julien.rbrt.fr / tangled-core
forked from tangled.org/core
Monorepo for Tangled — https://tangled.org
fork atom
tangled-core / flake.nix
at push-lnupvsypkuow 15 kB view raw
1{ 2 description = "atproto github"; 3 4 inputs = { 5 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; 6 indigo = { 7 url = "github:oppiliappan/indigo"; 8 flake = false; 9 }; 10 htmx-src = { 11 url = "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"; 12 flake = false; 13 }; 14 lucide-src = { 15 url = "https://github.com/lucide-icons/lucide/releases/download/0.483.0/lucide-icons-0.483.0.zip"; 16 flake = false; 17 }; 18 inter-fonts-src = { 19 url = "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"; 20 flake = false; 21 }; 22 ibm-plex-mono-src = { 23 url = "https://github.com/IBM/plex/releases/download/%40ibm%2Fplex-mono%401.1.0/ibm-plex-mono.zip"; 24 flake = false; 25 }; 26 gitignore = { 27 url = "github:hercules-ci/gitignore.nix"; 28 inputs.nixpkgs.follows = "nixpkgs"; 29 }; 30 }; 31 32 outputs = { 33 self, 34 nixpkgs, 35 indigo, 36 htmx-src, 37 lucide-src, 38 gitignore, 39 inter-fonts-src, 40 ibm-plex-mono-src, 41 }: let 42 supportedSystems = ["x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin"]; 43 forAllSystems = nixpkgs.lib.genAttrs supportedSystems; 44 nixpkgsFor = forAllSystems (system: 45 import nixpkgs { 46 inherit system; 47 overlays = [self.overlays.default]; 48 }); 49 inherit (gitignore.lib) gitignoreSource; 50 in { 51 overlays.default = final: prev: let 52 goModHash = "sha256-ZckpIPqFk7/XBiEJUbmrAzdjAxV62hv896xqAXF2aZs="; 53 appviewBuildAttrs = final: 54 with final; { 55 pname = "appview"; 56 version = "0.1.0"; 57 src = gitignoreSource ./.; 58 postUnpack = '' 59 pushd source 60 mkdir -p appview/pages/static/{fonts,icons} 61 cp -f ${htmx-src} appview/pages/static/htmx.min.js 62 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 63 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 64 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 65 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 66 ${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o appview/pages/static/tw.css 67 popd 68 ''; 69 doCheck = false; 70 subPackages = ["cmd/appview"]; 71 vendorHash = goModHash; 72 env.CGO_ENABLED = 1; 73 stdenv = pkgsStatic.stdenv; 74 }; 75 knotBuildAttrs = final: 76 with final; { 77 pname = "knot"; 78 version = "0.1.0"; 79 src = gitignoreSource ./.; 80 subPackages = ["cmd/knot"]; 81 vendorHash = goModHash; 82 env.CGO_ENABLED = 1; 83 }; 84 in { 85 indigo-lexgen = final.buildGoModule { 86 pname = "indigo-lexgen"; 87 version = "0.1.0"; 88 src = indigo; 89 subPackages = ["cmd/lexgen"]; 90 vendorHash = "sha256-pGc29fgJFq8LP7n/pY1cv6ExZl88PAeFqIbFEhB3xXs="; 91 doCheck = false; 92 }; 93 94 # appview packages 95 appview = final.pkgsStatic.buildGoModule (appviewBuildAttrs final); 96 appview-cross = final.pkgsCross.gnu64.pkgsStatic.buildGoModule (appviewBuildAttrs final); 97 98 # knot packages 99 knot = with final; 100 final.pkgsStatic.buildGoModule ((knotBuildAttrs final) 101 // { 102 nativeBuildInputs = [final.makeWrapper]; 103 installPhase = '' 104 runHook preInstall 105 106 mkdir -p $out/bin 107 cp $GOPATH/bin/knot $out/bin/knot 108 109 wrapProgram $out/bin/knot \ 110 --prefix PATH : ${pkgs.git}/bin 111 112 runHook postInstall 113 ''; 114 }); 115 knot-cross = final.pkgsCross.gnu64.pkgsStatic.buildGoModule (knotBuildAttrs final); # cross-compile on darwin to x86_64-linux 116 knot-unwrapped = final.pkgsStatic.buildGoModule (knotBuildAttrs final); 117 118 genjwks = final.buildGoModule { 119 pname = "genjwks"; 120 version = "0.1.0"; 121 src = gitignoreSource ./.; 122 subPackages = ["cmd/genjwks"]; 123 vendorHash = goModHash; 124 env.CGO_ENABLED = 0; 125 }; 126 }; 127 packages = forAllSystems (system: { 128 inherit 129 (nixpkgsFor."${system}") 130 indigo-lexgen 131 appview 132 appview-cross 133 knot 134 knot-cross 135 knot-unwrapped 136 genjwks 137 ; 138 }); 139 defaultPackage = forAllSystems (system: nixpkgsFor.${system}.appview); 140 formatter = forAllSystems (system: nixpkgsFor."