+11 -2

secrets/kuribo/pds.env

reviewed

··· 3 3 PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=ENC[AES256_GCM,data:thNijhgsq106+SJVnoseWu1S8SU2AB8Z5EqjKUzMBm+29FB146dmqPOphXL5yBPDuj0gjzFvfu4W7BOAKcx7fA==,iv:zcmhJopT8WHN2GfhDGO1oYp/NeyPpXeNrg6AVmDYMGk=,tag:JLcO4aVuKMVgRU6pirks+A==,type:str] 4 4 PDS_EMAIL_SMTP_URL=ENC[AES256_GCM,data:ltLt4Q7CaIL4swhDA2pBcMRR2gaMGcYw/7E7JtU4bMotEXrEO19V5ySomjbdFs3ImFzMtVVNY0am9R5Q40TZq85r6zDsoGv6,iv:Kh10CNUhkzqj5PROyFgGme0KUspZL/epxiQf2Ej0G6Y=,tag:noT7j38nip6OLbnwr8AWDQ==,type:str] 5 5 PDS_EMAIL_FROM_ADDRESS=ENC[AES256_GCM,data:VxEX3on/7jQ/SXmr53bvFzd3O/xu,iv:yehoA4hxkJ6UOjv625834otS1Es4uKtarjZjKFk2sJI=,tag:XaplSBikfq97mLTq+XyOrQ==,type:str] 6 6 + PDS_BLOBSTORE_S3_BUCKET=ENC[AES256_GCM,data:a2jMY4b0HZEd,iv:IL4aG6cNOI3VLS+axwr47ZLPXQ8NAz4ZmtcHsVkYZE0=,tag:PedqBtofxgtARa4L81sMOw==,type:str] 7 7 + PDS_BLOBSTORE_S3_REGION=ENC[AES256_GCM,data:jA5Fbg==,iv:oa73XQbCcMuYlSaDzs6TgAxe8QkofaIbTLjGLYViGtE=,tag:RaJcADDkLBNAeP9deMqFqA==,type:str] 8 8 + PDS_BLOBSTORE_S3_ENDPOINT=ENC[AES256_GCM,data:f4Sg8Zb3KK7rbi7wxDvl05YcAq7FhejgbYRwQMNkzG8jxxk=,iv:RCN8LTqEb327n0ICipVerIAHXq/EzLsDx2uPIOg0VTc=,tag:/SV9uPuAr2S3O5rRDDqwRQ==,type:str] 9 9 + PDS_BLOBSTORE_S3_ACCESS_KEY_ID=ENC[AES256_GCM,data:3xbCb2QO3x/jI4W+OXTuLcA18XE=,iv:Bs9knoz+PVZRbUIF1TnVP8bvP8xbN7ItVgQHsDDkQd4=,tag:4yqYBRGHUA8KurW19G9X8A==,type:str] 10 10 + PDS_BLOBSTORE_S3_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:MWIwduFqqe20aYD7dGedcQskSQ6mAoDc55YvAjn1fYxzN6RCNgE28Q==,iv:C8NEL9+3UoN2uv8XG3Bpjedb1pans8g1YuyYdnQ918I=,tag:5hN28CsG67WOaL606k5Y6w==,type:str] 11 11 + PDS_HCAPTCHA_SITE_KEY=ENC[AES256_GCM,data:qkhAjbyESlfzmeeNFBvE9OmM5bsbAG/lK0TFgJ0yRpPU8sEP,iv:3LL84eHS9A8c2FFovYi/g4+NroqLesbjIFhDnqLtEnc=,tag:EMPmyYSubtK/RJsa7GglqA==,type:str] 12 12 + PDS_HCAPTCHA_SECRET_KEY=ENC[AES256_GCM,data:8eO1yMUYo3wnwe0z9n4WygNOpQPBmktbLukFSvAAOyC1Bic=,iv:5VllqLj5Wn0Lfj5X/Jobtk7qSRGm3rxIZuYFSyjkfJc=,tag:GQj6h6Fmzgj15LpQVKjUiQ==,type:str] 13 13 + PDS_HCAPTCHA_TOKEN_SALT=ENC[AES256_GCM,data:no+3mQ==,iv:qXz3svuAPQFEkidBIT0xND+69UjlNbwVqbIM/2rl6rE=,tag:WIP/jBABy2+k5EAD6Mb7AA==,type:str] 14 14 + CLOUDFLARE_API_TOKEN=ENC[AES256_GCM,data:1evMsnfzqoQtkFyzULhcKsmvOORGvRLUbUs1BvES7jQ99PFSUQ3B9w==,iv:6R40bMGDJOkD/OH9Cwzb6jjI1Syg90WvnVxHddd4yCU=,tag:U1sY/8m4VGOxh1IYQ/P3uQ==,type:str] 6 15 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkenRnNWFlMzBIOTJsclYw\nSkw3ZW9pa0NRejRQd1FmOENTaE54UU4rcHkwCjFBSXljeTdQeGhXZDZrWS9JUkx0\nUXpxWUVKZTdGWjVLT1FRUmloMXhNdWcKLS0tIEhERVFJNU5pSU00b3MxUHB1Y280\nWTFiaTh0YXJyUXFKNGNrOE84elRONVUK20OPeWSZW2A9mTnEDfQmDc7n3jvUQhxb\nBatl6b0ismrkTWcRJK8nxImcvxBtMMCLfzK5Wt/9gBLJ6VDT6UPYFg==\n-----END AGE ENCRYPTED FILE-----\n 7 16 sops_age__list_0__map_recipient=age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2 8 17 sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4OVBaMzZ3UGd1R25SczNN\nd3R6bzVGTkN0SWpjb05wankvb2tpNTJvZlR3CjhwYUdHaTJ6Y1VPSTltOHhNbWdL\ncGs3OEJqaFljUFRhUVNncm13RFdETTgKLS0tIG1Mb1ZXQ3BpejdteWFkWUFyOGJu\ndFpyWkNiK2hoNlROd09xTzVueFdSUmcKDrIcoDDH2O/c9dyS/oLL0rudsrsmtOhJ\n55QagSzYouGlJbpl2xtBeUplg1WcEBX7FSW3UWFbz+Gc0/Rv76jRCA==\n-----END AGE ENCRYPTED FILE-----\n 9 18 sops_age__list_1__map_recipient=age1dhxleu7puseq4fz5gprzdssprdd452kjry2n47xaqfh22p5eyqfs68zysl 10 10 - sops_lastmodified=2025-12-01T18:49:36Z 11 11 - sops_mac=ENC[AES256_GCM,data:tSPG0g8XpTu0IJ8GQKIUczVlreLbZ/VFncomwSVzFEIXloJ6QQsX2hobyFCW4RwovQoZnVfO4uL8Ku/SIjsLIMCejLiGXAa4r0VDDZtxhnaX7tPBecG7gE3Ke15V4bT6B9uxB7TGhJYTsTlq/tb8D7UZG2+yWudFry8ArJRFxp0=,iv:9vxvakrxx8EmNBPSY1wnoV5cHx2/8GqGhNLYHyDj74w=,tag:5NeNRKenYykPj6b13bHFOg==,type:str] 19 19 + sops_lastmodified=2025-12-04T01:38:29Z 20 20 + sops_mac=ENC[AES256_GCM,data:M25RTOpBGfBh6jC194BJtfMKTC4MGpOtlHQS9JamLIWz2Zgo9P0Lp92UsUcEEVUI2r3aQ+MQZVeKxmmIDPcSC+DcMY1vKJwoPRFKTifHxf2mXfj3fB8mjHJm+k2DvMFhWQ5lic5mznx08kTISwdmTZqPMybzypxzLOhM/aZm37Y=,iv:Zm8KCNSYmVbz0+inrInCC3IV0AU2mOhcr06w7APK5Vw=,tag:QwkTAYZZXVEcWNe1XbjDAQ==,type:str] 12 21 sops_unencrypted_suffix=_unencrypted 13 22 sops_version=3.11.0

