
add nixos module for knotserver

Nearly there; some hard-coded paths still need adjusting before `git push` works.

+158 -1
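--- a/flake.nix
+++ b/flake.nix
@@ -120,6 +120,7 @@
           pkgs.litecli
           pkgs.websocat
           pkgs.tailwindcss
+          pkgs.nixos-shell
         ];
         shellHook = ''
           cp -f ${htmx-src} appview/pages/static/htmx.min.js
@@ -150,7 +151,7 @@
         };
       });
 
-      nixosModules.default = {
+      nixosModules.appview = {
         config,
         pkgs,
         lib,
@@ -196,5 +197,161 @@
           };
         };
       };
+
+      nixosModules.knotserver = {
+        config,
+        pkgs,
+        lib,
+        ...
+      }:
+        with lib; {
+          options = {
+            services.tangled-knotserver = {
+              enable = mkOption {
+                type = types.bool;
+                default = false;
+                description = "Enable a tangled knotserver";
+              };
+
+              appviewEndpoint = mkOption {
+                type = types.str;
+                default = "https://tangled.sh";
+                description = "Appview endpoint";
+              };
+
+              gitUser = mkOption {
+                type = types.str;
+                default = "git";
+                description = "User that hosts git repos and performs git operations";
+              };
+
+              repo = {
+                scanPath = mkOption {
+                  type = types.path;
+                  default = "/home/git";
+                  description = "Path where repositories are scanned from";
+                };
+
+                mainBranch = mkOption {
+                  type = types.str;
+                  default = "main";
+                  description = "Default branch name for repositories";
+                };
+              };
+
+              server = {
+                listenAddr = mkOption {
+                  type = types.str;
+                  default = "0.0.0.0:5555";
+                  description = "Address to listen on";
+                };
+
+                internalListenAddr = mkOption {
+                  type = types.str;
+                  default = "127.0.0.1:5444";
+                  description = "Internal address for inter-service communication";
+                };
+
+                secret = mkOption {
+                  type = types.str;
+                  example = "super-secret-key";
+                  description = "Secret key provided by appview (required)";
+                };
+
+                dbPath = mkOption {
+                  type = types.path;
+                  default = "knotserver.db";
+                  description = "Path to the database file";
+                };
+
+                hostname = mkOption {
+                  type = types.str;
+                  example = "knot.tangled.sh";
+                  description = "Hostname for the server (required)";
+                };
+
+                dev = mkOption {
+                  type = types.bool;
+                  default = false;
+                  description = "Enable development mode (disables signature verification)";
+                };
+              };
+            };
+          };
+
+          config = mkIf config.services.tangled-knotserver.enable {
+            nixpkgs.overlays = [self.overlays.default];
+
+            environment.systemPackages = with pkgs; [git];
+
+            users.users.git = {
+              isSystemUser = true;
+              home = "/home/git";
+              createHome = true;
+              shell = "${pkgs.shadow}/bin/nologin";
+              uid = 1000;
+              group = "git";
+              extraGroups = ["sudo"];
+            };
+
+            users.groups.git = {};
+
+            services.openssh = {
+              enable = true;
+              extraConfig = ''
+                Match User git
+                AuthorizedKeysCommand ${pkgs.keyfetch}/bin/keyfetch -repoguard-path ${pkgs.repoguard}/bin/repoguard
+                AuthorizedKeysCommandUser nobody
+              '';
+            };
+
+            systemd.services.knotserver = {
+              description = "knotserver service";
+              after = ["network.target" "sshd.service"];
+              wantedBy = ["multi-user.target"];
+              serviceConfig = {
+                User = "git";
+                WorkingDirectory = "/home/git";
+                Environment = [
+                  "KNOT_REPO_SCAN_PATH=${config.services.tangled-knotserver.repo.scanPath}"
+                  "APPVIEW_ENDPOINT=${config.services.tangled-knotserver.appviewEndpoint}"
+                  "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${config.services.tangled-knotserver.server.internalListenAddr}"
+                  "KNOT_SERVER_LISTEN_ADDR=${config.services.tangled-knotserver.server.listenAddr}"
+                  "KNOT_SERVER_SECRET=${config.services.tangled-knotserver.server.secret}"
+                  "KNOT_SERVER_HOSTNAME=${config.services.tangled-knotserver.server.hostname}"
+                ];
+                ExecStart = "${pkgs.knotserver}/bin/knotserver";
+                Restart = "always";
+              };
+            };
+
+            networking.firewall.allowedTCPPorts = [22];
+          };
+        };
+
+      nixosConfigurations.knotVM = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          self.nixosModules.knotserver
+          ({
+            config,
+            pkgs,
+            ...
+          }: {
+            virtualisation.memorySize = 2048;
+            virtualisation.cores = 2;
+            services.getty.autologinUser = "root";
+            environment.systemPackages = with pkgs; [curl vim git];
+            services.tangled-knotserver = {
+              enable = true;
+              server = {
+                secret = "21c9c8b2a405bcfb14694481e32bab09d842c2f4cc0437906b68015d32f15b97";
+                hostname = "localhost:6000";
+                listenAddr = "0.0.0.0:6000";
+              };
+            };
+          })
+        ];
+      };
     };
   }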
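Review bot: `server.secret` is declared as `types.str` and interpolated into `Environment` in `systemd.services.knotserver`, so the appview secret ends up in the world-readable Nix store and in the generated unit file; a `secretFile = mkOption { type = types.path; ... }` loaded with `EnvironmentFile = config.services.tangled-knotserver.server.secretFile;` (a root-owned file containing `KNOT_SERVER_SECRET=...`) keeps it out of the store. The `users.users.git` block also puts the service account in `extraGroups = ["sudo"]` and pins `uid = 1000`; a least-privilege system user needs neither, and a fixed uid 1000 will likely collide with the first normal user on an existing host, so drop the group and let NixOS allocate a system uid. `gitUser`, `repo.mainBranch`, `server.dbPath` and `server.dev` are declared but never read in `config`, so setting them — including `dev`, which the description says disables signature verification — has no effect; either pass them through `Environment` / `users.users` or remove them until they are wired up. The `knotVM` configuration commits a literal secret and autologs in as root, which is fine for a local test VM but worth a comment saying so, e.g. `# dev-only VM: throwaway secret, root autologin`. The module and VM definitions are complete within this hunk; the enclosing flake `outputs` attrset begins before it.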