A lowly tech priest's attempt to please Mars
feat: add a PDS

+299
+15
kubernetes/apps/at/ks.yaml
··· 1 + # yaml-language-server: $schema=https://github.com/fluxcd-community/flux2-schemas/raw/refs/heads/main/all.json 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: apps-at-pds 6 + namespace: flux-system 7 + spec: 8 + interval: 10m 9 + path: ./kubernetes/apps/at/pds 10 + targetNamespace: at 11 + prune: true 12 + sourceRef: 13 + kind: GitRepository 14 + name: flux-system 15 + ---
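Review bot: The `apps-at-pds` Kustomization has no `spec.decryption` block, although the path it reconciles contains the SOPS-encrypted `secrets.yaml`. It also has no `postBuild` substitution, although the HelmRelease relies on `${TIMEZONE}` and `${ATPROTO_HOST}`. If a parent Kustomization patches these onto its children (not visible in this commit), a short comment saying so would help the next reader. Otherwise `pds-secrets` cannot be decrypted and the hostname stays a literal placeholder. In that case add `decryption: { provider: sops, secretRef: { name: <SOPS_AGE_SECRET_PLACEHOLDER> } }` and a matching `postBuild.substituteFrom` entry under `spec`.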
+5
kubernetes/apps/at/kustomization.yaml
··· 1 + apiVersion: kustomize.config.k8s.io/v1beta1 2 + kind: Kustomization 3 + resources: 4 + - ks.yaml 5 + - namespace.yaml
+4
kubernetes/apps/at/namespace.yaml
··· 1 + apiVersion: v1 2 + kind: Namespace 3 + metadata: 4 + name: at
+242
kubernetes/apps/at/pds/helmrelease.yaml
··· 1 + apiVersion: helm.toolkit.fluxcd.io/v2 2 + kind: HelmRelease 3 + metadata: 4 + name: pds 5 + spec: 6 + interval: 30m 7 + chartRef: 8 + kind: OCIRepository 9 + namespace: global-shared 10 + name: app-template 11 + 12 + install: 13 + remediation: 14 + retries: 3 15 + upgrade: 16 + cleanupOnFail: true 17 + remediation: 18 + strategy: rollback 19 + retries: 3 20 + 21 + values: 22 + controllers: 23 + pds: 24 + annotations: 25 + reloader.stakater.com/auto: "true" 26 + containers: 27 + app: 28 + image: 29 + repository: ghcr.io/bluesky-social/pds 30 + tag: 0.4.188@sha256:87881525ec7a5cd2411a71b81a70ee2af9b5d79d770f9d1d1b84f74f91da4a9f 31 + env: 32 + TZ: ${TIMEZONE} 33 + LOG_ENABLED: true 34 + 35 + # service 36 + PDS_HOSTNAME: "pds.${ATPROTO_HOST}" 37 + PDS_PORT: '3000' 38 + # PDS_SERVICE_DID: '' 39 + # PDS_SERVICE_NAME: '' 40 + # PDS_VERSION: '' 41 + # PDS_HOME_URL: '' 42 + # PDS_LOGO_URL: '' 43 + # PDS_PRIVACY_POLICY_URL: '' 44 + # PDS_SUPPORT_URL: '' 45 + # PDS_TERMS_OF_SERVICE_URL: '' 46 + # PDS_CONTACT_EMAIL_ADDRESS: '' 47 + # PDS_ACCEPTING_REPO_IMPORTS: '' 48 + # PDS_MAX_REPO_IMPORT_SIZE: '' 49 + PDS_BLOB_UPLOAD_LIMIT: 104857600 50 + # PDS_DEV_MODE: '' 51 + 52 + # hCaptcha 53 + # PDS_HCAPTCHA_SITE_KEY: '' 54 + # PDS_HCAPTCHA_SECRET_KEY: '' 55 + # PDS_HCAPTCHA_TOKEN_SALT: '' 56 + 57 + # OAuth 58 + # PDS_OAUTH_TRUSTED_CLIENTS: '' 59 + 60 + # branding 61 + # PDS_LIGHT_COLOR: '' 62 + # PDS_DARK_COLOR: '' 63 + # PDS_PRIMARY_COLOR: '' 64 + # PDS_PRIMARY_COLOR_CONTRAST: '' 65 + # PDS_PRIMARY_COLOR_HUE: '' 66 + # PDS_ERROR_COLOR: '' 67 + # PDS_ERROR_COLOR_CONTRAST: '' 68 + # PDS_ERROR_COLOR_HUE: '' 69 + # PDS_WARNING_COLOR: '' 70 + # PDS_WARNING_COLOR_CONTRAST: '' 71 + # PDS_WARNING_COLOR_HUE: '' 72 + # PDS_SUCCESS_COLOR: '' 73 + # PDS_SUCCESS_COLOR_CONTRAST: '' 74 + # PDS_SUCCESS_COLOR_HUE: '' 75 + 76 + # database 77 + PDS_DATA_DIRECTORY: /pds 78 + # PDS_SQLITE_DISABLE_WAL_AUTO_CHECKPOINT: '' 79 + # PDS_ACCOUNT_DB_LOCATION: '' 80 + # PDS_SEQUENCER_DB_LOCATION: '' 81 + 
# PDS_DID_CACHE_DB_LOCATION: '' 82 + 83 + # actor store 84 + # PDS_ACTOR_STORE_DIRECTORY: '' 85 + # PDS_ACTOR_STORE_CACHE_SIZE: '' 86 + 87 + # blobstore: one required 88 + # s3 89 + # PDS_BLOBSTORE_S3_BUCKET: '' 90 + # PDS_BLOBSTORE_S3_REGION: '' 91 + # PDS_BLOBSTORE_S3_ENDPOINT: '' 92 + # PDS_BLOBSTORE_S3_FORCE_PATH_STYLE: '' 93 + # PDS_BLOBSTORE_S3_ACCESS_KEY_ID: '' 94 + # PDS_BLOBSTORE_S3_SECRET_ACCESS_KEY: '' 95 + # PDS_BLOBSTORE_S3_UPLOAD_TIMEOUT_MS: '' 96 + # disk 97 + PDS_BLOBSTORE_DISK_LOCATION: /blobstore 98 + # PDS_BLOBSTORE_DISK_TMP_LOCATION: '' 99 + 100 + # identity 101 + PDS_DID_PLC_URL: https://plc.directory 102 + # PDS_DID_CACHE_STALE_TTL: '' 103 + # PDS_DID_CACHE_MAX_TTL: '' 104 + # PDS_ID_RESOLVER_TIMEOUT: '' 105 + # PDS_RECOVERY_DID_KEY: '' 106 + # PDS_SERVICE_HANDLE_DOMAINS: '' 107 + # PDS_HANDLE_BACKUP_NAMESERVERS: '' 108 + # PDS_ENABLE_DID_DOC_WITH_SESSION: '' 109 + 110 + # entryway 111 + # PDS_ENTRYWAY_URL: '' 112 + # PDS_ENTRYWAY_DID: '' 113 + # PDS_ENTRYWAY_JWT_VERIFY_KEY_K256_PUBLIC_KEY_HEX: '' 114 + # PDS_ENTRYWAY_PLC_ROTATION_KEY: '' 115 + 116 + # invites 117 + # PDS_INVITE_REQUIRED: '' 118 + # PDS_INVITE_INTERVAL: '' 119 + # PDS_INVITE_EPOCH: '' 120 + 121 + # email 122 + # PDS_EMAIL_SMTP_URL: '' 123 + # PDS_EMAIL_FROM_ADDRESS: '' 124 + # PDS_MODERATION_EMAIL_SMTP_URL: '' 125 + # PDS_MODERATION_EMAIL_ADDRESS: '' 126 + 127 + # subscription 128 + # PDS_MAX_SUBSCRIPTION_BUFFER: '' 129 + # PDS_REPO_BACKFILL_LIMIT_MS: '' 130 + 131 + # appview 132 + PDS_BSKY_APP_VIEW_URL: https://api.bsky.app 133 + PDS_BSKY_APP_VIEW_DID: did:web:api.bsky.app 134 + # PDS_BSKY_APP_VIEW_CDN_URL_PATTERN: '' 135 + 136 + # mod service 137 + # PDS_MOD_SERVICE_URL: '' 138 + # PDS_MOD_SERVICE_DID: '' 139 + 140 + # report service 141 + PDS_REPORT_SERVICE_URL: https://mod.bsky.app 142 + PDS_REPORT_SERVICE_DID: did:plc:ar7c4by46qjdydhdevvrndac 143 + 144 + # rate limits 145 + # PDS_RATE_LIMITS_ENABLED: '' 146 + # PDS_RATE_LIMIT_BYPASS_KEY: '' 147 + # 
PDS_RATE_LIMIT_BYPASS_IPS: '' 148 + 149 + # redis 150 + # PDS_REDIS_SCRATCH_ADDRESS: '' 151 + # PDS_REDIS_SCRATCH_PASSWORD: '' 152 + 153 + # crawlers 154 + PDS_CRAWLERS: https://bsky.network 155 + 156 + # secrets 157 + # PDS_DPOP_SECRET: set via secret 158 + # PDS_JWT_SECRET: set via secret 159 + # PDS_ADMIN_PASSWORD: set via secret 160 + # PDS_ENTRYWAY_ADMIN_TOKEN: '' 161 + 162 + # kms 163 + # PDS_PLC_ROTATION_KEY_KMS_KEY_ID: '' 164 + # memory 165 + # PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: set via secret 166 + 167 + # user provided url http requests 168 + # PDS_DISABLE_SSRF_PROTECTION: '' 169 + 170 + # fetch 171 + # PDS_FETCH_MAX_RESPONSE_SIZE: '' 172 + 173 + # proxy 174 + # PDS_PROXY_ALLOW_HTTP2: '' 175 + # PDS_PROXY_HEADERS_TIMEOUT: '' 176 + # PDS_PROXY_BODY_TIMEOUT: '' 177 + # PDS_PROXY_MAX_RESPONSE_SIZE: '' 178 + # PDS_PROXY_MAX_RETRIES: '' 179 + # PDS_PROXY_PREFER_COMPRESSED: '' 180 + envFrom: 181 + - secretRef: 182 + name: pds-secrets 183 + probes: 184 + liveness: &probe 185 + enabled: true 186 + path: /xrpc/_health 187 + readiness: *probe 188 + startup: *probe 189 + securityContext: 190 + allowPrivilegeEscalation: false 191 + capabilities: { drop: ["ALL"] } 192 + resources: 193 + requests: 194 + cpu: 10m 195 + limits: 196 + memory: 512Mi 197 + 198 + defaultPodOptions: 199 + securityContext: 200 + runAsNonRoot: true 201 + runAsUser: 10001 202 + runAsGroup: 10001 203 + fsGroup: 10001 204 + fsGroupChangePolicy: OnRootMismatch 205 + seccompProfile: { type: RuntimeDefault } 206 + 207 + service: 208 + pds: 209 + primary: true 210 + controller: pds 211 + ports: 212 + http: 213 + primary: true 214 + port: &port 3000 215 + protocol: HTTP 216 + 217 + route: 218 + pds: 219 + annotations: 220 + route.proteus/redirect-http: 'true' 221 + parentRefs: 222 + - name: ingress-gateway 223 + namespace: ingress 224 + sectionName: atproto-https 225 + hostnames: 226 + - "pds.${ATPROTO_HOST}" 227 + rules: 228 + - backendRefs: 229 + - identifier: pds 230 + port: *port 231 + 232 
+ persistence: 233 + pds: 234 + type: persistentVolumeClaim 235 + accessMode: ReadWriteOncePod 236 + size: 2Gi 237 + blobstore: 238 + type: persistentVolumeClaim 239 + accessMode: ReadWriteOncePod 240 + size: 10Gi 241 + tmp: 242 + type: emptyDir
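Review bot: In the `env` block, `PDS_RATE_LIMITS_ENABLED` and `PDS_INVITE_REQUIRED` are left commented out, while the `route` publishes the service on `pds.${ATPROTO_HOST}` and `PDS_BLOB_UPLOAD_LIMIT` allows 100 MiB uploads into a 10Gi disk blobstore. Account creation and request throttling then depend on the image's defaults, which this file does not show. Setting them explicitly, e.g. `PDS_RATE_LIMITS_ENABLED: "true"` and `PDS_INVITE_REQUIRED: "true"`, makes the exposure reviewable and guards the PVC against being filled. The container `securityContext` also omits `readOnlyRootFilesystem: true` even though a `tmp` emptyDir is already declared. It is worth confirming that the image runs with it before enabling it, since the PDS may need other writable paths.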
+33
kubernetes/apps/at/pds/secrets.yaml
··· 1 + apiVersion: v1 2 + kind: Secret 3 + metadata: 4 + name: pds-secrets 5 + stringData: 6 + PDS_DPOP_SECRET: ENC[AES256_GCM,data:g5E5hwsDU/3/kF1NMa7PlhK35Qxu1JQ9zvKPWWbFL/lLxuAs2BUi+FASNmU5C7sxSu7MM4j8/iZROZGbjppRjA==,iv:MZ0BQZk/wafkBy/cXn+kVLLWcHzikhz3QbyEhOXxaK4=,tag:MZPmVpcjTh8aRiOXIEOKgA==,type:str] 7 + PDS_JWT_SECRET: ENC[AES256_GCM,data:fP4HMcaHNGjCndEDkBvC90lNRP1VD1AZ+3N5pLxMHng=,iv:VPljOatCXsy5EE5XzlTzQHMr5woQfxwH+buLz9BLF9E=,tag:wq608dHdf82jEye0L5E1xw==,type:str] 8 + PDS_ADMIN_PASSWORD: ENC[AES256_GCM,data:pP4KqRXe+aWjOfGhXtALXssQJXwMsqRaSQy6e1MxBLs=,iv:LeQ8jgMLjA9Crav1DBs0sD4UKSfCwimN5LbiUw1LnDo=,tag:6nTY43Y/iVW/QQh7tCcT9Q==,type:str] 9 + PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:7tYJX2JInpw1ddtiC4WDs5472p1Rn5U630NM8aJ/UUXoqvUKbWp8JwTl8Sce8wOiE2ZQZjOXNYW4BNNW8Za/yA==,iv:jhjfs5rrNhObn7kf70gEh+m70bKX5kHUp6ZZdgRw+Jo=,tag:BScxQo9DQ4eUmoShCLY2SQ==,type:str] 10 + sops: 11 + age: 12 + - recipient: age13u6nqs8jgp268mya8rht9gyhu86cc53j74f5va65077rsrvkr9gsjeqk88 13 + enc: | 14 + -----BEGIN AGE ENCRYPTED FILE----- 15 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUDU4RUYvZ0JHUG5HeVlE 16 + cmZ5YUhMQ0k1TFhSUDVaTXcvR0R1VHNXOFY0Ck1WbG9yRlU3U1RjUCtmYUs1NGFh 17 + Q3VqUkJqS21HdDRLM1VZcit2MjlTeFEKLS0tIGNaQW5xR1ppSnJvRWppMzZ4RXYz 18 + Ynl4NTJzdE5yY296bktWNHh2K2pCZ00K9SSFhatky5xXldG3/fZqUUoT98MT3juP 19 + /pLi389UP9+sphwhEQpIwqh8ZHeXY1GgaTzHd2b5v7cnydGCPsWV/A== 20 + -----END AGE ENCRYPTED FILE----- 21 + - recipient: age16tv9zf54wf4txwjx39wz9phw7zggtxe7k0p2lkhtx59u4he72erq4d9xh9 22 + enc: | 23 + -----BEGIN AGE ENCRYPTED FILE----- 24 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdG1CeXU0V0N6eWZtRlQw 25 + TkxPVHIzL0c5cjFJcTFkZ1NENEdQMkhtYW5NClVzMHZZNjhaWFAwQXFRSDRxYW1X 26 + RWZ1T3dySFBjem1DU1ZQVkxmeXFhbW8KLS0tIE9UalNMSFkwZksyZnBqa21iZElH 27 + T0NvQ0p3SHlNZm5ETmo1VitzRWhobWsKDL26hIDYVlyUhMUZ/T4zASdLSZp6ZOTs 28 + 57TRvz73ueG4h9EKq3zIrQBmofE33tBUa8edL4k5Udg2IAE/7phTSw== 29 + -----END AGE ENCRYPTED FILE----- 30 + lastmodified: "2025-11-09T21:37:51Z" 31 + mac: 
ENC[AES256_GCM,data:wi59VE4/+aWJEJXyJnCZPJrnMd9Uk0wssZE9QkYULqhQ/YBhPVecm+IMVh8G5mQhqoXmPZm32gmnSR1jbxpJYzlhXN5PyJS0GPcv2HODUiZ3uUMg8ooIsmH4VcLmjaFdwwddR1tlfszrYzg65mDHZ0XEDz3AxJ32bZh6d2wq1Bo=,iv:zZWnhZAjDfllfrRqV7W5C2FhcvThfIBVoOimIRrStTE=,tag:UhBvYBSnls4WBVK5Vfo2Fw==,type:str] 32 + encrypted_regex: ^(data|stringData)$ 33 + version: 3.11.0
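Review bot: `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX` is kept as a raw private key in `pds-secrets` and reaches the container through `envFrom`. Its confidentiality therefore rests on both age identities listed under `sops.age` and on who can read Secrets or exec into pods in namespace `at`. The HelmRelease leaves `PDS_RECOVERY_DID_KEY` and the KMS variant `PDS_PLC_ROTATION_KEY_KMS_KEY_ID` commented out, so there appears to be no separately held key to fall back on if this one leaks or is lost. Consider setting `PDS_RECOVERY_DID_KEY: <DID_KEY_OF_OFFLINE_KEY_PLACEHOLDER>` in the HelmRelease, restricting Secret read access in the namespace, and recording who holds each age recipient.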