From 718820daecddf030989cff7cdcf090f36508761c Mon Sep 17 00:00:00 2001
From: syui <syui@syui.ai>
Date: Wed, 4 Feb 2026 22:52:06 +0900
Subject: [PATCH] add k8s

---
 .gitignore              |   3 +
 k8s/bgs.yaml            |  78 ++++++++++++++++
 k8s/bsky.yaml           | 199 ++++++++++++++++++++++++++++++++++++++++
 k8s/feed.yaml           |  71 ++++++++++++++
 k8s/gen-secrets.sh      |  26 ++++++
 k8s/jetstream.yaml      |  67 ++++++++++++++
 k8s/kustomization.yaml  |  27 ++++++
 k8s/namespace.yaml      |   4 +
 k8s/ozone-web.yaml      |  47 ++++++++++
 k8s/ozone.yaml          |  96 +++++++++++++++++++
 k8s/pds.yaml            | 121 ++++++++++++++++++++++++
 k8s/plc.yaml            |  53 +++++++++++
 k8s/postgres.yaml       |  89 ++++++++++++++++++
 k8s/redis.yaml          |  58 ++++++++++++
 k8s/secrets.env.example |  10 ++
 k8s/social-app.yaml     |  52 +++++++++++
 16 files changed, 1001 insertions(+)
 create mode 100644 k8s/bgs.yaml
 create mode 100644 k8s/bsky.yaml
 create mode 100644 k8s/feed.yaml
 create mode 100755 k8s/gen-secrets.sh
 create mode 100644 k8s/jetstream.yaml
 create mode 100644 k8s/kustomization.yaml
 create mode 100644 k8s/namespace.yaml
 create mode 100644 k8s/ozone-web.yaml
 create mode 100644 k8s/ozone.yaml
 create mode 100644 k8s/pds.yaml
 create mode 100644 k8s/plc.yaml
 create mode 100644 k8s/postgres.yaml
 create mode 100644 k8s/redis.yaml
 create mode 100644 k8s/secrets.env.example
 create mode 100644 k8s/social-app.yaml

diff --git a/.gitignore b/.gitignore
index d85a12e..eff7c05 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,6 +4,9 @@ deploy.yml
 claude.md
 embedded.mobileprovision
 .env
+k8s/secrets.env
+k8s/deploy.yml
 web/dist
 node_modules
 package-lock.json
+
diff --git a/k8s/bgs.yaml b/k8s/bgs.yaml
new file mode 100644
index 0000000..6b3f7fc
--- /dev/null
+++ b/k8s/bgs.yaml
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bgs
+  namespace: atproto
+spec:
+  selector:
+    app: bgs
+  ports:
+    - port: 2470
+      targetPort: 2470
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bgs-data
+  namespace: atproto
+spec:
+  accessModes: ["ReadWriteOnce"]
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bgs
+  namespace: atproto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bgs
+  template:
+    metadata:
+      labels:
+        app: bgs
+    spec:
+      containers:
+        - name: bgs
+          image: registry/bgs
+          ports:
+            - containerPort: 2470
+          env:
+            - name: DATABASE_URL
+              value: "postgres://postgres:postgres@database/bgs"
+            - name: CARSTORE_DATABASE_URL
+              value: "postgres://postgres:postgres@database/carstore"
+            - name: DATA_DIR
+              value: "/data"
+            - name: ATP_PLC_HOST
+              value: "https://plc.syu.is"
+            - name: BGS_NEW_PDS_PER_DAY_LIMIT
+              value: "1000"
+            - name: BGS_ADMIN_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: atproto-secrets
+                  key: bgs-admin-key
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          livenessProbe:
+            httpGet:
+              path: /xrpc/_health
+              port: 2470
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /xrpc/_health
+              port: 2470
+            initialDelaySeconds: 5
+            periodSeconds: 5
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: bgs-data
diff --git a/k8s/bsky.yaml b/k8s/bsky.yaml
