docker-compose.prod.yml at main · bretton.dev/coves

bretton.dev / coves
A community based topic aggregation platform built on atproto
coves / docker-compose.prod.yml
at main 8.6 kB view raw
  1# Coves Production Stack
  2#
  3# Architecture:
  4#   - coves.social: AppView domain (API, frontend, .well-known/did.json)
  5#   - pds.coves.me: PDS domain (canonical hostname for relay registration)
  6#   - coves.me: PDS domain (legacy, kept for compatibility)
  7#
  8# Hardware: AMD Epyc 7351p (16c/32t), 256GB RAM, 2x500GB NVMe RAID
  9#
 10# Usage:
 11#   docker-compose -f docker-compose.prod.yml up -d
 12#
 13# Prerequisites:
 14#   1. DNS configured for both domains
 15#   2. SSL certificates (Caddy handles this automatically)
 16#   3. .env.prod file with secrets
 17#   4. .well-known/did.json deployed to coves.social
 18
 19services:
 20  # PostgreSQL Database for AppView
 21  postgres:
 22    image: postgres:15
 23    container_name: coves-prod-postgres
 24    restart: unless-stopped
 25    environment:
 26      POSTGRES_DB: ${POSTGRES_DB}
 27      POSTGRES_USER: ${POSTGRES_USER}
 28      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
 29    volumes:
 30      - postgres-data:/var/lib/postgresql/data
 31      # Mount backup directory for pg_dump
 32      - ./backups:/backups
 33    networks:
 34      - coves-internal
 35    healthcheck:
 36      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
 37      interval: 10s
 38      timeout: 5s
 39      retries: 5
 40    # Generous limits for 256GB server
 41    deploy:
 42      resources:
 43        limits:
 44          memory: 32G
 45        reservations:
 46          memory: 4G
 47
 48  # Coves AppView (Go Server)
 49  appview:
 50    build:
 51      context: .
 52      dockerfile: Dockerfile
 53    image: coves/appview:${VERSION:-latest}
 54    container_name: coves-prod-appview
 55    restart: unless-stopped
 56    ports:
 57      - "127.0.0.1:8080:8080"  # Only expose to localhost (Caddy proxies)
 58    environment:
 59      # Database
 60      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable
 61
 62      # Instance identity
 63      INSTANCE_DID: did:web:coves.social
 64      INSTANCE_DOMAIN: coves.social
 65      APPVIEW_PUBLIC_URL: https://coves.social
 66
 67      # PDS connection (separate domain!)
 68      PDS_URL: https://coves.me
 69
 70      # Jetstream (Bluesky production firehose)
 71      JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe
 72
 73      # Custom lexicon consumers (use production Jetstream with collection filters)
 74      COMMUNITY_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription
 75      POST_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post
 76      AGGREGATOR_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.aggregator.service&wantedCollections=social.coves.aggregator.authorization
 77      VOTE_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote
 78      COMMENT_JETSTREAM_URL: wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment
 79
 80      # Security - MUST be false in production
 81      AUTH_SKIP_VERIFY: "false"
 82      SKIP_DID_WEB_VERIFICATION: "false"
 83
 84      # OAuth (for community account provisioning)
 85      OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID}
 86      OAUTH_REDIRECT_URI: ${OAUTH_REDIRECT_URI}
 87      OAUTH_SEAL_SECRET: ${OAUTH_SEAL_SECRET}
 88
 89      # Application settings
 90      PORT: 8080
 91      ENV: production
 92      LOG_LEVEL: info
 93
 94      # Encryption key for community credentials
 95      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
 96
 97      # Cursor encryption for pagination
 98      CURSOR_SECRET: ${CURSOR_SECRET}
 99
100      # PDS JWT secret for verifying HS256 tokens from the PDS
101      # Must match the PDS_JWT_SECRET configured on the PDS
102      PDS_JWT_SECRET: ${PDS_JWT_SECRET}
103      # Whitelist PDS issuer(s) allowed to use HS256 (no kid)
104      HS256_ISSUERS: ${HS256_ISSUERS}
105
106      # Restrict community creation to instance DID only
107      COMMUNITY_CREATORS: did:web:coves.social
108
109      # Trusted aggregators (bypass per-community authorization check)
110      # Comma-separated list of DIDs
111      TRUSTED_AGGREGATOR_DIDS: ${TRUSTED_AGGREGATOR_DIDS:-}
112    networks:
113      - coves-internal
114    depends_on:
115      postgres:
116        condition: service_healthy
117    healthcheck:
118      test: ["CMD", "wget", "--spider", "-q", "http://localhost:8080/xrpc/_health"]
119      interval: 30s
120      timeout: 5s
121      retries: 3
122      start_period: 10s
