+16 -10

dns/dnsconfig.js

reviewed

··· 8 8 var TRIMOUNTS_IP4 = "159.195.58.28"; 9 9 var TRIMOUNTS_IP6 = "2a0a:4cc0:c1:e83d::b00b"; 10 10 var TRIMOUNTS_IPS = [TRIMOUNTS_IP4, TRIMOUNTS_IP6]; 11 11 + var VOLSINII_IP4 = "199.71.188.53"; 12 12 + var VOLSINII_IP6 = ""; // no ipv6 for now 13 13 + var VOLSINII_IPS = [VOLSINII_IP4]; 11 14 12 15 function host(name, ips, opts) { 13 13 - if (opts) 14 14 - return [ 15 15 - A(name, ips[0], opts), 16 16 - AAAA(name, ips[1], opts), 17 17 - ]; 18 18 - else 19 19 - return [ 20 20 - A(name, ips[0]), 21 21 - AAAA(name, ips[1]), 22 22 - ]; 16 16 + var records = []; 17 17 + if (opts) { 18 18 + records.push(A(name, ips[0], opts)); 19 19 + if (ips[1]) records.push(AAAA(name, ips[1], opts)); 20 20 + } else { 21 21 + records.push(A(name, ips[0])); 22 22 + if (ips[1]) records.push(AAAA(name, ips[1])); 23 23 + } 24 24 + return records; 23 25 } 24 26 25 27 function hosts(_names, ips, opts) { ··· 44 46 function DZWONEK(names, opts) { 45 47 return hosts(names, DZWONEK_IPS, opts); 46 48 } 49 49 + function VOLSINII(names, opts) { 50 50 + return hosts(names, VOLSINII_IPS, opts); 51 51 + } 47 52 48 53 function IGNORE_ACME() { 49 54 return IGNORE_NAME("_acme-challenge"); ··· 62 67 CF_PROXY_OFF, 63 68 ), 64 69 DZWONEK("vpn", CF_PROXY_OFF), 70 70 + VOLSINII("tap", CF_PROXY_OFF), 65 71 // github pages 66 72 CNAME("dev", "90-008.github.io."), 67 73 // fastmail

+1 -1

hosts/volsinii/disk-config.nix

reviewed

··· 33 33 extraArgs = [ "-f" ]; # Override existing partition 34 34 mountpoint = "/"; 35 35 mountOptions = [ 36 36 - "compress=zstd" 36 36 + "compress-force=zstd:5" 37 37 "noatime" 38 38 ]; 39 39 };

+48

hosts/volsinii/modules/nginx.nix

reviewed

··· 1 1 + { 2 2 + inputs, 3 3 + ... 4 4 + }: 5 5 + { 6 6 + services.nginx = { 7 7 + enable = true; 8 8 + recommendedTlsSettings = true; 9 9 + recommendedOptimisation = true; 10 10 + recommendedGzipSettings = true; 11 11 + recommendedProxySettings = true; 12 12 + # /nginx_status 13 13 + statusPage = true; 14 14 + }; 15 15 + 16 16 + networking.firewall.allowedTCPPorts = [ 17 17 + 80 18 18 + 443 19 19 + ]; 20 20 + 21 21 + # output json logs so we can consume them more easily 22 22 + services.nginx.appendHttpConfig = '' 23 23 + log_format json_logs escape=json '{' 24 24 + '"_msg":"request completed",' 25 25 + '"time":"$time_local",' 26 26 + '"req.remoteAddr":"$remote_addr",' 27 27 + '"req.method":"$request_method",' 28 28 + '"req.url":"$uri",' 29 29 + '"req.httpVersion":"$server_protocol",' 30 30 + '"res.statusCode":$status,' 31 31 + '"res.bodySize":$body_bytes_sent,' 32 32 + '"req.headers.id":"$request_id",' 33 33 + '"req.headers.referer":"$http_referer",' 34 34 + '"req.headers.user-agent":"$http_user_agent",' 35 35 + '"requestTime":$request_time' 36 36 + '}'; 37 37 + access_log /var/log/nginx/access.log json_logs; 38 38 + ''; 39 39 + 40 40 + users.users.nginx.extraGroups = [ "acme" ]; 41 41 + 42 42 + security.acme = { 43 43 + acceptTerms = true; 44 44 + defaults.email = (import "${inputs.self}/personal.nix").emails.primary; 45 45 + defaults.webroot = "/var/lib/acme/acme-challenge"; 46 46 + certs."tap.gaze.systems" = { }; 47 47 + }; 48 48 + }

