declarative relay deployment on hetzner
relay-eval.waow.tech
atproto
relay
1# deploying
2
3## prerequisites
4
5- [terraform](https://www.terraform.io/) (or [opentofu](https://opentofu.org/))
6- [helm](https://helm.sh/)
7- [kubectl](https://kubernetes.io/docs/tasks/tools/)
8- [just](https://github.com/casey/just)
9- a [Hetzner Cloud](https://www.hetzner.com/cloud/) account
10
11## setup
12
13create a `.env` file:
14
15```bash
16export HCLOUD_TOKEN="your-hetzner-api-token"
17export RELAY_DOMAIN="relay.yourdomain.com"
18export RELAY_ADMIN_PASSWORD="something-secure"
19export POSTGRES_PASSWORD="something-else-secure"
20export LETSENCRYPT_EMAIL="you@example.com"
21```
22
23then:
24
25```bash
26source .env
27
28just indigo init # terraform init
29just indigo infra # creates a CPX41 in Ashburn (~$30/mo) with k3s via cloud-init
30just indigo kubeconfig # waits for k3s, pulls kubeconfig (~2 min)
31just indigo deploy # installs cert-manager, postgresql, relay, jetstream, monitoring
32```
33
34point a DNS A record at the server IP (`just indigo server-ip`) before running deploy, so the Let's Encrypt HTTP-01 challenge succeeds.
35
36after deploy, seed the relay with the network's PDS hosts:
37
38```bash
39just indigo bootstrap # pulls hosts from upstream + restarts relay so slurper picks them up
40```
41
42## available commands
43
44```bash
45just indigo status # nodes, pods, health check
46just indigo logs # tail relay logs
47just indigo health # curl the public health endpoint
48just indigo reconnect # re-announce all known PDS hosts to the relay
49just indigo firehose # consume the firehose (passes args through)
50just indigo jetstream # consume the jetstream (passes args through)
51just indigo ssh # ssh into the server
52just indigo destroy # tear down everything
53```
54
55## maintenance
56
57a k8s CronJob (`indigo/deploy/reconnect-cronjob.yaml`) runs every 4 hours to re-announce PDS hosts to the relay — see [architecture](architecture.md#pds-connection-maintenance) for why this is needed. `just indigo reconnect` runs the same logic manually.
58
59## targeted deployments
60
61`just indigo deploy` deploys everything. for targeted updates:
62
63- `just indigo deploy-monitoring` — only the monitoring stack (prometheus, grafana, dashboards, ServiceMonitors). useful for dashboard changes or prometheus config tweaks without touching the relay.