Merge #136: Change the nix-bitcoin deployment from forking this repo to importing the module

b2e15c17b8 docs: Update to new deployment method (import instead of fork) (Jonas Nick)
5ed0284db9 Add fetch-release script (Jonas Nick)
c303cd47e4 Add push-release.sh helper (Jonas Nick)
705d187a35 examples/shell.nix: don't run shellHook on subsequent nix-shells (Erik Arvstedt)
65039be656 docs: Remove duplicate instructions (Jonas Nick)
455c5664c9 docs: Replace tabs with spaces (Jonas Nick)
8aa4714979 docs: Update NixOS version (Jonas Nick)
9df22a2764 add deploy-qemu-vm.sh example (Erik Arvstedt)
548ced1994 README: Add Example section (Jonas Nick)
44ccbb91d0 Clean up development shell.nix (Jonas Nick)
abcee651d3 add deploy-container.sh (Erik Arvstedt)
5dadea310c add deploy-nixops.sh (Erik Arvstedt)
0c74c365de mention performance loss with hardened kernel profile (Erik Arvstedt)
f3121892ef move main module import to configuration.nix (Erik Arvstedt)
0c0978c007 extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' (Erik Arvstedt)
87d0286498 Change the nix-bitcoin deployment from forking this repo to importing the module (Jonas Nick)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 18e8b71f42715c5e82e2dafde9dcc965594d76aacc6be7ee2ec746a9510065749cc65331687a57d7140f45779c3b7867f6260ec224d361fb5a477062a27d6e4c

.gitignore

@@ -1 +1 @@
-/secrets/
+/example/secrets/

README.md

@@ -4,7 +4,7 @@ nix-bitcoin
 [![Build Status](https://travis-ci.org/fort-nix/nix-bitcoin.svg?branch=master)](https://travis-ci.org/fort-nix/nix-bitcoin)
 
 Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security.
-This is a work in progress - don't expect it to be bug free or secure.
+This is a work in progress - don't expect it to be bug-free, secure or stable.
 
 The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet.
 A simple webpage shows the lightning nodeid and links to nanopos letting the user receive donations.
@@ -24,6 +24,30 @@ The goal is to make it easy to deploy a reasonably secure Bitcoin node with a us
 It should allow managing bitcoin (the currency) effectively and providing public infrastructure.
 It should be a reproducible and extensible platform for applications building on Bitcoin.
 
+Example
+---
+The easiest way to try out nix-bitcoin is to use one of the provided examples.
+
+```
+git clone https://github.com/fort-nix/nix-bitcoin
+cd examples/
+nix-shell
+```
+
+The following example scripts set up a nix-bitcoin node according to `examples/configuration.nix` and then
+shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.
+
+- `./deploy-container.sh` creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\
+  This is the fastest way to set up a node.\
+  Requires: [NixOS](https://nixos.org/)
+
+- `./deploy-qemu-vm.sh` creates a QEMU VM.\
+  Requires: [Nix](https://nixos.org/nix/)
+
+- `./deploy-nixops.sh` creates a VirtualBox VM via [NixOps](https://github.com/NixOS/nixops).\
+  NixOps can be used to deploy to various other backends like cloud providers.\
+  Requires: [Nix](https://nixos.org/nix/), [VirtualBox](https://www.virtualbox.org)
+
 Available modules
 ---
 By default the `configuration.nix` provides:
@@ -48,8 +72,6 @@ The data directories of the services can be found in `/var/lib` on the deployed
 
 Installation
 ---
-The easiest way is to run `nix-shell` (on a Linux machine) in the nix-bitcoin directory and then create a [NixOps](https://nixos.org/nixops/manual/) deployment with the provided `network.nix` in the `network` directory.
-Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell.
 See [install.md](docs/install.md) for a detailed tutorial.
 
 Security

docs/install.md

@@ -84,33 +84,57 @@ You can also build Nix from source by following the instructions at https://nixo
     This eliminates an attack vector where nix's build server or binary cache is compromised.
 
