keea.dog / knot-spindle
forked from tangled.org/knot-docker
Community maintained Docker config for the spindle server
fork atom

Compare changes

Choose any two refs to compare.

options
unified split
Changed files
+150 -105
.gitignore
Dockerfile
docker-compose.yml
license.txt
readme.md
rootfs
etc
s6-overlay
s6-rc.d
create-sshd-host-keys
type
up
knotserver
dependencies.d
base
run
type
spindleserver
dependencies.d
base
run
type
sshd
dependencies.d
base
create-sshd-host-keys
run
type
user
contents.d
knotserver
spindleserver
sshd
scripts
create-sshd-host-keys
keys-wrapper
ssh
sshd_config.d
tangled_sshd.conf
+1
.gitignore 
···

       

       
1

       
+

       
.DS_Store
+30 -34
Dockerfile 
···

       
1

       

       
-

       
FROM docker.io/golang:1.24-alpine3.21 AS build


     

       
2

       

       
-

       



     

       

       
1

       
+

       
FROM golang:1.24-alpine AS builder


     

       
3

       
2

       
 

       
ENV CGO_ENABLED=1


     

       
4

       

       
-

       
ENV KNOT_REPO_SCAN_PATH=/home/git/repositories


     

       
5

       

       
-

       
WORKDIR /usr/src/app


     

       
6

       

       
-

       
COPY go.mod go.sum ./


     

       
7

       
3

       
 

       



     

       
8

       

       
-

       
RUN apk add --no-cache gcc musl-dev


     

       
9

       

       
-

       
RUN go mod download


     

       

       
4

       
+

       
ARG TAG='v1.10.0-alpha'


     

       
10

       
5

       
 

       



     

       
11

       

       
-

       
COPY . .


     

       
12

       

       
-

       
RUN go build -v \


     

       
13

       

       
-

       
    -o /usr/local/bin/knot \


     

       
14

       

       
-

       
    -ldflags='-s -w -extldflags "-static"' \


     

       
15

       

       
-

       
    ./cmd/knot


     

       

       
6

       
+

       
WORKDIR /app


     

       

       
7

       
+

       
RUN apk add git gcc musl-dev


     

       

       
8

       
+

       
RUN git clone -b ${TAG} https://tangled.org/@tangled.org/core .


     

       

       
9

       
+

       
RUN go build -o /usr/bin/spindle -ldflags '-s -w -extldflags "-static"' ./cmd/spindle


     

       
16

       
10

       
 

       



     

       
17

       

       
-

       
FROM docker.io/alpine:3.21


     

       

       
11

       
+

       
FROM alpine:edge


     

       
18

       
12

       
 

       



     

       
19

       

       
-

       
LABEL org.opencontainers.image.title=Tangled


     

       
20

       

       
-

       
LABEL org.opencontainers.image.description="Tangled is a decentralized and open code collaboration platform, built on atproto."


     

       
21

       

       
-

       
LABEL org.opencontainers.image.vendor=Tangled.sh


     

       
22

       

       
-

       
LABEL org.opencontainers.image.licenses=MIT


     

       
23

       

       
-

       
LABEL org.opencontainers.image.url=https://tangled.sh


     

       
24

       

       
-

       
LABEL org.opencontainers.image.source=https://tangled.sh/@tangled.sh/core


     

       

       
13

       
+

       
ARG PORT=6555


     

       

       
14

       
+

       
EXPOSE $PORT


     

       
25

       
15

       
 

       



     

       
26

       

       
-

       
RUN apk add --no-cache shadow s6-overlay execline openssh git curl && \


     

       
27

       

       
-

       
    adduser --disabled-password git && \


     

       
28

       

       
-

       
    # We need to set password anyway since otherwise ssh won't work


     

       
29

       

       
-

       
    head -c 32 /dev/random | base64 | tr -dc 'a-zA-Z0-9' | passwd git --stdin && \


     

       
30

       

       
-

       
    mkdir /app && mkdir /home/git/repositories


     

       

       
16

       
+

       
LABEL org.opencontainers.image.title='spindle'


     

       

       
17

       
+

       
LABEL org.opencontainers.image.description='CI runner for tangled'


     

       

       
18

       
+

       
LABEL org.opencontainers.image.source='https://tangled.org/@keea.dog/spindle-docker'


     

       

       
19

       
+

       
LABEL org.opencontainers.image.url='https://tangled.org'


     

       

       
20

       
+

       
LABEL org.opencontainers.image.vendor='tangled.org'


     

       

       
21

       
+

       
LABEL org.opencontainers.image.licenses='MIT'


     

       
31

       
22

       
 

       



     

       
32

       

       
-

       
COPY --from=build /usr/local/bin/knot /usr/local/bin


     

       
33

       

       
-

       
COPY docker/rootfs/ .


