fix: update docs for toml env #26

-227

.env.example

··· 1 1 - # ============================================================================= 2 2 - # Server 3 3 - # ============================================================================= 4 4 - SERVER_HOST=127.0.0.1 5 5 - SERVER_PORT=3000 6 6 - # The public-facing hostname of the PDS (used in DID documents, JWTs, etc.) 7 7 - PDS_HOSTNAME=localhost:3000 8 8 - # ============================================================================= 9 9 - # Database 10 10 - # ============================================================================= 11 11 - DATABASE_URL=postgres://postgres:postgres@localhost:5432/pds 12 12 - # Connection pool settings (defaults are good for most deployments) 13 13 - # DATABASE_MAX_CONNECTIONS=100 14 14 - # DATABASE_MIN_CONNECTIONS=10 15 15 - # DATABASE_ACQUIRE_TIMEOUT_SECS=30 16 16 - # ============================================================================= 17 17 - # Blob Storage 18 18 - # ============================================================================= 19 19 - # Backend: "filesystem" (default) or "s3" 20 20 - # BLOB_STORAGE_BACKEND=filesystem 21 21 - # For filesystem backend: 22 22 - BLOB_STORAGE_PATH=/var/lib/tranquil/blobs 23 23 - # For S3 backend: 24 24 - # S3_ENDPOINT=http://localhost:9000 25 25 - # AWS_REGION=us-east-1 26 26 - # S3_BUCKET=pds-blobs 27 27 - # AWS_ACCESS_KEY_ID=minioadmin 28 28 - # AWS_SECRET_ACCESS_KEY=minioadmin 29 29 - # ============================================================================= 30 30 - # Backups 31 31 - # ============================================================================= 32 32 - # Enable/disable automatic repo backups 33 33 - # BACKUP_ENABLED=true 34 34 - # Backend: "filesystem" (default) or "s3" 35 35 - # BACKUP_STORAGE_BACKEND=filesystem 36 36 - # For filesystem backend: 37 37 - BACKUP_STORAGE_PATH=/var/lib/tranquil/backups 38 38 - # For S3 backend: 39 39 - # BACKUP_S3_BUCKET=pds-backups 40 40 - # Backup schedule and retention 41 41 - # BACKUP_RETENTION_COUNT=7 42 42 - # BACKUP_INTERVAL_SECS=86400 43 43 - # ============================================================================= 44 44 - # Cache & Rate Limiting 45 45 - # ============================================================================= 46 46 - # Ripple (in-process CRDT cache) is the default. No config needed for single-node. 47 47 - # Set VALKEY_URL to use valkey instead (disables ripple). 48 48 - # VALKEY_URL=redis://localhost:6379 49 49 - # 50 50 - # Ripple multi-node settings (only needed when clustering): 51 51 - # RIPPLE_BIND=0.0.0.0:7890 52 52 - # RIPPLE_PEERS=10.0.0.2:7890,10.0.0.3:7890 53 53 - # RIPPLE_MACHINE_ID=1 54 54 - # RIPPLE_GOSSIP_INTERVAL_MS=200 55 55 - # RIPPLE_CACHE_MAX_MB=256 56 56 - # ============================================================================= 57 57 - # Security Secrets 58 58 - # ============================================================================= 59 59 - # These MUST be set in production (minimum 32 characters each) 60 60 - # In development, set TRANQUIL_PDS_ALLOW_INSECURE_SECRETS=1 to use defaults 61 61 - # Server-wide secret for OAuth token signing (HS256) 62 62 - # JWT_SECRET=your-secure-random-string-at-least-32-chars 63 63 - # Secret for DPoP proof validation 64 64 - # DPOP_SECRET=your-secure-random-string-at-least-32-chars 65 65 - # Key for encrypting user signing keys at rest (AES-256-GCM) 66 66 - # MASTER_KEY=your-secure-random-string-at-least-32-chars 67 67 - # Set this ONLY in development to allow default/weak secrets 68 68 - # TRANQUIL_PDS_ALLOW_INSECURE_SECRETS=1 69 69 - # ============================================================================= 70 70 - # PLC Directory 71 71 - # ============================================================================= 72 72 - # PLC_DIRECTORY_URL=https://plc.directory 73 73 - # PLC_TIMEOUT_SECS=10 74 74 - # PLC_CONNECT_TIMEOUT_SECS=5 75 75 - # Optional: rotation key for PLC operations (defaults to user's key) 76 76 - # PLC_ROTATION_KEY=did:key:... 