+215

servers/kuribo/ondemand_tls_helper.py

reviewed

··· 1 1 + """ 2 2 + This HTTP service implements the /tls-check endpoint used by Caddy's 3 3 + on_demand_tls.ask configuration. Behavior: 4 4 + 5 5 + - If the query parameter `domain` is ALLOWED -> return HTTP 200 OK with body "OK". 6 6 + - Otherwise proxy the request (including the query string) to the real PDS 7 7 + tls-check endpoint at http://127.0.0.1:<PDS_PORT>/tls-check and forward 8 8 + the upstream status and body. 9 9 + """ 10 10 + 11 11 + import logging 12 12 + import os 13 13 + import socket 14 14 + import sys 15 15 + import urllib.error 16 16 + import urllib.request 17 17 + from http.server import BaseHTTPRequestHandler, HTTPServer 18 18 + from urllib.parse import parse_qs, urlparse 19 19 + 20 20 + # Configuration (can be overridden with env vars) 21 21 + PDS_PORT = int(os.environ.get("PDS_PORT", "3000")) 22 22 + LISTEN_HOST = os.environ.get("LISTEN_HOST", "127.0.0.1") 23 23 + LISTEN_PORT = int(os.environ.get("LISTEN_PORT", "8081")) 24 24 + TIMEOUT = float(os.environ.get("TIMEOUT", "5.0")) 25 25 + 26 26 + # Allowed domain values (lowercase) 27 27 + ALLOWED = {"pds", "knot", "spindle"} 28 28 + 29 29 + # Configure logging to stderr (systemd/journal-friendly) 30 30 + logging.basicConfig( 31 31 + level=logging.INFO, 32 32 + format="%(asctime)s %(levelname)s %(message)s", 33 33 + stream=sys.stderr, 34 34 + ) 35 35 + 36 36 + 37 37 + def filter_response_headers(headers): 38 38 + """ 39 39 + Given an iterable of (header, value) pairs or a mapping-like object, 40 40 + return a dict with hop-by-hop headers removed. This avoids sending 41 41 + problematic headers to the client (Caddy). 42 42 + """ 43 43 + hop_by_hop = { 44 44 + "connection", 45 45 + "keep-alive", 46 46 + "proxy-authenticate", 47 47 + "proxy-authorization", 48 48 + "te", 49 49 + "trailers", 50 50 + "transfer-encoding", 51 51 + "upgrade", 52 52 + } 53 53 + result = {} 54 54 + if hasattr(headers, "items"): 55 55 + iterator = headers.items() 56 56 + else: 57 57 + iterator = headers 58 58 + for k, v in iterator: 59 59 + if k.lower() not in hop_by_hop: 60 60 + result[k] = v 61 61 + return result 62 62 + 63 63 + 64 64 + class TLSCheckHandler(BaseHTTPRequestHandler): 65 65 + # Reduce console noise from BaseHTTPRequestHandler 66 66 + def log_message(self, format, *args): 67 67 + # route to logging module at INFO level 68 68 + logging.info("%s - %s", self.client_address[0], format % args) 69 69 + 70 70 + def _send(self, status, body=b"", headers=None): 71 71 + # Send status, headers, and body to the client 72 72 + self.send_response(status) 73 73 + if headers: 74 74 + for k, v in headers.items(): 75 75 + # BaseHTTPRequestHandler will fold multiple headers set via send_header 76 76 + # if necessary; we assume simple string values here. 77 77 + try: 78 78 + self.send_header(k, v) 79 79 + except Exception: 80 80 + # Ignore any header-setting errors; continue to send response 81 81 + logging.debug("skipping header %r due to error", k) 82 82 + else: 83 83 + self.send_header("Content-Type", "text/plain; charset=utf-8") 84 84 + self.end_headers() 85 85 + if body: 86 86 + if isinstance(body, str): 87 87 + body = body.encode("utf-8") 88 88 + try: 89 89 + self.wfile.write(body) 90 90 + except BrokenPipeError: 91 91 + # Client disconnected early; nothing to do 92 92 + pass 93 93 + 94 94 + def _proxy_to_pds(self, path_with_query): 95 95 + """ 96 96 + Proxy a request to http://127.0.0.1:<PDS_PORT><path_with_query>. 97 97 + Returns (status, body_bytes, headers_dict). 