kot.pink
1{
2 description = "atproto github";
3
4 inputs = {
5 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
6 indigo = {
7 url = "github:oppiliappan/indigo";
8 flake = false;
9 };
10 htmx-src = {
11 url = "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js";
12 flake = false;
13 };
14 lucide-src = {
15 url = "https://github.com/lucide-icons/lucide/releases/download/0.483.0/lucide-icons-0.483.0.zip";
16 flake = false;
17 };
18 inter-fonts-src = {
19 url = "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip";
20 flake = false;
21 };
22 ibm-plex-mono-src = {
23 url = "https://github.com/IBM/plex/releases/download/%40ibm%2Fplex-mono%401.1.0/ibm-plex-mono.zip";
24 flake = false;
25 };
26 gitignore = {
27 url = "github:hercules-ci/gitignore.nix";
28 inputs.nixpkgs.follows = "nixpkgs";
29 };
30 };
31
32 outputs = {
33 self,
34 nixpkgs,
35 indigo,
36 htmx-src,
37 lucide-src,
38 gitignore,
39 inter-fonts-src,
40 ibm-plex-mono-src,
41 }: let
42 supportedSystems = ["x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin"];
43 forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
44 nixpkgsFor = forAllSystems (system:
45 import nixpkgs {
46 inherit system;
47 overlays = [self.overlays.default];
48 });
49 inherit (gitignore.lib) gitignoreSource;
50 in {
51 overlays.default = final: prev: let
52 goModHash = "sha256-ZckpIPqFk7/XBiEJUbmrAzdjAxV62hv896xqAXF2aZs=";
53 appviewBuildAttrs = final:
54 with final; {
55 pname = "appview";
56 version = "0.1.0";
57 src = gitignoreSource ./.;
58 postUnpack = ''
59 pushd source
60 mkdir -p appview/pages/static/{fonts,icons}
61 cp -f ${htmx-src} appview/pages/static/htmx.min.js
62 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/
63 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/
64 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/
65 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/
66 ${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o appview/pages/static/tw.css
67 popd
68 '';
69 doCheck = false;
70 subPackages = ["cmd/appview"];
71 vendorHash = goModHash;
72 env.CGO_ENABLED = 1;
73 stdenv = pkgsStatic.stdenv;
74 };
75 knotBuildAttrs = final:
76 with final; {
77 pname = "knot";
78 version = "0.1.0";
79 src = gitignoreSource ./.;
80 subPackages = ["cmd/knot"];
81 vendorHash = goModHash;
82 env.CGO_ENABLED = 1;
83 };
84 in {
85 indigo-lexgen = final.buildGoModule {
86 pname = "indigo-lexgen";
87 version = "0.1.0";
88 src = indigo;
89 subPackages = ["cmd/lexgen"];
90 vendorHash = "sha256-pGc29fgJFq8LP7n/pY1cv6ExZl88PAeFqIbFEhB3xXs=";
91 doCheck = false;
92 };
93
94 # appview packages
95 appview = final.pkgsStatic.buildGoModule (appviewBuildAttrs final);
96 appview-cross = final.pkgsCross.gnu64.pkgsStatic.buildGoModule (appviewBuildAttrs final);
97
98 # knot packages
99 knot = with final;
100 final.pkgsStatic.buildGoModule ((knotBuildAttrs final)
101 // {
102 nativeBuildInputs = [final.makeWrapper];
103 installPhase = ''
104 runHook preInstall
105
106 mkdir -p $out/bin
107 cp $GOPATH/bin/knot $out/bin/knot
108
109 wrapProgram $out/bin/knot \
110 --prefix PATH : ${pkgs.git}/bin
111
112 runHook postInstall
113 '';
114 });
115 knot-cross = final.pkgsCross.gnu64.pkgsStatic.buildGoModule (knotBuildAttrs final); # cross-compile on darwin to x86_64-linux
116 knot-unwrapped = final.pkgsStatic.buildGoModule (knotBuildAttrs final);
117
118 genjwks = final.buildGoModule {
119 pname = "genjwks";
120 version = "0.1.0";
121 src = gitignoreSource ./.;
122 subPackages = ["cmd/genjwks"];
123 vendorHash = goModHash;
124 env.CGO_ENABLED = 0;
125 };
126 };
127 packages = forAllSystems (system: {
128 inherit
129 (nixpkgsFor."${system}")
130 indigo-lexgen
