tangled.org / core
Monorepo for Tangled tangled.org
6
Fork 66

Configure Feed

Select the types of activity you want to include in your feed.

core / nix / modules / knot.nix
at icy/sntnrt 12 kB View raw
Anirudh Oppiliappan nix: add secureMode module support
0a75f8a0
1{ 2 config, 3 pkgs, 4 lib, 5 ... 6}: let 7 cfg = config.services.tangled.knot; 8in 9 with lib; { 10 options = { 11 services.tangled.knot = { 12 enable = mkOption { 13 type = types.bool; 14 default = false; 15 description = "Enable a tangled knot"; 16 }; 17 18 package = mkOption { 19 type = types.package; 20 description = "Package to use for the knot"; 21 }; 22 23 appviewEndpoint = mkOption { 24 type = types.str; 25 default = "https://tangled.org"; 26 description = "Appview endpoint"; 27 }; 28 29 gitUser = mkOption { 30 type = types.str; 31 default = "git"; 32 description = "User that hosts git repos and performs git operations"; 33 }; 34 35 openFirewall = mkOption { 36 type = types.bool; 37 default = true; 38 description = "Open port 22 in the firewall for ssh"; 39 }; 40 41 stateDir = mkOption { 42 type = types.path; 43 default = "/home/${cfg.gitUser}"; 44 description = "Tangled knot data directory"; 45 }; 46 47 repo = { 48 scanPath = mkOption { 49 type = types.path; 50 default = cfg.stateDir; 51 description = "Path where repositories are scanned from"; 52 }; 53 54 readme = mkOption { 55 type = types.listOf types.str; 56 default = [ 57 "README.md" 58 "readme.md" 59 "README" 60 "readme" 61 "README.markdown" 62 "readme.markdown" 63 "README.txt" 64 "readme.txt" 65 "README.rst" 66 "readme.rst" 67 "README.org" 68 "readme.org" 69 "README.asciidoc" 70 "readme.asciidoc" 71 ]; 72 description = "List of README filenames to look for (in priority order)"; 73 }; 74 75 mainBranch = mkOption { 76 type = types.str; 77 default = "main"; 78 description = "Default branch name for repositories"; 79 }; 80 }; 81 82 git = { 83 userName = mkOption { 84 type = types.str; 85 default = "Tangled"; 86 description = "Git user name used as committer"; 87 }; 88 89 userEmail = mkOption { 90 type = types.str; 91 default = "noreply@tangled.org"; 92 description = "Git user email used as committer"; 93 }; 94 }; 95 96 motd = mkOption { 97 type = types.nullOr types.str; 98 default = null; 99 description = '' 100 Message of the day 101 102 The contents are shown as-is; eg. you will want to add a newline if 103 setting a non-empty message since the knot won't do this for you. 104 ''; 105 }; 106 107 motdFile = mkOption { 108 type = types.nullOr types.path; 109 default = null; 110 description = '' 111 File containing message of the day 112 113 The contents are shown as-is; eg. you will want to add a newline if 114 setting a non-empty message since the knot won't do this for you. 115 ''; 116 }; 117 118 knotmirrors = mkOption { 119 type = types.listOf types.str; 120 default = [ 121 "https://mirror.tangled.network" 122 ]; 123 description = "List of knotmirror hosts to request crawl"; 124 }; 125 126 server = { 127 listenAddr = mkOption { 128 type = types.str; 129 default = "0.0.0.0:5555"; 130 description = "Address to listen on"; 131 }; 132 133 internalListenAddr = mkOption { 134 type = types.str; 135 default = "127.0.0.1:5444"; 136 description = "Internal address for inter-service communication"; 137 }; 138 139 owner = mkOption { 140 type = types.str; 141 example = "did:plc:qfpnj4og54vl56wngdriaxug"; 142 description = "DID of owner (required)"; 143 }; 144 145 dbPath = mkOption { 146 type = types.path; 147 default = "${cfg.stateDir}/knotserver.db"; 148 description = "Path to the database file"; 149 }; 150 151 hostname = mkOption { 152 type = types.str; 153 example = "my.knot.com"; 154 description = "Hostname for the server (required)"; 155 }; 156 157 plcUrl = mkOption { 158 type = types.str; 159 default = "https://plc.directory"; 160 description = "atproto PLC directory"; 161 }; 162 163 jetstreamEndpoint = mkOption { 164 type = types.str; 165 default = "wss://jetstream1.us-west.bsky.network/subscribe"; 166 description = "Jetstream endpoint to subscribe to"; 167 }; 168 169 logDids = mkOption { 170 type = types.bool; 171 default = true; 172 description = "Enable logging of DIDs"; 173 }; 174 175 dev = mkOption { 176 type = types.bool; 177 default = false; 178 description = "Enable development mode (disables signature verification)"; 179 }; 180 181 secureMode = mkOption { 182 type = types.bool; 183 default = false; 184 description = "Isolate git subprocesses with Landlock (requires kernel >= 5.13)"; 185 }; 186 187 maxResponseKB = mkOption { 188 type = types.int; 189 default = 5120; 190 description = "Maximum response size in kilobytes"; 191 }; 192 }; 193 }; 194 }; 195 196 config = mkIf cfg.enable { 197 environment.systemPackages = [ 198 pkgs.git 199 cfg.package 200 ]; 201 202 users.users.${cfg.gitUser} = { 203 isSystemUser = true; 204 useDefaultShell = true; 205 home = cfg.stateDir; 206 createHome = true; 207 group = cfg.gitUser; 208 }; 209 210 users.groups.${cfg.gitUser} = {}; 211 212 services.openssh = { 213 enable = true; 214 extraConfig = '' 215 Match User ${cfg.gitUser} 216 AuthorizedKeysCommand /etc/ssh/keyfetch_wrapper 217 AuthorizedKeysCommandUser nobody 218 ChallengeResponseAuthentication no 219 PasswordAuthentication no 220 ''; 221 }; 222 223 environment.etc."ssh/keyfetch_wrapper" = { 224 mode = "0555"; 225 text = '' 226 #!${pkgs.stdenv.shell} 227 ${cfg.package}/bin/knot keys \ 228 -output authorized-keys \ 229 -internal-api "http://${cfg.server.internalListenAddr}" \ 230 -git-dir "${cfg.repo.scanPath}" \ 231 -log-path /tmp/knotguard.log \ 232 ${optionalString cfg.server.secureMode "-secure-mode -guard-path /run/wrappers/bin/knot"} 233 ''; 234 }; 235 236 # In secure mode, the guard subcommand (run via sshd's forced command as 237 # the git user) needs CAP_SETUID to drop to the virtual UID before exec'ing 238 # git. security.wrappers installs a setcap'd wrapper around the binary. 239 security.wrappers = mkIf cfg.server.secureMode { 240 knot = { 241 source = "${cfg.package}/bin/knot"; 242 owner = "root"; 243 group = cfg.gitUser; 244 permissions = "u+rx,g+x"; 245 capabilities = "cap_setuid,cap_setgid,cap_chown+eip"; 246 }; 247 }; 248 249 systemd.services.knot = { 250 description = "knot service"; 251 after = ["network-online.target" "sshd.service"]; 252 wants = ["network-online.target"]; 253 wantedBy = ["multi-user.target"]; 254 enableStrictShellChecks = true; 255 256 preStart = let 257 setMotd = 258 if cfg.motdFile != null && cfg.motd != null 259 then throw "motdFile and motd