 
-## 3. Nixops deployment
+## 3. Setup deployment directory
 
 1. Clone this project
 
     ```
     cd
     git clone https://github.com/fort-nix/nix-bitcoin
-	cd ~/nix-bitcoin
     ```
 
-2. Setup environment
+2. Obtain the hash of the latest nix-bitcoin release
+
+   ```
+   cd nix-bitcoin/examples
+   nix-shell
+   ```
+
+    This will download the nix-bitcoin dependencies and might take a while without giving an output.
+    Now in the nix-shell run
+
+    ```
+    fetch-release > nix-bitcoin-release.nix
+    ```
+
+3. Create a new directory for your nix-bitcoin deployment and copy initial files from nix-bitcoin
+
+   ```
+   cd ../../
+   mkdir nix-bitcoin-node
+   cd nix-bitcoin-node
+   cp -r ../nix-bitcoin/examples/{configuration.nix,nixops,shell.nix,nix-bitcoin-release.nix} .
+   ```
+
+## 4. Deploy with NixOps
+
+1. Enter environment
 
     ```
     nix-shell
     ```
 
-	This will set up your nix-bitcoin environment and might take a while without giving an output.
+    Note that a new directory `secrets/` appeared which contains the secrets for your node.
 
-3. Create nixops deployment in nix-shell.
+2. Create nixops deployment in nix-shell.
 
     ```
-	nixops create network/network.nix network/network-vbox.nix -d bitcoin-node
+    nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
     ```
 
-4. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
+3. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
 
-5. Deploy Nixops in nix-shell
+4. Deploy Nixops in nix-shell
 
     ```
     nixops deploy -d bitcoin-node
@@ -118,7 +142,7 @@ You can also build Nix from source by following the instructions at https://nixo
 
     This will now create a nix-bitcoin node on the target machine.
 
-6. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
+5. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
 
     ```
     nixops ssh operator@bitcoin-node
@@ -128,7 +152,7 @@ See [usage.md](usage.md) for usage instructions, such as how to update.
 
 To resize the VM disk image, you can use this helper script from within nix-shell:
 ```
-./helper/vbox-resize-disk1.sh --help
+../nix-bitcoin/helper/vbox-resize-disk1.sh --help
 ```
 ----
 
@@ -193,17 +217,19 @@ Tutorial: install and configure NixOS for nix-bitcoin on your own hardware
 
 This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.html#ch-installation). Look there for more information.
 
-1. Obtain latest NixOS. For example:
+1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example:
 
     ```
-	wget https://releases.nixos.org/nixos/19.03/nixos-19.03.172538.7bb74e65365/nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso
+    wget https://releases.nixos.org/nixos/19.09/nixos-19.09.2284.bf7c0f0461e/nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
+    sha256sum nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso
+    # output: 9768eb945bef410fccfb82cb3d2e7ce7c02c3430aed0f2f1527273cb080fff3e
     ```
     Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd.
 
 2. Write NixOS iso to install media (USB/CD). For example:
 
     ```
-	dd if=nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso of=/dev/sdX
+    cp nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso /dev/sdX
     ```
 
     Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l`
@@ -318,55 +344,20 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
     reboot
     ```
 
-## 2. nix-bitcoin installation
 
-On the machine you are deploying from:
-You can also build Nix from source by following the instructions at https://nixos.org/nix/manual/#ch-installing-source.
+## 2. Nix installation
+Follow the [Nix installation](#2-nix-installation) instructions from the tutorial above (on the machine you are going to deploy from).
 
-1. Install Dependencies (Debian 9 stretch)
+
+## 3. Setup deployment directory
+Follow the [Setup deployment directory](#3-setup-deployment-directory) instructions from the tutorial above (on the machine you are going to deploy from).
+
+
+## 4. Deploy with NixOps
+1. Make sure you are in the deployment directory and create a nixops network file as follows
 
