kot.pink
1{
2 description = "atproto github";
3
4 inputs = {
5 nixpkgs.url = "github:nixos/nixpkgs";
6 indigo = {
7 url = "github:oppiliappan/indigo";
8 flake = false;
9 };
10 htmx-src = {
11 url = "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js";
12 flake = false;
13 };
14 lucide-src = {
15 url = "https://unpkg.com/lucide@latest";
16 flake = false;
17 };
18 ia-fonts-src = {
19 url = "github:iaolo/iA-Fonts";
20 flake = false;
21 };
22 gitignore = {
23 url = "github:hercules-ci/gitignore.nix";
24 inputs.nixpkgs.follows = "nixpkgs";
25 };
26 };
27
28 outputs = {
29 self,
30 nixpkgs,
31 indigo,
32 htmx-src,
33 lucide-src,
34 gitignore,
35 ia-fonts-src,
36 }: let
37 supportedSystems = ["x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin"];
38 forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
39 nixpkgsFor = forAllSystems (system:
40 import nixpkgs {
41 inherit system;
42 overlays = [self.overlays.default];
43 });
44 inherit (gitignore.lib) gitignoreSource;
45 in {
46 overlays.default = final: prev: let
47 goModHash = "sha256-k+WeNx9jZ5YGgskCJYiU2mwyz25E0bhFgSg2GDWZXFw=";
48 buildCmdPackage = name:
49 final.buildGoModule {
50 pname = name;
51 version = "0.1.0";
52 src = gitignoreSource ./.;
53 subPackages = ["cmd/${name}"];
54 vendorHash = goModHash;
55 env.CGO_ENABLED = 0;
56 };
57 in {
58 indigo-lexgen = with final;
59 final.buildGoModule {
60 pname = "indigo-lexgen";
61 version = "0.1.0";
62 src = indigo;
63 subPackages = ["cmd/lexgen"];
64 vendorHash = "sha256-pGc29fgJFq8LP7n/pY1cv6ExZl88PAeFqIbFEhB3xXs=";
65 doCheck = false;
66 };
67
68 appview = with final;
69 final.pkgsStatic.buildGoModule {
70 pname = "appview";
71 version = "0.1.0";
72 src = gitignoreSource ./.;
73 postUnpack = ''
74 pushd source
75 cp -f ${htmx-src} appview/pages/static/htmx.min.js
76 cp -f ${lucide-src} appview/pages/static/lucide.min.js
77 mkdir -p appview/pages/static/fonts
78 cp -f ${ia-fonts-src}/"iA Writer Quattro"/Static/*.ttf appview/pages/static/fonts/
79 cp -f ${ia-fonts-src}/"iA Writer Mono"/Static/*.ttf appview/pages/static/fonts/
80 ${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o appview/pages/static/tw.css
81 popd
82 '';
83 doCheck = false;
84 subPackages = ["cmd/appview"];
85 vendorHash = goModHash;
86 env.CGO_ENABLED = 1;
87 stdenv = pkgsStatic.stdenv;
88 };
89
90 knotserver = with final;
91 final.pkgsStatic.buildGoModule {
92 pname = "knotserver";
93 version = "0.1.0";
94 src = gitignoreSource ./.;
95 nativeBuildInputs = [final.makeWrapper];
96 subPackages = ["cmd/knotserver"];
97 vendorHash = goModHash;
98 installPhase = ''
99 runHook preInstall
100
101 mkdir -p $out/bin
102 cp $GOPATH/bin/knotserver $out/bin/knotserver
103
104 wrapProgram $out/bin/knotserver \
105 --prefix PATH : ${pkgs.git}/bin
106
107 runHook postInstall
108 '';
109 env.CGO_ENABLED = 1;
110 };
111 knotserver-unwrapped = with final;
112 final.pkgsStatic.buildGoModule {
113 pname = "knotserver";
114 version = "0.1.0";
115 src = gitignoreSource ./.;
116 subPackages = ["cmd/knotserver"];
117 vendorHash = goModHash;
