willdot.net / tangled-fork
forked from tangled.org/core
Monorepo for Tangled
fork atom
tangled-fork / docs / DOCS.md
at master 1563 lines 44 kB view raw view rendered
1--- 2title: Tangled docs 3author: The Tangled Contributors 4date: 21 Sun, Dec 2025 5abstract: | 6 Tangled is a decentralized code hosting and collaboration 7 platform. Every component of Tangled is open-source and 8 self-hostable. [tangled.org](https://tangled.org) also 9 provides hosting and CI services that are free to use. 10 11 There are several models for decentralized code 12 collaboration platforms, ranging from ActivityPub’s 13 (Forgejo) federated model, to Radicle’s entirely P2P model. 14 Our approach attempts to be the best of both worlds by 15 adopting the AT Protocol—a protocol for building decentralized 16 social applications with a central identity 17 18 Our approach to this is the idea of “knots”. Knots are 19 lightweight, headless servers that enable users to host Git 20 repositories with ease. Knots are designed for either single 21 or multi-tenant use which is perfect for self-hosting on a 22 Raspberry Pi at home, or larger “community” servers. By 23 default, Tangled provides managed knots where you can host 24 your repositories for free. 25 26 The appview at tangled.org acts as a consolidated "view" 27 into the whole network, allowing users to access, clone and 28 contribute to repositories hosted across different knots 29 seamlessly. 30--- 31 32# Quick start guide 33 34## Login or sign up 35 36You can [login](https://tangled.org) by using your AT Protocol 37account. If you are unclear on what that means, simply head 38to the [signup](https://tangled.org/signup) page and create 39an account. By doing so, you will be choosing Tangled as 40your account provider (you will be granted a handle of the 41form `user.tngl.sh`). 42 43In the AT Protocol network, users are free to choose their account 44provider (known as a "Personal Data Service", or PDS), and 45login to applications that support AT accounts. 46 47You can think of it as "one account for all of the atmosphere"! 48 49If you already have an AT account (you may have one if you 50signed up to Bluesky, for example), you can login with the 51same handle on Tangled (so just use `user.bsky.social` on 52the login page). 53 54## Add an SSH key 55 56Once you are logged in, you can start creating repositories 57and pushing code. Tangled supports pushing git repositories 58over SSH. 59 60First, you'll need to generate an SSH key if you don't 61already have one: 62 63```bash 64ssh-keygen -t ed25519 -C "foo@bar.com" 65``` 66 67When prompted, save the key to the default location 68(`~/.ssh/id_ed25519`) and optionally set a passphrase. 69 70Copy your public key to your clipboard: 71 72```bash 73# on X11 74cat ~/.ssh/id_ed25519.pub | xclip -sel c 75 76# on wayland 77cat ~/.ssh/id_ed25519.pub | wl-copy 78 79# on macos 80cat ~/.ssh/id_ed25519.pub | pbcopy 81``` 82 83Now, navigate to 'Settings' -> 'Keys' and hit 'Add Key', 84paste your public key, give it a descriptive name, and hit 85save. 86 87## Create a repository 88 89Once your SSH key is added, create your first repository: 90 911. Hit the green `+` icon on the topbar, and select 92 repository 932. Enter a repository name 943. Add a description 954. Choose a knotserver to host this repository on 965. Hit create 97 98Knots are self-hostable, lightweight Git servers that can 99host your repository. Unlike traditional code forges, your 100code can live on any server. Read the [Knots](TODO) section 101for more. 102 103## Configure SSH 104 105To ensure Git uses the correct SSH key and connects smoothly 106to Tangled, add this configuration to your `~/.ssh/config` 107file: 108 109``` 110Host tangled.org 111 Hostname tangled.org 112 User git 113 IdentityFile ~/.ssh/id_ed25519 114 AddressFamily inet 115``` 116 117This tells SSH to use your specific key when connecting to 118Tangled and prevents authentication issues if you have 119multiple SSH keys. 120 121Note that this configuration only works for knotservers that 122are hosted by tangled.org. If you use a custom knot, refer 123to the [Knots](TODO) section. 124 125## Push your first repository 126 127Initialize a new Git repository: 128 129```bash 130mkdir my-project 131cd my-project 132 133git init 134echo "# My Project" > README.md 135``` 136 137Add some content and push! 138 139```bash 140git add README.md 141git commit -m "Initial commit" 142git remote add origin git@tangled.org:user.tngl.sh/my-project 143git push -u origin main 144``` 145 146That's it! Your code is now hosted on Tangled. 147 148## Migrating an existing repository 149 150Moving your repositories from GitHub, GitLab, Bitbucket, or 151any other Git forge to Tangled is straightforward. You'll 152simply change your repository's remote URL. At the moment, 153Tangled does not have any tooling to migrate data such as 154GitHub issues or pull requests. 155 156First, create a new repository on tangled.org as described 157in the [Quick Start Guide](#create-a-repository). 158 159Navigate to your existing local repository: 160 161```bash 162cd /path/to/your/existing/repo 163``` 164 165You can inspect your existing Git remote like so: 166 167```bash 168git remote -v 169``` 170 171You'll see something like: 172 173``` 174origin git@github.com:username/my-project (fetch) 175origin git@github.com:username/my-project (push) 176``` 177 178Update the remote URL to point to tangled: 179 180```bash 181git remote set-url origin git@tangled.org:user.tngl.sh/my-project 182``` 183 184Verify the change: 185 186```bash 187git remote -v 188``` 189 190You should now see: 191 192``` 193origin git@tangled.org:user.tngl.sh/my-project (fetch) 194origin git@tangled.org:user.tngl.sh/my-project (push) 195``` 196 197Push all your branches and tags to Tangled: 198 199```bash 200git push -u origin --all 201git push -u origin --tags 202``` 203 204Your repository is now migrated to Tangled! All commit 205history, branches, and tags have been preserved. 