     ```
-	sudo apt-get install curl git gnupg2 dirmngr
-	```
-
-2. Install Latest Nix with GPG Verification
-
-	```
-	curl -o install-nix https://nixos.org/nix/install
-	curl -o install-nix.sig https://nixos.org/nix/install.sig
-	gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
-	gpg2 --verify ./install-nix.sig
-	sh ./install-nix --daemon
-	. /home/user/.nix-profile/etc/profile.d/nix.sh
-	```
-
-	Then follow the instructions. Open a new terminal window when you're done.
-
-	If you get an error similar to
-	```
-	error: cloning builder process: Operation not permitted
-	error: unable to start build process
-	/tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile
-	```
-	you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script.
-
-3. Optional: Disallow substitutes
-
-	You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source.
-	This eliminates an attack vector where nix's build server or binary cache is compromised.
-
-4. Clone this project
-
-	```
-	cd
-	git clone https://github.com/fort-nix/nix-bitcoin
-	cd ~/nix-bitcoin
-	```
-
-5. Create network file
-
-	```
-	nano network/network-nixos.nix
+    nano nixops/node-nixos.nix
     ```
 
     ```
@@ -380,7 +371,7 @@ You can also build Nix from source by following the instructions at https://nixo
 
     Replace 1.2.3.4 with NixOS machine's IP address.
 
-6. Edit `configuration.nix`
+2. Edit `configuration.nix`
 
     ```
     nano configuration.nix
@@ -388,14 +379,14 @@ You can also build Nix from source by following the instructions at https://nixo
 
     Uncomment `./hardware-configuration.nix` line by removing #.
 
-7. Create `hardware-configuration.nix`
+3. Create `hardware-configuration.nix`
 
     ```
     nano hardware-configuration.nix
     ```
     Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file.
 
-8. Add boot option to `hardware-configuration.nix`
+4. Add boot option to `hardware-configuration.nix`
 
     Option 1: Enable systemd boot for UEFI
     ```
@@ -403,27 +394,26 @@ You can also build Nix from source by following the instructions at https://nixo
     ```
     Option 2: Set grub device for Legacy Boot (MBR)
     ```
-	```
     boot.loader.grub.device = "/dev/sda";
     ```
 
-9. Setup environment
+5. Enter environment
 
     ```
     nix-shell
     ```
 
-	This will set up your nix-bitcoin environment and might take a while without giving an output.
+    Note that a new directory `secrets/` appeared which contains the secrets for your node.
 
-10. Create nixops deployment in nix-shell.
+6. Create nixops deployment in nix-shell.
 
     ```
-	nixops create network/network.nix network/network-nixos.nix -d bitcoin-node
+    nixops create nixops/node.nix nixops/node-nixos.nix -d bitcoin-node
     ```
 
-11. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
+7. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`.
 
-12. Deploy Nixops in nix-shell
+8. Deploy Nixops in nix-shell
 
     ```
     nixops deploy -d bitcoin-node
@@ -431,7 +421,7 @@ You can also build Nix from source by following the instructions at https://nixo
 
     This will now create a nix-bitcoin node on the target machine.
 
-13. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
+9. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with
 
     ```
     nixops ssh operator@bitcoin-node

docs/usage.md

@@ -1,27 +1,9 @@
 Updating
 ---
-Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`.
-
-### Verifying GPG Signatures (recommended)
-1. Import jonasnick's gpg key
+In your deployment directory, enter the nix shell with `nix-shell` and run
 
