+6 -5

.gitignore

reviewed

··· 1 1 # terraform 2 2 - infra/.terraform/ 3 3 - infra/.terraform.lock.hcl 4 4 - infra/terraform.tfstate 5 5 - infra/terraform.tfstate.backup 6 6 - infra/*.tfvars 2 2 + infra/**/.terraform/ 3 3 + infra/**/.terraform.lock.hcl 4 4 + infra/**/terraform.tfstate 5 5 + infra/**/terraform.tfstate.backup 6 6 + infra/**/*.tfvars 7 7 !infra/terraform.tfvars.example 8 8 9 9 # kubeconfig (fetched from server) 10 10 kubeconfig.yaml 11 11 + zlay-kubeconfig.yaml 11 12 12 13 # secrets 13 14 *.secret

+2

deploy/collectiondir-values.yaml

reviewed

··· 19 19 - /data/dau 20 20 - --upstream 21 21 - ws://relay:2470 22 22 + - --crawl-qps 23 23 + - "8" 22 24 probes: 23 25 liveness: &probes 24 26 enabled: true

+9

deploy/monitoring-values.yaml

reviewed

··· 72 72 editable: true 73 73 options: 74 74 path: /var/lib/grafana/dashboards/relay 75 75 + - name: zlay 76 76 + orgId: 1 77 77 + folder: "" 78 78 + type: file 79 79 + disableDeletion: false 80 80 + editable: true 81 81 + options: 82 82 + path: /var/lib/grafana/dashboards/zlay 75 83 dashboardsConfigMaps: 76 84 relay: relay-dashboard 85 85 + zlay: zlay-dashboard 77 86 defaultDashboardsEnabled: false 78 87 79 88 # --- operator ---

+70

deploy/reconnect-cronjob.yaml

reviewed

··· 1 1 + apiVersion: batch/v1 2 2 + kind: CronJob 3 3 + metadata: 4 4 + name: relay-reconnect 5 5 + namespace: relay 6 6 + spec: 7 7 + schedule: "0 */4 * * *" # every 4 hours 8 8 + concurrencyPolicy: Forbid 9 9 + successfulJobsHistoryLimit: 3 10 10 + failedJobsHistoryLimit: 3 11 11 + jobTemplate: 12 12 + spec: 13 13 + backoffLimit: 1 14 14 + activeDeadlineSeconds: 1800 # 30 min max 15 15 + template: 16 16 + spec: 17 17 + restartPolicy: Never 18 18 + containers: 19 19 + - name: reconnect 20 20 + image: python:3.12-alpine 21 21 + env: 22 22 + - name: PYTHONUNBUFFERED 23 23 + value: "1" 24 24 + - name: RELAY_ADMIN_PASSWORD 25 25 + valueFrom: 26 26 + secretKeyRef: 27 27 + name: relay-secret 28 28 + key: RELAY_ADMIN_PASSWORD 29 29 + command: 30 30 + - python3 31 31 + - -c 32 32 + - | 33 33 + import json, urllib.request, time, os, base64, sys 34 34 + 35 35 + PDS_LIST_URL = "https://raw.githubusercontent.com/mary-ext/atproto-scraping/refs/heads/trunk/state.json" 36 36 + RELAY_URL = "http://relay.relay.svc.cluster.local:2470" 37 37 + PASSWORD = os.environ["RELAY_ADMIN_PASSWORD"] 38 38 + AUTH = base64.b64encode(f"admin:{PASSWORD}".encode()).decode() 39 39 + 40 40 + print(f"fetching PDS list from {PDS_LIST_URL}...") 41 41 + with urllib.request.urlopen(PDS_LIST_URL, timeout=30) as resp: 42 42 + data = json.loads(resp.read()) 43 43 + hosts = [url.rstrip("/") for url in data.get("pdses", {}).keys() if url.startswith("https://")] 44 44 + print(f"found {len(hosts)} PDS hosts") 45 45 + 46 46 + ok = errors = 0 47 47 + start = time.time() 48 48 + 49 49 + for i, host in enumerate(hosts): 50 50 + payload = json.dumps({"hostname": host}).encode() 51 51 + req = urllib.request.Request( 52 52 + f"{RELAY_URL}/admin/pds/requestCrawl", 53 53 + data=payload, 54 54 + headers={"Content-Type": "application/json", "Authorization": f"Basic {AUTH}"}, 55 55 + method="POST", 56 56 + ) 57 57 + try: 58 58 + with urllib.request.urlopen(req, timeout=10) as resp: 59 59 + ok += 1 60 60 + except urllib.error.HTTPError: 61 61 + errors += 1 62 62 + except (ConnectionError, OSError, urllib.error.URLError): 63 63 + errors += 1 64 64 + 65 65 + if (i + 1) % 500 == 0: 66 66 + print(f" {i + 1}/{len(hosts)} ({ok} ok, {errors} errors, {time.time() - start:.0f}s)") 67 67 + 68 68 + time.sleep(0.05) 69 69 + 70 70 + print(f"done: {ok} ok, {errors} errors, {time.time() - start:.0f}s")

