commit d8876161e123b01f31f7f8096634ae9de47a9afe · bretton.dev/coves

+57

.env.prod.example

···

       1
       1
       +
       # Coves Production Environment Variables

     

       2
       2
       +
       # Copy to .env.prod and fill in real values

     

       3
       3
       +
       # NEVER commit .env.prod to git!

     

       4
       4
       +
       

     

       5
       5
       +
       # =============================================================================

     

       6
       6
       +
       # PostgreSQL (AppView Database)

     

       7
       7
       +
       # =============================================================================

     

       8
       8
       +
       POSTGRES_DB=coves_prod

     

       9
       9
       +
       POSTGRES_USER=coves_user

     

       10
       10
       +
       POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD_HERE

     

       11
       11
       +
       

     

       12
       12
       +
       # =============================================================================

     

       13
       13
       +
       # PDS (Personal Data Server)

     

       14
       14
       +
       # =============================================================================

     

       15
       15
       +
       # Generate with: openssl rand -hex 32

     

       16
       16
       +
       PDS_JWT_SECRET=CHANGE_ME_64_HEX_CHARS

     

       17
       17
       +
       

     

       18
       18
       +
       # Admin password for PDS management

     

       19
       19
       +
       PDS_ADMIN_PASSWORD=CHANGE_ME_SECURE_ADMIN_PASSWORD

     

       20
       20
       +
       

     

       21
       21
       +
       # K256 private key for DID rotation

     

       22
       22
       +
       # Generate with: openssl rand -hex 32

     

       23
       23
       +
       PDS_ROTATION_KEY=CHANGE_ME_64_HEX_CHARS

     

       24
       24
       +
       

     

       25
       25
       +
       # Optional: Email configuration for account recovery

     

       26
       26
       +
       # PDS_EMAIL_SMTP_URL=smtp://user:pass@smtp.example.com:587

     

       27
       27
       +
       # PDS_EMAIL_FROM_ADDRESS=noreply@coves.me

     

       28
       28
       +
       

     

       29
       29
       +
       # =============================================================================

     

       30
       30
       +
       # AppView OAuth (for mobile app authentication)

     

       31
       31
       +
       # =============================================================================

     

       32
       32
       +
       OAUTH_CLIENT_ID=https://coves.social/client-metadata.json

     

       33
       33
       +
       OAUTH_REDIRECT_URI=https://coves.social/oauth/callback

     

       34
       34
       +
       

     

       35
       35
       +
       # Generate EC P-256 private key in JWK format

     

       36
       36
       +
       # See: https://atproto.com/specs/oauth#client-metadata

     

       37
       37
       +
       OAUTH_PRIVATE_JWK={"kty":"EC","crv":"P-256","x":"...","y":"...","d":"..."}

     

       38
       38
       +
       

     

       39
       39
       +
       # =============================================================================

     

       40
       40
       +
       # AppView Encryption

     

       41
       41
       +
       # =============================================================================

     

       42
       42
       +
       # For encrypting community credentials in database

     

       43
       43
       +
       # Generate with: openssl rand -base64 32

     

       44
       44
       +
       ENCRYPTION_KEY=CHANGE_ME_BASE64_ENCODED_KEY

     

       45
       45
       +
       

     

       46
       46
       +
       # =============================================================================

     

       47
       47
       +
       # Cloudflare (for wildcard SSL certificates)

     

       48
       48
       +
       # =============================================================================

     

       49
       49
       +
       # Required for *.coves.social wildcard certificate

     

       50
       50
       +
       # Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token

     

       51
       51
       +
       # Template: "Edit zone DNS" with permissions for coves.social zone

     

       52
       52
       +
       CLOUDFLARE_API_TOKEN=CHANGE_ME_CLOUDFLARE_TOKEN

     

       53
       53
       +
       

     

       54
       54
       +
       # =============================================================================

     

       55
       55
       +
       # Optional: Versioning

     

       56
       56
       +
       # =============================================================================

     

       57
       57
       +
       VERSION=latest

.gitignore

···

       20
       20
        
       .env.local

     

       21
       21
        
       .env.development

     

       22
       22
        
       .env.production

     

       23
       23
       +
       .env.prod

     

       23
       24
        
       .env.test

     

       24
       25
        
       

     

       25
       26
        
       # IDE

+139

Caddyfile

···

       1
       1
       +
       # Coves Production Caddyfile

     

       2
       2
       +
       # Handles HTTPS for both coves.social (AppView) and coves.me (PDS)

     

       3
       3
       +
       #

     

       4
       4
       +
       # Domain architecture:

     

       5
       5
       +
       #   - coves.social: AppView (API, web app)

     

       6
       6
       +
       #   - *.coves.social: Community handles (route atproto-did to PDS)

     

       7
       7
       +
       #   - coves.me: PDS (data storage)

     

       8
       8
       +
       

     

       9
       9
       +
       # Community handle subdomains (e.g., gaming.coves.social)

     

       10
       10
       +
       # These need to route /.well-known/atproto-did to PDS for handle resolution

     

       11
       11
       +
       #

     

       12
       12
       +
       # NOTE: Wildcard certs require DNS challenge. For Cloudflare:

     

       13
       13
       +
       # 1. Create API token with Zone:DNS:Edit permissions

     

       14
       14
       +
       # 2. Set CLOUDFLARE_API_TOKEN environment variable

     

       15
       15
       +
       # 3. Use caddy-dns/cloudflare plugin (see docker-compose.prod.yml)

     

       16
       16
       +
       *.coves.social {

     

       17
       17
       +
           tls {

     

       18
       18
       +
               dns cloudflare {env.CLOUDFLARE_API_TOKEN}

     

       19
       19
       +
           }

     

       20
       20
       +
           # Handle resolution - proxy to PDS

     

       21
       21
       +
           handle /.well-known/atproto-did {

     

       22
       22
       +
               reverse_proxy pds:3000

     

       23
       23
       +
           }

     

       24
       24
       +
       

     

       25
       25
       +
           # OAuth well-known endpoints - proxy to PDS

     

       26
       26
       +
           handle /.well-known/oauth-protected-resource {

     

       27
       27
       +
               reverse_proxy pds:3000

     

       28
       28
       +
           }

     

       29
       29
       +
       

     

       30
       30
       +
           handle /.well-known/oauth-authorization-server {

     

       31
       31
       +
               reverse_proxy pds:3000

     

       32
       32
       +
           }

     

       33
       33
       +
       

     

       34
       34
       +
           # All other requests return 404 (subdomains only exist for handle resolution)

     

       35
       35
       +
           handle {

     

       36
       36
       +
               respond "Not Found" 404

     

       37
       37
       +
           }

     

       38
       38
       +
       

     

       39
       39
       +
           # Security headers

     

       40
       40
       +
           header {

     

       41
       41
       +
               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

     

       42
       42
       +
               X-Content-Type-Options "nosniff"

     

       43
       43
       +
               -Server

     

       44
       44
       +
           }

     

       45
       45
       +
       }

     

       46
       46
       +
       

     

       47
       47
       +
       # AppView Domain (root)

     

       48
       48
       +
       coves.social {

     

       49
       49
       +
           # Serve .well-known files for DID verification

     

       50
       50
       +
           handle /.well-known/* {

     

       51
       51
       +
               root * /srv

     

       52
       52
       +
               file_server

     

       53
       53
       +
           }

     

       54
       54
       +
       

     

       55
       55
       +
           # Serve OAuth client metadata

     

       56
       56
       +
           handle /client-metadata.json {

     

       57
       57
       +
               root * /srv

     

       58
       58
       +
               file_server

     

       59
       59
       +
           }

     

       60
       60
       +
       

     

       61
       61
       +
           # Serve OAuth callback page

     

       62
       62
       +
           handle /oauth/callback {

     

