+30
-48
docs/knot-hosting.md
···
34
34
git clone https://tangled.sh/@tangled.sh/core
35
35
```
36
36
37
-
Then, build our binaries (you need to have Go installed):
38
-
* `knotserver`: the main server program
39
-
* `keyfetch`: utility to fetch ssh pubkeys
40
-
* `repoguard`: enforces repository access control
37
+
Then, build the `knot` CLI. This is the knot administration and operation tool.
38
+
For the purpose of this guide, we're only concerned with these subcommands:
39
+
40
+
* `knot server`: the main knot server process, typically run as a
41
+
supervised service
42
+
* `knot guard`: handles role-based access control for git over SSH
43
+
(you'll never have to run this yourself)
44
+
* `knot keys`: fetches SSH keys associated with your knot; we'll use
45
+
this to generate the SSH `AuthorizedKeysCommand`
41
46
42
47
```
43
48
cd core
44
49
export CGO_ENABLED=1
45
-
go build -o knot ./cmd/knotserver
46
-
go build -o keyfetch ./cmd/keyfetch
47
-
go build -o repoguard ./cmd/repoguard
50
+
go build -o knot ./cmd/knot
48
51
```
49
52
50
-
Next, move the `keyfetch` binary to a location owned by `root` --
51
-
`/usr/local/libexec/tangled-keyfetch` is a good choice:
53
+
Next, move the `knot` binary to a location owned by `root` --
54
+
`/usr/local/bin/knot` is a good choice:
52
55
53
56
```
54
-
sudo mv keyfetch /usr/local/libexec/tangled-keyfetch
55
-
sudo chown root:root /usr/local/libexec/tangled-keyfetch
56
-
sudo chmod 755 /usr/local/libexec/tangled-keyfetch
57
+
sudo mv knot /usr/local/bin/knot
57
58
```
58
59
59
-
This is necessary because SSH `AuthorizedKeysCommand` requires [really specific
60
-
permissions](https://stackoverflow.com/a/27638306). Let's set that up:
60
+
This is necessary because SSH `AuthorizedKeysCommand` requires [really
61
+
specific permissions](https://stackoverflow.com/a/27638306). The
62
+
`AuthorizedKeysCommand` specifies a command that is run by `sshd` to
63
+
retrieve a user's public SSH keys dynamically for authentication. Let's
64
+
set that up.
61
65
62
66
```
63
67
sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
64
68
Match User git
65
-
AuthorizedKeysCommand /usr/local/libexec/tangled-keyfetch
69
+
AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys
66
70
AuthorizedKeysCommandUser nobody
67
71
EOF
68
72
```
69
73
70
-
Next, create the `git` user:
74
+
Next, create the `git` user. We'll use the `git` user's home directory
75
+
to store repositories:
71
76
72
77
```
73
78
sudo adduser git
74
79
```
75
80
76
-
Copy the `repoguard` binary to the `git` user's home directory:
77
-
78
-
```
79
-
sudo cp repoguard /home/git
80
-
sudo chown git:git /home/git/repoguard
81
-
```
82
-
83
-
Now, let's set up the server. Copy the `knot` binary to
84
-
`/usr/local/bin/knotserver`. Then, create `/home/git/.knot.env` with the
85
-
following, updating the values as necessary. The `KNOT_SERVER_SECRET` can be
86
-
obtaind from the [/knots](/knots) page on Tangled.
81
+
Create `/home/git/.knot.env` with the following, updating the values as
82
+
necessary. The `KNOT_SERVER_SECRET` can be obtaind from the
83
+
[/knots](/knots) page on Tangled.
87
84
88
85
```
89
86
KNOT_REPO_SCAN_PATH=/home/git
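Review bot: the `sudo chown root:root` and `sudo chmod 755` steps are dropped together with the old keyfetch install block, but the replacement block only does `sudo mv knot /usr/local/bin/knot`, and `mv` preserves the ownership of the binary built by the unprivileged user. The prose right above it still says the binary must live in a location owned by `root`, and the paragraph below still explains that `AuthorizedKeysCommand` has strict permission requirements; sshd refuses to run an `AuthorizedKeysCommand` that is not owned by root or that is group/world-writable, so as written every SSH login through the knot would fail key lookup. Suggest keeping `sudo chown root:root /usr/local/bin/knot` and `sudo chmod 755 /usr/local/bin/knot` after the `mv`. Separately, the typo `obtaind` in `The KNOT_SERVER_SECRET can be obtaind from the` is carried over verbatim from the removed paragraph; this rewrite is a good moment to fix it to `obtained`.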
···
96
93
97
94
If you run a Linux distribution that uses systemd, you can use the provided
98
95
service file to run the server. Copy
99
-
[`knotserver.service`](https://tangled.sh/did:plc:wshs7t2adsemcrrd4snkeqli/core/blob/master/systemd/knotserver.service)
96
+
[`knotserver.service`](/systemd/knotserver.service)
100
97
to `/etc/systemd/system/`. Then, run:
101
98
102
99
```
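Review bot: the link target changes from an absolute repository URL to the root-relative `/systemd/knotserver.service`, which only resolves if the site rendering this page serves the repository's `systemd/` directory at its root. The other root-relative link in this document, `[/knots](/knots)`, points at a Tangled site page rather than a file in the repository, so the two conventions now look identical while meaning different things. Please confirm where `docs/knot-hosting.md` is rendered; if it is served from the repository tree, a repository-relative path such as `../systemd/knotserver.service` would be the safer choice.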
···
161
158
KNOT_REPO_SCAN_PATH=/home/git/repositories
162
159
```
163
160
164
-
In your SSH config (e.g. `/etc/ssh/sshd_config.d/authorized_keys_command.conf`),
165
-
update the `AuthorizedKeysCommand` line to use the new folder. For example:
161
+
Similarly, update your `sshd` `AuthorizedKeysCommand` to use the updated
162
+
repository path:
166
163
167
164
```
165
+
sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
168
166
Match User git
169
-
AuthorizedKeysCommand /usr/local/libexec/tangled-keyfetch -git-dir /home/git/repositories
167
+
AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys -git-dir /home/git/repositories
170
168
AuthorizedKeysCommandUser nobody
171
-
```
172
-
173
-
Make sure to restart your SSH server!
174
-
175
-
#### git
176
-
177
-
The keyfetch executable takes multiple arguments to change certain paths. You
178
-
can view a full list by running `/usr/local/libexec/tangled-keyfetch -h`.
179
-
180
-
As an example, if you wanted to change the path to the repoguard executable,
181
-
you would edit your SSH config (e.g. `/etc/ssh/sshd_config.d/authorized_keys_command.conf`)
182
-
and update the `AuthorizedKeysCommand` line:
183
-
184
-
```
185
-
Match User git
186
-
AuthorizedKeysCommand /usr/local/libexec/tangled-keyfetch -repoguard-path /path/to/repoguard
187
-
AuthorizedKeysCommandUser nobody
169
+
EOF
188
170
```
189
171
190
172
Make sure to restart your SSH server!
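Review bot: the `#### git` subsection that told operators how to list the key-fetch flags (`-h`) and how to relocate the guard binary (`-repoguard-path`) is removed without a replacement, so `-git-dir` is now the only documented flag of `knot keys` and there is no longer any pointer to the full list. If `knot keys -h` prints usage (to be confirmed against the CLI), a one-line mention would restore that discoverability; and if the guard path is no longer configurable because `knot guard` is a subcommand of the same binary, it is worth saying so explicitly, since operators migrating from the `repoguard` layout will look for that option. On the hunk itself, wrapping the config in `sudo tee ... <<EOF` matches the earlier block, which is good; the trailing `Make sure to restart your SSH server!` survives, which is correct because sshd only reads `sshd_config.d` on restart or reload.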