     

       
34

       

       
-

       
RUN chmod +x /etc/s6-overlay/scripts/keys-wrapper && \


     

       
35

       

       
-

       
    chown git:git /app && \


     

       
36

       

       
-

       
    chown -R git:git /home/git/repositories


     

       

       
23

       
+

       
ARG UID=1000


     

       

       
24

       
+

       
ARG GID=1000


     

       
37

       
25

       
 

       



     

       
38

       

       
-

       
EXPOSE 22


     

       
39

       

       
-

       
EXPOSE 5555


     

       

       
26

       
+

       
COPY rootfs .


     

       

       
27

       
+

       
RUN chmod 755 /etc


     

       

       
28

       
+

       
RUN chmod -R 755 /etc/s6-overlay


     

       

       
29

       
+

       
RUN apk add shadow s6-overlay execline openssl curl


     

       

       
30

       
+

       
RUN groupadd -g $GID -f spindle


     

       

       
31

       
+

       
RUN useradd -u $UID -g $GID -d /home/spindle spindle


     

       

       
32

       
+

       
RUN openssl rand -hex 16 | passwd --stdin spindle


     

       

       
33

       
+

       
RUN mkdir -p /home/spindle/repositories && chown -R spindle:spindle /home/spindle


     

       

       
34

       
+

       
COPY --from=builder /usr/bin/spindle /usr/bin


     

       

       
35

       
+

       
RUN mkdir /app && chown -R spindle:spindle /app


     

       
40

       
36

       
 

       



     

       
41

       

       
-

       
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \


     

       
42

       

       
-

       
    CMD curl -f http://localhost:5555/ || exit 1


     

       

       
37

       
+

       
HEALTHCHECK --interval=60s --timeout=30s --start-period=5s --retries=3 \


     

       

       
38

       
+

       
    CMD curl -f http://localhost:${PORT} || exit 1


     

       
43

       
39

       
 

       



     

       
44

       

       
-

       
ENTRYPOINT ["/init"]

     

       

       
40

       
+

       
ENTRYPOINT ["/init"]
+22 -20
docker-compose.yml 
···

       
1

       
1

       
 

       
services:


     

       
2

       

       
-

       
  knot:


     

       

       
2

       
+

       
  spindle:


     

       
3

       
3

       
 

       
    build:


     

       
4

       

       
-

       
      context: ..


     

       
5

       

       
-

       
      dockerfile: docker/Dockerfile


     

       

       
4

       
+

       
      context: .


     

       

       
5

       
+

       
      args:


     

       

       
6

       
+

       
        UID: 1000


     

       

       
7

       
+

       
        GID: 1000


     

       

       
8

       
+

       
        PORT: ${INTERNAL_PORT:-6555}


     

       
6

       
9

       
 

       
    environment:


     

       
7

       

       
-

       
      KNOT_SERVER_HOSTNAME: ${KNOT_SERVER_HOSTNAME}


     

       
8

       

       
-

       
      KNOT_SERVER_SECRET: ${KNOT_SERVER_SECRET}


     

       
9

       

       
-

       
      KNOT_SERVER_DB_PATH: "/app/knotserver.db"


     

       
10

       

       
-

       
      KNOT_REPO_SCAN_PATH: "/home/git/repositories"


     

       
11

       

       
-

       
      KNOT_SERVER_INTERNAL_LISTEN_ADDR: "localhost:5444"


     

       

       
10

       
+

       
      SPINDLE_SERVER_HOSTNAME: ${SPINDLE_SERVER_HOSTNAME}


     

       

       
11

       
+

       
      SPINDLE_SERVER_OWNER: ${SPINDLE_SERVER_OWNER}


     

       

       
12

       
+

       
      SPINDLE_SERVER_DB_PATH: /app/spindle.db


     

       

       
13

       
+

       
      SPINDLE_SERVER_LISTEN_ADDR: localhost:6555


     

       

       
14

       
+

       
      SPINDLE_PIPELINES_LOG_DIR: /var/log/spindle


     

       

       
15

       
+

       
      PORT: ${INTERNAL_PORT:-6555}


     

       
12

       
16

       
 

       
    volumes:


     

       
13

       

       
-

       
      - "./keys:/etc/ssh/keys"


     