206 207## Mirroring a repository to Tangled 208 209If you want to maintain your repository on multiple forges 210simultaneously, for example, keeping your primary repository 211on GitHub while mirroring to Tangled for backup or 212redundancy, you can do so by adding multiple remotes. 213 214You can configure your local repository to push to both 215Tangled and, say, GitHub. You may already have the following 216setup: 217 218``` 219$ git remote -v 220origin git@github.com:username/my-project (fetch) 221origin git@github.com:username/my-project (push) 222``` 223 224Now add Tangled as an additional push URL to the same 225remote: 226 227```bash 228git remote set-url --add --push origin git@tangled.org:user.tngl.sh/my-project 229``` 230 231You also need to re-add the original URL as a push 232destination (Git replaces the push URL when you use `--add` 233the first time): 234 235```bash 236git remote set-url --add --push origin git@github.com:username/my-project 237``` 238 239Verify your configuration: 240 241``` 242$ git remote -v 243origin git@github.com:username/repo (fetch) 244origin git@tangled.org:username/my-project (push) 245origin git@github.com:username/repo (push) 246``` 247 248Notice that there's one fetch URL (the primary remote) and 249two push URLs. Now, whenever you push, Git will 250automatically push to both remotes: 251 252```bash 253git push origin main 254``` 255 256This single command pushes your `main` branch to both GitHub 257and Tangled simultaneously. 258 259To push all branches and tags: 260 261```bash 262git push origin --all 263git push origin --tags 264``` 265 266If you prefer more control over which remote you push to, 267you can maintain separate remotes: 268 269```bash 270git remote add github git@github.com:username/my-project 271git remote add tangled git@tangled.org:username/my-project 272``` 273 274Then push to each explicitly: 275 276```bash 277git push github main 278git push tangled main 279``` 280 281# Knot self-hosting guide 282 283So you want to run your own knot server? Great! Here are a few prerequisites: 284 2851. A server of some kind (a VPS, a Raspberry Pi, etc.). Preferably running a Linux distribution of some kind. 2862. A (sub)domain name. People generally use `knot.example.com`. 2873. A valid SSL certificate for your domain. 288 289## NixOS 290 291Refer to the [knot 292module](https://tangled.org/tangled.org/core/blob/master/nix/modules/knot.nix) 293for a full list of options. Sample configurations: 294 295- [The test VM](https://tangled.org/tangled.org/core/blob/master/nix/vm.nix#L85) 296- [@pyrox.dev/nix](https://tangled.org/pyrox.dev/nix/blob/d19571cc1b5fe01035e1e6951ec8cf8a476b4dee/hosts/marvin/services/tangled.nix#L15-25) 297 298## Docker 299 300Refer to 301[@tangled.org/knot-docker](https://tangled.org/@tangled.org/knot-docker). 302Note that this is community maintained. 303 304## Manual setup 305 306First, clone this repository: 307 308``` 309git clone https://tangled.org/@tangled.org/core 310``` 311 312Then, build the `knot` CLI. This is the knot administration 313and operation tool. For the purpose of this guide, we're 314only concerned with these subcommands: 315 316 * `knot server`: the main knot server process, typically 317 run as a supervised service 318 * `knot guard`: handles role-based access control for git 319 over SSH (you'll never have to run this yourself) 320 * `knot keys`: fetches SSH keys associated with your knot; 321 we'll use this to generate the SSH 322 `AuthorizedKeysCommand` 323 324``` 325cd core 326export CGO_ENABLED=1 327go build -o knot ./cmd/knot 328``` 329 330Next, move the `knot` binary to a location owned by `root` -- 331`/usr/local/bin/` is a good choice. Make sure the binary itself is also owned by `root`: 332 333``` 334sudo mv knot /usr/local/bin/knot 335sudo chown root:root /usr/local/bin/knot 336``` 337 338This is necessary because SSH `AuthorizedKeysCommand` requires [really 339specific permissions](https://stackoverflow.com/a/27638306). The 340`AuthorizedKeysCommand` specifies a command that is run by `sshd` to 341retrieve a user's public SSH keys dynamically for authentication. Let's 342set that up. 343 344``` 345sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF 346Match User git 347 AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys 348 AuthorizedKeysCommandUser nobody 349EOF 350``` 351 352Then, reload `sshd`: 353 354``` 355sudo systemctl reload ssh 356``` 357 358Next, create the `git` user. We'll use the `git` user's home directory 359to store repositories: 360 361``` 362sudo adduser git 363``` 364 365Create `/home/git/.knot.env` with the following, updating the values as 366necessary. The `KNOT_SERVER_OWNER` should be set to your 367DID, you can find your DID in the [Settings](https://tangled.sh/settings) page. 368 369``` 370KNOT_REPO_SCAN_PATH=/home/git 371KNOT_SERVER_HOSTNAME=knot.example.com 372APPVIEW_ENDPOINT=https://tangled.org 373KNOT_SERVER_OWNER=did:plc:foobar 374KNOT_SERVER_INTERNAL_LISTEN_ADDR=127.0.0.1:5444 375KNOT_SERVER_LISTEN_ADDR=127.0.0.1:5555 376``` 377 378If you run a Linux distribution that uses systemd, you can 379use the provided service file to run the server. Copy 380[`knotserver.service`](https://tangled.org/tangled.org/core/blob/master/systemd/knotserver.service) 381to `/etc/systemd/system/`. Then, run: 382 383``` 384systemctl enable knotserver 385systemctl start knotserver 386``` 387 388The last step is to configure a reverse proxy like Nginx or Caddy to front your 389knot. Here's an example configuration for Nginx: 390 391``` 392server { 393 listen 80; 394 listen [::]:80; 395 server_name knot.example.com; 396 397 location / { 398 proxy_pass http://localhost:5555; 399 proxy_set_header Host $host; 400 proxy_set_header X-Real-IP $remote_addr; 401 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 402 proxy_set_header X-Forwarded-Proto $scheme; 403 } 404 405 # wss endpoint for git events 406 location /events { 407 proxy_set_header X-Forwarded-For $remote_addr; 408 proxy_set_header Host $http_host; 409 proxy_set_header Upgrade websocket; 410 proxy_set_header Connection Upgrade; 411 proxy_pass http://localhost:5555; 412 } 413 # additional config for SSL/TLS go here. 414} 415 416``` 417 418Remember to use Let's Encrypt or similar to procure a certificate for your 419knot domain. 