comparing 9b355fc2fa939912f3c9bb096ab6251c6c9fe7b5 and main on starhaven.dev/infra

+212 -4

flake.lock

···

       1
        
       {

     

       2
        
         "nodes": {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       3
        
           "nixpkgs": {

     

       4
        
             "locked": {

     

       5
       -
               "lastModified": 1764517877,

     

       6
       -
               "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",

     

       7
        
               "owner": "NixOS",

     

       8
        
               "repo": "nixpkgs",

     

       9
       -
               "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",

     

       10
        
               "type": "github"

     

       11
        
             },

     

       12
        
             "original": {

     
···

       19
        
           "root": {

     

       20
        
             "inputs": {

     

       21
        
               "nixpkgs": "nixpkgs",

     

       22
       -
               "sops-nix": "sops-nix"

     

       0
        
       
     

       23
        
             }

     

       24
        
           },

     

       25
        
           "sops-nix": {

     
···

       40
        
               "owner": "Mic92",

     

       41
        
               "repo": "sops-nix",

     

       42
        
               "type": "github"

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       43
        
             }

     

       44
        
           }

     

       45
        
         },

···

       1
        
       {

     

       2
        
         "nodes": {

     

       3
       +
           "actor-typeahead-src": {

     

       4
       +
             "flake": false,

     

       5
       +
             "locked": {

     

       6
       +
               "lastModified": 1762835797,

     

       7
       +
               "narHash": "sha256-heizoWUKDdar6ymfZTnj3ytcEv/L4d4fzSmtr0HlXsQ=",

     

       8
       +
               "ref": "refs/heads/main",

     

       9
       +
               "rev": "677fe7f743050a4e7f09d4a6f87bbf1325a06f6b",

     

       10
       +
               "revCount": 6,

     

       11
       +
               "type": "git",

     

       12
       +
               "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead"

     

       13
       +
             },

     

       14
       +
             "original": {

     

       15
       +
               "type": "git",

     

       16
       +
               "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead"

     

       17
       +
             }

     

       18
       +
           },

     

       19
       +
           "flake-compat": {

     

       20
       +
             "flake": false,

     

       21
       +
             "locked": {

     

       22
       +
               "lastModified": 1751685974,

     

       23
       +
               "narHash": "sha256-NKw96t+BgHIYzHUjkTK95FqYRVKB8DHpVhefWSz/kTw=",

     

       24
       +
               "rev": "549f2762aebeff29a2e5ece7a7dc0f955281a1d1",

     

       25
       +
               "type": "tarball",

     

       26
       +
               "url": "https://git.lix.systems/api/v1/repos/lix-project/flake-compat/archive/549f2762aebeff29a2e5ece7a7dc0f955281a1d1.tar.gz?rev=549f2762aebeff29a2e5ece7a7dc0f955281a1d1"

     

       27
       +
             },

     

       28
       +
             "original": {

     

       29
       +
               "type": "tarball",

     

       30
       +
               "url": "https://git.lix.systems/lix-project/flake-compat/archive/main.tar.gz"

     

       31
       +
             }

     

       32
       +
           },

     

       33
       +
           "flake-utils": {

     

       34
       +
             "inputs": {

     

       35
       +
               "systems": "systems"

     

       36
       +
             },

     

       37
       +
             "locked": {

     

       38
       +
               "lastModified": 1694529238,

     

       39
       +
               "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",

     

       40
       +
               "owner": "numtide",

     

       41
       +
               "repo": "flake-utils",

     

       42
       +
               "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",

     

       43
       +
               "type": "github"

     

       44
       +
             },

     

       45
       +
             "original": {

     

       46
       +
               "owner": "numtide",

     

       47
       +
               "repo": "flake-utils",

     

       48
       +
               "type": "github"

     

       49
       +
             }

     

       50
       +
           },

     

       51
       +
           "gomod2nix": {

     

       52
       +
             "inputs": {

     

       53
       +
               "flake-utils": "flake-utils",

     

       54
       +
               "nixpkgs": [

     

       55
       +
                 "tangled",

     

       56
       +
                 "nixpkgs"

     

       57
       +
               ]

     

       58
       +
             },

     

       59
       +
             "locked": {

     

       60
       +
               "lastModified": 1754078208,

     

       61
       +
               "narHash": "sha256-YVoIFDCDpYuU3riaDEJ3xiGdPOtsx4sR5eTzHTytPV8=",

     

       62
       +
               "owner": "nix-community",

     

       63
       +
               "repo": "gomod2nix",

     

       64
       +
               "rev": "7f963246a71626c7fc70b431a315c4388a0c95cf",

     

       65
       +
               "type": "github"

     

       66
       +
             },

     

       67
       +
             "original": {

     

       68
       +
               "owner": "nix-community",

     

       69
       +
               "repo": "gomod2nix",

     

       70
       +
               "type": "github"

     

       71
       +
             }

     

       72
       +
           },

     

       73
       +
           "htmx-src": {

     

       74
       +
             "flake": false,

     

       75
       +
             "locked": {

     

       76
       +
               "narHash": "sha256-nm6avZuEBg67SSyyZUhjpXVNstHHgUxrtBHqJgowU08=",

     

       77
       +
               "type": "file",

     

       78
       +
               "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"

     

       79
       +
             },

     

       80
       +
             "original": {

     

       81
       +
               "type": "file",

     

       82
       +
               "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"

     

       83
       +
             }

     

       84
       +
           },

     

       85
       +
           "htmx-ws-src": {

     

       86
       +
             "flake": false,

     

       87
       +
             "locked": {

     

       88
       +
               "narHash": "sha256-2fg6KyEJoO24q0fQqbz9RMaYNPQrMwpZh29tkSqdqGY=",

     

       89
       +
               "type": "file",

     

       90
       +
               "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2"

     

       91
       +
             },

     

