kris/wafrn-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1 Commit 1 Branch 0 Tags
06bc1598778b4726eb595f431bbdfa103727efe7
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Kris 06bc159877 first commit
2026-02-19 19:25:51 +02:00
modules
first commit
2026-02-19 19:25:51 +02:00
flake.lock
first commit
2026-02-19 19:25:51 +02:00
flake.nix
first commit
2026-02-19 19:25:51 +02:00
README.md
first commit
2026-02-19 19:25:51 +02:00

README.md

wafrn-nix

example:

{
  inputs.wafrn-nix.url = "git+https://git.ocbwoy3.dev/kris/wafrn-nix";

  outputs = { self, nixpkgs, wafrn-nix, ... }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        wafrn-nix.nixosModules.default
        ({ ... }: {
          virtualisation.docker.enable = true;

          services.wafrn = {
            enable = true;
            source = "/srv/wafrn";
            stateDir = "/var/lib/wafrn";
            secretsFile = "/run/secrets/wafrn.env";

            # cloudflared doesnt need https:
            # httpPort = 8080;
            # httpsPort = null;

            bun2nix = {
              enable = true;
              outputFile = "bun.nix";
            };

            environment = {
              DOMAIN_NAME = "wafrn.example.com";
              CACHE_DOMAIN = "cache.wafrn.example.com";
              MEDIA_DOMAIN = "media.wafrn.example.com";
              FRONTEND_MEDIA_URL = "https://media.wafrn.example.com";
              FRONTEND_CACHE_URL = "https://cache.wafrn.example.com/api/cache?media=";
              FRONTEND_FQDN_URL = "https://wafrn.example.com";
              ACME_EMAIL = "admin@example.com";
            };
          };
        })
      ];
    };
  };
}

External PDS mode

To use a separate PDS (not the bundled Wafrn PDS container):

services.wafrn = {
  enable = true;
  source = "/srv/wafrn";

  bluesky = {
    enable = true;
    useBundledPds = false;
    pdsDomain = "pds.example.com";
  };

  environment = {
    PDS_DOMAIN_NAME = "pds.example.com";
  };
};

Persistence

All important data is persisted in stateDir:

  • postgres/ - PostgreSQL data
  • redis/ - Redis data
  • uploads/ - user uploads
  • cache/ - backend cache
  • caddy/ - Caddy data and cert state
  • frontend/ - built frontend shared volume
  • pds/ - bundled PDS data (only when enabled)

Secrets

Put secrets in services.wafrn.secretsFile (dotenv format), for example:

ADMIN_PASSWORD=super-secret
JWT_SECRET=another-secret
SMTP_PASSWORD=smtp-secret
PDS_JWT_SECRET=pds-jwt-secret
PDS_ADMIN_PASSWORD=pds-admin-secret
WEBPUSH_PRIVATE=...
WEBPUSH_PUBLIC=...

This file is appended at runtime to the generated .env, so secret values override defaults.

bun2nix integration

By default, services.wafrn.bun2nix.enable = true, which runs bun2nix against the lock file in the Wafrn source checkout before starting containers.

  • Input lock file: services.wafrn.source + "/" + services.wafrn.bun2nix.lockFile (default bun.lock)
  • Output expression: services.wafrn.stateDir + "/" + services.wafrn.bun2nix.outputFile (default bun.nix)
  • Copy prefix: services.wafrn.bun2nix.copyPrefix (default ./)

You can disable this behavior with:

services.wafrn.bun2nix.enable = false;

Minimal Cloudflared exposure

If Cloudflared is your only public entrypoint, you can publish only one local HTTP port:

services.wafrn = {
  enable = true;
  source = "/srv/wafrn";

  httpPort = 8080;
  httpsPort = null;
  openFirewall = false;
};

Then point Cloudflared ingress to http://127.0.0.1:8080.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 116 KiB
Languages
Nix 100%