bluesky-pds/README.md

# Bluesky PDS

Easy bluesky PDS configuration with docker and nginx as reverse proxy.

## PDS configuration

Create `pds` directory.

```shell
$ mkdir pds
```

Copy `.env.sample` to `.env` and fill in the configuration.

```shell
$ cp .env.sample .env
$ nano .env
```

## Nginx

`/etc/nginx/sites-enabled/pds.conf`
```nginx configuration
server
{
	listen      80;
	listen [::]:80;
	server_name {{SERVER_NAME}};

	# Let's Encrypt
	location /.well-known/acme-challenge/ { root /usr/share/nginx/html; allow all; }

	# HTTPS redirection.
	location / { return 301 https://$host$request_uri; }
}

server
{
	listen      443 ssl http2;
	listen [::]:443 ssl http2;
	server_name {{SERVER_NAME}};

	ssl_certificate /etc/letsencrypt/live/{{SERVER_NAME}}/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/{{SERVER_NAME}}/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/{{SERVER_NAME}}/chain.pem;

	# Generic SSL configuration.
	include ssl.conf;

	location /
	{
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header Host $http_host;
		proxy_pass http://localhost:8051;

		client_max_body_size 30m;
	}

	access_log none;
	error_log /var/log/nginx/{{SERVER_NAME}}.error.log;
}
```

`/etc/nginx/ssl.conf`
```nginx configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve sect571r1:secp521r1:brainpoolP512r1:secp384r1:prime256v1;
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256;
ssl_dhparam dhparam.pem;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_session_tickets on;
```
Initial configuration 2024-02-22 22:35:50 +01:00			`# Bluesky PDS`

			`Easy bluesky PDS configuration with docker and nginx as reverse proxy.`

			`## PDS configuration`

			Create `pds` directory.

			```shell
			`$ mkdir pds`
			```

			Copy `.env.sample` to `.env` and fill in the configuration.

			```shell
			`$ cp .env.sample .env`
			`$ nano .env`
			```

			`## Nginx`

			`/etc/nginx/sites-enabled/pds.conf`
			```nginx configuration
			`server`
			`{`
			`listen 80;`
			`listen [::]:80;`
			`server_name {{SERVER_NAME}};`

			`# Let's Encrypt`
			`location /.well-known/acme-challenge/ { root /usr/share/nginx/html; allow all; }`

			`# HTTPS redirection.`
			`location / { return 301 https://$host$request_uri; }`
			`}`

			`server`
			`{`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
			`server_name {{SERVER_NAME}};`

			`ssl_certificate /etc/letsencrypt/live/{{SERVER_NAME}}/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/{{SERVER_NAME}}/privkey.pem;`
			`ssl_trusted_certificate /etc/letsencrypt/live/{{SERVER_NAME}}/chain.pem;`

			`# Generic SSL configuration.`
			`include ssl.conf;`

			`location /`
			`{`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`proxy_set_header Host $http_host;`
			`proxy_pass http://localhost:8051;`

			`client_max_body_size 30m;`
			`}`

			`access_log none;`
			`error_log /var/log/nginx/{{SERVER_NAME}}.error.log;`
			`}`
			```

			`/etc/nginx/ssl.conf`
			```nginx configuration
			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_ecdh_curve sect571r1:secp521r1:brainpoolP512r1:secp384r1:prime256v1;`
			`ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256;`
			`ssl_dhparam dhparam.pem;`
			`ssl_prefer_server_ciphers on;`

			`ssl_stapling on;`
			`ssl_stapling_verify on;`

			`ssl_session_cache shared:SSL:10m;`
			`ssl_session_timeout 5m;`
			`ssl_session_tickets on;`
			```