+25

secrets/kuribo/papermario-dx-build.json

reviewed

··· 1 1 + { 2 2 + "baseromUrl": "ENC[AES256_GCM,data:GQ8LVJL17pJ8kzdxU7YEnus3ZX7gBO95xdcAGJGMq043fnURqRb21++CAWTFm+/XICm+DfiuFA8pHMKEp0MvNlD5mIGDFBtmzTIaPn11QCM=,iv:+EHYAWbGl1bTemYluxDAO4E0a4SbDHbMwuA+k2+iIbI=,tag:o0BvKJO1Zp6graujgHWv9Q==,type:str]", 3 3 + "sccache": { 4 4 + "endpoint": "ENC[AES256_GCM,data:Lc7hXbrtT6j35iS9sNgPUwnEhsP8snvQVtoq,iv:H2QpjDD90+Q+T814OFPwUn621k90udGqTGpEDIZcjXE=,tag:qiG4+dwxkMJzO/vJ64vj9g==,type:str]", 5 5 + "bucket": "ENC[AES256_GCM,data:MkQxbbWDpQ==,iv:DPDVjzgn0YbWrPouFTlFVOz/ghersSBSr7HzQB6+IZ0=,tag:y0NJvelED0c1fzX9Ypx8HQ==,type:str]", 6 6 + "accessKey": "ENC[AES256_GCM,data:PgxncgfKg71JpvNI3zcDVsLxfbQ=,iv:XwlfbtxievXT0GDQBUOWvcW/dX1nt/VJaFVKCKLRuSc=,tag:q9GedCxhCKV3ex9UvxdCNA==,type:str]", 7 7 + "secretKey": "ENC[AES256_GCM,data:zUHw1WEZSLOb9N/5eKIp/q0kjtxgWXzNv7dQVClQ0wvzT4TOwe5olg==,iv:lZ8t8hio9vuWmMaqU75VLQyiq4G0Mi0DSdo3Ma3oLDc=,tag:LDi7HDQ5HV2tevL3sXJ8Qw==,type:str]" 8 8 + }, 9 9 + "sops": { 10 10 + "age": [ 11 11 + { 12 12 + "recipient": "age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2", 13 13 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZWGwyd2pUL2hNU1VYMVEy\nT0p1ZEpML1dOK1ZoK3Bscks5RldteFJtMUdNCjFhcXFjR01IVEE4d0p1K2k3c2lN\nTnM3Vm91dGEwaEVTRkhodUZINEtmdVEKLS0tIDY1cTR0OXJzeSs1LzNLbXdLMDdR\na1VneTZlOXlTVXppMGF5OUZZckpGaVUKMRGVmtHhfHs4c8Qnv7cntCRccrh4kHLI\ns+Xu4KSiqW+xTgBB6QKeDypRoDWUk3Jzm6uYqZdfWbCFxbSURrkZow==\n-----END AGE ENCRYPTED FILE-----\n" 14 14 + }, 15 15 + { 16 16 + "recipient": "age1dhxleu7puseq4fz5gprzdssprdd452kjry2n47xaqfh22p5eyqfs68zysl", 17 17 + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3VDVPSDFrdzYxTHJYTkZM\nTTF0Yk1WWDJVbllwaU5tdjhtb2VyYWhiemxNCjRvVHB4YjRHNXlYU1VSanEyUW4y\nUnlUbTdxZEM5dkNMTFpPOVlJbEozS1UKLS0tIGxoRTNxbVVJTWFuOVdPRmU0VmNE\nc0IrQ01LNzFRaklsRWI1THlBSDA4Y1UKVJvM77yd9kp0Q6nOkcrxq6aTANEo898W\nAphZshPVi9wG3AdZnAtkXbhB5V0nnsv098RYgt0u70WYADjw5BVPkQ==\n-----END AGE ENCRYPTED FILE-----\n" 18 18 + } 19 19 + ], 20 20 + "lastmodified": "2026-03-22T16:44:04Z", 21 21 + "mac": "ENC[AES256_GCM,data:W9PQ84hRNsFl8aBZ7UN09kackvj9k3HIY7o3JGmO2GjEP6tlO5/4Pr9xPQHn5MiPLsO15ghYl5nVkgcoBpOZCuePbzqZtv44SSW4+/DfygpfrT/yhE/UkkeHfifZzbLM09tOnxQEuOFto+oBttPJo9UzFUMXBmnleXZvqv4fr7U=,iv:7hybudHPn5PU7Rq9WqGMEf/MQ3gplyshSCZfMLqcIuY=,tag:VdhS0wewnaRqarwWdXmQeQ==,type:str]", 22 22 + "unencrypted_suffix": "_unencrypted", 23 23 + "version": "3.11.0" 24 24 + } 25 25 + }

