patch of local-infra: local, sandboxed atmosphere infra · round #3 · pull #684 · tangled.org/core

+45

local-infra/Caddyfile

···

       1
       1
       +
       {

     

       2
       2
       +
       	storage file_system /data/

     

       3
       3
       +
       	debug

     

       4
       4
       +
       	pki {

     

       5
       5
       +
       		ca localtangled {

     

       6
       6
       +
       			name "LocalTangledCA"

     

       7
       7
       +
       		}

     

       8
       8
       +
       	}

     

       9
       9
       +
           auto_https disable_redirects

     

       10
       10
       +
       }

     

       11
       11
       +
       

     

       12
       12
       +
       plc.tngl.boltless.dev {

     

       13
       13
       +
       	tls {

     

       14
       14
       +
       		issuer internal {

     

       15
       15
       +
       			ca localtangled

     

       16
       16
       +
       		}

     

       17
       17
       +
       	}

     

       18
       18
       +
       	reverse_proxy http://plc:8080

     

       19
       19
       +
       }

     

       20
       20
       +
       

     

       21
       21
       +
       *.pds.tngl.boltless.dev, pds.tngl.boltless.dev {

     

       22
       22
       +
       	tls {

     

       23
       23
       +
       		issuer internal {

     

       24
       24
       +
       			ca localtangled

     

       25
       25
       +
       		}

     

       26
       26
       +
       	}

     

       27
       27
       +
       	reverse_proxy http://pds:3000

     

       28
       28
       +
       }

     

       29
       29
       +
       

     

       30
       30
       +
       jetstream.tngl.boltless.dev {

     

       31
       31
       +
       	tls {

     

       32
       32
       +
       		issuer internal {

     

       33
       33
       +
       			ca localtangled

     

       34
       34
       +
       		}

     

       35
       35
       +
       	}

     

       36
       36
       +
       	reverse_proxy http://jetstream:6008

     

       37
       37
       +
       }

     

       38
       38
       +
       

     

       39
       39
       +
       http://knot.tngl.boltless.dev {

     

       40
       40
       +
       	reverse_proxy http://host.docker.internal:6000

     

       41
       41
       +
       }

     

       42
       42
       +
       

     

       43
       43
       +
       http://spindle.tngl.boltless.dev {

     

       44
       44
       +
       	reverse_proxy http://host.docker.internal:6555

     

       45
       45
       +
       }

+12

local-infra/cert/localtangled/intermediate.crt

···

       1
       1
       +
       -----BEGIN CERTIFICATE-----

     

       2
       2
       +
       MIIBuTCCAWCgAwIBAgIRALKb0dndMd7jlCHAzm0G+N4wCgYIKoZIzj0EAwIwKTEn

     

       3
       3
       +
       MCUGA1UEAxMeTG9jYWxUYW5nbGVkQ0EgLSAyMDI1IEVDQyBSb290MB4XDTI1MTAy

     

       4
       4
       +
       MTA3NDAwNloXDTI1MTAyODA3NDAwNlowLDEqMCgGA1UEAxMhTG9jYWxUYW5nbGVk

     

       5
       5
       +
       Q0EgLSBFQ0MgSW50ZXJtZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE

     

       6
       6
       +
       bX+zyr9rLxF3E8oCZwJluCKX/xmU4waabkjaTGbI5K0cemiAAmZRJ2lVhgh+KfXD

     

       7
       7
       +
       PpTmt+YE6FUF4xAWADOUuaNmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQI

     

       8
       8
       +
       MAYBAf8CAQAwHQYDVR0OBBYEFIoGsfx3Qg/9qG7tm7CZ1pHYl3prMB8GA1UdIwQY

     

       9
       9
       +
       MBaAFCkl8dPP2IAMTPru6WEHLP1hySEQMAoGCCqGSM49BAMCA0cAMEQCIFc3gOEl

     

       10
       10
       +
       aUR/OWbQuWvYwoTZs81ERj73ZeQWy4a3i4ooAiAB7Mnih/7kEvLyfkjLRgRXrtlq

     

       11
       11
       +
       kVmXVyWHIncR6Bsktw==

     

       12
       12
       +
       -----END CERTIFICATE-----

+5

local-infra/cert/localtangled/intermediate.key

···

       1
       1
       +
       -----BEGIN EC PRIVATE KEY-----

     

       2
       2
       +
       MHcCAQEEIB1EH4KZGLcfO0neWDuV3oWMXPEze8JTsyKFoQuYApFSoAoGCCqGSM49

     

       3
       3
       +
       AwEHoUQDQgAEbX+zyr9rLxF3E8oCZwJluCKX/xmU4waabkjaTGbI5K0cemiAAmZR

     

       4
       4
       +
       J2lVhgh+KfXDPpTmt+YE6FUF4xAWADOUuQ==

     