${system}".alejandra); 141 devShells = forAllSystems (system: let 142 pkgs = nixpkgsFor.${system}; 143 staticShell = pkgs.mkShell.override { 144 stdenv = pkgs.pkgsStatic.stdenv; 145 }; 146 in { 147 default = staticShell { 148 nativeBuildInputs = [ 149 pkgs.go 150 pkgs.air 151 pkgs.gopls 152 pkgs.httpie 153 pkgs.indigo-lexgen 154 pkgs.litecli 155 pkgs.websocat 156 pkgs.tailwindcss 157 pkgs.nixos-shell 158 pkgs.redis 159 ]; 160 shellHook = '' 161 mkdir -p appview/pages/static/{fonts,icons} 162 cp -f ${htmx-src} appview/pages/static/htmx.min.js 163 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 164 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 165 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 166 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 167 export TANGLED_OAUTH_JWKS="$(${pkgs.genjwks}/bin/genjwks)" 168 ''; 169 env.CGO_ENABLED = 1; 170 }; 171 }); 172 apps = forAllSystems (system: let 173 pkgs = nixpkgsFor."${system}"; 174 air-watcher = name: arg: 175 pkgs.writeShellScriptBin "run" 176 '' 177 ${pkgs.air}/bin/air -c /dev/null \ 178 -build.cmd "${pkgs.go}/bin/go build -o ./out/${name}.out ./cmd/${name}/main.go" \ 179 -build.bin "./out/${name}.out ${arg}" \ 180 -build.stop_on_error "true" \ 181 -build.include_ext "go" 182 ''; 183 tailwind-watcher = 184 pkgs.writeShellScriptBin "run" 185 '' 186 ${pkgs.tailwindcss}/bin/tailwindcss -w -i input.css -o ./appview/pages/static/tw.css 187 ''; 188 in { 189 watch-appview = { 190 type = "app"; 191 program = ''${air-watcher "appview" ""}/bin/run''; 192 }; 193 watch-knot = { 194 type = "app"; 195 program = ''${air-watcher "knot" "server"}/bin/run''; 196 }; 197 watch-tailwind = { 198 type = "app"; 199 program = ''${tailwind-watcher}/bin/run''; 200 }; 201 }); 202 203 nixosModules.appview = { 204 config, 205 pkgs, 206 lib, 207 ... 208 }: 209 with lib; { 210 options = { 211 services.tangled-appview = { 212 enable = mkOption { 213 type = types.bool; 214 default = false; 215 description = "Enable tangled appview"; 216 }; 217 port = mkOption { 218 type = types.int; 219 default = 3000; 220 description = "Port to run the appview on"; 221 }; 222 cookie_secret = mkOption { 223 type = types.str; 224 default = "00000000000000000000000000000000"; 225 description = "Cookie secret"; 226 }; 227 }; 228 }; 229 230 config = mkIf config.services.tangled-appview.enable { 231 systemd.services.tangled-appview = { 232 description = "tangled appview service"; 233 wantedBy = ["multi-user.target"]; 234 235 serviceConfig = { 236 ListenStream = "0.0.0.0:${toString config.services.tangled-appview.port}"; 237 ExecStart = "${self.packages.${pkgs.system}.appview}/bin/appview"; 238 Restart = "always"; 239 }; 240 241 environment = { 242 TANGLED_DB_PATH = "appview.db"; 243 TANGLED_COOKIE_SECRET = config.services.tangled-appview.cookie_secret; 244 }; 245 }; 246 }; 247 }; 248 249 nixosModules.knot = { 250 config, 251 pkgs, 252 lib, 253 ... 254 }: let 255 cfg = config.services.tangled-knot; 256 in 257 with lib; { 258 options = { 259 services.tangled-knot = { 260 enable = mkOption { 261 type = types.bool; 262 default = false; 263 description = "Enable a tangled knot"; 264 }; 265 266 appviewEndpoint = mkOption { 267 type = types.str; 268 default = "https://tangled.sh"; 269 description = "Appview endpoint"; 270 }; 271 272 gitUser = mkOption { 273 type = types.str; 274 default = "git"; 275 description = "User that hosts git repos and performs git operations"; 276 }; 277 278 openFirewall = mkOption { 279 type = types.bool; 280 default = true; 281 description = "Open port 22 in the firewall for ssh"; 282 }; 283 284 stateDir = mkOption { 285 type = types.path; 286 default = "/home/${cfg.gitUser}"; 287 description = "Tangled knot data directory"; 288 }; 289 290 repo = { 291 scanPath = mkOption { 292 type = types.path; 293 default = cfg.stateDir; 294 description = "Path where repositories are scanned from"; 295 }; 296 297 mainBranch = mkOption { 298 type = types.str; 299 default = "main"; 300 description = "Default branch name for repositories"; 301 }; 302 }; 303 304 server = { 305 