docker-compose.prod.yml at main · bretton.dev/coves

bretton.dev / coves
A community based topic aggregation platform built on atproto
coves / docker-compose.prod.yml
at main 8.5 kB view raw
  1# Coves Production Stack
  2#
  3# Architecture:
  4#   - coves.social: AppView domain (API, frontend, .well-known/did.json)
  5#   - pds.coves.me: PDS domain (canonical hostname for relay registration)
  6#   - coves.me: PDS domain (legacy, kept for compatibility)
  7#
  8# Hardware: AMD Epyc 7351p (16c/32t), 256GB RAM, 2x500GB NVMe RAID
  9#
 10# Usage:
 11#   docker-compose -f docker-compose.prod.yml up -d
 12#
 13# Prerequisites:
 14#   1. DNS configured for both domains
 15#   2. SSL certificates (Caddy handles this automatically)
 16#   3. .env.prod file with secrets
 17#   4. .well-known/did.json deployed to coves.social
 18
 19services:
 20  # PostgreSQL Database for AppView
 21  postgres:
 22    image: postgres:15
 23    container_name: coves-prod-postgres
 24    restart: unless-stopped
 25    environment:
 26      POSTGRES_DB: ${POSTGRES_DB}
 27      POSTGRES_USER: ${POSTGRES_USER}
 28      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
 29    volumes:
 30      - postgres-data:/var/lib/postgresql/data
 31      # Mount backup directory for pg_dump
 32      - ./backups:/backups
 33    networks:
 34      - coves-internal
 35    healthcheck:
 36      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
 37      interval: 10s
 38      timeout: 5s
 39      retries: 5
 40    # Generous limits for 256GB server
 41    deploy:
 42      resources:
 43        limits:
 44          memory: 32G
 45        reservations:
 46          memory: 4G
 47
 48  # Coves AppView (Go Server)
 49  appview:
 50    build:
 51      context: .
 52      dockerfile: Dockerfile
 53    image: coves/appview:${VERSION:-latest}
 54    container_name: coves-prod-appview
 55    restart: unless-stopped
 56    ports:
 57      - "127.0.0.1:8080:8080"  # Only expose to localhost (Caddy proxies)
 58    environment:
 59      # Database
 60      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable
 61
 62      # Instance identity
 63      INSTANCE_DID: did:web:coves.social
 64      INSTANCE_DOMAIN: coves.social
 65      APPVIEW_PUBLIC_URL: https://coves.social
 66
 67      # PDS connection (separate domain!)
 68      PDS_URL: https://coves.me
 69
 70      # Jetstream (Bluesky production firehose)
 71      JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe
 72
 73      # Custom lexicon consumers (use production Jetstream with collection filters)
 74      COMMUNITY_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription
 75      POST_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post
 76      AGGREGATOR_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.aggregator.service&wantedCollections=social.coves.aggregator.authorization
 77      VOTE_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote
 78      COMMENT_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment
 79
 80      # Security - MUST be false in production
 81      AUTH_SKIP_VERIFY: "false"
 82      SKIP_DID_WEB_VERIFICATION: "false"
 83
 84      # OAuth (for community account provisioning)
 85      OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID}
 86      OAUTH_REDIRECT_URI: ${OAUTH_REDIRECT_URI}
 87      OAUTH_SEAL_SECRET: ${OAUTH_SEAL_SECRET}
 88
 89      # Application settings
 90      PORT: 8080
 91      ENV: production
 92      LOG_LEVEL: info
 93
 94      # Encryption key for community credentials
 95      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
 96
 97      # Cursor encryption for pagination
 98      CURSOR_SECRET: ${CURSOR_SECRET}
 99
100      # PDS JWT secret for verifying HS256 tokens from the PDS
101      # Must match the PDS_JWT_SECRET configured on the PDS
102      PDS_JWT_SECRET: ${PDS_JWT_SECRET}
103      # Whitelist PDS issuer(s) allowed to use HS256 (no kid)
104      HS256_ISSUERS: ${HS256_ISSUERS}
105
106      # Restrict community creation to instance DID only
107      COMMUNITY_CREATORS: did:web:coves.social
108    networks:
109      - coves-internal
110    depends_on:
111      postgres:
112        condition: service_healthy
113    healthcheck:
114      test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080/xrpc/_health"]
115      interval: 30s
116      timeout: 5s
117      retries: 3
118      start_period: 10s
119    # Go is memory-efficient, but give it room for connection pools
120    deploy:
121      resources:
122        limits:
123          memory: 8G
