veryroundbird.house / core
forked from tangled.org/core
this repo has no description
fork atom
core / flake.nix
at push-zlzkyrrnylxr 14 kB view raw
1{ 2 description = "atproto github"; 3 4 inputs = { 5 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; 6 indigo = { 7 url = "github:oppiliappan/indigo"; 8 flake = false; 9 }; 10 htmx-src = { 11 url = "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"; 12 flake = false; 13 }; 14 lucide-src = { 15 url = "https://github.com/lucide-icons/lucide/releases/download/0.483.0/lucide-icons-0.483.0.zip"; 16 flake = false; 17 }; 18 inter-fonts-src = { 19 url = "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"; 20 flake = false; 21 }; 22 ibm-plex-mono-src = { 23 url = "https://github.com/IBM/plex/releases/download/%40ibm%2Fplex-mono%401.1.0/ibm-plex-mono.zip"; 24 flake = false; 25 }; 26 gitignore = { 27 url = "github:hercules-ci/gitignore.nix"; 28 inputs.nixpkgs.follows = "nixpkgs"; 29 }; 30 }; 31 32 outputs = { 33 self, 34 nixpkgs, 35 indigo, 36 htmx-src, 37 lucide-src, 38 gitignore, 39 inter-fonts-src, 40 ibm-plex-mono-src, 41 }: let 42 supportedSystems = ["x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin"]; 43 forAllSystems = nixpkgs.lib.genAttrs supportedSystems; 44 nixpkgsFor = forAllSystems (system: 45 import nixpkgs { 46 inherit system; 47 overlays = [self.overlays.default]; 48 }); 49 inherit (gitignore.lib) gitignoreSource; 50 in { 51 overlays.default = final: prev: let 52 goModHash = "sha256-H2gBkkuJaZtHlvW33aWZu0pS9vsS/A2ojeEUbp6o7Go="; 53 in { 54 indigo-lexgen = final.buildGoModule { 55 pname = "indigo-lexgen"; 56 version = "0.1.0"; 57 src = indigo; 58 subPackages = ["cmd/lexgen"]; 59 vendorHash = "sha256-pGc29fgJFq8LP7n/pY1cv6ExZl88PAeFqIbFEhB3xXs="; 60 doCheck = false; 61 }; 62 63 appview = with final; 64 final.pkgsStatic.buildGoModule { 65 pname = "appview"; 66 version = "0.1.0"; 67 src = gitignoreSource ./.; 68 postUnpack = '' 69 pushd source 70 mkdir -p appview/pages/static/{fonts,icons} 71 cp -f ${htmx-src} appview/pages/static/htmx.min.js 72 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 73 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 74 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 75 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 76 ${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o appview/pages/static/tw.css 77 popd 78 ''; 79 doCheck = false; 80 subPackages = ["cmd/appview"]; 81 vendorHash = goModHash; 82 env.CGO_ENABLED = 1; 83 stdenv = pkgsStatic.stdenv; 84 }; 85 86 knot = with final; 87 final.pkgsStatic.buildGoModule { 88 pname = "knot"; 89 version = "0.1.0"; 90 src = gitignoreSource ./.; 91 nativeBuildInputs = [final.makeWrapper]; 92 subPackages = ["cmd/knot"]; 93 vendorHash = goModHash; 94 installPhase = '' 95 runHook preInstall 96 97 mkdir -p $out/bin 98 cp $GOPATH/bin/knot $out/bin/knot 99 100 wrapProgram $out/bin/knot \ 101 --prefix PATH : ${pkgs.git}/bin 102 103 runHook postInstall 104 ''; 105 env.CGO_ENABLED = 1; 106 }; 107 knot-unwrapped = final.pkgsStatic.buildGoModule { 108 pname = "knot"; 109 version = "0.1.0"; 110 src = gitignoreSource ./.; 111 subPackages = ["cmd/knot"]; 112 vendorHash = goModHash; 113 env.CGO_ENABLED = 1; 114 }; 115 genjwks = final.buildGoModule { 116 pname = "genjwks"; 117 version = "0.1.0"; 118 src = gitignoreSource ./.; 119 subPackages = ["cmd/genjwks"]; 120 vendorHash = goModHash; 121 env.CGO_ENABLED = 0; 122 }; 123 }; 124 packages = forAllSystems (system: { 125 inherit 126 (nixpkgsFor."${system}") 127 indigo-lexgen 128 appview 129 knot 130 knot-unwrapped 131 genjwks 132 ; 133 }); 134 defaultPackage = forAllSystems (system: nixpkgsFor.${system}.appview); 135 formatter = forAllSystems (system: nixpkgsFor."${system}".alejandra); 136 devShells = forAllSystems (system: let 137 pkgs = nixpkgsFor.