docker-compose.prod.yml at feat/dpop-token-binding · bretton.dev/coves

bretton.dev / coves
A community based topic aggregation platform built on atproto
coves / docker-compose.prod.yml
at feat/dpop-token-binding 8.4 kB view raw
  1# Coves Production Stack
  2#
  3# Architecture:
  4#   - coves.social: AppView domain (API, frontend, .well-known/did.json)
  5#   - pds.coves.me: PDS domain (canonical hostname for relay registration)
  6#   - coves.me: PDS domain (legacy, kept for compatibility)
  7#
  8# Hardware: AMD Epyc 7351p (16c/32t), 256GB RAM, 2x500GB NVMe RAID
  9#
 10# Usage:
 11#   docker-compose -f docker-compose.prod.yml up -d
 12#
 13# Prerequisites:
 14#   1. DNS configured for both domains
 15#   2. SSL certificates (Caddy handles this automatically)
 16#   3. .env.prod file with secrets
 17#   4. .well-known/did.json deployed to coves.social
 18
 19services:
 20  # PostgreSQL Database for AppView
 21  postgres:
 22    image: postgres:15
 23    container_name: coves-prod-postgres
 24    restart: unless-stopped
 25    environment:
 26      POSTGRES_DB: ${POSTGRES_DB}
 27      POSTGRES_USER: ${POSTGRES_USER}
 28      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
 29    volumes:
 30      - postgres-data:/var/lib/postgresql/data
 31      # Mount backup directory for pg_dump
 32      - ./backups:/backups
 33    networks:
 34      - coves-internal
 35    healthcheck:
 36      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
 37      interval: 10s
 38      timeout: 5s
 39      retries: 5
 40    # Generous limits for 256GB server
 41    deploy:
 42      resources:
 43        limits:
 44          memory: 32G
 45        reservations:
 46          memory: 4G
 47
 48  # Coves AppView (Go Server)
 49  appview:
 50    build:
 51      context: .
 52      dockerfile: Dockerfile
 53    image: coves/appview:${VERSION:-latest}
 54    container_name: coves-prod-appview
 55    restart: unless-stopped
 56    ports:
 57      - "127.0.0.1:8080:8080"  # Only expose to localhost (Caddy proxies)
 58    environment:
 59      # Database
 60      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable
 61
 62      # Instance identity
 63      INSTANCE_DID: did:web:coves.social
 64      INSTANCE_DOMAIN: coves.social
 65
 66      # PDS connection (separate domain!)
 67      PDS_URL: https://coves.me
 68
 69      # Jetstream (Bluesky production firehose)
 70      JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe
 71
 72      # Custom lexicon consumers (use production Jetstream with collection filters)
 73      COMMUNITY_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription
 74      POST_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post
 75      AGGREGATOR_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.aggregator.service&wantedCollections=social.coves.aggregator.authorization
 76      VOTE_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote
 77      COMMENT_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment
 78
 79      # Security - MUST be false in production
 80      AUTH_SKIP_VERIFY: "false"
 81      SKIP_DID_WEB_VERIFICATION: "false"
 82
 83      # OAuth (for community account provisioning)
 84      OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID}
 85      OAUTH_REDIRECT_URI: ${OAUTH_REDIRECT_URI}
 86      OAUTH_PRIVATE_JWK: ${OAUTH_PRIVATE_JWK}
 87
 88      # Application settings
 89      PORT: 8080
 90      ENV: production
 91      LOG_LEVEL: info
 92
 93      # Encryption key for community credentials
 94      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
 95
 96      # Cursor encryption for pagination
 97      CURSOR_SECRET: ${CURSOR_SECRET}
 98
 99      # PDS JWT secret for verifying HS256 tokens from the PDS
100      # Must match the PDS_JWT_SECRET configured on the PDS
101      PDS_JWT_SECRET: ${PDS_JWT_SECRET}
102      # Whitelist PDS issuer(s) allowed to use HS256 (no kid)
103      HS256_ISSUERS: ${HS256_ISSUERS}
104
105      # Restrict community creation to instance DID only
106      COMMUNITY_CREATORS: did:web:coves.social
107    networks:
108      - coves-internal
109    depends_on:
110      postgres:
111        condition: service_healthy
112    healthcheck:
113      test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080/xrpc/_health"]
114      interval: 30s
115      timeout: 5s
116      retries: 3
117      start_period: 10s
118    # Go is memory-efficient, but give it room for connection pools
119    deploy:
120      resources:
121        limits:
122          memory: 8G
