back round 0 view raw

nix/vm: don't hardcode knot secret and spindle owner #435

merged
opened by winter.bsky.social targeting master from winter.bsky.social/core: push-ynzsmmzxzqzy
options
unified split
Changed files
+81 -75
docs
hacking.md
nix
vm.nix
+9 -10
docs/hacking.md 
···

       
56

       
 

       
`nixosConfiguration` to do so.


     

       
57

       
 

       



     

       
58

       
 

       
To begin, head to `http://localhost:3000/knots` in the browser


     

       
59

       
-

       
and generate a knot secret. Replace the existing secret in


     

       
60

       
-

       
`nix/vm.nix` (`KNOT_SERVER_SECRET`) with the newly generated


     

       
61

       
-

       
secret.


     

       
62

       
 

       



     

       
63

       
 

       
You can now start a lightweight NixOS VM using


     

       
64

       
 

       
`nixos-shell` like so:


     
···

       
91

       
 

       



     

       
92

       
 

       
## running a spindle


     

       
93

       
 

       



     

       
94

       
-

       
Be sure to change the `owner` field for the spindle in


     

       
95

       
-

       
`nix/vm.nix` to your own DID. The above VM should already


     

       
96

       
-

       
be running a spindle on `localhost:6555`. You can head to


     

       
97

       
-

       
the spindle dashboard on `http://localhost:3000/spindles`,


     

       
98

       
-

       
and register a spindle with hostname `localhost:6555`. It


     

       
99

       
-

       
should instantly be verified. You can then configure each


     

       
100

       
-

       
repository to use this spindle and run CI jobs.


     

       
101

       
 

       



     

       
102

       
 

       
Of interest when debugging spindles:


     

       
103

       
 

       



     
···

       
56

       
 

       
`nixosConfiguration` to do so.


     

       
57

       
 

       



     

       
58

       
 

       
To begin, head to `http://localhost:3000/knots` in the browser


     

       
59

       
+

       
and generate a knot secret. Set `$TANGLED_KNOT_SECRET` to it,


     

       
60

       
+

       
ideally in a `.envrc` with [direnv](https://direnv.net) so you


     

       
61

       
+

       
don't lose it.


     

       
62

       
 

       



     

       
63

       
 

       
You can now start a lightweight NixOS VM using


     

       
64

       
 

       
`nixos-shell` like so:


     
···

       
91

       
 

       



     

       
92

       
 

       
## running a spindle


     

       
93

       
 

       



     

       
94

       
+

       
Be sure to set `$TANGLED_SPINDLE_OWNER` to your own DID.


     

       
95

       
+

       
The above VM should already be running a spindle on `localhost:6555`.


     

       
96

       
+

       
You can head to the spindle dashboard on `http://localhost:3000/spindles`,


     

       
97

       
+

       
and register a spindle with hostname `localhost:6555`. It should instantly


     

       
98

       
+

       
be verified. You can then configure each repository to use this spindle


     

       
99

       
+

       
and run CI jobs.


     

       

       

       
     

       
100

       
 

       



     

       
101

       
 

       
Of interest when debugging spindles:


     

       
102
+72 -65
nix/vm.nix 
···

       
2

       
 

       
  nixpkgs,


     

       
3

       
 

       
  system,


     

       
4

       
 

       
  self,


     

       
5

       
-

       
}:


     

       
6

       
-

       
nixpkgs.lib.nixosSystem {


     

       
7

       
-

       
  inherit system;


     

       
8

       
-

       
  modules = [


     

       
9

       
-

       
    self.nixosModules.knot


     

       
10

       
-

       
    self.nixosModules.spindle


     

       
11

       
-

       
    ({


     

       
12

       
-

       
      config,


     

       
13

       
-

       
      pkgs,


     

       
14

       
-

       
      ...


     

       
15

       
-

       
    }: {


     

       
16

       
-

       
      virtualisation = {


     

       
17

       
-

       
        memorySize = 2048;


     

       
18

       
-

       
        diskSize = 10 * 1024;


     

       
19

       
-

       
        cores = 2;


     

       
20

       
-

       
        forwardPorts = [


     

       
21

       
-

       
          # ssh


     

       
22

       
-

       
          {


     

       
23

       
-

       
            from = "host";


     

       
24

       
-

       
            host.port = 2222;


     

       
25

       
-

       
            guest.port = 22;


     

       
26

       
-

       
          }


     

       
27

       
-

       
          # knot


     

       
28

       
-

       
          {


     

       
29

       
-

       
            from = "host";


     

       
30

       
-

       
            host.port = 6000;


     

       
31

       
-

       
            guest.port = 6000;


     

       
32

       
-

       
          }


     

       
33

       
-

       
          # spindle


     

       
34

       
-

       
          {


     

       
35

       
-

       
            from = "host";


     

       
36

       
-

       
            host.port = 6555;


     

       
37

       
-

       
            guest.port = 6555;


     

       
38

       
-

       
          }


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
39

       
 

       
        ];


     

       
40

       
-

       
      };


     

       
41

       
-

       
      services.getty.autologinUser = "root";


     

       
42

       
-

       
      environment.systemPackages = with pkgs; [curl vim git];


     

       
43

       
-

       
      systemd.tmpfiles.rules = let


     

       
44

       
-

       
        u = config.services.tangled-knot.gitUser;


     

       
45

       
-

       
        g = config.services.tangled-knot.gitUser;


     

       
46

       
-

       
      in [


     

       
47

       
-

       
        "d /var/lib/knot 0770 ${u} ${g} - -" # Create the directory first


     

       
48

       
-

       
        "f+ /var/lib/knot/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=168c426fa6d9829fcbe85c96bdf144e800fb9737d6ca87f21acc543b1aa3e440"