+41

hosts/volsinii/modules/tap.nix

reviewed

··· 1 1 + { terra, config, ... }: 2 2 + let 3 3 + domain = "tap.gaze.systems"; 4 4 + cfg = config.services.bluesky-tap; 5 5 + in 6 6 + { 7 7 + imports = [../../../modules/bluesky-tap.nix]; 8 8 + 9 9 + services.bluesky-tap = { 10 10 + enable = true; 11 11 + package = terra.bluesky-tap; 12 12 + fullNetwork = true; 13 13 + databaseUrl = "postgresql://bluesky-tap@/bluesky-tap"; 14 14 + bind = "127.0.0.1:2480"; 15 15 + metricsListen = "127.0.0.1:8765"; 16 16 + logLevel = "info"; 17 17 + }; 18 18 + 19 19 + # setup postgres 20 20 + services.postgresql = { 21 21 + enable = true; 22 22 + ensureDatabases = ["bluesky-tap"]; 23 23 + ensureUsers = [{ 24 24 + name = "bluesky-tap"; 25 25 + ensureDBOwnership = true; 26 26 + }]; 27 27 + }; 28 28 + 29 29 + # nginx reverse proxy 30 30 + services.nginx.virtualHosts.${domain} = { 31 31 + useACMEHost = domain; 32 32 + forceSSL = true; 33 33 + quic = true; 34 34 + kTLS = true; 35 35 + 36 36 + # locations."/" = { 37 37 + # proxyPass = "http://${cfg.bind}"; 38 38 + # proxyWebsockets = true; 39 39 + # }; 40 40 + }; 41 41 + }

