greg
/
nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge #296: Remove nixops examples and as recommended deployment method; replace with krops 

520a983862 docs: nixops-krops migration guide (nixbitcoin)
7c0b521785 docs: describe deploying with krops in installation tutorial (Jonas Nick)
eb6dff5478 docs: various improvements to installation tutorial (Jonas Nick)
e8b47f099c examples: add deploy-krops.sh (Erik Arvstedt)
fe118b28ff examples: add krops deployment method (Jonas Nick)
e017675d5e krops: add package (Jonas Nick)
03db1a61b1 lnd, joinmarket: don't write to secrets dir (Erik Arvstedt)
55d87490ec secrets: make configuration more robust (Erik Arvstedt)
b0c223e716 secrets: don't stop services when the secrets target stops (Erik Arvstedt)
b701cb5603 secrets: add option 'generateSecrets' (Erik Arvstedt)
03515a8da6 examples/qemu: disable hardened preset (Erik Arvstedt)
908af3bfb8 examples/deploy-qemu-vm: show progress when waiting (Erik Arvstedt)
ccba86a0f0 examples: extract common features for running QEMU VMs (Erik Arvstedt)
cb3d5446c8 examples: use relative paths to example files (Erik Arvstedt)
a4dabc7390 Remove nixops examples and documentation (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 520a983862

Tree-SHA512: 380fcda3528e703e8a218f92a216befbee6cc279952388b2df48c1bcb803b72336bbe6e4deed87f3f26caba7a5cb5ab60c2bcabf2b13eba56f34c47eb02e128a
This commit is contained in:
Jonas Nick 2021-03-15 19:02:44 +00:00
parent b07185915a 520a983862
commit 4022f86b92
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
42 changed files with 826 additions and 669 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1 +0,0 @@
/examples/secrets/

30
docs/faq.md
View File

@ -1,33 +1,3 @@
* **Q:** When deploying or trying to SSH into the machine I see
```
bitcoin-node> waiting for SSH...
Received disconnect from 10.1.1.200 port 22:2: Too many authentication failures
```
* **A:** Somehow ssh-agent and nixops don't play well together. Try killing the ssh-agent.
* **Q:** When deploying or trying to SSH into the machine I see
```
root@xxx.xxx.xxx.xxx: Permission denied (publickey,password,keyboard-interactive).
```
Make sure you don't have something like
```
Host *
PubkeyAuthentication no
```
in your ssh config.
* **Q:** When deploying to virtualbox for the first time I see
```
bitcoin-node> Mar 19 09:22:27 bitcoin-node systemd[1]: Started Get NixOps SSH Key.
bitcoin-node> Mar 19 09:22:27 bitcoin-node get-vbox-nixops-client-key-start[2226]: VBoxControl: error: Failed to connect to the guest property service, error VERR_INTERNAL_ERROR
bitcoin-node> Mar 19 09:22:27 bitcoin-node systemd[1]: get-vbox-nixops-client-key.service: Main process exited, code=exited, status=1/FAILURE
bitcoin-node> Mar 19 09:22:27 bitcoin-node systemd[1]: get-vbox-nixops-client-key.service: Failed with result 'exit-code'.
bitcoin-node> error: Traceback (most recent call last):
File "/nix/store/6zyvpi0q6mvprycadz2dpdqag4742y18-python2.7-nixops-1.6pre0_abcdef/lib/python2.7/site-packages/nixops/deployment.py", line 731, in worker
raise Exception("unable to activate new configuration")
Exception: unable to activate new configuration
```
* **A:** This is issue https://github.com/NixOS/nixops/issues/908. The machine needs to be rebooted. You can do that by running `nixops deploy` with the `--force-reboot` flag once.
* **Q:** I'm deploying to virtualbox it's not able to connect anymore.
* **A:** Maybe the IP address of the box changed. Run `nixops deploy --check` to update nixops with the new IP address. Sometimes you need to run `nixops modify -d <deployment> network/network.nix network/network-vbox.nix`. Sometimes you also need to remove the old IP address from `~/.ssh/known_hosts`.
* **Q:** The clightning service is running but when I try to use it (f.e. by running `lightning-cli getinfo` as user operator) all I get is `lightning-cli: Connecting to 'lightning-rpc': Connection refused`.
* **A:** Check your clightning logs with `journalctl -eu clightning`. Do you see something like `bitcoin-cli getblock ... false` failed? Are you using pruned mode? That means that clightning hasn't seen all the blocks it needs to and it can't get that block because your node is pruned. If you're just setting up a new node you can `systemctl stop clightning` and wipe your `/var/lib/clightning` directory. Otherwise you need to reindex the Bitcoin node.
* **Q:** My disk space is getting low due to nix.

