recipe-maintainers/bluesky-pds
0
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity
Files
fdbd1e2fee3d8444068ca2652d473360ebd70079
bluesky-pds/compose.yml
autonomic-bot fdbd1e2fee fix(routing): unique pds alias so caddy resolves THIS stack's PDS on shared proxy 
The caddy sidecar uses on-demand TLS and asks http://app:3000/tls-check before issuing a cert.
On a shared host every co-located stack aliases its main service 'app' on the 'proxy' overlay;
caddy (on both proxy+internal) resolves bare 'app' to a FOREIGN stack's endpoint, so the tls-check
connection is refused, no cert is issued, and the PDS is unreachable over HTTPS (xrpc/_health=000).
Give the PDS a unique 'pds' alias on the internal network and point caddy's reverse_proxy +
on_demand_tls ask at it; 'pds' exists only on internal, so it always resolves to this stack's PDS.
Service name stays 'app' (no downstream breakage).
2026-06-18 01:27:38 +00:00

108 lines
3.2 KiB
YAML
Raw Blame History

---
version: "3.8"
services:
app:
image: ghcr.io/bluesky-social/pds:0.4.219
networks:
# Unique alias so the caddy sidecar resolves THIS stack's PDS, not a foreign service. On a
# shared host the default service name `app` is aliased by every co-located stack on the
# `proxy` overlay; caddy (attached to both `proxy` and `internal`) otherwise resolves bare
# `app` to another stack's endpoint, so its on-demand-TLS `ask` to the PDS is refused and the
# cert is never issued (HTTPS dead). `pds` exists only on `internal`, so it resolves correctly.
internal:
aliases:
- pds
environment:
- PDS_HOSTNAME=${DOMAIN}
- PDS_DATA_DIRECTORY=/pds
- PDS_BLOBSTORE_DISK_LOCATION=/pds/blocks
- PDS_BLOB_UPLOAD_LIMIT=${PDS_BLOB_UPLOAD_LIMIT:-104857600}
- PDS_EMAIL_SMTP_URL=${PDS_EMAIL_SMTP_URL:-}
- PDS_EMAIL_FROM_ADDRESS=${PDS_EMAIL_FROM_ADDRESS:-}
- PDS_INVITE_REQUIRED=${PDS_INVITE_REQUIRED:-true}
- LOG_ENABLED=${LOG_ENABLED:-true}
entrypoint:
- "dumb-init"
- "--"
command:
- "/entrypoint.sh"
configs:
- source: entrypoint
target: /entrypoint.sh
mode: 0555
secrets:
- pds_jwt_secret
- pds_admin_password
- pds_plc_rotation_key
volumes:
- pds_data:/pds
deploy:
restart_policy:
condition: on-failure
max_attempts: 5
labels:
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
- "coop-cloud.${STACK_NAME}.version=0.3.0+v0.4.219"
- "backupbot.backup=true"
healthcheck:
test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/xrpc/_health"]
interval: 30s
timeout: 10s
retries: 5
start_period: 30s
caddy:
image: caddy:2
networks:
- proxy
- internal
environment:
- DOMAIN=${DOMAIN}
configs:
- source: caddyfile
target: /etc/caddy/Caddyfile
volumes:
- caddy_data:/data
deploy:
restart_policy:
condition: on-failure
max_attempts: 5
labels:
- "traefik.enable=true"
- "traefik.swarm.network=proxy"
- "traefik.tcp.routers.${STACK_NAME}.rule=HostSNI(`${DOMAIN}`) || HostSNIRegexp(`^.+\\.${DOMAIN}$$`)"
- "traefik.tcp.routers.${STACK_NAME}.ruleSyntax=v3"
- "traefik.tcp.routers.${STACK_NAME}.entrypoints=web-secure"
- "traefik.tcp.routers.${STACK_NAME}.tls.passthrough=true"
- "traefik.tcp.services.${STACK_NAME}.loadbalancer.server.port=443"
networks:
proxy:
external: true
internal:
volumes:
pds_data:
caddy_data:
secrets:
pds_jwt_secret:
external: true
name: ${STACK_NAME}_pds_jwt_secret_${SECRET_PDS_JWT_SECRET_VERSION}
pds_admin_password:
external: true
name: ${STACK_NAME}_pds_admin_password_${SECRET_PDS_ADMIN_PASSWORD_VERSION}
pds_plc_rotation_key:
external: true
name: ${STACK_NAME}_pds_plc_rotation_key_${SECRET_PDS_PLC_ROTATION_KEY_VERSION}
configs:
entrypoint:
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang
caddyfile:
name: ${STACK_NAME}_caddyfile_${CADDYFILE_VERSION}
file: Caddyfile
Reference in New Issue View Git Blame Copy Permalink