···
on the [AT Protocol](https://atproto.com).
Read the introduction to Tangled [here](https://blog.tangled.sh/intro).
9
+
## knot self-hosting guide
11
+
So you want to run your own knot server? Great! Here are a few prerequisites:
13
+
1. A server of some kind (a VPS, a Raspberry Pi, etc.). Preferably running a Linux of some kind.
14
+
2. A (sub)domain name. People generally use `knot.example.com`.
15
+
3. A valid SSL certificate for your domain.
17
+
There's a couple of ways to get started:
18
+
* NixOS: refer to [flake.nix](https://tangled.sh/@tangled.sh/core/blob/master/flake.nix)
19
+
* Manual: Documented below.
23
+
First, clone this repository:
26
+
git clone https://tangled.sh/@tangled.sh/core
29
+
Then, build our binaries (you need to have Go installed):
30
+
* `knotserver`: the main server program
31
+
* `keyfetch`: utility to fetch ssh pubkeys
32
+
* `repoguard`: enforces repository access control
36
+
export CGO_ENABLED=1
37
+
go build -o knot ./cmd/knotserver
38
+
go build -o keyfetch ./cmd/keyfetch
39
+
go build -o repoguard ./cmd/repoguard
42
+
Next, move the `keyfetch` binary to a location owned by `root` -- `/keyfetch` is
46
+
sudo mv keyfetch /keyfetch
47
+
sudo chown root:root /keyfetch
48
+
sudo chmod 755 /keyfetch
51
+
This is necessary because SSH `AuthorizedKeysCommand` requires [really specific
52
+
permissions](https://stackoverflow.com/a/27638306). Let's set that up:
55
+
sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
57
+
AuthorizedKeysCommand /keyfetch
58
+
AuthorizedKeysCommandUser nobody
62
+
Next, create the `git` user:
68
+
Copy the `repoguard` binary to the `git` user's home directory:
71
+
sudo cp repoguard /home/git
72
+
sudo chown git:git /home/git/repoguard
75
+
Now, let's set up the server. Copy the `knot` binary to
76
+
`/usr/local/bin/knotserver`. Then, create `/home/git/.knot.env` with the
77
+
following, updating the values as necessary. The `KNOT_SERVER_SECRET` can be
78
+
obtaind from the [/knots](/knots) page on Tangled.
81
+
KNOT_REPO_SCAN_PATH=/home/git
82
+
KNOT_SERVER_HOSTNAME=knot.example.com
83
+
APPVIEW_ENDPOINT=https://tangled.sh
84
+
KNOT_SERVER_SECRET=secret
85
+
KNOT_SERVER_INTERNAL_LISTEN_ADDR=127.0.0.1:5444
86
+
KNOT_SERVER_LISTEN_ADDR=127.0.0.1:5555
89
+
If you run a Linux distribution that uses systemd, you can use the provided
90
+
service file to run the server. Copy
91
+
[`knotserver.service`](https://tangled.sh/did:plc:wshs7t2adsemcrrd4snkeqli/core/blob/master/systemd/knotserver.service)
92
+
to `/etc/systemd/system/`. Then, run:
95
+
systemctl enable knotserver
96
+
systemctl start knotserver
99
+
You should now have a running knot server! You can finalize your registration by hitting the
100
+
`initialize` button on the [/knots](/knots) page.
dunkirk.sh
anirudh.fi