Our Personal Data Server from scratch!
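# =============================================================================
# Server
# =============================================================================
# Bind address and port. 127.0.0.1 is loopback-only, which fits a deployment
# behind a local reverse proxy (the Upload Limits section mentions nginx).
# NOTE(review): a non-loopback address exposes this port directly; confirm that
# TLS termination and proxy-level limits still sit in front of it.
SERVER_HOST=127.0.0.1
SERVER_PORT=3000
# The public-facing hostname of the PDS (used in DID documents, JWTs, etc.)
# localhost:3000 is a development value. Because this name is embedded in
# identity documents and tokens, set it to the real public hostname in production.
PDS_HOSTNAME=localhost:3000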
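# =============================================================================
# Database
# =============================================================================
# The postgres:postgres credentials below are a local-development example.
# In production use a dedicated role with a unique password and only the
# privileges the PDS needs, and keep the real .env out of version control and
# readable only by the service account.
# NOTE(review): for a database on another host, require TLS on the connection
# (e.g. an sslmode parameter in the URL) - confirm what the driver supports.
DATABASE_URL=postgres://postgres:postgres@localhost:5432/pds
# Connection pool settings (defaults are good for most deployments)
# DATABASE_MAX_CONNECTIONS=100
# DATABASE_MIN_CONNECTIONS=10
# DATABASE_ACQUIRE_TIMEOUT_SECS=30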
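# =============================================================================
# Blob Storage
# =============================================================================
# Backend: "filesystem" (default) or "s3"
# BLOB_STORAGE_BACKEND=filesystem
# For filesystem backend:
# The directory should be owned by the service account and not writable by
# other local users.
BLOB_STORAGE_PATH=/var/lib/tranquil/blobs
# For S3 backend:
# The endpoint below is plain http:// on localhost; use https:// for any
# endpoint that is not on the same machine.
# S3_ENDPOINT=http://localhost:9000
# AWS_REGION=us-east-1
# S3_BUCKET=pds-blobs
# minioadmin/minioadmin are MinIO's well-known default credentials and are
# shown as a local example only. Use an access key scoped to this bucket.
# AWS_ACCESS_KEY_ID=minioadmin
# AWS_SECRET_ACCESS_KEY=minioadmin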
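# =============================================================================
# Backups
# =============================================================================
# Enable/disable automatic repo backups
# BACKUP_ENABLED=true
# Backend: "filesystem" (default) or "s3"
# BACKUP_STORAGE_BACKEND=filesystem
# For filesystem backend:
# Backups are copies of user repositories: give this directory the same access
# restrictions as the live data, and prefer a different volume or host so one
# failure does not take out both.
BACKUP_STORAGE_PATH=/var/lib/tranquil/backups
# For S3 backend:
# BACKUP_S3_BUCKET=pds-backups
# Backup schedule and retention
# BACKUP_RETENTION_COUNT=7
# BACKUP_INTERVAL_SECS=86400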
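# =============================================================================
# Valkey (for caching and distributed rate limiting)
# =============================================================================
# If not set, falls back to in-memory caching (single-node only)
# NOTE(review): with several instances and no Valkey, rate-limit state would be
# per process rather than shared - confirm before scaling out.
# The example URL has no password and no TLS, which is only reasonable on
# localhost. For a remote instance use authentication and an encrypted
# connection (e.g. a rediss:// URL, if the client supports it).
# VALKEY_URL=redis://localhost:6379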
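# =============================================================================
# Security Secrets
# =============================================================================
# These MUST be set in production (minimum 32 characters each)
# In development, set TRANQUIL_PDS_ALLOW_INSECURE_SECRETS=1 to use defaults
#
# Generate each value separately from a cryptographically secure random source
# (for example `openssl rand -base64 48`) and do not reuse one value for two
# settings. The placeholder text below is itself longer than 32 characters, so
# a length check alone will not catch it being left in place.
# NOTE(review): confirm whether the server rejects the placeholder strings.
#
# Server-wide secret for OAuth token signing (HS256)
# HS256 is symmetric: anyone who learns this value can mint tokens the server
# will accept.
# JWT_SECRET=your-secure-random-string-at-least-32-chars
# Secret for DPoP proof validation
# DPOP_SECRET=your-secure-random-string-at-least-32-chars
# Key for encrypting user signing keys at rest (AES-256-GCM)
# NOTE(review): losing or changing this key presumably makes the stored signing
# keys undecryptable. Back it up separately from the database and confirm the
# rotation procedure before changing it.
# MASTER_KEY=your-secure-random-string-at-least-32-chars
# Set this ONLY in development to allow default/weak secrets
# Leave it unset in every production environment file; it is worth checking
# for in deployment review.
# TRANQUIL_PDS_ALLOW_INSECURE_SECRETS=1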
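# =============================================================================
# PLC Directory
# =============================================================================
# Identity operations go through this directory, so keep it an https:// URL of
# a directory you trust.
# PLC_DIRECTORY_URL=https://plc.directory
# PLC_TIMEOUT_SECS=10
# PLC_CONNECT_TIMEOUT_SECS=5
# Optional: rotation key for PLC operations (defaults to user's key)
# PLC_ROTATION_KEY=did:key:...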
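# =============================================================================
# DID Resolution
# =============================================================================
# Cache TTL for resolved DID documents (default: 300 seconds)
# A longer TTL means a changed DID document (for example a rotated key) can
# keep being served from cache for up to that long.
# DID_CACHE_TTL_SECS=300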
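# =============================================================================
# Relays
# =============================================================================
# Comma-separated list of relay URLs to notify via requestCrawl
# Every host listed here receives outbound requests from this server; list
# only relays you intend to announce to, and use https:// URLs.
# CRAWLERS=https://bsky.network,https://relay.upcloud.world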
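# =============================================================================
# Firehose (subscribeRepos WebSocket)
# =============================================================================
# Buffer size for firehose broadcast channel
# FIREHOSE_BUFFER_SIZE=10000
# Disconnect slow consumers after this many events of lag
# FIREHOSE_MAX_LAG=5000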
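# =============================================================================
# Notification Service
# =============================================================================
# Queue processing settings
# NOTIFICATION_BATCH_SIZE=100
# NOTIFICATION_POLL_INTERVAL_MS=1000
# Email notifications (via sendmail/msmtp)
# MAIL_FROM_ADDRESS=noreply@example.com
# MAIL_FROM_NAME=My PDS
# NOTE(review): SENDMAIL_PATH and SIGNAL_CLI_PATH presumably name programs the
# server executes. Point them at absolute paths that unprivileged users cannot
# replace or modify.
# SENDMAIL_PATH=/usr/sbin/sendmail
# Discord notifications (via webhook)
# The webhook URL is itself a credential (whoever holds it can post to the
# channel); treat it like a password.
# DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/...
# Telegram notifications (via bot)
# The bot token is a secret; keep it out of logs and version control.
# TELEGRAM_BOT_TOKEN=your-bot-token
# Signal notifications (via signal-cli)
# SIGNAL_CLI_PATH=/usr/local/bin/signal-cli
# SIGNAL_SENDER_NUMBER=+1234567890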
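# =============================================================================
# Upload Limits
# =============================================================================
# Maximum blob/body size in bytes (default: 10GB)
# This controls both the Axum body limit and blob upload limits.
# Make sure your nginx client_max_body_size matches or exceeds this value.
# The limit applies to every request body, so a 10GB ceiling also bounds how
# much data a single client request can make the server accept and store.
# Lower it if your users do not need uploads of that size.
# MAX_BLOB_SIZE=10737418240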
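# =============================================================================
# Repository Import
# =============================================================================
# Set to "true" to accept repository imports
# ACCEPTING_REPO_IMPORTS=false
# Maximum import size in bytes (default: 100MB)
# MAX_IMPORT_SIZE=104857600
# Maximum blocks per import (default: 100000)
# MAX_IMPORT_BLOCKS=100000
# Skip verification during import (testing only)
# Never set this to true on an instance that accepts imports from real users:
# imported repositories would then be accepted without verification.
# SKIP_IMPORT_VERIFICATION=false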
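# =============================================================================
# Account Registration
# =============================================================================
# Require invite codes for registration
# With false, anyone who can reach the server can register. Set to true for a
# private instance, or rely on rate limiting and moderation for an open one.
# INVITE_CODE_REQUIRED=false
# Comma-separated list of available user domains
# AVAILABLE_USER_DOMAINS=example.com
# Enable self-hosted did:web identities (default: true)
# Hosting did:web requires a long-term commitment to serve DID documents.
# Set to false if you don't want to offer this option.
# ENABLE_SELF_HOSTED_DID_WEB=true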
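# =============================================================================
# Server Metadata (returned by describeServer)
# =============================================================================
# Privacy policy URL (optional)
# PRIVACY_POLICY_URL=https://example.com/privacy
# Terms of service URL (optional)
# TERMS_OF_SERVICE_URL=https://example.com/terms
# Contact email address (optional)
# This address is returned by describeServer, so use a role mailbox rather
# than a personal one.
# CONTACT_EMAIL=admin@example.com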
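# =============================================================================
# Rate Limiting
# =============================================================================
# Disable all rate limiting (testing only, NEVER in production)
# Keep this line commented out in any file that is copied to a production
# host; it is worth checking for in deployment review.
# DISABLE_RATE_LIMITING=1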
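# =============================================================================
# Account Deletion
# =============================================================================
# How often to check for scheduled account deletions (default: 3600 = 1 hour)
# SCHEDULED_DELETE_CHECK_INTERVAL_SECS=3600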
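# =============================================================================
# Moderation / Report Service
# =============================================================================
# If configured, moderation reports will be proxied to this service
# instead of being stored locally. The service should implement the
# com.atproto.moderation.createReport endpoint (e.g., Bluesky's Ozone).
# Both URL and DID must be set for proxying to be enabled.
# Reports leave this server once proxying is on: use an https:// URL and make
# sure the DID really belongs to the service at that URL.
# REPORT_SERVICE_URL=https://mod.bsky.app
# REPORT_SERVICE_DID=did:plc:ar7c4by46qjdydhdevvrndac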
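# =============================================================================
# Age Assurance Override
# =============================================================================
# Enable this if you have separately assured the ages of your users
# (e.g., through your own age verification process). When enabled, the PDS
# will return "assured" status for age assurance checks instead of proxying
# to the appview. This helps migrated users avoid the age assurance
# catch-22 on bsky.app.
# As described, the override is not per-user: with it on, the operator is the
# one vouching for every account on this server.
# PDS_AGE_ASSURANCE_OVERRIDE=1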
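# =============================================================================
# Miscellaneous
# =============================================================================
# Allow HTTP for proxy requests (development only)
# NOTE(review): proxied requests would then travel unencrypted, presumably
# including any credentials they carry. Leave unset outside local development.
# ALLOW_HTTP_PROXY=1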
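# =============================================================================
# SSO / Social Login
# =============================================================================
# Each provider requires ENABLED=true plus CLIENT_ID and CLIENT_SECRET.
# Register your PDS as an OAuth application with each provider to get credentials.
# Every *_CLIENT_SECRET (and the Apple private key) is a credential: keep the
# real values out of version control and use a separate OAuth application per
# environment so that a leaked development secret cannot be used in production.

# GitHub
# SSO_GITHUB_ENABLED=true
# SSO_GITHUB_CLIENT_ID=
# SSO_GITHUB_CLIENT_SECRET=

# Discord
# SSO_DISCORD_ENABLED=true
# SSO_DISCORD_CLIENT_ID=
# SSO_DISCORD_CLIENT_SECRET=

# Google
# SSO_GOOGLE_ENABLED=true
# SSO_GOOGLE_CLIENT_ID=
# SSO_GOOGLE_CLIENT_SECRET=

# GitLab (set ISSUER for self-hosted instances)
# SSO_GITLAB_ENABLED=false
# SSO_GITLAB_CLIENT_ID=
# SSO_GITLAB_CLIENT_SECRET=
# SSO_GITLAB_ISSUER=https://gitlab.com

# Generic OIDC
# SSO_OIDC_ENABLED=false
# SSO_OIDC_CLIENT_ID=
# SSO_OIDC_CLIENT_SECRET=
# The issuer decides who can log in as whom; use an https:// URL of an
# identity provider you control or trust.
# SSO_OIDC_ISSUER=https://your-identity-provider.com
# SSO_OIDC_NAME=Custom Provider

# Apple Sign-in
# Explanations are on their own lines: some .env consumers (e.g.
# `docker run --env-file`, systemd EnvironmentFile=) treat a trailing "# ..."
# as part of the value.
# SSO_APPLE_ENABLED=true
# Services ID from Apple Developer Portal
# SSO_APPLE_CLIENT_ID=com.example.signin
# 10-character Team ID
# SSO_APPLE_TEAM_ID=XXXXXXXXXX
# Key ID from portal
# SSO_APPLE_KEY_ID=XXXXXXXXXX
# NOTE(review): whether "\n" inside double quotes becomes a newline depends on
# the .env loader; confirm the key loads correctly with the loader in use.
# SSO_APPLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"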
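# NOTE(review): the CARGO_MOMMYS_* variables look like settings for the
# cargo-mommy developer tool rather than for the PDS; nothing else in this file
# refers to them. Confirm, and leave them out of production environment files.
CARGO_MOMMYS_LITTLE=mister
CARGO_MOMMYS_PRONOUNS=his
CARGO_MOMMYS_ROLES=daddy
CARGO_MOMMYS_EMOTES="🚛/🧱/🚜/🔩/🦺"
CARGO_MOMMYS_MOODS=ominous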