@jaspermayone.com's dotfiles

bsky pds

+170 -100
+10 -31
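--- a/flake.lock
+++ b/flake.lock
@@ -102,26 +102,6 @@
 "type": "github"
 }
 },
-"disko": {
-"inputs": {
-"nixpkgs": [
-"nixpkgs"
-]
-},
-"locked": {
-"lastModified": 1766150702,
-"narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
-"owner": "nix-community",
-"repo": "disko",
-"rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
-"type": "github"
-},
-"original": {
-"owner": "nix-community",
-"repo": "disko",
-"type": "github"
-}
-},
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -456,11 +436,11 @@
 },
 "nixpkgs_2": {
 "locked": {
-"lastModified": 1766622938,
-"narHash": "sha256-Eovt/DOCYjFFBZuYbbG9j5jhklzxdNbUGVYYxh3lG3s=",
+"lastModified": 1766736597,
+"narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
-"rev": "5900a0a8850cbba98e16d5a7a6ed389402dfcf4f",
+"rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852",
 "type": "github"
 },
 "original": {
@@ -493,11 +473,11 @@
 ]
 },
 "locked": {
-"lastModified": 1766713035,
-"narHash": "sha256-YFZuKia+pHDtJCOXciRoRWY05Z2zGeGAL4KSklsGBFA=",
+"lastModified": 1766846886,
+"narHash": "sha256-ze8vZb04OkaRfTBzqSVlw5ypBxvq6TOXmrZOk4jObmI=",
 "owner": "nix-community",
 "repo": "NUR",
-"rev": "fc7ae20903d7160a9e1b90780d5dc13c63d8d9a4",
+"rev": "019accb238eabd9b1aea2ee60fa4638e3c1ffb17",
 "type": "github"
 },
 "original": {
@@ -511,7 +491,6 @@
 "agenix": "agenix",
 "claude-desktop": "claude-desktop",
 "deploy-rs": "deploy-rs",
-"disko": "disko",
 "hardware": "hardware",
 "home-manager": "home-manager_2",
 "import-tree": "import-tree",
@@ -628,11 +607,11 @@
 "sqlite-lib-src": "sqlite-lib-src"
 },
 "locked": {
-"lastModified": 1766504962,
-"narHash": "sha256-is2yCWdVQ0S5NY893TfTVFgBUpWkh8SFZd0yy+gsjAU=",
+"lastModified": 1766839491,
+"narHash": "sha256-wP7N2Ft/wGqa3d+hGH2WaOA5KA1JLfD57q4WYx/4/Tw=",
 "ref": "refs/heads/master",
-"rev": "3596ea2d0f5aba3f13ccf92ceb2560b7fa581364",
-"revCount": 1775,
+"rev": "6e7c3686a8f4caf4c3d2658fbad57e471167f19f",
+"revCount": 1777,
 "type": "git",
 "url": "https://tangled.org/tangled.org/core"
 },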
-7
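--- a/flake.nix
+++ b/flake.nix
@@ -44,11 +44,6 @@
 zmx = {
 url = "github:neurosnap/zmx";
 };
-
-disko = {
-url = "github:nix-community/disko";
-inputs.nixpkgs.follows = "nixpkgs";
-};
 };
 
 outputs = {
@@ -61,7 +56,6 @@
 nix-darwin,
 deploy-rs,
 tangled,
-disko,
 ...
 }@inputs:
 let
@@ -96,7 +90,6 @@
 modules = [
 ./hosts/${hostname}/configuration.nix
 agenix.nixosModules.default
-disko.nixosModules.disko
 unstable-overlays
 nur.modules.nixos.default
 home-manager.nixosModules.home-manager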
+26 -1
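--- a/hosts/alastor/configuration.nix
+++ b/hosts/alastor/configuration.nix
@@ -7,6 +7,7 @@
 ../../modules/frps
 ../../modules/status
 ../../modules/knot/sync.nix
+../../modules/bluesky-pds/default.nix
 inputs.tangled.nixosModules.knot
 ];
 
@@ -39,6 +40,7 @@
 curl
 jq
 tmux
+bluesky-pds
 inputs.agenix.packages.${pkgs.system}.default # agenix CLI
 ];
 
@@ -89,7 +91,7 @@
 security.sudo.wheelNeedsPassword = false;
 
 # Agenix secrets
-age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key.age" ];
+age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 age.secrets = {
 frps-token = {
 file = ../../secrets/frps-token.age;
@@ -109,6 +111,18 @@
 mode = "400";
 owner = "git"; # tangled uses git user
 };
+pds = {
+file = ../../secrets/pds.age;
+mode = "600";
+owner = "pds";
+group = "pds";
+};
+pds-mailer = {
+file = ../../secrets/pds-mailer.age;
+mode = "600";
+owner = "pds";
+group = "pds";
+};
 };
 
 # FRP tunnel server
@@ -140,6 +154,17 @@
 listenAddr = "127.0.0.1:5555";
 };
 };
+
+services.bluesky-pds-hosting = {
+enable = true;
+hostname = "hogwarts.dev";
+port = 3000;
+adminEmail = "pds-admin@hogwarts.dev";
+environmentFile = config.age.secrets.pds.path;
+mailerEnvironmentFile = config.age.secrets.pds-mailer.path;
+enableAgeAssurance = false;
+};
+
 
 # Knot to GitHub sync service
 jsp.services.knot-sync = {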
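Review bot: The new `pds` and `pds-mailer` entries in `age.secrets` are decrypted with `mode = "600"`, while the neighbouring entry visible in this hunk uses `"400"`; the service only ever reads these files, so `mode = "400";` is the tighter and more consistent setting. If the upstream `services.bluesky-pds` unit consumes `environmentFiles` through systemd's `EnvironmentFile=` (not visible on this page, so worth confirming), the files are read by the service manager rather than by the `pds` user, and the `owner`/`group` lines could be dropped so the decrypted files stay root-owned. The `age.secrets` attribute set begins outside the hunk.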
-34
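--- a/hosts/alastor/disko.nix
+++ b/hosts/alastor/disko.nix
@@ -1,34 +0,0 @@
-# Disko configuration for alastor VPS
-# Used by nixos-anywhere for automated partitioning
-{
-disko.devices = {
-disk = {
-main = {
-type = "disk";
-device = "/dev/sda";
-content = {
-type = "gpt";
-partitions = {
-ESP = {
-size = "512M";
-type = "EF00";
-content = {
-type = "filesystem";
-format = "vfat";
-mountpoint = "/boot";
-};
-};
-root = {
-size = "100%";
-content = {
-type = "filesystem";
-format = "ext4";
-mountpoint = "/";
-};
-};
-};
-};
-};
-};
-};
-}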
+86
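--- a/modules/bluesky-pds/default.nix
+++ b/modules/bluesky-pds/default.nix
@@ -0,0 +1,86 @@
+# modules/bluesky-pds/default.nix
+# NixOS module enabling Bluesky PDS with Caddy reverse proxy
+{ lib, config, pkgs, ... }:
+let
+cfg = config.services.bluesky-pds-hosting;
+in
+{
+options.services.bluesky-pds-hosting = {
+enable = lib.mkEnableOption "Bluesky PDS hosting bundle (service + Caddy)";
+hostname = lib.mkOption {
+type = lib.types.str;
+example = "example.com";
+description = "Primary PDS hostname (root domain for handles).";
+};
+port = lib.mkOption {
+type = lib.types.int;
+default = 3000;
+description = "Internal PDS port.";
+};
+adminEmail = lib.mkOption {
+type = lib.types.str;
+example = "pds@example.com";
+};
+environmentFile = lib.mkOption {
+type = lib.types.path;
+description = "Path to agenix-managed env file (pds.age).";
+};
+mailerEnvironmentFile = lib.mkOption {
+type = lib.types.nullOr lib.types.path;
+default = null;
+description = "Optional env file for SMTP/Resend (pds-mailer.age).";
+};
+cloudflareCredentialsFile = lib.mkOption {
+type = lib.types.nullOr lib.types.path;
+default = null;
+description = "Path to Cloudflare credentials for ACME DNS challenge.";
+};
+enableAgeAssurance = lib.mkOption {
+type = lib.types.bool;
+default = false;
+description = "Serve age assurance stub endpoints.";
+};
+};
+
+config = lib.mkIf cfg.enable {
+services.bluesky-pds = {
+enable = true;
+environmentFiles =
+lib.lists.flatten [
+[ cfg.environmentFile ]
+(lib.optional (cfg.mailerEnvironmentFile != null) cfg.mailerEnvironmentFile)
+];
+settings = {
+PDS_PORT = cfg.port;
+PDS_HOSTNAME = cfg.hostname;
+PDS_ADMIN_EMAIL = cfg.adminEmail;
+};
+};
+
+# Caddy reverse proxy for PDS
+services.caddy.virtualHosts = {
+# Main domain and wildcard for handles
+"${cfg.hostname}" = {
+serverAliases = [ "*.${cfg.hostname}" ];
+extraConfig = ''
+tls {
+dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+}
+reverse_proxy localhost:${toString cfg.port} {
+header_up X-Forwarded-Proto {scheme}
+header_up X-Forwarded-For {remote}
+}
+'';
+};
+};
+
+# Hardening: restrict service user
+users.users.pds = {
+isSystemUser = true;
+group = "pds";
+home = "/var/lib/pds";
+createHome = true;
+};
+users.groups.pds = { };
+};
+}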
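Review bot: `cloudflareCredentialsFile` is declared but never read in the `config` section, while the Caddy `tls` block unconditionally expands `{env.CLOUDFLARE_API_TOKEN}`; unless the token reaches Caddy's environment some other way (nothing on this page shows it), certificate issuance for the hostname and its wildcard alias will fail. Wiring it with `services.caddy.environmentFile = cfg.cloudflareCredentialsFile;` plus an assertion that the option is set would close the gap, and the Caddy package also has to be built with the Cloudflare DNS plugin. In the `reverse_proxy` block, `header_up X-Forwarded-For {remote}` overrides the header Caddy already sets by default with a value that, as far as I know, includes the client port, which can confuse IP-based rate limiting and logging in the backend; dropping both `header_up` lines keeps Caddy's defaults. `enableAgeAssurance` is likewise declared but unused, `adminEmail` has no `description`, and `port` could use `lib.types.port` instead of `lib.types.int`.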
secrets/bore-token.age

This is a binary file and will not be displayed.

+6 -6
secrets/cloudflare-credentials.age
··· 1 1 age-encryption.org/v1 2 - -> ssh-ed25519 1uIO/w LAd+clCwXDS8lo1SYlzstFE12zgKaZuuqd2GzYMLWho 3 - dvXSECdcgzNwt4uXGxu5zBkFgK+C4vQwz31rhvEhRkg 4 - -> X25519 u4qCTB5JAOWIed2hJ76ok/aPi+6mEZd7J9RCwuYwRUQ 5 - mzQBP3msrUIm+XvtLkZoIOgZel6YwzXIh1xFTB5G2tQ 6 - --- lVXlK1mrrfDjKG5XhF5JiM7MTIHXgk+qYH1DhALR4Ac 7 - ��JDA��arR���� <�$�d-�R�u�9)�1K�Z-���un����:���bߍ�yGN����Ge�Ѳ���}a¯���d$� �N��DK� 2 + -> ssh-ed25519 1uIO/w Gwl+A5eTw1wDAuqJ2S/WJUWqi5Gn71OBxXhFddzXlAM 3 + 3HYMGEMJirKS+pHlIUKJvuhSfUCmyDWVFOhWRyjIHKA 4 + -> X25519 u/9+aUqc/lVbL4FKQWib4qiXs9okvbDLgWjZ73HF7C4 5 + Np/QLqt3S35Zk8u41yCbtxzWwXauzMpspSkeuote2Xs 6 + --- rl3t3Yu3feBAv5W5DxCGGjq9VAHNLjEBevF8XeX65MM 7 + Ά!�sJ�dĕ< �̳�(�%(%ꃟ�2����צ���/j$i���r�%�7�'������Oh �d$�Fz"���B� Ty���$th�*;���
+6 -6
secrets/frps-token.age
··· 1 1 age-encryption.org/v1 2 - -> ssh-ed25519 1uIO/w N+K4LNGRdJ/Fm3I8ybiZ+cJim3+YZBEg54H1Z98fMT8 3 - GV3EjVEamsQcQk7oIKHoGh4hVEfsG+Gwq5R6zZXAFII 4 - -> X25519 eG8v/agg44d3b5q+L5AGqziPqhe2mhE6OfnOtLK/J1g 5 - G7ZeFtyRLGvz0aZ11wd+aGWxN/R+b8b87JmK0aXvAhU 6 - --- HZY3/P9vqmdjyYvAkr090NFX1MhvNTivq2jdQcBOI/k 7 - ��Ջgu��BC����z���� k��t�1:�g����@� [dz��qk��,�.��XW� &',�NȀ%�a���r 0�1�SZ�B4���z[q& 2 + -> ssh-ed25519 1uIO/w bi9hjsQIVSnMV5fbMZyKJRWvs2dP6LrcMSwV4fYusgI 3 + S7ZmzdOYUQzAcvwXUDM9gHtWIPorwasfWz1M+0VIj+Q 4 + -> X25519 3erSz8fWb1RGK2MfhhFDiqiImo9tc70vp2XvzFcgrzo 5 + hd5sxliEErWkHr3OokCPQei3JS11pWVm6ji3zKDGKcs 6 + --- AW7pyY+iVQQB9KTgWBcgOE5LBUJjrMQ4kjDbwTNBvkU 7 + �H�J�ӡ��5�_��k��<�<��r���-S���<�8g_Zۺ��]Z�ߥ����Ej�?��Lgƫ�^� �5.W�_/�����F|&~�M&��\���
+6 -8
secrets/github-token.age
··· 1 1 age-encryption.org/v1 2 - -> ssh-ed25519 1uIO/w 2ynd9lYnvghWnQAw37kqwNNR8E7g74hMAUSUZDkctH4 3 - lrC4W0HHHj4VwDjsrWtjt6iiATnfpJcOcLILc4ZZVc0 4 - -> X25519 qcQm7Akuo+srBq7BclXGfCToVS1XitOwOTln2tVBxzc 5 - 9dw4SifdmAcLMv0MzY7wLnuKeMEqsVXwuo82J2aeL+M 6 - --- X36wC4snPbMQ5Ijtf+6LztQ+pe6qzwxzRAL2rbB0+48 7 - ��Fe�K4��N�j�%�*�AJ���p���VD��n"�RN�� 8 - @� 9 - �[�2���\�h����AL&�j� ����/6���NYj!0��.����e�?���N 嵋�F�vb�77 %s� �ȏCx�E{��j�|��� 2 + -> ssh-ed25519 1uIO/w 1ezKSNejHDldv3vsd5br5CVAH+Hx9vE9MgmPUvCyOic 3 + EtuBfsHWhBnMYHBxD2bQIhA+qExXuWxE/U5ev9vZOOw 4 + -> X25519 d6FUZocBqkrQJ/9XsXA01H7xpr96fCiK4Mydoxg/tmg 5 + xI1hXkWPKcCIyddCUIuNeRYU+ohLBVhS5lTvgcieNRI 6 + --- K+1r5CORQqN6tY7MEH71fREdLzInVgHPTS0GxJBW3DQ 7 + �� �.��2g4s,�Ӹ�m�(U¸`W��*����N�D���y���6y���Rp}4fl h�!���H���̀�Nۖ����g���aN+���Z �6��к|أ�楍C�|�@*���L!|��!�Wj ��I
secrets/knot-secret.age

This is a binary file and will not be displayed.

+8
secrets/pds-mailer.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 1uIO/w Qmz2eXf3+G3Mg3wUVw4UpLo6FYFCL5l2c4yi0Xzr9DI 3 + MJEuWYw+1ntpbjjBynTub2hQCiupnFhFxcSNY8Xl40Y 4 + -> X25519 S4Ipnh2ZjkmWyWvAII5vpBYfututgcovdGpNBgxMX08 5 + ONbi6OBYQ26FY8Rf6EduaryZjnAVqx7HKAoTXAWJ9HE 6 + --- jfzNAWLde50+K8EJwEv5IBoe/FN+YbR8QdWpFizhjiw 7 + ������tą�����iR�z>�L���EVgx�҅�F�S?5,��/d�P�C��G��3ʘ����@��X�*�e#3BC�f��b�G�e�Bsj�1��4#�d:�$��9쎬M�/��y+d}�Fe� 8 + �<.ݥ�i����tY0m� �4��6 ��sT��nxwS
+10
secrets/pds.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 1uIO/w A7KKBwCJo3zz/BrgfOWuCuDZG4DLrSPVe9KTBTqmSGc 3 + OxDEwHXFUzWALbFNraJv9xQ5oENuSjxew/krKyVEbKU 4 + -> X25519 5kTAI4R5DPJIi5AqcRy7NKACF4zWqXgcYctfJmp+ynA 5 + iITndh5LivPqJSY3HJiRIYj4dIA6DyAWby1gD32YY5M 6 + --- LYf74+0j4hZs7U+A7H7uZz8KV6CTcquTVzkbr+495rY 7 + 5Y`����4����82˪%��X����̆@R{"�������ڌ 8 + 1I{���V��D��;+�B��� 9 + C�ur�ѷ�S���9ro�_�*?��7�_E&� 10 + o6hc��0��]�*3]���r �˵��l/c�wpZ殴/C����s�9,qA$运�� �^�#���T?��-�A��lТ�3t%���<�`��<4�"����짒w�!~U����~��J�o\$ױ7|L!5C9���
+6
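--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -32,6 +32,12 @@
 # Generate with: openssl rand -hex 32
 "knot-secret.age".publicKeys = all;
 
+"pds.age".publicKeys = [ jsp alastor ];
+
+# If using Resend SMTP, include API key here too
+"pds-mailer.age".publicKeys = [ jsp alastor ];
+
+
 # WiFi passwords for NixOS machines
 # Format: NETWORK_PSK=password
 "wifi-passwords.age".publicKeys = all;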
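Review bot: The new `"pds.age"` entry has no comment saying what the encrypted env file must contain, unlike the neighbouring `knot-secret.age` and `wifi-passwords.age` entries, which document a generation command or a format. Above it I would add a comment such as `# Env file for the PDS; expected keys (confirm against the PDS docs): PDS_JWT_SECRET, PDS_ADMIN_PASSWORD, PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`, so a later re-key or rebuild does not silently drop one of them. The attribute set these entries belong to starts and ends outside the hunk.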
+6 -7
secrets/wifi-passwords.age
··· 1 1 age-encryption.org/v1 2 - -> ssh-ed25519 1uIO/w Jl8j+7DpevVpjn5GH6+CeMxgDpML2/vC3ds5+O9t6gM 3 - u5BibaBSbOyuYlKvvnsq0fyKREXBcrgPTOVrzVcbFHQ 4 - -> X25519 V0XU32SEA/I3u59SjkXn5fBWStrpY3NPFN5coUWwBVo 5 - m1T1uzw6l+8YoasPcPABIjmTbzyHfuiCswutrtZOesk 6 - --- 6t3gbW5zDp1GjCbOTtJvhri9qj11Be7tvJNfNmJPXSM 7 - ����ǘ���Nv8�;�Il�q�����N�m;�V�-(�k�g��[�l� 8 - iJ?pMU6##��1��^Z �Q�1�hfq� � 2 + -> ssh-ed25519 1uIO/w yI0OVUBD47exmt7+m2V/i9eFkoFR8IVc8sM9WdTkwx8 3 + GUUhAG++dLW9fpQYaaSzuP2nrIhtoVBxo51fK9acYmo 4 + -> X25519 qDtAfyfro3ZatpHod7VgCU5B5tGn2uQ9StoV0+izXW8 5 + yhnu2WayNQV6OYtB1S15k8oOpsN3jKrnXgpAGZtsnek 6 + --- mWLiWA1lJfDt8+EC7UiiG3L8+w1tbQhtEHlDCYfdNxw 7 + � q=��*��C�|#�>k`l���3*a���LH��zh�A�gae�����~���q���aR?���� ڌ���t,