420 421You should now have a running knot server! You can finalize 422your registration by hitting the `verify` button on the 423[/settings/knots](https://tangled.org/settings/knots) page. This simply creates 424a record on your PDS to announce the existence of the knot. 425 426### Custom paths 427 428(This section applies to manual setup only. Docker users should edit the mounts 429in `docker-compose.yml` instead.) 430 431Right now, the database and repositories of your knot lives in `/home/git`. You 432can move these paths if you'd like to store them in another folder. Be careful 433when adjusting these paths: 434 435* Stop your knot when moving data (e.g. `systemctl stop knotserver`) to prevent 436any possible side effects. Remember to restart it once you're done. 437* Make backups before moving in case something goes wrong. 438* Make sure the `git` user can read and write from the new paths. 439 440#### Database 441 442As an example, let's say the current database is at `/home/git/knotserver.db`, 443and we want to move it to `/home/git/database/knotserver.db`. 444 445Copy the current database to the new location. Make sure to copy the `.db-shm` 446and `.db-wal` files if they exist. 447 448``` 449mkdir /home/git/database 450cp /home/git/knotserver.db* /home/git/database 451``` 452 453In the environment (e.g. `/home/git/.knot.env`), set `KNOT_SERVER_DB_PATH` to 454the new file path (_not_ the directory): 455 456``` 457KNOT_SERVER_DB_PATH=/home/git/database/knotserver.db 458``` 459 460#### Repositories 461 462As an example, let's say the repositories are currently in `/home/git`, and we 463want to move them into `/home/git/repositories`. 464 465Create the new folder, then move the existing repositories (if there are any): 466 467``` 468mkdir /home/git/repositories 469# move all DIDs into the new folder; these will vary for you! 470mv /home/git/did:plc:wshs7t2adsemcrrd4snkeqli /home/git/repositories 471``` 472 473In the environment (e.g. `/home/git/.knot.env`), update `KNOT_REPO_SCAN_PATH` 474to the new directory: 475 476``` 477KNOT_REPO_SCAN_PATH=/home/git/repositories 478``` 479 480Similarly, update your `sshd` `AuthorizedKeysCommand` to use the updated 481repository path: 482 483``` 484sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF 485Match User git 486 AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys -git-dir /home/git/repositories 487 AuthorizedKeysCommandUser nobody 488EOF 489``` 490 491Make sure to restart your SSH server! 492 493#### MOTD (message of the day) 494 495To configure the MOTD used ("Welcome to this knot!" by default), edit the 496`/home/git/motd` file: 497 498``` 499printf "Hi from this knot!\n" > /home/git/motd 500``` 501 502Note that you should add a newline at the end if setting a non-empty message 503since the knot won't do this for you. 504 505# Spindles 506 507## Pipelines 508 509Spindle workflows allow you to write CI/CD pipelines in a 510simple format. They're located in the `.tangled/workflows` 511directory at the root of your repository, and are defined 512using YAML. 513 514The fields are: 515 516- [Trigger](#trigger): A **required** field that defines 517 when a workflow should be triggered. 518- [Engine](#engine): A **required** field that defines which 519 engine a workflow should run on. 520- [Clone options](#clone-options): An **optional** field 521 that defines how the repository should be cloned. 522- [Dependencies](#dependencies): An **optional** field that 523 allows you to list dependencies you may need. 524- [Environment](#environment): An **optional** field that 525 allows you to define environment variables. 526- [Steps](#steps): An **optional** field that allows you to 527 define what steps should run in the workflow. 528 529### Trigger 530 531The first thing to add to a workflow is the trigger, which 532defines when a workflow runs. This is defined using a `when` 533field, which takes in a list of conditions. Each condition 534has the following fields: 535 536- `event`: This is a **required** field that defines when 537 your workflow should run. It's a list that can take one or 538 more of the following values: 539 - `push`: The workflow should run every time a commit is 540 pushed to the repository. 541 - `pull_request`: The workflow should run every time a 542 pull request is made or updated. 543 - `manual`: The workflow can be triggered manually. 544- `branch`: Defines which branches the workflow should run 545 for. If used with the `push` event, commits to the 546 branch(es) listed here will trigger the workflow. If used 547 with the `pull_request` event, updates to pull requests 548 targeting the branch(es) listed here will trigger the 549 workflow. This field has no effect with the `manual` 550 event. Supports glob patterns using `*` and `**` (e.g., 551 `main`, `develop`, `release-*`). Either `branch` or `tag` 552 (or both) must be specified for `push` events. 553- `tag`: Defines which tags the workflow should run for. 554 Only used with the `push` event - when tags matching the 555 pattern(s) listed here are pushed, the workflow will 556 trigger. This field has no effect with `pull_request` or 557 `manual` events. Supports glob patterns using `*` and `**` 558 (e.g., `v*`, `v1.*`, `release-**`). Either `branch` or 559 `tag` (or both) must be specified for `push` events. 