Merge branch 'main' into env-vars · sullen.net/pds@a8cb3e7

+6 -6

ACCOUNT_MIGRATION.md

··· 1 - # Account Migration 1 + # Account Migration 2 + 3 + **Update May 2025:** An updated guide to account migration is now [part of the atproto specifications](https://atproto.com/guides/account-migration). There is also [a blog post available](https://whtwnd.com/bnewbold.net/3l5ii332pf32u) which describes how to do an account migration using a command-line tool (`goat`). 2 4 3 5 ### ⚠️ Warning ⚠️ ️ 4 - Account migration is a potentially destructive operation. Part of the operation involves signing away your old PDS's ability to make updates to your DID. If something goes wrong, you could be permanently locked out of your account, and Bluesky will not be able to help you recover it. 6 + Account migration is a potentially destructive operation. Part of the operation involves signing away your old PDS's ability to make updates to your DID. If something goes wrong, you could be permanently locked out of your account, and Bluesky will not be able to help you recover it. 5 7 6 8 Therefore, we do not recommend migrating your primary account yet. And we specifically recommend _against_ migrating your main account if you do not understand how PLC operations work. 7 9 8 - Also, the Bluesky PDS is not currently accepting incoming migrations (it will in the future). Therefore this is currently a one-way street. If you migrate off of `bsky.social`, _you will not be able to return_. However, you will be able to migrate between other PDSs. 9 - 10 10 ![Diagram of account migration flow](https://raw.githubusercontent.com/bluesky-social/pds/main/assets/account-migration.png) 11 11 12 12 Account Migration occurs in 4 main steps: ··· 22 22 23 23 To do so, you need a JWT signed with the signing key associated with your DID. You can obtain this through calling `com.atproto.server.getServiceAuth` from your old PDS. If your old PDS is not willing to provide the authentication token, you will need to update your DID document to point to a signing key that you possess in order to mint an authentication token yourself. 24 24 25 - With this JWT set as a Bearer token, you can then create an account on the new PDS by calling `com.atproto.server.createAccount`. You'll need to fulfill any challenges that the new PDS requires - such as an invite code. 25 + With this JWT set as a Bearer token, you can then create an account on the new PDS by calling `com.atproto.server.createAccount`. You'll need to fulfill any challenges that the new PDS requires - such as an invite code. 26 26 27 27 After creating an account, you'll have a signing key on the new PDS and an empty repository. Your account will be in a "deactivated" state such that it is not usable yet. 28 28 ··· 32 32 33 33 First, you can grab your entire repository in the form of a [CAR file](https://ipld.io/specs/transport/car/carv1/) by calling `com.atproto.sync.getRepo`. You can then upload those exact bytes to your new PDS through `com.atproto.repo.importRepo`. The new PDS will parse the CAR file, index all blocks and records, and sign a new commit for the repository. 34 34 35 - Next, you'll need to upload all relevant blobs. These can be discovered by calling `com.atproto.sync.listBlobs` on your old PDS. For each blob, you'll need to download the contents through `com.atproto.sync.getBlob` and upload them to your new PDS through `com.atproto.repo.uploadBlob`. 35 + Next, you'll need to upload all relevant blobs. These can be discovered by calling `com.atproto.sync.listBlobs` on your old PDS. For each blob, you'll need to download the contents through `com.atproto.sync.getBlob` and upload them to your new PDS through `com.atproto.repo.uploadBlob`. 36 36 37 37 Finally, you'll need to migrate private state. Currently the only private state held on your PDS is your preferences. You can migrate this by calling `app.bsky.actor.getPreferences` on your old PDS, and submitting the results to `app.bsky.actor.putPreferences` on your new PDS. 38 38

