+9

machines/terebithia/default.nix

··· 115 115 file = ../../secrets/cloudflare.age; 116 116 owner = "caddy"; 117 117 }; 118 118 + github-knot-sync = { 119 119 + file = ../../secrets/github-knot-sync.age; 120 120 + owner = "git"; 121 121 + }; 118 122 }; 119 123 120 124 environment.sessionVariables = { ··· 266 270 hostname = "spindle.dunkirk.sh"; 267 271 listenAddr = "127.0.0.1:6555"; 268 272 }; 273 273 + }; 274 274 + 275 275 + atelier.services.knot-sync = { 276 276 + enable = true; 277 277 + secretsFile = config.age.secrets.github-knot-sync.path; 269 278 }; 270 279 271 280 boot.loader.systemd-boot.enable = true;

+29 -16

modules/home/system/shell.nix

··· 169 169 # Configuration variables - set these to your defaults 170 170 local default_plc_id="did:plc:krxbvxvis5skq7jj6eot23ul" 171 171 local default_github_username="taciturnaxolotl" 172 172 + local default_knot_host="knot.dunkirk.sh" 172 173 local extracted_github_username="" 173 174 174 175 # Check if current directory is a git repository ··· 180 181 # Get the repository name from the current directory 181 182 local repo_name=$(basename "$(git rev-parse --show-toplevel)") 182 183 183 183 - # Check if origin remote exists and points to ember 184 184 + # Check if origin remote exists and points to knot 184 185 local origin_url=$(git remote get-url origin 2>/dev/null) 185 185 - local origin_ember=false 186 186 + local origin_knot=false 186 187 187 188 if [[ -n "$origin_url" ]]; then 188 189 # Try to extract GitHub username if origin is a GitHub URL ··· 192 193 default_github_username=$extracted_github_username 193 194 fi 194 195 195 195 - if [[ "$origin_url" == *"ember"* ]]; then 196 196 - origin_ember=true 197 197 - echo "✅ Origin remote exists and points to ember" 196 196 + if [[ "$origin_url" == *"$default_knot_host"* || "$origin_url" == *"knot.dunkirk.sh"* ]]; then 197 197 + origin_knot=true 198 198 + echo "✅ Origin remote exists and points to knot" 198 199 else 199 199 - echo "⚠️ Origin remote exists but doesn't point to ember" 200 200 + echo "⚠️ Origin remote exists but doesn't point to knot" 200 201 fi 201 202 else 202 203 echo "⚠️ Origin remote doesn't exist" ··· 212 213 fi 213 214 214 215 # Fix remotes if needed 215 215 - if [[ "$origin_ember" = false || "$github_exists" = false ]]; then 216 216 - echo "Setting up remotes..." 217 217 - 216 216 + if [[ "$origin_knot" = false || "$github_exists" = false ]]; then 218 217 # Prompt for PLC identifier if needed 219 218 local plc_id="" 220 220 - if [[ "$origin_ember" = false ]]; then 221 221 - echo -n "Enter your PLC identifier [default: $default_plc_id]: " 222 222 - read plc_input 223 223 - plc_id=''${plc_input:-$default_plc_id} 219 219 + local should_fix_origin=false 220 220 + 221 221 + if [[ "$origin_knot" = false ]]; then 222 222 + if [[ -n "$origin_url" ]]; then 223 223 + echo -n "Migrate origin from $origin_url to knot.dunkirk.sh? [Y/n]: " 224 224 + read fix_input 225 225 + if [[ -z "$fix_input" || "$fix_input" =~ ^[Yy]$ ]]; then 226 226 + should_fix_origin=true 227 227 + fi 228 228 + else 229 229 + should_fix_origin=true 230 230 + fi 231 231 + 232 232 + if [[ "$should_fix_origin" = true ]]; then 233 233 + echo -n "Enter your PLC identifier [default: $default_plc_id]: " 234 234 + read plc_input 235 235 + plc_id=''${plc_input:-$default_plc_id} 236 236 + fi 224 237 fi 225 238 226 239 # Prompt for GitHub username with default from origin if available ··· 232 245 fi 233 246 234 247 # Set up origin remote if needed 235 235 - if [[ "$origin_ember" = false && -n "$plc_id" ]]; then 248 248 + if [[ "$should_fix_origin" = true && -n "$plc_id" ]]; then 236 249 if git remote get-url origin &>/dev/null; then 237 250 git remote remove origin 238 251 fi 239 239 - git remote add origin "git@ember:''${plc_id}/''${repo_name}" 240 240 - echo "✅ Set up origin remote: git@ember:''${plc_id}/''${repo_name}" 252 252 + git remote add origin "git@$default_knot_host:''${plc_id}/''${repo_name}" 253 253 + echo "✅ Set up origin remote: git@$default_knot_host:''${plc_id}/''${repo_name}" 241 254 fi 242 255 243 256 # Set up GitHub remote if needed