118 env.CGO_ENABLED = 1;
119 };
120 repoguard = buildCmdPackage "repoguard";
121 keyfetch = buildCmdPackage "keyfetch";
122 };
123 packages = forAllSystems (system: {
124 inherit
125 (nixpkgsFor."${system}")
126 indigo-lexgen
127 appview
128 knotserver
129 knotserver-unwrapped
130 repoguard
131 keyfetch
132 ;
133 });
134 defaultPackage = forAllSystems (system: nixpkgsFor.${system}.appview);
135 formatter = forAllSystems (system: nixpkgsFor."${system}".alejandra);
136 devShells = forAllSystems (system: let
137 pkgs = nixpkgsFor.${system};
138 staticShell = pkgs.mkShell.override {
139 stdenv = pkgs.pkgsStatic.stdenv;
140 };
141 in {
142 default = staticShell {
143 nativeBuildInputs = [
144 pkgs.go
145 pkgs.air
146 pkgs.gopls
147 pkgs.httpie
148 pkgs.indigo-lexgen
149 pkgs.litecli
150 pkgs.websocat
151 pkgs.tailwindcss
152 pkgs.nixos-shell
153 ];
154 shellHook = ''
155 cp -f ${htmx-src} appview/pages/static/htmx.min.js
156 cp -f ${lucide-src} appview/pages/static/lucide.min.js
157 cp -f ${ia-fonts-src}/"iA Writer Quattro"/Static/*.ttf appview/pages/static/fonts/
158 cp -f ${ia-fonts-src}/"iA Writer Mono"/Static/*.ttf appview/pages/static/fonts/
159 '';
160 };
161 });
162 apps = forAllSystems (system: let
163 pkgs = nixpkgsFor."${system}";
164 air-watcher = name:
165 pkgs.writeShellScriptBin "run"
166 ''
167 ${pkgs.air}/bin/air -c /dev/null \
168 -build.cmd "${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o ./appview/pages/static/tw.css && ${pkgs.go}/bin/go build -o ./out/${name}.out ./cmd/${name}/main.go" \
169 -build.bin "./out/${name}.out" \
170 -build.include_ext "go,html,css"
171 '';
172 in {
173 watch-appview = {
174 type = "app";
175 program = ''${air-watcher "appview"}/bin/run'';
176 };
177 watch-knotserver = {
178 type = "app";
179 program = ''${air-watcher "knotserver"}/bin/run'';
180 };
181 });
182
183 nixosModules.appview = {
184 config,
185 pkgs,
186 lib,
187 ...
188 }:
189 with lib; {
190 options = {
191 services.tangled-appview = {
192 enable = mkOption {
193 type = types.bool;
194 default = false;
195 description = "Enable tangled appview";
196 };
197 port = mkOption {
198 type = types.int;
199 default = 3000;
200 description = "Port to run the appview on";
201 };
202 cookie_secret = mkOption {
203 type = types.str;
204 default = "00000000000000000000000000000000";
205 description = "Cookie secret";
206 };
207 };
208 };
209
210 config = mkIf config.services.tangled-appview.enable {
211 nixpkgs.overlays = [self.overlays.default];
212 systemd.services.tangled-appview = {
213 description = "tangled appview service";
214 wantedBy = ["multi-user.target"];
215
216 serviceConfig = {
217 ListenStream = "0.0.0.0:${toString config.services.tangled-appview.port}";
218 ExecStart = "${pkgs.tangled-appview}/bin/tangled-appview";
219 Restart = "always";
220 };
221
222 environment = {
223 TANGLED_DB_PATH = "appview.db";
224 TANGLED_COOKIE_SECRET = config.services.tangled-appview.cookie_secret;
225 };
226 };
227 };
228 };
229
230 nixosModules.knotserver = {
231 config,
232 pkgs,
233 lib,
234 ...