124        reservations:
125          memory: 512M
126
127  # Bluesky PDS (Personal Data Server)
128  # Handles community accounts and their repositories
129  pds:
130    image: ghcr.io/bluesky-social/pds:latest
131    container_name: coves-prod-pds
132    restart: unless-stopped
133    ports:
134      - "127.0.0.1:3000:3000"  # Only expose to localhost (Caddy proxies)
135    environment:
136      # PDS identity (use pds.coves.me for fresh relay registration)
137      PDS_HOSTNAME: pds.coves.me
138      PDS_PORT: 3000
139      PDS_DATA_DIRECTORY: /pds
140      PDS_BLOB_UPLOAD_LIMIT: 104857600  # 100 MB
141
142      # S3-compatible blob storage
143      PDS_BLOBSTORE_S3_BUCKET: ${PDS_S3_BUCKET}
144      PDS_BLOBSTORE_S3_REGION: ${PDS_S3_REGION}
145      PDS_BLOBSTORE_S3_ENDPOINT: ${PDS_S3_ENDPOINT}
146      PDS_BLOBSTORE_S3_ACCESS_KEY_ID: ${PDS_S3_ACCESS_KEY_ID}
147      PDS_BLOBSTORE_S3_SECRET_ACCESS_KEY: ${PDS_S3_SECRET_ACCESS_KEY}
148      PDS_BLOBSTORE_S3_FORCE_PATH_STYLE: "true"
149
150      # PLC Directory (production)
151      PDS_DID_PLC_URL: https://plc.directory
152
153      # Handle domains
154      # Community handles use @community.coves.social (AppView domain)
155      # Note: Root domain (coves.social) handle works via .well-known resolution
156      PDS_SERVICE_HANDLE_DOMAINS: .coves.social
157
158      # Security (set real values in .env.prod)
159      PDS_JWT_SECRET: ${PDS_JWT_SECRET}
160      PDS_ADMIN_PASSWORD: ${PDS_ADMIN_PASSWORD}
161      PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: ${PDS_ROTATION_KEY}
162
163      # Email (optional, for account recovery)
164      # NOTE: Must set BOTH or NEITHER - PDS fails with partial config
165      # PDS_EMAIL_SMTP_URL: ${PDS_EMAIL_SMTP_URL}
166      # PDS_EMAIL_FROM_ADDRESS: ${PDS_EMAIL_FROM_ADDRESS}
167
168      # Production mode
169      PDS_DEV_MODE: "false"
170      PDS_INVITE_REQUIRED: "false"  # Set to true if you want invite-only
171
172      # Logging
173      NODE_ENV: production
174      LOG_ENABLED: "true"
175      LOG_LEVEL: info
176
177      # AppView proxy (for app.bsky.* methods like getProfile, notifications, etc.)
178      PDS_BSKY_APP_VIEW_URL: https://api.bsky.app
179      PDS_BSKY_APP_VIEW_DID: did:web:api.bsky.app
180
181      # Report service (for reporting content)
182      PDS_REPORT_SERVICE_URL: https://mod.bsky.app
183      PDS_REPORT_SERVICE_DID: did:plc:ar7c4by46qjdydhdevvrndac
184
185      # Relay crawlers (for federation with Bluesky network)
186      PDS_CRAWLERS: https://bsky.network,https://relay1.us-east.bsky.network,https://relay1.us-west.bsky.network,https://relay.fire.hose.cam,https://relay.upcloud.world
187    volumes:
188      - pds-data:/pds
189    networks:
190      - coves-internal
191    healthcheck:
192      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/xrpc/_health"]
193      interval: 30s
194      timeout: 5s
195      retries: 5
196    # PDS (Node.js) needs memory for blob handling
197    deploy:
198      resources:
199        limits:
200          memory: 16G
201        reservations:
202          memory: 1G
203
204  # Caddy Reverse Proxy
205  # Handles HTTPS automatically via Let's Encrypt
206  # Uses Cloudflare plugin for wildcard SSL certificates (*.coves.social)
207  caddy:
208    # Pre-built Caddy with Cloudflare DNS plugin
209    # Updates automatically with docker-compose pull
210    # Alternative: build your own with Dockerfile.caddy
211    image: ghcr.io/slothcroissant/caddy-cloudflaredns:latest
212    container_name: coves-prod-caddy
213    restart: unless-stopped
214    ports:
215      - "80:80"
216      - "443:443"
217    environment:
218      # Required for wildcard SSL via DNS challenge
219      # Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token
220      # Permissions: Zone:DNS:Edit for coves.social zone
221      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
222    volumes:
223      - ./Caddyfile:/etc/caddy/Caddyfile:ro
224      - caddy-data:/data
225      - caddy-config:/config
226      # Static files (.well-known, client-metadata.json, oauth callback)
227      - ./static:/srv:ro
228    networks:
229      - coves-internal
230    depends_on:
231      - appview
232      - pds
233
234networks:
235  coves-internal:
236    driver: bridge
237    name: coves-prod-network
238
239volumes:
240  postgres-data:
241    name: coves-prod-postgres-data
242  pds-data:
243    name: coves-prod-pds-data
244  caddy-data:
245    name: coves-prod-caddy-data
246  caddy-config:
247    name: coves-prod-caddy-config