docs/DOCS.md at 88d05784f6373375f740685ea63a412eb32c2782

dzming.li / core
fork atom
A vibe coded tangled fork which supports pijul.
fork atom
core / docs / DOCS.md
at 88d05784f6373375f740685ea63a412eb32c2782 1912 lines 55 kB view raw view rendered
wrap content
Anirudh Oppiliappan docs: tangled sites 7d ago
7cc6d7d5
   1---
   2title: Tangled docs
   3author: The Tangled Contributors
   4date: 21 Sun, Dec 2025
   5abstract: |
   6  Tangled is a decentralized code hosting and collaboration
   7  platform. Every component of Tangled is open-source and
   8  self-hostable. [tangled.org](https://tangled.org) also
   9  provides hosting and CI services that are free to use.
  10
  11  There are several models for decentralized code
  12  collaboration platforms, ranging from ActivityPub’s
  13  (Forgejo) federated model, to Radicle’s entirely P2P model.
  14  Our approach attempts to be the best of both worlds by
  15  adopting the AT Protocol—a protocol for building decentralized
  16  social applications with a central identity
  17
  18  Our approach to this is the idea of “knots”. Knots are
  19  lightweight, headless servers that enable users to host Git
  20  repositories with ease. Knots are designed for either single
  21  or multi-tenant use which is perfect for self-hosting on a
  22  Raspberry Pi at home, or larger “community” servers. By
  23  default, Tangled provides managed knots where you can host
  24  your repositories for free.
  25
  26  The appview at tangled.org acts as a consolidated "view"
  27  into the whole network, allowing users to access, clone and
  28  contribute to repositories hosted across different knots
  29  seamlessly.
  30---
  31
  32# Quick start guide
  33
  34## Login or sign up
  35
  36You can [login](https://tangled.org) by using your AT Protocol
  37account. If you are unclear on what that means, simply head
  38to the [signup](https://tangled.org/signup) page and create
  39an account. By doing so, you will be choosing Tangled as
  40your account provider (you will be granted a handle of the
  41form `user.tngl.sh`).
  42
  43In the AT Protocol network, users are free to choose their account
  44provider (known as a "Personal Data Service", or PDS), and
  45login to applications that support AT accounts.
  46
  47You can think of it as "one account for all of the atmosphere"!
  48
  49If you already have an AT account (you may have one if you
  50signed up to Bluesky, for example), you can login with the
  51same handle on Tangled (so just use `user.bsky.social` on
  52the login page).
  53
  54## Add an SSH key
  55
  56Once you are logged in, you can start creating repositories
  57and pushing code. Tangled supports pushing git repositories
  58over SSH.
  59
  60First, you'll need to generate an SSH key if you don't
  61already have one:
  62
  63```bash
  64ssh-keygen -t ed25519 -C "foo@bar.com"
  65```
  66
  67When prompted, save the key to the default location
  68(`~/.ssh/id_ed25519`) and optionally set a passphrase.
  69
  70Copy your public key to your clipboard:
  71
  72```bash
  73# on X11
  74cat ~/.ssh/id_ed25519.pub | xclip -sel c
  75
  76# on wayland
  77cat ~/.ssh/id_ed25519.pub | wl-copy
  78
  79# on macos
  80cat ~/.ssh/id_ed25519.pub | pbcopy
  81```
  82
  83Now, navigate to 'Settings' -> 'Keys' and hit 'Add Key',
  84paste your public key, give it a descriptive name, and hit
  85save.
  86
  87## Create a repository
  88
  89Once your SSH key is added, create your first repository:
  90
  911. Hit the green `+` icon on the topbar, and select
  92   repository
  932. Enter a repository name
  943. Add a description
  954. Choose a knotserver to host this repository on
  965. Hit create
  97
  98Knots are self-hostable, lightweight Git servers that can
  99host your repository. Unlike traditional code forges, your
 100code can live on any server. Read the [Knots](TODO) section
 101for more.
 102
 103## Configure SSH
 104
 105To ensure Git uses the correct SSH key and connects smoothly
 106to Tangled, add this configuration to your `~/.ssh/config`
 107file:
 108
 109```
 110Host tangled.org
 111    Hostname tangled.org
 112    User git
 113    IdentityFile ~/.ssh/id_ed25519
 114    AddressFamily inet
 115```
 116
 117This tells SSH to use your specific key when connecting to
 118Tangled and prevents authentication issues if you have
 119multiple SSH keys.
 120
 121Note that this configuration only works for knotservers that
 122are hosted by tangled.org. If you use a custom knot, refer
 123to the [Knots](TODO) section.
 124
 125## Push your first repository
 126
 127Initialize a new Git repository:
 128
 129```bash
 130mkdir my-project
 131cd my-project
 132
 133git init
 134echo "# My Project" > README.md
 135```
 136
 137Add some content and push!
 138
 139```bash
 140git add README.md
 141git commit -m "Initial commit"
 142git remote add origin git@tangled.org:user.tngl.sh/my-project
 143git push -u origin main
 144```
 145
 146That's it! Your code is now hosted on Tangled.
 147
 148## Migrating an existing repository
 149
 150Moving your repositories from GitHub, GitLab, Bitbucket, or
 151any other Git forge to Tangled is straightforward. You'll
 152simply change your repository's remote URL. At the moment,
 153Tangled does not have any tooling to migrate data such as
 154GitHub issues or pull requests.
 155
 156First, create a new repository on tangled.org as described
 157in the [Quick Start Guide](#create-a-repository).
 158
 159Navigate to your existing local repository:
 160
 161```bash
 162cd /path/to/your/existing/repo
 163```
 164
 165You can inspect your existing Git remote like so:
 166
 167```bash
 168git remote -v
 169```
 170
 171You'll see something like:
 172
 173```
 174origin  git@github.com:username/my-project (fetch)
 175origin  git@github.com:username/my-project (push)
 176```
 177
 178Update the remote URL to point to tangled:
 179
 180```bash
 181git remote set-url origin git@tangled.org:user.tngl.sh/my-project
 182```
 183
 184Verify the change:
 185
 186```bash
 187git remote -v
 188```
 189
 190You should now see:
 191
 192```
 193origin  git@tangled.org:user.tngl.sh/my-project (fetch)
 194origin  git@tangled.org:user.tngl.sh/my-project (push)
 195```
 196
 197Push all your branches and tags to Tangled:
 198
 199```bash
 200git push -u origin --all
 201git push -u origin --tags
 202```
 203
 204Your repository is now migrated to Tangled! All commit
 205history, branches, and tags have been preserved.
 206
 207## Mirroring a repository to Tangled
 208
 209If you want to maintain your repository on multiple forges
 210simultaneously, for example, keeping your primary repository
 211on GitHub while mirroring to Tangled for backup or
 212redundancy, you can do so by adding multiple remotes.
 213
 214You can configure your local repository to push to both
 215Tangled and, say, GitHub. You may already have the following
 216setup:
 217
 218```
 219$ git remote -v
 220origin  git@github.com:username/my-project (fetch)
 221origin  git@github.com:username/my-project (push)
 222```
 223
 224Now add Tangled as an additional push URL to the same
 225remote:
 226
 227```bash
 228git remote set-url --add --push origin git@tangled.org:user.tngl.sh/my-project
 229```
 230
 231You also need to re-add the original URL as a push
 232destination (Git replaces the push URL when you use `--add`
 233the first time):
 234
 235```bash
 236git remote set-url --add --push origin git@github.com:username/my-project
 237```
 238
 239Verify your configuration:
 240
 241```
 242$ git remote -v
 243origin  git@github.com:username/repo (fetch)
 244origin  git@tangled.org:username/my-project (push)
 245origin  git@github.com:username/repo (push)
 246```
 247
 248Notice that there's one fetch URL (the primary remote) and
 249two push URLs. Now, whenever you push, Git will
 250automatically push to both remotes:
 251
 252```bash
 253git push origin main
 254```
 255
 256This single command pushes your `main` branch to both GitHub
 257and Tangled simultaneously.