+2 -1

Dockerfile

··· 1 1 FROM node:20.11-alpine3.18 as build 2 2 3 - RUN npm install -g pnpm 3 + RUN corepack enable 4 4 5 5 # Move files into the image and install 6 6 WORKDIR /app 7 7 COPY ./service ./ 8 + RUN corepack prepare --activate 8 9 RUN pnpm install --production --frozen-lockfile > /dev/null 9 10 10 11 # Uses assets from build stage to reduce build size

+33

PUBLISH.md

··· 1 + # Publishing a new version of the PDS distro 2 + 3 + Below are the steps to publish a new version of the PDS distribution. The distribution is hosted by GitHub Container Registry, supported by the `build-and-push-ghcr` workflow. We use git tags to generate Docker tags on the resulting images. 4 + 5 + 1. Update the @atproto/pds dependency in the `service/` directory. 6 + 7 + We're using version `0.4.999` as an example. The latest version of the [`@atproto/pds` package](https://www.npmjs.com/package/@atproto/pds) must already be published on npm. 8 + ```sh 9 + $ cd service/ 10 + $ pnpm update @atproto/pds@0.4.999 11 + $ cd .. 12 + ``` 13 + 14 + 2. Commit the change directly to `main`. 15 + 16 + As soon as this is committed and pushed, the workflow to build the Docker image will start running. 17 + ```sh 18 + $ git add service/ 19 + $ git commit -m "pds v0.4.999" 20 + $ git push 21 + ``` 22 + 23 + 3. Smoke test the new Docker image. 24 + 25 + The new Docker image built by GitHub can be found [here](https://github.com/bluesky-social/pds/pkgs/container/pds). You can use the `sha-`prefixed tag to deploy this image to a test PDS for smoke testing. 26 + 27 + 4. Finally, tag the latest Docker image version. 28 + 29 + The Docker image will be tagged as `latest`, `0.4.999`, and `0.4`. Our self-hosters generally use the `0.4` tag, and their PDS distribution will be updated automatically over night in many cases. The Docker tags are generated automatically from git tags. 30 + ```sh 31 + $ git tag v0.4.999 32 + $ git push --tags 33 + ```