new file mode 100644
index 0000000..6460ac9
--- /dev/null
+++ b/k8s/bsky.yaml
@@ -0,0 +1,199 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bsky
+  namespace: atproto
+spec:
+  selector:
+    app: bsky
+  ports:
+    - name: api
+      port: 2584
+      targetPort: 2584
+    - name: dataplane
+      port: 3001
+      targetPort: 3001
+    - name: bsync
+      port: 3002
+      targetPort: 3002
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bsky-data
+  namespace: atproto
+spec:
+  accessModes: ["ReadWriteOnce"]
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bsky
+  namespace: atproto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bsky
+  template:
+    metadata:
+      labels:
+        app: bsky
+    spec:
+      securityContext:
+        runAsUser: 0
+      containers:
+        - name: bsky
+          image: registry/bsky
+          command: ["node", "--enable-source-maps", "api.js"]
+          ports:
+            - containerPort: 2584
+            - containerPort: 3001
+            - containerPort: 3002
+          env:
+            - name: BSKY_PORT
+              value: "2584"
+            - name: BSKY_BLOB_CACHE_LOC
+              value: "/data/"
+            - name: BSKY_BSYNC_HTTP_VERSION
+              value: "1.1"
+            - name: BSKY_BSYNC_PORT
+              value: "3002"
+            - name: BSKY_BSYNC_URL
+              value: "http://localhost:3002"
+            - name: BSKY_COURIER_URL
+              value: "http://fake-courier.example.invalid/"
+            - name: BSKY_DATAPLANE_HTTP_VERSION
+              value: "1.1"
+            - name: BSKY_DATAPLANE_PORT
+              value: "3001"
+            - name: BSKY_DATAPLANE_URLS
+              value: "http://localhost:3001"
+            - name: BSKY_DB_POSTGRES_URL
+              value: "postgres://postgres:postgres@database/bsky"
+            - name: BSKY_DID_PLC_URL
+              value: "https://plc.syu.is"
+            - name: BSKY_PUBLIC_URL
+              value: "https://bsky.syu.is"
+            - name: BSKY_REPO_PROVIDER
+              value: "ws://bgs:2470"
+            - name: BSKY_SERVER_DID
+              value: "did:web:bsky.syu.is"
+            - name: MOD_SERVICE_DID
+              value: "did:web:ozone.syu.is"
+            - name: BSKY_ADMIN_PASSWORDS
+              valueFrom:
+                secretKeyRef:
+                  name: atproto-secrets
+                  key: bsky-admin-passwords
+            - name: BSKY_SERVICE_SIGNING_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: atproto-secrets
+                  key: bsky-service-signing-key
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          livenessProbe:
+            httpGet:
+              path: /xrpc/_health
+              port: 2584
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /xrpc/_health
+              port: 2584
+            initialDelaySeconds: 5
+            periodSeconds: 5
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: bsky-data
+---
+## bsky subscription monitor
+## subscriptionが停止していたらPodを再起動する
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: bsky-subscription-watchdog
+  namespace: atproto
+spec:
+  schedule: "*/5 * * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: watchdog
+              image: postgres:16-alpine
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  # BGSの最新seqを取得
+                  LATEST_SEQ=$(psql -t -A "$DB_URL" -c "SELECT COALESCE(MAX(seq),0) FROM repo_event_records")
