comparing 863780d19f0ddcb0ccd484e52b5aa13a43d3772f and main on edouard.paris/atproto-nix-env

.gitignore

+6 -14

Caddyfile

···

       2
       2
        
           auto_https off

     

       3
       3
        
       }

     

       4
       4
        
       

     

       5
       5
       -
       localhost:8443 {

     

       6
       6
       -
           tls ./certs/cert.pem ./certs/key.pem

     

       7
       7
       -
       

     

       8
       8
       -
           header Content-Type "text/plain"

     

       9
       9
       -
           respond "Hello World!" 200

     

       10
       10
       -
       }

     

       11
       11
       -
       

     

       12
       12
       -
       localhost:8444 {

     

       13
       13
       -
           tls ./certs/cert.pem ./certs/key.pem

     

       14
       14
       -
       

     

       15
       15
       -
           header Content-Type "text/plain"

     

       16
       16
       -
           respond "Hello API!" 200

     

       17
       17
       -
       }

     

       18
       18
       -
       

     

       19
       5
        
       pds.example.org:8443 {

     

       20
       6
        
           tls ./certs/cert.pem ./certs/key.pem

     

       21
       7
        
       

     
···

       27
       13
        
       

     

       28
       14
        
           reverse_proxy localhost:2582

     

       29
       15
        
       }

     

       16
       16
       +
       

     

       17
       17
       +
       relay.example.org:8445 {

     

       18
       18
       +
           tls ./certs/cert.pem ./certs/key.pem

     

       19
       19
       +
       

     

       20
       20
       +
           reverse_proxy localhost:2470

     

       21
       21
       +
       }

+21

LICENSE

···

       1
       1
       +
       MIT License

     

       2
       2
       +
       

     

       3
       3
       +
       Copyright (c) 2025

     

       4
       4
       +
       

     

       5
       5
       +
       Permission is hereby granted, free of charge, to any person obtaining a copy

     

       6
       6
       +
       of this software and associated documentation files (the "Software"), to deal

     

       7
       7
       +
       in the Software without restriction, including without limitation the rights

     

       8
       8
       +
       to use, copy, modify, merge, publish, distribute, sublicense, and/or sell

     

       9
       9
       +
       copies of the Software, and to permit persons to whom the Software is

     

       10
       10
       +
       furnished to do so, subject to the following conditions:

     

       11
       11
       +
       

     

       12
       12
       +
       The above copyright notice and this permission notice shall be included in all

     

       13
       13
       +
       copies or substantial portions of the Software.

     

       14
       14
       +
       

     

       15
       15
       +
       THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR

     

       16
       16
       +
       IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,

     

       17
       17
       +
       FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE

     

       18
       18
       +
       AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER

     

       19
       19
       +
       LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,

     

       20
       20
       +
       OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE

     

       21
       21
       +
       SOFTWARE.

+60 -26

README.md

···

       4
       4
        
       

     

       5
       5
        
       ## Prerequisites

     

       6
       6
        
       

     

       7
       7
       -
       Make sure to add these lines to your `/etc/hosts` file:

     

       8
       8
       -
       ```

     

       9
       9
       -
       127.0.0.1 pds.example.org

     

       10
       10
       -
       127.0.0.1 plc.example.org

     

       11
       11
       -
       ```

     

       7
       7
       +
       1. **Install mkcert** (required for SSL certificate generation):

     

       8
       8
       +
          - On macOS: `brew install mkcert`

     

       9
       9
       +
          - On Linux: See [mkcert installation guide](https://github.com/FiloSottile/mkcert#installation)

     

       10
       10
       +
          - After installation, run: `mkcert -install`

     

       12
       11
        
       

     

       13
       13
       -
       Generate SSL certificates before first use:

     

       14
       14
       -
       ```bash

     

       15
       15
       -
       nix run .#generate-certs

     

       16
       16
       -
       ```

     

       12
       12
       +
       2. **Add hosts file entries:**

     

       13
       13
       +
          ```

     

       14
       14
       +
          127.0.0.1 pds.example.org

     