+131 -41

README.md

··· 2 2 3 3 Welcome to the repository for the official Bluesky PDS (Personal Data Server). This repository includes container images and documentation designed to assist technical people with hosting a Bluesky PDS. 4 4 5 - Head over to the [AT Protocol PDS Admins Discord](https://discord.gg/e7hpHxRfBP) to chat with other folks hosting instances and get important updates about the PDS distribution! 5 + Head over to the [ATProto Touchers Discord](https://discord.atprotocol.dev/) to chat with other folks hosting instances and get important updates about the PDS distribution! 6 6 7 7 ## Table of Contents 8 8 ··· 10 10 11 11  12 12 13 - - [FAQ](#faq) 14 - * [What is Bluesky?](#what-is-bluesky) 15 - * [What is AT Protocol?](#what-is-at-protocol) 16 - * [Where is the code?](#where-is-the-code) 17 - * [What is the current status of federation?](#what-is-the-current-status-of-federation) 18 - - [Self-hosting PDS](#self-hosting-pds) 19 - * [Preparation for self-hosting PDS](#preparation-for-self-hosting-pds) 20 - * [Open your cloud firewall for HTTP and HTTPS](#open-your-cloud-firewall-for-http-and-https) 21 - * [Configure DNS for your domain](#configure-dns-for-your-domain) 22 - * [Check that DNS is working as expected](#check-that-dns-is-working-as-expected) 23 - * [Installer on Ubuntu 20.04/22.04 and Debian 11/12](#installer-on-ubuntu-20042204-and-debian-1112) 24 - * [Verifying that your PDS is online and accessible](#verifying-that-your-pds-is-online-and-accessible) 25 - * [Creating an account using pdsadmin](#creating-an-account-using-pdsadmin) 26 - * [Creating an account using an invite code](#creating-an-account-using-an-invite-code) 27 - * [Using the Bluesky app with your PDS](#using-the-bluesky-app-with-your-pds) 28 - * [Setting up SMTP](#setting-up-smtp) 29 - * [Updating your PDS](#updating-your-pds) 30 - * [Environment Variables](#environment-variables) 13 + - [PDS](#pds) 14 + - [Table of Contents](#table-of-contents) 15 + - [FAQ](#faq) 16 + - [What is Bluesky?](#what-is-bluesky) 17 + - [What is AT Protocol?](#what-is-at-protocol) 18 + - [Where is the code?](#where-is-the-code) 19 + - [What is the current status of federation?](#what-is-the-current-status-of-federation) 20 + - [Self-hosting a PDS](#self-hosting-a-pds) 21 + - [Deploying a PDS onto a VPS](#deploying-a-pds-onto-a-vps) 22 + - [Open your cloud firewall for HTTP and HTTPS](#open-your-cloud-firewall-for-http-and-https) 23 + - [Configure DNS for your domain](#configure-dns-for-your-domain) 24 + - [Check that DNS is working as expected](#check-that-dns-is-working-as-expected) 25 + - [Installing on Ubuntu 20.04/22.04/24.04 and Debian 11/12/13](#installing-on-ubuntu-200422042404-and-debian-111213) 26 + - [Verifying that your PDS is online and accessible](#verifying-that-your-pds-is-online-and-accessible) 27 + - [Creating an account using pdsadmin](#creating-an-account-using-pdsadmin) 28 + - [Creating an account using an invite code](#creating-an-account-using-an-invite-code) 29 + - [Using the Bluesky app with your PDS](#using-the-bluesky-app-with-your-pds) 30 + - [Setting up SMTP](#setting-up-smtp) 31 + - [Common SMTP issues](#common-smtp-issues) 32 + - [Logging](#logging) 33 + - [Updating your PDS](#updating-your-pds) 34 + - [Environment Variables](#environment-variables) 35 + - [License](#license) 31 36 32 37  33 38 ··· 52 57 53 58 ### What is the current status of federation? 54 59 55 - As of Spring 2024, the AT Protocol network is open to federation! 60 + The AT Protocol network is open to federation! 56 61 57 62 ✅ Federated domain handles (e.g. `@nytimes.com`) 58 63 ··· 66 71 67 72 ✅ Federated moderation (labeling) 68 73 69 - ## Self-hosting PDS 74 + ## Self-hosting a PDS 70 75 71 76 Self-hosting a Bluesky PDS means running your own Personal Data Server that is capable of federating with the wider Bluesky social network. 72 77 73 - ### Preparation for self-hosting PDS 78 + ### Deploying a PDS onto a VPS 74 79 75 - Launch a server on any cloud provider, [Digital Ocean](https://digitalocean.com/) and [Vultr](https://vultr.com/) are two popular choices. 80 + This README provides instructions for deploying a PDS using our install script onto a Virtual Private Server. [Digital Ocean](https://digitalocean.com/) and [Vultr](https://vultr.com/) are two popular choices for VPS hosting. 76 81 77 82 Ensure that you can ssh to your server and have root access. 78 83 ··· 84 89 **Server Recommendations** 85 90 | | | 86 91 | ---------------- | ------------ | 87 - | Operating System | Ubuntu 22.04 | 92 + | Operating System | Ubuntu 24.04 | 88 93 | Memory (RAM) | 1 GB | 89 94 | CPU Cores | 1 | 90 95 | Storage | 20 GB SSD | ··· 131 136 132 137 These should all return your server's public IP. 133 138 134 - ### Installer on Ubuntu 20.04/22.04 and Debian 11/12 139 + ### Installing on Ubuntu 20.04/22.04/24.04 and Debian 11/12/13 135 140 136 - On your server via ssh, download the installer script using wget: 141 + Note that this script assumes a relatively "fresh" VPS that is not also concurrently hosting a web server or anything else on port 80/443. If you intend to run a PDS alongside an existing webserver on the same VPS, you will not want to use this install script. 