560 561For example, if you'd like to define a workflow that runs 562when commits are pushed to the `main` and `develop` 563branches, or when pull requests that target the `main` 564branch are updated, or manually, you can do so with: 565 566```yaml 567when: 568 - event: ["push", "manual"] 569 branch: ["main", "develop"] 570 - event: ["pull_request"] 571 branch: ["main"] 572``` 573 574You can also trigger workflows on tag pushes. For instance, 575to run a deployment workflow when tags matching `v*` are 576pushed: 577 578```yaml 579when: 580 - event: ["push"] 581 tag: ["v*"] 582``` 583 584You can even combine branch and tag patterns in a single 585constraint (the workflow triggers if either matches): 586 587```yaml 588when: 589 - event: ["push"] 590 branch: ["main", "release-*"] 591 tag: ["v*", "stable"] 592``` 593 594### Engine 595 596Next is the engine on which the workflow should run, defined 597using the **required** `engine` field. The currently 598supported engines are: 599 600- `nixery`: This uses an instance of 601 [Nixery](https://nixery.dev) to run steps, which allows 602 you to add [dependencies](#dependencies) from 603 Nixpkgs (https://github.com/NixOS/nixpkgs). You can 604 search for packages on https://search.nixos.org, and 605 there's a pretty good chance the package(s) you're looking 606 for will be there. 607 608Example: 609 610```yaml 611engine: "nixery" 612``` 613 614### Clone options 615 616When a workflow starts, the first step is to clone the 617repository. You can customize this behavior using the 618**optional** `clone` field. It has the following fields: 619 620- `skip`: Setting this to `true` will skip cloning the 621 repository. This can be useful if your workflow is doing 622 something that doesn't require anything from the 623 repository itself. This is `false` by default. 624- `depth`: This sets the number of commits, or the "clone 625 depth", to fetch from the repository. For example, if you 626 set this to 2, the last 2 commits will be fetched. By 627 default, the depth is set to 1, meaning only the most 628 recent commit will be fetched, which is the commit that 629 triggered the workflow. 630- `submodules`: If you use Git submodules 631 (https://git-scm.com/book/en/v2/Git-Tools-Submodules) 632 in your repository, setting this field to `true` will 633 recursively fetch all submodules. This is `false` by 634 default. 635 636The default settings are: 637 638```yaml 639clone: 640 skip: false 641 depth: 1 642 submodules: false 643``` 644 645### Dependencies 646 647Usually when you're running a workflow, you'll need 648additional dependencies. The `dependencies` field lets you 649define which dependencies to get, and from where. It's a 650key-value map, with the key being the registry to fetch 651dependencies from, and the value being the list of 652dependencies to fetch. 653 654Say you want to fetch Node.js and Go from `nixpkgs`, and a 655package called `my_pkg` you've made from your own registry 656at your repository at 657`https://tangled.org/@example.com/my_pkg`. You can define 658those dependencies like so: 659 660```yaml 661dependencies: 662 # nixpkgs 663 nixpkgs: 664 - nodejs 665 - go 666 # unstable 667 nixpkgs/nixpkgs-unstable: 668 - bun 669 # custom registry 670 git+https://tangled.org/@example.com/my_pkg: 671 - my_pkg 672``` 673 674Now these dependencies are available to use in your 675workflow! 676 677### Environment 678 679The `environment` field allows you define environment 680variables that will be available throughout the entire 681workflow. **Do not put secrets here, these environment 682variables are visible to anyone viewing the repository. You 683can add secrets for pipelines in your repository's 684settings.** 685 686Example: 687 688```yaml 689environment: 690 GOOS: "linux" 691 GOARCH: "arm64" 692 NODE_ENV: "production" 693 MY_ENV_VAR: "MY_ENV_VALUE" 694``` 695 696By default, the following environment variables set: 697 698- `CI` - Always set to `true` to indicate a CI environment 699- `TANGLED_PIPELINE_ID` - The AT URI of the current pipeline 700- `TANGLED_REPO_KNOT` - The repository's knot hostname 701- `TANGLED_REPO_DID` - The DID of the repository owner 702- `TANGLED_REPO_NAME` - The name of the repository 703- `TANGLED_REPO_DEFAULT_BRANCH` - The default branch of the 704 repository 705- `TANGLED_REPO_URL` - The full URL to the repository 706 707These variables are only available when the pipeline is 708triggered by a push: 709 710- `TANGLED_REF` - The full git reference (e.g., 711 `refs/heads/main` or `refs/tags/v1.0.0`) 712- `TANGLED_REF_NAME` - The short name of the reference 713 (e.g., `main` or `v1.0.0`) 714- `TANGLED_REF_TYPE` - The type of reference, either 715 `branch` or `tag` 716- `TANGLED_SHA` - The commit SHA that triggered the pipeline 717- `TANGLED_COMMIT_SHA` - Alias for `TANGLED_SHA` 718 719These variables are only available when the pipeline is 720triggered by a pull request: 721 722- `TANGLED_PR_SOURCE_BRANCH` - The source branch of the pull 723 request 724- `TANGLED_PR_TARGET_BRANCH` - The target branch of the pull 725 request 726- `TANGLED_PR_SOURCE_SHA` - The commit SHA of the source 727 branch 728 729### Steps 730 731The `steps` field allows you to define what steps should run 732in the workflow. It's a list of step objects, each with the 733following fields: 734 735- `name`: This field allows you to give your step a name. 736 This name is visible in your workflow runs, and is used to 737 describe what the step is doing. 738- `command`: This field allows you to define a command to 739 run in that step. The step is run in a Bash shell, and the 740 logs from the command will be visible in the pipelines 741 page on the Tangled website. The 742 [dependencies](#dependencies) you added will be available 743 to use here. 744- `environment`: Similar to the global 745 [environment](#environment) config, this **optional** 746 field is a key-value map that allows you to set 747 environment variables for the step. **Do not put secrets 748 here, these environment variables are visible to anyone 749 viewing the repository. You can add secrets for pipelines 750 in your repository's settings.