       92
       +
             "original": {

     

       93
       +
               "type": "file",

     

       94
       +
               "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2"

     

       95
       +
             }

     

       96
       +
           },

     

       97
       +
           "ibm-plex-mono-src": {

     

       98
       +
             "flake": false,

     

       99
       +
             "locked": {

     

       100
       +
               "lastModified": 1731402384,

     

       101
       +
               "narHash": "sha256-OwUmrPfEehLDz0fl2ChYLK8FQM2p0G1+EMrGsYEq+6g=",

     

       102
       +
               "type": "tarball",

     

       103
       +
               "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip"

     

       104
       +
             },

     

       105
       +
             "original": {

     

       106
       +
               "type": "tarball",

     

       107
       +
               "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip"

     

       108
       +
             }

     

       109
       +
           },

     

       110
       +
           "indigo": {

     

       111
       +
             "flake": false,

     

       112
       +
             "locked": {

     

       113
       +
               "lastModified": 1753693716,

     

       114
       +
               "narHash": "sha256-DMIKnCJRODQXEHUxA+7mLzRALmnZhkkbHlFT2rCQYrE=",

     

       115
       +
               "owner": "oppiliappan",

     

       116
       +
               "repo": "indigo",

     

       117
       +
               "rev": "5f170569da9360f57add450a278d73538092d8ca",

     

       118
       +
               "type": "github"

     

       119
       +
             },

     

       120
       +
             "original": {

     

       121
       +
               "owner": "oppiliappan",

     

       122
       +
               "repo": "indigo",

     

       123
       +
               "type": "github"

     

       124
       +
             }

     

       125
       +
           },

     

       126
       +
           "inter-fonts-src": {

     

       127
       +
             "flake": false,

     

       128
       +
             "locked": {

     

       129
       +
               "lastModified": 1731687360,

     

       130
       +
               "narHash": "sha256-5vdKKvHAeZi6igrfpbOdhZlDX2/5+UvzlnCQV6DdqoQ=",

     

       131
       +
               "type": "tarball",

     

       132
       +
               "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"

     

       133
       +
             },

     

       134
       +
             "original": {

     

       135
       +
               "type": "tarball",

     

       136
       +
               "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"

     

       137
       +
             }

     

       138
       +
           },

     

       139
       +
           "lucide-src": {

     

       140
       +
             "flake": false,

     

       141
       +
             "locked": {

     

       142
       +
               "lastModified": 1754044466,

     

       143
       +
               "narHash": "sha256-+exBR2OToB1iv7ZQI2S4B0lXA/QRvC9n6U99UxGpJGs=",

     

       144
       +
               "type": "tarball",

     

       145
       +
               "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"

     

       146
       +
             },

     

       147
       +
             "original": {

     

       148
       +
               "type": "tarball",

     

       149
       +
               "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"

     

       150
       +
             }

     

       151
       +
           },

     

       152
        
           "nixpkgs": {

     

       153
        
             "locked": {

     

       154
       +
               "lastModified": 1764667669,

     

       155
       +
               "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",

     

       156
        
               "owner": "NixOS",

     

       157
        
               "repo": "nixpkgs",

     

       158
       +
               "rev": "418468ac9527e799809c900eda37cbff999199b6",

     

       159
        
               "type": "github"

     

       160
        
             },

     

       161
        
             "original": {

     
···

       168
        
           "root": {

     

       169
        
             "inputs": {

     

       170
        
               "nixpkgs": "nixpkgs",

     

       171
       +
               "sops-nix": "sops-nix",

     

       172
       +
               "tangled": "tangled"

     

       173
        
             }

     

       174
        
           },

     

       175
        
           "sops-nix": {

     
···

       190
        
               "owner": "Mic92",

     

       191
        
               "repo": "sops-nix",

     

       192
        
               "type": "github"

     

       193
       +
             }

     

       194
       +
           },

     

       195
       +
           "sqlite-lib-src": {

     

       196
       +
             "flake": false,

     

       197
       +
             "locked": {

     

       198
       +
               "lastModified": 1706631843,

     

       199
       +
               "narHash": "sha256-bJoMjirsBjm2Qk9KPiy3yV3+8b/POlYe76/FQbciHro=",

     

       200
       +
               "type": "tarball",

     

       201
       +
               "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip"

     

       202
       +
             },

     

       203
       +
             "original": {

     

       204
       +
               "type": "tarball",

     

       205
       +
               "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip"

     

       206
       +
             }

     

       207
       +
           },

     

       208
       +
           "systems": {

     

       209
       +
             "locked": {

     

       210
       +
               "lastModified": 1681028828,

     

       211
       +
               "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",

     

       212
       +
               "owner": "nix-systems",

     

       213
       +
               "repo": "default",

     

       214
       +
               "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",

     

       215
       +
               "type": "github"

     

       216
       +
             },

     

       217
       +
             "original": {

     

       218
       +
               "owner": "nix-systems",

     

       219
       +
               "repo": "default",

     

       220
       +
               "type": "github"

     

       221
       +
             }

     

       222
       +
           },

     

       223
       +
           "tangled": {

     

       224
       +
             "inputs": {

     

       225
       +
               "actor-typeahead-src": "actor-typeahead-src",

     

       226
       +
               "flake-compat": "flake-compat",

     

       227
       +
               "gomod2nix": "gomod2nix",

     

       228
       +
               "htmx-src": "htmx-src",

     

       229
       +
               "htmx-ws-src": "htmx-ws-src",

     

       230
       +
               "ibm-plex-mono-src": "ibm-plex-mono-src",

     

       231
       +
               "indigo": "indigo",

     

       232
       +
               "inter-fonts-src": "inter-fonts-src",

     

       233
       +
               "lucide-src": "lucide-src",

     

       234
       +
               "nixpkgs": [

     

       235
       +
                 "nixpkgs"

