+1 -1

Cargo.toml

··· 15 15 tracing-subscriber = { version = "0.3", features = ["env-filter", "fmt"] } 16 16 hyper-util = { version = "0.1.16", features = ["client", "client-legacy"] } 17 17 tower-http = { version = "0.6", features = ["cors", "compression-zstd"] } 18 18 - tower_governor = "0.8.0" 18 18 + tower_governor = { version = "0.8.0", features = ["axum", "tracing"] } 19 19 hex = "0.4" 20 20 jwt-compact = { version = "0.8.0", features = ["es256k"] } 21 21 scrypt = "0.11"

+49 -1

README.md

··· 49 49 - pds 50 50 ``` 51 51 52 52 + For Coolify, if you're using Traefik as your proxy you'll need to make sure the labels for the container are set up correctly. A full example can be found at [./examples/coolify-compose.yml](./examples/coolify-compose.yml). 53 53 + 54 54 + ```yml 55 55 + gatekeeper: 56 56 + container_name: gatekeeper 57 57 + image: 'fatfingers23/pds_gatekeeper:latest' 58 58 + restart: unless-stopped 59 59 + volumes: 60 60 + - '/pds:/pds' 61 61 + environment: 62 62 + - 'PDS_DATA_DIRECTORY=${PDS_DATA_DIRECTORY:-/pds}' 63 63 + - 'PDS_BASE_URL=http://pds:3000' 64 64 + - GATEKEEPER_HOST=0.0.0.0 65 65 + depends_on: 66 66 + - pds 67 67 + healthcheck: 68 68 + test: 69 69 + - CMD 70 70 + - timeout 71 71 + - '1' 72 72 + - bash 73 73 + - '-c' 74 74 + - 'cat < /dev/null > /dev/tcp/0.0.0.0/8080' 75 75 + interval: 10s 76 76 + timeout: 5s 77 77 + retries: 3 78 78 + start_period: 10s 79 79 + labels: 80 80 + - traefik.enable=true 81 81 + - 'traefik.http.routers.pds-gatekeeper.rule=Host(`yourpds.com`) && (Path(`/xrpc/com.atproto.server.getSession`) || Path(`/xrpc/com.atproto.server.updateEmail`) || Path(`/xrpc/com.atproto.server.createSession`) || Path(`/xrpc/com.atproto.server.createAccount`) || Path(`/@atproto/oauth-provider/~api/sign-in`))' 82 82 + - traefik.http.routers.pds-gatekeeper.entrypoints=https 83 83 + - traefik.http.routers.pds-gatekeeper.tls=true 84 84 + - traefik.http.routers.pds-gatekeeper.priority=100 85 85 + - traefik.http.routers.pds-gatekeeper.middlewares=gatekeeper-cors 86 86 + - traefik.http.services.pds-gatekeeper.loadbalancer.server.port=8080 87 87 + - traefik.http.services.pds-gatekeeper.loadbalancer.server.scheme=http 88 88 + - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowmethods=GET,POST,PUT,DELETE,OPTIONS,PATCH' 89 89 + - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowheaders=*' 90 90 + - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolalloworiginlist=*' 91 91 + - traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolmaxage=100 92 92 + - traefik.http.middlewares.gatekeeper-cors.headers.addvaryheader=true 93 93 + - traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowcredentials=true 94 94 + ``` 95 95 + 52 96 ## Caddy setup 53 97 54 98 For the reverse proxy I use caddy. This part is what overwrites the endpoints and proxies them to PDS gatekeeper to add ··· 80 124 path /xrpc/com.atproto.server.getSession 81 125 path /xrpc/com.atproto.server.updateEmail 82 126 path /xrpc/com.atproto.server.createSession 127 127 + path /xrpc/com.atproto.server.createAccount 83 128 path /@atproto/oauth-provider/~api/sign-in 84 129 } 85 130 86 131 handle @gatekeeper { 87 87 - reverse_proxy http://localhost:8080 132 132 + reverse_proxy http://localhost:8080 { 133 133 + #Makes sure the cloudflare ip is proxied and able to be picked up by pds gatekeeper 134 134 + header_up X-Forwarded-For {http.request.header.CF-Connecting-IP} 135 135 + } 88 136 } 89 137 90 138 reverse_proxy http://localhost:3000