491
docs/install.md
View File

@ -1,215 +1,15 @@
Preliminary steps
---
Get a machine to deploy nix-bitcoin on.
This could be a VirtualBox, a machine that is already running [NixOS](https://nixos.org/nixos/manual/index.html) or a cloud provider.
Have a look at the options in the [NixOps manual](https://nixos.org/nixops/manual/).
# Tutorial: Install and configure NixOS for nix-bitcoin on a dedicated machine
# Tutorials
1. [Install and configure NixOS for nix-bitcoin on VirtualBox](#tutorial-install-and-configure-nixos-for-nix-bitcoin-on-virtualbox)
2. [Install and configure NixOS for nix-bitcoin on VirtualBox (macOS host)](#tutorial-install-and-configure-nixos-for-nix-bitcoin-on-virtualbox-macOS-host)
3. [Install and configure NixOS for nix-bitcoin on your own hardware](#tutorial-install-and-configure-nixos-for-nix-bitcoin-on-your-own-hardware)
----
Tutorial: install and configure NixOS for nix-bitcoin on VirtualBox
---
## 1. VirtualBox installation
1. Add virtualbox.list to /etc/apt/sources.list.d (Debian 9 stretch)
```
echo "deb http://download.virtualbox.org/virtualbox/debian stretch contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
```
2. Add Oracle VirtualBox public key
```
wget https://www.virtualbox.org/download/oracle_vbox_2016.asc
gpg2 oracle_vbox_2016.asc
```
Proceed _only_ if fingerprint reads B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
```
sudo apt-key add oracle_vbox_2016.asc
```
3. Install virtualbox-5.2
```
sudo apt-get update
sudo apt-get install virtualbox-5.2
```
3. Create Host Adapter in VirtualBox
```
vboxmanage hostonlyif create
```
## 2. Nix installation
The following steps are meant to be run on the machine you deploy from, not the machine you deploy to.
You can also build Nix from source by following the instructions at https://nixos.org/nix/manual/#ch-installing-source.
1. Install Dependencies (Debian 9 stretch)
```
sudo apt-get install curl git gnupg2 dirmngr
```
2. Install latest Nix in "multi-user mode" with GPG Verification according to https://nixos.org/nix/download.html
```
curl -o install-nix-2.3.3 https://releases.nixos.org/nix/nix-2.3.3/install
curl -o install-nix-2.3.3.asc https://releases.nixos.org/nix/nix-2.3.3/install.asc
gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg2 --verify ./install-nix-2.3.3.asc
sh ./install-nix-2.3.3 --daemon
```
Then follow the instructions. Open a new terminal window when you're done.
If you get an error similar to
```
error: cloning builder process: Operation not permitted
error: unable to start build process
/tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile
```
you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script.
3. Optional: Disallow substitutes
You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source.
This eliminates an attack vector where nix's build server or binary cache is compromised.
## 3. Setup deployment directory
1. Clone this project
```
cd
git clone https://github.com/fort-nix/nix-bitcoin
```
2. Obtain the hash of the latest nix-bitcoin release
```
cd nix-bitcoin/examples
nix-shell
```
This will download the nix-bitcoin dependencies and might take a while without giving an output.
Now in the nix-shell run
```
fetch-release > nix-bitcoin-release.nix
```
3. Create a new directory for your nix-bitcoin deployment and copy initial files from nix-bitcoin
```
cd ../../
mkdir nix-bitcoin-node
cd nix-bitcoin-node
cp -r ../nix-bitcoin/examples/{configuration.nix,nixops,shell.nix,nix-bitcoin-release.nix} .
```
## 4. Deploy with NixOps
1. Enter `nix-shell`, which drops you into an environment with all the project dependencies loaded ([docs](https://nixos.wiki/wiki/Development_environment_with_nix-shell)).
```
nix-shell
```
Note that a new directory `secrets/` appeared which contains the secrets for your node.
2. Create a [nixops deployment](https://nixos.org/nixops/manual/#sec-deploying-to-physical-nixos) in nix-shell.
```
nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
```
3. Adjust your configuration by opening the `configuration.nix` file and enable/disable the modules you want by editing this file. Pay particular attention to lines that are preceded by `FIXME` comments.
4. Deploy with nixops in nix-shell
```
nixops deploy -d bitcoin-node
```
This will now create a nix-bitcoin node on the target machine.
5. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
```
nixops ssh operator@bitcoin-node
```
For security reasons, all normal system management tasks can and should be performed with the `operator` user. Logging in as `root` should be done as rarely as possible.
See [usage.md](usage.md) for usage instructions, such as how to update.
To resize the VM disk image, you can use this helper script from within nix-shell:
```
../nix-bitcoin/helper/vbox-resize-disk1.sh --help
```
----
Tutorial: install and configure NixOS for nix-bitcoin on VirtualBox (macOS host)
---
## 1. VirtualBox installation (macOS)
1. Download and install VirtualBox
Use the official Downloads page: [https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads)
Make sure that the installer you download shows a lock icon in the top right corner to make sure it is signed by Oracle.
2. Create Host Adapter in VirtualBox
```
vboxmanage hostonlyif create
```
## 2. Nix installation (macOS)
Follow the instructions from [Nix installation on debian](#2-nix-installation). You will may need to replace `gpg2` with `gpg`.
## 3. LinuxKit Nix installation
In order to build binaries for your linux (NixOS) virtual machine on a macOS host machine, you need to use [linuxkit-nix](https://github.com/nix-community/linuxkit-nix). It uses hyperkit to spin up a separate VM on which it builds binaries. An alternative solution is [nix-docker-build-slave](https://github.com/LnL7/nix-docker/blob/master/start-docker-nix-build-slave).
1. Installation
```
nix-env -i /nix/store/jgq3savsyyrpsxvjlrz41nx09z7r0lch-linuxkit-builder
nix-linuxkit-configure
```
You may want to use `nix-linuxkit-configure -c 4` to give the builder 4 CPUs.
2. Confirm that nix-linuxkit works
```
nix-build ~/.cache/nix-linuxkit-builder/example.nix
```
As the installer says, run a `nix-build` to make sure that you are able to build linux binaries. The `example.nix` is specifically configured to force a x86_64-linux build. Remove the generated `result` folder afterwards.
## 4. Nixops deployment (macOS)
Follow the instructions from [Nixops deployment on debian](#3-nixops-deployment). Add `--option system x86_64-linux` to the `nixops deploy` command in step 5 to force your system to use linuxkit-nix.
----
Tutorial: install and configure NixOS for nix-bitcoin on your own hardware
---
This tutorial describes how to manage your Bitcoin node comfortably from your personal computer with the deployment tool [krops](https://github.com/krebs/krops).
However, nix-bitcoin is agnostic to the deployment method and can be used with different or without such tools (see [examples](../examples/README.md)).
## 0. Preparation
1. Optional: Make sure you have the latest firmware for your system (BIOS, microcode updates).
1. Find a machine to deploy nix-bitcoin on (see [hardware.md](hardware.md)).
2. Optional: Disable Simultaneous Multi-Threading (SMT) in the BIOS
2. Optional: Make sure you have the latest firmware for your system (BIOS, microcode updates).
3. Optional: Disable Simultaneous Multi-Threading (SMT) in the BIOS
Researchers recommend disabling (SMT), also known as Hyper-Threading Technology in the Intel® world to significantly reduce the impact of speculative execution-based attacks (https://mdsattacks.com/).
@ -220,23 +20,34 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example:
```
wget https://releases.nixos.org/nixos/19.09/nixos-19.09.2284.bf7c0f0461e/nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
sha256sum nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
# output: 9768eb945bef410fccfb82cb3d2e7ce7c02c3430aed0f2f1527273cb080fff3e
wget https://releases.nixos.org/nixos/20.09/nixos-20.09.2405.e065200fc90/nixos-minimal-20.09.2405.e065200fc90-i686-linux.iso
sha256sum nixos-minimal-20.09.2405.e065200fc90-x86_64-linux.iso
# output: 5fc182e27a71a297b041b5c287558b21bdabde7068d4fc049752dad3025df867
```
Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd.
2. Write NixOS iso to install media (USB/CD). For example:
```
cp nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso /dev/sdX
cp nixos-minimal-20.09.2405.e065200fc90-x86_64-linux.iso /dev/sdX
```
Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l`
3. Boot the system
3. Boot the system and become root
```
sudo -i
```
You will have to find out if your hardware uses UEFI or Legacy Boot for the next step. You can do that, for example, by executing
```
ls /sys/firmware/efi
```
If the file exists exists, you should continue the installation for UEFI otherwise for Legacy Boot.
You will have to find out if your hardware uses UEFI or Legacy Boot for the next step.
4. Option 1: Partition and format for UEFI
@ -278,52 +89,64 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
nano /mnt/etc/nixos/configuration.nix
```
Option 1: Edit NixOS configuration for UEFI
We now need to adjust the configuration to make sure that we can ssh into the system and that it boots correctly. We add some lines to set `services.openssh` such that the configuration looks as follows:
```
{ config, pkgs, ... }: {
{ config, pkgs, ... }:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
...
];
# Enable the OpenSSH server.
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
# The rest of the file are default options and hints.
}
```
Now we open `hardware-configuration.nix`
```
nano /mnt/etc/nixos/hardware-configuration.nix
```
which will look similar to
```
{ config, pkgs, ... }:
{
imports = [ ];
# Add line here as explained below
# The rest of the file are generated options.
}
```
Now add one of the following lines to the location mentioned in above example hardware config.
**Option 1**: UEFI
```
boot.loader.systemd-boot.enable = true;
# Note: setting fileSystems is generally not
# necessary, since nixos-generate-config figures them out
# automatically in hardware-configuration.nix.
#fileSystems."/".device = "/dev/disk/by-label/nixos";
# Enable the OpenSSH server.
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
}
```
Option 2: Edit NixOS configuration for Legacy Boot (MBR)
**Option 2**: Legacy Boot (MBR)
```
{ config, pkgs, ... }: {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];
boot.loader.grub.device = "/dev/sda";
```
# Note: setting fileSystems is generally not
# necessary, since nixos-generate-config figures them out
# automatically in hardware-configuration.nix.
#fileSystems."/".device = "/dev/disk/by-label/nixos";
Lastly, in rare circumstances the hardware configuration does not have a `fileSystems` option. In that case you need to add it with the folllowing line:
# Enable the OpenSSH server.
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
}
```
fileSystems."/".device = "/dev/disk/by-label/nixos";
```
6. Do the installation
@ -331,7 +154,9 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
```
nixos-install
```
Set root password
```
setting root password...
Enter new UNIX password:
@ -344,90 +169,166 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
reboot
```
## 2. Nix installation
Follow the [Nix installation](#2-nix-installation) instructions from the tutorial above (on the machine you are going to deploy from).
The following steps are meant to be run on the machine you deploy from, not the machine you deploy to.
You can also build Nix from source by following the instructions at https://nixos.org/nix/manual/#ch-installing-source.
1. Install Dependencies (Debian 10 Buster)