 ```
-	gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
-	```
-
-2. Trust jonasnick's gpg key
-	
-	```
-	gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366
-	trust
-	4
-	quit
-	```
-
-3.  Verify commit after `git pull`
-
-	```
-	git verify-commit <hash of latest commit>
+fetch-release > nix-bitcoin-release.nix
 ```
 
 Nodeinfo

examples/configuration.nix

@@ -4,11 +4,12 @@
 
 { config, pkgs, lib, ... }: {
   imports = [
-    ./modules/nix-bitcoin.nix
+    <nix-bitcoin/modules/nix-bitcoin.nix>
 
-    # Use hardened kernel profile. See
-    # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
-    # for the enabled options.
+    # FIXME: The hardened kernel profile improves security but
+    # decreases performance by ~50%.
+    # Turn it off when not needed.
+    # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
     <nixpkgs/nixos/modules/profiles/hardened.nix>
 
     # FIXME: Uncomment next line to import your hardware configuration. If so,

examples/deploy-container.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script demonstrates how to setup a nix-bitcoin node in a NixOS container.
+# Running this script leaves no traces on your host system.
+
+# This demo is a template for your own experiments.
+# Feel free to modify or to run nix-shell and execute individual statements of this
+# script in the interactive shell.
+
+if [[ $(sysctl -n net.ipv4.ip_forward) != 1 ]]; then
+    echo "Error: IP forwarding (net.ipv4.ip_forward) is not enabled"
+    exit 1
+fi
+if [[ ! -e /run/current-system/nixos-version ]]; then
+    echo "Error: This script needs NixOS to run"
+    exit 1
+fi
+
+if [[ ! -v IN_NIX_SHELL ]]; then
+    echo "Running script in nix shell env..."
+    exec nix-shell --run "${BASH_SOURCE[0]}"
+fi
+
+# Cleanup on exit
+cleanup() {
+    echo
+    echo "Deleting container..."
+    sudo extra-container destroy demo-node
+}
+trap "cleanup" EXIT
+
+# Build container.
+# You can re-run this command with a changed container config.
+# The running container is then switched to the new config.
+# Learn more: https://github.com/erikarvstedt/extra-container
+#
+sudo extra-container create --start <<'EOF'
+{ pkgs, lib, ... }: let
+    containerName = "demo-node"; # container name length is limited to 11 chars
+    localAddress = "10.250.0.2"; # container address
+    hostAddress = "10.250.0.1";
+in {
+  containers.${containerName} = {
+    privateNetwork = true;
+    inherit localAddress hostAddress;
+    config = { pkgs, config, lib, ... }: {
+      imports = [
+        <nix-bitcoin/examples/configuration.nix>
+        <nix-bitcoin/modules/secrets/generate-secrets.nix>
+      ];
+      # Speed up evaluation
+      documentation.nixos.enable = false;
+    };
+  };
+  # Allow WAN access
+  systemd.services."container@${containerName}" = {
+    preStart = "${pkgs.iptables}/bin/iptables -w -t nat -A POSTROUTING -s ${localAddress} -j MASQUERADE";
+    # Delete rule
+    postStop = "${pkgs.iptables}/bin/iptables -w -t nat -D POSTROUTING -s ${localAddress} -j MASQUERADE || true";
+  };
+}
+EOF
+# Run command in container
+c() { sudo extra-container run demo-node -- "$@" | cat; }
+
+echo
+echo "Bitcoind service:"
+c systemctl status bitcoind
+echo
+echo "Bitcoind network:"
+c bitcoin-cli getnetworkinfo
+echo
+echo "lightning-cli state:"
+c lightning-cli getinfo
+echo
+echo "Node info:"
+c nodeinfo
+echo
+echo "Bitcoind data dir:"
+sudo ls -al /var/lib/containers/demo-node/var/lib/bitcoind
+
+# Cleanup happens at exit (see above)

examples/deploy-nixops.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script demonstrates how to setup a VirtualBox nix-bitcoin node with nixops.
+# Running this script leaves no traces on your host system.
+
+# This demo is a template for your own experiments.
+# Feel free to modify or to run nix-shell and execute individual statements of this
+# script in the interactive shell.
+
+if [[ ! -v IN_NIX_SHELL ]]; then
+    echo "Running script in nix shell env..."
+    exec nix-shell --run "${BASH_SOURCE[0]}"
+fi
+
+# Cleanup on exit
+cleanup() {
+    set +e
