Flake to setup a local env for atproto development

Add relay

+64 -34
+45 -27
README.md
··· 2 2 3 3 A Nix-based development environment for running AT Protocol services (PDS, PLC, Caddy proxy, and MailHog). 4 4 5 + ## ⚠️ Security Warning 6 + 7 + **This environment uses a modified AT Protocol relay with SSRF protection disabled.** 8 + 9 + - The relay is built from a forked repository (`edouardparis/indigo`) with SSRF (Server-Side Request Forgery) protections disabled 10 + - Custom ports are allowed without restrictions 11 + - **This configuration is ONLY safe for local development environments** 12 + - **DO NOT use this relay configuration against external hosts or in production** 13 + - **DO NOT expose this relay to the internet** 14 + 15 + This setup is designed for controlled local testing where you need flexibility in network access that would normally be restricted for security reasons. 16 + 5 17 ## Prerequisites 6 18 7 - Make sure to add these lines to your `/etc/hosts` file: 8 - ``` 9 - 127.0.0.1 pds.example.org 10 - 127.0.0.1 plc.example.org 11 - 127.0.0.1 relay.example.org 12 - ``` 19 + 1. **Install mkcert** (required for SSL certificate generation): 20 + - On macOS: `brew install mkcert` 21 + - On Linux: See [mkcert installation guide](https://github.com/FiloSottile/mkcert#installation) 22 + - After installation, run: `mkcert -install` 13 23 14 - Generate SSL certificates before first use: 15 - ```bash 16 - nix run .#generate-certs 17 - ``` 24 + 2. **Add hosts file entries:** 25 + ``` 26 + 127.0.0.1 pds.example.org 27 + 127.0.0.1 plc.example.org 28 + 127.0.0.1 relay.example.org 29 + ``` 30 + 31 + 3. **Generate SSL certificates before first use:** 32 + ```bash 33 + nix run .#generate-certs 34 + ``` 18 35 19 36 ## Quick Start 20 37 ··· 33 50 - Pane 2: Caddy proxy 34 51 - Pane 3: AT Protocol Relay 35 52 36 - 3. **Create an invite code:** 53 + 3. **Add PDS host to the relay:** 54 + ```bash 55 + goat relay --relay-host=https://relay.example.org:8445 admin --admin-password=password host add "https://pds.example.org:8443" 56 + ``` 57 + 58 + 4. 
**Create an invite code:** 37 59 ```bash 38 60 scripts/create-invite.sh 39 61 ``` 40 62 41 - 4. **Create a user account:** 63 + 5. **Create a user account:** 42 64 ```bash 43 65 goat account create \ 44 66 --pds-host=https://pds.example.org:8443 \ ··· 48 70 --handle=edouard.pds.example.org 49 71 ``` 50 72 51 - Expected output: 52 - ``` 53 - Success! 54 - DID: did:plc:pzvsc3jwfjwidojtpbxv4rdd 55 - Handle: edouard.pds.example.org 56 - ``` 57 - 58 - 5. **Verify the DID is registered:** 73 + 6. **Verify the DID is registered:** 59 74 ```bash 60 - goat --plc-host=https://plc.example.org data did:plc:pzvsc3jwfjwidojtpbxv4rdd 75 + goat plc --plc-host=https://plc.example.org data <your-did> 61 76 ``` 62 77 63 - 6. **Login to your account:** 78 + 7. **Login to your account:** 64 79 ```bash 65 80 goat account login \ 66 81 --username=edouard.pds.example.org \ ··· 68 83 --pds-host=https://pds.example.org:8443 69 84 ``` 70 85 71 - 7. **Create your first post:** 86 + 8. **Create your first post:** 72 87 ```bash 73 88 goat bsky post "hello world!" 74 89 ``` ··· 80 95 - **AT Protocol Relay**: https://relay.example.org:8445 81 96 - **MailHog**: http://localhost:8025 82 97 83 - ## Available Tools 98 + ## Monitoring 84 99 85 - - `goat` - AT Protocol CLI tool 86 - - `curl`, `jq` - HTTP and JSON utilities 87 - - `tmux` - Terminal multiplexer 100 + To monitor the AT Protocol relay firehose: 101 + ```bash 102 + goat firehose --relay-host wss://relay.example.org:8445 103 + ``` 104 + 105 + This will show real-time events from the relay. You can run this in a separate terminal or tmux pane. 88 106 89 107 ## Management Commands 90 108
+16 -4
flake.nix
··· 98 98 tmux split-window -v -t atproto "${caddy-proxy}/bin/caddy-proxy" 99 99 100 100 # Split vertically for Relay (with environment variables) 101 - tmux split-window -v -t atproto "RELAY_ADMIN_PASSWORD=password RELAY_PLC_HOST=https://plc.example.org:8444 RELAY_TRUSTED_DOMAINS=*.example.org RELAY_ALLOW_INSECURE_HOSTS=true ${indigo-relay}/bin/relay serve" 101 + tmux split-window -v -t atproto " 102 + export RELAY_ADMIN_PASSWORD=password 103 + export RELAY_PLC_HOST=https://plc.example.org:8444 104 + export RELAY_TRUSTED_DOMAINS=*.example.org 105 + export RELAY_ALLOW_INSECURE_HOSTS=true 106 + export RELAY_LOG_LEVEL=debug 107 + export RELAY_DISABLE_SSRF=true 108 + export RELAY_ALLOW_CUSTOM_PORTS=true 109 + ${indigo-relay}/bin/relay serve 110 + " 102 111 103 - # Make all panes equal size 104 - tmux select-layout -t atproto even-vertical 105 112 106 113 # Select the first pane 107 114 tmux select-pane -t atproto.0 ··· 112 119 echo " tmux attach -t atproto - Attach to the session" 113 120 echo " tmux kill-session -t atproto - Stop all services" 114 121 echo "" 115 - echo "📋 Panes layout (single column):" 122 + echo "📋 Panes layout:" 116 123 echo " • Pane 0: PLC server" 117 124 echo " • Pane 1: PDS server" 118 125 echo " • Pane 2: Caddy proxy" 119 126 echo " • Pane 3: AT Protocol Relay" 120 127 echo "" 121 128 echo "💡 Use Ctrl+b followed by arrow keys to switch between panes" 129 + echo "💡 To monitor firehose: goat firehose --relay-host wss://relay.example.org:8445" 122 130 ''; 123 131 124 132 # Script to start relay with environment ··· 135 143 export RELAY_PLC_HOST="https://plc.example.org:8444" 136 144 export RELAY_TRUSTED_DOMAINS="*.example.org" 137 145 export RELAY_ALLOW_INSECURE_HOSTS="true" 146 + export RELAY_LOG_LEVEL="debug" 147 + export RELAY_DISABLE_SSRF="true" 148 + export RELAY_ALLOW_CUSTOM_PORTS="true" 138 149 139 150 ${indigo-relay}/bin/relay serve 140 151 ''; ··· 171 182 echo " nix run .#plc - Start PLC server" 172 183 echo " nix run .#pds - Start PDS 
server" 173 184 echo " nix run .#caddy-proxy - Start Caddy proxy" 185 + echo " nix run .#relay - Start AT Protocol Relay" 174 186 echo " nix run .#mailhog - Start MailHog" 175 187 echo " nix run .#generate-certs - Generate SSL certificates" 176 188 echo ""
+3 -3
packages/indigo-relay.nix
··· 8 8 version = "unstable-2024-10-03"; 9 9 10 10 src = fetchFromGitHub { 11 - owner = "bluesky-social"; 11 + owner = "edouardparis"; 12 12 repo = "indigo"; 13 - rev = "master"; # Latest commit from master branch 14 - hash = "sha256-yVj7DKGAUXQO4eTu4reAtm7bTE4ab0jYGX2ba74qazU="; 13 + rev = "disable-ssrf-and-allow-custom-ports"; 14 + hash = "sha256-0Uy/7IT3gVVkfntXauue07O6WDhmU+heNT4fSh+sK5A="; 15 15 }; 16 16 17 17 vendorHash = "sha256-7mYvgvR0tZdEnUgUYzKv6d2QyeXXnrFgVwY8/4UM3oU=";
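Review bot: In README.md, the new Security Warning section covers the disabled SSRF checks and the custom ports but says nothing about the relay admin credential, which flake.nix sets as `RELAY_ADMIN_PASSWORD=password` and which Quick Start step 3 repeats as `--admin-password=password`. Add a bullet saying the admin password is a fixed, publicly documented value, so the "do not expose this relay" rule visibly covers the admin interface as well. In the same hunk, Prerequisites step 2 now reads "Add hosts file entries" and no longer names `/etc/hosts`; keep the path so the step is actionable.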
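Review bot: In the README.md Quick Start hunk, step 6 now takes `<your-did>`, but the "Expected output" block that showed where the DID comes from was deleted in the same change, so the reader is never told that `goat account create` prints it. Keep the output block with a placeholder DID, or add a sentence to step 5 saying which line of the output to copy. Also worth confirming while this line is being edited: step 6 uses `--plc-host=https://plc.example.org` with no port, whereas flake.nix points the relay at `https://plc.example.org:8444` and every other URL in the README carries an explicit port.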
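Review bot: In flake.nix, the new multi-line tmux command for the relay pane writes `export RELAY_TRUSTED_DOMAINS=*.example.org` unquoted, while the standalone relay script further down quotes the same value as `"*.example.org"`. Shells that treat `export` arguments as ordinary words can glob-expand the unquoted form against the working directory, so quote it here too (escaped inside the tmux string). Better still, have the pane run the existing relay script instead of repeating the eight exports, so the SSRF and custom-port overrides are defined in one place and cannot drift apart. The removal of `tmux select-layout -t atproto even-vertical` is not explained in the commit message or a comment; say why the layout call was dropped.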
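Review bot: In the flake.nix relay script hunk, `RELAY_DISABLE_SSRF="true"` and `RELAY_ALLOW_CUSTOM_PORTS="true"` are added with no comment, and `nix run .#relay` now starts a relay with those protections off without any opt-in. Add a comment above the three new exports that points to the README Security Warning and notes that the flags depend on the fork fetched in packages/indigo-relay.nix, so someone who copies this script elsewhere sees the constraint next to the setting. Consider leaving `RELAY_LOG_LEVEL` overridable from the caller's environment rather than forcing `debug`.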
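Review bot: In packages/indigo-relay.nix, `rev = "disable-ssrf-and-allow-custom-ports"` is a branch name on a personal fork, not a commit. The `hash` pins the fetched content, so the build breaks with a hash mismatch as soon as that branch moves, and nothing in the file records which upstream commit the fork is based on. Pin `rev` to the full commit SHA, add a comment naming the upstream `bluesky-social/indigo` commit it was branched from, and update `version`, which still reads `unstable-2024-10-03` even though the source has changed. `vendorHash` is left unchanged, which is only correct if the fork does not alter the Go module dependencies; confirm that with a clean build.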