nel.pet
1{
2 description = "atproto github";
3
4 inputs = {
5 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
6 indigo = {
7 url = "github:oppiliappan/indigo";
8 flake = false;
9 };
10 htmx-src = {
11 url = "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js";
12 flake = false;
13 };
14 lucide-src = {
15 url = "https://github.com/lucide-icons/lucide/releases/download/0.483.0/lucide-icons-0.483.0.zip";
16 flake = false;
17 };
18 inter-fonts-src = {
19 url = "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip";
20 flake = false;
21 };
22 ibm-plex-mono-src = {
23 url = "https://github.com/IBM/plex/releases/download/%40ibm%2Fplex-mono%401.1.0/ibm-plex-mono.zip";
24 flake = false;
25 };
26 gitignore = {
27 url = "github:hercules-ci/gitignore.nix";
28 inputs.nixpkgs.follows = "nixpkgs";
29 };
30 };
31
32 outputs = {
33 self,
34 nixpkgs,
35 indigo,
36 htmx-src,
37 lucide-src,
38 gitignore,
39 inter-fonts-src,
40 ibm-plex-mono-src,
41 }: let
42 supportedSystems = ["x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin"];
43 forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
44 nixpkgsFor = forAllSystems (system:
45 import nixpkgs {
46 inherit system;
47 overlays = [self.overlays.default];
48 });
49 inherit (gitignore.lib) gitignoreSource;
50 in {
51 overlays.default = final: prev: let
52 goModHash = "sha256-TwlPge7vhVGmtNvYkHFFnZjJs2DWPUwPhCSBTCUYCtc=";
53 buildCmdPackage = name:
54 final.buildGoModule {
55 pname = name;
56 version = "0.1.0";
57 src = gitignoreSource ./.;
58 subPackages = ["cmd/${name}"];
59 vendorHash = goModHash;
60 env.CGO_ENABLED = 0;
61 };
62 in {
63 indigo-lexgen = final.buildGoModule {
64 pname = "indigo-lexgen";
65 version = "0.1.0";
66 src = indigo;
67 subPackages = ["cmd/lexgen"];
68 vendorHash = "sha256-pGc29fgJFq8LP7n/pY1cv6ExZl88PAeFqIbFEhB3xXs=";
69 doCheck = false;
70 };
71
72 appview = with final;
73 final.pkgsStatic.buildGoModule {
74 pname = "appview";
75 version = "0.1.0";
76 src = gitignoreSource ./.;
77 postUnpack = ''
78 pushd source
79 mkdir -p appview/pages/static/{fonts,icons}
80 cp -f ${htmx-src} appview/pages/static/htmx.min.js
81 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/
82 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/
83 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/
84 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/
85 ${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o appview/pages/static/tw.css
86 popd
87 '';
88 doCheck = false;
89 subPackages = ["cmd/appview"];
90 vendorHash = goModHash;
91 env.CGO_ENABLED = 1;
92 stdenv = pkgsStatic.stdenv;
93 };
94
95 knotserver = with final;
96 final.pkgsStatic.buildGoModule {
97 pname = "knotserver";
98 version = "0.1.0";
99 src = gitignoreSource ./.;
100 nativeBuildInputs = [final.makeWrapper];
101 subPackages = ["cmd/knotserver"];
102 vendorHash = goModHash;
103 installPhase = ''
104 runHook preInstall
105
106 mkdir -p $out/bin
107 cp $GOPATH/bin/knotserver $out/bin/knotserver
108
109 wrapProgram $out/bin/knotserver \
110 --prefix PATH : ${pkgs.git}/bin
111
112 runHook postInstall
113 '';
114 env.CGO_ENABLED = 1;
115 };
116 knotserver-unwrapped = final.pkgsStatic.buildGoModule {
117 pname = "knotserver";
118 version = "0.1.0";
119 src = gitignoreSource ./.;
120 subPackages = ["cmd/knotserver"];
121 vendorHash = goModHash;
122 env.CGO_ENABLED = 1;
123 };
124 repoguard = buildCmdPackage "repoguard";