```
sudo apt-get install curl git gnupg2 dirmngr
```
2. Install latest Nix in "multi-user mode" with GPG Verification according to https://nixos.org/nix/download.html
```
curl -o install-nix-2.3.10 https://releases.nixos.org/nix/nix-2.3.10/install
curl -o install-nix-2.3.10.asc https://releases.nixos.org/nix/nix-2.3.10/install.asc
gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg2 --verify ./install-nix-2.3.10.asc
sh ./install-nix-2.3.10 --daemon
```
Then follow the instructions. Open a new terminal window when you're done.
If you get an error similar to
```
error: cloning builder process: Operation not permitted
error: unable to start build process
/tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile
```
you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script.
3. Optional: Disallow substitutes
You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source.
This eliminates an attack vector where nix's build server or binary cache is compromised.
## 3. Setup deployment directory
Follow the [Setup deployment directory](#3-setup-deployment-directory) instructions from the tutorial above (on the machine you are going to deploy from).
## 4. Deploy with NixOps
1. Make sure you are in the deployment directory and create a nixops network file as follows
1. Clone this project
```
nano nixops/node-nixos.nix
cd
git clone https://github.com/fort-nix/nix-bitcoin
```
2. Obtain the hash of the latest nix-bitcoin release
```
{
bitcoin-node =
{ config, pkgs, ... }:
{ deployment.targetHost = "1.2.3.4";
};
}
cd nix-bitcoin/examples
nix-shell
```
Replace 1.2.3.4 with NixOS machine's IP address.
This will download the nix-bitcoin dependencies and might take a while without giving an output.
Now in the nix-shell run
2. Edit `configuration.nix`
```
fetch-release > nix-bitcoin-release.nix
```
3. Create a new directory for your nix-bitcoin deployment and copy initial files from nix-bitcoin
```
cd ../../
mkdir nix-bitcoin-node
cd nix-bitcoin-node
cp -r ../nix-bitcoin/examples/{nix-bitcoin-release.nix,configuration.nix,shell.nix,krops,.gitignore} .
```
## 4. Deploy with krops
1. Edit your ssh config
```
nano ~/.ssh/config
```
and add the node with an entry similar to the following (make sure to fix `Hostname` and `IdentityFile`):
```
Host bitcoin-node
# FIXME
Hostname NODE_IP_ADDRESS_OR_HOST_NAME_HERE
User root
PubkeyAuthentication yes
# FIXME
IdentityFile ~/.ssh/id_...
AddKeysToAgent yes
```
2. Make sure you are in the deployment directory and edit `krops/deploy.nix`
```
nano krops/deploy.nix
```
Locate the `FIXME` and set the target to the name of the ssh config entry created earlier, i.e. `bitcoin-node`.
Note that any file imported by your `configuration.nix` must be copied to the target machine by krops.
For example, if there is an import of `networking.nix` you must add it to `extraSources` in `krops/deploy.nix` like this:
```
extraSources = {
"hardware-configuration.nix".file = toString ../hardware-configuration.nix;
"networking.nix".file = toString ../networking.nix;
};
```
3. Optional: Disallow substitutes
If you prefer to build the system from source instead of copying binaries from the Nix cache, add the following line to `configuration.nix`:
```
nix.extraOptions = "substitute = false";
```
If the build process fails for some reason when deploying with `krops-deploy` (see later step), it may be difficult to find the cause due to the missing output.
To see the build output, SSH into the target machine and run
```
nixos-rebuild -I /var/src switch
```
4. Copy `hardware-configuration.nix` from your node to the deployment directory.
```
scp root@bitcoin-node:/etc/nixos/hardware-configuration.nix .
```
5. Adjust configuration by opening the `configuration.nix` file and enable/disable the modules you want by editing this file.
```
nano configuration.nix
```
Uncomment `./hardware-configuration.nix` line by removing #.
Pay attention to lines that are preceded by `FIXME` comments. In particular:
1. Make sure to set your SSH pubkey. Otherwise, you loose remote access because the config does not enable `permitRootLogin` (unless you add that manually).
2. Uncomment the line `./hardware-configuration.nix` by removing `#`.
3. Create `hardware-configuration.nix`.
```
nano hardware-configuration.nix
```
Copy contents of your NixOS machine's `/etc/nixos/hardware-configuration.nix` to this file.
4. Add boot option to `hardware-configuration.nix`
Option 1: Enable systemd boot for UEFI
```
boot.loader.systemd-boot.enable = true;
```
Option 2: Set grub device for Legacy Boot (MBR)
```
boot.loader.grub.device = "/dev/sda";
```
5. Enter environment
6. Enter the deployment environment
```
nix-shell
```
Note that a new directory `secrets/` appeared which contains the secrets for your node.
NOTE that a new directory `secrets/` appeared which contains the secrets for your node.
6. Create nixops [deployment](https://nixos.org/nixops/manual/#sec-deploying-to-physical-nixos) in nix-shell.
7. Deploy with krops in nix-shell
```
nixops create nixops/node.nix nixops/node-nixos.nix -d bitcoin-node
```
7. Adjust configuration by opening the `configuration.nix` file and enable/disable the modules you want by editing this file. Pay particular attention to lines that are preceded by `FIXME` comments.
8. Deploy with nixops in nix-shell
```
nixops deploy -d bitcoin-node
krops-deploy
```
This will now create a nix-bitcoin node on the target machine.
9. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
8. You can now access `bitcoin-node` via ssh
```
nixops ssh operator@bitcoin-node
ssh operator@bitcoin-node
```
Note that you're able to log in as the unprivileged `operator` user because nix-bitcoin automatically authorizes the ssh key added to `root`.
For security reasons, all normal system management tasks can and should be performed with the `operator` user. Logging in as `root` should be done as rarely as possible.
See [usage.md](usage.md) for usage instructions, such as how to update.

130
docs/nixops-krops-migration.md Normal file
View File

@ -0,0 +1,130 @@
# Tutorial: Moving from a NixOps to a Krops deployment
1. Add a new ssh key to your nix-bitcoin node
Krops doesn't automatically generate ssh keys like NixOps, instead you add your own.
If you don't have a ssh key yet
```
ssh-keygen -t ed25519 -f ~/.ssh/bitcoin-node
```
Edit `configuration.nix`
```
users.users.root = {
openssh.authorizedKeys.keys = [
"<contents of ~/.ssh/bitcoin-node.pub or existing .pub key file>"
];
};
```
Deploy new key
```
nixops deploy -d bitcoin-node
```
2. Update your nix-bitcoin, depending on your setup either with `fetch-release` or `git`. Make sure you are at least on `v0.0.41`.
3. Pull the latest nix-bitcoin source
```
cd ~/nix-bitcoin
git pull
```
4. Copy new and updated files into your deployment folder
```
cd <deployment directory, for example `~/nix-bitcoin-node`>
cp -r ~/nix-bitcoin/examples/{krops,shell.nix} .
```
5. Edit your ssh config
```
nano ~/.ssh/config
```
and add the node with an entry similar to the following (make sure to fix `Hostname` and `IdentityFile`):
```
Host bitcoin-node
# FIXME
Hostname NODE_IP_ADDRESS_OR_HOST_NAME_HERE
User root
PubkeyAuthentication yes
# FIXME
IdentityFile <ssh key from step 1 or path to existing key>
AddKeysToAgent yes
```
6. Make sure you are in the deployment directory and edit `krops/deploy.nix`
```
nano krops/deploy.nix
```
Locate the `FIXME` and set the target to the name of the ssh config entry created earlier, i.e. `bitcoin-node`.
Note that any file imported by your `configuration.nix` must be copied to the target machine by krops.
For example, if there is an import of `networking.nix` you must add it to `extraSources` in `krops/deploy.nix` like this:
```
extraSources = {
"hardware-configuration.nix".file = toString ../hardware-configuration.nix;
"networking.nix".file = toString ../networking.nix;
};
```
7. If `lnd` or `joinmarket` is enabled on your node, run the commmand
```
nix-shell --run 'nix-instantiate --eval -E "
(import <nixpkgs/nixos> {
configuration = { lib, ... }: {
imports = [ ./configuration.nix ];
nix-bitcoin.configVersion = lib.mkDefault \"0.0.31\";
nix-bitcoin.secretsSetupMethod = lib.mkForce \"manual\";
};
}).vm.outPath
"'
```
and follow the migration instructions from the error message.
8. Optional: Disallow substitutes
You may have been building nix-bitcoin "without substitutes" to avoid pulling in binaries from the Nix cache. If you want to continue doing so, you have to add the following line to the `configuration.nix`:
```
nix.extraOptions = "substitute = false";
```
If the build process fails for some reason when deploying with `krops-deploy` (see later step), it may be difficult to find the cause due to the missing output.
In that case, it is possible to SSH into the target machine and run
```
nixos-rebuild -I /var/src switch
```
9. Deploy with krops
```
nix-shell --run krops-deploy
```
Remove the old secrets directory. For krops deployments, secrets are always
located at `/var/src/secrets`.
```
ssh bitcoin-node 'rm -rf /secrets'
```
9. You can now access `bitcoin-node` via ssh
```
ssh operator@bitcoin-node
```
10. You can remove the remaining traces of nixops as follows:
```
nix-shell
nix run -f '<nix-bitcoin>' nixops19_09 -c nixops delete -d bitcoin-node --force
git rm -r nixops
```

30
docs/usage.md
View File

@ -30,10 +30,6 @@ Connect to spark-wallet
2. Deploy new `configuration.nix`
```
nixops deploy -d bitcoin-node
```
3. Enable Orbot VPN for spark-wallet
```
@ -123,10 +119,6 @@ Connect to electrs
2. Deploy new `configuration.nix`
```
nixops deploy -d bitcoin-node
```
3. Get electrs onion address with format `<onion-address>:<port>`
```
@ -156,7 +148,7 @@ Connect to nix-bitcoin node through the SSH onion service
1. Get the SSH onion address (excluding the port suffix)
```
nixops ssh operator@bitcoin-node
ssh operator@bitcoin-node
nodeinfo | jq -r .sshd.onion_address | sed 's/:.*//'
```
@ -182,19 +174,11 @@ Connect to nix-bitcoin node through the SSH onion service
ssh -i ~/.ssh/id_ed25519 -L <random port of your choosing>:localhost:22 root@<SSH onion address>
```
5. Edit your `network-nixos.nix` to look like this
5. Edit your deployment tool's configuration and change the node's address to `localhost` and the ssh port to `<random port of your choosing>`.
If you use krops as described in the [installation tutorial](./install.md), set `target = "localhost:<random port of your choosing>";` in `krops/deploy.nix`.
```
{
bitcoin-node =
{ config, pkgs, ... }:
{ deployment.targetHost = "127.0.0.1";
deployment.targetPort = <random port of your choosing>;
};
}
```
6. Now you can run `nixops deploy -d bitcoin-node` and it will connect through the SSH tunnel you established in step iv. This also allows you to do more complex SSH setups that `nixops ssh` doesn't support. An example would be authenticating with [Trezor's SSH agent](https://github.com/romanz/trezor-agent), which provides extra security.
6. After deploying the new configuration, it will connect through the SSH tunnel you established in step iv. This also allows you to do more complex SSH setups that some deployment tools don't support. An example would be authenticating with [Trezor's SSH agent](https://github.com/romanz/trezor-agent), which provides extra security.
Initialize a Trezor for Bitcoin Core's Hardware Wallet Interface
---
@ -212,14 +196,10 @@ Initialize a Trezor for Bitcoin Core's Hardware Wallet Interface
2. Deploy new `configuration.nix`
```
nixops deploy -d bitcoin-node
```
3. Check that your nix-bitcoin node recognizes your Trezor
```
nixops ssh operator@bitcoin-node
ssh operator@bitcoin-node
lsusb
```
Should show something relating to your Trezor

