# tangled

Hello Tanglers! This is the codebase for
[Tangled](https://tangled.sh), a code collaboration platform built
on the [AT Protocol](https://atproto.com).

Read the introduction to Tangled [here](https://blog.tangled.sh/intro).

## knot self-hosting guide

So you want to run your own knot server? Great! Here are a few prerequisites:

1. A server of some kind (a VPS, a Raspberry Pi, etc.), preferably running Linux.
2. A (sub)domain name. People generally use `knot.example.com`.
3. A valid SSL certificate for your domain.

There are a couple of ways to get started:
* NixOS: refer to [flake.nix](https://tangled.sh/@tangled.sh/core/blob/master/flake.nix)
* Manual: documented below.

### manual setup

First, clone this repository:

```
git clone https://tangled.sh/@tangled.sh/core
```

Then, build our binaries (you need to have Go installed):
* `knotserver`: the main server program
* `keyfetch`: utility to fetch ssh pubkeys
* `repoguard`: enforces repository access control

```
cd core
export CGO_ENABLED=1
go build -o knot ./cmd/knotserver
go build -o keyfetch ./cmd/keyfetch
go build -o repoguard ./cmd/repoguard
```

Next, move the `keyfetch` binary to a location owned by `root` --
`/usr/local/libexec/tangled-keyfetch` is a good choice:

```
sudo mv keyfetch /usr/local/libexec/tangled-keyfetch
sudo chown root:root /usr/local/libexec/tangled-keyfetch
sudo chmod 755 /usr/local/libexec/tangled-keyfetch
```

This is necessary because SSH `AuthorizedKeysCommand` requires [really specific
permissions](https://stackoverflow.com/a/27638306). Let's set that up:

```
sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
Match User git
    AuthorizedKeysCommand /usr/local/libexec/tangled-keyfetch
    AuthorizedKeysCommandUser nobody
EOF
```
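
The ownership and mode conditions that sshd places on the `AuthorizedKeysCommand` path can be checked before relying on the config above. The script below is an added example, not code from the Tangled repository; the function names `component_ok` and `check_chain` and the optional owner and stop-directory arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Tangled repo): pre-flight check for the
# AuthorizedKeysCommand binary. sshd checks that the file and each
# directory above it are root-owned and not writable by group or others.

# component_ok PATH UID
# Succeeds if PATH is owned by UID and has no group/other write bit.
component_ok() {
    info=$(ls -ldnL -- "$1" 2>/dev/null) || { echo "cannot stat: $1" >&2; return 1; }
    perms=${info%% *}                                   # e.g. drwxr-xr-x
    owner=$(printf '%s\n' "$info" | awk '{print $3}')   # numeric uid (-n)
    if [ "$owner" != "$2" ]; then
        echo "owned by uid $owner, expected $2: $1" >&2
        return 1
    fi
    case $perms in
        ?????w*|????????w*)          # char 6 = group write, char 9 = other write
            echo "group/other-writable ($perms): $1" >&2
            return 1 ;;
    esac
}

# check_chain PATH [UID] [STOP]
# Walks from PATH up to STOP (default /), checking each component.
# UID and STOP are illustration-only knobs so the check can be exercised
# in a scratch directory; for sshd leave them at the defaults (0 and /).
check_chain() {
    p=$1; uid=${2:-0}; stop=${3:-/}
    case $p in /*) ;; *) echo "path must be absolute: $p" >&2; return 1 ;; esac
    if [ ! -f "$p" ] || [ ! -x "$p" ]; then
        echo "not an executable file: $p" >&2
        return 1
    fi
    while :; do
        component_ok "$p" "$uid" || return 1
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then
            return 0
        fi
        p=$(dirname -- "$p")
    done
}

# Usage on the knot host:
#   check_chain /usr/local/libexec/tangled-keyfetch && echo "permissions ok"
```

A non-zero exit names the first component that fails, which is usually quicker than finding the refusal in the sshd log.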

Next, create the `git` user:

```
sudo adduser git
```

Copy the `repoguard` binary to the `git` user's home directory:

```
sudo cp repoguard /home/git
sudo chown git:git /home/git/repoguard
```

Now, let's set up the server. Copy the `knot` binary to
`/usr/local/bin/knotserver`. Then, create `/home/git/.knot.env` with the
following, updating the values as necessary. The `KNOT_SERVER_SECRET` can be
obtained from the [/knots](/knots) page on Tangled.

```
KNOT_REPO_SCAN_PATH=/home/git
KNOT_SERVER_HOSTNAME=knot.example.com
APPVIEW_ENDPOINT=https://tangled.sh
KNOT_SERVER_SECRET=secret
KNOT_SERVER_INTERNAL_LISTEN_ADDR=127.0.0.1:5444
KNOT_SERVER_LISTEN_ADDR=127.0.0.1:5555
```

If you run a Linux distribution that uses systemd, you can use the provided
service file to run the server. Copy
[`knotserver.service`](https://tangled.sh/did:plc:wshs7t2adsemcrrd4snkeqli/core/blob/master/systemd/knotserver.service)
to `/etc/systemd/system/`. Then, run:

```
sudo systemctl enable knotserver
sudo systemctl start knotserver
```

You should now have a running knot server! You can finalize your registration by hitting the
`initialize` button on the [/knots](/knots) page.