       
14

       

       
-

       
      - "./repositories:/home/git/repositories"


     

       
15

       

       
-

       
      - "./server:/app"


     

       

       
17

       
+

       
      - ./server:/app


     

       

       
18

       
+

       
      - /var/run/docker.sock:/var/run/docker.sock


     

       
16

       
19

       
 

       
    ports:


     

       
17

       

       
-

       
      - "5555:5555"


     

       
18

       

       
-

       
      - "2222:22"


     

       

       
20

       
+

       
      - "${INTERNAL_PORT:-6555}:${INTERNAL_PORT:-6555}"


     

       
19

       
21

       
 

       
    restart: always


     

       
20

       
22

       
 

       
  frontend:


     

       
21

       

       
-

       
    image: caddy:2-alpine


     

       

       
23

       
+

       
    image: caddy:alpine


     

       
22

       
24

       
 

       
    command: >


     

       
23

       
25

       
 

       
      caddy


     

       
24

       
26

       
 

       
      reverse-proxy


     

       
25

       

       
-

       
      --from ${KNOT_SERVER_HOSTNAME}


     

       
26

       

       
-

       
      --to knot:5555


     

       

       
27

       
+

       
      --from ${SPINDLE_SERVER_HOSTNAME}


     

       

       
28

       
+

       
      --to spindle:6555


     

       
27

       
29

       
 

       
    depends_on:


     

       
28

       

       
-

       
      - knot


     

       

       
30

       
+

       
      - spindle


     

       
29

       
31

       
 

       
    ports:


     

       
30

       

       
-

       
      - "${KNOT_SERVER_PORT:-443}:443"


     

       
31

       

       
-

       
      - "${KNOT_SERVER_PORT:-443}:443/udp"


     

       

       
32

       
+

       
      - ${SPINDLE_SERVER_PORT:-443}:443


     

       

       
33

       
+

       
      - ${SPINDLE_SERVER_PORT:-443}:443/udp


     

       
32

       
34

       
 

       
    volumes:


     

       
33

       

       
-

       
      - caddy_data:/data


     

       

       
35

       
+

       
      - ./caddy_data:/data


     

       
34

       
36

       
 

       
    restart: always


     

       
35

       
37

       
 

       
    profiles: ["caddy"]
+22
license.txt 
···

       

       
1

       
+

       
MIT License


     

       

       
2

       
+

       



     

       

       
3

       
+

       
Copyright (c) 2025 Tangled Team


     

       

       
4

       
+

       



     

       

       
5

       
+

       
Permission is hereby granted, free of charge, to any person obtaining a copy


     

       

       
6

       
+

       
of this software and associated documentation files (the "Software"), to deal


     

       

       
7

       
+

       
in the Software without restriction, including without limitation the rights


     

       

       
8

       
+

       
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell


     

       

       
9

       
+

       
copies of the Software, and to permit persons to whom the Software is


     

       

       
10

       
+

       
furnished to do so, subject to the following conditions:


     

       

       
11

       
+

       



     

       

       
12

       
+

       
The above copyright notice and this permission notice shall be included in all


     

       

       
13

       
+

       
copies or substantial portions of the Software.


     

       

       
14

       
+

       



     

       

       
15

       
+

       
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR


     

       

       
16

       
+

       
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,


     

       

       
17

       
+

       
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE


     

       

       
18

       
+

       
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER


     

       

       
19

       
+

       
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,


     

       

       
20

       
+

       
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE


     

       

       
21

       
+

       
SOFTWARE.


     

       

       
22

       
+
+71 -3
readme.md 
···

       
1

       

       
-

       
# knot-docker


     

       

       
1

       
+

       
# Knot Docker


     

       

       
2

       
+

       



     

       

       
3

       
+

       
> **IMPORTANT**


     

       

       
4

       
+

       
> This is a community maintained repository, support is not guaranteed.


     

       

       
5

       
+

       



     

       

       
6

       
+

       
Docker container and compose setup to run a [Tangled](https://tangled.org) knot


     

       

       
7

       
+

       
and host your own repository data.


     

       

       
8

       
+

       



     

       

       
9

       
+

       
## Pre-built Images


     

       

       
10

       
+

       



     

       

       
11

       
+

       
There is a [repository](https://hub.docker.com/r/tngl/knot) of pre-built images


     

       

       
12

       
+

       
for tags starting at `v1.8.0-alpha` if you prefer.