+78

servers/kuribo/caddy.nix

reviewed

··· 1 1 + { config, pkgs, lib, ... }: 2 2 + let 3 3 + cfg = config.starhaven.caddy; 4 4 + in 5 5 + { 6 6 + options.starhaven.caddy = { 7 7 + extraHandles = lib.mkOption { 8 8 + type = lib.types.lines; 9 9 + default = ""; 10 10 + description = "Extra handle blocks for the *.starhaven.dev virtualHost. These are placed before the fallback handler."; 11 11 + }; 12 12 + fallbackHandle = lib.mkOption { 13 13 + type = lib.types.lines; 14 14 + default = ""; 15 15 + description = "Fallback handle block (catch-all, placed last)."; 16 16 + }; 17 17 + adminEmail = lib.mkOption { 18 18 + type = lib.types.str; 19 19 + default = "admin@starhaven.dev"; 20 20 + }; 21 21 + }; 22 22 + 23 23 + config = { 24 24 + services.caddy = { 25 25 + enable = true; 26 26 + package = pkgs.caddy.withPlugins { 27 27 + plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ]; 28 28 + hash = "sha256-ea8PC/+SlPRdEVVF/I3c1CBprlVp1nrumKM5cMwJJ3U="; 29 29 + }; 30 30 + email = cfg.adminEmail; 31 31 + globalConfig = '' 32 32 + on_demand_tls { 33 33 + ask http://127.0.0.1:8081 34 34 + } 35 35 + 36 36 + acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN} 37 37 + ''; 38 38 + virtualHosts."*.starhaven.dev" = { 39 39 + extraConfig = '' 40 40 + tls { 41 41 + on_demand 42 42 + } 43 43 + 44 44 + handle / { 45 45 + redir https://starhaven.dev 46 46 + } 47 47 + 48 48 + ${cfg.extraHandles} 49 49 + 50 50 + ${cfg.fallbackHandle} 51 51 + ''; 52 52 + }; 53 53 + }; 54 54 + 55 55 + environment.etc."ondemand_tls_helper.py" = { 56 56 + source = ./ondemand_tls_helper.py; 57 57 + mode = "0755"; 58 58 + }; 59 59 + 60 60 + systemd.services.ondemand-tls-helper = { 61 61 + description = "On-demand TLS helper for Caddy (returns 200 for allowed domains or proxies to PDS)"; 62 62 + wantedBy = [ "multi-user.target" ]; 63 63 + after = [ "network.target" ]; 64 64 + 65 65 + serviceConfig = { 66 66 + ExecStart = "${pkgs.python3}/bin/python3 /etc/ondemand_tls_helper.py"; 67 67 + User = "nobody"; 68 68 + Restart = "always"; 69 69 + RestartSec = 5; 70 70 + }; 71 71 + }; 72 72 + 73 73 + networking.firewall.allowedTCPPorts = [ 74 74 + 80 75 75 + 443 76 76 + ]; 77 77 + }; 78 78 + }

+2

servers/kuribo/configuration.nix

reviewed

··· 4 4 ../../modules/auto-upgrade.nix 5 5 ../../modules/gc.nix 6 6 ../../users/users.nix 7 7 + ./caddy.nix 7 8 ./pds.nix 8 9 ./tangled.nix 10 10 + ./papermario-dx-build.nix 9 11 ]; 10 12 11 13 networking.hostName = "kuribo";

+1 -1

servers/kuribo/ondemand_tls_helper.py

reviewed

··· 24 24 TIMEOUT = float(os.environ.get("TIMEOUT", "5.0")) 25 25 26 26 # Allowed domain values (lowercase) 27 27 - ALLOWED = {"pds", "knot", "spindle"} 27 27 + ALLOWED = {"pds", "knot", "spindle", "papermario-dx"} 28 28 29 29 # Configure logging to stderr (systemd/journal-friendly) 30 30 logging.basicConfig(

