begin embedded pds with xrpc endpoints and well-known

deploy/.env.prod.template

@@ -29,6 +29,26 @@ HOLD_DOMAIN=hold01.atcr.io
 # Example: did:plc:abc123xyz789
 HOLD_OWNER=did:plc:pddp4xt5lgnv2qsegbzzs4xg
 
+# Directory path for embedded PDS carstore (SQLite database)
+# Default: /var/lib/atcr-hold
+# If empty, embedded PDS is disabled
+#
+# Note: This should be a directory path, NOT a file path
+# Carstore creates db.sqlite3 inside this directory
+#
+# The embedded PDS makes the hold a proper ATProto user with:
+# - did:web identity (derived from HOLD_DOMAIN)
+# - DID document at /.well-known/did.json
+# - XRPC endpoints for crew management
+# - ATProto blob endpoints (wraps existing presigned URL logic)
+#
+# Example: For HOLD_DOMAIN=hold01.atcr.io, the hold becomes did:web:hold01.atcr.io
+HOLD_DATABASE_DIR=/var/lib/atcr-hold
+
+# Path to signing key (auto-generated on first run if missing)
+# Default: {HOLD_DATABASE_DIR}/signing.key
+# HOLD_KEY_PATH=/var/lib/atcr-hold/signing.key
+
 # Allow public blob reads (pulls) without authentication
 # - true: Anyone can pull images (read-only)
 # - false: Only authenticated users can pull
@@ -79,8 +99,9 @@ AWS_SECRET_ACCESS_KEY=
 
 # S3 Region (for distribution S3 driver)
 # UpCloud regions: us-chi1, us-nyc1, de-fra1, uk-lon1, sg-sin1, etc.
-# Default: us-chi1
-S3_REGION=us-chi1
+# Note: Use AWS_REGION (not S3_REGION) - this is what the hold service expects
+# Default: us-east-1
+AWS_REGION=us-chi1
 
 # S3 Bucket Name
 # Create this bucket in UpCloud Object Storage
@@ -177,7 +198,9 @@ ATCR_BACKFILL_INTERVAL=1h
 # ☐ Set APPVIEW_DOMAIN (e.g., atcr.io)
 # ☐ Set HOLD_DOMAIN (e.g., hold01.atcr.io)
 # ☐ Set HOLD_OWNER (your ATProto DID)
+# ☐ Set HOLD_DATABASE_DIR (default: /var/lib/atcr-hold) - enables embedded PDS
 # ☐ Set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
+# ☐ Set AWS_REGION (e.g., us-chi1)
 # ☐ Set S3_BUCKET (created in UpCloud Object Storage)
 # ☐ Set S3_ENDPOINT (UpCloud endpoint or custom domain)
 # ☐ Configured DNS records:
@@ -189,5 +212,6 @@ ATCR_BACKFILL_INTERVAL=1h
 #
 # After starting:
 # ☐ Complete hold OAuth registration (run: /opt/atcr/get-hold-oauth.sh)
+# ☐ Verify hold PDS: curl https://hold01.atcr.io/.well-known/did.json
 # ☐ Test registry: docker pull atcr.io/test/image
 # ☐ Monitor logs: /opt/atcr/logs.sh

deploy/docker-compose.prod.yml

@@ -98,6 +98,10 @@ services:
       HOLD_PUBLIC: ${HOLD_PUBLIC:-false}
       HOLD_OWNER: ${HOLD_OWNER}
 
+      # Embedded PDS configuration
+      HOLD_DATABASE_DIR: ${HOLD_DATABASE_DIR:-/var/lib/atcr-hold}
+      # HOLD_KEY_PATH: ${HOLD_KEY_PATH}  # Optional, defaults to {HOLD_DATABASE_DIR}/signing.key
+
       # Storage driver
       STORAGE_DRIVER: ${STORAGE_DRIVER:-s3}
 
@@ -113,10 +117,8 @@ services:
       # STORAGE_DRIVER: filesystem
       # STORAGE_ROOT_DIR: /var/lib/atcr/hold
     volumes:
-      # Only needed for filesystem driver
-      # - atcr-hold-data:/var/lib/atcr/hold
-      # OAuth token storage for hold registration
-      - atcr-hold-tokens:/root/.atcr
+      # PDS data (carstore SQLite + signing keys)
+      - atcr-hold-data:/var/lib/atcr-hold
     networks:
       - atcr-network
     healthcheck: