docs/DOCS.md at 520d1ab2b24de9810eb3c943e8676b4894c002fa · tangled.org/core

tangled.org / core
Fork 66
Monorepo for Tangled tangled.org
Fork 66
core / docs / DOCS.md
at 520d1ab2b24de9810eb3c943e8676b4894c002fa 2561 lines 77 kB View raw View rendered
wrap content
dawn spindle,shuttle: microvm engine init 7d ago
afd329ee
   1---
   2title: Tangled docs
   3author: The Tangled Contributors
   4date: 21 Sun, Dec 2025
   5abstract: |
   6  Tangled is a decentralized code hosting and collaboration
   7  platform. Every component of Tangled is open-source and
   8  self-hostable. [tangled.org](https://tangled.org) also
   9  provides hosting and CI services that are free to use.
  10
  11  There are several models for decentralized code
  12  collaboration platforms, ranging from ActivityPub’s
  13  (Forgejo) federated model, to Radicle’s entirely P2P model.
  14  Our approach attempts to be the best of both worlds by
  15  adopting the AT Protocol—a protocol for building decentralized
  16  social applications with a central identity
  17
  18  Our approach to this is the idea of “knots”. Knots are
  19  lightweight, headless servers that enable users to host Git
  20  repositories with ease. Knots are designed for either single
  21  or multi-tenant use which is perfect for self-hosting on a
  22  Raspberry Pi at home, or larger “community” servers. By
  23  default, Tangled provides managed knots where you can host
  24  your repositories for free.
  25
  26  The appview at tangled.org acts as a consolidated "view"
  27  into the whole network, allowing users to access, clone and
  28  contribute to repositories hosted across different knots
  29  seamlessly.
  30---
  31
  32# Quick start guide
  33
  34## Login or sign up
  35
  36You can [login](https://tangled.org) by using your AT Protocol
  37account. If you are unclear on what that means, simply head
  38to the [signup](https://tangled.org/signup) page and create
  39an account. By doing so, you will be choosing Tangled as
  40your account provider (you will be granted a handle of the
  41form `user.tngl.sh`).
  42
  43In the AT Protocol network, users are free to choose their account
  44provider (known as a "Personal Data Service", or PDS), and
  45login to applications that support AT accounts.
  46
  47You can think of it as "one account for all of the atmosphere"!
  48
  49If you already have an AT account (you may have one if you
  50signed up to Bluesky, for example), you can login with the
  51same handle on Tangled (so just use `user.bsky.social` on
  52the login page).
  53
  54## Add an SSH key
  55
  56Once you are logged in, you can start creating repositories
  57and pushing code. Tangled supports pushing git repositories
  58over SSH.
  59
  60First, you'll need to generate an SSH key if you don't
  61already have one:
  62
  63```bash
  64ssh-keygen -t ed25519 -C "foo@bar.com"
  65```
  66
  67When prompted, save the key to the default location
  68(`~/.ssh/id_ed25519`) and optionally set a passphrase.
  69
  70Copy your public key to your clipboard:
  71
  72```bash
  73# on X11
  74cat ~/.ssh/id_ed25519.pub | xclip -sel c
  75
  76# on wayland
  77cat ~/.ssh/id_ed25519.pub | wl-copy
  78
  79# on macos
  80cat ~/.ssh/id_ed25519.pub | pbcopy
  81```
  82
  83Now, navigate to 'Settings' -> 'Keys' and hit 'Add Key',
  84paste your public key, give it a descriptive name, and hit
  85save.
  86
  87## Create a repository
  88
  89Once your SSH key is added, create your first repository:
  90
  911. Hit the green `+` icon on the topbar, and select
  92   repository
  932. Enter a repository name
  943. Add a description
  954. Choose a knotserver to host this repository on
  965. Hit create
  97
  98Knots are self-hostable, lightweight Git servers that can
  99host your repository. Unlike traditional code forges, your
 100code can live on any server. Read the [Knots](TODO) section
 101for more.
 102
 103## Configure SSH
 104
 105To ensure Git uses the correct SSH key and connects smoothly
 106to Tangled, add this configuration to your `~/.ssh/config`
 107file:
 108
 109```
 110Host tangled.org
 111    Hostname tangled.org
 112    User git
 113    IdentityFile ~/.ssh/id_ed25519
 114    AddressFamily inet
 115```
 116
 117This tells SSH to use your specific key when connecting to
 118Tangled and prevents authentication issues if you have
 119multiple SSH keys.
 120
 121Note that this configuration only works for knotservers that
 122are hosted by tangled.org. If you use a custom knot, refer
 123to the [Knots](TODO) section.
 124
 125## Push your first repository
 126
 127Initialize a new Git repository:
 128
 129```bash
 130mkdir my-project
 131cd my-project
 132
 133git init
 134echo "# My Project" > README.md
 135```
 136
 137Add some content and push!
 138
 139```bash
 140git add README.md
 141git commit -m "Initial commit"
 142git remote add origin git@tangled.org:user.tngl.sh/my-project
 143git push -u origin main
 144```
 145
 146That's it! Your code is now hosted on Tangled.
 147
 148## Migrating an existing repository
 149
 150Moving your repositories from GitHub, GitLab, Bitbucket, or
 151any other Git forge to Tangled is straightforward. You'll
 152simply change your repository's remote URL. At the moment,
 153Tangled does not have any tooling to migrate data such as
 154GitHub issues or pull requests.
 155
 156First, create a new repository on tangled.org as described
 157in the [Quick Start Guide](#create-a-repository).
 158
 159Navigate to your existing local repository:
 160
 161```bash
 162cd /path/to/your/existing/repo
 163```
 164
 165You can inspect your existing Git remote like so:
 166
 167```bash
 168git remote -v
 169```
 170
 171You'll see something like:
 172
 173```bash
 174origin  git@github.com:username/my-project.git (fetch)
 175origin  git@github.com:username/my-project.git (push)
 176```
 177
 178Update the remote URL to point to tangled:
 179
 180```bash
 181git remote set-url origin git@tangled.org:user.tngl.sh/my-project
 182```
 183
 184Verify the change:
 185
 186```bash
 187git remote -v
 188```
 189
 190You should now see:
 191
 192```bash
 193origin  git@tangled.org:user.tngl.sh/my-project (fetch)
 194origin  git@tangled.org:user.tngl.sh/my-project (push)
 195```
 196
 197Push all your branches and tags to Tangled:
 198
 199```bash
 200git push -u origin --all
 201git push -u origin --tags
 202```
 203
 204Your repository is now migrated to Tangled! All commit
 205history, branches, and tags have been preserved.
 206
 207## Mirroring a repository to Tangled
 208
 209If you want to maintain your repository on multiple forges
 210simultaneously, for example, keeping your primary repository
 211on GitHub while mirroring to Tangled for backup or
 212redundancy, you can do so by adding [multiple remotes](https://git-scm.com/docs/git-push#_remotes).
 213
 214You can configure your local repository to push to both
 215Tangled and, say, GitHub. You may already have the following
 216setup:
 217
 218```bash
 219$ git remote -v
 220origin  git@github.com:username/my-project.git (fetch)
 221origin  git@github.com:username/my-project.git (push)
 222```
 223
 224Now add Tangled as an additional push URL to the same
 225remote:
 226
 227```bash
 228git remote set-url --add --push origin git@tangled.org:user.tngl.sh/my-project
 229```
 230
 231You also need to re-add the original URL as a push
 232destination (Git will now use the original URL to fetch only):
 233
 234```bash
 235git remote set-url --add --push origin git@github.com:username/my-project.git
 236```
 237
 238Verify your configuration:
 239
 240```bash
 241$ git remote -v
 242origin  git@github.com:username/my-project.git (fetch)
 243origin  git@tangled.org:user.tngl.sh/my-project (push)
 244origin  git@github.com:username/my-project.git (push)
 245```
 246
 247Notice that there's one fetch URL (the primary remote) and
 248two push URLs. Now, whenever you push, Git will
 249automatically push to both remotes:
 250
 251```bash
 252git push origin main
 253```
 254
 255This single command pushes your `main` branch to both GitHub
 256and Tangled simultaneously.
 257
 258To push all branches and tags:
 259
 260```bash
 261git push origin --all
 262git push origin --tags
 263```
 264
 265If you prefer more control over which remote you push to,
 266you can maintain separate remotes:
 267
 268```bash
 269git remote add github git@github.com:username/my-project.git
 270git remote add tangled git@tangled.org:user.tngl.sh/my-project
 271```
 272
 273Then push to each explicitly:
 274
 275```bash
 276git push github main
 277git push tangled main
 278```
 279
 280# Hosting websites on Tangled
 281
 282You can serve static websites directly from your git repositories on
 283Tangled. If you've used GitHub Pages or Codeberg Pages, this should feel
 284familiar.
 285
 286## Overview
 287
 288Every user gets a sites domain. If you signed up through Tangled's own
 289PDS (`tngl.sh`), your sites domain is automatically
 290`<your-handle>.tngl.sh` no setup needed. Otherwise, you can claim a
 291`<subdomain>.tngl.io` domain from your settings.
 292
 293You can serve multiple sites per domain:
 294
 295- One **index site** served at the root of your domain (e.g.
 296  `alice.tngl.sh`)
 297- Any number of **sub-path sites** served under the repository name
 298  (e.g. `alice.tngl.sh/my-project`)
 299
 300## Claiming a domain
 301
 302If you don't have a `tngl.sh` handle, you need to claim a domain before
 303publishing sites:
 304
 3051. Go to **Settings → Sites**
 3062. Enter a subdomain (e.g. `alice` to claim `alice.tngl.io`)
 3073. Click **claim**
 308
 309You can only hold one domain at a time. Releasing a domain puts it in a
 31030-day cooldown before anyone else can claim it.
 311
 312## Configuring a site for a repository
 313
 3141. Navigate to your repository
 3152. Go to **Settings → Sites** 
 3163. Choose a **branch** to deploy from
 3174. Set the **deploy directory** — the path within the repository
 318   containing your `index.html`. Use `/` for the root, or a subdirectory
 319   like `/docs` or `/public`
 3205. Choose the **site type**:
 321   - **Index site** — served at the root of your domain (e.g.
 322     `alice.tngl.sh`)
 323   - **Sub-path site** — served under the repository name (e.g.
 324     `alice.tngl.sh/my-project`)
 3256. Click **save**
 326
 327The site will be deployed automatically. You can see the status of your
 328previous deploys in the **Recent Deploys** section at the bottom of the
 329page.
 330
 331Sites are redeployed automatically on every push to the configured
 332branch.
 333
 334## Custom domains
 335
 336Tangled currently doesn't support custom domains for sites. This will be
 337added in a future update.
 338
 339## Deploy directory
 340
 341The deploy directory is the path within your repository that Tangled
 342serves as the site root. It must contain an `index.html`.
 343
 344| Deploy directory | Result |
 345|---|---|
 346| `/` | Serves the repository root |
 347| `/docs` | Serves the `docs/` subdirectory |
 348| `/public` | Serves the `public/` subdirectory |
 349
 350Directories are served with automatic `index.html` resolution -- a
 351request to `/about` will serve `/about/index.html` if it exists.
