
feat(pm)!: switch bluesky pds to tranquil PDS #202

closed opened by a.starrysky.fyi targeting main from private/minion/push-mtkunykkyyqq

Tranquil PDS has features we prefer to bluesky's, such as OIDC on accounts. Let's switch over!

BREAKING-CHANGE: You are required to manually migrate accounts to the new PDS. Not doing this will cause data loss.


AT URI
at://did:plc:uuyqs6y3pwtbteet4swt5i5y/sh.tangled.repo.pull/3mem3kn4glz22
+96 -44
Diff #0
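--- a/npins/sources.json
+++ b/npins/sources.json
@@ -627,6 +627,18 @@
       "url": null,
       "hash": "sha256-MaJyvfHh52nFI8qgROh5nmTaEHPwBzpcEuQD9s40mog="
     },
+    "tranquil-pds": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://tangled.org/tranquil.farm/tranquil-pds"
+      },
+      "branch": "feat/nix-module",
+      "submodules": false,
+      "revision": "e6b4698735918c5c6ee2572ef7d4fd29f791f219",
+      "url": null,
+      "hash": "sha256-7r113ZJ0Y7inOHPlfRldItrh2DMC/RuxyeDw3ZMSJfE="
+    },
     "treefmt-nix": {
       "type": "Git",
       "repository": {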
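--- a/packetmix/systems/teal/pds.nix
+++ b/packetmix/systems/teal/pds.nix
@@ -1,67 +1,107 @@
-# SPDX-FileCopyrightText: 2025 FreshlyBakedCake
+# SPDX-FileCopyrightText: 2026 FreshlyBakedCake
 #
 # SPDX-License-Identifier: MIT
 
 {
   project,
+  config,
   system,
+  pkgs,
+  lib,
   ...
 }:
 {
-  services.bluesky-pds = {
+  imports = [ project.inputs.tranquil-pds.result.nixosModules.default ];
+
+  services.tranquil-pds = {
     enable = true;
-    package = project.packages.packetmix-bluesky-pds.result.${system};
+    secretsFile = "/secrets/pds/environmentFile";
+
+    database.createLocally = true;
+
+    nginx = {
+      enable = true;
+      openFirewall = false; # This should definitely be done elsewhere(!!)
+    };
+
     settings = {
-      PDS_HOSTNAME = "pds.freshly.space";
-      PDS_PORT = 1033;
-      PDS_SERVICE_HANDLE_DOMAINS = ".at.freshlybakedca.ke";
-      PDS_EMAIL_FROM_ADDRESS = "pds@freshly.space";
-      PDS_BLOB_UPLOAD_LIMIT = "268435456";
+      server = {
+        pdsHostname = "at.freshly.space";
+        host = "127.0.0.1";
+        port = 1039;
+      };
+
+      cache.valkeyUrl = "unix://${config.services.redis.servers.tranquil-pds.unixSocket}";
+
+      storage.blobBackend = "filesystem";
+      backup = {
+        enable = true;
+        backend = "filesystem";
+      };
+
+      notifications = {
+        mailFromAddress = "pds@freshly.space";
+        mailFromName = "Freshly PDS";
+        sendmailPath = "${pkgs.msmtp}/bin/sendmail";
+      };
+
+      import.accepting = true;
+
+      registration = {
+        inviteCodeRequired = true;
+        availableUserDomains = "at.freshly.space,at.freshlybakedca.ke";
+        enableSelfHostedDidWeb = false;
+      };
+
+      misc.ageAssuranceOverride = true;
+      # Our PDS is private
+      # Therefore, we have verified the age of everyone on the service is over the age of majority - and we didn't need KWS to do it!
+
+      sso.oidc = {
+        enable = true;
+        clientId = "pds";
+        issuer = "https://idm.freshly.space/oauth2/openid/pds/";
+        name = "Freshly IDM";
+      };
     };
-    environmentFiles = [
-      "/secrets/pds/environmentFile"
-    ];
+  };
+
+  services.redis.package = pkgs.valkey;
+  services.redis.servers.tranquil-pds = {
+    enable = true;
+    appendOnly = true;
+    user = "tranquil-pds";
+  };
+
+  systemd.services.tranquil-pds = {
+    wants = [ "redis-tranquil-pds.service" ];
+    after = [ "redis-tranquil-pds.service" ];
+
+    environment = {
+      XDG_CONFIG_HOME = "/secrets/pds";
+    };
+
+    serviceConfig.StateDirectory = [
+      "tranquil-pds/blobs"
+      "tranquil-pds/backups"
+    ]; # Not created automatically by tranquil for some reason...
+  };
+
+  services.nginx.virtualHosts."at.freshly.space" = {
+    acmeRoot = null;
+
+    serverAliases = lib.mkForce [ "*.at.freshlybakedca.ke" "*.at.freshly.space" ];
   };
 
   services.nginx.virtualHosts."pds.freshly.space" = {
-    addSSL = true;
     enableACME = true;
     acmeRoot = null;
-
-    serverAliases = [ "*.at.freshlybakedca.ke" ];
+    addSSL = true;
 
     locations."/" = {
-      proxyPass = "http://127.0.0.1:1033";
-      recommendedProxySettings = true;
-      proxyWebsockets = true;
-    };
-
-    locations."/xrpc/app.bsky.ageassurance.getState" = {
-      extraConfig = ''
-        default_type application/json;
-        add_header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy" always;
-        add_header access-control-allow-origin "*" always;
-        add_header X-Frame-Options SAMEORIGIN always;
-        add_header X-Content-Type-Options nosniff;
-      '';
-      return = "200 '${
-        builtins.toJSON {
-          state = {
-            lastInitiatedAt = "2025-09-11T19:18:03.551Z";
-            status = "assured";
-            access = "full";
-          };
-          metadata.accountCreatedAt = "2023-12-12T20:16:56.499Z";
-        }
-      }'";
-      # Our PDS is private
-      # Therefore, we have verified the age of everyone on the service is over the age of majority - and we didn't need KWS to do it!
+      return = "308 https://at.freshly.space$request_uri";
     };
-
-    extraConfig = ''
-      client_max_body_size 1024M;
-    '';
   };
 
-  clicks.storage.impermanence.persist.directories = [ "/var/lib/pds" ];
+  clicks.storage.impermanence.persist.directories = [ "/var/lib/tranquil-pds" ];
 }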
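Review bot: The new `services.tranquil-pds` block drops both upload-size limits the old config carried (`PDS_BLOB_UPLOAD_LIMIT` on the service and `client_max_body_size 1024M;` on the `pds.freshly.space` vhost) without setting an equivalent on the new `at.freshly.space` vhost, so large blob uploads will hit nginx's default body-size cap unless the imported tranquil-pds nginx option raises it; worth confirming, and if not, adding `extraConfig = "client_max_body_size 1024M;";` to the `at.freshly.space` vhost. The `serverAliases = lib.mkForce [ ... ]` on that vhost also deserves a comment naming what it overrides, since mkForce silently discards any alias the imported module sets and a later reader cannot tell from this file why forcing was necessary. Separately, `backup.backend = "filesystem"` together with `StateDirectory = [ "tranquil-pds/blobs" "tranquil-pds/backups" ]` keeps the backups under the same persisted `/var/lib/tranquil-pds` tree as the live data, so they do not survive loss of that filesystem; if that is the accepted trade-off, a one-line comment next to the `backup` block saying so would save the next reader the question.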

History

3 rounds 0 comments
1 commit
feat(pm)!: switch bluesky pds to tranquil PDS
closed without merging
1 commit
feat(pm)!: switch bluesky pds to tranquil PDS
a.starrysky.fyi submitted #0
1 commit
feat(pm)!: switch bluesky pds to tranquil PDS