+185

modules/nixos/services/knot-sync.nix

··· 1 1 + { 2 2 + config, 3 3 + lib, 4 4 + pkgs, 5 5 + ... 6 6 + }: 7 7 + 8 8 + let 9 9 + cfg = config.atelier.services.knot-sync; 10 10 + in 11 11 + { 12 12 + options.atelier.services.knot-sync = { 13 13 + enable = lib.mkEnableOption "Knot to GitHub sync service"; 14 14 + 15 15 + repoDir = lib.mkOption { 16 16 + type = lib.types.str; 17 17 + default = "/home/git/did:plc:krxbvxvis5skq7jj6eot23ul"; 18 18 + description = "Directory containing git repositories"; 19 19 + }; 20 20 + 21 21 + githubUsername = lib.mkOption { 22 22 + type = lib.types.str; 23 23 + default = "taciturnaxolotl"; 24 24 + description = "GitHub username"; 25 25 + }; 26 26 + 27 27 + secretsFile = lib.mkOption { 28 28 + type = lib.types.path; 29 29 + description = "Path to secrets file containing GITHUB_TOKEN"; 30 30 + }; 31 31 + 32 32 + logFile = lib.mkOption { 33 33 + type = lib.types.str; 34 34 + default = "/home/git/knot-sync.log"; 35 35 + description = "Log file location"; 36 36 + }; 37 37 + 38 38 + interval = lib.mkOption { 39 39 + type = lib.types.str; 40 40 + default = "*/5 * * * *"; 41 41 + description = "Cron schedule for sync (default: every 5 minutes)"; 42 42 + }; 43 43 + }; 44 44 + 45 45 + config = lib.mkIf cfg.enable { 46 46 + systemd.services.knot-sync = { 47 47 + description = "Sync Knot repositories to GitHub"; 48 48 + serviceConfig = { 49 49 + Type = "oneshot"; 50 50 + User = "git"; 51 51 + EnvironmentFile = cfg.secretsFile; 52 52 + ExecStart = pkgs.writeShellScript "knot-sync" '' 53 53 + set -euo pipefail 54 54 + 55 55 + # Variables 56 56 + REPO_DIR="${cfg.repoDir}" 57 57 + GITHUB_USERNAME="${cfg.githubUsername}" 58 58 + LOG_FILE="${cfg.logFile}" 59 59 + 60 60 + # Log function 61 61 + log() { echo "$(date +'%Y-%m-%d %H:%M:%S'): $1" >> "$LOG_FILE"; } 62 62 + 63 63 + # Create the post-receive hook template 64 64 + cat <<'EOF' > /tmp/post-receive.template 65 65 + #!${pkgs.bash}/bin/bash 66 66 + # post-receive hook to sync to GitHub - AUTOGENERATED 67 67 + 68 68 + # Load environment variables from secrets file 69 69 + if [ -f "${cfg.secretsFile}" ]; then 70 70 + source "${cfg.secretsFile}" 71 71 + fi 72 72 + 73 73 + # Variables 74 74 + GITHUB_USERNAME="${cfg.githubUsername}" 75 75 + LOG_FILE="${cfg.logFile}" 76 76 + REPO_NAME=$(basename $(pwd)) 77 77 + 78 78 + # Log function 79 79 + log() { echo "$(date +'%Y-%m-%d %H:%M:%S'): $1" >> "''${LOG_FILE}"; } 80 80 + 81 81 + # Check for nosync marker 82 82 + if [ -f "$(pwd)/.nosync" ]; then 83 83 + log "Skipping sync for $REPO_NAME (nosync marker present)" 84 84 + exit 0 85 85 + fi 86 86 + 87 87 + # Function to sync to GitHub 88 88 + sync_to_github() { 89 89 + log "Syncing $REPO_NAME to GitHub" 90 90 + expected_url="https://''${GITHUB_USERNAME}:''${GITHUB_TOKEN}@github.com/''${GITHUB_USERNAME}/''${REPO_NAME}.git" 91 91 + current_url=$(${pkgs.git}/bin/git remote get-url origin 2>/dev/null || echo "") 92 92 + 93 93 + if [ -z "$current_url" ]; then 94 94 + log "Adding origin remote" 95 95 + ${pkgs.git}/bin/git remote add origin "$expected_url" 96 96 + elif [ "$current_url" != "$expected_url" ]; then 97 97 + log "Updating origin remote URL" 98 98 + ${pkgs.git}/bin/git remote set-url