${system}; 138 staticShell = pkgs.mkShell.override { 139 stdenv = pkgs.pkgsStatic.stdenv; 140 }; 141 in { 142 default = staticShell { 143 nativeBuildInputs = [ 144 pkgs.go 145 pkgs.air 146 pkgs.gopls 147 pkgs.httpie 148 pkgs.indigo-lexgen 149 pkgs.litecli 150 pkgs.websocat 151 pkgs.tailwindcss 152 pkgs.nixos-shell 153 pkgs.redis 154 ]; 155 shellHook = '' 156 mkdir -p appview/pages/static/{fonts,icons} 157 cp -f ${htmx-src} appview/pages/static/htmx.min.js 158 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 159 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 160 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 161 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 162 export TANGLED_OAUTH_JWKS="$(${pkgs.genjwks}/bin/genjwks)" 163 ''; 164 env.CGO_ENABLED = 1; 165 }; 166 }); 167 apps = forAllSystems (system: let 168 pkgs = nixpkgsFor."${system}"; 169 air-watcher = name: arg: 170 pkgs.writeShellScriptBin "run" 171 '' 172 ${pkgs.air}/bin/air -c /dev/null \ 173 -build.cmd "${pkgs.go}/bin/go build -o ./out/${name}.out ./cmd/${name}/main.go" \ 174 -build.bin "./out/${name}.out ${arg}" \ 175 -build.stop_on_error "true" \ 176 -build.include_ext "go" 177 ''; 178 tailwind-watcher = 179 pkgs.writeShellScriptBin "run" 180 '' 181 ${pkgs.tailwindcss}/bin/tailwindcss -w -i input.css -o ./appview/pages/static/tw.css 182 ''; 183 in { 184 watch-appview = { 185 type = "app"; 186 program = ''${air-watcher "appview" ""}/bin/run''; 187 }; 188 watch-knot = { 189 type = "app"; 190 program = ''${air-watcher "knot" "server"}/bin/run''; 191 }; 192 watch-tailwind = { 193 type = "app"; 194 program = ''${tailwind-watcher}/bin/run''; 195 }; 196 }); 197 198 nixosModules.appview = { 199 config, 200 pkgs, 201 lib, 202 ... 203 }: 204 with lib; { 205 options = { 206 services.tangled-appview = { 207 enable = mkOption { 208 type = types.bool; 209 default = false; 210 description = "Enable tangled appview"; 211 }; 212 port = mkOption { 213 type = types.int; 214 default = 3000; 215 description = "Port to run the appview on"; 216 }; 217 cookie_secret = mkOption { 218 type = types.str; 219 default = "00000000000000000000000000000000"; 220 description = "Cookie secret"; 221 }; 222 }; 223 }; 224 225 config = mkIf config.services.tangled-appview.enable { 226 systemd.services.tangled-appview = { 227 description = "tangled appview service"; 228 wantedBy = ["multi-user.target"]; 229 230 serviceConfig = { 231 ListenStream = "0.0.0.0:${toString config.services.tangled-appview.port}"; 232 ExecStart = "${self.packages.${pkgs.system}.appview}/bin/appview"; 233 Restart = "always"; 234 }; 235 236 environment = { 237 TANGLED_DB_PATH = "appview.db"; 238 TANGLED_COOKIE_SECRET = config.services.tangled-appview.cookie_secret; 239 }; 240 }; 241 }; 242 }; 243 244 nixosModules.knot = { 245 config, 246 pkgs, 247 lib, 248 ... 249 }: let 250 cfg = config.services.tangled-knot; 251 in 252 with lib; { 253 options = { 254 services.tangled-knot = { 255 enable = mkOption { 256 type = types.bool; 257 default = false; 258 description = "Enable a tangled knot"; 259 }; 260 261 appviewEndpoint = mkOption { 262 type = types.str; 263 default = "https://tangled.sh"; 264 description = "Appview endpoint"; 265 }; 266 267 gitUser = mkOption { 268 type = types.str; 269 default = "git"; 270 description = "User that hosts git repos and performs git operations"; 271 }; 272 273 openFirewall = mkOption { 274 type = types.bool; 275 default = true; 276 description = "Open port 22 in the firewall for ssh"; 277 }; 278 279 stateDir = mkOption { 280 type = types.path; 281 default = "/home/${cfg.gitUser}"; 282 description = "Tangled knot data directory"; 283 }; 284 285 repo = { 286 scanPath = mkOption { 287 type = types.path; 288 default = cfg.stateDir; 289 description = "Path where repositories are scanned from"; 290 }; 291 292 mainBranch = mkOption { 293 type = types.str; 294 default = "main"; 295 description = "Default branch name for repositories"; 296 }; 297 }; 298 299 server = { 300 listenAddr = mkOption { 301 type = types.str; 302 default = "0.0.0.0:5555"; 303 description = "Address to listen