98 98 + """ 99 99 + target = f"http://127.0.0.1:{PDS_PORT}{path_with_query}" 100 100 + logging.debug("proxying to upstream: %s", target) 101 101 + req = urllib.request.Request( 102 102 + target, headers={"User-Agent": "ondemand-tls-helper/1.0"} 103 103 + ) 104 104 + try: 105 105 + with urllib.request.urlopen(req, timeout=TIMEOUT) as resp: 106 106 + data = resp.read() 107 107 + headers = filter_response_headers(resp.getheaders()) 108 108 + return resp.status, data, headers 109 109 + except urllib.error.HTTPError as e: 110 110 + # Upstream returned an HTTP error; return its body and status 111 111 + try: 112 112 + data = e.read() 113 113 + except Exception: 114 114 + data = b"" 115 115 + status = getattr(e, "code", 502) 116 116 + headers = {} 117 117 + logging.info("upstream returned HTTPError %s for %s", status, target) 118 118 + return status, data, headers 119 119 + except Exception as e: 120 120 + logging.exception("error proxying to upstream %s: %s", target, e) 121 121 + # Return 502 Bad Gateway 122 122 + return 502, f"upstream error: {e}".encode("utf-8"), {} 123 123 + 124 124 + def _get_domain_param(self): 125 125 + parsed = urlparse(self.path) 126 126 + qs = parse_qs(parsed.query) 127 127 + domain_vals = qs.get("domain") or [] 128 128 + if not domain_vals: 129 129 + return "" 130 130 + return domain_vals[0].strip().lower() 131 131 + 132 132 + def do_GET(self): 133 133 + parsed = urlparse(self.path) 134 134 + path_with_query = parsed.path + ("?" + parsed.query if parsed.query else "") 135 135 + domain = self._get_domain_param() 136 136 + 137 137 + if domain in ALLOWED: 138 138 + logging.debug("allowed domain %r -> returning 200", domain) 139 139 + return self._send(200, "OK") 140 140 + 141 141 + status, body, headers = self._proxy_to_pds(path_with_query) 142 142 + return self._send(status, body, headers=headers) 143 143 + 144 144 + def do_HEAD(self): 145 145 + parsed = urlparse(self.path) 146 146 + path_with_query = parsed.path + ("?" + parsed.query if parsed.query else "") 147 147 + domain = self._get_domain_param() 148 148 + 149 149 + if domain in ALLOWED: 150 150 + logging.debug("allowed domain (HEAD) %r -> returning 200", domain) 151 151 + return self._send(200, b"") 152 152 + 153 153 + status, _, headers = self._proxy_to_pds(path_with_query) 154 154 + return self._send(status, b"", headers=headers) 155 155 + 156 156 + 157 157 + def run(): 158 158 + server_address = (LISTEN_HOST, LISTEN_PORT) 159 159 + try: 160 160 + httpd = HTTPServer(server_address, TLSCheckHandler) 161 161 + except OSError as e: 162 162 + logging.error("cannot bind to %s:%s: %s", LISTEN_HOST, LISTEN_PORT, e) 163 163 + sys.exit(1) 164 164 + 165 165 + sa = httpd.socket.getsockname() 166 166 + logging.info("ondemand TLS helper listening on %s:%s", sa[0], sa[1]) 167 167 + try: 168 168 + httpd.serve_forever() 169 169 + except KeyboardInterrupt: 170 170 + logging.info("shutting down on keyboard interrupt") 171 171 + except Exception: 172 172 + logging.exception("server crashed") 173 173 + finally: 174 174 + try: 175 175 + httpd.server_close() 176 176 + except Exception: 177 177 + pass 178 178 + 179 179 + 180 180 + if __name__ == "__main__": 181 181 + # Allow override of config via arguments if invoked with simple flags: 182 182 + # --pds-port N --listen-host HOST --listen-port N --timeout S 183 183 + # to keep the script flexible for local testing. 184 184 + args = sys.argv[1:] 185 185 + it = iter(args) 186 186 + while True: 187 187 + try: 188 188 + a = next(it) 189 189 + except StopIteration: 190 190 + break 191 191 + if a in ("--pds-port",): 192 192 + try: 193 193 + PDS_PORT = int(next(it)) 194 194 + except StopIteration: 195 195 + break 196 196 + elif a in ("--listen-host",): 197 197 + try: 198 198 + LISTEN_HOST = next(it) 199 199 + except StopIteration: 200 200 + break 201 201 + elif a in ("--listen-port",): 202 202 + try: 203 203 + LISTEN_PORT = int(next(it)) 204 204 + except StopIteration: 205 205 + break 206 206 + elif a in ("--timeout",): 207 207 + try: 208 208 + TIMEOUT = float(next(it)) 209 209 + except StopIteration: 210 210 + break 211 211 + else: 212 212 + # ignore unknown args 213 213 + continue 214 214 + 215 215 + run()

