patch of contrib,nix: local, sandboxed atmosphere infra · round #0 · pull #853 · tangled.org/core

+31

contrib/example.env

···

       1
       1
       +
       # NOTE: put actual DIDs here

     

       2
       2
       +
       alice_did=did:plc:alice-did

     

       3
       3
       +
       tangled_did=did:plc:tangled-did

     

       4
       4
       +
       

     

       5
       5
       +
       #core

     

       6
       6
       +
       export TANGLED_DEV=true

     

       7
       7
       +
       export TANGLED_APPVIEW_HOST=http://127.0.0.1:3000

     

       8
       8
       +
       # plc

     

       9
       9
       +
       export TANGLED_PLC_URL=https://plc.tngl.boltless.dev

     

       10
       10
       +
       # jetstream

     

       11
       11
       +
       export TANGLED_JETSTREAM_ENDPOINT=wss://jetstream.tngl.boltless.dev/subscribe

     

       12
       12
       +
       # label

     

       13
       13
       +
       export TANGLED_LABEL_GFI=at://${tangled_did}/sh.tangled.label.definition/good-first-issue

     

       14
       14
       +
       export TANGLED_LABEL_DEFAULTS=$TANGLED_LABEL_GFI

     

       15
       15
       +
       export TANGLED_LABEL_DEFAULTS=$TANGLED_LABEL_DEFAULTS,at://${tangled_did}/sh.tangled.label.definition/assignee

     

       16
       16
       +
       export TANGLED_LABEL_DEFAULTS=$TANGLED_LABEL_DEFAULTS,at://${tangled_did}/sh.tangled.label.definition/documentation

     

       17
       17
       +
       export TANGLED_LABEL_DEFAULTS=$TANGLED_LABEL_DEFAULTS,at://${tangled_did}/sh.tangled.label.definition/duplicate

     

       18
       18
       +
       export TANGLED_LABEL_DEFAULTS=$TANGLED_LABEL_DEFAULTS,at://${tangled_did}/sh.tangled.label.definition/wontfix

     

       19
       19
       +
       

     

       20
       20
       +
       # vm settings

     

       21
       21
       +
       export TANGLED_VM_PLC_URL=https://plc.tngl.boltless.dev

     

       22
       22
       +
       export TANGLED_VM_JETSTREAM_ENDPOINT=wss://jetstream.tngl.boltless.dev/subscribe

     

       23
       23
       +
       export TANGLED_VM_KNOT_HOST=knot.tngl.boltless.dev

     

       24
       24
       +
       export TANGLED_VM_KNOT_OWNER=$alice_did

     

       25
       25
       +
       export TANGLED_VM_SPINDLE_HOST=spindle.tngl.boltless.dev

     

       26
       26
       +
       export TANGLED_VM_SPINDLE_OWNER=$alice_did

     

       27
       27
       +
       

     

       28
       28
       +
       if [ -n "${TANGLED_RESEND_API_KEY:-}" ] && [ -n "${TANGLED_RESEND_SENT_FROM:-}" ]; then

     

       29
       29
       +
           export TANGLED_VM_PDS_EMAIL_SMTP_URL=smtps://resend:$TANGLED_RESEND_API_KEY@smtp.resend.com:465/

     

       30
       30
       +
           export TANGLED_VM_PDS_EMAIL_FROM_ADDRESS=$TANGLED_RESEND_SENT_FROM

     

       31
       31
       +
       fi

+12

contrib/pds.env

···

       1
       1
       +
       LOG_ENABLED=true

     

       2
       2
       +
       

     

       3
       3
       +
       PDS_JWT_SECRET=8cae8bffcc73d9932819650791e4e89a

     

       4
       4
       +
       PDS_ADMIN_PASSWORD=d6a902588cd93bee1af83f924f60cfd3

     

       5
       5
       +
       PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=2e92e336a50a618458e1097d94a1db86ec3fd8829d7735020cbae80625c761d7

     

       6
       6
       +
       

     

       7
       7
       +
       PDS_DATA_DIRECTORY=/pds

     

       8
       8
       +
       PDS_BLOBSTORE_DISK_LOCATION=/pds/blocks

     

       9
       9
       +
       

     

       10
       10
       +
       PDS_DID_PLC_URL=http://localhost:8080

     

       11
       11
       +
       PDS_HOSTNAME=pds.tngl.boltless.dev

     

       12
       12
       +
       PDS_PORT=3000

+26

contrib/readme.md

···

       1
       1
       +
       # how to setup local appview dev environment

     

       2
       2
       +
       

     

       3
       3
       +
       Appview requires several microservices from knot and spindle to entire atproto infra. This test environment is implemented under nixos vm.