+                  # bskyのsubscription cursorを取得
+                  BSKY_CURSOR=$(psql -t -A "$BSKY_DB_URL" -c "SELECT COALESCE(state,0) FROM subscription WHERE service='ws://bgs:2470' LIMIT 1")
+                  LAG=$((LATEST_SEQ - BSKY_CURSOR))
+                  echo "BGS seq=$LATEST_SEQ, bsky cursor=$BSKY_CURSOR, lag=$LAG"
+                  if [ "$LAG" -gt 50 ]; then
+                    echo "WARN: bsky subscription lag=$LAG, restarting bsky pod"
+                    # Podを削除すればDeploymentが再作成する
+                    apk add --no-cache curl > /dev/null 2>&1
+                    APISERVER=https://kubernetes.default.svc
+                    TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+                    NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+                    # bsky podを取得して削除
+                    POD=$(curl -s -k -H "Authorization: Bearer $TOKEN" \
+                      "$APISERVER/api/v1/namespaces/$NAMESPACE/pods?labelSelector=app=bsky" \
+                      | grep -o '"name":"bsky-[^"]*"' | head -1 | cut -d'"' -f4)
+                    if [ -n "$POD" ]; then
+                      curl -s -k -X DELETE -H "Authorization: Bearer $TOKEN" \
+                        "$APISERVER/api/v1/namespaces/$NAMESPACE/pods/$POD"
+                      echo "Deleted pod $POD"
+                    fi
+                  else
+                    echo "OK: subscription is healthy"
+                  fi
+              env:
+                - name: DB_URL
+                  value: "postgres://postgres:postgres@database/bgs"
+                - name: BSKY_DB_URL
+                  value: "postgres://postgres:postgres@database/bsky"
+          restartPolicy: OnFailure
+          serviceAccountName: bsky-watchdog
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: bsky-watchdog
+  namespace: atproto
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: bsky-watchdog
+  namespace: atproto
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: bsky-watchdog
+  namespace: atproto
+subjects:
+  - kind: ServiceAccount
+    name: bsky-watchdog
+    namespace: atproto
+roleRef:
+  kind: Role
+  name: bsky-watchdog
+  apiGroup: rbac.authorization.k8s.io
diff --git a/k8s/feed.yaml b/k8s/feed.yaml
new file mode 100644
index 0000000..ec5d558
--- /dev/null
+++ b/k8s/feed.yaml
@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: feed
+  namespace: atproto
+spec:
+  selector:
+    app: feed
+  ports:
+    - port: 3000
+      targetPort: 3000
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: feed-data
+  namespace: atproto
+spec:
+  accessModes: ["ReadWriteOnce"]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: feed
+  namespace: atproto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: feed
+  template:
+    metadata:
+      labels:
+        app: feed
+    spec:
+      containers:
+        - name: feed
+          image: registry/feed
+          ports:
+            - containerPort: 3000
+          env:
+            - name: FEEDGEN_PORT
+              value: "3000"
+            - name: FEEDGEN_LISTENHOST
+              value: "0.0.0.0"
+            - name: FEEDGEN_SQLITE_LOCATION
+              value: "/data/db.sqlite"
+            - name: FEEDGEN_HOSTNAME
+              value: "feed.syu.is"
+            - name: FEEDGEN_PUBLISHER_DID
+              value: "did:plc:6qyecktefllvenje24fcxnie"
+            - name: FEEDGEN_SERVICE_DID
+              value: "did:web:feed.syu.is"
