Merge #136: Change the nix-bitcoin deployment from forking this repo to importing the module

b2e15c17b8 docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db9 Add fetch-release script (Jonas Nick)
c303cd47e4 Add push-release.sh helper (Jonas Nick)
705d187a35 examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be656 docs: Remove duplicate instructions (Jonas Nick)
455c5664c9 docs: Replace tabs with spaces (Jonas Nick)
8aa4714979 docs: Update NixOS version (Jonas Nick)
9df22a2764 add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced1994 README: Add Example section (Jonas Nick)
44ccbb91d0 Clean up development shell.nix (Jonas Nick)
abcee651d3 add deploy-container.sh (Erik Arvstedt)
5dadea310c add deploy-nixops.sh (Erik Arvstedt)
0c74c365de mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef move main module import to configuration.nix (Erik Arvstedt)
0c0978c007 extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498 Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
This commit is contained in:
Jonas Nick 2020-04-08 15:03:00 +00:00
commit 9239268ab6
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
23 changed files with 833 additions and 459 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
/secrets/
/example/secrets/

View File

@ -4,7 +4,7 @@ nix-bitcoin
[![Build Status](https://travis-ci.org/fort-nix/nix-bitcoin.svg?branch=master)](https://travis-ci.org/fort-nix/nix-bitcoin)
Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security.
This is a work in progress - don't expect it to be bug free or secure.
This is a work in progress - don't expect it to be bug-free, secure or stable.
The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet.
A simple webpage shows the lightning nodeid and links to nanopos letting the user receive donations.
@ -24,6 +24,30 @@ The goal is to make it easy to deploy a reasonably secure Bitcoin node with a us
It should allow managing bitcoin (the currency) effectively and providing public infrastructure.
It should be a reproducible and extensible platform for applications building on Bitcoin.
Example
---
The easiest way to try out nix-bitcoin is to use one of the provided examples.
```
git clone https://github.com/fort-nix/nix-bitcoin
cd examples/
nix-shell
```
The following example scripts set up a nix-bitcoin node according to `examples/configuration.nix` and then
shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.
- `./deploy-container.sh` creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\
This is the fastest way to set up a node.\
Requires: [NixOS](https://nixos.org/)
- `./deploy-qemu-vm.sh` creates a QEMU VM.\
Requires: [Nix](https://nixos.org/nix/)
- `./deploy-nixops.sh` creates a VirtualBox VM via [NixOps](https://github.com/NixOS/nixops).\
NixOps can be used to deploy to various other backends like cloud providers.\
Requires: [Nix](https://nixos.org/nix/), [VirtualBox](https://www.virtualbox.org)
Available modules
---
By default the `configuration.nix` provides:
@ -48,8 +72,6 @@ The data directories of the services can be found in `/var/lib` on the deployed
Installation
---
The easiest way is to run `nix-shell` (on a Linux machine) in the nix-bitcoin directory and then create a [NixOps](https://nixos.org/nixops/manual/) deployment with the provided `network.nix` in the `network` directory.
Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell.
See [install.md](docs/install.md) for a detailed tutorial.
Security

