julien.rbrt.fr / tangled-core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom
tangled-core / flake.nix
at push-kstnoynmspqp 16 kB view raw
1{ 2 description = "atproto github"; 3 4 inputs = { 5 nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; 6 indigo = { 7 url = "github:oppiliappan/indigo"; 8 flake = false; 9 }; 10 htmx-src = { 11 url = "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"; 12 flake = false; 13 }; 14 lucide-src = { 15 url = "https://github.com/lucide-icons/lucide/releases/download/0.483.0/lucide-icons-0.483.0.zip"; 16 flake = false; 17 }; 18 inter-fonts-src = { 19 url = "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"; 20 flake = false; 21 }; 22 ibm-plex-mono-src = { 23 url = "https://github.com/IBM/plex/releases/download/%40ibm%2Fplex-mono%401.1.0/ibm-plex-mono.zip"; 24 flake = false; 25 }; 26 gitignore = { 27 url = "github:hercules-ci/gitignore.nix"; 28 inputs.nixpkgs.follows = "nixpkgs"; 29 }; 30 }; 31 32 outputs = 33 { self 34 , nixpkgs 35 , indigo 36 , htmx-src 37 , lucide-src 38 , gitignore 39 , inter-fonts-src 40 , ibm-plex-mono-src 41 , 42 }: 43 let 44 supportedSystems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ]; 45 forAllSystems = nixpkgs.lib.genAttrs supportedSystems; 46 nixpkgsFor = forAllSystems (system: 47 import nixpkgs { 48 inherit system; 49 overlays = [ self.overlays.default ]; 50 }); 51 inherit (gitignore.lib) gitignoreSource; 52 in 53 { 54 overlays.default = final: prev: 55 let 56 goModHash = "sha256-EilWxfqrcKDaSR5zA3ZuDSCq7V+/IfWpKPu8HWhpndA="; 57 buildCmdPackage = name: 58 final.buildGoModule { 59 pname = name; 60 version = "0.1.0"; 61 src = gitignoreSource ./.; 62 subPackages = [ "cmd/${name}" ]; 63 vendorHash = goModHash; 64 CGO_ENABLED = 0; 65 }; 66 in 67 { 68 indigo-lexgen = final.buildGoModule { 69 pname = "indigo-lexgen"; 70 version = "0.1.0"; 71 src = indigo; 72 subPackages = [ "cmd/lexgen" ]; 73 vendorHash = "sha256-pGc29fgJFq8LP7n/pY1cv6ExZl88PAeFqIbFEhB3xXs="; 74 doCheck = false; 75 }; 76 77 appview = with final; 78 final.pkgsStatic.buildGoModule { 79 pname = "appview"; 80 version = "0.1.0"; 81 src = gitignoreSource ./.; 82 postUnpack = '' 83 pushd source 84 mkdir -p appview/pages/static/{fonts,icons} 85 cp -f ${htmx-src} appview/pages/static/htmx.min.js 86 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 87 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 88 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 89 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 90 ${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o appview/pages/static/tw.css 91 popd 92 ''; 93 doCheck = false; 94 subPackages = [ "cmd/appview" ]; 95 vendorHash = goModHash; 96 CGO_ENABLED = 1; 97 stdenv = pkgsStatic.stdenv; 98 }; 99 100 knotserver = with final; 101 final.pkgsStatic.buildGoModule { 102 pname = "knotserver"; 103 version = "0.1.0"; 104 src = gitignoreSource ./.; 105 nativeBuildInputs = [ final.makeWrapper ]; 106 subPackages = [ "cmd/knotserver" ]; 107 vendorHash = goModHash; 108 installPhase = '' 109 runHook preInstall 110 111 mkdir -p $out/bin 112 cp $GOPATH/bin/knotserver $out/bin/knotserver 113 114 wrapProgram $out/bin/knotserver \ 115 --prefix PATH : ${pkgs.git}/bin 116 117 runHook postInstall 118 ''; 119 CGO_ENABLED = 1; 120 }; 121 knotserver-unwrapped = final.pkgsStatic.buildGoModule { 122 pname = "knotserver"; 123 version = "0.1.0"; 124 src = gitignoreSource ./.; 125 subPackages = [ "cmd/knotserver" ]; 126 vendorHash = goModHash; 127 CGO_ENABLED = 1; 128 }; 129 repoguard = buildCmdPackage "repoguard"; 130 keyfetch = buildCmdPackage "keyfetch"; 131 }; 132 packages = forAllSystems (system: { 133 inherit 134 (nixpkgsFor."${system}") 135 indigo-lexgen 136 appview 137 knotserver 138 knotserver-unwrapped 139 repoguard 140 keyfetch 141 ; 142 }); 143 defaultPackage = forAllSystems (system: nixpkgsFor.${system}.appview); 144 formatter = forAllSystems (system: nixpkgsFor."${system}".alejandra); 145 devShells = forAllSystems (system: 146 let 147 pkgs = nixpkgsFor.