       15
       15
       +
          127.0.0.1 plc.example.org

     

       16
       16
       +
          127.0.0.1 relay.example.org

     

       17
       17
       +
          ```

     

       18
       18
       +
       

     

       19
       19
       +
       3. **Generate SSL certificates before first use:**

     

       20
       20
       +
          ```bash

     

       21
       21
       +
          nix run .#generate-certs

     

       22
       22
       +
          ```

     

       17
       23
        
       

     

       18
       24
        
       ## Quick Start

     

       19
       25
        
       

     
···

       26
       32
        
          ```bash

     

       27
       33
        
          nix run .#all

     

       28
       34
        
          ```

     

       29
       29
       -
          This will start all services in a 2x2 tmux pane layout:

     

       30
       30
       -
          - Top-left: PLC server

     

       31
       31
       -
          - Bottom-left: MailHog server

     

       32
       32
       -
          - Top-right: PDS server

     

       33
       33
       -
          - Bottom-right: Caddy proxy

     

       35
       35
       +
          This will start all services in a single-column tmux pane layout:

     

       36
       36
       +
          - Pane 0: PLC server

     

       37
       37
       +
          - Pane 1: PDS server

     

       38
       38
       +
          - Pane 2: Caddy proxy

     

       39
       39
       +
          - Pane 3: AT Protocol Relay

     

       40
       40
       +
       

     

       41
       41
       +
       3. **Add PDS host to the relay:**

     

       42
       42
       +
          ```bash

     

       43
       43
       +
          goat relay --relay-host=https://relay.example.org:8445 admin --admin-password=password host add "https://pds.example.org:8443"

     

       44
       44
       +
          ```

     

       34
       45
        
       

     

       35
       35
       -
       3. **Create an invite code:**

     

       46
       46
       +
       4. **Create an invite code:**

     

       36
       47
        
          ```bash

     

       37
       48
        
          scripts/create-invite.sh

     

       38
       49
        
          ```

     

       39
       50
        
       

     

       40
       40
       -
       4. **Create a user account:**

     

       51
       51
       +
       5. **Create a user account:**

     

       41
       52
        
          ```bash

     

       42
       53
        
          goat account create \

     

       43
       54
        
            --pds-host=https://pds.example.org:8443 \

     
···

       47
       58
        
            --handle=edouard.pds.example.org

     

       48
       59
        
          ```

     

       49
       60
        
       

     

       50
       50
       -
          Expected output:

     

       61
       61
       +
       6. **Verify the DID is registered:**

     

       62
       62
       +
          ```bash

     

       63
       63
       +
          goat plc --plc-host=https://plc.example.org data <your-did>

     

       51
       64
        
          ```

     

       52
       52
       -
          Success!

     

       53
       53
       -
          DID: did:plc:pzvsc3jwfjwidojtpbxv4rdd

     

       54
       54
       -
          Handle: edouard.pds.example.org

     

       65
       65
       +
       

     

       66
       66
       +
       7. **Login to your account:**

     

       67
       67
       +
          ```bash

     

       68
       68
       +
          goat account login \

     

       69
       69
       +
            --username=edouard.pds.example.org \

     

       70
       70
       +
            --app-password=password \

     

       71
       71
       +
            --pds-host=https://pds.example.org:8443

     

       55
       72
        
          ```

     

       56
       73
        
       

     

       57
       57
       -
       5. **Verify the DID is registered:**

     

       74
       74
       +
       8. **Create your first post:**

     

       58
       75
        
          ```bash

     

       59
       59
       -
          goat --plc-host=https://plc.example.org data did:plc:pzvsc3jwfjwidojtpbxv4rdd

     

       76
       76
       +
          goat bsky post "hello world!"