cannot be both set" 260 else '' 261 ${optionalString (cfg.motdFile != null) "cat ${cfg.motdFile} > ${cfg.stateDir}/motd"} 262 ${optionalString (cfg.motd != null) ''printf "${cfg.motd}" > ${cfg.stateDir}/motd''} 263 ''; 264 in '' 265 mkdir -p "${cfg.repo.scanPath}" 266 mkdir -p "${cfg.stateDir}/.config/git" 267 cat > "${cfg.stateDir}/.config/git/config" << EOF 268 [user] 269 name = ${cfg.git.userName} 270 email = ${cfg.git.userEmail} 271 [receive] 272 advertisePushOptions = true 273 [uploadpack] 274 allowFilter = true 275 allowReachableSHA1InWant = true 276 [safe] 277 directory = * 278 EOF 279 ${setMotd} 280 chown ${cfg.gitUser}:${cfg.gitUser} "${cfg.repo.scanPath}" 281 chown -R ${cfg.gitUser}:${cfg.gitUser} "${cfg.stateDir}/.config" 282 ${optionalString cfg.server.secureMode '' 283 # secure mode runs git subprocesses as virtual UIDs that are not in 284 # the git group. they need execute (traverse) permission on the 285 # state dir so they can resolve $HOME/.config/git/config; read 286 # permission is intentionally withheld so they can't list other 287 # repos by name. 288 chmod o+x "${cfg.stateDir}" 289 ''} 290 ${optionalString (cfg.motdFile != null || cfg.motd != null) "chown ${cfg.gitUser}:${cfg.gitUser} ${cfg.stateDir}/motd"} 291 ${optionalString cfg.server.secureMode '' 292 ${cfg.package}/bin/knot migrate-isolation \ 293 --force \ 294 --git-dir "${cfg.repo.scanPath}" \ 295 --db "${cfg.server.dbPath}" \ 296 --internal-api "${cfg.server.internalListenAddr}" 297 chown ${cfg.gitUser}:${cfg.gitUser} "${cfg.server.dbPath}" 298 ''} 299 ''; 300 301 serviceConfig = 302 { 303 User = cfg.gitUser; 304 PermissionsStartOnly = true; 305 WorkingDirectory = cfg.stateDir; 306 Environment = [ 307 "PATH=${lib.makeBinPath [pkgs.bash pkgs.git pkgs.coreutils]}:/run/current-system/sw/bin" 308 "KNOT_REPO_SCAN_PATH=${cfg.repo.scanPath}" 309 "KNOT_REPO_README=${concatStringsSep "," cfg.repo.readme}" 310 "KNOT_REPO_MAIN_BRANCH=${cfg.repo.mainBranch}" 311 "KNOT_GIT_USER_NAME=${cfg.git.userName}" 312 "KNOT_GIT_USER_EMAIL=${cfg.git.userEmail}" 313 "APPVIEW_ENDPOINT=${cfg.appviewEndpoint}" 314 "KNOT_SERVER_INTERNAL_LISTEN_ADDR=${cfg.server.internalListenAddr}" 315 "KNOT_SERVER_LISTEN_ADDR=${cfg.server.listenAddr}" 316 "KNOT_SERVER_DB_PATH=${cfg.server.dbPath}" 317 "KNOT_SERVER_HOSTNAME=${cfg.server.hostname}" 318 "KNOT_SERVER_PLC_URL=${cfg.server.plcUrl}" 319 "KNOT_SERVER_JETSTREAM_ENDPOINT=${cfg.server.jetstreamEndpoint}" 320 "KNOT_SERVER_OWNER=${cfg.server.owner}" 321 "KNOT_MIRRORS=${concatStringsSep "," cfg.knotmirrors}" 322 "KNOT_SERVER_LOG_DIDS=${ 323 if cfg.server.logDids 324 then "true" 325 else "false" 326 }" 327 "KNOT_SERVER_DEV=${ 328 if cfg.server.dev 329 then "true" 330 else "false" 331 }" 332 "KNOT_SERVER_MAX_RESPONSE_KB=${toString cfg.server.maxResponseKB}" 333 "KNOT_SERVER_SECURE_MODE=${ 334 if cfg.server.secureMode 335 then "true" 336 else "false" 337 }" 338 ]; 339 ExecStart = "${cfg.package}/bin/knot server"; 340 Restart = "always"; 341 } 342 // optionalAttrs cfg.server.secureMode { 343 AmbientCapabilities = ["CAP_CHOWN" "CAP_SETUID" "CAP_SETGID"]; 344 CapabilityBoundingSet = ["CAP_CHOWN" "CAP_SETUID" "CAP_SETGID"]; 345 }; 346 }; 347 348 networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [22]; 349 }; 350 }