1
examples/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
secrets/

6
examples/README.md
View File

@ -20,9 +20,9 @@ By default, [`configuration.nix`](configuration.nix) enables `bitcoind` and `cli
- [`./deploy-qemu-vm.sh`](deploy-qemu-vm.sh) creates a QEMU VM.\
Requires: [Nix](https://nixos.org/nix/)
- [`./deploy-nixops.sh`](deploy-nixops.sh) creates a VirtualBox VM via [NixOps](https://github.com/NixOS/nixops).\
NixOps can be used to deploy to various other backends like cloud providers.\
Requires: [Nix](https://nixos.org/nix/), [VirtualBox](https://www.virtualbox.org)
- [`./deploy-krops.sh`](deploy-krops.sh) creates a QEMU VM and deploys a
nix-bitcoin configuration to it using [krops](https://github.com/krebs/krops).\
Requires: [Nix](https://nixos.org/nix/)
- [`./deploy-container-minimal.sh`](deploy-container-minimal.sh) creates a
container defined by [minimal-configuration.nix](minimal-configuration.nix) that

14
examples/configuration.nix
View File

@ -13,7 +13,6 @@
# FIXME: Uncomment next line to import your hardware configuration. If so,
# add the hardware configuration file to the same directory as this file.
# This is not needed when deploying to a virtual box.
#./hardware-configuration.nix
];
# FIXME: Enable modules by uncommenting their respective line. Disable
@ -72,11 +71,13 @@
## WARNING
# If you use lnd, you should manually backup your wallet mnemonic
# seed. This will allow you to recover on-chain funds. You can run the
# following command after the lnd service starts:
# nixops scp --from bitcoin-node /secrets/lnd-seed-mnemonic ./secrets/lnd-seed-mnemonic
# following commands after the lnd service starts:
# mkdir -p ./backups/lnd/
# scp bitcoin-node:/var/lib/lnd/lnd-seed-mnemonic ./backups/lnd/
#
# You should also backup your channel state after opening new channels.
# This will allow you to recover off-chain funds, by force-closing channels.
# nixops scp --from bitcoin-node /var/lib/lnd/chain/bitcoin/mainnet/channel.backup /my-backup-path/channel.backup
# scp bitcoin-node:/var/lib/lnd/chain/bitcoin/mainnet/channel.backup ./backups/lnd/
### SPARK WALLET
# Enable this module to use spark-wallet, a minimalistic wallet GUI for
@ -176,7 +177,7 @@
# /var/lib/localBackups once a day.
# services.backups.enable = true;
# You can pull the localBackups folder with
# `nixops scp --from bitcoin-node /var/lib/localBackups /my-backup-path/`
# `scp bitcoin-node:/var/lib/localBackups /my-backup-path/`
# Alternatively, you can also set a remote target url, for example
# services.backups.destination = "sftp://user@host[:port]/[relative|/absolute]_path";
# Supply the sftp password by appending the FTP_PASSWORD environment variable
@ -230,5 +231,6 @@
# The nix-bitcoin release version that your config is compatible with.
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an
# an error and provide hints for migrating your config to the new release.
nix-bitcoin.configVersion = "0.0.30";
nix-bitcoin.configVersion = "0.0.41";
}

4
examples/deploy-container.sh
View File

@ -82,9 +82,9 @@ read -d '' src <<EOF || true
extra.enableWAN = true;
config = { pkgs, config, lib, ... }: {
imports = [
<nix-bitcoin/examples/${configuration}>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
<${configuration}>
];
nix-bitcoin.generateSecrets = true;
};
};
}