     

       60
       77
        
          ```

     

       61
       78
        
       

     

       62
       79
        
       ## Services

     

       63
       80
        
       

     

       64
       81
        
       - **Bluesky PDS**: https://pds.example.org:8443

     

       65
       82
        
       - **DID PLC**: https://plc.example.org:8444

     

       83
       83
       +
       - **AT Protocol Relay**: https://relay.example.org:8445

     

       66
       84
        
       - **MailHog**: http://localhost:8025

     

       67
       85
        
       

     

       68
       68
       -
       ## Available Tools

     

       86
       86
       +
       ## Monitoring

     

       87
       87
       +
       

     

       88
       88
       +
       To monitor the AT Protocol relay firehose:

     

       89
       89
       +
       ```bash

     

       90
       90
       +
       goat firehose --relay-host wss://relay.example.org:8445

     

       91
       91
       +
       ```

     

       69
       92
        
       

     

       70
       70
       -
       - `goat` - AT Protocol CLI tool

     

       71
       71
       -
       - `curl`, `jq` - HTTP and JSON utilities

     

       72
       72
       -
       - `tmux` - Terminal multiplexer

     

       93
       93
       +
       This will show real-time events from the relay. You can run this in a separate terminal or tmux pane.

     

       73
       94
        
       

     

       74
       95
        
       ## Management Commands

     

       75
       96
        
       

     

       76
       97
        
       - `tmux attach -t atproto` - Attach to the services session

     

       77
       98
        
       - `tmux kill-session -t atproto` - Stop all services

     

       99
       99
       +
       - `nix run .#mailhog` - Start MailHog (run separately if needed)

     

       78
       100
        
       - `nix run .#generate-certs` - Generate SSL certificates

     

       101
       101
       +
       

     

       102
       102
       +
       ## ⚠️ Security Warning

     

       103
       103
       +
       

     

       104
       104
       +
       **This environment uses a modified AT Protocol relay with SSRF protection disabled.** 

     

       105
       105
       +
       

     

       106
       106
       +
       - The relay is built from a forked repository (`edouardparis/indigo`) with SSRF (Server-Side Request Forgery) protections disabled

     

       107
       107
       +
       - Custom ports are allowed without restrictions

     

       108
       108
       +
       - **This configuration is ONLY safe for local development environments**

     

       109
       109
       +
       - **DO NOT use this relay configuration against external hosts or in production**

     

       110
       110
       +
       - **DO NOT expose this relay to the internet**

     

       111
       111
       +
       

     

       112
       112
       +
       This setup is designed for controlled local testing where you need flexibility in network access that would normally be restricted for security reasons.

+49 -12

flake.nix

···

       14
       14
        
           caddy-proxy = pkgs.callPackage ./packages/caddy.nix { };

     

       15
       15
        
           pds = pkgs.callPackage ./packages/pds.nix { };

     

       16
       16
        
           mailhog = pkgs.callPackage ./packages/mailhog.nix { };

     

       17
       17
       +
           indigo-relay = pkgs.callPackage ./packages/indigo-relay.nix { };

     

       17
       18
        
         in

     

       18
       19
        
         {

     

       19
       20
        
           packages.${system} = {

     
···

       25
       26
        
             pds = pds;

     

       26
       27
        
       

     

       27
       28
        
             mailhog = mailhog;

     

       29
       29
       +
       

     

       30
       30
       +
             indigo-relay = indigo-relay;

     

       28
       31
        
       

     

       29
       32
        
             # Script to generate certificates on host

     

       30
       33
        
             generate-certs = pkgs.writeShellScriptBin "generate-certs" ''

     
···

       44
       47
        
                 127.0.0.1 \

     

       45
       48
        
                 ::1 \

     

       46
       49
        
                 pds.example.org \

     

       47
       47
       -
                 plc.example.org

     

       50
       50
       +
                 plc.example.org \

     

       51
       51
       +
                 relay.example.org

     

       48
       52
        
       

     

       49
       53
        
               echo "Certificates generated in ./certs/"

     

       50
       54
        
               echo "Files created:"

     
···

       87
       91
        
               # Create new tmux session with PLC server

     

       88
       92
        
               tmux new-session -d -s atproto "${plc}/bin/plc"

     

       89
       93
        
       

     

       90
       90
       -
               # Split horizontally for PDS server

     