+    if nixops list | grep -q bitcoin-node; then
+        nixops destroy --confirm -d bitcoin-node
+    fi
+    rm -rf $tmpDir
+}
+trap "cleanup" EXIT
+
+tmpDir=/tmp/nix-bitcoin-nixops
+mkdir -p $tmpDir
+
+# Don't write nixops and VirtualBox data to the $USER's home
+export HOME=$tmpDir
+
+# Disable interactive queries and don't write to the $USER's known_hosts file
+export NIXOPS_SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
+
+nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node
+nixops deploy -d bitcoin-node
+
+# Connect to node
+nixops ssh bitcoin-node systemctl status bitcoind
+
+# Cleanup happens at exit (see above)

examples/deploy-qemu-vm.sh

@@ -0,0 +1,93 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script demonstrates how to run a nix-bitcoin node in QEMU.
+# Running this script leaves no traces on your host system.
+
+# This demo is a template for your own experiments.
+# Feel free to modify or to run nix-shell and execute individual statements of this
+# script in the interactive shell.
+
+# MAKE SURE TO REPLACE the SSH identity file if you use this script for
+# anything serious.
+
+if [[ ! -v IN_NIX_SHELL ]]; then
+    echo "Running script in nix shell env..."
+    exec nix-shell --run "${BASH_SOURCE[0]}"
+fi
+
+tmpDir=/tmp/nix-bitcoin-qemu-vm
+mkdir -p $tmpDir
+
+# Cleanup on exit
+cleanup() {
+    set +eu
+    kill -9 $qemuPID
+    rm -rf $tmpDir
+}
+trap "cleanup" EXIT
+
+identityFile=qemu-vm/id-vm
+chmod 0600 $identityFile
+
+echo "Building VM"
+nix-build --out-link $tmpDir/vm - <<EOF
+(import <nixpkgs/nixos> {
+  configuration = {
+    imports = [
+      <nix-bitcoin/examples/configuration.nix>
+      <nix-bitcoin/modules/secrets/generate-secrets.nix>
+    ];
+    virtualisation.graphics = false;
+    services.mingetty.autologinUser = "root";
+    users.users.root = {
+      openssh.authorizedKeys.keys = [ "$(cat $identityFile.pub)" ];
+    };
+  };
+}).vm
+EOF
+
+vmMemoryMiB=2048
+vmNumCPUs=4
+sshPort=60734
+
+export NIX_DISK_IMAGE=$tmpDir/img
+export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22
+</dev/null $tmpDir/vm/bin/run-*-vm -m $vmMemoryMiB -smp $vmNumCPUs &>/dev/null &
+qemuPID=$!
+
+# Run command in VM
+c() {
+    ssh -p $sshPort -i $identityFile -o ConnectTimeout=1 \
+        -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \
+        -o ControlMaster=auto -o ControlPath=$tmpDir/ssh-connection -o ControlPersist=60 \
+        root@127.0.0.1 "$@"
+}
+
+echo
+echo "Waiting for SSH connection..."
+while ! c : 2>/dev/null; do :; done
+
+echo
+echo "Waiting until services are ready..."
+c '
+attempts=300
+while ! systemctl is-active clightning &> /dev/null; do
+    ((attempts-- == 0)) && { echo "timeout"; exit 1; }
+    sleep 0.2
+done
+'
+echo
+echo "Bitcoind service:"
+c systemctl status bitcoind
+echo
+echo "Bitcoind network:"
+c bitcoin-cli getnetworkinfo
+echo
+echo "lightning-cli state:"
+c lightning-cli getinfo
+echo
+echo "Node info:"
+c nodeinfo
+
+# Cleanup happens at exit (see above)

examples/nix-bitcoin-release.nix

@@ -0,0 +1 @@
+../.

examples/nixops/node.nix

@@ -0,0 +1,12 @@
+{
+  network.description = "Bitcoin Core node";
+
+  bitcoin-node = { config, pkgs, lib, ... }: {
+    imports = [
+      ../configuration.nix
+      <nix-bitcoin/modules/deployment/nixops.nix>
+    ];
+
+    nix-bitcoin.deployment.secretsDir = toString ../secrets;
+  };
+}

examples/qemu-vm/id-vm

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpgAAAIgDA7dzAwO3
+cwAAAAtzc2gtZWQyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpg
+AAAECuRSsNFRQgAOid87b/2kIhgycAH5nPgZwkY4bUpq7LQFt1r3f9BjAN/g8YmnYqAnXH
+Ao+AqEQd4mu5tcB5lY+mAAAABG5vbmUB
+-----END OPENSSH PRIVATE KEY-----

examples/qemu-vm/id-vm.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt1r3f9BjAN/g8YmnYqAnXHAo+AqEQd4mu5tcB5lY+m none

examples/shell.nix

@@ -0,0 +1,46 @@
+let
+  # This is either a path to a local nix-bitcoin source or an attribute set to
+  # be used as the fetchurl argument.
+  nix-bitcoin-release = import ./nix-bitcoin-release.nix;
+
+  nix-bitcoin-path =
+    if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
