# wafrn-nix
Example flake usage:
```nix
{
inputs.wafrn-nix.url = "git+https://git.ocbwoy3.dev/kris/wafrn-nix";
outputs = { self, nixpkgs, wafrn-nix, ... }: {
nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
wafrn-nix.nixosModules.default
({ ... }: {
virtualisation.docker.enable = true;
services.wafrn = {
enable = true;
source = "/srv/wafrn";
stateDir = "/var/lib/wafrn";
secretsFile = "/run/secrets/wafrn.env";
# Behind Cloudflared the local listener can be plain HTTP
# (see "Minimal Cloudflared exposure" below):
# httpPort = 8080;
# httpsPort = null;
bun2nix = {
enable = true;
outputFile = "bun.nix";
};
environment = {
DOMAIN_NAME = "wafrn.example.com";
CACHE_DOMAIN = "cache.wafrn.example.com";
MEDIA_DOMAIN = "media.wafrn.example.com";
FRONTEND_MEDIA_URL = "https://media.wafrn.example.com";
FRONTEND_CACHE_URL = "https://cache.wafrn.example.com/api/cache?media=";
FRONTEND_FQDN_URL = "https://wafrn.example.com";
ACME_EMAIL = "admin@example.com";
};
};
})
];
};
};
}
```
## External PDS mode
To use a separate PDS (not the bundled Wafrn PDS container):
```nix
services.wafrn = {
enable = true;
source = "/srv/wafrn";
bluesky = {
enable = true;
useBundledPds = false;
pdsDomain = "pds.example.com";
};
environment = {
PDS_DOMAIN_NAME = "pds.example.com";
};
};
```
## Persistence
All persistent state is stored under `stateDir`:
- `postgres/` - PostgreSQL data
- `redis/` - Redis data
- `uploads/` - user uploads
- `cache/` - backend cache
- `caddy/` - Caddy data and cert state
- `frontend/` - built frontend shared volume
- `pds/` - bundled PDS data (only when enabled)
## Secrets
Put secrets in `services.wafrn.secretsFile` (dotenv format), for example:
```dotenv
ADMIN_PASSWORD=super-secret
JWT_SECRET=another-secret
SMTP_PASSWORD=smtp-secret
PDS_JWT_SECRET=pds-jwt-secret
PDS_ADMIN_PASSWORD=pds-admin-secret
WEBPUSH_PRIVATE=...
WEBPUSH_PUBLIC=...
```
This file is appended at runtime to the generated `.env`, so secret values
override defaults.
## bun2nix integration
By default, `services.wafrn.bun2nix.enable = true`, which runs `bun2nix` against
the lock file in the Wafrn source checkout before starting containers.
- Input lock file:
`services.wafrn.source + "/" + services.wafrn.bun2nix.lockFile` (default
`bun.lock`)
- Output expression:
`services.wafrn.stateDir + "/" + services.wafrn.bun2nix.outputFile` (default
`bun.nix`)
- Copy prefix: `services.wafrn.bun2nix.copyPrefix` (default `./`)
You can disable this behavior with:
```nix
services.wafrn.bun2nix.enable = false;
```
## Minimal Cloudflared exposure
If Cloudflared is your only public entrypoint, you can expose just a single local
HTTP port and keep the host firewall closed:
```nix
services.wafrn = {
enable = true;
source = "/srv/wafrn";
httpPort = 8080;
httpsPort = null;
openFirewall = false;
};
```
Then point the Cloudflared ingress rule at `http://127.0.0.1:8080`.