jamesog · July 24, 2025 07:46
diff --git a/pds.nix b/pds.nix
 services.caddy = {
    # Enable on-demand TLS to allow domain handles to work.
    # When a virtual host uses a wildcard, instead of trying to request a wildcard
    # from Let's Encrypt, it'll issue a cert for each hostname if the service
    # specified here responds with 200.
    globalConfig = ''
      on_demand_tls {
        ask http://[::1]:3000/tls-check
      }
    '';
    virtualHosts.pds =
      let
        ageAssuranceState = builtins.toJSON {
          lastInitiatedAt = "2025-07-24T07:00:00.456Z";
          status = "assured";
        };
      in
      {
        hostName = PDS_HOSTNAME;
        serverAliases = wildcardServiceDomains;
        logFormat = "import vhost_log ${PDS_HOSTNAME}";
        extraConfig = ''
          tls {
            on_demand
          }

          @pds {
            path /xrpc/*
            path /@atproto/*
            path /.well-known/*
            path /robots.txt
            path /oauth/*
            path /account/*
          }

          # Bypass age verification for UK Online Safety Act shenanigans
          # https://bsky.app/profile/mary.my.id/post/3ltwlpjciecsq
          @age_assurance_cors {
            path /xrpc/app.bsky.unspecced.getAgeAssuranceState
            method OPTIONS
          }
          handle @age_assurance_cors {
            header Access-Control-Allow-Headers *
            header Access-Control-Allow-Methods GET,HEAD,PUT,PATCH,POST,DELETE
            header Access-Control-Allow-Origin *
            header Access-Control-Max-Age 86400
            header Vary Access-Control-Request-Headers
            respond 204
          }
          @age_assurance {
            path /xrpc/app.bsky.unspecced.getAgeAssuranceState
          }
          handle @age_assurance {
            header Access-Control-Allow-Origin *
            header Content-Type application/json
            respond `${ageAssuranceState}` 200
          }

          handle @pds {
            reverse_proxy http://[::1]:3000
          }

          respond "Go away, bot!" 400 {
            close
          }
        '';
      };
  };
	services.caddy = {
	# Enable on-demand TLS to allow domain handles to work.
	# When a virtual host uses a wildcard, instead of trying to request a wildcard
	# from Let's Encrypt, it'll issue a cert for each hostname if the service
	# specified here responds with 200.
	globalConfig = ''
	on_demand_tls {
	ask http://[::1]:3000/tls-check
	}
	'';
	virtualHosts.pds =
	let
	ageAssuranceState = builtins.toJSON {
	lastInitiatedAt = "2025-07-24T07:00:00.456Z";
	status = "assured";
	};
	in
	{
	hostName = PDS_HOSTNAME;
	serverAliases = wildcardServiceDomains;
	logFormat = "import vhost_log ${PDS_HOSTNAME}";
	extraConfig = ''
	tls {
	on_demand
	}

	@pds {
	path /xrpc/*
	path /@atproto/*
	path /.well-known/*
	path /robots.txt
	path /oauth/*
	path /account/*
	}

	# Bypass age verification for UK Online Safety Act shenanigans
	# https://bsky.app/profile/mary.my.id/post/3ltwlpjciecsq
	@age_assurance_cors {
	path /xrpc/app.bsky.unspecced.getAgeAssuranceState
	method OPTIONS
	}
	handle @age_assurance_cors {
	header Access-Control-Allow-Headers *
	header Access-Control-Allow-Methods GET,HEAD,PUT,PATCH,POST,DELETE
	header Access-Control-Allow-Origin *
	header Access-Control-Max-Age 86400
	header Vary Access-Control-Request-Headers
	respond 204
	}
	@age_assurance {
	path /xrpc/app.bsky.unspecced.getAgeAssuranceState
	}
	handle @age_assurance {
	header Access-Control-Allow-Origin *
	header Content-Type application/json
	respond `${ageAssuranceState}` 200
	}

	handle @pds {
	reverse_proxy http://[::1]:3000
	}

	respond "Go away, bot!" 400 {
	close
	}
	'';
	};
	};