diff --git a/.env.sample b/.env.sample
new file mode 100644
index 0000000..2337c74
--- /dev/null
+++ b/.env.sample
@@ -0,0 +1,30 @@
+TYPE=bluesky-pds
+
+DOMAIN=pds.example.com
+LETS_ENCRYPT_ENV=production
+
+# Blob upload limit in bytes (default: 100MB)
+#PDS_BLOB_UPLOAD_LIMIT=104857600
+
+# Federation settings (defaults connect to the main Bluesky network)
+#PDS_DID_PLC_URL=https://plc.directory
+#PDS_BSKY_APP_VIEW_URL=https://api.bsky.app
+#PDS_BSKY_APP_VIEW_DID=did:web:api.bsky.app
+#PDS_REPORT_SERVICE_URL=https://mod.bsky.app
+#PDS_REPORT_SERVICE_DID=did:plc:ar7c4by46qjdydhdevvrndac
+#PDS_CRAWLERS=https://bsky.network
+
+# Require invite codes for new account registration
+#PDS_INVITE_REQUIRED=true
+
+# Logging
+#LOG_ENABLED=true
+
+# Email (optional, needed for password resets and email verification)
+#PDS_EMAIL_SMTP_URL=smtps://username:password@smtp.example.com/
+#PDS_EMAIL_FROM_ADDRESS=noreply@example.com
+
+# Secrets
+SECRET_PDS_JWT_SECRET_VERSION=v1 # length=32
+SECRET_PDS_ADMIN_PASSWORD_VERSION=v1 # length=32
+SECRET_PDS_PLC_ROTATION_KEY_VERSION=v1 # generate=false
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f1d97b0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.envrc
+.idea
diff --git a/abra.sh b/abra.sh
new file mode 100644
index 0000000..e6c130b
--- /dev/null
+++ b/abra.sh
@@ -0,0 +1 @@
+export ENTRYPOINT_VERSION=v1
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..6be5b78
--- /dev/null
+++ b/compose.yml
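Review bot: `SECRET_PDS_PLC_ROTATION_KEY_VERSION=v1 # generate=false` tells the operator the rotation key is not generated for them, but nothing in the sample says what to supply; entrypoint.sh.tmpl exports this secret as `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`, so a comment above the line stating the format would prevent a malformed key being stored, e.g. `# hex-encoded secp256k1 (K256) private key, supplied by the operator, not auto-generated`. The commented SMTP example `smtps://username:password@smtp.example.com/` embeds credentials in a value that compose.yml passes as a plain environment variable rather than a Docker secret like the three values below it; a one-line warning next to it, `# note: credentials in this URL are passed to the container as a plain environment variable, not as a secret`, would let operators decide whether that is acceptable for their mail account.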
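Review bot: The ignore list covers `.envrc` and `.idea` but not `.env`, and the sample file's name invites an operator to copy it to `.env` in this checkout, where it would hold the real domain and, if the email block is enabled, SMTP credentials in the URL. Whether the deploy tooling ever writes `.env` into the recipe directory is not visible from this diff, so treat this as a cheap safeguard rather than a known leak: add a line `.env` beneath `.envrc`.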
@@ -0,0 +1,80 @@
+---
+version: "3.8"
+
+services:
+ app:
+ image: ghcr.io/bluesky-social/pds:0.4
+ networks:
+ - proxy
+ environment:
+ - PDS_HOSTNAME=${DOMAIN}
+ - PDS_DATA_DIRECTORY=/pds
+ - PDS_BLOBSTORE_DISK_LOCATION=/pds/blocks
+ - PDS_BLOB_UPLOAD_LIMIT=${PDS_BLOB_UPLOAD_LIMIT:-104857600}
+ - PDS_DID_PLC_URL=${PDS_DID_PLC_URL:-https://plc.directory}
+ - PDS_BSKY_APP_VIEW_URL=${PDS_BSKY_APP_VIEW_URL:-https://api.bsky.app}
+ - PDS_BSKY_APP_VIEW_DID=${PDS_BSKY_APP_VIEW_DID:-did:web:api.bsky.app}
+ - PDS_REPORT_SERVICE_URL=${PDS_REPORT_SERVICE_URL:-https://mod.bsky.app}
+ - PDS_REPORT_SERVICE_DID=${PDS_REPORT_SERVICE_DID:-did:plc:ar7c4by46qjdydhdevvrndac}
+ - PDS_CRAWLERS=${PDS_CRAWLERS:-https://bsky.network}
+ - PDS_EMAIL_SMTP_URL=${PDS_EMAIL_SMTP_URL:-}
+ - PDS_EMAIL_FROM_ADDRESS=${PDS_EMAIL_FROM_ADDRESS:-}
+ - PDS_INVITE_REQUIRED=${PDS_INVITE_REQUIRED:-true}
+ - LOG_ENABLED=${LOG_ENABLED:-true}
+ entrypoint:
+ - "dumb-init"
+ - "--"
+ command:
+ - "/entrypoint.sh"
+ configs:
+ - source: entrypoint
+ target: /entrypoint.sh
+ mode: 0555
+ secrets:
+ - pds_jwt_secret
+ - pds_admin_password
+ - pds_plc_rotation_key
+ volumes:
+ - pds_data:/pds
+ deploy:
+ restart_policy:
+ condition: on-failure
+ labels:
+ - "traefik.enable=true"
+ - "traefik.docker.network=proxy"
+ - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=3000"
+ - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+ - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+ - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+ - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
+ - "coop-cloud.${STACK_NAME}.version=0.1.0+0.4"
+ healthcheck:
+ test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/xrpc/_health"]
+ interval: 30s
+ timeout: 10s
+ retries: 5
+ start_period: 30s
+
+networks:
+ proxy:
+ external: true
+
+volumes:
+ pds_data:
+
+secrets:
+ pds_jwt_secret:
+ external: true
+ name: ${STACK_NAME}_pds_jwt_secret_${SECRET_PDS_JWT_SECRET_VERSION}
+ pds_admin_password:
+ external: true
+ name: ${STACK_NAME}_pds_admin_password_${SECRET_PDS_ADMIN_PASSWORD_VERSION}
+ pds_plc_rotation_key:
+ external: true
+ name: ${STACK_NAME}_pds_plc_rotation_key_${SECRET_PDS_PLC_ROTATION_KEY_VERSION}
+
+configs:
+ entrypoint:
+ name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
+ file: entrypoint.sh.tmpl
+ template_driver: golang
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
new file mode 100644
index 0000000..8ef7ae4
--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+export PDS_JWT_SECRET=$(cat /run/secrets/pds_jwt_secret)
+export PDS_ADMIN_PASSWORD=$(cat /run/secrets/pds_admin_password)
+export PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=$(cat /run/secrets/pds_plc_rotation_key)
+
+exec node --enable-source-maps index.js
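Review bot: `- PDS_EMAIL_SMTP_URL=${PDS_EMAIL_SMTP_URL:-}` in the `environment` list passes the SMTP credentials (the sample value has the form `smtps://username:password@host/`) as a plain service environment variable, so they are readable via `docker service inspect` by anyone with Docker socket access, whereas the JWT secret, admin password and rotation key are handled as Docker secrets and only surface inside the container. Making the SMTP URL a fourth external secret (`pds_email_smtp_url`, listed under `secrets:` and exported in entrypoint.sh.tmpl the same way as the other three) would put it on the same footing; whether the PDS treats an empty `PDS_EMAIL_SMTP_URL` as "email disabled" is not visible here and is worth confirming, since the default is an empty string rather than an unset variable. The service also runs with default container privileges; as it only listens on port 3000 behind Traefik, `security_opt: ["no-new-privileges:true"]` and `cap_drop: [ALL]` under `app:` are cheap hardening, provided a test deploy confirms the image needs no capability.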
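Review bot: `set -e` does not guard the three `export VAR=$(cat /run/secrets/...)` lines: the status the shell sees is that of `export`, not of `cat`, so a missing or unreadable secret file leaves the variable empty and `exec node` still runs, starting the server with an empty `PDS_JWT_SECRET` or `PDS_ADMIN_PASSWORD`. Whether the PDS itself refuses to start on empty values is not visible from this diff, so failing in the entrypoint is the safer option. Reading each secret through a helper that fails on a missing or empty file, assigning first (a plain assignment does propagate the substitution's status under `set -e`) and exporting afterwards closes the gap.
```sh
read_secret() {
  # $1: secret name; prints the file, fails the script if it is missing or empty
  [ -s "/run/secrets/$1" ] || { echo "entrypoint: missing secret $1" >&2; exit 1; }
  cat "/run/secrets/$1"
}

PDS_JWT_SECRET=$(read_secret pds_jwt_secret)
PDS_ADMIN_PASSWORD=$(read_secret pds_admin_password)
PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=$(read_secret pds_plc_rotation_key)
export PDS_JWT_SECRET PDS_ADMIN_PASSWORD PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX

# … unchanged: exec node …
```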