+258

deploy/zlay-dashboard.json

reviewed

··· 1 1 + { 2 2 + "annotations": { 3 3 + "list": [] 4 4 + }, 5 5 + "editable": true, 6 6 + "fiscalYearStartMonth": 0, 7 7 + "graphTooltip": 1, 8 8 + "links": [], 9 9 + "panels": [ 10 10 + { 11 11 + "title": "events/sec", 12 12 + "type": "timeseries", 13 13 + "gridPos": { "h": 8, "w": 8, "x": 0, "y": 0 }, 14 14 + "datasource": { "type": "prometheus", "uid": "prometheus" }, 15 15 + "fieldConfig": { 16 16 + "defaults": { 17 17 + "unit": "ops", 18 18 + "color": { "mode": "palette-classic" }, 19 19 + "custom": { 20 20 + "fillOpacity": 15, 21 21 + "lineWidth": 2, 22 22 + "spanNulls": false 23 23 + } 24 24 + }, 25 25 + "overrides": [] 26 26 + }, 27 27 + "targets": [ 28 28 + { 29 29 + "expr": "sum(rate(relay_frames_received_total{job=\"zlay\"}[5m]))", 30 30 + "legendFormat": "events received", 31 31 + "refId": "A" 32 32 + } 33 33 + ] 34 34 + }, 35 35 + { 36 36 + "title": "connected PDS hosts", 37 37 + "type": "stat", 38 38 + "gridPos": { "h": 8, "w": 8, "x": 8, "y": 0 }, 39 39 + "datasource": { "type": "prometheus", "uid": "prometheus" }, 40 40 + "fieldConfig": { 41 41 + "defaults": { 42 42 + "color": { "mode": "thresholds" }, 43 43 + "thresholds": { 44 44 + "steps": [ 45 45 + { "color": "red", "value": null }, 46 46 + { "color": "yellow", "value": 500 }, 47 47 + { "color": "green", "value": 1000 } 48 48 + ] 49 49 + } 50 50 + }, 51 51 + "overrides": [] 52 52 + }, 53 53 + "options": { 54 54 + "colorMode": "value", 55 55 + "graphMode": "area", 56 56 + "reduceOptions": { "calcs": ["lastNotNull"] } 57 57 + }, 58 58 + "targets": [ 59 59 + { 60 60 + "expr": "sum(relay_connected_inbound{job=\"zlay\"})", 61 61 + "legendFormat": "hosts", 62 62 + "refId": "A" 63 63 + } 64 64 + ] 65 65 + }, 66 66 + { 67 67 + "title": "downstream consumers", 68 68 + "type": "timeseries", 69 69 + "gridPos": { "h": 8, "w": 8, "x": 16, "y": 0 }, 70 70 + "datasource": { "type": "prometheus", "uid": "prometheus" }, 71 71 + "fieldConfig": { 72 72 + "defaults": { 73 73 + "unit": "ops", 74 74 + "color": { "mode": "palette-classic" }, 75 75 + "custom": { 76 76 + "fillOpacity": 15, 77 77 + "lineWidth": 2, 78 78 + "spanNulls": false 79 79 + } 80 80 + }, 81 81 + "overrides": [] 82 82 + }, 83 83 + "targets": [ 84 84 + { 85 85 + "expr": "sum(rate(relay_frames_broadcast_total{job=\"zlay\"}[5m]))", 86 86 + "legendFormat": "events sent", 87 87 + "refId": "A" 88 88 + } 89 89 + ] 90 90 + }, 91 91 + { 92 92 + "title": "validation/sec", 93 93 + "type": "timeseries", 94 94 + "gridPos": { "h": 8, "w": 8, "x": 0, "y": 8 }, 95 95 + "datasource": { "type": "prometheus", "uid": "prometheus" }, 96 96 + "fieldConfig": { 97 97 + "defaults": { 98 98 + "unit": "ops", 99 99 + "color": { "mode": "palette-classic" }, 100 100 + "custom": { 101 101 + "fillOpacity": 15, 102 102 + "lineWidth": 2, 103 103 + "spanNulls": false 104 104 + } 105 105 + }, 106 106 + "overrides": [] 107 107 + }, 108 108 + "targets": [ 109 109 + { 110 110 + "expr": "sum(rate(relay_validation_total{job=\"zlay\",result=\"validated\"}[5m]))", 111 111 + "legendFormat": "validated", 112 112 + "refId": "A" 113 113 + }, 114 114 + { 115 115 + "expr": "sum(rate(relay_validation_total{job=\"zlay\",result=\"failed\"}[5m]))", 116 116 + "legendFormat": "failed", 117 117 + "refId": "B" 118 118 + }, 119 119 + { 120 120 + "expr": "sum(rate(relay_validation_total{job=\"zlay\",result=\"skipped\"}[5m]))", 121 121 + "legendFormat": "skipped", 122 122 + "refId": "C" 123 123 + } 124 124 + ] 125 125 + }, 126 126 + { 127 127 + "title": "memory", 128 128 + "type": "timeseries", 129 129 + "gridPos": { "h": 8, "w": 8, "x": 8, "y": 8 }, 130 130 + "datasource": { "type": "prometheus", "uid": "prometheus" }, 131 131 + "fieldConfig": { 132 132 + "defaults": { 133 133 + "unit": "bytes", 134 134 + "color": { "mode": "palette-classic" }, 135 135 + "custom": { 136 136 + "fillOpacity": 15, 137 137 + "lineWidth": 2, 138 138 + "spanNulls": false 139 139 + } 140 140 + }, 141 141 + "overrides": [] 142 142 + }, 143 143 + "targets": [ 144 144 + { 145 145 + "expr": "container_memory_working_set_bytes{namespace=\"zlay\",pod=~\"zlay.*\",container=\"main\"}", 146 146 + "legendFormat": "working set", 147 147 + "refId": "A" 148 148 + }, 149 149 + { 150 150 + "expr": "kube_pod_container_resource_limits{namespace=\"zlay\",pod=~\"zlay.*\",container=\"main\",resource=\"memory\"}", 151 151 + "legendFormat": "limit", 152 152 + "refId": "B" 153 153 + } 154 154 + ] 155 155 + }, 156 156 + { 157 157 + "title": "uptime", 158 158 + "type": "stat", 159 159 + "gridPos": { "h": 8, "w": 8, "x": 16, "y": 8 }, 160 160 + "datasource": { "type": "prometheus", "uid": "prometheus" }, 161 161 + "fieldConfig": { 162 162 + "defaults": { 163 163 + "unit": "s", 164 164 + "color": { "mode": "thresholds" }, 165 165 + "thresholds": { 166 166 + "steps": [ 167 167 + { "color": "red", "value": null }, 168 168 + { "color": "yellow", "value": 3600 }, 169 169 + { "color": "green", "value": 86400 } 170 170 + ] 171 171 + } 172 172 + }, 173 173 + "overrides": [] 174 174 + }, 175 175 + "options": { 176 176 + "colorMode": "value", 177 177 + "graphMode": "none", 178 178 + "reduceOptions": { "calcs": ["lastNotNull"] } 179 179 + }, 180 180 + "targets": [ 181 181 + { 182 182 + "expr": "sum(relay_uptime_seconds{job=\"zlay\"})", 183 183 + "legendFormat": "uptime", 184 184 + "refId": "A" 185 185 + } 186 186 + ] 187 187 + }, 188 188 + { 189 189 + "title": "key cache/sec", 190 190 + "type": "timeseries", 191 191 + "gridPos": { "h": 8, "w": 12, "x": 0, "y": 16 }, 192 192 + "datasource": { "type": "prometheus", "uid": "prometheus" }, 193 193 + "fieldConfig": { 194 194 + "defaults": { 195 195 + "unit": "ops", 196 196 + "color": { "mode": "palette-classic" }, 197 197 + "custom": { 198 198 + "fillOpacity": 15, 199 199 + "lineWidth": 2, 200 200 + "spanNulls": false 201 201 + } 202 202 + }, 203 203 + "overrides": [] 204 204 + }, 205 205 + "targets": [ 206 206 + { 207 207 + "expr": "sum(rate(relay_cache_total{job=\"zlay\",result=\"hit\"}[5m]))", 208 208 + "legendFormat": "hits", 209 209 + "refId": "A" 210 210 + }, 211 211 + { 212 212 + "expr": "sum(rate(relay_cache_total{job=\"zlay\",result=\"miss\"}[5m]))", 213 213 + "legendFormat": "misses", 214 214 + "refId": "B" 215 215 + } 216 216 + ] 217 217 + }, 218 218 + { 219 219 + "title": "errors/sec", 220 220 + "type": "timeseries", 221 221 + "gridPos": { "h": 8, "w": 12, "x": 12, "y": 16 }, 222 222 + "datasource": { "type": "prometheus", "uid": "prometheus" }, 223 223 + "fieldConfig": { 224 224 + "defaults": { 225 225 + "unit": "ops", 226 226 + "color": { "mode": "palette-classic" }, 227 227 + "custom": { 228 228 + "fillOpacity": 15, 229 229 + "lineWidth": 2, 230 230 + "spanNulls": false 231 231 + } 232 232 + }, 233 233 + "overrides": [] 234 234 + }, 235 235 + "targets": [ 236 236 + { 237 237 + "expr": "sum(rate(relay_decode_errors_total{job=\"zlay\"}[5m]))", 238 238 + "legendFormat": "decode errors", 239 239 + "refId": "A" 240 240 + }, 241 241 + { 242 242 + "expr": "sum(rate(relay_slow_consumers_total{job=\"zlay\"}[5m]))", 243 243 + "legendFormat": "slow consumer drops", 244 244 + "refId": "B" 245 245 + } 246 246 + ] 247 247 + } 248 248 + ], 249 249 + "schemaVersion": 39, 250 250 + "tags": ["zlay", "atproto"], 251 251 + "templating": { "list": [] }, 252 252 + "time": { "from": "now-1h", "to": "now" }, 253 253 + "timepicker": {}, 254 254 + "timezone": "browser", 255 255 + "title": "zlay.waow.tech", 256 256 + "uid": "zlay-waow", 257 257 + "version": 1 258 258 + }