     

       

       
13

       
+

       



     

       

       
14

       
+

       
```


     

       

       
15

       
+

       
docker pull tngl/knot:v1.10.0-alpha


     

       

       
16

       
+

       
```


     

       

       
17

       
+

       



     

       

       
18

       
+

       
Note that these are *not* official images, you use them at your own risk.


     

       

       
19

       
+

       



     

       

       
20

       
+

       
## Building The Image


     

       

       
21

       
+

       



     

       

       
22

       
+

       
By default the `Dockerfile` will build the latest tag, but you can change it


     

       

       
23

       
+

       
with the `TAG` build argument.


     

       
2

       
24

       
 

       



     

       
3

       

       
-

       
This is a community maintained Docker setup for hosting your own knot


     

       
4

       

       
-

       
server.


     

       

       
25

       
+

       
```sh


     

       

       
26

       
+

       
docker build -t knot:latest --build-arg TAG=master .


     

       

       
27

       
+

       
```


     

       

       
28

       
+

       



     

       

       
29

       
+

       
The command above for example will build the latest commit on the `master`


     

       

       
30

       
+

       
branch.


     

       

       
31

       
+

       



     

       

       
32

       
+

       
By default it will also create a `git` user with user and group ID 1000:1000,


     

       

       
33

       
+

       
but you can change it with the `UID` and `GID` build arguments.


     

       

       
34

       
+

       



     

       

       
35

       
+

       
```sh


     

       

       
36

       
+

       
docker build -t knot:latest --build-arg UID=$(id -u) GID=$(id -g)


     

       

       
37

       
+

       
```


     

       

       
38

       
+

       



     

       

       
39

       
+

       
The command above for example will create a user with the host user's UID and GID.


     

       

       
40

       
+

       
This is useful if you are bind mounting the repositories and app folder on the host,


     

       

       
41

       
+

       
as in the provided `docker-compose.yml` file.


     

       

       
42

       
+

       



     

       

       
43

       
+

       
<hr style="margin-bottom: 20px; margin-top: 10px" />


     

       

       
44

       
+

       



     

       

       
45

       
+

       
When using compose, these can be specified as build arguments which will be


     

       

       
46

       
+

       
passed to the builder.


     

       

       
47

       
+

       



     

       

       
48

       
+

       
```yaml


     

       

       
49

       
+

       
build:


     

       

       
50

       
+

       
  context: .


     

       

       
51

       
+

       
  args:


     

       

       
52

       
+

       
    TAG: master


     

       

       
53

       
+

       
    UID: 1000


     

       

       
54

       
+

       
    GID: 1000


     

       

       
55

       
+

       
```


     

       

       
56

       
+

       



     

       

       
57

       
+

       
This will for example tell docker to build it using the `master` branch like


     

       

       
58

       
+

       
the command.


     

       

       
59

       
+

       



     

       

       
60

       
+

       
## Setting Up The Image


     

       

       
61

       
+

       



     

       

       
62

       
+

       
The simplest way to set up your own knot is to use the provided compose file


     

       

       
63

       
+

       
and run the following:


     

       

       
64

       
+

       



     

       

       
65

       
+

       
```sh


     

       

       
66

       
+

       
export KNOT_SERVER_HOSTNAME=example.com


     

       

       
67

       
+

       
export KNOT_SERVER_OWNER=did:plc:yourdidgoeshere


     

       

       
68

       
+

       
export KNOT_SERVER_PORT=443


     

       

       
69

       
+

       
docker compose up -d


     

       

       
70

       
+

       
```


     

       

       
71

       
+

       



     

       

       
72

       
+

       
This will setup everything for you including a reverse proxy.
-1
rootfs/etc/s6-overlay/s6-rc.d/create-sshd-host-keys/type 
···

       
1

       

       
-

       
oneshot
-1
rootfs/etc/s6-overlay/s6-rc.d/create-sshd-host-keys/up 
···

       
1

       

       
-

       
/etc/s6-overlay/scripts/create-sshd-host-keys
rootfs/etc/s6-overlay/s6-rc.d/knotserver/dependencies.d/base

This is a binary file and will not be displayed.

-3
rootfs/etc/s6-overlay/s6-rc.d/knotserver/run 
···

       
1

       

       
-

       
#!/command/with-contenv ash


     

       
2

       

       
-

       



     

       
3

       

       
-

       
exec s6-setuidgid git /usr/local/bin/knot server
-1
rootfs/etc/s6-overlay/s6-rc.d/knotserver/type 
···

       
1

       

       
-

       
longrun
rootfs/etc/s6-overlay/s6-rc.d/spindleserver/dependencies.d/base

This is a binary file and will not be displayed.