     

       4
       4
       +
       

     

       5
       5
       +
       1. copy `contrib/example.env` to `.env`, fill it and source it

     

       6
       6
       +
       2. run vm

     

       7
       7
       +
         ```bash

     

       8
       8
       +
         nix run --impure .#vm

     

       9
       9
       +
         ```

     

       10
       10
       +
       3. trust the generated cert from host machine

     

       11
       11
       +
         ```bash

     

       12
       12
       +
         # for macos

     

       13
       13
       +
         sudo security add-trusted-cert -d -r trustRoot \

     

       14
       14
       +
           -k /Library/Keychains/System.keychain \

     

       15
       15
       +
           ./nix/vm-data/caddy/.local/share/caddy/pki/authorities/local/root.crt

     

       16
       16
       +
         ```

     

       17
       17
       +
       4. restart vm (now nixos self-trust caddy's rootCA)

     

       18
       18
       +
       5. create test accounts with valid emails (use [`create-test-account.sh`](./scripts/create-test-account.sh))

     

       19
       19
       +
       6. create default labels (use [`setup-const-records`](./scripts/setup-const-records.sh))

     

       20
       20
       +
       7. restart vm with correct owner-did

     

       21
       21
       +
       

     

       22
       22
       +
       for git-https, you should change your local git config:

     

       23
       23
       +
       ```

     

       24
       24
       +
       [http "https://knot.tngl.boltless.dev"]

     

       25
       25
       +
         sslCAPath = /Users/boltless/repo/tangled/nix/vm-data/caddy/.local/share/caddy/pki/authorities/local/

     

       26
       26
       +
       ```

+68

contrib/scripts/create-test-account.sh

···

       1
       1
       +
       #!/bin/bash

     

       2
       2
       +
       set -o errexit

     

       3
       3
       +
       set -o nounset

     

       4
       4
       +
       set -o pipefail

     

       5
       5
       +
       

     

       6
       6
       +
       source "$(dirname "$0")/../pds.env"

     

       7
       7
       +
       

     

       8
       8
       +
       # PDS_HOSTNAME=

     

       9
       9
       +
       # PDS_ADMIN_PASSWORD=

     

       10
       10
       +
       

     

       11
       11
       +
       # curl a URL and fail if the request fails.

     

       12
       12
       +
       function curl_cmd_get {

     

       13
       13
       +
         curl --fail --silent --show-error "$@"

     

       14
       14
       +
       }

     

       15
       15
       +
       

     

       16
       16
       +
       # curl a URL and fail if the request fails.

     

       17
       17
       +
       function curl_cmd_post {

     

       18
       18
       +
         curl --fail --silent --show-error --request POST --header "Content-Type: application/json" "$@"

     

       19
       19
       +
       }

     

       20
       20
       +
       

     

       21
       21
       +
       # curl a URL but do not fail if the request fails.

     

       22
       22
       +
       function curl_cmd_post_nofail {

     

       23
       23
       +
         curl --silent --show-error --request POST --header "Content-Type: application/json" "$@"

     

       24
       24
       +
       }

     

       25
       25
       +
       

     

       26
       26
       +
       USERNAME="${1:-}"

     

       27
       27
       +
       

     

       28
       28
       +
       if [[ "${USERNAME}" == "" ]]; then

     

       29
       29
       +
         read -p "Enter a username: " USERNAME

     

       30
       30
       +
       fi

     

       31
       31
       +
       

     

       32
       32
       +
       if [[ "${USERNAME}" == "" ]]; then

     

       33
       33
       +
         echo "ERROR: missing USERNAME parameter." >/dev/stderr

     

       34
       34
       +
         echo "Usage: $0 ${SUBCOMMAND} <USERNAME>" >/dev/stderr

     

       35
       35
       +
         exit 1

     

       36
       36
       +
       fi

     

       37
       37
       +
       

     

       38
       38
       +
       EMAIL=${USERNAME}@${PDS_HOSTNAME}

     

       39
       39
       +
       

     

       40
       40
       +
       PASSWORD="password"

     

       41
       41
       +
       INVITE_CODE="$(curl_cmd_post \

     

       42
       42
       +
         --user "admin:${PDS_ADMIN_PASSWORD}" \

     

       43
       43
       +
         --data '{"useCount": 1}' \

     

       44
       44
       +
         "https://${PDS_HOSTNAME}/xrpc/com.atproto.server.createInviteCode" | jq --raw-output '.code'

     

       45
       45
       +
       )"

     

       46
       46
       +
       RESULT="$(curl_cmd_post_nofail \

     

       47
       47
       +
         --data "{\"email\":\"${EMAIL}\", \"handle\":\"${USERNAME}.${PDS_HOSTNAME}\", \"password\":\"${PASSWORD}\", \"inviteCode\":\"${INVITE_CODE}\"}" \

     

       48
       48
       +
         "https://${PDS_HOSTNAME}/xrpc/com.atproto.server.createAccount"

     

       49
       49
       +
       )"

     

       50
       50
       +
       

     

       51
       51
       +
       DID="$(echo $RESULT | jq --raw-output '.did')"

     

       52
       52
       +
       if [[ "${DID}" != did:* ]]; then

     

       53
       53
       +
         ERR="$(echo ${RESULT} | jq --raw-output '.message')"

     

       54
       54
       +
         echo "ERROR: ${ERR}" >/dev/stderr

     

       55
       55
       +
         echo "Usage: $0 <EMAIL> <HANDLE>" >/dev/stderr

     

       56
       56
       +
         exit 1

     

       57
       57
       +
       fi

     

       58
       58
       +
       

     

       59
       59
       +
       echo

     

       60
       60
       +
       echo "Account created successfully!"

     

       61
       61
       +
       echo "-----------------------------"

     

       62
       62
       +
       echo "Handle   : ${USERNAME}.${PDS_HOSTNAME}"

     

       63
       63
       +
       echo "DID      : ${DID}"

     

       64
       64
       +
       echo "Password : ${PASSWORD}"

     

       65
       65
       +
       echo "-----------------------------"

     

       66
       66
       +
       echo "This is a test account with an insecure password."

