+1 -1

.gitignore

reviewed

··· 1 1 keys/ 2 2 nixos.* 3 3 CLAUDE.md 4 4 - result 4 4 + result*

+38

flake.lock

reviewed

··· 70 70 "type": "github" 71 71 } 72 72 }, 73 73 + "nixpkgs-fetch-deno": { 74 74 + "locked": { 75 75 + "lastModified": 1766410835, 76 76 + "narHash": "sha256-dRhVt0aFDyTqppyzRLxiO1JZEAoIA2fUnaeyJTe+UwU=", 77 77 + "owner": "aMOPel", 78 78 + "repo": "nixpkgs", 79 79 + "rev": "c9801acc8c4fac6377d076bc1c102b15bd9cfa6f", 80 80 + "type": "github" 81 81 + }, 82 82 + "original": { 83 83 + "owner": "aMOPel", 84 84 + "ref": "feat/fetchDenoDeps", 85 85 + "repo": "nixpkgs", 86 86 + "type": "github" 87 87 + } 88 88 + }, 73 89 "nixpkgs-stable": { 74 90 "locked": { 75 91 "lastModified": 1774244481, ··· 93 109 "nixpkgs": "nixpkgs", 94 110 "nixpkgs-stable": "nixpkgs-stable", 95 111 "sops-nix": "sops-nix", 112 112 + "tranquil-pds": "tranquil-pds", 96 113 "turing-rk1": "turing-rk1" 97 114 } 98 115 }, ··· 129 146 "owner": "nix-systems", 130 147 "repo": "default", 131 148 "type": "github" 149 149 + } 150 150 + }, 151 151 + "tranquil-pds": { 152 152 + "inputs": { 153 153 + "nixpkgs": [ 154 154 + "nixpkgs" 155 155 + ], 156 156 + "nixpkgs-fetch-deno": "nixpkgs-fetch-deno" 157 157 + }, 158 158 + "locked": { 159 159 + "lastModified": 1774995911, 160 160 + "narHash": "sha256-89B4Ul3bEf9miOd4DGtK5CSQRlg7rIss9RkaBvmRWtg=", 161 161 + "ref": "refs/heads/main", 162 162 + "rev": "5dc810ceef4676e72982be1dd2f5096a808e16ff", 163 163 + "revCount": 270, 164 164 + "type": "git", 165 165 + "url": "https://tangled.org/tranquil.farm/tranquil-pds" 166 166 + }, 167 167 + "original": { 168 168 + "type": "git", 169 169 + "url": "https://tangled.org/tranquil.farm/tranquil-pds" 132 170 } 133 171 }, 134 172 "turing-rk1": {

+6

flake.nix

reviewed

··· 17 17 url = "github:GiyoMoon/nixos-turing-rk1"; 18 18 inputs.nixpkgs.follows = "nixpkgs"; 19 19 }; 20 20 + tranquil-pds = { 21 21 + url = "git+https://tangled.org/tranquil.farm/tranquil-pds"; 22 22 + inputs.nixpkgs.follows = "nixpkgs"; 23 23 + }; 20 24 }; 21 25 22 26 outputs = ··· 28 32 nixos-hardware, 29 33 turing-rk1, 30 34 sops-nix, 35 35 + tranquil-pds, 31 36 ... 32 37 }@inputs: 33 38 let ··· 97 102 modules = [ 98 103 host.hardware 99 104 sops-nix.nixosModules.sops 105 105 + tranquil-pds.nixosModules.default 100 106 ./hosts/${name}.nix 101 107 ]; 102 108 };

+1

hosts/rk1-node-1.nix

reviewed

··· 4 4 ../modules/common.nix 5 5 ../modules/continuwuity.nix 6 6 ../modules/paperless.nix 7 7 + ../modules/tranquil-pds.nix 7 8 ]; 8 9 9 10 system.stateVersion = "25.11";

+3

modules/caddy.nix

reviewed

··· 121 121 reverse_proxy cm4-node-2:8080 122 122 } 123 123 ''; 124 124 + "pds.goo.garden".extraConfig = '' 125 125 + reverse_proxy rk1-node-1:3000 126 126 + ''; 124 127 "paperless.goo.garden".extraConfig = '' 125 128 reverse_proxy rk1-node-1:28981 126 129 '';

modules/pds.nix

reviewed

This is a binary file and will not be displayed.

