               "repo": "sops-nix",

     

       42
       42
       +
               "type": "github"

     

       22
       43
        
             }

     

       23
       44
        
           }

     

       24
       45
        
         },

+5 -3

flake.nix

···

       1
       1
        
       {

     

       2
       2
       -
         description = "bates64";

     

       3
       3
       -
       

     

       2
       2
       +
         description = "starhaven.dev infrastructure";

     

       4
       3
        
         inputs = {

     

       5
       4
        
           nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

     

       5
       5
       +
       

     

       6
       6
       +
           sops-nix.url = "github:Mic92/sops-nix";

     

       7
       7
       +
           sops-nix.inputs.nixpkgs.follows = "nixpkgs";

     

       6
       8
        
         };

     

       7
       7
       -
       

     

       8
       9
        
         outputs =

     

       9
       10
        
           inputs@{ nixpkgs, ... }:

     

       10
       11
        
           {

     
···

       13
       14
        
                 system = "aarch64-linux";

     

       14
       15
        
                 modules = [

     

       15
       16
        
                   ./servers/kuribo/configuration.nix

     

       17
       17
       +
                   inputs.sops-nix.nixosModules.sops

     

       16
       18
        
                 ];

     

       17
       19
        
               };

     

       18
       20
        
             };

+13

secrets/kuribo/pds.env

···

       1
       1
       +
       PDS_JWT_SECRET=ENC[AES256_GCM,data:SwmU7j+3kfoCCQlZk/LAzytRoVSb7tgKI6tGdZKJThg=,iv:1WCvMVlPR4L7rO/YUmkobjHcXlSGlyIo80ir+GymdeQ=,tag:WbGeolX/pzSZ+LA8ueUygA==,type:str]

     

       2
       2
       +
       PDS_ADMIN_PASSWORD=ENC[AES256_GCM,data:+U1Tw+rRcb9rPjZTsOZ9ZYdVeTRFjv8yhuSCCFIe+wQ=,iv:TLJ+HJ8hDXcaZ/9qtSonnOE1oz4JngxuXJLjXpqdDwU=,tag:W7Hi9XMXUMUZAimnAc6uJQ==,type:str]

     

       3
       3
       +
       PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=ENC[AES256_GCM,data:thNijhgsq106+SJVnoseWu1S8SU2AB8Z5EqjKUzMBm+29FB146dmqPOphXL5yBPDuj0gjzFvfu4W7BOAKcx7fA==,iv:zcmhJopT8WHN2GfhDGO1oYp/NeyPpXeNrg6AVmDYMGk=,tag:JLcO4aVuKMVgRU6pirks+A==,type:str]

     

       4
       4
       +
       PDS_EMAIL_SMTP_URL=ENC[AES256_GCM,data:ltLt4Q7CaIL4swhDA2pBcMRR2gaMGcYw/7E7JtU4bMotEXrEO19V5ySomjbdFs3ImFzMtVVNY0am9R5Q40TZq85r6zDsoGv6,iv:Kh10CNUhkzqj5PROyFgGme0KUspZL/epxiQf2Ej0G6Y=,tag:noT7j38nip6OLbnwr8AWDQ==,type:str]

     

       5
       5
       +
       PDS_EMAIL_FROM_ADDRESS=ENC[AES256_GCM,data:VxEX3on/7jQ/SXmr53bvFzd3O/xu,iv:yehoA4hxkJ6UOjv625834otS1Es4uKtarjZjKFk2sJI=,tag:XaplSBikfq97mLTq+XyOrQ==,type:str]

     

       6
       6
       +
       sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkenRnNWFlMzBIOTJsclYw\nSkw3ZW9pa0NRejRQd1FmOENTaE54UU4rcHkwCjFBSXljeTdQeGhXZDZrWS9JUkx0\nUXpxWUVKZTdGWjVLT1FRUmloMXhNdWcKLS0tIEhERVFJNU5pSU00b3MxUHB1Y280\nWTFiaTh0YXJyUXFKNGNrOE84elRONVUK20OPeWSZW2A9mTnEDfQmDc7n3jvUQhxb\nBatl6b0ismrkTWcRJK8nxImcvxBtMMCLfzK5Wt/9gBLJ6VDT6UPYFg==\n-----END AGE ENCRYPTED FILE-----\n

