tangled.sh knot

RyanGibb · RyanGibb · commit 8417511522b0 · 2025-03-20T12:26:02.000Z
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -21,6 +21,7 @@
     nix-rpi5.url = "gitlab:vriska/nix-rpi5?ref=main";
     nur.url = "github:nix-community/NUR/e9e77b7985ef9bdeca12a38523c63d47555cc89b";
     timewall.url = "github:bcyran/timewall/";
+    tangled.url = "github:RyanGibb/tangled/";
 
     # deduplicate flake inputs
     eilean.inputs.nixpkgs.follows = "nixpkgs";
@@ -38,6 +39,7 @@
     nix-rpi5.inputs.nixpkgs.follows = "nixpkgs";
     nur.inputs.nixpkgs.follows = "nixpkgs";
     timewall.inputs.nixpkgs.follows = "nixpkgs";
+    tangled.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs =
diff --git a/hosts/owl/default.nix b/hosts/owl/default.nix
@@ -53,6 +53,7 @@ in
     ../../modules/ryan-website.nix
     ../../modules/alec-website.nix
     ../../modules/fn06-website.nix
+    inputs.tangled.nixosModules.knotserver
   ];
 
   environment.systemPackages = with pkgs; [
@@ -241,6 +242,12 @@ in
           value = "vps";
         }
 
+        {
+          name = "knot";
+          type = "CNAME";
+          value = "vps";
+        }
+
         # generate with
         #   sudo openssl x509 -in /var/lib/acme/mail.freumh.org/fullchain.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum | awk '{print "3 1 1", $1}'
         {
@@ -406,6 +413,7 @@ in
   security.acme-eon.nginxCerts = [
     "capybara.fn06.org"
     "shrew.freumh.org"
+    "knot.freumh.org"
   ];
   services.nginx.virtualHosts."capybara.fn06.org" = {
     forceSSL = true;
@@ -508,4 +516,30 @@ in
   networking.firewall.allowedTCPPorts = [ 7001 ];
 
   services.openssh.openFirewall = true;
+
+  age.secrets.tangled = {
+    file = ../../secrets/tangled.age;
+    mode = "660";
+    owner = "git";
+    group = "git";
+  };
+  services.tangled-knotserver = {
+    enable = true;
+    repo.mainBranch = "master";
+    server.hostname = "knot.freumh.org";
+    server = {
+      secretFile = config.age.secrets.tangled.path;
+      listenAddr = "127.0.0.1:5555";
+      internalListenAddr = "127.0.0.1:5444";
+    };
+  };
+  services.nginx.virtualHosts."knot.freumh.org" = {
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = ''
+        http://${config.services.tangled-knotserver.server.listenAddr}
+      '';
+      proxyWebsockets = true;
+    };
+  };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -47,4 +47,5 @@ in
     owl
   ];
   "eon-sirref-primary.cap.age".publicKeys = user ++ [ owl ];
+  "tangled.age".publicKeys = user ++ [ owl ];
 }
diff --git a/secrets/tangled.age b/secrets/tangled.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 2wDnOw Ttbl5LTzHDAP3kG7kbRErJr+ayerVYZIWZeLPmZmD0U
+Uvon5zchwp3jwP/wHJ5/jIrmDhSVOxGKEhLGPtnQj9w
+-> ssh-ed25519 suwb0g N+Z7lyQailIdkJMiCuFapSN3LhYphejMvB0x4Au1zBI
+dC6ju3bdhzyLB19/WFwgmr+HxTG9vd2fO/EB/WYjodM
+--- s2WjTwvpTi8jhAn0/yqBcTmzh77wbpYulovyEdGE7KQ
+G����}w����{� n�od&i,V���U��%�'!R46�{>� )>to�]Hh�����2F��A����Tv�!�;��)R�lM%U=|W"?*��e��"���i�KB�F

Original file line number	Diff line number	Diff line change
`@@ -47,4 +47,5 @@ in`
`47`	`47`	`owl`
`48`	`48`	`];`
`49`	`49`	`"eon-sirref-primary.cap.age".publicKeys = user ++ [ owl ];`
	`50`	`+ "tangled.age".publicKeys = user ++ [ owl ];`
`50`	`51`	`}`