
feat(pm)!: switch bluesky pds to tranquil PDS #202

closed opened by a.starrysky.fyi targeting main from private/minion/push-mtkunykkyyqq

Tranquil PDS has features we prefer to bluesky's, such as OIDC on accounts. Let's switch over!

BREAKING-CHANGE: You are required to manually migrate accounts to the new PDS. Not doing this will cause data loss.


AT URI
at://did:plc:uuyqs6y3pwtbteet4swt5i5y/sh.tangled.repo.pull/3mem3kn4glz22
+86 -43
Diff #2
+12
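--- a/npins/sources.json
+++ b/npins/sources.json
@@ -627,6 +627,18 @@
     "url": null,
     "hash": "sha256-MaJyvfHh52nFI8qgROh5nmTaEHPwBzpcEuQD9s40mog="
   },
+  "tranquil-pds": {
+    "type": "Git",
+    "repository": {
+      "type": "Git",
+      "url": "https://tangled.org/tranquil.farm/tranquil-pds"
+    },
+    "branch": "feat/nix-module",
+    "submodules": false,
+    "revision": "e6b4698735918c5c6ee2572ef7d4fd29f791f219",
+    "url": null,
+    "hash": "sha256-7r113ZJ0Y7inOHPlfRldItrh2DMC/RuxyeDw3ZMSJfE="
+  },
   "treefmt-nix": {
     "type": "Git",
     "repository": {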
+74 -43
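--- a/packetmix/systems/teal/pds.nix
+++ b/packetmix/systems/teal/pds.nix
@@ -1,67 +1,98 @@
-# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+# SPDX-FileCopyrightText: 2026 FreshlyBakedCake
 #
 # SPDX-License-Identifier: MIT
 
 {
   project,
+  config,
   system,
+  pkgs,
+  lib,
   ...
 }:
 {
-  services.bluesky-pds = {
+  imports = [ project.inputs.tranquil-pds.result.nixosModules.default ];
+
+  services.tranquil-pds = {
     enable = true;
-    package = project.packages.packetmix-bluesky-pds.result.${system};
-    settings = {
-      PDS_HOSTNAME = "pds.freshly.space";
-      PDS_PORT = 1033;
-      PDS_SERVICE_HANDLE_DOMAINS = ".at.freshlybakedca.ke";
-      PDS_EMAIL_FROM_ADDRESS = "pds@freshly.space";
-      PDS_BLOB_UPLOAD_LIMIT = "268435456";
-    };
     environmentFiles = [
       "/secrets/pds/environmentFile"
     ];
-  };
 
-  services.nginx.virtualHosts."pds.freshly.space" = {
-    addSSL = true;
-    enableACME = true;
-    acmeRoot = null;
+    database.createLocally = true;
 
-    serverAliases = [ "*.at.freshlybakedca.ke" ];
+    nginx.enable = true;
 
-    locations."/" = {
-      proxyPass = "http://127.0.0.1:1033";
-      recommendedProxySettings = true;
-      proxyWebsockets = true;
-    };
+    settings = {
+      SERVER_HOST = "127.0.0.1";
+      SERVER_PORT = 1039;
+
+      PDS_HOSTNAME = "at.freshly.space";
+
+      MAIL_FROM_NAME = "Freshly PDS";
+      MAIL_FROM_ADDRESS = "pds@freshly.space";
+      SENDMAIL_PATH = "${pkgs.msmtp}/bin/sendmail";
+
+      VALKEY_URL = "unix://${config.services.redis.servers.tranquil-pds.unixSocket}";
+
+      BACKUP_ENABLED = "true";
 
-    locations."/xrpc/app.bsky.ageassurance.getState" = {
-      extraConfig = ''
-        default_type application/json;
-        add_header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy" always;
-        add_header access-control-allow-origin "*" always;
-        add_header X-Frame-Options SAMEORIGIN always;
-        add_header X-Content-Type-Options nosniff;
-      '';
-      return = "200 '${
-        builtins.toJSON {
-          state = {
-            lastInitiatedAt = "2025-09-11T19:18:03.551Z";
-            status = "assured";
-            access = "full";
-          };
-          metadata.accountCreatedAt = "2023-12-12T20:16:56.499Z";
-        }
-      }'";
+      ACCEPTING_REPO_IMPORTS = "true";
+
+      INVITE_CODE_REQUIRED = "true";
+      AVAILABLE_USER_DOMAINS = "at.freshly.space,at.freshlybakedca.ke";
+      ENABLE_SELF_HOSTED_DID_WEB = "false";
+
+      PDS_AGE_ASSURANCE_OVERRIDE = "true";
       # Our PDS is private
       # Therefore, we have verified the age of everyone on the service is over the age of majority - and we didn't need KWS to do it!
+
+      SSO_OIDC_ENABLED = "true";
+      SSO_OIDC_CLIENT_ID = "pds";
+      SSO_OIDC_ISSUER = "https://idm.freshly.space/oauth2/openid/pds/";
+      SSO_OIDC_NAME = "Freshly IDM";
     };
+  };
 
-    extraConfig = ''
-      client_max_body_size 1024M;
-    '';
+  services.redis.package = pkgs.valkey;
+  services.redis.servers.tranquil-pds = {
+    enable = true;
+    appendOnly = true;
+    user = "tranquil-pds";
+  };
+
+  systemd.services.tranquil-pds = {
+    wants = [ "redis-tranquil-pds.service" ];
+    after = [ "redis-tranquil-pds.service" ];
+
+    environment = {
+      XDG_CONFIG_HOME = "/secrets/pds";
+    };
+
+    serviceConfig.StateDirectory = [
+      "tranquil-pds/blobs"
+      "tranquil-pds/backups"
+    ]; # Not created automatically by tranquil for some reason...
+  };
+
+  services.nginx.virtualHosts."at.freshly.space" = {
+    acmeRoot = null;
+
+    serverAliases = lib.mkForce [
+      "*.at.freshlybakedca.ke"
+      "*.at.freshly.space"
+    ];
+  };
+
+  services.nginx.virtualHosts."pds.freshly.space" = {
+    enableACME = true;
+    acmeRoot = null;
+    addSSL = true;
+
+    locations."/" = {
+      return = "308 https://at.freshly.space$request_uri";
+    };
   };
 
-  clicks.storage.impermanence.persist.directories = [ "/var/lib/pds" ];
+  clicks.storage.impermanence.persist.directories = [ "/var/lib/tranquil-pds" ];
 }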
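Review bot: `serverAliases = lib.mkForce [ … ]` on the `at.freshly.space` virtual host overrides whatever alias list the module enabled by `nginx.enable = true` contributes (that module is not visible here), so if it derives aliases from `AVAILABLE_USER_DOMAINS` the two lists can silently diverge; either let the values merge without `mkForce`, or add a comment naming the module-provided value being overridden and why. `XDG_CONFIG_HOME = "/secrets/pds";` in the unit environment also deserves a why-comment, since it is the only pointer to where the service and the `SENDMAIL_PATH` msmtp binary read their non-Nix configuration (and presumably credentials) from, e.g. `# msmtp/tranquil read their config from $XDG_CONFIG_HOME; kept under /secrets/pds — confirm`. The two-line `# Our PDS is private …` comment now trails `PDS_AGE_ASSURANCE_OVERRIDE = "true";`; moving it above that line keeps the justification next to the option it explains. `ACCEPTING_REPO_IMPORTS = "true"` reads as a setting for the manual migration window described in the PR, so a comment stating whether it should be switched off once migration is complete would make the intended end state explicit. The old explicit upload limits (`PDS_BLOB_UPLOAD_LIMIT` and nginx `client_max_body_size 1024M`) have no counterpart in the new settings, so the effective blob size limit now rests on module defaults — worth a comment if that is intentional.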

History

3 rounds 0 comments
1 commit
feat(pm)!: switch bluesky pds to tranquil PDS
5/5 success
closed without merging
1 commit
feat(pm)!: switch bluesky pds to tranquil PDS
2/5 failed, 3/5 success
1 commit
feat(pm)!: switch bluesky pds to tranquil PDS
2/5 failed, 3/5 success