122
examples/deploy-krops.sh Executable file
View File

@ -0,0 +1,122 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to setup a nix-bitcoin node with krops.
# The node is deployed to a minimal NixOS QEMU VM.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Run with option `--interactive` or `-i` to start a shell for interacting with
# the node.
# MAKE SURE TO REPLACE the SSH identity file if you use this script for
# anything serious.
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
cd "${BASH_SOURCE[0]%/*}"
exec nix-shell --run "./${BASH_SOURCE[0]##*/} $*"
fi
source qemu-vm/run-vm.sh
echo "Building the target VM"
# Build the initial VM to which the nix-bitcoin node is deployed via krops
nix-build --out-link $tmpDir/vm - <<'EOF'
(import <nixpkgs/nixos> {
configuration = { lib, ... }: {
imports = [ <qemu-vm/vm-config.nix> ];
services.openssh.enable = true;
# Silence the following warning that appears when deploying via krops:
# warning: Nix search path entry '/nix/var/nix/profiles/per-user/root/channels' does not exist, ignoring
nix.nixPath = lib.mkForce [];
};
}).vm
EOF
vmNumCPUs=4
vmMemoryMiB=2048
sshPort=60734
# Start the VM in the background
runVM $tmpDir/vm $vmNumCPUs $vmMemoryMiB $sshPort
# Build the krops deploy script
export sshPort
nix-build --out-link $tmpDir/krops-deploy - <<'EOF'
let
krops = (import <nix-bitcoin> {}).krops;
extraSources = {
# Skip uploading nixpkgs to the target node.
# This works because /nix/store is shared with the target VM.
nixpkgs.symlink = toString <nixpkgs>;
nixos-config.file = toString <krops-vm-configuration.nix>;
qemu-vm.file = toString <qemu-vm>;
};
in
krops.pkgs.krops.writeCommand "krops-deploy" {
source = import <krops/sources.nix> { inherit extraSources krops; };
force = true;
target = {
user = "root";
host = "127.0.0.1";
port = builtins.getEnv "sshPort";
extraOptions = [
"-i" (toString <qemu-vm/id-vm>) "-oConnectTimeout=1"
"-oStrictHostKeyChecking=no" "-oUserKnownHostsFile=/dev/null" "-oLogLevel=ERROR"
"-oControlMaster=auto" "-oControlPath=${builtins.getEnv "tmpDir"}/ssh-connection" "-oControlPersist=60"
];
};
# "test" instead of "switch" to avoid installing a bootloader which
# is not possible in this VM
command = targetPath: ''
nixos-rebuild test -I /var/src
'';
}
EOF
echo "Building the nix-bitcoin node"
# Pre-build the nix-bitcoin node outside of the VM to save some time
nix-build --out-link $tmpDir/store-paths -E '
let
system = (import <nixpkgs/nixos> { configuration = <krops-vm-configuration.nix>; }).system;
pkgsUnstable = (import <nix-bitcoin/pkgs/nixpkgs-pinned.nix>).nixpkgs-unstable;
pkgs = import <nixpkgs> {};
in
pkgs.closureInfo { rootPaths = [ system pkgsUnstable ]; }
' > /dev/null
vmWaitForSSH
# Add the store paths that include the nix-bitcoin node
# to the nix store db in the VM
c "nix-store --load-db < $(realpath $tmpDir/store-paths)/registration"
echo
echo "Deploy with krops"
$tmpDir/krops-deploy
echo
echo "Bitcoind service:"
c systemctl status bitcoind
echo
echo "Bitcoind network:"
c bitcoin-cli getnetworkinfo
echo
echo "lightning-cli state:"
c lightning-cli getinfo
echo
echo "Node info:"
c nodeinfo
case ${1:-} in
-i|--interactive)
. start-bash-session.sh
;;
esac
# Cleanup happens at exit (defined in qemu-vm/run-vm.sh)

50
examples/deploy-nixops.sh
View File

@ -1,50 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to setup a VirtualBox nix-bitcoin node with nixops.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Run with option `--interactive` or `-i` to start a shell for interacting with
# the node.
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
cd "${BASH_SOURCE[0]%/*}"
exec nix-shell --run "./${BASH_SOURCE[0]##*/} $*"
fi
# Cleanup on exit
cleanup() {
set +e
if nixops list | grep -q bitcoin-node; then
nixops destroy --confirm -d bitcoin-node
fi
rm -rf $tmpDir
}
trap "cleanup" EXIT
tmpDir=/tmp/nix-bitcoin-nixops
mkdir -p $tmpDir
# Don't write nixops and VirtualBox data to the $USER's home
export HOME=$tmpDir
# Disable interactive queries and don't write to the $USER's known_hosts file
export NIXOPS_SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
nixops deploy -d bitcoin-node
# Connect to node
nixops ssh bitcoin-node systemctl status bitcoind
c() { nixops ssh bitcoin-node "$@"; }
case ${1:-} in
-i|--interactive)
. start-bash-session.sh
;;
esac
# Cleanup happens at exit (see above)

63
examples/deploy-qemu-vm.sh
View File

@ -17,69 +17,34 @@ if [[ ! -v IN_NIX_SHELL ]]; then
exec nix-shell --run "./${BASH_SOURCE[0]##*/} $*"
fi
cd "${BASH_SOURCE[0]%/*}"
tmpDir=/tmp/nix-bitcoin-qemu-vm
mkdir -p $tmpDir
# Cleanup on exit
cleanup() {
set +eu
kill -9 $qemuPID
rm -rf $tmpDir
}
trap "cleanup" EXIT
identityFile=qemu-vm/id-vm
chmod 0600 $identityFile
source qemu-vm/run-vm.sh
echo "Building VM"
nix-build --out-link $tmpDir/vm - <<EOF
nix-build --out-link $tmpDir/vm - <<'EOF'
(import <nixpkgs/nixos> {
configuration = {
imports = [
<nix-bitcoin/examples/configuration.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
<configuration.nix>
<qemu-vm/vm-config.nix>
];
virtualisation.graphics = false;
services.mingetty.autologinUser = "root";
users.users.root = {
openssh.authorizedKeys.keys = [ "$(cat $identityFile.pub)" ];
};
nix-bitcoin.generateSecrets = true;
};
}).vm
EOF
vmMemoryMiB=2048
vmNumCPUs=4
vmMemoryMiB=2048
sshPort=60734
runVM $tmpDir/vm $vmNumCPUs $vmMemoryMiB $sshPort
export NIX_DISK_IMAGE=$tmpDir/img
export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22
</dev/null $tmpDir/vm/bin/run-*-vm -m $vmMemoryMiB -smp $vmNumCPUs &>/dev/null &
qemuPID=$!
# Run command in VM
c() {
ssh -p $sshPort -i $identityFile -o ConnectTimeout=1 \
-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \
-o ControlMaster=auto -o ControlPath=$tmpDir/ssh-connection -o ControlPersist=60 \
root@127.0.0.1 "$@"
}
vmWaitForSSH
printf "Waiting until services are ready"
c "
$(cat qemu-vm/wait-until.sh)
waitUntil 'systemctl is-active clightning &> /dev/null' 100
"
echo
echo "Waiting for SSH connection..."
while ! c : 2>/dev/null; do :; done
echo
echo "Waiting until services are ready..."
c '
attempts=300
while ! systemctl is-active clightning &> /dev/null; do
((attempts-- == 0)) && { echo "timeout"; exit 1; }
sleep 0.2
done
'
echo
echo "Bitcoind service:"
c systemctl status bitcoind
@ -99,4 +64,4 @@ case ${1:-} in
;;
esac
# Cleanup happens at exit (see above)
# Cleanup happens at exit (defined in qemu-vm/run-vm.sh)

8
examples/krops-vm-configuration.nix Normal file
View File

@ -0,0 +1,8 @@
{ lib, ... }: {
imports = [
./configuration.nix
<nix-bitcoin/modules/deployment/krops.nix>
<qemu-vm/vm-config.nix>
<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
];
}

20
examples/krops/deploy.nix Normal file
View File

@ -0,0 +1,20 @@
let
# FIXME:
target = "root@HOSTNAME_OR_IP_ADDRESS";
extraSources = {
"hardware-configuration.nix".file = toString ../hardware-configuration.nix;
};
krops = (import <nix-bitcoin> {}).krops;
in
krops.pkgs.krops.writeDeploy "deploy" {
inherit target;
source = import ./sources.nix { inherit extraSources krops; };
# Avoid having to create a sentinel file.
# Otherwise /var/src/.populate must be created on the target node to signal krops
# that it is allowed to deploy.
force = true;
}

7
examples/krops/krops-configuration.nix Normal file
View File

@ -0,0 +1,7 @@
# This file allows you to build your krops configuration locally
{
imports = [
../configuration.nix
<nix-bitcoin/modules/deployment/krops.nix>
];
}

33
examples/krops/sources.nix Normal file
View File

@ -0,0 +1,33 @@
{ extraSources, krops }:
krops.lib.evalSource [({
nixos-config.file = builtins.toFile "nixos-config" ''
{
imports = [
./configuration.nix
<nix-bitcoin/modules/deployment/krops.nix>
];
}
'';
"configuration.nix".file = toString ../configuration.nix;
# Enable `useChecksum` for sources which might be located in the nix store
# and which therefore might have static timestamps.
nixpkgs.file = {
path = toString <nixpkgs>;
useChecksum = true;
};
nix-bitcoin.file = {
path = toString <nix-bitcoin>;
useChecksum = true;
filters = [{
type = "exclude";
pattern = ".git";
}];
};
secrets.file = toString ../secrets;
} // extraSources)]

3
examples/minimal-configuration.nix
View File

@ -1,9 +1,10 @@
{ config, pkgs, lib, ... }: {
imports = [
<nix-bitcoin/modules/nix-bitcoin.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
];
nix-bitcoin.generateSecrets = true;
services.bitcoind.enable = true;
services.clightning.enable = true;