     

       236
       +
               ],

     

       237
       +
               "sqlite-lib-src": "sqlite-lib-src"

     

       238
       +
             },

     

       239
       +
             "locked": {

     

       240
       +
               "lastModified": 1764871901,

     

       241
       +
               "narHash": "sha256-P+4bXuzU66XYwvhw4SIC6T/dS5O5ascASGL4cb2TNuI=",

     

       242
       +
               "ref": "refs/heads/master",

     

       243
       +
               "rev": "ca41f2429eb734a16c5f5061940acda4033d437f",

     

       244
       +
               "revCount": 1697,

     

       245
       +
               "type": "git",

     

       246
       +
               "url": "https://tangled.org/tangled.org/core"

     

       247
       +
             },

     

       248
       +
             "original": {

     

       249
       +
               "type": "git",

     

       250
       +
               "url": "https://tangled.org/tangled.org/core"

     

       251
        
             }

     

       252
        
           }

     

       253
        
         },

+2 -2

modules/auto-upgrade.nix

···

       1
        
       {

     

       2
        
         system.autoUpgrade = {

     

       3
       -
           enable = false; # TODO

     

       4
       -
           flake = "git+https://tangled.org/starhaven.dev/infra"; # TODO

     

       5
        
           flags = [

     

       6
        
             "-L" # print build logs

     

       7
        
           ];

···

       1
        
       {

     

       2
        
         system.autoUpgrade = {

     

       3
       +
           enable = true;

     

       4
       +
           flake = "git+https://tangled.org/starhaven.dev/infra";

     

       5
        
           flags = [

     

       6
        
             "-L" # print build logs

     

       7
        
           ];

+13 -4

secrets/kuribo/pds.env

···

       1
        
       PDS_JWT_SECRET=ENC[AES256_GCM,data:SwmU7j+3kfoCCQlZk/LAzytRoVSb7tgKI6tGdZKJThg=,iv:1WCvMVlPR4L7rO/YUmkobjHcXlSGlyIo80ir+GymdeQ=,tag:WbGeolX/pzSZ+LA8ueUygA==,type:str]

     

       2
        
       PDS_ADMIN_PASSWORD=ENC[AES256_GCM,data:+U1Tw+rRcb9rPjZTsOZ9ZYdVeTRFjv8yhuSCCFIe+wQ=,iv:TLJ+HJ8hDXcaZ/9qtSonnOE1oz4JngxuXJLjXpqdDwU=,tag:W7Hi9XMXUMUZAimnAc6uJQ==,type:str]

     

       3
        
       PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=ENC[AES256_GCM,data:thNijhgsq106+SJVnoseWu1S8SU2AB8Z5EqjKUzMBm+29FB146dmqPOphXL5yBPDuj0gjzFvfu4W7BOAKcx7fA==,iv:zcmhJopT8WHN2GfhDGO1oYp/NeyPpXeNrg6AVmDYMGk=,tag:JLcO4aVuKMVgRU6pirks+A==,type:str]

     

       4
       -
       PDS_EMAIL_SMTP_URL=ENC[AES256_GCM,data:ltLt4Q7CaIL4swhDA2pBcMRR2gaMGcYw/7E7JtU4bMotEXrEO19V5ySomjbdFs3ImFzMtVVNY0am9R5Q40TZq85r6zDsoGv6,iv:Kh10CNUhkzqj5PROyFgGme0KUspZL/epxiQf2Ej0G6Y=,tag:noT7j38nip6OLbnwr8AWDQ==,type:str]

     

       5
       -
       PDS_EMAIL_FROM_ADDRESS=ENC[AES256_GCM,data:VxEX3on/7jQ/SXmr53bvFzd3O/xu,iv:yehoA4hxkJ6UOjv625834otS1Es4uKtarjZjKFk2sJI=,tag:XaplSBikfq97mLTq+XyOrQ==,type:str]

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       6
        
       sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkenRnNWFlMzBIOTJsclYw\nSkw3ZW9pa0NRejRQd1FmOENTaE54UU4rcHkwCjFBSXljeTdQeGhXZDZrWS9JUkx0\nUXpxWUVKZTdGWjVLT1FRUmloMXhNdWcKLS0tIEhERVFJNU5pSU00b3MxUHB1Y280\nWTFiaTh0YXJyUXFKNGNrOE84elRONVUK20OPeWSZW2A9mTnEDfQmDc7n3jvUQhxb\nBatl6b0ismrkTWcRJK8nxImcvxBtMMCLfzK5Wt/9gBLJ6VDT6UPYFg==\n-----END AGE ENCRYPTED FILE-----\n

     

       7
        
       sops_age__list_0__map_recipient=age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2

     

       8
        
       sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4OVBaMzZ3UGd1R25SczNN\nd3R6bzVGTkN0SWpjb05wankvb2tpNTJvZlR3CjhwYUdHaTJ6Y1VPSTltOHhNbWdL\ncGs3OEJqaFljUFRhUVNncm13RFdETTgKLS0tIG1Mb1ZXQ3BpejdteWFkWUFyOGJu\ndFpyWkNiK2hoNlROd09xTzVueFdSUmcKDrIcoDDH2O/c9dyS/oLL0rudsrsmtOhJ\n55QagSzYouGlJbpl2xtBeUplg1WcEBX7FSW3UWFbz+Gc0/Rv76jRCA==\n-----END AGE ENCRYPTED FILE-----\n

     

       9
        
       sops_age__list_1__map_recipient=age1dhxleu7puseq4fz5gprzdssprdd452kjry2n47xaqfh22p5eyqfs68zysl

     

       10
       -
       sops_lastmodified=2025-12-01T18:49:36Z

     

