From 62a0d6fe2f4c1845aedc80c533e4a5ad584db403 Mon Sep 17 00:00:00 2001
From: Winter
Date: Sat, 9 Aug 2025 19:28:32 -0400
Subject: [PATCH] nix/vm: don't hardcode knot secret and spindle owner
Change-Id: ntztyonzltztqqvuxuuoxyvvuryvwkvw
Signed-off-by: Winter
---
 docs/hacking.md | 19 ++++---
 nix/vm.nix | 137 +++++++++++++++++++++++++-----------------------
 2 files changed, 81 insertions(+), 75 deletions(-)
diff --git a/docs/hacking.md b/docs/hacking.md
index e7d279b..a16c0ab 100644
--- a/docs/hacking.md
+++ b/docs/hacking.md
@@ -56,9 +56,9 @@ quite cumbersome. So the nix flake provides a `nixosConfiguration` to do so. To begin, head to `http://localhost:3000/knots` in the browser
-and generate a knot secret. Replace the existing secret in
-`nix/vm.nix` (`KNOT_SERVER_SECRET`) with the newly generated
-secret.
+and generate a knot secret. Set `$TANGLED_KNOT_SECRET` to it,
+ideally in a `.envrc` with [direnv](https://direnv.net) so you
+don't lose it.
 You can now start a lightweight NixOS VM using `nixos-shell` like so:
@@ -91,13 +91,12 @@ git push local-dev main ## running a spindle
-Be sure to change the `owner` field for the spindle in
-`nix/vm.nix` to your own DID. The above VM should already
-be running a spindle on `localhost:6555`. You can head to
-the spindle dashboard on `http://localhost:3000/spindles`,
-and register a spindle with hostname `localhost:6555`. It
-should instantly be verified. You can then configure each
-repository to use this spindle and run CI jobs.
+Be sure to set `$TANGLED_SPINDLE_OWNER` to your own DID.
+The above VM should already be running a spindle on `localhost:6555`.
+You can head to the spindle dashboard on `http://localhost:3000/spindles`,
+and register a spindle with hostname `localhost:6555`. It should instantly
+be verified. You can then configure each repository to use this spindle
+and run CI jobs.
 Of interest when debugging spindles:
diff --git a/nix/vm.nix b/nix/vm.nix
index 07498b0..e7c5d44 100644
--- a/nix/vm.nix
+++ b/nix/vm.nix 
@@ -2,72 +2,79 @@
 nixpkgs,
 system,
 self,
-}:
-nixpkgs.lib.nixosSystem {
- inherit system;
- modules = [
- self.nixosModules.knot
- self.nixosModules.spindle
- ({
- config,
- pkgs,
- ...
- }: {
- virtualisation = {
- memorySize = 2048;
- diskSize = 10 * 1024;
- cores = 2;
- forwardPorts = [
- # ssh
- {
- from = "host";
- host.port = 2222;
- guest.port = 22;
- }
- # knot
- {
- from = "host";
- host.port = 6000;
- guest.port = 6000;
- }
- # spindle
- {
- from = "host";
- host.port = 6555;
- guest.port = 6555;
- }
+}: let
+ envVar = name: let
+ var = builtins.getEnv name;
+ in
+ if var == ""
+ then throw "\$${name} must be defined, see docs/hacking.md for more details"
+ else var;
+in
+ nixpkgs.lib.nixosSystem {
+ inherit system;
+ modules = [
+ self.nixosModules.knot
+ self.nixosModules.spindle
+ ({
+ config,
+ pkgs,
+ ...
+ }: {
+ virtualisation = {
+ memorySize = 2048;
+ diskSize = 10 * 1024;
+ cores = 2;
+ forwardPorts = [
+ # ssh
+ {
+ from = "host";
+ host.port = 2222;
+ guest.port = 22;
+ }
+ # knot
+ {
+ from = "host";
+ host.port = 6000;
+ guest.port = 6000;
+ }
+ # spindle
+ {
+ from = "host";
+ host.port = 6555;
+ guest.port = 6555;
+ }
+ ];
+ };
+ services.getty.autologinUser = "root";
+ environment.systemPackages = with pkgs; [curl vim git];
+ systemd.tmpfiles.rules = let
+ u = config.services.tangled-knot.gitUser;
+ g = config.services.tangled-knot.gitUser;
+ in [
+ "d /var/lib/knot 0770 ${u} ${g} - -" # Create the directory first
+ "f+ /var/lib/knot/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=${envVar "TANGLED_VM_KNOT_SECRET"}"
 ];
- };
- services.getty.autologinUser = "root";
- environment.systemPackages = with pkgs; [curl vim git];
- systemd.tmpfiles.rules = let
- u = config.services.tangled-knot.gitUser;
- g = config.services.tangled-knot.gitUser;
- in [
- "d /var/lib/knot 0770 ${u} ${g} - -" # Create the directory first
- "f+ /var/lib/knot/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=168c426fa6d9829fcbe85c96bdf144e800fb9737d6ca87f21acc543b1aa3e440"
- ];
- services.tangled-knot = {
- enable = true;
- motd = "Welcome to the development knot!\n";
- server = {
- secretFile = "/var/lib/knot/secret";
- hostname = "localhost:6000";
- listenAddr = "0.0.0.0:6000";
+ services.tangled-knot = {
+ enable = true;
+ motd = "Welcome to the development knot!\n";
+ server = {
+ secretFile = "/var/lib/knot/secret";
+ hostname = "localhost:6000";
+ listenAddr = "0.0.0.0:6000";
+ };
 };
- };
- services.tangled-spindle = {
- enable = true;
- server = {
- owner = "did:plc:qfpnj4og54vl56wngdriaxug";
- hostname = "localhost:6555";
- listenAddr = "0.0.0.0:6555";
- dev = true;
- secrets = {
- provider = "sqlite";
+ services.tangled-spindle = {
+ enable = true;
+ server = {
+ owner = envVar "TANGLED_VM_SPINDLE_OWNER";
+ hostname = "localhost:6555";
+ listenAddr = "0.0.0.0:6555";
+ dev = true;
+ secrets = {
+ provider = "sqlite";
+ };
 };
 };
- };
- })
- ];
-}
+ })
+ ];
+ }
-- 2.43.0
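Review bot: The variable names the new code reads, `envVar "TANGLED_VM_KNOT_SECRET"` in the tmpfiles rule and `envVar "TANGLED_VM_SPINDLE_OWNER"` for `owner`, do not match the names the docs/hacking.md hunk tells the user to set (`$TANGLED_KNOT_SECRET` and `$TANGLED_SPINDLE_OWNER`), so a user following the docs hits the throw, whose message sends them back to the same docs; either change the two calls to `envVar "TANGLED_KNOT_SECRET"` / `envVar "TANGLED_SPINDLE_OWNER"` or fix the docs. `builtins.getEnv` yields `""` under pure flake evaluation, so this presumably only works when the VM is built with `--impure`, which neither the throw message nor the docs mention. Moving the secret out of the repository is an improvement, but it is still interpolated into the `f+ /var/lib/knot/secret` rule and therefore into the generated tmpfiles configuration in the world-readable Nix store, which deserves a comment on that line such as `# dev VM only: the secret becomes part of the system closure in /nix/store`. The literal value removed from that rule remains in git history, so the docs' instruction to generate a knot secret should be read as "generate a fresh one".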