     

       67
       67
       +
       echo "Make sure it's only used for development."

     

       68
       68
       +
       echo

+106

contrib/scripts/setup-const-records.sh

···

       1
       1
       +
       #!/bin/bash

     

       2
       2
       +
       set -o errexit

     

       3
       3
       +
       set -o nounset

     

       4
       4
       +
       set -o pipefail

     

       5
       5
       +
       

     

       6
       6
       +
       source "$(dirname "$0")/../pds.env"

     

       7
       7
       +
       

     

       8
       8
       +
       # PDS_HOSTNAME=

     

       9
       9
       +
       

     

       10
       10
       +
       # curl a URL and fail if the request fails.

     

       11
       11
       +
       function curl_cmd_get {

     

       12
       12
       +
         curl --fail --silent --show-error "$@"

     

       13
       13
       +
       }

     

       14
       14
       +
       

     

       15
       15
       +
       # curl a URL and fail if the request fails.

     

       16
       16
       +
       function curl_cmd_post {

     

       17
       17
       +
         curl --fail --silent --show-error --request POST --header "Content-Type: application/json" "$@"

     

       18
       18
       +
       }

     

       19
       19
       +
       

     

       20
       20
       +
       # curl a URL but do not fail if the request fails.

     

       21
       21
       +
       function curl_cmd_post_nofail {

     

       22
       22
       +
         curl --silent --show-error --request POST --header "Content-Type: application/json" "$@"

     

       23
       23
       +
       }

     

       24
       24
       +
       

     

       25
       25
       +
       USERNAME="${1:-}"

     

       26
       26
       +
       

     

       27
       27
       +
       if [[ "${USERNAME}" == "" ]]; then

     

       28
       28
       +
         read -p "Enter a username: " USERNAME

     

       29
       29
       +
       fi

     

       30
       30
       +
       

     

       31
       31
       +
       if [[ "${USERNAME}" == "" ]]; then

     

       32
       32
       +
         echo "ERROR: missing USERNAME parameter." >/dev/stderr

     

       33
       33
       +
         echo "Usage: $0 ${SUBCOMMAND} <USERNAME>" >/dev/stderr

     

       34
       34
       +
         exit 1

     

       35
       35
       +
       fi

     

       36
       36
       +
       

     

       37
       37
       +
       SESS_RESULT="$(curl_cmd_post \

     

       38
       38
       +
         --data "$(cat <<EOF

     

       39
       39
       +
       {

     

       40
       40
       +
         "identifier": "$USERNAME",

     

       41
       41
       +
         "password": "password"

     

       42
       42
       +
       }

     

       43
       43
       +
       EOF

     

       44
       44
       +
         )" \

     

       45
       45
       +
         https://pds.tngl.boltless.dev/xrpc/com.atproto.server.createSession

     

       46
       46
       +
       )"

     

       47
       47
       +
       

     

       48
       48
       +
       echo $SESS_RESULT | jq

     

       49
       49
       +
       

     

       50
       50
       +
       DID="$(echo $SESS_RESULT | jq --raw-output '.did')"

     

       51
       51
       +
       ACCESS_JWT="$(echo $SESS_RESULT | jq --raw-output '.accessJwt')"

     

       52
       52
       +
       

     

       53
       53
       +
       function add_label_def {

     

       54
       54
       +
         local color=$1

     

       55
       55
       +
         local name=$2

     

       56
       56
       +
         echo $color

     

       57
       57
       +
         echo $name

     

       58
       58
       +
         local json_payload=$(cat <<EOF

     

       59
       59
       +
       {

     

       60
       60
       +
         "repo": "$DID",

     

       61
       61
       +
         "collection": "sh.tangled.label.definition",

     

       62
       62
       +
         "rkey": "$name",

     

       63
       63
       +
         "record": {

     

       64
       64
       +
           "name": "$name",

     

       65
       65
       +
           "color": "$color",

     

       66
       66
       +
           "scope": ["sh.tangled.repo.issue"],

     

       67
       67
       +
           "multiple": false,

     

       68
       68
       +
           "createdAt": "2025-09-22T11:14:35+01:00",

     

       69
       69
       +
           "valueType": {"type": "null", "format": "any"}

     

       70
       70
       +
         }

     

       71
       71
       +
       }

     

       72
       72
       +
       EOF

     

       73
       73
       +
       )

     

       74
       74
       +
         echo $json_payload

     

       75
       75
       +
         echo $json_payload | jq

     

       76
       76
       +
         RESULT="$(curl_cmd_post \

     

       77
       77
       +
           --data "$json_payload" \

     

       78
       78
       +
           -H "Authorization: Bearer ${ACCESS_JWT}" \

     

       79
       79
       +
           "https://${PDS_HOSTNAME}/xrpc/com.atproto.repo.createRecord")"

     

       80
       80
       +
         echo $RESULT | jq

     

       81
       81
       +
       }

     

       82
       82
       +
       

     

       83
       83
       +
       add_label_def '#64748b' 'wontfix'

     

       84
       84
       +
       add_label_def '#8B5CF6' 'good-first-issue'

     

       85
       85
       +
       add_label_def '#ef4444' 'duplicate'

     

       86
       86
       +
       add_label_def '#06b6d4' 'documentation'