 258
 259To push all branches and tags:
 260
 261```bash
 262git push origin --all
 263git push origin --tags
 264```
 265
 266If you prefer more control over which remote you push to,
 267you can maintain separate remotes:
 268
 269```bash
 270git remote add github git@github.com:username/my-project
 271git remote add tangled git@tangled.org:username/my-project
 272```
 273
 274Then push to each explicitly:
 275
 276```bash
 277git push github main
 278git push tangled main
 279```
 280
 281# Hosting websites on Tangled
 282
 283You can serve static websites directly from your git repositories on
 284Tangled. If you've used GitHub Pages or Codeberg Pages, this should feel
 285familiar.
 286
 287## Overview
 288
 289Every user gets a sites domain. If you signed up through Tangled's own
 290PDS (`tngl.sh`), your sites domain is automatically
 291`<your-handle>.tngl.sh` no setup needed. Otherwise, you can claim a
 292`<subdomain>.tngl.io` domain from your settings.
 293
 294You can serve multiple sites per domain:
 295
 296- One **index site** served at the root of your domain (e.g.
 297  `alice.tngl.sh`)
 298- Any number of **sub-path sites** served under the repository name
 299  (e.g. `alice.tngl.sh/my-project`)
 300
 301## Claiming a domain
 302
 303If you don't have a `tngl.sh` handle, you need to claim a domain before
 304publishing sites:
 305
 3061. Go to **Settings → Sites**
 3072. Enter a subdomain (e.g. `alice` to claim `alice.tngl.io`)
 3083. Click **claim**
 309
 310You can only hold one domain at a time. Releasing a domain puts it in a
 31130-day cooldown before anyone else can claim it.
 312
 313## Configuring a site for a repository
 314
 3151. Navigate to your repository
 3162. Go to **Settings → Sites** 
 3173. Choose a **branch** to deploy from
 3184. Set the **deploy directory** — the path within the repository
 319   containing your `index.html`. Use `/` for the root, or a subdirectory
 320   like `/docs` or `/public`
 3215. Choose the **site type**:
 322   - **Index site** — served at the root of your domain (e.g.
 323     `alice.tngl.sh`)
 324   - **Sub-path site** — served under the repository name (e.g.
 325     `alice.tngl.sh/my-project`)
 3266. Click **save**
 327
 328The site will be deployed automatically. You can see the status of your
 329previous deploys in the **Recent Deploys** section at the bottom of the
 330page.
 331
 332Sites are redeployed automatically on every push to the configured
 333branch.
 334
 335## Custom domains
 336
 337Tangled currently doesn't support custom domains for sites. This will be
 338added in a future update.
 339
 340## Deploy directory
 341
 342The deploy directory is the path within your repository that Tangled
 343serves as the site root. It must contain an `index.html`.
 344
 345| Deploy directory | Result |
 346|---|---|
 347| `/` | Serves the repository root |
 348| `/docs` | Serves the `docs/` subdirectory |
 349| `/public` | Serves the `public/` subdirectory |
 350
 351Directories are served with automatic `index.html` resolution -- a
 352request to `/about` will serve `/about/index.html` if it exists.
 353
 354## Site types
 355
 356| Type | URL |
 357|---|---|
 358| Index site | `alice.tngl.sh` |
 359| Sub-path site | `alice.tngl.sh/my-project` |
 360
 361Only one repository can be the index site for a given domain at a time.
 362If another repository already holds the index site, you will see a
 363notice in the settings and only the sub-path option will be available.
 364
 365## Deploy triggers
 366
 367A deployment is triggered automatically when:
 368
 369- You push to the configured branch
 370- You change the site configuration (branch, deploy directory, or site
 371  type)
 372
 373## Disabling a site
 374
 375To stop serving a site, go to **Settings → Sites** in your repository
 376and click **Disable**. This removes the site configuration and stops
 377serving the site. The deployed files are also deleted from storage.
 378
 379Releasing your domain from **Settings → Sites** at the account level
 380will disable all sites associated with it and delete their files.
 381
 382
 383# Knot self-hosting guide
 384
 385So you want to run your own knot server? Great! Here are a few prerequisites:
 386
 3871. A server of some kind (a VPS, a Raspberry Pi, etc.). Preferably running a Linux distribution of some kind.
 3882. A (sub)domain name. People generally use `knot.example.com`.
 3893. A valid SSL certificate for your domain.
 390
 391## NixOS
 392
 393Refer to the [knot
 394module](https://tangled.org/tangled.org/core/blob/master/nix/modules/knot.nix)
 395for a full list of options. Sample configurations:
 396
 397- [The test VM](https://tangled.org/tangled.org/core/blob/master/nix/vm.nix#L85)
 398- [@pyrox.dev/nix](https://tangled.org/pyrox.dev/nix/blob/d19571cc1b5fe01035e1e6951ec8cf8a476b4dee/hosts/marvin/services/tangled.nix#L15-25)
 399
 400## Docker
 401
 402Refer to
 403[@tangled.org/knot-docker](https://tangled.org/@tangled.org/knot-docker).
 404Note that this is community maintained.
 405
 406## Manual setup
 407
 408First, clone this repository:
 409
 410```
 411git clone https://tangled.org/@tangled.org/core
 412```
 413
 414Then, build the `knot` CLI. This is the knot administration
 415and operation tool. For the purpose of this guide, we're
 416only concerned with these subcommands:
 417
 418- `knot server`: the main knot server process, typically
 419  run as a supervised service
 420- `knot guard`: handles role-based access control for git
 421  over SSH (you'll never have to run this yourself)
 422- `knot keys`: fetches SSH keys associated with your knot;
 423  we'll use this to generate the SSH
 424  `AuthorizedKeysCommand`
 425
 426```
 427cd core
 428export CGO_ENABLED=1
 429go build -o knot ./cmd/knot
 430```
 431
 432Next, move the `knot` binary to a location owned by `root` --
 433`/usr/local/bin/` is a good choice. Make sure the binary itself is also owned by `root`:
 434
 435```
 436sudo mv knot /usr/local/bin/knot
 437sudo chown root:root /usr/local/bin/knot
 438```
 439
 440This is necessary because SSH `AuthorizedKeysCommand` requires [really
 441specific permissions](https://stackoverflow.com/a/27638306). The
 442`AuthorizedKeysCommand` specifies a command that is run by `sshd` to
 443retrieve a user's public SSH keys dynamically for authentication. Let's
 444set that up.
 445
 446```
 447sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
 448Match User git
 449  AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys
 450  AuthorizedKeysCommandUser nobody
 451EOF
 452```
 453
 454Then, reload `sshd`:
 455
 456```
 457sudo systemctl reload ssh
 458```
 459
 460Next, create the `git` user. We'll use the `git` user's home directory
 461to store repositories:
 462
 463```
 464sudo adduser git
 465```
 466
 467Create `/home/git/.knot.env` with the following, updating the values as
 468necessary. The `KNOT_SERVER_OWNER` should be set to your
 469DID, you can find your DID in the [Settings](https://tangled.sh/settings) page.
 470
 471```
 472KNOT_REPO_SCAN_PATH=/home/git
 473KNOT_SERVER_HOSTNAME=knot.example.com
 474APPVIEW_ENDPOINT=https://tangled.org
 475KNOT_SERVER_OWNER=did:plc:foobar
 476KNOT_SERVER_INTERNAL_LISTEN_ADDR=127.0.0.1:5444
 477KNOT_SERVER_LISTEN_ADDR=127.0.0.1:5555
 478```
 479
 480If you run a Linux distribution that uses systemd, you can
 481use the provided service file to run the server. Copy
 482[`knotserver.service`](https://tangled.org/tangled.org/core/blob/master/systemd/knotserver.service)
 483to `/etc/systemd/system/`. Then, run:
 484
 485```
 486systemctl enable knotserver
 487systemctl start knotserver
 488```
 489
 490The last step is to configure a reverse proxy like Nginx or Caddy to front your
 491knot. Here's an example configuration for Nginx:
 492
 493```
 494server {
 495    listen 80;
 496    listen [::]:80;
 497    server_name knot.example.com;
 498
 499    location / {
 500        proxy_pass http://localhost:5555;
 501        proxy_set_header Host $host;
 502        proxy_set_header X-Real-IP $remote_addr;
 503        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 504        proxy_set_header X-Forwarded-Proto $scheme;
 505    }
 506
 507    # wss endpoint for git events
 508    location /events {
 509        proxy_set_header   X-Forwarded-For $remote_addr;
 510        proxy_set_header   Host $http_host;
 511        proxy_set_header Upgrade websocket;
 512        proxy_set_header Connection Upgrade;
 513        proxy_pass http://localhost:5555;
 514    }
 515  # additional config for SSL/TLS go here.