       11
       -
       sops_mac=ENC[AES256_GCM,data:tSPG0g8XpTu0IJ8GQKIUczVlreLbZ/VFncomwSVzFEIXloJ6QQsX2hobyFCW4RwovQoZnVfO4uL8Ku/SIjsLIMCejLiGXAa4r0VDDZtxhnaX7tPBecG7gE3Ke15V4bT6B9uxB7TGhJYTsTlq/tb8D7UZG2+yWudFry8ArJRFxp0=,iv:9vxvakrxx8EmNBPSY1wnoV5cHx2/8GqGhNLYHyDj74w=,tag:5NeNRKenYykPj6b13bHFOg==,type:str]

     

       12
        
       sops_unencrypted_suffix=_unencrypted

     

       13
        
       sops_version=3.11.0

···

       1
        
       PDS_JWT_SECRET=ENC[AES256_GCM,data:SwmU7j+3kfoCCQlZk/LAzytRoVSb7tgKI6tGdZKJThg=,iv:1WCvMVlPR4L7rO/YUmkobjHcXlSGlyIo80ir+GymdeQ=,tag:WbGeolX/pzSZ+LA8ueUygA==,type:str]

     

       2
        
       PDS_ADMIN_PASSWORD=ENC[AES256_GCM,data:+U1Tw+rRcb9rPjZTsOZ9ZYdVeTRFjv8yhuSCCFIe+wQ=,iv:TLJ+HJ8hDXcaZ/9qtSonnOE1oz4JngxuXJLjXpqdDwU=,tag:W7Hi9XMXUMUZAimnAc6uJQ==,type:str]

     

       3
        
       PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=ENC[AES256_GCM,data:thNijhgsq106+SJVnoseWu1S8SU2AB8Z5EqjKUzMBm+29FB146dmqPOphXL5yBPDuj0gjzFvfu4W7BOAKcx7fA==,iv:zcmhJopT8WHN2GfhDGO1oYp/NeyPpXeNrg6AVmDYMGk=,tag:JLcO4aVuKMVgRU6pirks+A==,type:str]

     

       4
       +
       PDS_EMAIL_SMTP_URL=ENC[AES256_GCM,data:SEM3Kr3oJH+Qgf68hAFa+5kxvpak8KrQmvqNIANgUaZflik7uQQpmN+nYDLPIv7NAzKBTt+0jIWCLi9HfD5fZKYNiJCa8oJb7w==,iv:+nCm3k4SBOXsVhctz9PPkCcpuD/yv2kBQmfB1nHjKT0=,tag:IUmyDZco9Yy1z/Ahp0bDOw==,type:str]

     

       5
       +
       PDS_EMAIL_FROM_ADDRESS=ENC[AES256_GCM,data:O+F92VuNJPZV5ihqG9KAYcTFZpCd,iv:C9g6AQ9h6seu0WYIkmLqTL9FUluky8p9WMOdavhJfwg=,tag:Ab6L4i21b4eIZ7hnPA3GHg==,type:str]

     

       6
       +
       PDS_BLOBSTORE_S3_BUCKET=ENC[AES256_GCM,data:a2jMY4b0HZEd,iv:IL4aG6cNOI3VLS+axwr47ZLPXQ8NAz4ZmtcHsVkYZE0=,tag:PedqBtofxgtARa4L81sMOw==,type:str]

     

       7
       +
       PDS_BLOBSTORE_S3_REGION=ENC[AES256_GCM,data:jA5Fbg==,iv:oa73XQbCcMuYlSaDzs6TgAxe8QkofaIbTLjGLYViGtE=,tag:RaJcADDkLBNAeP9deMqFqA==,type:str]

     

       8
       +
       PDS_BLOBSTORE_S3_ENDPOINT=ENC[AES256_GCM,data:f4Sg8Zb3KK7rbi7wxDvl05YcAq7FhejgbYRwQMNkzG8jxxk=,iv:RCN8LTqEb327n0ICipVerIAHXq/EzLsDx2uPIOg0VTc=,tag:/SV9uPuAr2S3O5rRDDqwRQ==,type:str]

     

       9
       +
       PDS_BLOBSTORE_S3_ACCESS_KEY_ID=ENC[AES256_GCM,data:3xbCb2QO3x/jI4W+OXTuLcA18XE=,iv:Bs9knoz+PVZRbUIF1TnVP8bvP8xbN7ItVgQHsDDkQd4=,tag:4yqYBRGHUA8KurW19G9X8A==,type:str]

     

       10
       +
       PDS_BLOBSTORE_S3_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:MWIwduFqqe20aYD7dGedcQskSQ6mAoDc55YvAjn1fYxzN6RCNgE28Q==,iv:C8NEL9+3UoN2uv8XG3Bpjedb1pans8g1YuyYdnQ918I=,tag:5hN28CsG67WOaL606k5Y6w==,type:str]

     

       11
       +
       PDS_HCAPTCHA_SITE_KEY=ENC[AES256_GCM,data:qkhAjbyESlfzmeeNFBvE9OmM5bsbAG/lK0TFgJ0yRpPU8sEP,iv:3LL84eHS9A8c2FFovYi/g4+NroqLesbjIFhDnqLtEnc=,tag:EMPmyYSubtK/RJsa7GglqA==,type:str]

     

       12
       +
       PDS_HCAPTCHA_SECRET_KEY=ENC[AES256_GCM,data:8eO1yMUYo3wnwe0z9n4WygNOpQPBmktbLukFSvAAOyC1Bic=,iv:5VllqLj5Wn0Lfj5X/Jobtk7qSRGm3rxIZuYFSyjkfJc=,tag:GQj6h6Fmzgj15LpQVKjUiQ==,type:str]

     

       13
       +
       PDS_HCAPTCHA_TOKEN_SALT=ENC[AES256_GCM,data:no+3mQ==,iv:qXz3svuAPQFEkidBIT0xND+69UjlNbwVqbIM/2rl6rE=,tag:WIP/jBABy2+k5EAD6Mb7AA==,type:str]