+68

deploy/zlay-ingress.yaml

reviewed

··· 1 1 + apiVersion: networking.k8s.io/v1 2 2 + kind: Ingress 3 3 + metadata: 4 4 + name: zlay 5 5 + namespace: zlay 6 6 + annotations: 7 7 + cert-manager.io/cluster-issuer: letsencrypt-prod 8 8 + # websocket support 9 9 + traefik.ingress.kubernetes.io/custom-response-headers: "Connection: Upgrade" 10 10 + spec: 11 11 + ingressClassName: traefik 12 12 + tls: 13 13 + - hosts: 14 14 + - ZLAY_DOMAIN_PLACEHOLDER 15 15 + secretName: zlay-tls 16 16 + rules: 17 17 + - host: ZLAY_DOMAIN_PLACEHOLDER 18 18 + http: 19 19 + paths: 20 20 + - path: /xrpc/com.atproto.sync.subscribeRepos 21 21 + pathType: Exact 22 22 + backend: 23 23 + service: 24 24 + name: zlay 25 25 + port: 26 26 + number: 3000 27 27 + - path: / 28 28 + pathType: Prefix 29 29 + backend: 30 30 + service: 31 31 + name: zlay 32 32 + port: 33 33 + number: 3001 34 34 + - path: /_health 35 35 + pathType: Exact 36 36 + backend: 37 37 + service: 38 38 + name: zlay 39 39 + port: 40 40 + number: 3001 41 41 + - path: /_stats 42 42 + pathType: Exact 43 43 + backend: 44 44 + service: 45 45 + name: zlay 46 46 + port: 47 47 + number: 3001 48 48 + - path: /metrics 49 49 + pathType: Exact 50 50 + backend: 51 51 + service: 52 52 + name: zlay 53 53 + port: 54 54 + number: 3001 55 55 + - path: /admin 56 56 + pathType: Prefix 57 57 + backend: 58 58 + service: 59 59 + name: zlay 60 60 + port: 61 61 + number: 3001 62 62 + - path: /xrpc/com.atproto.sync.requestCrawl 63 63 + pathType: Exact 64 64 + backend: 65 65 + service: 66 66 + name: zlay 67 67 + port: 68 68 + number: 3001

+16

deploy/zlay-servicemonitor.yaml

reviewed

··· 1 1 + apiVersion: monitoring.coreos.com/v1 2 2 + kind: ServiceMonitor 3 3 + metadata: 4 4 + name: zlay 5 5 + namespace: monitoring 6 6 + spec: 7 7 + selector: 8 8 + matchLabels: 9 9 + app.kubernetes.io/name: zlay 10 10 + namespaceSelector: 11 11 + matchNames: 12 12 + - zlay 13 13 + endpoints: 14 14 + - port: http 15 15 + path: /metrics 16 16 + interval: 30s

+58

deploy/zlay-values.yaml

reviewed

··· 1 1 + # bjw-s/app-template helm values for the zat relay (zlay) 2 2 + # schema: https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template 3 3 + 4 4 + controllers: 5 5 + zlay: 6 6 + containers: 7 7 + main: 8 8 + image: 9 9 + repository: atcr.io/zzstoatzz.io/zlay 10 10 + tag: latest 11 11 + env: 12 12 + RELAY_PORT: "3000" 13 13 + RELAY_HTTP_PORT: "3001" 14 14 + RELAY_UPSTREAM: "bsky.network" 15 15 + RELAY_DATA_DIR: /data/events 16 16 + RELAY_RETENTION_HOURS: "72" 17 17 + envFrom: 18 18 + - secretRef: 19 19 + name: zlay-secret 20 20 + probes: 21 21 + liveness: &probes 22 22 + enabled: true 23 23 + custom: true 24 24 + spec: 25 25 + httpGet: 26 26 + path: /_health 27 27 + port: &http-port 3001 28 28 + initialDelaySeconds: 5 29 29 + periodSeconds: 10 30 30 + timeoutSeconds: 3 31 31 + failureThreshold: 5 32 32 + readiness: *probes 33 33 + resources: 34 34 + requests: 35 35 + memory: 128Mi 36 36 + cpu: 250m 37 37 + limits: 38 38 + memory: 2Gi 39 39 + 40 40 + service: 41 41 + zlay: 42 42 + controller: zlay 43 43 + ports: 44 44 + ws: 45 45 + port: 3000 46 46 + http: 47 47 + port: *http-port 48 48 + 49 49 + defaultPodOptions: 50 50 + imagePullSecrets: 51 51 + - name: atcr-creds 52 52 + 53 53 + persistence: 54 54 + data: 55 55 + enabled: true 56 56 + type: persistentVolumeClaim 57 57 + accessMode: ReadWriteOnce 58 58 + size: 20Gi

+8 -2

docs/architecture.md

reviewed

··· 41 41 42 42 the relay and collectiondir ServiceMonitors are standalone manifests (`kubectl apply -f`) rather than inline in the helm values — the `additionalServiceMonitors` field in kube-prometheus-stack silently fails when targeting services in a different namespace. 43 43 44 44 + ## PDS connection maintenance 45 45 + 46 46 + relays try to reconnect to PDS hosts when connections drop, but eventually give up after repeated failures (exponential backoff). PDS hosts re-announce themselves to bluesky's relay when they come back online, but not to third-party relays like ours. this causes a natural decay in connected host count over time. 47 47 + 48 48 + fix: a k8s CronJob (`deploy/reconnect-cronjob.yaml`) runs every 4 hours, fetching the [community PDS list](https://github.com/mary-ext/atproto-scraping) and sending `requestCrawl` for each host. this can also be run manually via `just reconnect`. 49 49 + 44 50 ## steady-state specs 45 51 46 52 | metric | value | 47 53 |--------|-------| 48 54 | storage (relay data) | ~21 GB | 49 55 | storage (postgres) | ~2.4 GB | 50 50 - | storage (collectiondir pebble) | ~300 MB (pre-bsky-backfill) | 56 56 + | storage (collectiondir pebble) | ~5 GB (post-backfill) | 51 57 | CPU usage | 5-15% | 52 58 | network throughput | ~600 events/sec typical, 2000 peak | 53 53 - | connected PDS hosts | ~2200 | 59 59 + | connected PDS hosts | ~2800 |