+    else nix-bitcoin-release;
+
+  nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
+  nixpkgs = import nixpkgs-path {};
+  nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
+
+  extraContainer = nixpkgs.callPackage (builtins.fetchTarball {
+    url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
+    sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
+  }) {};
+
+  nix-bitcoin-unpacked = (import <nixpkgs> {}).runCommand "nix-bitcoin-src" {} ''
+    mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
+  '';
+in
+with nixpkgs;
+
+stdenv.mkDerivation rec {
+  name = "nix-bitcoin-environment";
+
+  buildInputs = [ nix-bitcoin.nixops19_09 figlet extraContainer ];
+
+  shellHook = ''
+    export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
+    alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
+
+    # ssh-agent and nixops don't play well together (see
+    # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
+    # from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
+    # keys already added to my ssh-agent.
+    export SSH_AUTH_SOCK=""
+
+    figlet "nix-bitcoin"
+    (mkdir -p secrets; cd secrets; ${nix-bitcoin.generate-secrets})
+
+    # Don't run this hook when another nix-shell is run inside this shell
+    unset shellHook
+  '';
+}

helper/fetch-release

@@ -0,0 +1,36 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg
+set -euo pipefail
+
+scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
+
+REPO=fort-nix/nix-bitcoin
+if [[ ! -v VERSION ]]; then
+    VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2)
+fi
+
+TMPDIR=$(mktemp -d)
+GPG_HOME=$(mktemp -d)
+trap "rm -rf $TMPDIR $GPG_HOME" EXIT
+
+cd $TMPDIR
+BASEURL=https://github.com/$REPO/releases/download/v$VERSION
+curl --silent -L -O $BASEURL/SHA256SUMS.txt
+curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc
+
+# Import key and verify fingerprint
+gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
+gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
+
+gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
+    echo "ERROR: Signature verification failed. Please open an issue in the project repository."
+    exit 1
+}
+
+SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')
+cat <<EOF
+{
+  url = "$BASEURL/nix-bitcoin-$VERSION.tar.gz";
+  sha256 = "$SHA256";
+}
+EOF

helper/push-release.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO=fort-nix/nix-bitcoin
+BRANCH=master
+OAUTH_TOKEN=$(pass show nix-bitcoin/github/oauth-token)
+
+if [[ ! $OAUTH_TOKEN ]]; then
+    echo "Please set OAUTH_TOKEN variable"
+fi
+
+if [[ $# < 1 ]]; then
+    echo "$0 <tag_name>"
+    exit
+fi
+TAG_NAME=$1
+
+RESPONSE=$(curl https://api.github.com/repos/$REPO/releases/latest 2> /dev/null)
+echo "Latest release" $(echo $RESPONSE | jq -r '.tag_name' | tail -c +2)
+while true; do
+    read -p "Create release $1? [yn] " yn
+    case $yn in
+        [Yy]* ) break;;
+        [Nn]* ) exit;;
+        * ) echo "Please answer y or n.";;
+    esac
+done
+
+TMPDIR=$(mktemp -d)
+trap "rm -rf $TMPDIR" EXIT
+ARCHIVE_NAME=nix-bitcoin-$TAG_NAME.tar.gz
+ARCHIVE=$TMPDIR/$ARCHIVE_NAME
+
+# Need to be in the repositories root directory for archiving
+(cd $(git rev-parse --show-toplevel); git archive --format=tar.gz -o $ARCHIVE $BRANCH)
+
+SHA256SUMS=$TMPDIR/SHA256SUMS.txt
+# Want to use relative path with sha256sums because it'll output the first
+# argument
+(cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS)
+gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS
+
+POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_comitish\": \"$BRANCH\" }"
+RESPONSE=$(curl -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases 2> /dev/null)
+ID=$(echo $RESPONSE | jq -r '.id')
+if [[ $ID == null ]]; then
+    echo "Failed to create release with $POST_DATA"
+    exit 1
+fi
+
+post_asset() {
+    GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name="
+    curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
+         $GH_ASSET/$(basename $1) &> /dev/null
+}
+post_asset $ARCHIVE
+post_asset $SHA256SUMS
+post_asset $SHA256SUMS.asc