+            - name: FEEDGEN_JETSTREAM_URL
+              value: "ws://jetstream:6008/subscribe"
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 3000
+            initialDelaySeconds: 10
+            periodSeconds: 10
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: feed-data
diff --git a/k8s/gen-secrets.sh b/k8s/gen-secrets.sh
new file mode 100755
index 0000000..3609e99
--- /dev/null
+++ b/k8s/gen-secrets.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+## envs/ から k8s/secrets.env を生成する
+## usage: cd k8s && bash gen-secrets.sh
+
+ENVS_DIR="${1:-../envs}"
+OUT="secrets.env"
+
+get_val() {
+  local file="$1" key="$2"
+  grep "^${key}=" "$file" 2>/dev/null | head -1 | cut -d'=' -f2-
+}
+
+cat > "$OUT" <<EOF
+pds-admin-password=$(get_val "$ENVS_DIR/pds" PDS_ADMIN_PASSWORD)
+pds-plc-rotation-key=$(get_val "$ENVS_DIR/pds" PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX)
+pds-repo-signing-key=$(get_val "$ENVS_DIR/pds" PDS_REPO_SIGNING_KEY_K256_PRIVATE_KEY_HEX)
+pds-jwt-secret=$(get_val "$ENVS_DIR/pds" PDS_JWT_SECRET)
+pds-email-smtp-url=$(get_val "$ENVS_DIR/pds" PDS_EMAIL_SMTP_URL)
+bsky-admin-passwords=$(get_val "$ENVS_DIR/bsky" BSKY_ADMIN_PASSWORDS)
+bsky-service-signing-key=$(get_val "$ENVS_DIR/bsky" BSKY_SERVICE_SIGNING_KEY)
+bgs-admin-key=$(get_val "$ENVS_DIR/bgs" BGS_ADMIN_KEY)
+ozone-admin-password=$(get_val "$ENVS_DIR/ozone" OZONE_ADMIN_PASSWORD)
+ozone-signing-key-hex=$(get_val "$ENVS_DIR/ozone" OZONE_SIGNING_KEY_HEX)
+EOF
+
+echo "generated $OUT"
diff --git a/k8s/jetstream.yaml b/k8s/jetstream.yaml
new file mode 100644
index 0000000..e13d2a6
--- /dev/null
+++ b/k8s/jetstream.yaml
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: jetstream
+  namespace: atproto
+spec:
+  selector:
+    app: jetstream
+  ports:
+    - port: 6008
+      targetPort: 6008
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jetstream-data
+  namespace: atproto
+spec:
+  accessModes: ["ReadWriteOnce"]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jetstream
+  namespace: atproto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: jetstream
+  template:
+    metadata:
+      labels:
+        app: jetstream
+    spec:
+      containers:
+        - name: jetstream
+          image: registry/jetstream
+          ports:
+            - containerPort: 6008
+          env:
+            - name: JETSTREAM_WS_URL
+              value: "ws://bgs:2470/xrpc/com.atproto.sync.subscribeRepos"
+            - name: JETSTREAM_DATA_DIR
+              value: "/data"
+            - name: JETSTREAM_LISTEN_ADDR
+              value: ":6008"
+            - name: JETSTREAM_METRICS_LISTEN_ADDR
+              value: ":6009"
+            - name: JETSTREAM_LIVENESS_TTL
+              value: "96h"
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 6009
+            initialDelaySeconds: 10
+            periodSeconds: 10
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: jetstream-data
diff --git a/k8s/kustomization.yaml b/k8s/kustomization.yaml
new file mode 100644
index 0000000..b1f2c07
--- /dev/null
+++ b/k8s/kustomization.yaml
@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: atproto
+
+resources:
+  - namespace.yaml
+  - postgres.yaml
+  - redis.yaml
+  - plc.yaml
+  - pds.yaml
+  - bgs.yaml
+  - bsky.yaml
+  - social-app.yaml
+  - ozone.yaml
+  - ozone-web.yaml
+  - jetstream.yaml
+  - feed.yaml
+
+## deploy.yml に images / secretGenerator を設定
+## デプロイ: cp deploy.yml kustomization.yaml && kubectl apply -k .