     

       87
       87
       +
       json_payload=$(cat <<EOF

     

       88
       88
       +
       {

     

       89
       89
       +
         "repo": "$DID",

     

       90
       90
       +
         "collection": "sh.tangled.label.definition",

     

       91
       91
       +
         "rkey": "assignee",

     

       92
       92
       +
         "record": {

     

       93
       93
       +
           "name": "assignee",

     

       94
       94
       +
           "color": "#10B981",

     

       95
       95
       +
           "scope": ["sh.tangled.repo.issue", "sh.tangled.repo.pull"],

     

       96
       96
       +
           "multiple": false,

     

       97
       97
       +
           "createdAt": "2025-09-22T11:14:35+01:00",

     

       98
       98
       +
           "valueType": {"type": "string", "format": "did"}

     

       99
       99
       +
         }

     

       100
       100
       +
       }

     

       101
       101
       +
       EOF

     

       102
       102
       +
       )

     

       103
       103
       +
       curl_cmd_post \

     

       104
       104
       +
         --data "$json_payload" \

     

       105
       105
       +
         -H "Authorization: Bearer ${ACCESS_JWT}" \

     

       106
       106
       +
         "https://${PDS_HOSTNAME}/xrpc/com.atproto.repo.createRecord"

+21 -3

flake.nix

···

       92
       92
        
               spindle = self.callPackage ./nix/pkgs/spindle.nix {};

     

       93
       93
        
               knot-unwrapped = self.callPackage ./nix/pkgs/knot-unwrapped.nix {};

     

       94
       94
        
               knot = self.callPackage ./nix/pkgs/knot.nix {};

     

       95
       95
       +
               plc = self.callPackage ./nix/pkgs/did-method-plc.nix {};

     

       96
       96
       +
               jetstream = self.callPackage ./nix/pkgs/bluesky-jetstream.nix {};

     

       95
       97
        
             });

     

       96
       98
        
         in {

     

       97
       99
        
           overlays.default = final: prev: {

     

       98
       98
       -
             inherit (mkPackageSet final) lexgen goat sqlite-lib spindle knot-unwrapped knot appview;

     

       100
       100
       +
             inherit (mkPackageSet final) lexgen goat sqlite-lib spindle knot-unwrapped knot appview plc jetstream;

     

       99
       101
        
           };

     

       100
       102
        
       

     

       101
       103
        
           packages = forAllSystems (system: let

     
···

       104
       106
        
             staticPackages = mkPackageSet pkgs.pkgsStatic;

     

       105
       107
        
             crossPackages = mkPackageSet pkgs.pkgsCross.gnu64.pkgsStatic;

     

       106
       108
        
           in {

     

       107
       107
       -
             inherit (packages) appview appview-static-files lexgen goat spindle knot knot-unwrapped sqlite-lib;

     

       109
       109
       +
             inherit (packages) appview appview-static-files lexgen goat spindle knot knot-unwrapped sqlite-lib plc jetstream;

     

       108
       110
        
       

     

       109
       111
        
             pkgsStatic-appview = staticPackages.appview;

     

       110
       112
        
             pkgsStatic-knot = staticPackages.knot;

     
···

       232
       234
        
                     rootDir=$(jj --ignore-working-copy root || git rev-parse --show-toplevel) || (echo "error: can't find repo root?"; exit 1)

     

       233
       235
        
                     cd "$rootDir"

     

       234
       236
        
       

     

       235
       235
       -
                     mkdir -p nix/vm-data/{knot,repos,spindle,spindle-logs}

     

       237
       237
       +
                     mkdir -p nix/vm-data/{caddy,knot,repos,spindle,spindle-logs}

     

       236
       238
        
       

     

       237
       239
        
                     export TANGLED_VM_DATA_DIR="$rootDir/nix/vm-data"

     

       238
       240
        
                     exec ${pkgs.lib.getExe

     
···

       305
       307
        
       

     

       306
       308
        
             services.tangled.spindle.package = lib.mkDefault self.packages.${pkgs.stdenv.hostPlatform.system}.spindle;

     

       307
       309
        
           };

     

       310
       310
       +
           nixosModules.jetstream = {

     

       311
       311
       +
             lib,

     

       312
       312
       +
             pkgs,

     

       313
       313
       +
             ...

     

       314
       314
       +
           }: {

     

       315
       315
       +
             imports = [./nix/modules/jetstream.nix];

     

       316
       316
       +
             services.jetstream.package = lib.mkDefault self.packages.${pkgs.system}.jetstream;

     

       317
       317
       +
           };

     

       318
       318
       +
           nixosModules.did-method-plc = {

     

       319
       319
       +
             lib,

     

       320
       320
       +
             pkgs,

     

       321
       321
       +
             ...

     

       322
       322
       +
           }: {

     

       323
       323
       +
             imports = [./nix/modules/did-method-plc.nix];

     

       324
       324
       +
             services.plc.package = lib.mkDefault self.packages.${pkgs.system}.plc;

     

       325
       325
       +
           };

     

       308
       326
        
         };

     

       309
       327
        
       }

+76

nix/modules/did-method-plc.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         config,

     

       3
       3
       +
         pkgs,

     

       4
       4
       +
         lib,

     

       5
       5
       +
         ...