       91
       91
       -
               tmux split-window -h -t atproto "${pds}/bin/pds"

     

       94
       94
       +
               # Split vertically for PDS server

     

       95
       95
       +
               tmux split-window -v -t atproto "${pds}/bin/pds"

     

       92
       96
        
       

     

       93
       93
       -
               # Split the right pane vertically for Caddy proxy

     

       94
       94
       -
               tmux split-window -v -t atproto.1 "${caddy-proxy}/bin/caddy-proxy"

     

       97
       97
       +
               # Split vertically for Caddy proxy

     

       98
       98
       +
               tmux split-window -v -t atproto "${caddy-proxy}/bin/caddy-proxy"

     

       99
       99
       +
       

     

       100
       100
       +
               # Split vertically for Relay (with environment variables)

     

       101
       101
       +
               tmux split-window -v -t atproto "

     

       102
       102
       +
                 export RELAY_ADMIN_PASSWORD=password

     

       103
       103
       +
                 export RELAY_PLC_HOST=https://plc.example.org:8444

     

       104
       104
       +
                 export RELAY_TRUSTED_DOMAINS=*.example.org

     

       105
       105
       +
                 export RELAY_ALLOW_INSECURE_HOSTS=true

     

       106
       106
       +
                 export RELAY_LOG_LEVEL=debug

     

       107
       107
       +
                 export RELAY_DISABLE_SSRF=true

     

       108
       108
       +
                 export RELAY_ALLOW_CUSTOM_PORTS=true

     

       109
       109
       +
                 ${indigo-relay}/bin/relay serve

     

       110
       110
       +
               "

     

       95
       111
        
       

     

       96
       96
       -
               # Split the left pane vertically for MailHog

     

       97
       97
       -
               tmux split-window -v -t atproto.0 "${mailhog}/bin/mailhog"

     

       98
       112
        
       

     

       99
       113
        
               # Select the first pane

     

       100
       114
        
               tmux select-pane -t atproto.0

     
···

       105
       119
        
               echo "   tmux attach -t atproto       - Attach to the session"

     

       106
       120
        
               echo "   tmux kill-session -t atproto - Stop all services"

     

       107
       121
        
               echo ""

     

       108
       108
       -
               echo "🔲 Panes layout (2x2 grid):"

     

       109
       109
       -
               echo "   • Top-left:     PLC server"

     

       110
       110
       -
               echo "   • Bottom-left:  MailHog server"

     

       111
       111
       -
               echo "   • Top-right:    PDS server" 

     

       112
       112
       -
               echo "   • Bottom-right: Caddy proxy"

     

       122
       122
       +
               echo "📋 Panes layout:"

     

       123
       123
       +
               echo "   • Pane 0: PLC server"

     

       124
       124
       +
               echo "   • Pane 1: PDS server"

     

       125
       125
       +
               echo "   • Pane 2: Caddy proxy" 

     

       126
       126
       +
               echo "   • Pane 3: AT Protocol Relay"

     

       113
       127
        
               echo ""

     

       114
       128
        
               echo "💡 Use Ctrl+b followed by arrow keys to switch between panes"

     

       129
       129
       +
               echo "💡 To monitor firehose: goat firehose --relay-host wss://relay.example.org:8445"

     

       130
       130
       +
             '';

     

       131
       131
       +
       

     

       132
       132
       +
             # Script to start relay with environment

     

       133
       133
       +
             relay = pkgs.writeShellScriptBin "relay" ''

     

       134
       134
       +
               set -e

     

       135
       135
       +
               

     

       136
       136
       +
               echo "Starting AT Protocol Relay..."