       63
       63
       +
               root * /srv

     

       64
       64
       +
               rewrite * /oauth/callback.html

     

       65
       65
       +
               file_server

     

       66
       66
       +
           }

     

       67
       67
       +
       

     

       68
       68
       +
           # Proxy all other requests to AppView

     

       69
       69
       +
           handle {

     

       70
       70
       +
               reverse_proxy appview:8080 {

     

       71
       71
       +
                   # Health check

     

       72
       72
       +
                   health_uri /xrpc/_health

     

       73
       73
       +
                   health_interval 30s

     

       74
       74
       +
                   health_timeout 5s

     

       75
       75
       +
       

     

       76
       76
       +
                   # Headers

     

       77
       77
       +
                   header_up X-Real-IP {remote_host}

     

       78
       78
       +
                   header_up X-Forwarded-For {remote_host}

     

       79
       79
       +
                   header_up X-Forwarded-Proto {scheme}

     

       80
       80
       +
               }

     

       81
       81
       +
           }

     

       82
       82
       +
       

     

       83
       83
       +
           # Logging (Docker captures stdout/stderr)

     

       84
       84
       +
           log {

     

       85
       85
       +
               output stdout

     

       86
       86
       +
               format json

     

       87
       87
       +
           }

     

       88
       88
       +
       

     

       89
       89
       +
           # Security headers

     

       90
       90
       +
           header {

     

       91
       91
       +
               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

     

       92
       92
       +
               X-Content-Type-Options "nosniff"

     

       93
       93
       +
               X-Frame-Options "DENY"

     

       94
       94
       +
               Referrer-Policy "strict-origin-when-cross-origin"

     

       95
       95
       +
               Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://*.bsky.network wss://*.bsky.network"

     

       96
       96
       +
               # Remove Server header

     

       97
       97
       +
               -Server

     

       98
       98
       +
           }

     

       99
       99
       +
       

     

       100
       100
       +
           # Enable compression

     

       101
       101
       +
           encode gzip zstd

     

       102
       102
       +
       }

     

       103
       103
       +
       

     

       104
       104
       +
       # PDS Domain

     

       105
       105
       +
       coves.me {

     

       106
       106
       +
           reverse_proxy pds:3000 {

     

       107
       107
       +
               # Health check

     

       108
       108
       +
               health_uri /xrpc/_health

     

       109
       109
       +
               health_interval 30s

     

       110
       110
       +
               health_timeout 5s

     

       111
       111
       +
       

     

       112
       112
       +
               # Headers for proper client IP handling

     

       113
       113
       +
               header_up X-Real-IP {remote_host}

     

       114
       114
       +
               header_up X-Forwarded-For {remote_host}

     

       115
       115
       +
               header_up X-Forwarded-Proto {scheme}

     

       116
       116
       +
       

     

       117
       117
       +
               # WebSocket support for firehose

     

       118
       118
       +
               header_up Connection {>Connection}

     

       119
       119
       +
               header_up Upgrade {>Upgrade}

     

       120
       120
       +
           }

     

       121
       121
       +
       

     

       122
       122
       +
           # Logging (Docker captures stdout/stderr)

     

       123
       123
       +
           log {

     

       124
       124
       +
               output stdout

     

       125
       125
       +
               format json

     

       126
       126
       +
           }

     

       127
       127
       +
       

     

       128
       128
       +
           # Security headers

     

       129
       129
       +
           header {

     

       130
       130
       +
               Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

     

       131
       131
       +
               X-Content-Type-Options "nosniff"

     

       132
       132
       +
               X-Frame-Options "DENY"

     

       133
       133
       +
               Referrer-Policy "strict-origin-when-cross-origin"

     

       134
       134
       +
               -Server

     

       135
       135
       +
           }

     

       136
       136
       +
       

     

       137
       137
       +
           # Enable compression

     

       138
       138
       +
           encode gzip zstd

     

       139
       139
       +
       }

+61

Dockerfile

···

       1
       1
       +
       # Coves AppView - Multi-stage Dockerfile

     

       2
       2
       +
       # Builds a minimal production image for the Go server

     

       3
       3
       +
       

     

       4
       4
       +
       # Stage 1: Build

     

       5
       5
       +
       FROM golang:1.23-alpine AS builder

     

       6
       6
       +
       

     

       7
       7
       +
       # Install build dependencies

     

       8
       8
       +
       RUN apk add --no-cache git ca-certificates tzdata

     

       9
       9
       +
       

     

       10
       10
       +
       # Set working directory

     

       11
       11
       +
       WORKDIR /build

     

       12
       12
       +
       

     

       13
       13
       +
       # Copy go mod files first (better caching)

     

       14
       14
       +
       COPY go.mod go.sum ./

     

       15
       15
       +
       RUN go mod download

     

       16
       16
       +
       

     

       17
       17
       +
       # Copy source code

     

       18
       18
       +
       COPY . .

     

       19
       19
       +
       

     

       20
       20
       +
       # Build the binary

     

       21
       21
       +
       # CGO_ENABLED=0 for static binary (no libc dependency)

     

       22
       22
       +
       # -ldflags="-s -w" strips debug info for smaller binary

     

       23
       23
       +
       RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \

     

       24
       24
       +
           -ldflags="-s -w" \

     

       25
       25
       +
           -o /build/coves-server \

     

       26
       26
       +
           ./cmd/server

     

       27
       27
       +
       

     

       28
       28
       +
       # Stage 2: Runtime

     

       29
       29
       +
       FROM alpine:3.19

     

       30
       30
       +
       

     

       31
       31
       +
       # Install runtime dependencies

     

       32
       32
       +
       RUN apk add --no-cache ca-certificates tzdata

     

       33
       33
       +
       

     

       34
       34
       +
       # Create non-root user for security

     

       35
       35
       +
       RUN addgroup -g 1000 coves && \

     

       36
       36
       +
           adduser -u 1000 -G coves -s /bin/sh -D coves

     

       37
       37
       +
       

     

       38
       38
       +
       # Set working directory

     

       39
       39
       +
       WORKDIR /app

     

       40
       40
       +
       

     

       41
       41
       +
       # Copy binary from builder

     

       42
       42
       +
       COPY --from=builder /build/coves-server /app/coves-server

     

       43
       43
       +
       

     

       44
       44
       +
       # Copy migrations (needed for goose)

     

       45
       45
       +
       COPY --from=builder /build/internal/db/migrations /app/migrations

     

       46
       46
       +
       

     

       47
       47
       +
       # Set ownership

     

       48
       48
       +
       RUN chown -R coves:coves /app

     

       49
       49
       +
       

     

       50
       50
       +
       # Switch to non-root user

     

       51
       51
       +
       USER coves

     

       52
       52
       +
       

     

       53
       53
       +
       # Expose port

     

       54
       54
       +
       EXPOSE 8080

     

       55
       55
       +
       

     

       56
       56
       +
       # Health check

     

       57
       57
       +
       HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \

     

       58
       58
       +
           CMD wget --spider -q http://localhost:8080/xrpc/_health || exit 1

     

       59
       59
       +
       

     

       60
       60
       +
       # Run the server

     

       61
       61
       +
       ENTRYPOINT ["/app/coves-server"]

+205

docker-compose.prod.yml

···

       1
       1
       +
       # Coves Production Stack

     

       2
       2
       +
       #

     

       3
       3
       +
       # Architecture:

     

       4
       4
       +
       #   - coves.social: AppView domain (API, frontend, .well-known/did.json)

     

       5
       5
       +
       #   - coves.me: PDS domain (must be separate from AppView)

     

       6
       6
       +
       #

     

       7
       7
       +
       # Hardware: AMD Epyc 7351p (16c/32t), 256GB RAM, 2x500GB NVMe RAID

     

       8
       8
       +
       #

     