+65

servers/kuribo/papermario-dx-build.nix

reviewed

··· 1 1 + { config, pkgs, ... }: 2 2 + { 3 3 + sops.secrets."papermario-dx/baseromUrl" = { 4 4 + sopsFile = ../../secrets/kuribo/papermario-dx-build.json; 5 5 + format = "json"; 6 6 + key = "baseromUrl"; 7 7 + }; 8 8 + sops.secrets."papermario-dx/sccache/endpoint" = { 9 9 + sopsFile = ../../secrets/kuribo/papermario-dx-build.json; 10 10 + format = "json"; 11 11 + key = "sccache/endpoint"; 12 12 + }; 13 13 + sops.secrets."papermario-dx/sccache/bucket" = { 14 14 + sopsFile = ../../secrets/kuribo/papermario-dx-build.json; 15 15 + format = "json"; 16 16 + key = "sccache/bucket"; 17 17 + }; 18 18 + sops.secrets."papermario-dx/sccache/accessKey" = { 19 19 + sopsFile = ../../secrets/kuribo/papermario-dx-build.json; 20 20 + format = "json"; 21 21 + key = "sccache/accessKey"; 22 22 + }; 23 23 + sops.secrets."papermario-dx/sccache/secretKey" = { 24 24 + sopsFile = ../../secrets/kuribo/papermario-dx-build.json; 25 25 + format = "json"; 26 26 + key = "sccache/secretKey"; 27 27 + }; 28 28 + 29 29 + systemd.services.papermario-dx-build-json = { 30 30 + description = "Generate papermario-dx build.json from sops secrets"; 31 31 + wantedBy = [ "caddy.service" ]; 32 32 + before = [ "caddy.service" ]; 33 33 + after = [ "sops-nix.service" ]; 34 34 + serviceConfig = { 35 35 + Type = "oneshot"; 36 36 + RemainAfterExit = true; 37 37 + }; 38 38 + script = let 39 39 + s = name: config.sops.secrets."papermario-dx/${name}".path; 40 40 + in '' 41 41 + mkdir -p /run/papermario-dx 42 42 + cat > /run/papermario-dx/build.json <<ENDJSON 43 43 + { 44 44 + "baseromUrl": "$(cat ${s "baseromUrl"})", 45 45 + "sccache": { 46 46 + "endpoint": "$(cat ${s "sccache/endpoint"})", 47 47 + "bucket": "$(cat ${s "sccache/bucket"})", 48 48 + "accessKey": "$(cat ${s "sccache/accessKey"})", 49 49 + "secretKey": "$(cat ${s "sccache/secretKey"})" 50 50 + } 51 51 + } 52 52 + ENDJSON 53 53 + chmod 644 /run/papermario-dx/build.json 54 54 + ''; 55 55 + }; 56 56 + 57 57 + # Serve the decrypted build.json at papermario-dx.starhaven.dev 58 58 + starhaven.caddy.extraHandles = '' 59 59 + @papermario-dx host papermario-dx.starhaven.dev 60 60 + handle @papermario-dx { 61 61 + root * /run/papermario-dx 62 62 + file_server 63 63 + } 64 64 + ''; 65 65 + }