+17 -3

docs/backfill.md

reviewed

··· 16 16 17 17 **indie PDS hosts** (~2200): independently-run servers, mostly small (1-100 accounts each). backfilling all of them takes minutes. 18 18 19 19 - **bluesky shards** (~87): the mushroom-named hosts (`amanita.us-east.host.bsky.network`, `chanterelle.us-west.host.bsky.network`, etc.) that host the vast majority of accounts. ~14K repos per shard on average, up to ~40K for the largest. these take hours to crawl. 19 19 + **bluesky shards** (~88): the mushroom-named hosts (`amanita.us-east.host.bsky.network`, `chanterelle.us-west.host.bsky.network`, etc.) that host the vast majority of accounts. ~30K-50K repos per shard on average, up to ~500K for the largest. these take days to crawl (see batch sizing below). 20 20 21 21 ## running the backfill 22 22 ··· 35 35 ```bash 36 36 ./scripts/backfill --token "$COLLECTIONDIR_ADMIN_TOKEN" --hosts hosts.txt 37 37 ./scripts/backfill --token "$TOKEN" --hosts hosts.txt --batch-size 20 --pause 30 38 38 + 39 39 + # resume a run that died partway through (skip first 35 batches) 40 40 + ./scripts/backfill --token "$TOKEN" --hosts hosts.txt --batch-size 1 --skip 35 41 41 + 42 42 + # set a timeout per batch (useful for long-running shard crawls) 43 43 + ./scripts/backfill --token "$TOKEN" --hosts hosts.txt --batch-size 1 --batch-timeout 600 38 44 ``` 39 45 40 40 - the script sends batches of N hosts (default: 10) to `POST /admin/pds/requestCrawl`, then polls `GET /admin/crawlStatus` until active crawls drain before sending the next batch. ctrl-c stops after the current batch finishes. 46 46 + the script sends batches of N hosts (default: 10) to `POST /admin/pds/requestCrawl`, then polls `GET /admin/crawlStatus` until active crawls drain before sending the next batch. if `--batch-timeout` is set, it moves on after that many seconds even if crawls are still active. ctrl-c stops after the current batch finishes. 47 47 + 48 48 + the script retries on transient connection errors (e.g. port-forward drops) with exponential backoff — up to 12 retries for status polling, 6 for crawl requests. 41 49 42 50 ## batch sizing 43 51 ··· 53 61 - `kubectl exec -n relay deploy/collectiondir -- df -h /data` for pebble disk usage 54 62 - crawl status API: `curl -H "Authorization: Bearer $TOKEN" localhost:2510/admin/crawlStatus` 55 63 64 64 + ## gotchas 65 65 + 66 66 + - **port-forwards die** after ~80 minutes. server-side crawls survive the disconnect, so progress isn't lost — but the script can't poll status or submit new batches until the port-forward is re-established. the retry logic handles brief drops; for longer outages, re-run with `--skip`. 67 67 + - **crawl state is in-memory.** a collectiondir pod restart loses all in-progress crawl goroutines. completed pairs are already in pebble and safe. 68 68 + - **no 429 retry in crawl code.** the collectiondir's crawl thread doesn't retry on HTTP 429. a single rate-limit response kills the entire crawl for that host. this is why bsky shards must be submitted one at a time. 69 69 + 56 70 ## storage impact 57 71 58 58 - pebble stores one key per `(collection, DID)` pair. the indie host backfill brought the DB to ~300 MB. the full bsky shard backfill (millions of accounts, each with multiple collections) will likely grow it to a few GB. the collectiondir has a 10Gi PVC, so there's plenty of headroom. 72 72 + pebble stores one key per `(collection, DID)` pair. post-backfill (indie + all bsky shards, ~2.96M repos), the DB is ~5 GB. the collectiondir has a 10Gi PVC.

+6

docs/deploying.md

reviewed

··· 45 45 just status # nodes, pods, health check 46 46 just logs # tail relay logs 47 47 just health # curl the public health endpoint 48 48 + just reconnect # re-announce all known PDS hosts to the relay 49 49 + just backfill # backfill collectiondir with full network data 48 50 just firehose # consume the firehose (passes args through) 49 51 just jetstream # consume the jetstream (passes args through) 50 52 just ssh # ssh into the server 51 53 just destroy # tear down everything 52 54 ``` 55 55 + 56 56 + ## maintenance 57 57 + 58 58 + a k8s CronJob (`deploy/reconnect-cronjob.yaml`) runs every 4 hours to re-announce PDS hosts to the relay — see [architecture](architecture.md#pds-connection-maintenance) for why this is needed. `just reconnect` runs the same logic manually. 53 59 54 60 ## targeted deployments 55 61

