Completed on Digital Ocean Ubuntu 22.04 droplet running nginx and letsencrypt.

The installer assumes ports 80 and 443 are available and launches a Docker instance of Caddy to serve. This will conflict with NGINX but the installer still gets us started:

wget https://raw.githubusercontent.com/bluesky-social/pds/main/installer.sh
sudo bash installer.sh

You'll see from your list of Docker instances that Caddy didn't start OK. Kill all the instances related to PDS by listing them, stopping them, then removing them:

docker ps
docker stop <instance>
docker rm <instance>

To get things to work correctly we are going to need to replace compose.yaml with something that doesn't start Caddy. Here's a modification of the one found here. For a standard install you'll put compose.yaml in /pds

version: '3.9'
services:
  pds:
    container_name: pds
    image: ghcr.io/bluesky-social/pds:0.4
    restart: unless-stopped
    volumes:
      - type: bind
        source: /pds
        target: /pds
    ports:
      - '3000:3000'
    env_file:
      - /pds/pds.envroot@togettech-main:/pds

• Now restart PDS with docker compose up -d. (It appears a better way might be systemctl restart pds.service)
• Make sure all the docker instances are running OK. Use sudo docker logs -f pds to see the logs
• Finally, check if the instance is accessible locally:

wget http://localhost:3000/xrpc/_health

should return something close to:{"version":"0.4.74"}

• I didn't have an email server already set up on the server that was available to pdsadmin so I set up an SMTP server on AWS using their SES.
• Then I added these lines to /pds/pds.env

PDS_EMAIL_SMTP_URL=smtps://<SES USER>:<SES PW>@email-smtp.us-east-2.amazonaws.com:465/ # change AWS email server as needed
PDS_EMAIL_FROM_ADDRESS=<YOUR EMAIL ADDRESS>

• Restart with docker compose up -d
• Check the logs: sudo docker logs -f pds

In /etc/nginx/sites-available create a file (could be named pds):

map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

server {
    server_name <YOUR DOMAIN NAME HERE. COULD HAVE SUBDOMAIN. EXAMPLE: pds.johnharrison.cc>;

    location /xrpc {
        proxy_pass http://localhost:3000;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host            $host;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location /.well-known/atproto-did {
        proxy_pass http://localhost:3000/.well-known/atproto-did;
        proxy_set_header Host            $host;
    }

• Make sure NGINX config is happy: nginx -t
• Whereever you keep your DNS settings for your domain, add one for the domain/subdomain you just set up.
• Once the (sub)domain resolves correctly it's time for letsencrypt: certbot --nginx will expand your existing certificate to include all (sub)domains nginx serves
• Check for external access:

wget https://<YOUR DOMAIN>/xrpc/_health

should return something close to:{"version":"0.4.74"}

• Check if websockets are working:

wsdump "wss://example.com/xrpc/com.atproto.sync.subscribeRepos?cursor=0"

If you don't see an error such as unauthorized it's probably working. There won't be much output yet. If it's not working, it's a problem in your Nginx config

This requires a Go app called Goat which is provided by Bluesky. This can be installed on any machine i.e. it doesn't have to be installed on the local PDS

• install a current version Go if you don't already have it. Snap is an option but Snaps often give me trouble so I went downloading and installing:

wget https://go.dev/dl/go-INSERT_CURRENT_VERSION_HERE.linux-amd64.tar.gz
sudo tar -C /usr/local -xvf goINSERT_CURRENT_VERSION_HERE.linux-amd64.tar.gz
echo "export PATH=$PATH:/usr/local/go/bin" >> ~/.profile
source ~/.profile
go version # verify it's working

• next this is suppose to work but gave me an error: go install github.com/bluesky-social/indigo/cmd/goat@latest
• So instead I downloaded from Git and installed that way:

git clone https://github.com/bluesky-social/indigo
go build ./cmd/goat
sudo cp goat /usr/local/bin
goat --version # confirm it's working

• log into your old account with goat and request token to your email:

goat account login -u $OLDHANDLE -p $OLDPASSWORD''
goat account plc request-token

• on the local PDS server get an invite code: pdsadmin create-invite-code
• Now comes the magical migrate command. Here's the format and an example unabashedly ripped from here:

# format
goat account migrate \
    --pds-host $NEWPDSHOST \
    --new-handle $NEWHANDLE \
    --new-password $NEWPASSWORD \
    --new-email $NEWEMAIL \
    --plc-token $NEWPLCTOKEN \
    --invite-code $INVITECODE

# example
goat account migrate \
    --pds-host https://blueskydemo.hyprlab.co \
    --new-handle jasondemo.blueskydemo.hyprlab.co \
    --new-password tPVQ9oRLwfAqq7gz \
    --new-email servers@hyprlab.co \
    --plc-token QUCDK-SHTBV \
    --invite-code blueskydemo-hyprlab-co-lz3di-wlsvy

• It took a few tries to get everything in this command right. If it fails you need to delete the incomplete migration before trying again:

pdsadmin account list
pdsadmin account delete $YOURDID

• log out of Bluesky
• log back in:
  • Sign in –> Other account
  • under Hosting provider select Custom
  • Enter domain name for your PDS

At this point my profile showed “invalid handle.” To fix:

• In Settings go through the email verification process.
• After verification is complete, you will have a new option: change handle in settings
• When choosing change handle you have the option I have my own domain. It's probably optional if you are already happy with the domain of your PDS but I didn't want the pds subdomain for my domain in my handle so I went through this process
• Choose your new handle

• https://www.hostinger.com/tutorials/how-to-host-a-bluesky-pds
• Self-hosing Bluesky using NGINX as a proxy
• Migrate Bluesky to another PDS
• (where I learned how to get the logs for pds)
• Migrating a PDS account with GOAT
• https://rafaeleyng.github.io/self-hosting-a-bluesky-pds-and-using-your-domain-as-your-handle