veryroundbird.house / core
forked from tangled.org/core
this repo has no description
fork atom
core / flake.nix
at push-zrkqwwrtxvzn 16 kB view raw
1{ 2 description = "atproto github"; 3 4 inputs = { 5 nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; 6 indigo = { 7 url = "github:oppiliappan/indigo"; 8 flake = false; 9 }; 10 htmx-src = { 11 url = "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"; 12 flake = false; 13 }; 14 lucide-src = { 15 url = "https://github.com/lucide-icons/lucide/releases/download/0.483.0/lucide-icons-0.483.0.zip"; 16 flake = false; 17 }; 18 inter-fonts-src = { 19 url = "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"; 20 flake = false; 21 }; 22 ibm-plex-mono-src = { 23 url = "https://github.com/IBM/plex/releases/download/%40ibm%2Fplex-mono%401.1.0/ibm-plex-mono.zip"; 24 flake = false; 25 }; 26 gitignore = { 27 url = "github:hercules-ci/gitignore.nix"; 28 inputs.nixpkgs.follows = "nixpkgs"; 29 }; 30 }; 31 32 outputs = { 33 self, 34 nixpkgs, 35 indigo, 36 htmx-src, 37 lucide-src, 38 gitignore, 39 inter-fonts-src, 40 ibm-plex-mono-src, 41 }: let 42 supportedSystems = ["x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin"]; 43 forAllSystems = nixpkgs.lib.genAttrs supportedSystems; 44 nixpkgsFor = forAllSystems (system: 45 import nixpkgs { 46 inherit system; 47 overlays = [self.overlays.default]; 48 }); 49 inherit (gitignore.lib) gitignoreSource; 50 in { 51 overlays.default = final: prev: let 52 goModHash = "sha256-HkmfHtnuixvDsLPthcguXToOFQo4eliZKQA2ibytdsE="; 53 in { 54 indigo-lexgen = final.buildGoModule { 55 pname = "indigo-lexgen"; 56 version = "0.1.0"; 57 src = indigo; 58 subPackages = ["cmd/lexgen"]; 59 vendorHash = "sha256-pGc29fgJFq8LP7n/pY1cv6ExZl88PAeFqIbFEhB3xXs="; 60 doCheck = false; 61 }; 62 63 appview = with final; 64 final.pkgsStatic.buildGoModule { 65 pname = "appview"; 66 version = "0.1.0"; 67 src = gitignoreSource ./.; 68 postUnpack = '' 69 pushd source 70 mkdir -p appview/pages/static/{fonts,icons} 71 cp -f ${htmx-src} appview/pages/static/htmx.min.js 72 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 73 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 74 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 75 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 76 ${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o appview/pages/static/tw.css 77 popd 78 ''; 79 doCheck = false; 80 subPackages = ["cmd/appview"]; 81 vendorHash = goModHash; 82 env.CGO_ENABLED = 1; 83 stdenv = pkgsStatic.stdenv; 84 }; 85 86 appview-cross = with final; 87 final.pkgsCross.gnu64.pkgsStatic.buildGoModule { 88 pname = "appview"; 89 version = "0.1.0"; 90 src = gitignoreSource ./.; 91 postUnpack = '' 92 pushd source 93 mkdir -p appview/pages/static/{fonts,icons} 94 cp -f ${htmx-src} appview/pages/static/htmx.min.js 95 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 96 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 97 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 98 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 99 ${pkgs.tailwindcss}/bin/tailwindcss -i input.css -o appview/pages/static/tw.css 100 popd 101 ''; 102 doCheck = false; 103 subPackages = ["cmd/appview"]; 104 vendorHash = goModHash; 105 env.CGO_ENABLED = 1; 106 stdenv = pkgsStatic.stdenv; 107 }; 108 109 # cross-compile on darwin to x86_64-linux 110 knot-cross = with final; 111 final.pkgsCross.gnu64.pkgsStatic.buildGoModule { 112 pname = "knot"; 113 version = "0.1.0"; 114 src = gitignoreSource ./.; 115 subPackages = ["cmd/knot"]; 116 vendorHash = goModHash; 117 118 env.CGO_ENABLED = 1; 119 }; 120 121 knot = with final; 122 final.pkgsStatic.buildGoModule { 123 pname = "knot"; 124 version = "0.1.0"; 125 src = gitignoreSource ./.; 126 nativeBuildInputs = [final.makeWrapper]; 127 subPackages = ["cmd/knot"]; 128 vendorHash = goModHash; 129 installPhase = '' 130 runHook preInstall 131 132 mkdir -p $out/bin 133 cp $GOPATH/bin/knot $out/bin/knot 134 135 wrapProgram $out/bin/knot \ 136 --prefix PATH : ${pkgs.git}/bin 137 138 runHook postInstall 139 ''; 140 env.CGO_ENABLED = 1; 141 }; 142 knot-unwrapped = final.pkgsStatic.buildGoModule { 143 pname = "knot"; 144 version = "0.1.0"; 145 src = gitignoreSource ./.; 146 subPackages = ["cmd/knot"]; 147 vendorHash = goModHash; 148 env.CGO_ENABLED = 1; 149 }; 150 genjwks = final.buildGoModule { 151 pname = "genjwks"; 152 version = "0.1.0"; 153 src = gitignoreSource ./.; 154 subPackages = ["cmd/genjwks"]; 155 vendorHash = goModHash; 156 env.CGO_ENABLED = 0; 157 }; 158 }; 159 packages = forAllSystems (system: { 160 inherit 161 (nixpkgsFor."${system}") 162 indigo-lexgen 163 appview 164 appview-cross 165 knot 166 knot-cross 167 knot-unwrapped 168 genjwks 169 ; 170 }); 171 defaultPackage = forAllSystems (system: nixpkgsFor.${system}.appview); 172 formatter = forAllSystems (system: nixpkgsFor."${system}".alejandra); 173 devShells = forAllSystems (system: let 174 pkgs = nixpkgsFor.${system}; 175 staticShell = pkgs.mkShell.override { 176 stdenv = pkgs.pkgsStatic.stdenv; 177 }; 178 in { 179 default = staticShell { 180 nativeBuildInputs = [ 181 pkgs.go 182 pkgs.air 183 pkgs.gopls 184 pkgs.httpie 185 pkgs.indigo-lexgen 186 pkgs.litecli 187 pkgs.websocat 188 pkgs.tailwindcss 189 pkgs.nixos-shell 190 pkgs.redis 191 ]; 192 shellHook = '' 193 mkdir -p appview/pages/static/{fonts,icons} 194 cp -f ${htmx-src} appview/pages/static/htmx.min.js 195 cp -rf ${lucide-src}/*.svg appview/pages/static/icons/ 196 cp -f ${inter-fonts-src}/web/InterVariable*.woff2 appview/pages/static/fonts/ 197 cp -f ${inter-fonts-src}/web/InterDisplay*.woff2 appview/pages/static/fonts/ 198 cp -f ${ibm-plex-mono-src}/fonts/complete/woff2/IBMPlexMono-Regular.woff2 appview/pages/static/fonts/ 199 export TANGLED_OAUTH_JWKS="$(${pkgs.genjwks}/bin/genjwks)" 200 ''; 201 env.CGO_ENABLED = 1; 202 }; 203 }); 204 apps = forAllSystems (system: let 205 pkgs = nixpkgsFor."${system}"; 206 air-watcher = name: arg: 207 pkgs.writeShellScriptBin "run" 208 '' 209 ${pkgs.air}/bin/air -c /dev/null \ 210 -build.cmd "${pkgs.go}/bin/go build -o ./out/${name}.out ./cmd/${name}/main.go" \ 211 -build.bin "./out/${name}.out ${arg}" \ 212 -build.stop_on_error "true" \ 213 -build.include_ext "go" 214 ''; 215 tailwind-watcher = 216 pkgs.writeShellScriptBin "run" 217 '' 218 ${pkgs.tailwindcss}/bin/tailwindcss -w -i input.css -o ./appview/pages/static/tw.css 219 ''; 220 in { 221 watch-appview = { 222 type = "app"; 223 program = ''${air-watcher "appview" ""}/bin/run''; 224 }; 225 watch-knot = { 226 type = "app"; 227 program = ''${air-watcher "knot" "server"}/bin/run''; 228 }; 229 watch-tailwind = { 230 type = "app"; 231 program = ''${tailwind-watcher}/bin/run''; 232 }; 233 }); 234 235 nixosModules.appview = { 236 config, 237 pkgs, 238 lib, 239 ... 