core/localinfra/ at bfc7f49a039fe853fde3da7d960a66a509ac94df · tangled.org/core · Tangled

tangled.org / core

2

Monorepo for Tangled tangled.org

2

core / localinfra /

at bfc7f49a039fe853fde3da7d960a66a509ac94df 1 folder 8 files

dawn spindle,shuttle: microvm engine init 13d ago

spindle,shuttle: microvm engine init spindle,shuttle,nix: add an alpine microvm image spindle/microvm: allow user defined binary caches in workflows shuttle,nix/microvm: get rid of the hacky nix config parsing / rendering, use nix directly so we can access module options spindle/engine: generalize scheduler out of microvm, make it work-conserving with aging and per-user fairness spindle/microvm: add resource budget limits and optional cgroup enforcement Signed-off-by: dawn <dawn@tangled.org>

1 week ago

spindle,shuttle: microvm engine init spindle,shuttle,nix: add an alpine microvm image spindle/microvm: allow user defined binary caches in workflows shuttle,nix/microvm: get rid of the hacky nix config parsing / rendering, use nix directly so we can access module options spindle/engine: generalize scheduler out of microvm, make it work-conserving with aging and per-user fairness spindle/microvm: add resource budget limits and optional cgroup enforcement Signed-off-by: dawn <dawn@tangled.org>

1 week ago

appview.Dockerfile

spindle,shuttle: microvm engine init spindle,shuttle,nix: add an alpine microvm image spindle/microvm: allow user defined binary caches in workflows shuttle,nix/microvm: get rid of the hacky nix config parsing / rendering, use nix directly so we can access module options spindle/engine: generalize scheduler out of microvm, make it work-conserving with aging and per-user fairness spindle/microvm: add resource budget limits and optional cgroup enforcement Signed-off-by: dawn <dawn@tangled.org>

1 week ago

knot.Dockerfile

spindle,shuttle: microvm engine init spindle,shuttle,nix: add an alpine microvm image spindle/microvm: allow user defined binary caches in workflows shuttle,nix/microvm: get rid of the hacky nix config parsing / rendering, use nix directly so we can access module options spindle/engine: generalize scheduler out of microvm, make it work-conserving with aging and per-user fairness spindle/microvm: add resource budget limits and optional cgroup enforcement Signed-off-by: dawn <dawn@tangled.org>

1 week ago

knotmirror.Dockerfile

spindle,shuttle: microvm engine init spindle,shuttle,nix: add an alpine microvm image spindle/microvm: allow user defined binary caches in workflows shuttle,nix/microvm: get rid of the hacky nix config parsing / rendering, use nix directly so we can access module options spindle/engine: generalize scheduler out of microvm, make it work-conserving with aging and per-user fairness spindle/microvm: add resource budget limits and optional cgroup enforcement Signed-off-by: dawn <dawn@tangled.org>

1 week ago

localinfra: sandboxed docker dev env sandboxing all microservices required to run Tangled including entire atproto infra in docker-compose. atproto infra: - did-method-plc (NOTE: linux/amd64 only) - pds - jetstream (NOTE: linux/amd64 only) tangled services: - knot - knotmirror - knotmirror-tap - appview (air hot reloaded) - tailwind-watch misc: - redis - postgres - caddy (reverse proxy) spindle is not included in this revision to make things simple. It needs some patches on appview mostly related to TLS handling in dev mode. Signed-off-by: Seongmin Lee <git@boltless.me>

1 month ago

postgres-init.sql

localinfra: sandboxed docker dev env sandboxing all microservices required to run Tangled including entire atproto infra in docker-compose. atproto infra: - did-method-plc (NOTE: linux/amd64 only) - pds - jetstream (NOTE: linux/amd64 only) tangled services: - knot - knotmirror - knotmirror-tap - appview (air hot reloaded) - tailwind-watch misc: - redis - postgres - caddy (reverse proxy) spindle is not included in this revision to make things simple. It needs some patches on appview mostly related to TLS handling in dev mode. Signed-off-by: Seongmin Lee <git@boltless.me>

1 month ago

spindle,shuttle: microvm engine init spindle,shuttle,nix: add an alpine microvm image spindle/microvm: allow user defined binary caches in workflows shuttle,nix/microvm: get rid of the hacky nix config parsing / rendering, use nix directly so we can access module options spindle/engine: generalize scheduler out of microvm, make it work-conserving with aging and per-user fairness spindle/microvm: add resource budget limits and optional cgroup enforcement Signed-off-by: dawn <dawn@tangled.org>

1 week ago

spindle.Dockerfile

spindle,shuttle: microvm engine init spindle,shuttle,nix: add an alpine microvm image spindle/microvm: allow user defined binary caches in workflows shuttle,nix/microvm: get rid of the hacky nix config parsing / rendering, use nix directly so we can access module options spindle/engine: generalize scheduler out of microvm, make it work-conserving with aging and per-user fairness spindle/microvm: add resource budget limits and optional cgroup enforcement Signed-off-by: dawn <dawn@tangled.org>

1 week ago

readme.md

Heavily inspired by frontpage dev environment. Tangled's setup is slightly more involved because services inside the network need to reach the PDS over its public hostname with valid TLS — federation paths (DID resolution, OAuth, etc.) round-trip through the same URLs an external client would use.

For example, resolving alice.pds.tngl.boltless.dev yields an #atproto_pds service pointing at https://pds.tngl.boltless.dev. Knot and spindle running inside docker must hit that exact URL and trust its cert.

To make that work:

Caddy's dev root CA is mounted into every container that talks to another service over HTTPS.
The Docker network uses an unrouted "public" subnet so the SSRF dialer doesn't reject container IPs as private.

What's inside:#

did-method-plc (https://plc.tngl.boltless.dev)
atproto_pds (https://pds.tngl.boltless.dev)
jetstream (https://jetstream.tngl.boltless.dev)
knot (https://knot.tngl.boltless.dev)
spindle (https://spindle.tngl.boltless.dev)
knotmirror (https://knotmirror.tngl.boltless.dev)
appview (https://tngl.boltless.dev) (live reloading)
caddy reverse proxy

Setup#

Generate the dev CA from the repo root:

mkdir -p localinfra/certs &&
openssl req -x509 -newkey rsa:2048 \
    -keyout localinfra/certs/root.key \
    -out localinfra/certs/root.crt \
    -days 3650 -nodes \
    -subj "/CN=Tangled Dev CA" \
    -addext "basicConstraints=critical,CA:TRUE,pathlen:1" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "nameConstraints=critical,permitted;DNS:tngl.boltless.dev"

Trust generated localinfra/certs/root.crt in your system's trust store.

For example in MacOS, run

sudo security add-trusted-cert -d -r trustRoot \
  -k /Library/Keychains/System.keychain \
  ./localinfra/certs/root.crt

Depending on your browser you may have to import the certificate into your browser profiles too as some have their own certs do not use your system ones

run ./localinfra/scripts/appview-static-files.sh
Prepare the spindle microVM images:
```
./localinfra/scripts/prepare-spindle-images.sh
```
This writes the image directory under out/localinfra-spindle-images.
docker compose up
AppView will be running on 127.0.0.1:3000 with two test users: alice.pds.tngl.boltless.dev and bob.pds.tngl.boltless.dev. Both with password password.