A from-scratch atproto PDS implementation in Python (mirrors https://github.com/DavidBuchanan314/millipds)

### Production deployment on Ubuntu [WIP]

These specific instructions assume Ubuntu + nginx + systemd. If you're on something else, it shouldn't be too hard to adapt.

```sh
# create group for service socket access
sudo addgroup millipds-sock

# create unprivileged user
sudo adduser --system --shell /bin/false --home /opt/millipds millipds

# add the user to the group (leaving its primary group as the default)
sudo usermod -aG millipds-sock millipds

# start a shell session under the new user
sudo -u millipds -s

# all commands below this point are run as the millipds user

# create a virtualenv (maybe this will prove unnecessary, but it probably doesn't hurt)
python3 -m venv ~/.venv

# activate the virtualenv (this must be re-run every time you want to use it)
source ~/.venv/bin/activate

# all commands below this point are run inside the virtualenv

# upgrade pip (maybe optional, again, probably doesn't hurt)
python3 -m pip install --upgrade pip

# install millipds
python3 -m pip install --upgrade millipds@git+https://github.com/DavidBuchanan314/millipds
```

Upgrading:

```sh
sudo -u millipds -s
source ~/.venv/bin/activate
python3 -m pip install --upgrade --force-reinstall --no-cache-dir millipds@git+https://github.com/DavidBuchanan314/millipds
exit
sudo systemctl restart millipds
```

Create a systemd service:

```
[Unit]
Description=millipds
After=network.target

[Service]
Type=simple
Restart=on-failure
User=millipds
WorkingDirectory=/opt/millipds
ExecStart=/opt/millipds/.venv/bin/millipds run --sock_path=/run/millipds/millipds.sock
RuntimeDirectory=millipds

[Install]
WantedBy=multi-user.target
```

TODO: put this file in the repo so it can be copied into place more easily.

Put this in `/etc/systemd/system/millipds.service`

Create a new nginx config:

```
upstream millipds {
	server unix:/run/millipds/millipds.sock fail_timeout=0;
}

server {
	listen 80;
	server_name millipds.test; # CHANGEME!

	location / {
		proxy_pass http://millipds;
		proxy_http_version 1.1;
		proxy_set_header Connection "upgrade";
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_read_timeout 1d;
		proxy_redirect off;
		proxy_buffering off;
		access_log off;
	}
}
```

TODO: is fail_timeout=0 sensible?

Put this in `/etc/nginx/sites-enabled/millipds`

Note: For a prod setup, you'll need to enable SSL. That's outside the scope of this guide, but one way is "once you have the service accessible via HTTP, use certbot".

Add the user that nginx runs under (`www-data`) to the `millipds-sock` group:

```sh
sudo adduser www-data millipds-sock
```

Start the service:

```sh
sudo systemctl start millipds # make it start now
sudo systemctl enable millipds # make it start on every boot
systemctl status millipds # check that it's running
sudo systemctl reload nginx # get nginx to see your new config
```
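
The steps above rely on the `millipds-sock` group to decide who can reach the backend socket. As an added example (not part of millipds or its README), this script checks that access model after deployment; the `ALLOWED` list, the function names and the `--live` flag are assumptions made for illustration, and it assumes GNU `stat` and `getent` as found on Ubuntu.

```sh
#!/bin/sh
# Added example (not part of millipds): audit who can reach the PDS socket.
# Assumption: only millipds and nginx's user should be in the socket group,
# and the socket should grant nothing to "other".

SOCK=/run/millipds/millipds.sock   # path from the systemd unit above
GROUP=millipds-sock                # group created in the first step
ALLOWED="millipds www-data"        # service user and nginx user

# Succeeds if an octal mode string (e.g. 770) grants nothing to "other".
mode_denies_other() {
    case "$1" in *0) return 0 ;; *) return 1 ;; esac
}

# Prints each name in a comma-separated member list that is not in ALLOWED.
unexpected_members() {
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        case " $ALLOWED " in *" $m "*) ;; *) echo "$m" ;; esac
    done
}

# evaluate MODE SOCK_GROUP MEMBERS: prints findings, returns their count.
evaluate() {
    n=0
    mode_denies_other "$1" || { echo "FAIL: mode $1 lets any local user connect"; n=$((n+1)); }
    [ "$2" = "$GROUP" ] || { echo "FAIL: socket group is $2, expected $GROUP"; n=$((n+1)); }
    case ",$3," in
        *,www-data,*) ;;
        *) echo "FAIL: www-data not in $GROUP, nginx cannot connect"; n=$((n+1)) ;;
    esac
    for m in $(unexpected_members "$3"); do
        echo "WARN: $m is in $GROUP and can connect to the PDS without going through nginx"
        n=$((n+1))
    done
    return "$n"
}

# Gather live values (GNU stat, getent) and evaluate them.
audit_live() {
    [ -S "$SOCK" ] || { echo "FAIL: $SOCK is not a socket (service down?)"; return 1; }
    evaluate "$(stat -c %a "$SOCK")" "$(stat -c %G "$SOCK")" \
             "$(getent group "$GROUP" | cut -d: -f4)"
}

# Run against the real system only when asked: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then audit_live && echo "OK: socket access looks as intended"; fi
```

The exit status of a `--live` run is the number of findings, so it can be used as a post-deploy check.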

Useful command for watching the logs:

```sh
sudo journalctl -u millipds.service -f
```

Once the service is up, see [ACCOUNTS.md](./ACCOUNTS.md) for setting up user accounts.
118Once the service is up, see [ACCOUNTS.md](./ACCOUNTS.md) for setting up user accounts.