+16 -3

nixosConfigurations/black-mesa.nix

reviewed

··· 121 121 imperm.keep = ["/var/lib/acme"]; 122 122 }; 123 123 124 124 + networking.firewall.allowedTCPPorts = [ 125 125 + 80 126 126 + 443 127 127 + ]; 128 128 + 124 129 services.nginx = { 125 130 enable = true; 131 131 + 132 132 + recommendedTlsSettings = true; 133 133 + recommendedBrotliSettings = true; 134 134 + recommendedOptimisation = true; 135 135 + recommendedGzipSettings = true; 136 136 + recommendedProxySettings = true; 137 137 + experimentalZstdSettings = true; 138 138 + 126 139 virtualHosts."knot.bwc9876.dev" = { 127 127 - forceSSL = true; 140 140 + addSSL = true; 128 141 acmeRoot = null; # Doing DNS challenges 129 142 useACMEHost = "bwc9876.dev"; 130 143 }; 131 131 - virtualHosts."pds.bwc7986.dev" = { 132 132 - forceSSL = true; 144 144 + virtualHosts."pds.bwc9876.dev" = { 145 145 + addSSL = true; 133 146 acmeRoot = null; # DNS 134 147 useACMEHost = "bwc9876.dev"; 135 148 };

+52 -7

nixosModules/cocoon.nix

reviewed

··· 60 60 ]; 61 61 62 62 services.nginx.virtualHosts.${conf.hostname} = { 63 63 - locations = { 63 63 + serverAliases = [".${conf.hostname}"]; 64 64 + 65 65 + # All stolen from Isabel 66 66 + # https://github.com/isabelroses/dotfiles/blob/262ae19c1e92be5d759f40020e894113ba5d5d44/modules/nixos/services/pds/default.nix 67 67 + locations = let 68 68 + mkAgeAssured = state: { 69 69 + return = "200 '${builtins.toJSON state}'"; 70 70 + extraConfig = '' 71 71 + default_type application/json; 72 72 + ''; 73 73 + }; 74 74 + in { 75 75 + "/xrpc/app.bsky.unspecced.getAgeAssuranceState" = mkAgeAssured { 76 76 + lastInitiatedAt = "2025-07-14T15:11:05.487Z"; 77 77 + status = "assured"; 78 78 + }; 79 79 + "/xrpc/app.bsky.ageassurance.getConfig" = mkAgeAssured { 80 80 + regions = []; 81 81 + }; 82 82 + "/xrpc/app.bsky.ageassurance.getState" = mkAgeAssured { 83 83 + state = { 84 84 + lastInitiatedAt = "2025-07-14T15:11:05.487Z"; 85 85 + status = "assured"; 86 86 + access = "full"; 87 87 + }; 88 88 + metadata = { 89 89 + accountCreatedAt = "2022-11-17T00:35:16.391Z"; 90 90 + }; 91 91 + }; 92 92 + 93 93 + # pass everything else to the pds 64 94 "/" = { 65 65 - proxyPass = "http://localhost:${builtins.toString conf.port}"; 66 66 - recommendedProxySettings = true; 95 95 + proxyPass = "http://localhost:${toString conf.port}"; 96 96 + proxyWebsockets = true; 67 97 }; 68 98 }; 69 99 }; ··· 90 120 ''; 91 121 92 122 script = '' 93 93 - COCOON_ADMIN_PASSWORD=$(cat $CREDENTIALS_DIRECTORY/adminPass) \ 94 94 - COCOON_SESSION_SECRET=$(cat $CREDENTIALS_DIRECTORY/session) \ 95 95 - ${lib.getExe pkgs.cocoon} 123 123 + COCOON_ADMIN_PASSWORD=$(cat "$CREDENTIALS_DIRECTORY/adminPass") \ 124 124 + COCOON_SESSION_SECRET=$(cat "$CREDENTIALS_DIRECTORY/session") \ 125 125 + ${lib.getExe pkgs.cocoon} run 96 126 ''; 97 127 98 128 serviceConfig = { ··· 118 148 CONTACT_EMAIL = conf.email; 119 149 120 150 # TODO: Don't hardcode 121 121 - RELAYS = "https://bsky.network"; 151 151 + RELAYS = lib.join "," [ 152 152 + "https://bsky.network" 153 153 + "https://relay.cerulea.blue" 154 154 + "https://relay.fire.hose.cam" 155 155 + "https://relay2.fire.hose.cam" 156 156 + "https://relay3.fr.hose.cam" 157 157 + "https://relay.hayescmd.net" 158 158 + "https://relay.xero.systems" 159 159 + "https://relay.upcloud.world" 160 160 + "https://relay.feeds.blue" 161 161 + "https://atproto.africa" 162 162 + "https://relay.whey.party" 163 163 + ]; 164 164 + 165 165 + # TODO: Don't? 166 166 + FALLBACK_PROXY = "did:web:api.bsky.app#bsky_appview"; 122 167 123 168 JWK_PATH = "%d/jwt"; 124 169 ROTATION_KEY_PATH = "%d/rotation";