77 77 - # ============================================================================= 78 78 - # DID Resolution 79 79 - # ============================================================================= 80 80 - # Cache TTL for resolved DID documents (default: 300 seconds) 81 81 - # DID_CACHE_TTL_SECS=300 82 82 - # ============================================================================= 83 83 - # Relays 84 84 - # ============================================================================= 85 85 - # Comma-separated list of relay URLs to notify via requestCrawl 86 86 - # CRAWLERS=https://bsky.network,https://relay.upcloud.world 87 87 - # ============================================================================= 88 88 - # Firehose (subscribeRepos WebSocket) 89 89 - # ============================================================================= 90 90 - # Buffer size for firehose broadcast channel 91 91 - # FIREHOSE_BUFFER_SIZE=10000 92 92 - # Disconnect slow consumers after this many events of lag 93 93 - # FIREHOSE_MAX_LAG=5000 94 94 - # ============================================================================= 95 95 - # Notification Service 96 96 - # ============================================================================= 97 97 - # Queue processing settings 98 98 - # NOTIFICATION_BATCH_SIZE=100 99 99 - # NOTIFICATION_POLL_INTERVAL_MS=1000 100 100 - # Email notifications (via sendmail/msmtp) 101 101 - # MAIL_FROM_ADDRESS=noreply@example.com 102 102 - # MAIL_FROM_NAME=My PDS 103 103 - # SENDMAIL_PATH=/usr/sbin/sendmail 104 104 - # Discord notifications (via bot DM) 105 105 - # DISCORD_BOT_TOKEN=bot-token 106 106 - # Telegram notifications (via bot) 107 107 - # TELEGRAM_BOT_TOKEN=bot-token 108 108 - # TELEGRAM_WEBHOOK_SECRET=random-secret 109 109 - # Signal notifications (via signal-cli) 110 110 - # SIGNAL_CLI_PATH=/usr/local/bin/signal-cli 111 111 - # SIGNAL_SENDER_NUMBER=+1234567890 112 112 - # ============================================================================= 113 113 - # Upload Limits 114 114 - # ============================================================================= 115 115 - # Maximum blob/body size in bytes (default: 10GB) 116 116 - # This controls both the Axum body limit and blob upload limits. 117 117 - # Make sure your nginx client_max_body_size matches or exceeds this value. 118 118 - # MAX_BLOB_SIZE=10737418240 119 119 - # ============================================================================= 120 120 - # Repository Import 121 121 - # ============================================================================= 122 122 - # Set to "true" to accept repository imports 123 123 - # ACCEPTING_REPO_IMPORTS=false 124 124 - # Maximum import size in bytes (default: 100MB) 125 125 - # MAX_IMPORT_SIZE=104857600 126 126 - # Maximum blocks per import (default: 100000) 127 127 - # MAX_IMPORT_BLOCKS=100000 128 128 - # Skip verification during import (testing only) 129 129 - # SKIP_IMPORT_VERIFICATION=false 130 130 - # ============================================================================= 131 131 - # Account Registration 132 132 - # ============================================================================= 133 133 - # Require invite codes for registration 134 134 - # INVITE_CODE_REQUIRED=true 135 135 - # Comma-separated list of available user domains 136 136 - # AVAILABLE_USER_DOMAINS=example.com 137 137 - # Enable self-hosted did:web identities (default: true) 138 138 - # Hosting did:web requires a long-term commitment to serve DID documents. 139 139 - # Set to false if you don't want to offer this option. 