Microservice to bring 2FA to self hosted PDSes
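# Compose stack: a Bluesky PDS plus the pds_gatekeeper sidecar. Traefik routes
# the session, account and sign-in endpoints to the gatekeeper (see its labels).
#
# The SERVICE_* names look like platform-generated values (Coolify-style
# "magic" variables) - confirm against the deployment platform in use.
services:
  pds:
    image: 'ghcr.io/bluesky-social/pds:0.4.182'
    volumes:
      - '/pds:/pds'
    environment:
      - SERVICE_URL_PDS_3000
      - 'PDS_HOSTNAME=${SERVICE_FQDN_PDS_3000}'
      # Secrets (JWT signing secret, admin password, PLC rotation key) reach
      # the container as plain environment variables, so anything that can
      # inspect the container or run code inside it can read them.
      - 'PDS_JWT_SECRET=${SERVICE_HEX_32_JWTSECRET}'
      - 'PDS_ADMIN_PASSWORD=${SERVICE_PASSWORD_ADMIN}'
      - 'PDS_ADMIN_EMAIL=${PDS_ADMIN_EMAIL}'
      - 'PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=${SERVICE_HEX_32_ROTATIONKEY}'
      - 'PDS_DATA_DIRECTORY=${PDS_DATA_DIRECTORY:-/pds}'
      - 'PDS_BLOBSTORE_DISK_LOCATION=${PDS_DATA_DIRECTORY:-/pds}/blocks'
      - 'PDS_BLOB_UPLOAD_LIMIT=${PDS_BLOB_UPLOAD_LIMIT:-104857600}'
      - 'PDS_DID_PLC_URL=${PDS_DID_PLC_URL:-https://plc.directory}'
      - 'PDS_EMAIL_FROM_ADDRESS=${PDS_EMAIL_FROM_ADDRESS}'
      - 'PDS_EMAIL_SMTP_URL=${PDS_EMAIL_SMTP_URL}'
      - 'PDS_BSKY_APP_VIEW_URL=${PDS_BSKY_APP_VIEW_URL:-https://api.bsky.app}'
      - 'PDS_BSKY_APP_VIEW_DID=${PDS_BSKY_APP_VIEW_DID:-did:web:api.bsky.app}'
      - 'PDS_REPORT_SERVICE_URL=${PDS_REPORT_SERVICE_URL:-https://mod.bsky.app/xrpc/com.atproto.moderation.createReport}'
      - 'PDS_REPORT_SERVICE_DID=${PDS_REPORT_SERVICE_DID:-did:plc:ar7c4by46qjdydhdevvrndac}'
      - 'PDS_CRAWLERS=${PDS_CRAWLERS:-https://bsky.network}'
      - 'LOG_ENABLED=${LOG_ENABLED:-true}'
    # Startup wrapper: installs tooling, fetches pdsadmin, then execs the PDS.
    #
    # Supply-chain note: pdsadmin.sh is downloaded from the `main` branch on
    # every container start with no integrity check, into the container that
    # holds the secrets above. Prefer a URL pinned to a commit
    # (.../bluesky-social/pds/<COMMIT_SHA_PLACEHOLDER>/pdsadmin.sh) together
    # with a sha256sum check, or bake the script into a derived image.
    #
    # curl runs with --fail so an HTTP error page is never saved and marked
    # executable, and with --proto =https so the transfer cannot be downgraded.
    #
    # The pds.env path uses the same `:-/pds` default as the environment
    # entries: Compose interpolates ${...} in `command` from the host side,
    # so without the default an unset variable would expand to an empty
    # string and the file would be created as /pds.env at the container root.
    command: |
      sh -c '
        set -euo pipefail
        echo "Installing required packages and pdsadmin..."
        apk add --no-cache openssl curl bash jq coreutils gnupg util-linux-misc >/dev/null
        curl --fail --silent --show-error --proto =https -o /usr/local/bin/pdsadmin.sh https://raw.githubusercontent.com/bluesky-social/pds/main/pdsadmin.sh
        chmod 700 /usr/local/bin/pdsadmin.sh
        ln -sf /usr/local/bin/pdsadmin.sh /usr/local/bin/pdsadmin
        echo "Creating an empty pds.env file so pdsadmin works..."
        touch "${PDS_DATA_DIRECTORY:-/pds}/pds.env"
        echo "Launching PDS, enjoy!..."
        exec node --enable-source-maps index.js
      '
    healthcheck:
      test:
        - CMD
        - wget
        - '--spider'
        - 'http://127.0.0.1:3000/xrpc/_health'
      interval: 5s
      timeout: 10s
      retries: 10
  gatekeeper:
    container_name: gatekeeper
    # `latest` is a mutable tag: a re-pull can silently change the code that
    # sits in front of login and account creation. Pin to a release tag or a
    # digest, e.g. fatfingers23/pds_gatekeeper@sha256:<DIGEST_PLACEHOLDER>.
    image: 'fatfingers23/pds_gatekeeper:latest'
    restart: unless-stopped
    volumes:
      # Same host directory as the pds service, mounted read-write: the
      # gatekeeper can read and modify everything the PDS stores there.
      - '/pds:/pds'
    environment:
      - 'PDS_DATA_DIRECTORY=${PDS_DATA_DIRECTORY:-/pds}'
      - 'PDS_BASE_URL=http://pds:3000'
      # Listens on all container interfaces so Traefik can reach port 8080.
      # No `ports:` mapping is declared here, so the port is not published
      # on the host by this file.
      - GATEKEEPER_HOST=0.0.0.0
    depends_on:
      - pds
    healthcheck:
      # TCP connect probe against the gatekeeper port using bash's /dev/tcp.
      test:
        - CMD
        - timeout
        - '1'
        - bash
        - '-c'
        - 'cat < /dev/null > /dev/tcp/0.0.0.0/8080'
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 10s
    labels:
      - traefik.enable=true
      # `yourpds.com` is a placeholder: replace it with the real PDS hostname.
      # Only the paths listed in this rule go through the gatekeeper. The
      # router for all remaining paths is not defined in this file; with
      # priority=100 this rule is meant to win over it for these paths -
      # verify that after any PDS upgrade that adds or renames auth endpoints.
      - 'traefik.http.routers.pds-gatekeeper.rule=Host(`yourpds.com`) && (Path(`/xrpc/com.atproto.server.getSession`) || Path(`/xrpc/com.atproto.server.describeServer`) || Path(`/xrpc/com.atproto.server.updateEmail`) || Path(`/xrpc/com.atproto.server.createSession`) || Path(`/xrpc/com.atproto.server.createAccount`) || Path(`/@atproto/oauth-provider/~api/sign-in`) || Path(`/gate`))'
      - traefik.http.routers.pds-gatekeeper.entrypoints=https
      - traefik.http.routers.pds-gatekeeper.tls=true
      - traefik.http.routers.pds-gatekeeper.priority=100
      - traefik.http.routers.pds-gatekeeper.middlewares=gatekeeper-cors
      - traefik.http.services.pds-gatekeeper.loadbalancer.server.port=8080
      - traefik.http.services.pds-gatekeeper.loadbalancer.server.scheme=http
      # NOTE(review): wildcard origin and wildcard headers are combined with
      # allow-credentials=true. Browsers refuse credentialed responses whose
      # Access-Control-Allow-Origin is `*`, so cookie-bearing requests gain
      # nothing from this; and if any layer reflects the request Origin
      # instead, every site could call the session and sign-in routes with
      # the user's credentials. List the web-client origins that need access,
      # or drop allow-credentials if only bearer tokens are used - confirm
      # against the clients in use.
      - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowmethods=GET,POST,PUT,DELETE,OPTIONS,PATCH'
      - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowheaders=*'
      - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolalloworiginlist=*'
      - traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolmaxage=100
      - traefik.http.middlewares.gatekeeper-cors.headers.addvaryheader=true
      - traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowcredentials=true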