** 751 752Example: 753 754```yaml 755steps: 756 - name: "Build backend" 757 command: "go build" 758 environment: 759 GOOS: "darwin" 760 GOARCH: "arm64" 761 - name: "Build frontend" 762 command: "npm run build" 763 environment: 764 NODE_ENV: "production" 765``` 766 767### Complete workflow 768 769```yaml 770# .tangled/workflows/build.yml 771 772when: 773 - event: ["push", "manual"] 774 branch: ["main", "develop"] 775 - event: ["pull_request"] 776 branch: ["main"] 777 778engine: "nixery" 779 780# using the default values 781clone: 782 skip: false 783 depth: 1 784 submodules: false 785 786dependencies: 787 # nixpkgs 788 nixpkgs: 789 - nodejs 790 - go 791 # custom registry 792 git+https://tangled.org/@example.com/my_pkg: 793 - my_pkg 794 795environment: 796 GOOS: "linux" 797 GOARCH: "arm64" 798 NODE_ENV: "production" 799 MY_ENV_VAR: "MY_ENV_VALUE" 800 801steps: 802 - name: "Build backend" 803 command: "go build" 804 environment: 805 GOOS: "darwin" 806 GOARCH: "arm64" 807 - name: "Build frontend" 808 command: "npm run build" 809 environment: 810 NODE_ENV: "production" 811``` 812 813If you want another example of a workflow, you can look at 814the one [Tangled uses to build the 815project](https://tangled.org/@tangled.org/core/blob/master/.tangled/workflows/build.yml). 816 817## Self-hosting guide 818 819### Prerequisites 820 821* Go 822* Docker (the only supported backend currently) 823 824### Configuration 825 826Spindle is configured using environment variables. The following environment variables are available: 827 828* `SPINDLE_SERVER_LISTEN_ADDR`: The address the server listens on (default: `"0.0.0.0:6555"`). 829* `SPINDLE_SERVER_DB_PATH`: The path to the SQLite database file (default: `"spindle.db"`). 830* `SPINDLE_SERVER_HOSTNAME`: The hostname of the server (required). 831* `SPINDLE_SERVER_JETSTREAM_ENDPOINT`: The endpoint of the Jetstream server (default: `"wss://jetstream1.us-west.bsky.network/subscribe"`). 832* `SPINDLE_SERVER_DEV`: A boolean indicating whether the server is running in development mode (default: `false`). 833* `SPINDLE_SERVER_OWNER`: The DID of the owner (required). 834* `SPINDLE_PIPELINES_NIXERY`: The Nixery URL (default: `"nixery.tangled.sh"`). 835* `SPINDLE_PIPELINES_WORKFLOW_TIMEOUT`: The default workflow timeout (default: `"5m"`). 836* `SPINDLE_PIPELINES_LOG_DIR`: The directory to store workflow logs (default: `"/var/log/spindle"`). 837 838### Running spindle 839 8401. **Set the environment variables.** For example: 841 842 ```shell 843 export SPINDLE_SERVER_HOSTNAME="your-hostname" 844 export SPINDLE_SERVER_OWNER="your-did" 845 ``` 846 8472. **Build the Spindle binary.** 848 849 ```shell 850 cd core 851 go mod download 852 go build -o cmd/spindle/spindle cmd/spindle/main.go 853 ``` 854 8553. **Create the log directory.** 856 857 ```shell 858 sudo mkdir -p /var/log/spindle 859 sudo chown $USER:$USER -R /var/log/spindle 860 ``` 861 8624. **Run the Spindle binary.** 863 864 ```shell 865 ./cmd/spindle/spindle 866 ``` 867 868Spindle will now start, connect to the Jetstream server, and begin processing pipelines. 869 870## Architecture 871 872Spindle is a small CI runner service. Here's a high-level overview of how it operates: 873 874* Listens for [`sh.tangled.spindle.member`](/lexicons/spindle/member.json) and 875[`sh.tangled.repo`](/lexicons/repo.json) records on the Jetstream. 876* When a new repo record comes through (typically when you add a spindle to a 877repo from the settings), spindle then resolves the underlying knot and 878subscribes to repo events (see: 879[`sh.tangled.pipeline`](/lexicons/pipeline.json)). 880* The spindle engine then handles execution of the pipeline, with results and 881logs beamed on the spindle event stream over WebSocket 882 883### The engine 884 885At present, the only supported backend is Docker (and Podman, if Docker 886compatibility is enabled, so that `/run/docker.sock` is created). spindle 887executes each step in the pipeline in a fresh container, with state persisted 888across steps within the `/tangled/workspace` directory. 889 890The base image for the container is constructed on the fly using 891[Nixery](https://nixery.dev), which is handy for caching layers for frequently 892used packages. 893 894The pipeline manifest is [specified here](https://docs.tangled.org/spindles.html#pipelines). 895 896## Secrets with openbao 897 898This document covers setting up spindle to use OpenBao for secrets 899management via OpenBao Proxy instead of the default SQLite backend. 900 901### Overview 902 903Spindle now uses OpenBao Proxy for secrets management. The proxy handles 904authentication automatically using AppRole credentials, while spindle 905connects to the local proxy instead of directly to the OpenBao server. 906 907This approach provides better security, automatic token renewal, and 908simplified application code. 909 910### Installation 911 912Install OpenBao from Nixpkgs: 913 914```bash 915nix shell nixpkgs#openbao # for a local server 916``` 917 918### Setup 919 920The setup process can is documented for both local development and production. 921 922#### Local development 923 924Start OpenBao in dev mode: 925 926```bash 927bao server -dev -dev-root-token-id="root" -dev-listen-address=127.0.0.1:8201 928``` 929 930This starts OpenBao on `http://localhost:8201` with a root token. 931 932Set up environment for bao CLI: 933 934```bash 935export BAO_ADDR=http://localhost:8200 936export BAO_TOKEN=root 937``` 938 939#### Production 940 941You would typically use a systemd service with a 942configuration file. Refer to 943[@tangled.org/infra](https://tangled.org/@tangled.org/infra) 944for how this can be achieved using Nix. 945 946Then, initialize the bao server: 947 948```bash 949bao operator init -key-shares=1 -key-threshold=1 950``` 951 952This will print out an unseal key and a root key. Save them 953somewhere (like a password manager). Then unseal the vault 954to begin setting it up: 955 956```bash 957bao operator unseal <unseal_key> 958``` 959 960All steps below remain the same across both dev and 961production setups. 