Merge #136: Change the nix-bitcoin deployment from forking this repo to importing the module

b2e15c17b8 docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db9 Add fetch-release script (Jonas Nick)
c303cd47e4 Add push-release.sh helper (Jonas Nick)
705d187a35 examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be656 docs: Remove duplicate instructions (Jonas Nick)
455c5664c9 docs: Replace tabs with spaces (Jonas Nick)
8aa4714979 docs: Update NixOS version (Jonas Nick)
9df22a2764 add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced1994 README: Add Example section (Jonas Nick)
44ccbb91d0 Clean up development shell.nix (Jonas Nick)
abcee651d3 add deploy-container.sh (Erik Arvstedt)
5dadea310c add deploy-nixops.sh (Erik Arvstedt)
0c74c365de mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef move main module import to configuration.nix (Erik Arvstedt)
0c0978c007 extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498 Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
Jonas Nick 2020-04-08 15:03:00 +00:00
commit 9239268ab6
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
23 changed files with 833 additions and 459 deletions

.gitignore

@ -1 +1 @@
/secrets/ /example/secrets/
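Review bot: the new ignore pattern `/example/secrets/` does not match the directory the rest of this change creates: `examples/shell.nix` runs `(mkdir -p secrets; cd secrets; ...)` from `examples/`, so the generated secrets land in `examples/secrets/` (plural) and stay eligible for `git add`. Change the pattern to `/examples/secrets/`. The deployment directory that `docs/install.md` now describes lives outside the checkout, so this file cannot protect its `secrets/`; the docs should say to keep that directory out of version control.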


@ -4,7 +4,7 @@ nix-bitcoin
[![Build Status](https://travis-ci.org/fort-nix/nix-bitcoin.svg?branch=master)](https://travis-ci.org/fort-nix/nix-bitcoin) [![Build Status](https://travis-ci.org/fort-nix/nix-bitcoin.svg?branch=master)](https://travis-ci.org/fort-nix/nix-bitcoin)
Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security. Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security.
This is a work in progress - don't expect it to be bug free or secure. This is a work in progress - don't expect it to be bug-free, secure or stable.
The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet. The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet.
A simple webpage shows the lightning nodeid and links to nanopos letting the user receive donations. A simple webpage shows the lightning nodeid and links to nanopos letting the user receive donations.
@ -24,6 +24,30 @@ The goal is to make it easy to deploy a reasonably secure Bitcoin node with a us
It should allow managing bitcoin (the currency) effectively and providing public infrastructure. It should allow managing bitcoin (the currency) effectively and providing public infrastructure.
It should be a reproducible and extensible platform for applications building on Bitcoin. It should be a reproducible and extensible platform for applications building on Bitcoin.
Example
---
The easiest way to try out nix-bitcoin is to use one of the provided examples.
```
git clone https://github.com/fort-nix/nix-bitcoin
cd examples/
nix-shell
```
The following example scripts set up a nix-bitcoin node according to `examples/configuration.nix` and then
shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.
- `./deploy-container.sh` creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\
This is the fastest way to set up a node.\
Requires: [NixOS](https://nixos.org/)
- `./deploy-qemu-vm.sh` creates a QEMU VM.\
Requires: [Nix](https://nixos.org/nix/)
- `./deploy-nixops.sh` creates a VirtualBox VM via [NixOps](https://github.com/NixOS/nixops).\
NixOps can be used to deploy to various other backends like cloud providers.\
Requires: [Nix](https://nixos.org/nix/), [VirtualBox](https://www.virtualbox.org)
Available modules Available modules
--- ---
By default the `configuration.nix` provides: By default the `configuration.nix` provides:
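Review bot: the snippet in the new Example section runs `git clone https://github.com/fort-nix/nix-bitcoin` and then `cd examples/`, which fails because the clone creates `nix-bitcoin/`; it should read `cd nix-bitcoin/examples/`. The claim that the scripts "leave no traces (outside of `/nix/store`)" is also stronger than the scripts support: `deploy-container.sh` adds an iptables NAT rule and needs sudo, and the nixops and QEMU scripts write to fixed paths under `/tmp` that are only removed by their EXIT traps; "leave no persistent state" with those qualifications would be accurate.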
@ -48,8 +72,6 @@ The data directories of the services can be found in `/var/lib` on the deployed
Installation Installation
--- ---
The easiest way is to run `nix-shell` (on a Linux machine) in the nix-bitcoin directory and then create a [NixOps](https://nixos.org/nixops/manual/) deployment with the provided `network.nix` in the `network` directory.
Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell.
See [install.md](docs/install.md) for a detailed tutorial. See [install.md](docs/install.md) for a detailed tutorial.
Security Security


@ -84,33 +84,57 @@ You can also build Nix from source by following the instructions at https://nixo
This eliminates an attack vector where nix's build server or binary cache is compromised. This eliminates an attack vector where nix's build server or binary cache is compromised.
## 3. Nixops deployment ## 3. Setup deployment directory
1. Clone this project 1. Clone this project
``` ```
cd cd
git clone https://github.com/fort-nix/nix-bitcoin git clone https://github.com/fort-nix/nix-bitcoin
cd ~/nix-bitcoin
``` ```
2. Setup environment 2. Obtain the hash of the latest nix-bitcoin release
```
cd nix-bitcoin/examples
nix-shell
```
This will download the nix-bitcoin dependencies and might take a while without giving an output.
Now in the nix-shell run
```
fetch-release > nix-bitcoin-release.nix
```
3. Create a new directory for your nix-bitcoin deployment and copy initial files from nix-bitcoin
```
cd ../../
mkdir nix-bitcoin-node
cd nix-bitcoin-node
cp -r ../nix-bitcoin/examples/{configuration.nix,nixops,shell.nix,nix-bitcoin-release.nix} .
```
## 4. Deploy with NixOps
1. Enter environment
``` ```
nix-shell nix-shell
``` ```
This will set up your nix-bitcoin environment and might take a while without giving an output. Note that a new directory `secrets/` appeared which contains the secrets for your node.
3. Create nixops deployment in nix-shell. 2. Create nixops deployment in nix-shell.
``` ```
nixops create network/network.nix network/network-vbox.nix -d bitcoin-node nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
``` ```
4. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. 3. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
5. Deploy Nixops in nix-shell 4. Deploy Nixops in nix-shell
``` ```
nixops deploy -d bitcoin-node nixops deploy -d bitcoin-node
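Review bot: the sentence telling users that a `secrets/` directory appears after `nix-shell` was removed, but `examples/shell.nix` still generates it in the deployment directory on first entry. Keep the sentence in step 4.1 and add that the directory holds the node's private keys and should be backed up and kept out of version control, because the deployment directory is now outside the nix-bitcoin checkout and no `.gitignore` covers it. Step 2's `fetch-release` is a shell alias defined in the shellHook, so it only works in the interactive `nix-shell`; say so, or expose it as a script on PATH.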
@ -118,7 +142,7 @@ You can also build Nix from source by following the instructions at https://nixo
This will now create a nix-bitcoin node on the target machine. This will now create a nix-bitcoin node on the target machine.
6. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with 5. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
``` ```
nixops ssh operator@bitcoin-node nixops ssh operator@bitcoin-node
@ -128,7 +152,7 @@ See [usage.md](usage.md) for usage instructions, such as how to update.
To resize the VM disk image, you can use this helper script from within nix-shell: To resize the VM disk image, you can use this helper script from within nix-shell:
``` ```
./helper/vbox-resize-disk1.sh --help ../nix-bitcoin/helper/vbox-resize-disk1.sh --help
``` ```
---- ----
@ -193,17 +217,19 @@ Tutorial: install and configure NixOS for nix-bitcoin on your own hardware
This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.html#ch-installation). Look there for more information. This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.html#ch-installation). Look there for more information.
1. Obtain latest NixOS. For example: 1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example:
``` ```
wget https://releases.nixos.org/nixos/19.03/nixos-19.03.172538.7bb74e65365/nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso wget https://releases.nixos.org/nixos/19.09/nixos-19.09.2284.bf7c0f0461e/nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
sha256sum nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
# output: 9768eb945bef410fccfb82cb3d2e7ce7c02c3430aed0f2f1527273cb080fff3e
``` ```
Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd. Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd.
2. Write NixOS iso to install media (USB/CD). For example: 2. Write NixOS iso to install media (USB/CD). For example:
``` ```
dd if=nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso of=/dev/sdX cp nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso /dev/sdX
``` ```
Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l` Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l`
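Review bot: good to add the `sha256sum` step for the 19.09 ISO, but a hash printed in the same document as the download URL only catches transfer corruption, since anyone who can alter the URL can alter the hash; add a line telling the reader to cross-check the value against the hash published alongside the ISO on releases.nixos.org before writing it to `/dev/sdX`.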
@ -318,55 +344,20 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
reboot reboot
``` ```
## 2. nix-bitcoin installation
On the machine you are deploying from: ## 2. Nix installation
You can also build Nix from source by following the instructions at https://nixos.org/nix/manual/#ch-installing-source. Follow the [Nix installation](#2-nix-installation) instructions from the tutorial above (on the machine you are going to deploy from).
1. Install Dependencies (Debian 9 stretch)
## 3. Setup deployment directory
Follow the [Setup deployment directory](#3-setup-deployment-directory) instructions from the tutorial above (on the machine you are going to deploy from).
## 4. Deploy with NixOps
1. Make sure you are in the deployment directory and create a nixops network file as follows
``` ```
sudo apt-get install curl git gnupg2 dirmngr nano nixops/node-nixos.nix
```
2. Install Latest Nix with GPG Verification
```
curl -o install-nix https://nixos.org/nix/install
curl -o install-nix.sig https://nixos.org/nix/install.sig
gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg2 --verify ./install-nix.sig
sh ./install-nix --daemon
. /home/user/.nix-profile/etc/profile.d/nix.sh
```
Then follow the instructions. Open a new terminal window when you're done.
If you get an error similar to
```
error: cloning builder process: Operation not permitted
error: unable to start build process
/tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile
```
you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script.
3. Optional: Disallow substitutes
You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source.
This eliminates an attack vector where nix's build server or binary cache is compromised.
4. Clone this project
```
cd
git clone https://github.com/fort-nix/nix-bitcoin
cd ~/nix-bitcoin
```
5. Create network file
```
nano network/network-nixos.nix
``` ```
``` ```
@ -380,7 +371,7 @@ You can also build Nix from source by following the instructions at https://nixo
Replace 1.2.3.4 with NixOS machine's IP address. Replace 1.2.3.4 with NixOS machine's IP address.
6. Edit `configuration.nix` 2. Edit `configuration.nix`
``` ```
nano configuration.nix nano configuration.nix
@ -388,14 +379,14 @@ You can also build Nix from source by following the instructions at https://nixo
Uncomment `./hardware-configuration.nix` line by removing #. Uncomment `./hardware-configuration.nix` line by removing #.
7. Create `hardware-configuration.nix` 3. Create `hardware-configuration.nix`
``` ```
nano hardware-configuration.nix nano hardware-configuration.nix
``` ```
Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file. Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file.
8. Add boot option to `hardware-configuration.nix` 4. Add boot option to `hardware-configuration.nix`
Option 1: Enable systemd boot for UEFI Option 1: Enable systemd boot for UEFI
``` ```
@ -403,27 +394,26 @@ You can also build Nix from source by following the instructions at https://nixo
``` ```
Option 2: Set grub device for Legacy Boot (MBR) Option 2: Set grub device for Legacy Boot (MBR)
``` ```
```
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
``` ```
9. Setup environment 5. Enter environment
``` ```
nix-shell nix-shell
``` ```
This will set up your nix-bitcoin environment and might take a while without giving an output. Note that a new directory `secrets/` appeared which contains the secrets for your node.
10. Create nixops deployment in nix-shell. 6. Create nixops deployment in nix-shell.
``` ```
nixops create network/network.nix network/network-nixos.nix -d bitcoin-node nixops create nixops/node.nix nixops/node-nixos.nix -d bitcoin-node
``` ```
11. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. 7. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
12. Deploy Nixops in nix-shell 8. Deploy Nixops in nix-shell
``` ```
nixops deploy -d bitcoin-node nixops deploy -d bitcoin-node
@ -431,7 +421,7 @@ You can also build Nix from source by following the instructions at https://nixo
This will now create a nix-bitcoin node on the target machine. This will now create a nix-bitcoin node on the target machine.
13. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with 9. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
``` ```
nixops ssh operator@bitcoin-node nixops ssh operator@bitcoin-node


@ -1,27 +1,9 @@
Updating Updating
--- ---
Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`. In your deployment directory, enter the nix shell with `nix-shell` and run
### Verifying GPG Signatures (recommended)
1. Import jonasnick's gpg key
``` ```
gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 fetch-release > nix-bitcoin-release.nix
```
2. Trust jonasnick's gpg key
```
gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
trust
4
quit
```
3. Verify commit after `git pull`
```
git verify-commit <hash of latest commit>
``` ```
Nodeinfo Nodeinfo
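Review bot: the update procedure now collapses to `fetch-release > nix-bitcoin-release.nix`, but the hunk drops the whole "Verifying GPG Signatures (recommended)" section without saying what replaces it. Add one sentence stating that `fetch-release` verifies the release's `SHA256SUMS.txt.asc` against the key bundled as `helper/key-jonasnick.bin` (fingerprint 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366) and aborts otherwise, and that the `sha256` it writes is what `examples/shell.nix` enforces on the tarball; otherwise readers lose the only documented description of the trust chain. The removed text also said to redeploy with `nixops deploy -d bitcoin-node` after updating; that step is still required and should stay.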


@ -4,11 +4,12 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
imports = [ imports = [
./modules/nix-bitcoin.nix <nix-bitcoin/modules/nix-bitcoin.nix>
# Use hardened kernel profile. See # FIXME: The hardened kernel profile improves security but
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix # decreases performance by ~50%.
# for the enabled options. # Turn it off when not needed.
# Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
<nixpkgs/nixos/modules/profiles/hardened.nix> <nixpkgs/nixos/modules/profiles/hardened.nix>
# FIXME: Uncomment next line to import your hardware configuration. If so, # FIXME: Uncomment next line to import your hardware configuration. If so,
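Review bot: the replacement comment says "Turn it off when not needed" without saying what is lost. The hardened profile is the only kernel hardening in the default configuration, so the FIXME should state that disabling it removes those protections, letting the ~50% figure be weighed against a real trade-off rather than read as an instruction to disable it; the figure itself needs a workload qualifier or a source.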

examples/deploy-container.sh Executable file

@ -0,0 +1,83 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to setup a nix-bitcoin node in a NixOS container.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
if [[ $(sysctl -n net.ipv4.ip_forward) != 1 ]]; then
echo "Error: IP forwarding (net.ipv4.ip_forward) is not enabled"
exit 1
fi
if [[ ! -e /run/current-system/nixos-version ]]; then
echo "Error: This script needs NixOS to run"
exit 1
fi
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
# Cleanup on exit
cleanup() {
echo
echo "Deleting container..."
sudo extra-container destroy demo-node
}
trap "cleanup" EXIT
# Build container.
# You can re-run this command with a changed container config.
# The running container is then switched to the new config.
# Learn more: https://github.com/erikarvstedt/extra-container
#
sudo extra-container create --start <<'EOF'
{ pkgs, lib, ... }: let
containerName = "demo-node"; # container name length is limited to 11 chars
localAddress = "10.250.0.2"; # container address
hostAddress = "10.250.0.1";
in {
containers.${containerName} = {
privateNetwork = true;
inherit localAddress hostAddress;
config = { pkgs, config, lib, ... }: {
imports = [
<nix-bitcoin/examples/configuration.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
];
# Speed up evaluation
documentation.nixos.enable = false;
};
};
# Allow WAN access
systemd.services."container@${containerName}" = {
preStart = "${pkgs.iptables}/bin/iptables -w -t nat -A POSTROUTING -s ${localAddress} -j MASQUERADE";
# Delete rule
postStop = "${pkgs.iptables}/bin/iptables -w -t nat -D POSTROUTING -s ${localAddress} -j MASQUERADE || true";
};
}
EOF
# Run command in container
c() { sudo extra-container run demo-node -- "$@" | cat; }
echo
echo "Bitcoind service:"
c systemctl status bitcoind
echo
echo "Bitcoind network:"
c bitcoin-cli getnetworkinfo
echo
echo "lightning-cli state:"
c lightning-cli getinfo
echo
echo "Node info:"
c nodeinfo
echo
echo "Bitcoind data dir:"
sudo ls -al /var/lib/containers/demo-node/var/lib/bitcoind
# Cleanup happens at exit (see above)
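Review bot: the IP forwarding check only reports the failure; since it runs before the nix-shell re-exec and is the first thing a new user hits, the error message should say how to enable it on NixOS (`boot.kernel.sysctl."net.ipv4.ip_forward" = true;`). In `c()` the `| cat` is presumably there to stop `systemctl status` from paging, but it also strips the TTY from `lightning-cli` and `nodeinfo`; a comment explaining it, or `systemctl --no-pager status bitcoind`, would be clearer. The postStop `iptables -D ... || true` silently ignores a failed rule removal, which contradicts the "leaves no traces" promise in the header; at least print a warning.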

examples/deploy-nixops.sh Executable file

@ -0,0 +1,41 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to setup a VirtualBox nix-bitcoin node with nixops.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
# Cleanup on exit
cleanup() {
set +e
if nixops list | grep -q bitcoin-node; then
nixops destroy --confirm -d bitcoin-node
fi
rm -rf $tmpDir
}
trap "cleanup" EXIT
tmpDir=/tmp/nix-bitcoin-nixops
mkdir -p $tmpDir
# Don't write nixops and VirtualBox data to the $USER's home
export HOME=$tmpDir
# Disable interactive queries and don't write to the $USER's known_hosts file
export NIXOPS_SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
nixops deploy -d bitcoin-node
# Connect to node
nixops ssh bitcoin-node systemctl status bitcoind
# Cleanup happens at exit (see above)
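Review bot: `tmpDir=/tmp/nix-bitcoin-nixops` followed by `mkdir -p $tmpDir` is a fixed, predictable path in a shared directory, and `export HOME=$tmpDir` then makes nixops write its state database there, including the deployment's ssh private key; if another local user pre-creates that directory the script happily uses it. Use `tmpDir=$(mktemp -d)` (as `helper/fetch-release` already does) so the directory is created with mode 0700 under a random name. The `NIXOPS_SSH_OPTS` export only has an effect with the `ssh_util.py` patch in this same change; a comment pointing at that patch would save the next reader a search.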

examples/deploy-qemu-vm.sh Executable file

@ -0,0 +1,93 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to run a nix-bitcoin node in QEMU.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
# MAKE SURE TO REPLACE the SSH identity file if you use this script for
# anything serious.
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
tmpDir=/tmp/nix-bitcoin-qemu-vm
mkdir -p $tmpDir
# Cleanup on exit
cleanup() {
set +eu
kill -9 $qemuPID
rm -rf $tmpDir
}
trap "cleanup" EXIT
identityFile=qemu-vm/id-vm
chmod 0600 $identityFile
echo "Building VM"
nix-build --out-link $tmpDir/vm - <<EOF
(import <nixpkgs/nixos> {
configuration = {
imports = [
<nix-bitcoin/examples/configuration.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
];
virtualisation.graphics = false;
services.mingetty.autologinUser = "root";
users.users.root = {
openssh.authorizedKeys.keys = [ "$(cat $identityFile.pub)" ];
};
};
}).vm
EOF
vmMemoryMiB=2048
vmNumCPUs=4
sshPort=60734
export NIX_DISK_IMAGE=$tmpDir/img
export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22
</dev/null $tmpDir/vm/bin/run-*-vm -m $vmMemoryMiB -smp $vmNumCPUs &>/dev/null &
qemuPID=$!
# Run command in VM
c() {
ssh -p $sshPort -i $identityFile -o ConnectTimeout=1 \
-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \
-o ControlMaster=auto -o ControlPath=$tmpDir/ssh-connection -o ControlPersist=60 \
root@127.0.0.1 "$@"
}
echo
echo "Waiting for SSH connection..."
while ! c : 2>/dev/null; do :; done
echo
echo "Waiting until services are ready..."
c '
attempts=300
while ! systemctl is-active clightning &> /dev/null; do
((attempts-- == 0)) && { echo "timeout"; exit 1; }
sleep 0.2
done
'
echo
echo "Bitcoind service:"
c systemctl status bitcoind
echo
echo "Bitcoind network:"
c bitcoin-cli getnetworkinfo
echo
echo "lightning-cli state:"
c lightning-cli getinfo
echo
echo "Node info:"
c nodeinfo
# Cleanup happens at exit (see above)
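Review bot: `QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22` leaves the host address empty, so QEMU's user-mode networking listens on all host interfaces, while the VM's root account accepts the key in `qemu-vm/id-vm`, which this change commits to the repository; anyone who can reach port 60734 on the host gets root in the VM. Use `hostfwd=tcp:127.0.0.1:$sshPort-:22` so the forward is loopback-only, and move the "MAKE SURE TO REPLACE the SSH identity file" warning next to that line. Same point as in `deploy-nixops.sh`: `tmpDir=/tmp/nix-bitcoin-qemu-vm` with `mkdir -p` is predictable and holds the disk image (`NIX_DISK_IMAGE`) containing the generated secrets; prefer `mktemp -d`. The `while ! c : 2>/dev/null; do :; done` loop also spins without a `sleep`.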


@ -0,0 +1 @@
../.

examples/nixops/node.nix Normal file

@ -0,0 +1,12 @@
{
network.description = "Bitcoin Core node";
bitcoin-node = { config, pkgs, lib, ... }: {
imports = [
../configuration.nix
<nix-bitcoin/modules/deployment/nixops.nix>
];
nix-bitcoin.deployment.secretsDir = toString ../secrets;
};
}
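Review bot: `nix-bitcoin.deployment.secretsDir = toString ../secrets;` is correct but deserves a comment: written as the bare path `../secrets`, the value would be copied into the world-readable `/nix/store` when it is interpolated into `keyFile`, exposing every secret; `toString` keeps it an out-of-store string that nixops reads at deploy time. Because the option type is `types.path`, a reader may assume a plain path is fine, so say it here or in the option description.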

examples/qemu-vm/id-vm Normal file

@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpgAAAIgDA7dzAwO3
cwAAAAtzc2gtZWQyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpg
AAAECuRSsNFRQgAOid87b/2kIhgycAH5nPgZwkY4bUpq7LQFt1r3f9BjAN/g8YmnYqAnXH
Ao+AqEQd4mu5tcB5lY+mAAAABG5vbmUB
-----END OPENSSH PRIVATE KEY-----
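Review bot: committing a private key is acceptable for a throwaway demo VM, but it must be unmistakable that this key is public: add a comment in `deploy-qemu-vm.sh` where `identityFile=qemu-vm/id-vm` is set, and a line in an `examples/qemu-vm/README`, saying the key is shared with everyone who has the repository and must never be placed in a real host's `authorized_keys`. The `chmod 0600 $identityFile` in the script is needed because git does not preserve file modes and ssh refuses group- or world-readable keys; that deserves a comment too.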


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt1r3f9BjAN/g8YmnYqAnXHAo+AqEQd4mu5tcB5lY+m none

examples/shell.nix Normal file

@ -0,0 +1,46 @@
let
# This is either a path to a local nix-bitcoin source or an attribute set to
# be used as the fetchurl argument.
nix-bitcoin-release = import ./nix-bitcoin-release.nix;
nix-bitcoin-path =
if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
else nix-bitcoin-release;
nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
nixpkgs = import nixpkgs-path {};
nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
extraContainer = nixpkgs.callPackage (builtins.fetchTarball {
url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
}) {};
nix-bitcoin-unpacked = (import <nixpkgs> {}).runCommand "nix-bitcoin-src" {} ''
mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
'';
in
with nixpkgs;
stdenv.mkDerivation rec {
name = "nix-bitcoin-environment";
buildInputs = [ nix-bitcoin.nixops19_09 figlet extraContainer ];
shellHook = ''
export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
# ssh-agent and nixops don't play well together (see
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
# from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
# keys already added to my ssh-agent.
export SSH_AUTH_SOCK=""
figlet "nix-bitcoin"
(mkdir -p secrets; cd secrets; ${nix-bitcoin.generate-secrets})
# Don't run this hook when another nix-shell is run inside this shell
unset shellHook
'';
}
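Review bot: `nix-bitcoin-unpacked` uses `(import <nixpkgs> {})` rather than the pinned `nixpkgs`, so entering the shell needs a resolvable `<nixpkgs>` in the user's own `NIX_PATH` and evaluates an unpinned nixpkgs before the pin is known; that is unavoidable here (the pin lives inside the tarball being unpacked), but a comment should say so. Add a comment on `builtins.fetchurl nix-bitcoin-release` as well: the `sha256` in `nix-bitcoin-release.nix` is enforced by `builtins.fetchurl`, which is what ties the download to the GPG-signed `SHA256SUMS.txt` that `fetch-release` verified. The `alias fetch-release=...` only exists in the interactive shell; since the docs tell users to run it, a small wrapper script on PATH would be more robust than an alias.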

helper/fetch-release Executable file

@ -0,0 +1,36 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg
set -euo pipefail
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
REPO=fort-nix/nix-bitcoin
if [[ ! -v VERSION ]]; then
VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2)
fi
TMPDIR=$(mktemp -d)
GPG_HOME=$(mktemp -d)
trap "rm -rf $TMPDIR $GPG_HOME" EXIT
cd $TMPDIR
BASEURL=https://github.com/$REPO/releases/download/v$VERSION
curl --silent -L -O $BASEURL/SHA256SUMS.txt
curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc
# Import key and verify fingerprint
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
echo "ERROR: Signature verification failed. Please open an issue in the project repository."
exit 1
}
SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')
cat <<EOF
{
url = "$BASEURL/nix-bitcoin-$VERSION.tar.gz";
sha256 = "$SHA256";
}
EOF
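Review bot: `curl --silent -L -O` is used without `--fail`, so a 404 (for instance when the GitHub API call is rate-limited, `.tag_name` is `null`, and `jq -r '.tag_name' | tail -c +2` leaves `VERSION` as `ull`) writes the HTML error page into `SHA256SUMS.txt`, and the user is then told "Signature verification failed", which turns an ordinary network problem into a suspected tampering event. Add `--fail` to the three curl calls and abort early if `VERSION` is empty or not a version string. Extracting the hash with `grep -Eo '^[^ ]+'` takes the first field of every line of `SHA256SUMS.txt`; select the line for `nix-bitcoin-$VERSION.tar.gz` explicitly so a second entry in that file cannot produce a two-line `sha256` value.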

helper/key-jonasnick.bin Normal file (binary, not shown)

helper/push-release.sh Executable file

@ -0,0 +1,59 @@
#!/usr/bin/env bash
set -euo pipefail
REPO=fort-nix/nix-bitcoin
BRANCH=master
OAUTH_TOKEN=$(pass show nix-bitcoin/github/oauth-token)
if [[ ! $OAUTH_TOKEN ]]; then
echo "Please set OAUTH_TOKEN variable"
fi
if [[ $# < 1 ]]; then
echo "$0 <tag_name>"
exit
fi
TAG_NAME=$1
RESPONSE=$(curl https://api.github.com/repos/$REPO/releases/latest 2> /dev/null)
echo "Latest release" $(echo $RESPONSE | jq -r '.tag_name' | tail -c +2)
while true; do
read -p "Create release $1? [yn] " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer y or n.";;
esac
done
TMPDIR=$(mktemp -d)
trap "rm -rf $TMPDIR" EXIT
ARCHIVE_NAME=nix-bitcoin-$TAG_NAME.tar.gz
ARCHIVE=$TMPDIR/$ARCHIVE_NAME
# Need to be in the repositories root directory for archiving
(cd $(git rev-parse --show-toplevel); git archive --format=tar.gz -o $ARCHIVE $BRANCH)
SHA256SUMS=$TMPDIR/SHA256SUMS.txt
# Want to use relative path with sha256sums because it'll output the first
# argument
(cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS)
gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS
POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_comitish\": \"$BRANCH\" }"
RESPONSE=$(curl -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases 2> /dev/null)
ID=$(echo $RESPONSE | jq -r '.id')
if [[ $ID == null ]]; then
echo "Failed to create release with $POST_DATA"
exit 1
fi
post_asset() {
GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name="
curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
$GH_ASSET/$(basename $1) &> /dev/null
}
post_asset $ARCHIVE
post_asset $SHA256SUMS
post_asset $SHA256SUMS.asc
echo "Successfully created" $(echo $POST_DATA | jq -r .tag_name)
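Review bot: the JSON field `target_comitish` is misspelled (GitHub's release API expects `target_commitish`), so it is ignored and the `v$TAG_NAME` tag is created on the repository's default branch, which only matches `BRANCH=master` by coincidence. The `OAUTH_TOKEN` check prints a message but does not `exit 1`, so the script continues and fails later with an authentication error; the message also says to set a variable although the token comes from `pass`. In `post_asset`, `$GH_ASSET/$(basename $1)` puts a `/` right after `?name=`, making the requested asset name `/nix-bitcoin-...`; drop the slash. Finally, `post_asset` sends curl's output to `/dev/null` and ignores its status, so a failed upload of `SHA256SUMS.txt.asc` still ends in "Successfully created"; check the response for an `id` the way the release creation does.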


@ -0,0 +1,25 @@
{ config, ... }:
{
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
destDir = config.nix-bitcoin.secretsDir;
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
}
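Review bot: the comment says the secrets directory is made "world-readable", but the service applies `chmod o+x`, which grants traverse (search) permission only, not read; that is the right choice (a service can open a file it is allowed to read, nobody else can list the directory), so fix the comment rather than the code, and state that each file's own mode still comes from the `permissions` attribute in `config.nix-bitcoin.secrets`.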


@ -15,6 +15,13 @@ in
description = "Directory to store secrets"; description = "Directory to store secrets";
}; };
deployment.secretsDir = mkOption {
type = types.path;
description = ''
Directory of local secrets that are transfered to the nix-bitcoin node on deployment
'';
};
secrets = mkOption { secrets = mkOption {
default = {}; default = {};
type = with types; attrsOf (submodule ( type = with types; attrsOf (submodule (
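Review bot: typo in the option description: `transfered` should be `transferred`. The description should also say that the value must be given as a string (`toString ../secrets`), not as a bare path, because a path value is copied into the Nix store together with the secrets when it is interpolated; `examples/nixops/node.nix` does this correctly, but the option is the place to document it.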


@ -1,31 +0,0 @@
{
network.description = "Bitcoin Core node";
bitcoin-node =
{ config, pkgs, lib, ... }: {
imports = [ ../configuration.nix ];
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${toString ../secrets}/${n}";
destDir = config.nix-bitcoin.secretsDir;
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
};
}


@ -43,3 +43,14 @@
('destDir', 'string'), ('destDir', 'string'),
('user', 'string'), ('user', 'string'),
('group', 'string'), ('group', 'string'),
--- a/nixops/ssh_util.py
+++ b/nixops/ssh_util.py
@@ -278,6 +278,7 @@ class SSH(object):
'timeout' specifies the SSH connection timeout.
"""
+ flags = shlex.split(os.getenv('NIXOPS_SSH_OPTS', '')) + flags
master = self.get_master(flags, timeout, user)
flags = flags + self._get_flags()
if logged:
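Review bot: the added line `flags = shlex.split(os.getenv('NIXOPS_SSH_OPTS', '')) + flags` needs `shlex` (and `os`) imported in `nixops/ssh_util.py`; the hunk does not show the import, so confirm it exists or add it to the patch. Prepending the environment flags means they take precedence over the flags nixops passes per call, because ssh uses the first value given for an option; if that is intended (so `NIXOPS_SSH_OPTS` can override host-key checking in the demo scripts), say so in a comment, otherwise append them. A one-line note that `NIXOPS_SSH_OPTS` is a nix-bitcoin-local extension would help whoever next rebases this patch onto upstream nixops.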


@ -6,19 +6,7 @@ with import nixpkgs { };
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "nix-bitcoin-environment"; name = "nix-bitcoin-environment";
nixops19_09 = callPackage ./pkgs/nixops {};
make-secrets = callPackage ./pkgs/generate-secrets/update-and-generate.nix {};
buildInputs = [ nixops19_09 figlet ];
shellHook = '' shellHook = ''
export NIX_PATH="nixpkgs=${nixpkgs}:." export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=./:."
# ssh-agent and nixops don't play well together (see
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
# from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
# keys already added to my ssh-agent.
export SSH_AUTH_SOCK=""
figlet "nix-bitcoin"
(mkdir -p secrets; cd secrets; ${make-secrets})
''; '';
} }
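Review bot: `nix-bitcoin=./` in `NIX_PATH` is a relative entry, resolved against the current directory at evaluation time, so `<nix-bitcoin/...>` silently stops resolving (or resolves to a different tree) as soon as the user `cd`s inside the shell; use the absolute `${toString ./.}` as `examples/shell.nix` does with `nix-bitcoin-path`. With `nixops19_09` and secrets generation removed from this shell, a comment that this is now the development shell and that deployments use `examples/shell.nix` would avoid confusion with the old workflow.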