 352
 353## Site types
 354
 355| Type | URL |
 356|---|---|
 357| Index site | `alice.tngl.sh` |
 358| Sub-path site | `alice.tngl.sh/my-project` |
 359
 360Only one repository can be the index site for a given domain at a time.
 361If another repository already holds the index site, you will see a
 362notice in the settings and only the sub-path option will be available.
 363
 364## Deploy triggers
 365
 366A deployment is triggered automatically when:
 367
 368- You push to the configured branch
 369- You change the site configuration (branch, deploy directory, or site
 370  type)
 371
 372## Disabling a site
 373
 374To stop serving a site, go to **Settings → Sites** in your repository
 375and click **Disable**. This removes the site configuration and stops
 376serving the site. The deployed files are also deleted from storage.
 377
 378Releasing your domain from **Settings → Sites** at the account level
 379will disable all sites associated with it and delete their files.
 380
 381
 382# Knot self-hosting guide
 383
 384So you want to run your own knot server? Great! Here are a few prerequisites:
 385
 3861. A server of some kind (a VPS, a Raspberry Pi, etc.). Preferably running a Linux distribution of some kind.
 3872. A (sub)domain name. People generally use `knot.example.com`.
 3883. A valid SSL certificate for your domain.
 389
 390## NixOS
 391
 392Refer to the [knot
 393module](https://tangled.org/tangled.org/core/blob/master/nix/modules/knot.nix)
 394for a full list of options. Sample configurations:
 395
 396- [The test VM](https://tangled.org/tangled.org/core/blob/master/nix/vm.nix#L85)
 397- [@pyrox.dev/nix](https://tangled.org/pyrox.dev/nix/blob/d19571cc1b5fe01035e1e6951ec8cf8a476b4dee/hosts/marvin/services/tangled.nix#L15-25)
 398
 399## Docker
 400
 401Refer to
 402[@tangled.org/knot-docker](https://tangled.org/@tangled.org/knot-docker).
 403Note that this is community maintained.
 404
 405## Manual setup
 406
 407First, clone this repository:
 408
 409```
 410git clone https://tangled.org/@tangled.org/core
 411```
 412
 413Then, build the `knot` CLI. This is the knot administration
 414and operation tool. For the purpose of this guide, we're
 415only concerned with these subcommands:
 416
 417- `knot server`: the main knot server process, typically
 418  run as a supervised service
 419- `knot guard`: handles role-based access control for git
 420  over SSH (you'll never have to run this yourself)
 421- `knot keys`: fetches SSH keys associated with your knot;
 422  we'll use this to generate the SSH
 423  `AuthorizedKeysCommand`
 424
 425```
 426cd core
 427export CGO_ENABLED=1
 428go build -o knot ./cmd/knot
 429```
 430
 431Next, move the `knot` binary to a location owned by `root` --
 432`/usr/local/bin/` is a good choice. Make sure the binary itself is also owned by `root`:
 433
 434```
 435sudo mv knot /usr/local/bin/knot
 436sudo chown root:root /usr/local/bin/knot
 437```
 438
 439This is necessary because SSH `AuthorizedKeysCommand` requires [really
 440specific permissions](https://stackoverflow.com/a/27638306). The
 441`AuthorizedKeysCommand` specifies a command that is run by `sshd` to
 442retrieve a user's public SSH keys dynamically for authentication. Let's
 443set that up.
 444
 445```
 446sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
 447Match User git
 448  AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys
 449  AuthorizedKeysCommandUser nobody
 450EOF
 451```
 452
 453Then, reload `sshd`:
 454
 455```
 456sudo systemctl reload ssh
 457```
 458
 459Next, create the `git` user. We'll use the `git` user's home directory
 460to store repositories:
 461
 462```
 463sudo adduser git
 464```
 465
 466Create `/home/git/.knot.env` with the following, updating the values as
 467necessary. The `KNOT_SERVER_OWNER` should be set to your
 468DID, you can find your DID in the [Settings](https://tangled.sh/settings) page.
 469
 470```
 471KNOT_REPO_SCAN_PATH=/home/git
 472KNOT_SERVER_HOSTNAME=knot.example.com
 473APPVIEW_ENDPOINT=https://tangled.org
 474KNOT_SERVER_OWNER=did:plc:foobar
 475KNOT_SERVER_INTERNAL_LISTEN_ADDR=127.0.0.1:5444
 476KNOT_SERVER_LISTEN_ADDR=127.0.0.1:5555
 477```
 478
 479If you run a Linux distribution that uses systemd, you can
 480use the provided service file to run the server. Copy
 481[`knotserver.service`](https://tangled.org/tangled.org/core/blob/master/systemd/knotserver.service)
 482to `/etc/systemd/system/`. Then, run:
 483
 484```
 485systemctl enable knotserver
 486systemctl start knotserver
 487```
 488
 489The last step is to configure a reverse proxy like Nginx or Caddy to front your
 490knot. Here's an example configuration for Nginx:
 491
 492```
 493server {
 494    listen 80;
 495    listen [::]:80;
 496    server_name knot.example.com;
 497
 498    location / {
 499        proxy_pass http://localhost:5555;
 500        proxy_set_header Host $host;
 501        proxy_set_header X-Real-IP $remote_addr;
 502        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 503        proxy_set_header X-Forwarded-Proto $scheme;
 504    }
 505
 506    # wss endpoint for git events
 507    location /events {
 508        proxy_set_header   X-Forwarded-For $remote_addr;
 509        proxy_set_header   Host $http_host;
 510        proxy_set_header Upgrade websocket;
 511        proxy_set_header Connection Upgrade;
 512        proxy_pass http://localhost:5555;
 513    }
 514  # additional config for SSL/TLS go here.
 515}
 516
 517```
 518
 519Remember to use Let's Encrypt or similar to procure a certificate for your
 520knot domain.
 521
 522You should now have a running knot server! You can finalize
 523your registration by hitting the `verify` button on the
 524[/settings/knots](https://tangled.org/settings/knots) page. This simply creates
 525a record on your PDS to announce the existence of the knot.
 526
 527### Custom paths
 528
 529(This section applies to manual setup only. Docker users should edit the mounts
 530in `docker-compose.yml` instead.)
 531
 532Right now, the database and repositories of your knot lives in `/home/git`. You
 533can move these paths if you'd like to store them in another folder. Be careful
 534when adjusting these paths:
 535
 536- Stop your knot when moving data (e.g. `systemctl stop knotserver`) to prevent
 537  any possible side effects. Remember to restart it once you're done.
 538- Make backups before moving in case something goes wrong.
 539- Make sure the `git` user can read and write from the new paths.
 540
 541#### Database
 542
 543As an example, let's say the current database is at `/home/git/knotserver.db`,
 544and we want to move it to `/home/git/database/knotserver.db`.
 545
 546Copy the current database to the new location. Make sure to copy the `.db-shm`
 547and `.db-wal` files if they exist.
 548
 549```
 550mkdir /home/git/database
 551cp /home/git/knotserver.db* /home/git/database
 552```
 553
 554In the environment (e.g. `/home/git/.knot.env`), set `KNOT_SERVER_DB_PATH` to
 555the new file path (_not_ the directory):
 556
 557```
 558KNOT_SERVER_DB_PATH=/home/git/database/knotserver.db
 559```
 560
 561#### Repositories
 562
 563As an example, let's say the repositories are currently in `/home/git`, and we
 564want to move them into `/home/git/repositories`.
 565
 566Create the new folder, then move the existing repositories (if there are any):
 567
 568```
 569mkdir /home/git/repositories
 570# move all DIDs into the new folder; these will vary for you!
 571mv /home/git/did:plc:wshs7t2adsemcrrd4snkeqli /home/git/repositories
 572```
 573
 574In the environment (e.g. `/home/git/.knot.env`), update `KNOT_REPO_SCAN_PATH`
 575to the new directory:
 576
 577```
 578KNOT_REPO_SCAN_PATH=/home/git/repositories
 579```
 580
 581Similarly, update your `sshd` `AuthorizedKeysCommand` to use the updated
 582repository path:
 583
 584```
 585sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
 586Match User git
 587  AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys -git-dir /home/git/repositories
 588  AuthorizedKeysCommandUser nobody
 589EOF
 590```
 591
 592Make sure to restart your SSH server!
 593
 594#### MOTD (message of the day)
 595
 596To configure the MOTD used ("Welcome to this knot!" by default), edit the
 597`/home/git/motd` file:
 598
 599```
 600printf "Hi from this knot!\n" > /home/git/motd
 601```
 602
 603Note that you should add a newline at the end if setting a non-empty message
 604since the knot won't do this for you.
 605
 606## Secure Mode
 607
 608Secure Mode isolates each `git` subprocess to the repository it is
 609operating on, using two mechanisms:
 610
 611- **Linux Landlock** restricts the filesystem paths the subprocess
 612  can access -- it can only read/write its own repository and the
 613  system directories it needs to run.
 614- **UID isolation** runs each subprocess as a virtual UID assigned
 615  to the repository owner, so that repositories belonging to
 616  different owners are isolated from each other at the OS level
 617  even if Landlock were somehow bypassed.
 618
 619Secure Mode requires:
 620
 621- Linux kernel >= 5.19 (Landlock V2). This is the minimum needed
 622  for `git push` to work, because receive-pack's quarantine
 623  migration uses cross-directory rename which requires the
 624  Landlock `REFER` access right (added in V2). Kernels 5.13-5.18
 625  support Landlock V1 and clones will work, but pushes will fail
 626  with cross-device link errors. On kernels without any Landlock
 627  support (< 5.13), the sandbox call is a no-op: UID isolation
 628  still applies but no filesystem restriction is enforced.
 629- `CAP_SETUID`, `CAP_SETGID`, and `CAP_CHOWN` available to the
 630  knot process. The NixOS module grants these automatically; for
 631  manual setups see the `setcap` step below.
 632
 633### NixOS
 634
 635Add `server.secureMode = true;` to your knot module configuration:
 636
 637```nix
 638services.tangled.knot = {
 639  server.secureMode = true;
 640  # ... other options
 641};
 642```
 643
 644The NixOS module handles everything else automatically:
 645
 646- Grants the required capabilities to the knot service via
 647  `AmbientCapabilities` in the systemd unit.
 648- Installs a capability-bearing wrapper at
 649  `/run/wrappers/bin/knot` via `security.wrappers`, so that
 650  SSH-invoked git operations (pushes) also run under the correct
 651  UID without requiring the service to run as root.
 652- Runs `knot migrate-isolation` at service start to chown
 653  existing repositories to their virtual UIDs.
 654
 655### Manual setup
 656
 657**Step 1.** Grant the required capabilities to the knot binary.
 658This allows the knot process to switch to virtual UIDs at runtime
 659without running as root. You will need to repeat this step
 660whenever the binary is updated.
 661
 662```
 663sudo setcap cap_setuid,cap_setgid,cap_chown+eip /usr/local/bin/knot
 664```
 665
 666**Step 2.** Run the migration tool to assign virtual UIDs to all
 667existing repositories and set their filesystem permissions. This
 668must be run as root:
 669
 670```
 671sudo knot migrate-isolation \
 672  --git-dir /home/git \
 673  --db /home/git/knotserver.db \
 674  --internal-api 127.0.0.1:5444
 675```
 676
 677You can re-run this at any time with `--force` to reapply
 678permissions (e.g. after a manual repair or after updating the
 679binary).