     

       
49

       
-

       
      ];


     

       
50

       
-

       
      services.tangled-knot = {


     

       
51

       
-

       
        enable = true;


     

       
52

       
-

       
        motd = "Welcome to the development knot!\n";


     

       
53

       
-

       
        server = {


     

       
54

       
-

       
          secretFile = "/var/lib/knot/secret";


     

       
55

       
-

       
          hostname = "localhost:6000";


     

       
56

       
-

       
          listenAddr = "0.0.0.0:6000";


     

       
57

       
 

       
        };


     

       
58

       
-

       
      };


     

       
59

       
-

       
      services.tangled-spindle = {


     

       
60

       
-

       
        enable = true;


     

       
61

       
-

       
        server = {


     

       
62

       
-

       
          owner = "did:plc:qfpnj4og54vl56wngdriaxug";


     

       
63

       
-

       
          hostname = "localhost:6555";


     

       
64

       
-

       
          listenAddr = "0.0.0.0:6555";


     

       
65

       
-

       
          dev = true;


     

       
66

       
-

       
          secrets = {


     

       
67

       
-

       
            provider = "sqlite";


     

       
68

       
 

       
          };


     

       
69

       
 

       
        };


     

       
70

       
-

       
      };


     

       
71

       
-

       
    })


     

       
72

       
-

       
  ];


     

       
73

       
-

       
}


     
···

       
2

       
 

       
  nixpkgs,


     

       
3

       
 

       
  system,


     

       
4

       
 

       
  self,


     

       
5

       
+

       
}: let


     

       
6

       
+

       
  envVar = name: let


     

       
7

       
+

       
    var = builtins.getEnv name;


     

       
8

       
+

       
  in


     

       
9

       
+

       
    if var == ""


     

       
10

       
+

       
    then throw "\$${name} must be defined, see docs/hacking.md for more details"


     

       
11

       
+

       
    else var;


     

       
12

       
+

       
in


     

       
13

       
+

       
  nixpkgs.lib.nixosSystem {


     

       
14

       
+

       
    inherit system;


     

       
15

       
+

       
    modules = [


     

       
16

       
+

       
      self.nixosModules.knot


     

       
17

       
+

       
      self.nixosModules.spindle


     

       
18

       
+

       
      ({


     

       
19

       
+

       
        config,


     

       
20

       
+

       
        pkgs,


     

       
21

       
+

       
        ...


     

       
22

       
+

       
      }: {


     

       
23

       
+

       
        virtualisation = {


     

       
24

       
+

       
          memorySize = 2048;


     

       
25

       
+

       
          diskSize = 10 * 1024;


     

       
26

       
+

       
          cores = 2;


     

       
27

       
+

       
          forwardPorts = [


     

       
28

       
+

       
            # ssh


     

       
29

       
+

       
            {


     

       
30

       
+

       
              from = "host";


     

       
31

       
+

       
              host.port = 2222;


     

       
32

       
+

       
              guest.port = 22;


     

       
33

       
+

       
            }


     

       
34

       
+

       
            # knot


     

       
35

       
+

       
            {


     

       
36

       
+

       
              from = "host";


     

       
37

       
+

       
              host.port = 6000;


     

       
38

       
+

       
              guest.port = 6000;


     

       
39

       
+

       
            }


     

       
40

       
+

       
            # spindle


     

       
41

       
+

       
            {


     

       
42

       
+

       
              from = "host";


     

       
43

       
+

       
              host.port = 6555;


     

       
44

       
+

       
              guest.port = 6555;


     

       
45

       
+

       
            }


     

       
46

       
+

       
          ];


     

       
47

       
+

       
        };


     

       
48

       
+

       
        services.getty.autologinUser = "root";


     

       
49

       
+

       
        environment.systemPackages = with pkgs; [curl vim git];


     

       
50

       
+

       
        systemd.tmpfiles.rules = let


     

       
51

       
+

       
          u = config.services.tangled-knot.gitUser;


     

       
52

       
+

       
          g = config.services.tangled-knot.gitUser;


     

       
53

       
+

       
        in [


     

       
54

       
+

       
          "d /var/lib/knot 0770 ${u} ${g} - -" # Create the directory first


     

       
55

       
+

       
          "f+ /var/lib/knot/secret 0660 ${u} ${g} - KNOT_SERVER_SECRET=${envVar "TANGLED_VM_KNOT_SECRET"}"


     

       
56

       
 

       
        ];


     

       
57

       
+

       
        services.tangled-knot = {


     

       
58

       
+

       
          enable = true;


     

       
59

       
+

       
          motd = "Welcome to the development knot!\n";


     

       
60

       
+

       
          server = {


     

       
61

       
+

       
            secretFile = "/var/lib/knot/secret";


     

       
62

       
+

       
            hostname = "localhost:6000";


     

       
63

       
+

       
            listenAddr = "0.0.0.0:6000";


     

       
64

       
+

       
          };


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
65

       
 

       
        };


     

       
66

       
+

       
        services.tangled-spindle = {


     

       
67

       
+

       
          enable = true;


     

       
68

       
+

       
          server = {


     

       
69

       
+

       
            owner = envVar "TANGLED_VM_SPINDLE_OWNER";


     

       
70

       
+

       
            hostname = "localhost:6555";


     

       
71

       
+

       
            listenAddr = "0.0.0.0:6555";


     

       
72

       
+

       
            dev = true;


     

       
73

       
+

       
            secrets = {


     

       
74

       
+

       
              provider = "sqlite";


     

       
75

       
+

       
            };


     

       
76

       
 

       
          };


     

       
77

       
 

       
        };


     

       
78

       
+

       
      })


     

       
79

       
+

       
    ];


     

       
80

       
+

       
  }