tjh.dev / test
forked from tangled.org/core
Mirror of @tangled.org/core. Running on a Raspberry Pi Zero 2 (Please be gentle).
fork atom

readme: knot hosting guide

anirudh.fi b5e99384 c5f06849

+93
+93
readme.md
··· 5 5 on the [AT Protocol](https://atproto.com). 6 6 7 7 Read the introduction to Tangled [here](https://blog.tangled.sh/intro). 8 + 9 + ## knot self-hosting guide 10 + 11 + So you want to run your own knot server? Great! Here are a few prerequisites: 12 + 13 + 1. A server of some kind (a VPS, a Raspberry Pi, etc.). Preferably running a Linux of some kind. 14 + 2. A (sub)domain name. People generally use `knot.example.com`. 15 + 3. A valid SSL certificate for your domain. 16 + 17 + There's a couple of ways to get started: 18 + * NixOS: refer to [flake.nix](https://tangled.sh/@tangled.sh/core/blob/master/flake.nix) 19 + * Manual: Documented below. 20 + 21 + ### manual setup 22 + 23 + First, clone this repository: 24 + 25 + ``` 26 + git clone https://tangled.sh/@tangled.sh/core 27 + ``` 28 + 29 + Then, build our binaries (you need to have Go installed): 30 + * `knotserver`: the main server program 31 + * `keyfetch`: utility to fetch ssh pubkeys 32 + * `repoguard`: enforces repository access control 33 + 34 + ``` 35 + cd core 36 + export CGO_ENABLED=1 37 + go build -o knot ./cmd/knotserver 38 + go build -o keyfetch ./cmd/keyfetch 39 + go build -o repoguard ./cmd/repoguard 40 + ``` 41 + 42 + Next, move the `keyfetch` binary to a location owned by `root` -- `/keyfetch` is 43 + a good choice: 44 + 45 + ``` 46 + sudo mv keyfetch /keyfetch 47 + sudo chown root:root /keyfetch 48 + sudo chmod 755 /keyfetch 49 + ``` 50 + 51 + This is necessary because SSH `AuthorizedKeysCommand` requires [really specific 52 + permissions](https://stackoverflow.com/a/27638306). Let's set that up: 53 + 54 + ``` 55 + sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF 56 + Match User git 57 + AuthorizedKeysCommand /keyfetch 58 + AuthorizedKeysCommandUser nobody 59 + EOF 60 + ``` 61 + 62 + Next, create the `git` user: 63 + 64 + ``` 65 + sudo adduser git 66 + ``` 67 + 68 + Copy the `repoguard` binary to the `git` user's home directory: 69 + 70 + ``` 71 + sudo cp repoguard /home/git 72 + sudo chown git:git /home/git/repoguard 73 + ``` 74 + 75 + Now, let's set up the server. Copy the `knot` binary to 76 + `/usr/local/bin/knotserver`. Then, create `/home/git/.knot.env` with the 77 + following, updating the values as necessary. The `KNOT_SERVER_SECRET` can be 78 + obtaind from the [/knots](/knots) page on Tangled. 79 + 80 + ``` 81 + KNOT_REPO_SCAN_PATH=/home/git 82 + KNOT_SERVER_HOSTNAME=knot.example.com 83 + APPVIEW_ENDPOINT=https://tangled.sh 84 + KNOT_SERVER_SECRET=secret 85 + KNOT_SERVER_INTERNAL_LISTEN_ADDR=127.0.0.1:5444 86 + KNOT_SERVER_LISTEN_ADDR=127.0.0.1:5555 87 + ``` 88 + 89 + If you run a Linux distribution that uses systemd, you can use the provided 90 + service file to run the server. Copy 91 + [`knotserver.service`](https://tangled.sh/did:plc:wshs7t2adsemcrrd4snkeqli/core/blob/master/systemd/knotserver.service) 92 + to `/etc/systemd/system/`. Then, run: 93 + 94 + ``` 95 + systemctl enable knotserver 96 + systemctl start knotserver 97 + ``` 98 + 99 + You should now have a running knot server! You can finalize your registration by hitting the 100 + `initialize` button on the [/knots](/knots) page.