131 appview
132 appview-cross
133 knot
134 knot-cross
135 knot-unwrapped
136 genjwks
137 ;
138 });
139 defaultPackage = forAllSystems (system: nixpkgsFor.${system}.appview);
140 formatter = forAllSystems (system: nixpkgsFor."${system}".alejandra);
141 devShells = forAllSystems (system: let
142 pkgs = nixpkgsFor.${system};
143 staticShell = pkgs.mkShell.override {
144 stdenv = pkgs.pkgsStatic.stdenv;
145 };
146 in {
147 default = staticShell {
148 nativeBuildInputs = [
149 pkgs.go
150 pkgs.air
151 pkgs.gopls
152 pkgs.httpie
153 pkgs.indigo-lexgen
154 pkgs.litecli
155 pkgs.websocat
156 pkgs.tailwindcss
157 pkgs.nixos-shell
158 pkgs.redis
159 ];
160 shellHook = ''
161 mkdir -p appview/pages/static/{fonts,icons}
162 cp -f ${htmx-src} appview/pages/static/htmx.min.js
163 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/
164 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/
165 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/
166 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/
167 export TANGLED_OAUTH_JWKS="$(${pkgs.genjwks}/bin/genjwks)"
168 '';
169 env.CGO_ENABLED = 1;
170 };
171 });
172 apps = forAllSystems (system: let
173 pkgs = nixpkgsFor."${system}";
174 air-watcher = name: arg:
175 pkgs.writeShellScriptBin "run"
176 ''
177 ${pkgs.air}/bin/air -c /dev/null \
178 -build.cmd "${pkgs.go}/bin/go build -o ./out/${name}.out ./cmd/${name}/main.go" \
179 -build.bin "./out/${name}.out ${arg}" \
180 -build.stop_on_error "true" \
181 -build.include_ext "go"
182 '';
183 tailwind-watcher =
184 pkgs.writeShellScriptBin "run"
185 ''
186 ${pkgs.tailwindcss}/bin/tailwindcss -w -i input.css -o ./appview/pages/static/tw.css
187 '';
188 in {
189 watch-appview = {
190 type = "app";
191 program = ''${air-watcher "appview" ""}/bin/run'';
192 };
193 watch-knot = {
194 type = "app";
195 program = ''${air-watcher "knot" "server"}/bin/run'';
196 };
197 watch-tailwind = {
198 type = "app";
199 program = ''${tailwind-watcher}/bin/run'';
200 };
201 });
202
203 nixosModules.knot = {
204 config,
205 pkgs,
206 lib,
207 ...
208 }: let
209 cfg = config.services.tangled-knot;
210 in
211 with lib; {
212 options = {
213 services.tangled-knot = {
214 enable = mkOption {
215 type = types.bool;
216 default = false;
217 description = "Enable a tangled knot";
218 };
219
220 appviewEndpoint = mkOption {
221 type = types.str;
222 default = "https://tangled.sh";
223 description = "Appview endpoint";
224 };
225
226 gitUser = mkOption {
227 type = types.str;
228 default = "git";
229 description = "User that hosts git repos and performs git operations";
230 };
231
232 openFirewall = mkOption {
233 type = types.bool;
234 default = true;
235 description = "Open port 22 in the firewall for ssh";
236 };
237
238 stateDir = mkOption {
239 type = types.path;
240 default = "/home/${cfg.gitUser}";
241 description = "Tangled knot data directory";
242 };
243
244 repo = {
245 scanPath = mkOption {
246 type = types.path;
247 default = cfg.stateDir;
248 description = "Path where repositories are scanned from";
249 };
250
251 mainBranch = mkOption {
252 type = types.str;
253 default = "main";
254 description = "Default branch name for repositories";
255 };
256 };
257
258 server = {
259 listenAddr = mkOption {
260 type = types.str;
261 default = "0.0.0.0:5555";
262 description = "Address to listen on";
263 };
264
265 internalListenAddr = mkOption {
266 type = types.str;
267 default = "127.0.0.1:5444";
268 description = "Internal address for inter-service communication";
269 };
270
271 secretFile = mkOption {
272 type = lib.types.path;
273 example = "KNOT_SERVER_SECRET=<hash>";
274 description = "File containing secret key provided by appview (required)";