140 140 - # ENABLE_PDS_HOSTED_DID_WEB=false 141 141 - # ============================================================================= 142 142 - # Server Metadata (returned by describeServer) 143 143 - # ============================================================================= 144 144 - # Privacy policy URL (optional) 145 145 - # PRIVACY_POLICY_URL=https://example.com/privacy 146 146 - # Terms of service URL (optional) 147 147 - # TERMS_OF_SERVICE_URL=https://example.com/terms 148 148 - # Contact email address (optional) 149 149 - # CONTACT_EMAIL=admin@example.com 150 150 - # ============================================================================= 151 151 - # Rate Limiting 152 152 - # ============================================================================= 153 153 - # Disable all rate limiting (testing only, NEVER in production) 154 154 - # DISABLE_RATE_LIMITING=1 155 155 - # ============================================================================= 156 156 - # Account Deletion 157 157 - # ============================================================================= 158 158 - # How often to check for scheduled account deletions (default: 3600 = 1 hour) 159 159 - # SCHEDULED_DELETE_CHECK_INTERVAL_SECS=3600 160 160 - # ============================================================================= 161 161 - # Moderation / Report Service 162 162 - # ============================================================================= 163 163 - # If configured, moderation reports will be proxied to this service 164 164 - # instead of being stored locally. The service should implement the 165 165 - # com.atproto.moderation.createReport endpoint (eg., Bluesky's Ozone). 166 166 - # Both URL and DID must be set for proxying to be enabled. 167 167 - # REPORT_SERVICE_URL=https://mod.bsky.app 168 168 - # REPORT_SERVICE_DID=did:plc:ar7c4by46qjdydhdevvrndac 169 169 - # ============================================================================= 170 170 - # Age Assurance Override 171 171 - # ============================================================================= 172 172 - # Enable this if you have separately assured the ages of your users 173 173 - # (eg., through your own age verification process). When enabled, the PDS 174 174 - # will return "assured" status for age assurance checks instead of proxying 175 175 - # to the appview. This helps migrated users avoid the age assurance 176 176 - # catch-22 on bsky.app. 177 177 - # PDS_AGE_ASSURANCE_OVERRIDE=1 178 178 - # ============================================================================= 179 179 - # Miscellaneous 180 180 - # ============================================================================= 181 181 - # Allow HTTP for proxy requests (development only) 182 182 - # ALLOW_HTTP_PROXY=1 183 183 - # ============================================================================= 184 184 - # SSO / Social Login 185 185 - # ============================================================================= 186 186 - # Each provider requires ENABLED=true plus CLIENT_ID and CLIENT_SECRET. 187 187 - # Register your PDS as an OAuth application with each provider to get credentials. 188 188 - 189 189 - # GitHub 190 190 - # SSO_GITHUB_ENABLED=true 191 191 - # SSO_GITHUB_CLIENT_ID= 192 192 - # SSO_GITHUB_CLIENT_SECRET= 193 193 - 194 194 - # Discord 195 195 - # SSO_DISCORD_ENABLED=true 196 196 - # SSO_DISCORD_CLIENT_ID= 197 197 - # SSO_DISCORD_CLIENT_SECRET= 198 198 - 199 199 - # Google 200 200 - # SSO_GOOGLE_ENABLED=true 201 201 - # SSO_GOOGLE_CLIENT_ID= 202 202 - # SSO_GOOGLE_CLIENT_SECRET= 203 203 - 204 204 - # GitLab (set ISSUER for self-hosted instances) 205 205 - # SSO_GITLAB_ENABLED=false 206 206 - # SSO_GITLAB_CLIENT_ID= 207 207 - # SSO_GITLAB_CLIENT_SECRET= 208 208 - # SSO_GITLAB_ISSUER=https://gitlab.com 209 209 - 210 210 - # Generic OIDC 211 211 - # SSO_OIDC_ENABLED=false 212 212 - # SSO_OIDC_CLIENT_ID= 213 213 - # SSO_OIDC_CLIENT_SECRET= 214 214 - # SSO_OIDC_ISSUER=https://your-identity-provider.com 215 215 - # SSO_OIDC_NAME=Custom Provider 216 216 - 217 217 - # Apple Sign-in 218 218 - # SSO_APPLE_ENABLED=true 219 219 - # SSO_APPLE_CLIENT_ID=com.example.signin # Services ID from Apple Developer Portal 220 220 - # SSO_APPLE_TEAM_ID=XXXXXXXXXX # 10-character Team ID 221 221 - # SSO_APPLE_KEY_ID=XXXXXXXXXX # Key ID from portal 222 222 - # SSO_APPLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----" 223 223 - CARGO_MOMMYS_LITTLE=mister 224 224 - CARGO_MOMMYS_PRONOUNS=his 225 225 - CARGO_MOMMYS_ROLES=daddy 226 226 - CARGO_MOMMYS_EMOTES="🚛/🧱/🚜/🔩/🦺" 227 227 - CARGO_MOMMYS_MOODS=ominous

