
add bluesky pds

+127 -4
+13
.sops.yaml
··· 1 + keys: 2 + - &admin_bates64 age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2 3 + - &server_kuribo age1dhxleu7puseq4fz5gprzdssprdd452kjry2n47xaqfh22p5eyqfs68zysl 4 + creation_rules: 5 + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ 6 + key_groups: 7 + - age: 8 + - *admin_bates64 9 + - path_regex: secrets/kuribo/[^/]+\.(yaml|json|env|ini)$ 10 + key_groups: 11 + - age: 12 + - *admin_bates64 13 + - *server_kuribo
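Review bot: The two `creation_rules` carry no comment explaining the split, and the ordering only works because `[^/]+` cannot match a slash — sops applies the first matching rule, so if the first regex ever matched `secrets/kuribo/pds.env` the file would be encrypted to the operator key alone and the host could never decrypt it. A comment above each rule, e.g. `# operator-only: files directly under secrets/` and `# host secrets: encrypted to the operator and to kuribo's host key`, would make that intent explicit for the next person adding a rule. Anchoring both regexes with a leading `^` would also keep them from matching unexpected nested paths such as `other/secrets/x.yaml`, though nothing on the page shows such a path today.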
+22 -1
flake.lock
··· 18 18 }, 19 19 "root": { 20 20 "inputs": { 21 - "nixpkgs": "nixpkgs" 21 + "nixpkgs": "nixpkgs", 22 + "sops-nix": "sops-nix" 23 + } 24 + }, 25 + "sops-nix": { 26 + "inputs": { 27 + "nixpkgs": [ 28 + "nixpkgs" 29 + ] 30 + }, 31 + "locked": { 32 + "lastModified": 1764483358, 33 + "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=", 34 + "owner": "Mic92", 35 + "repo": "sops-nix", 36 + "rev": "5aca6ff67264321d47856a2ed183729271107c9c", 37 + "type": "github" 38 + }, 39 + "original": { 40 + "owner": "Mic92", 41 + "repo": "sops-nix", 42 + "type": "github" 22 43 } 23 44 } 24 45 },
+5 -3
flake.nix
··· 1 1 { 2 - description = "bates64"; 3 - 2 + description = "starhaven.dev infrastructure"; 4 3 inputs = { 5 4 nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; 5 + 6 + sops-nix.url = "github:Mic92/sops-nix"; 7 + sops-nix.inputs.nixpkgs.follows = "nixpkgs"; 6 8 }; 7 - 8 9 outputs = 9 10 inputs@{ nixpkgs, ... }: 10 11 { ··· 13 14 system = "aarch64-linux"; 14 15 modules = [ 15 16 ./servers/kuribo/configuration.nix 17 + inputs.sops-nix.nixosModules.sops 16 18 ]; 17 19 }; 18 20 };
+13
secrets/kuribo/pds.env
··· 1 + PDS_JWT_SECRET=ENC[AES256_GCM,data:SwmU7j+3kfoCCQlZk/LAzytRoVSb7tgKI6tGdZKJThg=,iv:1WCvMVlPR4L7rO/YUmkobjHcXlSGlyIo80ir+GymdeQ=,tag:WbGeolX/pzSZ+LA8ueUygA==,type:str] 2 + PDS_ADMIN_PASSWORD=ENC[AES256_GCM,data:+U1Tw+rRcb9rPjZTsOZ9ZYdVeTRFjv8yhuSCCFIe+wQ=,iv:TLJ+HJ8hDXcaZ/9qtSonnOE1oz4JngxuXJLjXpqdDwU=,tag:W7Hi9XMXUMUZAimnAc6uJQ==,type:str] 3 + PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=ENC[AES256_GCM,data:thNijhgsq106+SJVnoseWu1S8SU2AB8Z5EqjKUzMBm+29FB146dmqPOphXL5yBPDuj0gjzFvfu4W7BOAKcx7fA==,iv:zcmhJopT8WHN2GfhDGO1oYp/NeyPpXeNrg6AVmDYMGk=,tag:JLcO4aVuKMVgRU6pirks+A==,type:str] 4 + PDS_EMAIL_SMTP_URL=ENC[AES256_GCM,data:ltLt4Q7CaIL4swhDA2pBcMRR2gaMGcYw/7E7JtU4bMotEXrEO19V5ySomjbdFs3ImFzMtVVNY0am9R5Q40TZq85r6zDsoGv6,iv:Kh10CNUhkzqj5PROyFgGme0KUspZL/epxiQf2Ej0G6Y=,tag:noT7j38nip6OLbnwr8AWDQ==,type:str] 5 + PDS_EMAIL_FROM_ADDRESS=ENC[AES256_GCM,data:VxEX3on/7jQ/SXmr53bvFzd3O/xu,iv:yehoA4hxkJ6UOjv625834otS1Es4uKtarjZjKFk2sJI=,tag:XaplSBikfq97mLTq+XyOrQ==,type:str] 6 + sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkenRnNWFlMzBIOTJsclYw\nSkw3ZW9pa0NRejRQd1FmOENTaE54UU4rcHkwCjFBSXljeTdQeGhXZDZrWS9JUkx0\nUXpxWUVKZTdGWjVLT1FRUmloMXhNdWcKLS0tIEhERVFJNU5pSU00b3MxUHB1Y280\nWTFiaTh0YXJyUXFKNGNrOE84elRONVUK20OPeWSZW2A9mTnEDfQmDc7n3jvUQhxb\nBatl6b0ismrkTWcRJK8nxImcvxBtMMCLfzK5Wt/9gBLJ6VDT6UPYFg==\n-----END AGE ENCRYPTED FILE-----\n 7 + sops_age__list_0__map_recipient=age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2 8 + sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4OVBaMzZ3UGd1R25SczNN\nd3R6bzVGTkN0SWpjb05wankvb2tpNTJvZlR3CjhwYUdHaTJ6Y1VPSTltOHhNbWdL\ncGs3OEJqaFljUFRhUVNncm13RFdETTgKLS0tIG1Mb1ZXQ3BpejdteWFkWUFyOGJu\ndFpyWkNiK2hoNlROd09xTzVueFdSUmcKDrIcoDDH2O/c9dyS/oLL0rudsrsmtOhJ\n55QagSzYouGlJbpl2xtBeUplg1WcEBX7FSW3UWFbz+Gc0/Rv76jRCA==\n-----END AGE ENCRYPTED FILE-----\n 9 + 
sops_age__list_1__map_recipient=age1dhxleu7puseq4fz5gprzdssprdd452kjry2n47xaqfh22p5eyqfs68zysl 10 + sops_lastmodified=2025-12-01T18:49:36Z 11 + sops_mac=ENC[AES256_GCM,data:tSPG0g8XpTu0IJ8GQKIUczVlreLbZ/VFncomwSVzFEIXloJ6QQsX2hobyFCW4RwovQoZnVfO4uL8Ku/SIjsLIMCejLiGXAa4r0VDDZtxhnaX7tPBecG7gE3Ke15V4bT6B9uxB7TGhJYTsTlq/tb8D7UZG2+yWudFry8ArJRFxp0=,iv:9vxvakrxx8EmNBPSY1wnoV5cHx2/8GqGhNLYHyDj74w=,tag:5NeNRKenYykPj6b13bHFOg==,type:str] 12 + sops_unencrypted_suffix=_unencrypted 13 + sops_version=3.11.0
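Review bot: `PDS_EMAIL_FROM_ADDRESS` is, going by its name, a non-secret sender address, yet it is stored encrypted alongside the JWT secret and admin password, where it cannot be reviewed in plaintext or diffed meaningfully. It presumably belongs in `services.bluesky-pds.settings` next to `PDS_ADMIN_EMAIL` in pds.nix, leaving this file to hold only credentials. The rest of the file matches the `secrets/kuribo/` creation rule in .sops.yaml (both age recipients are present), which is what the host needs to decrypt it.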
+16
secrets/secrets.yaml
··· 1 + hello: ENC[AES256_GCM,data:Qu9O3bH7MKpraW17zQaBAw==,iv:aYX8MM/yFbyVQHqoUTn98fFDb78lywuQNvOaJoTlpMg=,tag:UTHsJ5KdogR8c9bW3m50/Q==,type:str] 2 + sops: 3 + age: 4 + - recipient: age1h08rnd0jeddf55l6l3rf6dlwwh7mngcxy92tyz0hfysjqx4wvgrq6vmah2 5 + enc: | 6 + -----BEGIN AGE ENCRYPTED FILE----- 7 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldFJveWZZeUh5Qytibkkv 8 + MTBqNnJTYnl2aVlzbHpnZUJIQ0xWZzBFNmhVCitoM3MyRXBBVUc2WHY4TUpmNmdn 9 + YmtiVkpJUVhNWXNRdDRJNFJtdkkwYWcKLS0tIHJpV3habGJxdStCc0MwcVFhSmxa 10 + cmFVYTN0bUlXQ29rOUZVaHRBblpJUE0KHLXin6XsfzIvqYMDRt+GW444X43Eh5Fe 11 + rMppR22DHSVdZ8+rJj+pKnYH9DSNc7QbUJwMoeiKBknFh/uXhPCXgg== 12 + -----END AGE ENCRYPTED FILE----- 13 + lastmodified: "2025-12-01T19:41:23Z" 14 + mac: ENC[AES256_GCM,data:DUVrnfELB9bpFlkpA1AajIsVYv1K7r0ur0hH1J3HwWLt4ezgHC6uCoFRlXzC/ysYGlVfn1Hu6WgFEZ75UJ3TzRsluCthZqcwHSGF4cgpD5b5YP2KsF/GoYDPdWhXT+eQ6bLnLCMzxtjstFVWRpkeD0eD9eHNk6Hg270pnS8c9S4=,iv:1FuAy0IT/bgRfUw7/TkPCypnfZNC5aM5qTv10hETBrw=,tag:VL0ema4HZaMvnld+YMNwXA==,type:str] 15 + unencrypted_suffix: _unencrypted 16 + version: 3.11.0
+4
servers/kuribo/configuration.nix
··· 4 4 ../../modules/auto-upgrade.nix 5 5 ../../modules/gc.nix 6 6 ../../users/users.nix 7 + ./pds.nix 7 8 ]; 8 9 9 10 networking.hostName = "kuribo"; ··· 20 21 }; 21 22 }; 22 23 services.fail2ban.enable = true; 24 + 25 + sops.defaultSopsFile = ./secrets/secrets.yaml; 26 + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; 23 27 24 28 programs.neovim = { 25 29 enable = true;
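Review bot: `sops.defaultSopsFile = ./secrets/secrets.yaml;` is relative to `servers/kuribo/`, so it resolves to `servers/kuribo/secrets/secrets.yaml`, while the file this commit adds lives at the repository root as `secrets/secrets.yaml`; `sops.defaultSopsFile = ../../secrets/secrets.yaml;` looks like what was intended. Even with the path fixed, that file is encrypted only to `admin_bates64` (its single age recipient, matching the admin-only creation rule in .sops.yaml), so the host key named in `sops.age.sshKeyPaths` cannot decrypt it. Nothing breaks yet because the only secret, `sops.secrets.pds`, sets its own `sopsFile`, but any future secret that relies on the default would fail at activation. Either point the default at a kuribo-scoped file under `secrets/kuribo/` or leave the option unset until one exists.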
+54
servers/kuribo/pds.nix
··· 1 + { config, ... }: 2 + let 3 + pdsSettings = config.services.bluesky-pds.settings; 4 + in 5 + { 6 + sops.secrets.pds = { 7 + sopsFile = ../../secrets/kuribo/pds.env; 8 + format = "dotenv"; 9 + owner = "pds"; 10 + group = "pds"; 11 + }; 12 + 13 + services.bluesky-pds = { 14 + enable = true; 15 + environmentFiles = [ config.sops.secrets.pds.path ]; 16 + settings = { 17 + PDS_PORT = 3000; 18 + PDS_HOSTNAME = "pds.starhaven.dev"; 19 + PDS_ADMIN_EMAIL = "admin@starhaven.dev"; 20 + }; 21 + }; 22 + 23 + services.caddy = { 24 + enable = true; 25 + email = pdsSettings.PDS_ADMIN_EMAIL; 26 + globalConfig = '' 27 + on_demand_tls { 28 + ask http://127.0.0.1:${toString pdsSettings.PDS_PORT}/tls-check 29 + } 30 + ''; 31 + virtualHosts.${pdsSettings.PDS_HOSTNAME} = { 32 + serverAliases = [ "*.${pdsSettings.PDS_HOSTNAME}" ]; 33 + extraConfig = '' 34 + tls { 35 + on_demand 36 + } 37 + 38 + reverse_proxy http://127.0.0.1:${toString pdsSettings.PDS_PORT} 39 + 40 + handle /xrpc/app.bsky.unspecced.getAgeAssuranceState { 41 + header content-type "application/json" 42 + header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy" 43 + header access-control-allow-origin "*" 44 + respond `{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured"}` 200 45 + } 46 + ''; 47 + }; 48 + }; 49 + 50 + networking.firewall.allowedTCPPorts = [ 51 + 80 52 + 443 53 + ]; 54 + }
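Review bot: The `handle /xrpc/app.bsky.unspecced.getAgeAssuranceState` block answers every caller with a fixed `"status":"assured"` body and a hard-coded `lastInitiatedAt`, never forwarding the request to the PDS, and nothing says why; a reader cannot tell whether this is a deliberate workaround or a leftover. A comment above it such as `# Stub: answer the age-assurance probe locally instead of forwarding it to the PDS; revisit once the PDS serves this XRPC itself` would record the intent, and should also state that Caddy orders `handle` before `reverse_proxy` regardless of textual position, which is why this block wins over the proxy line above it. Separately, `owner = "pds"` on the sops secret presumes the bluesky-pds module creates a static `pds` user; if the unit runs with DynamicUser instead, sops-nix's ownership step would fail at activation — worth confirming against the module. The `PDS_EMAIL_FROM_ADDRESS` value kept in the encrypted env file presumably belongs in `settings` next to `PDS_ADMIN_EMAIL`, since it does not appear to be a secret.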