       5
       5
       +
       -----END EC PRIVATE KEY-----

+11

local-infra/cert/localtangled/root.crt

···

       1
       1
       +
       -----BEGIN CERTIFICATE-----

     

       2
       2
       +
       MIIBlTCCATygAwIBAgIRAMDTcwNxYDMgtUNC5LkCeEQwCgYIKoZIzj0EAwIwKTEn

     

       3
       3
       +
       MCUGA1UEAxMeTG9jYWxUYW5nbGVkQ0EgLSAyMDI1IEVDQyBSb290MB4XDTI1MTAx

     

       4
       4
       +
       NzE2MTE0NVoXDTM1MDgyNjE2MTE0NVowKTEnMCUGA1UEAxMeTG9jYWxUYW5nbGVk

     

       5
       5
       +
       Q0EgLSAyMDI1IEVDQyBSb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7rFM

     

       6
       6
       +
       4oNfT0UMqMuc3L60TCLeTd58WFSUYnKl7R1HOHDWeWZhhoNdWguXJSHhFPiWmQ5E

     

       7
       7
       +
       +fiI7KvDAVQGHzfUAqNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYB

     

       8
       8
       +
       Af8CAQEwHQYDVR0OBBYEFCkl8dPP2IAMTPru6WEHLP1hySEQMAoGCCqGSM49BAMC

     

       9
       9
       +
       A0cAMEQCIFjSGjvie1gO/JuNtP2HqeUHQNEh82K1fXdks54up3KEAiBWQDaOYeZ2

     

       10
       10
       +
       zVTiKe8ZQHpH3glXsIS0USsxeKaohMp0zA==

     

       11
       11
       +
       -----END CERTIFICATE-----

+5

local-infra/cert/localtangled/root.key

···

       1
       1
       +
       -----BEGIN EC PRIVATE KEY-----

     

       2
       2
       +
       MHcCAQEEIBqEj1iG3q+OLBgHjWQ3UkvKjq4sy5ej47syIYWn/Ql/oAoGCCqGSM49

     

       3
       3
       +
       AwEHoUQDQgAE7rFM4oNfT0UMqMuc3L60TCLeTd58WFSUYnKl7R1HOHDWeWZhhoNd

     

       4
       4
       +
       WguXJSHhFPiWmQ5E+fiI7KvDAVQGHzfUAg==

     

       5
       5
       +
       -----END EC PRIVATE KEY-----

+82

local-infra/docker-compose.yml

···

       1
       1
       +
       name: tangled-local-infra

     

       2
       2
       +
       services:

     

       3
       3
       +
         caddy:

     

       4
       4
       +
           container_name: caddy

     

       5
       5
       +
           image: caddy:2

     

       6
       6
       +
           depends_on:

     

       7
       7
       +
             - pds

     

       8
       8
       +
           restart: unless-stopped

     

       9
       9
       +
           cap_add:

     

       10
       10
       +
             - NET_ADMIN

     

       11
       11
       +
           ports:

     

       12
       12
       +
             - "80:80"

     

       13
       13
       +
             - "443:443"

     

       14
       14
       +
             - "443:443/udp"

     

       15
       15
       +
           volumes:

     

       16
       16
       +
             - ./Caddyfile:/etc/caddy/Caddyfile

     

       17
       17
       +
             - ./cert/localtangled:/data/pki/authorities/localtangled

     

       18
       18
       +
             - caddy_data:/data

     

       19
       19
       +
             - caddy_config:/config

     

       20
       20
       +
       

     

       21
       21
       +
         plc:

     

       22
       22
       +
           image: ghcr.io/bluesky-social/did-method-plc:plc-f2ab7516bac5bc0f3f86842fa94e996bd1b3815b

     

       23
       23
       +
           # did-method-plc only provides linux/amd64

     

       24
       24
       +
           platform: linux/amd64

     

       25
       25
       +
           container_name: plc

     

       26
       26
       +
           restart: unless-stopped

     

       27
       27
       +
           depends_on:

     

       28
       28
       +
             - plc_db

     

       29
       29
       +
           environment:

     

       30
       30
       +
             DEBUG_MODE: 1

     

       31
       31
       +
             LOG_ENABLED: "true"

     

       32
       32
       +
             LOG_LEVEL: "debug"

     

       33
       33
       +
             LOG_DESTINATION: 1

     

       34
       34
       +
             DB_CREDS_JSON: &DB_CREDS_JSON '{"username":"pg","password":"password","host":"plc_db","port":5432}'

     

       35
       35
       +
             DB_MIGRATE_CREDS_JSON: *DB_CREDS_JSON

     

       36
       36
       +
             PLC_VERSION: 0.0.1

     

       37
       37
       +
             PORT: 8080

     

       38
       38
       +
       

     

       39
       39
       +
         plc_db:

     