 680
 681**Step 2a.** Ensure the home directory is traversable by
 682non-group users. Git subprocesses run as virtual UIDs that are
 683not in the git group, and they need to resolve
 684`$HOME/.config/git/config` to load the global config:
 685
 686```
 687sudo chmod o+x /home/git
 688```
 689
 690This adds only the execute bit, not read -- the virtual UIDs can
 691traverse to known paths but cannot list directory contents.
 692
 693**Step 3.** Enable Secure Mode in your environment file:
 694
 695```
 696KNOT_SERVER_SECURE_MODE=true
 697```
 698
 699Or pass it as a flag:
 700
 701```
 702knot server --secure-mode
 703```
 704
 705**Step 4.** Regenerate the `AuthorizedKeysCommand` with the
 706`-secure-mode` flag. This causes `knot keys` to emit guard
 707command lines that include `-secure-mode`, so SSH pushes also
 708get UID isolation:
 709
 710```
 711sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
 712Match User git
 713  AuthorizedKeysCommand /usr/local/bin/knot keys \
 714    -o authorized-keys -secure-mode
 715  AuthorizedKeysCommandUser nobody
 716EOF
 717```
 718
 719Reload `sshd` after making this change.
 720
 721> **Note:** the server will refuse to start in Secure Mode if any
 722> repositories have not yet been isolation-migrated. Re-run
 723> `migrate-isolation` if you see this error.
 724
 725## Troubleshooting
 726
 727If you run your own knot, you may run into some of these
 728common issues. You can always join the
 729[IRC](https://web.libera.chat/#tangled) or
 730[Discord](https://chat.tangled.org/) if this section does
 731not help.
 732
 733### Unable to push
 734
 735If you are unable to push to your knot or repository:
 736
 7371. First, ensure that you have added your SSH public key to
 738   your account
 7392. Check to see that your knot has synced the key by running
 740   `knot keys`
 7413. Check to see if git is supplying the correct private key
 742   when pushing: `GIT_SSH_COMMAND="ssh -v" git push ...`
 7434. Check to see if `sshd` on the knot is rejecting the push
 744   for some reason: `journalctl -xeu ssh` (or `sshd`,
 745   depending on your machine). These logs are unavailable if
 746   using docker.
 7475. Check to see if the knot itself is rejecting the push,
 748   depending on your setup, the logs might be in one of the
 749   following paths:
 750   - `/tmp/knotguard.log`
 751   - `/home/git/log`
 752   - `/home/git/guard.log`
 753
 754# Spindles
 755
 756## Pipelines
 757
 758Spindle workflows allow you to write CI/CD pipelines in a
 759simple format. They're located in the `.tangled/workflows`
 760directory at the root of your repository, and are defined
 761using YAML.
 762
 763A workflow has a set of common fields that apply no matter
 764which engine you pick:
 765
 766- [Trigger](#trigger): A **required** field that defines
 767  when a workflow should be triggered.
 768- [Engine](#engine): A **required** field that defines which
 769  engine a workflow should run on.
 770- [Clone options](#clone-options): An **optional** field
 771  that defines how the repository should be cloned.
 772- [Environment](#environment): An **optional** field that
 773  allows you to define environment variables.
 774- [Steps](#steps): An **optional** field that allows you to
 775  define what steps should run in the workflow.
 776
 777On top of these, each engine has its own options for things
 778like dependencies and images. See [Engines](#engines) for
 779the per-engine fields.
 780
 781### Trigger
 782
 783The first thing to add to a workflow is the trigger, which
 784defines when a workflow runs. This is defined using a `when`
 785field, which takes in a list of conditions. Each condition
 786has the following fields:
 787
 788- `event`: This is a **required** field that defines when
 789  your workflow should run. It's a list that can take one or
 790  more of the following values:
 791  - `push`: The workflow should run every time a commit is
 792    pushed to the repository.
 793  - `pull_request`: The workflow should run every time a
 794    pull request is made or updated.
 795  - `manual`: The workflow can be triggered manually.
 796- `branch`: Defines which branches the workflow should run
 797  for. If used with the `push` event, commits to the
 798  branch(es) listed here will trigger the workflow. If used
 799  with the `pull_request` event, updates to pull requests
 800  targeting the branch(es) listed here will trigger the
 801  workflow. This field has no effect with the `manual`
 802  event. Supports glob patterns using `*` and `**` (e.g.,
 803  `main`, `develop`, `release-*`). Either `branch` or `tag`
 804  (or both) must be specified for `push` events.
 805- `tag`: Defines which tags the workflow should run for.
 806  Only used with the `push` event - when tags matching the
 807  pattern(s) listed here are pushed, the workflow will
 808  trigger. This field has no effect with `pull_request` or
 809  `manual` events. Supports glob patterns using `*` and `**`
 810  (e.g., `v*`, `v1.*`, `release-**`). Either `branch` or
 811  `tag` (or both) must be specified for `push` events.
 812
 813For example, if you'd like to define a workflow that runs
 814when commits are pushed to the `main` and `develop`
 815branches, or when pull requests that target the `main`
 816branch are updated, or manually, you can do so with:
 817
 818```yaml
 819when:
 820  - event: ["push", "manual"]
 821    branch: ["main", "develop"]
 822  - event: ["pull_request"]
 823    branch: ["main"]
 824```
 825
 826You can also trigger workflows on tag pushes. For instance,
 827to run a deployment workflow when tags matching `v*` are
 828pushed:
 829
 830```yaml
 831when:
 832  - event: ["push"]
 833    tag: ["v*"]
 834```
 835
 836You can even combine branch and tag patterns in a single
 837constraint (the workflow triggers if either matches):
 838
 839```yaml
 840when:
 841  - event: ["push"]
 842    branch: ["main", "release-*"]
 843    tag: ["v*", "stable"]
 844```
 845
 846### Engine
 847
 848Next is the engine on which the workflow should run, defined
 849using the **required** `engine` field. The currently
 850supported engines are:
 851
 852- `nixery`: This uses an instance of
 853  [Nixery](https://nixery.dev) to run steps, which allows
 854  you to add [dependencies](#dependencies) from
 855  Nixpkgs (https://github.com/NixOS/nixpkgs). You can
 856  search for packages on https://search.nixos.org, and
 857  there's a pretty good chance the package(s) you're looking
 858  for will be there.
 859  See [Nixery engine](#nixery-engine).
 860- `microvm`: Runs the whole workflow inside its own
 861  microVM. Has configuration features for NixOS images
 862  that will let you enable services, do Docker-in-VM, etc.
 863  See [microVM engine](#microvm-engine).
 864
 865Example:
 866
 867```yaml
 868engine: "nixery"
 869```
 870
 871Each engine also adds its own workflow fields (dependencies,
 872images, services, and so on). These are documented under
 873[Engines](#engines).
 874
 875### Clone options
 876
 877When a workflow starts, the first step is to clone the
 878repository. You can customize this behavior using the
 879**optional** `clone` field. It has the following fields:
 880
 881- `skip`: Setting this to `true` will skip cloning the
 882  repository. This can be useful if your workflow is doing
 883  something that doesn't require anything from the
 884  repository itself. This is `false` by default.
 885- `depth`: This sets the number of commits, or the "clone
 886  depth", to fetch from the repository. For example, if you
 887  set this to 2, the last 2 commits will be fetched. By
 888  default, the depth is set to 1, meaning only the most
 889  recent commit will be fetched, which is the commit that
 890  triggered the workflow.
 891- `submodules`: If you use Git submodules
 892  (https://git-scm.com/book/en/v2/Git-Tools-Submodules)
 893  in your repository, setting this field to `true` will
 894  recursively fetch all submodules. This is `false` by
 895  default.
 896
 897The default settings are:
 898
 899```yaml
 900clone:
 901  skip: false
 902  depth: 1
 903  submodules: false
 904```
 905
 906### Environment
 907
 908The `environment` field allows you define environment
 909variables that will be available throughout the entire
 910workflow. **Do not put secrets here, these environment
 911variables are visible to anyone viewing the repository. You
 912can add secrets for pipelines in your repository's
 913settings.**
 914
 915Example:
 916
 917```yaml
 918environment:
 919  GOOS: "linux"
 920  GOARCH: "arm64"
 921  NODE_ENV: "production"
 922  MY_ENV_VAR: "MY_ENV_VALUE"
 923```
 924
 925By default, the following environment variables are set:
 926
 927- `CI` - Always set to `true` to indicate a CI environment
 928- `TANGLED_PIPELINE_ID` - The AT URI of the current pipeline
 929- `TANGLED_PIPELINE_KIND` - One of `push`, `pull_request` or
 930  `manual`
 931- `TANGLED_REPO_KNOT` - The repository's knot hostname
 932- `TANGLED_REPO_DID` - The DID of the repository owner
 933- `TANGLED_REPO_NAME` - The name of the repository
 934- `TANGLED_REPO_DEFAULT_BRANCH` - The default branch of the
 935  repository
 936- `TANGLED_REPO_URL` - The full URL to the repository
 937
 938These variables are only available when the pipeline is
 939triggered by a push:
 940
 941- `TANGLED_REF` - The full git reference (e.g.,
 942  `refs/heads/main` or `refs/tags/v1.0.0`)
 943- `TANGLED_REF_NAME` - The short name of the reference
 944  (e.g., `main` or `v1.0.0`)
 945- `TANGLED_REF_TYPE` - The type of reference, either
 946  `branch` or `tag`
 947- `TANGLED_SHA` - The commit SHA that triggered the pipeline
 948- `TANGLED_COMMIT_SHA` - Alias for `TANGLED_SHA`
 949
 950These variables are only available when the pipeline is
 951triggered by a pull request:
 952
 953- `TANGLED_PR_SOURCE_BRANCH` - The source branch of the pull
 954  request
 955- `TANGLED_PR_TARGET_BRANCH` - The target branch of the pull
 956  request
 957- `TANGLED_PR_SOURCE_SHA` - The commit SHA of the source
 958  branch
 959
 960### Steps
 961
 962The `steps` field allows you to define what steps should run
 963in the workflow. It's a list of step objects, each with the
 964following fields:
 965
 966- `name`: This field allows you to give your step a name.
 967  This name is visible in your workflow runs, and is used to
 968  describe what the step is doing.
 969- `command`: This field allows you to define a command to
 970  run in that step. The step is run in a Bash shell, and the
 971  logs from the command will be visible in the pipelines
 972  page on the Tangled website. Any dependencies you added in
 973  your engine's section (see [Engines](#engines)) will be
 974  available to use here.
 975- `environment`: Similar to the global
 976  [environment](#environment) config, this **optional**
 977  field is a key-value map that allows you to set
 978  environment variables for the step. **Do not put secrets
 979  here, these environment variables are visible to anyone
 980  viewing the repository. You can add secrets for pipelines
 981  in your repository's settings.**
 982
 983Example:
 984
 985```yaml
 986steps:
 987  - name: "Build backend"
 988    command: "go build"
 989    environment:
 990      GOOS: "darwin"
 991      GOARCH: "arm64"
 992  - name: "Build frontend"
 993    command: "npm run build"
 994    environment:
 995      NODE_ENV: "production"
 996```
 997
 998## Engines
 999
1000The common fields above apply to every workflow. Each engine
1001then adds its own fields on top. Pick an engine with the
1002[`engine`](#engine) field and use the matching section below.
