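{ config, pkgs, auxiliaryPkgs, ... }:

# Runs a Bluesky PDS (personal data server) as an OCI container behind nginx.
#
# Traffic path: TLS terminates in nginx (cert for pds.rnrd.eu and the
# *.pds.rnrd.eu user handles), which proxies to the container on a loopback
# port. Secrets (signing keys, admin password, ...) come from agenix and are
# injected via an environment file rather than being written into the Nix
# store.
let
  inherit (pkgs) dockerTools glibc;
  inherit (auxiliaryPkgs) common;
  inherit (auxiliaryPkgs.bluesky) pds pdsadmin;

  inherit (config.age) secrets;

  # Host-side port the container is published on; nginx is the only intended
  # client. NOTE(review): whether `foundation.services.<name>.ports` binds this
  # to 127.0.0.1 or to all interfaces is decided by that module, not here —
  # if it is 0.0.0.0, the PDS is reachable over plain HTTP, bypassing nginx
  # and TLS. Confirm the module binds loopback (or firewall the port).
  pdsLocalPort = 16419;
  # Host directory holding the PDS SQLite databases and blob store.
  pdsDir = "/srv/pds";

  # Single source of truth for the maximum blob upload size (bytes). It is
  # handed to the PDS as PDS_BLOB_UPLOAD_LIMIT and to nginx as
  # client_max_body_size so the reverse proxy never rejects an upload the
  # PDS itself would accept.
  pdsBlobUploadLimit = 52428800; # 50 MiB

  pdsImage = dockerTools.streamLayeredImage {
    name = "pds";
    tag = pds.version;
    fromImage = common.alpine.base;
    contents = [ pds pdsadmin glibc ];
    # This convinces `detect-libc`, which is used by `sharp` to pick the
    # correct prebuilt binary artifact, that we're running on glibc rather
    # than musl, so it chooses the right one.
    extraCommands = ''
      mkdir -p usr/bin
      ln -s ${glibc.bin}/bin/ldd usr/bin/ldd
    '';
  };

in
{
  age.secrets = {
    # Environment file with the PDS secrets (consumed via environmentFiles).
    pds-secrets.file = ../secrets/pds-secrets.age;
    # Cloudflare API token used for the ACME DNS-01 challenge below.
    cloudflare-dns.file = ../secrets/cloudflare-dns.age;
  };

  foundation.services.pds = {
    image = pdsImage;
    # [host port, container port]; the PDS listens on PDS_PORT inside.
    ports = [ [ pdsLocalPort 3000 ] ];

    volumes = [
      [ "${pdsDir}" "/pds" ]
    ];

    # Non-secret PDS configuration. Anything sensitive belongs in the
    # environment file, not here: these values are world-readable in the
    # Nix store.
    environment = {
      PDS_PORT = "3000";
      PDS_HOSTNAME = "pds.rnrd.eu";

      PDS_DATA_DIRECTORY = "/pds";
      PDS_BLOBSTORE_DISK_LOCATION = "/pds/blocks";
      PDS_BLOB_UPLOAD_LIMIT = toString pdsBlobUploadLimit;

      PDS_DID_PLC_URL = "https://plc.directory";
      PDS_BSKY_APP_VIEW_URL = "https://api.bsky.app";
      PDS_BSKY_APP_VIEW_DID = "did:web:api.bsky.app";
      PDS_REPORT_SERVICE_URL = "https://mod.bsky.app";
      PDS_REPORT_SERVICE_DID = "did:plc:ar7c4by46qjdydhdevvrndac";
      PDS_CRAWLERS = "https://bsky.network";

      LOG_ENABLED = "true";
    };

    # Secrets are loaded from the decrypted agenix file at container start.
    # NOTE(review): values from an env file still end up in the container's
    # process environment (and are typically visible via the runtime's
    # inspect/metadata interface to anyone who can talk to the daemon);
    # that is acceptable only if access to the container runtime is limited
    # to root — verify for the runtime `foundation.services` uses.
    environmentFiles = [ secrets.pds-secrets.path ];

    workdir = "/pds";
    entrypoint = "${pds}/bin/pds";
  };

  # Wildcard certificate so every user handle (<handle>.pds.rnrd.eu) is
  # served with a valid cert; a wildcard requires the DNS-01 challenge,
  # hence the Cloudflare token. The nginx group needs read access to the
  # key material.
  security.acme.certs."pds.rnrd.eu" = {
    group = "nginx";
    domain = "*.pds.rnrd.eu";
    extraDomainNames = [ "pds.rnrd.eu" ];
    dnsProvider = "cloudflare";
    credentialFiles = {
      CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
    };
  };

  services.nginx.virtualHosts."pds.rnrd.eu" = {
    serverAliases = [ "*.pds.rnrd.eu" ];
    # Redirect plain HTTP to HTTPS; never serve the PDS API unencrypted.
    forceSSL = true;
    useACMEHost = "pds.rnrd.eu";

    locations."/" = {
      # The firehose (com.atproto.sync.subscribeRepos) is a WebSocket, so
      # the Upgrade/Connection headers must be forwarded.
      proxyWebsockets = true;
      proxyPass = "http://127.0.0.1:${toString pdsLocalPort}";
    };

    # `json_combined` must be defined as a log_format elsewhere in the nginx
    # config (not visible in this file).
    #
    # client_max_body_size: nginx's default body limit is far below the PDS
    # blob upload limit, so without this blob uploads above that default
    # would be rejected by the proxy with 413 before reaching the PDS.
    extraConfig = ''
      access_log /var/log/nginx/pds.access.log json_combined;
      client_max_body_size ${toString pdsBlobUploadLimit};
    '';
  };
}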