240 }: 241 with lib; { 242 options = { 243 services.tangled-appview = { 244 enable = mkOption { 245 type = types.bool; 246 default = false; 247 description = "Enable tangled appview"; 248 }; 249 port = mkOption { 250 type = types.int; 251 default = 3000; 252 description = "Port to run the appview on"; 253 }; 254 cookie_secret = mkOption { 255 type = types.str; 256 default = "00000000000000000000000000000000"; 257 description = "Cookie secret"; 258 }; 259 }; 260 }; 261 262 config = mkIf config.services.tangled-appview.enable { 263 systemd.services.tangled-appview = { 264 description = "tangled appview service"; 265 wantedBy = ["multi-user.target"]; 266 267 serviceConfig = { 268 ListenStream = "0.0.0.0:${toString config.services.tangled-appview.port}"; 269 ExecStart = "${self.packages.${pkgs.system}.appview}/bin/appview"; 270 Restart = "always"; 271 }; 272 273 environment = { 274 TANGLED_DB_PATH = "appview.db"; 275 TANGLED_COOKIE_SECRET = config.services.tangled-appview.cookie_secret; 276 }; 277 }; 278 }; 279 }; 280 281 nixosModules.knot = { 282 config, 283 pkgs, 284 lib, 285 ... 286 }: let 287 cfg = config.services.tangled-knot; 288 in 289 with lib; { 290 options = { 291 services.tangled-knot = { 292 enable = mkOption { 293 type = types.bool; 294 default = false; 295 description = "Enable a tangled knot"; 296 }; 297 298 appviewEndpoint = mkOption { 299 type = types.str; 300 default = "https://tangled.sh"; 301 description = "Appview endpoint"; 302 }; 303 304 gitUser = mkOption { 305 type = types.str; 306 default = "git"; 307 description = "User that hosts git repos and performs git operations"; 308 }; 309 310 openFirewall = mkOption { 311 type = types.bool; 312 default = true; 313 description = "Open port 22 in the firewall for ssh"; 314 }; 315 316 stateDir = mkOption { 317 type = types.path; 318 default = "/home/${cfg.gitUser}"; 319 description = "Tangled knot data directory"; 320 }; 321 322 repo = { 323 scanPath = mkOption { 324 type = types.path; 325 default = cfg.stateDir; 326 description = "Path where repositories are scanned from"; 327 }; 328 329 mainBranch = mkOption { 330 type = types.str; 331 default = "main"; 332 description = "Default branch name for repositories"; 333 }; 334 }; 335 336 server = { 337 listenAddr = mkOption { 338 type = types.str; 339 default = "0.0.0.0:5555"; 340 description = "Address to listen on"; 341 }; 342 343 internalListenAddr = mkOption { 344 type = types.str; 345 default = "127.0.0.1:5444"; 346 description = "Internal address for inter-service communication"; 347 }; 348 349 secretFile = mkOption { 350 type = lib.types.path; 351 example = "KNOT_SERVER_SECRET=<hash>"; 352 description = "File containing secret key provided by appview (required)"; 353 }; 354 355 dbPath = mkOption { 356 type = types.path; 357 default = "${cfg.stateDir}/knotserver.db"; 358 description = "Path to the database file"; 359 }; 360 361 hostname = mkOption { 362 type = types.str; 363 example = "knot.tangled.sh"; 364 description = "Hostname for the server (required)"; 365 }; 366 367 dev = mkOption { 368 type = types.bool; 369 default = false; 370 description = "Enable development mode (disables signature verification)"; 371 }; 372 }; 373 }; 374 }; 375 376 config = mkIf cfg.enable { 377 environment.systemPackages = with pkgs; [git]; 378 379 system.activationScripts.gitConfig = '' 380 mkdir -p "${cfg.repo.scanPath}" 381 chown -R ${cfg.gitUser}:${cfg.gitUser} \ 382 "${cfg.repo.scanPath}" 383 384 mkdir -p "${cfg.stateDir}/.config/git" 385 cat > "${cfg.stateDir}/.config/git/config" << EOF 386 [user] 387 name = Git User 388 email = git@example.com 389 EOF 390 chown -R ${cfg.gitUser}:${cfg.gitUser} \ 391 "${cfg.stateDir}" 392 ''; 393 394 users.users.${cfg.gitUser} = { 395 isSystemUser = true; 396 useDefaultShell = true; 397 home = cfg.stateDir; 398 createHome = true; 399 group = cfg.gitUser; 400 }; 401 402 users.groups.${cfg.gitUser} = {}; 403 404 services.openssh = { 405 enable = true; 406 extraConfig = '' 407 Match User ${cfg.gitUser} 408 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper 409 AuthorizedKeysCommandUser nobody 410 ''; 411 }; 412 413 environment.etc."ssh/keyfetch_wrapper" = { 414 mode = "0555"; 415 text = '' 416 #!${pkgs.stdenv.shell} 417 ${self.packages.${pkgs.system}.knot}/bin/knot keys \ 418 -output authorized-keys \ 419 -internal-api "http://${cfg.server.internalListenAddr}" \ 420 -git-dir "${cfg.repo.scanPath}" \ 421 -log-path /tmp/knotguard.log 422 ''; 423 }; 424 425 systemd.services.knot = { 426 description = "knot service"; 427 after = ["network.target" "sshd.service"]; 428 wantedBy = ["multi-user.target"]; 429 serviceConfig = { 430 User = cfg.gitUser; 431 WorkingDirectory = cfg.stateDir; 432 Environment = [ 433 "KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}" 434 "KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}" 435 "APPVIEW_ENDPOINT=${cfg.appviewEndpoint}" 436 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}" 437 "KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}" 438 "KNOT_SERVER_DB_PATH=${cfg.server.dbPath}" 439 "KNOT_SERVER_HOSTNAME=${cfg.server.hostname}" 440 ]; 441 EnvironmentFile = cfg.server.secretFile; 442 ExecStart = "${self.packages.${pkgs.system}.knot}/bin/knot server"; 443 Restart = "always"; 444 }; 445 }; 446 447 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22]; 448 }; 449 }; 450 451 nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem { 452 system = "x86_64-linux"; 453 modules = [ 454 self.nixosModules.knot 455 ({ 456 config, 457 pkgs, 458 ... 459 }: { 460 virtualisation.memorySize = 2048; 461 virtualisation.diskSize = 10 * 1024; 462 virtualisation.cores = 2; 463 services.getty.autologinUser = "root"; 464 environment.systemPackages = with pkgs; [curl vim git]; 465 systemd.tmpfiles.rules = let 466 u = config.services.tangled-knot.gitUser; 467 g = config.services.tangled-knot.gitUser; 468 in [ 469 "d /var/lib/knot 0770 ${u} ${g} - -" # Create the directory first 470 "f+ /var/lib/knot/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=38a7c3237c2a585807e06a5bcfac92eb39442063f3da306b7acb15cfdc51d19d" 471 ]; 472 services.tangled-knot = { 473 enable = true; 474 server = { 475 secretFile = "/var/lib/knot/secret"; 476 hostname = "localhost:6000"; 477 listenAddr = "0.0.0.0:6000"; 478 }; 479 }; 480 }) 481 ]; 482 }; 483 }; 484}