+216

docs/hacks.md

reviewed

··· 1 1 + # the micro-PDS trick 2 2 + 3 3 + a technique for injecting specific (DID, collection) pairs into the collectiondir without crawling entire PDS hosts. 4 4 + 5 5 + ## the problem 6 6 + 7 7 + the collectiondir indexes (DID, collection) pairs via two paths: 8 8 + 9 9 + 1. **firehose** — sees new `create`/`update` commits in real time. only indexes the specific collection in each commit. 10 10 + 2. **requestCrawl** — crawls a PDS by paginating `com.atproto.sync.listRepos` then calling `com.atproto.repo.describeRepo` for each DID. indexes all collections for every repo on that host. 11 11 + 12 12 + the backfill uses path 2. but bsky PDS shards have ~500K repos each and enforce a shared IP-based rate limit of 3,000 requests per 300 seconds (~10 QPS). the crawl code has no retry on 429 — a single rate limit response kills the entire crawl. at the default 100 QPS, the crawl dies after processing ~2-3K repos (0.6% of the shard). even at 8 QPS, running multiple shard crawls in parallel exhausts the shared budget. 13 13 + 14 14 + this leaves a gap: repos the relay knows about (firehose is current, revs match) but the collectiondir never indexed because the crawl died before reaching them. 15 15 + 16 16 + ## the trick 17 17 + 18 18 + the collectiondir's `requestCrawl` doesn't know or care what it's crawling. it talks XRPC to whatever hostname you give it. so: stand up a tiny HTTP server that implements just the two required endpoints — `listRepos` and `describeRepo` — with only the specific DIDs you need, and point `requestCrawl` at it. 19 19 + 20 20 + 22 DIDs with 784 collection pairs, indexed in 3 seconds. no rate limits, because it's our server talking to our server. 21 21 + 22 22 + ## how to do it 23 23 + 24 24 + ### 1. gather the data 25 25 + 26 26 + for each missing DID, resolve its PDS via `plc.directory` and call `describeRepo` to get its collections: 27 27 + 28 28 + ```python 29 29 + import json, urllib.request 30 30 + 31 31 + did = "did:plc:example" 32 32 + doc = json.loads(urllib.request.urlopen(f"https://plc.directory/{did}").read()) 33 33 + pds = [s["serviceEndpoint"] for s in doc["service"] if s["id"] == "#atproto_pds"][0] 34 34 + desc = json.loads(urllib.request.urlopen(f"{pds}/xrpc/com.atproto.repo.describeRepo?repo={did}").read()) 35 35 + # desc["collections"] is what we need 36 36 + ``` 37 37 + 38 38 + save all results to a JSON file keyed by DID: 39 39 + 40 40 + ```json 41 41 + { 42 42 + "did:plc:example": { 43 43 + "handle": "user.bsky.social", 44 44 + "did": "did:plc:example", 45 45 + "collections": ["app.bsky.feed.post", "io.atcr.sailor.profile", "..."] 46 46 + } 47 47 + } 48 48 + ``` 49 49 + 50 50 + ### 2. deploy as a k8s Job 51 51 + 52 52 + create a ConfigMap with the data and a Job that: 53 53 + - starts an HTTP server implementing `listRepos` and `describeRepo` 54 54 + - calls `requestCrawl` on the collectiondir pointing at itself (`http://POD_IP:8080`) 55 55 + - polls `crawlStatus` until the crawl drains 56 56 + - exits 57 57 + 58 58 + ```bash 59 59 + # create the configmap 60 60 + kubectl create configmap micro-pds-data \ 61 61 + --namespace relay \ 62 62 + --from-file=dids.json=missing-dids.json 63 63 + 64 64 + # create the job (see below for manifest) 65 65 + kubectl apply -f micro-pds-job.yaml 66 66 + 67 67 + # watch it run 68 68 + kubectl logs -n relay job/micro-pds-crawl -f 69 69 + 70 70 + # clean up 71 71 + kubectl delete job micro-pds-crawl configmap micro-pds-data -n relay 72 72 + ``` 73 73 + 74 74 + ### 3. the Job manifest 75 75 + 76 76 + ```yaml 77 77 + apiVersion: batch/v1 78 78 + kind: Job 79 79 + metadata: 80 80 + name: micro-pds-crawl 81 81 + namespace: relay 82 82 + spec: 83 83 + backoffLimit: 0 84 84 + activeDeadlineSeconds: 120 85 85 + template: 86 86 + spec: 87 87 + restartPolicy: Never 88 88 + containers: 89 89 + - name: micro-pds 90 90 + image: python:3.12-alpine 91 91 + env: 92 92 + - name: PYTHONUNBUFFERED 93 93 + value: "1" 94 94 + - name: POD_IP 95 95 + valueFrom: 96 96 + fieldRef: 97 97 + fieldPath: status.podIP 98 98 + - name: ADMIN_TOKEN 99 99 + valueFrom: 100 100 + secretKeyRef: 101 101 + name: collectiondir-secret 102 102 + key: COLLECTIONS_ADMIN_TOKEN 103 103 + volumeMounts: 104 104 + - name: data 105 105 + mountPath: /data 106 106 + command: 107 107 + - python3 108 108 + - -c 109 109 + - | 110 110 + import json, os, sys, time, urllib.request 111 111 + from http.server import HTTPServer, BaseHTTPRequestHandler 112 112 + from urllib.parse import urlparse, parse_qs 113 113 + from threading import Thread 114 114 + 115 115 + PORT = 8080 116 116 + POD_IP = os.environ["POD_IP"] 117 117 + ADMIN_TOKEN = os.environ["ADMIN_TOKEN"] 118 118 + COLLECTIONDIR = "http://collectiondir.relay.svc.cluster.local:2510" 119 119 + 120 120 + with open("/data/dids.json") as f: 121 121 + DID_DATA = json.load(f) 122 122 + 123 123 + DIDS = list(DID_DATA.keys()) 124 124 + print(f"micro-pds: serving {len(DIDS)} DIDs") 125 125 + 126 126 + class Handler(BaseHTTPRequestHandler): 127 127 + def log_message(self, *args): 128 128 + pass 129 129 + 130 130 + def do_GET(self): 131 131 + parsed = urlparse(self.path) 132 132 + params = parse_qs(parsed.query) 133 133 + 134 134 + if parsed.path == "/xrpc/com.atproto.sync.listRepos": 135 135 + cursor = params.get("cursor", [""])[0] 136 136 + limit = int(params.get("limit", ["1000"])[0]) 137 137 + start = int(cursor) if cursor else 0 138 138 + batch = DIDS[start:start + limit] 139 139 + repos = [{"did": d, "head": "baf", "rev": "0", "active": True} for d in batch] 140 140 + resp = {"repos": repos} 141 141 + if start + limit < len(DIDS): 142 142 + resp["cursor"] = str(start + limit) 143 143 + self.send_response(200) 144 144 + self.send_header("Content-Type", "application/json") 145 145 + self.end_headers() 146 146 + self.wfile.write(json.dumps(resp).encode()) 147 147 + 148 148 + elif parsed.path == "/xrpc/com.atproto.repo.describeRepo": 149 149 + repo = params.get("repo", [""])[0] 150 150 + if repo in DID_DATA: 151 151 + info = DID_DATA[repo] 152 152 + resp = { 153 153 + "handle": info.get("handle", "unknown"), 154 154 + "did": repo, 155 155 + "didDoc": {}, 156 156 + "collections": info["collections"], 157 157 + "handleIsCorrect": True, 158 158 + } 159 159 + self.send_response(200) 160 160 + self.send_header("Content-Type", "application/json") 161 161 + self.end_headers() 162 162 + self.wfile.write(json.dumps(resp).encode()) 163 163 + else: 164 164 + self.send_response(404) 165 165 + self.end_headers() 166 166 + else: 167 167 + self.send_response(404) 168 168 + self.end_headers() 169 169 + 170 170 + server = HTTPServer(("0.0.0.0", PORT), Handler) 171 171 + Thread(target=server.serve_forever, daemon=True).start() 172 172 + print(f"micro-pds: listening on {POD_IP}:{PORT}") 173 173 + time.sleep(1) 174 174 + 175 175 + # trigger crawl 176 176 + payload = json.dumps({"hostname": f"http://{POD_IP}:{PORT}"}).encode() 177 177 + req = urllib.request.Request( 178 178 + f"{COLLECTIONDIR}/admin/pds/requestCrawl", 179 179 + data=payload, 180 180 + headers={"Content-Type": "application/json", "Authorization": f"Bearer {ADMIN_TOKEN}"}, 181 181 + method="POST", 182 182 + ) 183 183 + with urllib.request.urlopen(req, timeout=10) as resp: 184 184 + print(f"micro-pds: requestCrawl -> {resp.status}") 185 185 + 186 186 + # wait for drain 187 187 + while True: 188 188 + time.sleep(2) 189 189 + req = urllib.request.Request( 190 190 + f"{COLLECTIONDIR}/admin/crawlStatus", 191 191 + headers={"Authorization": f"Bearer {ADMIN_TOKEN}"}, 192 192 + ) 193 193 + with urllib.request.urlopen(req, timeout=10) as resp: 194 194 + status = json.loads(resp.read()) 195 195 + if not status.get("host_starts"): 196 196 + break 197 197 + 198 198 + print("micro-pds: done") 199 199 + server.shutdown() 200 200 + volumes: 201 201 + - name: data 202 202 + configMap: 203 203 + name: micro-pds-data 204 204 + ``` 205 205 + 206 206 + ## when to use this 207 207 + 208 208 + - you have a specific set of DIDs that need indexing and can't wait for a full shard crawl 209 209 + - the full crawl is blocked by rate limits 210 210 + - you've verified the DIDs exist on their PDS (call `describeRepo` yourself first) 211 211 + 212 212 + ## limitations 213 213 + 214 214 + - only indexes what you give it. if you miss a DID, it won't be indexed. 215 215 + - the collectiondir treats this like any other crawl — it writes to the main pebble DB via the normal `ingestCrawl` pathway. no special code paths, no risk to existing data. 216 216 + - the data you gather is a point-in-time snapshot. if a user adds a new collection after you gathered the data, the micro-PDS won't know about it (but the firehose will catch it going forward).

