first commit
This commit is contained in:
134
README.md
Normal file
134
README.md
Normal file
@@ -0,0 +1,134 @@
|
||||
# wafrn-nix
|
||||
|
||||
example:
|
||||
|
||||
```nix
|
||||
{
|
||||
inputs.wafrn-nix.url = "git+https://git.ocbwoy3.dev/kris/wafrn-nix";
|
||||
|
||||
outputs = { self, nixpkgs, wafrn-nix, ... }: {
|
||||
nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
wafrn-nix.nixosModules.default
|
||||
({ ... }: {
|
||||
virtualisation.docker.enable = true;
|
||||
|
||||
services.wafrn = {
|
||||
enable = true;
|
||||
source = "/srv/wafrn";
|
||||
stateDir = "/var/lib/wafrn";
|
||||
secretsFile = "/run/secrets/wafrn.env";
|
||||
|
||||
# cloudflared doesnt need https:
|
||||
# httpPort = 8080;
|
||||
# httpsPort = null;
|
||||
|
||||
bun2nix = {
|
||||
enable = true;
|
||||
outputFile = "bun.nix";
|
||||
};
|
||||
|
||||
environment = {
|
||||
DOMAIN_NAME = "wafrn.example.com";
|
||||
CACHE_DOMAIN = "cache.wafrn.example.com";
|
||||
MEDIA_DOMAIN = "media.wafrn.example.com";
|
||||
FRONTEND_MEDIA_URL = "https://media.wafrn.example.com";
|
||||
FRONTEND_CACHE_URL = "https://cache.wafrn.example.com/api/cache?media=";
|
||||
FRONTEND_FQDN_URL = "https://wafrn.example.com";
|
||||
ACME_EMAIL = "admin@example.com";
|
||||
};
|
||||
};
|
||||
})
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
```
|
||||
|
||||
## External PDS mode
|
||||
|
||||
To use a separate PDS (not the bundled Wafrn PDS container):
|
||||
|
||||
```nix
|
||||
services.wafrn = {
|
||||
enable = true;
|
||||
source = "/srv/wafrn";
|
||||
|
||||
bluesky = {
|
||||
enable = true;
|
||||
useBundledPds = false;
|
||||
pdsDomain = "pds.example.com";
|
||||
};
|
||||
|
||||
environment = {
|
||||
PDS_DOMAIN_NAME = "pds.example.com";
|
||||
};
|
||||
};
|
||||
```
|
||||
|
||||
## Persistence
|
||||
|
||||
All important data is persisted in `stateDir`:
|
||||
|
||||
- `postgres/` - PostgreSQL data
|
||||
- `redis/` - Redis data
|
||||
- `uploads/` - user uploads
|
||||
- `cache/` - backend cache
|
||||
- `caddy/` - Caddy data and cert state
|
||||
- `frontend/` - built frontend shared volume
|
||||
- `pds/` - bundled PDS data (only when enabled)
|
||||
|
||||
## Secrets
|
||||
|
||||
Put secrets in `services.wafrn.secretsFile` (dotenv format), for example:
|
||||
|
||||
```dotenv
|
||||
ADMIN_PASSWORD=super-secret
|
||||
JWT_SECRET=another-secret
|
||||
SMTP_PASSWORD=smtp-secret
|
||||
PDS_JWT_SECRET=pds-jwt-secret
|
||||
PDS_ADMIN_PASSWORD=pds-admin-secret
|
||||
WEBPUSH_PRIVATE=...
|
||||
WEBPUSH_PUBLIC=...
|
||||
```
|
||||
|
||||
This file is appended at runtime to the generated `.env`, so secret values
|
||||
override defaults.
|
||||
|
||||
## bun2nix integration
|
||||
|
||||
By default, `services.wafrn.bun2nix.enable = true`, which runs `bun2nix` against
|
||||
the lock file in the Wafrn source checkout before starting containers.
|
||||
|
||||
- Input lock file:
|
||||
`services.wafrn.source + "/" + services.wafrn.bun2nix.lockFile` (default
|
||||
`bun.lock`)
|
||||
- Output expression:
|
||||
`services.wafrn.stateDir + "/" + services.wafrn.bun2nix.outputFile` (default
|
||||
`bun.nix`)
|
||||
- Copy prefix: `services.wafrn.bun2nix.copyPrefix` (default `./`)
|
||||
|
||||
You can disable this behavior with:
|
||||
|
||||
```nix
|
||||
services.wafrn.bun2nix.enable = false;
|
||||
```
|
||||
|
||||
## Minimal Cloudflared exposure
|
||||
|
||||
If Cloudflared is your only public entrypoint, you can publish only one local
|
||||
HTTP port:
|
||||
|
||||
```nix
|
||||
services.wafrn = {
|
||||
enable = true;
|
||||
source = "/srv/wafrn";
|
||||
|
||||
httpPort = 8080;
|
||||
httpsPort = null;
|
||||
openFirewall = false;
|
||||
};
|
||||
```
|
||||
|
||||
Then point Cloudflared ingress to `http://127.0.0.1:8080`.
|
||||
Reference in New Issue
Block a user