nixos server configurations

add tranquil-pds for migration

+113 -1
+4
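--- a/flake.nix
+++ b/flake.nix
@@ -8,6 +8,9 @@
 
 tangled.url = "git+https://tangled.org/tangled.org/core";
 tangled.inputs.nixpkgs.follows = "nixpkgs";
+
+tranquil-pds.url = "git+https://tangled.org/tranquil.farm/tranquil-pds";
+tranquil-pds.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs =
 inputs@{ nixpkgs, ... }:
@@ -20,6 +23,7 @@
 inputs.sops-nix.nixosModules.sops
 inputs.tangled.nixosModules.knot
 inputs.tangled.nixosModules.spindle
+inputs.tranquil-pds.nixosModules.tranquil-pds
 ];
 };
 };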
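Review bot: The new `tranquil-pds` input has no visible pin: the per-file counts on this page add up to the commit's +113 total, so `flake.lock` does not appear to be updated here, and the URL carries no `rev`. `inputs.tranquil-pds.nixosModules.tranquil-pds` is evaluated as part of the system configuration, so whatever the upstream branch head is when the input is first locked decides what gets deployed. Commit the `flake.lock` entry together with this change, or pin in the URL, e.g. `tranquil-pds.url = "git+https://tangled.org/tranquil.farm/tranquil-pds?rev=<COMMIT_SHA>";`. Both hunks show only part of the `inputs` set and the `modules` list.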
+6
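--- a/modules/hetzner-aarch64.nix
+++ b/modules/hetzner-aarch64.nix
@@ -39,4 +39,10 @@
 
 boot.tmp.cleanOnBoot = true;
 zramSwap.enable = true;
+
+# Add swap file for building large Rust projects
+swapDevices = [{
+device = "/swapfile";
+size = 4 * 1024; # 4GB
+}];
 }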
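Review bot: The added `/swapfile` is unencrypted disk swap in a module that looks shared by every Hetzner aarch64 host, so any long-lived secret in process memory can be paged out to disk. If kuribo imports this module, that now includes the PDS keys this commit introduces (`JWT_SECRET`, `MASTER_KEY`, `PLC_ROTATION_KEY`). If the swap exists only for Rust builds, consider `randomEncryption.enable = true;` inside the `swapDevices` entry (confirm it works with a file-backed device on your NixOS release), or define the swap file only on the host that builds. The module body starts outside this hunk.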
+28
secrets/kuribo/tranquil-pds.env
··· 1 + #ENC[AES256_GCM,data:uT7liv6i+39HBT1tMkHiTIGhUyXw,iv:92Ka7wMhb4KiL3dntrJ/noU4507aL7JW92CXt3JeSK0=,tag:KY8bJwDhCKvnQ3DUmk/oqA==,type:comment] 2 + #ENC[AES256_GCM,data:7OolqxEvGMgPdGPmENWsusNkCH/afKfL/wr20SqC5bzizOTY+vKqJ/JBsc4=,iv:eqo9z16twhExXhbCs2u0XTMK/rJWnXtx8BDx2yPpav8=,tag:uoEXFJo6XP9PRZUYkqMFhQ==,type:comment] 3 + JWT_SECRET=ENC[AES256_GCM,data:Mj1HC9XzBr5hjGHdLv+b2FExI+W6tTP5Z9qDomycr2M3OICj4wArt5Gf+YoGDWAgw96y1FueJuA7UZbpzdtdNA==,iv:Eah2ZgY//C0uUXq3rSHYqIWENKJkcdT8NUSIXH2HKVk=,tag:lxWGpzl13VeDg1wo/6cpDQ==,type:str] 4 + DPOP_SECRET=ENC[AES256_GCM,data:J2e1d0hyHRyKMSb/pZgb2aLCdWNwtZPAyV5I4f4yvx9zmaxs9KjicP0XODh9VkridbSUM4TRsC8IkuChMSTMhQ==,iv:ibMjSLvE6bxov7jtW99POXgK2Z7EAh5O+E9yUOtzGos=,tag:AnpEB0DM8eAsYx5IETQ74w==,type:str] 5 + MASTER_KEY=ENC[AES256_GCM,data:6O0m9MvoE1iWwd9WYpDMkxvIiHF7D3yJcduvKbA9bQwNyNS7ASlX8WtRsW9eYyqzJ9nExUTgsiRKWwrfLiRc8A==,iv:7AOGJcGRPjyD7ryAvZ1AN4u2348TQVBDKNzes3o1d4Q=,tag:ofpWXIfLDgMKUkqsWSSSiQ==,type:str] 6 + #ENC[AES256_GCM,data:0/SDGkkw2sqDOIkVdkSD6AhmPdobILxRhYGKj+8Ge45FWN2L0fnhT3s50Q==,iv:qRXdlOH3lEIBZDJhSaLR6fd4OQ5mr/lN6JTgrP3/Gnc=,tag:4srFAugJZ0sg/XrIPB3gpA==,type:comment] 7 + PLC_ROTATION_KEY=ENC[AES256_GCM,data:4A7+X1kvYXCjifiDtuoT8nthimenJ/5i0YKYgnvrplzH9b6gaF2yi2KOd2P/qGJzeWNYCV2wAigKsQ3+cs19sQ==,iv:iU+kjxRe+Sm4xhmzj0lFavnR4mgl5WS5yk6vQC6KuSk=,tag:AKcPp+w+NsL1MRb1+gulFw==,type:str] 8 + #ENC[AES256_GCM,data:Va4T6FcmXG6JzqOqTGeH2xP1UWI8fsuF0N0OSzKPbgs0oyrWLw==,iv:QykbfWjqo9MSPx+Z7DJPl979RrlU2m3tNgQMJgUKUL0=,tag:9TuIDROLYnHpomzXGRglaw==,type:comment] 9 + CLOUDFLARE_API_TOKEN=ENC[AES256_GCM,data:Wp+fQSFdA7mngPTxewSVGBftUEpaLW/TNrHTjVn+rY9rGyqfMIRevw==,iv:b4I8gS8yIURT7/QjJg282eEcXIXkLfV2To7zJlZaFDA=,tag:oZSAESmaHuw59XshEgTMNA==,type:str] 10 + #ENC[AES256_GCM,data:Rwsf2UXpqZZjTOIx7PQrY5VKYLvosACnAcs=,iv:1wwuqeU7slNLoY23WVMUjZ7Ds4rjs49CqSvjKRQ8Yr4=,tag:281fAfeJOMZBb6+5sssDYg==,type:comment] 11 + 
S3_BUCKET=ENC[AES256_GCM,data:zEBsVVwHOaxu,iv:FFNvGqOnTkSb/hThGE+4jhFVrtQu8UmuuFj1KLHUl4w=,tag:umarOwJihqvRnNXtzfBF9Q==,type:str] 12 + S3_ENDPOINT=ENC[AES256_GCM,data:0atTeoPoeFRbERHVGekwaAFeswWWhbIfqNH07e+WtboFrOM=,iv:MQ19TAXyyFiTy72vV7BNiIEV3mYub6rlnEMfaE5LYFI=,tag:JrpC0Tqf2lBffeS0UwnqyQ==,type:str] 13 + AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:o5qAatqaETTLuIeYX6wdjCT+8RE=,iv:VtZimAT/dv0naJClbs6Mww9l6xbeQ6J7o5zP9axdVb8=,tag:fsPq1GpVVfX9y3yKxo4ZXw==,type:str] 14 + AWS_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:xmOHAOBYKgEvTwi3IojhjXAxmCDjKD54ZqeLdypdPBCz6WgoCvXFKA==,iv:j8CknNrur0D0imZdMBI+1CLAD29raDSmowz2+5N4bU8=,tag:tIttmCQsXH8Zq+w6oNdMjw==,type:str] 15 + AWS_REGION=ENC[AES256_GCM,data:WtfRdA==,iv:z5V8PZAlArDKnxPepFd3DGOu1uHW8o8nvbuFBbESi1I=,tag:os0joOzJO9EpaTpeIRcLdQ==,type:str] 16 + #ENC[AES256_GCM,data:R84B2kDI3ksykBe5,iv:7IZFFAnaBqrnrMM24pDgBSGHqnLb2mPjgg46/LSRV+w=,tag:UigfhDaWXLLH/6KQkJekyg==,type:comment] 17 + SSO_DISCORD_CLIENT_ID=ENC[AES256_GCM,data:Uv+XhViVoEbpI2fWQ9RjU9CjCQ==,iv:MvxNPKKRPe64APkkQBl7bEH1NqLD14mAxLk1EbgV0hE=,tag:gmvLUgJb+APs6qr73LJKpg==,type:str] 18 + SSO_DISCORD_CLIENT_SECRET=ENC[AES256_GCM,data:c4hoEm3ITaT8WWjez+qFo/nrsIs5PtCBnolGDt15AcQ=,iv:qTUxN79YxAKBJUkx5wyrX/4u3u1BEdEJBiUQ6YypLgk=,tag:j3dJ9tTW+RuN9FuOhqzHpQ==,type:str] 19 + #ENC[AES256_GCM,data:GFLA9tgtlgwWaqPG+Hhk6b5DD8DlnSM/iZkZcPQKQFKuqxuVE/oAd+n085zi18FKaqr+q1t6Xq/+HV09uEI=,iv:dlD06U+hXgmkXTztm1ZjcG10Ip4IPPFxxAb1C82saWE=,tag:/aG7Mw9N120fhxYHx0pvaQ==,type:comment] 20 + MAIL_FROM_ADDRESS=ENC[AES256_GCM,data:NBu6w+LxPvPZ7qRBoxZHMvUbPOg+,iv:KBpxZgwwjDSdXjX7mcCNNiL/A90+V0pd84d3OZbfJiA=,tag:3rzQ0dlsT4Fw09+YzFmEGQ==,type:str] 21 + sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLam52UzJyMFBUaWVWWStZ\nNUpBbHFjNHdqc1ZFTE96Q0laWWJjRDFHRm53ClIzVjd0UnRDS09jTmdGZ0MyZm5s\nd3I5UG5SUFB0VWFFUHgraFNhZFNzclEKLS0tIHlGNE1uTFBBUEZrM0RSU0dPMWZu\ncWtuSEVhRUtBMkpiSk9GWWhoTnZxZEkKiKWdUZ4mqvqAmqd013xd5tW5UGcMY8Wi\nkc/y1UlZnJFMU3OoICdWXEbet81TQriNxPjXjhgmBUlK3zfzy6LGIg==\n-----END AGE ENCRYPTED FILE-----\n 22 + sops_age__list_0__map_recipient=age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2 23 + sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLS2ZYSExScEhhV1NRZUc4\nU1pDOU5ydVlPb2NNdHUxTmNYMHhqMDBRU3o0Ck91MHRKY2RJWG1FRlhGbGRNSHRw\nVGRpV3o0K3ZzaWxJK1NqNG5oRnYwY0EKLS0tIFFOWm05ZEtSMUFsME1WMGtKdEFs\nU1RCR29vREwzQXJZSXJoVmR3Y2IvTUEKps6/I4f4Ec73c+N0JN+xSyQfMfEsqHda\noC++w3UpkCkyNKiLWbbTaWMCjRoSX7jhKEmCZvoU7J1X4pTRFHFAQQ==\n-----END AGE ENCRYPTED FILE-----\n 24 + sops_age__list_1__map_recipient=age1dhxleu7puseq4fz5gprzdssprdd452kjry2n47xaqfh22p5eyqfs68zysl 25 + sops_lastmodified=2026-03-27T03:46:07Z 26 + sops_mac=ENC[AES256_GCM,data:4IaypLApjBuyujeJNsBjYN3i3TW7Duvj532ex5EdtkrCuNhmoB+YoC6yoO3ap6Sq21M8yBmeyZKfxrDHQAUL+xoxQXQAyj/Ot1ZbGLwo/w1EI5ka/0+ohOxkb/Bc75ioGyu8x+605dEQYst2Sm6nTKkEclDoaM3FzZGd6gHtM8g=,iv:4sKe7PxjGw/curGjnq3d4bRb7N3EcXFd0e44oZYY3ZA=,tag:Q6JtBs31lu/KEc4WoXEXiQ==,type:str] 27 + sops_unencrypted_suffix=_unencrypted 28 + sops_version=3.11.0
+2 -1
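--- a/servers/kuribo/configuration.nix
+++ b/servers/kuribo/configuration.nix
@@ -5,7 +5,8 @@
 ../../modules/gc.nix
 ../../users/users.nix
 ./caddy.nix
-./pds.nix
+./pds.nix # Old PDS on port 3000 - remove after migration
+./tranquil-pds.nix # Tranquil on port 3001 at new.pds.starhaven.dev
 ./tangled.nix
 ./papermario-dx-build.nix
 ];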
+73
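--- a/servers/kuribo/tranquil-pds.nix
+++ b/servers/kuribo/tranquil-pds.nix
@@ -0,0 +1,73 @@
+# STAGING CONFIG: Tranquil at new.pds.starhaven.dev (port 3001)
+# Old PDS stays at pds.starhaven.dev (port 3000)
+# After migration, change hostname back to pds.starhaven.dev and port to 3000
+{ config, pkgs, ... }:
+{
+sops.secrets.tranquil-pds = {
+sopsFile = ../../secrets/kuribo/tranquil-pds.env;
+format = "dotenv";
+owner = "tranquil-pds";
+group = "tranquil-pds";
+};
+
+services.tranquil-pds = {
+enable = true;
+database.createLocally = true;
+environmentFiles = [ config.sops.secrets.tranquil-pds.path ];
+
+settings = {
+server = {
+# STAGING: temporary subdomain during migration
+hostname = "new.pds.starhaven.dev";
+port = 3001;
+user_handle_domains = [ ".starhaven.dev" ];
+contact_email = "admin@starhaven.dev";
+
+# Open registration (no invite required)
+invite_code_required = false;
+};
+
+storage = {
+# S3 config comes from environment file
+backend = "s3";
+};
+
+email = {
+from_address = "noreply@starhaven.dev";
+from_name = "Star Haven";
+};
+
+# Discord SSO (credentials in env file)
+sso.discord = {
+enabled = true;
+display_name = "Discord";
+};
+
+# Accept repo imports for migration
+import = {
+accepting = true;
+max_size = 1073741824; # 1GB
+};
+};
+};
+
+# Caddy: serve both old PDS and new Tranquil
+services.caddy.virtualHosts."new.pds.starhaven.dev" = {
+extraConfig = ''
+tls {
+dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+}
+reverse_proxy http://127.0.0.1:3001
+'';
+};
+
+# Caddy needs the secrets for CLOUDFLARE_API_TOKEN
+systemd.services.caddy = {
+after = [
+"tranquil-pds.service"
+"ondemand-tls-helper.service"
+"sops-nix.service"
+];
+serviceConfig.EnvironmentFile = config.sops.secrets.tranquil-pds.path;
+};
+}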
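Review bot: `serviceConfig.EnvironmentFile = config.sops.secrets.tranquil-pds.path;` under `systemd.services.caddy` loads the whole PDS dotenv into Caddy's environment to supply one variable. The internet-facing proxy therefore also receives `JWT_SECRET`, `DPOP_SECRET`, `MASTER_KEY`, `PLC_ROTATION_KEY`, the S3 keys and the Discord client secret, and the PDS in turn receives the Cloudflare token. Move `CLOUDFLARE_API_TOKEN` into its own sops file and secret and point Caddy at that, e.g. `serviceConfig.EnvironmentFile = config.sops.secrets.caddy-cloudflare.path;` (the secret name is only a suggestion). A comment next to `invite_code_required = false;` and `import.accepting = true;` should also say when they are switched off again, since together they let anyone register and upload up to 1 GB while the staging host is public.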