       9
       9
       +
       # Usage:

     

       10
       10
       +
       #   docker-compose -f docker-compose.prod.yml up -d

     

       11
       11
       +
       #

     

       12
       12
       +
       # Prerequisites:

     

       13
       13
       +
       #   1. DNS configured for both domains

     

       14
       14
       +
       #   2. SSL certificates (Caddy handles this automatically)

     

       15
       15
       +
       #   3. .env.prod file with secrets

     

       16
       16
       +
       #   4. .well-known/did.json deployed to coves.social

     

       17
       17
       +
       

     

       18
       18
       +
       services:

     

       19
       19
       +
         # PostgreSQL Database for AppView

     

       20
       20
       +
         postgres:

     

       21
       21
       +
           image: postgres:15

     

       22
       22
       +
           container_name: coves-prod-postgres

     

       23
       23
       +
           restart: unless-stopped

     

       24
       24
       +
           environment:

     

       25
       25
       +
             POSTGRES_DB: ${POSTGRES_DB}

     

       26
       26
       +
             POSTGRES_USER: ${POSTGRES_USER}

     

       27
       27
       +
             POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}

     

       28
       28
       +
           volumes:

     

       29
       29
       +
             - postgres-data:/var/lib/postgresql/data

     

       30
       30
       +
             # Mount backup directory for pg_dump

     

       31
       31
       +
             - ./backups:/backups

     

       32
       32
       +
           networks:

     

       33
       33
       +
             - coves-internal

     

       34
       34
       +
           healthcheck:

     

       35
       35
       +
             test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]

     

       36
       36
       +
             interval: 10s

     

       37
       37
       +
             timeout: 5s

     

       38
       38
       +
             retries: 5

     

       39
       39
       +
           # Generous limits for 256GB server

     

       40
       40
       +
           deploy:

     

       41
       41
       +
             resources:

     

       42
       42
       +
               limits:

     

       43
       43
       +
                 memory: 32G

     

       44
       44
       +
               reservations:

     

       45
       45
       +
                 memory: 4G

     

       46
       46
       +
       

     

       47
       47
       +
         # Coves AppView (Go Server)

     

       48
       48
       +
         appview:

     

       49
       49
       +
           build:

     

       50
       50
       +
             context: .

     

       51
       51
       +
             dockerfile: Dockerfile

     

       52
       52
       +
           image: coves/appview:${VERSION:-latest}

     

       53
       53
       +
           container_name: coves-prod-appview

     

       54
       54
       +
           restart: unless-stopped

     

       55
       55
       +
           ports:

     

       56
       56
       +
             - "127.0.0.1:8080:8080"  # Only expose to localhost (Caddy proxies)

     

       57
       57
       +
           environment:

     

       58
       58
       +
             # Database

     

       59
       59
       +
             DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable

     

       60
       60
       +
       

     

       61
       61
       +
             # Instance identity

     

       62
       62
       +
             INSTANCE_DID: did:web:coves.social

     

       63
       63
       +
             INSTANCE_DOMAIN: coves.social

     

       64
       64
       +
       

     

       65
       65
       +
             # PDS connection (separate domain!)

     

       66
       66
       +
             PDS_URL: https://coves.me

     

       67
       67
       +
       

     

       68
       68
       +
             # Jetstream (Bluesky production firehose)

     

       69
       69
       +
             JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe

     

       70
       70
       +
       

     

       71
       71
       +
             # Security - MUST be false in production

     

       72
       72
       +
             AUTH_SKIP_VERIFY: "false"

     

       73
       73
       +
             SKIP_DID_WEB_VERIFICATION: "false"

     

       74
       74
       +
       

     

       75
       75
       +
             # OAuth (for community account provisioning)

     

       76
       76
       +
             OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID}

     

       77
       77
       +
             OAUTH_REDIRECT_URI: ${OAUTH_REDIRECT_URI}

     

       78
       78
       +
             OAUTH_PRIVATE_JWK: ${OAUTH_PRIVATE_JWK}

     

       79
       79
       +
       

     

       80
       80
       +
             # Application settings

     

       81
       81
       +
             PORT: 8080

     

       82
       82
       +
             ENV: production

     

       83
       83
       +
             LOG_LEVEL: info

     

       84
       84
       +
       

     

       85
       85
       +
             # Encryption key for community credentials

     

       86
       86
       +
             ENCRYPTION_KEY: ${ENCRYPTION_KEY}

     

       87
       87
       +
           networks:

     

       88
       88
       +
             - coves-internal

     

       89
       89
       +
           depends_on:

     

       90
       90
       +
             postgres:

     

       91
       91
       +
               condition: service_healthy

     

       92
       92
       +
           healthcheck:

     

       93
       93
       +
             test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080/xrpc/_health"]

     

       94
       94
       +
             interval: 30s

     

       95
       95
       +
             timeout: 5s

     

       96
       96
       +
             retries: 3

     

       97
       97
       +
             start_period: 10s

     

       98
       98
       +
           # Go is memory-efficient, but give it room for connection pools

     

       99
       99
       +
           deploy:

     

       100
       100
       +
             resources:

     

       101
       101
       +
               limits:

     

       102
       102
       +
                 memory: 8G

     

       103
       103
       +
               reservations:

     

       104
       104
       +
                 memory: 512M

     

       105
       105
       +
       

     

       106
       106
       +
         # Bluesky PDS (Personal Data Server)

     

       107
       107
       +
         # Handles community accounts and their repositories

     

       108
       108
       +
         pds:

     

       109
       109
       +
           image: ghcr.io/bluesky-social/pds:latest

     

       110
       110
       +
           container_name: coves-prod-pds

     

       111
       111
       +
           restart: unless-stopped

     

       112
       112
       +
           ports:

     

       113
       113
       +
             - "127.0.0.1:3000:3000"  # Only expose to localhost (Caddy proxies)

     

       114
       114
       +
           environment:

     

       115
       115
       +
             # PDS identity

     

       116
       116
       +
             PDS_HOSTNAME: coves.me

     

       117
       117
       +
             PDS_PORT: 3000

     

       118
       118
       +
             PDS_DATA_DIRECTORY: /pds

     

       119
       119
       +
             PDS_BLOBSTORE_DISK_LOCATION: /pds/blocks

     

       120
       120
       +
       

     

       121
       121
       +
             # PLC Directory (production)

     

       122
       122
       +
             PDS_DID_PLC_URL: https://plc.directory

     

       123
       123
       +
       

     

       124
       124
       +
             # Handle domains

     

       125
       125
       +
             # Community handles use @community.coves.social (AppView domain)

     

       126
       126
       +
             PDS_SERVICE_HANDLE_DOMAINS: .coves.social

     

       127
       127
       +
       

     

       128
       128
       +
             # Security (set real values in .env.prod)

     

       129
       129
       +
             PDS_JWT_SECRET: ${PDS_JWT_SECRET}

     

       130
       130
       +
             PDS_ADMIN_PASSWORD: ${PDS_ADMIN_PASSWORD}

     

       131
       131
       +
             PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: ${PDS_ROTATION_KEY}

     

       132
       132
       +
       

     

       133
       133
       +
             # Email (optional, for account recovery)

     

       134
       134
       +
             PDS_EMAIL_SMTP_URL: ${PDS_EMAIL_SMTP_URL:-}

     

       135
       135
       +
             PDS_EMAIL_FROM_ADDRESS: ${PDS_EMAIL_FROM_ADDRESS:-noreply@coves.me}

     

       136
       136
       +
       

     

       137
       137
       +
             # Production mode

     

       138
       138
       +
             PDS_DEV_MODE: "false"

     

       139
       139
       +
             PDS_INVITE_REQUIRED: "false"  # Set to true if you want invite-only

     

       140
       140
       +
       

     

       141
       141
       +
             # Logging

     

