# bluesky-pds-docker

A self-contained Docker image for the [Bluesky PDS (Personal Data Server)](https://github.com/bluesky-social/pds) for use with Traefik. This image is pinned to v0.4.74.

The instance must run behind a reverse proxy (such as Traefik) that terminates TLS and obtains the SSL certificates; it will not work otherwise. The standard PDS install bundles Caddy to handle this. I can confirm it works behind Cloudflare's DNS proxy with SSL mode Full (strict).

## Deployment

### Requirements

#### Manjaro/Arch

```bash
sudo pacman -Syu jq
```

#### Debian/Ubuntu

```bash
sudo apt install make xxd
```

### Setup

Generate the secrets and add them to a `.env` file. See [example.env](example.env) as an example.

```bash
# Generate secret environment variables
echo PDS_ADMIN_PASSWORD: $(openssl rand --hex 16)
echo PDS_JWT_SECRET: $(openssl rand --hex 16)
echo PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: $(openssl ecparam --name secp256k1 --genkey --noout --outform DER | tail --bytes=+8 | head --bytes=32 | xxd --plain --cols 32)
```

### Standalone

The full list of environment variables is in [packages/pds/src/config/env.ts](https://github.com/bluesky-social/atproto/blob/main/packages/pds/src/config/env.ts).

```yaml
# Standalone, you'll need to add a proxy in front of this with SSL.
services:
  bluesky-pds:
    container_name: bluesky-pds
    image: forgejo.gravityfargo.dev/gravityfargo/bluesky-pds
    environment:
      # Define variables here or in a .env file
      PDS_JWT_SECRET: ...
      PDS_ADMIN_PASSWORD: ...
      PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: ...
      PDS_HOSTNAME: ...
      PDS_EMAIL_SMTP_URL: ""
      PDS_EMAIL_FROM_ADDRESS: ""
    volumes:
      - ./bluesky-pds:/pds
```

### Traefik

```yaml
# Traefik Proxy
services:
  bluesky-pds:
    container_name: bluesky-pds
    image: forgejo.gravityfargo.dev/gravityfargo/bluesky-pds:latest
    env_file:
      - .env
    volumes:
      - ./bluesky-pds:/pds
    labels:
      traefik.enable: "true"
      traefik.http.routers.bluesky-pds-insecure.entrypoints: http
      traefik.http.routers.bluesky-pds-insecure.rule: HostRegexp(`^.+\.example\.com$`)
      traefik.http.routers.bluesky-pds-secure.entrypoints: https
      traefik.http.routers.bluesky-pds-secure.rule: HostRegexp(`^.+\.example\.com$`)
      traefik.http.routers.bluesky-pds-secure.tls: "true"
      traefik.http.services.bluesky-pds.loadbalancer.server.scheme: http
      traefik.http.services.bluesky-pds.loadbalancer.server.port: 3000
      traefik.http.routers.bluesky-pds-secure.middlewares: BlueskyHeaders@file
      traefik.http.routers.bluesky-pds-insecure.middlewares: BlueskyHeaders@file
```

#### Middleware

I think file configs are cleaner than having a billion labels.

```yaml
# middleware.yaml
http:
  middlewares:
    BlueskyHeaders:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
          - POST
          - DELETE
        accessControlAllowHeaders: "*"
        accessControlAllowOriginList: "*"
        addVaryHeader: true
        stsSeconds: 63072000
```

#### Optional Proxy Network

```bash
docker network create --subnet=192.168.1.0/24 --ipv6 --attachable proxy

# /etc/docker/daemon.json
# {
#   "ipv6": true,
#   "fixed-cidr-v6": "2001:db8:1::/64"
# }
```

#### Cloudflare DNS

![alt text](assets/image.png)
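The Setup section above prints the three secrets as `KEY: value` lines that still have to be copied into `.env` by hand. The script below is an added example, not part of this repository or of the upstream PDS installer: it runs the same generation commands, checks that each value has the expected length and character set before anything is written, and writes the `KEY=value` form that `env_file` expects with mode 0600 so other local users cannot read the secrets. It assumes `openssl` and `xxd` are installed (see Requirements); the script name `make-env.sh` and the hostname `pds.example.com` are placeholders.

```bash
#!/bin/sh
# Added example (not part of bluesky-pds-docker): generate the PDS secrets into a
# private .env file and sanity-check them first. Assumes openssl and xxd exist.

# Return 0 if $1 is exactly $2 lowercase hex characters, 1 otherwise (pure POSIX sh).
is_hex_of_len() {
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Admin password and JWT secret are 16 random bytes (32 hex chars); the K-256
# rotation key is the 32-byte private scalar (64 hex chars).
validate_secrets() {
    is_hex_of_len "$1" 32 && is_hex_of_len "$2" 32 && is_hex_of_len "$3" 64
}

# Same pipeline as the Setup section: secp256k1 key in DER (SEC1) form, skip the
# 7-byte header, keep the 32-byte private scalar, print it as one hex line.
gen_rotation_key() {
    openssl ecparam --name secp256k1 --genkey --noout --outform DER \
        | tail --bytes=+8 | head --bytes=32 | xxd --plain --cols 32
}

# Write KEY=value lines (the env_file format) to $1 for hostname $2.
# The subshell keeps umask 077 local, so the file is created with mode 0600.
write_env_file() {
    _path="$1"; _hostname="$2"
    _admin=$(openssl rand --hex 16)
    _jwt=$(openssl rand --hex 16)
    _rot=$(gen_rotation_key)
    validate_secrets "$_admin" "$_jwt" "$_rot" \
        || { echo "secret generation produced a malformed value, refusing to write" >&2; return 1; }
    (
        umask 077
        {
            echo "PDS_HOSTNAME=$_hostname"
            echo "PDS_ADMIN_PASSWORD=$_admin"
            echo "PDS_JWT_SECRET=$_jwt"
            echo "PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=$_rot"
            echo "PDS_EMAIL_SMTP_URL="
            echo "PDS_EMAIL_FROM_ADDRESS="
        } > "$_path"
    ) || return 1
    echo "wrote $_path (mode 0600)"
}

# Usage (placeholder hostname): sh make-env.sh pds.example.com
if [ $# -ge 1 ]; then
    write_env_file .env "$1"
fi
```

Run it once in the directory that holds your compose file; if `openssl` or `xxd` is missing the validation step fails and no `.env` is written, rather than leaving a file with an empty `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`.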
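Once the Traefik service and the `BlueskyHeaders@file` middleware above are up, the quickest way to confirm the proxy is doing its job is to look at what a client outside it actually receives. The script below is an added example, not part of this repository: it calls the PDS health endpoint `/xrpc/_health` (served by the PDS itself) over HTTPS and then checks that the `Strict-Transport-Security` header Traefik adds carries at least the `stsSeconds` value from `middleware.yaml`, which is the simplest sign that the middleware is attached to the router. The header parsing is plain text processing so it can also be run against a saved response. It assumes `curl` is installed; `verify-pds.sh` and `pds.example.com` are placeholders.

```bash
#!/bin/sh
# Added example (not part of bluesky-pds-docker): verify a deployment from outside
# the proxy. Assumes curl; the hostname is passed as the first argument.

# Print the value of header $1 (case-insensitive) from raw header text on stdin.
header_value() {
    _name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tr -d '\r' | awk -v name="$_name:" \
        'tolower($1) == name { sub(/^[^:]*: */, ""); print; exit }'
}

# Print the max-age number from the Strict-Transport-Security header, if any.
hsts_max_age() {
    header_value Strict-Transport-Security | sed 's/.*max-age=\([0-9]*\).*/\1/'
}

# Return 0 when HSTS is present with at least the 63072000 s set by stsSeconds.
hsts_ok() {
    _age=$(hsts_max_age)
    [ -n "$_age" ] && [ "$_age" -ge 63072000 ] 2>/dev/null
}

# Live checks against https://$1: health endpoint body, then response headers.
verify_deployment() {
    _health=$(curl -fsS "https://$1/xrpc/_health") \
        || { echo "health check failed: is the secure router reaching port 3000?" >&2; return 1; }
    echo "health: $_health"
    # -D - dumps the response headers of a normal GET to stdout.
    if curl -fsS -o /dev/null -D - "https://$1/xrpc/_health" | hsts_ok; then
        echo "HSTS present with max-age >= 63072000 (BlueskyHeaders is attached)"
    else
        echo "HSTS missing or too short: check the middlewares labels and middleware.yaml" >&2
        return 1
    fi
}

# Usage (placeholder hostname): sh verify-pds.sh pds.example.com
if [ $# -ge 1 ]; then
    verify_deployment "$1"
fi
```

Behind Cloudflare's proxy the headers you see come from Cloudflare's edge, so run this once directly against the origin (for example with `curl --resolve`) if you want to be sure Traefik itself is setting them.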