1003
1004### Nixery engine
1005
1006#### Dependencies
1007
1008When you're running a workflow you'll usually need additional
1009dependencies. The `dependencies` field lets you define which
1010dependencies to get, and from where. It's a key-value map,
1011with the key being the registry to fetch dependencies from,
1012and the value being the list of dependencies to fetch.
1013
1014The registry URL syntax can be found [on the nix
1015manual](https://nix.dev/manual/nix/2.18/command-ref/new-cli/nix3-registry-add).
1016
1017Say you want to fetch Node.js and Go from `nixpkgs`, and a
1018package called `my_pkg` you've made from your own registry
1019at your repository at
1020`https://tangled.org/@example.com/my_pkg`. You can define
1021those dependencies like so:
1022
1023```yaml
1024dependencies:
1025  # nixpkgs
1026  nixpkgs:
1027    - nodejs
1028    - go
1029  # unstable
1030  nixpkgs/nixpkgs-unstable:
1031    - bun
1032  # custom registry
1033  git+https://tangled.org/@example.com/my_pkg:
1034    - my_pkg
1035```
1036
1037Now these dependencies are available to use in your
1038workflow!
1039
1040#### Complete nixery workflow
1041
1042```yaml
1043# .tangled/workflows/build.yml
1044
1045when:
1046  - event: ["push", "manual"]
1047    branch: ["main", "develop"]
1048  - event: ["pull_request"]
1049    branch: ["main"]
1050
1051engine: "nixery"
1052
1053# using the default values
1054clone:
1055  skip: false
1056  depth: 1
1057  submodules: false
1058
1059dependencies:
1060  # nixpkgs
1061  nixpkgs:
1062    - nodejs
1063    - go
1064  # custom registry
1065  git+https://tangled.org/@example.com/my_pkg:
1066    - my_pkg
1067
1068environment:
1069  GOOS: "linux"
1070  GOARCH: "arm64"
1071  NODE_ENV: "production"
1072  MY_ENV_VAR: "MY_ENV_VALUE"
1073
1074steps:
1075  - name: "Build backend"
1076    command: "go build"
1077    environment:
1078      GOOS: "darwin"
1079      GOARCH: "arm64"
1080  - name: "Build frontend"
1081    command: "npm run build"
1082    environment:
1083      NODE_ENV: "production"
1084```
1085
1086If you want another example of a workflow, you can look at
1087the one [Tangled uses to build the
1088project](https://tangled.org/@tangled.org/core/blob/master/.tangled/workflows/build.yml).
1089
1090### microVM engine
1091
1092#### Image
1093
1094A workflow picks the image to boot with the top-level `image`
1095field:
1096
1097```yaml
1098engine: microvm
1099image: nixos
1100```
1101
1102There are two flavours of images:
1103
1104- **NixOS images** (e.g. `nixos`): the whole guest is built
1105  with Nix, so you can configure it from the workflow file
1106  itself. The `dependencies`, `services`, `virtualisation`,
1107  `registry` and `caches` fields below are all understood
1108  here, and the guest builds and activates that configuration
1109  before any of your steps run.
1110- **Non-NixOS images** (e.g. `alpine`): there's no NixOS to
1111  configure, so the workflow-level config fields above have
1112  no effect. You still get a full machine to run steps in.
1113
1114The available image names depend on what the spindle operator
1115has installed. `nixos` and `alpine` are examples. If `image`
1116is omitted, the spindle's configured default image is used.
1117
1118#### Dependencies
1119
1120On the microVM engine, `dependencies` is a flat list of
1121packages that get added to the guest's `PATH` (via
1122`environment.systemPackages`). This field only applies to
1123**NixOS images**, for other images you can use the package
1124manager included in a step.
1125
1126A bare name like `go` is looked up in nixpkgs. You can also
1127point at any flake with the `flakeref#attr` syntax, so
1128`github:nixos/nixpkgs#hello` pulls `hello` straight out of
1129that flake.
1130
1131```yaml
1132dependencies:
1133  - go
1134  - github:nixos/nixpkgs#hello
1135```
1136
1137#### Registry
1138
1139The `registry` field remaps flake references, the same way
1140`nix registry` does. This lets you pin or alias the flakes
1141used by `dependencies`.
1142
1143For example, pin `nixpkgs` to `nixos-unstable` so that the
1144bare `go` above resolves from unstable, and alias your own
1145flake so you can use `myflake#tool` in `dependencies`:
1146
1147```yaml
1148registry:
1149  nixpkgs: github:nixos/nixpkgs/nixos-unstable
1150  myflake: github:me/x
1151```
1152
1153#### Caches
1154
1155The `caches` field is a map of Nix binary cache URL to its
1156trusted public key. These are fed into the spindle's read
1157proxy, so the guest can substitute prebuilt paths from them
1158instead of building everything from scratch.
1159
1160```yaml
1161caches:
1162  https://nix-community.cachix.org: "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
1163```
1164
1165#### Services and virtualisation
1166
1167The `services` and `virtualisation` fields are passed straight
1168through to NixOS. Anything you could write under
1169`services.*` or `virtualisation.*` in a NixOS configuration,
1170you can write here, and it's brought up before any of your
1171steps run.
1172
1173As a convenience, `true` works as shorthand for
1174`.enable = true` anywhere an `enable` option exists (e.g.
1175`virtualisation.docker: true`).
1176
1177```yaml
1178services:
1179  postgresql:
1180    enable: true
1181    ensureDatabases: ["spindle-workflow"]
1182    ensureUsers:
1183      - name: spindle-workflow
1184        ensureDBOwnership: true
1185
1186virtualisation:
1187  docker: true
1188```
1189
1190## Self-hosting guide
1191
1192### Prerequisites
1193
1194- Go
1195- For the **nixery** engine: Docker (or Podman with Docker
1196  compatibility enabled).
1197- For the **microVM** engine: a Linux host with KVM, plus the
1198  microVM host dependencies described in [Running microVM
1199  workflows](#running-microvm-workflows).
1200
1201### Configuration
1202
1203Spindle is configured using environment variables. The following environment variables are available:
1204
1205- `SPINDLE_SERVER_LISTEN_ADDR`: The address the server listens on (default: `"0.0.0.0:6555"`).
1206- `SPINDLE_SERVER_DB_PATH`: The path to the SQLite database file (default: `"spindle.db"`).
1207- `SPINDLE_SERVER_HOSTNAME`: The hostname of the server (required).
1208- `SPINDLE_SERVER_JETSTREAM_ENDPOINT`: The endpoint of the Jetstream server (default: `"wss://jetstream1.us-west.bsky.network/subscribe"`).
1209- `SPINDLE_SERVER_DEV`: A boolean indicating whether the server is running in development mode (default: `false`).
1210- `SPINDLE_SERVER_OWNER`: The DID of the owner (required).
1211- `SPINDLE_SERVER_LOG_DIR`: The directory to store workflow logs (default: `"/var/log/spindle"`).
1212- `SPINDLE_SERVER_DOCKER_SOCKET`: Path to Docker socket to expose to invoked Spindle containers (default: `""`).
1213- `SPINDLE_PIPELINES_NIXERY`: The Nixery URL (default: `"nixery.tangled.sh"`).
1214- `SPINDLE_PIPELINES_WORKFLOW_TIMEOUT`: The default workflow timeout (default: `"5m"`).
1215
1216For the microVM engine, the following are also available
1217(prefix `SPINDLE_MICROVM_PIPELINES_`):
1218
1219- `SPINDLE_MICROVM_PIPELINES_IMAGE_DIR`: Directory containing
1220  microVM images (**required** to use the engine). See
1221  [Running microVM workflows](#running-microvm-workflows).
1222- `SPINDLE_MICROVM_PIPELINES_DEFAULT_IMAGE`: Image used when a
1223  workflow doesn't set `image` (default: `"nixos-x86_64"`).
1224- `SPINDLE_MICROVM_PIPELINES_OVERLAY_DIR`: Where per-workflow
1225  temporary disks are created (default: the system temp dir).
1226- `SPINDLE_MICROVM_PIPELINES_ENABLE_KVM`: Use KVM hardware
1227  acceleration (default: `true`). Without KVM, guests fall
1228  back to slow software emulation.
1229- `SPINDLE_MICROVM_PIPELINES_WORKFLOW_TIMEOUT`: Default
1230  workflow timeout (default: `"5m"`).
1231
1232Optional resource limits (a value of `0` disables that
1233limit). The limits cap usage across all running microVM
1234workflows:
1235
1236- `SPINDLE_MICROVM_PIPELINES_MAX_TOTAL_MEMORY_MIB`
1237- `SPINDLE_MICROVM_PIPELINES_MAX_TOTAL_VCPUS`
1238- `SPINDLE_MICROVM_PIPELINES_MAX_TOTAL_DISK_MIB`
1239
1240Optional cgroup enforcement:
1241
1242- `SPINDLE_MICROVM_PIPELINES_ENABLE_CGROUPS`: Place each
1243  workflow's QEMU and slirp4netns in a per-workflow cgroup=
1244  (default: `false`).
1245- `SPINDLE_MICROVM_PIPELINES_CGROUP_PARENT`: Parent cgroup;
1246  `self` resolves the spindle service's own cgroup (default:
1247  `"self"`).
1248- `SPINDLE_MICROVM_PIPELINES_CGROUP_PIDS_MAX`: Max processes
1249  per workflow cgroup (default: `4096`).
1250- `SPINDLE_MICROVM_PIPELINES_CGROUP_SWAP_MAX_MIB`: Max swap
1251  per workflow cgroup (default: `0`, no swap).
1252- `SPINDLE_MICROVM_PIPELINES_CGROUP_SUPERVISOR_MEMORY_MIN_MIB`:
1253  Memory protected for spindle itself so it isn't OOM-killed
1254  before the workflows (default: `512`).
1255
1256To push paths built inside microVMs back to a shared Nix
1257cache (and read from it), configure the cache (prefix
1258`SPINDLE_NIX_CACHE_`):
1259
1260- `SPINDLE_NIX_CACHE_READ_URLS`: Comma-separated binary cache
1261  URLs the guest reads from.
1262- `SPINDLE_NIX_CACHE_TRUSTED_PUBLIC_KEYS`: Comma-separated
1263  trusted public keys for those caches.
1264- `SPINDLE_NIX_CACHE_UPLOAD_URL`: Cache URL that paths built
1265  in the guest are uploaded to.
1266
1267### Running spindle
1268
12691.  **Set the environment variables.** For example:
1270
1271    ```shell
1272    export SPINDLE_SERVER_HOSTNAME="your-hostname"
1273    export SPINDLE_SERVER_OWNER="your-did"
1274    ```
1275
12762.  **Build the Spindle binary.**
1277
1278    ```shell
1279    cd core
1280    go mod download
1281    go build -o cmd/spindle/spindle cmd/spindle/main.go
1282    ```
1283
12843.  **Create the log directory.**
1285
1286    ```shell
1287    sudo mkdir -p /var/log/spindle
1288    sudo chown $USER:$USER -R /var/log/spindle
1289    ```
1290
12914.  **Run the Spindle binary.**
1292
1293    ```shell
1294    ./cmd/spindle/spindle
1295    ```
1296
1297Spindle will now start, connect to the Jetstream server, and begin processing pipelines.