123    # Go is memory-efficient, but give it room for connection pools
124    deploy:
125      resources:
126        limits:
127          memory: 8G
128        reservations:
129          memory: 512M
130
131  # Bluesky PDS (Personal Data Server)
132  # Handles community accounts and their repositories
133  pds:
134    image: ghcr.io/bluesky-social/pds:latest
135    container_name: coves-prod-pds
136    restart: unless-stopped
137    ports:
138      - "127.0.0.1:3000:3000"  # Only expose to localhost (Caddy proxies)
139    environment:
140      # PDS identity (use pds.coves.me for fresh relay registration)
141      PDS_HOSTNAME: pds.coves.me
142      PDS_PORT: 3000
143      PDS_DATA_DIRECTORY: /pds
144      PDS_BLOB_UPLOAD_LIMIT: 104857600  # 100 MB
145
146      # S3-compatible blob storage
147      PDS_BLOBSTORE_S3_BUCKET: ${PDS_S3_BUCKET}
148      PDS_BLOBSTORE_S3_REGION: ${PDS_S3_REGION}
149      PDS_BLOBSTORE_S3_ENDPOINT: ${PDS_S3_ENDPOINT}
150      PDS_BLOBSTORE_S3_ACCESS_KEY_ID: ${PDS_S3_ACCESS_KEY_ID}
151      PDS_BLOBSTORE_S3_SECRET_ACCESS_KEY: ${PDS_S3_SECRET_ACCESS_KEY}
152      PDS_BLOBSTORE_S3_FORCE_PATH_STYLE: "true"
153
154      # PLC Directory (production)
155      PDS_DID_PLC_URL: https://plc.directory
156
157      # Handle domains
158      # Community handles use @community.coves.social (AppView domain)
159      # Note: Root domain (coves.social) handle works via .well-known resolution
160      PDS_SERVICE_HANDLE_DOMAINS: .coves.social
161
162      # Security (set real values in .env.prod)
163      PDS_JWT_SECRET: ${PDS_JWT_SECRET}
164      PDS_ADMIN_PASSWORD: ${PDS_ADMIN_PASSWORD}
165      PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX: ${PDS_ROTATION_KEY}
166
167      # Email (optional, for account recovery)
168      # NOTE: Must set BOTH or NEITHER - PDS fails with partial config
169      # PDS_EMAIL_SMTP_URL: ${PDS_EMAIL_SMTP_URL}
170      # PDS_EMAIL_FROM_ADDRESS: ${PDS_EMAIL_FROM_ADDRESS}
171
172      # Production mode
173      PDS_DEV_MODE: "false"
174      PDS_INVITE_REQUIRED: "true"
175
176      # Logging
177      NODE_ENV: production
178      LOG_ENABLED: "true"
179      LOG_LEVEL: info
180
181      # AppView proxy (for app.bsky.* methods like getProfile, notifications, etc.)
182      PDS_BSKY_APP_VIEW_URL: https://api.bsky.app
183      PDS_BSKY_APP_VIEW_DID: did:web:api.bsky.app
184
185      # Report service (for reporting content)
186      PDS_REPORT_SERVICE_URL: https://mod.bsky.app
187      PDS_REPORT_SERVICE_DID: did:plc:ar7c4by46qjdydhdevvrndac
188
189      # Relay crawlers (for federation with Bluesky network)
190      PDS_CRAWLERS: https://bsky.network,https://relay1.us-east.bsky.network,https://relay1.us-west.bsky.network,https://relay.fire.hose.cam,https://relay.upcloud.world
191    volumes:
192      - pds-data:/pds
193    networks:
194      - coves-internal
195    healthcheck:
196      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3000/xrpc/_health"]
197      interval: 30s
198      timeout: 5s
199      retries: 5
200    # PDS (Node.js) needs memory for blob handling
201    deploy:
202      resources:
203        limits:
204          memory: 16G
205        reservations:
206          memory: 1G
207
208  # Caddy Reverse Proxy
209  # Handles HTTPS automatically via Let's Encrypt
210  # Uses Cloudflare plugin for wildcard SSL certificates (*.coves.social)
211  caddy:
212    # Pre-built Caddy with Cloudflare DNS plugin
213    # Updates automatically with docker-compose pull
214    # Alternative: build your own with Dockerfile.caddy
215    image: ghcr.io/slothcroissant/caddy-cloudflaredns:latest
216    container_name: coves-prod-caddy
217    restart: unless-stopped
218    ports:
219      - "80:80"
220      - "443:443"
221    environment:
222      # Required for wildcard SSL via DNS challenge
223      # Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token
224      # Permissions: Zone:DNS:Edit for coves.social zone
225      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
226    volumes:
227      - ./Caddyfile:/etc/caddy/Caddyfile:ro
228      - caddy-data:/data
229      - caddy-config:/config
230      # Static files (.well-known, client-metadata.json, oauth callback)
231      - ./static:/srv:ro
232    networks:
233      - coves-internal
234    depends_on:
235      - appview
236      - pds
237
238networks:
239  coves-internal:
240    driver: bridge
241    name: coves-prod-network
242
243volumes:
244  postgres-data:
245    name: coves-prod-postgres-data
246  pds-data:
247    name: coves-prod-pds-data
248  caddy-data:
249    name: coves-prod-caddy-data
250  caddy-config:
251    name: coves-prod-caddy-config