This script is potentially fetched from an untrusted source and should
be in good shape to be easily auditable.
- Create just one TMPDIR
- Improve comments
- Use `cut` to extract sha256
- Use camelCase var names like in other scripts
- Use idiomatic var name `pkgs` for the imported nixpkgs.
- Don't add `figlet` to PATH because it's only used internally.
- Only print figlet in interactive shells to avoid interfering with
stdout when running `nix-shell --run <cmd>`.
- Define `fetch-release` as a function to enable running it via
`nix-shell --run fetch-release`
- The scripts now work within arbitrary nix-shells.
Previously, they failed when run from nix shells other than
`examples/shell.nix`.
- The scripts now work from arbitrary working dirs.
- Update nixos iso
- Make sure to be root before parting and give instructions for checking
UEFI vs. legacy
- Instead of making user replace automatically generated nixos config,
explain how to add options.
- Add boot.loader options directly to hardware-configuration.nix
- Copy .gitignore when setting up a deployment dir
- Stress that the first config that is deployed remotely must include ssh key.
- Debian: 9 Strech -> Debian 10 Buster
- nix: 2.3.3 -> 2.3.10
Keeping the secrets dir read-only is more simple and robust.
- lnd seed mnemonic creation and joinmarket wallet creation can be
run as the regular service user instead of root.
- It is easier to switch to a third-party secrets deployment
method in the future.
Don't create a seed mnemonic for lnd when a wallet exists.
This avoids creating unused mnemonics and helps simplifying
the migration command in `versioning.nix`.
- Fail at evaluation when secrets setup is not configured.
Previously, bitcoind failed at runtime due to the missing secrets target.
- Fail at evaluation when conflicting secrets setup methods are used.
This happens when `secretsSetupMethod` has more than one definition.
With krops or nixops the secrets target is always restarted during
the deployment process.
This previously caused unnecessary restarts of all nix-bitcoin services.
Move this feature from a module preset to a regular option, so that it's
easily discoverable and accessible.
Simplify the implementation of `generateSecrets` by adding it to the
existing `setup-secrets` service script.
Also rename option setup-secrets -> setupSecrets.
ecc601a6d6 onion-addresses: mirror nix-bitcoin.onionAddresses.access behavior (nixbitcoin)
e873326bfe modules: use user & group options (nixbitcoin)
ccef870b74 spark-wallet: add user & group options (nixbitcoin)
85a1722545 lnd: add user & group options (nixbitcoin)
Pull request description:
ACKs for top commit:
erikarvstedt:
ACK ecc601a6d6
Tree-SHA512: 39da5f8e01b98a676af8a073c11df64df487b5c3ab01327a227d16f215826f5bf15ca9ac21b59934edc5e2bbb87e397c53fcbf7130bd10b00f1df359ab3328ba
This commit fixes an issue with LND, in which if both
nix-bitcoin.onionServices.lnd.public &
services.lnd.restOnionService.enable were enabled, one would try to
create a file named `lnd` and the other would try to create a directory
named `lnd` with a file named `lnd-rest` inside it. This would obiously
cause an error and fail the LND service.
47d257ad3a docs: add rationale for doas to README and FAQ (nixbitcoin)
b0039d68a0 docs: discourage users from ssh'ing into the root user (nixbitcoin)
2ca92a34a5 services: use doas if enabled (nixbitcoin)
ce2b445777 treewide: use runuser for dropping privileges (Erik Arvstedt)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 47d257ad3a
Tree-SHA512: 84bab7de1cc6fb3d405a4fc4589f2be825275f69e48dede6ff62d1a27e3a386fea530c91a234d006ec6305a46d0ec54ca836f52f197541a3df215369c9b7c1e2
