
feat: add knot

+269 -4
+50
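--- /dev/null
+++ b/containers/knot/Dockerfile
@@ -0,0 +1,50 @@
+FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:add602d55daca18914838a78221f6bbe4284114b452c86a48f96d59aeb00f5c6 AS xx
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
+COPY --from=xx / /
+ENV KNOT_REPO_SCAN_PATH=/repositories
+ENV CGO_ENABLED=1
+
+WORKDIR /app
+RUN apk add clang lld git && git clone --depth 1 -b v1.10.0-alpha https://tangled.org/@tangled.org/core .
+ARG TARGETPLATFORM
+RUN xx-apk add gcc musl-dev
+RUN xx-go build -o /knot -ldflags '-s -w -extldflags "-static"' ./cmd/knot
+
+FROM alpine:3.22.2
+
+EXPOSE 5555
+EXPOSE 2222
+
+LABEL org.opencontainers.image.title='knot'
+LABEL org.opencontainers.image.description='data server for tangled'
+LABEL org.opencontainers.image.source='https://codeberg.org/bgotink/macharian/src/branch/main/containers/knot'
+LABEL org.opencontainers.image.url='https://tangled.org'
+LABEL org.opencontainers.image.vendor='tangled.org'
+LABEL org.opencontainers.image.licenses='MIT'
+
+RUN apk add --no-cache shadow openssl \
+&& addgroup -g 10999 git \
+&& adduser -u 10999 -G git -D -h /home/git git \
+&& openssl rand -hex 16 | passwd --stdin git \
+&& apk del shadow openssl
+
+ENV KNOT_REPO_SCAN_PATH=/repositories
+RUN apk add --no-cache \
+openssh=10.0_p1-r9 \
+git=2.49.1-r0 \
+catatonit=0.2.1-r0 \
+&& mkdir -p ${KNOT_REPO_SCAN_PATH} /data /ssh-keys \
+&& chown -R git:git ${KNOT_REPO_SCAN_PATH} /data /ssh-keys \
+&& chmod 700 /ssh-keys
+
+COPY --chmod=755 --chown=root:root sshd-keys-wrapper /usr/local/sbin/sshd-keys-wrapper
+COPY --chmod=600 --chown=git:git sshd_config /sshd_config
+COPY --chmod=755 --chown=root:root start.sh /usr/bin/start-knot
+
+COPY --from=builder --chmod=755 --chown=root:root /knot /usr/sbin/knot
+
+HEALTHCHECK --interval=60s --timeout=30s --start-period=5s --retries=3 \
+CMD curl -f http://localhost:5555 || exit 1
+
+ENTRYPOINT [ "/usr/bin/catatonit", "--" ]
+CMD [ "start-knot" ]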
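Review bot: The HEALTHCHECK at lines 46–47 invokes `curl`, but the runtime stage only installs `openssh`, `git` and `catatonit` on top of `alpine:3.22.2`, so the probe fails with command-not-found and the container is reported unhealthy regardless of knot's state. Alpine's busybox ships `wget`, so `CMD wget -q -O /dev/null http://localhost:5555 || exit 1` works without adding a package (Kubernetes ignores the Docker HEALTHCHECK, but other runtimes honour it). The builder stage clones the `v1.10.0-alpha` tag, which is a mutable ref; pinning the commit hash, or at least recording it in a comment, would make the build reproducible in the same way the digest-pinned `xx` image is. The `shadow`/`openssl` sequence at lines 25–29 deserves a why-comment, e.g. `# adduser -D leaves the password field locked and sshd rejects locked accounts, so set an unguessable random password; password auth itself is disabled in sshd_config`.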
+6
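--- /dev/null
+++ b/containers/knot/sshd-keys-wrapper
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec /usr/sbin/knot keys -output authorized-keys \
+-internal-api "http://${KNOT_SERVER_INTERNAL_LISTEN_ADDR:-localhost:5444}" \
+-git-dir "${KNOT_REPO_SCAN_PATH:-/repositories}" \
+-log-path "${SSH_KEY_LOGDIR:-/tmp}/knotguard.log"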
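Review bot: The fallbacks in the `${VAR:-…}` expansions on lines 4–6 are, as far as I can tell, the only values this script ever sees, because sshd runs an AuthorizedKeysCommand with a minimal environment rather than the container's; `KNOT_REPO_SCAN_PATH` and `KNOT_SERVER_INTERNAL_LISTEN_ADDR` exported to the knot server process are not inherited here. Today the fallbacks match the image ENV, but anyone changing the listen address or scan path through the HelmRelease env will silently break key lookup. A header comment would capture that, e.g. `# sshd invokes this with a near-empty environment, so the ${VAR:-default} fallbacks are the effective values; keep them in sync with the image ENV and knot's defaults.` The log directory must be writable by `AuthorizedKeysCommandUser git`, which presumably holds for `/tmp` if the pod's `tmp` emptyDir is mounted there — worth stating in the same comment.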
+15
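--- /dev/null
+++ b/containers/knot/sshd_config
@@ -0,0 +1,15 @@
+Port 2222
+
+HostKey /ssh-keys/ssh_host_rsa_key
+HostKey /ssh-keys/ssh_host_ecdsa_key
+HostKey /ssh-keys/ssh_host_ed25519_key
+
+PasswordAuthentication no
+
+Match User git
+AuthorizedKeysCommand /usr/local/sbin/sshd-keys-wrapper
+AuthorizedKeysCommandUser git
+
+AllowTcpForwarding no
+GatewayPorts no
+X11Forwarding no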
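Review bot: `PasswordAuthentication no` on line 7 is the only authentication restriction, so keyboard-interactive and logins to accounts other than `git` are left at OpenSSH defaults and the git user's `~/.ssh/authorized_keys` is still consulted alongside the command; adding `PermitRootLogin no`, `KbdInteractiveAuthentication no` and `AuthorizedKeysFile none` above the `Match User git` line makes the AuthorizedKeysCommand the sole source of keys and closes the remaining paths. Everything after `Match User git` belongs to that block, so `AllowTcpForwarding no`, `GatewayPorts no` and `X11Forwarding no` (lines 13–15) apply only to `git`; moving them above the `Match` states the intent explicitly. `LogLevel VERBOSE` is also worth adding so the accepted key fingerprint is logged for each login, which is what an investigation of a pushed commit will need.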
+22
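--- /dev/null
+++ b/containers/knot/start.sh
@@ -0,0 +1,22 @@
+#!/bin/ash
+set -e
+
+if [ ! -f /ssh-keys/ssh_host_rsa_key ]; then
+ssh-keygen -t rsa -f /ssh-keys/ssh_host_rsa_key -q -N ""
+fi
+if [ ! -f /ssh-keys/ssh_host_ecdsa_key ]; then
+ssh-keygen -t ecdsa -f /ssh-keys/ssh_host_ecdsa_key -q -N ""
+fi
+if [ ! -f /ssh-keys/ssh_host_ed25519_key ]; then
+ssh-keygen -t ed25519 -f /ssh-keys/ssh_host_ed25519_key -q -N ""
+fi
+
+/usr/sbin/sshd -f /sshd_config &
+sshd_pid=$!
+
+/usr/sbin/knot server &
+server_pid=$!
+
+# Wait for any of the two background commands to exit and exit the container if that happens.
+wait -n $sshd_pid $server_pid
+exit $?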
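Review bot: `/usr/sbin/sshd -f /sshd_config &` on line 14 starts sshd without `-D`, so sshd daemonizes and the process recorded in `sshd_pid` exits almost immediately; `wait -n $sshd_pid $server_pid` on line 21 then returns as soon as that parent is gone and the script exits 0 while both daemons are still running, which ends the container under catatonit. Use `/usr/sbin/sshd -D -e -f /sshd_config &` so sshd stays in the foreground and `-e` sends its log to stderr where the container runtime collects it. Since the pod runs sshd as uid 10999, the default PidFile under `/run` is not writable either; `PidFile none` in sshd_config avoids the error sshd logs at startup. With a real pid the rest of the supervisor logic is fine.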
+2 -2
kubernetes/apps/at/pds/helmrelease.yaml kubernetes/apps/at/pds/pds.yaml
··· 33 33 LOG_ENABLED: true 34 34 35 35 # service 36 - PDS_HOSTNAME: "pds.${ATPROTO_HOST}" 36 + PDS_HOSTNAME: &hostname "pds.${ATPROTO_HOST}" 37 37 PDS_PORT: '3000' 38 38 # PDS_SERVICE_DID: '' 39 39 # PDS_SERVICE_NAME: '' ··· 223 223 namespace: ingress 224 224 sectionName: atproto-https 225 225 hostnames: 226 - - "pds.${ATPROTO_HOST}" 226 + - *hostname 227 227 rules: 228 228 - backendRefs: 229 229 - identifier: pds
+141
kubernetes/apps/at/pds/knot.yaml
··· 1 + apiVersion: helm.toolkit.fluxcd.io/v2 2 + kind: HelmRelease 3 + metadata: 4 + name: knot 5 + spec: 6 + interval: 30m 7 + chartRef: 8 + kind: OCIRepository 9 + namespace: global-shared 10 + name: app-template 11 + 12 + install: 13 + remediation: 14 + retries: 3 15 + upgrade: 16 + cleanupOnFail: true 17 + remediation: 18 + strategy: rollback 19 + retries: 3 20 + 21 + values: 22 + controllers: 23 + knot: 24 + annotations: 25 + reloader.stakater.com/auto: "true" 26 + initContainers: 27 + init-ssh-keys: 28 + image: 29 + repository: alpine 30 + tag: 3.22.2 31 + command: ash 32 + args: 33 + - -e 34 + - -c 35 + - | 36 + mkdir -p /ssh/keys 37 + chmod 700 /ssh/keys 38 + securityContext: 39 + allowPrivilegeEscalation: false 40 + capabilities: { drop: ["ALL"] } 41 + containers: 42 + app: 43 + image: 44 + repository: harbor.${SECRET_HOST}/library/knot 45 + tag: 1.10.0-alpha@sha256:4bdfd2fcf66af1c25fd01a5ef8fdba3272c84422b83e86c30e8ed4f5c9e2eff0 46 + env: 47 + TZ: ${TIMEZONE} 48 + 49 + KNOT_SERVER_HOSTNAME: &hostname "knot.${ATPROTO_HOST}" 50 + # KNOT_SERVER_OWNER set via secret 51 + KNOT_SERVER_DB_PATH: /data/knotserver.db 52 + KNOT_REPO_SCAN_PATH: /repositories 53 + envFrom: 54 + - secretRef: 55 + name: knot-secrets 56 + probes: 57 + liveness: &probe 58 + enabled: true 59 + path: / 60 + readiness: *probe 61 + startup: *probe 62 + securityContext: 63 + allowPrivilegeEscalation: false 64 + capabilities: { drop: ["ALL"] } 65 + resources: 66 + requests: 67 + cpu: 10m 68 + limits: 69 + memory: 512Mi 70 + 71 + defaultPodOptions: 72 + securityContext: 73 + runAsNonRoot: true 74 + runAsUser: 10999 75 + runAsGroup: 10999 76 + fsGroup: 10999 77 + fsGroupChangePolicy: OnRootMismatch 78 + seccompProfile: { type: RuntimeDefault } 79 + 80 + service: 81 + knot: 82 + primary: true 83 + controller: knot 84 + ports: 85 + http: 86 + primary: true 87 + port: &port 5555 88 + protocol: HTTP 89 + ssh: 90 + type: LoadBalancer 91 + annotations: 92 + metallb.io/address-pool: manual-pool 93 + 
metallb.io/loadBalancerIPs: ${IP_ADDR_INGRESS} 94 + metallb.io/allow-shared-ip: share-${IP_ADDR_INGRESS} 95 + tailscale.com/expose: "true" 96 + controller: knot 97 + ports: 98 + ssh: 99 + port: 22 100 + targetPort: 2222 101 + protocol: TCP 102 + 103 + route: 104 + knot: 105 + annotations: 106 + route.proteus/redirect-http: 'true' 107 + parentRefs: 108 + - name: ingress-gateway 109 + namespace: ingress 110 + sectionName: atproto-https 111 + hostnames: 112 + - *hostname 113 + rules: 114 + - backendRefs: 115 + - identifier: knot 116 + port: *port 117 + 118 + persistence: 119 + data: 120 + type: persistentVolumeClaim 121 + accessMode: ReadWriteOncePod 122 + size: 2Gi 123 + retain: true 124 + repositories: 125 + type: persistentVolumeClaim 126 + accessMode: ReadWriteOncePod 127 + size: 10Gi 128 + retain: true 129 + ssh-keys: 130 + type: persistentVolumeClaim 131 + accessMode: ReadWriteOncePod 132 + size: 128Mi 133 + advancedMounts: 134 + knot: 135 + init-ssh-keys: 136 + - path: /ssh 137 + app: 138 + - path: /ssh-keys 139 + subPath: keys 140 + tmp: 141 + type: emptyDir
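Review bot: The `app` container's securityContext (line 62 onwards) drops all capabilities and blocks privilege escalation but leaves the root filesystem writable; since the image's runtime writes appear to go to mounted volumes (`/data`, `/repositories`, `/ssh-keys` and the `tmp` emptyDir), `readOnlyRootFilesystem: true` looks achievable and would keep a compromised knot or sshd from altering `/usr/sbin/knot`, the keys wrapper or `/sshd_config`. It depends on sshd not needing `/run` for its pid file (`PidFile none` in sshd_config) and on the `tmp` emptyDir actually being mounted at `/tmp`, which the chart presumably does by default but is not explicit here. The SSH `LoadBalancer` service (line 89 onwards) shares the ingress IP and is also tailscale-exposed, so port 22 is reachable from both networks; a one-line comment stating that this is intended would help the next reader.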
+33 -2
kubernetes/apps/at/pds/secrets.yaml
··· 29 29 T0NvQ0p3SHlNZm5ETmo1VitzRWhobWsKDL26hIDYVlyUhMUZ/T4zASdLSZp6ZOTs 30 30 57TRvz73ueG4h9EKq3zIrQBmofE33tBUa8edL4k5Udg2IAE/7phTSw== 31 31 -----END AGE ENCRYPTED FILE----- 32 - lastmodified: "2025-11-09T22:41:05Z" 33 - mac: ENC[AES256_GCM,data:0ICs1hWJu36mq0AnnyySJQDpiGVBOKU4dKt7i87NIR9/BUuKbyJn3FA0nyAR0Kc1Xfr/LTCERr6qGjoHwNFdnyPpLUtX2pKydgaDb3jzktJ9wsJWPsozUiBrVsKmVPzuDIDL/izI5LOcZPgf6xaH2DQHqU3Ljwd5b3T4dCA6Dcw=,iv:n7H7c50it1NhHcoP5ywj1/Gjt3fzm4oxrEYCar6swjA=,tag:5eIYaqYyt4xX0G61D1q+gg==,type:str] 32 + lastmodified: "2025-11-12T17:55:19Z" 33 + mac: ENC[AES256_GCM,data:oyZqSIy9VMVF9dI8VHywL84R6m+mdV/ErZ3VHRr5DeNqZYr1oPOSBFTm2NyQVp8pllJ1DINB4/ic2Q/pr6cHX1+M3S9Fofes5+KMJ00UqwN6GPjtktVuabglrKmVJXRix2m9ORB2d6eXZ3dPCJj4cgWvr9NJDFNp24mz+nR45TE=,iv:607PiC6odpn19lRdXBy03hwmZDfUN7xRp2agys5QhFM=,tag:4LSrG9ysswrgfv1NKjzPkQ==,type:str] 34 + encrypted_regex: ^(data|stringData)$ 35 + version: 3.11.0 36 + --- 37 + apiVersion: v1 38 + kind: Secret 39 + metadata: 40 + name: knot-secrets 41 + stringData: 42 + KNOT_SERVER_OWNER: ENC[AES256_GCM,data:1pScJiGX1+dhGFzK0kR6YQuonCTDlV2pSf90hFf01Qw=,iv:duH3NBYRGrDv7txc3vAFdN1OskvfzR9nIfk4xYX9HH0=,tag:4I6z16cfnFBovJfA82qHMA==,type:str] 43 + sops: 44 + age: 45 + - recipient: age13u6nqs8jgp268mya8rht9gyhu86cc53j74f5va65077rsrvkr9gsjeqk88 46 + enc: | 47 + -----BEGIN AGE ENCRYPTED FILE----- 48 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzUDU4RUYvZ0JHUG5HeVlE 49 + cmZ5YUhMQ0k1TFhSUDVaTXcvR0R1VHNXOFY0Ck1WbG9yRlU3U1RjUCtmYUs1NGFh 50 + Q3VqUkJqS21HdDRLM1VZcit2MjlTeFEKLS0tIGNaQW5xR1ppSnJvRWppMzZ4RXYz 51 + Ynl4NTJzdE5yY296bktWNHh2K2pCZ00K9SSFhatky5xXldG3/fZqUUoT98MT3juP 52 + /pLi389UP9+sphwhEQpIwqh8ZHeXY1GgaTzHd2b5v7cnydGCPsWV/A== 53 + -----END AGE ENCRYPTED FILE----- 54 + - recipient: age16tv9zf54wf4txwjx39wz9phw7zggtxe7k0p2lkhtx59u4he72erq4d9xh9 55 + enc: | 56 + -----BEGIN AGE ENCRYPTED FILE----- 57 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdG1CeXU0V0N6eWZtRlQw 58 + TkxPVHIzL0c5cjFJcTFkZ1NENEdQMkhtYW5NClVzMHZZNjhaWFAwQXFRSDRxYW1X 59 + 
RWZ1T3dySFBjem1DU1ZQVkxmeXFhbW8KLS0tIE9UalNMSFkwZksyZnBqa21iZElH 60 + T0NvQ0p3SHlNZm5ETmo1VitzRWhobWsKDL26hIDYVlyUhMUZ/T4zASdLSZp6ZOTs 61 + 57TRvz73ueG4h9EKq3zIrQBmofE33tBUa8edL4k5Udg2IAE/7phTSw== 62 + -----END AGE ENCRYPTED FILE----- 63 + lastmodified: "2025-11-12T17:55:19Z" 64 + mac: ENC[AES256_GCM,data:oyZqSIy9VMVF9dI8VHywL84R6m+mdV/ErZ3VHRr5DeNqZYr1oPOSBFTm2NyQVp8pllJ1DINB4/ic2Q/pr6cHX1+M3S9Fofes5+KMJ00UqwN6GPjtktVuabglrKmVJXRix2m9ORB2d6eXZ3dPCJj4cgWvr9NJDFNp24mz+nR45TE=,iv:607PiC6odpn19lRdXBy03hwmZDfUN7xRp2agys5QhFM=,tag:4LSrG9ysswrgfv1NKjzPkQ==,type:str] 34 65 encrypted_regex: ^(data|stringData)$ 35 66 version: 3.11.0