Here’s how I got a self-hosted PDS (personal data server) running without docker.
This can be useful if you want to run the PDS on an existing machine or just don’t like docker. I came up with these steps by emulating what the installer script does.
My setup uses nginx and a wildcard TLS cert for my PDS domain.
Get the code
Clone the PDS repo
git clone https://github.com/bluesky-social/pdsSet up nginx
I use certbot to issue wildcard certs for my domains. See my wildcard cert script here. Note that you will need to set up credentials for your nameservers. I’m not aware of a way in nginx to issue certs on-demand like the example caddy config does.
Here’s my nginx config for the PDS.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
server_name hellthread.pro *.hellthread.pro;
return 302 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name hellthread.pro *.hellthread.pro;
ssl_certificate /etc/letsencrypt/live/hellthread.pro/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hellthread.pro/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
client_max_body_size 500M;
location / {
include proxy_params;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://127.0.0.1:3002;
}
location /blob/ {
# this adds a pretty url for blobs
# in the format of https://pds/blob/did/cid
rewrite ^/blob/(.*)/(.*)$ /xrpc/com.atproto.sync.getBlob?did=$1&cid=$2 last;
}
}Configure your .env file
Let’s create the service/.env file.
With the below example, adjust the top 6 options, filling in your domain, SMTP credentials, and generating keys with the following commands:
Use this for the JWT_SECRET:
openssl rand --hex 16Use this twice to generate the admin password and rotation key:
openssl ecparam --name secp256k1 --genkey --noout --outform DER | tail --bytes=+8 | head --bytes=32 | xxd --plain --cols 32PDS_HOSTNAME="your domain here"
PDS_JWT_SECRET="generated secret"
PDS_ADMIN_PASSWORD="generated key"
PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="another generated key"
PDS_EMAIL_SMTP_URL="smtp://user:password@mail.example.com"
PDS_EMAIL_FROM_ADDRESS="pds@example.com"
PDS_DATA_DIRECTORY=./data
PDS_BLOBSTORE_DISK_LOCATION=./data/blocks
PDS_DID_PLC_URL=https://plc.directory
PDS_BSKY_APP_VIEW_URL=https://api.bsky.app
PDS_BSKY_APP_VIEW_DID=did:web:api.bsky.app
PDS_REPORT_SERVICE_URL=https://mod.bsky.app
PDS_REPORT_SERVICE_DID=did:plc:ar7c4by46qjdydhdevvrndac
PDS_CRAWLERS=https://bsky.network
LOG_ENABLED=true
NODE_ENV=production
PDS_PORT=3002Run the PDS
Be sure to install the dependencies:
cd service
pnpm install --production --frozen-lockfile
mkdir -p data/blocksThis is the systemd setup I use to run the PDS. Add your own user unit with the following steps:
mkdir -p ~/.config/systemd/user
$EDITOR ~/.config/systemd/user/pds.service
# copy in the example below and adjust as needed
systemctl --user daemon-reload
systemctl --user enable --now pds~/.config/systemd/user/pds.service:
[Unit]
Description=atproto personal data server
[Service]
WorkingDirectory=/home/ben/workspace/pds/service
ExecStart=/usr/bin/node --enable-source-maps index.js
Restart=on-failure
EnvironmentFile=/home/ben/workspace/pds/service/.env
[Install]
WantedBy=default.targetView the logs from journalctl like this:
journalctl --user --output=cat --follow --unit pds | jqYou can run the pdsadmin commands by setting the PDS_ENV_FILE variable like this:
PDS_ENV_FILE=../service/.env bash account.sh list
Handle Email DID
ben.hellthread.pro ben@hellthread.pro did:plc:g5isluhi3wkw557ucarjgtgyUpdate
To update your PDS, use git pull in the directory you cloned it in. Then update dependencies in the service subdirectory and restart the unit:
cd pds
git pull
cd service
pnpm install --production --frozen-lockfile
systemctl --user restart pds
Leave a Reply