Monorepo for Tangled
tangled.org
Heavily inspired by [frontpage dev environment](https://github.com/frontpagefyi/frontpage/blob/10678df9c3f72cbd82f0856a9f99c74dd22326d8/apps/frontpage/local-infra/README.md).
Tangled's setup is slightly more involved because services inside the network need to reach the PDS over its **public** hostname with **valid TLS** — federation paths (DID resolution, OAuth, etc.) round-trip through the same URLs an external client would use.

For example, resolving `alice.pds.tngl.boltless.dev` yields an `#atproto_pds` service pointing at `https://pds.tngl.boltless.dev`. Knot and spindle running inside docker must hit that exact URL and trust its cert.

To make that work:

- Caddy's dev root CA is mounted into every container that talks to another service over HTTPS.
- The Docker network uses an unrouted "public" subnet so the SSRF dialer doesn't reject container IPs as private.

## What's inside:

- [did-method-plc](https://github.com/did-method-plc/did-method-plc) (<https://plc.tngl.boltless.dev>)
- atproto_pds (<https://pds.tngl.boltless.dev>)
- jetstream (<https://jetstream.tngl.boltless.dev>)
- knot (<https://knot.tngl.boltless.dev>)
- spindle (<https://spindle.tngl.boltless.dev>)
- knotmirror (<https://knotmirror.tngl.boltless.dev>)
- appview (<https://tngl.boltless.dev>) (live reloading)
- caddy reverse proxy

## Setup

1. Generate the dev CA from the repo root:
   ```bash
   mkdir -p localinfra/certs &&
   openssl req -x509 -newkey rsa:2048 \
     -keyout localinfra/certs/root.key \
     -out localinfra/certs/root.crt \
     -days 3650 -nodes \
     -subj "/CN=Tangled Dev CA" \
     -addext "basicConstraints=critical,CA:TRUE,pathlen:1" \
     -addext "keyUsage=critical,keyCertSign,cRLSign" \
     -addext "nameConstraints=critical,permitted;DNS:tngl.boltless.dev"
   ```
2. Trust the generated `localinfra/certs/root.crt` in your system's trust store.
   - For example, on macOS, run
     ```bash
     sudo security add-trusted-cert -d -r trustRoot \
       -k /Library/Keychains/System.keychain \
       ./localinfra/certs/root.crt
     ```
   - Depending on your browser, you may have to import the certificate into your browser profiles too, as some browsers keep their own certificate store and do not use the system one.
3. Run `./localinfra/scripts/appview-static-files.sh`
4. Prepare the spindle microVM images:
   ```bash
   ./localinfra/scripts/prepare-spindle-images.sh
   ```
   This writes the image directory under `out/localinfra-spindle-images`.
5. `docker compose up`
6. AppView will be running on `127.0.0.1:3000` with two test users: `alice.pds.tngl.boltless.dev` and `bob.pds.tngl.boltless.dev`, both with password `password`.