From abcee651d3c24213b5efddf7e1532a6eafa70600 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Wed, 26 Feb 2020 17:11:23 +0100
Subject: [PATCH] add deploy-container.sh
---
examples/deploy-container.sh | 83 ++++++++++++++++++++++++++++++++++++
examples/shell.nix | 9 +++-
2 files changed, 91 insertions(+), 1 deletion(-)
create mode 100755 examples/deploy-container.sh
diff --git a/examples/deploy-container.sh b/examples/deploy-container.sh
new file mode 100755
index 0000000..48d76ab
--- /dev/null
+++ b/examples/deploy-container.sh
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script demonstrates how to setup a nix-bitcoin node in a NixOS container.
+# Running this script leaves no traces on your host system.
+
+# This demo is a template for your own experiments.
+# Feel free to modify or to run nix-shell and execute individual statements of this
+# script in the interactive shell.
+
+if [[ $(sysctl -n net.ipv4.ip_forward) != 1 ]]; then
+ echo "Error: IP forwarding (net.ipv4.ip_forward) is not enabled"
+ exit 1
+fi
+if [[ ! -e /run/current-system/nixos-version ]]; then
+ echo "Error: This script needs NixOS to run"
+ exit 1
+fi
+
+if [[ ! -v IN_NIX_SHELL ]]; then
+ echo "Running script in nix shell env..."
+ exec nix-shell --run "${BASH_SOURCE[0]}"
+fi
+
+# Cleanup on exit
+cleanup() {
+ echo
+ echo "Deleting container..."
+ sudo extra-container destroy demo-node
+}
+trap "cleanup" EXIT
+
+# Build container.
+# You can re-run this command with a changed container config.
+# The running container is then switched to the new config.
+# Learn more: https://github.com/erikarvstedt/extra-container
+#
+sudo extra-container create --start <<'EOF'
+{ pkgs, lib, ... }: let
+ containerName = "demo-node"; # container name length is limited to 11 chars
+ localAddress = "10.250.0.2"; # container address
+ hostAddress = "10.250.0.1";
+in {
+ containers.${containerName} = {
+ privateNetwork = true;
+ inherit localAddress hostAddress;
+ config = { pkgs, config, lib, ... }: {
+ imports = [
+
+
+ ];
+ # Speed up evaluation
+ documentation.nixos.enable = false;
+ };
+ };
+ # Allow WAN access
+ systemd.services."container@${containerName}" = {
+ preStart = "${pkgs.iptables}/bin/iptables -w -t nat -A POSTROUTING -s ${localAddress} -j MASQUERADE";
+ # Delete rule
+ postStop = "${pkgs.iptables}/bin/iptables -w -t nat -D POSTROUTING -s ${localAddress} -j MASQUERADE || true";
+ };
+}
+EOF
+# Run command in container
+c() { sudo extra-container run demo-node -- "$@" | cat; }
+
+echo
+echo "Bitcoind service:"
+c systemctl status bitcoind
+echo
+echo "Bitcoind network:"
+c bitcoin-cli getnetworkinfo
+echo
+echo "lightning-cli state:"
+c lightning-cli getinfo
+echo
+echo "Node info:"
+c nodeinfo
+echo
+echo "Bitcoind data dir:"
+sudo ls -al /var/lib/containers/demo-node/var/lib/bitcoind
+
+# Cleanup happens at exit (see above)
diff --git a/examples/shell.nix b/examples/shell.nix
index cb224d5..7a6b94a 100644
--- a/examples/shell.nix
+++ b/examples/shell.nix
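Review bot: The re-exec `exec nix-shell --run "${BASH_SOURCE[0]}"` in deploy-container.sh depends on the caller's working directory, because nix-shell without a path argument evaluates whatever `shell.nix` (or `default.nix`) is in the current directory rather than the one next to the script. The later `sudo extra-container …` calls rely on that shell's environment to supply the tool, so starting the script from another directory either fails or runs a root-level command from an environment this repository did not pin. The script path is also re-parsed by the shell that `--run` starts, so a checkout path containing spaces breaks the command. Changing into the script directory first addresses both: `cd "$(dirname "${BASH_SOURCE[0]}")"` followed by `exec nix-shell --run "./$(basename "${BASH_SOURCE[0]}")"`.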
@@ -8,21 +8,28 @@ let nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs; nixpkgs = import nixpkgs-path {}; nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {}; + + extraContainer = nixpkgs.callPackage (builtins.fetchTarball { + url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz"; + sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v"; + }) {}; in with nixpkgs; stdenv.mkDerivation rec { name = "nix-bitcoin-environment"; - buildInputs = [ nix-bitcoin.nixops19_09 figlet ]; + buildInputs = [ nix-bitcoin.nixops19_09 figlet extraContainer ]; shellHook = '' export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:." + # ssh-agent and nixops don't play well together (see # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect # from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few # keys already added to my ssh-agent. export SSH_AUTH_SOCK="" + figlet "nix-bitcoin" (mkdir -p secrets; cd secrets; ${nix-bitcoin.generate-secrets}) '';
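Review bot: The `extraContainer` pin added to the `let` block carries no comment saying that the commit in `url` and the `sha256` must be changed together. A fixed-output fetch whose hash is already in the store is reused without downloading again, so bumping only the URL would silently keep the old source. Because deploy-container.sh runs this tool under sudo, the pin is the trust anchor for the demo and deserves a line such as `# extra-container is run as root by deploy-container.sh; when updating, change the commit in url and sha256 together`. The `let` block starts above the hunk.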