       142
       142
       +
             NODE_ENV: production

     

       143
       143
       +
             LOG_ENABLED: "true"

     

       144
       144
       +
             LOG_LEVEL: info

     

       145
       145
       +
           volumes:

     

       146
       146
       +
             - pds-data:/pds

     

       147
       147
       +
           networks:

     

       148
       148
       +
             - coves-internal

     

       149
       149
       +
           healthcheck:

     

       150
       150
       +
             test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/xrpc/_health"]

     

       151
       151
       +
             interval: 30s

     

       152
       152
       +
             timeout: 5s

     

       153
       153
       +
             retries: 5

     

       154
       154
       +
           # PDS (Node.js) needs memory for blob handling

     

       155
       155
       +
           deploy:

     

       156
       156
       +
             resources:

     

       157
       157
       +
               limits:

     

       158
       158
       +
                 memory: 16G

     

       159
       159
       +
               reservations:

     

       160
       160
       +
                 memory: 1G

     

       161
       161
       +
       

     

       162
       162
       +
         # Caddy Reverse Proxy

     

       163
       163
       +
         # Handles HTTPS automatically via Let's Encrypt

     

       164
       164
       +
         # Uses Cloudflare plugin for wildcard SSL certificates (*.coves.social)

     

       165
       165
       +
         caddy:

     

       166
       166
       +
           # Pre-built Caddy with Cloudflare DNS plugin

     

       167
       167
       +
           # Updates automatically with docker-compose pull

     

       168
       168
       +
           # Alternative: build your own with Dockerfile.caddy

     

       169
       169
       +
           image: ghcr.io/slothcroissant/caddy-cloudflaredns:latest

     

       170
       170
       +
           container_name: coves-prod-caddy

     

       171
       171
       +
           restart: unless-stopped

     

       172
       172
       +
           ports:

     

       173
       173
       +
             - "80:80"

     

       174
       174
       +
             - "443:443"

     

       175
       175
       +
           environment:

     

       176
       176
       +
             # Required for wildcard SSL via DNS challenge

     

       177
       177
       +
             # Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token

     

       178
       178
       +
             # Permissions: Zone:DNS:Edit for coves.social zone

     

       179
       179
       +
             CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}

     

       180
       180
       +
           volumes:

     

       181
       181
       +
             - ./Caddyfile:/etc/caddy/Caddyfile:ro

     

       182
       182
       +
             - caddy-data:/data

     

       183
       183
       +
             - caddy-config:/config

     

       184
       184
       +
             # Static files (.well-known, client-metadata.json, oauth callback)

     

       185
       185
       +
             - ./static:/srv:ro

     

       186
       186
       +
           networks:

     

       187
       187
       +
             - coves-internal

     

       188
       188
       +
           depends_on:

     

       189
       189
       +
             - appview

     

       190
       190
       +
             - pds

     

       191
       191
       +
       

     

       192
       192
       +
       networks:

     

       193
       193
       +
         coves-internal:

     

       194
       194
       +
           driver: bridge

     

       195
       195
       +
           name: coves-prod-network

     

       196
       196
       +
       

     

       197
       197
       +
       volumes:

     

       198
       198
       +
         postgres-data:

     

       199
       199
       +
           name: coves-prod-postgres-data

     

       200
       200
       +
         pds-data:

     

       201
       201
       +
           name: coves-prod-pds-data

     

       202
       202
       +
         caddy-data:

     

       203
       203
       +
           name: coves-prod-caddy-data

     

       204
       204
       +
         caddy-config:

     

       205
       205
       +
           name: coves-prod-caddy-config

+57

scripts/backup.sh

···

       1
       1
       +
       #!/bin/bash

     

       2
       2
       +
       # Coves Database Backup Script

     

       3
       3
       +
       # Usage: ./scripts/backup.sh

     

       4
       4
       +
       #

     

       5
       5
       +
       # Creates timestamped PostgreSQL backups in ./backups/

     

       6
       6
       +
       # Retention: Keeps last 30 days of backups

     

       7
       7
       +
       

     

       8
       8
       +
       set -e

     

       9
       9
       +
       

     

       10
       10
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       11
       11
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       12
       12
       +
       BACKUP_DIR="$PROJECT_DIR/backups"

     

       13
       13
       +
       COMPOSE_FILE="$PROJECT_DIR/docker-compose.prod.yml"

     

       14
       14
       +
       

     

       15
       15
       +
       # Load environment

     

       16
       16
       +
       set -a

     

       17
       17
       +
       source "$PROJECT_DIR/.env.prod"

     

       18
       18
       +
       set +a

     

       19
       19
       +
       

     

       20
       20
       +
       # Colors

     

       21
       21
       +
       GREEN='\033[0;32m'

     

       22
       22
       +
       YELLOW='\033[1;33m'

     

       23
       23
       +
       NC='\033[0m'

     

       24
       24
       +
       

     

       25
       25
       +
       log() { echo -e "${GREEN}[BACKUP]${NC} $1"; }

     

       26
       26
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       27
       27
       +
       

     

       28
       28
       +
       # Create backup directory

     

       29
       29
       +
       mkdir -p "$BACKUP_DIR"

     

       30
       30
       +
       

     

       31
       31
       +
       # Generate timestamp

     

       32
       32
       +
       TIMESTAMP=$(date +%Y%m%d_%H%M%S)

     

       33
       33
       +
       BACKUP_FILE="$BACKUP_DIR/coves_${TIMESTAMP}.sql.gz"

     

       34
       34
       +
       

     

       35
       35
       +
       log "Starting backup..."

     

       36
       36
       +
       

     

       37
       37
       +
       # Run pg_dump inside container

     

       38
       38
       +
       docker compose -f "$COMPOSE_FILE" exec -T postgres \

     

       39
       39
       +
           pg_dump -U "$POSTGRES_USER" -d "$POSTGRES_DB" --clean --if-exists \

     

       40
       40
       +
           | gzip > "$BACKUP_FILE"

     

       41
       41
       +
       

     

       42
       42
       +
       # Get file size

     

       43
       43
       +
       SIZE=$(du -h "$BACKUP_FILE" | cut -f1)

     

       44
       44
       +
       

     

       45
       45
       +
       log "✅ Backup complete: $BACKUP_FILE ($SIZE)"

     

       46
       46
       +
       

     

       47
       47
       +
       # Cleanup old backups (keep last 30 days)

     

       48
       48
       +
       log "Cleaning up backups older than 30 days..."

     

       49
       49
       +
       find "$BACKUP_DIR" -name "coves_*.sql.gz" -mtime +30 -delete

     

       50
       50
       +
       

     

       51
       51
       +
       # List recent backups

     

       52
       52
       +
       log ""

     

       53
       53
       +
       log "Recent backups:"

     

       54
       54
       +
       ls -lh "$BACKUP_DIR"/*.sql.gz 2>/dev/null | tail -5

     

       55
       55
       +
       

     

       56
       56
       +
       log ""

     

       57
       57
       +
       log "To restore: gunzip -c $BACKUP_FILE | docker compose -f docker-compose.prod.yml exec -T postgres psql -U $POSTGRES_USER -d $POSTGRES_DB"

+133

scripts/deploy.sh

···

       1
       1
       +
       #!/bin/bash

     

       2
       2
       +
       # Coves Deployment Script

     

       3
       3
       +
       # Usage: ./scripts/deploy.sh [service]

     

       4
       4
       +
       #

     

       5
       5
       +
       # Examples:

     

       6
       6
       +
       #   ./scripts/deploy.sh           # Deploy all services

     

       7
       7
       +
       #   ./scripts/deploy.sh appview   # Deploy only AppView

     

       8
       8
       +
       #   ./scripts/deploy.sh --pull    # Pull from git first, then deploy

     

