From 0a76bb3e78890a4069ce9f595e7057bcf6827996 Mon Sep 17 00:00:00 2001
From: Skyler Grey
Date: Sun, 21 Sep 2025 14:52:10 +0000
Subject: [PATCH] feat(teal): add PDS
Change-Id: ynxomyxnwrpvoswnzpxvtvmzonlztskw
We'd like to move off bluesky's PDS, and the obvious candidate is to set up our own... ...we've chosen to have our handles *.at.freshlybakedca.ke because they are technically publicly visible - although we expect to be using custom domains for most/all accounts on this PDS ...we've chosen to have the pds at pds.freshly.space because, like files.freshly.space, while *technically* publicly usable (file shares or accessing our bsky accounts), it is only going to host accounts of friends and patissiers of freshlybakedca.ke. There is no process to get an account on our PDS as a general member of the public. It also isn't generally particularly visible in public UIs. (This criteria also means that spindle.freshlybakedca.ke should be at spindle.freshly.space, which we will migrate in the future. Other than that everything we host meets this criteria) This is part of a series of atproto migration patches. Our plan so far is: - [x] Set up a tangled.org spindle - [x] Set up a PDS ^ You are here - [ ] Set up email for our PDS - [ ] Set up a tangled.org knot - [ ] Pull in upcoming external idp patches for PDS - [ ] Rename tangled.org spindle to spindle.freshly.space
---
 packetmix/systems/teal/pds.nix | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 packetmix/systems/teal/pds.nix
diff --git a/packetmix/systems/teal/pds.nix b/packetmix/systems/teal/pds.nix
new file mode 100644
index 00000000..1b604253
--- /dev/null
+++ b/packetmix/systems/teal/pds.nix
@@ -0,0 +1,33 @@
+# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+#
+# SPDX-License-Identifier: MIT
+
+{
+ services.pds = {
+ enable = true;
+ settings = {
+ PDS_HOSTNAME = "pds.freshly.space";
+ PDS_PORT = 1033;
+ PDS_SERVICE_HANDLE_DOMAINS = ".at.freshlybakedca.ke";
+ };
+ environmentFiles = [
+ "/secrets/pds/environmentFile"
+ ];
+ };
+
+ services.nginx.virtualHosts."pds.freshly.space" = {
+ addSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+
+ serverAliases = [ "*.at.freshlybakedca.ke" ];
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:1033";
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ };
+ };
+
+ clicks.storage.impermanence.persist.directories = [ "/var/lib/pds" ];
+}
-- 
2.43.0
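Review bot: `addSSL = true;` on the `pds.freshly.space` virtual host keeps the plain-HTTP listener serving the proxied PDS alongside HTTPS, so a client that reaches it over `http://` sends account passwords and session tokens in cleartext. Use `forceSSL = true;` instead so that port 80 only redirects to HTTPS. `acmeRoot = null;` suggests certificates are issued by DNS validation rather than a webroot, in which case the redirect should not affect issuance. The wildcard alias `*.at.freshlybakedca.ke` depends on that same ACME configuration, which is not in this file, so confirm the issued certificate actually lists the wildcard name. It would also help to add a comment above `environmentFiles` saying which secrets `/secrets/pds/environmentFile` must define and that it should be readable only by root and the service, for example `# PDS secrets (see upstream PDS docs); keep mode 0400, never in the Nix store`.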