962 963#### Configure openbao server 964 965Create the spindle KV mount: 966 967```bash 968bao secrets enable -path=spindle -version=2 kv 969``` 970 971Set up AppRole authentication and policy: 972 973Create a policy file `spindle-policy.hcl`: 974 975```hcl 976# Full access to spindle KV v2 data 977path "spindle/data/*" { 978 capabilities = ["create", "read", "update", "delete"] 979} 980 981# Access to metadata for listing and management 982path "spindle/metadata/*" { 983 capabilities = ["list", "read", "delete", "update"] 984} 985 986# Allow listing at root level 987path "spindle/" { 988 capabilities = ["list"] 989} 990 991# Required for connection testing and health checks 992path "auth/token/lookup-self" { 993 capabilities = ["read"] 994} 995``` 996 997Apply the policy and create an AppRole: 998 999```bash 1000bao policy write spindle-policy spindle-policy.hcl 1001bao auth enable approle 1002bao write auth/approle/role/spindle \ 1003 token_policies="spindle-policy" \ 1004 token_ttl=1h \ 1005 token_max_ttl=4h \ 1006 bind_secret_id=true \ 1007 secret_id_ttl=0 \ 1008 secret_id_num_uses=0 1009``` 1010 1011Get the credentials: 1012 1013```bash 1014# Get role ID (static) 1015ROLE_ID=$(bao read -field=role_id auth/approle/role/spindle/role-id) 1016 1017# Generate secret ID 1018SECRET_ID=$(bao write -f -field=secret_id auth/approle/role/spindle/secret-id) 1019 1020echo "Role ID: $ROLE_ID" 1021echo "Secret ID: $SECRET_ID" 1022``` 1023 1024#### Create proxy configuration 1025 1026Create the credential files: 1027 1028```bash 1029# Create directory for OpenBao files 1030mkdir -p /tmp/openbao 1031 1032# Save credentials 1033echo "$ROLE_ID" > /tmp/openbao/role-id 1034echo "$SECRET_ID" > /tmp/openbao/secret-id 1035chmod 600 /tmp/openbao/role-id /tmp/openbao/secret-id 1036``` 1037 1038Create a proxy configuration file `/tmp/openbao/proxy.hcl`: 1039 1040```hcl 1041# OpenBao server connection 1042vault { 1043 address = "http://localhost:8200" 1044} 1045 1046# Auto-Auth using AppRole 1047auto_auth { 1048 method "approle" { 1049 mount_path = "auth/approle" 1050 config = { 1051 role_id_file_path = "/tmp/openbao/role-id" 1052 secret_id_file_path = "/tmp/openbao/secret-id" 1053 } 1054 } 1055 1056 # Optional: write token to file for debugging 1057 sink "file" { 1058 config = { 1059 path = "/tmp/openbao/token" 1060 mode = 0640 1061 } 1062 } 1063} 1064 1065# Proxy listener for spindle 1066listener "tcp" { 1067 address = "127.0.0.1:8201" 1068 tls_disable = true 1069} 1070 1071# Enable API proxy with auto-auth token 1072api_proxy { 1073 use_auto_auth_token = true 1074} 1075 1076# Enable response caching 1077cache { 1078 use_auto_auth_token = true 1079} 1080 1081# Logging 1082log_level = "info" 1083``` 1084 1085#### Start the proxy 1086 1087Start OpenBao Proxy: 1088 1089```bash 1090bao proxy -config=/tmp/openbao/proxy.hcl 1091``` 1092 1093The proxy will authenticate with OpenBao and start listening on 1094`127.0.0.1:8201`. 1095 1096#### Configure spindle 1097 1098Set these environment variables for spindle: 1099 1100```bash 1101export SPINDLE_SERVER_SECRETS_PROVIDER=openbao 1102export SPINDLE_SERVER_SECRETS_OPENBAO_PROXY_ADDR=http://127.0.0.1:8201 1103export SPINDLE_SERVER_SECRETS_OPENBAO_MOUNT=spindle 1104``` 1105 1106On startup, spindle will now connect to the local proxy, 1107which handles all authentication automatically. 1108 1109### Production setup for proxy 1110 1111For production, you'll want to run the proxy as a service: 1112 1113Place your production configuration in 1114`/etc/openbao/proxy.hcl` with proper TLS settings for the 1115vault connection. 1116 1117### Verifying setup 1118 1119Test the proxy directly: 1120 1121```bash 1122# Check proxy health 1123curl -H "X-Vault-Request: true" http://127.0.0.1:8201/v1/sys/health 1124 1125# Test token lookup through proxy 1126curl -H "X-Vault-Request: true" http://127.0.0.1:8201/v1/auth/token/lookup-self 1127``` 1128 1129Test OpenBao operations through the server: 1130 1131```bash 1132# List all secrets 1133bao kv list spindle/ 1134 1135# Add a test secret via the spindle API, then check it exists 1136bao kv list spindle/repos/ 1137 1138# Get a specific secret 1139bao kv get spindle/repos/your_repo_path/SECRET_NAME 1140``` 1141 1142### How it works 1143 1144- Spindle connects to OpenBao Proxy on localhost (typically 1145 port 8200 or 8201) 1146- The proxy authenticates with OpenBao using AppRole 1147 credentials 1148- All spindle requests go through the proxy, which injects 1149 authentication tokens 1150- Secrets are stored at 1151 `spindle/repos/{sanitized_repo_path}/{secret_key}` 1152- Repository paths like `did:plc:alice/myrepo` become 1153 `did_plc_alice_myrepo` 1154- The proxy handles all token renewal automatically 1155- Spindle no longer manages tokens or authentication 1156 directly 1157 1158### Troubleshooting 1159 1160**Connection refused**: Check that the OpenBao Proxy is 1161running and listening on the configured address. 1162 1163**403 errors**: Verify the AppRole credentials are correct 1164and the policy has the necessary permissions. 1165 1166**404 route errors**: The spindle KV mount probably doesn't 1167exist—run the mount creation step again. 1168 1169**Proxy authentication failures**: Check the proxy logs and 1170verify the role-id and secret-id files are readable and 1171contain valid credentials. 1172 1173**Secret not found after writing**: This can indicate policy 1174permission issues. Verify the policy includes both 1175`spindle/data/*` and `spindle/metadata/*` paths with 1176appropriate capabilities. 1177 1178Check proxy logs: 1179 1180```bash 1181# If running as systemd service 1182journalctl -u openbao-proxy -f 1183 1184# If running directly, check the console output 1185``` 1186 1187Test AppRole authentication manually: 1188 1189```bash 1190bao write auth/approle/login \ 1191 role_id="$(cat /tmp/openbao/role-id)" \ 1192 secret_id="$(cat /tmp/openbao/secret-id)" 1193``` 1194 1195# Migrating knots and spindles 1196 1197Sometimes, non-backwards compatible changes are made to the 1198knot/spindle XRPC APIs. If you host a knot or a spindle, you 1199will need to follow this guide to upgrade. Typically, this 1200only requires you to deploy the newest version. 1201 1202This document is laid out in reverse-chronological order. 1203Newer migration guides are listed first, and older guides 1204are further down the page. 1205 1206## Upgrading from v1.8.x 1207 1208After v1.8.2, the HTTP API for knots and spindles has been 1209deprecated and replaced with XRPC. Repositories on outdated 1210knots will not be viewable from the appview. Upgrading is 1211straightforward however. 