+66 -6

servers/kuribo/pds.nix

reviewed

··· 1 1 - { config, ... }: 1 1 + { config, pkgs, ... }: 2 2 let 3 3 pdsSettings = config.services.bluesky-pds.settings; 4 4 in ··· 14 14 enable = true; 15 15 environmentFiles = [ config.sops.secrets.pds.path ]; 16 16 settings = { 17 17 + # https://github.com/bluesky-social/atproto/blob/main/packages/pds/src/config/env.ts 18 18 + 17 19 PDS_PORT = 3000; 18 20 PDS_HOSTNAME = "pds.starhaven.dev"; 19 19 - PDS_ADMIN_EMAIL = "admin@starhaven.dev"; 21 21 + PDS_CONTACT_EMAIL_ADDRESS = "admin@starhaven.dev"; 22 22 + PDS_SERVICE_HANDLE_DOMAINS = ".starhaven.dev"; 23 23 + 24 24 + # Branding 25 25 + PDS_SERVICE_NAME = "\"Star Haven\""; 26 26 + PDS_HOME_URL = "https://starhaven.dev"; 27 27 + #PDS_LOGO_URL 28 28 + PDS_PRIMARY_COLOR = "#dbb23e"; 29 29 + PDS_PRIMARY_COLOR_CONTRAST = "#000"; 30 30 + 31 31 + # S3 is configured in secrets 32 32 + PDS_BLOBSTORE_DISK_LOCATION = null; 20 33 }; 21 34 }; 22 35 23 36 services.caddy = { 24 37 enable = true; 38 38 + package = pkgs.caddy.withPlugins { 39 39 + plugins = [ "github.com/caddy-dns/cloudflare@v0.2.2" ]; 40 40 + hash = "sha256-ea8PC/+SlPRdEVVF/I3c1CBprlVp1nrumKM5cMwJJ3U="; 41 41 + }; 25 42 email = pdsSettings.PDS_ADMIN_EMAIL; 26 43 globalConfig = '' 27 44 on_demand_tls { 28 28 - ask http://127.0.0.1:${toString pdsSettings.PDS_PORT}/tls-check 45 45 + ask http://127.0.0.1:8081 29 46 } 47 47 + 48 48 + acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN} 30 49 ''; 31 31 - virtualHosts.${pdsSettings.PDS_HOSTNAME} = { 32 32 - serverAliases = [ "*.${pdsSettings.PDS_HOSTNAME}" ]; 50 50 + virtualHosts."*.starhaven.dev" = { 33 51 extraConfig = '' 34 52 tls { 35 53 on_demand 36 54 } 37 55 38 38 - reverse_proxy http://127.0.0.1:${toString pdsSettings.PDS_PORT} 56 56 + handle / { 57 57 + redir https://starhaven.dev 58 58 + } 59 59 + 60 60 + @knot host ${toString config.services.tangled.knot.server.hostname} 61 61 + handle @knot { 62 62 + reverse_proxy http://${toString config.services.tangled.knot.server.listenAddr} 63 63 + } 64 64 + 65 65 + @spindle host ${toString config.services.tangled.spindle.server.hostname} 66 66 + handle @spindle { 67 67 + reverse_proxy http://${toString config.services.tangled.spindle.server.listenAddr} 68 68 + } 39 69 40 70 handle /xrpc/app.bsky.unspecced.getAgeAssuranceState { 41 71 header content-type "application/json" ··· 43 73 header access-control-allow-origin "*" 44 74 respond `{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}` 200 45 75 } 76 76 + 77 77 + handle { 78 78 + reverse_proxy http://127.0.0.1:${toString pdsSettings.PDS_PORT} 79 79 + } 46 80 ''; 81 81 + }; 82 82 + }; 83 83 + systemd.services.caddy = { 84 84 + after = [ 85 85 + "ondemand-tls-helper.service" 86 86 + "sops-nix.service" 87 87 + ]; 88 88 + serviceConfig.EnvironmentFile = config.sops.secrets.pds.path; 89 89 + }; 90 90 + 91 91 + environment.etc."ondemand_tls_helper.py" = { 92 92 + source = ./ondemand_tls_helper.py; 93 93 + mode = "0755"; 94 94 + }; 95 95 + 96 96 + systemd.services.ondemand-tls-helper = { 97 97 + description = "On-demand TLS helper for Caddy (returns 200 for allowed domains or proxies to PDS)"; 98 98 + wantedBy = [ "multi-user.target" ]; 99 99 + after = [ "network.target" ]; 100 100 + 101 101 + serviceConfig = { 102 102 + ExecStart = "${pkgs.python3}/bin/python3 /etc/ondemand_tls_helper.py"; 103 103 + Environment = "PDS_PORT=${toString pdsSettings.PDS_PORT}"; 104 104 + User = "nobody"; 105 105 + Restart = "always"; 106 106 + RestartSec = 5; 47 107 }; 48 108 }; 49 109

-14

servers/kuribo/tangled.nix

reviewed

··· 1 1 - { config, ... }: 2 1 let 3 2 owner = "did:plc:tjgdahiw3u2djgnigyqeummg"; 4 3 in ··· 24 23 inherit owner; 25 24 hostname = "spindle.starhaven.dev"; 26 25 }; 27 27 - }; 28 28 - }; 29 29 - 30 30 - services.caddy.virtualHosts = { 31 31 - ${config.services.tangled.knot.server.hostname} = { 32 32 - extraConfig = '' 33 33 - reverse_proxy http://${toString config.services.tangled.knot.server.listenAddr} 34 34 - ''; 35 35 - }; 36 36 - ${config.services.tangled.spindle.server.hostname} = { 37 37 - extraConfig = '' 38 38 - reverse_proxy http://${toString config.services.tangled.spindle.server.listenAddr} 39 39 - ''; 40 26 }; 41 27 }; 42 28 }