+secretGenerator:
+  - name: atproto-secrets
+    envs:
+      - secrets.env
+    options:
+      disableNameSuffixHash: true
diff --git a/k8s/namespace.yaml b/k8s/namespace.yaml
new file mode 100644
index 0000000..20fd341
--- /dev/null
+++ b/k8s/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: atproto
diff --git a/k8s/ozone-web.yaml b/k8s/ozone-web.yaml
new file mode 100644
index 0000000..af16402
--- /dev/null
+++ b/k8s/ozone-web.yaml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ozone-web
+  namespace: atproto
+spec:
+  selector:
+    app: ozone-web
+  ports:
+    - port: 3000
+      targetPort: 3000
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ozone-web
+  namespace: atproto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ozone-web
+  template:
+    metadata:
+      labels:
+        app: ozone-web
+    spec:
+      containers:
+        - name: ozone-web
+          image: registry/ozone-web
+          ports:
+            - containerPort: 3000
+          env:
+            - name: NEXT_PUBLIC_PLC_DIRECTORY_URL
+              value: "https://plc.syu.is"
+            - name: NEXT_PUBLIC_OZONE_SERVICE_DID
+              value: "did:web:ozone.syu.is"
+            - name: NEXT_PUBLIC_SOCIAL_APP_DOMAIN
+              value: "syu.is"
+            - name: NEXT_PUBLIC_SOCIAL_APP_URL
+              value: "https://syu.is"
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 3000
+            initialDelaySeconds: 10
+            periodSeconds: 10
diff --git a/k8s/ozone.yaml b/k8s/ozone.yaml
new file mode 100644
index 0000000..2da22f6
--- /dev/null
+++ b/k8s/ozone.yaml
@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ozone
+  namespace: atproto
+spec:
+  selector:
+    app: ozone
+  ports:
+    - port: 3000
+      targetPort: 3000
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ozone-data
+  namespace: atproto
+spec:
+  accessModes: ["ReadWriteOnce"]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ozone
+  namespace: atproto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ozone
+  template:
+    metadata:
+      labels:
+        app: ozone
+    spec:
+      containers:
+        - name: ozone
+          image: registry/ozone
+          command: ["node", "--enable-source-maps", "api.js"]
+          ports:
+            - containerPort: 3000
+          env:
+            - name: OZONE_SERVER_DID
+              value: "did:web:ozone.syu.is"
+            - name: OZONE_PUBLIC_URL
+              value: "https://ozone.syu.is"
+            - name: OZONE_DB_POSTGRES_URL
+              value: "postgres://postgres:postgres@database/ozone"
+            - name: OZONE_DID_PLC_URL
+              value: "https://plc.syu.is"
+            - name: OZONE_APPVIEW_DID
+              value: "did:web:bsky.syu.is"
+            - name: OZONE_APPVIEW_URL
+              value: "https://bsky.syu.is"
+            - name: OZONE_APPVIEW_PUSH_EVENTS
+              value: "true"
+            - name: OZONE_PDS_DID
+              value: "did:web:syu.is"
+            - name: OZONE_PDS_URL
+              value: "https://syu.is"
+            - name: OZONE_DEV_MODE
+              value: "true"
+            - name: OZONE_DB_MIGRATE
+              value: "1"
+            - name: OZONE_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: atproto-secrets
+                  key: ozone-admin-password
+            - name: OZONE_SIGNING_KEY_HEX
+              valueFrom:
+                secretKeyRef:
+                  name: atproto-secrets
+                  key: ozone-signing-key-hex
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          livenessProbe:
+            httpGet:
+              path: /xrpc/_health
+              port: 3000
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /xrpc/_health
+              port: 3000
+            initialDelaySeconds: 5
+            periodSeconds: 5
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: ozone-data
diff --git a/k8s/pds.yaml b/k8s/pds.yaml
new file mode 100644
index 0000000..7dbf38b
--- /dev/null
+++ b/k8s/pds.yaml
@@ -0,0 +1,121 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pds
+  namespace: atproto
+spec:
+  selector:
+    app: pds
+  ports:
+    - port: 3000
+      targetPort: 3000
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pds-data
+  namespace: atproto
+spec:
+  accessModes: ["ReadWriteOnce"]
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pds
+  namespace: atproto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pds