123        reservations:
124          memory: 512M
125
126  # Bluesky PDS (Personal Data Server)
127  # Handles community accounts and their repositories
128  pds:
129    image: ghcr.io/bluesky-social/pds:latest
130    container_name: coves-prod-pds
131    restart: unless-stopped
132    ports:
133      - "127.0.0.1:3000:3000"  # Only expose to localhost (Caddy proxies)
134    environment:
135      # PDS identity (use pds.coves.me for fresh relay registration)
136      PDS_HOSTNAME: pds.coves.me
137      PDS_PORT: 3000
138      PDS_DATA_DIRECTORY: /pds
139      PDS_BLOB_UPLOAD_LIMIT: 104857600  # 100 MB
140
141      # S3-compatible blob storage
142      PDS_BLOBSTORE_S3_BUCKET: ${PDS_S3_BUCKET}
143      PDS_BLOBSTORE_S3_REGION: ${PDS_S3_REGION}
144      PDS_BLOBSTORE_S3_ENDPOINT: ${PDS_S3_ENDPOINT}
145      PDS_BLOBSTORE_S3_ACCESS_KEY_ID: ${PDS_S3_ACCESS_KEY_ID}
146      PDS_BLOBSTORE_S3_SECRET_ACCESS_KEY: ${PDS_S3_SECRET_ACCESS_KEY}
147      PDS_BLOBSTORE_S3_FORCE_PATH_STYLE: "true"
148
149      # PLC Directory (production)
150      PDS_DID_PLC_URL: https://plc.directory
151
152      # Handle domains
153      # Community handles use @community.coves.social (AppView domain)
154      # Note: Root domain (coves.social) handle works via .well-known resolution
155      PDS_SERVICE_HANDLE_DOMAINS: .coves.social
156
157      # Security (set real values in .env.prod)
158      PDS_JWT_SECRET: ${PDS_JWT_SECRET}
159      PDS_ADMIN_PASSWORD: ${PDS_ADMIN_PASSWORD}
160      PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: ${PDS_ROTATION_KEY}
161
162      # Email (optional, for account recovery)
163      # NOTE: Must set BOTH or NEITHER - PDS fails with partial config
164      # PDS_EMAIL_SMTP_URL: ${PDS_EMAIL_SMTP_URL}
165      # PDS_EMAIL_FROM_ADDRESS: ${PDS_EMAIL_FROM_ADDRESS}
166
167      # Production mode
168      PDS_DEV_MODE: "false"
169      PDS_INVITE_REQUIRED: "false"  # Set to true if you want invite-only
170
171      # Logging
172      NODE_ENV: production
173      LOG_ENABLED: "true"
174      LOG_LEVEL: info
175
176      # AppView proxy (for app.bsky.* methods like getProfile, notifications, etc.)
177      PDS_BSKY_APP_VIEW_URL: https://api.bsky.app
178      PDS_BSKY_APP_VIEW_DID: did:web:api.bsky.app
179
180      # Report service (for reporting content)
181      PDS_REPORT_SERVICE_URL: https://mod.bsky.app
182      PDS_REPORT_SERVICE_DID: did:plc:ar7c4by46qjdydhdevvrndac
183
184      # Relay crawlers (for federation with Bluesky network)
185      PDS_CRAWLERS: https://bsky.network,https://relay1.us-east.bsky.network,https://relay1.us-west.bsky.network,https://relay.fire.hose.cam,https://relay.upcloud.world
186    volumes:
187      - pds-data:/pds
188    networks:
189      - coves-internal
190    healthcheck:
191      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/xrpc/_health"]
192      interval: 30s
193      timeout: 5s
194      retries: 5
195    # PDS (Node.js) needs memory for blob handling
196    deploy:
197      resources:
198        limits:
199          memory: 16G
200        reservations:
201          memory: 1G
202
203  # Caddy Reverse Proxy
204  # Handles HTTPS automatically via Let's Encrypt
205  # Uses Cloudflare plugin for wildcard SSL certificates (*.coves.social)
206  caddy:
207    # Pre-built Caddy with Cloudflare DNS plugin
208    # Updates automatically with docker-compose pull
209    # Alternative: build your own with Dockerfile.caddy
210    image: ghcr.io/slothcroissant/caddy-cloudflaredns:latest
211    container_name: coves-prod-caddy
212    restart: unless-stopped
213    ports:
214      - "80:80"
215      - "443:443"
216    environment:
217      # Required for wildcard SSL via DNS challenge
218      # Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token
219      # Permissions: Zone:DNS:Edit for coves.social zone
220      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
221    volumes:
222      - ./Caddyfile:/etc/caddy/Caddyfile:ro
223      - caddy-data:/data
224      - caddy-config:/config
225      # Static files (.well-known, client-metadata.json, oauth callback)
226      - ./static:/srv:ro
227    networks:
228      - coves-internal
229    depends_on:
230      - appview
231      - pds
232
233networks:
234  coves-internal:
235    driver: bridge
236    name: coves-prod-network
237
238volumes:
239  postgres-data:
240    name: coves-prod-postgres-data
241  pds-data:
242    name: coves-prod-pds-data
243  caddy-data:
244    name: coves-prod-caddy-data
245  caddy-config:
246    name: coves-prod-caddy-config