improve examples/shell.nix

The user's local node configuration directory usually contains a copy of
examples/shell.nix.

1. Move the shell implementation from shell.nix to nix-bitcoin/helper/makeShell.nix
   Because the shell is no longer defined locally in the user's config
   directory, we can now ship new shell features via nix-bitcoin updates.

2. Simplify examples/nix-bitcoin-release.nix
   nix-bitcoin-release.nix, as generated via `fetch-release`, now
   contains a simple fetchTarball statement which can be directly imported.
   This allows us to get rid of the extra `nix-bitcoin-unpacked` derivation
   which adds a dependency on the user's local nixpkgs.

   To keep `fetch-release` as simple as possible for easy auditing, we just
   fetch and verify a `nar-hash.txt` file that is now uploaded
   via `push-release.sh`.

A migration guide for updating the user's local `shell.nix` is
automatically printed when the user starts a new shell after updating
nix-bitcoin.
This is achieved by throwing an error in `generate-secrets`, which is called
on shell startup.

This commit is required to deploy the new extensible `generate-secrets`
mechanism introduced in the next commit.

examples/shell.nix

@@ -1,53 +1,8 @@
 let
-  # This is either a path to a local nix-bitcoin source or an attribute set to
-  # be used as the fetchurl argument.
-  nix-bitcoin-release = import ./nix-bitcoin-release.nix;
-
-  nix-bitcoin-path =
-    if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
-    else nix-bitcoin-release;
-
-  nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
-  pkgs = import nixpkgs-path {};
-  nix-bitcoin = pkgs.callPackage nix-bitcoin-path {};
-
-  nix-bitcoin-unpacked = (import <nixpkgs> {}).runCommand "nix-bitcoin-src" {} ''
-    mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
-  '';
+  nix-bitcoin = toString (import ./nix-bitcoin-release.nix);
 in
-with pkgs;
-stdenv.mkDerivation rec {
-  name = "nix-bitcoin-environment";
-
-  path = lib.makeBinPath [ nix-bitcoin.extra-container ];
-
-  shellHook = ''
-    export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
-    export PATH="${path}''${PATH:+:}$PATH"
-
-    export NIX_BITCOIN_EXAMPLES_DIR="${toString ./.}"
-
-    fetch-release() {
-      ${toString nix-bitcoin-path}/helper/fetch-release
-    }
-
-    krops-deploy() {
-      # Ensure strict permissions on secrets/ directory before rsyncing it to
-      # the target machine
-      chmod 700 ${toString ./secrets}
-      $(nix-build --no-out-link ${toString ./krops/deploy.nix})
-    }
-
-    # Print logo if
-    # 1. stdout is a TTY, i.e. we're not piping the output
-    # 2. the shell is interactive
-    if [[ -t 1 && $- == *i* ]]; then
-      ${figlet}/bin/figlet "nix-bitcoin"
-    fi
-
-    (mkdir -p secrets; cd secrets; env -i ${nix-bitcoin.generate-secrets})
-
-    # Don't run this hook when another nix-shell is run inside this shell
-    unset shellHook
-  '';
-}
+  import "${nix-bitcoin}/helper/makeShell.nix" {
+    configDir = ./.;
+    # Set this to modify your shell
+    # extraShellInitCmds = (pkgs: ''<my bash code>'');
+  }

flake.nix

@@ -62,7 +62,7 @@
         nbPkgs = self.mkNbPkgs { inherit system pkgs; };
 
         packages = flake-utils.lib.flattenTree (removeAttrs nbPkgs [
-          "pinned" "modulesPkgs" "nixops19_09" "krops"
+          "pinned" "modulesPkgs" "nixops19_09" "krops" "generate-secrets"
         ]) // {
           runVM = mkVMScript packages.vm;
 

helper/fetch-release

@@ -15,26 +15,28 @@ trap "rm -rf $TMPDIR" EXIT
 GPG_HOME=$TMPDIR/gpg-home
 mkdir -p -m 700 "$GPG_HOME"
 
-cd $TMPDIR
-baseUrl=https://github.com/$repo/releases/download/v$version
-curl --silent -L -O $baseUrl/SHA256SUMS.txt
-curl --silent -L -O $baseUrl/SHA256SUMS.txt.asc
-
 # Import key
 gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
 # Verify key fingerprint
 gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
 
-# Verify signature for SHA256SUMS.txt
-gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
+# Fetch nar-hash of release
+cd $TMPDIR
+baseUrl=https://github.com/$repo/releases/download/v$version
+curl --silent -L -O $baseUrl/nar-hash.txt
+curl --silent -L -O $baseUrl/nar-hash.txt.asc
+
+# Verify signature for nar-hash
+gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
     echo "Error: Signature verification failed. Please open an issue in the project repository."
     exit 1
 }
 