 516}
 517
 518```
 519
 520Remember to use Let's Encrypt or similar to procure a certificate for your
 521knot domain.
 522
 523You should now have a running knot server! You can finalize
 524your registration by hitting the `verify` button on the
 525[/settings/knots](https://tangled.org/settings/knots) page. This simply creates
 526a record on your PDS to announce the existence of the knot.
 527
 528### Custom paths
 529
 530(This section applies to manual setup only. Docker users should edit the mounts
 531in `docker-compose.yml` instead.)
 532
 533Right now, the database and repositories of your knot lives in `/home/git`. You
 534can move these paths if you'd like to store them in another folder. Be careful
 535when adjusting these paths:
 536
 537- Stop your knot when moving data (e.g. `systemctl stop knotserver`) to prevent
 538  any possible side effects. Remember to restart it once you're done.
 539- Make backups before moving in case something goes wrong.
 540- Make sure the `git` user can read and write from the new paths.
 541
 542#### Database
 543
 544As an example, let's say the current database is at `/home/git/knotserver.db`,
 545and we want to move it to `/home/git/database/knotserver.db`.
 546
 547Copy the current database to the new location. Make sure to copy the `.db-shm`
 548and `.db-wal` files if they exist.
 549
 550```
 551mkdir /home/git/database
 552cp /home/git/knotserver.db* /home/git/database
 553```
 554
 555In the environment (e.g. `/home/git/.knot.env`), set `KNOT_SERVER_DB_PATH` to
 556the new file path (_not_ the directory):
 557
 558```
 559KNOT_SERVER_DB_PATH=/home/git/database/knotserver.db
 560```
 561
 562#### Repositories
 563
 564As an example, let's say the repositories are currently in `/home/git`, and we
 565want to move them into `/home/git/repositories`.
 566
 567Create the new folder, then move the existing repositories (if there are any):
 568
 569```
 570mkdir /home/git/repositories
 571# move all DIDs into the new folder; these will vary for you!
 572mv /home/git/did:plc:wshs7t2adsemcrrd4snkeqli /home/git/repositories
 573```
 574
 575In the environment (e.g. `/home/git/.knot.env`), update `KNOT_REPO_SCAN_PATH`
 576to the new directory:
 577
 578```
 579KNOT_REPO_SCAN_PATH=/home/git/repositories
 580```
 581
 582Similarly, update your `sshd` `AuthorizedKeysCommand` to use the updated
 583repository path:
 584
 585```
 586sudo tee /etc/ssh/sshd_config.d/authorized_keys_command.conf <<EOF
 587Match User git
 588  AuthorizedKeysCommand /usr/local/bin/knot keys -o authorized-keys -git-dir /home/git/repositories
 589  AuthorizedKeysCommandUser nobody
 590EOF
 591```
 592
 593Make sure to restart your SSH server!
 594
 595#### MOTD (message of the day)
 596
 597To configure the MOTD used ("Welcome to this knot!" by default), edit the
 598`/home/git/motd` file:
 599
 600```
 601printf "Hi from this knot!\n" > /home/git/motd
 602```
 603
 604Note that you should add a newline at the end if setting a non-empty message
 605since the knot won't do this for you.
 606
 607## Troubleshooting
 608
 609If you run your own knot, you may run into some of these
 610common issues. You can always join the
 611[IRC](https://web.libera.chat/#tangled) or
 612[Discord](https://chat.tangled.org/) if this section does
 613not help.
 614
 615### Unable to push
 616
 617If you are unable to push to your knot or repository:
 618
 6191. First, ensure that you have added your SSH public key to
 620   your account
 6212. Check to see that your knot has synced the key by running
 622   `knot keys`
 6233. Check to see if git is supplying the correct private key
 624   when pushing: `GIT_SSH_COMMAND="ssh -v" git push ...`
 6254. Check to see if `sshd` on the knot is rejecting the push
 626   for some reason: `journalctl -xeu ssh` (or `sshd`,
 627   depending on your machine). These logs are unavailable if
 628   using docker.
 6295. Check to see if the knot itself is rejecting the push,
 630   depending on your setup, the logs might be in one of the
 631   following paths:
 632   - `/tmp/knotguard.log`
 633   - `/home/git/log`
 634   - `/home/git/guard.log`
 635
 636# Spindles
 637
 638## Pipelines
 639
 640Spindle workflows allow you to write CI/CD pipelines in a
 641simple format. They're located in the `.tangled/workflows`
 642directory at the root of your repository, and are defined
 643using YAML.
 644
 645The fields are:
 646
 647- [Trigger](#trigger): A **required** field that defines
 648  when a workflow should be triggered.
 649- [Engine](#engine): A **required** field that defines which
 650  engine a workflow should run on.
 651- [Clone options](#clone-options): An **optional** field
 652  that defines how the repository should be cloned.
 653- [Dependencies](#dependencies): An **optional** field that
 654  allows you to list dependencies you may need.
 655- [Environment](#environment): An **optional** field that
 656  allows you to define environment variables.
 657- [Steps](#steps): An **optional** field that allows you to
 658  define what steps should run in the workflow.
 659
 660### Trigger
 661
 662The first thing to add to a workflow is the trigger, which
 663defines when a workflow runs. This is defined using a `when`
 664field, which takes in a list of conditions. Each condition
 665has the following fields:
 666
 667- `event`: This is a **required** field that defines when
 668  your workflow should run. It's a list that can take one or
 669  more of the following values:
 670  - `push`: The workflow should run every time a commit is
 671    pushed to the repository.
 672  - `pull_request`: The workflow should run every time a
 673    pull request is made or updated.
 674  - `manual`: The workflow can be triggered manually.
 675- `branch`: Defines which branches the workflow should run
 676  for. If used with the `push` event, commits to the
 677  branch(es) listed here will trigger the workflow. If used
 678  with the `pull_request` event, updates to pull requests
 679  targeting the branch(es) listed here will trigger the
 680  workflow. This field has no effect with the `manual`
 681  event. Supports glob patterns using `*` and `**` (e.g.,
 682  `main`, `develop`, `release-*`). Either `branch` or `tag`
 683  (or both) must be specified for `push` events.
 684- `tag`: Defines which tags the workflow should run for.
 685  Only used with the `push` event - when tags matching the
 686  pattern(s) listed here are pushed, the workflow will
 687  trigger. This field has no effect with `pull_request` or
 688  `manual` events. Supports glob patterns using `*` and `**`
 689  (e.g., `v*`, `v1.*`, `release-**`). Either `branch` or
 690  `tag` (or both) must be specified for `push` events.
 691
 692For example, if you'd like to define a workflow that runs
 693when commits are pushed to the `main` and `develop`
 694branches, or when pull requests that target the `main`
 695branch are updated, or manually, you can do so with:
 696
 697```yaml
 698when:
 699  - event: ["push", "manual"]
 700    branch: ["main", "develop"]
 701  - event: ["pull_request"]
 702    branch: ["main"]
 703```
 704
 705You can also trigger workflows on tag pushes. For instance,
 706to run a deployment workflow when tags matching `v*` are
 707pushed:
 708
 709```yaml
 710when:
 711  - event: ["push"]
 712    tag: ["v*"]
 713```
 714
 715You can even combine branch and tag patterns in a single
 716constraint (the workflow triggers if either matches):
 717
 718```yaml
 719when:
 720  - event: ["push"]
 721    branch: ["main", "release-*"]
 722    tag: ["v*", "stable"]
 723```
 724
 725### Engine
 726
 727Next is the engine on which the workflow should run, defined
 728using the **required** `engine` field. The currently
 729supported engines are:
 730
 731- `nixery`: This uses an instance of
 732  [Nixery](https://nixery.dev) to run steps, which allows
 733  you to add [dependencies](#dependencies) from
 734  Nixpkgs (https://github.com/NixOS/nixpkgs). You can
 735  search for packages on https://search.nixos.org, and
 736  there's a pretty good chance the package(s) you're looking
 737  for will be there.