+4 -4

README.md

··· 17 17 ## Quick Start 18 18 19 19 ```bash 20 20 - cp .env.example .env 20 20 + cp example.toml config.toml 21 21 podman compose up db -d 22 22 just run 23 23 ``` ··· 27 27 See `example.toml` for all configuration options. 28 28 29 29 > [!NOTE] 30 30 - > The order of configuration precendence is: environment variables, than a config file passed via `--config`, than `/etc/tranquil-pds/config.toml`, than the built-in defaults. So you can use environment variables, or a config file, or both. 30 30 + > The order of configuration precedence is: environment variables, then a config file passed via `--config`, then `/etc/tranquil-pds/config.toml`, then the built-in defaults. So you can use environment variables, or a config file, or both. 31 31 32 32 ## Development 33 33 ··· 42 42 43 43 ### Quick Deploy (Docker/Podman Compose) 44 44 45 45 - Edit `.env` with your values. Generate secrets with `openssl rand -base64 48`. 45 45 + Edit `config.toml` with your values. Generate secrets with `openssl rand -base64 48`. 46 46 47 47 ```bash 48 48 - cp .env.example .env 48 48 + cp example.toml config.toml 49 49 podman-compose -f docker-compose.prod.yaml up -d 50 50 ``` 51 51

+1 -10

docker-compose.prod.yaml

··· 7 7 restart: unless-stopped 8 8 environment: 9 9 SERVER_HOST: "0.0.0.0" 10 10 - SERVER_PORT: "3000" 11 11 - PDS_HOSTNAME: "${PDS_HOSTNAME:?PDS_HOSTNAME is required}" 12 12 - DATABASE_URL: "postgres://tranquil_pds:${DB_PASSWORD:?DB_PASSWORD is required}@db:5432/pds" 13 13 - BLOB_STORAGE_PATH: "/var/lib/tranquil/blobs" 14 14 - BACKUP_STORAGE_PATH: "/var/lib/tranquil/backups" 15 15 - JWT_SECRET: "${JWT_SECRET:?JWT_SECRET is required (min 32 chars)}" 16 16 - DPOP_SECRET: "${DPOP_SECRET:?DPOP_SECRET is required (min 32 chars)}" 17 17 - MASTER_KEY: "${MASTER_KEY:?MASTER_KEY is required (min 32 chars)}" 18 18 - CRAWLERS: "${CRAWLERS:-https://bsky.network}" 19 10 volumes: 20 11 - ./config.toml:/etc/tranquil-pds/config.toml:ro 21 12 - blob_data:/var/lib/tranquil/blobs ··· 60 51 restart: unless-stopped 61 52 environment: 62 53 POSTGRES_USER: tranquil_pds 63 63 - POSTGRES_PASSWORD: "${DB_PASSWORD:?DB_PASSWORD is required}" 54 54 + POSTGRES_PASSWORD: "CHANGE-ME" 64 55 POSTGRES_DB: pds 65 56 volumes: 66 57 - postgres_data:/var/lib/postgresql/data

-2

docker-compose.yaml

··· 6 6 image: tranquil-pds 7 7 ports: 8 8 - "3000:3000" 9 9 - env_file: 10 10 - - ./.env 11 9 environment: 12 10 DATABASE_URL: postgres://postgres:postgres@db:5432/pds 13 11 volumes:

+1 -17

shell.nix

··· 27 27 28 28 env = { 29 29 RUST_SRC_PATH = rustPlatform.rustLibSrc; 30 30 - } 31 31 - # isabel if this is like a horrible way to do this forgive me for my sins ig 32 32 - # if you can make this better go do it and tell me how or something :3 33 33 - // builtins.fromTOML ( 34 34 - (s: if s == "" then s else s + "\"") (lib.replaceStrings [ "\n" "=" "\"" ] [ "\"\n" "=\"" "\\\"" ] 35 35 - (lib.concatStringsSep "\n" 36 36 - (lib.filter (line: !lib.hasPrefix "#" line && line != "") 37 37 - (lib.splitString "\n" 38 38 - (if lib.pathIsRegularFile ./.env 39 39 - then (lib.readFile ./.env) 40 40 - else "" 41 41 - ) 42 42 - ) 43 43 - ) 44 44 - ) 45 45 - ) 46 46 - ); 30 30 + }; 47 31 48 32 packages = [ 49 33 just