From 11e41b0592ec23dafa931e4027716ebbcfb168d5 Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Thu, 18 Jun 2026 01:59:17 +0000
Subject: [PATCH] fix(routing): rename main service app->pds so caddy resolves THIS stack on shared proxy

The caddy sidecar uses on-demand TLS and asks http://app:3000/tls-check before issuing a cert. On a multi-tenant host every co-located stack aliases its main service 'app' on the shared 'proxy' overlay; caddy (on proxy+internal) resolves bare 'app' to a FOREIGN stack's endpoint, the tls-check is refused, no cert is issued, and HTTPS is dead (xrpc/_health=000). Renaming the service to 'pds' gives a unique swarm DNS name that only this stack publishes, so caddy's reverse_proxy/on_demand_tls always resolve this PDS. (A network alias would be cleaner but abra drops compose network aliases on deploy; the service name is always applied.) cc @trav @notplants
---
 Caddyfile | 4 ++--
 compose.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Caddyfile b/Caddyfile
index 1a18550..6a61adb 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,6 +1,6 @@
 {
 on_demand_tls {
- ask http://app:3000/tls-check
+ ask http://pds:3000/tls-check
 }
 }
@@ -8,5 +8,5 @@
 tls {
 on_demand
 }
- reverse_proxy app:3000
+ reverse_proxy pds:3000
 }
diff --git a/compose.yml b/compose.yml
index 22b2891..90eb81d 100644
--- a/compose.yml
+++ b/compose.yml
@@ -2,7 +2,7 @@
 version: "3.8"
 services:
- app:
+ pds:
 image: ghcr.io/bluesky-social/pds:0.4.219
 networks:
 - internal
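Review bot: The `ask` target in the first Caddyfile hunk (and the `reverse_proxy` upstream in the second) is still a bare service name, so which container answers depends on no other stack on the shared `proxy` network ever publishing a service called `pds`. That matters beyond availability: the `ask` endpoint is the only gate on on-demand certificate issuance and the upstream receives user sessions and credentials, so a colliding name would put both in front of another tenant's container. Swarm also registers the stack-qualified service name, so if the stack name is available to the caddy container (assumed here, e.g. as an environment variable) the lines could read `ask http://{$STACK_NAME}_pds:3000/tls-check` and `reverse_proxy {$STACK_NAME}_pds:3000`. If that is not practical, a comment above `ask` stating that the name must stay unique across the shared network would keep the constraint visible to the next editor.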
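Review bot: Renaming the service key from `app` to `pds` makes Swarm create a new `<stack>_pds` service rather than update the existing one, and nothing in this patch removes the old `<stack>_app`. Unless the deploy tooling prunes services that have left the compose file (not visible here), an upgraded host may keep the old container running against the same data volume alongside the new one. I would add an upgrade step to the release notes and a comment above the key, e.g. `# named pds, not app: the name must be unique on the shared proxy network (see Caddyfile)`. The service definition continues past the end of the hunk, so labels, healthchecks or other services that still refer to `app` could not be checked from here.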