     

       7
       7
       +
       sops_age__list_0__map_recipient=age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2

     

       8
       8
       +
       sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4OVBaMzZ3UGd1R25SczNN\nd3R6bzVGTkN0SWpjb05wankvb2tpNTJvZlR3CjhwYUdHaTJ6Y1VPSTltOHhNbWdL\ncGs3OEJqaFljUFRhUVNncm13RFdETTgKLS0tIG1Mb1ZXQ3BpejdteWFkWUFyOGJu\ndFpyWkNiK2hoNlROd09xTzVueFdSUmcKDrIcoDDH2O/c9dyS/oLL0rudsrsmtOhJ\n55QagSzYouGlJbpl2xtBeUplg1WcEBX7FSW3UWFbz+Gc0/Rv76jRCA==\n-----END AGE ENCRYPTED FILE-----\n

     

       9
       9
       +
       sops_age__list_1__map_recipient=age1dhxleu7puseq4fz5gprzdssprdd452kjry2n47xaqfh22p5eyqfs68zysl

     

       10
       10
       +
       sops_lastmodified=2025-12-01T18:49:36Z

     

       11
       11
       +
       sops_mac=ENC[AES256_GCM,data:tSPG0g8XpTu0IJ8GQKIUczVlreLbZ/VFncomwSVzFEIXloJ6QQsX2hobyFCW4RwovQoZnVfO4uL8Ku/SIjsLIMCejLiGXAa4r0VDDZtxhnaX7tPBecG7gE3Ke15V4bT6B9uxB7TGhJYTsTlq/tb8D7UZG2+yWudFry8ArJRFxp0=,iv:9vxvakrxx8EmNBPSY1wnoV5cHx2/8GqGhNLYHyDj74w=,tag:5NeNRKenYykPj6b13bHFOg==,type:str]

     

       12
       12
       +
       sops_unencrypted_suffix=_unencrypted

     

       13
       13
       +
       sops_version=3.11.0

+16

secrets/secrets.yaml

···

       1
       1
       +
       hello: ENC[AES256_GCM,data:Qu9O3bH7MKpraW17zQaBAw==,iv:aYX8MM/yFbyVQHqoUTn98fFDb78lywuQNvOaJoTlpMg=,tag:UTHsJ5KdogR8c9bW3m50/Q==,type:str]

     

       2
       2
       +
       sops:

     

       3
       3
       +
           age:

     

       4
       4
       +
               - recipient: age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2

     

       5
       5
       +
                 enc: |

     

       6
       6
       +
                   -----BEGIN AGE ENCRYPTED FILE-----

     

       7
       7
       +
                   YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldFJveWZZeUh5Qytibkkv

     

       8
       8
       +
                   MTBqNnJTYnl2aVlzbHpnZUJIQ0xWZzBFNmhVCitoM3MyRXBBVUc2WHY4TUpmNmdn

     

       9
       9
       +
                   YmtiVkpJUVhNWXNRdDRJNFJtdkkwYWcKLS0tIHJpV3habGJxdStCc0MwcVFhSmxa

     

       10
       10
       +
                   cmFVYTN0bUlXQ29rOUZVaHRBblpJUE0KHLXin6XsfzIvqYMDRt+GW444X43Eh5Fe

     

       11
       11
       +
                   rMppR22DHSVdZ8+rJj+pKnYH9DSNc7QbUJwMoeiKBknFh/uXhPCXgg==

     

       12
       12
       +
                   -----END AGE ENCRYPTED FILE-----

     

       13
       13
       +
           lastmodified: "2025-12-01T19:41:23Z"

     

       14
       14
       +
           mac: ENC[AES256_GCM,data:DUVrnfELB9bpFlkpA1AajIsVYv1K7r0ur0hH1J3HwWLt4ezgHC6uCoFRlXzC/ysYGlVfn1Hu6WgFEZ75UJ3TzRsluCthZqcwHSGF4cgpD5b5YP2KsF/GoYDPdWhXT+eQ6bLnLCMzxtjstFVWRpkeD0eD9eHNk6Hg270pnS8c9S4=,iv:1FuAy0IT/bgRfUw7/TkPCypnfZNC5aM5qTv10hETBrw=,tag:VL0ema4HZaMvnld+YMNwXA==,type:str]

