Commit a555ad106259

Vincent Demeester <vincent@sbr.pm>
2026-05-07 10:35:15
feat: added self-hosted ATProto PDS on carthage
Configured bluesky-pds service with Caddy reverse proxy at pds.demeester.fr. Added agenix-managed PDS secrets (JWT, admin password, PLC rotation key) and enabled pdsadmin and goat CLI tools for account management.
1 parent a76f8e3
Changed files (2)
systems/carthage/extra.nix
@@ -596,6 +596,29 @@ in
       ip6tables -A nixos-fw -p tcp --syn -m connlimit --connlimit-above 30 --connlimit-mask 24 -j DROP
     '';
   };
+  # ATProto PDS (Personal Data Server)
+  age.secrets."pds.env" = {
+    file = ../../secrets/carthage/pds.env.age;
+    mode = "400";
+    owner = "pds";
+    group = "pds";
+  };
+
+  services.bluesky-pds = {
+    enable = true;
+    pdsadmin.enable = true;
+    goat.enable = true;
+    settings = {
+      PDS_HOSTNAME = "pds.demeester.fr";
+      PDS_DATA_DIRECTORY = "/var/lib/pds";
+      PDS_BLOBSTORE_DISK_LOCATION = "/var/lib/pds/blocks";
+      PDS_INVITE_REQUIRED = "true";
+    };
+    environmentFiles = [
+      config.age.secrets."pds.env".path
+    ];
+  };
+
   # Allow Caddy to access public git repositories only (override ProtectHome)
   systemd.services.caddy.serviceConfig = {
     ProtectHome = lib.mkForce "tmpfs"; # Allow read access to /home with bind mounts
@@ -934,6 +957,13 @@ in
         }
       '';
 
+      # ATProto PDS
+      "pds.demeester.fr".extraConfig = ''
+        reverse_proxy localhost:3000 {
+          header_up Host {host}
+        }
+      '';
+
       # Personal website with directory browsing
       "vincent.demeester.fr".extraConfig = ''
         ${blockAIBotsSnippet}
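Review bot: The Caddy site block proxies to `localhost:3000`, but the `services.bluesky-pds.settings` attrset in the first hunk never pins the PDS listener, so the two halves of this change agree only through whatever the module's default happens to be; adding `PDS_PORT = "3000";` next to `PDS_HOSTNAME` makes the port Caddy depends on explicit and keeps a module default change from silently breaking the site. The `header_up Host {host}` directive appears redundant, since Caddy v2's `reverse_proxy` already forwards the client's Host header unchanged; either drop it or keep it with a comment such as `# keep Host as-is; the PDS presumably checks it against PDS_HOSTNAME` so the intent is recorded. It is also worth confirming that the module binds port 3000 to loopback only, because the firewall block ending in the first hunk does not open it and nothing in this change should require it to be reachable directly.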
secrets.nix
@@ -42,6 +42,9 @@ let
   systems = servers ++ desktops;
 in
 {
+  # ATProto PDS secrets
+  "secrets/carthage/pds.env.age".publicKeys = users ++ [ carthage ];
+
   # Mail passwords
   "secrets/mails/icloud-vdemeester.age".publicKeys = users ++ [ athena ];