125 keyfetch = buildCmdPackage "keyfetch";
126 genjwks = buildCmdPackage "genjwks";
127 };
128 packages = forAllSystems (system: {
129 inherit
130 (nixpkgsFor."${system}")
131 indigo-lexgen
132 appview
133 knotserver
134 knotserver-unwrapped
135 repoguard
136 keyfetch
137 genjwks
138 ;
139 });
140 defaultPackage = forAllSystems (system: nixpkgsFor.${system}.appview);
141 formatter = forAllSystems (system: nixpkgsFor."${system}".alejandra);
142 devShells = forAllSystems (system: let
143 pkgs = nixpkgsFor.${system};
144 staticShell = pkgs.mkShell.override {
145 stdenv = pkgs.pkgsStatic.stdenv;
146 };
147 in {
148 default = staticShell {
149 nativeBuildInputs = [
150 pkgs.go
151 pkgs.air
152 pkgs.gopls
153 pkgs.httpie
154 pkgs.indigo-lexgen
155 pkgs.litecli
156 pkgs.websocat
157 pkgs.tailwindcss
158 pkgs.nixos-shell
159 pkgs.nodePackages.localtunnel
160 pkgs.python312Packages.pyngrok
161 ];
162 shellHook = ''
163 mkdir -p appview/pages/static/{fonts,icons}
164 cp -f ${htmx-src} appview/pages/static/htmx.min.js
165 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/
166 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/
167 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/
168 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/
169 export TANGLED_OAUTH_JWKS="$(${pkgs.genjwks}/bin/genjwks)"
170 '';
171 env.CGO_ENABLED = 1;
172 };
173 });
174 apps = forAllSystems (system: let
175 pkgs = nixpkgsFor."${system}";
176 air-watcher = name:
177 pkgs.writeShellScriptBin "run"
178 ''
179 ${pkgs.air}/bin/air -c /dev/null \
180 -build.cmd "${pkgs.go}/bin/go build -o ./out/${name}.out ./cmd/${name}/main.go" \
181 -build.bin "./out/${name}.out" \
182 -build.stop_on_error "true" \
183 -build.include_ext "go"
184 '';
185 tailwind-watcher =
186 pkgs.writeShellScriptBin "run"
187 ''
188 ${pkgs.tailwindcss}/bin/tailwindcss -w -i input.css -o ./appview/pages/static/tw.css
189 '';
190 in {
191 watch-appview = {
192 type = "app";
193 program = ''${air-watcher "appview"}/bin/run'';
194 };
195 watch-knotserver = {
196 type = "app";
197 program = ''${air-watcher "knotserver"}/bin/run'';
198 };
199 watch-tailwind = {
200 type = "app";
201 program = ''${tailwind-watcher}/bin/run'';
202 };
203 });
204
205 nixosModules.appview = {
206 config,
207 pkgs,
208 lib,
209 ...
210 }:
211 with lib; {
212 options = {
213 services.tangled-appview = {
214 enable = mkOption {
215 type = types.bool;
216 default = false;
217 description = "Enable tangled appview";
218 };
219 port = mkOption {
220 type = types.int;
221 default = 3000;
222 description = "Port to run the appview on";
223 };
224 cookie_secret = mkOption {
225 type = types.str;
226 default = "00000000000000000000000000000000";
227 description = "Cookie secret";
228 };
229 };
230 };
231
232 config = mkIf config.services.tangled-appview.enable {
233 systemd.services.tangled-appview = {
234 description = "tangled appview service";
235 wantedBy = ["multi-user.target"];
236
237 serviceConfig = {
238 ListenStream = "0.0.0.0:${toString config.services.tangled-appview.port}";
239 ExecStart = "${self.packages.${pkgs.system}.appview}/bin/appview";
240 Restart = "always";
241 };
242
243 environment = {
244 TANGLED_DB_PATH = "appview.db";
245 TANGLED_COOKIE_SECRET = config.services.tangled-appview.cookie_secret;
246 };
247 };
248 };
249 };
250
251 nixosModules.knotserver = {
252 config,
253 pkgs,
254 lib,
255 ...