+19 -69

servers/kuribo/pds.nix

reviewed

··· 34 34 }; 35 35 }; 36 36 37 37 - services.caddy = { 38 38 - enable = true; 39 39 - package = pkgs.caddy.withPlugins { 40 40 - plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ]; 41 41 - hash = "sha256-ea8PC/+SlPRdEVVF/I3c1CBprlVp1nrumKM5cMwJJ3U="; 42 42 - }; 43 43 - email = pdsSettings.PDS_ADMIN_EMAIL; 44 44 - globalConfig = '' 45 45 - on_demand_tls { 46 46 - ask http://127.0.0.1:8081 47 47 - } 48 48 - 49 49 - acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN} 50 50 - ''; 51 51 - virtualHosts."*.starhaven.dev" = { 52 52 - extraConfig = '' 53 53 - tls { 54 54 - on_demand 55 55 - } 56 56 - 57 57 - handle / { 58 58 - redir https://starhaven.dev 59 59 - } 60 60 - 61 61 - @knot host ${toString config.services.tangled.knot.server.hostname} 62 62 - handle @knot { 63 63 - reverse_proxy http://${toString config.services.tangled.knot.server.listenAddr} 64 64 - } 65 65 - 66 66 - @spindle host ${toString config.services.tangled.spindle.server.hostname} 67 67 - handle @spindle { 68 68 - reverse_proxy http://${toString config.services.tangled.spindle.server.listenAddr} 69 69 - } 70 70 - 71 71 - handle /xrpc/app.bsky.unspecced.getAgeAssuranceState { 72 72 - header content-type "application/json" 73 73 - header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy" 74 74 - header access-control-allow-origin "*" 75 75 - respond `{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}` 200 76 76 - } 37 37 + # Caddy config 38 38 + starhaven.caddy.adminEmail = pdsSettings.PDS_ADMIN_EMAIL; 39 39 + starhaven.caddy.extraHandles = '' 40 40 + handle /xrpc/app.bsky.unspecced.getAgeAssuranceState { 41 41 + header content-type "application/json" 42 42 + header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy" 43 43 + header access-control-allow-origin "*" 44 44 + respond `{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}` 200 45 45 + } 46 46 + ''; 47 47 + starhaven.caddy.fallbackHandle = '' 48 48 + handle { 49 49 + reverse_proxy http://127.0.0.1:${toString pdsSettings.PDS_PORT} 50 50 + } 51 51 + ''; 77 52 78 78 - handle { 79 79 - reverse_proxy http://127.0.0.1:${toString pdsSettings.PDS_PORT} 80 80 - } 81 81 - ''; 82 82 - }; 83 83 - }; 53 53 + # Caddy needs the PDS env file for CLOUDFLARE_API_TOKEN 84 54 systemd.services.caddy = { 85 55 after = [ 86 56 "ondemand-tls-helper.service" ··· 89 59 serviceConfig.EnvironmentFile = config.sops.secrets.pds.path; 90 60 }; 91 61 92 92 - environment.etc."ondemand_tls_helper.py" = { 93 93 - source = ./ondemand_tls_helper.py; 94 94 - mode = "0755"; 95 95 - }; 96 96 - 97 97 - systemd.services.ondemand-tls-helper = { 98 98 - description = "On-demand TLS helper for Caddy (returns 200 for allowed domains or proxies to PDS)"; 99 99 - wantedBy = [ "multi-user.target" ]; 100 100 - after = [ "network.target" ]; 101 101 - 102 102 - serviceConfig = { 103 103 - ExecStart = "${pkgs.python3}/bin/python3 /etc/ondemand_tls_helper.py"; 104 104 - Environment = "PDS_PORT=${toString pdsSettings.PDS_PORT}"; 105 105 - User = "nobody"; 106 106 - Restart = "always"; 107 107 - RestartSec = 5; 108 108 - }; 109 109 - }; 110 110 - 111 111 - networking.firewall.allowedTCPPorts = [ 112 112 - 80 113 113 - 443 114 114 - ]; 62 62 + # On-demand TLS helper proxies unknown domain checks to PDS 63 63 + systemd.services.ondemand-tls-helper.serviceConfig.Environment = 64 64 + "PDS_PORT=${toString pdsSettings.PDS_PORT}"; 115 65 }

+14

servers/kuribo/tangled.nix

reviewed

··· 1 1 + { config, ... }: 1 2 let 2 3 owner = "did:plc:tjgdahiw3u2djgnigyqeummg"; 3 4 in ··· 25 26 }; 26 27 }; 27 28 }; 29 29 + 30 30 + # Caddy: reverse proxy to knot and spindle 31 31 + starhaven.caddy.extraHandles = '' 32 32 + @knot host ${toString config.services.tangled.knot.server.hostname} 33 33 + handle @knot { 34 34 + reverse_proxy http://${toString config.services.tangled.knot.server.listenAddr} 35 35 + } 36 36 + 37 37 + @spindle host ${toString config.services.tangled.spindle.server.hostname} 38 38 + handle @spindle { 39 39 + reverse_proxy http://${toString config.services.tangled.spindle.server.listenAddr} 40 40 + } 41 41 + ''; 28 42 }