30
examples/nixops/node-libvirtd.nix
View File

@ -1,30 +0,0 @@
{
bitcoin-node =
{ config, pkgs, ... }:
{
deployment.targetEnv = "libvirtd";
deployment.libvirtd.memorySize = 8192; # megabytes
deployment.libvirtd.vcpu = 4; # number of cpus
deployment.libvirtd.headless = true;
deployment.libvirtd.baseImageSize = 400;
boot.kernelParams = [ "console=ttyS0,115200" ];
deployment.libvirtd.extraDevicesXML = ''
<serial type='pty'>
<target port='0'/>
</serial>
<console type='pty'>
<target type='serial' port='0'/>
</console>
'';
# Remove when fixed: https://github.com/NixOS/nixops/issues/931
system.activationScripts.nixops-vm-fix-931 = {
text = ''
if ls -l /nix/store | grep sudo | grep -q nogroup; then
mount -o remount,rw /nix/store
chown -R root:nixbld /nix/store
fi
'';
deps = [];
};
};
}

13
examples/nixops/node-vbox.nix
View File

@ -1,13 +0,0 @@
{
bitcoin-node =
{ config, pkgs, ... }:
{
deployment.targetEnv = "virtualbox";
deployment.virtualbox = {
memorySize = 4096; # megabytes
vcpu = 4; # number of cpus
disks.disk1.size = 358400; # 350 GiB
headless = true;
};
};
}

9
examples/nixops/node.nix
View File

@ -1,5 +1,8 @@
# This is an example network definition for deploying a nix-bitcoin node via NixOps.
# NixOps deployment is currently untested.
{
network.description = "Bitcoin Core node";
network.description = "Bitcoin node";
bitcoin-node = { config, pkgs, lib, ... }: {
imports = [
@ -8,5 +11,9 @@
];
nix-bitcoin.deployment.secretsDir = toString ../secrets;
#FIXME:
# Set `deployment.*` options like
# deployment.targetHost = "<address_or_hostname>";
};
}

50
examples/qemu-vm/run-vm.sh Normal file
View File

@ -0,0 +1,50 @@
qemuDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
source "$qemuDir/wait-until.sh"
tmpDir=/tmp/nix-bitcoin-qemu-vm
mkdir -p $tmpDir
# Cleanup on exit
cleanup() {
set +eu
if [[ $qemuPID ]]; then
kill -9 $qemuPID
fi
rm -rf $tmpDir
}
trap "cleanup" EXIT
identityFile=$qemuDir/id-vm
chmod 0600 $identityFile
runVM() {
vm=$1
vmNumCPUs=$2
vmMemoryMiB=$3
sshPort=$4
export NIX_DISK_IMAGE=$tmpDir/img
export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22
</dev/null $vm/bin/run-*-vm -m $vmMemoryMiB -smp $vmNumCPUs &>/dev/null &
qemuPID=$!
}
vmWaitForSSH() {
echo
printf "Waiting for SSH connection..."
waitUntil "c : 2>/dev/null" 500
echo
}
# Run command in VM
c() {
ssh -p $sshPort -i $identityFile -o ConnectTimeout=1 \
-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \
-o ControlMaster=auto -o ControlPath=$tmpDir/ssh-connection -o ControlPersist=60 \
root@127.0.0.1 "$@"
}
export identityFile
export sshPort
export tmpDir
export -f c

12
examples/qemu-vm/vm-config.nix Normal file
View File

@ -0,0 +1,12 @@
{
# Disable the hardened preset to improve VM performance
disabledModules = [ <nix-bitcoin/modules/presets/hardened.nix> ];
config = {
virtualisation.graphics = false;
services.mingetty.autologinUser = "root";
users.users.root = {
openssh.authorizedKeys.keyFiles = [ ./id-vm.pub ];
};
};
}

21
examples/qemu-vm/wait-until.sh Normal file
View File

@ -0,0 +1,21 @@
# Wait until $condition is true, retrying every $intervalMs milliseconds.
# Print a '.' character every second as a progress indicator.
waitUntil() {
condition=$1
intervalMs=$2
lastDotTime=$(getTimeMs)
while ! { t0=$(getTimeMs); eval "$condition"; }; do
now=$(getTimeMs)
if ((now - lastDotTime >= 1000)); then
printf .
lastDotTime=$now
fi
toSleep=$((t0 + intervalMs - now))
if ((toSleep > 0)); then
sleep $((toSleep / 1000)).$((toSleep % 1000));
fi
done
}
getTimeMs() { date +%s%3N; }

13
examples/shell.nix
View File

@ -20,7 +20,7 @@ with nixpkgs;
stdenv.mkDerivation rec {
name = "nix-bitcoin-environment";
path = lib.makeBinPath [ nix-bitcoin.nixops19_09 nix-bitcoin.extra-container figlet ];
path = lib.makeBinPath [ nix-bitcoin.extra-container figlet ];
shellHook = ''
export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
@ -28,11 +28,12 @@ stdenv.mkDerivation rec {
alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
# ssh-agent and nixops don't play well together (see
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
# from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
# keys already added to my ssh-agent.
export SSH_AUTH_SOCK=""
krops-deploy() {
# Ensure strict permissions on secrets/ directory before rsyncing it to
# the target machine
chmod 700 ${toString ./secrets}
$(nix-build --no-out-link ${toString ./krops/deploy.nix})
}
figlet "nix-bitcoin"
(mkdir -p secrets; cd secrets; env -i ${nix-bitcoin.generate-secrets})

81
helper/vbox-resize-disk1.sh
View File

@ -1,81 +0,0 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p jq
while getopts ":d:m:s:f:yh" opt; do
case $opt in
d)
DEPLOYMENT="$OPTARG"
;;
m)
MACHINE="$OPTARG"
;;
s)
NEW_SIZE="$OPTARG"
;;
f)
DISK_FILE="$OPTARG"
;;
y)
YES="yes"
;;
h)
echo "Usage: $0 [-d <deployment>] [-m <machine>] [-s <size>] [-f <file>] [-y]"
echo ""
echo "Options:"
echo " -d <deployment> NixOps deployment name. Default: bitcoin-node."
echo " -m <machine> NixOps machine name. Default: bitcoin-node."
echo " -s <size> New disk size in megabytes. Default: 358400 (350gb)."
echo " -f <file> Path to vbox disk file/VDI. Default: read from nixops export."
echo " -y Don't ask for confirmation."
exit 0
;;
\?)
echo "Invalid option: -$OPTARG" >&2
exit 1
;;
:)
echo "Option -$OPTARG requires an argument." >&2
exit 1
;;
esac
done
DEPLOYMENT=${DEPLOYMENT:-"bitcoin-node"}
MACHINE=${MACHINE:-"bitcoin-node"}
NEW_SIZE=${NEW_SIZE:-358400}
DISK_FILE=${DISK_FILE:-$(nixops export -d $DEPLOYMENT | jq -r '..|."virtualbox.disks"?|select(.!=null)' | jq -r .disk1.path)}
echo "Resizing virtualbox disk for use with nixops and nix-bitcoin."
echo "Using deployment: $DEPLOYMENT"
echo "Using machine: $MACHINE"
echo "Using size: $NEW_SIZE"
echo "Using disk file: $DISK_FILE"
if [ "$YES" != "yes" ]; then
read -p "Continue? [Y/n] " -n 1 -r
echo
if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
exit 1
fi
fi
set -ex
nixops stop -d $DEPLOYMENT
VBoxManage modifyhd --resize $NEW_SIZE "$DISK_FILE"
nixops start -d $DEPLOYMENT
# (
# echo d # [d]elete 50gb partition
# echo n # [n]ew partition
# echo p # [p]rimary partition
# echo # partition number (Accept default: 1)
# echo # first sector (Accept default: 1)
# echo # last sector (Accept default: determined by $NEW_SIZE)
# echo w # [w]rite changes
# ) | fdisk
nixops ssh -d $DEPLOYMENT $MACHINE -- '(echo d; echo n; echo p; echo; echo; echo; echo w; ) | fdisk /dev/sda'
nixops reboot -d $DEPLOYMENT
nixops ssh -d $DEPLOYMENT $MACHINE -- resize2fs /dev/sda1
nixops ssh -d $DEPLOYMENT $MACHINE -- df -h

