# PDS gatekeeper

A microservice that sits on the same server as the PDS to add some of the security that the entryway does.

![Picture in black and white of a grassy hill with a gate at the top](./images/gate.jpg)

PDS gatekeeper works by overriding some of the PDS endpoints inside your Caddyfile to provide gatekeeping for certain endpoints. Mainly, the ability to have 2FA on a self-hosted PDS like you do on a Bluesky mushroom (PDS). Most of the logic of these endpoints still happens on the PDS via a proxied request; only some are gatekept.

# Features

## 2FA

- Overrides the login endpoint to add 2FA for both Bluesky client logins and OAuth logins
- Overrides the settings endpoints as well. As long as you have a confirmed email you can turn on 2FA

## Captcha on Create Account

Future feature?

# Setup

PDS Gatekeeper has 2 parts to its setup: a docker compose file and a reverse proxy (Caddy in this case). I will be assuming you set up the PDS following the directions found [here](https://atproto.com/guides/self-hosting), but if yours is different, or you have questions, feel free to let me know, and we can figure it out.

## Docker compose

The pds gatekeeper container can be found on Docker Hub under the name `fatfingers23/pds_gatekeeper`. The container does need access to the `/pds` root folder to access the same DBs as your PDS. The part you need to add would look a bit like below. You can find a full example of what I use for my PDS at [./examples/compose.yml](./examples/compose.yml). This is usually found at `/pds/compose.yaml` on your PDS.

```yml
gatekeeper:
  container_name: gatekeeper
  image: fatfingers23/pds_gatekeeper:arm-latest
  network_mode: host
  restart: unless-stopped
  # This gives the container access to the PDS folder. Source is the location of that directory on your server
  volumes:
    - type: bind
      source: /pds
      target: /pds
  depends_on:
    - pds
```

## Caddy setup

For the reverse proxy I use Caddy.
This part is what overrides the endpoints and proxies them to PDS gatekeeper to add in the extra functionality. The main part is below; for a full example see [./examples/Caddyfile](./examples/Caddyfile). This is usually found at `/pds/caddy/etc/caddy/Caddyfile` on your PDS.

```caddyfile
@gatekeeper {
    path /xrpc/com.atproto.server.getSession
    path /xrpc/com.atproto.server.updateEmail
    path /xrpc/com.atproto.server.createSession
    path /@atproto/oauth-provider/~api/sign-in
}

handle @gatekeeper {
    reverse_proxy http://localhost:8080
}

reverse_proxy http://localhost:3000
```

If you use a Cloudflare tunnel then your Caddyfile would look a bit more like below, with your tunnel proxying to `localhost:8081` (or whatever port you want).

```caddyfile
http://*.localhost:8082, http://localhost:8082 {
    @gatekeeper {
        path /xrpc/com.atproto.server.getSession
        path /xrpc/com.atproto.server.updateEmail
        path /xrpc/com.atproto.server.createSession
        path /@atproto/oauth-provider/~api/sign-in
    }

    handle @gatekeeper {
        reverse_proxy http://localhost:8080
    }

    reverse_proxy http://localhost:3000
}
```

# Environment variables and bonuses

Every environment variable can be set in the `pds.env` and shared between the PDS and gatekeeper, with the exception of `PDS_ENV_LOCATION`. This can be set to tell gatekeeper where to load the `pds.env` from; by default it checks `/pds/pds.env`, and it is recommended to mount the `/pds` folder on the server to `/pds` in the pds gatekeeper container.

`PDS_DATA_DIRECTORY` - Root directory of the PDS. Same as the one found in `pds.env`; this is how pds gatekeeper knows the rest of the environment variables.

`GATEKEEPER_EMAIL_TEMPLATES_DIRECTORY` - The folder for the templates of the emails PDS gatekeeper sends. You can find them in [./email_templates](./email_templates). You are free to edit them as you please and set this variable to a location in the pds gatekeeper container, and it will use them in place of the default ones. Just make sure to keep the names the same.

`PDS_BASE_URL` - Base URL of the PDS.
You most likely want `https://localhost:3000`, which is also the default.

`GATEKEEPER_HOST` - Host for pds gatekeeper. Defaults to `127.0.0.1`

`GATEKEEPER_PORT` - Port for pds gatekeeper. Defaults to `8080`
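An added check for the Caddy setup section above (example code written for this README, not part of PDS gatekeeper itself): it parses the `@gatekeeper` named matcher and the `handle @gatekeeper` block and reports any overridden endpoint that would still be proxied straight to the PDS, or an upstream whose port does not match `GATEKEEPER_PORT`. It assumes the Caddyfile layout shown in the examples above (one directive per line, opening brace at the end of the header line), and the sample Caddyfile is constructed with the `createSession` override left out.

```python
from urllib.parse import urlsplit
# Endpoints this README says PDS gatekeeper overrides; each must reach the gatekeeper, not the PDS.
GATEKEPT_PATHS = {
    "/xrpc/com.atproto.server.getSession",
    "/xrpc/com.atproto.server.updateEmail",
    "/xrpc/com.atproto.server.createSession",
    "/@atproto/oauth-provider/~api/sign-in",
}

def _block_lines(caddyfile, opener):
    """Yield stripped lines inside the first `{ }` block whose header starts with `opener`."""
    depth = 0
    for line in (raw.strip() for raw in caddyfile.splitlines()):
        if depth == 0:  # still looking for the block header, e.g. `@gatekeeper {`
            depth = 1 if line.startswith(opener) and line.endswith("{") else 0
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:  # closing brace of the block we were reading
            return
        yield line

def matcher_paths(caddyfile):
    """Paths listed in the `@gatekeeper { path ... }` named matcher."""
    return {p for ln in _block_lines(caddyfile, "@gatekeeper")
            if ln.startswith("path ") for p in ln.split()[1:]}

def audit(caddyfile, gatekeeper_port=8080):
    """Return findings; an empty list means every gatekept endpoint is intercepted."""
    findings = [f"{p} is proxied straight to the PDS, bypassing the gatekeeper"
                for p in sorted(GATEKEPT_PATHS - matcher_paths(caddyfile))]
    upstream = next((ln.split()[1] for ln in _block_lines(caddyfile, "handle @gatekeeper")
                     if ln.startswith("reverse_proxy ")), None)
    if upstream is None:
        findings.append("no `handle @gatekeeper` block with a reverse_proxy was found")
    elif urlsplit(upstream if "://" in upstream else "http://" + upstream).port != gatekeeper_port:
        findings.append(f"handle @gatekeeper proxies to {upstream}, not GATEKEEPER_PORT {gatekeeper_port}")
    return findings

# Constructed sample (not from the repo): the README's Caddyfile with the createSession override left out.
SAMPLE_MISSING_LOGIN = """\
@gatekeeper {
    path /xrpc/com.atproto.server.getSession
    path /xrpc/com.atproto.server.updateEmail
    path /@atproto/oauth-provider/~api/sign-in
}
handle @gatekeeper {
    reverse_proxy http://localhost:8080
}
reverse_proxy http://localhost:3000
"""
```

Run `audit()` over the real `/pds/caddy/etc/caddy/Caddyfile` after editing it; a non-empty result means a login or settings endpoint would reach the PDS without passing through gatekeeper.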