tjh.dev / test
forked from tangled.org/core
Mirror of @tangled.org/core. Running on a Raspberry Pi Zero 2 (Please be gentle).
fork atom

nix/vm: don't hardcode knot secret and spindle owner

Signed-off-by: Winter <winter@winter.cafe>

authored by winter.bsky.social and committed by

Tangled cf07090e 3d6e9ffc

+82 -76
+9 -10
docs/hacking.md
··· 56 56 `nixosConfiguration` to do so. 57 57 58 58 To begin, head to `http://localhost:3000/knots` in the browser 59 - and generate a knot secret. Replace the existing secret in 60 - `nix/vm.nix` (`KNOT_SERVER_SECRET`) with the newly generated 61 - secret. 59 + and generate a knot secret. Set `$TANGLED_KNOT_SECRET` to it, 60 + ideally in a `.envrc` with [direnv](https://direnv.net) so you 61 + don't lose it. 62 62 63 63 You can now start a lightweight NixOS VM using 64 64 `nixos-shell` like so: ··· 91 91 92 92 ## running a spindle 93 93 94 - Be sure to change the `owner` field for the spindle in 95 - `nix/vm.nix` to your own DID. The above VM should already 96 - be running a spindle on `localhost:6555`. You can head to 97 - the spindle dashboard on `http://localhost:3000/spindles`, 98 - and register a spindle with hostname `localhost:6555`. It 99 - should instantly be verified. You can then configure each 100 - repository to use this spindle and run CI jobs. 94 + Be sure to set `$TANGLED_SPINDLE_OWNER` to your own DID. 95 + The above VM should already be running a spindle on `localhost:6555`. 96 + You can head to the spindle dashboard on `http://localhost:3000/spindles`, 97 + and register a spindle with hostname `localhost:6555`. It should instantly 98 + be verified. You can then configure each repository to use this spindle 99 + and run CI jobs. 101 100 102 101 Of interest when debugging spindles: 103 102
+73 -66
nix/vm.nix
··· 2 2 nixpkgs, 3 3 system, 4 4 self, 5 - }: 6 - nixpkgs.lib.nixosSystem { 7 - inherit system; 8 - modules = [ 9 - self.nixosModules.knot 10 - self.nixosModules.spindle 11 - ({ 12 - config, 13 - pkgs, 14 - ... 15 - }: { 16 - virtualisation = { 17 - memorySize = 2048; 18 - diskSize = 10 * 1024; 19 - cores = 2; 20 - forwardPorts = [ 21 - # ssh 22 - { 23 - from = "host"; 24 - host.port = 2222; 25 - guest.port = 22; 26 - } 27 - # knot 28 - { 29 - from = "host"; 30 - host.port = 6000; 31 - guest.port = 6000; 32 - } 33 - # spindle 34 - { 35 - from = "host"; 36 - host.port = 6555; 37 - guest.port = 6555; 38 - } 39 - ]; 40 - }; 41 - services.getty.autologinUser = "root"; 42 - environment.systemPackages = with pkgs; [curl vim git]; 43 - systemd.tmpfiles.rules = let 44 - u = config.services.tangled-knot.gitUser; 45 - g = config.services.tangled-knot.gitUser; 46 - in [ 47 - "d /var/lib/knot 0770 ${u} ${g} - -" # Create the directory first 48 - "f+ /var/lib/knot/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=168c426fa6d9829fcbe85c96bdf144e800fb9737d6ca87f21acc543b1aa3e440" 49 - ]; 50 - services.tangled-knot = { 51 - enable = true; 52 - motd = "Welcome to the development knot!\n"; 53 - server = { 54 - secretFile = "/var/lib/knot/secret"; 55 - hostname = "localhost:6000"; 56 - listenAddr = "0.0.0.0:6000"; 5 + }: let 6 + envVar = name: let 7 + var = builtins.getEnv name; 8 + in 9 + if var == "" 10 + then throw "\$${name} must be defined, see docs/hacking.md for more details" 11 + else var; 12 + in 13 + nixpkgs.lib.nixosSystem { 14 + inherit system; 15 + modules = [ 16 + self.nixosModules.knot 17 + self.nixosModules.spindle 18 + ({ 19 + config, 20 + pkgs, 21 + ... 22 + }: { 23 + virtualisation = { 24 + memorySize = 2048; 25 + diskSize = 10 * 1024; 26 + cores = 2; 27 + forwardPorts = [ 28 + # ssh 29 + { 30 + from = "host"; 31 + host.port = 2222; 32 + guest.port = 22; 33 + } 34 + # knot 35 + { 36 + from = "host"; 37 + host.port = 6000; 38 + guest.port = 6000; 39 + } 40 + # spindle 41 + { 42 + from = "host"; 43 + host.port = 6555; 44 + guest.port = 6555; 45 + } 46 + ]; 57 47 }; 58 - }; 59 - services.tangled-spindle = { 60 - enable = true; 61 - server = { 62 - owner = "did:plc:qfpnj4og54vl56wngdriaxug"; 63 - hostname = "localhost:6555"; 64 - listenAddr = "0.0.0.0:6555"; 65 - dev = true; 66 - secrets = { 67 - provider = "sqlite"; 48 + services.getty.autologinUser = "root"; 49 + environment.systemPackages = with pkgs; [curl vim git]; 50 + systemd.tmpfiles.rules = let 51 + u = config.services.tangled-knot.gitUser; 52 + g = config.services.tangled-knot.gitUser; 53 + in [ 54 + "d /var/lib/knot 0770 ${u} ${g} - -" # Create the directory first 55 + "f+ /var/lib/knot/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=${envVar "TANGLED_VM_KNOT_SECRET"}" 56 + ]; 57 + services.tangled-knot = { 58 + enable = true; 59 + motd = "Welcome to the development knot!\n"; 60 + server = { 61 + secretFile = "/var/lib/knot/secret"; 62 + hostname = "localhost:6000"; 63 + listenAddr = "0.0.0.0:6000"; 68 64 }; 69 65 }; 70 - }; 71 - }) 72 - ]; 73 - } 66 + services.tangled-spindle = { 67 + enable = true; 68 + server = { 69 + owner = envVar "TANGLED_VM_SPINDLE_OWNER"; 70 + hostname = "localhost:6555"; 71 + listenAddr = "0.0.0.0:6555"; 72 + dev = true; 73 + secrets = { 74 + provider = "sqlite"; 75 + }; 76 + }; 77 + }; 78 + }) 79 + ]; 80 + }