4
modules/backups.nix
View File

@ -4,7 +4,6 @@ with lib;
let
cfg = config.services.backups;
secretsDir = config.nix-bitcoin.secretsDir;
filelist = pkgs.writeText "filelist.txt" ''
${optionalString (!cfg.with-bulk-data) "- ${config.services.bitcoind.dataDir}/blocks"}
@ -12,7 +11,6 @@ let
${config.services.bitcoind.dataDir}
${config.services.clightning.dataDir}
${config.services.lnd.dataDir}
${secretsDir}/lnd-seed-mnemonic
${optionalString (!cfg.with-bulk-data) "- ${config.services.liquidd.dataDir}/*/blocks"}
${optionalString (!cfg.with-bulk-data) "- ${config.services.liquidd.dataDir}/*/chainstate"}
${config.services.liquidd.dataDir}
@ -20,8 +18,8 @@ let
${config.services.nbxplorer.dataDir}
${config.services.btcpayserver.dataDir}
${config.services.joinmarket.dataDir}
${secretsDir}/jm-wallet-seed
${config.services.postgresqlBackup.location}/btcpaydb.sql.gz
${optionalString config.nix-bitcoin.generateSecrets "${config.nix-bitcoin.secretsDir}"}
/var/lib/tor
# Extra files
${cfg.extraFiles}

7
modules/bitcoind.nix
View File

@ -312,9 +312,14 @@ in {
];
systemd.services.bitcoind = {
requires = [ "nix-bitcoin-secrets.target" ];
# Use `wants` instead of `requires` so that bitcoind and all dependent services
# are not restarted when the secrets target restarts.
# The secrets target always restarts when deploying with one of the methods
# in ./deployment.
wants = [ "nix-bitcoin-secrets.target" ];
after = [ "network.target" "nix-bitcoin-secrets.target" ];
wantedBy = [ "multi-user.target" ];
preStart = let
extraRpcauth = concatMapStrings (name: let
user = cfg.rpc.users.${name};

24
modules/deployment/krops.nix Normal file
View File

@ -0,0 +1,24 @@
{ lib, ... }:
{
nix-bitcoin = {
secretsDir = "/var/src/secrets";
setupSecrets = true;
};
environment.variables.NIX_PATH = lib.mkForce "/var/src";
# The file syncing step in krops resets the secrets file permissions.
# So force `setup-secrets.service` to restart on deployment.
# Stop it at activation start so that it gets restarted at the end.
system.activationScripts.nixBitcoinStopSetupSecrets = ''
${/* Skip this step if systemd is not running, i.e. when booting or in nixos-install */ ""}
if [[ -e /run/systemd/system ]]; then
if ! output=$(/run/current-system/systemd/bin/systemctl stop setup-secrets.service --no-block 2>&1); then
# Ignore if the unit is not loaded, which can happen on the first deployment
if [[ $output != *setup-secrets.service\ not\ loaded* ]]; then
echo "$output"
false
fi
fi
fi
'';
}

2
modules/deployment/nixops.nix
View File

@ -1,5 +1,7 @@
{ config, ... }:
{
nix-bitcoin.secretsSetupMethod = "nixops";
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
destDir = config.nix-bitcoin.secretsDir;

9
modules/joinmarket.nix
View File

@ -240,20 +240,19 @@ in {
'';
# Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet
ExecStartPost = mkIf (bitcoind.network == "mainnet")
(nbLib.privileged "joinmarket-create-wallet" ''
(nbLib.script "joinmarket-create-wallet" ''
walletname=wallet.jmdat
wallet=${cfg.dataDir}/wallets/$walletname
if [[ ! -f $wallet ]]; then
echo "Create wallet"
pw=$(cat "${secretsDir}"/jm-wallet-password)
cd ${cfg.dataDir}
if ! ${pkgs.utillinux}/bin/runuser -u ${cfg.user} -- \
${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} $walletname $pw \
if ! ${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} $walletname $pw \
| grep 'recovery_seed' \
| cut -d ':' -f2 \
| (umask u=r,go=; cat > "${secretsDir}/jm-wallet-seed"); then
| (umask u=r,go=; cat > jm-wallet-seed); then
echo "wallet creation failed"
rm -f "$wallet" "${secretsDir}/jm-wallet-seed"
rm -f "$wallet" jm-wallet-seed
exit 1
fi
fi

29
modules/lnd.nix
View File

@ -200,32 +200,28 @@ in {
ExecStartPost = let
restUrl = "https://${cfg.restAddress}:${toString cfg.restPort}/v1";
in [
# Run fully privileged for secrets dir write access
(nbLib.privileged "lnd-create-mnemonic" ''
(nbLib.script "lnd-create-wallet" ''
attempts=250
while ! { exec 3>/dev/tcp/${cfg.restAddress}/${toString cfg.restPort} && exec 3>&-; } &>/dev/null; do
((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; }
sleep 0.1
done
mnemonic=${secretsDir}/lnd-seed-mnemonic
if [[ ! -f $mnemonic ]]; then
echo Create lnd seed
umask u=r,go=
${pkgs.curl}/bin/curl -s \
--cacert ${secretsDir}/lnd-cert \
-X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
fi
chown ${cfg.user}: "$mnemonic"
'')
(nbLib.script "lnd-create-wallet" ''
if [[ ! -f ${networkDir}/wallet.db ]]; then
echo Create lnd wallet
mnemonic="${cfg.dataDir}/lnd-seed-mnemonic"
if [[ ! -f "$mnemonic" ]]; then
echo Create lnd seed
umask u=r,go=
${pkgs.curl}/bin/curl -s \
--cacert ${secretsDir}/lnd-cert \
-X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
fi
echo Create lnd wallet
${pkgs.curl}/bin/curl -s --output /dev/null --show-error \
--cacert ${secretsDir}/lnd-cert \
-X POST -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \
\"cipher_seed_mnemonic\": $(cat ${secretsDir}/lnd-seed-mnemonic | tr -d '\n')}" \
\"cipher_seed_mnemonic\": $(cat "$mnemonic" | tr -d '\n')}" \
${restUrl}/initwallet
# Guarantees that RPC calls with cfg.cli succeed after the service is started
@ -248,9 +244,8 @@ in {
while ! { exec 3>/dev/tcp/${cfg.rpcAddress}/${toString cfg.rpcPort}; } &>/dev/null; do
sleep 0.1
done
'')
# Run fully privileged for chown
# Setting macaroon permission for other users needs root permissions
(nbLib.privileged "lnd-create-macaroons" ''
umask ug=r,o=
${lib.concatMapStrings (macaroon: ''

2
modules/obsolete-options.nix
View File

@ -22,6 +22,8 @@ in {
(mkRenamedOptionModule [ "services" "liquidd" "bind" ] [ "services" "liquidd" "address" ])
(mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ])
(mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ])
(mkRenamedAnnounceTorOption "clightning")
(mkRenamedAnnounceTorOption "lnd")
];

7
modules/presets/secure-node.nix
View File

@ -57,12 +57,5 @@ in {
users.users.${operatorName} = {
openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys;
};
# Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
systemd.services.get-vbox-nixops-client-key =
mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {
postStart = ''
cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.${operatorName}.home}"
'';
};
};
}

30
modules/secrets/generate-secrets.nix
View File

@ -1,26 +1,4 @@
{ config, pkgs, lib, ... }:
# This is mainly for testing.
# When using this for regular deployments, make sure to create a backup of the
# generated secrets.
with lib;
{
nix-bitcoin.setup-secrets = true;
systemd.services.generate-secrets = {
requiredBy = [ "setup-secrets.service" ];
before = [ "setup-secrets.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
mkdir -p "${config.nix-bitcoin.secretsDir}"
cd "${config.nix-bitcoin.secretsDir}"
chown root: .
chmod 0700 .
${config.nix-bitcoin.pkgs.generate-secrets}
'';
};
}
throw ''
The module `generate-secrets.nix` has been removed.
Set option `nix-bitcoin.generateSecrets = true;` instead.
''

