diff --git a/hosts/koi/configuration.nix b/hosts/koi/configuration.nix
index 1461b55..694fd0b 100755
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@@ -21,6 +21,7 @@
     ./containers/torrent.nix
     ./containers/puffer.nix
     ./containers/sharkey
+    ./containers/pds
     ./vms/hass.nix
     # ./vms/windows.nix
   ];
diff --git a/hosts/koi/containers/pds/default.nix b/hosts/koi/containers/pds/default.nix
new file mode 100644
index 0000000..bfdaaa2
--- /dev/null
+++ b/hosts/koi/containers/pds/default.nix
@@ -0,0 +1,39 @@
+{ abs, config, pkgs, ... }@inputs:
+
+
+let
+  secrets = import (abs "lib/secrets.nix");
+in {
+  imports = [
+    (secrets.declare [
+      "bluesky-pds-secrets"
+    ])
+    ((import (abs "lib/containers.nix") inputs).mkDockerComposeContainer {
+      directory = ./.;
+      envFiles = [
+        # PDS_JWT_SECRET, PDS_ADMIN_PASSWORD, PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX, PDS_EMAIL_SMTP_URL
+        (secrets.file config "bluesky-pds-secrets")
+      ];
+    })
+  ];
+
+  systemd.tmpfiles.rules = [
+    "d /mnt/puffer/bluesky-pds 0777 root root -"
+    "d /srv/bluesky-pds/data 0777 root root -"
+  ];
+
+  services.nginx.virtualHosts."pds.stupid.fish" = {
+    forceSSL = true;
+    useACMEHost = "stupid.fish";
+    http2 = true;
+
+    extraConfig = ''
+      client_max_body_size 250M;
+    '';
+
+    locations."/" = {
+      proxyPass = "http://pds.pds.docker:3000/";
+      proxyWebsockets = true;
+    };
+  };
+}
diff --git a/hosts/koi/containers/pds/docker-compose.yaml b/hosts/koi/containers/pds/docker-compose.yaml
new file mode 100644
index 0000000..d23dd37
--- /dev/null
+++ b/hosts/koi/containers/pds/docker-compose.yaml
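Review bot: The tmpfiles rules `"d /mnt/puffer/bluesky-pds 0777 root root -"` and `"d /srv/bluesky-pds/data 0777 root root -"` create the directory mounted as PDS_DATA_DIRECTORY and the blobstore as world-writable, so any local user or any other container with a host bind can read, replace or delete the PDS state. The wide mode is presumably a workaround for the container process not running as root; the usual fix is to own the directories by the uid/gid the pds image runs as and tighten the mode, e.g. `"d /srv/bluesky-pds/data 0750 <PDS_UID> <PDS_GID> -"` (the image's uid is not visible in this diff, so confirm it first). If 0777 has to stay, a one-line comment above the rules saying why would help the next reader.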
@@ -0,0 +1,31 @@
+version: "3"
+
+services:
+  pds:
+    image: ghcr.io/bluesky-social/pds:sha-5cd5289d470ab6e8ab3fe5b1c1698ed26dbeb4b4
+    restart: unless-stopped
+    environment:
+      - PDS_HOSTNAME=pds.stupid.fish
+      - PDS_DATA_DIRECTORY=/pds
+      - PDS_BLOBSTORE_DISK_LOCATION=/blobstore
+      - PDS_DID_PLC_URL=https://plc.directory
+      - PDS_BSKY_APP_VIEW_URL=https://api.bsky.app
+      - PDS_BSKY_APP_VIEW_DID=did:web:api.bsky.app
+      - PDS_REPORT_SERVICE_URL=https://mod.bsky.app
+      - PDS_REPORT_SERVICE_DID=did:plc:ar7c4by46qjdydhdevvrndac
+      - PDS_CRAWLERS=https://bsky.network
+      - LOG_ENABLED=true
+      - PDS_EMAIL_FROM_ADDRESS=alina@tei.su
+      - PDS_INVITE_REQUIRED=true
+      # forward secret variables
+      - PDS_JWT_SECRET=$PDS_JWT_SECRET
+      - PDS_ADMIN_PASSWORD=$PDS_ADMIN_PASSWORD
+      - PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=$PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX
+      - PDS_EMAIL_SMTP_URL=$PDS_EMAIL_SMTP_URL
+    volumes:
+      - type: bind
+        source: /srv/bluesky-pds/data
+        target: /pds
+      - type: bind
+        source: /mnt/puffer/bluesky-pds
+        target: /blobstore
diff --git a/hosts/koi/services/landing/assets/.well-known/assetlinks.json b/hosts/koi/services/landing/assets/.well-known/assetlinks.json
new file mode 100644
index 0000000..bc38d93
--- /dev/null
+++ b/hosts/koi/services/landing/assets/.well-known/assetlinks.json
@@ -0,0 +1,9 @@
+[{
+  "relation": ["delegate_permission/common.handle_all_urls"],
+  "target": {
+    "namespace": "android_app",
+    "package_name": "fish.stupid.twa",
+    "sha256_cert_fingerprints":
+    ["6B:39:DC:A2:51:76:4C:57:BF:6F:A0:CD:47:D9:F8:23:49:1B:25:E5:DE:5B:BE:7D:BB:CD:F5:A7:91:4A:AA:DD"]
+  }
+  }]
\ No newline at end of file
diff --git a/hosts/koi/services/landing/assets/lol.jpg b/hosts/koi/services/landing/assets/lol.jpg
new file mode 100644
index 0000000..ce88827
Binary files /dev/null and b/hosts/koi/services/landing/assets/lol.jpg differ
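Review bot: The image is pinned to the tag `sha-5cd5289d470ab6e8ab3fe5b1c1698ed26dbeb4b4` rather than a content digest, and a tag is mutable, so whoever can push to the registry can change what `docker compose up` pulls without any change in this repository. Pinning by digest as well, `image: ghcr.io/bluesky-social/pds:sha-5cd5289d470ab6e8ab3fe5b1c1698ed26dbeb4b4@sha256:<IMAGE_DIGEST>`, makes the pull reproducible and fails loudly if the tag is swapped. Separately, forwarding the four secrets through `environment:` interpolation means they are visible in `docker inspect` and resolved `docker compose config` output to anyone with docker-socket access; that is inherent to how the image reads them, so it is only worth a line in the `# forward secret variables` comment.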
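Review bot: Style: the closing `}]` is indented two spaces while the opening `[{` sits at column 0, and the file ends without a newline (`\ No newline at end of file`), which will show up as noise in every later diff of this file. Putting `}]` at column 0 and adding a final newline matches the indentation of the `"target"` object above it.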
diff --git a/hosts/koi/services/landing/assets/manifest.json b/hosts/koi/services/landing/assets/manifest.json
new file mode 100644
index 0000000..c2d126f
--- /dev/null
+++ b/hosts/koi/services/landing/assets/manifest.json
@@ -0,0 +1,8 @@
+{
+  "name": "fish",
+  "short_name": "fish",
+  "start_url": ".",
+  "display": "standalone",
+  "background_color": "#000",
+  "description": "fish stupid"
+}
\ No newline at end of file
diff --git a/lib/containers.nix b/lib/containers.nix
index c91670e..775e1c1 100644
--- a/lib/containers.nix
+++ b/lib/containers.nix
@@ -69,12 +69,25 @@ in
     # every time we change anything at all
     storeDir = trivial.storeDirectory directory;
-    cmdline = [
-      "--build"
-      "--remove-orphans"
-    ] ++ map (env: "--env-file ${env}") envFiles
-      ++ map (name: "-e ${name}=${lib.escapeShellArg env.${name}}") (builtins.attrNames env)
-      ++ extraFlags;
+    inlineEnvNames = builtins.attrNames env;
+    inlineEnvDrv = lib.optionals (builtins.length inlineEnvNames != 0) [
+      (pkgs.writeText "${name}.env" (
+        builtins.concatStringsSep "\n" (
+          map (name: "${name}=${builtins.toJSON env.${name}}") inlineEnvNames
+        )
+      ))
+    ];
+    allEnvFiles = envFiles ++ inlineEnvDrv;
+
+    cmdline = builtins.concatStringsSep " " (
+      [
+        "--build"
+        "--remove-orphans"
+      ] ++ extraFlags
+    );
+    cmdlineBeforeUp = builtins.concatStringsSep " " (
+      map (env: "--env-file ${lib.escapeShellArg env}") allEnvFiles
+    );
   in {
     systemd.services."docker-compose-${name}" = {
@@ -82,7 +95,7 @@ in
       after = [ "docker.service" "docker.socket" ];
       serviceConfig = {
         WorkingDirectory = storeDir;
-        ExecStart = "${pkgs.docker}/bin/docker compose up ${builtins.concatStringsSep " " cmdline}";
+        ExecStart = "${pkgs.docker}/bin/docker compose ${cmdlineBeforeUp} up ${cmdline}";
         ExecStopPost = "${pkgs.docker}/bin/docker compose down";
       } // (extraConfig.serviceConfig or { });
     } // (builtins.removeAttrs extraConfig [ "serviceConfig" ]);
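Review bot: The manifest declares no `icons`, and together with the sibling `assetlinks.json` it looks like it is meant to back an installable/standalone wrapper, which commonly requires at least one icon entry before the install path works; that use is inferred from the neighbouring files, so confirm against whatever consumes the manifest. If so, add e.g. `"icons": [{ "src": "<ICON_PATH>", "sizes": "512x512", "type": "image/png" }]`, and end the file with a newline so the `\ No newline at end of file` marker stops appearing in diffs.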
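Review bot: Values from `env` are now written into the Nix store by `pkgs.writeText "${name}.env"`, which is world-readable on the host, so anything secret placed in `env` is exposed to every local user; the old `-e` flags baked into ExecStart had the same property, but this helper is the natural place to say so, e.g. `# NOTE: env values land in the world-readable store; pass secrets via envFiles` above `inlineEnvDrv`. The values are now serialised with `builtins.toJSON` where the old code used `lib.escapeShellArg`, and compose's env-file parser applies variable interpolation inside double-quoted values, so a value containing `$` would presumably now be expanded rather than passed literally (worth a test), while a non-string value such as a list yields JSON the parser does not understand. The lambda in `map (name: "${name}=${builtins.toJSON env.${name}}") inlineEnvNames` shadows the outer `name` used two lines above for the file name; renaming the parameter to `var` removes the double meaning. `extraFlags` are joined into `cmdline` unescaped while the env-file paths go through `lib.escapeShellArg`; that is fine if callers pass pre-formed flags, but a comment stating that contract would avoid surprises. The enclosing `let` starts above this hunk.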
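Review bot: `ExecStopPost` still runs plain `docker compose down` while `ExecStart` now passes `${cmdlineBeforeUp}`, so on shutdown the compose file is parsed without the env files; any `$VAR` it references (the new pds compose file has four) is then unset, which compose reports as warnings and may resolve to a project configuration that differs from the one brought up. Passing the same flags keeps both commands consistent: `ExecStopPost = "${pkgs.docker}/bin/docker compose ${cmdlineBeforeUp} down";`. The service definition continues outside the hunk.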
diff --git a/secrets/bluesky-pds-secrets.age b/secrets/bluesky-pds-secrets.age new file mode 100644 index 0000000..0a235c5 --- /dev/null +++ b/secrets/bluesky-pds-secrets.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 sj88Xw PLt6rtLAJNLP3FnCB2zaOxiHk7kQqKeyjNQTr07Vohw +OrZCrZ6W8aYOQvHPNRWypZRufnmdzS0Slu9fAdq5Mf8 +--- 5LwMDjPXQJH0JYAhmjCnNtpd+R/mMIU4n7Tvyin2eNg +V y|\=ga8{%<ҾH+KF@%H1%"3GSא 3QnK~ޅSL=n%$c_uS|MC85IW@j+foCDXC\K6X+So-4tClF=W4yQ#ֶ q]`0R0l醖[ZPLΔ)[/[Ip7/>l' 9v>ҷa s'%AEi:SNJC&)ϴ^(.]cXc \ No newline at end of file