docs/knot-hosting.md at 48cbc6861829eb11fefcdbaea5b90e75e450fb22 · notnite.com/core

notnite.com / core
this repo has no description
core / docs / knot-hosting.md
at 48cbc6861829eb11fefcdbaea5b90e75e450fb22 3.0 kB view raw view rendered
  1# knot self-hosting guide
  2
  3So you want to run your own knot server? Great! Here are a few prerequisites:
  4
  51. A server of some kind (a VPS, a Raspberry Pi, etc.). Preferably running a Linux of some kind.
  62. A (sub)domain name. People generally use `knot.example.com`.
  73. A valid SSL certificate for your domain.
  8
  9There's a couple of ways to get started:
 10* NixOS: refer to [flake.nix](https://tangled.sh/@tangled.sh/core/blob/master/flake.nix)
 11* Docker: Documented below.
 12* Manual: Documented below.
 13
 14## docker setup
 15
 16Clone this repository:
 17
 18```
 19git clone https://tangled.sh/@tangled.sh/core
 20```
 21
 22Modify the `docker/docker-compose.yml`, specifically the
 23`KNOT_SERVER_SECRET` and `KNOT_SERVER_HOSTNAME` env vars. Then run:
 24
 25```
 26docker compose -f docker/docker-compose.yml up
 27```
 28
 29### manual setup
 30
 31First, clone this repository:
 32
 33```
 34git clone https://tangled.sh/@tangled.sh/core
 35```
 36
 37Then, build our binaries (you need to have Go installed):
 38* `knotserver`: the main server program
 39* `keyfetch`: utility to fetch ssh pubkeys
 40* `repoguard`: enforces repository access control
 41
 42```
 43cd core
 44export CGO_ENABLED=1
 45go build -o knot ./cmd/knotserver
 46go build -o keyfetch ./cmd/keyfetch
 47go build -o repoguard ./cmd/repoguard
 48```
 49
 50Next, move the `keyfetch` binary to a location owned by `root` --
 51`/usr/local/libexec/tangled-keyfetch` is a good choice:
 52
 53```
 54sudo mv keyfetch /usr/local/libexec/tangled-keyfetch
 55sudo chown root:root /usr/local/libexec/tangled-keyfetch
 56sudo chmod 755 /usr/local/libexec/tangled-keyfetch
 57```
 58
 59This is necessary because SSH `AuthorizedKeysCommand` requires [really specific
 60permissions](https://stackoverflow.com/a/27638306). Let's set that up:
 61
 62```
 63sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
 64Match User git
 65  AuthorizedKeysCommand /usr/local/libexec/tangled-keyfetch
 66  AuthorizedKeysCommandUser nobody
 67EOF
 68```
 69
 70Next, create the `git` user:
 71
 72```
 73sudo adduser git
 74```
 75
 76Copy the `repoguard` binary to the `git` user's home directory:
 77
 78```
 79sudo cp repoguard /home/git
 80sudo chown git:git /home/git/repoguard
 81```
 82
 83Now, let's set up the server. Copy the `knot` binary to
 84`/usr/local/bin/knotserver`. Then, create `/home/git/.knot.env` with the
 85following, updating the values as necessary. The `KNOT_SERVER_SECRET` can be
 86obtaind from the [/knots](/knots) page on Tangled.
 87
 88```
 89KNOT_REPO_SCAN_PATH=/home/git
 90KNOT_SERVER_HOSTNAME=knot.example.com
 91APPVIEW_ENDPOINT=https://tangled.sh
 92KNOT_SERVER_SECRET=secret
 93KNOT_SERVER_INTERNAL_LISTEN_ADDR=127.0.0.1:5444
 94KNOT_SERVER_LISTEN_ADDR=127.0.0.1:5555
 95```
 96
 97If you run a Linux distribution that uses systemd, you can use the provided
 98service file to run the server. Copy
 99[`knotserver.service`](https://tangled.sh/did:plc:wshs7t2adsemcrrd4snkeqli/core/blob/master/systemd/knotserver.service)
100to `/etc/systemd/system/`. Then, run:
101
102```
103systemctl enable knotserver
104systemctl start knotserver
105```
106
107You should now have a running knot server! You can finalize your registration by hitting the
108`initialize` button on the [/knots](/knots) page.