+64

infra/zlay/main.tf

reviewed

··· 1 1 + data "hcloud_ssh_key" "main" { 2 2 + name = "relay-key" 3 3 + } 4 4 + 5 5 + resource "hcloud_firewall" "zlay" { 6 6 + name = "${var.server_name}-fw" 7 7 + 8 8 + # ssh 9 9 + rule { 10 10 + direction = "in" 11 11 + protocol = "tcp" 12 12 + port = "22" 13 13 + source_ips = ["0.0.0.0/0", "::/0"] 14 14 + } 15 15 + 16 16 + # http 17 17 + rule { 18 18 + direction = "in" 19 19 + protocol = "tcp" 20 20 + port = "80" 21 21 + source_ips = ["0.0.0.0/0", "::/0"] 22 22 + } 23 23 + 24 24 + # https 25 25 + rule { 26 26 + direction = "in" 27 27 + protocol = "tcp" 28 28 + port = "443" 29 29 + source_ips = ["0.0.0.0/0", "::/0"] 30 30 + } 31 31 + 32 32 + # k3s api (restrict this to your IP in production) 33 33 + rule { 34 34 + direction = "in" 35 35 + protocol = "tcp" 36 36 + port = "6443" 37 37 + source_ips = ["0.0.0.0/0", "::/0"] 38 38 + } 39 39 + } 40 40 + 41 41 + resource "hcloud_server" "zlay" { 42 42 + name = var.server_name 43 43 + server_type = var.server_type 44 44 + location = var.location 45 45 + image = "ubuntu-24.04" 46 46 + 47 47 + ssh_keys = [data.hcloud_ssh_key.main.id] 48 48 + firewall_ids = [hcloud_firewall.zlay.id] 49 49 + 50 50 + user_data = <<-CLOUDINIT 51 51 + #cloud-config 52 52 + package_update: true 53 53 + packages: 54 54 + - curl 55 55 + - jq 56 56 + 57 57 + runcmd: 58 58 + - | 59 59 + PUBLIC_IP=$(curl -s http://169.254.169.254/hetzner/v1/metadata/public-ipv4) 60 60 + curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --tls-san $PUBLIC_IP" sh - 61 61 + - while ! kubectl get nodes >/dev/null 2>&1; do sleep 2; done 62 62 + - touch /run/k3s-ready 63 63 + CLOUDINIT 64 64 + }

+3

infra/zlay/outputs.tf

reviewed

··· 1 1 + output "server_ip" { 2 2 + value = hcloud_server.zlay.ipv4_address 3 3 + }

+24

infra/zlay/variables.tf

reviewed

··· 1 1 + variable "hcloud_token" { 2 2 + description = "Hetzner Cloud API token" 3 3 + type = string 4 4 + sensitive = true 5 5 + } 6 6 + 7 7 + 8 8 + variable "server_type" { 9 9 + description = "Hetzner server type (cpx41 = 8 vCPU, 16 GB RAM, 160 GB disk)" 10 10 + type = string 11 11 + default = "cpx41" 12 12 + } 13 13 + 14 14 + variable "location" { 15 15 + description = "Hetzner datacenter location (hil = Hillsboro OR)" 16 16 + type = string 17 17 + default = "hil" 18 18 + } 19 19 + 20 20 + variable "server_name" { 21 21 + description = "Name for the server" 22 22 + type = string 23 23 + default = "zlay" 24 24 + }

+12

infra/zlay/versions.tf

reviewed

··· 1 1 + terraform { 2 2 + required_providers { 3 3 + hcloud = { 4 4 + source = "hetznercloud/hcloud" 5 5 + version = "~> 1.45" 6 6 + } 7 7 + } 8 8 + } 9 9 + 10 10 + provider "hcloud" { 11 11 + token = var.hcloud_token 12 12 + }

