Self-hosting a Bluesky PDS means running your own Personal Data Server that is capable of federating with the wider ATProto network. - https://atproto.com/guides/self-hosting

Set up your personal ATProto PDS with NixOs

This guide walks you through the process to host your own PDS instance using NixOs, agenix for secure environment management, and Caddy as a reverse proxy for traffic encryption.

Thanks to the Nixpkgs contributors for making this possible!

You need to have a server running NixOs. Using nixos-anywhere makes it easy to install on a vps. The server configuration should be in a NixOs flake.

Retrieve the SSH key from the host:

ssh-keyscan your.pds.domain

Add the ssh-rsa line to your flake’s secrets folder in the file secrets/secrets.nix:


let
  vps_ssh = "ssh-rsa ...";
in
{
  "pds-env.age".publicKeys = [ vps_ssh ];
}

Generate PDS secrets environment variables:

{
  # Generate JWT secret
  JWT_SECRET=$(openssl rand --hex 16)
  echo "PDS_JWT_SECRET=$JWT_SECRET"

  # Generate admin password
  ADMIN_PASSWORD=$(openssl rand --hex 16)
  echo "PDS_ADMIN_PASSWORD=$ADMIN_PASSWORD"

  # Generate PLC rotation key
  PLC_KEY=$(openssl ecparam --name secp256k1 --genkey --noout --outform DER | tail --bytes=+8 | head --bytes=32 | xxd --plain --cols 32)
  echo "PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=$PLC_KEY"
} > /tmp/pds-secrets.env

use agenix to encrypt the pds-env file according to the secrets.nix config:

cd secrets/
agenix -e pds-env.age < /tmp/pds-env.env

Then you can delete /tmp/pds-env.env after keeping its secrets safe in a password manager.

Modify the configuration.nix of the flake to enable the PDS service and use Caddy as a proxy to handle encryption:

{
  config,
  pkgs,
  ...
}: {

  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  age.identityPaths = [ "/etc/ssh/ssh_host_rsa_key" ];

  age.secrets.pds-env = {
    file = ./secrets/pds-env.age;
    owner = "pds";
    group = "pds";
  };

  services.pds = {
    enable = true;
    settings = {
      PDS_HOSTNAME = "your.pds.domain";
      PDS_PORT = 3000;
      PDS_HOST = "127.0.0.1";
    };
    environmentFiles = [
      config.age.secrets.pds-env.path
    ];
  };


  services.caddy = {
    enable = true;
    configFile = pkgs.writeText "Caddyfile" ''
      your.pds.domain {
        reverse_proxy http://127.0.0.1:3000
      }
    '';
  };
}

Now, it is possible to test the flake for the ovh configuration (if you followed the note):

nixos-rebuild test --flake .#ovh-vps

Deploy the new configuration:

nixos-rebuild switch --flake .#ovh-vps --target-host "root@your.pds.domain"

The new personal PDS should be up and running at the chosen hostname:

curl https://your.pds.domain
         __                         __
        /\ \__                     /\ \__
    __  \ \ ,_\  _____   _ __   ___\ \ ,_\   ___
  /'__'\ \ \ \/ /\ '__'\/\''__\/ __'\ \ \/  / __'\
 /\ \L\.\_\ \ \_\ \ \L\ \ \ \//\ \L\ \ \ \_/\ \L\ \
 \ \__/.\_\\ \__\\ \ ,__/\ \_\\ \____/\ \__\ \____/
  \/__/\/_/ \/__/ \ \ \/  \/_/ \/___/  \/__/\/___/
                   \ \_\
                    \/_/


This is an AT Protocol Personal Data Server (aka, an atproto PDS)

Most API routes are under /xrpc/

      Code: https://github.com/bluesky-social/atproto
 Self-Host: https://github.com/bluesky-social/pds
  Protocol: https://atproto.com

To migrate an account to the new PDS, follow this guide: Migrating PDS account with goat.