origin "$expected_url" 99 99 + fi 100 100 + 101 101 + # Mirror push everything (refs, tags, branches) 102 102 + if ${pkgs.git}/bin/git push --mirror origin 2>&1 | tee -a "''${LOG_FILE}"; then 103 103 + log "Sync succeeded for $REPO_NAME" 104 104 + return 0 105 105 + else 106 106 + log "Sync failed for $REPO_NAME" 107 107 + return 1 108 108 + fi 109 109 + } 110 110 + 111 111 + # Main 112 112 + while read oldrev newrev refname; do 113 113 + log "Received push for ref '$refname' (old revision: $oldrev, new revision: $newrev)" 114 114 + sync_to_github 115 115 + done 116 116 + EOF 117 117 + 118 118 + HOOK_TEMPLATE="/tmp/post-receive.template" 119 119 + 120 120 + # Create the post-receive hook 121 121 + create_hook() { 122 122 + local new_repo_path="$1" 123 123 + local hook_path="$new_repo_path/hooks/post-receive.d/forward" 124 124 + local nosync_marker="$new_repo_path/.nosync" 125 125 + 126 126 + # Skip if .nosync marker exists 127 127 + if [ -f "$nosync_marker" ]; then 128 128 + log "Skipping $new_repo_path (nosync marker present)" 129 129 + return 0 130 130 + fi 131 131 + 132 132 + if [ -d "$new_repo_path" ] && [ ! -f "$hook_path" ]; then 133 133 + # Check that it's a git repository, specifically a bare repo 134 134 + if [ -f "$new_repo_path/config" ]; then 135 135 + # Create hooks directory if it doesn't exist 136 136 + mkdir -p "$(dirname "$hook_path")" 137 137 + # Create hook from the template file, substituting variables. 138 138 + if cat "$HOOK_TEMPLATE" > "$hook_path" && chmod +x "$hook_path"; then 139 139 + log "Created hook for $new_repo_path" 140 140 + # Check if repo has any commits before pushing 141 141 + if (cd "$new_repo_path" && ${pkgs.git}/bin/git rev-parse HEAD >/dev/null 2>&1); then 142 142 + # Auto push by simulating a post-receive hook trigger 143 143 + log "Triggering initial push for $new_repo_path" 144 144 + (cd "$new_repo_path" && \ 145 145 + echo "0000000000000000000000000000000000000000 $(${pkgs.git}/bin/git rev-parse HEAD) refs/heads/main" | \ 146 146 + "$hook_path") 147 147 + fi 148 148 + else 149 149 + log "Hook creation failed for $new_repo_path" 150 150 + fi 151 151 + fi 152 152 + fi 153 153 + } 154 154 + 155 155 + # Keep track of hooks created 156 156 + hooks_created=0 157 157 + 158 158 + # Find all directories that look like bare Git repos without a post-receive hook 159 159 + ${pkgs.findutils}/bin/find "$REPO_DIR" -mindepth 1 -maxdepth 1 -type d \! -name ".*" -print0 | 160 160 + while IFS= read -r -d $'\0' repo_path; do 161 161 + create_hook "$repo_path" 162 162 + if [ $? -eq 0 ]; then 163 163 + hooks_created=$((hooks_created + 1)) 164 164 + fi 165 165 + done 166 166 + 167 167 + # Only log completion if hooks were actually created 168 168 + if [ $hooks_created -gt 0 ]; then 169 169 + log "Sync job complete - Created $hooks_created hooks" 170 170 + fi 171 171 + ''; 172 172 + }; 173 173 + }; 174 174 + 175 175 + systemd.paths.knot-sync = { 176 176 + description = "Watch for new Knot repositories"; 177 177 + wantedBy = [ "multi-user.target" ]; 178 178 + pathConfig = { 179 179 + PathModified = cfg.repoDir; 180 180 + Unit = "knot-sync.service"; 181 181 + MakeDirectory = true; 182 182 + }; 183 183 + }; 184 184 + }; 185 185 + }