+echo "Successfully created" $(echo $POST_DATA | jq -r .tag_name)

modules/deployment/nixops.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+  deployment.keys = builtins.mapAttrs (n: v: {
+    keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";
+    destDir = config.nix-bitcoin.secretsDir;
+    inherit (v) user group permissions;
+  }) config.nix-bitcoin.secrets;
+
+  # nixops makes the secrets directory accessible only for users with group 'key'.
+  # For compatibility with other deployment methods besides nixops, we forego the
+  # use of the 'key' group and make the secrets dir world-readable instead.
+  # This is safe because all containing files have their specific private
+  # permissions set.
+  systemd.services.allowSecretsDirAccess = {
+    requires = [ "keys.target" ];
+    after = [ "keys.target" ];
+    script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
+    serviceConfig.Type = "oneshot";
+  };
+
+  systemd.targets.nix-bitcoin-secrets = {
+    requires = [ "allowSecretsDirAccess.service" ];
+    after = [ "allowSecretsDirAccess.service" ];
+  };
+}

modules/secrets/secrets.nix

@@ -15,6 +15,13 @@ in
       description = "Directory to store secrets";
     };
 
+    deployment.secretsDir = mkOption {
+      type = types.path;
+      description = ''
+        Directory of local secrets that are transfered to the nix-bitcoin node on deployment
+      '';
+    };
+
     secrets = mkOption {
       default = {};
       type = with types; attrsOf (submodule (

network/network.nix

@@ -1,31 +0,0 @@
-{
-  network.description = "Bitcoin Core node";
-
-  bitcoin-node =
-    { config, pkgs, lib, ... }: {
-      imports = [ ../configuration.nix ];
-
-      deployment.keys = builtins.mapAttrs (n: v: {
-        keyFile = "${toString ../secrets}/${n}";
-        destDir = config.nix-bitcoin.secretsDir;
-        inherit (v) user group permissions;
-      }) config.nix-bitcoin.secrets;
-
-      # nixops makes the secrets directory accessible only for users with group 'key'.
-      # For compatibility with other deployment methods besides nixops, we forego the
-      # use of the 'key' group and make the secrets dir world-readable instead.
-      # This is safe because all containing files have their specific private
-      # permissions set.
-      systemd.services.allowSecretsDirAccess = {
-        requires = [ "keys.target" ];
-        after = [ "keys.target" ];
-        script = "chmod o+x ${config.nix-bitcoin.secretsDir}";
-        serviceConfig.Type = "oneshot";
-      };
-
-      systemd.targets.nix-bitcoin-secrets = {
-        requires = [ "allowSecretsDirAccess.service" ];
-        after = [ "allowSecretsDirAccess.service" ];
-      };
-    };
-}

pkgs/nixops/release.nix.patch

@@ -43,3 +43,14 @@
                                     ('destDir',     'string'),
                                     ('user',        'string'),
                                     ('group',       'string'),
+
+--- a/nixops/ssh_util.py
++++ b/nixops/ssh_util.py
+@@ -278,6 +278,7 @@ class SSH(object):
+
+         'timeout' specifies the SSH connection timeout.
+         """
++        flags = shlex.split(os.getenv('NIXOPS_SSH_OPTS', '')) + flags
+         master = self.get_master(flags, timeout, user)
+         flags = flags + self._get_flags()
+         if logged:

shell.nix

@@ -6,19 +6,7 @@ with import nixpkgs { };
 stdenv.mkDerivation rec {
   name = "nix-bitcoin-environment";
 
-  nixops19_09 = callPackage ./pkgs/nixops {};
-  make-secrets = callPackage ./pkgs/generate-secrets/update-and-generate.nix {};
-
-  buildInputs = [ nixops19_09 figlet ];
-
   shellHook = ''
-    export NIX_PATH="nixpkgs=${nixpkgs}:."
-    # ssh-agent and nixops don't play well together (see
-    # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
-    # from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few
-    # keys already added to my ssh-agent.
-    export SSH_AUTH_SOCK=""
-    figlet "nix-bitcoin"
-    (mkdir -p secrets; cd secrets; ${make-secrets})
+    export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=./:."
   '';
 }