Here’s how I got a self-hosted PDS (personal data server) running without docker.
This can be useful if you want to run the PDS on an existing machine, among other situations. I came up with these steps by emulating what the installer script does.
My setup uses nginx and a wildcard tls cert for my pds domain.
Get the code
Clone the pds repo
git clone https://github.com/bluesky-social/pds
Set up nginx
I use certbot to issue wildcard certs for my domains. See my wildcard cert script here. Note that you will need to set up credentials for your nameservers. I’m not aware of a way in nginx to issue certs on-demand like the example caddy config does.
Here’s my nginx config for the pds.
server {
listen 80;
server_name hellthread.pro *.hellthread.pro;
return 302 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name hellthread.pro *.hellthread.pro;
ssl_certificate /etc/letsencrypt/live/hellthread.pro/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hellthread.pro/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
include proxy_params;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://127.0.0.1:3002;
}
}Configure your .env file
Adjust the top 4 options, filling in your domain and generating keys with the following commands:
Use this for the JWT_SECRET:
openssl rand --hex 16
Use this twice to generate the admin password and rotation key:
openssl ecparam --name secp256k1 --genkey --noout --outform DER | tail --bytes=+8 | head --bytes=32 | xxd --plain --cols 32
PDS_HOSTNAME="your domain here"
PDS_JWT_SECRET="generated secret"
PDS_ADMIN_PASSWORD="generated key"
PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX="another generated key"
PDS_DATA_DIRECTORY=./data
PDS_BLOBSTORE_DISK_LOCATION=./data/blocks
PDS_DID_PLC_URL=https://plc.directory
PDS_BSKY_APP_VIEW_URL=https://api.bsky.app
PDS_BSKY_APP_VIEW_DID=did:web:api.bsky.app
PDS_REPORT_SERVICE_URL=https://mod.bsky.app
PDS_REPORT_SERVICE_DID=did:plc:ar7c4by46qjdydhdevvrndac
PDS_CRAWLERS=https://bsky.network
LOG_ENABLED=true
NODE_ENV=production
PDS_PORT=3002Run the pds
Be sure to install the dependencies:
cd service
pnpm install --production --frozen-lockfile
mkdir -p data/blocks
This is the systemd user unit I use to run the pds. Add this to your user units with the following steps:
mkdir -p ~/.config/systemd/user
$EDITOR ~/.config/systemd/user/pds.service
# copy in the example below and adjust as needed
systemctl --user daemon-reload
systemctl --user enable --now pds
[Unit]
Description=atproto personal data server
[Service]
WorkingDirectory=/home/ben/workspace/pds/service
ExecStart=/usr/bin/node --enable-source-maps index.js
Restart=on-failure
EnvironmentFile=/home/ben/workspace/pds/service/.env
[Install]
WantedBy=default.targetView the logs from journalctl like this:
journalctl --user --output=cat --follow --unit pds | jq
You can run the pdsadmin commands by setting the PDS_ENV_FILE variable like this:
ben@odin ~/w/p/pdsadmin (main)> PDS_ENV_FILE=../service/.env bash account.sh list
Handle Email DID
ben.hellthread.pro ben@hellthread.pro did:plc:g5isluhi3wkw557ucarjgtgyFor now you will need to request that your pds be added to the allowlist on the relay in the pds admin discord.
Update
To update your pds, use git pull in the directory you cloned it in. Then update dependencies in the service subdirectory and restart the unit:
cd pds
git pull
cd service
pnpm install --production --frozen-lockfile
systemctl --user restart pds
Leave a Reply