diff --git a/services/default.nix b/services/default.nix
index 98f75f9..f7b3cf8 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -15,7 +15,7 @@
 ./unpackerr.nix
 ./qbittorrent.nix
 ./grafana.nix
- ./pds
+ ./pds.nix
 ./gonic.nix
 ./youtuee.nix
 ./confess.nix
diff --git a/services/pds/default.nix b/services/pds.nix
similarity index 84%
rename from services/pds/default.nix
rename to services/pds.nix
index 8419fde..c9309b1 100644
--- a/services/pds/default.nix
+++ b/services/pds.nix
@@ -1,14 +1,8 @@
-{ pkgs, config, inputs, ... }: { - imports = [ - ./module.nix - ]; - +{ config, inputs, ... }: { services = { pds = { enable = true; - package = pkgs.callPackage ./pkg/pds { }; - # https://github.com/NixOS/nixpkgs/pull/350645 Enable when pds merged - # pdsadmin.enable = true; + pdsadmin.enable = true; environmentFiles = [ "/etc/secrets/bluesky.env"
diff --git a/services/pds/module.nix b/services/pds/module.nix
deleted file mode 100644
index f01eccd..0000000
--- a/services/pds/module.nix
+++ /dev/null
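Review bot: The rewritten header of the services/pds.nix hunk now depends on `services.pds` being supplied by a module outside this file, but nothing in the hunk records which one — `inputs` is still taken as an argument, so it is presumably a flake input rather than plain nixpkgs — and the removed `package = pkgs.callPackage ./pkg/pds { };` line was the only thing pinning the server version (the deleted derivation fixed 0.4.74 with a source hash). A one-line comment above `enable = true;` such as `# services.pds/pdsadmin come from <MODULE SOURCE placeholder>; the locally pinned 0.4.74 package was dropped in favour of the module default` would tell the next reader which input now controls the PDS version and that upgrades arrive through that input's lock rather than an explicit bump here. The same applies to `pdsadmin.enable = true;`, which the old vendored module did not provide and which now only works if that external module defines the option. The enclosing attribute set continues past the end of the hunk.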
@@ -1,202 +0,0 @@ -{ lib -, pkgs -, config -, ... -}: -let - cfg = config.services.pds; - - inherit (lib) - getExe - mkEnableOption - mkIf - mkOption - mkPackageOption - types - ; -in -# All defaults are from https://github.com/bluesky-social/pds/blob/8b9fc24cec5f30066b0d0b86d2b0ba3d66c2b532/installer.sh -{ - options.services.pds = { - enable = mkEnableOption "pds"; - - package = mkPackageOption pkgs "pds" { }; - - settings = mkOption { - type = types.submodule { - freeformType = types.attrsOf ( - types.oneOf [ - (types.nullOr types.str) - types.port - ] - ); - options = { - PDS_PORT = mkOption { - type = types.port; - default = 3000; - description = "Port to listen on"; - }; - - PDS_HOSTNAME = mkOption { - type = types.str; - example = "pds.example.com"; - description = "Instance hostname (base domain name)"; - }; - - PDS_BLOB_UPLOAD_LIMIT = mkOption { - type = types.str; - default = "52428800"; - description = "Size limit of uploaded blobs in bytes"; - }; - - PDS_DID_PLC_URL = mkOption { - type = types.str; - default = "https://plc.directory"; - description = "URL of DID PLC directory"; - }; - - PDS_BSKY_APP_VIEW_URL = mkOption { - type = types.str; - default = "https://api.bsky.app"; - description = "URL of bsky frontend"; - }; - - PDS_BSKY_APP_VIEW_DID = mkOption { - type = types.str; - default = "did:web:api.bsky.app"; - description = "DID of bsky frontend"; - }; - - PDS_REPORT_SERVICE_URL = mkOption { - type = types.str; - default = "https://mod.bsky.app"; - description = "URL of mod service"; - }; - - PDS_REPORT_SERVICE_DID = mkOption { - type = types.str; - default = "did:plc:ar7c4by46qjdydhdevvrndac"; - description = "DID of mod service"; - }; - - PDS_CRAWLERS = mkOption { - type = types.str; - default = "https://bsky.network"; - description = "URL of crawlers"; - }; - - PDS_DATA_DIRECTORY = mkOption { - type = types.str; - default = "/var/lib/pds"; - description = "Directory to store state"; - }; - - PDS_BLOBSTORE_DISK_LOCATION = mkOption { - type = 
types.nullOr types.str; - default = "/var/lib/pds/blocks"; - description = "Store blobs at this location, set to null to use e.g. S3"; - }; - - LOG_ENABLED = mkOption { - type = types.nullOr types.str; - default = "true"; - description = "Enable logging"; - }; - }; - }; - - description = '' - Environment variables to set for the service. Secrets should be - specified using {option}`environmentFile`. - - Refer to for available environment variables. - ''; - }; - - environmentFiles = mkOption { - type = types.listOf types.path; - default = [ ]; - description = '' - File to load environment variables from. Loaded variables override - values set in {option}`environment`. - - Use it to set values of `PDS_JWT_SECRET`, `PDS_ADMIN_PASSWORD`, - and `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX` secrets. - `PDS_JWT_SECRET` and `PDS_ADMIN_PASSWORD` can be generated with - ``` - openssl rand --hex 16 - ``` - `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX` can be generated with - ``` - openssl ecparam --name secp256k1 --genkey --noout --outform DER | tail --bytes=+8 | head --bytes=32 | xxd --plain --cols 32 - ``` - ''; - }; - }; - - config = mkIf cfg.enable { - systemd.services.pds = { - description = "pds"; - - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - ExecStart = getExe cfg.package; - Environment = lib.mapAttrsToList (k: v: "${k}=${if builtins.isInt v then toString v else v}") ( - lib.filterAttrs (_: v: v != null) cfg.settings - ); - - EnvironmentFile = cfg.environmentFiles; - User = "pds"; - Group = "pds"; - StateDirectory = "pds"; - StateDirectoryMode = "0755"; - Restart = "always"; - - # Hardening - RemoveIPC = true; - CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ]; - NoNewPrivileges = true; - PrivateDevices = true; - ProtectClock = true; - ProtectKernelLogs = true; - ProtectControlGroups = true; - ProtectKernelModules = true; - PrivateMounts = true; - SystemCallArchitectures = [ 
"native" ]; - MemoryDenyWriteExecute = false; # required by V8 JIT - RestrictNamespaces = true; - RestrictSUIDSGID = true; - ProtectHostname = true; - LockPersonality = true; - ProtectKernelTunables = true; - RestrictAddressFamilies = [ - "AF_UNIX" - "AF_INET" - "AF_INET6" - ]; - RestrictRealtime = true; - DeviceAllow = [ "" ]; - ProtectSystem = "strict"; - ProtectProc = "invisible"; - ProcSubset = "pid"; - ProtectHome = true; - PrivateUsers = true; - PrivateTmp = true; - UMask = "0077"; - }; - }; - - users = { - users.pds = { - group = "pds"; - isSystemUser = true; - }; - groups.pds = { }; - }; - }; - - meta.maintainers = with lib.maintainers; [ t4ccer ]; -} diff --git a/services/pds/pkg/pds/default.nix b/services/pds/pkg/pds/default.nix deleted file mode 100644 index 07fb106..0000000 --- a/services/pds/pkg/pds/default.nix +++ /dev/null 
@@ -1,92 +0,0 @@ -{ stdenv -, makeBinaryWrapper -, removeReferencesTo -, srcOnly -, python3 -, pnpm_9 -, fetchFromGitHub -, nodejs -, vips -, pkg-config -, lib -, -}: - -let - nodeSources = srcOnly nodejs; - pythonEnv = python3.withPackages (p: [ p.setuptools ]); -in - -stdenv.mkDerivation (finalAttrs: { - pname = "pds"; - version = "0.4.74"; - - src = fetchFromGitHub { - owner = "bluesky-social"; - repo = "pds"; - rev = "v${finalAttrs.version}"; - hash = "sha256-kNHsQ6funmo8bnkFBNWHQ0Fmd5nf/uh+x9buaRJMZnM="; - }; - - sourceRoot = "${finalAttrs.src.name}/service"; - - nativeBuildInputs = [ - makeBinaryWrapper - nodejs - pythonEnv - pkg-config - pnpm_9.configHook - removeReferencesTo - ]; - - # Required for `sharp` NPM dependency - buildInputs = [ vips ]; - - pnpmDeps = pnpm_9.fetchDeps { - inherit (finalAttrs) - pname - version - src - sourceRoot - ; - hash = "sha256-oU4dwlBdsMmgAUv1ICaOqaqucmg/TjKOZxjnxpm0qL8="; - }; - - buildPhase = '' - runHook preBuild - - pushd ./node_modules/.pnpm/better-sqlite3@*/node_modules/better-sqlite3 - npm run build-release --offline --nodedir="${nodeSources}" - find build -type f -exec remove-references-to -t "${nodeSources}" {} \; - popd - - makeWrapper "${lib.getExe nodejs}" "$out/bin/pds" \ - --add-flags --enable-source-maps \ - --add-flags "$out/lib/pds/index.js" \ - --set-default NODE_ENV production - - runHook postBuild - ''; - - installPhase = '' - runHook preInstall - - mkdir -p $out/{bin,lib/pds} - mv node_modules $out/lib/pds - mv index.js $out/lib/pds - - runHook postInstall - ''; - - meta = { - description = "Bluesky Personal Data Server (PDS)"; - homepage = "https://github.com/bluesky-social/pds"; - license = with lib.licenses; [ - mit - asl20 - ]; - maintainers = with lib.maintainers; [ t4ccer ]; - platforms = lib.platforms.unix; - mainProgram = "pds"; - }; -})