+160

justfile

reviewed

··· 1 1 # ATProto relay deployment 2 2 # required env vars: HCLOUD_TOKEN, RELAY_DOMAIN, RELAY_ADMIN_PASSWORD, POSTGRES_PASSWORD, LETSENCRYPT_EMAIL 3 3 # optional env vars: GRAFANA_DOMAIN (default: relay-metrics.waow.tech), GRAFANA_ADMIN_PASSWORD, JETSTREAM_DOMAIN (default: jetstream.waow.tech) 4 4 + # zlay env vars: ZLAY_DOMAIN, ZLAY_ADMIN_PASSWORD, ZLAY_POSTGRES_PASSWORD, LETSENCRYPT_EMAIL 4 5 5 6 set dotenv-load 6 7 ··· 147 148 --wait --timeout 5m 148 149 kubectl apply -f deploy/collectiondir-servicemonitor.yaml 149 150 151 151 + echo "==> installing reconnect cronjob" 152 152 + kubectl apply -f deploy/reconnect-cronjob.yaml 153 153 + 150 154 echo "==> installing jetstream" 151 155 JETSTREAM_DOMAIN="${JETSTREAM_DOMAIN:-jetstream.waow.tech}" 152 156 helm upgrade --install jetstream bjw-s/app-template \ ··· 248 252 249 253 # --- scripts --- 250 254 255 255 + # reconnect relay to all known PDS hosts (run periodically, e.g. every 4 hours) 256 256 + reconnect *args: 257 257 + #!/usr/bin/env bash 258 258 + set -euo pipefail 259 259 + : "${RELAY_ADMIN_PASSWORD:?set RELAY_ADMIN_PASSWORD}" 260 260 + ./scripts/reconnect --password "$RELAY_ADMIN_PASSWORD" {{ args }} 261 261 + 251 262 # consume the firehose (default: 10s of bsky posts) 252 263 firehose *args: 253 264 ./scripts/firehose {{ args }} ··· 294 305 ./scripts/backfill \ 295 306 --token "$COLLECTIONDIR_ADMIN_TOKEN" \ 296 307 "${EXTRA_ARGS[@]}" 308 308 + 309 309 + # === zlay (zig relay) === 310 310 + 311 311 + export ZLAY_KUBECONFIG := justfile_directory() / "zlay-kubeconfig.yaml" 312 312 + 313 313 + # initialize zlay terraform 314 314 + zlay-init: 315 315 + terraform -chdir=infra/zlay init 316 316 + 317 317 + # create the zlay hetzner server with k3s 318 318 + zlay-infra: 319 319 + terraform -chdir=infra/zlay apply -var="hcloud_token=$HCLOUD_TOKEN" 320 320 + 321 321 + # destroy zlay infrastructure 322 322 + zlay-destroy: 323 323 + terraform -chdir=infra/zlay destroy -var="hcloud_token=$HCLOUD_TOKEN" 324 324 + 325 325 + # get the zlay server IP 326 326 + zlay-server-ip: 327 327 + @terraform -chdir=infra/zlay output -raw server_ip 328 328 + 329 329 + # ssh into the zlay server 330 330 + zlay-ssh: 331 331 + ssh root@$(just zlay-server-ip) 332 332 + 333 333 + # fetch zlay kubeconfig 334 334 + zlay-kubeconfig: 335 335 + #!/usr/bin/env bash 336 336 + set -euo pipefail 337 337 + IP=$(just zlay-server-ip) 338 338 + echo "fetching kubeconfig from $IP..." 339 339 + until ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=accept-new root@$IP test -f /run/k3s-ready 2>/dev/null; do 340 340 + echo " waiting for k3s..." 341 341 + sleep 5 342 342 + done 343 343 + scp root@$IP:/etc/rancher/k3s/k3s.yaml zlay-kubeconfig.yaml 344 344 + if [[ "$(uname)" == "Darwin" ]]; then 345 345 + sed -i '' "s|127.0.0.1|$IP|g" zlay-kubeconfig.yaml 346 346 + else 347 347 + sed -i "s|127.0.0.1|$IP|g" zlay-kubeconfig.yaml 348 348 + fi 349 349 + chmod 600 zlay-kubeconfig.yaml 350 350 + echo "kubeconfig written to zlay-kubeconfig.yaml" 351 351 + KUBECONFIG=zlay-kubeconfig.yaml kubectl get nodes 352 352 + 353 353 + # build and push zlay image (cross-compile on host, tiny docker image) 354 354 + zlay-publish: 355 355 + #!/usr/bin/env bash 356 356 + set -euo pipefail 357 357 + TMPDIR=$(mktemp -d) 358 358 + trap "rm -rf $TMPDIR" EXIT 359 359 + git clone --depth 1 https://tangled.org/zzstoatzz.io/zlay "$TMPDIR" 360 360 + cd "$TMPDIR" 361 361 + zig build -Dtarget=x86_64-linux -Doptimize=ReleaseSafe 362 362 + docker build --platform linux/amd64 -t atcr.io/zzstoatzz.io/zlay:latest . 363 363 + ATCR_AUTO_AUTH=1 docker push atcr.io/zzstoatzz.io/zlay:latest 364 364 + 365 365 + # deploy zlay to its k3s cluster 366 366 + zlay-deploy: helm-repos 367 367 + #!/usr/bin/env bash 368 368 + set -euo pipefail 369 369 + export KUBECONFIG="$ZLAY_KUBECONFIG" 370 370 + 371 371 + : "${ZLAY_DOMAIN:?set ZLAY_DOMAIN}" 372 372 + : "${ZLAY_POSTGRES_PASSWORD:?set ZLAY_POSTGRES_PASSWORD}" 373 373 + : "${LETSENCRYPT_EMAIL:?set LETSENCRYPT_EMAIL}" 374 374 + ZLAY_ADMIN_PASSWORD="${ZLAY_ADMIN_PASSWORD:-}" 375 375 + 376 376 + echo "==> creating namespace" 377 377 + kubectl create namespace zlay --dry-run=client -o yaml | kubectl apply -f - 378 378 + 379 379 + echo "==> installing cert-manager" 380 380 + helm upgrade --install cert-manager jetstack/cert-manager \ 381 381 + --namespace cert-manager --create-namespace \ 382 382 + --set crds.enabled=true \ 383 383 + --wait 384 384 + 385 385 + echo "==> applying cluster issuer" 386 386 + sed "s|you@example.com|$LETSENCRYPT_EMAIL|g" deploy/cluster-issuer.yaml \ 387 387 + | kubectl apply -f - 388 388 + 389 389 + echo "==> installing postgresql" 390 390 + helm upgrade --install zlay-db bitnami/postgresql \ 391 391 + --namespace zlay \ 392 392 + --values deploy/postgres-values.yaml \ 393 393 + --set auth.password="$ZLAY_POSTGRES_PASSWORD" \ 394 394 + --wait 395 395 + 396 396 + echo "==> creating zlay secret" 397 397 + kubectl create secret generic zlay-secret \ 398 398 + --namespace zlay \ 399 399 + --from-literal=DATABASE_URL="postgres://relay:${ZLAY_POSTGRES_PASSWORD}@zlay-db-postgresql.zlay.svc.cluster.local:5432/relay" \ 400 400 + --from-literal=RELAY_ADMIN_PASSWORD="$ZLAY_ADMIN_PASSWORD" \ 401 401 + --dry-run=client -o yaml | kubectl apply -f - 402 402 + 403 403 + echo "==> installing zlay" 404 404 + helm upgrade --install zlay bjw-s/app-template \ 405 405 + --namespace zlay \ 406 406 + --values deploy/zlay-values.yaml \ 407 407 + --wait --timeout 5m 408 408 + 409 409 + echo "==> applying ingress" 410 410 + sed "s|ZLAY_DOMAIN_PLACEHOLDER|$ZLAY_DOMAIN|g" deploy/zlay-ingress.yaml \ 411 411 + | kubectl apply -f - 412 412 + 413 413 + echo "==> installing monitoring" 414 414 + ZLAY_METRICS_DOMAIN="${ZLAY_METRICS_DOMAIN:-zlay-metrics.waow.tech}" 415 415 + kubectl create namespace monitoring --dry-run=client -o yaml | kubectl apply -f - 416 416 + helm upgrade --install kube-prometheus-stack prometheus-community/kube-prometheus-stack \ 417 417 + --namespace monitoring \ 418 418 + --values deploy/monitoring-values.yaml \ 419 419 + --set grafana.adminPassword="${GRAFANA_ADMIN_PASSWORD:-prom-operator}" \ 420 420 + --set "grafana.grafana\\.ini.server.root_url=https://$ZLAY_METRICS_DOMAIN" \ 421 421 + --wait --timeout 5m 422 422 + kubectl apply -f deploy/zlay-servicemonitor.yaml 423 423 + 424 424 + echo "==> applying grafana ingress" 425 425 + sed "s|GRAFANA_DOMAIN_PLACEHOLDER|$ZLAY_METRICS_DOMAIN|g" deploy/grafana-ingress.yaml \ 426 426 + | kubectl apply -f - 427 427 + 428 428 + echo "" 429 429 + echo "done. point DNS:" 430 430 + echo " $ZLAY_DOMAIN -> $(just zlay-server-ip)" 431 431 + echo " $ZLAY_METRICS_DOMAIN -> $(just zlay-server-ip)" 432 432 + echo "then check:" 433 433 + echo " curl https://$ZLAY_DOMAIN/_health" 434 434 + 435 435 + # check zlay status 436 436 + zlay-status: 437 437 + #!/usr/bin/env bash 438 438 + export KUBECONFIG="$ZLAY_KUBECONFIG" 439 439 + echo "==> nodes" 440 440 + kubectl get nodes 441 441 + echo "" 442 442 + echo "==> pods" 443 443 + kubectl get pods -n zlay 444 444 + echo "" 445 445 + echo "==> health" 446 446 + kubectl exec -n zlay deploy/zlay -- wget -qO- http://localhost:3001/_health 2>/dev/null || echo "(zlay not ready)" 447 447 + 448 448 + # tail zlay logs 449 449 + zlay-logs: 450 450 + KUBECONFIG="$ZLAY_KUBECONFIG" kubectl logs -n zlay deploy/zlay -f 451 451 + 452 452 + # check zlay health via public endpoint 453 453 + zlay-health: 454 454 + #!/usr/bin/env bash 455 455 + : "${ZLAY_DOMAIN:?set ZLAY_DOMAIN}" 456 456 + curl -sf "https://$ZLAY_DOMAIN/_health" | jq .