View File

@ -84,33 +84,57 @@ You can also build Nix from source by following the instructions at https://nixo
This eliminates an attack vector where nix's build server or binary cache is compromised.
## 3. Nixops deployment
## 3. Setup deployment directory
1. Clone this project
```
cd
git clone https://github.com/fort-nix/nix-bitcoin
cd ~/nix-bitcoin
```
2. Setup environment
2. Obtain the hash of the latest nix-bitcoin release
```
cd nix-bitcoin/examples
nix-shell
```
This will download the nix-bitcoin dependencies and might take a while without giving an output.
Now in the nix-shell run
```
fetch-release > nix-bitcoin-release.nix
```
3. Create a new directory for your nix-bitcoin deployment and copy initial files from nix-bitcoin
```
cd ../../
mkdir nix-bitcoin-node
cd nix-bitcoin-node
cp -r ../nix-bitcoin/examples/{configuration.nix,nixops,shell.nix,nix-bitcoin-release.nix} .
```
## 4. Deploy with NixOps
1. Enter environment
```
nix-shell
```
This will set up your nix-bitcoin environment and might take a while without giving an output.
Note that a new directory `secrets/` appeared which contains the secrets for your node.
3. Create nixops deployment in nix-shell.
2. Create nixops deployment in nix-shell.
```
nixops create network/network.nix network/network-vbox.nix -d bitcoin-node
nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
```
4. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
3. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
5. Deploy Nixops in nix-shell
4. Deploy Nixops in nix-shell
```
nixops deploy -d bitcoin-node
@ -118,7 +142,7 @@ You can also build Nix from source by following the instructions at https://nixo
This will now create a nix-bitcoin node on the target machine.
6. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
5. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
```
nixops ssh operator@bitcoin-node
@ -128,7 +152,7 @@ See [usage.md](usage.md) for usage instructions, such as how to update.
To resize the VM disk image, you can use this helper script from within nix-shell:
```
./helper/vbox-resize-disk1.sh --help
../nix-bitcoin/helper/vbox-resize-disk1.sh --help
```
----
@ -193,17 +217,19 @@ Tutorial: install and configure NixOS for nix-bitcoin on your own hardware
This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.html#ch-installation). Look there for more information.
1. Obtain latest NixOS. For example:
1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example:
```
wget https://releases.nixos.org/nixos/19.03/nixos-19.03.172538.7bb74e65365/nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso
wget https://releases.nixos.org/nixos/19.09/nixos-19.09.2284.bf7c0f0461e/nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
sha256sum nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
# output: 9768eb945bef410fccfb82cb3d2e7ce7c02c3430aed0f2f1527273cb080fff3e
```
Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd.
2. Write NixOS iso to install media (USB/CD). For example:
```
dd if=nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso of=/dev/sdX
cp nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso /dev/sdX
```
Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l`
@ -318,55 +344,20 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
reboot
```
## 2. nix-bitcoin installation
On the machine you are deploying from:
You can also build Nix from source by following the instructions at https://nixos.org/nix/manual/#ch-installing-source.
## 2. Nix installation
Follow the [Nix installation](#2-nix-installation) instructions from the tutorial above (on the machine you are going to deploy from).
1. Install Dependencies (Debian 9 stretch)
## 3. Setup deployment directory
Follow the [Setup deployment directory](#3-setup-deployment-directory) instructions from the tutorial above (on the machine you are going to deploy from).
## 4. Deploy with NixOps
1. Make sure you are in the deployment directory and create a nixops network file as follows
```
sudo apt-get install curl git gnupg2 dirmngr
```
2. Install Latest Nix with GPG Verification
```
curl -o install-nix https://nixos.org/nix/install
curl -o install-nix.sig https://nixos.org/nix/install.sig
gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg2 --verify ./install-nix.sig
sh ./install-nix --daemon
. /home/user/.nix-profile/etc/profile.d/nix.sh
```
Then follow the instructions. Open a new terminal window when you're done.
If you get an error similar to
```
error: cloning builder process: Operation not permitted
error: unable to start build process
/tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile
```
you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script.
3. Optional: Disallow substitutes
You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source.
This eliminates an attack vector where nix's build server or binary cache is compromised.
4. Clone this project
```
cd
git clone https://github.com/fort-nix/nix-bitcoin
cd ~/nix-bitcoin
```
5. Create network file
```
nano network/network-nixos.nix
nano nixops/node-nixos.nix
```
```
@ -380,7 +371,7 @@ You can also build Nix from source by following the instructions at https://nixo
Replace 1.2.3.4 with NixOS machine's IP address.
6. Edit `configuration.nix`
2. Edit `configuration.nix`
```
nano configuration.nix
@ -388,14 +379,14 @@ You can also build Nix from source by following the instructions at https://nixo
Uncomment `./hardware-configuration.nix` line by removing #.
7. Create `hardware-configuration.nix`
3. Create `hardware-configuration.nix`
```
nano hardware-configuration.nix
```
Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file.
8. Add boot option to `hardware-configuration.nix`
4. Add boot option to `hardware-configuration.nix`
Option 1: Enable systemd boot for UEFI
```
@ -403,27 +394,26 @@ You can also build Nix from source by following the instructions at https://nixo
```
Option 2: Set grub device for Legacy Boot (MBR)
```
```
boot.loader.grub.device = "/dev/sda";
```
9. Setup environment
5. Enter environment
```
nix-shell
```
This will set up your nix-bitcoin environment and might take a while without giving an output.
Note that a new directory `secrets/` appeared which contains the secrets for your node.
10. Create nixops deployment in nix-shell.
6. Create nixops deployment in nix-shell.
```
nixops create network/network.nix network/network-nixos.nix -d bitcoin-node
nixops create nixops/node.nix nixops/node-nixos.nix -d bitcoin-node
```
11. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
7. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
12. Deploy Nixops in nix-shell
8. Deploy Nixops in nix-shell
```
nixops deploy -d bitcoin-node
@ -431,7 +421,7 @@ You can also build Nix from source by following the instructions at https://nixo
This will now create a nix-bitcoin node on the target machine.
13. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
9. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
```
nixops ssh operator@bitcoin-node