     

       6
       6
       +
       }: let

     

       7
       7
       +
         cfg = config.services.plc;

     

       8
       8
       +
       in

     

       9
       9
       +
         with lib; {

     

       10
       10
       +
           options.services.plc = {

     

       11
       11
       +
             enable = mkEnableOption "did-method-plc server";

     

       12
       12
       +
             package = mkPackageOption pkgs "plc" {};

     

       13
       13
       +
           };

     

       14
       14
       +
           config = mkIf cfg.enable {

     

       15
       15
       +
             services.postgresql = {

     

       16
       16
       +
               enable = true;

     

       17
       17
       +
               package = pkgs.postgresql_14;

     

       18
       18
       +
               ensureDatabases = ["plc"];

     

       19
       19
       +
               ensureUsers = [

     

       20
       20
       +
                 {

     

       21
       21
       +
                   name = "pg";

     

       22
       22
       +
                   # ensurePermissions."DATABASE plc" = "ALL PRIVILEGES";

     

       23
       23
       +
                 }

     

       24
       24
       +
               ];

     

       25
       25
       +
               authentication = ''

     

       26
       26
       +
                 local all all trust

     

       27
       27
       +
                 host  all all 127.0.0.1/32 trust

     

       28
       28
       +
               '';

     

       29
       29
       +
             };

     

       30
       30
       +
             systemd.services.plc = {

     

       31
       31
       +
               description = "did-method-plc";

     

       32
       32
       +
       

     

       33
       33
       +
               after = ["postgresql.service"];

     

       34
       34
       +
               wants = ["postgresql.service"];

     

       35
       35
       +
               wantedBy = ["multi-user.target"];

     

       36
       36
       +
       

     

       37
       37
       +
               environment = let

     

       38
       38
       +
                 db_creds_json = builtins.toJSON {

     

       39
       39
       +
                   username = "pg";

     

       40
       40
       +
                   password = "";

     

       41
       41
       +
                   host = "127.0.0.1";

     

       42
       42
       +
                   port = 5432;

     

       43
       43
       +
                 };

     

       44
       44
       +
               in {

     

       45
       45
       +
                 # TODO: inherit from config

     

       46
       46
       +
                 DEBUG_MODE = "1";

     

       47
       47
       +
                 LOG_ENABLED = "true";

     

       48
       48
       +
                 LOG_LEVEL = "debug";

     

       49
       49
       +
                 LOG_DESTINATION = "1";

     

       50
       50
       +
                 ENABLE_MIGRATIONS = "true";

     

       51
       51
       +
                 DB_CREDS_JSON = db_creds_json;

     

       52
       52
       +
                 DB_MIGRATE_CREDS_JSON = db_creds_json;

     

       53
       53
       +
                 PLC_VERSION = "0.0.1";

     

       54
       54
       +
                 PORT = "8080";

     

       55
       55
       +
               };

     

       56
       56
       +
       

     

       57
       57
       +
               serviceConfig = {

     

       58
       58
       +
                 ExecStart = getExe cfg.package;

     

       59
       59
       +
                 User = "plc";

     

       60
       60
       +
                 Group = "plc";

     

       61
       61
       +
                 StateDirectory = "plc";

     

       62
       62
       +
                 StateDirectoryMode = "0755";

     

       63
       63
       +
                 Restart = "always";

     

       64
       64
       +
       

     

       65
       65
       +
                 # Hardening

     

       66
       66
       +
               };

     

       67
       67
       +
             };

     

       68
       68
       +
             users = {

     

       69
       69
       +
               users.plc = {

     

       70
       70
       +
                 group = "plc";

     

       71
       71
       +
                 isSystemUser = true;

     

       72
       72
       +
               };

     

       73
       73
       +
               groups.plc = {};

     

       74
       74
       +
             };

     

       75
       75
       +
           };

     

       76
       76
       +
         }

+64

nix/modules/jetstream.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         config,

     

       3
       3
       +
         pkgs,

     

       4
       4
       +
         lib,

     

       5
       5
       +
         ...

     

       6
       6
       +
       }: let

     

       7
       7
       +
         cfg = config.services.jetstream;

     

       8
       8
       +
       in

     

       9
       9
       +
         with lib; {

     

       10
       10
       +
           options.services.jetstream = {

     

       11
       11
       +
             enable = mkEnableOption "jetstream server";

     

       12
       12
       +
             package = mkPackageOption pkgs "jetstream" {};

     

       13
       13
       +
       

     

       14
       14
       +
             # dataDir = mkOption {

     

       15
       15
       +
             #   type = types.str;

     

       16
       16
       +
             #   default = "/var/lib/jetstream";

     

       17
       17
       +
             #   description = "directory to store data (pebbleDB)";

     

       18
       18
       +
             # };

     

       19
       19
       +
             livenessTtl = mkOption {

     

       20
       20
       +
               type = types.int;

     

       21
       21
       +
               default = 15;

     

       22
       22
       +
               description = "time to restart when no event detected (seconds)";

     

       23
       23
       +
             };

     

       24
       24
       +
             websocketUrl = mkOption {

     

       25
       25
       +
               type = types.str;

     

       26
       26
       +
               default = "wss://bsky.network/xrpc/com.atproto.sync.subscribeRepos";

     

       27
       27
       +
               description = "full websocket path to the ATProto SubscribeRepos XRPC endpoint";

     

       28
       28
       +
             };

     

       29
       29
       +
           };

