···
-
cfg = config.services.tangled-knot;
-
services.tangled-knot = {
-
description = "Enable a tangled knot";
-
appviewEndpoint = mkOption {
-
default = "https://tangled.sh";
-
description = "Appview endpoint";
-
description = "User that hosts git repos and performs git operations";
-
openFirewall = mkOption {
-
description = "Open port 22 in the firewall for ssh";
-
default = "/home/${cfg.gitUser}";
-
description = "Tangled knot data directory";
-
default = cfg.stateDir;
-
description = "Path where repositories are scanned from";
-
mainBranch = mkOption {
-
description = "Default branch name for repositories";
-
listenAddr = mkOption {
-
default = "0.0.0.0:5555";
-
description = "Address to listen on";
-
internalListenAddr = mkOption {
-
default = "127.0.0.1:5444";
-
description = "Internal address for inter-service communication";
-
secretFile = mkOption {
-
example = "KNOT_SERVER_SECRET=<hash>";
-
description = "File containing secret key provided by appview (required)";
-
default = "${cfg.stateDir}/knotserver.db";
-
description = "Path to the database file";
-
example = "knot.tangled.sh";
-
description = "Hostname for the server (required)";
-
description = "Enable development mode (disables signature verification)";
-
config = mkIf cfg.enable {
-
environment.systemPackages = with pkgs; [git];
-
system.activationScripts.gitConfig = ''
-
mkdir -p "${cfg.repo.scanPath}"
-
chown -R ${cfg.gitUser}:${cfg.gitUser} \
-
mkdir -p "${cfg.stateDir}/.config/git"
-
cat > "${cfg.stateDir}/.config/git/config" << EOF
-
email = git@example.com
-
chown -R ${cfg.gitUser}:${cfg.gitUser} \
-
users.users.${cfg.gitUser} = {
-
useDefaultShell = true;
-
users.groups.${cfg.gitUser} = {};
-
Match User ${cfg.gitUser}
-
AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper
-
AuthorizedKeysCommandUser nobody
-
environment.etc."ssh/keyfetch_wrapper" = {
-
${self.packages.${pkgs.system}.knot}/bin/knot keys \
-
-output authorized-keys \
-
-internal-api "http://${cfg.server.internalListenAddr}" \
-
-git-dir "${cfg.repo.scanPath}" \
-
-log-path /tmp/knotguard.log
-
systemd.services.knot = {
-
description = "knot service";
-
after = ["network.target" "sshd.service"];
-
wantedBy = ["multi-user.target"];
-
WorkingDirectory = cfg.stateDir;
-
"KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}"
-
"KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}"
-
"APPVIEW_ENDPOINT=${cfg.appviewEndpoint}"
-
"KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}"
-
"KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}"
-
"KNOT_SERVER_DB_PATH=${cfg.server.dbPath}"
-
"KNOT_SERVER_HOSTNAME=${cfg.server.hostname}"
-
EnvironmentFile = cfg.server.secretFile;
-
ExecStart = "${self.packages.${pkgs.system}.knot}/bin/knot server";
-
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22];
nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem {
···
nixosModules.appview = import ./nix/modules/appview.nix {inherit self;};
oppi.li