       9
       9
       +
       

     

       10
       10
       +
       set -e

     

       11
       11
       +
       

     

       12
       12
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       13
       13
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       14
       14
       +
       COMPOSE_FILE="$PROJECT_DIR/docker-compose.prod.yml"

     

       15
       15
       +
       

     

       16
       16
       +
       # Colors for output

     

       17
       17
       +
       RED='\033[0;31m'

     

       18
       18
       +
       GREEN='\033[0;32m'

     

       19
       19
       +
       YELLOW='\033[1;33m'

     

       20
       20
       +
       NC='\033[0m' # No Color

     

       21
       21
       +
       

     

       22
       22
       +
       log() {

     

       23
       23
       +
           echo -e "${GREEN}[DEPLOY]${NC} $1"

     

       24
       24
       +
       }

     

       25
       25
       +
       

     

       26
       26
       +
       warn() {

     

       27
       27
       +
           echo -e "${YELLOW}[WARN]${NC} $1"

     

       28
       28
       +
       }

     

       29
       29
       +
       

     

       30
       30
       +
       error() {

     

       31
       31
       +
           echo -e "${RED}[ERROR]${NC} $1"

     

       32
       32
       +
           exit 1

     

       33
       33
       +
       }

     

       34
       34
       +
       

     

       35
       35
       +
       # Parse arguments

     

       36
       36
       +
       PULL_GIT=false

     

       37
       37
       +
       SERVICE=""

     

       38
       38
       +
       

     

       39
       39
       +
       for arg in "$@"; do

     

       40
       40
       +
           case $arg in

     

       41
       41
       +
               --pull)

     

       42
       42
       +
                   PULL_GIT=true

     

       43
       43
       +
                   ;;

     

       44
       44
       +
               *)

     

       45
       45
       +
                   SERVICE="$arg"

     

       46
       46
       +
                   ;;

     

       47
       47
       +
           esac

     

       48
       48
       +
       done

     

       49
       49
       +
       

     

       50
       50
       +
       cd "$PROJECT_DIR"

     

       51
       51
       +
       

     

       52
       52
       +
       # Load environment variables

     

       53
       53
       +
       if [ ! -f ".env.prod" ]; then

     

       54
       54
       +
           error ".env.prod not found! Copy from .env.prod.example and configure secrets."

     

       55
       55
       +
       fi

     

       56
       56
       +
       

     

       57
       57
       +
       log "Loading environment from .env.prod..."

     

       58
       58
       +
       set -a

     

       59
       59
       +
       source .env.prod

     

       60
       60
       +
       set +a

     

       61
       61
       +
       

     

       62
       62
       +
       # Optional: Pull from git

     

       63
       63
       +
       if [ "$PULL_GIT" = true ]; then

     

       64
       64
       +
           log "Pulling latest code from git..."

     

       65
       65
       +
           git fetch origin

     

       66
       66
       +
           git pull origin main

     

       67
       67
       +
       fi

     

       68
       68
       +
       

     

       69
       69
       +
       # Check database connectivity before deployment

     

       70
       70
       +
       log "Checking database connectivity..."

     

       71
       71
       +
       if docker compose -f "$COMPOSE_FILE" exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; then

     

       72
       72
       +
           log "Database is ready"

     

       73
       73
       +
       else

     

       74
       74
       +
           warn "Database not ready yet - it will start with the deployment"

     

       75
       75
       +
       fi

     

       76
       76
       +
       

     

       77
       77
       +
       # Build and deploy

     

       78
       78
       +
       if [ -n "$SERVICE" ]; then

     

       79
       79
       +
           log "Building $SERVICE..."

     

       80
       80
       +
           docker compose -f "$COMPOSE_FILE" build --no-cache "$SERVICE"

     

       81
       81
       +
       

     

       82
       82
       +
           log "Deploying $SERVICE..."

     

       83
       83
       +
           docker compose -f "$COMPOSE_FILE" up -d "$SERVICE"

     

       84
       84
       +
       else

     

       85
       85
       +
           log "Building all services..."

     

       86
       86
       +
           docker compose -f "$COMPOSE_FILE" build --no-cache

     

       87
       87
       +
       

     

       88
       88
       +
           log "Deploying all services..."

     

       89
       89
       +
           docker compose -f "$COMPOSE_FILE" up -d

     

       90
       90
       +
       fi

     

       91
       91
       +
       

     

       92
       92
       +
       # Health check

     

       93
       93
       +
       log "Waiting for services to be healthy..."

     

       94
       94
       +
       sleep 10

     

       95
       95
       +
       

     

       96
       96
       +
       # Wait for database to be ready before running migrations

     

       97
       97
       +
       log "Waiting for database..."

     

       98
       98
       +
       for i in {1..30}; do

     

       99
       99
       +
           if docker compose -f "$COMPOSE_FILE" exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; then

     

       100
       100
       +
               break

     

       101
       101
       +
           fi

     

       102
       102
       +
           sleep 1

     

       103
       103
       +
       done

     

       104
       104
       +
       

     

       105
       105
       +
       # Run database migrations

     

       106
       106
       +
       # The AppView runs migrations on startup, but we can also trigger them explicitly

     

       107
       107
       +
       log "Running database migrations..."

     

       108
       108
       +
       if docker compose -f "$COMPOSE_FILE" exec -T appview /app/coves-server migrate 2>/dev/null; then

     

       109
       109
       +
           log "✅ Migrations completed"

     

       110
       110
       +
       else

     

       111
       111
       +
           warn "⚠️  Migration command not available or failed - AppView will run migrations on startup"

     

       112
       112
       +
       fi

     

       113
       113
       +
       

     

       114
       114
       +
       # Check AppView health

     

       115
       115
       +
       if docker compose -f "$COMPOSE_FILE" exec -T appview wget --spider -q http://localhost:8080/xrpc/_health 2>/dev/null; then

     

       116
       116
       +
           log "✅ AppView is healthy"

     

       117
       117
       +
       else

     

       118
       118
       +
           warn "⚠️  AppView health check failed - check logs with: docker compose -f docker-compose.prod.yml logs appview"

     

       119
       119
       +
       fi

     

       120
       120
       +
       

     

       121
       121
       +
       # Check PDS health

     

       122
       122
       +
       if docker compose -f "$COMPOSE_FILE" exec -T pds wget --spider -q http://localhost:3000/xrpc/_health 2>/dev/null; then

     

       123
       123
       +
           log "✅ PDS is healthy"

     

       124
       124
       +
       else

     

       125
       125
       +
           warn "⚠️  PDS health check failed - check logs with: docker compose -f docker-compose.prod.yml logs pds"

     

       126
       126
       +
       fi

     

       127
       127
       +
       

     

       128
       128
       +
       log "Deployment complete!"

     

       129
       129
       +
       log ""

     

       130
       130
       +
       log "Useful commands:"

     

       131
       131
       +
       log "  View logs:     docker compose -f docker-compose.prod.yml logs -f"

     

       132
       132
       +
       log "  Check status:  docker compose -f docker-compose.prod.yml ps"

     

       133
       133
       +
       log "  Rollback:      docker compose -f docker-compose.prod.yml down && git checkout HEAD~1 && ./scripts/deploy.sh"

+149

scripts/generate-did-keys.sh

···

       1
       1
       +
       #!/bin/bash

     

       2
       2
       +
       # Generate cryptographic keys for Coves did:web DID document

     

       3
       3
       +
       #

     

       4
       4
       +
       # This script generates a secp256k1 (K-256) key pair as required by atproto.

