From 52aaa8388e1faef7ba0074217fe20e7b47e9a914 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 13 Sep 2021 10:19:30 +0200
Subject: [PATCH 1/4] fetch-release: write error messages to stderr
Previously, when used to update `nix-bitcoin-release`, the error wasn't displayed but instead written to `nix-bitcoin-release`. Also, show curl error messages.
---
 helper/fetch-release | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/helper/fetch-release b/helper/fetch-release
index 2fe87ee..dfac325 100755
--- a/helper/fetch-release
+++ b/helper/fetch-release
@@ -6,7 +6,7 @@ scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
 repo=fort-nix/nix-bitcoin
 if [[ ! -v version ]]; then
- version=$(curl --silent "https://api.github.com/repos/$repo/releases/latest" | jq -r '.tag_name' | tail -c +2)
+ version=$(curl -s --show-error "https://api.github.com/repos/$repo/releases/latest" | jq -r '.tag_name' | tail -c +2)
 fi
 TMPDIR=$(mktemp -d)
@@ -23,12 +23,12 @@ gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /
 # Fetch nar-hash of release
 cd $TMPDIR
 baseUrl=https://github.com/$repo/releases/download/v$version
-curl --silent -L -O $baseUrl/nar-hash.txt
-curl --silent -L -O $baseUrl/nar-hash.txt.asc
+curl -s --show-error -L -O $baseUrl/nar-hash.txt
+curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
 # Verify signature for nar-hash
 gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
- echo "Error: Signature verification failed. Please open an issue in the project repository."
+ >&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
 exit 1
 }
From 77af2e45389f02595f8c5d8c11a1aef0c3bb9528 Mon Sep 17 00:00:00 2001
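Review bot: The added `--show-error` prints curl's message on the `version=` line, but the pipeline's exit status is that of `tail`, so a failed API request still leaves `version` set to whatever `jq` produced (for instance `ull`, from `null` after `tail -c +2`) and the script carries on with a bogus release URL unless `set -o pipefail` is in effect somewhere outside the hunk. Making the step self-contained needs only a fail flag and a check: `version=$(curl -s --show-error --fail "https://api.github.com/repos/$repo/releases/latest" | jq -r '.tag_name // empty' | tail -c +2)` followed by `[[ -n $version ]] || { >&2 echo "Error: could not determine the latest release."; exit 1; }`. The same `--fail` is missing on the two `curl -s --show-error -L -O` lines in the second hunk of this file, where a 404 would otherwise be saved as nar-hash.txt and surface only later as a signature-verification error rather than a download error. The script's `set` options, if any, are outside both hunks.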
From: Erik Arvstedt
Date: Mon, 13 Sep 2021 10:23:49 +0200
Subject: [PATCH 2/4] makeShell: improve `update-nix-bitcoin`
- Don't overwrite `nix-bitcoin-release.nix` on errors
- Show a message to indicate whether `nix-bitcoin-release.nix` was updated
- Don't start a shell when called noninteractively
Also, update `usage.md` and reformat `shell.nix`.
---
 docs/usage.md | 5 +++--
 examples/shell.nix | 2 +-
 helper/makeShell.nix | 29 +++++++++++++++++++++--------
 3 files changed, 25 insertions(+), 11 deletions(-)
diff --git a/docs/usage.md b/docs/usage.md
index 9130e26..f7612e5 100644
--- a/docs/usage.md
+++ b/docs/usage.md
@@ -1,9 +1,10 @@
 Updating
 ---
-In your deployment directory, enter the nix shell with `nix-shell` and run
+In your deployment directory, enter the nix shell with `nix-shell` and run the
+following to update `nix-bitcoin-release.nix`:
 ```
-fetch-release > nix-bitcoin-release.nix
+update-nix-bitcoin
 ```
 Nodeinfo
diff --git a/examples/shell.nix b/examples/shell.nix
index d378e67..882fc2f 100644
--- a/examples/shell.nix
+++ b/examples/shell.nix
@@ -4,5 +4,5 @@ in
 import "${nix-bitcoin}/helper/makeShell.nix" {
 configDir = ./.;
 # Set this to modify your shell
- # extraShellInitCmds = (pkgs: '''');
+ # extraShellInitCmds = pkgs: '''';
 }
diff --git a/helper/makeShell.nix b/helper/makeShell.nix
index c674d82..ab92b68 100644
--- a/helper/makeShell.nix
+++ b/helper/makeShell.nix
@@ -17,6 +17,11 @@ stdenv.mkDerivation rec {
 export NIX_BITCOIN_EXAMPLES_DIR="${cfgDir}"
+ # Set isInteractive=1 if
+ # 1. stdout is a TTY, i.e. we're not piping the output
+ # 2. the shell is interactive
+ if [[ -t 1 && $- == *i* ]]; then isInteractive=1; else isInteractive=; fi
+
 help() {
 echo "nix-bitcoin path: ${toString ../.}"
 echo
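Review bot: `isInteractive` is evaluated once when the shell hook runs, so the `-t 1` half of the test no longer describes the stdout of the command that later consults it; `update-nix-bitcoin > log` or `update-nix-bitcoin | tee …` in the next hunk of this file would still see `isInteractive=1` and `exec nix-shell`, whereas the removed welcome-message check tested the TTY at the point of use. If the intent is only to detect a non-interactive invocation of the hook, the comment should say so, e.g. `# Evaluated once at shell start; commands run later inherit this even if their own stdout is redirected`; otherwise re-test `[[ -t 1 ]]` where the decision is actually made. The shell hook string this sits in starts before the hunk.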
@@ -47,10 +52,21 @@ stdenv.mkDerivation rec {
 ${toString ./fetch-release}
 }
- update-nix-bitcoin() {
- fetch-release > "${cfgDir}/nix-bitcoin-release.nix"
- exec nix-shell
- }
+ update-nix-bitcoin() {(
+ set -euo pipefail
+ releaseFile="${cfgDir}/nix-bitcoin-release.nix"
+ current=$(cat "$releaseFile" 2>/dev/null || true)
+ new=$(fetch-release)
+ if [[ $new == $current ]]; then
+ echo "nix-bitcoin-release.nix already contains the latest release"
+ else
+ echo "$new" > "$releaseFile"
+ echo "Updated nix-bitcoin-release.nix"
+ if [[ $isInteractive ]]; then
+ exec nix-shell
+ fi
+ fi
+ )}
 generate-secrets() {(
 set -euo pipefail
@@ -94,10 +110,7 @@ stdenv.mkDerivation rec {
 done
 }
- # Print welcome message if
- # 1. stdout is a TTY, i.e. we're not piping the output
- # 2. the shell is interactive
- if [[ -t 1 && $- == *i* ]]; then
+ if [[ $isInteractive ]]; then
 ${figlet}/bin/figlet "nix-bitcoin"
 echo 'Enter "h" or "help" for documentation.'
 fi
From 7356a34d88c09c3363a693c9510cf62e5a8e4e6c Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 13 Sep 2021 14:07:08 +0200
Subject: [PATCH 3/4] docs/install.md: update
---
 docs/install.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/docs/install.md b/docs/install.md
index 4af65cf..b3c7fac 100644
--- a/docs/install.md
+++ b/docs/install.md
@@ -311,12 +311,10 @@ You can also build Nix from source by following the instructions at https://nixo
 nix-shell
 ```
- NOTE that a new directory `secrets/` appeared which contains the secrets for your node.
-
 7. Deploy with krops in nix-shell
 ```
- krops-deploy
+ deploy
 ```
 This will now create a nix-bitcoin node on the target machine.
From b49c74545fb57a429339dc448bb2c0f6a1cb3734 Mon Sep 17 00:00:00 2001
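Review bot: `exec nix-shell` on the new side runs inside the `( … )` body that the rewritten update-nix-bitcoin wraps itself in, so it replaces only that subshell; the interactive shell that called the function keeps running with the stale release on its PATH, and when the freshly started nix-shell exits the user lands back in it, whereas the removed version exec'd the calling shell directly. The subshell looks chosen to scope `set -euo pipefail` (generate-secrets just below uses the same `{(` pattern), so one option is a plain function body with explicit status checks and the exec at the end, as sketched below. Independently of that, the comparison should quote its right-hand side, `if [[ $new == "$current" ]]; then`, because an unquoted right operand of `==` inside `[[` is matched as a glob pattern rather than compared as a string. The `set -euo pipefail` is also dropped in the sketch because it cannot be enabled in the interactive shell, so each step carries its own check instead.

```bash
update-nix-bitcoin() {
  local releaseFile="${cfgDir}/nix-bitcoin-release.nix" new current
  # Leave the release file untouched when fetch-release fails or prints nothing
  if ! new=$(fetch-release) || [[ -z $new ]]; then
    >&2 echo "Error: could not fetch the latest release."
    return 1
  fi
  current=$(cat "$releaseFile" 2>/dev/null || true)
  if [[ $new == "$current" ]]; then
    echo "nix-bitcoin-release.nix already contains the latest release"
    return 0
  fi
  echo "$new" > "$releaseFile"
  echo "Updated nix-bitcoin-release.nix"
  # Runs in the calling shell, so exec replaces it as the old version did
  if [[ $isInteractive ]]; then
    exec nix-shell
  fi
}
```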
From: Erik Arvstedt
Date: Mon, 13 Sep 2021 15:29:32 +0200
Subject: [PATCH 4/4] fetch-release: make GPG key searchable
The non-spaced version gives no matches in major search engines. This is useful for auditing this script.
---
 helper/fetch-release | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helper/fetch-release b/helper/fetch-release
index dfac325..dce8a16 100755
--- a/helper/fetch-release
+++ b/helper/fetch-release
@@ -18,7 +18,7 @@ mkdir -p -m 700 "$GPG_HOME"
 # Import key
 gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
 # Verify key fingerprint
-gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
+gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
 # Fetch nar-hash of release
 cd $TMPDIR
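Review bot: The fingerprint check on the new line still discards the result of `gpg --list-keys`, so whether a missing or wrong key stops the script depends on `set -e` being active somewhere outside the hunk; the signature check later in this file handles its own failure explicitly, and this line would read the same way with `gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null || { >&2 echo "Error: expected signing key not found after import."; exit 1; }`. GnuPG accepts a fingerprint with embedded spaces as a key specifier when it arrives as one argument, which the added quoting ensures, so the searchable form itself should behave as before; a short comment stating that, `# Spaced form so the fingerprint can be found in search engines; gpg ignores the spaces`, would save the next reader from checking whether the lookup semantics changed.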