listenAddr = mkOption { 306 type = types.str; 307 default = "0.0.0.0:5555"; 308 description = "Address to listen on"; 309 }; 310 311 internalListenAddr = mkOption { 312 type = types.str; 313 default = "127.0.0.1:5444"; 314 description = "Internal address for inter-service communication"; 315 }; 316 317 secretFile = mkOption { 318 type = lib.types.path; 319 example = "KNOT_SERVER_SECRET=<hash>"; 320 description = "File containing secret key provided by appview (required)"; 321 }; 322 323 dbPath = mkOption { 324 type = types.path; 325 default = "${cfg.stateDir}/knotserver.db"; 326 description = "Path to the database file"; 327 }; 328 329 hostname = mkOption { 330 type = types.str; 331 example = "knot.tangled.sh"; 332 description = "Hostname for the server (required)"; 333 }; 334 335 dev = mkOption { 336 type = types.bool; 337 default = false; 338 description = "Enable development mode (disables signature verification)"; 339 }; 340 }; 341 }; 342 }; 343 344 config = mkIf cfg.enable { 345 environment.systemPackages = with pkgs; [git]; 346 347 system.activationScripts.gitConfig = '' 348 mkdir -p "${cfg.repo.scanPath}" 349 chown -R ${cfg.gitUser}:${cfg.gitUser} \ 350 "${cfg.repo.scanPath}" 351 352 mkdir -p "${cfg.stateDir}/.config/git" 353 cat > "${cfg.stateDir}/.config/git/config" << EOF 354 [user] 355 name = Git User 356 email = git@example.com 357 EOF 358 chown -R ${cfg.gitUser}:${cfg.gitUser} \ 359 "${cfg.stateDir}" 360 ''; 361 362 users.users.${cfg.gitUser} = { 363 isSystemUser = true; 364 useDefaultShell = true; 365 home = cfg.stateDir; 366 createHome = true; 367 group = cfg.gitUser; 368 }; 369 370 users.groups.${cfg.gitUser} = {}; 371 372 services.openssh = { 373 enable = true; 374 extraConfig = '' 375 Match User ${cfg.gitUser} 376 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper 377 AuthorizedKeysCommandUser nobody 378 ''; 379 }; 380 381 environment.etc."ssh/keyfetch_wrapper" = { 382 mode = "0555"; 383 text = '' 384 #!${pkgs.stdenv.shell} 385 ${self.packages.${pkgs.system}.knot}/bin/knot keys \ 386 -output authorized-keys \ 387 -internal-api "http://${cfg.server.internalListenAddr}" \ 388 -git-dir "${cfg.repo.scanPath}" \ 389 -log-path /tmp/knotguard.log 390 ''; 391 }; 392 393 systemd.services.knot = { 394 description = "knot service"; 395 after = ["network.target" "sshd.service"]; 396 wantedBy = ["multi-user.target"]; 397 serviceConfig = { 398 User = cfg.gitUser; 399 WorkingDirectory = cfg.stateDir; 400 Environment = [ 401 "KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}" 402 "KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}" 403 "APPVIEW_ENDPOINT=${cfg.appviewEndpoint}" 404 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}" 405 "KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}" 406 "KNOT_SERVER_DB_PATH=${cfg.server.dbPath}" 407 "KNOT_SERVER_HOSTNAME=${cfg.server.hostname}" 408 ]; 409 EnvironmentFile = cfg.server.secretFile; 410 ExecStart = "${self.packages.${pkgs.system}.knot}/bin/knot server"; 411 Restart = "always"; 412 }; 413 }; 414 415 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22]; 416 }; 417 }; 418 419 nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem { 420 system = "x86_64-linux"; 421 modules = [ 422 self.nixosModules.knot 423 ({ 424 config, 425 pkgs, 426 ... 427 }: { 428 virtualisation.memorySize = 2048; 429 virtualisation.diskSize = 10 * 1024; 430 virtualisation.cores = 2; 431 services.getty.autologinUser = "root"; 432 environment.systemPackages = with pkgs; [curl vim git]; 433 systemd.tmpfiles.rules = let 434 u = config.services.tangled-knot.gitUser; 435 g = config.services.tangled-knot.gitUser; 436 in [ 437 "d /var/lib/knot 0770 ${u} ${g} - -" # Create the directory first 438 "f+ /var/lib/knot/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=38a7c3237c2a585807e06a5bcfac92eb39442063f3da306b7acb15cfdc51d19d" 439 ]; 440 services.tangled-knot = { 441 enable = true; 442 server = { 443 secretFile = "/var/lib/knot/secret"; 444 hostname = "localhost:6000"; 445 listenAddr = "0.0.0.0:6000"; 446 }; 447 }; 448 }) 449 ]; 450 }; 451 }; 452}