veryroundbird.house / core
forked from tangled.org/core
this repo has no description
fork atom
core / flake.nix
at 1ec8fe70a82f92dea2710c3d9f9f39fd94ac730e 14 kB view raw
1{ 2 description = "atproto github"; 3 4 inputs = { 5 nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; 6 indigo = { 7 url = "github:oppiliappan/indigo"; 8 flake = false; 9 }; 10 htmx-src = { 11 url = "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"; 12 flake = false; 13 }; 14 lucide-src = { 15 url = "https://github.com/lucide-icons/lucide/releases/download/0.483.0/lucide-icons-0.483.0.zip"; 16 flake = false; 17 }; 18 inter-fonts-src = { 19 url = "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"; 20 flake = false; 21 }; 22 ibm-plex-mono-src = { 23 url = "https://github.com/IBM/plex/releases/download/%40ibm%2Fplex-mono%401.1.0/ibm-plex-mono.zip"; 24 flake = false; 25 }; 26 gitignore = { 27 url = "github:hercules-ci/gitignore.nix"; 28 inputs.nixpkgs.follows = "nixpkgs"; 29 }; 30 }; 31 32 outputs = { 33 self, 34 nixpkgs, 35 indigo, 36 htmx-src, 37 lucide-src, 38 gitignore, 39 inter-fonts-src, 40 ibm-plex-mono-src, 41 }: let 42 supportedSystems = ["x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin"]; 43 forAllSystems = nixpkgs.lib.genAttrs supportedSystems; 44 nixpkgsFor = forAllSystems (system: 45 import nixpkgs { 46 inherit system; 47 overlays = [self.overlays.default]; 48 }); 49 inherit (gitignore.lib) gitignoreSource; 50 in { 51 overlays.default = final: prev: let 52 goModHash = "sha256-2vljseczrvsl2T0P9k69ro72yU59l5fp9r/sszmXYY4="; 53 buildCmdPackage = name: 54 final.buildGoModule { 55 pname = name; 56 version = "0.1.0"; 57 src = gitignoreSource ./.; 58 subPackages = ["cmd/${name}"]; 59 vendorHash = goModHash; 60 CGO_ENABLED = 0; 61 }; 62 in { 63 indigo-lexgen = final.buildGoModule { 64 pname = "indigo-lexgen"; 65 version = "0.1.0"; 66 src = indigo; 67 subPackages = ["cmd/lexgen"]; 68 vendorHash = "sha256-pGc29fgJFq8LP7n/pY1cv6ExZl88PAeFqIbFEhB3xXs="; 69 doCheck = false; 70 }; 71 72 syntax-chroma = final.buildGoModule { 73 pname = "chroma"; 74 version = "0.1.0"; 75 src = gitignoreSource ./.; 76 subPackages = ["cmd/syntax/chroma.go"]; 77 vendorHash = goModHash; 78 CGO_ENABLED = 1; 79 }; 80 81 appview = with final; 82 final.pkgsStatic.buildGoModule { 83 pname = "appview"; 84 version = "0.1.0"; 85 src = gitignoreSource ./.; 86 postUnpack = '' 87 pushd source 88 mkdir -p appview/pages/static/{fonts,icons} 89 cp -f ${htmx-src} appview/pages/static/htmx.min.js 90 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 91 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 92 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 93 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 94 ${pkgs.syntax-chroma}/bin/chroma -out appview/pages/static/syntax.css 95 ${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o appview/pages/static/tw.css 96 popd 97 ''; 98 doCheck = false; 99 subPackages = ["cmd/appview"]; 100 vendorHash = goModHash; 101 CGO_ENABLED = 1; 102 stdenv = pkgsStatic.stdenv; 103 }; 104 105 knotserver = with final; 106 final.pkgsStatic.buildGoModule { 107 pname = "knotserver"; 108 version = "0.1.0"; 109 src = gitignoreSource ./.; 110 nativeBuildInputs = [final.makeWrapper]; 111 subPackages = ["cmd/knotserver"]; 112 vendorHash = goModHash; 113 installPhase = '' 114 runHook preInstall 115 116 mkdir -p $out/bin 117 cp $GOPATH/bin/knotserver $out/bin/knotserver 118 119 wrapProgram $out/bin/knotserver \ 120 --prefix PATH : ${pkgs.git}/bin 121 122 runHook postInstall 123 ''; 124 CGO_ENABLED = 1; 125 }; 126 knotserver-unwrapped = final.pkgsStatic.buildGoModule { 127 pname = "knotserver"; 128 version = "0.1.0"; 129 src = gitignoreSource ./.; 130 subPackages = ["cmd/knotserver"]; 131 vendorHash = goModHash; 132 CGO_ENABLED = 1; 133 }; 134 repoguard = buildCmdPackage "repoguard"; 135 keyfetch = buildCmdPackage "keyfetch"; 136 }; 137 packages = forAllSystems (system: { 138 inherit 139 (nixpkgsFor."