+73

examples/coolify-compose.yml

··· 1 1 + services: 2 2 + pds: 3 3 + image: 'ghcr.io/bluesky-social/pds:0.4.182' 4 4 + volumes: 5 5 + - '/pds:/pds' 6 6 + environment: 7 7 + - SERVICE_URL_PDS_3000 8 8 + - 'PDS_HOSTNAME=${SERVICE_FQDN_PDS_3000}' 9 9 + - 'PDS_JWT_SECRET=${SERVICE_HEX_32_JWTSECRET}' 10 10 + - 'PDS_ADMIN_PASSWORD=${SERVICE_PASSWORD_ADMIN}' 11 11 + - 'PDS_ADMIN_EMAIL=${PDS_ADMIN_EMAIL}' 12 12 + - 'PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=${SERVICE_HEX_32_ROTATIONKEY}' 13 13 + - 'PDS_DATA_DIRECTORY=${PDS_DATA_DIRECTORY:-/pds}' 14 14 + - 'PDS_BLOBSTORE_DISK_LOCATION=${PDS_DATA_DIRECTORY:-/pds}/blocks' 15 15 + - 'PDS_BLOB_UPLOAD_LIMIT=${PDS_BLOB_UPLOAD_LIMIT:-104857600}' 16 16 + - 'PDS_DID_PLC_URL=${PDS_DID_PLC_URL:-https://plc.directory}' 17 17 + - 'PDS_EMAIL_FROM_ADDRESS=${PDS_EMAIL_FROM_ADDRESS}' 18 18 + - 'PDS_EMAIL_SMTP_URL=${PDS_EMAIL_SMTP_URL}' 19 19 + - 'PDS_BSKY_APP_VIEW_URL=${PDS_BSKY_APP_VIEW_URL:-https://api.bsky.app}' 20 20 + - 'PDS_BSKY_APP_VIEW_DID=${PDS_BSKY_APP_VIEW_DID:-did:web:api.bsky.app}' 21 21 + - 'PDS_REPORT_SERVICE_URL=${PDS_REPORT_SERVICE_URL:-https://mod.bsky.app/xrpc/com.atproto.moderation.createReport}' 22 22 + - 'PDS_REPORT_SERVICE_DID=${PDS_REPORT_SERVICE_DID:-did:plc:ar7c4by46qjdydhdevvrndac}' 23 23 + - 'PDS_CRAWLERS=${PDS_CRAWLERS:-https://bsky.network}' 24 24 + - 'LOG_ENABLED=${LOG_ENABLED:-true}' 25 25 + command: "sh -c '\n set -euo pipefail\n echo \"Installing required packages and pdsadmin...\"\n apk add --no-cache openssl curl bash jq coreutils gnupg util-linux-misc >/dev/null\n curl -o /usr/local/bin/pdsadmin.sh https://raw.githubusercontent.com/bluesky-social/pds/main/pdsadmin.sh\n chmod 700 /usr/local/bin/pdsadmin.sh\n ln -sf /usr/local/bin/pdsadmin.sh /usr/local/bin/pdsadmin\n echo \"Creating an empty pds.env file so pdsadmin works...\"\n touch ${PDS_DATA_DIRECTORY}/pds.env\n echo \"Launching PDS, enjoy!...\"\n exec node --enable-source-maps index.js\n'\n" 26 26 + healthcheck: 27 27 + test: 28 28 + - CMD 29 29 + - wget 30 30 + - '--spider' 31 31 + - 'http://127.0.0.1:3000/xrpc/_health' 32 32 + interval: 5s 33 33 + timeout: 10s 34 34 + retries: 10 35 35 + gatekeeper: 36 36 + container_name: gatekeeper 37 37 + image: 'fatfingers23/pds_gatekeeper:latest' 38 38 + restart: unless-stopped 39 39 + volumes: 40 40 + - '/pds:/pds' 41 41 + environment: 42 42 + - 'PDS_DATA_DIRECTORY=${PDS_DATA_DIRECTORY:-/pds}' 43 43 + - 'PDS_BASE_URL=http://pds:3000' 44 44 + - GATEKEEPER_HOST=0.0.0.0 45 45 + depends_on: 46 46 + - pds 47 47 + healthcheck: 48 48 + test: 49 49 + - CMD 50 50 + - timeout 51 51 + - '1' 52 52 + - bash 53 53 + - '-c' 54 54 + - 'cat < /dev/null > /dev/tcp/0.0.0.0/8080' 55 55 + interval: 10s 56 56 + timeout: 5s 57 57 + retries: 3 58 58 + start_period: 10s 59 59 + labels: 60 60 + - traefik.enable=true 61 61 + - 'traefik.http.routers.pds-gatekeeper.rule=Host(`yourpds.com`) && (Path(`/xrpc/com.atproto.server.getSession`) || Path(`/xrpc/com.atproto.server.updateEmail`) || Path(`/xrpc/com.atproto.server.createSession`) || Path(`/xrpc/com.atproto.server.createAccount`) || Path(`/@atproto/oauth-provider/~api/sign-in`))' 62 62 + - traefik.http.routers.pds-gatekeeper.entrypoints=https 63 63 + - traefik.http.routers.pds-gatekeeper.tls=true 64 64 + - traefik.http.routers.pds-gatekeeper.priority=100 65 65 + - traefik.http.routers.pds-gatekeeper.middlewares=gatekeeper-cors 66 66 + - traefik.http.services.pds-gatekeeper.loadbalancer.server.port=8080 67 67 + - traefik.http.services.pds-gatekeeper.loadbalancer.server.scheme=http 68 68 + - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowmethods=GET,POST,PUT,DELETE,OPTIONS,PATCH' 69 69 + - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowheaders=*' 70 70 + - 'traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolalloworiginlist=*' 71 71 + - traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolmaxage=100 72 72 + - traefik.http.middlewares.gatekeeper-cors.headers.addvaryheader=true 73 73 + - traefik.http.middlewares.gatekeeper-cors.headers.accesscontrolallowcredentials=true