1298
1299### Running microVM workflows
1300
1301The microVM engine needs a few extra things on the host, and
1302it needs images to boot.
1303
1304#### Host dependencies
1305
1306microVM workflows depend on a handful of host tools and
1307devices. spindle checks for the ones an image needs right
1308before it launches, so a missing dependency surfaces as a
1309clear error. You'll need:
1310
1311- `qemu`: the runner. The QEMU binary for the image's arch
1312  must be present (e.g. `qemu-system-x86_64`).
1313- `mkfs.ext4` (from `e2fsprogs`): to format the per-workflow
1314  writable volumes.
1315- [`slirp4netns`](https://github.com/rootless-containers/slirp4netns#install),
1316  `ip` (from `iproute2`), `mount` and `unshare` (from `util-linux`):
1317  used to sandbox guest networking.
1318- `/dev/kvm`: for hardware acceleration (unless you disable
1319  KVM with `SPINDLE_MICROVM_PIPELINES_ENABLE_KVM=false`).
1320- `/dev/vhost-vsock`: the guest agent talks to spindle over
1321  vsock.
1322
1323On NixOS, the [spindle
1324module](https://tangled.org/tangled.org/core/blob/master/nix/modules/spindle.nix)
1325puts `qemu`, `e2fsprogs`, `slirp4netns`, `iproute2` and
1326`util-linux` on the service's `PATH` for you.
1327
1328#### Building images
1329
1330Images are built with Nix. The flake exposes packages for the
1331two stock images (use the `-tarball` prefixed ones for a gzipped
1332tarball you can copy to another host):
1333
1334```shell
1335# a NixOS image
1336nix build .#spindle-nixos-image
1337# an Alpine image
1338nix build .#spindle-alpine-image
1339```
1340
1341#### Installing images
1342
1343Spindle looks for images in
1344`SPINDLE_MICROVM_PIPELINES_IMAGE_DIR`. An image is resolved by
1345the name a workflow puts in its `image` field, matched
1346literally against what's on disk:
1347
13481. a directory `<name>/` containing a `spec.json` (next to the
1349   kernel/initrd/store-disk), or
13502. a flat `<name>.json` self-contained spec.
1351
1352Resolution depends only on the name and what's on disk, never
1353on the host doing the resolving, so the same workflow resolves
1354to the same image on every spindle. If you keep multiple
1355arches side by side, you can name them `<name>-<arch>` (e.g.
1356`nixos-x86_64`, `alpine-aarch64`); the suffix is just part of
1357the name. To make a name like `nixos` work if you are hosting
1358multiple arches, you can use symlinks.
1359
1360On NixOS, you'll most likely want to use `systemd.tmpfiles.rules`
1361to set these up declaratively.
1362
1363## Architecture
1364
1365Spindle is a small CI runner service. Here's a high-level overview of how it operates:
1366
1367- Listens for [`sh.tangled.spindle.member`](/lexicons/spindle/member.json) and
1368  [`sh.tangled.repo`](/lexicons/repo.json) records on the Jetstream.
1369- When a new repo record comes through (typically when you add a spindle to a
1370  repo from the settings), spindle then resolves the underlying knot and
1371  subscribes to repo events (see:
1372  [`sh.tangled.pipeline`](/lexicons/pipeline.json)).
1373- The spindle engine then handles execution of the pipeline, with results and
1374  logs beamed on the spindle event stream over WebSocket
1375
1376### The engines
1377
1378Spindle has two execution backends, picked per-workflow with
1379the [`engine`](#engine) field:
1380
1381- **nixery**: executes each step in a fresh Docker container
1382  (Podman works too, if Docker compatibility is enabled so
1383  that `/run/docker.sock` is created), with state persisted
1384  across steps within the `/tangled/workspace` directory. The
1385  base image for the container is constructed on the fly using
1386  [Nixery](https://nixery.dev), which is/rhandy for caching
1387  layers for frequently used packages.
1388- **microvm**: runs the whole workflow inside its own
1389  microVM, supporting different images, with extra
1390  configuration for NixOS images (e.g. services in workflow file)
1391  See the [engine
1392  README](https://tangled.org/tangled.org/core/blob/master/spindle/engines/microvm/README.md)
1393  for the architecture in depth.
1394
1395The pipeline manifest is [specified here](https://docs.tangled.org/spindles.html#pipelines).
1396
1397## Secrets with openbao
1398
1399This document covers setting up spindle to use OpenBao for secrets
1400management via OpenBao Proxy instead of the default SQLite backend.
1401
1402### Overview
1403
1404Spindle now uses OpenBao Proxy for secrets management. The proxy handles
1405authentication automatically using AppRole credentials, while spindle
1406connects to the local proxy instead of directly to the OpenBao server.
1407
1408This approach provides better security, automatic token renewal, and
1409simplified application code.
1410
1411### Installation
1412
1413Install OpenBao from Nixpkgs:
1414
1415```bash
1416nix shell nixpkgs#openbao   # for a local server
1417```
1418
1419### Setup
1420
1421The setup process can is documented for both local development and production.
1422
1423#### Local development
1424
1425Start OpenBao in dev mode:
1426
1427```bash
1428bao server -dev -dev-root-token-id="root" -dev-listen-address=127.0.0.1:8201
1429```
1430
1431This starts OpenBao on `http://localhost:8201` with a root token.
1432
1433Set up environment for bao CLI:
1434
1435```bash
1436export BAO_ADDR=http://localhost:8200
1437export BAO_TOKEN=root
1438```
1439
1440#### Production
1441
1442You would typically use a systemd service with a
1443configuration file. Refer to
1444[@tangled.org/infra](https://tangled.org/@tangled.org/infra)
1445for how this can be achieved using Nix.
1446
1447Then, initialize the bao server:
1448
1449```bash
1450bao operator init -key-shares=1 -key-threshold=1
1451```
1452
1453This will print out an unseal key and a root key. Save them
1454somewhere (like a password manager). Then unseal the vault
1455to begin setting it up:
1456
1457```bash
1458bao operator unseal <unseal_key>
1459```
1460
1461All steps below remain the same across both dev and
1462production setups.
1463
1464#### Configure openbao server
1465
1466Create the spindle KV mount:
1467
1468```bash
1469bao secrets enable -path=spindle -version=2 kv
1470```
1471
1472Set up AppRole authentication and policy:
1473
1474Create a policy file `spindle-policy.hcl`:
1475
1476```hcl
1477# Full access to spindle KV v2 data
1478path "spindle/data/*" {
1479  capabilities = ["create", "read", "update", "delete"]
1480}
1481
1482# Access to metadata for listing and management
1483path "spindle/metadata/*" {
1484  capabilities = ["list", "read", "delete", "update"]
1485}
1486
1487# Allow listing at root level
1488path "spindle/" {
1489  capabilities = ["list"]
1490}
1491
1492# Required for connection testing and health checks
1493path "auth/token/lookup-self" {
1494  capabilities = ["read"]
1495}
1496```
1497
1498Apply the policy and create an AppRole:
1499
1500```bash
1501bao policy write spindle-policy spindle-policy.hcl
1502bao auth enable approle
1503bao write auth/approle/role/spindle \
1504    token_policies="spindle-policy" \
1505    token_ttl=1h \
1506    token_max_ttl=4h \
1507    bind_secret_id=true \
1508    secret_id_ttl=0 \
1509    secret_id_num_uses=0
1510```
1511
1512Get the credentials:
1513
1514```bash
1515# Get role ID (static)
1516ROLE_ID=$(bao read -field=role_id auth/approle/role/spindle/role-id)
1517
1518# Generate secret ID
1519SECRET_ID=$(bao write -f -field=secret_id auth/approle/role/spindle/secret-id)
1520
1521echo "Role ID: $ROLE_ID"
1522echo "Secret ID: $SECRET_ID"
1523```
1524
1525#### Create proxy configuration
1526
1527Create the credential files:
1528
1529```bash
1530# Create directory for OpenBao files
1531mkdir -p /tmp/openbao
1532
1533# Save credentials
1534echo "$ROLE_ID" > /tmp/openbao/role-id
1535echo "$SECRET_ID" > /tmp/openbao/secret-id
1536chmod 600 /tmp/openbao/role-id /tmp/openbao/secret-id
1537```
1538
1539Create a proxy configuration file `/tmp/openbao/proxy.hcl`:
1540
1541```hcl
1542# OpenBao server connection
1543vault {
1544  address = "http://localhost:8200"
1545}
1546
1547# Auto-Auth using AppRole
1548auto_auth {
1549  method "approle" {
1550    mount_path = "auth/approle"
1551    config = {
1552      role_id_file_path   = "/tmp/openbao/role-id"
1553      secret_id_file_path = "/tmp/openbao/secret-id"
1554    }
1555  }
1556
1557  # Optional: write token to file for debugging
1558  sink "file" {
1559    config = {
1560      path = "/tmp/openbao/token"
1561      mode = 0640
1562    }
1563  }
1564}
1565
1566# Proxy listener for spindle
1567listener "tcp" {
1568  address     = "127.0.0.1:8201"
1569  tls_disable = true
1570}
1571
1572# Enable API proxy with auto-auth token
1573api_proxy {
1574  use_auto_auth_token = true
1575}
1576
1577# Enable response caching
1578cache {
1579  use_auto_auth_token = true
1580}
1581
1582# Logging
1583log_level = "info"
1584```
1585
1586#### Start the proxy
1587
1588Start OpenBao Proxy:
1589
1590```bash
1591bao proxy -config=/tmp/openbao/proxy.hcl
1592```
1593
1594The proxy will authenticate with OpenBao and start listening on
1595`127.0.0.1:8201`.
1596
1597#### Configure spindle
1598
1599Set these environment variables for spindle:
1600
1601```bash
1602export SPINDLE_SERVER_SECRETS_PROVIDER=openbao
1603export SPINDLE_SERVER_SECRETS_OPENBAO_PROXY_ADDR=http://127.0.0.1:8201
1604export SPINDLE_SERVER_SECRETS_OPENBAO_MOUNT=spindle
1605```
1606
1607On startup, spindle will now connect to the local proxy,
1608which handles all authentication automatically.
1609
1610### Production setup for proxy
1611
1612For production, you'll want to run the proxy as a service:
1613
1614Place your production configuration in
1615`/etc/openbao/proxy.hcl` with proper TLS settings for the
1616vault connection.
