Merge #136: Change the nix-bitcoin deployment from forking this repo to importing the module

b2e15c17b8 docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db9 Add fetch-release script (Jonas Nick)
c303cd47e4 Add push-release.sh helper (Jonas Nick)
705d187a35 examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be656 docs: Remove duplicate instructions (Jonas Nick)
455c5664c9 docs: Replace tabs with spaces (Jonas Nick)
8aa4714979 docs: Update NixOS version (Jonas Nick)
9df22a2764 add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced1994 README: Add Example section (Jonas Nick)
44ccbb91d0 Clean up development shell.nix (Jonas Nick)
abcee651d3 add deploy-container.sh (Erik Arvstedt)
5dadea310c add deploy-nixops.sh (Erik Arvstedt)
0c74c365de mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef move main module import to configuration.nix (Erik Arvstedt)
0c0978c007 extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498 Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
Jonas Nick 2020-04-08 15:03:00 +00:00
commit 9239268ab6
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
23 changed files with 833 additions and 459 deletions

.gitignore vendored

@ -1 +1 @@
/secrets/
/example/secrets/
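Review bot: the new ignore entry `/example/secrets/` does not match the directory the rest of this change uses, which is `examples/` (the README's `cd examples/`, `examples/deploy-container.sh`, `examples/deploy-nixops.sh`), so a `secrets/` directory generated by `nix-shell` inside `examples/` would not be ignored and could end up committed; change the entry to `/examples/secrets/`.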


@ -4,7 +4,7 @@ nix-bitcoin
[![Build Status](https://travis-ci.org/fort-nix/nix-bitcoin.svg?branch=master)](https://travis-ci.org/fort-nix/nix-bitcoin)
Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security.
This is a work in progress - don't expect it to be bug free or secure.
This is a work in progress - don't expect it to be bug-free, secure or stable.
The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet.
A simple webpage shows the lightning nodeid and links to nanopos letting the user receive donations.
@ -24,6 +24,30 @@ The goal is to make it easy to deploy a reasonably secure Bitcoin node with a us
It should allow managing bitcoin (the currency) effectively and providing public infrastructure.
It should be a reproducible and extensible platform for applications building on Bitcoin.
Example
---
The easiest way to try out nix-bitcoin is to use one of the provided examples.
```
git clone https://github.com/fort-nix/nix-bitcoin
cd examples/
nix-shell
```
The following example scripts set up a nix-bitcoin node according to `examples/configuration.nix` and then
shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.
- `./deploy-container.sh` creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\
This is the fastest way to set up a node.\
Requires: [NixOS](https://nixos.org/)
- `./deploy-qemu-vm.sh` creates a QEMU VM.\
Requires: [Nix](https://nixos.org/nix/)
- `./deploy-nixops.sh` creates a VirtualBox VM via [NixOps](https://github.com/NixOS/nixops).\
NixOps can be used to deploy to various other backends like cloud providers.\
Requires: [Nix](https://nixos.org/nix/), [VirtualBox](https://www.virtualbox.org)
Available modules
---
By default the `configuration.nix` provides:
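Review bot: the three commands in the new Example section do not chain as written: `git clone https://github.com/fort-nix/nix-bitcoin` creates a `nix-bitcoin` directory, so the next line has to be `cd nix-bitcoin/examples/` rather than `cd examples/` for `nix-shell` to pick up the examples' `shell.nix`. Since this is the first thing a reader runs, it is also worth saying next to "They leave no traces (outside of `/nix/store`)" that the scripts need `sudo` (deploy-container.sh runs `extra-container` under sudo).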
@ -48,8 +72,6 @@ The data directories of the services can be found in `/var/lib` on the deployed
Installation
---
The easiest way is to run `nix-shell` (on a Linux machine) in the nix-bitcoin directory and then create a [NixOps](https://nixos.org/nixops/manual/) deployment with the provided `network.nix` in the `network` directory.
Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell.
See [install.md](docs/install.md) for a detailed tutorial.
Security


@ -18,35 +18,35 @@ The following steps are meant to be run on the machine you deploy from, not the
1. Add virtualbox.list to /etc/apt/sources.list.d (Debian 9 stretch)
```
echo "deb http://download.virtualbox.org/virtualbox/debian stretch contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
```
```
echo "deb http://download.virtualbox.org/virtualbox/debian stretch contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
```
2. Add Oracle VirtualBox public key
```
wget https://www.virtualbox.org/download/oracle_vbox_2016.asc
gpg2 oracle_vbox_2016.asc
```
```
wget https://www.virtualbox.org/download/oracle_vbox_2016.asc
gpg2 oracle_vbox_2016.asc
```
Proceed _only_ if fingerprint reads B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
Proceed _only_ if fingerprint reads B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
```
sudo apt-key add oracle_vbox_2016.asc
```
```
sudo apt-key add oracle_vbox_2016.asc
```
3. Install virtualbox-5.2
```
sudo apt-get update
sudo apt-get install virtualbox-5.2
```
```
sudo apt-get update
sudo apt-get install virtualbox-5.2
```
3. Create Host Adapter in VirtualBox
```
vboxmanage hostonlyif create
```
```
vboxmanage hostonlyif create
```
## 2. Nix installation
The following steps are meant to be run on the machine you deploy from, not the machine you deploy to.
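Review bot: the step numbering in the VirtualBox section is still wrong after the tab-to-space reindent: "Install virtualbox-5.2" and "Create Host Adapter in VirtualBox" are both numbered 3. Since every line of this block is touched anyway, renumber the host-adapter step to 4 in the same change.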
@ -54,81 +54,105 @@ You can also build Nix from source by following the instructions at https://nixo
1. Install Dependencies (Debian 9 stretch)
```
sudo apt-get install curl git gnupg2 dirmngr
```
```
sudo apt-get install curl git gnupg2 dirmngr
```
2. Install latest Nix in "multi-user mode" with GPG Verification
```
curl -o install-nix https://nixos.org/nix/install
curl -o install-nix.sig https://nixos.org/nix/install.sig
gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg2 --verify ./install-nix.sig
sh ./install-nix --daemon
```
```
curl -o install-nix https://nixos.org/nix/install
curl -o install-nix.sig https://nixos.org/nix/install.sig
gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg2 --verify ./install-nix.sig
sh ./install-nix --daemon
```
Then follow the instructions. Open a new terminal window when you're done.
Then follow the instructions. Open a new terminal window when you're done.
If you get an error similar to
```
error: cloning builder process: Operation not permitted
error: unable to start build process
/tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile
```
you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script.
If you get an error similar to
```
error: cloning builder process: Operation not permitted
error: unable to start build process
/tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile
```
you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script.
3. Optional: Disallow substitutes
You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source.
This eliminates an attack vector where nix's build server or binary cache is compromised.
You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source.
This eliminates an attack vector where nix's build server or binary cache is compromised.
## 3. Nixops deployment
## 3. Setup deployment directory
1. Clone this project
```
cd
git clone https://github.com/fort-nix/nix-bitcoin
cd ~/nix-bitcoin
```
```
cd
git clone https://github.com/fort-nix/nix-bitcoin
```
2. Setup environment
2. Obtain the hash of the latest nix-bitcoin release
```
nix-shell
```
```
cd nix-bitcoin/examples
nix-shell
```
This will set up your nix-bitcoin environment and might take a while without giving an output.
This will download the nix-bitcoin dependencies and might take a while without giving an output.
Now in the nix-shell run
3. Create nixops deployment in nix-shell.
```
fetch-release > nix-bitcoin-release.nix
```
```
nixops create network/network.nix network/network-vbox.nix -d bitcoin-node
```
3. Create a new directory for your nix-bitcoin deployment and copy initial files from nix-bitcoin
4. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
```
cd ../../
mkdir nix-bitcoin-node
cd nix-bitcoin-node
cp -r ../nix-bitcoin/examples/{configuration.nix,nixops,shell.nix,nix-bitcoin-release.nix} .
```
5. Deploy Nixops in nix-shell
## 4. Deploy with NixOps
```
nixops deploy -d bitcoin-node
```
1. Enter environment
This will now create a nix-bitcoin node on the target machine.
```
nix-shell
```
6. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
Note that a new directory `secrets/` appeared which contains the secrets for your node.
```
nixops ssh operator@bitcoin-node
```
2. Create nixops deployment in nix-shell.
```
nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
```
3. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
4. Deploy Nixops in nix-shell
```
nixops deploy -d bitcoin-node
```
This will now create a nix-bitcoin node on the target machine.
5. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
```
nixops ssh operator@bitcoin-node
```
See [usage.md](usage.md) for usage instructions, such as how to update.
To resize the VM disk image, you can use this helper script from within nix-shell:
```
./helper/vbox-resize-disk1.sh --help
../nix-bitcoin/helper/vbox-resize-disk1.sh --help
```
----
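Review bot: step 3 ("Create a new directory for your nix-bitcoin deployment") and step 1 of "Deploy with NixOps" leave the reader in a nested nix-shell: `fetch-release` runs inside the shell entered from `nix-bitcoin/examples`, the `cd ../../` and `cp -r` happen in that same shell, and then `nix-shell` is entered again in the new directory. Add an `exit` after `fetch-release > nix-bitcoin-release.nix`, or state that the copy step is done outside the shell. The sentence "a new directory `secrets/` appeared which contains the secrets for your node" should also say what that means for the reader: it is the node's private key material, so it needs a backup and must stay out of any repository they create for the deployment directory, which the project's own `.gitignore` does not cover since the deployment directory sits outside the clone.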
@ -138,15 +162,15 @@ Tutorial: install and configure NixOS for nix-bitcoin on VirtualBox (macOS host)
The following steps are meant to be run on the machine you deploy from, not the machine you deploy to.
1. Download and install VirtualBox
Use the official Downloads page: [https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads)
Use the official Downloads page: [https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads)
Make sure that the installer you download shows a lock icon in the top right corner to make sure it is signed by Oracle.
Make sure that the installer you download shows a lock icon in the top right corner to make sure it is signed by Oracle.
2. Create Host Adapter in VirtualBox
```
vboxmanage hostonlyif create
```
```
vboxmanage hostonlyif create
```
## 2. Nix installation (macOS)
@ -157,20 +181,20 @@ In order to build binaries for your linux (NixOS) virtual machine on a macOS hos
1. Installation
```
nix-env -i /nix/store/jgq3savsyyrpsxvjlrz41nx09z7r0lch-linuxkit-builder
```
nix-env -i /nix/store/jgq3savsyyrpsxvjlrz41nx09z7r0lch-linuxkit-builder
nix-linuxkit-configure
```
```
You may want to use `nix-linuxkit-configure -c 4` to give the builder 4 CPUs.
You may want to use `nix-linuxkit-configure -c 4` to give the builder 4 CPUs.
2. Confirm that nix-linuxkit works
```
nix-build ~/.cache/nix-linuxkit-builder/example.nix
```
nix-build ~/.cache/nix-linuxkit-builder/example.nix
```
As the installer says, run a `nix-build` to make sure that you are able to build linux binaries. The `example.nix` is specifically configured to force a x86_64-linux build. Remove the generated `result` folder afterwards.
As the installer says, run a `nix-build` to make sure that you are able to build linux binaries. The `example.nix` is specifically configured to force a x86_64-linux build. Remove the generated `result` folder afterwards.
## 4. Nixops deployment (macOS)
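Review bot: `nix-env -i /nix/store/jgq3savsyyrpsxvjlrz41nx09z7r0lch-linuxkit-builder` installs a bare store path identified only by its hash, and nothing in the step says where that path comes from or how to check it; in a document that otherwise verifies GPG fingerprints before installing anything, the step should name the source of the builder (and the cache it is fetched from) so the reader can confirm it before running the command.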
@ -193,53 +217,55 @@ Tutorial: install and configure NixOS for nix-bitcoin on your own hardware
This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.html#ch-installation). Look there for more information.
1. Obtain latest NixOS. For example:
1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example:
```
wget https://releases.nixos.org/nixos/19.03/nixos-19.03.172538.7bb74e65365/nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso
```
Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd.
```
wget https://releases.nixos.org/nixos/19.09/nixos-19.09.2284.bf7c0f0461e/nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
sha256sum nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
# output: 9768eb945bef410fccfb82cb3d2e7ce7c02c3430aed0f2f1527273cb080fff3e
```
Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd.
2. Write NixOS iso to install media (USB/CD). For example:
```
dd if=nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso of=/dev/sdX
```
```
cp nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso /dev/sdX
```
Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l`
Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l`
3. Boot the system
You will have to find out if your hardware uses UEFI or Legacy Boot for the next step.
You will have to find out if your hardware uses UEFI or Legacy Boot for the next step.
4. Option 1: Partition and format for UEFI
```
parted /dev/sda -- mklabel gpt
parted /dev/sda -- mkpart primary 512MiB -8GiB
parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB
parted /dev/sda -- set 3 boot on
mkfs.ext4 -L nixos /dev/sda1
mkswap -L swap /dev/sda2
mkfs.fat -F 32 -n boot /dev/sda3
mount /dev/disk/by-label/nixos /mnt
mkdir -p /mnt/boot
mount /dev/disk/by-label/boot /mnt/boot
swapon /dev/sda2
```
```
parted /dev/sda -- mklabel gpt
parted /dev/sda -- mkpart primary 512MiB -8GiB
parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB
parted /dev/sda -- set 3 boot on
mkfs.ext4 -L nixos /dev/sda1
mkswap -L swap /dev/sda2
mkfs.fat -F 32 -n boot /dev/sda3
mount /dev/disk/by-label/nixos /mnt
mkdir -p /mnt/boot
mount /dev/disk/by-label/boot /mnt/boot
swapon /dev/sda2
```
4. Option 2: Partition and format for Legacy Boot (MBR)
```
parted /dev/sda -- mklabel msdos
parted /dev/sda -- mkpart primary 1MiB -8GiB
parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
mkfs.ext4 -L nixos /dev/sda1
mkswap -L swap /dev/sda2
mount /dev/disk/by-label/nixos /mnt
swapon /dev/sda2
```
```
parted /dev/sda -- mklabel msdos
parted /dev/sda -- mkpart primary 1MiB -8GiB
parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
mkfs.ext4 -L nixos /dev/sda1
mkswap -L swap /dev/sda2
mount /dev/disk/by-label/nixos /mnt
swapon /dev/sda2
```
4. Option 3: Set up encrypted partitions:
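Review bot: the new `sha256sum` step compares the image against a value written into a comment in this document, which only shows the hash was right when the doc was written; tell the reader to compare against the checksum published next to the image on releases.nixos.org instead, and keep the comment as a convenience at most. Replacing `dd` with `cp nixos-minimal-...iso /dev/sdX` is fine, but writing to a block device needs root, so the command should read `sudo cp ...` (the same was true of the old `dd` line).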
@ -247,194 +273,158 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
5. Generate NixOS config
```
nixos-generate-config --root /mnt
nano /mnt/etc/nixos/configuration.nix
```
```
nixos-generate-config --root /mnt
nano /mnt/etc/nixos/configuration.nix
```
Option 1: Edit NixOS configuration for UEFI
Option 1: Edit NixOS configuration for UEFI
```
{ config, pkgs, ... }: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
```
{ config, pkgs, ... }: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.enable = true;
# Note: setting fileSystems is generally not
# necessary, since nixos-generate-config figures them out
# automatically in hardware-configuration.nix.
#fileSystems."/".device = "/dev/disk/by-label/nixos";
# Enable the OpenSSH server.
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
}
```
# Note: setting fileSystems is generally not
# necessary, since nixos-generate-config figures them out
# automatically in hardware-configuration.nix.
#fileSystems."/".device = "/dev/disk/by-label/nixos";
Option 2: Edit NixOS configuration for Legacy Boot (MBR)
# Enable the OpenSSH server.
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
}
```
```
{ config, pkgs, ... }: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.grub.device = "/dev/sda";
# Note: setting fileSystems is generally not
# necessary, since nixos-generate-config figures them out
# automatically in hardware-configuration.nix.
#fileSystems."/".device = "/dev/disk/by-label/nixos";
# Enable the OpenSSH server.
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
}
```
Option 2: Edit NixOS configuration for Legacy Boot (MBR)
```
{ config, pkgs, ... }: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.grub.device = "/dev/sda";
# Note: setting fileSystems is generally not
# necessary, since nixos-generate-config figures them out
# automatically in hardware-configuration.nix.
#fileSystems."/".device = "/dev/disk/by-label/nixos";
# Enable the OpenSSH server.
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
}
```
6. Do the installation
```
nixos-install
```
Set root password
```
setting root password...
Enter new UNIX password:
Retype new UNIX password:
```
```
nixos-install
```
Set root password
```
setting root password...
Enter new UNIX password:
Retype new UNIX password:
```
7. If everything went well
```
reboot
```
```
reboot
```
## 2. nix-bitcoin installation
On the machine you are deploying from:
You can also build Nix from source by following the instructions at https://nixos.org/nix/manual/#ch-installing-source.
## 2. Nix installation
Follow the [Nix installation](#2-nix-installation) instructions from the tutorial above (on the machine you are going to deploy from).
1. Install Dependencies (Debian 9 stretch)
```
sudo apt-get install curl git gnupg2 dirmngr
```
## 3. Setup deployment directory
Follow the [Setup deployment directory](#3-setup-deployment-directory) instructions from the tutorial above (on the machine you are going to deploy from).
2. Install Latest Nix with GPG Verification
```
curl -o install-nix https://nixos.org/nix/install
curl -o install-nix.sig https://nixos.org/nix/install.sig
gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg2 --verify ./install-nix.sig
sh ./install-nix --daemon
. /home/user/.nix-profile/etc/profile.d/nix.sh
```
## 4. Deploy with NixOps
1. Make sure you are in the deployment directory and create a nixops network file as follows
Then follow the instructions. Open a new terminal window when you're done.
```
nano nixops/node-nixos.nix
```
If you get an error similar to
```
error: cloning builder process: Operation not permitted
error: unable to start build process
/tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile
```
you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script.
```
{
bitcoin-node =
{ config, pkgs, ... }:
{ deployment.targetHost = "1.2.3.4";
};
}
```
3. Optional: Disallow substitutes
Replace 1.2.3.4 with NixOS machine's IP address.
You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source.
This eliminates an attack vector where nix's build server or binary cache is compromised.
2. Edit `configuration.nix`
4. Clone this project
```
nano configuration.nix
```
```
cd
git clone https://github.com/fort-nix/nix-bitcoin
cd ~/nix-bitcoin
```
Uncomment `./hardware-configuration.nix` line by removing #.
5. Create network file
3. Create `hardware-configuration.nix`
```
nano network/network-nixos.nix
```
```
nano hardware-configuration.nix
```
Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file.
```
{
bitcoin-node =
{ config, pkgs, ... }:
{ deployment.targetHost = "1.2.3.4";
};
}
```
4. Add boot option to `hardware-configuration.nix`
Replace 1.2.3.4 with NixOS machine's IP address.
Option 1: Enable systemd boot for UEFI
```
boot.loader.grub.device = "/dev/sda";
```
Option 2: Set grub device for Legacy Boot (MBR)
```
boot.loader.grub.device = "/dev/sda";
```
6. Edit `configuration.nix`
5. Enter environment
```
nano configuration.nix
```
```
nix-shell
```
Uncomment `./hardware-configuration.nix` line by removing #.
Note that a new directory `secrets/` appeared which contains the secrets for your node.
7. Create `hardware-configuration.nix`
6. Create nixops deployment in nix-shell.
```
nano hardware-configuration.nix
```
Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file.
```
nixops create nixops/node.nix nixops/node-nixos.nix -d bitcoin-node
```
8. Add boot option to `hardware-configuration.nix`
7. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
Option 1: Enable systemd boot for UEFI
```
boot.loader.grub.device = "/dev/sda";
```
Option 2: Set grub device for Legacy Boot (MBR)
```
```
boot.loader.grub.device = "/dev/sda";
```
8. Deploy Nixops in nix-shell
9. Setup environment
```
nixops deploy -d bitcoin-node
```
```
nix-shell
```
This will now create a nix-bitcoin node on the target machine.
This will set up your nix-bitcoin environment and might take a while without giving an output.
9. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
10. Create nixops deployment in nix-shell.
```
nixops create network/network.nix network/network-nixos.nix -d bitcoin-node
```
11. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
12. Deploy Nixops in nix-shell
```
nixops deploy -d bitcoin-node
```
This will now create a nix-bitcoin node on the target machine.
13. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
```
nixops ssh operator@bitcoin-node
```
```
nixops ssh operator@bitcoin-node
```
See [usage.md](usage.md) for usage instructions, such as how to update.
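Review bot: under "Add boot option to `hardware-configuration.nix`", in both the old and the new text, "Option 1: Enable systemd boot for UEFI" is followed by `boot.loader.grub.device = "/dev/sda";`, which is the Legacy Boot setting repeated; for UEFI it should be `boot.loader.systemd-boot.enable = true;`, matching the UEFI `configuration.nix` shown in step 5 of the installation section above. Since this block is rewritten here anyway, fix it in this change rather than carrying the error over.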


@ -1,28 +1,10 @@
Updating
---
Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`.
In your deployment directory, enter the nix shell with `nix-shell` and run
### Verifying GPG Signatures (recommended)
1. Import jonasnick's gpg key
```
gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
```
2. Trust jonasnick's gpg key
```
gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
trust
4
quit
```
3. Verify commit after `git pull`
```
git verify-commit <hash of latest commit>
```
```
fetch-release > nix-bitcoin-release.nix
```
Nodeinfo
---
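Review bot: the "Verifying GPG Signatures (recommended)" section is removed without a replacement, so after this change the doc gives the reader no way to check the release that `fetch-release > nix-bitcoin-release.nix` writes into the deployment directory; either document what `fetch-release` verifies (which key, where the signature comes from) or keep the key-import and trust steps and point them at the release. The new text also stops at `fetch-release > nix-bitcoin-release.nix`, while the old sentence ended with "redeploy with `nixops deploy -d bitcoin-node`"; the redeploy step still has to be stated for the update to take effect.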
@ -36,45 +18,45 @@ Connect to spark-wallet
* [Spark-wallet](https://github.com/shesek/spark-wallet) installed from [direct download](https://github.com/shesek/spark-wallet/releases) or [Google Play](https://play.google.com/store/apps/details?id=com.spark.wallet)
1. Enable spark-wallet in `configuration.nix`
Change
```
# services.spark-wallet.enable = true;
```
to
```
services.spark-wallet.enable = true;
```
Change
```
# services.spark-wallet.enable = true;
```
to
```
services.spark-wallet.enable = true;
```
2. Deploy new `configuration.nix`
```
nixops deploy -d bitcoin-node
```
```
nixops deploy -d bitcoin-node
```
3. Enable Orbot VPN for spark-wallet
```
Open Orbot app
Turn on "VPN Mode"
Select Gear icon under "Tor-Enabled Apps"
Toggle checkbox under Spark icon
```
```
Open Orbot app
Turn on "VPN Mode"
Select Gear icon under "Tor-Enabled Apps"
Toggle checkbox under Spark icon
```
4. Get the onion address, access key and QR access code for the spark wallet android app
```
journalctl -eu spark-wallet
```
Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlightning the entire output to invert the colors.
```
journalctl -eu spark-wallet
```
Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlightning the entire output to invert the colors.
5. Connect to spark-wallet android app
```
Server Settings
Scan QR
Done
```
```
Server Settings
Scan QR
Done
```
Connect to electrs
---
@ -88,90 +70,90 @@ Connect to electrs
* [Electrum](https://electrum.org/#download) installed
1. Enable electrs in `configuration.nix`
Change
```
# services.electrs.enable = true;
```
to
```
services.electrs.enable = true;
```
Change
```
# services.electrs.enable = true;
```
to
```
services.electrs.enable = true;
```
2. Deploy new `configuration.nix`
```
nixops deploy -d bitcoin-node
```
```
nixops deploy -d bitcoin-node
```
3. Get electrs onion address
```
nodeinfo | grep 'ELECTRS_ONION'
```
```
nodeinfo | grep 'ELECTRS_ONION'
```
4. Connect to electrs
On electrum wallet laptop
```
electrum --oneserver --server=<ELECTRS_ONION>:50002:s --proxy=socks5:localhost:9050
```
On electrum wallet laptop
```
electrum --oneserver --server=<ELECTRS_ONION>:50002:s --proxy=socks5:localhost:9050
```
On electrum android phone
```
Three dots in the upper-right-hand corner
Network
Proxy mode: socks5, Host: 127.0.0.1, Port: 9050
Ok
Server
Host: <ELECTRS_ONION>, Port: 50002
Ok
Auto-connect: OFF
One-server mode: ON
```
On electrum android phone
```
Three dots in the upper-right-hand corner
Network
Proxy mode: socks5, Host: 127.0.0.1, Port: 9050
Ok
Server
Host: <ELECTRS_ONION>, Port: 50002
Ok
Auto-connect: OFF
One-server mode: ON
```
Connect to nix-bitcoin node through ssh Tor Hidden Service
---
1. Run `nodeinfo` on your nix-bitcoin node and note the `SSHD_ONION`
```
nixops ssh operator@bitcoin-node
nodeinfo | grep 'SSHD_ONION'
```
```
nixops ssh operator@bitcoin-node
nodeinfo | grep 'SSHD_ONION'
```
2. Create a SSH key
2. Create a SSH key
```
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
```
```
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
```
3. Place the ed25519 key's fingerprint in the `configuration.nix` `openssh.authorizedKeys.keys` field like so
```
# FIXME: Add your SSH pubkey
services.openssh.enable = true;
users.users.root = {
openssh.authorizedKeys.keys = [ "[contents of ~/.ssh/id_ed25519.pub]" ];
};
```
```
# FIXME: Add your SSH pubkey
services.openssh.enable = true;
users.users.root = {
openssh.authorizedKeys.keys = [ "[contents of ~/.ssh/id_ed25519.pub]" ];
};
```
4. Connect to your nix-bitcoin node's ssh Tor Hidden Service, forwarding a local port to the nix-bitcoin node's ssh server
```
ssh -i ~/.ssh/id_ed25519 -L [random port of your choosing]:localhost:22 root@[your SSHD_ONION]
```
```
ssh -i ~/.ssh/id_ed25519 -L [random port of your choosing]:localhost:22 root@[your SSHD_ONION]
```
5. Edit your `network-nixos.nix` to look like this
```
{
bitcoin-node =
{ config, pkgs, ... }:
{ deployment.targetHost = "127.0.0.1";
deployment.targetPort = [random port of your choosing];
};
}
```
```
{
bitcoin-node =
{ config, pkgs, ... }:
{ deployment.targetHost = "127.0.0.1";
deployment.targetPort = [random port of your choosing];
};
}
```
6. Now you can run `nixops deploy -d bitcoin-node` and it will connect through the ssh tunnel you established in step iv. This also allows you to do more complex ssh setups that `nixops ssh` doesn't support. An example would be authenticating with [Trezor's ssh agent](https://github.com/romanz/trezor-agent), which provides extra security.
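Review bot: step 5 of "Connect to nix-bitcoin node through ssh Tor Hidden Service" still says "Edit your `network-nixos.nix`", but the install tutorial in this same change renames that file to `nixops/node-nixos.nix`; update the name here as well. In step 6, "the ssh tunnel you established in step iv" should read "step 4" to match the numbering this list uses.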
@ -180,64 +162,64 @@ Initialize a Trezor for Bitcoin Core's Hardware Wallet Interface
1. Enable Trezor in `configuration.nix`
Change
```
# services.hardware-wallets.trezor = true;
```
to
```
services.hardware-wallets.trezor = true;
```
Change
```
# services.hardware-wallets.trezor = true;
```
to
```
services.hardware-wallets.trezor = true;
```
2. Deploy new `configuration.nix`
```
nixops deploy -d bitcoin-node
```
```
nixops deploy -d bitcoin-node
```
3. Check that your nix-bitcoin node recognizes your Trezor
```
nixops ssh operator@bitcoin-node
lsusb
```
Should show something relating to your Trezor
```
nixops ssh operator@bitcoin-node
lsusb
```
Should show something relating to your Trezor
4. If your Trezor has outdated firmware or is not yet initialized: Start your Trezor in bootloader mode
Trezor v1
```
Plug in your Trezor with both buttons depressed
```
Trezor v1
```
Plug in your Trezor with both buttons depressed
```
Trezor v2
```
Start swiping your finger across your Trezor's touchscreen and plug in the USB cable when your finger is halfway through
```
Trezor v2
```
Start swiping your finger across your Trezor's touchscreen and plug in the USB cable when your finger is halfway through
```
5. If your Trezor's firmware is outdated: Update your Trezor's firmware
```
trezorctl firmware-update
```
Follow the on-screen instructions
```
trezorctl firmware-update
```
Follow the on-screen instructions
**Caution: This command _will_ wipe your Trezor. If you already store Bitcoin on it, only do this with the recovery seed nearby.**
**Caution: This command _will_ wipe your Trezor. If you already store Bitcoin on it, only do this with the recovery seed nearby.**
6. If your Trezor is not yet initialized: Set up your Trezor
```
trezorctl reset-device -p
```
Follow the on-screen instructions
```
trezorctl reset-device -p
```
Follow the on-screen instructions
7. Find your Trezor
```
hwi enumerate
hwi -t trezor -d <path from previous command> promptpin
hwi -t trezor -d <path> sendpin <number positions for the PIN as displayed on your device's screen>
hwi enumerate
```
```
hwi enumerate
hwi -t trezor -d <path from previous command> promptpin
hwi -t trezor -d <path> sendpin <number positions for the PIN as displayed on your device's screen>
hwi enumerate
```
8. Follow Bitcoin Core's instructions on [Using Bitcoin Core with Hardware Wallets](https://github.com/bitcoin-core/HWI/blob/master/docs/bitcoin-core-usage.md) to use your Trezor with `bitcoin-cli` on your nix-bitcoin node


@ -4,12 +4,13 @@
{ config, pkgs, lib, ... }: {
imports = [
./modules/nix-bitcoin.nix
<nix-bitcoin/modules/nix-bitcoin.nix>
# Use hardened kernel profile. See
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
# for the enabled options.
<nixpkgs/nixos/modules/profiles/hardened.nix>
# FIXME: The hardened kernel profile improves security but
# decreases performance by ~50%.
# Turn it off when not needed.
# Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
<nixpkgs/nixos/modules/profiles/hardened.nix>
# FIXME: Uncomment next line to import your hardware configuration. If so,
# add the hardware configuration file to the same directory as this file.
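Review bot: `<nix-bitcoin/modules/nix-bitcoin.nix>` and `<nixpkgs/nixos/modules/profiles/hardened.nix>` are resolved through `NIX_PATH`, so this configuration only evaluates in an environment that sets both, i.e. the `nix-shell` the docs tell the user to enter; a comment saying so, and saying where `nix-bitcoin` is expected to be pinned, would stop a reader who runs `nixops deploy` outside that shell from building against a different `nix-bitcoin` than the one pinned in their deployment directory. The new "FIXME" on the hardened profile reads as an open to-do; if it is meant as a user-facing choice, "Note:" fits better.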

examples/deploy-container.sh Executable file

@ -0,0 +1,83 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to setup a nix-bitcoin node in a NixOS container.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
if [[ $(sysctl -n net.ipv4.ip_forward) != 1 ]]; then
echo "Error: IP forwarding (net.ipv4.ip_forward) is not enabled"
exit 1
fi
if [[ ! -e /run/current-system/nixos-version ]]; then
echo "Error: This script needs NixOS to run"
exit 1
fi
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
# Cleanup on exit
cleanup() {
echo
echo "Deleting container..."
sudo extra-container destroy demo-node
}
trap "cleanup" EXIT
# Build container.
# You can re-run this command with a changed container config.
# The running container is then switched to the new config.
# Learn more: https://github.com/erikarvstedt/extra-container
#
sudo extra-container create --start <<'EOF'
{ pkgs, lib, ... }: let
containerName = "demo-node"; # container name length is limited to 11 chars
localAddress = "10.250.0.2"; # container address
hostAddress = "10.250.0.1";
in {
containers.${containerName} = {
privateNetwork = true;
inherit localAddress hostAddress;
config = { pkgs, config, lib, ... }: {
imports = [
<nix-bitcoin/examples/configuration.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
];
# Speed up evaluation
documentation.nixos.enable = false;
};
};
# Allow WAN access
systemd.services."container@${containerName}" = {
preStart = "${pkgs.iptables}/bin/iptables -w -t nat -A POSTROUTING -s ${localAddress} -j MASQUERADE";
# Delete rule
postStop = "${pkgs.iptables}/bin/iptables -w -t nat -D POSTROUTING -s ${localAddress} -j MASQUERADE || true";
};
}
EOF
# Run command in container
c() { sudo extra-container run demo-node -- "$@" | cat; }
echo
echo "Bitcoind service:"
c systemctl status bitcoind
echo
echo "Bitcoind network:"
c bitcoin-cli getnetworkinfo
echo
echo "lightning-cli state:"
c lightning-cli getinfo
echo
echo "Node info:"
c nodeinfo
echo
echo "Bitcoind data dir:"
sudo ls -al /var/lib/containers/demo-node/var/lib/bitcoind
# Cleanup happens at exit (see above)
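Review bot: the container name `demo-node` is repeated in `cleanup`, in `c()`, in the `ls` path and as `containerName` inside the heredoc, and the heredoc is quoted (`<<'EOF'`) so a shell variable would not reach it; either unquote the heredoc and use one variable everywhere, or add a comment that the four names must be kept in sync, because a mismatch leaves the container running after the script exits while `cleanup` destroys a name that does not exist. A second small point: `trap "cleanup" EXIT` is installed before `extra-container create` runs, so a failed create still calls `destroy` on a container that may not exist; an `|| true` on that line keeps the trap from ending in a second error.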

examples/deploy-nixops.sh Executable file

@ -0,0 +1,41 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to setup a VirtualBox nix-bitcoin node with nixops.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
# Cleanup on exit
cleanup() {
set +e
if nixops list | grep -q bitcoin-node; then
nixops destroy --confirm -d bitcoin-node
fi
rm -rf $tmpDir
}
trap "cleanup" EXIT
tmpDir=/tmp/nix-bitcoin-nixops
mkdir -p $tmpDir
# Don't write nixops and VirtualBox data to the $USER's home
export HOME=$tmpDir
# Disable interactive queries and don't write to the $USER's known_hosts file
export NIXOPS_SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
nixops deploy -d bitcoin-node
# Connect to node
nixops ssh bitcoin-node systemctl status bitcoind
# Cleanup happens at exit (see above)
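Review bot: `tmpDir=/tmp/nix-bitcoin-nixops` is a fixed, predictable path in a world-writable directory and is then used as `$HOME`, where nixops keeps its state and the SSH keys for the VM; on a multi-user host another account can pre-create that path, so `tmpDir=$(mktemp -d)` is the safer choice and also removes the `mkdir -p`. Related: the trap is installed one line before `tmpDir` is assigned; move the assignment above `trap`, since with `set -u` an exit in between would make `rm -rf $tmpDir` fail on an unbound variable. The `NIXOPS_SSH_OPTS` line disables host-key checking, which is fine for a throwaway VirtualBox VM but should carry a comment saying it is not to be copied into a real deployment; note also that this variable only has an effect because of the `ssh_util.py` patch added further down in this PR.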

examples/deploy-qemu-vm.sh Executable file

@ -0,0 +1,93 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to run a nix-bitcoin node in QEMU.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
# MAKE SURE TO REPLACE the SSH identity file if you use this script for
# anything serious.
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
tmpDir=/tmp/nix-bitcoin-qemu-vm
mkdir -p $tmpDir
# Cleanup on exit
cleanup() {
set +eu
kill -9 $qemuPID
rm -rf $tmpDir
}
trap "cleanup" EXIT
identityFile=qemu-vm/id-vm
chmod 0600 $identityFile
echo "Building VM"
nix-build --out-link $tmpDir/vm - <<EOF
(import <nixpkgs/nixos> {
configuration = {
imports = [
<nix-bitcoin/examples/configuration.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
];
virtualisation.graphics = false;
services.mingetty.autologinUser = "root";
users.users.root = {
openssh.authorizedKeys.keys = [ "$(cat $identityFile.pub)" ];
};
};
}).vm
EOF
vmMemoryMiB=2048
vmNumCPUs=4
sshPort=60734
export NIX_DISK_IMAGE=$tmpDir/img
export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22
</dev/null $tmpDir/vm/bin/run-*-vm -m $vmMemoryMiB -smp $vmNumCPUs &>/dev/null &
qemuPID=$!
# Run command in VM
c() {
ssh -p $sshPort -i $identityFile -o ConnectTimeout=1 \
-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \
-o ControlMaster=auto -o ControlPath=$tmpDir/ssh-connection -o ControlPersist=60 \
root@127.0.0.1 "$@"
}
echo
echo "Waiting for SSH connection..."
while ! c : 2>/dev/null; do :; done
echo
echo "Waiting until services are ready..."
c '
attempts=300
while ! systemctl is-active clightning &> /dev/null; do
((attempts-- == 0)) && { echo "timeout"; exit 1; }
sleep 0.2
done
'
echo
echo "Bitcoind service:"
c systemctl status bitcoind
echo
echo "Bitcoind network:"
c bitcoin-cli getnetworkinfo
echo
echo "lightning-cli state:"
c lightning-cli getinfo
echo
echo "Node info:"
c nodeinfo
# Cleanup happens at exit (see above)
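Review bot: `QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22` leaves the host address empty, so QEMU binds port 60734 on every host interface; since the VM accepts root logins with the private key checked into `examples/qemu-vm/id-vm`, anyone who can reach the host on that port can log in as root while the demo runs. Binding to loopback, `hostfwd=tcp:127.0.0.1:$sshPort-:22`, keeps the demo reachable only from the host itself and costs nothing here because `c()` already connects to `127.0.0.1`. Minor: `chmod 0600 $identityFile` modifies a tracked file in the checkout; copying the key into `$tmpDir` first would keep the working tree clean.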


@ -0,0 +1 @@
../.

examples/nixops/node.nix Normal file

@ -0,0 +1,12 @@
{
network.description = "Bitcoin Core node";
bitcoin-node = { config, pkgs, lib, ... }: {
imports = [
../configuration.nix
<nix-bitcoin/modules/deployment/nixops.nix>
];
nix-bitcoin.deployment.secretsDir = toString ../secrets;
};
}
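Review bot: `toString ../secrets` deserves a comment: it yields the absolute path as a plain string, whereas interpolating the path (`"${../secrets}"`, or passing `../secrets` itself into a string later) would copy the whole secrets directory into the world-readable Nix store. Anyone adapting this example should know the `toString` is load-bearing, not cosmetic.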

examples/qemu-vm/id-vm Normal file

@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpgAAAIgDA7dzAwO3
cwAAAAtzc2gtZWQyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpg
AAAECuRSsNFRQgAOid87b/2kIhgycAH5nPgZwkY4bUpq7LQFt1r3f9BjAN/g8YmnYqAnXH
Ao+AqEQd4mu5tcB5lY+mAAAABG5vbmUB
-----END OPENSSH PRIVATE KEY-----
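Review bot: this private key is public by construction (it lives in the repository), so it is only usable for the throwaway QEMU demo; the warning about replacing it currently exists only as a comment in `deploy-qemu-vm.sh`. A short README in `examples/qemu-vm/` saying the same would reach people who find the key file without reading the script.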


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt1r3f9BjAN/g8YmnYqAnXHAo+AqEQd4mu5tcB5lY+m none

examples/shell.nix Normal file

@ -0,0 +1,46 @@
let
# This is either a path to a local nix-bitcoin source or an attribute set to
# be used as the fetchurl argument.
nix-bitcoin-release = import ./nix-bitcoin-release.nix;
nix-bitcoin-path =
if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
else nix-bitcoin-release;
nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
nixpkgs = import nixpkgs-path {};
nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
extraContainer = nixpkgs.callPackage (builtins.fetchTarball {
url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
}) {};
nix-bitcoin-unpacked = (import <nixpkgs> {}).runCommand "nix-bitcoin-src" {} ''
mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
'';
in
with nixpkgs;
stdenv.mkDerivation rec {
name = "nix-bitcoin-environment";
buildInputs = [ nix-bitcoin.nixops19_09 figlet extraContainer ];
shellHook = ''
export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
# ssh-agent and nixops don't play well together (see
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
# from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
# keys already added to my ssh-agent.
export SSH_AUTH_SOCK=""
figlet "nix-bitcoin"
(mkdir -p secrets; cd secrets; ${nix-bitcoin.generate-secrets})
# Don't run this hook when another nix-shell is run inside this shell
unset shellHook
'';
}
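Review bot: the shell hook runs `generate-secrets` into a `secrets` directory under the current working directory (examples/ when the shell is entered there); make sure that exact path is covered by the repository's `.gitignore`, because these become the node's real secrets when the example is used for a deployment, and an ignore rule with a slightly different path would let them be committed. A documentation point: `nix-bitcoin-unpacked` is built with the ambient `<nixpkgs>` rather than the pinned one, which is unavoidable (the pinned nixpkgs path is only known after the release is unpacked) but not obvious; a one-line comment saying so will stop the next reader from "fixing" it into an infinite recursion.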

helper/fetch-release Executable file

@ -0,0 +1,36 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg
set -euo pipefail
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
REPO=fort-nix/nix-bitcoin
if [[ ! -v VERSION ]]; then
VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2)
fi
TMPDIR=$(mktemp -d)
GPG_HOME=$(mktemp -d)
trap "rm -rf $TMPDIR $GPG_HOME" EXIT
cd $TMPDIR
BASEURL=https://github.com/$REPO/releases/download/v$VERSION
curl --silent -L -O $BASEURL/SHA256SUMS.txt
curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc
# Import key and verify fingerprint
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
echo "ERROR: Signature verification failed. Please open an issue in the project repository."
exit 1
}
SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')
cat <<EOF
{
url = "$BASEURL/nix-bitcoin-$VERSION.tar.gz";
sha256 = "$SHA256";
}
EOF
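Review bot: `SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')` takes the hash from the first line of the sums file regardless of which file it belongs to; if a release ever ships more than one artifact, or the lines are reordered, the emitted `sha256` will not match `nix-bitcoin-$VERSION.tar.gz` and `builtins.fetchurl` in examples/shell.nix will fail with a hash mismatch. Select the line by filename first, for example `grep " nix-bitcoin-$VERSION.tar.gz$" SHA256SUMS.txt | cut -d' ' -f1`. On the signature check: `gpg --verify` accepts a signature from any key in the keyring, and the `--list-keys` fingerprint line only confirms that key was imported; this is sound today because the keyring holds nothing but `key-jonasnick.bin`, but a comment stating that assumption (or checking the signing fingerprint through `--status-fd 1` and the `VALIDSIG` line) keeps it sound if more keys are added later.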

helper/key-jonasnick.bin Normal file

Binary file not shown.

helper/push-release.sh Executable file

@ -0,0 +1,59 @@
#!/usr/bin/env bash
set -euo pipefail
REPO=fort-nix/nix-bitcoin
BRANCH=master
OAUTH_TOKEN=$(pass show nix-bitcoin/github/oauth-token)
if [[ ! $OAUTH_TOKEN ]]; then
echo "Please set OAUTH_TOKEN variable"
fi
if [[ $# < 1 ]]; then
echo "$0 <tag_name>"
exit
fi
TAG_NAME=$1
RESPONSE=$(curl https://api.github.com/repos/$REPO/releases/latest 2> /dev/null)
echo "Latest release" $(echo $RESPONSE | jq -r '.tag_name' | tail -c +2)
while true; do
read -p "Create release $1? [yn] " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer y or n.";;
esac
done
TMPDIR=$(mktemp -d)
trap "rm -rf $TMPDIR" EXIT
ARCHIVE_NAME=nix-bitcoin-$TAG_NAME.tar.gz
ARCHIVE=$TMPDIR/$ARCHIVE_NAME
# Need to be in the repositories root directory for archiving
(cd $(git rev-parse --show-toplevel); git archive --format=tar.gz -o $ARCHIVE $BRANCH)
SHA256SUMS=$TMPDIR/SHA256SUMS.txt
# Want to use relative path with sha256sums because it'll output the first
# argument
(cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS)
gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS
POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_comitish\": \"$BRANCH\" }"
RESPONSE=$(curl -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases 2> /dev/null)
ID=$(echo $RESPONSE | jq -r '.id')
if [[ $ID == null ]]; then
echo "Failed to create release with $POST_DATA"
exit 1
fi
post_asset() {
GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name="
curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
$GH_ASSET/$(basename $1) &> /dev/null
}
post_asset $ARCHIVE
post_asset $SHA256SUMS
post_asset $SHA256SUMS.asc
echo "Successfully created" $(echo $POST_DATA | jq -r .tag_name)
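Review bot: `\"target_comitish\"` in `POST_DATA` is misspelled; the GitHub Releases API field is `target_commitish`, so the field is silently ignored and the tag is created from the repository's default branch rather than `$BRANCH`. The empty-token check prints a message but does not `exit 1`, so the script carries on and fails later with a less clear error from the API; the message also says to set `OAUTH_TOKEN` although the value comes from `pass show`. `post_asset` sends the uploads with `&> /dev/null` and without `curl --fail`, so a rejected asset upload (wrong content type, expired token, duplicate name) is invisible and the script still prints "Successfully created"; use `curl --fail` and let the failure abort under `set -e`, or check the response JSON the way the release creation does. Minor: `[[ $# < 1 ]]` is a string comparison inside `[[ ]]`; `[[ $# -lt 1 ]]` or `(( $# < 1 ))` is the numeric form.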


@ -0,0 +1,25 @@
{ config, ... }:
{
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
destDir = config.nix-bitcoin.secretsDir;
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
}
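Review bot: the comment says the secrets directory is made "world-readable", but `chmod o+x` grants only search (traverse) permission to others: they can open a file whose name they know, subject to that file's own mode, but cannot list the directory. That distinction is the reason the approach is acceptable, so the comment should say "world-traversable (execute bit only, no read bit)". It would also help to state the invariant this relies on, namely that every file under `secretsDir` is created with restrictive per-file permissions, since any file dropped in there with a permissive mode becomes accessible to every local user.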


@ -15,6 +15,13 @@ in
description = "Directory to store secrets";
};
deployment.secretsDir = mkOption {
type = types.path;
description = ''
Directory of local secrets that are transfered to the nix-bitcoin node on deployment
'';
};
secrets = mkOption {
default = {};
type = with types; attrsOf (submodule (
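Review bot: "transfered" should be "transferred". More importantly, the description should say that the value must be a string (for example `toString ../secrets`, as examples/nixops/node.nix does), because `types.path` also accepts a bare Nix path, and a bare path interpolated into the `keyFile` string in the nixops deployment module above would copy the local secrets directory into the world-readable Nix store.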


@ -1,31 +0,0 @@
{
network.description = "Bitcoin Core node";
bitcoin-node =
{ config, pkgs, lib, ... }: {
imports = [ ../configuration.nix ];
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${toString ../secrets}/${n}";
destDir = config.nix-bitcoin.secretsDir;
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
};
}


@ -43,3 +43,14 @@
('destDir', 'string'),
('user', 'string'),
('group', 'string'),
--- a/nixops/ssh_util.py
+++ b/nixops/ssh_util.py
@@ -278,6 +278,7 @@ class SSH(object):
'timeout' specifies the SSH connection timeout.
"""
+ flags = shlex.split(os.getenv('NIXOPS_SSH_OPTS', '')) + flags
master = self.get_master(flags, timeout, user)
flags = flags + self._get_flags()
if logged:
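Review bot: the flags from `NIXOPS_SSH_OPTS` are prepended, and ssh generally uses the first value it sees for a given `-o` option, so anything in this variable overrides nixops' own flags; that is what deploy-nixops.sh relies on, but it is worth stating in a comment next to the line, because the opposite order would silently make the variable useless for options nixops already sets. Also confirm that `ssh_util.py` already imports `os` and `shlex`; neither import is part of this hunk.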


@ -1,24 +1,12 @@
let
nixpkgs = (import ./pkgs/nixpkgs-pinned.nix).nixpkgs;
in
with import nixpkgs { };
with import nixpkgs {};
stdenv.mkDerivation rec {
name = "nix-bitcoin-environment";
nixops19_09 = callPackage ./pkgs/nixops {};
make-secrets = callPackage ./pkgs/generate-secrets/update-and-generate.nix {};
buildInputs = [ nixops19_09 figlet ];
shellHook = ''
export NIX_PATH="nixpkgs=${nixpkgs}:."
# ssh-agent and nixops don't play well together (see
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
# from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
# keys already added to my ssh-agent.
export SSH_AUTH_SOCK=""
figlet "nix-bitcoin"
(mkdir -p secrets; cd secrets; ${make-secrets})
export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=./:."
'';
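Review bot: `nix-bitcoin=./` in `NIX_PATH` is a relative entry, and Nix resolves relative search-path entries against the current working directory at lookup time, so `<nix-bitcoin/...>` stops resolving as soon as a user `cd`s out of the repository root inside this shell. `nix-bitcoin=${toString ./.}` pins it to the repository directory at evaluation time, matching what examples/shell.nix does with `toString nix-bitcoin-path`.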
}