       40
       40
       +
           image: postgres:14.4-alpine

     

       41
       41
       +
           container_name: plc_db

     

       42
       42
       +
           environment:

     

       43
       43
       +
             - POSTGRES_USER=pg

     

       44
       44
       +
             - POSTGRES_PASSWORD=password

     

       45
       45
       +
             - PGPORT=5432

     

       46
       46
       +
           volumes:

     

       47
       47
       +
             - plc:/var/lib/postgresql/data

     

       48
       48
       +
       

     

       49
       49
       +
         pds:

     

       50
       50
       +
           container_name: pds

     

       51
       51
       +
           image: ghcr.io/bluesky-social/pds:0.4

     

       52
       52
       +
           restart: unless-stopped

     

       53
       53
       +
           volumes:

     

       54
       54
       +
             - pds:/pds

     

       55
       55
       +
           env_file:

     

       56
       56
       +
             - ./pds.env

     

       57
       57
       +
       

     

       58
       58
       +
         # I can change the knot-docker and spindle-docker images,

     

       59
       59
       +
         # which means I can inject the cert to those containers

     

       60
       60
       +
         #

     

       61
       61
       +
         # so define *.tngl.boltless.dev as extra_hosts & inject certs to those two containers

     

       62
       62
       +
         # extra_hosts:

     

       63
       63
       +
         #   plc.tngl.boltless.dev:host.docker.internal

     

       64
       64
       +
       

     

       65
       65
       +
         jetstream:

     

       66
       66
       +
           container_name: jetstream

     

       67
       67
       +
           image: ghcr.io/bluesky-social/jetstream:sha-0ab10bd

     

       68
       68
       +
           restart: unless-stopped

     

       69
       69
       +
           volumes:

     

       70
       70
       +
             - jetstream:/data

     

       71
       71
       +
           environment:

     

       72
       72
       +
             - JETSTREAM_DATA_DIR=/data

     

       73
       73
       +
               # livness check interval to restart when no events are received (default: 15sec)

     

       74
       74
       +
             - JETSTREAM_LIVENESS_TTL=300s

     

       75
       75
       +
             - JETSTREAM_WS_URL=ws://pds:3000/xrpc/com.atproto.sync.subscribeRepos

     

       76
       76
       +
       

     

       77
       77
       +
       volumes:

     

       78
       78
       +
         caddy_config:

     

       79
       79
       +
         caddy_data:

     

       80
       80
       +
         plc:

     

       81
       81
       +
         pds:

     

       82
       82
       +
         jetstream:

+17

local-infra/pds.env

···

       1
       1
       +
       PDS_JWT_SECRET=8cae8bffcc73d9932819650791e4e89a

     

       2
       2
       +
       PDS_ADMIN_PASSWORD=d6a902588cd93bee1af83f924f60cfd3

     

       3
       3
       +
       PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=2e92e336a50a618458e1097d94a1db86ec3fd8829d7735020cbae80625c761d7

     

       4
       4
       +
       

     

       5
       5
       +
       LOG_ENABLED=true

     

       6
       6
       +
       

     

       7
       7
       +
       # PDS_BSKY_APP_VIEW_DID=did:web:api.bsky.app

     

       8
       8
       +
       # PDS_BSKY_APP_VIEW_URL=https://api.bsky.app

     

       9
       9
       +
       

     

       10
       10
       +
       PDS_DATA_DIRECTORY=/pds

     

       11
       11
       +
       PDS_BLOBSTORE_DISK_LOCATION=/pds/blocks

     

       12
       12
       +
       

     

       13
       13
       +
       PDS_DID_PLC_URL=http://plc:8080

     

       14
       14
       +
       PDS_HOSTNAME=pds.tngl.boltless.dev

     

       15
       15
       +
       

     

       16
       16
       +
       # PDS_REPORT_SERVICE_DID=did:plc:ar7c4by46qjdydhdevvrndac

     

       17
       17
       +
       # PDS_REPORT_SERVICE_URL=https://mod.bsky.app

+9

local-infra/readme.md

···

       1
       1
       +
       run compose

     

       2
       2
       +
       ```

     

       3
       3
       +
       docker compose up -d

     

       4
       4
       +
       ```

     

       5
       5
       +
       

     

       6
       6
       +
       trust the cert (macOS)

     

       7
       7
       +
       ```

     

       8
       8
       +
       sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ./local-infra/cert/localtangled/root.crt

     

       9
       9
       +
       ```

+63

local-infra/scripts/create-test-account.sh

···

       1
       1
       +
       #!/bin/bash

     

       2
       2
       +
       set -o errexit

     

       3
       3
       +
       set -o nounset

     

       4
       4
       +
       set -o pipefail

     

       5
       5
       +
       

     

       6
       6
       +
       source "$(dirname "$0")/../pds.env"

     

       7
       7
       +
       

     

       8
       8
       +
       # curl a URL and fail if the request fails.