 738
 739Example:
 740
 741```yaml
 742engine: "nixery"
 743```
 744
 745### Clone options
 746
 747When a workflow starts, the first step is to clone the
 748repository. You can customize this behavior using the
 749**optional** `clone` field. It has the following fields:
 750
 751- `skip`: Setting this to `true` will skip cloning the
 752  repository. This can be useful if your workflow is doing
 753  something that doesn't require anything from the
 754  repository itself. This is `false` by default.
 755- `depth`: This sets the number of commits, or the "clone
 756  depth", to fetch from the repository. For example, if you
 757  set this to 2, the last 2 commits will be fetched. By
 758  default, the depth is set to 1, meaning only the most
 759  recent commit will be fetched, which is the commit that
 760  triggered the workflow.
 761- `submodules`: If you use Git submodules
 762  (https://git-scm.com/book/en/v2/Git-Tools-Submodules)
 763  in your repository, setting this field to `true` will
 764  recursively fetch all submodules. This is `false` by
 765  default.
 766
 767The default settings are:
 768
 769```yaml
 770clone:
 771  skip: false
 772  depth: 1
 773  submodules: false
 774```
 775
 776### Dependencies
 777
 778Usually when you're running a workflow, you'll need
 779additional dependencies. The `dependencies` field lets you
 780define which dependencies to get, and from where. It's a
 781key-value map, with the key being the registry to fetch
 782dependencies from, and the value being the list of
 783dependencies to fetch.
 784
 785The registry URL syntax can be found [on the nix
 786manual](https://nix.dev/manual/nix/2.18/command-ref/new-cli/nix3-registry-add).
 787
 788Say you want to fetch Node.js and Go from `nixpkgs`, and a
 789package called `my_pkg` you've made from your own registry
 790at your repository at
 791`https://tangled.org/@example.com/my_pkg`. You can define
 792those dependencies like so:
 793
 794```yaml
 795dependencies:
 796  # nixpkgs
 797  nixpkgs:
 798    - nodejs
 799    - go
 800  # unstable
 801  nixpkgs/nixpkgs-unstable:
 802    - bun
 803  # custom registry
 804  git+https://tangled.org/@example.com/my_pkg:
 805    - my_pkg
 806```
 807
 808Now these dependencies are available to use in your
 809workflow!
 810
 811### Environment
 812
 813The `environment` field allows you define environment
 814variables that will be available throughout the entire
 815workflow. **Do not put secrets here, these environment
 816variables are visible to anyone viewing the repository. You
 817can add secrets for pipelines in your repository's
 818settings.**
 819
 820Example:
 821
 822```yaml
 823environment:
 824  GOOS: "linux"
 825  GOARCH: "arm64"
 826  NODE_ENV: "production"
 827  MY_ENV_VAR: "MY_ENV_VALUE"
 828```
 829
 830By default, the following environment variables set:
 831
 832- `CI` - Always set to `true` to indicate a CI environment
 833- `TANGLED_PIPELINE_ID` - The AT URI of the current pipeline
 834- `TANGLED_REPO_KNOT` - The repository's knot hostname
 835- `TANGLED_REPO_DID` - The DID of the repository owner
 836- `TANGLED_REPO_NAME` - The name of the repository
 837- `TANGLED_REPO_DEFAULT_BRANCH` - The default branch of the
 838  repository
 839- `TANGLED_REPO_URL` - The full URL to the repository
 840
 841These variables are only available when the pipeline is
 842triggered by a push:
 843
 844- `TANGLED_REF` - The full git reference (e.g.,
 845  `refs/heads/main` or `refs/tags/v1.0.0`)
 846- `TANGLED_REF_NAME` - The short name of the reference
 847  (e.g., `main` or `v1.0.0`)
 848- `TANGLED_REF_TYPE` - The type of reference, either
 849  `branch` or `tag`
 850- `TANGLED_SHA` - The commit SHA that triggered the pipeline
 851- `TANGLED_COMMIT_SHA` - Alias for `TANGLED_SHA`
 852
 853These variables are only available when the pipeline is
 854triggered by a pull request:
 855
 856- `TANGLED_PR_SOURCE_BRANCH` - The source branch of the pull
 857  request
 858- `TANGLED_PR_TARGET_BRANCH` - The target branch of the pull
 859  request
 860- `TANGLED_PR_SOURCE_SHA` - The commit SHA of the source
 861  branch
 862
 863### Steps
 864
 865The `steps` field allows you to define what steps should run
 866in the workflow. It's a list of step objects, each with the
 867following fields:
 868
 869- `name`: This field allows you to give your step a name.
 870  This name is visible in your workflow runs, and is used to
 871  describe what the step is doing.
 872- `command`: This field allows you to define a command to
 873  run in that step. The step is run in a Bash shell, and the
 874  logs from the command will be visible in the pipelines
 875  page on the Tangled website. The
 876  [dependencies](#dependencies) you added will be available
 877  to use here.
 878- `environment`: Similar to the global
 879  [environment](#environment) config, this **optional**
 880  field is a key-value map that allows you to set
 881  environment variables for the step. **Do not put secrets
 882  here, these environment variables are visible to anyone
 883  viewing the repository. You can add secrets for pipelines
 884  in your repository's settings.**
 885
 886Example:
 887
 888```yaml
 889steps:
 890  - name: "Build backend"
 891    command: "go build"
 892    environment:
 893      GOOS: "darwin"
 894      GOARCH: "arm64"
 895  - name: "Build frontend"
 896    command: "npm run build"
 897    environment:
 898      NODE_ENV: "production"
 899```
 900
 901### Complete workflow
 902
 903```yaml
 904# .tangled/workflows/build.yml
 905
 906when:
 907  - event: ["push", "manual"]
 908    branch: ["main", "develop"]
 909  - event: ["pull_request"]
 910    branch: ["main"]
 911
 912engine: "nixery"
 913
 914# using the default values
 915clone:
 916  skip: false
 917  depth: 1
 918  submodules: false
 919
 920dependencies:
 921  # nixpkgs
 922  nixpkgs:
 923    - nodejs
 924    - go
 925  # custom registry
 926  git+https://tangled.org/@example.com/my_pkg:
 927    - my_pkg
 928
 929environment:
 930  GOOS: "linux"
 931  GOARCH: "arm64"
 932  NODE_ENV: "production"
 933  MY_ENV_VAR: "MY_ENV_VALUE"
 934
 935steps:
 936  - name: "Build backend"
 937    command: "go build"
 938    environment:
 939      GOOS: "darwin"
 940      GOARCH: "arm64"
 941  - name: "Build frontend"
 942    command: "npm run build"
 943    environment:
 944      NODE_ENV: "production"
 945```
 946
 947If you want another example of a workflow, you can look at
 948the one [Tangled uses to build the
 949project](https://tangled.org/@tangled.org/core/blob/master/.tangled/workflows/build.yml).
 950
 951## Self-hosting guide
 952
 953### Prerequisites
 954
 955- Go
 956- Docker (the only supported backend currently)
 957
 958### Configuration
 959
 960Spindle is configured using environment variables. The following environment variables are available:
 961
 962- `SPINDLE_SERVER_LISTEN_ADDR`: The address the server listens on (default: `"0.0.0.0:6555"`).
 963- `SPINDLE_SERVER_DB_PATH`: The path to the SQLite database file (default: `"spindle.db"`).
 964- `SPINDLE_SERVER_HOSTNAME`: The hostname of the server (required).