+51

modules/tranquil-pds.nix

reviewed

··· 1 1 + { config, ... }: 2 2 + { 3 3 + services.tranquil-pds = { 4 4 + enable = true; 5 5 + database.createLocally = true; 6 6 + environmentFiles = [ config.sops.templates."tranquil-pds.env".path ]; 7 7 + settings = { 8 8 + server = { 9 9 + hostname = "pds.goo.garden"; 10 10 + host = "0.0.0.0"; 11 11 + port = 3000; 12 12 + }; 13 13 + storage.path = "/mnt/nas/data/tranquil-pds/blobs"; 14 14 + firehose.crawlers = [ 15 15 + "https://bsky.network" 16 16 + "https://relay.fire.hose.cam" 17 17 + "https://relay3.fr.hose.cam" 18 18 + "https://relay.hayescmd.net" 19 19 + "https://relay.xero.systems" 20 20 + "https://relay.feeds.blue" 21 21 + "https://atproto.africa" 22 22 + ]; 23 23 + }; 24 24 + }; 25 25 + 26 26 + services.postgresqlBackup = { 27 27 + enable = true; 28 28 + databases = [ "tranquil-pds" ]; 29 29 + startAt = "*-*-* 02:00:00"; 30 30 + }; 31 31 + 32 32 + systemd.tmpfiles.rules = [ 33 33 + "d /mnt/nas/data/tranquil-pds/blobs 0750 root root -" 34 34 + ]; 35 35 + 36 36 + systemd.services.tranquil-pds = { 37 37 + after = [ "mnt-nas.mount" ]; 38 38 + requires = [ "mnt-nas.mount" ]; 39 39 + }; 40 40 + 41 41 + sops.templates."tranquil-pds.env".content = '' 42 42 + JWT_SECRET=${config.sops.placeholder.pds-jwt-secret} 43 43 + DPOP_SECRET=${config.sops.placeholder.pds-dpop-secret} 44 44 + MASTER_KEY=${config.sops.placeholder.pds-master-key} 45 45 + ''; 46 46 + sops.secrets.pds-jwt-secret = { }; 47 47 + sops.secrets.pds-dpop-secret = { }; 48 48 + sops.secrets.pds-master-key = { }; 49 49 + 50 50 + networking.firewall.allowedTCPPorts = [ 3000 ]; 51 51 + }