+  template:
+    metadata:
+      labels:
+        app: pds
+    spec:
+      containers:
+        - name: pds
+          image: registry/pds
+          command: ["node", "--enable-source-maps", "index.js"]
+          ports:
+            - containerPort: 3000
+          env:
+            - name: PDS_HOSTNAME
+              value: "syu.is"
+            - name: PDS_DB_POSTGRES_URL
+              value: "postgres://postgres:postgres@database/pds"
+            - name: PDS_DATA_DIRECTORY
+              value: "/data"
+            - name: PDS_BLOBSTORE_DISK_LOCATION
+              value: "/data/img/static"
+            - name: PDS_BSKY_APP_VIEW_DID
+              value: "did:web:bsky.syu.is"
+            - name: PDS_BSKY_APP_VIEW_URL
+              value: "https://bsky.syu.is"
+            - name: PDS_CRAWLERS
+              value: "https://bgs.syu.is"
+            - name: PDS_SEQUENCER_ENABLED
+              value: "true"
+            - name: PDS_SEQUENCER_DB_LOCATION
+              value: "/data/sequencer.sqlite"
+            - name: PDS_DEV_MODE
+              value: "true"
+            - name: PDS_DID_PLC_URL
+              value: "https://plc.syu.is"
+            - name: PDS_ENABLE_DID_DOC_WITH_SESSION
+              value: "true"
+            - name: PDS_INVITE_INTERVAL
+              value: "604800000"
+            - name: PDS_SERVICE_DID
+              value: "did:web:syu.is"
+            - name: PDS_EMAIL_FROM_ADDRESS
+              value: "no-reply@syu.is"
+            - name: PDS_INVITE_REQUIRED
+              value: "true"
+            - name: PDS_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: atproto-secrets
+                  key: pds-admin-password
+            - name: PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX
+              valueFrom:
+                secretKeyRef:
+                  name: atproto-secrets
+                  key: pds-plc-rotation-key
+            - name: PDS_REPO_SIGNING_KEY_K256_PRIVATE_KEY_HEX
+              valueFrom:
+                secretKeyRef:
+                  name: atproto-secrets
+                  key: pds-repo-signing-key
+            - name: PDS_JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: atproto-secrets
+                  key: pds-jwt-secret
+            - name: PDS_EMAIL_SMTP_URL
+              valueFrom:
+                secretKeyRef:
+                  name: atproto-secrets
+                  key: pds-email-smtp-url
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          livenessProbe:
+            httpGet:
+              path: /xrpc/_health
+              port: 3000
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /xrpc/_health
+              port: 3000
+            initialDelaySeconds: 5
+            periodSeconds: 5
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: pds-data
diff --git a/k8s/plc.yaml b/k8s/plc.yaml
new file mode 100644
index 0000000..126066c
--- /dev/null
+++ b/k8s/plc.yaml
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: plc
+  namespace: atproto
+spec:
+  selector:
+    app: plc
+  ports:
+    - port: 3000
+      targetPort: 3000
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: plc
+  namespace: atproto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: plc
+  template:
+    metadata:
+      labels:
+        app: plc
+    spec:
+      containers:
+        - name: plc
+          image: registry/plc
+          ports:
+            - containerPort: 3000
+          env:
+            - name: DATABASE_URL
+              value: "postgres://postgres:postgres@database/plc"
+            - name: DB_CREDS_JSON
+              value: '{"username":"postgres","password":"postgres","host":"database","port":"5432","database":"plc"}'
+            - name: ENABLE_MIGRATIONS
+              value: "true"
+            - name: DB_MIGRATE_CREDS_JSON
+              value: '{"username":"postgres","password":"postgres","host":"database","port":"5432","database":"plc"}'
+          livenessProbe:
+            httpGet:
+              path: /_health
+              port: 3000
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /_health
+              port: 3000
+            initialDelaySeconds: 5
+            periodSeconds: 5
diff --git a/k8s/postgres.yaml b/k8s/postgres.yaml
new file mode 100644
index 0000000..c5bbb7b
--- /dev/null
+++ b/k8s/postgres.yaml
@@ -0,0 +1,89 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-init
+  namespace: atproto
+data:
+  init.sql: |
+    CREATE DATABASE plc;