     

       30
       30
       +
           config = mkIf cfg.enable {

     

       31
       31
       +
             systemd.services.jetstream = {

     

       32
       32
       +
               description = "jetstream";

     

       33
       33
       +
               after = ["network.target" "pds.service"];

     

       34
       34
       +
               wantedBy = ["multi-user.target"];

     

       35
       35
       +
       

     

       36
       36
       +
               serviceConfig = {

     

       37
       37
       +
                 User = "jetstream";

     

       38
       38
       +
                 Group = "jetstream";

     

       39
       39
       +
                 StateDirectory = "jetstream";

     

       40
       40
       +
                 StateDirectoryMode = "0755";

     

       41
       41
       +
                 # preStart = ''

     

       42
       42
       +
                 #   mkdir -p "${cfg.dataDir}"

     

       43
       43
       +
                 #   chown -R jetstream:jetstream "${cfg.dataDir}"

     

       44
       44
       +
                 # '';

     

       45
       45
       +
                 # WorkingDirectory = cfg.dataDir;

     

       46
       46
       +
                 Environment = [

     

       47
       47
       +
                   "JETSTREAM_DATA_DIR=/var/lib/jetstream/data"

     

       48
       48
       +
                   "JETSTREAM_LIVENESS_TTL=${toString cfg.livenessTtl}s"

     

       49
       49
       +
                   "JETSTREAM_WS_URL=${cfg.websocketUrl}"

     

       50
       50
       +
                 ];

     

       51
       51
       +
                 ExecStart = getExe cfg.package;

     

       52
       52
       +
                 Restart = "always";

     

       53
       53
       +
                 RestartSec = 5;

     

       54
       54
       +
               };

     

       55
       55
       +
             };

     

       56
       56
       +
             users = {

     

       57
       57
       +
               users.jetstream = {

     

       58
       58
       +
                 group = "jetstream";

     

       59
       59
       +
                 isSystemUser = true;

     

       60
       60
       +
               };

     

       61
       61
       +
               groups.jetstream = {};

     

       62
       62
       +
             };

     

       63
       63
       +
           };

     

       64
       64
       +
         }

+20

nix/pkgs/bluesky-jetstream.nix

···

       1
       1
       +
       {

     

       2
       2
       +
         buildGoModule,

     

       3
       3
       +
         fetchFromGitHub,

     

       4
       4
       +
       }:

     

       5
       5
       +
       buildGoModule {

     

       6
       6
       +
         pname = "jetstream";

     

       7
       7
       +
         version = "0.1.0";

     

       8
       8
       +
         src = fetchFromGitHub {

     

       9
       9
       +
           owner = "bluesky-social";

     

       10
       10
       +
           repo = "jetstream";

     

       11
       11
       +
           rev = "7d7efa58d7f14101a80ccc4f1085953948b7d5de";

     

       12
       12
       +
           sha256 = "sha256-1e9SL/8gaDPMA4YZed51ffzgpkptbMd0VTbTTDbPTFw=";

     

       13
       13
       +
         };

     

       14
       14
       +
         subPackages = ["cmd/jetstream"];

     

       15
       15
       +
         vendorHash = "sha256-/21XJQH6fo9uPzlABUAbdBwt1O90odmppH6gXu2wkiQ=";

     

       16
       16
       +
         doCheck = false;

     

       17
       17
       +
         meta = {

     

       18
       18
       +
           mainProgram = "jetstream";

     

       19
       19
       +
         };

     

       20
       20
       +
       }

+65

nix/pkgs/did-method-plc.nix

···

       1
       1
       +
       # inspired by https://github.com/NixOS/nixpkgs/blob/333bfb7c258fab089a834555ea1c435674c459b4/pkgs/by-name/ga/gatsby-cli/package.nix

     

       2
       2
       +
       {

     

       3
       3
       +
         lib,

     

       4
       4
       +
         stdenv,

     

       5
       5
       +
         fetchFromGitHub,

     

       6
       6
       +
         fetchYarnDeps,

     

       7
       7
       +
         yarnConfigHook,

     

       8
       8
       +
         yarnBuildHook,

     

       9
       9
       +
         nodejs,

     

       10
       10
       +
         makeBinaryWrapper,

     

       11
       11
       +
       }:

     

       12
       12
       +
       stdenv.mkDerivation (finalAttrs: {

     

       13
       13
       +
         pname = "plc";

     

       14
       14
       +
         version = "0.0.1";

     

       15
       15
       +
       

     

       16
       16
       +
         src = fetchFromGitHub {

     

       17
       17
       +
           owner = "did-method-plc";

     

       18
       18
       +
           repo = "did-method-plc";

     

       19
       19
       +
           rev = "158ba5535ac3da4fd4309954bde41deab0b45972";

     

       20
       20
       +
           sha256 = "sha256-O5smubbrnTDMCvL6iRyMXkddr5G7YHxkQRVMRULHanQ=";

     

       21
       21
       +
         };

     

       22
       22
       +
         postPatch = ''

     

       23
       23
       +
           # remove dd-trace dependency

     

       24
       24
       +
           sed -i '3d' packages/server/service/index.js

     

       25
       25
       +
         '';

     

       26
       26
       +
       

     

       27
       27
       +
         yarnOfflineCache = fetchYarnDeps {

     

       28
       28
       +
           yarnLock = finalAttrs.src + "/yarn.lock";