+1 -1

justfile

··· 2 2 docker buildx build \ 3 3 --platform linux/arm64,linux/amd64 \ 4 4 --tag fatfingers23/pds_gatekeeper:latest \ 5 5 - --tag fatfingers23/pds_gatekeeper:0.1.0.2 \ 5 5 + --tag fatfingers23/pds_gatekeeper:0.1.0.3 \ 6 6 --push .

+6 -1

src/main.rs

··· 20 20 use std::{env, net::SocketAddr}; 21 21 use tower_governor::GovernorLayer; 22 22 use tower_governor::governor::GovernorConfigBuilder; 23 23 + use tower_governor::key_extractor::SmartIpKeyExtractor; 23 24 use tower_http::compression::CompressionLayer; 24 25 use tower_http::cors::{Any, CorsLayer}; 25 26 use tracing::log; ··· 172 173 let create_session_governor_conf = GovernorConfigBuilder::default() 173 174 .per_second(60) 174 175 .burst_size(5) 176 176 + .key_extractor(SmartIpKeyExtractor) 175 177 .finish() 176 178 .expect("failed to create governor config for create session. this should not happen and is a bug"); 177 179 ··· 179 181 let sign_in_governor_conf = GovernorConfigBuilder::default() 180 182 .per_second(60) 181 183 .burst_size(5) 184 184 + .key_extractor(SmartIpKeyExtractor) 182 185 .finish() 183 186 .expect( 184 187 "failed to create governor config for sign in. this should not happen and is a bug", ··· 207 210 create_account_governor_conf.burst_size(burst); 208 211 } 209 212 210 210 - let create_account_governor_conf = create_account_governor_conf.finish().expect( 213 213 + let create_account_governor_conf = create_account_governor_conf 214 214 + .key_extractor(SmartIpKeyExtractor) 215 215 + .finish().expect( 211 216 "failed to create governor config for create account. this should not happen and is a bug", 212 217 ); 213 218

+2 -1

src/oauth_provider.rs

··· 13 13 pub struct SignInRequest { 14 14 pub username: String, 15 15 pub password: String, 16 16 - pub remember: bool, 16 16 + #[serde(skip_serializing_if = "Option::is_none")] 17 17 + pub remember: Option<bool>, 17 18 pub locale: String, 18 19 #[serde(skip_serializing_if = "Option::is_none", rename = "emailOtp")] 19 20 pub email_otp: Option<String>,