a more proper nixos module for the tangled knotserver
feat: yolo
Cassie Cheung
1 year ago
590da4ff
+188
3 changed files
.gitignore
flake.nix
module.nix
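--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+result
+.direnv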
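--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,12 @@
+{
+description = "read if cute";
+
+inputs = {
+# nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; # probably not needed until we add checks
+tangledCore.url = "git+https://tangled.sh/@tangled.sh/core";
+};
+
+outputs = { self, tangledCore }: {
+nixosModules.default = import ./module.nix tangledCore;
+};
+}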
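Review bot: The `tangledCore` input on line 6 is a bare `git+https://` URL with no `ref` or `rev`, and this commit adds no `flake.lock`, so until one is committed each consumer resolves upstream's default branch at whatever commit it happens to be on when they first evaluate. Commit the generated `flake.lock` so the knotserver, keyfetch and repoguard binaries the module ships are pinned and bumped deliberately, and consider adding `?ref=master` (the branch the module.nix header comment already points at) so the lock refreshes from a known branch. `self` in the `outputs` signature on line 9 is unused; that is harmless, but `outputs = { tangledCore, ... }:` states the dependency more honestly.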
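--- /dev/null
+++ b/module.nix
@@ -0,0 +1,174 @@
+# modified from https://tangled.sh/@tangled.sh/core/blob/master/flake.nix
+tangledFlake:
+{
+config,
+pkgs,
+lib,
+...
+}:
+let
+inherit (lib)
+mkOption
+types
+mkIf
+optional
+;
+cfg = config.services.tangled-knotserver;
+tangledPkgs = tangledFlake.packages.${pkgs.system};
+
+keyfetchWrapper = pkgs.writeShellScriptBin {
+name = "keyfetch-wrapper";
+runtimeInputs = [ tangledPkgs.keyfetch ];
+text = ''
+keyfetch -repoguard-path ${lib.getExe tangledPkgs.repoguard} -log-path /tmp/repoguard.log
+'';
+};
+in
+{
+options = {
+services.tangled-knotserver = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = "Enable a tangled knotserver";
+};
+
+appviewEndpoint = mkOption {
+type = types.str;
+default = "https://tangled.sh";
+description = "Appview endpoint";
+};
+
+gitUser = mkOption {
+type = types.str;
+default = "git";
+description = "User that hosts git repos and performs git operations";
+};
+
+repo = {
+scanPath = mkOption {
+type = types.path;
+default = "/var/lib/tangled-knot";
+description = "Path where repositories are scanned from";
+};
+
+mainBranch = mkOption {
+type = types.str;
+default = "main";
+description = "Default branch name for repositories";
+};
+};
+
+server = {
+listenAddr = mkOption {
+type = types.str;
+default = "0.0.0.0:5555";
+description = "Address to listen on";
+};
+
+internalListenAddr = mkOption {
+type = types.str;
+default = "127.0.0.1:5444";
+description = "Internal address for inter-service communication";
+};
+
+dbPath = mkOption {
+type = types.path;
+default = "knotserver.db";
+description = "Path to the database file";
+};
+
+hostname = mkOption {
+type = types.str;
+example = "knot.tangled.sh";
+description = "Hostname for the server (required)";
+};
+
+dev = mkOption {
+type = types.bool;
+default = false;
+description = "Enable development mode (disables signature verification)";
+internal = true;
+};
+};
+
+extraConfig = mkOption {
+type = types.attrsOf types.str;
+default = { };
+example = lib.literalExpression ''
+{
+# this is only an example, do NOT do this! your secret will end up readable by *everyone*!
+KNOT_SERVER_SECRET = "verysecuresecret";
+}
+'';
+description = "Additional environment variables. Use `environmentFile` for secrets.";
+};
+
+environmentFile = mkOption {
+type = types.nullOr types.path;
+default = null;
+example = "/etc/tangled/knotserver.env";
+description = ''
+Environment file to set additional configuration and secrets for the knotserver.
+
+`KNOT_SERVER_SECRET` must be set for the knotserver to work, and can be obtained from
+[this page](https://tangled.sh/knots).
+'';
+};
+};
+};
+
+config = mkIf config.enable {
+warnings = optional cfg.server.dev ''
+tangled-knotserver: development mode is enabled. This is not recommended in production as signature checks are disabled.
+'';
+
+environment.systemPackages = with pkgs; [ git ];
+
+users.users.${cfg.gitUser} = {
+home = cfg.repo.scanPath;
+group = cfg.gitUser;
+isSystemUser = true;
+useDefaultShell = true;
+};
+
+users.groups.${cfg.gitUser} = { };
+
+services.openssh = {
+enable = true;
+extraConfig = ''
+Match User ${cfg.gitUser}
+AuthorizedKeysCommand ${keyfetchWrapper}
+AuthorizedKeysCommandUser nobody
+'';
+};
+
+systemd.services.knotserver = {
+description = "knotserver service";
+after = [
+"network-online.target"
+"sshd.service"
+];
+wants = [
+"network-online.target"
+"sshd.service"
+];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+User = cfg.gitUser;
+WorkingDirectory = cfg.repo.scanPath;
+ExecStart = lib.getExe tangledPkgs.knotserver;
+Restart = "always";
+EnvironmentFile = cfg.environmentFile;
+};
+
+environment = {
+KNOT_REPO_SCANPATH = cfg.repo.scanPath;
+APPVIEW_ENDPOINT = cfg.appviewEndpoint;
+KNOT_SERVER_INTERNAL_LISTEN_ADDR = cfg.server.internalListenAddr;
+KNOT_SERVER_LISTEN_ADDR = cfg.server.listenAddr;
+KNOT_SERVER_HOSTNAME = cfg.server.hostname;
+} // cfg.extraConfig;
+};
+};
+}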
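Review bot: `config = mkIf config.enable {` on line 121 tests an attribute this module never declares — the option lives at `services.tangled-knotserver.enable`, which the `cfg` binding on line 16 already points at — so evaluation fails (or the block never activates) and it should read `config = mkIf cfg.enable {`. Line 19 calls `pkgs.writeShellScriptBin` with an attrset, but that builder takes positional `name` and `text` arguments; the `{ name; runtimeInputs; text; }` form belongs to `pkgs.writeShellApplication`, which is also what puts `runtimeInputs` on the script's PATH. `repo.mainBranch`, `server.dbPath` and `server.dev` are declared as options but never reach the service's `environment` block on lines 165–171 or the keyfetch wrapper, so setting them has no effect beyond the `dev` warning; either wire them to the knotserver's corresponding environment variables (names to be taken from upstream's flake) or drop them until they are. Finally, the wrapper on line 23 logs to the fixed path `/tmp/repoguard.log` while sshd invokes it as `nobody` (line 142); a predictable file in a world-writable directory can be pre-created or replaced by any local user, so a directory with fixed ownership created for this purpose, or stderr captured by sshd's journal, would be safer than `/tmp`.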