1617
1618### Verifying setup
1619
1620Test the proxy directly:
1621
1622```bash
1623# Check proxy health
1624curl -H "X-Vault-Request: true" http://127.0.0.1:8201/v1/sys/health
1625
1626# Test token lookup through proxy
1627curl -H "X-Vault-Request: true" http://127.0.0.1:8201/v1/auth/token/lookup-self
1628```
1629
1630Test OpenBao operations through the server:
1631
1632```bash
1633# List all secrets
1634bao kv list spindle/
1635
1636# Add a test secret via the spindle API, then check it exists
1637bao kv list spindle/repos/
1638
1639# Get a specific secret
1640bao kv get spindle/repos/your_repo_path/SECRET_NAME
1641```
1642
1643### How it works
1644
1645- Spindle connects to OpenBao Proxy on localhost (typically
1646  port 8200 or 8201)
1647- The proxy authenticates with OpenBao using AppRole
1648  credentials
1649- All spindle requests go through the proxy, which injects
1650  authentication tokens
1651- Secrets are stored at
1652  `spindle/repos/{sanitized_repo_path}/{secret_key}`
1653- Repository paths like `did:plc:alice/myrepo` become
1654  `did_plc_alice_myrepo`
1655- The proxy handles all token renewal automatically
1656- Spindle no longer manages tokens or authentication
1657  directly
1658
1659### Troubleshooting
1660
1661**Connection refused**: Check that the OpenBao Proxy is
1662running and listening on the configured address.
1663
1664**403 errors**: Verify the AppRole credentials are correct
1665and the policy has the necessary permissions.
1666
1667**404 route errors**: The spindle KV mount probably doesn't
1668exist—run the mount creation step again.
1669
1670**Proxy authentication failures**: Check the proxy logs and
1671verify the role-id and secret-id files are readable and
1672contain valid credentials.
1673
1674**Secret not found after writing**: This can indicate policy
1675permission issues. Verify the policy includes both
1676`spindle/data/*` and `spindle/metadata/*` paths with
1677appropriate capabilities.
1678
1679Check proxy logs:
1680
1681```bash
1682# If running as systemd service
1683journalctl -u openbao-proxy -f
1684
1685# If running directly, check the console output
1686```
1687
1688Test AppRole authentication manually:
1689
1690```bash
1691bao write auth/approle/login \
1692    role_id="$(cat /tmp/openbao/role-id)" \
1693    secret_id="$(cat /tmp/openbao/secret-id)"
1694```
1695
1696# Webhooks
1697
1698Webhooks allow you to receive HTTP POST notifications when events occur in your repositories. This enables you to integrate Tangled with external services, trigger CI/CD pipelines, send notifications, or automate workflows.
1699
1700## Overview
1701
1702Webhooks send HTTP POST requests to URLs you configure whenever specific events happen. Currently, Tangled supports push events, with more event types coming soon.
1703
1704## Configuring webhooks
1705
1706To set up a webhook for your repository:
1707
17081. Navigate to your repository
17092. Go to **Settings → Hooks**
17103. Click **new webhook**
17114. Configure your webhook:
1712   - **Payload URL**: The endpoint that will receive the webhook POST requests
1713   - **Secret**: An optional secret key for verifying webhook authenticity (leave blank to send unsigned webhooks)
1714   - **Events**: Select which events trigger the webhook (currently only push events)
1715   - **Active**: Toggle whether the webhook is enabled
1716
1717## Webhook payload
1718
1719### Push
1720
1721When a push event occurs, Tangled sends a POST request with a JSON payload of the format:
1722
1723```json
1724{
1725  "after": "7b320e5cbee2734071e4310c1d9ae401d8f6cab5",
1726  "before": "c04ddf64eddc90e4e2a9846ba3b43e67a0e2865e",
1727  "pusher": { 
1728    "did": "did:plc:hwevmowznbiukdf6uk5dwrrq" 
1729  },
1730  "ref": "refs/heads/main",
1731  "repository": {
1732    "clone_url": "https://tangled.org/did:plc:hwevmowznbiukdf6uk5dwrrq/some-repo",
1733    "created_at": "2025-09-15T08:57:23Z",
1734    "description": "an example repository",
1735    "fork": false,
1736    "full_name": "did:plc:hwevmowznbiukdf6uk5dwrrq/some-repo",
1737    "html_url": "https://tangled.org/did:plc:hwevmowznbiukdf6uk5dwrrq/some-repo",
1738    "name": "some-repo",
1739    "open_issues_count": 5,
1740    "owner": { 
1741      "did": "did:plc:hwevmowznbiukdf6uk5dwrrq" 
1742    },
1743    "ssh_url": "ssh://git@tangled.org/did:plc:hwevmowznbiukdf6uk5dwrrq/some-repo",
1744    "stars_count": 1,
1745    "updated_at": "2025-09-15T08:57:23Z"
1746  }
1747}
1748```
1749
1750## HTTP headers
1751
1752Each webhook request includes the following headers:
1753
1754- `Content-Type: application/json`
1755- `User-Agent: Tangled-Hook/<short-sha>` — User agent with short SHA of the commit
1756- `X-Tangled-Event: push` — The event type
1757- `X-Tangled-Hook-ID: <webhook-id>` — The webhook ID
1758- `X-Tangled-Delivery: <uuid>` — Unique delivery ID
1759- `X-Tangled-Signature-256: sha256=<hmac>` — HMAC-SHA256 signature (if secret configured)
1760
1761## Verifying webhook signatures
1762
1763If you configured a secret, you should verify the webhook signature to ensure requests are authentic. For example, in Go:
1764
1765```go
1766package main
1767
1768import (
1769    "crypto/hmac"
1770    "crypto/sha256"
1771    "encoding/hex"
1772    "io"
1773    "net/http"
1774    "strings"
1775)
1776
1777func verifySignature(payload []byte, signatureHeader, secret string) bool {
1778    // Remove 'sha256=' prefix from signature header
1779    signature := strings.TrimPrefix(signatureHeader, "sha256=")
1780    
1781    // Compute expected signature
1782    mac := hmac.New(sha256.New, []byte(secret))
1783    mac.Write(payload)
1784    expected := hex.EncodeToString(mac.Sum(nil))
1785    
1786    // Use constant-time comparison to prevent timing attacks
1787    return hmac.Equal([]byte(signature), []byte(expected))
1788}
1789
1790func webhookHandler(w http.ResponseWriter, r *http.Request) {
1791    // Read the request body
1792    payload, err := io.ReadAll(r.Body)
1793    if err != nil {
1794        http.Error(w, "Bad request", http.StatusBadRequest)
1795        return
1796    }
1797    
1798    // Get signature from header
1799    signatureHeader := r.Header.Get("X-Tangled-Signature-256")
1800    
1801    // Verify signature
1802    if signatureHeader != "" && verifySignature(payload, signatureHeader, yourSecret) {
1803        // Webhook is authentic, process it
1804        processWebhook(payload)
1805        w.WriteHeader(http.StatusOK)
1806    } else {
1807        http.Error(w, "Invalid signature", http.StatusUnauthorized)
1808    }
1809}
1810```
1811
1812## Delivery retries
1813
1814Webhooks are automatically retried on failure:
1815
1816- **3 total attempts** (1 initial + 2 retries)
1817- **Exponential backoff** starting at 1 second, max 10 seconds
1818- **Retried on**:
1819  - Network errors
1820  - HTTP 5xx server errors
1821- **Not retried on**:
1822  - HTTP 4xx client errors (bad request, unauthorized, etc.)
1823
1824### Timeouts
1825
1826Webhook requests timeout after 30 seconds. If your endpoint needs more time:
1827
18281. Respond with 200 OK immediately
18292. Process the webhook asynchronously in the background
1830
1831## Example integrations
1832
1833### Discord notifications
1834
1835```javascript
1836app.post("/webhook", (req, res) => {
1837  const payload = req.body;
1838
1839  fetch("https://discord.com/api/webhooks/...", {
1840    method: "POST",
1841    headers: { "Content-Type": "application/json" },
1842    body: JSON.stringify({
1843      content: `New push to ${payload.repository.full_name}`,
1844      embeds: [
1845        {
1846          title: `${payload.pusher.did} pushed to ${payload.ref}`,
1847          url: payload.repository.html_url,
1848          color: 0x00ff00,
1849        },
1850      ],
1851    }),
1852  });
1853
1854  res.status(200).send("OK");
1855});
1856```
1857
1858# Migrating knots and spindles
1859
1860Sometimes, non-backwards compatible changes are made to the
1861knot/spindle XRPC APIs. If you host a knot or a spindle, you
1862will need to follow this guide to upgrade. Typically, this
1863only requires you to deploy the newest version.
1864
1865This document is laid out in reverse-chronological order.
1866Newer migration guides are listed first, and older guides
1867are further down the page.
1868
1869## Upgrading to v1.15.0-alpha
1870
1871With v1.15.0-alpha, a knot itself owns its members and
1872per-repo collaborators directly. Previously this data was sourced from
1873PDS records (`sh.tangled.knot.member` and `sh.tangled.repo.collaborator`)
1874that the appview and the knot both read off the firehose.
1875The knot is now the source of truth and serves them over XRPC instead:
1876
1877- `sh.tangled.knot.addMember`, `sh.tangled.knot.removeMember`, `sh.tangled.knot.listMembers`
1878- `sh.tangled.repo.addCollaborator`, `sh.tangled.repo.removeCollaborator`, `sh.tangled.repo.listCollaborators`
1879
1880Until your knot is upgraded, the appview keeps reading its
1881members and collaborators from the old firehose-sourced records.
1882Upgrade to move your knot onto knot-owned access control.
1883
1884- Upgrade to the latest tag (v1.15.0 or above)
1885- Head to the [knot dashboard](https://tangled.org/settings/knots) and
1886  hit the "retry" button to verify your knot
1887
1888## Upgrading to v1.14.0-alpha
1889
1890Starting with v1.14.0-alpha, the fully knot uses the repoDID as its
1891canonical handle for repositories. This unlocks repository
1892renames from the appview UI and changes the wire format for
1893the following lexicons (`sh.tangled.repo.pull`, `sh.tangled.repo.collaborator`,
1894`sh.tangled.repo.issue`, `sh.tangled.git.refUpdate`).
1895
1896Knots that have not been upgraded may silently drop new push
1897events, pull requests, issues, and collaborator invites for
1898repositories they host until upgraded. So upgrade please!!!
1899
1900- Upgrade to the latest tag (v1.14.0 or above)
1901- Head to the [knot dashboard](https://tangled.org/settings/knots) and
1902  hit the "retry" button to verify your knot
1903
1904## Upgrading to v1.13.0-alpha
1905
1906Starting with v1.13.0-alpha, every repository on a knot is
1907assigned a DID. This makes repositories stable across
1908renames and transfers.
1909
1910When you upgrade your knot to this version, the server will
1911automatically mint DIDs for all existing repositories on
1912startup. This is a one-time process and you may see
1913additional log output during the first boot as DIDs are
1914assigned.
1915
1916- Upgrade to the latest tag (v1.13.0 or above)
1917- Head to the [knot dashboard](https://tangled.org/settings/knots) and
1918  hit the "retry" button to verify your knot
1919
1920## Upgrading from v1.8.x
1921
1922After v1.8.2, the HTTP API for knots and spindles has been
1923deprecated and replaced with XRPC. Repositories on outdated
1924knots will not be viewable from the appview. Upgrading is
1925straightforward however.
