# Tranquil PDS Production Installation on Debian

This guide covers installing Tranquil PDS on Debian 13.

## Prerequisites
- A VPS with at least 2GB RAM and 20GB disk
- A domain name pointing to your server's IP
- A wildcard TLS certificate for `*.pds.example.com` (user handles are served as subdomains)
- Root or sudo access

## 1. System Setup
```bash
apt update && apt upgrade -y
apt install -y curl git build-essential pkg-config libssl-dev
```

## 2. Install Rust
```bash
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source ~/.cargo/env
rustup default stable
```
This installs the latest stable Rust.

## 3. Install postgres
```bash
apt install -y postgresql postgresql-contrib
systemctl enable postgresql
systemctl start postgresql
sudo -u postgres psql -c "CREATE USER tranquil_pds WITH PASSWORD 'your-secure-password';"
sudo -u postgres psql -c "CREATE DATABASE pds OWNER tranquil_pds;"
sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE pds TO tranquil_pds;"
```

## 4. Install minio
```bash
curl -O https://dl.min.io/server/minio/release/linux-amd64/minio
chmod +x minio
mv minio /usr/local/bin/
mkdir -p /var/lib/minio/data
useradd -r -s /sbin/nologin minio-user
chown -R minio-user:minio-user /var/lib/minio
cat > /etc/default/minio << 'EOF'
MINIO_ROOT_USER=minioadmin
MINIO_ROOT_PASSWORD=your-minio-password
MINIO_VOLUMES="/var/lib/minio/data"
MINIO_OPTS="--console-address :9001"
EOF
# This file holds the MinIO root credentials. systemd reads it as root,
# so no other account needs read access.
chmod 600 /etc/default/minio
cat > /etc/systemd/system/minio.service << 'EOF'
[Unit]
Description=MinIO Object Storage
After=network.target
[Service]
User=minio-user
Group=minio-user
EnvironmentFile=/etc/default/minio
ExecStart=/usr/local/bin/minio server $MINIO_VOLUMES $MINIO_OPTS
Restart=always
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable minio
systemctl start minio
```
Create the blob bucket (wait a few seconds for minio to start):
```bash
curl -O https://dl.min.io/client/mc/release/linux-amd64/mc
chmod +x mc
mv mc /usr/local/bin/
mc alias set local http://localhost:9000 minioadmin your-minio-password
mc mb local/pds-blobs
```

## 5. Install valkey
```bash
apt install -y valkey
systemctl enable valkey-server
systemctl start valkey-server
```

## 6. Install deno (for frontend build)
```bash
curl -fsSL https://deno.land/install.sh | sh
export PATH="$HOME/.deno/bin:$PATH"
echo 'export PATH="$HOME/.deno/bin:$PATH"' >> ~/.bashrc
```

## 7. Clone and Build Tranquil PDS
```bash
cd /opt
git clone https://tangled.org/lewis.moe/bspds-sandbox tranquil-pds
cd tranquil-pds
cd frontend
deno task build
cd ..
cargo build --release
```

## 8. Install sqlx-cli and Run Migrations
```bash
cargo install sqlx-cli --no-default-features --features postgres
export DATABASE_URL="postgres://tranquil_pds:your-secure-password@localhost:5432/pds"
sqlx migrate run
```

## 9. Configure Tranquil PDS
```bash
mkdir -p /etc/tranquil-pds
cp /opt/tranquil-pds/.env.example /etc/tranquil-pds/tranquil-pds.env
chmod 600 /etc/tranquil-pds/tranquil-pds.env
```
Edit `/etc/tranquil-pds/tranquil-pds.env` and fill in your values. Generate secrets with:
```bash
openssl rand -base64 48
```
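
A check for the secrets files written in steps 4 and 9, as an added example that is not part of the original guide or of Tranquil PDS. The function name `audit_env_file` is hypothetical, and the placeholder strings it looks for are the sample values this guide uses in its commands.

```bash
# Added example, not part of Tranquil PDS. audit_env_file is a hypothetical helper.
# Returns 0 if the file is private and free of this guide's sample credentials,
# 1 if a problem was found, 2 if the file does not exist.
audit_env_file() {
    local file mode status word
    file="$1"
    status=0
    if [ ! -f "$file" ]; then
        echo "MISSING  $file"
        return 2
    fi
    # GNU stat (Debian): %a prints the octal mode, e.g. 600 or 644.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        0|[0-7]00) ;;   # no group/other permission bits set
        *)
            echo "PERMS    $file is mode $mode; run: chmod 600 $file"
            status=1
            ;;
    esac
    # Sample values copied from this guide must not survive into production.
    for word in your-secure-password your-minio-password MINIO_ROOT_USER=minioadmin; do
        if grep -qF -- "$word" "$file"; then
            echo "DEFAULT  $file still contains: $word"
            status=1
        fi
    done
    return "$status"
}

# Usage on the server (as root), covering the files from steps 4 and 9:
#   audit_env_file /etc/default/minio
#   audit_env_file /etc/tranquil-pds/tranquil-pds.env
```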

## 10. Create Systemd Service
```bash
useradd -r -s /sbin/nologin tranquil-pds
cp /opt/tranquil-pds/target/release/tranquil-pds /usr/local/bin/
mkdir -p /var/lib/tranquil-pds
cp -r /opt/tranquil-pds/frontend/dist /var/lib/tranquil-pds/frontend
chown -R tranquil-pds:tranquil-pds /var/lib/tranquil-pds
cat > /etc/systemd/system/tranquil-pds.service << 'EOF'
[Unit]
Description=Tranquil PDS - AT Protocol PDS
After=network.target postgresql.service minio.service
[Service]
Type=simple
User=tranquil-pds
Group=tranquil-pds
EnvironmentFile=/etc/tranquil-pds/tranquil-pds.env
Environment=FRONTEND_DIR=/var/lib/tranquil-pds/frontend
ExecStart=/usr/local/bin/tranquil-pds
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable tranquil-pds
systemctl start tranquil-pds
```

## 11. Install and Configure nginx
```bash
apt install -y nginx certbot python3-certbot-nginx
cat > /etc/nginx/sites-available/tranquil-pds << 'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name pds.example.com;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
    }
}
EOF
ln -s /etc/nginx/sites-available/tranquil-pds /etc/nginx/sites-enabled/
rm -f /etc/nginx/sites-enabled/default
nginx -t
systemctl reload nginx
```

## 12. Obtain Wildcard SSL Certificate
User handles are served as subdomains (e.g., `alice.pds.example.com`), so you need a wildcard certificate.

Wildcard certs require DNS-01 validation. If your DNS provider has a certbot plugin:
```bash
apt install -y python3-certbot-dns-cloudflare
certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /etc/cloudflare.ini \
  -d pds.example.com -d '*.pds.example.com'
```

For manual DNS validation (works with any provider):
```bash
certbot certonly --manual --preferred-challenges dns \
  -d pds.example.com -d '*.pds.example.com'
```
Follow the prompts to add TXT records to your DNS. Note: manual mode doesn't auto-renew.

After obtaining the cert, update nginx to use it and reload.

## 13. Configure Firewall
```bash
apt install -y ufw
ufw allow ssh
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
```

## 14. Verify Installation
```bash
# jq is not installed by the earlier steps
apt install -y jq
systemctl status tranquil-pds
curl -s https://pds.example.com/xrpc/_health | jq
curl -s https://pds.example.com/.well-known/atproto-did
```

## Maintenance
View logs:
```bash
journalctl -u tranquil-pds -f
```
Update Tranquil PDS:
```bash
cd /opt/tranquil-pds
git pull
cd frontend && deno task build && cd ..
cargo build --release
systemctl stop tranquil-pds
cp target/release/tranquil-pds /usr/local/bin/
# Copy the contents of dist/ into the existing directory. Copying dist itself
# would land in /var/lib/tranquil-pds/frontend/dist and leave the old build in place.
cp -r frontend/dist/. /var/lib/tranquil-pds/frontend/
DATABASE_URL="postgres://tranquil_pds:your-secure-password@localhost:5432/pds" sqlx migrate run
systemctl start tranquil-pds
```
Backup database:
```bash
# umask 077 creates the dump as mode 600, so other local accounts cannot read it
(umask 077 && sudo -u postgres pg_dump pds > /var/backups/pds-$(date +%Y%m%d).sql)
```