+3
rootfs/etc/s6-overlay/s6-rc.d/spindleserver/run 
···

       

       
1

       
+

       
#!/command/with-contenv ash


     

       

       
2

       
+

       



     

       

       
3

       
+

       
exec s6-setuidgid spindle /usr/bin/spindle server
+1
rootfs/etc/s6-overlay/s6-rc.d/spindleserver/type 
···

       

       
1

       
+

       
longrun
rootfs/etc/s6-overlay/s6-rc.d/sshd/dependencies.d/base

This is a binary file and will not be displayed.

rootfs/etc/s6-overlay/s6-rc.d/sshd/dependencies.d/create-sshd-host-keys

This is a binary file and will not be displayed.

-3
rootfs/etc/s6-overlay/s6-rc.d/sshd/run 
···

       
1

       

       
-

       
#!/usr/bin/execlineb -P


     

       
2

       

       
-

       



     

       
3

       

       
-

       
/usr/sbin/sshd -e -D
-1
rootfs/etc/s6-overlay/s6-rc.d/sshd/type 
···

       
1

       

       
-

       
longrun
rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/knotserver

This is a binary file and will not be displayed.

rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/spindleserver

This is a binary file and will not be displayed.

rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/sshd

This is a binary file and will not be displayed.

-21
rootfs/etc/s6-overlay/scripts/create-sshd-host-keys 
···

       
1

       

       
-

       
#!/usr/bin/execlineb -P


     

       
2

       

       
-

       



     

       
3

       

       
-

       
foreground {


     

       
4

       

       
-

       
  if -n { test -d /etc/ssh/keys }


     

       
5

       

       
-

       
  mkdir /etc/ssh/keys


     

       
6

       

       
-

       
}


     

       
7

       

       
-

       



     

       
8

       

       
-

       
foreground {


     

       
9

       

       
-

       
  if -n { test -f /etc/ssh/keys/ssh_host_rsa_key }


     

       
10

       

       
-

       
  ssh-keygen -t rsa -f /etc/ssh/keys/ssh_host_rsa_key -q -N ""


     

       
11

       

       
-

       
}


     

       
12

       

       
-

       



     

       
13

       

       
-

       
foreground {


     

       
14

       

       
-

       
  if -n { test -f /etc/ssh/keys/ssh_host_ecdsa_key }


     

       
15

       

       
-

       
  ssh-keygen -t rsa -f /etc/ssh/keys/ssh_host_ecdsa_key -q -N ""


     

       
16

       

       
-

       
}


     

       
17

       

       
-

       



     

       
18

       

       
-

       
foreground {


     

       
19

       

       
-

       
  if -n { test -f /etc/ssh/keys/ssh_host_ed25519_key }


     

       
20

       

       
-

       
  ssh-keygen -t rsa -f /etc/ssh/keys/ssh_host_ed25519_key -q -N ""


     

       
21

       

       
-

       
}
-8
rootfs/etc/s6-overlay/scripts/keys-wrapper 
···

       
1

       

       
-

       
#!/bin/sh


     

       
2

       

       
-

       



     

       
3

       

       
-

       
# Execute the knot keys command with proper shell context


     

       
4

       

       
-

       
exec /bin/sh -c '/usr/local/bin/knot keys \


     

       
5

       

       
-

       
    -output authorized-keys \


     

       
6

       

       
-

       
    -internal-api "http://${KNOT_SERVER_INTERNAL_LISTEN_ADDR:-localhost:5444}" \


     

       
7

       

       
-

       
    -git-dir "${KNOT_REPO_SCAN_PATH:-/home/git/repositories}" \


     

       
8

       

       
-

       
    -log-path "/tmp/knotguard.log"'
-9
rootfs/etc/ssh/sshd_config.d/tangled_sshd.conf 
···

       
1

       

       
-

       
HostKey /etc/ssh/keys/ssh_host_rsa_key


     

       
2

       

       
-

       
HostKey /etc/ssh/keys/ssh_host_ecdsa_key


     

       
3

       

       
-

       
HostKey /etc/ssh/keys/ssh_host_ed25519_key


     

       
4

       

       
-

       



     

       
5

       

       
-

       
PasswordAuthentication no


     

       
6

       

       
-

       



     

       
7

       

       
-

       
Match User git


     

       
8

       

       
-

       
  AuthorizedKeysCommand /etc/s6-overlay/scripts/keys-wrapper


     

       
9

       

       
-

       
  AuthorizedKeysCommandUser nobody