1926
1927For knots:
1928
1929- Upgrade to the latest tag (v1.9.0 or above)
1930- Head to the [knot dashboard](https://tangled.org/settings/knots) and
1931  hit the "retry" button to verify your knot
1932
1933For spindles:
1934
1935- Upgrade to the latest tag (v1.9.0 or above)
1936- Head to the [spindle
1937  dashboard](https://tangled.org/settings/spindles) and hit the
1938  "retry" button to verify your spindle
1939
1940## Upgrading from v1.7.x
1941
1942After v1.7.0, knot secrets have been deprecated. You no
1943longer need a secret from the appview to run a knot. All
1944authorized commands to knots are managed via [Inter-Service
1945Authentication](https://atproto.com/specs/xrpc#inter-service-authentication-jwt).
1946Knots will be read-only until upgraded.
1947
1948Upgrading is quite easy, in essence:
1949
1950- `KNOT_SERVER_SECRET` is no more, you can remove this
1951  environment variable entirely
1952- `KNOT_SERVER_OWNER` is now required on boot, set this to
1953  your DID. You can find your DID in the
1954  [settings](https://tangled.org/settings) page.
1955- Restart your knot once you have replaced the environment
1956  variable
1957- Head to the [knot dashboard](https://tangled.org/settings/knots) and
1958  hit the "retry" button to verify your knot. This simply
1959  writes a `sh.tangled.knot` record to your PDS.
1960
1961If you use the nix module, simply bump the flake to the
1962latest revision, and change your config block like so:
1963
1964```diff
1965 services.tangled.knot = {
1966   enable = true;
1967   server = {
1968-    secretFile = /path/to/secret;
1969+    owner = "did:plc:foo";
1970   };
1971 };
1972```
1973
1974# Bobbin
1975
1976Bobbin is an API appview for Tangled records. It serves XRPC
1977endpoints for `sh.tangled.*`, with it you can get repos,
1978issues, pulls, comments, follows, stars, labels, pipelines,
1979and profiles. It is read-only, there is no auth, since that
1980should all be handled direct-to-PDS and knot respectively.
1981
1982**Bobbin has no permanent storage**.
1983
1984It is only a glorified edge index, in the graph theory
1985sense. Additionally it has a record cache, re-filled on
1986demand. All other data that Bobbin serves comes live from
1987PDSes & knots.
1988
1989## What Bobbin needs
1990
1991The way that Bobbin is able to pull off being
1992so stateless is by moving state upstream.
1993Primarily it depends on an instance of
1994[Hydrant](https://tangled.org/did:plc:6v3ul2ptnqctyxwkz5ti4amn)
1995, which is the service that gives an event stream
1996for Bobbin to quickly backfill from on every restart.
1997Backfilling ought to take less than a couple of minutes
1998maximum. If the upstream instance of Hydrant fails
1999while Bobbin is live, its list/count endpoints stop
2000advancing and report a stale cursor. Single-lookups
2001will continue working, due to the second dependency:
2002[Slingshot](https://tangled.org/did:plc:c7mc2fn47ihdihul4vjwsuy3/tree/main/slingshot).
2003Slingshot fetches individual records & resolves identities.
2004If the upstream instance of Slingshot fails, single-lookups
2005will fail with a `502` error. There are some aggregation
2006endpoints that use Slingshot for hydrating, which will also
2007fail.
2008
2009A soft dependency that ought to exist for Bobbin to operate
2010correctly is simply the plethora of knots that are out
2011there, that Bobbin talks to directly for git data and, for
2012knots at v1.15+, members & collaborators.
2013
2014## Building Bobbin
2015
2016Bobbin is under [Tangled's core monorepo, under bobbin/](https://tangled.org/did:plc:j5hmlfdrwkvtxm7cjmu7j2is/tree/master/bobbin).
2017Here's an easy local debug-build:
2018
2019```sh
2020cargo build -p bobbin
2021```
2022
2023Bobbin loves being in a container. When using
2024`bobbin/containerfiles/bobbin.Containerfile`, it runs `cargo
2025build --release --bin bobbin --package bobbin` within a
2026little Debian runtime, exposing port 8090.
2027
2028## Configuration
2029
2030The best way to configure Bobbin is via a toml config file.
2031There's an `example.toml` in [Bobbin's subdir](https://tangled.org/did:plc:j5hmlfdrwkvtxm7cjmu7j2is/blob/master/bobbin/example.toml).
2032Every value is overridable by a `BOBBIN_*` env var.
2033The load order is env, then `--config <path>`, then
2034`/etc/bobbin/config.toml`, then built-in defaults.
2035
2036Load and check a config without starting the server:
2037
2038```sh
2039bobbin --config config.toml validate
2040```
2041
2042Minimal config is the two upstream URLs. The hydrant URL
2043takes `ws://` or `wss://`. An `http://` or `https://`
2044URL is rewritten to the matching websocket scheme at
2045connection-time.
2046
2047```toml
2048[server]
2049binds = ["127.0.0.1:8090"]
2050
2051# Loopback-only & can leave empty to disable debug introspection.
2052debug_bind = "127.0.0.1:8091"
2053
2054[hydrant]
2055url = "https://hydrant.example.com"
2056
2057[slingshot]
2058url = "https://slingshot.example.com"
2059```
2060
2061> 🦪 Lewis
2062>
2063> At time of writing, we (Tangled) don't host public
2064> instances of Hydrant or Slingshot. You will have to
2065> find public instances or spin these up yourself! :P
2066
2067Take a gander in the project's example.toml for an
2068exhaustive list of things to configure.
2069
2070You will discover fun things such as a configurable adaptive
2071loop that watches the cgroup memory limit & throttles heavy
2072requests under pressure. It only works if it detects a
2073cgroup limit is present. The config for that is in the
2074`[backpressure]` block of the config template.
2075
2076## Running Bobbin
2077
2078Start the server using a config toml:
2079
2080```bash
2081bobbin --config config.toml
2082```
2083Bobbin wakes up in a cold sweat and immediately gets to
2084work:
20851. It binds its listeners, connects to the Hydrant stream
2086  in the background.
20872. It serves requests from the first
2088  moment it's alive, even before the Hydrant stream connects
2089  or finishes catching up. Having a cold Hydrant itself
2090  costs only latency and approximate counts.
2091
2092## The API
2093
2094**Single lookups** take a record's AT-URI.
2095
2096- `getRepo` takes the repo URI:
2097
2098```sh
2099curl "$BOBBIN/xrpc/sh.tangled.repo.getRepo?repo=at://did:plc:boltless/sh.tangled.repo/squid"
2100```
2101```json
2102{
2103  "uri": "at://did:plc:boltless/sh.tangled.repo/squid",
2104  "cid": "bafyrei...",
2105  "value": { "$type": "sh.tangled.repo", "knot": "knot1.tangled.sh", "description": "...", "createdAt": "..." }
2106}
2107```
2108
2109- `getProfile` takes the full profile record URI, so a bare
2110  handle or DID will not resolve:
2111
2112```sh
2113curl "$BOBBIN/xrpc/sh.tangled.actor.getProfile?actor=at://did:plc:boltless/sh.tangled.actor.profile/self"
2114```
2115
2116- If Slingshot cannot serve the record, the response is `502`:
2117
2118```json
2119{ "error": "UpstreamFailed", "message": "upstream unavailable: ..." }
2120```
2121
2122**Aggregation** endpoints come in `list*` and `count*` pairs,
2123each with a `*By` sibling, and require a `subject` query param.
2124
2125- `listRepos` and `countRepos` key on the owner DID:
2126
2127```sh
2128curl "$BOBBIN/xrpc/sh.tangled.repo.countRepos?subject=did:plc:boltless"
2129```
2130```json
2131{ "count": 7, "distinctAuthors": 1 }
2132```
2133
2134```sh
2135curl "$BOBBIN/xrpc/sh.tangled.repo.listRepos?subject=did:plc:boltless&limit=3"
2136```
2137```json
2138{ "items": [ { "uri": "at://did:plc:boltless/sh.tangled.repo/squid", "cid": "bafyrei...", "value": { } } ], "cursor": null }
2139```
2140
2141- Bobbin validates the subject per collection. Here a repo URI
2142  is passed where a bare DID is required, so the call returns a
2143  `400`:
2144
2145```sh
2146curl "$BOBBIN/xrpc/sh.tangled.graph.listFollows?subject=at://did:plc:boltless/sh.tangled.repo/squid"
2147```
2148```json
2149{ "error": "InvalidRequest", "message": "invalid request: subject must be a bare did, got at-uri with collection sh.tangled.repo" }
2150```
2151
2152**Search** is a single endpoint over an in-mem full-text
2153index:
2154
2155```sh
2156curl "$BOBBIN/xrpc/sh.tangled.search.query?q=tangled&limit=2"
2157```
2158```json
2159{ "hits": [ { "uri": "at://...", "cid": "...", "nsid": "sh.tangled.repo", "score": 27.1, "value": { } } ], "cursor": null }
2160```
2161
2162**Git data** such as blob, tree, diff, log, and archive proxies
2163straight to the repo's knot, streamed back without caching.
2164
2165## Coverage and warm-up
2166
2167- While the edge index is catching up from Hydrant,
2168  the aggregation count is a lower bound & may still climb.
2169- One endpoint reports how far along the backfill it is:
2170
2171```sh
2172curl "$BOBBIN/xrpc/sh.tangled.bobbin.getCoverage"
2173```
2174
2175While warming up:
2176
2177```json
2178{ "ready": false, "eventsProcessed": 45588, "lastCursor": 51658 }
2179```
2180
2181Once caught up, Bobbin flips to ready:
2182
2183```json
2184{ "ready": true, "eventsProcessed": 106085, "lastCursor": 116527 }
2185```
2186
2187If starting up Hydrant for the first time, Hydrant itself
2188will take a decent while (a couple of hours) to backfill
2189from PDSes. Hydrant stores its backfill on disk. Bobbin
2190restart reaches `ready` in minutes by replaying event from
2191an already-populated Hydrant. If your Hydrant is new, expect
2192Bobbin to backfill in that same couple of hours that Hydrant
2193takes.
2194
2195## Loose ends and not-gonna-impl
2196
2197- **No coverage signal for per-knot rosters yet.**
2198  Coverage tracks the hydrant stream only. A v1.15 knot
2199  that is unreachable serves a stale or empty member set
2200  with nothing to flag it.
2201- **Knot eventstream fan-out isn't pooled.**
2202  Bobbin opens one websocket per v1.15
2203  knot on top of the hydrant subscription. A network with
2204  thousands of knots wants pooling or a shared subscription.
2205- **No sequential issue or PR numbers.** bobbin returns rkeys,
2206  not `#42` style ids like the web appview. A client
2207  deriving a display number does it from creation order. But
2208  why bother? rkeys are the IDs.
2209
2210# Hacking on Tangled
2211
2212We highly recommend [installing
2213Nix](https://nixos.org/download/) (the package manager)
2214before working on the codebase. The Nix flake provides a lot
2215of helpers to get started and most importantly, builds and
2216dev shells are entirely deterministic.
2217
2218To set up your dev environment:
2219
2220```bash
2221nix develop
2222```
2223
2224Non-Nix users can look at the `devShell` attribute in the
2225`flake.nix` file to determine necessary dependencies.
2226
2227## Running the appview
2228
2229The appview requires Redis and OAuth JWKs. Start these
2230first, before launching the appview itself.