     

       5
       5
       +
       # Reference: https://atproto.com/specs/cryptography

     

       6
       6
       +
       #

     

       7
       7
       +
       # Key format:

     

       8
       8
       +
       #   - Curve: secp256k1 (K-256) - same as Bitcoin/Ethereum

     

       9
       9
       +
       #   - Type: Multikey

     

       10
       10
       +
       #   - Encoding: publicKeyMultibase with base58btc ('z' prefix)

     

       11
       11
       +
       #   - Multicodec: 0xe7 for secp256k1 compressed public key

     

       12
       12
       +
       #

     

       13
       13
       +
       # Output:

     

       14
       14
       +
       #   - Private key (hex) for PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX

     

       15
       15
       +
       #   - Public key (multibase) for did.json publicKeyMultibase field

     

       16
       16
       +
       #   - Complete did.json file

     

       17
       17
       +
       

     

       18
       18
       +
       set -e

     

       19
       19
       +
       

     

       20
       20
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       21
       21
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       22
       22
       +
       OUTPUT_DIR="$PROJECT_DIR/static/.well-known"

     

       23
       23
       +
       

     

       24
       24
       +
       # Colors

     

       25
       25
       +
       GREEN='\033[0;32m'

     

       26
       26
       +
       YELLOW='\033[1;33m'

     

       27
       27
       +
       RED='\033[0;31m'

     

       28
       28
       +
       NC='\033[0m'

     

       29
       29
       +
       

     

       30
       30
       +
       log() { echo -e "${GREEN}[KEYGEN]${NC} $1"; }

     

       31
       31
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       32
       32
       +
       error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }

     

       33
       33
       +
       

     

       34
       34
       +
       # Check for required tools

     

       35
       35
       +
       if ! command -v openssl &> /dev/null; then

     

       36
       36
       +
           error "openssl is required but not installed"

     

       37
       37
       +
       fi

     

       38
       38
       +
       

     

       39
       39
       +
       if ! command -v python3 &> /dev/null; then

     

       40
       40
       +
           error "python3 is required for base58 encoding"

     

       41
       41
       +
       fi

     

       42
       42
       +
       

     

       43
       43
       +
       # Check for base58 library

     

       44
       44
       +
       if ! python3 -c "import base58" 2>/dev/null; then

     

       45
       45
       +
           warn "Installing base58 Python library..."

     

       46
       46
       +
           pip3 install base58 || error "Failed to install base58. Run: pip3 install base58"

     

       47
       47
       +
       fi

     

       48
       48
       +
       

     

       49
       49
       +
       log "Generating secp256k1 key pair for did:web..."

     

       50
       50
       +
       

     

       51
       51
       +
       # Generate private key

     

       52
       52
       +
       PRIVATE_KEY_PEM=$(mktemp)

     

       53
       53
       +
       openssl ecparam -name secp256k1 -genkey -noout -out "$PRIVATE_KEY_PEM" 2>/dev/null

     

       54
       54
       +
       

     

       55
       55
       +
       # Extract private key as hex (for PDS config)

     

       56
       56
       +
       PRIVATE_KEY_HEX=$(openssl ec -in "$PRIVATE_KEY_PEM" -text -noout 2>/dev/null | \

     

       57
       57
       +
           grep -A 3 "priv:" | tail -n 3 | tr -d ' :\n' | tr -d '\r')

     

       58
       58
       +
       

     

       59
       59
       +
       # Extract public key as compressed format

     

       60
       60
       +
       # OpenSSL outputs the public key, we need to get the compressed form

     

       61
       61
       +
       PUBLIC_KEY_HEX=$(openssl ec -in "$PRIVATE_KEY_PEM" -pubout -conv_form compressed -outform DER 2>/dev/null | \

     

       62
       62
       +
           tail -c 33 | xxd -p | tr -d '\n')

     

       63
       63
       +
       

     

       64
       64
       +
       # Clean up temp file

     

       65
       65
       +
       rm -f "$PRIVATE_KEY_PEM"

     

       66
       66
       +
       

     

       67
       67
       +
       # Encode public key as multibase with multicodec

     

       68
       68
       +
       # Multicodec 0xe7 = secp256k1 compressed public key

     

       69
       69
       +
       # Then base58btc encode with 'z' prefix

     

       70
       70
       +
       PUBLIC_KEY_MULTIBASE=$(python3 << EOF

     

       71
       71
       +
       import base58

     

       72
       72
       +
       

     

       73
       73
       +
       # Compressed public key bytes

     

       74
       74
       +
       pub_hex = "$PUBLIC_KEY_HEX"

     

       75
       75
       +
       pub_bytes = bytes.fromhex(pub_hex)

     

       76
       76
       +
       

     

       77
       77
       +
       # Prepend multicodec 0xe7 for secp256k1-pub

     

       78
       78
       +
       # 0xe7 as varint is just 0xe7 (single byte, < 128)

     

       79
       79
       +
       multicodec = bytes([0xe7, 0x01])  # 0xe701 for secp256k1-pub compressed

     

       80
       80
       +
       key_with_codec = multicodec + pub_bytes

     

       81
       81
       +
       

     

       82
       82
       +
       # Base58btc encode

     

       83
       83
       +
       encoded = base58.b58encode(key_with_codec).decode('ascii')

     

       84
       84
       +
       

     

       85
       85
       +
       # Add 'z' prefix for multibase

     

       86
       86
       +
       print('z' + encoded)

     

       87
       87
       +
       EOF

     

       88
       88
       +
       )

     

       89
       89
       +
       

     

       90
       90
       +
       log "Keys generated successfully!"

     

       91
       91
       +
       echo ""

     

       92
       92
       +
       echo "============================================"

     

       93
       93
       +
       echo "  PRIVATE KEY (keep secret!)"

     

       94
       94
       +
       echo "============================================"

     

       95
       95
       +
       echo ""

     

       96
       96
       +
       echo "Add this to your .env.prod file:"

     

       97
       97
       +
       echo ""

     

       98
       98
       +
       echo "PDS_ROTATION_KEY=$PRIVATE_KEY_HEX"

     

       99
       99
       +
       echo ""

     

       100
       100
       +
       echo "============================================"

     

       101
       101
       +
       echo "  PUBLIC KEY (for did.json)"

     

       102
       102
       +
       echo "============================================"

     

       103
       103
       +
       echo ""

     

       104
       104
       +
       echo "publicKeyMultibase: $PUBLIC_KEY_MULTIBASE"

     

       105
       105
       +
       echo ""

     

       106
       106
       +
       

     

       107
       107
       +
       # Generate the did.json file

     

       108
       108
       +
       log "Generating did.json..."

     

       109
       109
       +
       

     

       110
       110
       +
       mkdir -p "$OUTPUT_DIR"

     

       111
       111
       +
       

     

       112
       112
       +
       cat > "$OUTPUT_DIR/did.json" << EOF

     

       113
       113
       +
       {

     

       114
       114
       +
         "id": "did:web:coves.social",

     

       115
       115
       +
         "alsoKnownAs": ["at://coves.social"],

     

       116
       116
       +
         "verificationMethod": [

     

       117
       117
       +
           {

     

       118
       118
       +
             "id": "did:web:coves.social#atproto",

     

       119
       119
       +
             "type": "Multikey",

     

       120
       120
       +
             "controller": "did:web:coves.social",

     

       121
       121
       +
             "publicKeyMultibase": "$PUBLIC_KEY_MULTIBASE"

     

       122
       122
       +
           }

     

       123
       123
       +
         ],

     

       124
       124
       +
         "service": [

     

       125
       125
       +
           {

     

       126
       126
       +
             "id": "#atproto_pds",

     

       127
       127
       +
             "type": "AtprotoPersonalDataServer",

     

       128
       128
       +
             "serviceEndpoint": "https://coves.me"

     

       129
       129
       +
           }

     

       130
       130
       +
         ]

     

       131
       131
       +
       }

     

       132
       132
       +
       EOF

     

       133
       133
       +
       

     

       134
       134
       +
       log "Created: $OUTPUT_DIR/did.json"

     

       135
       135
       +
       echo ""

     

       136
       136
       +
       echo "============================================"

     

       137
       137
       +
       echo "  NEXT STEPS"

     

       138
       138
       +
       echo "============================================"

     

       139
       139
       +
       echo ""

     

       140
       140
       +
       echo "1. Copy the PDS_ROTATION_KEY value to your .env.prod file"

     

       141
       141
       +
       echo ""

     

       142
       142
       +
       echo "2. Verify the did.json looks correct:"

     

       143
       143
       +
       echo "   cat $OUTPUT_DIR/did.json"

     

       144
       144
       +
       echo ""

     

       145
       145
       +
       echo "3. After deployment, verify it's accessible:"

     

       146
       146
       +
       echo "   curl https://coves.social/.well-known/did.json"

     

       147
       147
       +
       echo ""

     

       148
       148
       +
       warn "IMPORTANT: Keep the private key secret! Only share the public key."