     

       15
       15
       +
           unencrypted_suffix: _unencrypted

     

       16
       16
       +
           version: 3.11.0

+4

servers/kuribo/configuration.nix

···

       4
       4
        
           ../../modules/auto-upgrade.nix

     

       5
       5
        
           ../../modules/gc.nix

     

       6
       6
        
           ../../users/users.nix

     

       7
       7
       +
           ./pds.nix

     

       7
       8
        
         ];

     

       8
       9
        
       

     

       9
       10
        
         networking.hostName = "kuribo";

     
···

       20
       21
        
           };

     

       21
       22
        
         };

     

       22
       23
        
         services.fail2ban.enable = true;

     

       24
       24
       +
       

     

       25
       25
       +
         sops.defaultSopsFile = ./secrets/secrets.yaml;

     

       26
       26
       +
         sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

     

       23
       27
        
       

     

       24
       28
        
         programs.neovim = {

     

       25
       29
        
           enable = true;

+54

servers/kuribo/pds.nix

···

       1
       1
       +
       { config, ... }:

     

       2
       2
       +
       let

     

       3
       3
       +
         pdsSettings = config.services.bluesky-pds.settings;

     

       4
       4
       +
       in

     

       5
       5
       +
       {

     

       6
       6
       +
         sops.secrets.pds = {

     

       7
       7
       +
           sopsFile = ../../secrets/kuribo/pds.env;

     

       8
       8
       +
           format = "dotenv";

     

       9
       9
       +
           owner = "pds";

     

       10
       10
       +
           group = "pds";

     

       11
       11
       +
         };

     

       12
       12
       +
       

     

       13
       13
       +
         services.bluesky-pds = {

     

       14
       14
       +
           enable = true;

     

       15
       15
       +
           environmentFiles = [ config.sops.secrets.pds.path ];

     

       16
       16
       +
           settings = {

     

       17
       17
       +
             PDS_PORT = 3000;

     

       18
       18
       +
             PDS_HOSTNAME = "pds.starhaven.dev";

     

       19
       19
       +
             PDS_ADMIN_EMAIL = "admin@starhaven.dev";

     

       20
       20
       +
           };

     

       21
       21
       +
         };

     

       22
       22
       +
       

     

       23
       23
       +
         services.caddy = {

     

       24
       24
       +
           enable = true;

     

       25
       25
       +
           email = pdsSettings.PDS_ADMIN_EMAIL;

     

       26
       26
       +
           globalConfig = ''

     

       27
       27
       +
             on_demand_tls {

     

       28
       28
       +
               ask http://127.0.0.1:${toString pdsSettings.PDS_PORT}/tls-check

     

       29
       29
       +
             }

     

       30
       30
       +
           '';

     

       31
       31
       +
           virtualHosts.${pdsSettings.PDS_HOSTNAME} = {

     

       32
       32
       +
             serverAliases = [ "*.${pdsSettings.PDS_HOSTNAME}" ];

     

       33
       33
       +
             extraConfig = ''

     

       34
       34
       +
               tls {

     

       35
       35
       +
                 on_demand

     

       36
       36
       +
               }

     

       37
       37
       +
       

     

       38
       38
       +
               reverse_proxy http://127.0.0.1:${toString pdsSettings.PDS_PORT}

     

       39
       39
       +
       

     

       40
       40
       +
               handle /xrpc/app.bsky.unspecced.getAgeAssuranceState {

     

       41
       41
       +
                 header content-type "application/json"

     

       42
       42
       +
                 header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy"

     

       43
       43
       +
                 header access-control-allow-origin "*"

     

       44
       44
       +
                 respond `{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}` 200

     

       45
       45
       +
               }

     

       46
       46
       +
             '';

     

       47
       47
       +
           };

     

       48
       48
       +
         };

     

       49
       49
       +
       

     

       50
       50
       +
         networking.firewall.allowedTCPPorts = [

     

       51
       51
       +
           80

     

       52
       52
       +
           443

     

       53
       53
       +
         ];

     

       54
       54
       +
       }