 965- `SPINDLE_SERVER_JETSTREAM_ENDPOINT`: The endpoint of the Jetstream server (default: `"wss://jetstream1.us-west.bsky.network/subscribe"`).
 966- `SPINDLE_SERVER_DEV`: A boolean indicating whether the server is running in development mode (default: `false`).
 967- `SPINDLE_SERVER_OWNER`: The DID of the owner (required).
 968- `SPINDLE_PIPELINES_NIXERY`: The Nixery URL (default: `"nixery.tangled.sh"`).
 969- `SPINDLE_PIPELINES_WORKFLOW_TIMEOUT`: The default workflow timeout (default: `"5m"`).
 970- `SPINDLE_PIPELINES_LOG_DIR`: The directory to store workflow logs (default: `"/var/log/spindle"`).
 971
 972### Running spindle
 973
 9741.  **Set the environment variables.** For example:
 975
 976    ```shell
 977    export SPINDLE_SERVER_HOSTNAME="your-hostname"
 978    export SPINDLE_SERVER_OWNER="your-did"
 979    ```
 980
 9812.  **Build the Spindle binary.**
 982
 983    ```shell
 984    cd core
 985    go mod download
 986    go build -o cmd/spindle/spindle cmd/spindle/main.go
 987    ```
 988
 9893.  **Create the log directory.**
 990
 991    ```shell
 992    sudo mkdir -p /var/log/spindle
 993    sudo chown $USER:$USER -R /var/log/spindle
 994    ```
 995
 9964.  **Run the Spindle binary.**
 997
 998    ```shell
 999    ./cmd/spindle/spindle
1000    ```
1001
1002Spindle will now start, connect to the Jetstream server, and begin processing pipelines.
1003
1004## Architecture
1005
1006Spindle is a small CI runner service. Here's a high-level overview of how it operates:
1007
1008- Listens for [`sh.tangled.spindle.member`](/lexicons/spindle/member.json) and
1009  [`sh.tangled.repo`](/lexicons/repo.json) records on the Jetstream.
1010- When a new repo record comes through (typically when you add a spindle to a
1011  repo from the settings), spindle then resolves the underlying knot and
1012  subscribes to repo events (see:
1013  [`sh.tangled.pipeline`](/lexicons/pipeline.json)).
1014- The spindle engine then handles execution of the pipeline, with results and
1015  logs beamed on the spindle event stream over WebSocket
1016
1017### The engine
1018
1019At present, the only supported backend is Docker (and Podman, if Docker
1020compatibility is enabled, so that `/run/docker.sock` is created). spindle
1021executes each step in the pipeline in a fresh container, with state persisted
1022across steps within the `/tangled/workspace` directory.
1023
1024The base image for the container is constructed on the fly using
1025[Nixery](https://nixery.dev), which is handy for caching layers for frequently
1026used packages.
1027
1028The pipeline manifest is [specified here](https://docs.tangled.org/spindles.html#pipelines).
1029
1030## Secrets with openbao
1031
1032This document covers setting up spindle to use OpenBao for secrets
1033management via OpenBao Proxy instead of the default SQLite backend.
1034
1035### Overview
1036
1037Spindle now uses OpenBao Proxy for secrets management. The proxy handles
1038authentication automatically using AppRole credentials, while spindle
1039connects to the local proxy instead of directly to the OpenBao server.
1040
1041This approach provides better security, automatic token renewal, and
1042simplified application code.
1043
1044### Installation
1045
1046Install OpenBao from Nixpkgs:
1047
1048```bash
1049nix shell nixpkgs#openbao   # for a local server
1050```
1051
1052### Setup
1053
1054The setup process can is documented for both local development and production.
1055
1056#### Local development
1057
1058Start OpenBao in dev mode:
1059
1060```bash
1061bao server -dev -dev-root-token-id="root" -dev-listen-address=127.0.0.1:8201
1062```
1063
1064This starts OpenBao on `http://localhost:8201` with a root token.
1065
1066Set up environment for bao CLI:
1067
1068```bash
1069export BAO_ADDR=http://localhost:8200
1070export BAO_TOKEN=root
1071```
1072
1073#### Production
1074
1075You would typically use a systemd service with a
1076configuration file. Refer to
1077[@tangled.org/infra](https://tangled.org/@tangled.org/infra)
1078for how this can be achieved using Nix.
1079
1080Then, initialize the bao server:
1081
1082```bash
1083bao operator init -key-shares=1 -key-threshold=1
1084```
1085
1086This will print out an unseal key and a root key. Save them
1087somewhere (like a password manager). Then unseal the vault
1088to begin setting it up:
1089
1090```bash
1091bao operator unseal <unseal_key>
1092```
1093
1094All steps below remain the same across both dev and
1095production setups.
1096
1097#### Configure openbao server
1098
1099Create the spindle KV mount:
1100
1101```bash
1102bao secrets enable -path=spindle -version=2 kv
1103```
1104
1105Set up AppRole authentication and policy:
1106
1107Create a policy file `spindle-policy.hcl`:
1108
1109```hcl
1110# Full access to spindle KV v2 data
1111path "spindle/data/*" {
1112  capabilities = ["create", "read", "update", "delete"]
1113}
1114
1115# Access to metadata for listing and management
1116path "spindle/metadata/*" {
1117  capabilities = ["list", "read", "delete", "update"]
1118}
1119
1120# Allow listing at root level
1121path "spindle/" {
1122  capabilities = ["list"]
1123}
1124
1125# Required for connection testing and health checks
1126path "auth/token/lookup-self" {
1127  capabilities = ["read"]
1128}
1129```
1130
1131Apply the policy and create an AppRole:
1132
1133```bash
1134bao policy write spindle-policy spindle-policy.hcl
1135bao auth enable approle
1136bao write auth/approle/role/spindle \
1137    token_policies="spindle-policy" \
1138    token_ttl=1h \
1139    token_max_ttl=4h \
1140    bind_secret_id=true \
1141    secret_id_ttl=0 \
1142    secret_id_num_uses=0
1143```
1144
1145Get the credentials:
1146
1147```bash
1148# Get role ID (static)
1149ROLE_ID=$(bao read -field=role_id auth/approle/role/spindle/role-id)
1150
1151# Generate secret ID
1152SECRET_ID=$(bao write -f -field=secret_id auth/approle/role/spindle/secret-id)
1153
1154echo "Role ID: $ROLE_ID"
1155echo "Secret ID: $SECRET_ID"
1156```
1157
1158#### Create proxy configuration
1159
1160Create the credential files:
1161
1162```bash
1163# Create directory for OpenBao files
1164mkdir -p /tmp/openbao
1165
1166# Save credentials
1167echo "$ROLE_ID" > /tmp/openbao/role-id
1168echo "$SECRET_ID" > /tmp/openbao/secret-id
1169chmod 600 /tmp/openbao/role-id /tmp/openbao/secret-id
1170```
1171
1172Create a proxy configuration file `/tmp/openbao/proxy.hcl`:
1173
1174```hcl
1175# OpenBao server connection
1176vault {
1177  address = "http://localhost:8200"
1178}
1179
1180# Auto-Auth using AppRole
1181auto_auth {
1182  method "approle" {
1183    mount_path = "auth/approle"
1184    config = {
1185      role_id_file_path   = "/tmp/openbao/role-id"
1186      secret_id_file_path = "/tmp/openbao/secret-id"
1187    }
1188  }
1189
1190  # Optional: write token to file for debugging
1191  sink "file" {
1192    config = {
1193      path = "/tmp/openbao/token"
1194      mode = 0640
1195    }
1196  }
1197}
1198
1199# Proxy listener for spindle
1200listener "tcp" {
1201  address     = "127.0.0.1:8201"
1202  tls_disable = true
1203}
1204
1205# Enable API proxy with auto-auth token
1206api_proxy {
1207  use_auto_auth_token = true
1208}
1209
1210# Enable response caching
1211cache {
1212  use_auto_auth_token = true
1213}
1214
1215# Logging
1216log_level = "info"
1217```
1218
1219#### Start the proxy
1220
1221Start OpenBao Proxy:
1222
1223```bash
1224bao proxy -config=/tmp/openbao/proxy.hcl
1225```
1226
1227The proxy will authenticate with OpenBao and start listening on
1228`127.0.0.1:8201`.
1229
1230#### Configure spindle
1231
1232Set these environment variables for spindle:
1233
1234```bash
1235export SPINDLE_SERVER_SECRETS_PROVIDER=openbao
1236export SPINDLE_SERVER_SECRETS_OPENBAO_PROXY_ADDR=http://127.0.0.1:8201
1237export SPINDLE_SERVER_SECRETS_OPENBAO_MOUNT=spindle
1238```
1239
1240On startup, spindle will now connect to the local proxy,
1241which handles all authentication automatically.
1242
1243### Production setup for proxy
1244
1245For production, you'll want to run the proxy as a service:
1246
1247Place your production configuration in
1248`/etc/openbao/proxy.hcl` with proper TLS settings for the
1249vault connection.
1250
1251### Verifying setup
1252
1253Test the proxy directly:
1254
1255```bash
1256# Check proxy health
1257curl -H "X-Vault-Request: true" http://127.0.0.1:8201/v1/sys/health
1258
1259# Test token lookup through proxy
1260curl -H "X-Vault-Request: true" http://127.0.0.1:8201/v1/auth/token/lookup-self
1261```
1262
1263Test OpenBao operations through the server:
1264
1265```bash
1266# List all secrets
1267bao kv list spindle/
1268
1269# Add a test secret via the spindle API, then check it exists
1270bao kv list spindle/repos/
1271
1272# Get a specific secret
1273bao kv get spindle/repos/your_repo_path/SECRET_NAME
1274```
1275
1276### How it works
1277
1278- Spindle connects to OpenBao Proxy on localhost (typically
1279  port 8200 or 8201)
1280- The proxy authenticates with OpenBao using AppRole
1281  credentials
1282- All spindle requests go through the proxy, which injects
1283  authentication tokens
1284- Secrets are stored at
1285  `spindle/repos/{sanitized_repo_path}/{secret_key}`
1286- Repository paths like `did:plc:alice/myrepo` become
1287  `did_plc_alice_myrepo`
1288- The proxy handles all token renewal automatically
1289- Spindle no longer manages tokens or authentication
1290  directly
1291
1292### Troubleshooting
1293
1294**Connection refused**: Check that the OpenBao Proxy is
1295running and listening on the configured address.
1296
1297**403 errors**: Verify the AppRole credentials are correct
1298and the policy has the necessary permissions.
1299
1300**404 route errors**: The spindle KV mount probably doesn't
1301exist—run the mount creation step again.
1302
1303**Proxy authentication failures**: Check the proxy logs and
1304verify the role-id and secret-id files are readable and
1305contain valid credentials.
1306
1307**Secret not found after writing**: This can indicate policy
1308permission issues. Verify the policy includes both
1309`spindle/data/*` and `spindle/metadata/*` paths with
1310appropriate capabilities.
1311
1312Check proxy logs:
1313
1314```bash
1315# If running as systemd service
1316journalctl -u openbao-proxy -f
1317
1318# If running directly, check the console output
1319```
1320
1321Test AppRole authentication manually:
1322
1323```bash
1324bao write auth/approle/login \
1325    role_id="$(cat /tmp/openbao/role-id)" \
1326    secret_id="$(cat /tmp/openbao/secret-id)"
1327```
1328
1329# Webhooks
1330
1331Webhooks allow you to receive HTTP POST notifications when events occur in your repositories. This enables you to integrate Tangled with external services, trigger CI/CD pipelines, send notifications, or automate workflows.
1332
1333## Overview
1334
1335Webhooks send HTTP POST requests to URLs you configure whenever specific events happen. Currently, Tangled supports push events, with more event types coming soon.
1336
1337## Configuring webhooks
1338
1339To set up a webhook for your repository:
1340
13411. Navigate to your repository
13422. Go to **Settings → Hooks**
13433. Click **new webhook**
13444. Configure your webhook:
1345   - **Payload URL**: The endpoint that will receive the webhook POST requests
1346   - **Secret**: An optional secret key for verifying webhook authenticity (leave blank to send unsigned webhooks)
1347   - **Events**: Select which events trigger the webhook (currently only push events)
1348   - **Active**: Toggle whether the webhook is enabled
1349
1350## Webhook payload
1351
1352### Push
1353
1354When a push event occurs, Tangled sends a POST request with a JSON payload of the format:
1355
1356```json
1357{
1358  "after": "7b320e5cbee2734071e4310c1d9ae401d8f6cab5",
1359  "before": "c04ddf64eddc90e4e2a9846ba3b43e67a0e2865e",
1360  "pusher": { 
1361    "did": "did:plc:hwevmowznbiukdf6uk5dwrrq" 
1362  },
1363  "ref": "refs/heads/main",
1364  "repository": {
1365    "clone_url": "https://tangled.org/did:plc:hwevmowznbiukdf6uk5dwrrq/some-repo",
1366    "created_at": "2025-09-15T08:57:23Z",
1367    "description": "an example repository",
1368    "fork": false,
1369    "full_name": "did:plc:hwevmowznbiukdf6uk5dwrrq/some-repo",
1370    "html_url": "https://tangled.org/did:plc:hwevmowznbiukdf6uk5dwrrq/some-repo",
1371    "name": "some-repo",
1372    "open_issues_count": 5,
1373    "owner": { 
1374      "did": "did:plc:hwevmowznbiukdf6uk5dwrrq" 
1375    },
1376    "ssh_url": "ssh://git@tangled.org/did:plc:hwevmowznbiukdf6uk5dwrrq/some-repo",
1377    "stars_count": 1,
1378    "updated_at": "2025-09-15T08:57:23Z"
1379  }
1380}
1381```
1382
1383## HTTP headers
1384
1385Each webhook request includes the following headers:
1386
1387- `Content-Type: application/json`
1388- `User-Agent: Tangled-Hook/<short-sha>` — User agent with short SHA of the commit
1389- `X-Tangled-Event: push` — The event type
1390- `X-Tangled-Hook-ID: <webhook-id>` — The webhook ID
1391- `X-Tangled-Delivery: <uuid>` — Unique delivery ID
1392- `X-Tangled-Signature-256: sha256=<hmac>` — HMAC-SHA256 signature (if secret configured)
1393
1394## Verifying webhook signatures
1395
1396If you configured a secret, you should verify the webhook signature to ensure requests are authentic. For example, in Go:
1397
1398```go
1399package main
1400
1401import (
1402    "crypto/hmac"
1403    "crypto/sha256"
1404    "encoding/hex"
1405    "io"
1406    "net/http"
1407    "strings"
1408)
1409
1410func verifySignature(payload []byte, signatureHeader, secret string) bool {
1411    // Remove 'sha256=' prefix from signature header
1412    signature := strings.TrimPrefix(signatureHeader, "sha256=")
1413    
1414    // Compute expected signature
1415    mac := hmac.New(sha256.New, []byte(secret))
1416    mac.Write(payload)
1417    expected := hex.EncodeToString(mac.Sum(nil))
1418    
1419    // Use constant-time comparison to prevent timing attacks
1420    return hmac.Equal([]byte(signature), []byte(expected))
1421}
1422
1423func webhookHandler(w http.ResponseWriter, r *http.Request) {
1424    // Read the request body
1425    payload, err := io.ReadAll(r.Body)
1426    if err != nil {
1427        http.Error(w, "Bad request", http.StatusBadRequest)
1428        return
1429    }
1430    
1431    // Get signature from header
1432    signatureHeader := r.Header.Get("X-Tangled-Signature-256")
1433    
1434    // Verify signature
1435    if signatureHeader != "" && verifySignature(payload, signatureHeader, yourSecret) {
1436        // Webhook is authentic, process it
1437        processWebhook(payload)
1438        w.WriteHeader(http.StatusOK)
1439    } else {
1440        http.Error(w, "Invalid signature", http.StatusUnauthorized)
1441    }
1442}
1443```
1444
1445## Delivery retries
1446
1447Webhooks are automatically retried on failure:
1448
1449- **3 total attempts** (1 initial + 2 retries)
1450- **Exponential backoff** starting at 1 second, max 10 seconds
1451- **Retried on**:
1452  - Network errors
1453  - HTTP 5xx server errors
1454- **Not retried on**:
1455  - HTTP 4xx client errors (bad request, unauthorized, etc.)