+25 -16

scripts/backfill

reviewed

··· 50 50 return json.loads(resp.read()) 51 51 52 52 53 53 - def active_crawl_count(url: str, token: str, retries: int = 3) -> tuple[int, int]: 54 54 - """returns (active_count, total_repos_seen). retries on transient errors.""" 53 53 + def active_crawl_count(url: str, token: str, retries: int = 12) -> tuple[int, int]: 54 54 + """returns (active_count, total_repos_seen). retries on transient errors with backoff.""" 55 55 for attempt in range(retries): 56 56 try: 57 57 status = crawl_status(url, token) ··· 60 60 return len(active), seen 61 61 except (ConnectionError, OSError, urllib.error.URLError) as e: 62 62 if attempt < retries - 1: 63 63 - sys.stdout.write(f"\r connection error ({e}), retrying in 5s...") 63 63 + delay = min(5 * (attempt + 1), 30) 64 64 + sys.stdout.write(f"\r connection error (attempt {attempt + 1}/{retries}), retrying in {delay}s...") 64 65 sys.stdout.flush() 65 65 - time.sleep(5) 66 66 + time.sleep(delay) 66 67 else: 67 68 raise 68 69 ··· 141 142 print(f"batch {i + 1}/{len(batches)} — {', '.join(batch[:3])}{'...' if len(batch) > 3 else ''}") 142 143 print(f" [{hosts_crawled}/{len(all_hosts)} hosts, {total_repos} repos, {elapsed:.0f}s elapsed{eta_str}]") 143 144 144 144 - try: 145 145 - request_crawl(args.url, args.token, batch) 146 146 - except urllib.error.HTTPError as e: 147 147 - body = e.read().decode(errors="replace") 148 148 - print(f" error: {e.code} {e.reason} — {body}") 149 149 - if e.code == 403: 150 150 - print(" check that COLLECTIONS_ADMIN_TOKEN is set on the collectiondir pod") 151 151 - return 152 152 - continue 153 153 - except Exception as e: 154 154 - print(f" error sending batch: {e}") 155 155 - continue 145 145 + for attempt in range(6): 146 146 + try: 147 147 + request_crawl(args.url, args.token, batch) 148 148 + break 149 149 + except urllib.error.HTTPError as e: 150 150 + body = e.read().decode(errors="replace") 151 151 + print(f" error: {e.code} {e.reason} — {body}") 152 152 + if e.code == 403: 153 153 + print(" check that COLLECTIONS_ADMIN_TOKEN is set on the collectiondir pod") 154 154 + return 155 155 + break 156 156 + except (ConnectionError, OSError, urllib.error.URLError) as e: 157 157 + if attempt < 5: 158 158 + delay = min(5 * (attempt + 1), 30) 159 159 + sys.stdout.write(f"\r request_crawl connection error (attempt {attempt + 1}/6), retrying in {delay}s...") 160 160 + sys.stdout.flush() 161 161 + time.sleep(delay) 162 162 + else: 163 163 + print(f" error sending batch after 6 attempts: {e}") 164 164 + break 156 165 157 166 repos = wait_for_batch(args.url, args.token, baseline, timeout=args.batch_timeout) 158 167 total_repos += repos

+106

scripts/reconnect

reviewed

··· 1 1 + #!/usr/bin/env -S PYTHONUNBUFFERED=1 uv run --script --quiet 2 2 + # /// script 3 3 + # requires-python = ">=3.12" 4 4 + # dependencies = [] 5 5 + # /// 6 6 + """ 7 7 + reconnect relay to all known PDS hosts. 8 8 + 9 9 + fetches the community PDS list and sends requestCrawl for each host, 10 10 + preventing the natural decay of connections as indie PDS hosts go quiet. 11 11 + 12 12 + intended to run on a cron (every ~4 hours). 13 13 + 14 14 + usage: 15 15 + ./scripts/reconnect 16 16 + ./scripts/reconnect --url https://relay.waow.tech --password "$RELAY_ADMIN_PASSWORD" 17 17 + ./scripts/reconnect --dry-run 18 18 + """ 19 19 + 20 20 + import argparse 21 21 + import json 22 22 + import sys 23 23 + import time 24 24 + import urllib.request 25 25 + 26 26 + 27 27 + PDS_LIST_URL = "https://raw.githubusercontent.com/mary-ext/atproto-scraping/refs/heads/trunk/state.json" 28 28 + 29 29 + 30 30 + def fetch_pds_list() -> list[str]: 31 31 + """fetch community-maintained PDS host list.""" 32 32 + req = urllib.request.Request(PDS_LIST_URL) 33 33 + with urllib.request.urlopen(req, timeout=30) as resp: 34 34 + data = json.loads(resp.read()) 35 35 + return [url.rstrip("/") for url in data.get("pdses", {}).keys() if url.startswith("https://")] 36 36 + 37 37 + 38 38 + def request_crawl(relay_url: str, password: str, hostname: str) -> int: 39 39 + """send requestCrawl to relay admin endpoint. returns http status.""" 40 40 + import base64 41 41 + payload = json.dumps({"hostname": hostname}).encode() 42 42 + auth = base64.b64encode(f"admin:{password}".encode()).decode() 43 43 + req = urllib.request.Request( 44 44 + f"{relay_url}/admin/pds/requestCrawl", 45 45 + data=payload, 46 46 + headers={"Content-Type": "application/json", "Authorization": f"Basic {auth}"}, 47 47 + method="POST", 48 48 + ) 49 49 + try: 50 50 + with urllib.request.urlopen(req, timeout=10) as resp: 51 51 + return resp.status 52 52 + except urllib.error.HTTPError as e: 53 53 + return e.code 54 54 + except (ConnectionError, OSError, urllib.error.URLError): 55 55 + return 0 56 56 + 57 57 + 58 58 + def main(): 59 59 + parser = argparse.ArgumentParser(description="reconnect relay to all known PDS hosts") 60 60 + parser.add_argument("--url", default="https://relay.waow.tech", help="relay URL") 61 61 + parser.add_argument("--password", default=None, help="relay admin password (or RELAY_ADMIN_PASSWORD env)") 62 62 + parser.add_argument("--delay", type=float, default=0.1, help="delay between requests in seconds") 63 63 + parser.add_argument("--dry-run", action="store_true", help="just fetch and count, don't send requests") 64 64 + args = parser.parse_args() 65 65 + 66 66 + import os 67 67 + password = args.password or os.environ.get("RELAY_ADMIN_PASSWORD", "") 68 68 + if not password and not args.dry_run: 69 69 + print("error: --password or RELAY_ADMIN_PASSWORD required", file=sys.stderr) 70 70 + return 71 71 + 72 72 + print(f"fetching PDS list from {PDS_LIST_URL}...") 73 73 + hosts = fetch_pds_list() 74 74 + print(f"found {len(hosts)} PDS hosts") 75 75 + 76 76 + if args.dry_run: 77 77 + print("dry run, exiting") 78 78 + return 79 79 + 80 80 + ok = 0 81 81 + errors = 0 82 82 + start = time.time() 83 83 + 84 84 + for i, host in enumerate(hosts): 85 85 + status = request_crawl(args.url, password, host) 86 86 + if status == 200: 87 87 + ok += 1 88 88 + else: 89 89 + errors += 1 90 90 + if errors <= 10: 91 91 + print(f" error: {host} -> {status}") 92 92 + elif errors == 11: 93 93 + print(f" (suppressing further errors)") 94 94 + 95 95 + if (i + 1) % 500 == 0: 96 96 + elapsed = time.time() - start 97 97 + print(f" {i + 1}/{len(hosts)} ({ok} ok, {errors} errors, {elapsed:.0f}s)") 98 98 + 99 99 + time.sleep(args.delay) 100 100 + 101 101 + elapsed = time.time() - start 102 102 + print(f"done: {ok} ok, {errors} errors, {elapsed:.0f}s") 103 103 + 104 104 + 105 105 + if __name__ == "__main__": 106 106 + main()