     

       14
       +
       CLOUDFLARE_API_TOKEN=ENC[AES256_GCM,data:1evMsnfzqoQtkFyzULhcKsmvOORGvRLUbUs1BvES7jQ99PFSUQ3B9w==,iv:6R40bMGDJOkD/OH9Cwzb6jjI1Syg90WvnVxHddd4yCU=,tag:U1sY/8m4VGOxh1IYQ/P3uQ==,type:str]

     

       15
        
       sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkenRnNWFlMzBIOTJsclYw\nSkw3ZW9pa0NRejRQd1FmOENTaE54UU4rcHkwCjFBSXljeTdQeGhXZDZrWS9JUkx0\nUXpxWUVKZTdGWjVLT1FRUmloMXhNdWcKLS0tIEhERVFJNU5pSU00b3MxUHB1Y280\nWTFiaTh0YXJyUXFKNGNrOE84elRONVUK20OPeWSZW2A9mTnEDfQmDc7n3jvUQhxb\nBatl6b0ismrkTWcRJK8nxImcvxBtMMCLfzK5Wt/9gBLJ6VDT6UPYFg==\n-----END AGE ENCRYPTED FILE-----\n

     

       16
        
       sops_age__list_0__map_recipient=age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2

     

       17
        
       sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4OVBaMzZ3UGd1R25SczNN\nd3R6bzVGTkN0SWpjb05wankvb2tpNTJvZlR3CjhwYUdHaTJ6Y1VPSTltOHhNbWdL\ncGs3OEJqaFljUFRhUVNncm13RFdETTgKLS0tIG1Mb1ZXQ3BpejdteWFkWUFyOGJu\ndFpyWkNiK2hoNlROd09xTzVueFdSUmcKDrIcoDDH2O/c9dyS/oLL0rudsrsmtOhJ\n55QagSzYouGlJbpl2xtBeUplg1WcEBX7FSW3UWFbz+Gc0/Rv76jRCA==\n-----END AGE ENCRYPTED FILE-----\n

     

       18
        
       sops_age__list_1__map_recipient=age1dhxleu7puseq4fz5gprzdssprdd452kjry2n47xaqfh22p5eyqfs68zysl

     

       19
       +
       sops_lastmodified=2025-12-04T19:58:02Z

     

       20
       +
       sops_mac=ENC[AES256_GCM,data:j78zbHBXs1QaklOG6Bh40WSg+Dx++Wv47Tnw+rTW/YW7Xi+dDb6w1ixoR8/563KE396+5YP3PGshzF75gG8cUICq0sg3RBC7RZUGfACeMQVc4e2Zx/w3LwxrgPaZeV1d6WeCRUyACIjogt5xNiFVYPqcvUck8wiR2IrxI5PJdA4=,iv:dy0QQg6BgutGv2F2sjhvZ0WkUGRflfVT0IpAx7RlXkg=,tag:6DOBdEdzcz7S1SDS4+d4hw==,type:str]

     

       21
        
       sops_unencrypted_suffix=_unencrypted

     

       22
        
       sops_version=3.11.0

+215

servers/kuribo/ondemand_tls_helper.py

···

       1
       +
       """

     

       2
       +
       This HTTP service implements the /tls-check endpoint used by Caddy's

     

       3
       +
       on_demand_tls.ask configuration. Behavior:

     

       4
       +
       

     

       5
       +
       - If the query parameter `domain` is ALLOWED  -> return HTTP 200 OK with body "OK".

     

       6
       +
       - Otherwise proxy the request (including the query string) to the real PDS

     

       7
       +
         tls-check endpoint at http://127.0.0.1:<PDS_PORT>/tls-check and forward

     

       8
       +
         the upstream status and body.

     

       9
       +
       """

     

       10
       +
       

     

       11
       +
       import logging

     

       12
       +
       import os

     

       13
       +
       import socket

     

       14
       +
       import sys

     

       15
       +
       import urllib.error

     

       16
       +
       import urllib.request

     

       17
       +
       from http.server import BaseHTTPRequestHandler, HTTPServer

     

       18
       +
       from urllib.parse import parse_qs, urlparse

     

       19
       +
       

     

       20
       +
       # Configuration (can be overridden with env vars)

     

       21
       +
       PDS_PORT = int(os.environ.get("PDS_PORT", "3000"))

     

       22
       +
       LISTEN_HOST = os.environ.get("LISTEN_HOST", "127.0.0.1")

     

       23
       +
       LISTEN_PORT = int(os.environ.get("LISTEN_PORT", "8081"))

     

       24
       +
       TIMEOUT = float(os.environ.get("TIMEOUT", "5.0"))

     

       25
       +
       

     

       26
       +
       # Allowed domain values (lowercase)

     

       27
       +
       ALLOWED = {"pds", "knot", "spindle"}

     

       28
       +
       

     

       29
       +
       # Configure logging to stderr (systemd/journal-friendly)

     

       30
       +
       logging.basicConfig(

     

       31
       +
           level=logging.INFO,

     

       32
       +
           format="%(asctime)s %(levelname)s %(message)s",

     

       33
       +
           stream=sys.stderr,

     

       34
       +
       )

     

       35
       +
       

     

       36
       +
       

     

       37
       +
       def filter_response_headers(headers):

     

       38
       +
           """

     

       39
       +
           Given an iterable of (header, value) pairs or a mapping-like object,

     

       40
       +
           return a dict with hop-by-hop headers removed. This avoids sending

     

       41
       +
           problematic headers to the client (Caddy).