${system}; 148 staticShell = pkgs.mkShell.override { 149 stdenv = pkgs.pkgsStatic.stdenv; 150 }; 151 in 152 { 153 default = staticShell { 154 nativeBuildInputs = [ 155 pkgs.go 156 pkgs.air 157 pkgs.gopls 158 pkgs.httpie 159 pkgs.indigo-lexgen 160 pkgs.litecli 161 pkgs.websocat 162 pkgs.tailwindcss 163 pkgs.nixos-shell 164 ]; 165 shellHook = '' 166 mkdir -p appview/pages/static/{fonts,icons} 167 cp -f ${htmx-src} appview/pages/static/htmx.min.js 168 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 169 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 170 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 171 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 172 ''; 173 }; 174 }); 175 apps = forAllSystems (system: 176 let 177 pkgs = nixpkgsFor."${system}"; 178 air-watcher = name: 179 pkgs.writeShellScriptBin "run" 180 '' 181 TANGLED_DEV=true ${pkgs.air}/bin/air -c /dev/null \ 182 -build.cmd "${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o ./appview/pages/static/tw.css && ${pkgs.go}/bin/go build -o ./out/${name}.out ./cmd/${name}/main.go" \ 183 -build.bin "./out/${name}.out" \ 184 -build.include_ext "go" 185 ''; 186 tailwind-watcher = 187 pkgs.writeShellScriptBin "run" 188 '' 189 ${pkgs.tailwindcss}/bin/tailwindcss -w -i input.css -o ./appview/pages/static/tw.css 190 ''; 191 in 192 { 193 watch-appview = { 194 type = "app"; 195 program = ''${air-watcher "appview"}/bin/run''; 196 }; 197 watch-knotserver = { 198 type = "app"; 199 program = ''${air-watcher "knotserver"}/bin/run''; 200 }; 201 watch-tailwind = { 202 type = "app"; 203 program = ''${tailwind-watcher}/bin/run''; 204 }; 205 }); 206 207 nixosModules.appview = 208 { config 209 , pkgs 210 , lib 211 , ... 212 }: 213 with lib; { 214 options = { 215 services.tangled-appview = { 216 enable = mkOption { 217 type = types.bool; 218 default = false; 219 description = "Enable tangled appview"; 220 }; 221 port = mkOption { 222 type = types.int; 223 default = 3000; 224 description = "Port to run the appview on"; 225 }; 226 cookie_secret = mkOption { 227 type = types.str; 228 default = "00000000000000000000000000000000"; 229 description = "Cookie secret"; 230 }; 231 }; 232 }; 233 234 config = mkIf config.services.tangled-appview.enable { 235 systemd.services.tangled-appview = { 236 description = "tangled appview service"; 237 wantedBy = [ "multi-user.target" ]; 238 239 serviceConfig = { 240 ListenStream = "0.0.0.0:${toString config.services.tangled-appview.port}"; 241 ExecStart = "${self.packages.${pkgs.system}.appview}/bin/appview"; 242 Restart = "always"; 243 }; 244 245 environment = { 246 TANGLED_DB_PATH = "appview.db"; 247 TANGLED_COOKIE_SECRET = config.services.tangled-appview.cookie_secret; 248 }; 249 }; 250 }; 251 }; 252 253 nixosModules.knotserver = 254 { config 255 , pkgs 256 , lib 257 , ... 258 }: 259 let 260 cfg = config.services.tangled-knotserver; 261 in 262 with lib; { 263 options = { 264 services.tangled-knotserver = { 265 enable = mkOption { 266 type = types.bool; 267 default = false; 268 description = "Enable a tangled knotserver"; 269 }; 270 271 appviewEndpoint = mkOption { 272 type = types.str; 273 default = "https://tangled.sh"; 274 description = "Appview endpoint"; 275 }; 276 277 gitUser = mkOption { 278 type = types.str; 279 default = "git"; 280 description = "User that hosts git repos and performs git operations"; 281 }; 282 283 openFirewall = mkOption { 284 type = types.bool; 285 default = true; 286 description = "Open port 22 in the firewall for ssh"; 287 }; 288 289 stateDir = mkOption { 290 type = types.path; 291 default = "/home/${cfg.gitUser}"; 292 description = "Tangled knot data directory"; 293 }; 294 295 repo = { 296 scanPath = mkOption { 297 type = types.path; 298 default = cfg.stateDir; 299 description = "Path where repositories are scanned from"; 300 }; 301 302 mainBranch = mkOption { 303 type = types.str; 304 default = "main"; 305 description = "Default branch name for repositories"; 306 }; 307 }; 308 309 server = { 310 listenAddr = mkOption { 311 type = types.str; 312 default = "0.0.0.0:5555"; 313 description = "Address to listen on"; 314 }; 315 