1456
1457### Timeouts
1458
1459Webhook requests timeout after 30 seconds. If your endpoint needs more time:
1460
14611. Respond with 200 OK immediately
14622. Process the webhook asynchronously in the background
1463
1464## Example integrations
1465
1466### Discord notifications
1467
1468```javascript
1469app.post("/webhook", (req, res) => {
1470  const payload = req.body;
1471
1472  fetch("https://discord.com/api/webhooks/...", {
1473    method: "POST",
1474    headers: { "Content-Type": "application/json" },
1475    body: JSON.stringify({
1476      content: `New push to ${payload.repository.full_name}`,
1477      embeds: [
1478        {
1479          title: `${payload.pusher.did} pushed to ${payload.ref}`,
1480          url: payload.repository.html_url,
1481          color: 0x00ff00,
1482        },
1483      ],
1484    }),
1485  });
1486
1487  res.status(200).send("OK");
1488});
1489```
1490
1491# Migrating knots and spindles
1492
1493Sometimes, non-backwards compatible changes are made to the
1494knot/spindle XRPC APIs. If you host a knot or a spindle, you
1495will need to follow this guide to upgrade. Typically, this
1496only requires you to deploy the newest version.
1497
1498This document is laid out in reverse-chronological order.
1499Newer migration guides are listed first, and older guides
1500are further down the page.
1501
1502## Upgrading from v1.8.x
1503
1504After v1.8.2, the HTTP API for knots and spindles has been
1505deprecated and replaced with XRPC. Repositories on outdated
1506knots will not be viewable from the appview. Upgrading is
1507straightforward however.
1508
1509For knots:
1510
1511- Upgrade to the latest tag (v1.9.0 or above)
1512- Head to the [knot dashboard](https://tangled.org/settings/knots) and
1513  hit the "retry" button to verify your knot
1514
1515For spindles:
1516
1517- Upgrade to the latest tag (v1.9.0 or above)
1518- Head to the [spindle
1519  dashboard](https://tangled.org/settings/spindles) and hit the
1520  "retry" button to verify your spindle
1521
1522## Upgrading from v1.7.x
1523
1524After v1.7.0, knot secrets have been deprecated. You no
1525longer need a secret from the appview to run a knot. All
1526authorized commands to knots are managed via [Inter-Service
1527Authentication](https://atproto.com/specs/xrpc#inter-service-authentication-jwt).
1528Knots will be read-only until upgraded.
1529
1530Upgrading is quite easy, in essence:
1531
1532- `KNOT_SERVER_SECRET` is no more, you can remove this
1533  environment variable entirely
1534- `KNOT_SERVER_OWNER` is now required on boot, set this to
1535  your DID. You can find your DID in the
1536  [settings](https://tangled.org/settings) page.
1537- Restart your knot once you have replaced the environment
1538  variable
1539- Head to the [knot dashboard](https://tangled.org/settings/knots) and
1540  hit the "retry" button to verify your knot. This simply
1541  writes a `sh.tangled.knot` record to your PDS.
1542
1543If you use the nix module, simply bump the flake to the
1544latest revision, and change your config block like so:
1545
1546```diff
1547 services.tangled.knot = {
1548   enable = true;
1549   server = {
1550-    secretFile = /path/to/secret;
1551+    owner = "did:plc:foo";
1552   };
1553 };
1554```
1555
1556# Hacking on Tangled
1557
1558We highly recommend [installing
1559Nix](https://nixos.org/download/) (the package manager)
1560before working on the codebase. The Nix flake provides a lot
1561of helpers to get started and most importantly, builds and
1562dev shells are entirely deterministic.
1563
1564To set up your dev environment:
1565
1566```bash
1567nix develop
1568```
1569
1570Non-Nix users can look at the `devShell` attribute in the
1571`flake.nix` file to determine necessary dependencies.
1572
1573## Running the appview
1574
1575The appview requires Redis and OAuth JWKs. Start these
1576first, before launching the appview itself.
1577
1578```bash
1579# OAuth JWKs should already be set up by the Nix devshell:
1580echo $TANGLED_OAUTH_CLIENT_SECRET
1581z42ty4RT1ovnTopY8B8ekz9NuziF2CuMkZ7rbRFpAR9jBqMc
1582
1583echo $TANGLED_OAUTH_CLIENT_KID
15841761667908
1585
1586# if not, you can set it up yourself:
1587goat key generate -t P-256
1588Key Type: P-256 / secp256r1 / ES256 private key
1589Secret Key (Multibase Syntax): save this securely (eg, add to password manager)
1590        z42tuPDKRfM2mz2Kv953ARen2jmrPA8S9LX9tRq4RVcUMwwL
1591Public Key (DID Key Syntax): share or publish this (eg, in DID document)
1592        did:key:zDnaeUBxtG6Xuv3ATJE4GaWeyXM3jyamJsZw3bSPpxx4bNXDR
1593
1594# the secret key from above
1595export TANGLED_OAUTH_CLIENT_SECRET="z42tuP..."
1596
1597# Run Redis in a new shell to store OAuth sessions
1598redis-server
1599```
1600
1601The Nix flake exposes a few `app` attributes (run `nix
1602flake show` to see a full list of what the flake provides),
1603one of the apps runs the appview with the `air`
1604live-reloader:
1605
1606```bash
1607TANGLED_DEV=true nix run .#watch-appview
1608
1609# TANGLED_DB_PATH might be of interest to point to
1610# different sqlite DBs
1611
1612# in a separate shell, you can live-reload tailwind
1613nix run .#watch-tailwind
1614```
1615
1616## Running knots and spindles
1617
1618An end-to-end knot setup requires setting up a machine with
1619`sshd`, `AuthorizedKeysCommand`, and a Git user, which is
1620quite cumbersome. So the Nix flake provides a
1621`nixosConfiguration` to do so.
1622
1623<details>
1624  <summary><strong>macOS users will have to set up a Nix Builder first</strong></summary>
1625
1626In order to build Tangled's dev VM on macOS, you will
1627first need to set up a Linux Nix builder. The recommended
1628way to do so is to run a [`darwin.linux-builder`
1629VM](https://nixos.org/manual/nixpkgs/unstable/#sec-darwin-builder)
1630and to register it in `nix.conf` as a builder for Linux
1631with the same architecture as your Mac (`linux-aarch64` if
1632you are using Apple Silicon).
1633
1634> IMPORTANT: You must build `darwin.linux-builder` somewhere other than inside
1635> the Tangled repo so that it doesn't conflict with the other VM. For example,
1636> you can do
1637>
1638> ```shell
1639> cd $(mktemp -d buildervm.XXXXX) && nix run nixpkgs#darwin.linux-builder
1640> ```
1641>
1642> to store the builder VM in a temporary dir.
1643>
1644> You should read and follow [all the other intructions][darwin builder vm] to
1645> avoid subtle problems.
1646
1647Alternatively, you can use any other method to set up a
1648Linux machine with Nix installed that you can `sudo ssh`
1649into (in other words, root user on your Mac has to be able
1650to ssh into the Linux machine without entering a password)
1651and that has the same architecture as your Mac. See
1652[remote builder
1653instructions](https://nix.dev/manual/nix/2.28/advanced-topics/distributed-builds.html#requirements)
1654for how to register such a builder in `nix.conf`.
1655
1656> WARNING: If you'd like to use
1657> [`nixos-lima`](https://github.com/nixos-lima/nixos-lima) or
1658> [Orbstack](https://orbstack.dev/), note that setting them up so that `sudo
1659ssh` works can be tricky. It seems to be [possible with
1660> Orbstack](https://github.com/orgs/orbstack/discussions/1669).