on"; 304 }; 305 306 internalListenAddr = mkOption { 307 type = types.str; 308 default = "127.0.0.1:5444"; 309 description = "Internal address for inter-service communication"; 310 }; 311 312 secretFile = mkOption { 313 type = lib.types.path; 314 example = "KNOT_SERVER_SECRET=<hash>"; 315 description = "File containing secret key provided by appview (required)"; 316 }; 317 318 dbPath = mkOption { 319 type = types.path; 320 default = "${cfg.stateDir}/knotserver.db"; 321 description = "Path to the database file"; 322 }; 323 324 hostname = mkOption { 325 type = types.str; 326 example = "knot.tangled.sh"; 327 description = "Hostname for the server (required)"; 328 }; 329 330 dev = mkOption { 331 type = types.bool; 332 default = false; 333 description = "Enable development mode (disables signature verification)"; 334 }; 335 }; 336 }; 337 }; 338 339 config = mkIf cfg.enable { 340 environment.systemPackages = with pkgs; [git]; 341 342 system.activationScripts.gitConfig = '' 343 mkdir -p "${cfg.repo.scanPath}" 344 chown -R ${cfg.gitUser}:${cfg.gitUser} \ 345 "${cfg.repo.scanPath}" 346 347 mkdir -p "${cfg.stateDir}/.config/git" 348 cat > "${cfg.stateDir}/.config/git/config" << EOF 349 [user] 350 name = Git User 351 email = git@example.com 352 EOF 353 chown -R ${cfg.gitUser}:${cfg.gitUser} \ 354 "${cfg.stateDir}" 355 ''; 356 357 users.users.${cfg.gitUser} = { 358 isSystemUser = true; 359 useDefaultShell = true; 360 home = cfg.stateDir; 361 createHome = true; 362 group = cfg.gitUser; 363 }; 364 365 users.groups.${cfg.gitUser} = {}; 366 367 services.openssh = { 368 enable = true; 369 extraConfig = '' 370 Match User ${cfg.gitUser} 371 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper 372 AuthorizedKeysCommandUser nobody 373 ''; 374 }; 375 376 environment.etc."ssh/keyfetch_wrapper" = { 377 mode = "0555"; 378 text = '' 379 #!${pkgs.stdenv.shell} 380 ${self.packages.${pkgs.system}.knot}/bin/knot keys \ 381 -output authorized-keys \ 382 -internal-api "http://${cfg.server.internalListenAddr}" \ 383 -git-dir "${cfg.repo.scanPath}" \ 384 -log-path /tmp/knotguard.log 385 ''; 386 }; 387 388 systemd.services.knot = { 389 description = "knot service"; 390 after = ["network.target" "sshd.service"]; 391 wantedBy = ["multi-user.target"]; 392 serviceConfig = { 393 User = cfg.gitUser; 394 WorkingDirectory = cfg.stateDir; 395 Environment = [ 396 "KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}" 397 "KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}" 398 "APPVIEW_ENDPOINT=${cfg.appviewEndpoint}" 399 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}" 400 "KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}" 401 "KNOT_SERVER_DB_PATH=${cfg.server.dbPath}" 402 "KNOT_SERVER_HOSTNAME=${cfg.server.hostname}" 403 ]; 404 EnvironmentFile = cfg.server.secretFile; 405 ExecStart = "${self.packages.${pkgs.system}.knot}/bin/knot server"; 406 Restart = "always"; 407 }; 408 }; 409 410 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22]; 411 }; 412 }; 413 414 nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem { 415 system = "x86_64-linux"; 416 modules = [ 417 self.nixosModules.knot 418 ({ 419 config, 420 pkgs, 421 ... 422 }: { 423 virtualisation.memorySize = 2048; 424 virtualisation.diskSize = 10 * 1024; 425 virtualisation.cores = 2; 426 services.getty.autologinUser = "root"; 427 environment.systemPackages = with pkgs; [curl vim git]; 428 systemd.tmpfiles.rules = let 429 u = config.services.tangled-knot.gitUser; 430 g = config.services.tangled-knot.gitUser; 431 in [ 432 "d /var/lib/knot 0770 ${u} ${g} - -" # Create the directory first 433 "f+ /var/lib/knot/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=38a7c3237c2a585807e06a5bcfac92eb39442063f3da306b7acb15cfdc51d19d" 434 ]; 435 services.tangled-knot = { 436 enable = true; 437 server = { 438 secretFile = "/var/lib/knot/secret"; 439 hostname = "localhost:6000"; 440 listenAddr = "0.0.0.0:6000"; 441 }; 442 }; 443 }) 444 ]; 445 }; 446 }; 447}