+5 -2

secrets/secrets.yaml

reviewed

··· 23 23 paperless-oidc-client-secret: ENC[AES256_GCM,data:5VRihI4tukYYMzW2E8QTXWgWospKAgf6AGyLKhAMB+Y=,iv:NgBA3E+9jWqXrSfige1Kn9P/egUtKABE81Hz6+/FiPE=,tag:NEoOub3oROlzgb4Z6Gm8Lg==,type:str] 24 24 paperless-admin-password: ENC[AES256_GCM,data:cFGZt5Iz3bFvFuu0a6DpkQMOCobwaYEXIxnVjtkWvRXNu+YTEK4Bp5cOnUNTCyQARZjAn/wow10nbeA=,iv:jOhVz2hHr/8VYcLfuf0g7eRR7I9HwyW8Tr5zC81mPTw=,tag:KezJTY6W0EFqz4DbMwqLlA==,type:str] 25 25 paperless-api-token: ENC[AES256_GCM,data:2deP+mqPVvajm1q+d7cLlid0gd/vo5/1BgPW1gyoezRDb/HxNMWemA==,iv:/J+C/ofDRHb6WpQnuYWzSPaSmkFi7mrxbh3D9sxJAE4=,tag:jHXP2aF+kD5zknUo1+XJRw==,type:str] 26 26 + pds-jwt-secret: ENC[AES256_GCM,data:wjlsFmthpVGJqhX0hoYCi0fEXvXT/AU9tlMKaJsx8NEd8a/gSNbha9Iw53bZIylLvH6C5u6OGHgD67HanzJcMA==,iv:bkbnVlijTGXF5WQcOYl74SYFDJiZ2PMlyMsI5Em685k=,tag:QYVPajVhYl/f+/O7jrIHFA==,type:str] 27 27 + pds-dpop-secret: ENC[AES256_GCM,data:6Z7WFE8ws4OI/golktA9QPRKRN3sA//Rlgv5kQQCS38NeLky2kVKUNd7h4DNYCpaBxtJ/EKrYdZxWISzUyO/rA==,iv:Y0Bt8RPt+8qkTdAVXF26EFolbMRrIxnDF4gXSXVUq1o=,tag:ckWfRpZc2OHO2AyZ3Plr8g==,type:str] 28 28 + pds-master-key: ENC[AES256_GCM,data:jLDqeb5NHwy7CeWbaee4QA6P8QjAVzrNXUwtY4DPd2f5bFx02MTMGLlVXjqwWLcSyRnLDYzQqAhb7WCbRvInPQ==,iv:90D4Vs8+iIbPyvp62ntuX3BlL62euwLQB1DxAsAcewI=,tag:wrpby5KkdHHuF4tVR4A1Lw==,type:str] 26 29 mumble-password: ENC[AES256_GCM,data:/GA5G4CEVQ==,iv:Ri70GW9Ln7vv3Nf0CSNW0PwypLUNvh+kvJjUqu393ig=,tag:NY+u/RxcKudlaZStgnGVTw==,type:str] 27 30 backup-repository: ENC[AES256_GCM,data:v6tUjTwVsym8i52jcapjSRXPIjX2xNFY+bZRkHnVsp4AebcksHzHEDX6N4BF3OuQ2KepOfHngMn61Mk=,iv:HPV+8aCPpvFnytja6RUA7hJdtz2BMI1zsH01w1J9r2w=,tag:znMIFmrcsKTIq2TowhAV0w==,type:str] 28 31 backup-identity: ENC[AES256_GCM,data:8TJP7vSWJAj56AcczQhMRoQqahxM4EGzPm+wk1apMD+L3pybXh/4LPp0DNcGugOb3RPTyjki6jZArDgiirS+ltbldaNQPZaZ4cFrtiJVt8D/iQlsgM9tR8oC7bcR4KV+UoVeeXJN0fWqy5U+IzJ87ZRKKyb9i8WKhPuWFIftb4KqZRyada7jhl/SzwuoIcw9BagMJPLv6BaUmNp1j5fOHvo7RseImiIqsbVo37NTqMMQf7PKM5gsMU6bbeAMjtdeC2RNVG21eop8JlO5uYVyjGxyl5wfU+PwMSRc+XNpgeVEv9mjdo6dkG3QC2poHZ77ot4py6HzQPUZjwLyFsr0ccC4e6e0PNOBtTPtku/LnXHsV45LB9Q3X7t9VSYCTtlJul2W8huZuCRnv7crvIUW21ZMTWiwMbqNEqDUJTBcPLDi42Ea4CvA+I6ODJP8n5g7GTHW0ggy6FtjVXH5DzhzJJULQ27kq97EWi43bSRv0N+N5C1viM+j+hs6tM5eQ15niRVB,iv:YpRoGlD8YFxZ+RChb6T4Eh665AMTTeTJXRFR0xa7l3k=,tag:FWOVonF+SYbbgQoopa2lhA==,type:str] ··· 73 76 ajA5bDZCY1BnblVYRGQ1QTE2S2I4M2cKSIGmFBP6sqiiM+cvTMQuZHit9fN5Vffk 74 77 1pWz8xSen/tqoywqipRf3LqzFb2K7Bx15vwazHbm6LJJa+ZQaruVMg== 75 78 -----END AGE ENCRYPTED FILE----- 76 76 - lastmodified: "2026-04-01T09:35:35Z" 77 77 - mac: ENC[AES256_GCM,data:SM9HRqjIxf5SMOYoJIQqTBxkQdL30rRHWF/Zp5m8FKEPOL63gcZIVatQxVevzZSpn1Cczkqx7QNxbo/xD3rEtQManQ0WhoY8RgcWtwLRh2RqxrxgEmJ2JpYvsnpECcxm7YfBdKT5b2nKbNHnDhOdcn9m3htQjCXTJ1aJ6c8mzsw=,iv:zXrt0oCPrGjCIqD55ll1kvX/scn8Ak4qw/cLmtSJWuk=,tag:wL6StpC5sp5BZsIC2Bg5Fw==,type:str] 79 79 + lastmodified: "2026-04-01T12:55:56Z" 80 80 + mac: ENC[AES256_GCM,data:4loi+YgMHZ9Jbp7EyVCtma6kpJh83Rg3Eqg2CAuWSn4LtSXHoHsW+HCeSFZwYKMPDrxN/FMv+z6w27j636fUdYplNZtk0ibQWFBsHIKGLSdHAMR09VO9a5D0nf93MNhr8BMYD9o+xVHrF8cMofplPt7EJyhzcZLmwpmyVQKfeyQ=,iv:YctgEsAHWnpn6cgSN2DzzUbX4Mgy5ajewDx33tZxVvE=,tag:7qF1Lf2WRlB90DXP6jw+Zw==,type:str] 78 81 unencrypted_suffix: _unencrypted 79 82 version: 3.12.2