1212 1213For knots: 1214 1215- Upgrade to the latest tag (v1.9.0 or above) 1216- Head to the [knot dashboard](https://tangled.org/settings/knots) and 1217 hit the "retry" button to verify your knot 1218 1219For spindles: 1220 1221- Upgrade to the latest tag (v1.9.0 or above) 1222- Head to the [spindle 1223 dashboard](https://tangled.org/settings/spindles) and hit the 1224 "retry" button to verify your spindle 1225 1226## Upgrading from v1.7.x 1227 1228After v1.7.0, knot secrets have been deprecated. You no 1229longer need a secret from the appview to run a knot. All 1230authorized commands to knots are managed via [Inter-Service 1231Authentication](https://atproto.com/specs/xrpc#inter-service-authentication-jwt). 1232Knots will be read-only until upgraded. 1233 1234Upgrading is quite easy, in essence: 1235 1236- `KNOT_SERVER_SECRET` is no more, you can remove this 1237 environment variable entirely 1238- `KNOT_SERVER_OWNER` is now required on boot, set this to 1239 your DID. You can find your DID in the 1240 [settings](https://tangled.org/settings) page. 1241- Restart your knot once you have replaced the environment 1242 variable 1243- Head to the [knot dashboard](https://tangled.org/settings/knots) and 1244 hit the "retry" button to verify your knot. This simply 1245 writes a `sh.tangled.knot` record to your PDS. 1246 1247If you use the nix module, simply bump the flake to the 1248latest revision, and change your config block like so: 1249 1250```diff 1251 services.tangled.knot = { 1252 enable = true; 1253 server = { 1254- secretFile = /path/to/secret; 1255+ owner = "did:plc:foo"; 1256 }; 1257 }; 1258``` 1259 1260# Hacking on Tangled 1261 1262We highly recommend [installing 1263Nix](https://nixos.org/download/) (the package manager) 1264before working on the codebase. The Nix flake provides a lot 1265of helpers to get started and most importantly, builds and 1266dev shells are entirely deterministic. 1267 1268To set up your dev environment: 1269 1270```bash 1271nix develop 1272``` 1273 1274Non-Nix users can look at the `devShell` attribute in the 1275`flake.nix` file to determine necessary dependencies. 1276 1277## Running the appview 1278 1279The Nix flake also exposes a few `app` attributes (run `nix 1280flake show` to see a full list of what the flake provides), 1281one of the apps runs the appview with the `air` 1282live-reloader: 1283 1284```bash 1285TANGLED_DEV=true nix run .#watch-appview 1286 1287# TANGLED_DB_PATH might be of interest to point to 1288# different sqlite DBs 1289 1290# in a separate shell, you can live-reload tailwind 1291nix run .#watch-tailwind 1292``` 1293 1294To authenticate with the appview, you will need Redis and 1295OAuth JWKs to be set up: 1296 1297``` 1298# OAuth JWKs should already be set up by the Nix devshell: 1299echo $TANGLED_OAUTH_CLIENT_SECRET 1300z42ty4RT1ovnTopY8B8ekz9NuziF2CuMkZ7rbRFpAR9jBqMc 1301 1302echo $TANGLED_OAUTH_CLIENT_KID 13031761667908 1304 1305# if not, you can set it up yourself: 1306goat key generate -t P-256 1307Key Type: P-256 / secp256r1 / ES256 private key 1308Secret Key (Multibase Syntax): save this securely (eg, add to password manager) 1309 z42tuPDKRfM2mz2Kv953ARen2jmrPA8S9LX9tRq4RVcUMwwL 1310Public Key (DID Key Syntax): share or publish this (eg, in DID document) 1311 did:key:zDnaeUBxtG6Xuv3ATJE4GaWeyXM3jyamJsZw3bSPpxx4bNXDR 1312 1313# the secret key from above 1314export TANGLED_OAUTH_CLIENT_SECRET="z42tuP..." 1315 1316# Run Redis in a new shell to store OAuth sessions 1317redis-server 1318``` 1319 1320## Running knots and spindles 1321 1322An end-to-end knot setup requires setting up a machine with 1323`sshd`, `AuthorizedKeysCommand`, and a Git user, which is 1324quite cumbersome. So the Nix flake provides a 1325`nixosConfiguration` to do so. 1326 1327<details> 1328 <summary><strong>macOS users will have to set up a Nix Builder first</strong></summary> 1329 1330 In order to build Tangled's dev VM on macOS, you will 1331 first need to set up a Linux Nix builder. The recommended 1332 way to do so is to run a [`darwin.linux-builder` 1333 VM](https://nixos.org/manual/nixpkgs/unstable/#sec-darwin-builder) 1334 and to register it in `nix.conf` as a builder for Linux 1335 with the same architecture as your Mac (`linux-aarch64` if 1336 you are using Apple Silicon). 1337 1338 > IMPORTANT: You must build `darwin.linux-builder` somewhere other than inside 1339 > the Tangled repo so that it doesn't conflict with the other VM. For example, 1340 > you can do 1341 > 1342 > ```shell 1343 > cd $(mktemp -d buildervm.XXXXX) && nix run nixpkgs#darwin.linux-builder 1344 > ``` 1345 > 1346 > to store the builder VM in a temporary dir. 1347 > 1348 > You should read and follow [all the other intructions][darwin builder vm] to 1349 > avoid subtle problems. 1350 1351 Alternatively, you can use any other method to set up a 1352 Linux machine with Nix installed that you can `sudo ssh` 1353 into (in other words, root user on your Mac has to be able 1354 to ssh into the Linux machine without entering a password) 1355 and that has the same architecture as your Mac. See 1356 [remote builder 1357 instructions](https://nix.dev/manual/nix/2.28/advanced-topics/distributed-builds.html#requirements) 1358 for how to register such a builder in `nix.conf`. 1359 1360 > WARNING: If you'd like to use 1361 > [`nixos-lima`](https://github.com/nixos-lima/nixos-lima) or 1362 > [Orbstack](https://orbstack.dev/), note that setting them up so that `sudo 1363 > ssh` works can be tricky. It seems to be [possible with 1364 > Orbstack](https://github.com/orgs/orbstack/discussions/1669). 1365 1366</details> 1367 1368To begin, grab your DID from http://localhost:3000/settings. 1369Then, set `TANGLED_VM_KNOT_OWNER` and 1370`TANGLED_VM_SPINDLE_OWNER` to your DID. You can now start a 1371lightweight NixOS VM like so: 1372 1373```bash 1374nix run --impure .#vm 1375 1376# type `poweroff` at the shell to exit the VM 1377``` 1378 1379This starts a knot on port 6444, a spindle on port 6555 1380with `ssh` exposed on port 2222. 