···
git clone https://tangled.sh/@tangled.sh/core
37
-
Then, build our binaries (you need to have Go installed):
38
-
* `knotserver`: the main server program
39
-
* `keyfetch`: utility to fetch ssh pubkeys
40
-
* `repoguard`: enforces repository access control
37
+
Then, build the `knot` CLI. This is the knot administration and operation tool.
38
+
For the purpose of this guide, we're only concerned with these subcommands:
40
+
* `knot server`: the main knot server process, typically run as a
42
+
* `knot guard`: handles role-based access control for git over SSH
43
+
(you'll never have to run this yourself)
44
+
* `knot keys`: fetches SSH keys associated with your knot; we'll use
45
+
this to generate the SSH `AuthorizedKeysCommand`
45
-
go build -o knot ./cmd/knotserver
46
-
go build -o keyfetch ./cmd/keyfetch
47
-
go build -o repoguard ./cmd/repoguard
50
+
go build -o knot ./cmd/knot
50
-
Next, move the `keyfetch` binary to a location owned by `root` --
51
-
`/usr/local/libexec/tangled-keyfetch` is a good choice:
53
+
Next, move the `knot` binary to a location owned by `root` --
54
+
`/usr/local/bin/knot` is a good choice:
54
-
sudo mv keyfetch /usr/local/libexec/tangled-keyfetch
55
-
sudo chown root:root /usr/local/libexec/tangled-keyfetch
56
-
sudo chmod 755 /usr/local/libexec/tangled-keyfetch
57
+
sudo mv knot /usr/local/bin/knot
59
-
This is necessary because SSH `AuthorizedKeysCommand` requires [really specific
60
-
permissions](https://stackoverflow.com/a/27638306). Let's set that up:
60
+
This is necessary because SSH `AuthorizedKeysCommand` requires [really
61
+
specific permissions](https://stackoverflow.com/a/27638306). The
62
+
`AuthorizedKeysCommand` specifies a command that is run by `sshd` to
63
+
retrieve a user's public SSH keys dynamically for authentication. Let's
sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
65
-
AuthorizedKeysCommand /usr/local/libexec/tangled-keyfetch
69
+
AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys
AuthorizedKeysCommandUser nobody
70
-
Next, create the `git` user:
74
+
Next, create the `git` user. We'll use the `git` user's home directory
75
+
to store repositories:
76
-
Copy the `repoguard` binary to the `git` user's home directory:
79
-
sudo cp repoguard /home/git
80
-
sudo chown git:git /home/git/repoguard
83
-
Now, let's set up the server. Copy the `knot` binary to
84
-
`/usr/local/bin/knotserver`. Then, create `/home/git/.knot.env` with the
85
-
following, updating the values as necessary. The `KNOT_SERVER_SECRET` can be
86
-
obtaind from the [/knots](/knots) page on Tangled.
81
+
Create `/home/git/.knot.env` with the following, updating the values as
82
+
necessary. The `KNOT_SERVER_SECRET` can be obtaind from the
83
+
[/knots](/knots) page on Tangled.
KNOT_REPO_SCAN_PATH=/home/git
···
If you run a Linux distribution that uses systemd, you can use the provided
service file to run the server. Copy
99
-
[`knotserver.service`](https://tangled.sh/did:plc:wshs7t2adsemcrrd4snkeqli/core/blob/master/systemd/knotserver.service)
96
+
[`knotserver.service`](/systemd/knotserver.service)
to `/etc/systemd/system/`. Then, run:
···
KNOT_REPO_SCAN_PATH=/home/git/repositories
164
-
In your SSH config (e.g. `/etc/ssh/sshd_config.d/authorized_keys_command.conf`),
165
-
update the `AuthorizedKeysCommand` line to use the new folder. For example:
169
-
AuthorizedKeysCommand /usr/local/libexec/tangled-keyfetch -git-dir /home/git/repositories
170
-
AuthorizedKeysCommandUser nobody
173
-
Make sure to restart your SSH server!
177
-
The keyfetch executable takes multiple arguments to change certain paths. You
178
-
can view a full list by running `/usr/local/libexec/tangled-keyfetch -h`.
180
-
As an example, if you wanted to change the path to the repoguard executable,
181
-
you would edit your SSH config (e.g. `/etc/ssh/sshd_config.d/authorized_keys_command.conf`)
182
-
and update the `AuthorizedKeysCommand` line:
161
+
Similarly, update your `sshd` `AuthorizedKeysCommand` to use the updated
165
+
sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
186
-
AuthorizedKeysCommand /usr/local/libexec/tangled-keyfetch -repoguard-path /path/to/repoguard
167
+
AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys -git-dir /home/git/repositories
AuthorizedKeysCommandUser nobody
Make sure to restart your SSH server!
anirudh.fi