diff --git a/.gitignore b/.gitignore index 5598d80..cad76d3 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -/secrets/ +/example/secrets/ diff --git a/README.md b/README.md index 96e6ae9..8dad3bf 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ nix-bitcoin [![Build Status](https://travis-ci.org/fort-nix/nix-bitcoin.svg?branch=master)](https://travis-ci.org/fort-nix/nix-bitcoin) Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security. -This is a work in progress - don't expect it to be bug free or secure. +This is a work in progress - don't expect it to be bug-free, secure or stable. The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet. A simple webpage shows the lightning nodeid and links to nanopos letting the user receive donations. 
@@ -24,6 +24,30 @@ The goal is to make it easy to deploy a reasonably secure Bitcoin node with a us It should allow managing bitcoin (the currency) effectively and providing public infrastructure. It should be a reproducible and extensible platform for applications building on Bitcoin. +Example +--- +The easiest way to try out nix-bitcoin is to use one of the provided examples. + +``` +git clone https://github.com/fort-nix/nix-bitcoin +cd examples/ +nix-shell +``` + +The following example scripts set up a nix-bitcoin node according to `examples/configuration.nix` and then +shut down immediately. They leave no traces (outside of `/nix/store`) on the host system. + +- `./deploy-container.sh` creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\ + This is the fastest way to set up a node.\ + Requires: [NixOS](https://nixos.org/) + +- `./deploy-qemu-vm.sh` creates a QEMU VM.\ + Requires: [Nix](https://nixos.org/nix/) + +- `./deploy-nixops.sh` creates a VirtualBox VM via [NixOps](https://github.com/NixOS/nixops).\ + NixOps can be used to deploy to various other backends like cloud providers.\ + Requires: [Nix](https://nixos.org/nix/), [VirtualBox](https://www.virtualbox.org) + Available modules --- By default the `configuration.nix` provides: @@ -48,8 +72,6 @@ The data directories of the services can be found in `/var/lib` on the deployed Installation --- -The easiest way is to run `nix-shell` (on a Linux machine) in the nix-bitcoin directory and then create a [NixOps](https://nixos.org/nixops/manual/) deployment with the provided `network.nix` in the `network` directory. -Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell. See [install.md](docs/install.md) for a detailed tutorial. Security diff --git a/docs/install.md b/docs/install.md index 1c74e34..58cee67 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -18,35 +18,35 @@ The following steps are meant to be run on the machine you deploy from, not the 1. Add virtualbox.list to /etc/apt/sources.list.d (Debian 9 stretch) - ``` - echo "deb http://download.virtualbox.org/virtualbox/debian stretch contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list - ``` + ``` + echo "deb http://download.virtualbox.org/virtualbox/debian stretch contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list + ``` 2. Add Oracle VirtualBox public key - ``` - wget https://www.virtualbox.org/download/oracle_vbox_2016.asc - gpg2 oracle_vbox_2016.asc - ``` + ``` + wget https://www.virtualbox.org/download/oracle_vbox_2016.asc + gpg2 oracle_vbox_2016.asc + ``` - Proceed _only_ if fingerprint reads B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF + Proceed _only_ if fingerprint reads B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF - ``` - sudo apt-key add oracle_vbox_2016.asc - ``` + ``` + sudo apt-key add oracle_vbox_2016.asc + ``` 3. Install virtualbox-5.2 - ``` - sudo apt-get update - sudo apt-get install virtualbox-5.2 - ``` + ``` + sudo apt-get update + sudo apt-get install virtualbox-5.2 + ``` 3. Create Host Adapter in VirtualBox - ``` - vboxmanage hostonlyif create - ``` + ``` + vboxmanage hostonlyif create + ``` ## 2. Nix installation The following steps are meant to be run on the machine you deploy from, not the machine you deploy to. 
@@ -54,81 +54,105 @@ You can also build Nix from source by following the instructions at https://nixo 1. Install Dependencies (Debian 9 stretch) - ``` - sudo apt-get install curl git gnupg2 dirmngr - ``` + ``` + sudo apt-get install curl git gnupg2 dirmngr + ``` 2. Install latest Nix in "multi-user mode" with GPG Verification - ``` - curl -o install-nix https://nixos.org/nix/install - curl -o install-nix.sig https://nixos.org/nix/install.sig - gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE - gpg2 --verify ./install-nix.sig - sh ./install-nix --daemon - ``` + ``` + curl -o install-nix https://nixos.org/nix/install + curl -o install-nix.sig https://nixos.org/nix/install.sig + gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE + gpg2 --verify ./install-nix.sig + sh ./install-nix --daemon + ``` - Then follow the instructions. Open a new terminal window when you're done. + Then follow the instructions. Open a new terminal window when you're done. - If you get an error similar to - ``` - error: cloning builder process: Operation not permitted - error: unable to start build process - /tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile - ``` - you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script. + If you get an error similar to + ``` + error: cloning builder process: Operation not permitted + error: unable to start build process + /tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile + ``` + you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script. 3. Optional: Disallow substitutes - You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source. - This eliminates an attack vector where nix's build server or binary cache is compromised. 
+ You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source. + This eliminates an attack vector where nix's build server or binary cache is compromised. -## 3. Nixops deployment +## 3. Setup deployment directory 1. Clone this project - ``` - cd - git clone https://github.com/fort-nix/nix-bitcoin - cd ~/nix-bitcoin - ``` + ``` + cd + git clone https://github.com/fort-nix/nix-bitcoin + ``` -2. Setup environment +2. Obtain the hash of the latest nix-bitcoin release - ``` - nix-shell - ``` + ``` + cd nix-bitcoin/examples + nix-shell + ``` - This will set up your nix-bitcoin environment and might take a while without giving an output. + This will download the nix-bitcoin dependencies and might take a while without giving an output. + Now in the nix-shell run -3. Create nixops deployment in nix-shell. + ``` + fetch-release > nix-bitcoin-release.nix + ``` - ``` - nixops create network/network.nix network/network-vbox.nix -d bitcoin-node - ``` +3. Create a new directory for your nix-bitcoin deployment and copy initial files from nix-bitcoin -4. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. + ``` + cd ../../ + mkdir nix-bitcoin-node + cd nix-bitcoin-node + cp -r ../nix-bitcoin/examples/{configuration.nix,nixops,shell.nix,nix-bitcoin-release.nix} . + ``` -5. Deploy Nixops in nix-shell +## 4. Deploy with NixOps - ``` - nixops deploy -d bitcoin-node - ``` +1. Enter environment - This will now create a nix-bitcoin node on the target machine. + ``` + nix-shell + ``` -6. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with + Note that a new directory `secrets/` appeared which contains the secrets for your node. - ``` - nixops ssh operator@bitcoin-node - ``` +2. Create nixops deployment in nix-shell. 
+ + ``` + nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node + ``` + +3. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. + +4. Deploy Nixops in nix-shell + + ``` + nixops deploy -d bitcoin-node + ``` + + This will now create a nix-bitcoin node on the target machine. + +5. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with + + ``` + nixops ssh operator@bitcoin-node + ``` See [usage.md](usage.md) for usage instructions, such as how to update. To resize the VM disk image, you can use this helper script from within nix-shell: ``` -./helper/vbox-resize-disk1.sh --help +../nix-bitcoin/helper/vbox-resize-disk1.sh --help ``` ---- @@ -138,15 +162,15 @@ Tutorial: install and configure NixOS for nix-bitcoin on VirtualBox (macOS host) The following steps are meant to be run on the machine you deploy from, not the machine you deploy to. 1. Download and install VirtualBox - Use the official Downloads page: [https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads) + Use the official Downloads page: [https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads) - Make sure that the installer you download shows a lock icon in the top right corner to make sure it is signed by Oracle. + Make sure that the installer you download shows a lock icon in the top right corner to make sure it is signed by Oracle. 2. Create Host Adapter in VirtualBox - ``` - vboxmanage hostonlyif create - ``` + ``` + vboxmanage hostonlyif create + ``` ## 2. Nix installation (macOS) 
@@ -157,20 +181,20 @@ In order to build binaries for your linux (NixOS) virtual machine on a macOS hos 1. Installation - ``` - nix-env -i /nix/store/jgq3savsyyrpsxvjlrz41nx09z7r0lch-linuxkit-builder + ``` + nix-env -i /nix/store/jgq3savsyyrpsxvjlrz41nx09z7r0lch-linuxkit-builder nix-linuxkit-configure - ``` + ``` - You may want to use `nix-linuxkit-configure -c 4` to give the builder 4 CPUs. + You may want to use `nix-linuxkit-configure -c 4` to give the builder 4 CPUs. 2. Confirm that nix-linuxkit works ``` - nix-build ~/.cache/nix-linuxkit-builder/example.nix - ``` + nix-build ~/.cache/nix-linuxkit-builder/example.nix + ``` - As the installer says, run a `nix-build` to make sure that you are able to build linux binaries. The `example.nix` is specifically configured to force a x86_64-linux build. Remove the generated `result` folder afterwards. + As the installer says, run a `nix-build` to make sure that you are able to build linux binaries. The `example.nix` is specifically configured to force a x86_64-linux build. Remove the generated `result` folder afterwards. ## 4. Nixops deployment (macOS) 
@@ -193,53 +217,55 @@ Tutorial: install and configure NixOS for nix-bitcoin on your own hardware This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.html#ch-installation). Look there for more information. -1. Obtain latest NixOS. For example: +1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example: - ``` - wget https://releases.nixos.org/nixos/19.03/nixos-19.03.172538.7bb74e65365/nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso - ``` - Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd. + ``` + wget https://releases.nixos.org/nixos/19.09/nixos-19.09.2284.bf7c0f0461e/nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso + sha256sum nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso + # output: 9768eb945bef410fccfb82cb3d2e7ce7c02c3430aed0f2f1527273cb080fff3e + ``` + Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd. 2. Write NixOS iso to install media (USB/CD). For example: - ``` - dd if=nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso of=/dev/sdX - ``` + ``` + cp nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso /dev/sdX + ``` - Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l` + Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l` 3. Boot the system - You will have to find out if your hardware uses UEFI or Legacy Boot for the next step. + You will have to find out if your hardware uses UEFI or Legacy Boot for the next step. 4. 
Option 1: Partition and format for UEFI - ``` - parted /dev/sda -- mklabel gpt - parted /dev/sda -- mkpart primary 512MiB -8GiB - parted /dev/sda -- mkpart primary linux-swap -8GiB 100% - parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB - parted /dev/sda -- set 3 boot on - mkfs.ext4 -L nixos /dev/sda1 - mkswap -L swap /dev/sda2 - mkfs.fat -F 32 -n boot /dev/sda3 - mount /dev/disk/by-label/nixos /mnt - mkdir -p /mnt/boot - mount /dev/disk/by-label/boot /mnt/boot - swapon /dev/sda2 - ``` + ``` + parted /dev/sda -- mklabel gpt + parted /dev/sda -- mkpart primary 512MiB -8GiB + parted /dev/sda -- mkpart primary linux-swap -8GiB 100% + parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB + parted /dev/sda -- set 3 boot on + mkfs.ext4 -L nixos /dev/sda1 + mkswap -L swap /dev/sda2 + mkfs.fat -F 32 -n boot /dev/sda3 + mount /dev/disk/by-label/nixos /mnt + mkdir -p /mnt/boot + mount /dev/disk/by-label/boot /mnt/boot + swapon /dev/sda2 + ``` 4. Option 2: Partition and format for Legacy Boot (MBR) - ``` - parted /dev/sda -- mklabel msdos - parted /dev/sda -- mkpart primary 1MiB -8GiB - parted /dev/sda -- mkpart primary linux-swap -8GiB 100% - mkfs.ext4 -L nixos /dev/sda1 - mkswap -L swap /dev/sda2 - mount /dev/disk/by-label/nixos /mnt - swapon /dev/sda2 - ``` + ``` + parted /dev/sda -- mklabel msdos + parted /dev/sda -- mkpart primary 1MiB -8GiB + parted /dev/sda -- mkpart primary linux-swap -8GiB 100% + mkfs.ext4 -L nixos /dev/sda1 + mkswap -L swap /dev/sda2 + mount /dev/disk/by-label/nixos /mnt + swapon /dev/sda2 + ``` 4. Option 3: Set up encrypted partitions: 
@@ -247,194 +273,158 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht 5. Generate NixOS config - ``` - nixos-generate-config --root /mnt - nano /mnt/etc/nixos/configuration.nix - ``` + ``` + nixos-generate-config --root /mnt + nano /mnt/etc/nixos/configuration.nix + ``` - Option 1: Edit NixOS configuration for UEFI + Option 1: Edit NixOS configuration for UEFI - ``` - { config, pkgs, ... }: { - imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; + ``` + { config, pkgs, ... }: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; - boot.loader.systemd-boot.enable = true; + boot.loader.systemd-boot.enable = true; - # Note: setting fileSystems is generally not - # necessary, since nixos-generate-config figures them out - # automatically in hardware-configuration.nix. - #fileSystems."/".device = "/dev/disk/by-label/nixos"; - - # Enable the OpenSSH server. - services.openssh = { - enable = true; - permitRootLogin = "yes"; - }; - } - ``` + # Note: setting fileSystems is generally not + # necessary, since nixos-generate-config figures them out + # automatically in hardware-configuration.nix. + #fileSystems."/".device = "/dev/disk/by-label/nixos"; - Option 2: Edit NixOS configuration for Legacy Boot (MBR) + # Enable the OpenSSH server. + services.openssh = { + enable = true; + permitRootLogin = "yes"; + }; + } + ``` - ``` - { config, pkgs, ... }: { - imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - boot.loader.grub.device = "/dev/sda"; - - # Note: setting fileSystems is generally not - # necessary, since nixos-generate-config figures them out - # automatically in hardware-configuration.nix. - #fileSystems."/".device = "/dev/disk/by-label/nixos"; - - # Enable the OpenSSH server. 
- services.openssh = { - enable = true; - permitRootLogin = "yes"; - }; - } - ``` + Option 2: Edit NixOS configuration for Legacy Boot (MBR) + + ``` + { config, pkgs, ... }: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot.loader.grub.device = "/dev/sda"; + + # Note: setting fileSystems is generally not + # necessary, since nixos-generate-config figures them out + # automatically in hardware-configuration.nix. + #fileSystems."/".device = "/dev/disk/by-label/nixos"; + + # Enable the OpenSSH server. + services.openssh = { + enable = true; + permitRootLogin = "yes"; + }; + } + ``` 6. Do the installation - ``` - nixos-install - ``` - Set root password - ``` - setting root password... - Enter new UNIX password: - Retype new UNIX password: - ``` + ``` + nixos-install + ``` + Set root password + ``` + setting root password... + Enter new UNIX password: + Retype new UNIX password: + ``` 7. If everything went well - ``` - reboot - ``` + ``` + reboot + ``` -## 2. nix-bitcoin installation -On the machine you are deploying from: -You can also build Nix from source by following the instructions at https://nixos.org/nix/manual/#ch-installing-source. +## 2. Nix installation +Follow the [Nix installation](#2-nix-installation) instructions from the tutorial above (on the machine you are going to deploy from). -1. Install Dependencies (Debian 9 stretch) - ``` - sudo apt-get install curl git gnupg2 dirmngr - ``` +## 3. Setup deployment directory +Follow the [Setup deployment directory](#3-setup-deployment-directory) instructions from the tutorial above (on the machine you are going to deploy from). -2. Install Latest Nix with GPG Verification - ``` - curl -o install-nix https://nixos.org/nix/install - curl -o install-nix.sig https://nixos.org/nix/install.sig - gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE - gpg2 --verify ./install-nix.sig - sh ./install-nix --daemon - . 
/home/user/.nix-profile/etc/profile.d/nix.sh - ``` +## 4. Deploy with NixOps +1. Make sure you are in the deployment directory and create a nixops network file as follows - Then follow the instructions. Open a new terminal window when you're done. + ``` + nano nixops/node-nixos.nix + ``` - If you get an error similar to - ``` - error: cloning builder process: Operation not permitted - error: unable to start build process - /tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile - ``` - you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script. + ``` + { + bitcoin-node = + { config, pkgs, ... }: + { deployment.targetHost = "1.2.3.4"; + }; + } + ``` -3. Optional: Disallow substitutes + Replace 1.2.3.4 with NixOS machine's IP address. - You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source. - This eliminates an attack vector where nix's build server or binary cache is compromised. +2. Edit `configuration.nix` -4. Clone this project + ``` + nano configuration.nix + ``` - ``` - cd - git clone https://github.com/fort-nix/nix-bitcoin - cd ~/nix-bitcoin - ``` + Uncomment `./hardware-configuration.nix` line by removing #. -5. Create network file +3. Create `hardware-configuration.nix` - ``` - nano network/network-nixos.nix - ``` + ``` + nano hardware-configuration.nix + ``` + Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file. - ``` - { - bitcoin-node = - { config, pkgs, ... }: - { deployment.targetHost = "1.2.3.4"; - }; - } - ``` +4. Add boot option to `hardware-configuration.nix` - Replace 1.2.3.4 with NixOS machine's IP address. + Option 1: Enable systemd boot for UEFI + ``` + boot.loader.grub.device = "/dev/sda"; + ``` + Option 2: Set grub device for Legacy Boot (MBR) + ``` + boot.loader.grub.device = "/dev/sda"; + ``` -6. Edit `configuration.nix` +5. 
Enter environment - ``` - nano configuration.nix - ``` + ``` + nix-shell + ``` - Uncomment `./hardware-configuration.nix` line by removing #. + Note that a new directory `secrets/` appeared which contains the secrets for your node. -7. Create `hardware-configuration.nix` +6. Create nixops deployment in nix-shell. - ``` - nano hardware-configuration.nix - ``` - Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file. + ``` + nixops create nixops/node.nix nixops/node-nixos.nix -d bitcoin-node + ``` -8. Add boot option to `hardware-configuration.nix` +7. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. - Option 1: Enable systemd boot for UEFI - ``` - boot.loader.grub.device = "/dev/sda"; - ``` - Option 2: Set grub device for Legacy Boot (MBR) - ``` - ``` - boot.loader.grub.device = "/dev/sda"; - ``` +8. Deploy Nixops in nix-shell -9. Setup environment + ``` + nixops deploy -d bitcoin-node + ``` - ``` - nix-shell - ``` + This will now create a nix-bitcoin node on the target machine. - This will set up your nix-bitcoin environment and might take a while without giving an output. +9. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with -10. Create nixops deployment in nix-shell. - - ``` - nixops create network/network.nix network/network-nixos.nix -d bitcoin-node - ``` - -11. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. - -12. Deploy Nixops in nix-shell - - ``` - nixops deploy -d bitcoin-node - ``` - - This will now create a nix-bitcoin node on the target machine. - -13. Nixops automatically creates an ssh key for use with `nixops ssh`. 
Access `bitcoin-node` through ssh in nix-shell with - - ``` - nixops ssh operator@bitcoin-node - ``` + ``` + nixops ssh operator@bitcoin-node + ``` See [usage.md](usage.md) for usage instructions, such as how to update. diff --git a/docs/usage.md b/docs/usage.md index bffca25..be7675c 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -1,28 +1,10 @@ Updating --- -Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`. +In your deployment directory, enter the nix shell with `nix-shell` and run -### Verifying GPG Signatures (recommended) -1. Import jonasnick's gpg key - - ``` - gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 - ``` - -2. Trust jonasnick's gpg key - - ``` - gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 - trust - 4 - quit - ``` - -3. Verify commit after `git pull` - - ``` - git verify-commit - ``` +``` +fetch-release > nix-bitcoin-release.nix +``` Nodeinfo --- 
@@ -36,45 +18,45 @@ Connect to spark-wallet * [Spark-wallet](https://github.com/shesek/spark-wallet) installed from [direct download](https://github.com/shesek/spark-wallet/releases) or [Google Play](https://play.google.com/store/apps/details?id=com.spark.wallet) 1. Enable spark-wallet in `configuration.nix` - - Change - ``` - # services.spark-wallet.enable = true; - ``` - to - ``` - services.spark-wallet.enable = true; - ``` + + Change + ``` + # services.spark-wallet.enable = true; + ``` + to + ``` + services.spark-wallet.enable = true; + ``` 2. Deploy new `configuration.nix` - ``` - nixops deploy -d bitcoin-node - ``` + ``` + nixops deploy -d bitcoin-node + ``` 3. Enable Orbot VPN for spark-wallet - ``` - Open Orbot app - Turn on "VPN Mode" - Select Gear icon under "Tor-Enabled Apps" - Toggle checkbox under Spark icon - ``` + ``` + Open Orbot app + Turn on "VPN Mode" + Select Gear icon under "Tor-Enabled Apps" + Toggle checkbox under Spark icon + ``` 4. Get the onion address, access key and QR access code for the spark wallet android app - ``` - journalctl -eu spark-wallet - ``` - Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlightning the entire output to invert the colors. + ``` + journalctl -eu spark-wallet + ``` + Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlightning the entire output to invert the colors. 5. Connect to spark-wallet android app - ``` - Server Settings - Scan QR - Done - ``` + ``` + Server Settings + Scan QR + Done + ``` Connect to electrs --- 
@@ -88,90 +70,90 @@ Connect to electrs * [Electrum](https://electrum.org/#download) installed 1. Enable electrs in `configuration.nix` - - Change - ``` - # services.electrs.enable = true; - ``` - to - ``` - services.electrs.enable = true; - ``` + + Change + ``` + # services.electrs.enable = true; + ``` + to + ``` + services.electrs.enable = true; + ``` 2. Deploy new `configuration.nix` - ``` - nixops deploy -d bitcoin-node - ``` + ``` + nixops deploy -d bitcoin-node + ``` 3. Get electrs onion address - ``` - nodeinfo | grep 'ELECTRS_ONION' - ``` + ``` + nodeinfo | grep 'ELECTRS_ONION' + ``` 4. Connect to electrs - On electrum wallet laptop - ``` - electrum --oneserver --server=:50002:s --proxy=socks5:localhost:9050 - ``` + On electrum wallet laptop + ``` + electrum --oneserver --server=:50002:s --proxy=socks5:localhost:9050 + ``` - On electrum android phone - ``` - Three dots in the upper-right-hand corner - Network - Proxy mode: socks5, Host: 127.0.0.1, Port: 9050 - Ok - Server - Host: , Port: 50002 - Ok - Auto-connect: OFF - One-server mode: ON - ``` + On electrum android phone + ``` + Three dots in the upper-right-hand corner + Network + Proxy mode: socks5, Host: 127.0.0.1, Port: 9050 + Ok + Server + Host: , Port: 50002 + Ok + Auto-connect: OFF + One-server mode: ON + ``` Connect to nix-bitcoin node through ssh Tor Hidden Service --- 1. Run `nodeinfo` on your nix-bitcoin node and note the `SSHD_ONION` - ``` - nixops ssh operator@bitcoin-node - nodeinfo | grep 'SSHD_ONION' - ``` + ``` + nixops ssh operator@bitcoin-node + nodeinfo | grep 'SSHD_ONION' + ``` -2. Create a SSH key +2. Create a SSH key - ``` - ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 - ``` + ``` + ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 + ``` 3. 
Place the ed25519 key's fingerprint in the `configuration.nix` `openssh.authorizedKeys.keys` field like so - ``` - # FIXME: Add your SSH pubkey - services.openssh.enable = true; - users.users.root = { - openssh.authorizedKeys.keys = [ "[contents of ~/.ssh/id_ed25519.pub]" ]; - }; - ``` + ``` + # FIXME: Add your SSH pubkey + services.openssh.enable = true; + users.users.root = { + openssh.authorizedKeys.keys = [ "[contents of ~/.ssh/id_ed25519.pub]" ]; + }; + ``` 4. Connect to your nix-bitcoin node's ssh Tor Hidden Service, forwarding a local port to the nix-bitcoin node's ssh server - ``` - ssh -i ~/.ssh/id_ed25519 -L [random port of your choosing]:localhost:22 root@[your SSHD_ONION] - ``` + ``` + ssh -i ~/.ssh/id_ed25519 -L [random port of your choosing]:localhost:22 root@[your SSHD_ONION] + ``` 5. Edit your `network-nixos.nix` to look like this - ``` - { - bitcoin-node = - { config, pkgs, ... }: - { deployment.targetHost = "127.0.0.1"; - deployment.targetPort = [random port of your choosing]; - }; - } - ``` + ``` + { + bitcoin-node = + { config, pkgs, ... }: + { deployment.targetHost = "127.0.0.1"; + deployment.targetPort = [random port of your choosing]; + }; + } + ``` 6. Now you can run `nixops deploy -d bitcoin-node` and it will connect through the ssh tunnel you established in step iv. This also allows you to do more complex ssh setups that `nixops ssh` doesn't support. An example would be authenticating with [Trezor's ssh agent](https://github.com/romanz/trezor-agent), which provides extra security. 
@@ -180,64 +162,64 @@ Initialize a Trezor for Bitcoin Core's Hardware Wallet Interface 1. Enable Trezor in `configuration.nix` - Change - ``` - # services.hardware-wallets.trezor = true; - ``` - to - ``` - services.hardware-wallets.trezor = true; - ``` + Change + ``` + # services.hardware-wallets.trezor = true; + ``` + to + ``` + services.hardware-wallets.trezor = true; + ``` 2. Deploy new `configuration.nix` - ``` - nixops deploy -d bitcoin-node - ``` + ``` + nixops deploy -d bitcoin-node + ``` 3. Check that your nix-bitcoin node recognizes your Trezor - ``` - nixops ssh operator@bitcoin-node - lsusb - ``` - Should show something relating to your Trezor + ``` + nixops ssh operator@bitcoin-node + lsusb + ``` + Should show something relating to your Trezor 4. If your Trezor has outdated firmware or is not yet initialized: Start your Trezor in bootloader mode - Trezor v1 - ``` - Plug in your Trezor with both buttons depressed - ``` + Trezor v1 + ``` + Plug in your Trezor with both buttons depressed + ``` - Trezor v2 - ``` - Start swiping your finger across your Trezor's touchscreen and plug in the USB cable when your finger is halfway through - ``` + Trezor v2 + ``` + Start swiping your finger across your Trezor's touchscreen and plug in the USB cable when your finger is halfway through + ``` 5. If your Trezor's firmware is outdated: Update your Trezor's firmware - ``` - trezorctl firmware-update - ``` - Follow the on-screen instructions + ``` + trezorctl firmware-update + ``` + Follow the on-screen instructions - **Caution: This command _will_ wipe your Trezor. If you already store Bitcoin on it, only do this with the recovery seed nearby.** + **Caution: This command _will_ wipe your Trezor. If you already store Bitcoin on it, only do this with the recovery seed nearby.** 6. 
If your Trezor is not yet initialized: Set up your Trezor - ``` - trezorctl reset-device -p - ``` - Follow the on-screen instructions + ``` + trezorctl reset-device -p + ``` + Follow the on-screen instructions 7. Find your Trezor - ``` - hwi enumerate - hwi -t trezor -d promptpin - hwi -t trezor -d sendpin - hwi enumerate - ``` + ``` + hwi enumerate + hwi -t trezor -d promptpin + hwi -t trezor -d sendpin + hwi enumerate + ``` 8. Follow Bitcoin Core's instructions on [Using Bitcoin Core with Hardware Wallets](https://github.com/bitcoin-core/HWI/blob/master/docs/bitcoin-core-usage.md) to use your Trezor with `bitcoin-cli` on your nix-bitcoin node diff --git a/configuration.nix b/examples/configuration.nix similarity index 94% rename from configuration.nix rename to examples/configuration.nix index 8fe2714..85bd665 100644 --- a/configuration.nix +++ b/examples/configuration.nix @@ -4,12 +4,13 @@ { config, pkgs, lib, ... }: { imports = [ - ./modules/nix-bitcoin.nix + - # Use hardened kernel profile. See - # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix - # for the enabled options. - + # FIXME: The hardened kernel profile improves security but + # decreases performance by ~50%. + # Turn it off when not needed. + # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix + # FIXME: Uncomment next line to import your hardware configuration. If so, # add the hardware configuration file to the same directory as this file. diff --git a/examples/deploy-container.sh b/examples/deploy-container.sh new file mode 100755 index 0000000..48d76ab --- /dev/null +++ b/examples/deploy-container.sh 
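Review bot: The new FIXME in examples/configuration.nix states that the hardened profile "decreases performance by ~50%", but the only reference given is the profile definition in nixpkgs, which does not substantiate a performance figure; either cite the measurement the number comes from or soften it to a qualitative statement so readers are not misled into disabling a security profile on the strength of an unsourced figure, e.g. `# FIXME: The hardened kernel profile improves security but can noticeably reduce performance (measure on your hardware).` The `+` lines of the import list appear empty in this rendering, which looks like the angle-bracket paths were stripped by the page extraction rather than by the commit, so that part cannot be reviewed here.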
@@ -0,0 +1,83 @@ +#!/usr/bin/env bash +set -euo pipefail + +# This script demonstrates how to setup a nix-bitcoin node in a NixOS container. +# Running this script leaves no traces on your host system. + +# This demo is a template for your own experiments. +# Feel free to modify or to run nix-shell and execute individual statements of this +# script in the interactive shell. + +if [[ $(sysctl -n net.ipv4.ip_forward) != 1 ]]; then + echo "Error: IP forwarding (net.ipv4.ip_forward) is not enabled" + exit 1 +fi +if [[ ! -e /run/current-system/nixos-version ]]; then + echo "Error: This script needs NixOS to run" + exit 1 +fi + +if [[ ! -v IN_NIX_SHELL ]]; then + echo "Running script in nix shell env..." + exec nix-shell --run "${BASH_SOURCE[0]}" +fi + +# Cleanup on exit +cleanup() { + echo + echo "Deleting container..." + sudo extra-container destroy demo-node +} +trap "cleanup" EXIT + +# Build container. +# You can re-run this command with a changed container config. +# The running container is then switched to the new config. +# Learn more: https://github.com/erikarvstedt/extra-container +# +sudo extra-container create --start <<'EOF' +{ pkgs, lib, ... }: let + containerName = "demo-node"; # container name length is limited to 11 chars + localAddress = "10.250.0.2"; # container address + hostAddress = "10.250.0.1"; +in { + containers.${containerName} = { + privateNetwork = true; + inherit localAddress hostAddress; + config = { pkgs, config, lib, ... 
}: { + imports = [ + + + ]; + # Speed up evaluation + documentation.nixos.enable = false; + }; + }; + # Allow WAN access + systemd.services."container@${containerName}" = { + preStart = "${pkgs.iptables}/bin/iptables -w -t nat -A POSTROUTING -s ${localAddress} -j MASQUERADE"; + # Delete rule + postStop = "${pkgs.iptables}/bin/iptables -w -t nat -D POSTROUTING -s ${localAddress} -j MASQUERADE || true"; + }; +} +EOF +# Run command in container +c() { sudo extra-container run demo-node -- "$@" | cat; } + +echo +echo "Bitcoind service:" +c systemctl status bitcoind +echo +echo "Bitcoind network:" +c bitcoin-cli getnetworkinfo +echo +echo "lightning-cli state:" +c lightning-cli getinfo +echo +echo "Node info:" +c nodeinfo +echo +echo "Bitcoind data dir:" +sudo ls -al /var/lib/containers/demo-node/var/lib/bitcoind + +# Cleanup happens at exit (see above) diff --git a/examples/deploy-nixops.sh b/examples/deploy-nixops.sh new file mode 100755 index 0000000..a50aba2 --- /dev/null +++ b/examples/deploy-nixops.sh 
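Review bot: The EXIT trap installed before `sudo extra-container create --start` destroys `demo-node` unconditionally, and the comment on the create call says a running container of that name is switched to the new config rather than refused, so a user who already has a container called `demo-node` would get it reconfigured and then deleted together with `/var/lib/containers/demo-node` when this demo exits. A guard placed before the trap keeps the "leaves no traces" promise honest: `if [[ -e /var/lib/containers/demo-node ]]; then echo "Error: container demo-node already exists"; exit 1; fi`. If extra-container offers a list command that is the cleaner check, but the data-directory path is the one the script itself already relies on for the final `ls`. The rest of the hunk (the ip_forward and NixOS checks, the MASQUERADE rule with its matching `-D` in postStop) looks fine.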
@@ -0,0 +1,41 @@ +#!/usr/bin/env bash +set -euo pipefail + +# This script demonstrates how to setup a VirtualBox nix-bitcoin node with nixops. +# Running this script leaves no traces on your host system. + +# This demo is a template for your own experiments. +# Feel free to modify or to run nix-shell and execute individual statements of this +# script in the interactive shell. + +if [[ ! -v IN_NIX_SHELL ]]; then + echo "Running script in nix shell env..." + exec nix-shell --run "${BASH_SOURCE[0]}" +fi + +# Cleanup on exit +cleanup() { + set +e + if nixops list | grep -q bitcoin-node; then + nixops destroy --confirm -d bitcoin-node + fi + rm -rf $tmpDir +} +trap "cleanup" EXIT + +tmpDir=/tmp/nix-bitcoin-nixops +mkdir -p $tmpDir + +# Don't write nixops and VirtualBox data to the $USER's home +export HOME=$tmpDir + +# Disable interactive queries and don't write to the $USER's known_hosts file +export NIXOPS_SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" + +nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node +nixops deploy -d bitcoin-node + +# Connect to node +nixops ssh bitcoin-node systemctl status bitcoind + +# Cleanup happens at exit (see above) diff --git a/examples/deploy-qemu-vm.sh b/examples/deploy-qemu-vm.sh new file mode 100755 index 0000000..9267c7b --- /dev/null +++ b/examples/deploy-qemu-vm.sh 
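Review bot: `tmpDir=/tmp/nix-bitcoin-nixops` is a fixed, predictable path in a world-writable directory, and the script then makes it `$HOME`, so everything nixops and VirtualBox keep under the home directory (nixops' deployment state included, which is presumably why HOME is redirected here) lands in a directory another local user can have created first and can read or swap out, and `rm -rf $tmpDir` at exit would delete whatever they put there. `mkdir -p` does not fail on a pre-existing directory owned by someone else, so the fix is `tmpDir=$(mktemp -d /tmp/nix-bitcoin-nixops.XXXXXX)` together with `rm -rf "$tmpDir"` in cleanup. `NIXOPS_SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"` is acceptable for a throwaway local VirtualBox VM, but since the header calls this script a template for own experiments, a comment stating that this line must not be carried over to a remote or cloud backend would be worth adding.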
@@ -0,0 +1,93 @@ +#!/usr/bin/env bash +set -euo pipefail + +# This script demonstrates how to run a nix-bitcoin node in QEMU. +# Running this script leaves no traces on your host system. + +# This demo is a template for your own experiments. +# Feel free to modify or to run nix-shell and execute individual statements of this +# script in the interactive shell. + +# MAKE SURE TO REPLACE the SSH identity file if you use this script for +# anything serious. + +if [[ ! -v IN_NIX_SHELL ]]; then + echo "Running script in nix shell env..." + exec nix-shell --run "${BASH_SOURCE[0]}" +fi + +tmpDir=/tmp/nix-bitcoin-qemu-vm +mkdir -p $tmpDir + +# Cleanup on exit +cleanup() { + set +eu + kill -9 $qemuPID + rm -rf $tmpDir +} +trap "cleanup" EXIT + +identityFile=qemu-vm/id-vm +chmod 0600 $identityFile + +echo "Building VM" +nix-build --out-link $tmpDir/vm - < { + configuration = { + imports = [ + + + ]; + virtualisation.graphics = false; + services.mingetty.autologinUser = "root"; + users.users.root = { + openssh.authorizedKeys.keys = [ "$(cat $identityFile.pub)" ]; + }; + }; +}).vm +EOF + +vmMemoryMiB=2048 +vmNumCPUs=4 +sshPort=60734 + +export NIX_DISK_IMAGE=$tmpDir/img +export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22 +/dev/null & +qemuPID=$! + +# Run command in VM +c() { + ssh -p $sshPort -i $identityFile -o ConnectTimeout=1 \ + -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \ + -o ControlMaster=auto -o ControlPath=$tmpDir/ssh-connection -o ControlPersist=60 \ + root@127.0.0.1 "$@" +} + +echo +echo "Waiting for SSH connection..." +while ! c : 2>/dev/null; do :; done + +echo +echo "Waiting until services are ready..." +c ' +attempts=300 +while ! 
systemctl is-active clightning &> /dev/null; do + ((attempts-- == 0)) && { echo "timeout"; exit 1; } + sleep 0.2 +done +' +echo +echo "Bitcoind service:" +c systemctl status bitcoind +echo +echo "Bitcoind network:" +c bitcoin-cli getnetworkinfo +echo +echo "lightning-cli state:" +c lightning-cli getinfo +echo +echo "Node info:" +c nodeinfo + +# Cleanup happens at exit (see above) diff --git a/examples/nix-bitcoin-release.nix b/examples/nix-bitcoin-release.nix new file mode 100644 index 0000000..a87522d --- /dev/null +++ b/examples/nix-bitcoin-release.nix @@ -0,0 +1 @@ +../. diff --git a/network/network-libvirtd.nix b/examples/nixops/node-libvirtd.nix similarity index 100% rename from network/network-libvirtd.nix rename to examples/nixops/node-libvirtd.nix diff --git a/network/network-vbox.nix b/examples/nixops/node-vbox.nix similarity index 100% rename from network/network-vbox.nix rename to examples/nixops/node-vbox.nix diff --git a/examples/nixops/node.nix b/examples/nixops/node.nix new file mode 100644 index 0000000..d8eac3b --- /dev/null +++ b/examples/nixops/node.nix @@ -0,0 +1,12 @@ +{ + network.description = "Bitcoin Core node"; + + bitcoin-node = { config, pkgs, lib, ... }: { + imports = [ + ../configuration.nix + + ]; + + nix-bitcoin.deployment.secretsDir = toString ../secrets; + }; +} diff --git a/examples/qemu-vm/id-vm b/examples/qemu-vm/id-vm new file mode 100644 index 0000000..ce39161 --- /dev/null +++ b/examples/qemu-vm/id-vm @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpgAAAIgDA7dzAwO3 +cwAAAAtzc2gtZWQyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpg +AAAECuRSsNFRQgAOid87b/2kIhgycAH5nPgZwkY4bUpq7LQFt1r3f9BjAN/g8YmnYqAnXH +Ao+AqEQd4mu5tcB5lY+mAAAABG5vbmUB +-----END OPENSSH PRIVATE KEY----- diff --git a/examples/qemu-vm/id-vm.pub b/examples/qemu-vm/id-vm.pub new file mode 100644 index 0000000..114cbff 
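Review bot: `export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22` leaves the host address empty, and QEMU's user-mode `hostfwd` then listens on all host interfaces, so for the lifetime of the demo port 60734 offers root on the VM to anyone who can reach the host and holds the private key — which is public, since `qemu-vm/id-vm` is committed to the repository in this same commit. Binding to loopback matches how the `c()` helper connects anyway: `export QEMU_NET_OPTS=hostfwd=tcp:127.0.0.1:$sshPort-:22`. The committed key could be dropped altogether by generating a throwaway one into the temp dir before the `nix-build` and pointing `identityFile` at it, `ssh-keygen -q -t ed25519 -N "" -f "$tmpDir/id-vm"`, which also removes the `chmod 0600` on a tracked file. `tmpDir=/tmp/nix-bitcoin-qemu-vm` is a fixed path in shared /tmp that holds the disk image and the SSH ControlPath socket; `mktemp -d` is the safer choice there too. The `nix-build` heredoc is only partially legible here, so I cannot comment on the VM configuration it builds.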
--- /dev/null +++ b/examples/qemu-vm/id-vm.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt1r3f9BjAN/g8YmnYqAnXHAo+AqEQd4mu5tcB5lY+m none diff --git a/examples/shell.nix b/examples/shell.nix new file mode 100644 index 0000000..2298134 --- /dev/null +++ b/examples/shell.nix 
@@ -0,0 +1,46 @@ +let + # This is either a path to a local nix-bitcoin source or an attribute set to + # be used as the fetchurl argument. + nix-bitcoin-release = import ./nix-bitcoin-release.nix; + + nix-bitcoin-path = + if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked + else nix-bitcoin-release; + + nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs; + nixpkgs = import nixpkgs-path {}; + nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {}; + + extraContainer = nixpkgs.callPackage (builtins.fetchTarball { + url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz"; + sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v"; + }) {}; + + nix-bitcoin-unpacked = (import {}).runCommand "nix-bitcoin-src" {} '' + mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out + ''; +in +with nixpkgs; + +stdenv.mkDerivation rec { + name = "nix-bitcoin-environment"; + + buildInputs = [ nix-bitcoin.nixops19_09 figlet extraContainer ]; + + shellHook = '' + export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:." + alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release" + + # ssh-agent and nixops don't play well together (see + # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect + # from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few + # keys already added to my ssh-agent. + export SSH_AUTH_SOCK="" + + figlet "nix-bitcoin" + (mkdir -p secrets; cd secrets; ${nix-bitcoin.generate-secrets}) + + # Don't run this hook when another nix-shell is run inside this shell + unset shellHook + ''; +} diff --git a/helper/fetch-release b/helper/fetch-release new file mode 100755 index 0000000..6529386 --- /dev/null +++ b/helper/fetch-release 
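Review bot: The shellHook runs `mkdir -p secrets` with the ambient umask and then generates secrets into it; unless `generate-secrets` tightens the directory itself (not visible here), the directory and its listing are readable by other users on the machine with a default umask. `(mkdir -p -m 700 secrets; cd secrets; ${nix-bitcoin.generate-secrets})` costs nothing and does not depend on what the generator does. The secrets also land relative to wherever `nix-shell` is invoked, and nothing in the hook enforces a location, so a comment naming the expected directory would help; `export SSH_AUTH_SOCK=""` disables the agent for every command in the shell rather than only nixops, but the existing comment explains the reason well enough.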
@@ -0,0 +1,36 @@ +#! /usr/bin/env nix-shell +#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg +set -euo pipefail + +scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd) + +REPO=fort-nix/nix-bitcoin +if [[ ! -v VERSION ]]; then + VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2) +fi + +TMPDIR=$(mktemp -d) +GPG_HOME=$(mktemp -d) +trap "rm -rf $TMPDIR $GPG_HOME" EXIT + +cd $TMPDIR +BASEURL=https://github.com/$REPO/releases/download/v$VERSION +curl --silent -L -O $BASEURL/SHA256SUMS.txt +curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc + +# Import key and verify fingerprint +gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null +gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null + +gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || { + echo "ERROR: Signature verification failed. Please open an issue in the project repository." + exit 1 +} + +SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+') +cat <" + exit +fi +TAG_NAME=$1 + +RESPONSE=$(curl https://api.github.com/repos/$REPO/releases/latest 2> /dev/null) +echo "Latest release" $(echo $RESPONSE | jq -r '.tag_name' | tail -c +2) +while true; do + read -p "Create release $1? 
[yn] " yn + case $yn in + [Yy]* ) break;; + [Nn]* ) exit;; + * ) echo "Please answer y or n.";; + esac +done + +TMPDIR=$(mktemp -d) +trap "rm -rf $TMPDIR" EXIT +ARCHIVE_NAME=nix-bitcoin-$TAG_NAME.tar.gz +ARCHIVE=$TMPDIR/$ARCHIVE_NAME + +# Need to be in the repositories root directory for archiving +(cd $(git rev-parse --show-toplevel); git archive --format=tar.gz -o $ARCHIVE $BRANCH) + +SHA256SUMS=$TMPDIR/SHA256SUMS.txt +# Want to use relative path with sha256sums because it'll output the first +# argument +(cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS) +gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS + +POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_comitish\": \"$BRANCH\" }" +RESPONSE=$(curl -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases 2> /dev/null) +ID=$(echo $RESPONSE | jq -r '.id') +if [[ $ID == null ]]; then + echo "Failed to create release with $POST_DATA" + exit 1 +fi + +post_asset() { + GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name=" + curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \ + $GH_ASSET/$(basename $1) &> /dev/null +} +post_asset $ARCHIVE +post_asset $SHA256SUMS +post_asset $SHA256SUMS.asc +echo "Successfully created" $(echo $POST_DATA | jq -r .tag_name) diff --git a/modules/deployment/nixops.nix b/modules/deployment/nixops.nix new file mode 100644 index 0000000..50f9468 --- /dev/null +++ b/modules/deployment/nixops.nix 
@@ -0,0 +1,25 @@ +{ config, ... }: +{ + deployment.keys = builtins.mapAttrs (n: v: { + keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}"; + destDir = config.nix-bitcoin.secretsDir; + inherit (v) user group permissions; + }) config.nix-bitcoin.secrets; + + # nixops makes the secrets directory accessible only for users with group 'key'. + # For compatibility with other deployment methods besides nixops, we forego the + # use of the 'key' group and make the secrets dir world-readable instead. + # This is safe because all containing files have their specific private + # permissions set. + systemd.services.allowSecretsDirAccess = { + requires = [ "keys.target" ]; + after = [ "keys.target" ]; + script = "chmod o+x ${config.nix-bitcoin.secretsDir}"; + serviceConfig.Type = "oneshot"; + }; + + systemd.targets.nix-bitcoin-secrets = { + requires = [ "allowSecretsDirAccess.service" ]; + after = [ "allowSecretsDirAccess.service" ]; + }; +} diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index c79ca52..b066393 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -15,6 +15,13 @@ in description = "Directory to store secrets"; }; + deployment.secretsDir = mkOption { + type = types.path; + description = '' + Directory of local secrets that are transfered to the nix-bitcoin node on deployment + ''; + }; + secrets = mkOption { default = {}; type = with types; attrsOf (submodule ( diff --git a/network/network.nix b/network/network.nix deleted file mode 100644 index fa69939..0000000 --- a/network/network.nix +++ /dev/null 
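Review bot: `deployment.secretsDir` is declared as `types.path`, but the nixops module on this same line uses it inside the string `"${config.nix-bitcoin.deployment.secretsDir}/${n}"`; as I read the type, `types.path` accepts a path literal, and interpolating a path literal into a string makes Nix copy the whole directory into the Nix store, which is world-readable on the deploying machine. The example `node.nix` avoids this with `toString ../secrets`, but nothing in the option stops a user from writing `secretsDir = ../secrets;`. Either declare it `type = types.str;` so a path literal is rejected at evaluation time, or keep `types.path` and warn in the description, e.g. `Directory of local secrets that are transferred to the nix-bitcoin node on deployment. Pass it as a string (toString ./secrets), not as a path literal, otherwise the secrets are copied into the world-readable Nix store.` — which also fixes the "transfered" typo.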
@@ -1,31 +0,0 @@ -{ - network.description = "Bitcoin Core node"; - - bitcoin-node = - { config, pkgs, lib, ... }: { - imports = [ ../configuration.nix ]; - - deployment.keys = builtins.mapAttrs (n: v: { - keyFile = "${toString ../secrets}/${n}"; - destDir = config.nix-bitcoin.secretsDir; - inherit (v) user group permissions; - }) config.nix-bitcoin.secrets; - - # nixops makes the secrets directory accessible only for users with group 'key'. - # For compatibility with other deployment methods besides nixops, we forego the - # use of the 'key' group and make the secrets dir world-readable instead. - # This is safe because all containing files have their specific private - # permissions set. - systemd.services.allowSecretsDirAccess = { - requires = [ "keys.target" ]; - after = [ "keys.target" ]; - script = "chmod o+x ${config.nix-bitcoin.secretsDir}"; - serviceConfig.Type = "oneshot"; - }; - - systemd.targets.nix-bitcoin-secrets = { - requires = [ "allowSecretsDirAccess.service" ]; - after = [ "allowSecretsDirAccess.service" ]; - }; - }; -} diff --git a/pkgs/nixops/release.nix.patch b/pkgs/nixops/release.nix.patch index c54432a..734159b 100644 --- a/pkgs/nixops/release.nix.patch +++ b/pkgs/nixops/release.nix.patch @@ -43,3 +43,14 @@ ('destDir', 'string'), ('user', 'string'), ('group', 'string'), + +--- a/nixops/ssh_util.py ++++ b/nixops/ssh_util.py +@@ -278,6 +278,7 @@ class SSH(object): + + 'timeout' specifies the SSH connection timeout. + """ ++ flags = shlex.split(os.getenv('NIXOPS_SSH_OPTS', '')) + flags + master = self.get_master(flags, timeout, user) + flags = flags + self._get_flags() + if logged: diff --git a/shell.nix b/shell.nix index 45ab264..07a6f2d 100644 --- a/shell.nix +++ b/shell.nix 
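Review bot: The added line `flags = shlex.split(os.getenv('NIXOPS_SSH_OPTS', '')) + flags` in ssh_util.py relies on `shlex` and `os` already being imported there; the hunk adds no import, so if the file lacks either one this fails with a NameError on the first SSH call rather than when the patch is applied — worth confirming against the pinned nixops source. Because ssh uses the first value it is given for an option, prepending the environment flags lets NIXOPS_SSH_OPTS override nixops' own `-o` settings; that appears intended (the new deploy-nixops example exports it to relax host-key checking) and deserves a one-line comment such as `# NIXOPS_SSH_OPTS comes first so user-supplied -o options take precedence over ours`. The enclosing method starts and ends outside the hunk.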
@@ -1,24 +1,12 @@ let nixpkgs = (import ./pkgs/nixpkgs-pinned.nix).nixpkgs; in -with import nixpkgs { }; +with import nixpkgs {}; stdenv.mkDerivation rec { name = "nix-bitcoin-environment"; - nixops19_09 = callPackage ./pkgs/nixops {}; - make-secrets = callPackage ./pkgs/generate-secrets/update-and-generate.nix {}; - - buildInputs = [ nixops19_09 figlet ]; - shellHook = '' - export NIX_PATH="nixpkgs=${nixpkgs}:." - # ssh-agent and nixops don't play well together (see - # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect - # from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few - # keys already added to my ssh-agent. - export SSH_AUTH_SOCK="" - figlet "nix-bitcoin" - (mkdir -p secrets; cd secrets; ${make-secrets}) + export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=./:." ''; }
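Review bot: `nix-bitcoin=./` in the new `NIX_PATH` is a relative search-path entry, and Nix resolves those against the current working directory, so `<nix-bitcoin/...>` only works while the shell's cwd is the repository root and silently points elsewhere after a `cd`. `examples/shell.nix` in this same commit uses an absolute `${toString nix-bitcoin-path}`; the root shell should do the same: `export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=${toString ./.}:."`. The hunk also drops secrets generation and nixops from this shell without saying where they went; a short comment such as `# nixops and secrets generation now live in examples/shell.nix` would save the next reader the search.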