     

       137
       137
       +
               echo "Admin password: password"

     

       138
       138
       +
               echo "PLC host: https://plc.example.org:8444"

     

       139
       139
       +
               echo ""

     

       140
       140
       +
               

     

       141
       141
       +
               # Set relay environment variables

     

       142
       142
       +
               export RELAY_ADMIN_PASSWORD="password"

     

       143
       143
       +
               export RELAY_PLC_HOST="https://plc.example.org:8444"

     

       144
       144
       +
               export RELAY_TRUSTED_DOMAINS="*.example.org"

     

       145
       145
       +
               export RELAY_ALLOW_INSECURE_HOSTS="true"

     

       146
       146
       +
               export RELAY_LOG_LEVEL="debug"

     

       147
       147
       +
               export RELAY_DISABLE_SSRF="true"

     

       148
       148
       +
               export RELAY_ALLOW_CUSTOM_PORTS="true"

     

       149
       149
       +
               

     

       150
       150
       +
               ${indigo-relay}/bin/relay serve

     

       115
       151
        
             '';

     

       116
       152
        
           };

     

       117
       153
        
       

     
···

       146
       182
        
               echo "   nix run .#plc            - Start PLC server"

     

       147
       183
        
               echo "   nix run .#pds            - Start PDS server"

     

       148
       184
        
               echo "   nix run .#caddy-proxy    - Start Caddy proxy"

     

       185
       185
       +
               echo "   nix run .#relay          - Start AT Protocol Relay"

     

       149
       186
        
               echo "   nix run .#mailhog        - Start MailHog"

     

       150
       187
        
               echo "   nix run .#generate-certs - Generate SSL certificates"

     

       151
       188
        
               echo ""

+46

packages/indigo-relay.nix

···

       1
       1
       +
       { lib

     

       2
       2
       +
       , buildGoModule

     

       3
       3
       +
       , fetchFromGitHub

     

       4
       4
       +
       }:

     

       5
       5
       +
       

     

       6
       6
       +
       buildGoModule rec {

     

       7
       7
       +
         pname = "indigo-relay";

     

       8
       8
       +
         version = "unstable-2024-10-03";

     

       9
       9
       +
       

     

       10
       10
       +
         src = fetchFromGitHub {

     

       11
       11
       +
           owner = "edouardparis";

     

       12
       12
       +
           repo = "indigo";

     

       13
       13
       +
           rev = "disable-ssrf-and-allow-custom-ports";

     

       14
       14
       +
           hash = "sha256-0Uy/7IT3gVVkfntXauue07O6WDhmU+heNT4fSh+sK5A=";

     

       15
       15
       +
         };

     

       16
       16
       +
       

     

       17
       17
       +
         vendorHash = "sha256-7mYvgvR0tZdEnUgUYzKv6d2QyeXXnrFgVwY8/4UM3oU=";

     

       18
       18
       +
       

     

       19
       19
       +
         # Build only the relay binary

     

       20
       20
       +
         subPackages = [ "cmd/relay" ];

     

       21
       21
       +
       

     

       22
       22
       +
         # Set the module path

     

       23
       23
       +
         modRoot = ".";

     

       24
       24
       +
       

     

       25
       25
       +
         # Build configuration

     

       26
       26
       +
         env.CGO_ENABLED = "1";

     

       27
       27
       +
         

     

       28
       28
       +
         # Build flags

     

       29
       29
       +
         ldflags = [

     

       30
       30
       +
           "-s"

     

       31
       31
       +
           "-w"

     

       32
       32
       +
           "-X github.com/carlmjohnson/versioninfo.Version=${version}"

     

       33
       33
       +
         ];

     

       34
       34
       +
       

     

       35
       35
       +
         # Tests require additional services running

     

       36
       36
       +
         doCheck = false;

     

       37
       37
       +
       

     

       38
       38
       +
         meta = with lib; {

     

       39
       39
       +
           description = "AT Protocol relay daemon from the Indigo project";

     

       40
       40
       +
           homepage = "https://github.com/bluesky-social/indigo";

     

       41
       41
       +
           license = with licenses; [ mit asl20 ];  # Dual licensed

     

       42
       42
       +
           maintainers = with maintainers; [ ];

     

       43
       43
       +
           platforms = platforms.linux ++ platforms.darwin;

     

       44
       44
       +
           mainProgram = "relay";

     

       45
       45
       +
         };

     

       46
       46
       +
       }

Compare changes