     

       29
       29
       +
           hash = "sha256-g8GzaAbWSnWwbQjJMV2DL5/ZlWCCX0sRkjjvX3tqU4Y=";

     

       30
       30
       +
         };

     

       31
       31
       +
       

     

       32
       32
       +
         nativeBuildInputs = [

     

       33
       33
       +
           yarnConfigHook

     

       34
       34
       +
           yarnBuildHook

     

       35
       35
       +
           nodejs

     

       36
       36
       +
           makeBinaryWrapper

     

       37
       37
       +
         ];

     

       38
       38
       +
         yarnBuildScript = "lerna";

     

       39
       39
       +
         yarnBuildFlags = [

     

       40
       40
       +
           "run"

     

       41
       41
       +
           "build"

     

       42
       42
       +
           "--scope"

     

       43
       43
       +
           "@did-plc/server"

     

       44
       44
       +
           "--include-dependencies"

     

       45
       45
       +
         ];

     

       46
       46
       +
       

     

       47
       47
       +
         installPhase = ''

     

       48
       48
       +
           runHook preInstall

     

       49
       49
       +
       

     

       50
       50
       +
           mkdir -p $out/lib/node_modules/

     

       51
       51
       +
           mv packages/ $out/lib/packages/

     

       52
       52
       +
           mv node_modules/* $out/lib/node_modules/

     

       53
       53
       +
       

     

       54
       54
       +
           makeWrapper ${lib.getExe nodejs} $out/bin/plc \

     

       55
       55
       +
             --add-flags $out/lib/packages/server/service/index.js \

     

       56
       56
       +
             --add-flags --enable-source-maps \

     

       57
       57
       +
             --set NODE_PATH $out/lib/node_modules

     

       58
       58
       +
       

     

       59
       59
       +
           runHook postInstall

     

       60
       60
       +
         '';

     

       61
       61
       +
       

     

       62
       62
       +
         meta = {

     

       63
       63
       +
           mainProgram = "plc";

     

       64
       64
       +
         };

     

       65
       65
       +
       })

+107

nix/vm.nix

···

       23
       23
        
         nixpkgs.lib.nixosSystem {

     

       24
       24
        
           inherit system;

     

       25
       25
        
           modules = [

     

       26
       26
       +
             self.nixosModules.did-method-plc

     

       27
       27
       +
             self.nixosModules.jetstream

     

       26
       28
        
             self.nixosModules.knot

     

       27
       29
        
             self.nixosModules.spindle

     

       28
       30
        
             ({

     
···

       39
       41
        
                 diskSize = 10 * 1024;

     

       40
       42
        
                 cores = 2;

     

       41
       43
        
                 forwardPorts = [

     

       44
       44
       +
                   # caddy

     

       45
       45
       +
                   {

     

       46
       46
       +
                     from = "host";

     

       47
       47
       +
                     host.port = 80;

     

       48
       48
       +
                     guest.port = 80;

     

       49
       49
       +
                   }

     

       50
       50
       +
                   {

     

       51
       51
       +
                     from = "host";

     

       52
       52
       +
                     host.port = 443;

     

       53
       53
       +
                     guest.port = 443;

     

       54
       54
       +
                   }

     

       55
       55
       +
                   {

     

       56
       56
       +
                     from = "host";

     

       57
       57
       +
                     proto = "udp";

     

       58
       58
       +
                     host.port = 443;

     

       59
       59
       +
                     guest.port = 443;

     

       60
       60
       +
                   }

     

       42
       61
        
                   # ssh

     

       43
       62
        
                   {

     

       44
       63
        
                     from = "host";

     
···

       63
       82
        
                   # as SQLite is incompatible with them. So instead we

     

       64
       83
        
                   # mount the shared directories to a different location

     

       65
       84
        
                   # and copy the contents around on service start/stop.

     

       85
       85
       +
                   caddyData = {

     

       86
       86
       +
                     source = "$TANGLED_VM_DATA_DIR/caddy";

     

       87
       87
       +
                     target = config.services.caddy.dataDir;

     

       88
       88
       +
                   };

     

       66
       89
        
                   knotData = {

     

       67
       90
        
                     source = "$TANGLED_VM_DATA_DIR/knot";

     

       68
       91
        
                     target = "/mnt/knot-data";

     
···

       76
       99
        
                     target = "/var/log/spindle";

     

       77
       100
        
                   };

     

       78
       101
        
                 };

     

       102
       102
       +
                 useHostCerts = true;

     

       79
       103
        
               };

     

       80
       104
        
               # This is fine because any and all ports that are forwarded to host are explicitly marked above, we don't need a separate guest firewall

     

       81
       105
        
               networking.firewall.enable = false;

     

       106
       106
       +
               # resolve `*.tngl.boltless.dev` to host

     

       107
       107
       +
               services.dnsmasq.enable = true;

     

       108
       108
       +
               services.dnsmasq.settings.address = "/tngl.boltless.dev/10.0.2.2";

     

       82
       109
        
               time.timeZone = "Europe/London";

     

       110
       110
       +
               services.timesyncd.enable = lib.mkVMOverride true;

     

       83
       111
        
               services.getty.autologinUser = "root";

     

       84
       112
        
               environment.systemPackages = with pkgs; [curl vim git sqlite litecli];

     