256 }: let
257 cfg = config.services.tangled-knotserver;
258 in
259 with lib; {
260 options = {
261 services.tangled-knotserver = {
262 enable = mkOption {
263 type = types.bool;
264 default = false;
265 description = "Enable a tangled knotserver";
266 };
267
268 appviewEndpoint = mkOption {
269 type = types.str;
270 default = "https://tangled.sh";
271 description = "Appview endpoint";
272 };
273
274 gitUser = mkOption {
275 type = types.str;
276 default = "git";
277 description = "User that hosts git repos and performs git operations";
278 };
279
280 openFirewall = mkOption {
281 type = types.bool;
282 default = true;
283 description = "Open port 22 in the firewall for ssh";
284 };
285
286 stateDir = mkOption {
287 type = types.path;
288 default = "/home/${cfg.gitUser}";
289 description = "Tangled knot data directory";
290 };
291
292 repo = {
293 scanPath = mkOption {
294 type = types.path;
295 default = cfg.stateDir;
296 description = "Path where repositories are scanned from";
297 };
298
299 mainBranch = mkOption {
300 type = types.str;
301 default = "main";
302 description = "Default branch name for repositories";
303 };
304 };
305
306 server = {
307 listenAddr = mkOption {
308 type = types.str;
309 default = "0.0.0.0:5555";
310 description = "Address to listen on";
311 };
312
313 internalListenAddr = mkOption {
314 type = types.str;
315 default = "127.0.0.1:5444";
316 description = "Internal address for inter-service communication";
317 };
318
319 secretFile = mkOption {
320 type = lib.types.path;
321 example = "KNOT_SERVER_SECRET=<hash>";
322 description = "File containing secret key provided by appview (required)";
323 };
324
325 dbPath = mkOption {
326 type = types.path;
327 default = "${cfg.stateDir}/knotserver.db";
328 description = "Path to the database file";
329 };
330
331 hostname = mkOption {
332 type = types.str;
333 example = "knot.tangled.sh";
334 description = "Hostname for the server (required)";
335 };
336
337 dev = mkOption {
338 type = types.bool;
339 default = false;
340 description = "Enable development mode (disables signature verification)";
341 };
342 };
343 };
344 };
345
346 config = mkIf cfg.enable {
347 environment.systemPackages = with pkgs; [git];
348
349 system.activationScripts.gitConfig = ''
350 mkdir -p "${cfg.repo.scanPath}"
351 chown -R ${cfg.gitUser}:${cfg.gitUser} \
352 "${cfg.repo.scanPath}"
353
354 mkdir -p "${cfg.stateDir}/.config/git"
355 cat > "${cfg.stateDir}/.config/git/config" << EOF
356 [user]
357 name = Git User
358 email = git@example.com
359 EOF
360 chown -R ${cfg.gitUser}:${cfg.gitUser} \
361 "${cfg.stateDir}"
362 '';
363
364 users.users.${cfg.gitUser} = {
365 isSystemUser = true;
366 useDefaultShell = true;
367 home = cfg.stateDir;
368 createHome = true;
369 group = cfg.gitUser;
370 };
371
372 users.groups.${cfg.gitUser} = {};
373
374 services.openssh = {
375 enable = true;
376 extraConfig = ''
377 Match User ${cfg.gitUser}
378 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper
379 AuthorizedKeysCommandUser nobody
380 '';
381 };
382
383 environment.etc."ssh/keyfetch_wrapper" = {
384 mode = "0555";
385 text = ''
386 #!${pkgs.stdenv.shell}
387 ${self.packages.${pkgs.system}.keyfetch}/bin/keyfetch \
388 -repoguard-path ${self.packages.${pkgs.system}.repoguard}/bin/repoguard \
389 -internal-api "http://${cfg.server.internalListenAddr}" \
390 -git-dir "${cfg.repo.scanPath}" \
391 -log-path /tmp/repoguard.log
392 '';
393 };
394
395 systemd.services.knotserver = {
396 description = "knotserver service";
397 after = ["network.target" "sshd.service"];
398 wantedBy = ["multi-user.target"];
399 serviceConfig = {
400 User = cfg.gitUser;
401 WorkingDirectory = cfg.stateDir;
402 Environment = [
403 "KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}"
404 "KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}"
405 "APPVIEW_ENDPOINT=${cfg.appviewEndpoint}"
406 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}"
407 "KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}"
408 "KNOT_SERVER_DB_PATH=${cfg.server.dbPath}"
409 "KNOT_SERVER_HOSTNAME=${cfg.server.hostname}"
410 ];
411 EnvironmentFile = cfg.server.secretFile;
412 ExecStart = "${self.packages.${pkgs.system}.knotserver}/bin/knotserver";
413 Restart = "always";
414 };
415 };
416
417 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22];
418 };
419 };
420
421 nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem {
422 system = "x86_64-linux";
423 modules = [
424 self.nixosModules.knotserver
425 ({
426 config,
427 pkgs,
428 ...
429 }: {
430 virtualisation.memorySize = 2048;
431 virtualisation.diskSize = 10 * 1024;
432 virtualisation.cores = 2;
433 services.getty.autologinUser = "root";
434 environment.systemPackages = with pkgs; [curl vim git];
435 systemd.tmpfiles.rules = let
436 u = config.services.tangled-knotserver.gitUser;
437 g = config.services.tangled-knotserver.gitUser;
438 in [
439 "d /var/lib/knotserver 0770 ${u} ${g} - -" # Create the directory first
440 "f+ /var/lib/knotserver/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=679f15000084699abc6a20d3ef449efa3656583f38e456a08f0638250688ff2e"
441 ];
442 services.tangled-knotserver = {
443 enable = true;
444 server = {
445 secretFile = "/var/lib/knotserver/secret";
446 hostname = "localhost:6000";
447 listenAddr = "0.0.0.0:6000";
448 };
449 };
450 })
451 ];
452 };
453 };
454}