From 454849d089fd848d5dfb5fb2c38d19fc5fa04d48 Mon Sep 17 00:00:00 2001 From: "dane.is.extraordinarily.cool" Date: Mon, 17 Nov 2025 17:22:44 -0500 Subject: [PATCH] docs: add coolify compose example --- README.md | 44 ++++++++++++++++++++++ examples/coolify-compose.yml | 73 ++++++++++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+) create mode 100644 examples/coolify-compose.yml diff --git a/README.md b/README.md index c8b3769..a2c965a 100644 --- a/README.md +++ b/README.md 
@@ -49,6 +49,50 @@ This is usually found at `/pds/compose.yaml`on your PDS> - pds ``` +For Coolify, if you're using Traefik as your proxy you'll need to make sure the labels for the container are set up correctly. A full example can be found at [./examples/coolify-compose.yml](./examples/coolify-compose.yml). + +```yml +gatekeeper: + container_name: gatekeeper + image: 'fatfingers23/pds_gatekeeper:latest' + restart: unless-stopped + volumes: + - '/pds:/pds' + environment: + - 'PDS_DATA_DIRECTORY=${PDS_DATA_DIRECTORY:-/pds}' + - 'PDS_BASE_URL=http://pds:3000' + - GATEKEEPER_HOST=0.0.0.0 + depends_on: + - pds + healthcheck: + test: + - CMD + - timeout + - '1' + - bash + - '-c' + - 'cat < /dev/null > /dev/tcp/0.0.0.0/8080' + interval: 10s + timeout: 5s + retries: 3 + start_period: 10s + labels: + - traefik.enable=true + - 'traefik.http.routers.pds-gatekeeper.rule=Host(`yourpds.com`) && (Path(`/xrpc/com.atproto.server.getSession`) || Path(`/xrpc/com.atproto.server.updateEmail`) || Path(`/xrpc/com.atproto.server.createSession`) || Path(`/xrpc/com.atproto.server.createAccount`) || Path(`/@atproto/oauth-provider/~api/sign-in`))' + - traefik.http.routers.pds-gatekeeper.entrypoints=https + - traefik.http.routers.pds-gatekeeper.tls=true + - traefik.http.routers.pds-gatekeeper.priority=100 + - traefik.http.routers.pds-gatekeeper.middlewares=gatekeeper-cors + - traefik.http.services.pds-gatekeeper.loadbalancer.server.port=8080 + - traefik.http.services.pds-gatekeeper.loadbalancer.server.scheme=http + - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowmethods=GET,POST,PUT,DELETE,OPTIONS,PATCH' + - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowheaders=*' + - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolalloworiginlist=*' + - traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolmaxage=100 + - traefik.http.middlewares.gatekeeper-cors.headers.addvaryheader=true + - 
traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowcredentials=true +``` + ## Caddy setup For the reverse proxy I use caddy. This part is what overwrites the endpoints and proxies them to PDS gatekeeper to add diff --git a/examples/coolify-compose.yml b/examples/coolify-compose.yml new file mode 100644 index 0000000..1ee1acf --- /dev/null +++ b/examples/coolify-compose.yml 
@@ -0,0 +1,73 @@
+services:
+ pds:
+ image: 'ghcr.io/bluesky-social/pds:0.4.182'
+ volumes:
+ - '/pds:/pds'
+ environment:
+ - SERVICE_URL_PDS_3000
+ - 'PDS_HOSTNAME=${SERVICE_FQDN_PDS_3000}'
+ - 'PDS_JWT_SECRET=${SERVICE_HEX_32_JWTSECRET}'
+ - 'PDS_ADMIN_PASSWORD=${SERVICE_PASSWORD_ADMIN}'
+ - 'PDS_ADMIN_EMAIL=${PDS_ADMIN_EMAIL}'
+ - 'PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=${SERVICE_HEX_32_ROTATIONKEY}'
+ - 'PDS_DATA_DIRECTORY=${PDS_DATA_DIRECTORY:-/pds}'
+ - 'PDS_BLOBSTORE_DISK_LOCATION=${PDS_DATA_DIRECTORY:-/pds}/blocks'
+ - 'PDS_BLOB_UPLOAD_LIMIT=${PDS_BLOB_UPLOAD_LIMIT:-104857600}'
+ - 'PDS_DID_PLC_URL=${PDS_DID_PLC_URL:-https://plc.directory}'
+ - 'PDS_EMAIL_FROM_ADDRESS=${PDS_EMAIL_FROM_ADDRESS}'
+ - 'PDS_EMAIL_SMTP_URL=${PDS_EMAIL_SMTP_URL}'
+ - 'PDS_BSKY_APP_VIEW_URL=${PDS_BSKY_APP_VIEW_URL:-https://api.bsky.app}'
+ - 'PDS_BSKY_APP_VIEW_DID=${PDS_BSKY_APP_VIEW_DID:-did:web:api.bsky.app}'
+ - 'PDS_REPORT_SERVICE_URL=${PDS_REPORT_SERVICE_URL:-https://mod.bsky.app/xrpc/com.atproto.moderation.createReport}'
+ - 'PDS_REPORT_SERVICE_DID=${PDS_REPORT_SERVICE_DID:-did:plc:ar7c4by46qjdydhdevvrndac}'
+ - 'PDS_CRAWLERS=${PDS_CRAWLERS:-https://bsky.network}'
+ - 'LOG_ENABLED=${LOG_ENABLED:-true}'
+ command: "sh -c '\n set -euo pipefail\n echo \"Installing required packages and pdsadmin...\"\n apk add --no-cache openssl curl bash jq coreutils gnupg util-linux-misc >/dev/null\n curl -o /usr/local/bin/pdsadmin.sh https://raw.githubusercontent.com/bluesky-social/pds/main/pdsadmin.sh\n chmod 700 /usr/local/bin/pdsadmin.sh\n ln -sf /usr/local/bin/pdsadmin.sh /usr/local/bin/pdsadmin\n echo \"Creating an empty pds.env file so pdsadmin works...\"\n touch ${PDS_DATA_DIRECTORY}/pds.env\n echo \"Launching PDS, enjoy!...\"\n exec node --enable-source-maps index.js\n'\n"
+ healthcheck:
+ test:
+ - CMD
+ - wget
+ - '--spider'
+ - 'http://127.0.0.1:3000/xrpc/_health'
+ interval: 5s
+ timeout: 10s
+ retries: 10
+ gatekeeper:
+ container_name: gatekeeper
+ image: 'fatfingers23/pds_gatekeeper:latest'
+ restart: unless-stopped
+ volumes:
+ - '/pds:/pds'
+ environment:
+ - 'PDS_DATA_DIRECTORY=${PDS_DATA_DIRECTORY:-/pds}'
+ - 'PDS_BASE_URL=http://pds:3000'
+ - GATEKEEPER_HOST=0.0.0.0
+ depends_on:
+ - pds
+ healthcheck:
+ test:
+ - CMD
+ - timeout
+ - '1'
+ - bash
+ - '-c'
+ - 'cat < /dev/null > /dev/tcp/0.0.0.0/8080'
+ interval: 10s
+ timeout: 5s
+ retries: 3
+ start_period: 10s
+ labels:
+ - traefik.enable=true
+ - 'traefik.http.routers.pds-gatekeeper.rule=Host(`yourpds.com`) && (Path(`/xrpc/com.atproto.server.getSession`) || Path(`/xrpc/com.atproto.server.updateEmail`) || Path(`/xrpc/com.atproto.server.createSession`) || Path(`/xrpc/com.atproto.server.createAccount`) || Path(`/@atproto/oauth-provider/~api/sign-in`))'
+ - traefik.http.routers.pds-gatekeeper.entrypoints=https
+ - traefik.http.routers.pds-gatekeeper.tls=true
+ - traefik.http.routers.pds-gatekeeper.priority=100
+ - traefik.http.routers.pds-gatekeeper.middlewares=gatekeeper-cors
+ - traefik.http.services.pds-gatekeeper.loadbalancer.server.port=8080
+ - traefik.http.services.pds-gatekeeper.loadbalancer.server.scheme=http
+ - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowmethods=GET,POST,PUT,DELETE,OPTIONS,PATCH'
+ - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowheaders=*'
+ - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolalloworiginlist=*'
+ - traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolmaxage=100
+ - traefik.http.middlewares.gatekeeper-cors.headers.addvaryheader=true
+ - traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowcredentials=true
-- 2.43.0
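Review bot: The `gatekeeper-cors` labels combine `accesscontrolalloworiginlist=*` with `accesscontrolallowcredentials=true` on the router that fronts `createSession`, `getSession` and the OAuth sign-in path (the README snippet in the first hunk repeats them). Browsers reject a credentialed response whose allowed origin is the literal `*`, so the pair does not do what it appears to, and a later switch to echoing the request origin would let any site make credentialed calls to these endpoints; if clients authenticate with bearer tokens, drop the `accesscontrolallowcredentials=true` label, otherwise replace `*` with the explicit origins that need access. In the `pds` `command`, `pdsadmin.sh` is fetched from the `main` branch at every container start with no `--fail` and no checksum, and `fatfingers23/pds_gatekeeper:latest` is unpinned while the `pds` image is pinned; a commit-pinned URL with `curl -fsSL` and a version or digest tag would keep the example reproducible. `touch ${PDS_DATA_DIRECTORY}/pds.env` also omits the `:-/pds` default used in the `environment` entries, so with the variable unset it presumably resolves to `/pds.env`.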