···
203
-
nixosModules.knot = {
209
-
cfg = config.services.tangled-knot;
213
-
services.tangled-knot = {
214
-
enable = mkOption {
217
-
description = "Enable a tangled knot";
220
-
appviewEndpoint = mkOption {
222
-
default = "https://tangled.sh";
223
-
description = "Appview endpoint";
226
-
gitUser = mkOption {
229
-
description = "User that hosts git repos and performs git operations";
232
-
openFirewall = mkOption {
235
-
description = "Open port 22 in the firewall for ssh";
238
-
stateDir = mkOption {
240
-
default = "/home/${cfg.gitUser}";
241
-
description = "Tangled knot data directory";
245
-
scanPath = mkOption {
247
-
default = cfg.stateDir;
248
-
description = "Path where repositories are scanned from";
251
-
mainBranch = mkOption {
254
-
description = "Default branch name for repositories";
259
-
listenAddr = mkOption {
261
-
default = "0.0.0.0:5555";
262
-
description = "Address to listen on";
265
-
internalListenAddr = mkOption {
267
-
default = "127.0.0.1:5444";
268
-
description = "Internal address for inter-service communication";
271
-
secretFile = mkOption {
272
-
type = lib.types.path;
273
-
example = "KNOT_SERVER_SECRET=<hash>";
274
-
description = "File containing secret key provided by appview (required)";
277
-
dbPath = mkOption {
279
-
default = "${cfg.stateDir}/knotserver.db";
280
-
description = "Path to the database file";
283
-
hostname = mkOption {
285
-
example = "knot.tangled.sh";
286
-
description = "Hostname for the server (required)";
292
-
description = "Enable development mode (disables signature verification)";
298
-
config = mkIf cfg.enable {
299
-
environment.systemPackages = with pkgs; [git];
301
-
system.activationScripts.gitConfig = ''
302
-
mkdir -p "${cfg.repo.scanPath}"
303
-
chown -R ${cfg.gitUser}:${cfg.gitUser} \
304
-
"${cfg.repo.scanPath}"
306
-
mkdir -p "${cfg.stateDir}/.config/git"
307
-
cat > "${cfg.stateDir}/.config/git/config" << EOF
310
-
email = git@example.com
312
-
chown -R ${cfg.gitUser}:${cfg.gitUser} \
316
-
users.users.${cfg.gitUser} = {
317
-
isSystemUser = true;
318
-
useDefaultShell = true;
319
-
home = cfg.stateDir;
321
-
group = cfg.gitUser;
324
-
users.groups.${cfg.gitUser} = {};
326
-
services.openssh = {
329
-
Match User ${cfg.gitUser}
330
-
AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper
331
-
AuthorizedKeysCommandUser nobody
335
-
environment.etc."ssh/keyfetch_wrapper" = {
338
-
#!${pkgs.stdenv.shell}
339
-
${self.packages.${pkgs.system}.knot}/bin/knot keys \
340
-
-output authorized-keys \
341
-
-internal-api "http://${cfg.server.internalListenAddr}" \
342
-
-git-dir "${cfg.repo.scanPath}" \
343
-
-log-path /tmp/knotguard.log
347
-
systemd.services.knot = {
348
-
description = "knot service";
349
-
after = ["network.target" "sshd.service"];
350
-
wantedBy = ["multi-user.target"];
352
-
User = cfg.gitUser;
353
-
WorkingDirectory = cfg.stateDir;
355
-
"KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}"
356
-
"KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}"
357
-
"APPVIEW_ENDPOINT=${cfg.appviewEndpoint}"
358
-
"KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}"
359
-
"KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}"
360
-
"KNOT_SERVER_DB_PATH=${cfg.server.dbPath}"
361
-
"KNOT_SERVER_HOSTNAME=${cfg.server.hostname}"
363
-
EnvironmentFile = cfg.server.secretFile;
364
-
ExecStart = "${self.packages.${pkgs.system}.knot}/bin/knot server";
365
-
Restart = "always";
369
-
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22];
nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem {
···
nixosModules.appview = import ./nix/modules/appview.nix {inherit self;};
236
+
nixosModules.knot = import ./nix/modules/knot.nix {inherit self;};
oppi.li