+13

secrets/github-knot-sync.age

··· 1 1 + age-encryption.org/v1 2 2 + -> ssh-rsa DqcG0Q 3 3 + eG7RPDx4xt/jE8lDjJ/whTT6ekS5ccZgLLzEqvJZ1bOsZm7ycfKRUjs5mZoNn8/Y 4 4 + n6Rk6FyhTXSb0HrhCpSOSH23nCHwMFK/1H/pKdFpXTJAdx2LkX4VRI807/XjPHK4 5 5 + Iyy0E1xL53RepvC6JPHmmW/Z7h/yamvP8MDE4Mds7oiBZYf/0Whdfw+PlKA5Xy7s 6 6 + 0xAQgQlODwSSwlNdtwgf0i1tcEkhDC1ts2o8/2NSoLj3s2348RAkv2n8yV0eu1bh 7 7 + 9UaeCOuyUxhCOYta7vWNp9xLy6MQuqptT2MNAjjYGHMZ0i5xH0lnvU1twqvN52Kf 8 8 + wGuzKLw//qz13XWWgMaPbLz6L38j4gvl7eWd51vRQGX9Z9QDOHpu7iFcyY6bUeLh 9 9 + 3n9Quin11JrFl2Fx2qqDi8aILua9/Oq4bPchPURqbTUnZ+SR/aRFgN3aFVHmC0gL 10 10 + l0BGhkCTFmb9+FrhILhmyKiln4dTaGigMhaSs9GuuXZ85FmCKjkp+6eRDDWP4WS9 11 11 + 12 12 + --- T+md4gE0kZczI05P8evIAnS6wGnFPnMoTpaQM5DS1ao 13 13 + mn̂�;�צ$`_�p�vR�1�7Fl�ç������+!����3�-�EYG��Q�*���������V�Զ����a�F��O����'}H��b���IHG�Z)t
�����$�lXv�����F~sw%]G��H�s�LTv(�

+3

secrets/secrets.nix

··· 32 32 "hn-alerts.age".publicKeys = [ 33 33 kierank 34 34 ]; 35 35 + "github-knot-sync.age".publicKeys = [ 36 36 + kierank 37 37 + ]; 35 38 }