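# NixOS module for a Bluesky PDS: builds a layered image containing `pds` and
# `pdsadmin`, runs it through the project's `foundation.services` abstraction,
# and exposes it via an nginx virtual host using an ACME wildcard certificate.
{ config, pkgs, auxiliaryPkgs, ... }:
let
  inherit (pkgs) dockerTools glibc;
  inherit (auxiliaryPkgs) common;
  inherit (auxiliaryPkgs.bluesky) pds pdsadmin;
  inherit (config.age) secrets;

  # Host-side port nginx proxies to, and the port the PDS listens on inside the
  # container. Both are defined once so the port mapping, PDS_PORT and the
  # nginx upstream cannot drift apart.
  pdsLocalPort = 16419;
  pdsContainerPort = 3000;

  # Host directory mounted at /pds in the container (data directory and blobs).
  pdsDir = "/srv/pds";

  pdsImage = dockerTools.streamLayeredImage {
    name = "pds";
    tag = pds.version;
    fromImage = common.alpine.base;
    contents = [ pds pdsadmin glibc ];
    # This convinces `detect-libc`, which `sharp` uses to pick the correct
    # binary artifact, that we are running on glibc rather than musl.
    extraCommands = ''
      mkdir -p usr/bin
      ln -s ${glibc.bin}/bin/ldd usr/bin/ldd
    '';
  };
in
{
  # agenix-encrypted secrets; only the decrypted paths are referenced below.
  age.secrets = {
    pds-secrets.file = ../secrets/pds-secrets.age;
    cloudflare-dns.file = ../secrets/cloudflare-dns.age;
  };

  foundation.services.pds = {
    image = pdsImage;
    # NOTE(review): whether `foundation.services` publishes the host port on
    # loopback only or on all interfaces is not visible in this file. nginx
    # reaches the PDS on 127.0.0.1, so loopback-only is sufficient; if the port
    # is published on every interface the PDS is reachable over plain HTTP
    # without passing through the TLS virtual host. Confirm in the module or
    # with a firewall rule.
    ports = [ [ pdsLocalPort pdsContainerPort ] ];
    volumes = [
      [ pdsDir "/pds" ]
    ];
    environment = {
      PDS_PORT = toString pdsContainerPort;
      PDS_HOSTNAME = "pds.rnrd.eu";
      PDS_DATA_DIRECTORY = "/pds";
      PDS_BLOBSTORE_DISK_LOCATION = "/pds/blocks";
      # 50 * 1024 * 1024. NOTE(review): the nginx request-body limit
      # (client_max_body_size) is not set in this file; if it is lower than
      # this value the proxy rejects larger uploads first. Confirm.
      PDS_BLOB_UPLOAD_LIMIT = "52428800";
      PDS_DID_PLC_URL = "https://plc.directory";
      PDS_BSKY_APP_VIEW_URL = "https://api.bsky.app";
      PDS_BSKY_APP_VIEW_DID = "did:web:api.bsky.app";
      PDS_REPORT_SERVICE_URL = "https://mod.bsky.app";
      PDS_REPORT_SERVICE_DID = "did:plc:ar7c4by46qjdydhdevvrndac";
      PDS_CRAWLERS = "https://bsky.network";
      LOG_ENABLED = "true";
    };
    # Secret settings come from the agenix-decrypted file instead of the
    # plain-text `environment` set above. Its contents are not visible here.
    environmentFiles = [ secrets.pds-secrets.path ];
    workdir = "/pds";
    entrypoint = "${pds}/bin/pds";
  };

  # A wildcard name can only be validated with a DNS-01 challenge, hence the
  # Cloudflare DNS provider.
  # NOTE(review): the API token's scope is not visible here; it should be
  # limited to DNS edits on this one zone, since anyone holding it can obtain
  # certificates for the domain.
  security.acme.certs."pds.rnrd.eu" = {
    domain = "*.pds.rnrd.eu";
    extraDomainNames = [ "pds.rnrd.eu" ];
    dnsProvider = "cloudflare";
    credentialFiles = {
      CLOUDFLARE_DNS_API_TOKEN_FILE = secrets.cloudflare-dns.path;
    };
  };

  # TLS-terminating reverse proxy for the apex host and every subdomain
  # (presumably because PDS handles are served as subdomains; verify).
  services.nginx.virtualHosts."pds.rnrd.eu" = {
    serverAliases = [ "*.pds.rnrd.eu" ];
    forceSSL = true;
    useACMEHost = "pds.rnrd.eu";
    locations."/" = {
      proxyWebsockets = true;
      # Derived from pdsLocalPort so it always matches the port mapping above.
      proxyPass = "http://127.0.0.1:${toString pdsLocalPort}";
    };
    # `json_combined` is not defined in this file; it must be declared as a
    # log_format elsewhere in the nginx configuration.
    extraConfig = ''
      access_log /var/log/nginx/pds.access.log json_combined;
    '';
  };
}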