1381 1382Once the services are running, head to 1383http://localhost:3000/settings/knots and hit "Verify". It should 1384verify the ownership of the services instantly if everything 1385went smoothly. 1386 1387You can push repositories to this VM with this ssh config 1388block on your main machine: 1389 1390```bash 1391Host nixos-shell 1392 Hostname localhost 1393 Port 2222 1394 User git 1395 IdentityFile ~/.ssh/my_tangled_key 1396``` 1397 1398Set up a remote called `local-dev` on a git repo: 1399 1400```bash 1401git remote add local-dev git@nixos-shell:user/repo 1402git push local-dev main 1403``` 1404 1405The above VM should already be running a spindle on 1406`localhost:6555`. Head to http://localhost:3000/settings/spindles and 1407hit "Verify". You can then configure each repository to use 1408this spindle and run CI jobs. 1409 1410Of interest when debugging spindles: 1411 1412``` 1413# Service logs from journald: 1414journalctl -xeu spindle 1415 1416# CI job logs from disk: 1417ls /var/log/spindle 1418 1419# Debugging spindle database: 1420sqlite3 /var/lib/spindle/spindle.db 1421 1422# litecli has a nicer REPL interface: 1423litecli /var/lib/spindle/spindle.db 1424``` 1425 1426If for any reason you wish to disable either one of the 1427services in the VM, modify [nix/vm.nix](/nix/vm.nix) and set 1428`services.tangled.spindle.enable` (or 1429`services.tangled.knot.enable`) to `false`. 1430 1431# Contribution guide 1432 1433## Commit guidelines 1434 1435We follow a commit style similar to the Go project. Please keep commits: 1436 1437* **atomic**: each commit should represent one logical change 1438* **descriptive**: the commit message should clearly describe what the 1439change does and why it's needed 1440 1441### Message format 1442 1443``` 1444<service/top-level directory>/<affected package/directory>: <short summary of change> 1445 1446Optional longer description can go here, if necessary. Explain what the 1447change does and why, especially if not obvious. Reference relevant 1448issues or PRs when applicable. These can be links for now since we don't 1449auto-link issues/PRs yet. 1450``` 1451 1452Here are some examples: 1453 1454``` 1455appview/state: fix token expiry check in middleware 1456 1457The previous check did not account for clock drift, leading to premature 1458token invalidation. 1459``` 1460 1461``` 1462knotserver/git/service: improve error checking in upload-pack 1463``` 1464 1465 1466### General notes 1467 1468- PRs get merged "as-is" (fast-forward)—like applying a patch-series 1469using `git am`. At present, there is no squashing—so please author 1470your commits as they would appear on `master`, following the above 1471guidelines. 1472- If there is a lot of nesting, for example "appview: 1473pages/templates/repo/fragments: ...", these can be truncated down to 1474just "appview: repo/fragments: ...". If the change affects a lot of 1475subdirectories, you may abbreviate to just the top-level names, e.g. 1476"appview: ..." or "knotserver: ...". 1477- Keep commits lowercased with no trailing period. 1478- Use the imperative mood in the summary line (e.g., "fix bug" not 1479"fixed bug" or "fixes bug"). 1480- Try to keep the summary line under 72 characters, but we aren't too 1481fussed about this. 1482- Follow the same formatting for PR titles if filled manually. 1483- Don't include unrelated changes in the same commit. 1484- Avoid noisy commit messages like "wip" or "final fix"—rewrite history 1485before submitting if necessary. 1486 1487## Code formatting 1488 1489We use a variety of tools to format our code, and multiplex them with 1490[`treefmt`](https://treefmt.com). All you need to do to format your changes 1491is run `nix run .#fmt` (or just `treefmt` if you're in the devshell). 1492 1493## Proposals for bigger changes 1494 1495Small fixes like typos, minor bugs, or trivial refactors can be 1496submitted directly as PRs. 1497 1498For larger changes—especially those introducing new features, significant 1499refactoring, or altering system behavior—please open a proposal first. This 1500helps us evaluate the scope, design, and potential impact before implementation. 1501 1502Create a new issue titled: 1503 1504``` 1505proposal: <affected scope>: <summary of change> 1506``` 1507 1508In the description, explain: 1509 1510- What the change is 1511- Why it's needed 1512- How you plan to implement it (roughly) 1513- Any open questions or tradeoffs 1514 1515We'll use the issue thread to discuss and refine the idea before moving 1516forward. 1517 1518## Developer Certificate of Origin (DCO) 1519 1520We require all contributors to certify that they have the right to 1521submit the code they're contributing. To do this, we follow the 1522[Developer Certificate of Origin 1523(DCO)](https://developercertificate.org/). 1524 1525By signing your commits, you're stating that the contribution is your 1526own work, or that you have the right to submit it under the project's 1527license. This helps us keep things clean and legally sound. 1528 1529To sign your commit, just add the `-s` flag when committing: 1530 1531```sh 1532git commit -s -m "your commit message" 1533``` 1534 1535This appends a line like: 1536 1537``` 1538Signed-off-by: Your Name <your.email@example.com> 1539``` 1540 1541We won't merge commits if they aren't signed off. If you forget, you can 1542amend the last commit like this: 1543 1544```sh 1545git commit --amend -s 1546``` 1547 1548If you're submitting a PR with multiple commits, make sure each one is 1549signed. 1550 1551For [jj](https://jj-vcs.github.io/jj/latest/) users, you can run the following command 1552to make it sign off commits in the tangled repo: 1553 1554```shell 1555# Safety check, should say "No matching config key..." 1556jj config list templates.commit_trailers 1557# The command below may need to be adjusted if the command above returned something. 1558jj config set --repo templates.commit_trailers "format_signed_off_by_trailer(self)" 1559``` 1560 1561Refer to the [jujutsu 1562documentation](https://jj-vcs.github.io/jj/latest/config/#commit-trailers) 1563for more information.