275 };
276
277 dbPath = mkOption {
278 type = types.path;
279 default = "${cfg.stateDir}/knotserver.db";
280 description = "Path to the database file";
281 };
282
283 hostname = mkOption {
284 type = types.str;
285 example = "knot.tangled.sh";
286 description = "Hostname for the server (required)";
287 };
288
289 dev = mkOption {
290 type = types.bool;
291 default = false;
292 description = "Enable development mode (disables signature verification)";
293 };
294 };
295 };
296 };
297
298 config = mkIf cfg.enable {
299 environment.systemPackages = with pkgs; [git];
300
301 system.activationScripts.gitConfig = ''
302 mkdir -p "${cfg.repo.scanPath}"
303 chown -R ${cfg.gitUser}:${cfg.gitUser} \
304 "${cfg.repo.scanPath}"
305
306 mkdir -p "${cfg.stateDir}/.config/git"
307 cat > "${cfg.stateDir}/.config/git/config" << EOF
308 [user]
309 name = Git User
310 email = git@example.com
311 EOF
312 chown -R ${cfg.gitUser}:${cfg.gitUser} \
313 "${cfg.stateDir}"
314 '';
315
316 users.users.${cfg.gitUser} = {
317 isSystemUser = true;
318 useDefaultShell = true;
319 home = cfg.stateDir;
320 createHome = true;
321 group = cfg.gitUser;
322 };
323
324 users.groups.${cfg.gitUser} = {};
325
326 services.openssh = {
327 enable = true;
328 extraConfig = ''
329 Match User ${cfg.gitUser}
330 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper
331 AuthorizedKeysCommandUser nobody
332 '';
333 };
334
335 environment.etc."ssh/keyfetch_wrapper" = {
336 mode = "0555";
337 text = ''
338 #!${pkgs.stdenv.shell}
339 ${self.packages.${pkgs.system}.knot}/bin/knot keys \
340 -output authorized-keys \
341 -internal-api "http://${cfg.server.internalListenAddr}" \
342 -git-dir "${cfg.repo.scanPath}" \
343 -log-path /tmp/knotguard.log
344 '';
345 };
346
347 systemd.services.knot = {
348 description = "knot service";
349 after = ["network.target" "sshd.service"];
350 wantedBy = ["multi-user.target"];
351 serviceConfig = {
352 User = cfg.gitUser;
353 WorkingDirectory = cfg.stateDir;
354 Environment = [
355 "KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}"
356 "KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}"
357 "APPVIEW_ENDPOINT=${cfg.appviewEndpoint}"
358 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}"
359 "KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}"
360 "KNOT_SERVER_DB_PATH=${cfg.server.dbPath}"
361 "KNOT_SERVER_HOSTNAME=${cfg.server.hostname}"
362 ];
363 EnvironmentFile = cfg.server.secretFile;
364 ExecStart = "${self.packages.${pkgs.system}.knot}/bin/knot server";
365 Restart = "always";
366 };
367 };
368
369 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22];
370 };
371 };
372
373 nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem {
374 system = "x86_64-linux";
375 modules = [
376 self.nixosModules.knot
377 ({
378 config,
379 pkgs,
380 ...
381 }: {
382 virtualisation.memorySize = 2048;
383 virtualisation.diskSize = 10 * 1024;
384 virtualisation.cores = 2;
385 services.getty.autologinUser = "root";
386 environment.systemPackages = with pkgs; [curl vim git];
387 systemd.tmpfiles.rules = let
388 u = config.services.tangled-knot.gitUser;
389 g = config.services.tangled-knot.gitUser;
390 in [
391 "d /var/lib/knot 0770 ${u} ${g} - -" # Create the directory first
392 "f+ /var/lib/knot/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=38a7c3237c2a585807e06a5bcfac92eb39442063f3da306b7acb15cfdc51d19d"
393 ];
394 services.tangled-knot = {
395 enable = true;
396 server = {
397 secretFile = "/var/lib/knot/secret";
398 hostname = "localhost:6000";
399 listenAddr = "0.0.0.0:6000";
400 };
401 };
402 })
403 ];
404 };
405 nixosModules.appview = import ./nix/modules/appview.nix {inherit self;};
406 };
407}