${system}") 140 indigo-lexgen 141 appview 142 knotserver 143 knotserver-unwrapped 144 repoguard 145 keyfetch 146 ; 147 }); 148 defaultPackage = forAllSystems (system: nixpkgsFor.${system}.appview); 149 formatter = forAllSystems (system: nixpkgsFor."${system}".alejandra); 150 devShells = forAllSystems (system: let 151 pkgs = nixpkgsFor.${system}; 152 staticShell = pkgs.mkShell.override { 153 stdenv = pkgs.pkgsStatic.stdenv; 154 }; 155 in { 156 default = staticShell { 157 nativeBuildInputs = [ 158 pkgs.go 159 pkgs.air 160 pkgs.gopls 161 pkgs.httpie 162 pkgs.indigo-lexgen 163 pkgs.litecli 164 pkgs.websocat 165 pkgs.tailwindcss 166 pkgs.nixos-shell 167 ]; 168 shellHook = '' 169 mkdir -p appview/pages/static/{fonts,icons} 170 cp -f ${htmx-src} appview/pages/static/htmx.min.js 171 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 172 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 173 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 174 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 175 ''; 176 }; 177 }); 178 apps = forAllSystems (system: let 179 pkgs = nixpkgsFor."${system}"; 180 air-watcher = name: 181 pkgs.writeShellScriptBin "run" 182 '' 183 ${pkgs.air}/bin/air -c /dev/null \ 184 -build.cmd "${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o ./appview/pages/static/tw.css && ${pkgs.go}/bin/go build -o ./out/${name}.out ./cmd/${name}/main.go" \ 185 -build.bin "./out/${name}.out" \ 186 -build.include_ext "go,html,css" 187 ''; 188 in { 189 watch-appview = { 190 type = "app"; 191 program = ''${air-watcher "appview"}/bin/run''; 192 }; 193 watch-knotserver = { 194 type = "app"; 195 program = ''${air-watcher "knotserver"}/bin/run''; 196 }; 197 }); 198 199 nixosModules.appview = { 200 config, 201 pkgs, 202 lib, 203 ... 204 }: 205 with lib; { 206 options = { 207 services.tangled-appview = { 208 enable = mkOption { 209 type = types.bool; 210 default = false; 211 description = "Enable tangled appview"; 212 }; 213 port = mkOption { 214 type = types.int; 215 default = 3000; 216 description = "Port to run the appview on"; 217 }; 218 cookie_secret = mkOption { 219 type = types.str; 220 default = "00000000000000000000000000000000"; 221 description = "Cookie secret"; 222 }; 223 }; 224 }; 225 226 config = mkIf config.services.tangled-appview.enable { 227 systemd.services.tangled-appview = { 228 description = "tangled appview service"; 229 wantedBy = ["multi-user.target"]; 230 231 serviceConfig = { 232 ListenStream = "0.0.0.0:${toString config.services.tangled-appview.port}"; 233 ExecStart = "${self.packages.${pkgs.system}.appview}/bin/appview"; 234 Restart = "always"; 235 }; 236 237 environment = { 238 TANGLED_DB_PATH = "appview.db"; 239 TANGLED_COOKIE_SECRET = config.services.tangled-appview.cookie_secret; 240 }; 241 }; 242 }; 243 }; 244 245 nixosModules.knotserver = { 246 config, 247 pkgs, 248 lib, 249 ... 250 }: let 251 cfg = config.services.tangled-knotserver; 252 in 253 with lib; { 254 options = { 255 services.tangled-knotserver = { 256 enable = mkOption { 257 type = types.bool; 258 default = false; 259 description = "Enable a tangled knotserver"; 260 }; 261 262 appviewEndpoint = mkOption { 263 type = types.str; 264 default = "https://tangled.sh"; 265 description = "Appview endpoint"; 266 }; 267 268 gitUser = mkOption { 269 type = types.str; 270 default = "git"; 271 description = "User that hosts git repos and performs git operations"; 272 }; 273 274 openFirewall = mkOption { 275 type = types.bool; 276 default = true; 277 description = "Open port 22 in the firewall for ssh"; 278 }; 279 280 stateDir = mkOption { 281 type = types.path; 282 default = "/home/${cfg.gitUser}"; 283 description = "Tangled knot data directory"; 284 }; 285 286 repo = { 287 scanPath = mkOption { 288 type = types.path; 289 default = cfg.stateDir; 290 description = "Path where repositories are scanned from"; 291 }; 292 293 mainBranch = mkOption { 294 type = types.str; 295 default = "main"; 296 description = "Default branch name for repositories"; 297 }; 298 }; 299 300 server = { 301 listenAddr = mkOption { 302 type = types.str; 303 default = "0.0.0.0:5555"; 304 description = "Address to listen on"; 305 }; 306 307 internalListenAddr = mkOption { 308 type = types.str; 309 default = "127.0.0.1:5444"; 310 description = "Internal address for inter-service communication"; 311 }; 312 313 secretFile = mkOption { 314 type = lib.types.path; 315 example = "KNOT_SERVER_SECRET=<hash>"; 316 description = "File containing secret key provided by appview (required)"; 317 }; 318 319 dbPath = mkOption { 320 type = types.path; 321 default = "${cfg.stateDir}/knotserver.db"; 322 description = "Path to the database file"; 323 }; 324 325 hostname = mkOption { 326 type = types.str; 327 example = "knot.tangled.sh"; 328 description = "Hostname for the server (required)"; 329 }; 330 331 dev = mkOption { 332 type = types.bool; 333 default = false; 334 description = "Enable development mode (disables signature verification)"; 335 }; 336 }; 337 }; 338 }; 339 340 config = mkIf cfg.enable { 341 environment.systemPackages = with pkgs; [git]; 342 343 system.activationScripts.gitConfig = '' 344 mkdir -p "${cfg.repo.scanPath}" 345 chown -R ${cfg.gitUser}:${cfg.gitUser} \ 346 "${cfg.repo.scanPath}" 347 348 mkdir -p "${cfg.stateDir}/.config/git" 349 cat > "${cfg.stateDir}/.config/git/config" << EOF 350 [user] 351 name = Git User 352 email = git@example.com 353 EOF 354 chown -R ${cfg.gitUser}:${cfg.gitUser} \ 355 "${cfg.stateDir}" 356 ''; 357 358 users.users.${cfg.gitUser} = { 359 isSystemUser = true; 360 useDefaultShell = true; 361 home = cfg.stateDir; 362 createHome = true; 363 group = cfg.gitUser; 364 }; 365 366 users.groups.${cfg.gitUser} = {}; 367 368 services.openssh = { 369 enable = true; 370 extraConfig = '' 371 Match User ${cfg.gitUser} 372 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper 373 AuthorizedKeysCommandUser nobody 374 ''; 375 }; 376 377 environment.etc."ssh/keyfetch_wrapper" = { 378 mode = "0555"; 379 text = '' 380 #!${pkgs.stdenv.shell} 381 ${self.packages.${pkgs.system}.keyfetch}/bin/keyfetch \ 382 -repoguard-path ${self.packages.${pkgs.system}.repoguard}/bin/repoguard \ 383 -internal-api "http://${cfg.server.internalListenAddr}" \ 384 -git-dir "${cfg.repo.scanPath}" \ 385 -log-path /tmp/repoguard.log 386 ''; 387 }; 388 389 systemd.services.knotserver = { 390 description = "knotserver service"; 391 after = ["network.target" "sshd.service"]; 392 wantedBy = ["multi-user.target"]; 393 serviceConfig = { 394 User = cfg.gitUser; 395 WorkingDirectory = cfg.stateDir; 396 Environment = [ 397 "KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}" 398 "KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}" 399 "APPVIEW_ENDPOINT=${cfg.appviewEndpoint}" 400 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}" 401 "KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}" 402 "KNOT_SERVER_DB_PATH=${cfg.server.dbPath}" 403 "KNOT_SERVER_HOSTNAME=${cfg.server.hostname}" 404 ]; 405 EnvironmentFile = cfg.server.secretFile; 406 ExecStart = "${self.packages.${pkgs.system}.knotserver}/bin/knotserver"; 407 Restart = "always"; 408 }; 409 }; 410 411 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22]; 412 }; 413 }; 414 415 nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem { 416 system = "x86_64-linux"; 417 modules = [ 418 self.nixosModules.knotserver 419 ({ 420 config, 421 pkgs, 422 ... 423 }: { 424 virtualisation.memorySize = 2048; 425 virtualisation.cores = 2; 426 services.getty.autologinUser = "root"; 427 environment.systemPackages = with pkgs; [curl vim git]; 428 systemd.tmpfiles.rules = let 429 u = config.services.tangled-knotserver.gitUser; 430 g = config.services.tangled-knotserver.gitUser; 431 in [ 432 "d /var/lib/knotserver 0770 ${u} ${g} - -" # Create the directory first 433 "f+ /var/lib/knotserver/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=5b42390da4c6659f34c9a545adebd8af82c4a19960d735f651e3d582623ba9f2" 434 ]; 435 services.tangled-knotserver = { 436 enable = true; 437 server = { 438 secretFile = "/var/lib/knotserver/secret"; 439 hostname = "localhost:6000"; 440 listenAddr = "0.0.0.0:6000"; 441 }; 442 }; 443 }) 444 ]; 445 }; 446 }; 447}