-sha256=$(cat SHA256SUMS.txt | cut -d\  -f1)
+>&2 echo "Fetched and verified release $version"
+
 cat <<EOF
-{
-  url = "$baseUrl/nix-bitcoin-$version.tar.gz";
-  sha256 = "$sha256";
+builtins.fetchTarball {
+  url = "https://github.com/$repo/archive/v$version.tar.gz";
+  sha256 = "$(cat nar-hash.txt)";
 }
 EOF

helper/makeShell.nix

@@ -0,0 +1,43 @@
+{ configDir, extraShellInitCmds ? (pkgs: "") }:
+let
+  nixpkgs = (import ../pkgs/nixpkgs-pinned.nix).nixpkgs;
+  pkgs = import nixpkgs {};
+  nbPkgs = import ../pkgs { inherit pkgs; };
+  cfgDir = toString configDir;
+in
+with pkgs;
+stdenv.mkDerivation rec {
+  name = "nix-bitcoin-environment";
+
+  path = lib.makeBinPath [ nbPkgs.extra-container ];
+
+  shellHook = ''
+    export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=${toString ../.}:."
+    export PATH="${path}''${PATH:+:}$PATH"
+
+    export NIX_BITCOIN_EXAMPLES_DIR="${cfgDir}"
+
+    fetch-release() {
+      ${toString ./fetch-release}
+    }
+
+    krops-deploy() {
+      # Ensure strict permissions on secrets/ directory before rsyncing it to
+      # the target machine
+      chmod 700 "${cfgDir}/secrets"
+      $(nix-build --no-out-link "${cfgDir}/krops/deploy.nix")
+    }
+
+    # Print logo if
+    # 1. stdout is a TTY, i.e. we're not piping the output
+    # 2. the shell is interactive
+    if [[ -t 1 && $- == *i* ]]; then
+      ${figlet}/bin/figlet "nix-bitcoin"
+    fi
+
+    # Don't run this hook when another nix-shell is run inside this shell
+    unset shellHook
+
+    ${extraShellInitCmds pkgs}
+  '';
+}

helper/push-release.sh

@@ -59,6 +59,10 @@ SHA256SUMS=$TMPDIR/SHA256SUMS.txt
 (cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS)
 gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS
 
+cd $TMPDIR
+nix hash to-sri --type sha256 $(nix-prefetch-url --unpack file://$ARCHIVE 2> /dev/null) > nar-hash.txt
+gpg -o nar-hash.txt.asc -a --detach-sig nar-hash.txt
+
 if [[ $DRY_RUN ]]; then
     echo "Created v$TAG_NAME in $TMPDIR"
     exit 0
@@ -77,6 +81,10 @@ post_asset() {
     curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
          $GH_ASSET/$(basename $1) &> /dev/null
 }
+post_asset nar-hash.txt
+post_asset nar-hash.txt.asc
+# Post additional assets for backwards compatibility.
+# This allows older nix-bitcoin installations to upgrade via `fetch-release`.
 post_asset $ARCHIVE
 post_asset $SHA256SUMS
 post_asset $SHA256SUMS.asc

pkgs/default.nix

@@ -9,7 +9,7 @@ let self = {
   spark-wallet = pkgs.callPackage ./spark-wallet { };
   liquid-swap = pkgs.python3Packages.callPackage ./liquid-swap { };
   joinmarket = pkgs.callPackage ./joinmarket { inherit (self) nbPython3Packages; };
-  generate-secrets = pkgs.callPackage ./generate-secrets { };
+  generate-secrets = import ./generate-secrets-deprecated.nix;
   nixops19_09 = pkgs.callPackage ./nixops { };
   krops = import ./krops { };
   netns-exec = pkgs.callPackage ./netns-exec { };

pkgs/generate-secrets-deprecated.nix

@@ -0,0 +1,14 @@
+throw ''
+  Please update the `shell.nix` of your node configuration.
+
+  To update, do the following:
+  1. Switch to the directory containing your `configuration.nix` and `shell.nix`.
+  2. Run the following Bash expression (Warning: This overwrites your `shell.nix`):
+
+  # Only update nix-bitcoin-release.nix if it contains a release hash
+  if grep -q sha256 nix-bitcoin-release.nix; then
+    ${toString ../helper/fetch-release} > nix-bitcoin-release.nix && cp ${toString ../examples/shell.nix} .
+  else
+    cp ${toString ../examples/shell.nix} .
+  fi
+''