142 + 143 + On your server, download the install script using `curl`: 137 144 138 145 ```bash 139 - wget https://raw.githubusercontent.com/bluesky-social/pds/main/installer.sh 146 + curl https://raw.githubusercontent.com/bluesky-social/pds/main/installer.sh > installer.sh 140 147 ``` 141 148 142 - or download it using curl: 149 + And then run the installer using `bash`. You will need `sudo` permissions to continue: 143 150 144 151 ```bash 145 - curl https://raw.githubusercontent.com/bluesky-social/pds/main/installer.sh >installer.sh 152 + sudo bash installer.sh 146 153 ``` 147 154 148 - And then run the installer using bash: 155 + The install script is interactive and will prompt for input during the install process. You will need to provide your public DNS address, an admin email address (which does not need to be from the same domain), and be prompted to create a PDS user account with its own email address and handle. If you plan to reuse an existing AT handle, you can skip user account creation, though if it is your first time deploying a PDS you may want to create an account using your domain like `account.your-domain.net` for testing purposes. 149 156 150 - ```bash 151 - sudo bash installer.sh 157 + Upon completion of a successful installation, you'll receive output similar to the following: 158 + 159 + ``` 160 + ======================================================================== 161 + PDS installation successful! 162 + ------------------------------------------------------------------------ 163 + 164 + Check service status : sudo systemctl status pds 165 + Watch service logs : sudo docker logs -f pds 166 + Backup service data : /pds 167 + PDS Admin command : pdsadmin 168 + 169 + Required Firewall Ports 170 + ------------------------------------------------------------------------ 171 + Service Direction Port Protocol Source 172 + ------- --------- ---- -------- ---------------------- 173 + HTTP TLS verification Inbound 80 TCP Any 174 + HTTP Control Panel Inbound 443 TCP Any 175 + 176 + Required DNS entries 177 + ------------------------------------------------------------------------ 178 + Name Type Value 179 + ------- --------- --------------- 180 + your-domain.net A your-ip-address 181 + *.your-domain.net A your-ip-address 182 + 183 + Detected public IP of this server: your-ip-address 184 + 185 + To see pdsadmin commands, run "pdsadmin help" 186 + 187 + ======================================================================== 188 + ``` 189 + 190 + And, following account creation: 191 + 192 + ``` 193 + Account created successfully! 194 + ----------------------------- 195 + Handle : handle.your-domain.net 196 + DID : did:plc:your-did 197 + Password : your-password 198 + ----------------------------- 199 + Save this password, it will not be displayed again. 152 200 ``` 153 201 154 202 ### Verifying that your PDS is online and accessible 155 203 156 204 > [!TIP] 157 - > The most common problems with getting PDS content consumed in the live network are when folks substitute the provided Caddy configuration for nginx, apache, or similar reverse proxies. Getting TLS certificates, WebSockets, and virtual server names all correct can be tricky. We are not currently providing tech support for other configurations. 205 + > The most common problems with getting PDS content consumed in the live network usually result from users trying to port the provided Caddy configuration to Nginx, Apache, or other reverse proxies. Getting TLS certificates, WebSockets, and virtual server names provisioned can be challenging. We are not currently providing tech support for other configurations. 158 206 159 - You can check if your server is online and healthy by requesting the healthcheck endpoint. 207 + After installation, your PDS should be live and accessible on the web. You can check if your server is online and healthy by making a request to `https://your-domain.net/xrpc/_health` (the healthcheck endpoint). You should see a JSON response with a version, like: 160 208 161 - You can visit `https://example.com/xrpc/_health` in your browser. You should see a JSON response with a version, like: 209 + Visit `https://your-domain.net/xrpc/_health` in your browser. You should see a JSON response with a version, like: 162 210 163 211 ``` 164 212 {"version":"0.2.2-beta.2"} ··· 170 218 wsdump "wss://example.com/xrpc/com.atproto.sync.subscribeRepos?cursor=0" 171 219 ``` 172 220 173 - Note that there will be no events output on the WebSocket until they are created in the PDS, so the above command may continue to run with no output if things are configured successfully. 