     

       9
       9
       +
       function curl_cmd_get {

     

       10
       10
       +
         curl --fail --silent --show-error "$@"

     

       11
       11
       +
       }

     

       12
       12
       +
       

     

       13
       13
       +
       # curl a URL and fail if the request fails.

     

       14
       14
       +
       function curl_cmd_post {

     

       15
       15
       +
         curl --fail --silent --show-error --request POST --header "Content-Type: application/json" "$@"

     

       16
       16
       +
       }

     

       17
       17
       +
       

     

       18
       18
       +
       # curl a URL but do not fail if the request fails.

     

       19
       19
       +
       function curl_cmd_post_nofail {

     

       20
       20
       +
         curl --silent --show-error --request POST --header "Content-Type: application/json" "$@"

     

       21
       21
       +
       }

     

       22
       22
       +
       

     

       23
       23
       +
       USERNAME="${1:-}"

     

       24
       24
       +
       

     

       25
       25
       +
       if [[ "${USERNAME}" == "" ]]; then

     

       26
       26
       +
         read -p "Enter a username: " USERNAME

     

       27
       27
       +
       fi

     

       28
       28
       +
       

     

       29
       29
       +
       if [[ "${USERNAME}" == "" ]]; then

     

       30
       30
       +
         echo "ERROR: missing USERNAME parameter." >/dev/stderr

     

       31
       31
       +
         echo "Usage: $0 ${SUBCOMMAND} <USERNAME>" >/dev/stderr

     

       32
       32
       +
         exit 1

     

       33
       33
       +
       fi

     

       34
       34
       +
       

     

       35
       35
       +
       PASSWORD="password"

     

       36
       36
       +
       INVITE_CODE="$(curl_cmd_post \

     

       37
       37
       +
         --user "admin:${PDS_ADMIN_PASSWORD}" \

     

       38
       38
       +
         --data '{"useCount": 1}' \

     

       39
       39
       +
         "https://${PDS_HOSTNAME}/xrpc/com.atproto.server.createInviteCode" | jq --raw-output '.code'

     

       40
       40
       +
       )"

     

       41
       41
       +
       RESULT="$(curl_cmd_post_nofail \

     

       42
       42
       +
         --data "{\"email\":\"${USERNAME}@${PDS_HOSTNAME}\", \"handle\":\"${USERNAME}.${PDS_HOSTNAME}\", \"password\":\"${PASSWORD}\", \"inviteCode\":\"${INVITE_CODE}\"}" \

     

       43
       43
       +
         "https://${PDS_HOSTNAME}/xrpc/com.atproto.server.createAccount"

     

       44
       44
       +
       )"

     

       45
       45
       +
       

     

       46
       46
       +
       DID="$(echo $RESULT | jq --raw-output '.did')"

     

       47
       47
       +
       if [[ "${DID}" != did:* ]]; then

     

       48
       48
       +
         ERR="$(echo ${RESULT} | jq --raw-output '.message')"

     

       49
       49
       +
         echo "ERROR: ${ERR}" >/dev/stderr

     

       50
       50
       +
         echo "Usage: $0 <EMAIL> <HANDLE>" >/dev/stderr

     

       51
       51
       +
         exit 1

     

       52
       52
       +
       fi

     

       53
       53
       +
       

     

       54
       54
       +
       echo

     

       55
       55
       +
       echo "Account created successfully!"

     

       56
       56
       +
       echo "-----------------------------"

     

       57
       57
       +
       echo "Handle   : ${USERNAME}.${PDS_HOSTNAME}"

     

       58
       58
       +
       echo "DID      : ${DID}"

     

       59
       59
       +
       echo "Password : ${PASSWORD}"

     

       60
       60
       +
       echo "-----------------------------"

     

       61
       61
       +
       echo "This is a test account with an insecure password."

     

       62
       62
       +
       echo "Make sure it's only used for development."

     

       63
       63
       +
       echo

+5

nix/vm.nix

···

       79
       79
        
               };

     

       80
       80
        
               # This is fine because any and all ports that are forwarded to host are explicitly marked above, we don't need a separate guest firewall

     

       81
       81
        
               networking.firewall.enable = false;

     

       82
       82
       +
               services.dnsmasq.enable = true;

     

       83
       83
       +
               services.dnsmasq.settings.address = "/tngl.boltless.dev/10.0.2.2";

     

       84
       84
       +
               security.pki.certificates = [

     

       85
       85
       +
                 (builtins.readFile ../local-infra/cert/localtangled/root.crt)

     

       86
       86
       +
               ];

     

       82
       87
        
               time.timeZone = "Europe/London";

     

       83
       88
        
               services.getty.autologinUser = "root";

     

       84
       89
        
               environment.systemPackages = with pkgs; [curl vim git sqlite litecli];