69
modules/secrets/secrets.nix
View File

@ -3,9 +3,6 @@
with lib;
let
cfg = config.nix-bitcoin;
setupSecrets = concatStrings (mapAttrsToList (n: v: ''
setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
'') cfg.secrets);
in
{
options.nix-bitcoin = {
@ -15,6 +12,24 @@ in
description = "Directory to store secrets";
};
setupSecrets = mkOption {
type = types.bool;
default = false;
description = ''
Set permissions for existing secrets in `nix-bitcoin.secretsDir`.
'';
};
generateSecrets = mkOption {
type = types.bool;
default = false;
description = ''
Automatically generate all required secrets.
Make sure to create a backup of the generated secrets.
'';
};
# Currently, this is used only by ../deployment/nixops.nix
deployment.secretsDir = mkOption {
type = types.path;
description = ''
@ -44,26 +59,56 @@ in
));
};
setup-secrets = mkEnableOption "Set permissions for secrets generated by 'generate-secrets.sh'";
secretsSetupMethod = mkOption {
type = types.str;
default = throw ''
Error: No secrets setup method has been defined.
To fix this, choose one of the following:
- Use one of the deployment methods in ${toString ./../deployment}
- Set `nix-bitcoin.generateSecrets = true` to automatically generate secrets
- Set `nix-bitcoin.secretsSetupMethod = "manual"` if you want to manually setup secrets
'';
};
};
config = mkIf cfg.setup-secrets {
systemd.targets.nix-bitcoin-secrets = {
requires = [ "setup-secrets.service" ];
after = [ "setup-secrets.service" ];
config = {
# This target is active when secrets have been setup successfully.
systemd.targets.nix-bitcoin-secrets = mkIf (cfg.secretsSetupMethod != "manual") {
# This ensures that the secrets target is always activated when switching
# configurations.
# In this way `switch-to-configuration` is guaranteed to show an error
# when activating the secrets target fails on deployment.
wantedBy = [ "multi-user.target" ];
};
nix-bitcoin.setupSecrets = mkIf cfg.generateSecrets true;
nix-bitcoin.secretsSetupMethod = mkIf cfg.setupSecrets "setup-secrets";
# Operation of this service:
# - Set owner and permissions for all used secrets
# - Make all other secrets accessible to root only
# For all steps make sure that no secrets are copied to the nix store.
#
systemd.services.setup-secrets = {
systemd.services.setup-secrets = mkIf cfg.setupSecrets {
requiredBy = [ "nix-bitcoin-secrets.target" ];
before = [ "nix-bitcoin-secrets.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
${optionalString cfg.generateSecrets ''
mkdir -p "${cfg.secretsDir}"
cd "${cfg.secretsDir}"
chown root: .
chmod 0700 .
${cfg.pkgs.generate-secrets}
''}
setupSecret() {
file="$1"
user="$2"
@ -87,7 +132,11 @@ in
cd "$dir"
processedFiles=()
${setupSecrets}
${
concatStrings (mapAttrsToList (n: v: ''
setupSecret ${n} ${v.user} ${v.group} ${v.permissions} }
'') cfg.secrets)
}
# Make all other files accessible to root only
unprocessedFiles=$(comm -23 <(printf '%s\n' *) <(printf '%s\n' "''${processedFiles[@]}" | sort))

22
modules/versioning.nix
View File

@ -69,6 +69,28 @@ let
(mkOnionServiceChange "clightning")
(mkOnionServiceChange "lnd")
(mkOnionServiceChange "btcpayserver")
{
version = "0.0.41";
condition = config.services.lnd.enable || config.services.joinmarket.enable;
message = let
secretsDir = config.nix-bitcoin.secretsDir;
lnd = config.services.lnd;
jm = config.services.joinmarket;
in ''
Secret files generated by services at runtime are now stored in the service
data dirs instead of the global secrets dir.
To migrate, run the following Bash script as root on your nix-bitcoin node:
if [[ -e ${secretsDir}/lnd-seed-mnemonic ]]; then
install -o ${lnd.user} -g ${lnd.group} -m400 "${secretsDir}/lnd-seed-mnemonic" "${lnd.dataDir}"
fi
if [[ -e ${secretsDir}/jm-wallet-seed ]]; then
install -o ${jm.user} -g ${jm.group} -m400 "${secretsDir}/jm-wallet-seed" "${jm.dataDir}"
fi
rm -f "${secretsDir}"/{lnd-seed-mnemonic,jm-wallet-seed}
'';
}
];
incompatibleChanges = optionals

1
pkgs/default.nix
View File

@ -8,6 +8,7 @@ let self = {
joinmarket = pkgs.callPackage ./joinmarket { inherit (self) nbPython3Packages; };
generate-secrets = pkgs.callPackage ./generate-secrets { };
nixops19_09 = pkgs.callPackage ./nixops { };
krops = import ./krops { };
netns-exec = pkgs.callPackage ./netns-exec { };
lightning-loop = pkgs.callPackage ./lightning-loop { };
lightning-pool = pkgs.callPackage ./lightning-pool { };

12
pkgs/krops/default.nix Normal file
View File

@ -0,0 +1,12 @@
{ pkgs ? import <nixpkgs> {} }:
let
src = pkgs.fetchgit {
url = "https://cgit.krebsco.de/krops";
rev = "804c79a14dc8f81a602d31d5a1eed5f82b3f2457";
sha256 = "1k20l7zqprsrm9s38xslr7190vssf4sjdprd9gh146hxlvln2qrf";
};
in {
lib = import "${src}/lib";
pkgs = import "${src}/pkgs" {};
}

14
pkgs/krops/get-sha256.sh Executable file
View File

@ -0,0 +1,14 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p git
set -euo pipefail
archive_hash () {
repo=$1
rev=$2
nix-prefetch-url --unpack "https://github.com/${repo}/archive/${rev}.tar.gz" 2> /dev/null | tail -n 1
}
echo "Fetching latest krops commit"
latest=$(git ls-remote https://github.com/krebs/krops master | cut -f 1)
echo "rev: ${latest}"
echo "sha256: $(archive_hash krebs/krops $latest)"

1
test/run-tests.sh
View File

@ -249,6 +249,7 @@ examples() {
set -e
./deploy-container.sh
./deploy-qemu-vm.sh
./deploy-krops.sh
"
(cd $scriptDir/../examples && nix-shell --run "$script")
}

6
test/tests.nix
View File

@ -12,10 +12,10 @@ let testEnv = rec {
imports = [
./lib/test-lib.nix
../modules/modules.nix
../modules/secrets/generate-secrets.nix
{
# Features required by the Python test suite
nix-bitcoin.secretsDir = "/secrets";
nix-bitcoin.generateSecrets = true;
nix-bitcoin.operator.enable = true;
environment.systemPackages = with pkgs; [ jq ];
}
@ -80,8 +80,8 @@ let testEnv = rec {
tests.backups = cfg.backups.enable;
# To test that unused secrets are made inaccessible by 'setup-secrets'
systemd.services.generate-secrets.postStart = mkIfTest "security" ''
install -o nobody -g nogroup -m777 <(:) /secrets/dummy
systemd.services.setup-secrets.preStart = mkIfTest "security" ''
install -D -o nobody -g nogroup -m777 <(:) /secrets/dummy
'';
}
(mkIf config.test.features.clightningPlugins {

14
test/tests.py
View File

@ -326,16 +326,22 @@ def _():
files = {
"bitcoind": "var/lib/bitcoind/test/wallet.dat",
"clightning": "var/lib/clightning/bitcoin/hsm_secret",
"lnd": "secrets/lnd-seed-mnemonic",
"joinmarket": "secrets/jm-wallet-seed",
"lnd": "var/lib/lnd/lnd-seed-mnemonic",
"joinmarket": "var/lib/joinmarket/jm-wallet-seed",
"btcpayserver": "var/backup/postgresql/btcpaydb.sql.gz",
}
actual_files = succeed(f"{run_duplicity} list-current-files file:///var/lib/localBackups")
for test, file in files.items():
if test in enabled_tests and file not in actual_files:
def assert_file_exists(file):
if file not in actual_files:
raise Exception(f"Backup file '{file}' is missing.")
for test, file in files.items():
if test in enabled_tests:
assert_file_exists(file)
assert_file_exists("secrets/lnd-wallet-password")
# Impure: restarts services
@test("banlist-and-restart")