View File

@ -1,28 +1,10 @@
Updating
---
Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`.
In your deployment directory, enter the nix shell with `nix-shell` and run
### Verifying GPG Signatures (recommended)
1. Import jonasnick's gpg key
```
gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
```
2. Trust jonasnick's gpg key
```
gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
trust
4
quit
```
3. Verify commit after `git pull`
```
git verify-commit <hash of latest commit>
```
```
fetch-release > nix-bitcoin-release.nix
```
Nodeinfo
---

View File

@ -4,11 +4,12 @@
{ config, pkgs, lib, ... }: {
imports = [
./modules/nix-bitcoin.nix
<nix-bitcoin/modules/nix-bitcoin.nix>
# Use hardened kernel profile. See
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
# for the enabled options.
# FIXME: The hardened kernel profile improves security but
# decreases performance by ~50%.
# Turn it off when not needed.
# Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
<nixpkgs/nixos/modules/profiles/hardened.nix>
# FIXME: Uncomment next line to import your hardware configuration. If so,

83
examples/deploy-container.sh Executable file
View File

@ -0,0 +1,83 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to setup a nix-bitcoin node in a NixOS container.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
if [[ $(sysctl -n net.ipv4.ip_forward) != 1 ]]; then
echo "Error: IP forwarding (net.ipv4.ip_forward) is not enabled"
exit 1
fi
if [[ ! -e /run/current-system/nixos-version ]]; then
echo "Error: This script needs NixOS to run"
exit 1
fi
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
# Cleanup on exit
cleanup() {
echo
echo "Deleting container..."
sudo extra-container destroy demo-node
}
trap "cleanup" EXIT
# Build container.
# You can re-run this command with a changed container config.
# The running container is then switched to the new config.
# Learn more: https://github.com/erikarvstedt/extra-container
#
sudo extra-container create --start <<'EOF'
{ pkgs, lib, ... }: let
containerName = "demo-node"; # container name length is limited to 11 chars
localAddress = "10.250.0.2"; # container address
hostAddress = "10.250.0.1";
in {
containers.${containerName} = {
privateNetwork = true;
inherit localAddress hostAddress;
config = { pkgs, config, lib, ... }: {
imports = [
<nix-bitcoin/examples/configuration.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
];
# Speed up evaluation
documentation.nixos.enable = false;
};
};
# Allow WAN access
systemd.services."container@${containerName}" = {
preStart = "${pkgs.iptables}/bin/iptables -w -t nat -A POSTROUTING -s ${localAddress} -j MASQUERADE";
# Delete rule
postStop = "${pkgs.iptables}/bin/iptables -w -t nat -D POSTROUTING -s ${localAddress} -j MASQUERADE || true";
};
}
EOF
# Run command in container
c() { sudo extra-container run demo-node -- "$@" | cat; }
echo
echo "Bitcoind service:"
c systemctl status bitcoind
echo
echo "Bitcoind network:"
c bitcoin-cli getnetworkinfo
echo
echo "lightning-cli state:"
c lightning-cli getinfo
echo
echo "Node info:"
c nodeinfo
echo
echo "Bitcoind data dir:"
sudo ls -al /var/lib/containers/demo-node/var/lib/bitcoind
# Cleanup happens at exit (see above)

41
examples/deploy-nixops.sh Executable file
View File

@ -0,0 +1,41 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to setup a VirtualBox nix-bitcoin node with nixops.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
# Cleanup on exit
cleanup() {
set +e
if nixops list | grep -q bitcoin-node; then
nixops destroy --confirm -d bitcoin-node
fi
rm -rf $tmpDir
}
trap "cleanup" EXIT
tmpDir=/tmp/nix-bitcoin-nixops
mkdir -p $tmpDir
# Don't write nixops and VirtualBox data to the $USER's home
export HOME=$tmpDir
# Disable interactive queries and don't write to the $USER's known_hosts file
export NIXOPS_SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
nixops deploy -d bitcoin-node
# Connect to node
nixops ssh bitcoin-node systemctl status bitcoind
# Cleanup happens at exit (see above)