235 }:
236 with lib; {
237 options = {
238 services.tangled-knotserver = {
239 enable = mkOption {
240 type = types.bool;
241 default = false;
242 description = "Enable a tangled knotserver";
243 };
244
245 appviewEndpoint = mkOption {
246 type = types.str;
247 default = "https://tangled.sh";
248 description = "Appview endpoint";
249 };
250
251 gitUser = mkOption {
252 type = types.str;
253 default = "git";
254 description = "User that hosts git repos and performs git operations";
255 };
256
257 repo = {
258 scanPath = mkOption {
259 type = types.path;
260 default = "/home/git";
261 description = "Path where repositories are scanned from";
262 };
263
264 mainBranch = mkOption {
265 type = types.str;
266 default = "main";
267 description = "Default branch name for repositories";
268 };
269 };
270
271 server = {
272 listenAddr = mkOption {
273 type = types.str;
274 default = "0.0.0.0:5555";
275 description = "Address to listen on";
276 };
277
278 internalListenAddr = mkOption {
279 type = types.str;
280 default = "127.0.0.1:5444";
281 description = "Internal address for inter-service communication";
282 };
283
284 secret = mkOption {
285 type = types.str;
286 example = "super-secret-key";
287 description = "Secret key provided by appview (required)";
288 };
289
290 dbPath = mkOption {
291 type = types.path;
292 default = "knotserver.db";
293 description = "Path to the database file";
294 };
295
296 hostname = mkOption {
297 type = types.str;
298 example = "knot.tangled.sh";
299 description = "Hostname for the server (required)";
300 };
301
302 dev = mkOption {
303 type = types.bool;
304 default = false;
305 description = "Enable development mode (disables signature verification)";
306 };
307 };
308 };
309 };
310
311 config = mkIf config.services.tangled-knotserver.enable {
312 nixpkgs.overlays = [self.overlays.default];
313
314 environment.systemPackages = with pkgs; [git];
315
316 users.users.git = {
317 isNormalUser = true;
318 home = "/home/git";
319 createHome = true;
320 uid = 1000;
321 group = "git";
322 };
323
324 users.groups.git = {};
325
326 services.openssh = {
327 enable = true;
328 extraConfig = ''
329 Match User git
330 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper
331 AuthorizedKeysCommandUser nobody
332 '';
333 };
334
335 environment.etc."ssh/keyfetch_wrapper" = {
336 mode = "0555";
337 text = ''
338 #!${pkgs.stdenv.shell}
339 ${pkgs.keyfetch}/bin/keyfetch -repoguard-path ${pkgs.repoguard}/bin/repoguard -log-path /tmp/repoguard.log
340 '';
341 };
342
343 systemd.services.knotserver = {
344 description = "knotserver service";
345 after = ["network.target" "sshd.service"];
346 wantedBy = ["multi-user.target"];
347 serviceConfig = {
348 User = "git";
349 WorkingDirectory = "/home/git";
350 Environment = [
351 "KNOT_REPO_SCAN_PATH=${config.services.tangled-knotserver.repo.scanPath}"
352 "APPVIEW_ENDPOINT=${config.services.tangled-knotserver.appviewEndpoint}"
353 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${config.services.tangled-knotserver.server.internalListenAddr}"
354 "KNOT_SERVER_LISTEN_ADDR=${config.services.tangled-knotserver.server.listenAddr}"
355 "KNOT_SERVER_SECRET=${config.services.tangled-knotserver.server.secret}"
356 "KNOT_SERVER_HOSTNAME=${config.services.tangled-knotserver.server.hostname}"
357 ];
358 ExecStart = "${pkgs.knotserver}/bin/knotserver";
359 Restart = "always";
360 };
361 };
362
363 networking.firewall.allowedTCPPorts = [22];
364 };
365 };
366
367 nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem {
368 system = "x86_64-linux";
369 modules = [
370 self.nixosModules.knotserver
371 ({
372 config,
373 pkgs,
374 ...
375 }: {
376 virtualisation.memorySize = 2048;
377 virtualisation.cores = 2;
378 services.getty.autologinUser = "root";
379 environment.systemPackages = with pkgs; [curl vim git];
380 services.tangled-knotserver = {
381 enable = true;
382 server = {
383 secret = "ad7b32ded52fbe96e09f469a288084ee01cd12c971da87a1cbb87ef67081bd87";
384 hostname = "localhost:6000";
385 listenAddr = "0.0.0.0:6000";
386 };
387 };
388 })
389 ];
390 };
391 };
392}