+123

modules/bluesky-tap.nix

reviewed

··· 1 1 + { config, lib, ... }: 2 2 + let 3 3 + cfg = config.services.bluesky-tap; 4 4 + in 5 5 + { 6 6 + options.services.bluesky-tap = { 7 7 + enable = lib.mkEnableOption "bluesky network tap service"; 8 8 + 9 9 + package = lib.mkOption { 10 10 + type = lib.types.package; 11 11 + }; 12 12 + 13 13 + databaseUrl = lib.mkOption { 14 14 + type = lib.types.str; 15 15 + default = "sqlite:///var/lib/bluesky-tap/tap.db"; 16 16 + description = "database connection string (sqlite or postgresql)"; 17 17 + example = "postgresql://tap@/tap"; 18 18 + }; 19 19 + 20 20 + bind = lib.mkOption { 21 21 + type = lib.types.str; 22 22 + default = ":2480"; 23 23 + description = "HTTP server address"; 24 24 + }; 25 25 + 26 26 + relayUrl = lib.mkOption { 27 27 + type = lib.types.str; 28 28 + default = "https://relay1.us-east.bsky.network"; 29 29 + description = "AT Protocol relay URL"; 30 30 + }; 31 31 + 32 32 + fullNetwork = lib.mkOption { 33 33 + type = lib.types.bool; 34 34 + default = false; 35 35 + description = '' 36 36 + track all repos on the entire network. 37 37 + resource-intensive and takes days/weeks to complete backfill. 38 38 + ''; 39 39 + }; 40 40 + 41 41 + signalCollection = lib.mkOption { 42 42 + type = lib.types.nullOr lib.types.str; 43 43 + default = null; 44 44 + description = "track all repos with at least one record in this collection"; 45 45 + example = "app.bsky.actor.profile"; 46 46 + }; 47 47 + 48 48 + collectionFilters = lib.mkOption { 49 49 + type = lib.types.listOf lib.types.str; 50 50 + default = []; 51 51 + description = "collection filters (wildcards accepted)"; 52 52 + example = [ "app.bsky.feed.post" "app.bsky.graph.*" ]; 53 53 + }; 54 54 + 55 55 + metricsListen = lib.mkOption { 56 56 + type = lib.types.nullOr lib.types.str; 57 57 + default = ":8765"; 58 58 + description = "address for metrics/pprof server (disabled if null)"; 59 59 + }; 60 60 + 61 61 + disableAcks = lib.mkOption { 62 62 + type = lib.types.bool; 63 63 + default = false; 64 64 + description = "fire-and-forget mode, no client acks"; 65 65 + }; 66 66 + 67 67 + logLevel = lib.mkOption { 68 68 + type = lib.types.enum [ "debug" "info" "warn" "error" ]; 69 69 + default = "info"; 70 70 + description = "log verbosity"; 71 71 + }; 72 72 + }; 73 73 + 74 74 + config = lib.mkIf cfg.enable { 75 75 + systemd.services.bluesky-tap = { 76 76 + description = "bluesky network tap firehose consumer"; 77 77 + wantedBy = [ "multi-user.target" ]; 78 78 + after = [ "network.target" ]; 79 79 + 80 80 + environment = { 81 81 + TAP_DATABASE_URL = cfg.databaseUrl; 82 82 + TAP_BIND = cfg.bind; 83 83 + TAP_RELAY_URL = cfg.relayUrl; 84 84 + TAP_FULL_NETWORK = lib.boolToString cfg.fullNetwork; 85 85 + TAP_DISABLE_ACKS = lib.boolToString cfg.disableAcks; 86 86 + TAP_LOG_LEVEL = cfg.logLevel; 87 87 + } // lib.optionalAttrs (cfg.signalCollection != null) { 88 88 + TAP_SIGNAL_COLLECTION = cfg.signalCollection; 89 89 + } // lib.optionalAttrs (cfg.collectionFilters != []) { 90 90 + TAP_COLLECTION_FILTERS = lib.concatStringsSep "," cfg.collectionFilters; 91 91 + } // lib.optionalAttrs (cfg.metricsListen != null) { 92 92 + TAP_METRICS_LISTEN = cfg.metricsListen; 93 93 + }; 94 94 + 95 95 + serviceConfig = { 96 96 + Type = "simple"; 97 97 + ExecStart = "${cfg.package}/bin/tap run"; 98 98 + Restart = "on-failure"; 99 99 + RestartSec = "10s"; 100 100 + StateDirectory = "bluesky-tap"; 101 101 + WorkingDirectory = "/var/lib/bluesky-tap"; 102 102 + 103 103 + # create dedicated user instead of dynamic 104 104 + User = "bluesky-tap"; 105 105 + Group = "bluesky-tap"; 106 106 + 107 107 + # hardening 108 108 + NoNewPrivileges = true; 109 109 + PrivateTmp = true; 110 110 + ProtectSystem = "strict"; 111 111 + ProtectHome = true; 112 112 + ReadWritePaths = [ "/var/lib/bluesky-tap" ]; 113 113 + }; 114 114 + }; 115 115 + 116 116 + users.users.bluesky-tap = { 117 117 + isSystemUser = true; 118 118 + group = "bluesky-tap"; 119 119 + home = "/var/lib/bluesky-tap"; 120 120 + }; 121 121 + users.groups.bluesky-tap = {}; 122 122 + }; 123 123 + }

+25

pkgs-set/pkgs/bluesky-tap.nix

reviewed

··· 1 1 + { 2 2 + buildGoModule, 3 3 + fetchFromGitHub, 4 4 + ... 5 5 + }: 6 6 + let 7 7 + rev = "6818fd27ae5e3644fe7239eb68a1de6447d052c9"; 8 8 + in 9 9 + buildGoModule { 10 10 + pname = "bluesky-tap"; 11 11 + version = builtins.substring 0 8 rev; 12 12 + 13 13 + src = fetchFromGitHub { 14 14 + owner = "bluesky-social"; 15 15 + repo = "indigo"; 16 16 + inherit rev; 17 17 + hash = "sha256-NwfhXpo1uBbJe1w9CKejLEljaiu+5fumJFbD0w9+Aqk="; 18 18 + }; 19 19 + 20 20 + vendorHash = "sha256-UOedwNYnM8Jx6B7Y9tFcZX8IeUBESAFAPTRYk7n0yo8="; 21 21 + 22 22 + subPackages = [ "cmd/tap" ]; 23 23 + 24 24 + ldflags = [ "-s" "-w" ]; 25 25 + }