93
examples/deploy-qemu-vm.sh Executable file
View File

@ -0,0 +1,93 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to run a nix-bitcoin node in QEMU.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
# MAKE SURE TO REPLACE the SSH identity file if you use this script for
# anything serious.
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
tmpDir=/tmp/nix-bitcoin-qemu-vm
mkdir -p $tmpDir
# Cleanup on exit
cleanup() {
set +eu
kill -9 $qemuPID
rm -rf $tmpDir
}
trap "cleanup" EXIT
identityFile=qemu-vm/id-vm
chmod 0600 $identityFile
echo "Building VM"
nix-build --out-link $tmpDir/vm - <<EOF
(import <nixpkgs/nixos> {
configuration = {
imports = [
<nix-bitcoin/examples/configuration.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
];
virtualisation.graphics = false;
services.mingetty.autologinUser = "root";
users.users.root = {
openssh.authorizedKeys.keys = [ "$(cat $identityFile.pub)" ];
};
};
}).vm
EOF
vmMemoryMiB=2048
vmNumCPUs=4
sshPort=60734
export NIX_DISK_IMAGE=$tmpDir/img
export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22
</dev/null $tmpDir/vm/bin/run-*-vm -m $vmMemoryMiB -smp $vmNumCPUs &>/dev/null &
qemuPID=$!
# Run command in VM
c() {
ssh -p $sshPort -i $identityFile -o ConnectTimeout=1 \
-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \
-o ControlMaster=auto -o ControlPath=$tmpDir/ssh-connection -o ControlPersist=60 \
root@127.0.0.1 "$@"
}
echo
echo "Waiting for SSH connection..."
while ! c : 2>/dev/null; do :; done
echo
echo "Waiting until services are ready..."
c '
attempts=300
while ! systemctl is-active clightning &> /dev/null; do
((attempts-- == 0)) && { echo "timeout"; exit 1; }
sleep 0.2
done
'
echo
echo "Bitcoind service:"
c systemctl status bitcoind
echo
echo "Bitcoind network:"
c bitcoin-cli getnetworkinfo
echo
echo "lightning-cli state:"
c lightning-cli getinfo
echo
echo "Node info:"
c nodeinfo
# Cleanup happens at exit (see above)

View File

@ -0,0 +1 @@
../.

12
examples/nixops/node.nix Normal file
View File

@ -0,0 +1,12 @@
{
network.description = "Bitcoin Core node";
bitcoin-node = { config, pkgs, lib, ... }: {
imports = [
../configuration.nix
<nix-bitcoin/modules/deployment/nixops.nix>
];
nix-bitcoin.deployment.secretsDir = toString ../secrets;
};
}

7
examples/qemu-vm/id-vm Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpgAAAIgDA7dzAwO3
cwAAAAtzc2gtZWQyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpg
AAAECuRSsNFRQgAOid87b/2kIhgycAH5nPgZwkY4bUpq7LQFt1r3f9BjAN/g8YmnYqAnXH
Ao+AqEQd4mu5tcB5lY+mAAAABG5vbmUB
-----END OPENSSH PRIVATE KEY-----

View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt1r3f9BjAN/g8YmnYqAnXHAo+AqEQd4mu5tcB5lY+m none

46
examples/shell.nix Normal file
View File

@ -0,0 +1,46 @@
let
# This is either a path to a local nix-bitcoin source or an attribute set to
# be used as the fetchurl argument.
nix-bitcoin-release = import ./nix-bitcoin-release.nix;
nix-bitcoin-path =
if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
else nix-bitcoin-release;
nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
nixpkgs = import nixpkgs-path {};
nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
extraContainer = nixpkgs.callPackage (builtins.fetchTarball {
url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
}) {};
nix-bitcoin-unpacked = (import <nixpkgs> {}).runCommand "nix-bitcoin-src" {} ''
mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
'';
in
with nixpkgs;
stdenv.mkDerivation rec {
name = "nix-bitcoin-environment";
buildInputs = [ nix-bitcoin.nixops19_09 figlet extraContainer ];
shellHook = ''
export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
# ssh-agent and nixops don't play well together (see
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
# from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
# keys already added to my ssh-agent.
export SSH_AUTH_SOCK=""
figlet "nix-bitcoin"
(mkdir -p secrets; cd secrets; ${nix-bitcoin.generate-secrets})
# Don't run this hook when another nix-shell is run inside this shell
unset shellHook
'';
}

36
helper/fetch-release Executable file
View File

@ -0,0 +1,36 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg
set -euo pipefail
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
REPO=fort-nix/nix-bitcoin
if [[ ! -v VERSION ]]; then
VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2)
fi
TMPDIR=$(mktemp -d)
GPG_HOME=$(mktemp -d)
trap "rm -rf $TMPDIR $GPG_HOME" EXIT
cd $TMPDIR
BASEURL=https://github.com/$REPO/releases/download/v$VERSION
curl --silent -L -O $BASEURL/SHA256SUMS.txt
curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc
# Import key and verify fingerprint
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
echo "ERROR: Signature verification failed. Please open an issue in the project repository."
exit 1
}
SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')
cat <<EOF
{
url = "$BASEURL/nix-bitcoin-$VERSION.tar.gz";
sha256 = "$SHA256";
}
EOF

BIN
helper/key-jonasnick.bin Normal file

Binary file not shown.

