declarative relay deployment on hetzner
relay-eval.waow.tech
atproto
relay
1# deploying
2
3## prerequisites
4
5- [terraform](https://www.terraform.io/) (or [opentofu](https://opentofu.org/))
6- [helm](https://helm.sh/)
7- [kubectl](https://kubernetes.io/docs/tasks/tools/)
8- [just](https://github.com/casey/just)
9- a [Hetzner Cloud](https://www.hetzner.com/cloud/) account
10
11## setup
12
13create a `.env` file:
14
15```bash
16export HCLOUD_TOKEN="your-hetzner-api-token"
17export RELAY_DOMAIN="relay.yourdomain.com"
18export RELAY_ADMIN_PASSWORD="something-secure"
19export POSTGRES_PASSWORD="something-else-secure"
20export LETSENCRYPT_EMAIL="you@example.com"
21```
22
23then:
24
25```bash
26source .env
27
28just indigo init # terraform init
29just indigo infra # creates a CPX41 in Ashburn (~$30/mo) with k3s via cloud-init
30just indigo kubeconfig # waits for k3s, pulls kubeconfig (~2 min)
31just indigo deploy # installs cert-manager, postgresql, relay, jetstream, monitoring
32```
33
34point a DNS A record at the server IP (`just indigo server-ip`) before running deploy, so the Let's Encrypt HTTP-01 challenge succeeds.
35
36after deploy, seed the relay with the network's PDS hosts:
37
38```bash
39just indigo bootstrap # pulls hosts from upstream + restarts relay so slurper picks them up
40```
41
42## available commands
43
44```bash
45just indigo status # nodes, pods, health check
46just indigo logs # tail relay logs
47just indigo health # curl the public health endpoint
48just indigo reconnect # re-announce all known PDS hosts to the relay
49just indigo backfill # backfill collectiondir with full network data
50just indigo firehose # consume the firehose (passes args through)
51just indigo jetstream # consume the jetstream (passes args through)
52just indigo ssh # ssh into the server
53just indigo destroy # tear down everything
54```
55
56## maintenance
57
58a k8s CronJob (`indigo/deploy/reconnect-cronjob.yaml`) runs every 4 hours to re-announce PDS hosts to the relay — see [architecture](architecture.md#pds-connection-maintenance) for why this is needed. `just indigo reconnect` runs the same logic manually.
59
60## targeted deployments
61
62`just indigo deploy` deploys everything. for targeted updates:
63
64- `just indigo deploy-monitoring` — only the monitoring stack (prometheus, grafana, dashboards, ServiceMonitors). useful for dashboard changes or prometheus config tweaks without touching the relay.