     

       42
       +
           """

     

       43
       +
           hop_by_hop = {

     

       44
       +
               "connection",

     

       45
       +
               "keep-alive",

     

       46
       +
               "proxy-authenticate",

     

       47
       +
               "proxy-authorization",

     

       48
       +
               "te",

     

       49
       +
               "trailers",

     

       50
       +
               "transfer-encoding",

     

       51
       +
               "upgrade",

     

       52
       +
           }

     

       53
       +
           result = {}

     

       54
       +
           if hasattr(headers, "items"):

     

       55
       +
               iterator = headers.items()

     

       56
       +
           else:

     

       57
       +
               iterator = headers

     

       58
       +
           for k, v in iterator:

     

       59
       +
               if k.lower() not in hop_by_hop:

     

       60
       +
                   result[k] = v

     

       61
       +
           return result

     

       62
       +
       

     

       63
       +
       

     

       64
       +
       class TLSCheckHandler(BaseHTTPRequestHandler):

     

       65
       +
           # Reduce console noise from BaseHTTPRequestHandler

     

       66
       +
           def log_message(self, format, *args):

     

       67
       +
               # route to logging module at INFO level

     

       68
       +
               logging.info("%s - %s", self.client_address[0], format % args)

     

       69
       +
       

     

       70
       +
           def _send(self, status, body=b"", headers=None):

     

       71
       +
               # Send status, headers, and body to the client

     

       72
       +
               self.send_response(status)

     

       73
       +
               if headers:

     

       74
       +
                   for k, v in headers.items():

     

       75
       +
                       # BaseHTTPRequestHandler will fold multiple headers set via send_header

     

       76
       +
                       # if necessary; we assume simple string values here.

     

       77
       +
                       try:

     

       78
       +
                           self.send_header(k, v)

     

       79
       +
                       except Exception:

     

       80
       +
                           # Ignore any header-setting errors; continue to send response

     

       81
       +
                           logging.debug("skipping header %r due to error", k)

     

       82
       +
               else:

     

       83
       +
                   self.send_header("Content-Type", "text/plain; charset=utf-8")

     

       84
       +
               self.end_headers()

     

       85
       +
               if body:

     

       86
       +
                   if isinstance(body, str):

     

       87
       +
                       body = body.encode("utf-8")

     

       88
       +
                   try:

     

       89
       +
                       self.wfile.write(body)

     

       90
       +
                   except BrokenPipeError:

     

       91
       +
                       # Client disconnected early; nothing to do

     

       92
       +
                       pass

     

       93
       +
       

     

       94
       +
           def _proxy_to_pds(self, path_with_query):

     

       95
       +
               """

     

       96
       +
               Proxy a request to http://127.0.0.1:<PDS_PORT><path_with_query>.

     

       97
       +
               Returns (status, body_bytes, headers_dict).

     

       98
       +
               """

     

       99
       +
               target = f"http://127.0.0.1:{PDS_PORT}{path_with_query}"

     

       100
       +
               logging.debug("proxying to upstream: %s", target)

     

       101
       +
               req = urllib.request.Request(

     

       102
       +
                   target, headers={"User-Agent": "ondemand-tls-helper/1.0"}

     

       103
       +
               )

     

       104
       +
               try:

     

       105
       +
                   with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:

     

       106
       +
                       data = resp.read()

     

       107
       +
                       headers = filter_response_headers(resp.getheaders())

     

       108
       +
                       return resp.status, data, headers

     

       109
       +
               except urllib.error.HTTPError as e:

     

       110
       +
                   # Upstream returned an HTTP error; return its body and status

     

       111
       +
                   try:

     

       112
       +
                       data = e.read()

     

       113
       +
                   except Exception:

     

       114
       +
                       data = b""

     

       115
       +
                   status = getattr(e, "code", 502)

     

       116
       +
                   headers = {}

     

       117
       +
                   logging.info("upstream returned HTTPError %s for %s", status, target)

     

       118
       +
                   return status, data, headers

     

       119
       +
               except Exception as e:

     

       120
       +
                   logging.exception("error proxying to upstream %s: %s", target, e)

     

       121
       +
                   # Return 502 Bad Gateway

     

       122
       +
                   return 502, f"upstream error: {e}".encode("utf-8"), {}

     

       123
       +
       

     

       124
       +
           def _get_domain_param(self):

     

       125
       +
               parsed = urlparse(self.path)

     

       126
       +
               qs = parse_qs(parsed.query)

     

       127
       +
               domain_vals = qs.get("domain") or []

     

       128
       +
               if not domain_vals:

     

       129
       +
                   return ""

     

       130
       +
               return domain_vals[0].strip().lower()

     

       131
       +
       

     

       132
       +
           def do_GET(self):

     

       133
       +
               parsed = urlparse(self.path)

     

       134
       +
               path_with_query = parsed.path + ("?" + parsed.query if parsed.query else "")

     

       135
       +
               domain = self._get_domain_param()

     

       136
       +
       

     

       137
       +
               if domain in ALLOWED:

     

       138
       +
                   logging.debug("allowed domain %r -> returning 200", domain)

     

       139
       +
                   return self._send(200, "OK")

     

       140
       +
       

     

       141
       +
               status, body, headers = self._proxy_to_pds(path_with_query)

     

       142
       +
               return self._send(status, body, headers=headers)

     

       143
       +
       

     

       144
       +
           def do_HEAD(self):

     

       145
       +
               parsed = urlparse(self.path)

     

       146
       +
               path_with_query = parsed.path + ("?" + parsed.query if parsed.query else "")

     

       147
       +
               domain = self._get_domain_param()

     

       148
       +
       

     

       149
       +
               if domain in ALLOWED:

     

       150
       +
                   logging.debug("allowed domain (HEAD) %r -> returning 200", domain)

     

       151
       +
                   return self._send(200, b"")

     

       152
       +
       

     

       153
       +
               status, _, headers = self._proxy_to_pds(path_with_query)

     

       154
       +
               return self._send(status, b"", headers=headers)

     

       155
       +
       

     

       156
       +
       

     

       157
       +
       def run():

     

