docker-compose.prod.yml at 1059fb79830a15a41fde3c4653e83584dc619512 · bretton.dev/coves

bretton.dev / coves
A community based topic aggregation platform built on atproto
coves / docker-compose.prod.yml
at 1059fb79830a15a41fde3c4653e83584dc619512 7.0 kB view raw
  1# Coves Production Stack
  2#
  3# Architecture:
  4#   - coves.social: AppView domain (API, frontend, .well-known/did.json)
  5#   - coves.me: PDS domain (must be separate from AppView)
  6#
  7# Hardware: AMD Epyc 7351p (16c/32t), 256GB RAM, 2x500GB NVMe RAID
  8#
  9# Usage:
 10#   docker-compose -f docker-compose.prod.yml up -d
 11#
 12# Prerequisites:
 13#   1. DNS configured for both domains
 14#   2. SSL certificates (Caddy handles this automatically)
 15#   3. .env.prod file with secrets
 16#   4. .well-known/did.json deployed to coves.social
 17
 18services:
 19  # PostgreSQL Database for AppView
 20  postgres:
 21    image: postgres:15
 22    container_name: coves-prod-postgres
 23    restart: unless-stopped
 24    environment:
 25      POSTGRES_DB: ${POSTGRES_DB}
 26      POSTGRES_USER: ${POSTGRES_USER}
 27      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
 28    volumes:
 29      - postgres-data:/var/lib/postgresql/data
 30      # Mount backup directory for pg_dump
 31      - ./backups:/backups
 32    networks:
 33      - coves-internal
 34    healthcheck:
 35      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
 36      interval: 10s
 37      timeout: 5s
 38      retries: 5
 39    # Generous limits for 256GB server
 40    deploy:
 41      resources:
 42        limits:
 43          memory: 32G
 44        reservations:
 45          memory: 4G
 46
 47  # Coves AppView (Go Server)
 48  appview:
 49    build:
 50      context: .
 51      dockerfile: Dockerfile
 52    image: coves/appview:${VERSION:-latest}
 53    container_name: coves-prod-appview
 54    restart: unless-stopped
 55    ports:
 56      - "127.0.0.1:8080:8080"  # Only expose to localhost (Caddy proxies)
 57    environment:
 58      # Database
 59      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable
 60
 61      # Instance identity
 62      INSTANCE_DID: did:web:coves.social
 63      INSTANCE_DOMAIN: coves.social
 64
 65      # PDS connection (separate domain!)
 66      PDS_URL: https://coves.me
 67
 68      # Jetstream (Bluesky production firehose)
 69      JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe
 70
 71      # Custom lexicon consumers (use production Jetstream with collection filters)
 72      COMMUNITY_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription
 73      POST_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post
 74      AGGREGATOR_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.aggregator.service&wantedCollections=social.coves.aggregator.authorization
 75      VOTE_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote
 76      COMMENT_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment
 77
 78      # Security - MUST be false in production
 79      AUTH_SKIP_VERIFY: "false"
 80      SKIP_DID_WEB_VERIFICATION: "false"
 81
 82      # OAuth (for community account provisioning)
 83      OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID}
 84      OAUTH_REDIRECT_URI: ${OAUTH_REDIRECT_URI}
 85      OAUTH_PRIVATE_JWK: ${OAUTH_PRIVATE_JWK}
 86
 87      # Application settings
 88      PORT: 8080
 89      ENV: production
 90      LOG_LEVEL: info
 91
 92      # Encryption key for community credentials
 93      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
 94
 95      # Cursor encryption for pagination
 96      CURSOR_SECRET: ${CURSOR_SECRET}
 97    networks:
 98      - coves-internal
 99    depends_on:
100      postgres:
101        condition: service_healthy
102    healthcheck:
103      test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080/xrpc/_health"]
104      interval: 30s
105      timeout: 5s
106      retries: 3
107      start_period: 10s
108    # Go is memory-efficient, but give it room for connection pools
109    deploy:
110      resources:
111        limits:
112          memory: 8G
113        reservations:
114          memory: 512M
115
116  # Bluesky PDS (Personal Data Server)
117  # Handles community accounts and their repositories
118  pds:
119    image: ghcr.io/bluesky-social/pds:latest
120    container_name: coves-prod-pds
121    restart: unless-stopped
122    ports:
123      - "127.0.0.1:3000:3000"  # Only expose to localhost (Caddy proxies)
124    environment:
125      # PDS identity
126      PDS_HOSTNAME: coves.me
127      PDS_PORT: 3000
128      PDS_DATA_DIRECTORY: /pds
129      PDS_BLOBSTORE_DISK_LOCATION: /pds/blocks
130
131      # PLC Directory (production)
132      PDS_DID_PLC_URL: https://plc.directory
133
134      # Handle domains
135      # Community handles use @community.coves.social (AppView domain)
136      # Include both root domain and subdomains
137      PDS_SERVICE_HANDLE_DOMAINS: .coves.social,coves.social
138
139      # Security (set real values in .env.prod)
140      PDS_JWT_SECRET: ${PDS_JWT_SECRET}
141      PDS_ADMIN_PASSWORD: ${PDS_ADMIN_PASSWORD}
142      PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: ${PDS_ROTATION_KEY}
143
144      # Email (optional, for account recovery)
145      # NOTE: Must set BOTH or NEITHER - PDS fails with partial config
146      # PDS_EMAIL_SMTP_URL: ${PDS_EMAIL_SMTP_URL}
147      # PDS_EMAIL_FROM_ADDRESS: ${PDS_EMAIL_FROM_ADDRESS}
148
149      # Production mode
150      PDS_DEV_MODE: "false"
151      PDS_INVITE_REQUIRED: "false"  # Set to true if you want invite-only
152
153      # Logging
154      NODE_ENV: production
155      LOG_ENABLED: "true"
156      LOG_LEVEL: info
157    volumes:
158      - pds-data:/pds
159    networks:
160      - coves-internal
161    healthcheck:
162      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/xrpc/_health"]
163      interval: 30s
164      timeout: 5s
165      retries: 5
166    # PDS (Node.js) needs memory for blob handling
167    deploy:
168      resources:
169        limits:
170          memory: 16G
171        reservations:
172          memory: 1G
173
174  # Caddy Reverse Proxy
175  # Handles HTTPS automatically via Let's Encrypt
176  # Uses Cloudflare plugin for wildcard SSL certificates (*.coves.social)
177  caddy:
178    # Pre-built Caddy with Cloudflare DNS plugin
179    # Updates automatically with docker-compose pull
180    # Alternative: build your own with Dockerfile.caddy
181    image: ghcr.io/slothcroissant/caddy-cloudflaredns:latest
182    container_name: coves-prod-caddy
183    restart: unless-stopped
184    ports:
185      - "80:80"
186      - "443:443"
187    environment:
188      # Required for wildcard SSL via DNS challenge
189      # Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token
190      # Permissions: Zone:DNS:Edit for coves.social zone
191      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
192    volumes:
193      - ./Caddyfile:/etc/caddy/Caddyfile:ro
194      - caddy-data:/data
195      - caddy-config:/config
196      # Static files (.well-known, client-metadata.json, oauth callback)
197      - ./static:/srv:ro
198    networks:
199      - coves-internal
200    depends_on:
201      - appview
202      - pds
203
204networks:
205  coves-internal:
206    driver: bridge
207    name: coves-prod-network
208
209volumes:
210  postgres-data:
211    name: coves-prod-postgres-data
212  pds-data:
213    name: coves-prod-pds-data
214  caddy-data:
215    name: coves-prod-caddy-data
216  caddy-config:
217    name: coves-prod-caddy-config