Merge #136: Change the nix-bitcoin deployment from forking this repo to importing the module

b2e15c17b8 docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db9 Add fetch-release script (Jonas Nick)
c303cd47e4 Add push-release.sh helper (Jonas Nick)
705d187a35 examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be656 docs: Remove duplicate instructions (Jonas Nick)
455c5664c9 docs: Replace tabs with spaces (Jonas Nick)
8aa4714979 docs: Update NixOS version (Jonas Nick)
9df22a2764 add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced1994 README: Add Example section (Jonas Nick)
44ccbb91d0 Clean up development shell.nix (Jonas Nick)
abcee651d3 add deploy-container.sh (Erik Arvstedt)
5dadea310c add deploy-nixops.sh (Erik Arvstedt)
0c74c365de mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef move main module import to configuration.nix (Erik Arvstedt)
0c0978c007 extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498 Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c
This commit is contained in:
Jonas Nick 2020-04-08 15:03:00 +00:00
commit 9239268ab6
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
23 changed files with 833 additions and 459 deletions

.gitignore vendored

@ -1 +1 @@
/secrets/ /example/secrets/
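Review bot: the new ignore pattern `/example/secrets/` does not match the directory the rest of this PR uses; README.md and install.md refer to `examples/` (plural: `cd examples/`, `../nix-bitcoin/examples/`), so a `secrets/` directory generated by running `nix-shell` inside `examples/` would not be ignored and could end up committed. Change the pattern to `/examples/secrets/`, and consider a bare `secrets/` so that a deployment directory copied from the examples is covered as well.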


@ -4,7 +4,7 @@ nix-bitcoin
[![Build Status](https://travis-ci.org/fort-nix/nix-bitcoin.svg?branch=master)](https://travis-ci.org/fort-nix/nix-bitcoin) [![Build Status](https://travis-ci.org/fort-nix/nix-bitcoin.svg?branch=master)](https://travis-ci.org/fort-nix/nix-bitcoin)
Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security. Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security.
This is a work in progress - don't expect it to be bug free or secure. This is a work in progress - don't expect it to be bug-free, secure or stable.
The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet. The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet.
A simple webpage shows the lightning nodeid and links to nanopos letting the user receive donations. A simple webpage shows the lightning nodeid and links to nanopos letting the user receive donations.
@ -24,6 +24,30 @@ The goal is to make it easy to deploy a reasonably secure Bitcoin node with a us
It should allow managing bitcoin (the currency) effectively and providing public infrastructure. It should allow managing bitcoin (the currency) effectively and providing public infrastructure.
It should be a reproducible and extensible platform for applications building on Bitcoin. It should be a reproducible and extensible platform for applications building on Bitcoin.
Example
---
The easiest way to try out nix-bitcoin is to use one of the provided examples.
```
git clone https://github.com/fort-nix/nix-bitcoin
cd examples/
nix-shell
```
The following example scripts set up a nix-bitcoin node according to `examples/configuration.nix` and then
shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.
- `./deploy-container.sh` creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\
This is the fastest way to set up a node.\
Requires: [NixOS](https://nixos.org/)
- `./deploy-qemu-vm.sh` creates a QEMU VM.\
Requires: [Nix](https://nixos.org/nix/)
- `./deploy-nixops.sh` creates a VirtualBox VM via [NixOps](https://github.com/NixOS/nixops).\
NixOps can be used to deploy to various other backends like cloud providers.\
Requires: [Nix](https://nixos.org/nix/), [VirtualBox](https://www.virtualbox.org)
Available modules Available modules
--- ---
By default the `configuration.nix` provides: By default the `configuration.nix` provides:
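Review bot: the commands in the new Example section do not work as written: after `git clone https://github.com/fort-nix/nix-bitcoin` the checkout lives in `nix-bitcoin/`, so the next line should be `cd nix-bitcoin/examples/` rather than `cd examples/`. The list of deploy scripts is otherwise clear; it would help to repeat that the "Requires:" lines refer to the host you run the script on, since the NixOS requirement of `./deploy-container.sh` is easy to miss.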
@ -48,8 +72,6 @@ The data directories of the services can be found in `/var/lib` on the deployed
Installation Installation
--- ---
The easiest way is to run `nix-shell` (on a Linux machine) in the nix-bitcoin directory and then create a [NixOps](https://nixos.org/nixops/manual/) deployment with the provided `network.nix` in the `network` directory.
Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell.
See [install.md](docs/install.md) for a detailed tutorial. See [install.md](docs/install.md) for a detailed tutorial.
Security Security


@ -18,35 +18,35 @@ The following steps are meant to be run on the machine you deploy from, not the
1. Add virtualbox.list to /etc/apt/sources.list.d (Debian 9 stretch) 1. Add virtualbox.list to /etc/apt/sources.list.d (Debian 9 stretch)
``` ```
echo "deb http://download.virtualbox.org/virtualbox/debian stretch contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list echo "deb http://download.virtualbox.org/virtualbox/debian stretch contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
``` ```
2. Add Oracle VirtualBox public key 2. Add Oracle VirtualBox public key
``` ```
wget https://www.virtualbox.org/download/oracle_vbox_2016.asc wget https://www.virtualbox.org/download/oracle_vbox_2016.asc
gpg2 oracle_vbox_2016.asc gpg2 oracle_vbox_2016.asc
``` ```
Proceed _only_ if fingerprint reads B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF Proceed _only_ if fingerprint reads B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF
``` ```
sudo apt-key add oracle_vbox_2016.asc sudo apt-key add oracle_vbox_2016.asc
``` ```
3. Install virtualbox-5.2 3. Install virtualbox-5.2
``` ```
sudo apt-get update sudo apt-get update
sudo apt-get install virtualbox-5.2 sudo apt-get install virtualbox-5.2
``` ```
3. Create Host Adapter in VirtualBox 3. Create Host Adapter in VirtualBox
``` ```
vboxmanage hostonlyif create vboxmanage hostonlyif create
``` ```
## 2. Nix installation ## 2. Nix installation
The following steps are meant to be run on the machine you deploy from, not the machine you deploy to. The following steps are meant to be run on the machine you deploy from, not the machine you deploy to.
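Review bot: the step numbering in this hunk is off on both sides of the diff; "Install virtualbox-5.2" and "Create Host Adapter in VirtualBox" are both numbered 3, so the second one should become 4. Since this hunk only changes whitespace (the tabs-to-spaces commit), folding the renumbering in here is cheap.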
@ -54,81 +54,105 @@ You can also build Nix from source by following the instructions at https://nixo
1. Install Dependencies (Debian 9 stretch) 1. Install Dependencies (Debian 9 stretch)
``` ```
sudo apt-get install curl git gnupg2 dirmngr sudo apt-get install curl git gnupg2 dirmngr
``` ```
2. Install latest Nix in "multi-user mode" with GPG Verification 2. Install latest Nix in "multi-user mode" with GPG Verification
``` ```
curl -o install-nix https://nixos.org/nix/install curl -o install-nix https://nixos.org/nix/install
curl -o install-nix.sig https://nixos.org/nix/install.sig curl -o install-nix.sig https://nixos.org/nix/install.sig
gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg2 --verify ./install-nix.sig gpg2 --verify ./install-nix.sig
sh ./install-nix --daemon sh ./install-nix --daemon
``` ```
Then follow the instructions. Open a new terminal window when you're done. Then follow the instructions. Open a new terminal window when you're done.
If you get an error similar to If you get an error similar to
``` ```
error: cloning builder process: Operation not permitted error: cloning builder process: Operation not permitted
error: unable to start build process error: unable to start build process
/tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile /tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile
``` ```
you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script. you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script.
3. Optional: Disallow substitutes 3. Optional: Disallow substitutes
You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source. You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source.
This eliminates an attack vector where nix's build server or binary cache is compromised. This eliminates an attack vector where nix's build server or binary cache is compromised.
## 3. Nixops deployment ## 3. Setup deployment directory
1. Clone this project 1. Clone this project
``` ```
cd cd
git clone https://github.com/fort-nix/nix-bitcoin git clone https://github.com/fort-nix/nix-bitcoin
cd ~/nix-bitcoin ```
```
2. Setup environment 2. Obtain the hash of the latest nix-bitcoin release
``` ```
nix-shell cd nix-bitcoin/examples
``` nix-shell
```
This will set up your nix-bitcoin environment and might take a while without giving an output. This will download the nix-bitcoin dependencies and might take a while without giving an output.
Now in the nix-shell run
3. Create nixops deployment in nix-shell. ```
fetch-release > nix-bitcoin-release.nix
```
``` 3. Create a new directory for your nix-bitcoin deployment and copy initial files from nix-bitcoin
nixops create network/network.nix network/network-vbox.nix -d bitcoin-node
```
4. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. ```
cd ../../
mkdir nix-bitcoin-node
cd nix-bitcoin-node
cp -r ../nix-bitcoin/examples/{configuration.nix,nixops,shell.nix,nix-bitcoin-release.nix} .
```
5. Deploy Nixops in nix-shell ## 4. Deploy with NixOps
``` 1. Enter environment
nixops deploy -d bitcoin-node
```
This will now create a nix-bitcoin node on the target machine. ```
nix-shell
```
6. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with Note that a new directory `secrets/` appeared which contains the secrets for your node.
``` 2. Create nixops deployment in nix-shell.
nixops ssh operator@bitcoin-node
``` ```
nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
```
3. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
4. Deploy Nixops in nix-shell
```
nixops deploy -d bitcoin-node
```
This will now create a nix-bitcoin node on the target machine.
5. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
```
nixops ssh operator@bitcoin-node
```
See [usage.md](usage.md) for usage instructions, such as how to update. See [usage.md](usage.md) for usage instructions, such as how to update.
To resize the VM disk image, you can use this helper script from within nix-shell: To resize the VM disk image, you can use this helper script from within nix-shell:
``` ```
./helper/vbox-resize-disk1.sh --help ../nix-bitcoin/helper/vbox-resize-disk1.sh --help
``` ```
---- ----
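Review bot: step 1 of the new "Deploy with NixOps" section says that a `secrets/` directory appears after `nix-shell` but not what the reader should do with it. Now that it lives in the user's own deployment directory rather than inside the repository checkout, add a sentence that it contains the secrets for the node, must not be committed to version control and should be backed up together with `configuration.nix`; the `.gitignore` change in this PR only covers a path inside the nix-bitcoin checkout. The resize helper line `../nix-bitcoin/helper/vbox-resize-disk1.sh --help` assumes the deployment directory sits next to the clone, which matches step 3 of "Setup deployment directory" but is worth stating explicitly.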
@ -138,15 +162,15 @@ Tutorial: install and configure NixOS for nix-bitcoin on VirtualBox (macOS host)
The following steps are meant to be run on the machine you deploy from, not the machine you deploy to. The following steps are meant to be run on the machine you deploy from, not the machine you deploy to.
1. Download and install VirtualBox 1. Download and install VirtualBox
Use the official Downloads page: [https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads) Use the official Downloads page: [https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads)
Make sure that the installer you download shows a lock icon in the top right corner to make sure it is signed by Oracle. Make sure that the installer you download shows a lock icon in the top right corner to make sure it is signed by Oracle.
2. Create Host Adapter in VirtualBox 2. Create Host Adapter in VirtualBox
``` ```
vboxmanage hostonlyif create vboxmanage hostonlyif create
``` ```
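Review bot: "Make sure that the installer you download shows a lock icon in the top right corner" is a weak integrity check for the macOS VirtualBox installer, and it is the only one this section gives. Consider also pointing readers to the checksums Oracle publishes next to the download, so the macOS path gets a check comparable to the key fingerprint the Debian section asks for.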
## 2. Nix installation (macOS) ## 2. Nix installation (macOS)
@ -157,20 +181,20 @@ In order to build binaries for your linux (NixOS) virtual machine on a macOS hos
1. Installation 1. Installation
``` ```
nix-env -i /nix/store/jgq3savsyyrpsxvjlrz41nx09z7r0lch-linuxkit-builder nix-env -i /nix/store/jgq3savsyyrpsxvjlrz41nx09z7r0lch-linuxkit-builder
nix-linuxkit-configure nix-linuxkit-configure
``` ```
You may want to use `nix-linuxkit-configure -c 4` to give the builder 4 CPUs. You may want to use `nix-linuxkit-configure -c 4` to give the builder 4 CPUs.
2. Confirm that nix-linuxkit works 2. Confirm that nix-linuxkit works
``` ```
nix-build ~/.cache/nix-linuxkit-builder/example.nix nix-build ~/.cache/nix-linuxkit-builder/example.nix
``` ```
As the installer says, run a `nix-build` to make sure that you are able to build linux binaries. The `example.nix` is specifically configured to force a x86_64-linux build. Remove the generated `result` folder afterwards. As the installer says, run a `nix-build` to make sure that you are able to build linux binaries. The `example.nix` is specifically configured to force a x86_64-linux build. Remove the generated `result` folder afterwards.
## 4. Nixops deployment (macOS) ## 4. Nixops deployment (macOS)
@ -193,53 +217,55 @@ Tutorial: install and configure NixOS for nix-bitcoin on your own hardware
This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.html#ch-installation). Look there for more information. This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.html#ch-installation). Look there for more information.
1. Obtain latest NixOS. For example: 1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example:
``` ```
wget https://releases.nixos.org/nixos/19.03/nixos-19.03.172538.7bb74e65365/nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso wget https://releases.nixos.org/nixos/19.09/nixos-19.09.2284.bf7c0f0461e/nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
``` sha256sum nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd. # output: 9768eb945bef410fccfb82cb3d2e7ce7c02c3430aed0f2f1527273cb080fff3e
```
Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd.
2. Write NixOS iso to install media (USB/CD). For example: 2. Write NixOS iso to install media (USB/CD). For example:
``` ```
dd if=nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso of=/dev/sdX cp nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso /dev/sdX
``` ```
Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l` Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l`
3. Boot the system 3. Boot the system
You will have to find out if your hardware uses UEFI or Legacy Boot for the next step. You will have to find out if your hardware uses UEFI or Legacy Boot for the next step.
4. Option 1: Partition and format for UEFI 4. Option 1: Partition and format for UEFI
``` ```
parted /dev/sda -- mklabel gpt parted /dev/sda -- mklabel gpt
parted /dev/sda -- mkpart primary 512MiB -8GiB parted /dev/sda -- mkpart primary 512MiB -8GiB
parted /dev/sda -- mkpart primary linux-swap -8GiB 100% parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB
parted /dev/sda -- set 3 boot on parted /dev/sda -- set 3 boot on
mkfs.ext4 -L nixos /dev/sda1 mkfs.ext4 -L nixos /dev/sda1
mkswap -L swap /dev/sda2 mkswap -L swap /dev/sda2
mkfs.fat -F 32 -n boot /dev/sda3 mkfs.fat -F 32 -n boot /dev/sda3
mount /dev/disk/by-label/nixos /mnt mount /dev/disk/by-label/nixos /mnt
mkdir -p /mnt/boot mkdir -p /mnt/boot
mount /dev/disk/by-label/boot /mnt/boot mount /dev/disk/by-label/boot /mnt/boot
swapon /dev/sda2 swapon /dev/sda2
``` ```
4. Option 2: Partition and format for Legacy Boot (MBR) 4. Option 2: Partition and format for Legacy Boot (MBR)
``` ```
parted /dev/sda -- mklabel msdos parted /dev/sda -- mklabel msdos
parted /dev/sda -- mkpart primary 1MiB -8GiB parted /dev/sda -- mkpart primary 1MiB -8GiB
parted /dev/sda -- mkpart primary linux-swap -8GiB 100% parted /dev/sda -- mkpart primary linux-swap -8GiB 100%
mkfs.ext4 -L nixos /dev/sda1 mkfs.ext4 -L nixos /dev/sda1
mkswap -L swap /dev/sda2 mkswap -L swap /dev/sda2
mount /dev/disk/by-label/nixos /mnt mount /dev/disk/by-label/nixos /mnt
swapon /dev/sda2 swapon /dev/sda2
``` ```
4. Option 3: Set up encrypted partitions: 4. Option 3: Set up encrypted partitions:
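Review bot: the added `sha256sum` line with the expected `# output: 9768eb94...` is a good addition, but the hash is only as trustworthy as its source; state where it comes from (for example the release listing on releases.nixos.org for 19.09.2284.bf7c0f0461e) so readers can check it against something other than this document. Replacing `dd if=... of=/dev/sdX` with `cp ... /dev/sdX` works, but add a `sync` after the `cp` so the image is fully written before the media is removed.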
@ -247,194 +273,158 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
5. Generate NixOS config 5. Generate NixOS config
``` ```
nixos-generate-config --root /mnt nixos-generate-config --root /mnt
nano /mnt/etc/nixos/configuration.nix nano /mnt/etc/nixos/configuration.nix
``` ```
Option 1: Edit NixOS configuration for UEFI Option 1: Edit NixOS configuration for UEFI
``` ```
{ config, pkgs, ... }: { { config, pkgs, ... }: {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
]; ];
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
# Note: setting fileSystems is generally not # Note: setting fileSystems is generally not
# necessary, since nixos-generate-config figures them out # necessary, since nixos-generate-config figures them out
# automatically in hardware-configuration.nix. # automatically in hardware-configuration.nix.
#fileSystems."/".device = "/dev/disk/by-label/nixos"; #fileSystems."/".device = "/dev/disk/by-label/nixos";
# Enable the OpenSSH server.
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
}
```
Option 2: Edit NixOS configuration for Legacy Boot (MBR) # Enable the OpenSSH server.
services.openssh = {
enable = true;
permitRootLogin = "yes";
};
}
```
``` Option 2: Edit NixOS configuration for Legacy Boot (MBR)
{ config, pkgs, ... }: {
imports = [ ```
# Include the results of the hardware scan. { config, pkgs, ... }: {
./hardware-configuration.nix imports = [
]; # Include the results of the hardware scan.
./hardware-configuration.nix
boot.loader.grub.device = "/dev/sda"; ];
# Note: setting fileSystems is generally not boot.loader.grub.device = "/dev/sda";
# necessary, since nixos-generate-config figures them out
# automatically in hardware-configuration.nix. # Note: setting fileSystems is generally not
#fileSystems."/".device = "/dev/disk/by-label/nixos"; # necessary, since nixos-generate-config figures them out
# automatically in hardware-configuration.nix.
# Enable the OpenSSH server. #fileSystems."/".device = "/dev/disk/by-label/nixos";
services.openssh = {
enable = true; # Enable the OpenSSH server.
permitRootLogin = "yes"; services.openssh = {
}; enable = true;
} permitRootLogin = "yes";
``` };
}
```
6. Do the installation 6. Do the installation
``` ```
nixos-install nixos-install
``` ```
Set root password Set root password
``` ```
setting root password... setting root password...
Enter new UNIX password: Enter new UNIX password:
Retype new UNIX password: Retype new UNIX password:
``` ```
7. If everything went well 7. If everything went well
``` ```
reboot reboot
``` ```
## 2. nix-bitcoin installation
On the machine you are deploying from: ## 2. Nix installation
You can also build Nix from source by following the instructions at https://nixos.org/nix/manual/#ch-installing-source. Follow the [Nix installation](#2-nix-installation) instructions from the tutorial above (on the machine you are going to deploy from).
1. Install Dependencies (Debian 9 stretch)
``` ## 3. Setup deployment directory
sudo apt-get install curl git gnupg2 dirmngr Follow the [Setup deployment directory](#3-setup-deployment-directory) instructions from the tutorial above (on the machine you are going to deploy from).
```
2. Install Latest Nix with GPG Verification
``` ## 4. Deploy with NixOps
curl -o install-nix https://nixos.org/nix/install 1. Make sure you are in the deployment directory and create a nixops network file as follows
curl -o install-nix.sig https://nixos.org/nix/install.sig
gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
gpg2 --verify ./install-nix.sig
sh ./install-nix --daemon
. /home/user/.nix-profile/etc/profile.d/nix.sh
```
Then follow the instructions. Open a new terminal window when you're done. ```
nano nixops/node-nixos.nix
```
If you get an error similar to ```
``` {
error: cloning builder process: Operation not permitted bitcoin-node =
error: unable to start build process { config, pkgs, ... }:
/tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile { deployment.targetHost = "1.2.3.4";
``` };
you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script. }
```
3. Optional: Disallow substitutes Replace 1.2.3.4 with NixOS machine's IP address.
You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source. 2. Edit `configuration.nix`
This eliminates an attack vector where nix's build server or binary cache is compromised.
4. Clone this project ```
nano configuration.nix
```
``` Uncomment `./hardware-configuration.nix` line by removing #.
cd
git clone https://github.com/fort-nix/nix-bitcoin
cd ~/nix-bitcoin
```
5. Create network file 3. Create `hardware-configuration.nix`
``` ```
nano network/network-nixos.nix nano hardware-configuration.nix
``` ```
Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file.
``` 4. Add boot option to `hardware-configuration.nix`
{
bitcoin-node =
{ config, pkgs, ... }:
{ deployment.targetHost = "1.2.3.4";
};
}
```
Replace 1.2.3.4 with NixOS machine's IP address. Option 1: Enable systemd boot for UEFI
```
boot.loader.grub.device = "/dev/sda";
```
Option 2: Set grub device for Legacy Boot (MBR)
```
boot.loader.grub.device = "/dev/sda";
```
6. Edit `configuration.nix` 5. Enter environment
``` ```
nano configuration.nix nix-shell
``` ```
Uncomment `./hardware-configuration.nix` line by removing #. Note that a new directory `secrets/` appeared which contains the secrets for your node.
7. Create `hardware-configuration.nix` 6. Create nixops deployment in nix-shell.
``` ```
nano hardware-configuration.nix nixops create nixops/node.nix nixops/node-nixos.nix -d bitcoin-node
``` ```
Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file.
8. Add boot option to `hardware-configuration.nix` 7. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
Option 1: Enable systemd boot for UEFI 8. Deploy Nixops in nix-shell
```
boot.loader.grub.device = "/dev/sda";
```
Option 2: Set grub device for Legacy Boot (MBR)
```
```
boot.loader.grub.device = "/dev/sda";
```
9. Setup environment ```
nixops deploy -d bitcoin-node
```
``` This will now create a nix-bitcoin node on the target machine.
nix-shell
```
This will set up your nix-bitcoin environment and might take a while without giving an output. 9. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
10. Create nixops deployment in nix-shell. ```
nixops ssh operator@bitcoin-node
``` ```
nixops create network/network.nix network/network-nixos.nix -d bitcoin-node
```
11. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
12. Deploy Nixops in nix-shell
```
nixops deploy -d bitcoin-node
```
This will now create a nix-bitcoin node on the target machine.
13. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
```
nixops ssh operator@bitcoin-node
```
See [usage.md](usage.md) for usage instructions, such as how to update. See [usage.md](usage.md) for usage instructions, such as how to update.
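Review bot: in step 4 "Add boot option to `hardware-configuration.nix`", "Option 1: Enable systemd boot for UEFI" shows `boot.loader.grub.device = "/dev/sda";`, which is the Legacy Boot (MBR) setting and identical to Option 2. For UEFI it should be `boot.loader.systemd-boot.enable = true;`, matching the UEFI configuration shown under step 5 earlier in this hunk. The mistake is carried over from the old text, but since this hunk rewrites the whole section it is the right moment to correct it.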


@ -1,28 +1,10 @@
Updating Updating
--- ---
Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`. In your deployment directory, enter the nix shell with `nix-shell` and run
### Verifying GPG Signatures (recommended) ```
1. Import jonasnick's gpg key fetch-release > nix-bitcoin-release.nix
```
```
gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
```
2. Trust jonasnick's gpg key
```
gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
trust
4
quit
```
3. Verify commit after `git pull`
```
git verify-commit <hash of latest commit>
```
Nodeinfo Nodeinfo
--- ---
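Review bot: this hunk removes the "Verifying GPG Signatures (recommended)" section (importing and trusting key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 and running `git verify-commit` after `git pull`) and replaces it with `fetch-release > nix-bitcoin-release.nix`, but the text does not say whether `fetch-release` verifies the signature of the release it fetches. Either document that it does, and against which key, or keep a manual verification step; otherwise users who update lose the only documented integrity check on the code they deploy.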
@ -36,45 +18,45 @@ Connect to spark-wallet
* [Spark-wallet](https://github.com/shesek/spark-wallet) installed from [direct download](https://github.com/shesek/spark-wallet/releases) or [Google Play](https://play.google.com/store/apps/details?id=com.spark.wallet) * [Spark-wallet](https://github.com/shesek/spark-wallet) installed from [direct download](https://github.com/shesek/spark-wallet/releases) or [Google Play](https://play.google.com/store/apps/details?id=com.spark.wallet)
1. Enable spark-wallet in `configuration.nix` 1. Enable spark-wallet in `configuration.nix`
Change Change
``` ```
# services.spark-wallet.enable = true; # services.spark-wallet.enable = true;
``` ```
to to
``` ```
services.spark-wallet.enable = true; services.spark-wallet.enable = true;
``` ```
2. Deploy new `configuration.nix` 2. Deploy new `configuration.nix`
``` ```
nixops deploy -d bitcoin-node nixops deploy -d bitcoin-node
``` ```
3. Enable Orbot VPN for spark-wallet 3. Enable Orbot VPN for spark-wallet
``` ```
Open Orbot app Open Orbot app
Turn on "VPN Mode" Turn on "VPN Mode"
Select Gear icon under "Tor-Enabled Apps" Select Gear icon under "Tor-Enabled Apps"
Toggle checkbox under Spark icon Toggle checkbox under Spark icon
``` ```
4. Get the onion address, access key and QR access code for the spark wallet android app 4. Get the onion address, access key and QR access code for the spark wallet android app
``` ```
journalctl -eu spark-wallet journalctl -eu spark-wallet
``` ```
Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlightning the entire output to invert the colors. Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlightning the entire output to invert the colors.
5. Connect to spark-wallet android app 5. Connect to spark-wallet android app
``` ```
Server Settings Server Settings
Scan QR Scan QR
Done Done
``` ```
Connect to electrs Connect to electrs
--- ---
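Review bot: typo in the note under step 4, "highlightning the entire output" should read "highlighting the entire output". Unchanged by this hunk, but easy to pick up while the file is being touched.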
@ -88,90 +70,90 @@ Connect to electrs
* [Electrum](https://electrum.org/#download) installed * [Electrum](https://electrum.org/#download) installed
1. Enable electrs in `configuration.nix` 1. Enable electrs in `configuration.nix`
Change Change
``` ```
# services.electrs.enable = true; # services.electrs.enable = true;
``` ```
to to
``` ```
services.electrs.enable = true; services.electrs.enable = true;
``` ```
2. Deploy new `configuration.nix` 2. Deploy new `configuration.nix`
``` ```
nixops deploy -d bitcoin-node nixops deploy -d bitcoin-node
``` ```
3. Get electrs onion address 3. Get electrs onion address
``` ```
nodeinfo | grep 'ELECTRS_ONION' nodeinfo | grep 'ELECTRS_ONION'
``` ```
4. Connect to electrs 4. Connect to electrs
On electrum wallet laptop On electrum wallet laptop
``` ```
electrum --oneserver --server=<ELECTRS_ONION>:50002:s --proxy=socks5:localhost:9050 electrum --oneserver --server=<ELECTRS_ONION>:50002:s --proxy=socks5:localhost:9050
``` ```
On electrum android phone On electrum android phone
``` ```
Three dots in the upper-right-hand corner Three dots in the upper-right-hand corner
Network Network
Proxy mode: socks5, Host: 127.0.0.1, Port: 9050 Proxy mode: socks5, Host: 127.0.0.1, Port: 9050
Ok Ok
Server Server
Host: <ELECTRS_ONION>, Port: 50002 Host: <ELECTRS_ONION>, Port: 50002
Ok Ok
Auto-connect: OFF Auto-connect: OFF
One-server mode: ON One-server mode: ON
``` ```
Connect to nix-bitcoin node through ssh Tor Hidden Service Connect to nix-bitcoin node through ssh Tor Hidden Service
--- ---
1. Run `nodeinfo` on your nix-bitcoin node and note the `SSHD_ONION` 1. Run `nodeinfo` on your nix-bitcoin node and note the `SSHD_ONION`
``` ```
nixops ssh operator@bitcoin-node nixops ssh operator@bitcoin-node
nodeinfo | grep 'SSHD_ONION' nodeinfo | grep 'SSHD_ONION'
``` ```
2. Create a SSH key 2. Create a SSH key
``` ```
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519
``` ```
3. Place the ed25519 key's fingerprint in the `configuration.nix` `openssh.authorizedKeys.keys` field like so 3. Place the ed25519 key's fingerprint in the `configuration.nix` `openssh.authorizedKeys.keys` field like so
``` ```
# FIXME: Add your SSH pubkey # FIXME: Add your SSH pubkey
services.openssh.enable = true; services.openssh.enable = true;
users.users.root = { users.users.root = {
openssh.authorizedKeys.keys = [ "[contents of ~/.ssh/id_ed25519.pub]" ]; openssh.authorizedKeys.keys = [ "[contents of ~/.ssh/id_ed25519.pub]" ];
}; };
``` ```
4. Connect to your nix-bitcoin node's ssh Tor Hidden Service, forwarding a local port to the nix-bitcoin node's ssh server 4. Connect to your nix-bitcoin node's ssh Tor Hidden Service, forwarding a local port to the nix-bitcoin node's ssh server
``` ```
ssh -i ~/.ssh/id_ed25519 -L [random port of your choosing]:localhost:22 root@[your SSHD_ONION] ssh -i ~/.ssh/id_ed25519 -L [random port of your choosing]:localhost:22 root@[your SSHD_ONION]
``` ```
5. Edit your `network-nixos.nix` to look like this 5. Edit your `network-nixos.nix` to look like this
``` ```
{ {
bitcoin-node = bitcoin-node =
{ config, pkgs, ... }: { config, pkgs, ... }:
{ deployment.targetHost = "127.0.0.1"; { deployment.targetHost = "127.0.0.1";
deployment.targetPort = [random port of your choosing]; deployment.targetPort = [random port of your choosing];
}; };
} }
``` ```
6. Now you can run `nixops deploy -d bitcoin-node` and it will connect through the ssh tunnel you established in step iv. This also allows you to do more complex ssh setups that `nixops ssh` doesn't support. An example would be authenticating with [Trezor's ssh agent](https://github.com/romanz/trezor-agent), which provides extra security. 6. Now you can run `nixops deploy -d bitcoin-node` and it will connect through the ssh tunnel you established in step iv. This also allows you to do more complex ssh setups that `nixops ssh` doesn't support. An example would be authenticating with [Trezor's ssh agent](https://github.com/romanz/trezor-agent), which provides extra security.
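Review bot: step 3 says to place the ed25519 key's "fingerprint" in `openssh.authorizedKeys.keys`, but the snippet correctly uses the contents of `~/.ssh/id_ed25519.pub`, i.e. the public key; say "public key" so nobody pastes a fingerprint. Step 6 refers to "the ssh tunnel you established in step iv", which should be "step 4" now that the list is numbered. Step 5 still names the file `network-nixos.nix`, while install.md in this PR renames it to `nixops/node-nixos.nix`; update the name here too.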
@ -180,64 +162,64 @@ Initialize a Trezor for Bitcoin Core's Hardware Wallet Interface
1. Enable Trezor in `configuration.nix` 1. Enable Trezor in `configuration.nix`
Change Change
``` ```
# services.hardware-wallets.trezor = true; # services.hardware-wallets.trezor = true;
``` ```
to to
``` ```
services.hardware-wallets.trezor = true; services.hardware-wallets.trezor = true;
``` ```
2. Deploy new `configuration.nix` 2. Deploy new `configuration.nix`
``` ```
nixops deploy -d bitcoin-node nixops deploy -d bitcoin-node
``` ```
3. Check that your nix-bitcoin node recognizes your Trezor 3. Check that your nix-bitcoin node recognizes your Trezor
``` ```
nixops ssh operator@bitcoin-node nixops ssh operator@bitcoin-node
lsusb lsusb
``` ```
Should show something relating to your Trezor Should show something relating to your Trezor
4. If your Trezor has outdated firmware or is not yet initialized: Start your Trezor in bootloader mode 4. If your Trezor has outdated firmware or is not yet initialized: Start your Trezor in bootloader mode
Trezor v1 Trezor v1
``` ```
Plug in your Trezor with both buttons depressed Plug in your Trezor with both buttons depressed
``` ```
Trezor v2 Trezor v2
``` ```
Start swiping your finger across your Trezor's touchscreen and plug in the USB cable when your finger is halfway through Start swiping your finger across your Trezor's touchscreen and plug in the USB cable when your finger is halfway through
``` ```
5. If your Trezor's firmware is outdated: Update your Trezor's firmware 5. If your Trezor's firmware is outdated: Update your Trezor's firmware
``` ```
trezorctl firmware-update trezorctl firmware-update
``` ```
Follow the on-screen instructions Follow the on-screen instructions
**Caution: This command _will_ wipe your Trezor. If you already store Bitcoin on it, only do this with the recovery seed nearby.** **Caution: This command _will_ wipe your Trezor. If you already store Bitcoin on it, only do this with the recovery seed nearby.**
6. If your Trezor is not yet initialized: Set up your Trezor 6. If your Trezor is not yet initialized: Set up your Trezor
``` ```
trezorctl reset-device -p trezorctl reset-device -p
``` ```
Follow the on-screen instructions Follow the on-screen instructions
7. Find your Trezor 7. Find your Trezor
``` ```
hwi enumerate hwi enumerate
hwi -t trezor -d <path from previous command> promptpin hwi -t trezor -d <path from previous command> promptpin
hwi -t trezor -d <path> sendpin <number positions for the PIN as displayed on your device's screen> hwi -t trezor -d <path> sendpin <number positions for the PIN as displayed on your device's screen>
hwi enumerate hwi enumerate
``` ```
8. Follow Bitcoin Core's instructions on [Using Bitcoin Core with Hardware Wallets](https://github.com/bitcoin-core/HWI/blob/master/docs/bitcoin-core-usage.md) to use your Trezor with `bitcoin-cli` on your nix-bitcoin node 8. Follow Bitcoin Core's instructions on [Using Bitcoin Core with Hardware Wallets](https://github.com/bitcoin-core/HWI/blob/master/docs/bitcoin-core-usage.md) to use your Trezor with `bitcoin-cli` on your nix-bitcoin node
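Review bot: The bold wipe warning in step 5 sits below the `trezorctl firmware-update` block it applies to; move it above the block so a reader sees it before running the command. In step 4 the bootloader instructions for Trezor v1 and v2 ("Plug in your Trezor with both buttons depressed") are prose, not commands, so they read better as plain text than inside fenced code blocks.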


@ -4,12 +4,13 @@
{ config, pkgs, lib, ... }: { { config, pkgs, lib, ... }: {
imports = [ imports = [
./modules/nix-bitcoin.nix <nix-bitcoin/modules/nix-bitcoin.nix>
# Use hardened kernel profile. See # FIXME: The hardened kernel profile improves security but
# https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix # decreases performance by ~50%.
# for the enabled options. # Turn it off when not needed.
<nixpkgs/nixos/modules/profiles/hardened.nix> # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
<nixpkgs/nixos/modules/profiles/hardened.nix>
# FIXME: Uncomment next line to import your hardware configuration. If so, # FIXME: Uncomment next line to import your hardware configuration. If so,
# add the hardware configuration file to the same directory as this file. # add the hardware configuration file to the same directory as this file.
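Review bot: The new `<nix-bitcoin/modules/nix-bitcoin.nix>` import only resolves when `nix-bitcoin` is on `NIX_PATH`, which `examples/shell.nix` sets but a plain `nixos-rebuild` does not; a one-line comment saying this file must be evaluated from inside the nix-shell (or with `NIX_PATH` set accordingly) would spare users an unexplained "file not found" error. The new FIXME also reads as a recommendation to disable the hardened profile ("Turn it off when not needed"); for a project whose README stresses security, phrase it as a trade-off that names what protection is lost rather than as a suggestion to switch it off.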

examples/deploy-container.sh Executable file

@ -0,0 +1,83 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to setup a nix-bitcoin node in a NixOS container.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
if [[ $(sysctl -n net.ipv4.ip_forward) != 1 ]]; then
echo "Error: IP forwarding (net.ipv4.ip_forward) is not enabled"
exit 1
fi
if [[ ! -e /run/current-system/nixos-version ]]; then
echo "Error: This script needs NixOS to run"
exit 1
fi
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
# Cleanup on exit
cleanup() {
echo
echo "Deleting container..."
sudo extra-container destroy demo-node
}
trap "cleanup" EXIT
# Build container.
# You can re-run this command with a changed container config.
# The running container is then switched to the new config.
# Learn more: https://github.com/erikarvstedt/extra-container
#
sudo extra-container create --start <<'EOF'
{ pkgs, lib, ... }: let
containerName = "demo-node"; # container name length is limited to 11 chars
localAddress = "10.250.0.2"; # container address
hostAddress = "10.250.0.1";
in {
containers.${containerName} = {
privateNetwork = true;
inherit localAddress hostAddress;
config = { pkgs, config, lib, ... }: {
imports = [
<nix-bitcoin/examples/configuration.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
];
# Speed up evaluation
documentation.nixos.enable = false;
};
};
# Allow WAN access
systemd.services."container@${containerName}" = {
preStart = "${pkgs.iptables}/bin/iptables -w -t nat -A POSTROUTING -s ${localAddress} -j MASQUERADE";
# Delete rule
postStop = "${pkgs.iptables}/bin/iptables -w -t nat -D POSTROUTING -s ${localAddress} -j MASQUERADE || true";
};
}
EOF
# Run command in container
c() { sudo extra-container run demo-node -- "$@" | cat; }
echo
echo "Bitcoind service:"
c systemctl status bitcoind
echo
echo "Bitcoind network:"
c bitcoin-cli getnetworkinfo
echo
echo "lightning-cli state:"
c lightning-cli getinfo
echo
echo "Node info:"
c nodeinfo
echo
echo "Bitcoind data dir:"
sudo ls -al /var/lib/containers/demo-node/var/lib/bitcoind
# Cleanup happens at exit (see above)
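Review bot: The MASQUERADE rule in `preStart` is appended with `-A` on every container start but only removed in `postStop`, so a crash or a `kill` of the container service leaves a stale rule and repeated starts stack duplicates. Guard the insert with a check, e.g. `iptables -w -t nat -C POSTROUTING -s ${localAddress} -j MASQUERADE || iptables -w -t nat -A POSTROUTING -s ${localAddress} -j MASQUERADE`. The fixed `10.250.0.x` addresses may also collide with an existing host network; a comment telling users to change them in that case would help.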

examples/deploy-nixops.sh Executable file

@ -0,0 +1,41 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to setup a VirtualBox nix-bitcoin node with nixops.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
# Cleanup on exit
cleanup() {
set +e
if nixops list | grep -q bitcoin-node; then
nixops destroy --confirm -d bitcoin-node
fi
rm -rf $tmpDir
}
trap "cleanup" EXIT
tmpDir=/tmp/nix-bitcoin-nixops
mkdir -p $tmpDir
# Don't write nixops and VirtualBox data to the $USER's home
export HOME=$tmpDir
# Disable interactive queries and don't write to the $USER's known_hosts file
export NIXOPS_SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
nixops deploy -d bitcoin-node
# Connect to node
nixops ssh bitcoin-node systemctl status bitcoind
# Cleanup happens at exit (see above)
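Review bot: `tmpDir=/tmp/nix-bitcoin-nixops` is a fixed, predictable path in a world-writable directory, and `HOME` is pointed at it, so the nixops state (which includes the deployment keys) and the VirtualBox data land in a location another local user could pre-create; use `tmpDir=$(mktemp -d)` instead. `NIXOPS_SSH_OPTS` also disables host key checking, which is acceptable for a throwaway local VM, but since the script calls itself a template the comment on that line should say the setting is not to be carried over to a real deployment.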

examples/deploy-qemu-vm.sh Executable file

@ -0,0 +1,93 @@
#!/usr/bin/env bash
set -euo pipefail
# This script demonstrates how to run a nix-bitcoin node in QEMU.
# Running this script leaves no traces on your host system.
# This demo is a template for your own experiments.
# Feel free to modify or to run nix-shell and execute individual statements of this
# script in the interactive shell.
# MAKE SURE TO REPLACE the SSH identity file if you use this script for
# anything serious.
if [[ ! -v IN_NIX_SHELL ]]; then
echo "Running script in nix shell env..."
exec nix-shell --run "${BASH_SOURCE[0]}"
fi
tmpDir=/tmp/nix-bitcoin-qemu-vm
mkdir -p $tmpDir
# Cleanup on exit
cleanup() {
set +eu
kill -9 $qemuPID
rm -rf $tmpDir
}
trap "cleanup" EXIT
identityFile=qemu-vm/id-vm
chmod 0600 $identityFile
echo "Building VM"
nix-build --out-link $tmpDir/vm - <<EOF
(import <nixpkgs/nixos> {
configuration = {
imports = [
<nix-bitcoin/examples/configuration.nix>
<nix-bitcoin/modules/secrets/generate-secrets.nix>
];
virtualisation.graphics = false;
services.mingetty.autologinUser = "root";
users.users.root = {
openssh.authorizedKeys.keys = [ "$(cat $identityFile.pub)" ];
};
};
}).vm
EOF
vmMemoryMiB=2048
vmNumCPUs=4
sshPort=60734
export NIX_DISK_IMAGE=$tmpDir/img
export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22
</dev/null $tmpDir/vm/bin/run-*-vm -m $vmMemoryMiB -smp $vmNumCPUs &>/dev/null &
qemuPID=$!
# Run command in VM
c() {
ssh -p $sshPort -i $identityFile -o ConnectTimeout=1 \
-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \
-o ControlMaster=auto -o ControlPath=$tmpDir/ssh-connection -o ControlPersist=60 \
root@127.0.0.1 "$@"
}
echo
echo "Waiting for SSH connection..."
while ! c : 2>/dev/null; do :; done
echo
echo "Waiting until services are ready..."
c '
attempts=300
while ! systemctl is-active clightning &> /dev/null; do
((attempts-- == 0)) && { echo "timeout"; exit 1; }
sleep 0.2
done
'
echo
echo "Bitcoind service:"
c systemctl status bitcoind
echo
echo "Bitcoind network:"
c bitcoin-cli getnetworkinfo
echo
echo "lightning-cli state:"
c lightning-cli getinfo
echo
echo "Node info:"
c nodeinfo
# Cleanup happens at exit (see above)
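Review bot: `QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22` gives no host address, so QEMU binds the forwarded port on all interfaces; while the demo runs, the VM's root SSH login is reachable from the local network and accepts the private key `qemu-vm/id-vm` that is committed to this repository. Bind it to loopback with `hostfwd=tcp:127.0.0.1:$sshPort-:22`. Separately, the `while ! c : 2>/dev/null; do :; done` loop has no timeout and spins forever if the VM never boots; reuse the `attempts` pattern from the "Waiting until services are ready" block.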


@ -0,0 +1 @@
../.

examples/nixops/node.nix Normal file

@ -0,0 +1,12 @@
{
network.description = "Bitcoin Core node";
bitcoin-node = { config, pkgs, lib, ... }: {
imports = [
../configuration.nix
<nix-bitcoin/modules/deployment/nixops.nix>
];
nix-bitcoin.deployment.secretsDir = toString ../secrets;
};
}
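Review bot: `nix-bitcoin.deployment.secretsDir = toString ../secrets;` is correct but easy to get wrong: passing the bare path `../secrets` would, once it is interpolated into the `keyFile` string in `modules/deployment/nixops.nix`, copy the whole secrets directory into the world-readable Nix store. Add a comment on this line explaining why `toString` is required so nobody "simplifies" it away.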

examples/qemu-vm/id-vm Normal file

@ -0,0 +1,7 @@
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
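Review bot: `examples/qemu-vm/id-vm` is a private key committed to a public repository, and `deploy-qemu-vm.sh` installs its public half as root's authorized key in the demo VM; the only hint to users is a comment inside the script. Either add a README line next to the example stating that this key is public and only for the throwaway VM, or better, have the script generate a fresh pair in `$tmpDir` on each run (`ssh-keygen -t ed25519 -N '' -f $tmpDir/id-vm`), which removes the need to commit a key at all.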


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt1r3f9BjAN/g8YmnYqAnXHAo+AqEQd4mu5tcB5lY+m none

examples/shell.nix Normal file

@ -0,0 +1,46 @@
let
# This is either a path to a local nix-bitcoin source or an attribute set to
# be used as the fetchurl argument.
nix-bitcoin-release = import ./nix-bitcoin-release.nix;
nix-bitcoin-path =
if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
else nix-bitcoin-release;
nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
nixpkgs = import nixpkgs-path {};
nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
extraContainer = nixpkgs.callPackage (builtins.fetchTarball {
url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
}) {};
nix-bitcoin-unpacked = (import <nixpkgs> {}).runCommand "nix-bitcoin-src" {} ''
mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
'';
in
with nixpkgs;
stdenv.mkDerivation rec {
name = "nix-bitcoin-environment";
buildInputs = [ nix-bitcoin.nixops19_09 figlet extraContainer ];
shellHook = ''
export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
# ssh-agent and nixops don't play well together (see
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
# from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
# keys already added to my ssh-agent.
export SSH_AUTH_SOCK=""
figlet "nix-bitcoin"
(mkdir -p secrets; cd secrets; ${nix-bitcoin.generate-secrets})
# Don't run this hook when another nix-shell is run inside this shell
unset shellHook
'';
}
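Review bot: `export SSH_AUTH_SOCK=""` in the shell hook unconditionally disables the ssh agent, which contradicts the README's advice to authenticate deployments with Trezor's ssh agent (an agent-based setup); make it opt-in, or document the conflict next to that README instruction. Also, `nix-bitcoin-unpacked` uses the user's ambient `<nixpkgs>` rather than the pinned `nixpkgs-path`; it cannot do otherwise, since the pin is read from the unpacked source, but a comment saying so would stop readers from mistaking it for an oversight.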

helper/fetch-release Executable file

@ -0,0 +1,36 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg
set -euo pipefail
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
REPO=fort-nix/nix-bitcoin
if [[ ! -v VERSION ]]; then
VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2)
fi
TMPDIR=$(mktemp -d)
GPG_HOME=$(mktemp -d)
trap "rm -rf $TMPDIR $GPG_HOME" EXIT
cd $TMPDIR
BASEURL=https://github.com/$REPO/releases/download/v$VERSION
curl --silent -L -O $BASEURL/SHA256SUMS.txt
curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc
# Import key and verify fingerprint
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
echo "ERROR: Signature verification failed. Please open an issue in the project repository."
exit 1
}
SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')
cat <<EOF
{
url = "$BASEURL/nix-bitcoin-$VERSION.tar.gz";
sha256 = "$SHA256";
}
EOF
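Review bot: `SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')` takes the first hash in the file regardless of which filename it belongs to; if a future release lists more than one asset, the wrong hash is emitted and the later `fetchurl` fails. Match on the filename, e.g. `grep " nix-bitcoin-$VERSION.tar.gz\$" SHA256SUMS.txt | cut -d' ' -f1`, and treat an empty result as an error. The `curl` calls should also use `--fail` so an HTTP error page is never handed to `gpg --verify`, and since `VERSION` comes from an unauthenticated API query, printing the version that was chosen lets the user notice if an older (still validly signed) release is being served.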

helper/key-jonasnick.bin Normal file

Binary file not shown.

helper/push-release.sh Executable file

@ -0,0 +1,59 @@
#!/usr/bin/env bash
set -euo pipefail
REPO=fort-nix/nix-bitcoin
BRANCH=master
OAUTH_TOKEN=$(pass show nix-bitcoin/github/oauth-token)
if [[ ! $OAUTH_TOKEN ]]; then
echo "Please set OAUTH_TOKEN variable"
fi
if [[ $# < 1 ]]; then
echo "$0 <tag_name>"
exit
fi
TAG_NAME=$1
RESPONSE=$(curl https://api.github.com/repos/$REPO/releases/latest 2> /dev/null)
echo "Latest release" $(echo $RESPONSE | jq -r '.tag_name' | tail -c +2)
while true; do
read -p "Create release $1? [yn] " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer y or n.";;
esac
done
TMPDIR=$(mktemp -d)
trap "rm -rf $TMPDIR" EXIT
ARCHIVE_NAME=nix-bitcoin-$TAG_NAME.tar.gz
ARCHIVE=$TMPDIR/$ARCHIVE_NAME
# Need to be in the repositories root directory for archiving
(cd $(git rev-parse --show-toplevel); git archive --format=tar.gz -o $ARCHIVE $BRANCH)
SHA256SUMS=$TMPDIR/SHA256SUMS.txt
# Want to use relative path with sha256sums because it'll output the first
# argument
(cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS)
gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS
POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_comitish\": \"$BRANCH\" }"
RESPONSE=$(curl -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases 2> /dev/null)
ID=$(echo $RESPONSE | jq -r '.id')
if [[ $ID == null ]]; then
echo "Failed to create release with $POST_DATA"
exit 1
fi
post_asset() {
GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name="
curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
$GH_ASSET/$(basename $1) &> /dev/null
}
post_asset $ARCHIVE
post_asset $SHA256SUMS
post_asset $SHA256SUMS.asc
echo "Successfully created" $(echo $POST_DATA | jq -r .tag_name)
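Review bot: The `OAUTH_TOKEN` check at the top only prints a message and falls through, so the script carries on with an empty token; add `exit 1` after the echo. `target_comitish` in `POST_DATA` is misspelled (the GitHub field is `target_commitish`), so the field is ignored and the release is created from the repository's default branch rather than `$BRANCH`. `[[ $# < 1 ]]` is a string comparison inside `[[ ]]`; use `-lt`. Finally, the token is passed as a `curl -H` argument, which is visible in the process list; reading the header from a file with `-H @file` or a `--config` file avoids that.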


@ -0,0 +1,25 @@
{ config, ... }:
{
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
destDir = config.nix-bitcoin.secretsDir;
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
}
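Review bot: The comment justifies `chmod o+x` on the secrets dir by "all containing files have their specific private permissions set", but nothing enforces that premise. Since the oneshot already runs after `keys.target`, it could check it, e.g. fail the service when `find ${config.nix-bitcoin.secretsDir} -type f -perm /o+r` prints anything, so a mis-declared secret is caught at activation instead of becoming world-readable. Consider `serviceConfig.RemainAfterExit = true` as well, so the target does not re-run the chmod on every restart.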


@ -15,6 +15,13 @@ in
description = "Directory to store secrets"; description = "Directory to store secrets";
}; };
deployment.secretsDir = mkOption {
type = types.path;
description = ''
Directory of local secrets that are transfered to the nix-bitcoin node on deployment
'';
};
secrets = mkOption { secrets = mkOption {
default = {}; default = {};
type = with types; attrsOf (submodule ( type = with types; attrsOf (submodule (
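Review bot: "transfered" in the description should be "transferred". More importantly, the description should tell users to pass the directory as a string (`toString ./secrets`): a bare path literal assigned to a `types.path` option keeps its path type and is copied into the world-readable Nix store the moment `deployment/nixops.nix` interpolates it into `keyFile`. An `example = "/home/user/nix-bitcoin/secrets";` would make that concrete.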


@ -1,31 +0,0 @@
{
network.description = "Bitcoin Core node";
bitcoin-node =
{ config, pkgs, lib, ... }: {
imports = [ ../configuration.nix ];
deployment.keys = builtins.mapAttrs (n: v: {
keyFile = "${toString ../secrets}/${n}";
destDir = config.nix-bitcoin.secretsDir;
inherit (v) user group permissions;
}) config.nix-bitcoin.secrets;
# nixops makes the secrets directory accessible only for users with group 'key'.
# For compatibility with other deployment methods besides nixops, we forego the
# use of the 'key' group and make the secrets dir world-readable instead.
# This is safe because all containing files have their specific private
# permissions set.
systemd.services.allowSecretsDirAccess = {
requires = [ "keys.target" ];
after = [ "keys.target" ];
script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
serviceConfig.Type = "oneshot";
};
systemd.targets.nix-bitcoin-secrets = {
requires = [ "allowSecretsDirAccess.service" ];
after = [ "allowSecretsDirAccess.service" ];
};
};
}


@ -43,3 +43,14 @@
('destDir', 'string'), ('destDir', 'string'),
('user', 'string'), ('user', 'string'),
('group', 'string'), ('group', 'string'),
--- a/nixops/ssh_util.py
+++ b/nixops/ssh_util.py
@@ -278,6 +278,7 @@ class SSH(object):
'timeout' specifies the SSH connection timeout.
"""
+ flags = shlex.split(os.getenv('NIXOPS_SSH_OPTS', '')) + flags
master = self.get_master(flags, timeout, user)
flags = flags + self._get_flags()
if logged:
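Review bot: The added line calls `shlex.split` and `os.getenv`, but the hunk shows no corresponding imports; confirm `ssh_util.py` already imports `os` and `shlex`, otherwise the first SSH call raises `NameError`. Prepending the environment options means they take precedence over nixops' own `-o` flags (ssh uses the first value given for an option), which is what an override such as `StrictHostKeyChecking=no` needs; a short comment stating that precedence would help the next reader.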


@ -1,24 +1,12 @@
let let
nixpkgs = (import ./pkgs/nixpkgs-pinned.nix).nixpkgs; nixpkgs = (import ./pkgs/nixpkgs-pinned.nix).nixpkgs;
in in
with import nixpkgs { }; with import nixpkgs {};
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "nix-bitcoin-environment"; name = "nix-bitcoin-environment";
nixops19_09 = callPackage ./pkgs/nixops {};
make-secrets = callPackage ./pkgs/generate-secrets/update-and-generate.nix {};
buildInputs = [ nixops19_09 figlet ];
shellHook = '' shellHook = ''
export NIX_PATH="nixpkgs=${nixpkgs}:." export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=./:."
# ssh-agent and nixops don't play well together (see
# https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
# from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
# keys already added to my ssh-agent.
export SSH_AUTH_SOCK=""
figlet "nix-bitcoin"
(mkdir -p secrets; cd secrets; ${make-secrets})
''; '';
} }
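Review bot: `NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=./:."` registers `nix-bitcoin` as the relative path `./`, so `<nix-bitcoin/...>` lookups resolve against whatever the current directory happens to be and break as soon as you `cd` inside the shell; use an absolute path, e.g. `nix-bitcoin=${toString ./.}`, which evaluates to the repository root. Also, this shell no longer provides `nixops19_09`, `figlet` or `make-secrets`; if that is intentional (developer shell here, `examples/shell.nix` for deployments), a comment saying so avoids confusion.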