221 + Note that there will be no events output on the WebSocket until they are created in the PDS, so the above command may continue to run with no output immediately post-installation. 174 222 175 223 ### Creating an account using pdsadmin 176 224 177 - Using ssh on your server, use `pdsadmin` to create an account if you haven't already. 225 + You'll now have access to some additional command line tools on this server. Use `pdsadmin` to create an account if you haven't already: 178 226 179 227 ```bash 180 228 sudo pdsadmin account create ··· 182 230 183 231 ### Creating an account using an invite code 184 232 185 - Using ssh on your server, use `pdsadmin` to create an invite code. 233 + If needed, use `pdsadmin` to create an invite code: 186 234 187 235 ```bash 188 236 sudo pdsadmin create-invite-code ··· 206 254 207 255 To be able to verify users' email addresses and send other emails, you need to set up an SMTP server. 208 256 209 - One way to do this is to use an email service. [Resend](https://resend.com/) and [SendGrid](https://sendgrid.com/) are two popular choices. 257 + As an alternative to running your own SMTP server, you can use an email service. [Resend](https://resend.com/) and [SendGrid](https://sendgrid.com/) are two popular choices. 210 258 211 - Create an account and API key on an email service, ensure your server allows access on the required ports, and set these variables in `/pds/pds.env` (example with Resend): 259 + Create an account and API key on an email service, ensure your server allows access on the required ports, and then you can add these configuration variables to `/pds/pds.env` on your server (example with Resend): 212 260 213 261 ``` 214 262 PDS_EMAIL_SMTP_URL=smtps://resend:<your api key here>@smtp.resend.com:465/ 215 263 PDS_EMAIL_FROM_ADDRESS=admin@your.domain 216 264 ``` 217 265 266 + If you prefer to use a standard SMTP server (a local one or from your email provider), put your account's username and password in the URL: 267 + 268 + ``` 269 + PDS_EMAIL_SMTP_URL=smtps://username:password@smtp.example.com/ 270 + ``` 271 + 272 + Alternatively, if you're running a local sendmail-compatible mail service like Postfix or Exim on the same host, you can configure the PDS to use the sendmail transport by using such URL: 273 + 274 + ``` 275 + PDS_EMAIL_SMTP_URL=smtp:///?sendmail=true 276 + ``` 277 + 218 278 _Note: Your PDS will need to be restarted with those variables. This varies depending on your setup. If you followed this installation guide, run `systemctl restart pds`. You might need to restart the server or recreate the container, depending on what you are using._ 219 279 280 + #### Common SMTP issues 281 + 282 + If you find that your test messages using cURL or other sources go out correctly, but you are not receiving emails from your PDS, you may need to URL encode your username and password on `/pds/pds.env` and restart the PDS service. 283 + 284 + If the username and/or password contain special characters, the special characters will need to be [percent encoded](https://en.wikipedia.org/wiki/Percent-encoding). For some email services, the username will contain an extra `@` symbol that will also need to be percent encoded. For example, the URL `user&name@oci:p@ssword@smtphost:465` after percent encoding for the username and password fields would become `user%26name%40oci:p%40ssword@smtphost:465`. 285 + 286 + If you are migrating an account, Bluesky's UI will ask you to confirm your email address. The confirmation code email is meant to come from your PDS. If you are encountering issues with SMTP and want to confirm the address before solving it, you can find the confirmation code on the `email_token` table on `accounts.sqlite`. 287 + 288 + ### Logging 289 + 290 + By default, logs from the PDS are printed to `stdout` and end up in Docker's log. You can browse them by running: 291 + 292 + ``` 293 + [sudo] docker logs pds 294 + ``` 295 + 296 + Note: these logs are not persisted, so they will be lost after server reboot. 297 + 298 + Alternatively, you can configure the logs to be printed to a file by setting `LOG_DESTINATION`: 299 + 300 + ``` 301 + LOG_DESTINATION=/pds/pds.log 302 + ``` 303 + 304 + You can also change the minimum level of logs to be printed (default: `info`): 305 + 306 + ``` 307 + LOG_LEVEL=debug 308 + ``` 309 + 220 310 ### Updating your PDS 221 311 222 - It is recommended that you keep your PDS up to date with new versions, otherwise things may break. You can use the `pdsadmin` tool to update your PDS. 312 + It is recommended that you keep your PDS up to date with new versions. You can use the `pdsadmin` tool to update your PDS. 223 313 224 314 ```bash 225 315 sudo pdsadmin update