+    GRANT ALL PRIVILEGES ON DATABASE plc TO postgres;
+    CREATE DATABASE bgs;
+    CREATE DATABASE carstore;
+    GRANT ALL PRIVILEGES ON DATABASE bgs TO postgres;
+    GRANT ALL PRIVILEGES ON DATABASE carstore TO postgres;
+    CREATE DATABASE bsky;
+    GRANT ALL PRIVILEGES ON DATABASE bsky TO postgres;
+    CREATE DATABASE ozone;
+    GRANT ALL PRIVILEGES ON DATABASE ozone TO postgres;
+    CREATE DATABASE pds;
+    GRANT ALL PRIVILEGES ON DATABASE pds TO postgres;
+    CREATE DATABASE bsync;
+    GRANT ALL PRIVILEGES ON DATABASE bsync TO postgres;
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: database
+  namespace: atproto
+spec:
+  selector:
+    app: postgres
+  ports:
+    - port: 5432
+      targetPort: 5432
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  namespace: atproto
+spec:
+  serviceName: database
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+        - name: postgres
+          image: postgres:16-alpine
+          env:
+            - name: POSTGRES_USER
+              value: postgres
+            - name: POSTGRES_PASSWORD
+              value: postgres
+            - name: POSTGRES_DB
+              value: healthcheck
+          ports:
+            - containerPort: 5432
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+            - name: init
+              mountPath: /docker-entrypoint-initdb.d
+          livenessProbe:
+            exec:
+              command: ["pg_isready", "-U", "postgres", "-d", "healthcheck"]
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          readinessProbe:
+            exec:
+              command: ["pg_isready", "-U", "postgres", "-d", "healthcheck"]
+            initialDelaySeconds: 5
+            periodSeconds: 5
+      volumes:
+        - name: init
+          configMap:
+            name: postgres-init
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 20Gi
diff --git a/k8s/redis.yaml b/k8s/redis.yaml
new file mode 100644
index 0000000..987f1fb
--- /dev/null
+++ b/k8s/redis.yaml
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: atproto
+spec:
+  selector:
+    app: redis
+  ports:
+    - port: 6379
+      targetPort: 6379
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis
+  namespace: atproto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: redis:alpine
+          ports:
+            - containerPort: 6379
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          livenessProbe:
+            exec:
+              command: ["redis-cli", "ping"]
+            periodSeconds: 5
+          readinessProbe:
+            exec:
+              command: ["redis-cli", "ping"]
+            periodSeconds: 5
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: redis-data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: redis-data
+  namespace: atproto
+spec:
+  accessModes: ["ReadWriteOnce"]
+  resources:
+    requests:
+      storage: 1Gi
diff --git a/k8s/secrets.env.example b/k8s/secrets.env.example
new file mode 100644
index 0000000..05e682e
--- /dev/null
+++ b/k8s/secrets.env.example
@@ -0,0 +1,10 @@
+pds-admin-password=
+pds-plc-rotation-key=
+pds-repo-signing-key=
+pds-jwt-secret=
+pds-email-smtp-url=
+bsky-admin-passwords=
+bsky-service-signing-key=
+bgs-admin-key=
+ozone-admin-password=
+ozone-signing-key-hex=
diff --git a/k8s/social-app.yaml b/k8s/social-app.yaml
new file mode 100644
index 0000000..17e15b7
--- /dev/null
+++ b/k8s/social-app.yaml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: social-app
+  namespace: atproto
+spec:
+  selector:
+    app: social-app
+  ports:
+    - port: 8100
+      targetPort: 8100
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: social-app
+  namespace: atproto
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: social-app
+  template:
+    metadata:
+      labels:
+        app: social-app
+    spec:
+      containers:
+        - name: social-app
+          image: registry/social-app
+          command: ["/usr/bin/bskyweb", "serve"]
+          ports:
+            - containerPort: 8100
+          env:
+            - name: ATP_APPVIEW_HOST
+              value: "https://public.api.bsky.app"
+            - name: EXPO_PUBLIC_BLUESKY_PROXY_DID
+              value: "did:web:api.bsky.app"
+            - name: EXPO_PUBLIC_ENV
+              value: "production"
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 8100
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 8100
+            initialDelaySeconds: 5
+            periodSeconds: 5