316 internalListenAddr = mkOption { 317 type = types.str; 318 default = "127.0.0.1:5444"; 319 description = "Internal address for inter-service communication"; 320 }; 321 322 secretFile = mkOption { 323 type = lib.types.path; 324 example = "KNOT_SERVER_SECRET=<hash>"; 325 description = "File containing secret key provided by appview (required)"; 326 }; 327 328 dbPath = mkOption { 329 type = types.path; 330 default = "${cfg.stateDir}/knotserver.db"; 331 description = "Path to the database file"; 332 }; 333 334 hostname = mkOption { 335 type = types.str; 336 example = "knot.tangled.sh"; 337 description = "Hostname for the server (required)"; 338 }; 339 340 dev = mkOption { 341 type = types.bool; 342 default = false; 343 description = "Enable development mode (disables signature verification)"; 344 }; 345 }; 346 }; 347 }; 348 349 config = mkIf cfg.enable { 350 environment.systemPackages = with pkgs; [ git ]; 351 352 system.activationScripts.gitConfig = '' 353 mkdir -p "${cfg.repo.scanPath}" 354 chown -R ${cfg.gitUser}:${cfg.gitUser} \ 355 "${cfg.repo.scanPath}" 356 357 mkdir -p "${cfg.stateDir}/.config/git" 358 cat > "${cfg.stateDir}/.config/git/config" << EOF 359 [user] 360 name = Git User 361 email = git@example.com 362 EOF 363 chown -R ${cfg.gitUser}:${cfg.gitUser} \ 364 "${cfg.stateDir}" 365 ''; 366 367 users.users.${cfg.gitUser} = { 368 isSystemUser = true; 369 useDefaultShell = true; 370 home = cfg.stateDir; 371 createHome = true; 372 group = cfg.gitUser; 373 }; 374 375 users.groups.${cfg.gitUser} = { }; 376 377 services.openssh = { 378 enable = true; 379 extraConfig = '' 380 Match User ${cfg.gitUser} 381 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper 382 AuthorizedKeysCommandUser nobody 383 ''; 384 }; 385 386 environment.etc."ssh/keyfetch_wrapper" = { 387 mode = "0555"; 388 text = '' 389 #!${pkgs.stdenv.shell} 390 ${self.packages.${pkgs.system}.keyfetch}/bin/keyfetch \ 391 -repoguard-path ${self.packages.${pkgs.system}.repoguard}/bin/repoguard \ 392 -internal-api "http://${cfg.server.internalListenAddr}" \ 393 -git-dir "${cfg.repo.scanPath}" \ 394 -log-path /tmp/repoguard.log 395 ''; 396 }; 397 398 systemd.services.knotserver = { 399 description = "knotserver service"; 400 after = [ "network.target" "sshd.service" ]; 401 wantedBy = [ "multi-user.target" ]; 402 serviceConfig = { 403 User = cfg.gitUser; 404 WorkingDirectory = cfg.stateDir; 405 Environment = [ 406 "KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}" 407 "KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}" 408 "APPVIEW_ENDPOINT=${cfg.appviewEndpoint}" 409 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}" 410 "KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}" 411 "KNOT_SERVER_DB_PATH=${cfg.server.dbPath}" 412 "KNOT_SERVER_HOSTNAME=${cfg.server.hostname}" 413 ]; 414 EnvironmentFile = cfg.server.secretFile; 415 ExecStart = "${self.packages.${pkgs.system}.knotserver}/bin/knotserver"; 416 Restart = "always"; 417 }; 418 }; 419 420 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ 22 ]; 421 }; 422 }; 423 424 nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem { 425 system = "x86_64-linux"; 426 modules = [ 427 self.nixosModules.knotserver 428 ({ config 429 , pkgs 430 , ... 431 }: { 432 virtualisation.memorySize = 2048; 433 virtualisation.diskSize = 10 * 1024; 434 virtualisation.cores = 2; 435 services.getty.autologinUser = "root"; 436 environment.systemPackages = with pkgs; [ curl vim git ]; 437 systemd.tmpfiles.rules = 438 let 439 u = config.services.tangled-knotserver.gitUser; 440 g = config.services.tangled-knotserver.gitUser; 441 in 442 [ 443 "d /var/lib/knotserver 0770 ${u} ${g} - -" # Create the directory first 444 "f+ /var/lib/knotserver/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=679f15000084699abc6a20d3ef449efa3656583f38e456a08f0638250688ff2e" 445 ]; 446 services.tangled-knotserver = { 447 enable = true; 448 server = { 449 secretFile = "/var/lib/knotserver/secret"; 450 hostname = "localhost:6000"; 451 listenAddr = "0.0.0.0:6000"; 452 }; 453 }; 454 }) 455 ]; 456 }; 457 }; 458}