+8 -11

installer.sh

··· 1 - #!/bin/bash 1 + #!/usr/bin/env bash 2 2 set -o errexit 3 3 set -o nounset 4 4 set -o pipefail ··· 31 31 openssl 32 32 sqlite3 33 33 xxd 34 + jq 34 35 " 35 36 # Docker packages. 36 37 REQUIRED_DOCKER_PACKAGES=" ··· 93 94 elif [[ "${DISTRIB_CODENAME}" == "jammy" ]]; then 94 95 SUPPORTED_OS="true" 95 96 echo "* Detected supported distribution Ubuntu 22.04 LTS" 96 - elif [[ "${DISTRIB_CODENAME}" == "mantic" ]]; then 97 + elif [[ "${DISTRIB_CODENAME}" == "noble" ]]; then 97 98 SUPPORTED_OS="true" 98 - echo "* Detected supported distribution Ubuntu 23.10 LTS" 99 + echo "* Detected supported distribution Ubuntu 24.04 LTS" 99 100 fi 100 101 elif [[ "${DISTRIB_ID}" == "debian" ]]; then 101 102 if [[ "${DISTRIB_CODENAME}" == "bullseye" ]]; then ··· 104 105 elif [[ "${DISTRIB_CODENAME}" == "bookworm" ]]; then 105 106 SUPPORTED_OS="true" 106 107 echo "* Detected supported distribution Debian 12" 108 + elif [[ "${DISTRIB_CODENAME}" == "trixie" ]]; then 109 + SUPPORTED_OS="true" 110 + echo "* Detected supported distribution Debian 13" 107 111 fi 108 112 fi 109 113 110 114 if [[ "${SUPPORTED_OS}" != "true" ]]; then 111 - echo "Sorry, only Ubuntu 20.04, 22.04, Debian 11 and Debian 12 are supported by this installer. Exiting..." 115 + echo "Sorry, only Ubuntu 20.04, 22.04, 24.04, and Debian 11, 12, and 13 are supported by this installer. Exiting..." 112 116 exit 1 113 117 fi 114 118 ··· 214 218 fi 215 219 216 220 # Admin email 217 - if [[ -z "${PDS_ADMIN_EMAIL}" ]]; then 218 - read -p "Enter an admin email address (e.g. you@example.com): " PDS_ADMIN_EMAIL 219 - fi 220 - if [[ -z "${PDS_ADMIN_EMAIL}" ]]; then 221 - usage "No admin email specified" 222 - fi 223 - 224 221 if [[ -z "${PDS_ADMIN_EMAIL}" ]]; then 225 222 read -p "Enter an admin email address (e.g. you@example.com): " PDS_ADMIN_EMAIL 226 223 fi

+2 -2

pdsadmin.sh

··· 1 - #!/bin/bash 1 + #!/usr/bin/env bash 2 2 set -o errexit 3 3 set -o nounset 4 4 set -o pipefail ··· 26 26 27 27 chmod +x "${SCRIPT_FILE}" 28 28 if "${SCRIPT_FILE}" "$@"; then 29 - rm --force "${SCRIPT_FILE}" 29 + rm -f "${SCRIPT_FILE}" 30 30 fi

+1 -1

pdsadmin/account.sh