2231
2232```bash
2233# OAuth JWKs should already be set up by the Nix devshell:
2234echo $TANGLED_OAUTH_CLIENT_SECRET
2235z42ty4RT1ovnTopY8B8ekz9NuziF2CuMkZ7rbRFpAR9jBqMc
2236
2237echo $TANGLED_OAUTH_CLIENT_KID
22381761667908
2239
2240# if not, you can set it up yourself:
2241goat key generate -t P-256
2242Key Type: P-256 / secp256r1 / ES256 private key
2243Secret Key (Multibase Syntax): save this securely (eg, add to password manager)
2244        z42tuPDKRfM2mz2Kv953ARen2jmrPA8S9LX9tRq4RVcUMwwL
2245Public Key (DID Key Syntax): share or publish this (eg, in DID document)
2246        did:key:zDnaeUBxtG6Xuv3ATJE4GaWeyXM3jyamJsZw3bSPpxx4bNXDR
2247
2248# the secret key from above
2249export TANGLED_OAUTH_CLIENT_SECRET="z42tuP..."
2250
2251# Run Redis in a new shell to store OAuth sessions
2252redis-server
2253```
2254
2255The Nix flake exposes a few `app` attributes (run `nix
2256flake show` to see a full list of what the flake provides),
2257one of the apps runs the appview with the `air`
2258live-reloader:
2259
2260```bash
2261TANGLED_DEV=true nix run .#watch-appview
2262
2263# TANGLED_DB_PATH might be of interest to point to
2264# different sqlite DBs
2265
2266# in a separate shell, you can live-reload tailwind
2267nix run .#watch-tailwind
2268```
2269
2270## Running knots and spindles
2271
2272An end-to-end knot setup requires setting up a machine with
2273`sshd`, `AuthorizedKeysCommand`, and a Git user, which is
2274quite cumbersome. So the Nix flake provides a
2275`nixosConfiguration` to do so.
2276
2277<details>
2278  <summary><strong>macOS users will have to set up a Nix Builder first</strong></summary>
2279
2280In order to build Tangled's dev VM on macOS, you will
2281first need to set up a Linux Nix builder. The recommended
2282way to do so is to run a [`darwin.linux-builder`
2283VM](https://nixos.org/manual/nixpkgs/unstable/#sec-darwin-builder)
2284and to register it in `nix.conf` as a builder for Linux
2285with the same architecture as your Mac (`linux-aarch64` if
2286you are using Apple Silicon).
2287
2288If you're on nix-darwin, you can simply add
2289
2290```
2291nix.linux-builder.enable = true;
2292```
2293
2294to your host's `configuration.nix`.
2295
2296Alternatively, you can use any other method to set up a
2297Linux machine with Nix installed that you can `sudo ssh`
2298into (in other words, root user on your Mac has to be able
2299to ssh into the Linux machine without entering a password)
2300and that has the same architecture as your Mac. See
2301[remote builder
2302instructions](https://nix.dev/manual/nix/2.28/advanced-topics/distributed-builds.html#requirements)
2303for how to register such a builder in `nix.conf`.
2304
2305> WARNING: If you'd like to use
2306> [`nixos-lima`](https://github.com/nixos-lima/nixos-lima) or
2307> [Orbstack](https://orbstack.dev/), note that setting them up so that `sudo
2308ssh` works can be tricky. It seems to be [possible with
2309> Orbstack](https://github.com/orgs/orbstack/discussions/1669).
2310
2311</details>
2312
2313To begin, grab your DID from http://localhost:3000/settings.
2314Then, set `TANGLED_VM_KNOT_OWNER` and
2315`TANGLED_VM_SPINDLE_OWNER` to your DID. You can now start a
2316lightweight NixOS VM like so:
2317
2318```bash
2319nix run --impure .#vm
2320
2321# type `poweroff` at the shell to exit the VM
2322```
2323
2324This starts a knot on port 6444, a spindle on port 6555
2325with `ssh` exposed on port 2222.
2326
2327Once the services are running, head to
2328http://localhost:3000/settings/knots and hit "Verify". It should
2329verify the ownership of the services instantly if everything
2330went smoothly.
2331
2332You can push repositories to this VM with this ssh config
2333block on your main machine:
2334
2335```bash
2336Host nixos-shell
2337    Hostname localhost
2338    Port 2222
2339    User git
2340    IdentityFile ~/.ssh/my_tangled_key
2341```
2342
2343Set up a remote called `local-dev` on a git repo:
2344
2345```bash
2346git remote add local-dev git@nixos-shell:user/repo
2347git push local-dev main
2348```
2349
2350The above VM should already be running a spindle on
2351`localhost:6555`. Head to http://localhost:3000/settings/spindles and
2352hit "Verify". You can then configure each repository to use
2353this spindle and run CI jobs.
2354
2355Of interest when debugging spindles:
2356
2357```
2358# Service logs from journald:
2359journalctl -xeu spindle
2360
2361# CI job logs from disk:
2362ls /var/log/spindle
2363
2364# Debugging spindle database:
2365sqlite3 /var/lib/spindle/spindle.db
2366
2367# litecli has a nicer REPL interface:
2368litecli /var/lib/spindle/spindle.db
2369```
2370
2371If for any reason you wish to disable either one of the
2372services in the VM, modify [nix/vm.nix](/nix/vm.nix) and set
2373`services.tangled.spindle.enable` (or
2374`services.tangled.knot.enable`) to `false`.
2375
2376# Contribution guide
2377
2378## Commit guidelines
2379
2380We follow a commit style similar to the Go project. Please keep commits:
2381
2382- **atomic**: each commit should represent one logical change
2383- **descriptive**: the commit message should clearly describe what the
2384  change does and why it's needed
2385
2386### Message format
2387
2388```
2389<service/top-level directory>/<affected package/directory>: <short summary of change>
2390
2391Optional longer description can go here, if necessary. Explain what the
2392change does and why, especially if not obvious. Reference relevant
2393issues or PRs when applicable. These can be links for now since we don't
2394auto-link issues/PRs yet.
2395```
2396
2397Here are some examples:
2398
2399```
2400appview/state: fix token expiry check in middleware
2401
2402The previous check did not account for clock drift, leading to premature
2403token invalidation.
2404```
2405
2406```
2407knotserver/git/service: improve error checking in upload-pack
2408```
2409
2410### General notes
2411
2412- PRs get merged "as-is" (fast-forward)—like applying a patch-series
2413  using `git am`. At present, there is no squashing—so please author
2414  your commits as they would appear on `master`, following the above
2415  guidelines.
2416- If there is a lot of nesting, for example "appview:
2417  pages/templates/repo/fragments: ...", these can be truncated down to
2418  just "appview: repo/fragments: ...". If the change affects a lot of
2419  subdirectories, you may abbreviate to just the top-level names, e.g.
2420  "appview: ..." or "knotserver: ...".
2421- Keep commits lowercased with no trailing period.
2422- Use the imperative mood in the summary line (e.g., "fix bug" not
2423  "fixed bug" or "fixes bug").
2424- Try to keep the summary line under 72 characters, but we aren't too
2425  fussed about this.
2426- Follow the same formatting for PR titles if filled manually.
2427- Don't include unrelated changes in the same commit.
2428- Avoid noisy commit messages like "wip" or "final fix"—rewrite history
2429  before submitting if necessary.
2430
2431## Code formatting
2432
2433We use a variety of tools to format our code, and multiplex them with
2434[`treefmt`](https://treefmt.com). All you need to do to format your changes
2435is run `nix run .#fmt` (or just `treefmt` if you're in the devshell).
2436
2437## Proposals for bigger changes
2438
2439Small fixes like typos, minor bugs, or trivial refactors can be
2440submitted directly as PRs.
2441
2442For larger changes—especially those introducing new features, significant
2443refactoring, or altering system behavior—please open a proposal first. This
2444helps us evaluate the scope, design, and potential impact before implementation.
2445
2446Create a new issue titled:
2447
2448```
2449proposal: <affected scope>: <summary of change>
2450```
2451
2452In the description, explain:
2453
2454- What the change is
2455- Why it's needed
2456- How you plan to implement it (roughly)
2457- Any open questions or tradeoffs
2458
2459We'll use the issue thread to discuss and refine the idea before moving
2460forward.
2461
2462## Developer Certificate of Origin (DCO)
2463
2464We require all contributors to certify that they have the right to
2465submit the code they're contributing. To do this, we follow the
2466[Developer Certificate of Origin
2467(DCO)](https://developercertificate.org/).
2468
2469By signing your commits, you're stating that the contribution is your
2470own work, or that you have the right to submit it under the project's
2471license. This helps us keep things clean and legally sound.
2472
2473To sign your commit, just add the `-s` flag when committing:
2474
2475```sh
2476git commit -s -m "your commit message"
2477```
2478
2479This appends a line like:
2480
2481```
2482Signed-off-by: Your Name <your.email@example.com>
2483```
2484
2485We won't merge commits if they aren't signed off. If you forget, you can
2486amend the last commit like this:
2487
2488```sh
2489git commit --amend -s
2490```
2491
2492If you're submitting a PR with multiple commits, make sure each one is
2493signed.
2494
2495For [jj](https://jj-vcs.github.io/jj/latest/) users, you can run the following command
2496to make it sign off commits in the tangled repo:
2497
2498```shell
2499# Safety check, should say "No matching config key..."
2500jj config list templates.commit_trailers
2501# The command below may need to be adjusted if the command above returned something.
2502jj config set --repo templates.commit_trailers "format_signed_off_by_trailer(self)"
2503```
2504
2505Refer to the [jujutsu
2506documentation](https://jj-vcs.github.io/jj/latest/config/#commit-trailers)
2507for more information.
2508
2509# Troubleshooting guide
2510
2511## Login issues
2512
2513Owing to the distributed nature of OAuth on AT Protocol, you
2514may run into issues with logging in. If you run a
2515self-hosted PDS:
2516
2517- You may need to ensure that your PDS is timesynced using
2518  NTP:
2519  - Enable the `ntpd` service
2520  - Run `ntpd -qg` to synchronize your clock
2521- You may need to increase the default request timeout:
2522  `NODE_OPTIONS="--network-family-autoselection-attempt-timeout=500"`
2523
2524## Empty punchcard
2525
2526For Tangled to register commits that you make across the
2527network, you need to setup one of following:
2528
2529- The committer email should be a verified email associated
2530  to your account. You can add and verify emails on the
2531  settings page.
2532- Or, the committer email should be set to your account's
2533  DID: `git config user.email "did:plc:foobar"`. You can find
2534  your account's DID on the settings page
2535
2536## Commit is not marked as verified
2537
2538Presently, Tangled only supports SSH commit signatures.
2539
2540To sign commits using an SSH key with git:
2541
2542```
2543git config --global gpg.format ssh
2544git config --global user.signingkey ~/.ssh/tangled-key
2545```
2546
2547To sign commits using an SSH key with jj, add this to your
2548config:
2549
2550```
2551[signing]
2552behavior = "own"
2553backend = "ssh"
2554key = "~/.ssh/tangled-key"
2555```
2556
2557## Self-hosted knot issues
2558
2559If you need help troubleshooting a self-hosted knot, check
2560out the [knot troubleshooting
2561guide](/knot-self-hosting-guide.html#troubleshooting).
Configure Feed

Configure Feed
