A community based topic aggregation platform built on atproto
bretton.dev
1# Coves Production Stack
2#
3# Architecture:
4# - coves.social: AppView domain (API, frontend, .well-known/did.json)
5# - pds.coves.me: PDS domain (canonical hostname for relay registration)
6# - coves.me: PDS domain (legacy, kept for compatibility)
7#
8# Hardware: AMD Epyc 7351p (16c/32t), 256GB RAM, 2x500GB NVMe RAID
9#
10# Usage:
11# docker-compose -f docker-compose.prod.yml up -d
12#
13# Prerequisites:
14# 1. DNS configured for both domains
15# 2. SSL certificates (Caddy handles this automatically)
16# 3. .env.prod file with secrets
17# 4. .well-known/did.json deployed to coves.social
18
19services:
20 # PostgreSQL Database for AppView
21 postgres:
22 image: postgres:15
23 container_name: coves-prod-postgres
24 restart: unless-stopped
25 environment:
26 POSTGRES_DB: ${POSTGRES_DB}
27 POSTGRES_USER: ${POSTGRES_USER}
28 POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
29 volumes:
30 - postgres-data:/var/lib/postgresql/data
31 # Mount backup directory for pg_dump
32 - ./backups:/backups
33 networks:
34 - coves-internal
35 healthcheck:
36 test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
37 interval: 10s
38 timeout: 5s
39 retries: 5
40 # Generous limits for 256GB server
41 deploy:
42 resources:
43 limits:
44 memory: 32G
45 reservations:
46 memory: 4G
47
48 # Coves AppView (Go Server)
49 appview:
50 build:
51 context: .
52 dockerfile: Dockerfile
53 image: coves/appview:${VERSION:-latest}
54 container_name: coves-prod-appview
55 restart: unless-stopped
56 ports:
57 - "127.0.0.1:8080:8080" # Only expose to localhost (Caddy proxies)
58 environment:
59 # Database
60 DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable
61
62 # Instance identity
63 INSTANCE_DID: did:web:coves.social
64 INSTANCE_DOMAIN: coves.social
65
66 # PDS connection (separate domain!)
67 PDS_URL: https://coves.me
68
69 # Jetstream (Bluesky production firehose)
70 JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe
71
72 # Custom lexicon consumers (use production Jetstream with collection filters)
73 COMMUNITY_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription
74 POST_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post
75 AGGREGATOR_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.aggregator.service&wantedCollections=social.coves.aggregator.authorization
76 VOTE_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote
77 COMMENT_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment
78
79 # Security - MUST be false in production
80 AUTH_SKIP_VERIFY: "false"
81 SKIP_DID_WEB_VERIFICATION: "false"
82
83 # OAuth (for community account provisioning)
84 OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID}
85 OAUTH_REDIRECT_URI: ${OAUTH_REDIRECT_URI}
86
87 # Application settings
88 PORT: 8080
89 ENV: production
90 LOG_LEVEL: info
91
92 # Encryption key for community credentials
93 ENCRYPTION_KEY: ${ENCRYPTION_KEY}
94
95 # Cursor encryption for pagination
96 CURSOR_SECRET: ${CURSOR_SECRET}
97
98 # PDS JWT secret for verifying HS256 tokens from the PDS
99 # Must match the PDS_JWT_SECRET configured on the PDS
100 PDS_JWT_SECRET: ${PDS_JWT_SECRET}
101 # Whitelist PDS issuer(s) allowed to use HS256 (no kid)
102 HS256_ISSUERS: ${HS256_ISSUERS}
103
104 # Restrict community creation to instance DID only
105 COMMUNITY_CREATORS: did:web:coves.social
106 networks:
107 - coves-internal
108 depends_on:
109 postgres:
110 condition: service_healthy
111 healthcheck:
112 test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080/xrpc/_health"]
113 interval: 30s
114 timeout: 5s
115 retries: 3
116 start_period: 10s
117 # Go is memory-efficient, but give it room for connection pools
118 deploy:
119 resources:
120 limits:
121 memory: 8G
122 reservations:
123 memory: 512M
124
125 # Bluesky PDS (Personal Data Server)
126 # Handles community accounts and their repositories
127 pds:
128 image: ghcr.io/bluesky-social/pds:latest
129 container_name: coves-prod-pds
130 restart: unless-stopped
131 ports:
132 - "127.0.0.1:3000:3000" # Only expose to localhost (Caddy proxies)
133 environment:
134 # PDS identity (use pds.coves.me for fresh relay registration)
135 PDS_HOSTNAME: pds.coves.me
136 PDS_PORT: 3000
137 PDS_DATA_DIRECTORY: /pds
138 PDS_BLOB_UPLOAD_LIMIT: 104857600 # 100 MB
139
140 # S3-compatible blob storage
141 PDS_BLOBSTORE_S3_BUCKET: ${PDS_S3_BUCKET}
142 PDS_BLOBSTORE_S3_REGION: ${PDS_S3_REGION}
143 PDS_BLOBSTORE_S3_ENDPOINT: ${PDS_S3_ENDPOINT}
144 PDS_BLOBSTORE_S3_ACCESS_KEY_ID: ${PDS_S3_ACCESS_KEY_ID}
145 PDS_BLOBSTORE_S3_SECRET_ACCESS_KEY: ${PDS_S3_SECRET_ACCESS_KEY}
146 PDS_BLOBSTORE_S3_FORCE_PATH_STYLE: "true"
147
148 # PLC Directory (production)
149 PDS_DID_PLC_URL: https://plc.directory
150
151 # Handle domains
152 # Community handles use @community.coves.social (AppView domain)
153 # Note: Root domain (coves.social) handle works via .well-known resolution
154 PDS_SERVICE_HANDLE_DOMAINS: .coves.social
155
156 # Security (set real values in .env.prod)
157 PDS_JWT_SECRET: ${PDS_JWT_SECRET}
158 PDS_ADMIN_PASSWORD: ${PDS_ADMIN_PASSWORD}
159 PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: ${PDS_ROTATION_KEY}
160
161 # Email (optional, for account recovery)
162 # NOTE: Must set BOTH or NEITHER - PDS fails with partial config
163 # PDS_EMAIL_SMTP_URL: ${PDS_EMAIL_SMTP_URL}
164 # PDS_EMAIL_FROM_ADDRESS: ${PDS_EMAIL_FROM_ADDRESS}
165
166 # Production mode
167 PDS_DEV_MODE: "false"
168 PDS_INVITE_REQUIRED: "false" # Set to true if you want invite-only
169
170 # Logging
171 NODE_ENV: production
172 LOG_ENABLED: "true"
173 LOG_LEVEL: info
174
175 # AppView proxy (for app.bsky.* methods like getProfile, notifications, etc.)
176 PDS_BSKY_APP_VIEW_URL: https://api.bsky.app
177 PDS_BSKY_APP_VIEW_DID: did:web:api.bsky.app
178
179 # Report service (for reporting content)
180 PDS_REPORT_SERVICE_URL: https://mod.bsky.app
181 PDS_REPORT_SERVICE_DID: did:plc:ar7c4by46qjdydhdevvrndac
182
183 # Relay crawlers (for federation with Bluesky network)
184 PDS_CRAWLERS: https://bsky.network,https://relay1.us-east.bsky.network,https://relay1.us-west.bsky.network,https://relay.fire.hose.cam,https://relay.upcloud.world
185 volumes:
186 - pds-data:/pds
187 networks:
188 - coves-internal
189 healthcheck:
190 test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/xrpc/_health"]
191 interval: 30s
192 timeout: 5s
193 retries: 5
194 # PDS (Node.js) needs memory for blob handling
195 deploy:
196 resources:
197 limits:
198 memory: 16G
199 reservations:
200 memory: 1G
201
202 # Caddy Reverse Proxy
203 # Handles HTTPS automatically via Let's Encrypt
204 # Uses Cloudflare plugin for wildcard SSL certificates (*.coves.social)
205 caddy:
206 # Pre-built Caddy with Cloudflare DNS plugin
207 # Updates automatically with docker-compose pull
208 # Alternative: build your own with Dockerfile.caddy
209 image: ghcr.io/slothcroissant/caddy-cloudflaredns:latest
210 container_name: coves-prod-caddy
211 restart: unless-stopped
212 ports:
213 - "80:80"
214 - "443:443"
215 environment:
216 # Required for wildcard SSL via DNS challenge
217 # Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token
218 # Permissions: Zone:DNS:Edit for coves.social zone
219 CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
220 volumes:
221 - ./Caddyfile:/etc/caddy/Caddyfile:ro
222 - caddy-data:/data
223 - caddy-config:/config
224 # Static files (.well-known, client-metadata.json, oauth callback)
225 - ./static:/srv:ro
226 networks:
227 - coves-internal
228 depends_on:
229 - appview
230 - pds
231
232networks:
233 coves-internal:
234 driver: bridge
235 name: coves-prod-network
236
237volumes:
238 postgres-data:
239 name: coves-prod-postgres-data
240 pds-data:
241 name: coves-prod-pds-data
242 caddy-data:
243 name: coves-prod-caddy-data
244 caddy-config:
245 name: coves-prod-caddy-config