     

       149
       149
       +
       warn "The did.json file with the public key IS safe to commit to git."

+106

scripts/setup-production.sh

···

       1
       1
       +
       #!/bin/bash

     

       2
       2
       +
       # Coves Production Setup Script

     

       3
       3
       +
       # Run this once on a fresh server to set up everything

     

       4
       4
       +
       #

     

       5
       5
       +
       # Prerequisites:

     

       6
       6
       +
       #   - Docker and docker-compose installed

     

       7
       7
       +
       #   - Git installed

     

       8
       8
       +
       #   - .env.prod file configured

     

       9
       9
       +
       

     

       10
       10
       +
       set -e

     

       11
       11
       +
       

     

       12
       12
       +
       SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

     

       13
       13
       +
       PROJECT_DIR="$(dirname "$SCRIPT_DIR")"

     

       14
       14
       +
       

     

       15
       15
       +
       # Colors

     

       16
       16
       +
       GREEN='\033[0;32m'

     

       17
       17
       +
       YELLOW='\033[1;33m'

     

       18
       18
       +
       RED='\033[0;31m'

     

       19
       19
       +
       NC='\033[0m'

     

       20
       20
       +
       

     

       21
       21
       +
       log() { echo -e "${GREEN}[SETUP]${NC} $1"; }

     

       22
       22
       +
       warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }

     

       23
       23
       +
       error() { echo -e "${RED}[ERROR]${NC} $1"; exit 1; }

     

       24
       24
       +
       

     

       25
       25
       +
       cd "$PROJECT_DIR"

     

       26
       26
       +
       

     

       27
       27
       +
       # Check prerequisites

     

       28
       28
       +
       log "Checking prerequisites..."

     

       29
       29
       +
       

     

       30
       30
       +
       if ! command -v docker &> /dev/null; then

     

       31
       31
       +
           error "Docker is not installed. Install with: curl -fsSL https://get.docker.com | sh"

     

       32
       32
       +
       fi

     

       33
       33
       +
       

     

       34
       34
       +
       if ! docker compose version &> /dev/null; then

     

       35
       35
       +
           error "docker compose is not available. Install with: apt install docker-compose-plugin"

     

       36
       36
       +
       fi

     

       37
       37
       +
       

     

       38
       38
       +
       # Check for .env.prod

     

       39
       39
       +
       if [ ! -f ".env.prod" ]; then

     

       40
       40
       +
           error ".env.prod not found! Copy from .env.prod.example and configure secrets."

     

       41
       41
       +
       fi

     

       42
       42
       +
       

     

       43
       43
       +
       # Load environment

     

       44
       44
       +
       set -a

     

       45
       45
       +
       source .env.prod

     

       46
       46
       +
       set +a

     

       47
       47
       +
       

     

       48
       48
       +
       # Create required directories

     

       49
       49
       +
       log "Creating directories..."

     

       50
       50
       +
       mkdir -p backups

     

       51
       51
       +
       mkdir -p static/.well-known

     

       52
       52
       +
       

     

       53
       53
       +
       # Check for did.json

     

       54
       54
       +
       if [ ! -f "static/.well-known/did.json" ]; then

     

       55
       55
       +
           warn "static/.well-known/did.json not found!"

     

       56
       56
       +
           warn "Run ./scripts/generate-did-keys.sh to create it."

     

       57
       57
       +
       fi

     

       58
       58
       +
       

     

       59
       59
       +
       # Note: Caddy logs are written to Docker volume (caddy-data)

     

       60
       60
       +
       # If you need host-accessible logs, uncomment and run as root:

     

       61
       61
       +
       # mkdir -p /var/log/caddy && chown 1000:1000 /var/log/caddy

     

       62
       62
       +
       

     

       63
       63
       +
       # Pull Docker images

     

       64
       64
       +
       log "Pulling Docker images..."

     

       65
       65
       +
       docker compose -f docker-compose.prod.yml pull postgres pds caddy

     

       66
       66
       +
       

     

       67
       67
       +
       # Build AppView

     

       68
       68
       +
       log "Building AppView..."

     

       69
       69
       +
       docker compose -f docker-compose.prod.yml build appview

     

       70
       70
       +
       

     

       71
       71
       +
       # Start services

     

       72
       72
       +
       log "Starting services..."

     

       73
       73
       +
       docker compose -f docker-compose.prod.yml up -d

     

       74
       74
       +
       

     

       75
       75
       +
       # Wait for PostgreSQL

     

       76
       76
       +
       log "Waiting for PostgreSQL to be ready..."

     

       77
       77
       +
       until docker compose -f docker-compose.prod.yml exec -T postgres pg_isready -U "$POSTGRES_USER" -d "$POSTGRES_DB" > /dev/null 2>&1; do

     

       78
       78
       +
           sleep 2

     

       79
       79
       +
       done

     

       80
       80
       +
       log "PostgreSQL is ready!"

     

       81
       81
       +
       

     

       82
       82
       +
       # Run migrations

     

       83
       83
       +
       log "Running database migrations..."

     

       84
       84
       +
       # The AppView runs migrations on startup, but you can also run them manually:

     

       85
       85
       +
       # docker compose -f docker-compose.prod.yml exec appview /app/coves-server migrate

     

       86
       86
       +
       

     

       87
       87
       +
       # Final status

     

       88
       88
       +
       log ""

     

       89
       89
       +
       log "============================================"

     

       90
       90
       +
       log "  Coves Production Setup Complete!"

     

       91
       91
       +
       log "============================================"

     

       92
       92
       +
       log ""

     

       93
       93
       +
       log "Services running:"

     

       94
       94
       +
       docker compose -f docker-compose.prod.yml ps

     

       95
       95
       +
       log ""

     

       96
       96
       +
       log "Next steps:"

     

       97
       97
       +
       log "  1. Configure DNS for coves.social and coves.me"

     

       98
       98
       +
       log "  2. Run ./scripts/generate-did-keys.sh to create DID keys"

     

       99
       99
       +
       log "  3. Test health endpoints:"

     

       100
       100
       +
       log "     curl https://coves.social/xrpc/_health"

     

       101
       101
       +
       log "     curl https://coves.me/xrpc/_health"

     

       102
       102
       +
       log ""

     

       103
       103
       +
       log "Useful commands:"

     

       104
       104
       +
       log "  View logs:     docker compose -f docker-compose.prod.yml logs -f"

     

       105
       105
       +
       log "  Deploy update: ./scripts/deploy.sh appview"

     

       106
       106
       +
       log "  Backup DB:     ./scripts/backup.sh"

+19

static/.well-known/did.json.template

···

       1
       1
       +
       {

     

       2
       2
       +
         "id": "did:web:coves.social",

     

       3
       3
       +
         "alsoKnownAs": ["at://coves.social"],

     

       4
       4
       +
         "verificationMethod": [

     

       5
       5
       +
           {

     