       158
       +
           server_address = (LISTEN_HOST, LISTEN_PORT)

     

       159
       +
           try:

     

       160
       +
               httpd = HTTPServer(server_address, TLSCheckHandler)

     

       161
       +
           except OSError as e:

     

       162
       +
               logging.error("cannot bind to %s:%s: %s", LISTEN_HOST, LISTEN_PORT, e)

     

       163
       +
               sys.exit(1)

     

       164
       +
       

     

       165
       +
           sa = httpd.socket.getsockname()

     

       166
       +
           logging.info("ondemand TLS helper listening on %s:%s", sa[0], sa[1])

     

       167
       +
           try:

     

       168
       +
               httpd.serve_forever()

     

       169
       +
           except KeyboardInterrupt:

     

       170
       +
               logging.info("shutting down on keyboard interrupt")

     

       171
       +
           except Exception:

     

       172
       +
               logging.exception("server crashed")

     

       173
       +
           finally:

     

       174
       +
               try:

     

       175
       +
                   httpd.server_close()

     

       176
       +
               except Exception:

     

       177
       +
                   pass

     

       178
       +
       

     

       179
       +
       

     

       180
       +
       if __name__ == "__main__":

     

       181
       +
           # Allow override of config via arguments if invoked with simple flags:

     

       182
       +
           #   --pds-port N --listen-host HOST --listen-port N --timeout S

     

       183
       +
           # to keep the script flexible for local testing.

     

       184
       +
           args = sys.argv[1:]

     

       185
       +
           it = iter(args)

     

       186
       +
           while True:

     

       187
       +
               try:

     

       188
       +
                   a = next(it)

     

       189
       +
               except StopIteration:

     

       190
       +
                   break

     

       191
       +
               if a in ("--pds-port",):

     

       192
       +
                   try:

     

       193
       +
                       PDS_PORT = int(next(it))

     

       194
       +
                   except StopIteration:

     

       195
       +
                       break

     

       196
       +
               elif a in ("--listen-host",):

     

       197
       +
                   try:

     

       198
       +
                       LISTEN_HOST = next(it)

     

       199
       +
                   except StopIteration:

     

       200
       +
                       break

     

       201
       +
               elif a in ("--listen-port",):

     

       202
       +
                   try:

     

       203
       +
                       LISTEN_PORT = int(next(it))

     

       204
       +
                   except StopIteration:

     

       205
       +
                       break

     

       206
       +
               elif a in ("--timeout",):

     

       207
       +
                   try:

     

       208
       +
                       TIMEOUT = float(next(it))

     

       209
       +
                   except StopIteration:

     

       210
       +
                       break

     

       211
       +
               else:

     

       212
       +
                   # ignore unknown args

     

       213
       +
                   continue

     

       214
       +
       

     

       215
       +
           run()

+66 -5

servers/kuribo/pds.nix

···

       1
       -
       { config, ... }:

     

       2
        
       let

     

       3
        
         pdsSettings = config.services.bluesky-pds.settings;

     

       4
        
       in

     
···

       14
        
           enable = true;

     

       15
        
           environmentFiles = [ config.sops.secrets.pds.path ];

     

       16
        
           settings = {

     

       0
        
       
     

       0
        
       
     

       17
        
             PDS_PORT = 3000;

     

       18
        
             PDS_HOSTNAME = "pds.starhaven.dev";

     

       19
        
             PDS_ADMIN_EMAIL = "admin@starhaven.dev";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       20
        
           };

     

       21
        
         };

     

       22
        
       

     

       23
        
         services.caddy = {

     

       24
        
           enable = true;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       25
        
           email = pdsSettings.PDS_ADMIN_EMAIL;

     

       26
        
           globalConfig = ''

     

       27
        
             on_demand_tls {

     

       28
       -
               ask http://127.0.0.1:${toString pdsSettings.PDS_PORT}/tls-check

     

       29
        
             }

     

       0
        
       
     

       0
        
       
     

       30
        
           '';

     

       31
       -
           virtualHosts.${pdsSettings.PDS_HOSTNAME} = {

     

       32
       -
             serverAliases = [ "*.${pdsSettings.PDS_HOSTNAME}" ];

     

       33
        
             extraConfig = ''

     

       34
        
               tls {

     

       35
        
                 on_demand

     

       36
        
               }

     

       37
        
       

     

       38
       -
               reverse_proxy http://127.0.0.1:${toString pdsSettings.PDS_PORT}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       39
        
       

     

       40
        
               handle /xrpc/app.bsky.unspecced.getAgeAssuranceState {

     

       41
        
                 header content-type "application/json"

     

       42
        
                 header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy"

     

       43
        
                 header access-control-allow-origin "*"

     

       44
        
                 respond `{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}` 200

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       45
        
               }

     

       46
        
             '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       47
        
           };

     

       48
        
         };

     

       49

···

       1
       +
       { config, pkgs, ... }:

     

       2
        
       let

     

       3
        
         pdsSettings = config.services.bluesky-pds.settings;

     

       4
        
       in

     
···

       14
        
           enable = true;

     

       15
        
           environmentFiles = [ config.sops.secrets.pds.path ];

     

       16
        
           settings = {

     

       17
       +
             # https://github.com/bluesky-social/atproto/blob/main/packages/pds/src/config/env.ts

     

       18
       +
       

     

       19
        
             PDS_PORT = 3000;

     

       20
        
             PDS_HOSTNAME = "pds.starhaven.dev";

     

       21
        
             PDS_ADMIN_EMAIL = "admin@starhaven.dev";

     

       22
       +
             PDS_CONTACT_EMAIL_ADDRESS = "admin@starhaven.dev";

     

       23
       +
             PDS_SERVICE_HANDLE_DOMAINS = ".starhaven.dev";

     

       24
       +
       

     

       25
       +
             # Branding

     