59
helper/push-release.sh Executable file
View File

@ -0,0 +1,59 @@
#!/usr/bin/env bash
set -euo pipefail
REPO=fort-nix/nix-bitcoin
BRANCH=master
OAUTH_TOKEN=$(pass show nix-bitcoin/github/oauth-token)
if [[ ! $OAUTH_TOKEN ]]; then
echo "Please set OAUTH_TOKEN variable"
fi
if [[ $# < 1 ]]; then
echo "$0 <tag_name>"
exit
fi
TAG_NAME=$1
RESPONSE=$(curl https://api.github.com/repos/$REPO/releases/latest 2> /dev/null)
echo "Latest release" $(echo $RESPONSE | jq -r '.tag_name' | tail -c +2)
while true; do
read -p "Create release $1? [yn] " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer y or n.";;
esac
done
TMPDIR=$(mktemp -d)
trap "rm -rf $TMPDIR" EXIT
ARCHIVE_NAME=nix-bitcoin-$TAG_NAME.tar.gz
ARCHIVE=$TMPDIR/$ARCHIVE_NAME
# Need to be in the repositories root directory for archiving
(cd $(git rev-parse --show-toplevel); git archive --format=tar.gz -o $ARCHIVE $BRANCH)
SHA256SUMS=$TMPDIR/SHA256SUMS.txt
# Want to use relative path with sha256sums because it'll output the first
# argument
(cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS)
gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS
POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_comitish\": \"$BRANCH\" }"
RESPONSE=$(curl -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases 2> /dev/null)
ID=$(echo $RESPONSE | jq -r '.id')
if [[ $ID == null ]]; then
echo "Failed to create release with $POST_DATA"
exit 1
fi
post_asset() {
GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name="
curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
$GH_ASSET/$(basename $1) &> /dev/null
}
post_asset $ARCHIVE
post_asset $SHA256SUMS
post_asset $SHA256SUMS.asc
echo "Successfully created" $(echo $POST_DATA | jq -r .tag_name)

View File

@ -0,0 +1,25 @@
{ config, ... }:
{
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
destDir = config.nix-bitcoin.secretsDir;
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
}

View File

@ -15,6 +15,13 @@ in
description = "Directory to store secrets";
};
deployment.secretsDir = mkOption {
type = types.path;
description = ''
Directory of local secrets that are transfered to the nix-bitcoin node on deployment
'';
};
secrets = mkOption {
default = {};
type = with types; attrsOf (submodule (

View File

@ -1,31 +0,0 @@
{
network.description = "Bitcoin Core node";
bitcoin-node =
{ config, pkgs, lib, ... }: {
imports = [ ../configuration.nix ];
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${toString ../secrets}/${n}";
destDir = config.nix-bitcoin.secretsDir;
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
};
}

View File

@ -43,3 +43,14 @@
('destDir', 'string'),
('user', 'string'),
('group', 'string'),
--- a/nixops/ssh_util.py
+++ b/nixops/ssh_util.py
@@ -278,6 +278,7 @@ class SSH(object):
'timeout' specifies the SSH connection timeout.
"""
+ flags = shlex.split(os.getenv('NIXOPS_SSH_OPTS', '')) + flags
master = self.get_master(flags, timeout, user)
flags = flags + self._get_flags()
if logged:

View File

@ -1,24 +1,12 @@
let
nixpkgs = (import ./pkgs/nixpkgs-pinned.nix).nixpkgs;
in
with import nixpkgs { };
with import nixpkgs {};
stdenv.mkDerivation rec {
name = "nix-bitcoin-environment";
nixops19_09 = callPackage ./pkgs/nixops {};
make-secrets = callPackage ./pkgs/generate-secrets/update-and-generate.nix {};
buildInputs = [ nixops19_09 figlet ];
shellHook = ''
export NIX_PATH="nixpkgs=${nixpkgs}:."
# ssh-agent and nixops don't play well together (see
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
# from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
# keys already added to my ssh-agent.
export SSH_AUTH_SOCK=""
figlet "nix-bitcoin"
(mkdir -p secrets; cd secrets; ${make-secrets})
export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=./:."
'';
}