A self contained Bluesky PDS

bluesky-pds-docker

A self-contained Docker image for the Bluesky PDS (Personal Data Server) for use with Traefik. This image is pinned to v0.4.74.

The instance must run behind a reverse proxy (such as Traefik) that terminates TLS and obtains the certificates; this image does not work without one. The standard PDS installer bundles Caddy to handle that.

I can confirm it works behind Cloudflare's DNS Proxy with Full (strict).

Deployment

Requirements

Manjaro/Arch

sudo pacman -Syu jq

Debian/Ubuntu

sudo apt install make xxd

Setup

Generate the secrets and add them to the .env file; example.env shows the expected layout.

# Generate secret environment variables
echo PDS_ADMIN_PASSWORD: $(openssl rand --hex 16)
echo PDS_JWT_SECRET: $(openssl rand --hex 16)
echo PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: $(openssl ecparam --name secp256k1 --genkey --noout --outform DER | tail --bytes=+8 | head --bytes=32 | xxd --plain --cols 32)
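The pipeline above slices the rotation key out of a DER-encoded SEC1 ECPrivateKey by fixed byte offsets. The following added example (not part of this repository) parses that DER structure properly, checks the curve OID is secp256k1, confirms the scalar really sits at offset 7, and then sanity-checks the values an .env file would carry; the sample DER blob, scalar and .env text are constructed here, not real secrets.

```python
import re

SECP256K1_OID = bytes.fromhex("2b8104000a")  # OID 1.3.132.0.10
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
ENV_LINE = re.compile(r"^\s*([A-Z0-9_]+)\s*[:=]\s*(\S*)\s*$")  # accepts KEY=v and the echo's "KEY: v"

def _need(cond: bool, msg: str) -> None:
    if not cond: raise ValueError(msg)

def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value; returns (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def rotation_key_hex_from_der(der: bytes) -> str:
    """Extract the private scalar from a SEC1 ECPrivateKey DER blob and verify the curve.
    `tail --bytes=+8 | head --bytes=32` works because for a k256 key the scalar starts at offset 7."""
    tag, body, _ = _tlv(der, 0)
    _need(tag == 0x30, "not a DER SEQUENCE")
    tag, ver, pos = _tlv(body, 0)
    _need(tag == 0x02 and ver == b"\x01", "unexpected ECPrivateKey version")
    tag, priv, pos = _tlv(body, pos)
    _need(tag == 0x04 and len(priv) == 32, "privateKey must be a 32-byte OCTET STRING")
    tag, params, _ = _tlv(body, pos)
    _need(tag == 0xA0, "missing [0] parameters")
    oid_tag, oid, _ = _tlv(params, 0)
    _need(oid_tag == 0x06 and oid == SECP256K1_OID, "curve is not secp256k1")
    _need(der[7:39] == priv, "scalar is not at offset 7; fixed-offset slicing would break")
    return priv.hex()

def check_env(text: str) -> list:
    """Return the problems found in .env-style text; an empty list means it looks sane."""
    env = {m.group(1): m.group(2) for m in map(ENV_LINE.match, text.splitlines()) if m}
    problems = []
    for key in ("PDS_ADMIN_PASSWORD", "PDS_JWT_SECRET"):
        if len(env.get(key, "")) < 32:  # openssl rand --hex 16 yields 32 hex characters
            problems.append(f"{key} missing or shorter than 16 random bytes")
    rk = env.get("PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX", "")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", rk):
        problems.append("rotation key must be exactly 64 hex characters")
    elif not 1 <= int(rk, 16) < SECP256K1_N:
        problems.append("rotation key is outside the secp256k1 scalar range")
    return problems

# Constructed sample: SEC1 DER with a dummy scalar and a dummy (not on-curve) public point.
SAMPLE_SCALAR = bytes(range(1, 33))
SAMPLE_DER = (b"\x30\x74" + b"\x02\x01\x01" + b"\x04\x20" + SAMPLE_SCALAR
              + b"\xa0\x07\x06\x05" + SECP256K1_OID + b"\xa1\x44\x03\x42\x00" + b"\x04" + b"\x11" * 64)
```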

Standalone

The full list of additional environment variables is in packages/pds/src/config/env.ts.

# Standalone, you'll need to add a proxy in front of this with SSL.
services:
  bluesky-pds:
    container_name: bluesky-pds
    image: forgejo.gravityfargo.dev/gravityfargo/bluesky-pds
    environment:
      # Define variables here or in a .env file
      PDS_JWT_SECRET: ...
      PDS_ADMIN_PASSWORD: ...
      PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: ...
      PDS_HOSTNAME: ...
      PDS_EMAIL_SMTP_URL: ""
      PDS_EMAIL_FROM_ADDRESS: ""
    volumes:
      - ./bluesky-pds:/pds

Traefik

# Traefik Proxy
services:
  bluesky-pds:
    container_name: bluesky-pds
    image: forgejo.gravityfargo.dev/gravityfargo/bluesky-pds:latest
    env_file:
      - .env
    volumes:
      - ./bluesky-pds:/pds
    labels:
      traefik.enable: "true"
      traefik.http.routers.bluesky-pds-insecure.entrypoints: http
      traefik.http.routers.bluesky-pds-insecure.rule: HostRegexp(`^.+\.example\.com$`)
      traefik.http.routers.bluesky-pds-secure.entrypoints: https
      traefik.http.routers.bluesky-pds-secure.rule: HostRegexp(`^.+\.example\.com$`)
      traefik.http.routers.bluesky-pds-secure.tls: "true"
      traefik.http.services.bluesky-pds.loadbalancer.server.scheme: http
      traefik.http.services.bluesky-pds.loadbalancer.server.port: 3000
      traefik.http.routers.bluesky-pds-secure.middlewares: BlueskyHeaders@file
      traefik.http.routers.bluesky-pds-insecure.middlewares: BlueskyHeaders@file

Middleware

I think file configs are cleaner than having a billion labels.

# middleware.yaml
http:
  middlewares:
    BlueskyHeaders:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
          - POST
          - DELETE
        accessControlAllowHeaders: "*"
        accessControlAllowOriginList: "*"
        addVaryHeader: true
        stsSeconds: 63072000

Optional Proxy Network

docker network create --subnet=192.168.1.0/24 --ipv6 --attachable proxy
# /etc/docker/daemon.json
# {
#   "ipv6": true,
#   "fixed-cidr-v6": "2001:db8:1::/64"
# }

Cloudflare DNS