       26
       +
             PDS_SERVICE_NAME = "\"Star Haven\"";

     

       27
       +
             PDS_HOME_URL = "https://starhaven.dev";

     

       28
       +
             #PDS_LOGO_URL

     

       29
       +
             PDS_PRIMARY_COLOR = "#dbb23e";

     

       30
       +
             PDS_PRIMARY_COLOR_CONTRAST = "#000";

     

       31
       +
       

     

       32
       +
             # S3 is configured in secrets

     

       33
       +
             PDS_BLOBSTORE_DISK_LOCATION = null;

     

       34
        
           };

     

       35
        
         };

     

       36
        
       

     

       37
        
         services.caddy = {

     

       38
        
           enable = true;

     

       39
       +
           package = pkgs.caddy.withPlugins {

     

       40
       +
             plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ];

     

       41
       +
             hash = "sha256-ea8PC/+SlPRdEVVF/I3c1CBprlVp1nrumKM5cMwJJ3U=";

     

       42
       +
           };

     

       43
        
           email = pdsSettings.PDS_ADMIN_EMAIL;

     

       44
        
           globalConfig = ''

     

       45
        
             on_demand_tls {

     

       46
       +
               ask http://127.0.0.1:8081

     

       47
        
             }

     

       48
       +
       

     

       49
       +
             acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}

     

       50
        
           '';

     

       51
       +
           virtualHosts."*.starhaven.dev" = {

     

       0
        
       
     

       52
        
             extraConfig = ''

     

       53
        
               tls {

     

       54
        
                 on_demand

     

       55
        
               }

     

       56
        
       

     

       57
       +
               handle / {

     

       58
       +
                 redir https://starhaven.dev

     

       59
       +
               }

     

       60
       +
       

     

       61
       +
               @knot host ${toString config.services.tangled.knot.server.hostname}

     

       62
       +
               handle @knot {

     

       63
       +
                 reverse_proxy http://${toString config.services.tangled.knot.server.listenAddr}

     

       64
       +
               }

     

       65
       +
       

     

       66
       +
               @spindle host ${toString config.services.tangled.spindle.server.hostname}

     

       67
       +
               handle @spindle {

     

       68
       +
                 reverse_proxy http://${toString config.services.tangled.spindle.server.listenAddr}

     

       69
       +
               }

     

       70
        
       

     

       71
        
               handle /xrpc/app.bsky.unspecced.getAgeAssuranceState {

     

       72
        
                 header content-type "application/json"

     

       73
        
                 header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy"

     

       74
        
                 header access-control-allow-origin "*"

     

       75
        
                 respond `{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}` 200

     

       76
       +
               }

     

       77
       +
       

     

       78
       +
               handle {

     

       79
       +
                 reverse_proxy http://127.0.0.1:${toString pdsSettings.PDS_PORT}

     

       80
        
               }

     

       81
        
             '';

     

       82
       +
           };

     

       83
       +
         };

     

       84
       +
         systemd.services.caddy = {

     

       85
       +
           after = [

     

       86
       +
             "ondemand-tls-helper.service"

     

       87
       +
             "sops-nix.service"

     

       88
       +
           ];

     

       89
       +
           serviceConfig.EnvironmentFile = config.sops.secrets.pds.path;

     

       90
       +
         };

     

       91
       +
       

     

       92
       +
         environment.etc."ondemand_tls_helper.py" = {

     

       93
       +
           source = ./ondemand_tls_helper.py;

     

       94
       +
           mode = "0755";

     

       95
       +
         };

     

       96
       +
       

     

       97
       +
         systemd.services.ondemand-tls-helper = {

     

       98
       +
           description = "On-demand TLS helper for Caddy (returns 200 for allowed domains or proxies to PDS)";

     

       99
       +
           wantedBy = [ "multi-user.target" ];

     

       100
       +
           after = [ "network.target" ];

     

       101
       +
       

     

       102
       +
           serviceConfig = {

     

       103
       +
             ExecStart = "${pkgs.python3}/bin/python3 /etc/ondemand_tls_helper.py";

     

       104
       +
             Environment = "PDS_PORT=${toString pdsSettings.PDS_PORT}";

     

       105
       +
             User = "nobody";

     

       106
       +
             Restart = "always";

     

       107
       +
             RestartSec = 5;

     

       108
        
           };

     

       109
        
         };

     

       110

-14

servers/kuribo/tangled.nix

···

       1
       -
       { config, ... }:

     

       2
        
       let

     

       3
        
         owner = "did:plc:tjgdahiw3u2djgnigyqeummg";

     

       4
        
       in

     
···

       24
        
               inherit owner;

     

       25
        
               hostname = "spindle.starhaven.dev";

     

       26
        
             };

     

       27
       -
           };

     

       28
       -
         };

     

       29
       -
       

     

       30
       -
         services.caddy.virtualHosts = {

     

       31
       -
           ${config.services.tangled.knot.server.hostname} = {

     

       32
       -
             extraConfig = ''

     

       33
       -
               reverse_proxy http://${toString config.services.tangled.knot.server.listenAddr}

     

       34
       -
             '';

     

       35
       -
           };

     

       36
       -
           ${config.services.tangled.spindle.server.hostname} = {

     

       37
       -
             extraConfig = ''

     

       38
       -
               reverse_proxy http://${toString config.services.tangled.spindle.server.listenAddr}

     

       39
       -
             '';

     

       40
        
           };

     

       41
        
         };

     

       42
        
       }

···

       0
        
       
     

       1
        
       let

     

       2
        
         owner = "did:plc:tjgdahiw3u2djgnigyqeummg";

     

       3
        
       in

     
···

       23
        
               inherit owner;

     

       24
        
               hostname = "spindle.starhaven.dev";

     

       25
        
             };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       26
        
           };

     

       27
        
         };

     

       28
        
       }

Compare changes