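# NixOS module: runs a Bluesky PDS in a container built with dockerTools,
# fronts it with nginx over TLS, and obtains a wildcard certificate for the
# PDS hostname through ACME DNS-01 (Cloudflare).
{ config, pkgs, auxiliaryPkgs, ... }:

let
  inherit (pkgs) dockerTools glibc;
  inherit (auxiliaryPkgs) common;
  inherit (auxiliaryPkgs.bluesky) pds pdsadmin;
  inherit (config.age) secrets;

  # Single source of truth for values that were previously repeated as
  # literals; the evaluated configuration is unchanged.
  pdsHostname = "pds.rnrd.eu";
  pdsLocalPort = 16419; # host-side port nginx proxies to
  pdsContainerPort = 3000; # port the PDS listens on inside the container
  pdsDir = "/srv/pds";

  pdsImage = dockerTools.streamLayeredImage {
    name = "pds";
    tag = pds.version;
    fromImage = common.alpine.base;
    contents = [ pds pdsadmin glibc ];

    # This convinces `detect-libc`, which is used by `sharp` to pick the
    # correct binary artifact, that we're using glibc and not musl.
    extraCommands = ''
      mkdir -p usr/bin
      ln -s ${glibc.bin}/bin/ldd usr/bin/ldd
    '';
  };
in
{
  # agenix-managed secrets: only the encrypted .age files are referenced
  # here; consumers below use the decrypted runtime paths.
  age.secrets = {
    pds-secrets.file = ../secrets/pds-secrets.age;
    cloudflare-dns.file = ../secrets/cloudflare-dns.age;
  };

  foundation.services.pds = {
    image = pdsImage;

    # NOTE(review): confirm foundation.services publishes this mapping on
    # 127.0.0.1 only. nginx reaches the PDS over loopback; a publish on all
    # interfaces would make the plain-HTTP port reachable past the TLS proxy.
    ports = [ [ pdsLocalPort pdsContainerPort ] ];
    volumes = [ [ pdsDir "/pds" ] ];

    # Non-secret settings only. Everything in this attrset is evaluated into
    # the system configuration, so secret values belong in environmentFiles.
    environment = {
      PDS_PORT = toString pdsContainerPort;
      PDS_HOSTNAME = pdsHostname;
      PDS_DATA_DIRECTORY = "/pds";
      PDS_BLOBSTORE_DISK_LOCATION = "/pds/blocks";
      # 50 MiB. NOTE(review): nginx's client_max_body_size must be at least
      # this large or uploads are rejected at the proxy; it is not set in
      # this file — confirm it is configured elsewhere.
      PDS_BLOB_UPLOAD_LIMIT = "52428800";
      PDS_DID_PLC_URL = "https://plc.directory";
      PDS_BSKY_APP_VIEW_URL = "https://api.bsky.app";
      PDS_BSKY_APP_VIEW_DID = "did:web:api.bsky.app";
      PDS_REPORT_SERVICE_URL = "https://mod.bsky.app";
      PDS_REPORT_SERVICE_DID = "did:plc:ar7c4by46qjdydhdevvrndac";
      PDS_CRAWLERS = "https://bsky.network";
      LOG_ENABLED = "true";
    };

    # Decrypted agenix file, passed by path so its contents stay out of
    # the Nix store.
    environmentFiles = [ secrets.pds-secrets.path ];
    workdir = "/pds";
    entrypoint = "${pds}/bin/pds";
  };

  # Wildcard certificates require the DNS-01 challenge, hence the DNS
  # provider credentials. NOTE(review): the Cloudflare token should be
  # scoped to DNS edits on this zone only — verify when rotating it.
  security.acme.certs.${pdsHostname} = {
    domain = "*.${pdsHostname}";
    extraDomainNames = [ pdsHostname ];
    dnsProvider = "cloudflare";
    credentialFiles = {
      CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
    };
  };

  services.nginx.virtualHosts.${pdsHostname} = {
    serverAliases = [ "*.${pdsHostname}" ];
    forceSSL = true;
    useACMEHost = pdsHostname;

    locations."/" = {
      proxyWebsockets = true;
      # Derived from pdsLocalPort so the proxy target cannot drift from the
      # published container port.
      proxyPass = "http://127.0.0.1:${toString pdsLocalPort}";
    };

    # NOTE(review): the `json_combined` log format is not defined in this
    # file; nginx fails to start if it is missing — confirm it is declared
    # in the shared nginx configuration.
    extraConfig = ''
      access_log /var/log/nginx/pds.access.log json_combined;
    '';
  };
}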