       85
       113
        
               services.tangled.knot = {

     
···

       109
       137
        
                   };

     

       110
       138
        
                 };

     

       111
       139
        
               };

     

       140
       140
       +
               services.pds = {

     

       141
       141
       +
                 enable = true;

     

       142
       142
       +
                 # overriding package version to support emails

     

       143
       143
       +
                 package = pkgs.pds.overrideAttrs (old: rec {

     

       144
       144
       +
                   version = "0.4.188";

     

       145
       145
       +
                   src = pkgs.fetchFromGitHub {

     

       146
       146
       +
                     owner = "bluesky-social";

     

       147
       147
       +
                     repo = "pds";

     

       148
       148
       +
                     tag = "v${version}";

     

       149
       149
       +
                     hash = "sha256-t8KdyEygXdbj/5Rhj8W40e1o8mXprELpjsKddHExmo0=";

     

       150
       150
       +
                   };

     

       151
       151
       +
                   pnpmDeps = pkgs.pnpm_9.fetchDeps {

     

       152
       152
       +
                     inherit version src;

     

       153
       153
       +
                     pname = old.pname;

     

       154
       154
       +
                     sourceRoot = old.sourceRoot;

     

       155
       155
       +
                     fetcherVersion = 2;

     

       156
       156
       +
                     hash = "sha256-lQie7f8JbWKSpoavnMjHegBzH3GB9teXsn+S2SLJHHU=";

     

       157
       157
       +
                   };

     

       158
       158
       +
                 });

     

       159
       159
       +
                 settings = {

     

       160
       160
       +
                   LOG_ENABLED = "true";

     

       161
       161
       +
       

     

       162
       162
       +
                   PDS_JWT_SECRET = "8cae8bffcc73d9932819650791e4e89a";

     

       163
       163
       +
                   PDS_ADMIN_PASSWORD = "d6a902588cd93bee1af83f924f60cfd3";

     

       164
       164
       +
                   PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX = "2e92e336a50a618458e1097d94a1db86ec3fd8829d7735020cbae80625c761d7";

     

       165
       165
       +
       

     

       166
       166
       +
                   PDS_EMAIL_SMTP_URL = envVarOr "TANGLED_VM_PDS_EMAIL_SMTP_URL" null;

     

       167
       167
       +
                   PDS_EMAIL_FROM_ADDRESS = envVarOr "TANGLED_VM_PDS_EMAIL_FROM_ADDRESS" null;

     

       168
       168
       +
       

     

       169
       169
       +
                   PDS_DID_PLC_URL = "http://localhost:8080";

     

       170
       170
       +
                   PDS_HOSTNAME = "pds.tngl.boltless.dev";

     

       171
       171
       +
                   PDS_PORT = 3000;

     

       172
       172
       +
                 };

     

       173
       173
       +
               };

     

       174
       174
       +
               services.plc.enable = true;

     

       175
       175
       +
               services.jetstream = {

     

       176
       176
       +
                 enable = true;

     

       177
       177
       +
                 livenessTtl = 300;

     

       178
       178
       +
                 websocketUrl = "ws://localhost:3000/xrpc/com.atproto.sync.subscribeRepos";

     

       179
       179
       +
               };

     

       180
       180
       +
               services.caddy = {

     

       181
       181
       +
                 enable = true;

     

       182
       182
       +
                 configFile = pkgs.writeText "Caddyfile" ''

     

       183
       183
       +
                   {

     

       184
       184
       +
                     debug

     

       185
       185
       +
                     cert_lifetime 3601d

     

       186
       186
       +
                     pki {

     

       187
       187
       +
                       ca local {

     

       188
       188
       +
                         intermediate_lifetime 3599d

     

       189
       189
       +
                       }

     

       190
       190
       +
                     }

     

       191
       191
       +
                   }

     

       192
       192
       +
       

     

       193
       193
       +
                   plc.tngl.boltless.dev {

     

       194
       194
       +
                     tls internal

     

       195
       195
       +
                     reverse_proxy http://localhost:8080

     

       196
       196
       +
                   }

     

       197
       197
       +
       

     

       198
       198
       +
                   *.pds.tngl.boltless.dev, pds.tngl.boltless.dev {

     

       199
       199
       +
                     tls internal

     

       200
       200
       +
                     reverse_proxy http://localhost:3000

     

       201
       201
       +
                   }

     

       202
       202
       +
       

     

       203
       203
       +
                   jetstream.tngl.boltless.dev {

     

       204
       204
       +
                     tls internal

     

       205
       205
       +
                     reverse_proxy http://localhost:6008

     

       206
       206
       +
                   }

     

       207
       207
       +
       

     

       208
       208
       +
                   knot.tngl.boltless.dev {

     

       209
       209
       +
                     tls internal

     

       210
       210
       +
                     reverse_proxy http://localhost:6444

     

       211
       211
       +
                   }

     

       212
       212
       +
       

     

       213
       213
       +
                   spindle.tngl.boltless.dev {

     

       214
       214
       +
                     tls internal

     

       215
       215
       +
                     reverse_proxy http://localhost:6555

     

       216
       216
       +
                   }

     

       217
       217
       +
                 '';

     

       218
       218
       +
               };

     

       112
       219
        
               users = {

     

       113
       220
        
                 # So we don't have to deal with permission clashing between

     

       114
       221
        
                 # blank disk VMs and existing state