1661
1662</details>
1663
1664To begin, grab your DID from http://localhost:3000/settings.
1665Then, set `TANGLED_VM_KNOT_OWNER` and
1666`TANGLED_VM_SPINDLE_OWNER` to your DID. You can now start a
1667lightweight NixOS VM like so:
1668
1669```bash
1670nix run --impure .#vm
1671
1672# type `poweroff` at the shell to exit the VM
1673```
1674
1675This starts a knot on port 6444, a spindle on port 6555
1676with `ssh` exposed on port 2222.
1677
1678Once the services are running, head to
1679http://localhost:3000/settings/knots and hit "Verify". It should
1680verify the ownership of the services instantly if everything
1681went smoothly.
1682
1683You can push repositories to this VM with this ssh config
1684block on your main machine:
1685
1686```bash
1687Host nixos-shell
1688    Hostname localhost
1689    Port 2222
1690    User git
1691    IdentityFile ~/.ssh/my_tangled_key
1692```
1693
1694Set up a remote called `local-dev` on a git repo:
1695
1696```bash
1697git remote add local-dev git@nixos-shell:user/repo
1698git push local-dev main
1699```
1700
1701The above VM should already be running a spindle on
1702`localhost:6555`. Head to http://localhost:3000/settings/spindles and
1703hit "Verify". You can then configure each repository to use
1704this spindle and run CI jobs.
1705
1706Of interest when debugging spindles:
1707
1708```
1709# Service logs from journald:
1710journalctl -xeu spindle
1711
1712# CI job logs from disk:
1713ls /var/log/spindle
1714
1715# Debugging spindle database:
1716sqlite3 /var/lib/spindle/spindle.db
1717
1718# litecli has a nicer REPL interface:
1719litecli /var/lib/spindle/spindle.db
1720```
1721
1722If for any reason you wish to disable either one of the
1723services in the VM, modify [nix/vm.nix](/nix/vm.nix) and set
1724`services.tangled.spindle.enable` (or
1725`services.tangled.knot.enable`) to `false`.
1726
1727# Contribution guide
1728
1729## Commit guidelines
1730
1731We follow a commit style similar to the Go project. Please keep commits:
1732
1733- **atomic**: each commit should represent one logical change
1734- **descriptive**: the commit message should clearly describe what the
1735  change does and why it's needed
1736
1737### Message format
1738
1739```
1740<service/top-level directory>/<affected package/directory>: <short summary of change>
1741
1742Optional longer description can go here, if necessary. Explain what the
1743change does and why, especially if not obvious. Reference relevant
1744issues or PRs when applicable. These can be links for now since we don't
1745auto-link issues/PRs yet.
1746```
1747
1748Here are some examples:
1749
1750```
1751appview/state: fix token expiry check in middleware
1752
1753The previous check did not account for clock drift, leading to premature
1754token invalidation.
1755```
1756
1757```
1758knotserver/git/service: improve error checking in upload-pack
1759```
1760
1761### General notes
1762
1763- PRs get merged "as-is" (fast-forward)—like applying a patch-series
1764  using `git am`. At present, there is no squashing—so please author
1765  your commits as they would appear on `master`, following the above
1766  guidelines.
1767- If there is a lot of nesting, for example "appview:
1768  pages/templates/repo/fragments: ...", these can be truncated down to
1769  just "appview: repo/fragments: ...". If the change affects a lot of
1770  subdirectories, you may abbreviate to just the top-level names, e.g.
1771  "appview: ..." or "knotserver: ...".
1772- Keep commits lowercased with no trailing period.
1773- Use the imperative mood in the summary line (e.g., "fix bug" not
1774  "fixed bug" or "fixes bug").
1775- Try to keep the summary line under 72 characters, but we aren't too
1776  fussed about this.
1777- Follow the same formatting for PR titles if filled manually.
1778- Don't include unrelated changes in the same commit.
1779- Avoid noisy commit messages like "wip" or "final fix"—rewrite history
1780  before submitting if necessary.
1781
1782## Code formatting
1783
1784We use a variety of tools to format our code, and multiplex them with
1785[`treefmt`](https://treefmt.com). All you need to do to format your changes
1786is run `nix run .#fmt` (or just `treefmt` if you're in the devshell).
1787
1788## Proposals for bigger changes
1789
1790Small fixes like typos, minor bugs, or trivial refactors can be
1791submitted directly as PRs.
1792
1793For larger changes—especially those introducing new features, significant
1794refactoring, or altering system behavior—please open a proposal first. This
1795helps us evaluate the scope, design, and potential impact before implementation.
1796
1797Create a new issue titled:
1798
1799```
1800proposal: <affected scope>: <summary of change>
1801```
1802
1803In the description, explain:
1804
1805- What the change is
1806- Why it's needed
1807- How you plan to implement it (roughly)
1808- Any open questions or tradeoffs
1809
1810We'll use the issue thread to discuss and refine the idea before moving
1811forward.
1812
1813## Developer Certificate of Origin (DCO)
1814
1815We require all contributors to certify that they have the right to
1816submit the code they're contributing. To do this, we follow the
1817[Developer Certificate of Origin
1818(DCO)](https://developercertificate.org/).
1819
1820By signing your commits, you're stating that the contribution is your
1821own work, or that you have the right to submit it under the project's
1822license. This helps us keep things clean and legally sound.
1823
1824To sign your commit, just add the `-s` flag when committing:
1825
1826```sh
1827git commit -s -m "your commit message"
1828```
1829
1830This appends a line like:
1831
1832```
1833Signed-off-by: Your Name <your.email@example.com>
1834```
1835
1836We won't merge commits if they aren't signed off. If you forget, you can
1837amend the last commit like this:
1838
1839```sh
1840git commit --amend -s
1841```
1842
1843If you're submitting a PR with multiple commits, make sure each one is
1844signed.
1845
1846For [jj](https://jj-vcs.github.io/jj/latest/) users, you can run the following command
1847to make it sign off commits in the tangled repo:
1848
1849```shell
1850# Safety check, should say "No matching config key..."
1851jj config list templates.commit_trailers
1852# The command below may need to be adjusted if the command above returned something.
1853jj config set --repo templates.commit_trailers "format_signed_off_by_trailer(self)"
1854```
1855
1856Refer to the [jujutsu
1857documentation](https://jj-vcs.github.io/jj/latest/config/#commit-trailers)
1858for more information.
1859
1860# Troubleshooting guide
1861
1862## Login issues
1863
1864Owing to the distributed nature of OAuth on AT Protocol, you
1865may run into issues with logging in. If you run a
1866self-hosted PDS:
1867
1868- You may need to ensure that your PDS is timesynced using
1869  NTP:
1870  - Enable the `ntpd` service
1871  - Run `ntpd -qg` to synchronize your clock
1872- You may need to increase the default request timeout:
1873  `NODE_OPTIONS="--network-family-autoselection-attempt-timeout=500"`
1874
1875## Empty punchcard
1876
1877For Tangled to register commits that you make across the
1878network, you need to setup one of following:
1879
1880- The committer email should be a verified email associated
1881  to your account. You can add and verify emails on the
1882  settings page.
1883- Or, the committer email should be set to your account's
1884  DID: `git config user.email "did:plc:foobar"`. You can find
1885  your account's DID on the settings page
1886
1887## Commit is not marked as verified
1888
1889Presently, Tangled only supports SSH commit signatures.
1890
1891To sign commits using an SSH key with git:
1892
1893```
1894git config --global gpg.format ssh
1895git config --global user.signingkey ~/.ssh/tangled-key
1896```
1897
1898To sign commits using an SSH key with jj, add this to your
1899config:
1900
1901```
1902[signing]
1903behavior = "own"
1904backend = "ssh"
1905key = "~/.ssh/tangled-key"
1906```
1907
1908## Self-hosted knot issues
1909
1910If you need help troubleshooting a self-hosted knot, check
1911out the [knot troubleshooting
1912guide](/knot-self-hosting-guide.html#troubleshooting).