       6
       6
       +
             "id": "did:web:coves.social#atproto",

     

       7
       7
       +
             "type": "Multikey",

     

       8
       8
       +
             "controller": "did:web:coves.social",

     

       9
       9
       +
             "publicKeyMultibase": "REPLACE_WITH_YOUR_PUBLIC_KEY"

     

       10
       10
       +
           }

     

       11
       11
       +
         ],

     

       12
       12
       +
         "service": [

     

       13
       13
       +
           {

     

       14
       14
       +
             "id": "#atproto_pds",

     

       15
       15
       +
             "type": "AtprotoPersonalDataServer",

     

       16
       16
       +
             "serviceEndpoint": "https://coves.me"

     

       17
       17
       +
           }

     

       18
       18
       +
         ]

     

       19
       19
       +
       }

+18

static/client-metadata.json

···

       1
       1
       +
       {

     

       2
       2
       +
         "client_id": "https://coves.social/client-metadata.json",

     

       3
       3
       +
         "client_name": "Coves",

     

       4
       4
       +
         "client_uri": "https://coves.social",

     

       5
       5
       +
         "logo_uri": "https://coves.social/logo.png",

     

       6
       6
       +
         "tos_uri": "https://coves.social/terms",

     

       7
       7
       +
         "policy_uri": "https://coves.social/privacy",

     

       8
       8
       +
         "redirect_uris": [

     

       9
       9
       +
           "https://coves.social/oauth/callback",

     

       10
       10
       +
           "social.coves:/oauth/callback"

     

       11
       11
       +
         ],

     

       12
       12
       +
         "scope": "atproto transition:generic",

     

       13
       13
       +
         "grant_types": ["authorization_code", "refresh_token"],

     

       14
       14
       +
         "response_types": ["code"],

     

       15
       15
       +
         "application_type": "native",

     

       16
       16
       +
         "token_endpoint_auth_method": "none",

     

       17
       17
       +
         "dpop_bound_access_tokens": true

     

       18
       18
       +
       }

+97

static/oauth/callback.html

···

       1
       1
       +
       <!DOCTYPE html>

     

       2
       2
       +
       <html>

     

       3
       3
       +
       <head>

     

       4
       4
       +
         <meta charset="utf-8">

     

       5
       5
       +
         <meta name="viewport" content="width=device-width, initial-scale=1">

     

       6
       6
       +
         <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'">

     

       7
       7
       +
         <title>Authorization Successful - Coves</title>

     

       8
       8
       +
         <style>

     

       9
       9
       +
           body {

     

       10
       10
       +
             font-family: system-ui, -apple-system, sans-serif;

     

       11
       11
       +
             display: flex;

     

       12
       12
       +
             align-items: center;

     

       13
       13
       +
             justify-content: center;

     

       14
       14
       +
             min-height: 100vh;

     

       15
       15
       +
             margin: 0;

     

       16
       16
       +
             background: #f5f5f5;

     

       17
       17
       +
           }

     

       18
       18
       +
           .container {

     

       19
       19
       +
             text-align: center;

     

       20
       20
       +
             padding: 2rem;

     

       21
       21
       +
             background: white;

     

       22
       22
       +
             border-radius: 8px;

     

       23
       23
       +
             box-shadow: 0 2px 8px rgba(0,0,0,0.1);

     

       24
       24
       +
             max-width: 400px;

     

       25
       25
       +
           }

     

       26
       26
       +
           .success { color: #22c55e; font-size: 3rem; margin-bottom: 1rem; }

     

       27
       27
       +
           h1 { margin: 0 0 0.5rem; color: #1f2937; font-size: 1.5rem; }

     

       28
       28
       +
           p { color: #6b7280; margin: 0.5rem 0; }

     

       29
       29
       +
           a {

     

       30
       30
       +
             display: inline-block;

     

       31
       31
       +
             margin-top: 1rem;

     

       32
       32
       +
             padding: 0.75rem 1.5rem;

     

       33
       33
       +
             background: #3b82f6;

     

       34
       34
       +
             color: white;

     

       35
       35
       +
             text-decoration: none;

     

       36
       36
       +
             border-radius: 6px;

     

       37
       37
       +
             font-weight: 500;

     

       38
       38
       +
           }

     

       39
       39
       +
           a:hover { background: #2563eb; }

     

       40
       40
       +
         </style>

     

       41
       41
       +
       </head>

     

       42
       42
       +
       <body>

     

       43
       43
       +
         <div class="container">

     

       44
       44
       +
           <div class="success">✓</div>

     

       45
       45
       +
           <h1>Authorization Successful!</h1>

     

       46
       46
       +
           <p id="status">Returning to Coves...</p>

     

       47
       47
       +
           <a href="#" id="manualLink">Open Coves</a>

     

       48
       48
       +
         </div>

     

       49
       49
       +
         <script>

     

       50
       50
       +
           (function() {

     

       51
       51
       +
             // Parse and sanitize query params - only allow expected OAuth parameters

     

       52
       52
       +
             const urlParams = new URLSearchParams(window.location.search);

     

       53
       53
       +
             const safeParams = new URLSearchParams();

     

       54
       54
       +
       

     

       55
       55
       +
             // Whitelist only expected OAuth callback parameters

     

       56
       56
       +
             const code = urlParams.get('code');

     

       57
       57
       +
             const state = urlParams.get('state');

     

       58
       58
       +
             const error = urlParams.get('error');

     

       59
       59
       +
             const errorDescription = urlParams.get('error_description');

     

       60
       60
       +
             const iss = urlParams.get('iss');

     

       61
       61
       +
       

     

       62
       62
       +
             if (code) safeParams.set('code', code);

     

       63
       63
       +
             if (state) safeParams.set('state', state);

     

       64
       64
       +
             if (error) safeParams.set('error', error);

     

       65
       65
       +
             if (errorDescription) safeParams.set('error_description', errorDescription);

     

       66
       66
       +
             if (iss) safeParams.set('iss', iss);

     

       67
       67
       +
       

     

       68
       68
       +
             const sanitizedQuery = safeParams.toString() ? '?' + safeParams.toString() : '';

     

       69
       69
       +
       

     

       70
       70
       +
             const userAgent = navigator.userAgent || '';

     

       71
       71
       +
             const isAndroid = /Android/i.test(userAgent);

     

       72
       72
       +
       

     

       73
       73
       +
             // Build deep link based on platform

     

       74
       74
       +
             let deepLink;

     

       75
       75
       +
             if (isAndroid) {

     

       76
       76
       +
               // Android: Intent URL format

     

       77
       77
       +
               const pathAndQuery = '/oauth/callback' + sanitizedQuery;

     

       78
       78
       +
               deepLink = 'intent:/' + pathAndQuery + '#Intent;scheme=social.coves;package=social.coves;end';

     

       79
       79
       +
             } else {

     

       80
       80
       +
               // iOS: Custom scheme

     

       81
       81
       +
               deepLink = 'social.coves:/oauth/callback' + sanitizedQuery;

     

       82
       82
       +
             }

     

       83
       83
       +
       

     

       84
       84
       +
             // Update manual link

     

       85
       85
       +
             document.getElementById('manualLink').href = deepLink;

     

       86
       86
       +
       

     

       87
       87
       +
             // Attempt automatic redirect

     

       88
       88
       +
             window.location.href = deepLink;

     

       89
       89
       +
       

     

       90
       90
       +
             // Update status after 2 seconds if redirect didn't work

     

       91
       91
       +
             setTimeout(function() {

     

       92
       92
       +
               document.getElementById('status').textContent = 'Click the button above to continue';

     

       93
       93
       +
             }, 2000);

     

       94
       94
       +
           })();

     

       95
       95
       +
         </script>

     

       96
       96
       +
       </body>

     

       97
       97
       +
       </html>