From 87d0286498b7d7d9e85a2ac0fa3af650723ca196 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Wed, 19 Feb 2020 16:37:46 +0000 Subject: [PATCH 01/16] Change the nix-bitcoin deployment from forking this repo to importing the module Instead of forking this repo, it is now recommended that users simply import the nix-bitcoin module. This commit adds an example directory that contains the network/ examples and a shell.nix for deployment with nixops. --- .gitignore | 2 +- .../configuration.nix | 2 -- .../nixops/node-libvirtd.nix | 0 .../nixops/node-vbox.nix | 0 .../network.nix => examples/nixops/node.nix | 2 +- examples/shell.nix | 29 +++++++++++++++++++ shell.nix | 6 ++-- 7 files changed, 33 insertions(+), 8 deletions(-) rename configuration.nix => examples/configuration.nix (99%) rename network/network-libvirtd.nix => examples/nixops/node-libvirtd.nix (100%) rename network/network-vbox.nix => examples/nixops/node-vbox.nix (100%) rename network/network.nix => examples/nixops/node.nix (93%) create mode 100644 examples/shell.nix diff --git a/.gitignore b/.gitignore index 5598d804..cad76d3a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -/secrets/ +/example/secrets/ diff --git a/configuration.nix b/examples/configuration.nix similarity index 99% rename from configuration.nix rename to examples/configuration.nix index 8fe27142..d3bc6975 100644 --- a/configuration.nix +++ b/examples/configuration.nix @@ -4,8 +4,6 @@ { config, pkgs, lib, ... }: { imports = [ - ./modules/nix-bitcoin.nix - # Use hardened kernel profile. See # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix # for the enabled options. diff --git a/network/network-libvirtd.nix b/examples/nixops/node-libvirtd.nix similarity index 100% rename from network/network-libvirtd.nix rename to examples/nixops/node-libvirtd.nix 
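Review bot: The new ignore pattern `/example/secrets/` does not match the directory this series actually creates, which is `examples/` (the `examples/shell.nix` added in the same commit runs `mkdir -p secrets` from that directory and generates secrets there), so locally generated secrets under `examples/secrets/` are no longer ignored and can be committed by accident. The line should read `+/examples/secrets/`. Since the shellHook writes `secrets/` relative to the current working directory, the pattern only covers the case where `nix-shell` is started from `examples/`; a short comment in `.gitignore` saying so would help.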
diff --git a/network/network-vbox.nix b/examples/nixops/node-vbox.nix similarity index 100% rename from network/network-vbox.nix rename to examples/nixops/node-vbox.nix diff --git a/network/network.nix b/examples/nixops/node.nix similarity index 93% rename from network/network.nix rename to examples/nixops/node.nix index fa69939c..e1838704 100644 --- a/network/network.nix +++ b/examples/nixops/node.nix @@ -3,7 +3,7 @@ bitcoin-node = { config, pkgs, lib, ... }: { - imports = [ ../configuration.nix ]; + imports = [ ../configuration.nix ]; deployment.keys = builtins.mapAttrs (n: v: { keyFile = "${toString ../secrets}/${n}"; diff --git a/examples/shell.nix b/examples/shell.nix new file mode 100644 index 00000000..cb224d5a --- /dev/null +++ b/examples/shell.nix @@ -0,0 +1,29 @@ +let + # TODO: + # nix-bitcoin-path = builtins.fetchTarball { + # url = "https://github.com/fort-nix/nix-bitcoin/archive/master.tar.gz"; + # sha256 = "1mlvfakjgbl67k4k9mgafp5gvi2gb2p57xwxwffqr4chx8g848n7"; + # }; + nix-bitcoin-path = ../.; + nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs; + nixpkgs = import nixpkgs-path {}; + nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {}; +in +with nixpkgs; + +stdenv.mkDerivation rec { + name = "nix-bitcoin-environment"; + + buildInputs = [ nix-bitcoin.nixops19_09 figlet ]; + + shellHook = '' + export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:." + # ssh-agent and nixops don't play well together (see + # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect + # from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few + # keys already added to my ssh-agent. + export SSH_AUTH_SOCK="" + figlet "nix-bitcoin" + (mkdir -p secrets; cd secrets; ${nix-bitcoin.generate-secrets}) + ''; +} diff --git a/shell.nix b/shell.nix index 45ab2641..1838396c 100644 --- a/shell.nix +++ b/shell.nix 
@@ -1,13 +1,12 @@ let nixpkgs = (import ./pkgs/nixpkgs-pinned.nix).nixpkgs; in -with import nixpkgs { }; +with import nixpkgs {}; stdenv.mkDerivation rec { name = "nix-bitcoin-environment"; nixops19_09 = callPackage ./pkgs/nixops {}; - make-secrets = callPackage ./pkgs/generate-secrets/update-and-generate.nix {}; buildInputs = [ nixops19_09 figlet ]; @@ -18,7 +17,6 @@ stdenv.mkDerivation rec { # from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few # keys already added to my ssh-agent. export SSH_AUTH_SOCK="" - figlet "nix-bitcoin" - (mkdir -p secrets; cd secrets; ${make-secrets}) + figlet "nix-bitcoin dev shell" ''; } From 0c0978c0073d18d195e8518ca4624592000fb8a9 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Wed, 26 Feb 2020 17:11:19 +0100 Subject: [PATCH 02/16] extract module 'deployment/nixops.nix', add option 'deployment.secretsDir' --- examples/nixops/node.nix | 36 +++++++++-------------------------- modules/deployment/nixops.nix | 25 ++++++++++++++++++++++++ modules/secrets/secrets.nix | 7 +++++++ 3 files changed, 41 insertions(+), 27 deletions(-) create mode 100644 modules/deployment/nixops.nix diff --git a/examples/nixops/node.nix b/examples/nixops/node.nix index e1838704..a29cbf02 100644 --- a/examples/nixops/node.nix +++ b/examples/nixops/node.nix 
@@ -1,31 +1,13 @@ { network.description = "Bitcoin Core node"; - bitcoin-node = - { config, pkgs, lib, ... }: { - imports = [ ../configuration.nix ]; - - deployment.keys = builtins.mapAttrs (n: v: { - keyFile = "${toString ../secrets}/${n}"; - destDir = config.nix-bitcoin.secretsDir; - inherit (v) user group permissions; - }) config.nix-bitcoin.secrets; - - # nixops makes the secrets directory accessible only for users with group 'key'. - # For compatibility with other deployment methods besides nixops, we forego the - # use of the 'key' group and make the secrets dir world-readable instead. - # This is safe because all containing files have their specific private - # permissions set. - systemd.services.allowSecretsDirAccess = { - requires = [ "keys.target" ]; - after = [ "keys.target" ]; - script = "chmod o+x ${config.nix-bitcoin.secretsDir}"; - serviceConfig.Type = "oneshot"; - }; - - systemd.targets.nix-bitcoin-secrets = { - requires = [ "allowSecretsDirAccess.service" ]; - after = [ "allowSecretsDirAccess.service" ]; - }; - }; + bitcoin-node = { config, pkgs, lib, ... }: { + imports = [ + ../configuration.nix + + + ]; + + nix-bitcoin.deployment.secretsDir = toString ../secrets; + }; } diff --git a/modules/deployment/nixops.nix b/modules/deployment/nixops.nix new file mode 100644 index 00000000..50f94680 --- /dev/null +++ b/modules/deployment/nixops.nix 
@@ -0,0 +1,25 @@ +{ config, ... }: +{ + deployment.keys = builtins.mapAttrs (n: v: { + keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}"; + destDir = config.nix-bitcoin.secretsDir; + inherit (v) user group permissions; + }) config.nix-bitcoin.secrets; + + # nixops makes the secrets directory accessible only for users with group 'key'. + # For compatibility with other deployment methods besides nixops, we forego the + # use of the 'key' group and make the secrets dir world-readable instead. + # This is safe because all containing files have their specific private + # permissions set. + systemd.services.allowSecretsDirAccess = { + requires = [ "keys.target" ]; + after = [ "keys.target" ]; + script = "chmod o+x ${config.nix-bitcoin.secretsDir}"; + serviceConfig.Type = "oneshot"; + }; + + systemd.targets.nix-bitcoin-secrets = { + requires = [ "allowSecretsDirAccess.service" ]; + after = [ "allowSecretsDirAccess.service" ]; + }; +} diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 01492896..36585c72 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix @@ -15,6 +15,13 @@ in description = "Directory to store secrets"; }; + deployment.secretsDir = mkOption { + type = types.path; + description = '' + Directory of local secrets that are transfered to the nix-bitcoin node on deployment + ''; + }; + secrets = mkOption { default = {}; type = with types; attrsOf (submodule ( From f3121892ef22e269fd799ce38bd2a7aea3f1370e Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Wed, 26 Feb 2020 17:11:20 +0100 Subject: [PATCH 03/16] move main module import to configuration.nix --- examples/configuration.nix | 2 ++ examples/nixops/node.nix | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/configuration.nix b/examples/configuration.nix index d3bc6975..89a2ef40 100644 --- a/examples/configuration.nix +++ b/examples/configuration.nix 
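Review bot: The new `deployment.secretsDir` option is declared as `types.path`, but its only consumer, the `keyFile = "${config.nix-bitcoin.deployment.secretsDir}/${n}";` line in `modules/deployment/nixops.nix` added by this same commit, interpolates it into a string; if a user assigns a Nix path literal such as `../secrets` instead of a string, Nix copies the whole secrets directory into the world-readable `/nix/store` at evaluation time. The example in `examples/nixops/node.nix` avoids this with `toString ../secrets`, yet nothing in the option declaration enforces or documents it. Either declare the option as `types.str`, or extend the description to something like "Directory of local secrets that are transferred to the nix-bitcoin node on deployment. Must be given as a string (wrap the path in toString), not as a path literal, so the secrets are not copied into the Nix store." The description also has a typo: `transfered` → `transferred`.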
@@ -4,6 +4,8 @@ { config, pkgs, lib, ... }: { imports = [ + + # Use hardened kernel profile. See # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix # for the enabled options. diff --git a/examples/nixops/node.nix b/examples/nixops/node.nix index a29cbf02..d8eac3bc 100644 --- a/examples/nixops/node.nix +++ b/examples/nixops/node.nix @@ -4,7 +4,6 @@ bitcoin-node = { config, pkgs, lib, ... }: { imports = [ ../configuration.nix - ]; From 0c74c365de8cb5df3b9f8433d5e9baecc8df1aac Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Wed, 26 Feb 2020 17:11:21 +0100 Subject: [PATCH 04/16] mention performance loss with hardened kernel profile --- examples/configuration.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/examples/configuration.nix b/examples/configuration.nix index 89a2ef40..85bd665f 100644 --- a/examples/configuration.nix +++ b/examples/configuration.nix @@ -6,10 +6,11 @@ imports = [ - # Use hardened kernel profile. See - # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix - # for the enabled options. - + # FIXME: The hardened kernel profile improves security but + # decreases performance by ~50%. + # Turn it off when not needed. + # Source: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix + # FIXME: Uncomment next line to import your hardware configuration. If so, # add the hardware configuration file to the same directory as this file. From 5dadea310cc0522c2bf6a6a7771c6889f0ad39e0 Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Wed, 26 Feb 2020 17:11:22 +0100 Subject: [PATCH 05/16] add deploy-nixops.sh --- examples/deploy-nixops.sh | 41 +++++++++++++++++++++++++++++++++++ pkgs/nixops/release.nix.patch | 11 ++++++++++ 2 files changed, 52 insertions(+) create mode 100755 examples/deploy-nixops.sh diff --git a/examples/deploy-nixops.sh b/examples/deploy-nixops.sh new file mode 100755 index 00000000..a50aba2d --- /dev/null 
+++ b/examples/deploy-nixops.sh @@ -0,0 +1,41 @@ +#!/usr/bin/env bash +set -euo pipefail + +# This script demonstrates how to setup a VirtualBox nix-bitcoin node with nixops. +# Running this script leaves no traces on your host system. + +# This demo is a template for your own experiments. +# Feel free to modify or to run nix-shell and execute individual statements of this +# script in the interactive shell. + +if [[ ! -v IN_NIX_SHELL ]]; then + echo "Running script in nix shell env..." + exec nix-shell --run "${BASH_SOURCE[0]}" +fi + +# Cleanup on exit +cleanup() { + set +e + if nixops list | grep -q bitcoin-node; then + nixops destroy --confirm -d bitcoin-node + fi + rm -rf $tmpDir +} +trap "cleanup" EXIT + +tmpDir=/tmp/nix-bitcoin-nixops +mkdir -p $tmpDir + +# Don't write nixops and VirtualBox data to the $USER's home +export HOME=$tmpDir + +# Disable interactive queries and don't write to the $USER's known_hosts file +export NIXOPS_SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" + +nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node +nixops deploy -d bitcoin-node + +# Connect to node +nixops ssh bitcoin-node systemctl status bitcoind + +# Cleanup happens at exit (see above) diff --git a/pkgs/nixops/release.nix.patch b/pkgs/nixops/release.nix.patch index c54432a2..734159b6 100644 --- a/pkgs/nixops/release.nix.patch +++ b/pkgs/nixops/release.nix.patch @@ -43,3 +43,14 @@ ('destDir', 'string'), ('user', 'string'), ('group', 'string'), + +--- a/nixops/ssh_util.py ++++ b/nixops/ssh_util.py +@@ -278,6 +278,7 @@ class SSH(object): + + 'timeout' specifies the SSH connection timeout. + """ ++ flags = shlex.split(os.getenv('NIXOPS_SSH_OPTS', '')) + flags + master = self.get_master(flags, timeout, user) + flags = flags + self._get_flags() + if logged: From abcee651d3c24213b5efddf7e1532a6eafa70600 Mon Sep 17 00:00:00 2001 
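Review bot: `tmpDir=/tmp/nix-bitcoin-nixops` is a fixed, predictable path in the shared `/tmp`, and the script then points `HOME` at it (so NixOps state and generated SSH keys land there, as far as I can tell from the defaults) and removes it with an unquoted `rm -rf $tmpDir` in `cleanup`; another local user could pre-create or symlink that directory before the script runs. Create it with `tmpDir=$(mktemp -d /tmp/nix-bitcoin-nixops.XXXXXX)`, drop the `mkdir -p $tmpDir`, and quote every use (`export HOME="$tmpDir"`, `rm -rf "$tmpDir"`). The `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` in `NIXOPS_SSH_OPTS` is reasonable for a throwaway local VirtualBox VM, but deserves a comment such as `# Host key checking is disabled only because the target is a fresh local VM; do not reuse this for remote deployments.`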
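Review bot: The line added to `nixops/ssh_util.py` by the new section of `pkgs/nixops/release.nix.patch` calls `shlex.split` and `os.getenv`, but the patch shows no corresponding import; unless `ssh_util.py` already imports both (not visible here), the patched NixOps would fail with a `NameError` on every SSH invocation. Please confirm the imports exist or add them in the same patch section. A one-line comment above the new line, e.g. `# NIXOPS_SSH_OPTS: extra ssh flags prepended to the generated ones (used by examples/deploy-nixops.sh)`, would also document the new environment variable, which is otherwise undocumented.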
From: Erik Arvstedt Date: Wed, 26 Feb 2020 17:11:23 +0100 Subject: [PATCH 06/16] add deploy-container.sh --- examples/deploy-container.sh | 83 ++++++++++++++++++++++++++++++++++++ examples/shell.nix | 9 +++- 2 files changed, 91 insertions(+), 1 deletion(-) create mode 100755 examples/deploy-container.sh diff --git a/examples/deploy-container.sh b/examples/deploy-container.sh new file mode 100755 index 00000000..48d76aba --- /dev/null +++ b/examples/deploy-container.sh 
@@ -0,0 +1,83 @@ +#!/usr/bin/env bash +set -euo pipefail + +# This script demonstrates how to setup a nix-bitcoin node in a NixOS container. +# Running this script leaves no traces on your host system. + +# This demo is a template for your own experiments. +# Feel free to modify or to run nix-shell and execute individual statements of this +# script in the interactive shell. + +if [[ $(sysctl -n net.ipv4.ip_forward) != 1 ]]; then + echo "Error: IP forwarding (net.ipv4.ip_forward) is not enabled" + exit 1 +fi +if [[ ! -e /run/current-system/nixos-version ]]; then + echo "Error: This script needs NixOS to run" + exit 1 +fi + +if [[ ! -v IN_NIX_SHELL ]]; then + echo "Running script in nix shell env..." + exec nix-shell --run "${BASH_SOURCE[0]}" +fi + +# Cleanup on exit +cleanup() { + echo + echo "Deleting container..." + sudo extra-container destroy demo-node +} +trap "cleanup" EXIT + +# Build container. +# You can re-run this command with a changed container config. +# The running container is then switched to the new config. +# Learn more: https://github.com/erikarvstedt/extra-container +# +sudo extra-container create --start <<'EOF' +{ pkgs, lib, ... }: let + containerName = "demo-node"; # container name length is limited to 11 chars + localAddress = "10.250.0.2"; # container address + hostAddress = "10.250.0.1"; +in { + containers.${containerName} = { + privateNetwork = true; + inherit localAddress hostAddress; + config = { pkgs, config, lib, ... 
}: { + imports = [ + + + ]; + # Speed up evaluation + documentation.nixos.enable = false; + }; + }; + # Allow WAN access + systemd.services."container@${containerName}" = { + preStart = "${pkgs.iptables}/bin/iptables -w -t nat -A POSTROUTING -s ${localAddress} -j MASQUERADE"; + # Delete rule + postStop = "${pkgs.iptables}/bin/iptables -w -t nat -D POSTROUTING -s ${localAddress} -j MASQUERADE || true"; + }; +} +EOF +# Run command in container +c() { sudo extra-container run demo-node -- "$@" | cat; } + +echo +echo "Bitcoind service:" +c systemctl status bitcoind +echo +echo "Bitcoind network:" +c bitcoin-cli getnetworkinfo +echo +echo "lightning-cli state:" +c lightning-cli getinfo +echo +echo "Node info:" +c nodeinfo +echo +echo "Bitcoind data dir:" +sudo ls -al /var/lib/containers/demo-node/var/lib/bitcoind + +# Cleanup happens at exit (see above) diff --git a/examples/shell.nix b/examples/shell.nix index cb224d5a..7a6b94a7 100644 --- a/examples/shell.nix +++ b/examples/shell.nix 
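Review bot: The `preStart` MASQUERADE rule in the embedded container config appends unconditionally with `-A`, while `postStop` deletes a single instance and is allowed to fail (`|| true`); if the `container@demo-node` service restarts after a failed or skipped `postStop`, duplicate NAT rules accumulate on the host and outlive the demo, contradicting the "leaves no traces" promise at the top of the script. Guard the insert: `preStart = "${pkgs.iptables}/bin/iptables -w -t nat -C POSTROUTING -s ${localAddress} -j MASQUERADE || ${pkgs.iptables}/bin/iptables -w -t nat -A POSTROUTING -s ${localAddress} -j MASQUERADE";`. The empty lines inside the container's `imports = [ ... ]` look like an extraction artifact where an angle-bracket path was stripped; if the file really is empty there, the container would not import nix-bitcoin at all, so this is worth confirming against the original.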
@@ -8,21 +8,28 @@ let nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs; nixpkgs = import nixpkgs-path {}; nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {}; + + extraContainer = nixpkgs.callPackage (builtins.fetchTarball { + url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz"; + sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v"; + }) {}; in with nixpkgs; stdenv.mkDerivation rec { name = "nix-bitcoin-environment"; - buildInputs = [ nix-bitcoin.nixops19_09 figlet ]; + buildInputs = [ nix-bitcoin.nixops19_09 figlet extraContainer ]; shellHook = '' export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:." + # ssh-agent and nixops don't play well together (see # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect # from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few # keys already added to my ssh-agent. export SSH_AUTH_SOCK="" + figlet "nix-bitcoin" (mkdir -p secrets; cd secrets; ${nix-bitcoin.generate-secrets}) ''; From 44ccbb91d0a03211f4b6c1a0349db38a21c0ab09 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sun, 8 Mar 2020 14:14:38 +0000 Subject: [PATCH 07/16] Clean up development shell.nix --- shell.nix | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/shell.nix b/shell.nix index 1838396c..07a6f2d8 100644 --- a/shell.nix +++ b/shell.nix 
@@ -6,17 +6,7 @@ with import nixpkgs {}; stdenv.mkDerivation rec { name = "nix-bitcoin-environment"; - nixops19_09 = callPackage ./pkgs/nixops {}; - - buildInputs = [ nixops19_09 figlet ]; - shellHook = '' - export NIX_PATH="nixpkgs=${nixpkgs}:." - # ssh-agent and nixops don't play well together (see - # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect - # from 10.1.1.200 port 22:2: Too many authentication failures` if I have a few - # keys already added to my ssh-agent. - export SSH_AUTH_SOCK="" - figlet "nix-bitcoin dev shell" + export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=./:." ''; } From 548ced19943efd48d12bc4f52bf26b440c43a4f2 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sat, 21 Mar 2020 21:40:15 +0000 Subject: [PATCH 08/16] README: Add Example section --- README.md | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2d02ff04..51b1989e 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ nix-bitcoin === Nix packages and nixos modules for easily installing Bitcoin nodes and higher layer protocols with an emphasis on security. -This is a work in progress - don't expect it to be bug free or secure. +This is a work in progress - don't expect it to be bug-free, secure or stable. The default configuration sets up a Bitcoin Core node and c-lightning. The user can enable spark-wallet in `configuration.nix` to make c-lightning accessible with a smartphone using spark-wallet. A simple webpage shows the lightning nodeid and links to nanopos letting the user receive donations. 
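Review bot: The new `NIX_PATH` entry `nix-bitcoin=./` is relative to the current working directory rather than to `shell.nix`, so `<nix-bitcoin/...>` lookups only resolve correctly when `nix-shell` is started from the repository root; from any other directory they silently point at the wrong tree. Use the file's own location instead: `export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=${toString ./.}:."`. The trailing `:.` entry has the same cwd dependence and deserves a one-line comment if it is intentional.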
@@ -22,6 +22,20 @@ The goal is to make it easy to deploy a reasonably secure Bitcoin node with a us It should allow managing bitcoin (the currency) effectively and providing public infrastructure. It should be a reproducible and extensible platform for applications building on Bitcoin. +Example +--- +The easiest way is to try out nix-bitcoin is to use one of the provided examples. +This requires that you either have NixOS installed or another Linux distribution with [Nix](https://nixos.org/nix/) and [VirtualBox](https://www.virtualbox.org). + +``` +git clone https://github.com/fort-nix/nix-bitcoin +cd examples/ +nix-shell +``` + +Now you can run `./deploy-nixops.sh` to install nix-bitcoin in a VirtualBox or `./deploy-container.sh` to install in a [NixOS container](https://github.com/erikarvstedt/extra-container). +This will set up a nix-bitcoin according to `examples/configuration.nix` and then shut down immediately. + Available modules --- By default the `configuration.nix` provides: @@ -46,8 +60,6 @@ The data directories of the services can be found in `/var/lib` on the deployed Installation --- -The easiest way is to run `nix-shell` (on a Linux machine) in the nix-bitcoin directory and then create a [NixOps](https://nixos.org/nixops/manual/) deployment with the provided `network.nix` in the `network` directory. -Fix the FIXMEs in configuration.nix and deploy with nixops in nix-shell. See [install.md](docs/install.md) for a detailed tutorial. Security From 9df22a2764a550f0f9a94f759a091d1d8cdd1135 Mon Sep 17 00:00:00 2001 
From: Erik Arvstedt Date: Sun, 29 Mar 2020 18:21:04 +0200 Subject: [PATCH 09/16] add deploy-qemu-vm.sh example --- README.md | 18 ++++++-- examples/deploy-qemu-vm.sh | 93 ++++++++++++++++++++++++++++++++++++++ examples/qemu-vm/id-vm | 7 +++ examples/qemu-vm/id-vm.pub | 1 + 4 files changed, 115 insertions(+), 4 deletions(-) create mode 100755 examples/deploy-qemu-vm.sh create mode 100644 examples/qemu-vm/id-vm create mode 100644 examples/qemu-vm/id-vm.pub diff --git a/README.md b/README.md index 51b1989e..28a0c83e 100644 --- a/README.md +++ b/README.md @@ -24,8 +24,7 @@ It should be a reproducible and extensible platform for applications building on Example --- -The easiest way is to try out nix-bitcoin is to use one of the provided examples. -This requires that you either have NixOS installed or another Linux distribution with [Nix](https://nixos.org/nix/) and [VirtualBox](https://www.virtualbox.org). +The easiest way to try out nix-bitcoin is to use one of the provided examples. ``` git clone https://github.com/fort-nix/nix-bitcoin 
@@ -33,8 +32,19 @@ cd examples/ nix-shell ``` -Now you can run `./deploy-nixops.sh` to install nix-bitcoin in a VirtualBox or `./deploy-container.sh` to install in a [NixOS container](https://github.com/erikarvstedt/extra-container). -This will set up a nix-bitcoin according to `examples/configuration.nix` and then shut down immediately. +The following example scripts set up a nix-bitcoin node according to `examples/configuration.nix` and then +shut down immediately. They leave no traces (outside of `/nix/store`) on the host system. + +- `./deploy-container.sh` creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\ + This is the fastest way to set up a node.\ + Requires: [NixOS](https://nixos.org/) + +- `./deploy-qemu-vm.sh` creates a QEMU VM.\ + Requires: [Nix](https://nixos.org/nix/) + +- `./deploy-nixops.sh` creates a VirtualBox VM via [NixOps](https://github.com/NixOS/nixops).\ + NixOps can be used to deploy to various other backends like cloud providers.\ + Requires: [Nix](https://nixos.org/nix/), [VirtualBox](https://www.virtualbox.org) Available modules --- diff --git a/examples/deploy-qemu-vm.sh b/examples/deploy-qemu-vm.sh new file mode 100755 index 00000000..9267c7ba --- /dev/null +++ b/examples/deploy-qemu-vm.sh 
@@ -0,0 +1,93 @@ +#!/usr/bin/env bash +set -euo pipefail + +# This script demonstrates how to run a nix-bitcoin node in QEMU. +# Running this script leaves no traces on your host system. + +# This demo is a template for your own experiments. +# Feel free to modify or to run nix-shell and execute individual statements of this +# script in the interactive shell. + +# MAKE SURE TO REPLACE the SSH identity file if you use this script for +# anything serious. + +if [[ ! -v IN_NIX_SHELL ]]; then + echo "Running script in nix shell env..." + exec nix-shell --run "${BASH_SOURCE[0]}" +fi + +tmpDir=/tmp/nix-bitcoin-qemu-vm +mkdir -p $tmpDir + +# Cleanup on exit +cleanup() { + set +eu + kill -9 $qemuPID + rm -rf $tmpDir +} +trap "cleanup" EXIT + +identityFile=qemu-vm/id-vm +chmod 0600 $identityFile + +echo "Building VM" +nix-build --out-link $tmpDir/vm - < { + configuration = { + imports = [ + + + ]; + virtualisation.graphics = false; + services.mingetty.autologinUser = "root"; + users.users.root = { + openssh.authorizedKeys.keys = [ "$(cat $identityFile.pub)" ]; + }; + }; +}).vm +EOF + +vmMemoryMiB=2048 +vmNumCPUs=4 +sshPort=60734 + +export NIX_DISK_IMAGE=$tmpDir/img +export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22 +/dev/null & +qemuPID=$! + +# Run command in VM +c() { + ssh -p $sshPort -i $identityFile -o ConnectTimeout=1 \ + -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR \ + -o ControlMaster=auto -o ControlPath=$tmpDir/ssh-connection -o ControlPersist=60 \ + root@127.0.0.1 "$@" +} + +echo +echo "Waiting for SSH connection..." +while ! c : 2>/dev/null; do :; done + +echo +echo "Waiting until services are ready..." +c ' +attempts=300 +while ! 
systemctl is-active clightning &> /dev/null; do + ((attempts-- == 0)) && { echo "timeout"; exit 1; } + sleep 0.2 +done +' +echo +echo "Bitcoind service:" +c systemctl status bitcoind +echo +echo "Bitcoind network:" +c bitcoin-cli getnetworkinfo +echo +echo "lightning-cli state:" +c lightning-cli getinfo +echo +echo "Node info:" +c nodeinfo + +# Cleanup happens at exit (see above) diff --git a/examples/qemu-vm/id-vm b/examples/qemu-vm/id-vm new file mode 100644 index 00000000..ce391613 --- /dev/null +++ b/examples/qemu-vm/id-vm @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpgAAAIgDA7dzAwO3 +cwAAAAtzc2gtZWQyNTUxOQAAACBbda93/QYwDf4PGJp2KgJ1xwKPgKhEHeJrubXAeZWPpg +AAAECuRSsNFRQgAOid87b/2kIhgycAH5nPgZwkY4bUpq7LQFt1r3f9BjAN/g8YmnYqAnXH +Ao+AqEQd4mu5tcB5lY+mAAAABG5vbmUB +-----END OPENSSH PRIVATE KEY----- diff --git a/examples/qemu-vm/id-vm.pub b/examples/qemu-vm/id-vm.pub new file mode 100644 index 00000000..114cbff2 --- /dev/null +++ b/examples/qemu-vm/id-vm.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFt1r3f9BjAN/g8YmnYqAnXHAo+AqEQd4mu5tcB5lY+m none From 8aa4714979d8296fae023bb21a4a9fc3b0ca3095 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sat, 21 Mar 2020 17:27:44 +0000 Subject: [PATCH 10/16] docs: Update NixOS version --- docs/install.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/install.md b/docs/install.md index 1c74e341..4c57e08d 100644 --- a/docs/install.md +++ b/docs/install.md 
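Review bot: The port forward `export QEMU_NET_OPTS=hostfwd=tcp::$sshPort-:22` omits the host address, so QEMU's user-mode networking listens on port 60734 on all host interfaces; together with root login authorized by the `qemu-vm/id-vm` key that this commit checks into the repository (the script's own header says to replace it for anything serious), anyone who can reach the host over the network can log in to the VM as root for the lifetime of the demo. Bind to loopback: `export QEMU_NET_OPTS=hostfwd=tcp:127.0.0.1:$sshPort-:22`. As in `deploy-nixops.sh`, `tmpDir=/tmp/nix-bitcoin-qemu-vm` is a fixed path in the shared `/tmp` that also holds the disk image (`NIX_DISK_IMAGE`) and the SSH `ControlPath` socket; `tmpDir=$(mktemp -d)` with quoted uses avoids pre-creation by other local users. The `nix-build --out-link $tmpDir/vm - <` and `+/dev/null &` lines appear to have lost text in extraction (presumably the heredoc and the QEMU invocation), so that part is not reviewed here.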
@@ -193,17 +193,19 @@ Tutorial: install and configure NixOS for nix-bitcoin on your own hardware This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.html#ch-installation). Look there for more information. -1. Obtain latest NixOS. For example: +1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example: ``` - wget https://releases.nixos.org/nixos/19.03/nixos-19.03.172538.7bb74e65365/nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso + wget https://releases.nixos.org/nixos/19.09/nixos-19.09.2284.bf7c0f0461e/nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso + sha256sum nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso + # output: 9768eb945bef410fccfb82cb3d2e7ce7c02c3430aed0f2f1527273cb080fff3e ``` Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd. 2. Write NixOS iso to install media (USB/CD). For example: ``` - dd if=nixos-minimal-19.03.172538.7bb74e65365-x86_64-linux.iso of=/dev/sdX + cp nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso /dev/sdX ``` Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l` @@ -403,7 +405,6 @@ You can also build Nix from source by following the instructions at https://nixo ``` Option 2: Set grub device for Legacy Boot (MBR) ``` - ``` boot.loader.grub.device = "/dev/sda"; ``` From 455c5664c9beefc3fc68491523481988801e9536 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sat, 21 Mar 2020 19:42:59 +0000 Subject: [PATCH 11/16] docs: Replace tabs with spaces --- docs/install.md | 474 ++++++++++++++++++++++++------------------------ docs/usage.md | 276 ++++++++++++++-------------- 2 files changed, 375 insertions(+), 375 deletions(-) diff --git a/docs/install.md b/docs/install.md index 4c57e08d..11015ac6 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -18,35 +18,35 @@ The following steps are meant to be run on the machine you deploy from, not the 1. Add virtualbox.list to /etc/apt/sources.list.d (Debian 9 stretch) - ``` - echo "deb http://download.virtualbox.org/virtualbox/debian stretch contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list - ``` + ``` + echo "deb http://download.virtualbox.org/virtualbox/debian stretch contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list + ``` 2. Add Oracle VirtualBox public key - ``` - wget https://www.virtualbox.org/download/oracle_vbox_2016.asc - gpg2 oracle_vbox_2016.asc - ``` + ``` + wget https://www.virtualbox.org/download/oracle_vbox_2016.asc + gpg2 oracle_vbox_2016.asc + ``` - Proceed _only_ if fingerprint reads B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF + Proceed _only_ if fingerprint reads B9F8 D658 297A F3EF C18D 5CDF A2F6 83C5 2980 AECF - ``` - sudo apt-key add oracle_vbox_2016.asc - ``` + ``` + sudo apt-key add oracle_vbox_2016.asc + ``` 3. Install virtualbox-5.2 - ``` - sudo apt-get update - sudo apt-get install virtualbox-5.2 - ``` + ``` + sudo apt-get update + sudo apt-get install virtualbox-5.2 + ``` 3. Create Host Adapter in VirtualBox - ``` - vboxmanage hostonlyif create - ``` + ``` + vboxmanage hostonlyif create + ``` ## 2. Nix installation The following steps are meant to be run on the machine you deploy from, not the machine you deploy to. 
@@ -54,75 +54,75 @@ You can also build Nix from source by following the instructions at https://nixo 1. Install Dependencies (Debian 9 stretch) - ``` - sudo apt-get install curl git gnupg2 dirmngr - ``` + ``` + sudo apt-get install curl git gnupg2 dirmngr + ``` 2. Install latest Nix in "multi-user mode" with GPG Verification - ``` - curl -o install-nix https://nixos.org/nix/install - curl -o install-nix.sig https://nixos.org/nix/install.sig - gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE - gpg2 --verify ./install-nix.sig - sh ./install-nix --daemon - ``` + ``` + curl -o install-nix https://nixos.org/nix/install + curl -o install-nix.sig https://nixos.org/nix/install.sig + gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE + gpg2 --verify ./install-nix.sig + sh ./install-nix --daemon + ``` - Then follow the instructions. Open a new terminal window when you're done. + Then follow the instructions. Open a new terminal window when you're done. - If you get an error similar to - ``` - error: cloning builder process: Operation not permitted - error: unable to start build process - /tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile - ``` - you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script. + If you get an error similar to + ``` + error: cloning builder process: Operation not permitted + error: unable to start build process + /tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile + ``` + you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script. 3. Optional: Disallow substitutes - You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source. - This eliminates an attack vector where nix's build server or binary cache is compromised. 
+ You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source. + This eliminates an attack vector where nix's build server or binary cache is compromised. ## 3. Nixops deployment 1. Clone this project - ``` - cd - git clone https://github.com/fort-nix/nix-bitcoin - cd ~/nix-bitcoin - ``` + ``` + cd + git clone https://github.com/fort-nix/nix-bitcoin + cd ~/nix-bitcoin + ``` 2. Setup environment - ``` - nix-shell - ``` + ``` + nix-shell + ``` - This will set up your nix-bitcoin environment and might take a while without giving an output. + This will set up your nix-bitcoin environment and might take a while without giving an output. 3. Create nixops deployment in nix-shell. - ``` - nixops create network/network.nix network/network-vbox.nix -d bitcoin-node - ``` + ``` + nixops create network/network.nix network/network-vbox.nix -d bitcoin-node + ``` 4. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. 5. Deploy Nixops in nix-shell - ``` - nixops deploy -d bitcoin-node - ``` + ``` + nixops deploy -d bitcoin-node + ``` - This will now create a nix-bitcoin node on the target machine. + This will now create a nix-bitcoin node on the target machine. 6. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with - ``` - nixops ssh operator@bitcoin-node - ``` + ``` + nixops ssh operator@bitcoin-node + ``` See [usage.md](usage.md) for usage instructions, such as how to update. 
@@ -138,15 +138,15 @@ Tutorial: install and configure NixOS for nix-bitcoin on VirtualBox (macOS host) The following steps are meant to be run on the machine you deploy from, not the machine you deploy to. 1. Download and install VirtualBox - Use the official Downloads page: [https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads) + Use the official Downloads page: [https://www.virtualbox.org/wiki/Downloads](https://www.virtualbox.org/wiki/Downloads) - Make sure that the installer you download shows a lock icon in the top right corner to make sure it is signed by Oracle. + Make sure that the installer you download shows a lock icon in the top right corner to make sure it is signed by Oracle. 2. Create Host Adapter in VirtualBox - ``` - vboxmanage hostonlyif create - ``` + ``` + vboxmanage hostonlyif create + ``` ## 2. Nix installation (macOS) @@ -157,20 +157,20 @@ In order to build binaries for your linux (NixOS) virtual machine on a macOS hos 1. Installation - ``` - nix-env -i /nix/store/jgq3savsyyrpsxvjlrz41nx09z7r0lch-linuxkit-builder + ``` + nix-env -i /nix/store/jgq3savsyyrpsxvjlrz41nx09z7r0lch-linuxkit-builder nix-linuxkit-configure - ``` + ``` - You may want to use `nix-linuxkit-configure -c 4` to give the builder 4 CPUs. + You may want to use `nix-linuxkit-configure -c 4` to give the builder 4 CPUs. 2. Confirm that nix-linuxkit works ``` - nix-build ~/.cache/nix-linuxkit-builder/example.nix - ``` + nix-build ~/.cache/nix-linuxkit-builder/example.nix + ``` - As the installer says, run a `nix-build` to make sure that you are able to build linux binaries. The `example.nix` is specifically configured to force a x86_64-linux build. Remove the generated `result` folder afterwards. + As the installer says, run a `nix-build` to make sure that you are able to build linux binaries. The `example.nix` is specifically configured to force a x86_64-linux build. Remove the generated `result` folder afterwards. ## 4. Nixops deployment (macOS) 
@@ -195,53 +195,53 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht 1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example: - ``` - wget https://releases.nixos.org/nixos/19.09/nixos-19.09.2284.bf7c0f0461e/nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso - sha256sum nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso - # output: 9768eb945bef410fccfb82cb3d2e7ce7c02c3430aed0f2f1527273cb080fff3e - ``` - Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd. + ``` + wget https://releases.nixos.org/nixos/19.09/nixos-19.09.2284.bf7c0f0461e/nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso + sha256sum nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso + # output: 9768eb945bef410fccfb82cb3d2e7ce7c02c3430aed0f2f1527273cb080fff3e + ``` + Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd. 2. Write NixOS iso to install media (USB/CD). For example: - ``` - cp nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso /dev/sdX - ``` + ``` + cp nixos-minimal-19.09.2284.bf7c0f0461e-x86_64-linux.iso /dev/sdX + ``` - Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l` + Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l` 3. Boot the system - You will have to find out if your hardware uses UEFI or Legacy Boot for the next step. + You will have to find out if your hardware uses UEFI or Legacy Boot for the next step. 4. 
Option 1: Partition and format for UEFI - ``` - parted /dev/sda -- mklabel gpt - parted /dev/sda -- mkpart primary 512MiB -8GiB - parted /dev/sda -- mkpart primary linux-swap -8GiB 100% - parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB - parted /dev/sda -- set 3 boot on - mkfs.ext4 -L nixos /dev/sda1 - mkswap -L swap /dev/sda2 - mkfs.fat -F 32 -n boot /dev/sda3 - mount /dev/disk/by-label/nixos /mnt - mkdir -p /mnt/boot - mount /dev/disk/by-label/boot /mnt/boot - swapon /dev/sda2 - ``` + ``` + parted /dev/sda -- mklabel gpt + parted /dev/sda -- mkpart primary 512MiB -8GiB + parted /dev/sda -- mkpart primary linux-swap -8GiB 100% + parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB + parted /dev/sda -- set 3 boot on + mkfs.ext4 -L nixos /dev/sda1 + mkswap -L swap /dev/sda2 + mkfs.fat -F 32 -n boot /dev/sda3 + mount /dev/disk/by-label/nixos /mnt + mkdir -p /mnt/boot + mount /dev/disk/by-label/boot /mnt/boot + swapon /dev/sda2 + ``` 4. Option 2: Partition and format for Legacy Boot (MBR) - ``` - parted /dev/sda -- mklabel msdos - parted /dev/sda -- mkpart primary 1MiB -8GiB - parted /dev/sda -- mkpart primary linux-swap -8GiB 100% - mkfs.ext4 -L nixos /dev/sda1 - mkswap -L swap /dev/sda2 - mount /dev/disk/by-label/nixos /mnt - swapon /dev/sda2 - ``` + ``` + parted /dev/sda -- mklabel msdos + parted /dev/sda -- mkpart primary 1MiB -8GiB + parted /dev/sda -- mkpart primary linux-swap -8GiB 100% + mkfs.ext4 -L nixos /dev/sda1 + mkswap -L swap /dev/sda2 + mount /dev/disk/by-label/nixos /mnt + swapon /dev/sda2 + ``` 4. Option 3: Set up encrypted partitions: 
@@ -249,76 +249,76 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht 5. Generate NixOS config - ``` - nixos-generate-config --root /mnt - nano /mnt/etc/nixos/configuration.nix - ``` - - Option 1: Edit NixOS configuration for UEFI - - ``` - { config, pkgs, ... }: { - imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - boot.loader.systemd-boot.enable = true; - - # Note: setting fileSystems is generally not - # necessary, since nixos-generate-config figures them out - # automatically in hardware-configuration.nix. - #fileSystems."/".device = "/dev/disk/by-label/nixos"; - - # Enable the OpenSSH server. - services.openssh = { - enable = true; - permitRootLogin = "yes"; - }; - } - ``` - - Option 2: Edit NixOS configuration for Legacy Boot (MBR) - - ``` - { config, pkgs, ... }: { - imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; - - boot.loader.grub.device = "/dev/sda"; - - # Note: setting fileSystems is generally not - # necessary, since nixos-generate-config figures them out - # automatically in hardware-configuration.nix. - #fileSystems."/".device = "/dev/disk/by-label/nixos"; - - # Enable the OpenSSH server. - services.openssh = { - enable = true; - permitRootLogin = "yes"; - }; - } - ``` + ``` + nixos-generate-config --root /mnt + nano /mnt/etc/nixos/configuration.nix + ``` + + Option 1: Edit NixOS configuration for UEFI + + ``` + { config, pkgs, ... }: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot.loader.systemd-boot.enable = true; + + # Note: setting fileSystems is generally not + # necessary, since nixos-generate-config figures them out + # automatically in hardware-configuration.nix. + #fileSystems."/".device = "/dev/disk/by-label/nixos"; + + # Enable the OpenSSH server. 
+ services.openssh = { + enable = true; + permitRootLogin = "yes"; + }; + } + ``` + + Option 2: Edit NixOS configuration for Legacy Boot (MBR) + + ``` + { config, pkgs, ... }: { + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + boot.loader.grub.device = "/dev/sda"; + + # Note: setting fileSystems is generally not + # necessary, since nixos-generate-config figures them out + # automatically in hardware-configuration.nix. + #fileSystems."/".device = "/dev/disk/by-label/nixos"; + + # Enable the OpenSSH server. + services.openssh = { + enable = true; + permitRootLogin = "yes"; + }; + } + ``` 6. Do the installation - ``` - nixos-install - ``` - Set root password - ``` - setting root password... - Enter new UNIX password: - Retype new UNIX password: - ``` + ``` + nixos-install + ``` + Set root password + ``` + setting root password... + Enter new UNIX password: + Retype new UNIX password: + ``` 7. If everything went well - ``` - reboot - ``` + ``` + reboot + ``` ## 2. nix-bitcoin installation 
@@ -327,115 +327,115 @@ You can also build Nix from source by following the instructions at https://nixo 1. Install Dependencies (Debian 9 stretch) - ``` - sudo apt-get install curl git gnupg2 dirmngr - ``` + ``` + sudo apt-get install curl git gnupg2 dirmngr + ``` 2. Install Latest Nix with GPG Verification - ``` - curl -o install-nix https://nixos.org/nix/install - curl -o install-nix.sig https://nixos.org/nix/install.sig - gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE - gpg2 --verify ./install-nix.sig - sh ./install-nix --daemon - . /home/user/.nix-profile/etc/profile.d/nix.sh - ``` - - Then follow the instructions. Open a new terminal window when you're done. - - If you get an error similar to - ``` - error: cloning builder process: Operation not permitted - error: unable to start build process - /tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile - ``` - you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script. + ``` + curl -o install-nix https://nixos.org/nix/install + curl -o install-nix.sig https://nixos.org/nix/install.sig + gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE + gpg2 --verify ./install-nix.sig + sh ./install-nix --daemon + . /home/user/.nix-profile/etc/profile.d/nix.sh + ``` + + Then follow the instructions. Open a new terminal window when you're done. + + If you get an error similar to + ``` + error: cloning builder process: Operation not permitted + error: unable to start build process + /tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile + ``` + you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script. 3. Optional: Disallow substitutes - You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source. 
- This eliminates an attack vector where nix's build server or binary cache is compromised. + You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source. + This eliminates an attack vector where nix's build server or binary cache is compromised. 4. Clone this project - ``` - cd - git clone https://github.com/fort-nix/nix-bitcoin - cd ~/nix-bitcoin - ``` + ``` + cd + git clone https://github.com/fort-nix/nix-bitcoin + cd ~/nix-bitcoin + ``` 5. Create network file - ``` - nano network/network-nixos.nix - ``` + ``` + nano network/network-nixos.nix + ``` - ``` - { - bitcoin-node = - { config, pkgs, ... }: - { deployment.targetHost = "1.2.3.4"; - }; - } - ``` + ``` + { + bitcoin-node = + { config, pkgs, ... }: + { deployment.targetHost = "1.2.3.4"; + }; + } + ``` - Replace 1.2.3.4 with NixOS machine's IP address. + Replace 1.2.3.4 with NixOS machine's IP address. 6. Edit `configuration.nix` - ``` - nano configuration.nix - ``` + ``` + nano configuration.nix + ``` - Uncomment `./hardware-configuration.nix` line by removing #. + Uncomment `./hardware-configuration.nix` line by removing #. 7. Create `hardware-configuration.nix` - ``` - nano hardware-configuration.nix - ``` - Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file. + ``` + nano hardware-configuration.nix + ``` + Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file. 8. Add boot option to `hardware-configuration.nix` - Option 1: Enable systemd boot for UEFI - ``` - boot.loader.grub.device = "/dev/sda"; - ``` - Option 2: Set grub device for Legacy Boot (MBR) - ``` - boot.loader.grub.device = "/dev/sda"; - ``` + Option 1: Enable systemd boot for UEFI + ``` + boot.loader.grub.device = "/dev/sda"; + ``` + Option 2: Set grub device for Legacy Boot (MBR) + ``` + boot.loader.grub.device = "/dev/sda"; + ``` 9. 
Setup environment - ``` - nix-shell - ``` + ``` + nix-shell + ``` - This will set up your nix-bitcoin environment and might take a while without giving an output. + This will set up your nix-bitcoin environment and might take a while without giving an output. 10. Create nixops deployment in nix-shell. - ``` - nixops create network/network.nix network/network-nixos.nix -d bitcoin-node - ``` + ``` + nixops create network/network.nix network/network-nixos.nix -d bitcoin-node + ``` 11. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. 12. Deploy Nixops in nix-shell - ``` - nixops deploy -d bitcoin-node - ``` + ``` + nixops deploy -d bitcoin-node + ``` - This will now create a nix-bitcoin node on the target machine. + This will now create a nix-bitcoin node on the target machine. 13. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with - ``` - nixops ssh operator@bitcoin-node - ``` + ``` + nixops ssh operator@bitcoin-node + ``` See [usage.md](usage.md) for usage instructions, such as how to update. diff --git a/docs/usage.md b/docs/usage.md index bffca254..377f5a15 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -5,24 +5,24 @@ Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell ### Verifying GPG Signatures (recommended) 1. Import jonasnick's gpg key - ``` - gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 - ``` + ``` + gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 + ``` 2. Trust jonasnick's gpg key - - ``` - gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 - trust - 4 - quit - ``` + + ``` + gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 + trust + 4 + quit + ``` 3. Verify commit after `git pull` - ``` - git verify-commit - ``` + ``` + git verify-commit + ``` Nodeinfo --- 
@@ -36,45 +36,45 @@ Connect to spark-wallet * [Spark-wallet](https://github.com/shesek/spark-wallet) installed from [direct download](https://github.com/shesek/spark-wallet/releases) or [Google Play](https://play.google.com/store/apps/details?id=com.spark.wallet) 1. Enable spark-wallet in `configuration.nix` - - Change - ``` - # services.spark-wallet.enable = true; - ``` - to - ``` - services.spark-wallet.enable = true; - ``` + + Change + ``` + # services.spark-wallet.enable = true; + ``` + to + ``` + services.spark-wallet.enable = true; + ``` 2. Deploy new `configuration.nix` - ``` - nixops deploy -d bitcoin-node - ``` + ``` + nixops deploy -d bitcoin-node + ``` 3. Enable Orbot VPN for spark-wallet - ``` - Open Orbot app - Turn on "VPN Mode" - Select Gear icon under "Tor-Enabled Apps" - Toggle checkbox under Spark icon - ``` + ``` + Open Orbot app + Turn on "VPN Mode" + Select Gear icon under "Tor-Enabled Apps" + Toggle checkbox under Spark icon + ``` 4. Get the onion address, access key and QR access code for the spark wallet android app - ``` - journalctl -eu spark-wallet - ``` - Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlightning the entire output to invert the colors. + ``` + journalctl -eu spark-wallet + ``` + Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlightning the entire output to invert the colors. 5. Connect to spark-wallet android app - ``` - Server Settings - Scan QR - Done - ``` + ``` + Server Settings + Scan QR + Done + ``` Connect to electrs --- 
@@ -88,90 +88,90 @@ Connect to electrs * [Electrum](https://electrum.org/#download) installed 1. Enable electrs in `configuration.nix` - - Change - ``` - # services.electrs.enable = true; - ``` - to - ``` - services.electrs.enable = true; - ``` + + Change + ``` + # services.electrs.enable = true; + ``` + to + ``` + services.electrs.enable = true; + ``` 2. Deploy new `configuration.nix` - ``` - nixops deploy -d bitcoin-node - ``` + ``` + nixops deploy -d bitcoin-node + ``` 3. Get electrs onion address - ``` - nodeinfo | grep 'ELECTRS_ONION' - ``` + ``` + nodeinfo | grep 'ELECTRS_ONION' + ``` 4. Connect to electrs - On electrum wallet laptop - ``` - electrum --oneserver --server=:50002:s --proxy=socks5:localhost:9050 - ``` - - On electrum android phone - ``` - Three dots in the upper-right-hand corner - Network - Proxy mode: socks5, Host: 127.0.0.1, Port: 9050 - Ok - Server - Host: , Port: 50002 - Ok - Auto-connect: OFF - One-server mode: ON - ``` + On electrum wallet laptop + ``` + electrum --oneserver --server=:50002:s --proxy=socks5:localhost:9050 + ``` + + On electrum android phone + ``` + Three dots in the upper-right-hand corner + Network + Proxy mode: socks5, Host: 127.0.0.1, Port: 9050 + Ok + Server + Host: , Port: 50002 + Ok + Auto-connect: OFF + One-server mode: ON + ``` Connect to nix-bitcoin node through ssh Tor Hidden Service --- 1. Run `nodeinfo` on your nix-bitcoin node and note the `SSHD_ONION` - ``` - nixops ssh operator@bitcoin-node - nodeinfo | grep 'SSHD_ONION' - ``` + ``` + nixops ssh operator@bitcoin-node + nodeinfo | grep 'SSHD_ONION' + ``` -2. Create a SSH key +2. Create a SSH key - ``` - ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 - ``` + ``` + ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 + ``` 3. 
Place the ed25519 key's fingerprint in the `configuration.nix` `openssh.authorizedKeys.keys` field like so - ``` - # FIXME: Add your SSH pubkey - services.openssh.enable = true; - users.users.root = { - openssh.authorizedKeys.keys = [ "[contents of ~/.ssh/id_ed25519.pub]" ]; - }; - ``` + ``` + # FIXME: Add your SSH pubkey + services.openssh.enable = true; + users.users.root = { + openssh.authorizedKeys.keys = [ "[contents of ~/.ssh/id_ed25519.pub]" ]; + }; + ``` 4. Connect to your nix-bitcoin node's ssh Tor Hidden Service, forwarding a local port to the nix-bitcoin node's ssh server - ``` - ssh -i ~/.ssh/id_ed25519 -L [random port of your choosing]:localhost:22 root@[your SSHD_ONION] - ``` + ``` + ssh -i ~/.ssh/id_ed25519 -L [random port of your choosing]:localhost:22 root@[your SSHD_ONION] + ``` 5. Edit your `network-nixos.nix` to look like this - ``` - { - bitcoin-node = - { config, pkgs, ... }: - { deployment.targetHost = "127.0.0.1"; - deployment.targetPort = [random port of your choosing]; - }; - } - ``` + ``` + { + bitcoin-node = + { config, pkgs, ... }: + { deployment.targetHost = "127.0.0.1"; + deployment.targetPort = [random port of your choosing]; + }; + } + ``` 6. Now you can run `nixops deploy -d bitcoin-node` and it will connect through the ssh tunnel you established in step iv. This also allows you to do more complex ssh setups that `nixops ssh` doesn't support. An example would be authenticating with [Trezor's ssh agent](https://github.com/romanz/trezor-agent), which provides extra security. 
@@ -180,64 +180,64 @@ Initialize a Trezor for Bitcoin Core's Hardware Wallet Interface 1. Enable Trezor in `configuration.nix` - Change - ``` - # services.hardware-wallets.trezor = true; - ``` - to - ``` - services.hardware-wallets.trezor = true; - ``` + Change + ``` + # services.hardware-wallets.trezor = true; + ``` + to + ``` + services.hardware-wallets.trezor = true; + ``` 2. Deploy new `configuration.nix` - ``` - nixops deploy -d bitcoin-node - ``` + ``` + nixops deploy -d bitcoin-node + ``` 3. Check that your nix-bitcoin node recognizes your Trezor - ``` - nixops ssh operator@bitcoin-node - lsusb - ``` - Should show something relating to your Trezor + ``` + nixops ssh operator@bitcoin-node + lsusb + ``` + Should show something relating to your Trezor 4. If your Trezor has outdated firmware or is not yet initialized: Start your Trezor in bootloader mode - Trezor v1 - ``` - Plug in your Trezor with both buttons depressed - ``` + Trezor v1 + ``` + Plug in your Trezor with both buttons depressed + ``` - Trezor v2 - ``` - Start swiping your finger across your Trezor's touchscreen and plug in the USB cable when your finger is halfway through - ``` + Trezor v2 + ``` + Start swiping your finger across your Trezor's touchscreen and plug in the USB cable when your finger is halfway through + ``` 5. If your Trezor's firmware is outdated: Update your Trezor's firmware - ``` - trezorctl firmware-update - ``` - Follow the on-screen instructions + ``` + trezorctl firmware-update + ``` + Follow the on-screen instructions - **Caution: This command _will_ wipe your Trezor. If you already store Bitcoin on it, only do this with the recovery seed nearby.** + **Caution: This command _will_ wipe your Trezor. If you already store Bitcoin on it, only do this with the recovery seed nearby.** 6. 
If your Trezor is not yet initialized: Set up your Trezor - ``` - trezorctl reset-device -p - ``` - Follow the on-screen instructions + ``` + trezorctl reset-device -p + ``` + Follow the on-screen instructions 7. Find your Trezor - ``` - hwi enumerate - hwi -t trezor -d promptpin - hwi -t trezor -d sendpin - hwi enumerate - ``` + ``` + hwi enumerate + hwi -t trezor -d promptpin + hwi -t trezor -d sendpin + hwi enumerate + ``` 8. Follow Bitcoin Core's instructions on [Using Bitcoin Core with Hardware Wallets](https://github.com/bitcoin-core/HWI/blob/master/docs/bitcoin-core-usage.md) to use your Trezor with `bitcoin-cli` on your nix-bitcoin node From 65039be65692fee706b03d9049dd08028dfecf11 Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sat, 21 Mar 2020 20:02:51 +0000 Subject: [PATCH 12/16] docs: Remove duplicate instructions --- docs/install.md | 37 +++---------------------------------- 1 file changed, 3 insertions(+), 34 deletions(-) diff --git a/docs/install.md b/docs/install.md index 11015ac6..17185817 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -320,42 +320,11 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht reboot ``` -## 2. nix-bitcoin installation - -On the machine you are deploying from: -You can also build Nix from source by following the instructions at https://nixos.org/nix/manual/#ch-installing-source. - -1. Install Dependencies (Debian 9 stretch) - - ``` - sudo apt-get install curl git gnupg2 dirmngr - ``` - -2. Install Latest Nix with GPG Verification - - ``` - curl -o install-nix https://nixos.org/nix/install - curl -o install-nix.sig https://nixos.org/nix/install.sig - gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE - gpg2 --verify ./install-nix.sig - sh ./install-nix --daemon - . /home/user/.nix-profile/etc/profile.d/nix.sh - ``` - - Then follow the instructions. Open a new terminal window when you're done. - - If you get an error similar to - ``` - error: cloning builder process: Operation not permitted - error: unable to start build process - /tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile - ``` - you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script. +## 2. Nix installation -3. Optional: Disallow substitutes +Follow the instructions from [Nix installation on debian](#2-nix-installation) (on the machine you are going to deploy from). - You can put `substitute = false` to your `nix.conf` usually found in `/etc/nix/` to build the packages from source. - This eliminates an attack vector where nix's build server or binary cache is compromised. +## 3. Nixops deployment 4. Clone this project From 705d187a35b728e6091428be3fd07da576516e2a Mon Sep 17 00:00:00 2001 
From: Erik Arvstedt
Date: Sun, 29 Mar 2020 18:21:12 +0200
Subject: [PATCH 13/16] examples/shell.nix: don't run shellHook on subsequent nix-shells
This avoids an extra delay and the unexpected creation of secrets when run in another dir. Needed for the 'fetch-release' script introduced in a later commit.
---
 examples/shell.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/examples/shell.nix b/examples/shell.nix
index 7a6b94a7..3f0c7c9c 100644
--- a/examples/shell.nix
+++ b/examples/shell.nix
@@ -32,5 +32,8 @@ stdenv.mkDerivation rec {
 figlet "nix-bitcoin"
 (mkdir -p secrets; cd secrets; ${nix-bitcoin.generate-secrets})
+
+ # Don't run this hook when another nix-shell is run inside this shell
+ unset shellHook
 '';
 }
From c303cd47e4880dae59f8ada846f0c61f0931058f Mon Sep 17 00:00:00 2001
From: Jonas Nick
Date: Tue, 24 Mar 2020 21:09:34 +0000
Subject: [PATCH 14/16] Add push-release.sh helper
Prepares, signs and pushes a release to github.
---
 helper/push-release.sh | 59 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100755 helper/push-release.sh
diff --git a/helper/push-release.sh b/helper/push-release.sh
new file mode 100755
index 00000000..b471d009
--- /dev/null
+++ b/helper/push-release.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO=fort-nix/nix-bitcoin
+BRANCH=master
+OAUTH_TOKEN=$(pass show nix-bitcoin/github/oauth-token)
+
+if [[ ! $OAUTH_TOKEN ]]; then
+ echo "Please set OAUTH_TOKEN variable"
+fi
+
+if [[ $# < 1 ]]; then
+ echo "$0 "
+ exit
+fi
+TAG_NAME=$1
+
+RESPONSE=$(curl https://api.github.com/repos/$REPO/releases/latest 2> /dev/null)
+echo "Latest release" $(echo $RESPONSE | jq -r '.tag_name' | tail -c +2)
+while true; do
+ read -p "Create release $1? [yn] " yn
+ case $yn in
+ [Yy]* ) break;;
+ [Nn]* ) exit;;
+ * ) echo "Please answer y or n.";;
+ esac
+done
+
+TMPDIR=$(mktemp -d)
+trap "rm -rf $TMPDIR" EXIT
+ARCHIVE_NAME=nix-bitcoin-$TAG_NAME.tar.gz
+ARCHIVE=$TMPDIR/$ARCHIVE_NAME
+
+# Need to be in the repositories root directory for archiving
+(cd $(git rev-parse --show-toplevel); git archive --format=tar.gz -o $ARCHIVE $BRANCH)
+
+SHA256SUMS=$TMPDIR/SHA256SUMS.txt
+# Want to use relative path with sha256sums because it'll output the first
+# argument
+(cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS)
+gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS
+
+POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_comitish\": \"$BRANCH\" }"
+RESPONSE=$(curl -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases 2> /dev/null)
+ID=$(echo $RESPONSE | jq -r '.id')
+if [[ $ID == null ]]; then
+ echo "Failed to create release with $POST_DATA"
+ exit 1
+fi
+
+post_asset() {
+ GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name="
+ curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
+ $GH_ASSET/$(basename $1) &> /dev/null
+}
+post_asset $ARCHIVE
+post_asset $SHA256SUMS
+post_asset $SHA256SUMS.asc
+echo "Successfully created" $(echo $POST_DATA | jq -r .tag_name)
From 5ed0284db99e6659b8be3065db44648d6660d57c Mon Sep 17 00:00:00 2001
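Review bot: `post_asset` runs curl without `--fail` and sends everything to `/dev/null`, so a rejected upload of the archive, `SHA256SUMS.txt` or its `.asc` signature goes unnoticed and the script still prints `Successfully created`; with `set -e` only a transport-level failure would abort. The `OAUTH_TOKEN` check has no `exit 1`, so an empty token prints the message and then continues into the authenticated API calls. `target_comitish` is misspelled (the GitHub releases API parameter is `target_commitish`), so the field is ignored and the tag is created on the repository's default branch, while the signed archive is taken from the local `$BRANCH`; if the two ever differ, the signed checksum no longer describes the tagged commit. Two smaller points: `[[ $# < 1 ]]` compares strings inside `[[ ]]` (`-lt` is the numeric test), and `$GH_ASSET/$(basename $1)` inserts a `/` directly after `?name=`, which looks unintended. Passing the token on the curl command line also exposes it in the process list to other local users; curl can read the header from a file (`-H @file`) if that matters on the release machine.
```shell
if [[ ! $OAUTH_TOKEN ]]; then
  echo "Please set OAUTH_TOKEN variable"
  exit 1
fi

if [[ $# -lt 1 ]]; then
# … unchanged: usage message, tag prompt, archive and SHA256SUMS creation, signing …

POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_commitish\": \"$BRANCH\" }"
# … unchanged: release creation and ID check …

post_asset() {
  GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name="
  # --fail turns an HTTP error into a non-zero exit status, which set -e then propagates
  curl --fail --silent --show-error -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" \
    -H "Content-Type: application/octet-stream" "$GH_ASSET$(basename "$1")" > /dev/null
}
```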
From: Jonas Nick Date: Sun, 22 Mar 2020 16:14:20 +0000 Subject: [PATCH 15/16] Add fetch-release script This allows getting the hash of the latest (or some other) release using github releases and gpg verification. --- docs/usage.md | 26 ++++------------------ examples/nix-bitcoin-release.nix | 1 + examples/shell.nix | 19 ++++++++++------ helper/fetch-release | 36 +++++++++++++++++++++++++++++++ helper/key-jonasnick.bin | Bin 0 -> 2811 bytes 5 files changed, 54 insertions(+), 28 deletions(-) create mode 100644 examples/nix-bitcoin-release.nix create mode 100755 helper/fetch-release create mode 100644 helper/key-jonasnick.bin diff --git a/docs/usage.md b/docs/usage.md index 377f5a15..be7675c0 100644 --- a/docs/usage.md +++ b/docs/usage.md @@ -1,28 +1,10 @@ Updating --- -Run `git pull` in the nix-bitcoin directory, enter the nix shell with `nix-shell` and redeploy with `nixops deploy -d bitcoin-node`. +In your deployment directory, enter the nix shell with `nix-shell` and run -### Verifying GPG Signatures (recommended) -1. Import jonasnick's gpg key - - ``` - gpg2 --receive-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 - ``` - -2. Trust jonasnick's gpg key - - ``` - gpg2 --edit-key 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 - trust - 4 - quit - ``` - -3. Verify commit after `git pull` - - ``` - git verify-commit - ``` +``` +fetch-release > nix-bitcoin-release.nix +``` Nodeinfo --- diff --git a/examples/nix-bitcoin-release.nix b/examples/nix-bitcoin-release.nix new file mode 100644 index 00000000..a87522de --- /dev/null +++ b/examples/nix-bitcoin-release.nix @@ -0,0 +1 @@ +../. diff --git a/examples/shell.nix b/examples/shell.nix index 3f0c7c9c..22981341 100644 --- a/examples/shell.nix +++ b/examples/shell.nix 
@@ -1,10 +1,12 @@
 let
- # TODO:
- # nix-bitcoin-path = builtins.fetchTarball {
- # url = "https://github.com/fort-nix/nix-bitcoin/archive/master.tar.gz";
- # sha256 = "1mlvfakjgbl67k4k9mgafp5gvi2gb2p57xwxwffqr4chx8g848n7";
- # };
- nix-bitcoin-path = ../.;
+ # This is either a path to a local nix-bitcoin source or an attribute set to
+ # be used as the fetchurl argument.
+ nix-bitcoin-release = import ./nix-bitcoin-release.nix;
+
+ nix-bitcoin-path =
+ if builtins.isAttrs nix-bitcoin-release then nix-bitcoin-unpacked
+ else nix-bitcoin-release;
+
 nixpkgs-path = (import "${toString nix-bitcoin-path}/pkgs/nixpkgs-pinned.nix").nixpkgs;
 nixpkgs = import nixpkgs-path {};
 nix-bitcoin = nixpkgs.callPackage nix-bitcoin-path {};
@@ -13,6 +15,10 @@ let
 url = "https://github.com/erikarvstedt/extra-container/archive/6cced2c26212cc1c8cc7cac3547660642eb87e71.tar.gz";
 sha256 = "0qr41mma2iwxckdhqfabw3vjcbp2ffvshnc3k11kwriwj14b766v";
 }) {};
+
+ nix-bitcoin-unpacked = (import {}).runCommand "nix-bitcoin-src" {} ''
+ mkdir $out; tar xf ${builtins.fetchurl nix-bitcoin-release} -C $out
+ '';
 in
 with nixpkgs;
@@ -23,6 +29,7 @@ stdenv.mkDerivation rec {
 shellHook = ''
 export NIX_PATH="nixpkgs=${nixpkgs-path}:nix-bitcoin=${toString nix-bitcoin-path}:."
+ alias fetch-release="${toString nix-bitcoin-path}/helper/fetch-release"
 # ssh-agent and nixops don't play well together (see
 # https://github.com/NixOS/nixops/issues/256). I'm getting `Received disconnect
diff --git a/helper/fetch-release b/helper/fetch-release
new file mode 100755
index 00000000..65293864
--- /dev/null
+++ b/helper/fetch-release
@@ -0,0 +1,36 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p bash coreutils curl jq gnugrep gnupg
+set -euo pipefail
+
+scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
+
+REPO=fort-nix/nix-bitcoin
+if [[ ! -v VERSION ]]; then
+ VERSION=$(curl --silent "https://api.github.com/repos/$REPO/releases/latest" | jq -r '.tag_name' | tail -c +2)
+fi
+
+TMPDIR=$(mktemp -d)
+GPG_HOME=$(mktemp -d)
+trap "rm -rf $TMPDIR $GPG_HOME" EXIT
+
+cd $TMPDIR
+BASEURL=https://github.com/$REPO/releases/download/v$VERSION
+curl --silent -L -O $BASEURL/SHA256SUMS.txt
+curl --silent -L -O $BASEURL/SHA256SUMS.txt.asc
+
+# Import key and verify fingerprint
+gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
+gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
+
+gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
+ echo "ERROR: Signature verification failed. Please open an issue in the project repository."
+ exit 1
+}
+
+SHA256=$(cat SHA256SUMS.txt | grep -Eo '^[^ ]+')
+cat <7xKocV)ZSEe+bXy%v$v2gSkf%ThA<3%%-ij&1I+1^zFc2Uvi&`0m zzI{i8bqsQ2pF`eRmBC7Ls9f|l5g7C0bSpSGhzv%X50Ju?@!8e8Ueenzn^u?x(ER>q zy>d^ICE5q(y#pq-!cNm=)p51;G}Iu}9?|BIP~_T?nU!jHf_W1jt>vq6yq9_PqkBvdvEq+aBCRpnSJd=lu1(Mds$PKv1_(IA<7wB2YLlEb% zWPVF>KEE&n1h7Fd1TAL80Q(v5KJF#yiZ10QOjZ~vtqiyEva)UB2E`_AnDcD~|0uYq zKvI^-eCDd?8V}%0Zh3h>zbKv;72+aB#W$w+rZ{99ycHW>$EYfvRpIm1kPsz9+^94F zJ*TAw{rp99+j#&H0RRECB1&&=VRIl(X=7_3JZf)lVRK|IZfRp{Kxb`XX>2ZIZ*4w_ z0zU*30RjLi0viJd3ke7Z0|EgC6$k=)Igf+GvTB_Rpu&#)`_hE7i(oKL-GJ@WaBN`a>UjC3DD}Y z^ta5+p>qquvUj_zyP?$s#mwFK)q<$La5+SUp*}{TVii(jYA(g2Q7S-c1Mvcr96ClY z&?b@ikR!aD?BlT~wf~(ONbpJ2uyM4qTsMi~x{|u^EXU%l(sSn!H$O{bcR%1p!L=ex z8V6R^p0YBBiW2n5lSu7GXEEJIxL9QIXC9NSzdslfbLDT1` z0x|QTUvU3m%;Vt8Q^Xset-_=>cXo$rD|UN4a_{ztq6t+6#wN5U))Zu#?$$9!b8tZX z2Wa55v5zGi8%YB~H(k6DCP0Z6<;|6@M>AsoAPC~{i9vou`ke6mMn=v^zLZ2f>*Cm&q zP@`w0$ylrCZna2e?+|> z>nA|eB3i(F4OhQa2>YG(ruekgpoOVm=o4G!JN>mjQz=ZyQ&f~ta*zlvNG5e9G=jv<
zmh}#^IsY!d(|(5DQ>8QFUiR_gWWe=BuHeZmYqwsj47v2hV!EVY1q>V?rI>*|wAl6= zF%0R&1djynFE_WpNyTXbSJO|OvV#Q?Z_j=Mg3!!eEh%de3zkkdkzZA^;MCJ8lt7NJ zSP!PVlr~n)Y_pi1S9+f9WB&5Wy@-%6@N=MYcwdn(MsC4|OJH;>gyqM(d81SrlAZQN z2R5j4oTYv}<^m(X1OX5jG~`CtEN&6} zP|477mg~1OkHk*6(~Ub*LP;uFUTyP;S4yGNa%qcO`Qh*&We{jB>6dUFKf)=2 zR15I00$|f&01*KI0f_{11Q-Db045e81UAPSH_6$Ez33$f*|Db%PmRq3W&#@m1p-|f zLWczj1*$|{0zkoZAOsl!2ml=xAp}digj#P}Wu~3_>?25F+wx)(HU$L&Sy3^n0162Z zNMYOZViGn5Ek+OjY2cRyJdomQf8NaVFWROn+{3{8Us91Pqu&wz=>be8C!Y}nzi2jN z!;>w;+}0xYC1yC0^P2@mR_Mj&KEjq)Qt;|i=*#@*0=$nrn;_zW-?8fw&C9GsbRAZ0y%^DO3sfgGejddbUZsT3fm3Zr2gpGxAi=zwp z5skFe(L~Z)Ll3yl2>G9-eDImi30PRLAj!ALFVRYOm{k{5+|RM-nrfZLOU>OjC!hiw z#5I0`sWVkk(LA|21OmG^33}idlgHc{U;?mzh}V~`_9Q$-AIz&Y`R7jt4w<3gvk{iZ zrJg-ouRuH28Y>m3%(uGpX7lbp@)If}QDaWfOMK1|ki^7njLDv;KZy5k%z~fv@-auu zCt|&0@nUhSr$)HU(Ib8KQe}lX86a-Yl4f>xX9uy-rk+9;PuKQu!g$oZ)osRadV~cT zS>tuxZmE<(b>eQ*V>tqT7nTqKEuA8v$h>~e30__~MV!gPFz{nO_SF9paboEmgJA7) z{Q{sG2@tWT4o{8E17_e|5CEdTwKkT)`N-yL-2vTiA-9p(u(LI*yF*{74R3}ViNKbw zcdkrriwHo}?L6mZk;*Q*k6cp!s1L^Or?J$erG}B9QVOeMDxk!FSzS2_$!dYl znkfg46y%-au%{k|T2ss&{-00is|_v;DxGobdN9?pK(+t? literal 0 HcmV?d00001 From b2e15c17b8c9fe5c55a271204b5c12e80aba15ec Mon Sep 17 00:00:00 2001 From: Jonas Nick Date: Sat, 21 Mar 2020 21:08:51 +0000 Subject: [PATCH 16/16] docs: Update to new deployment method (import instead of fork) Now you clone nix-bitcoin and start out from the examples. --- docs/install.md | 82 ++++++++++++++++++++++++++++++------------------- 1 file changed, 51 insertions(+), 31 deletions(-) diff --git a/docs/install.md b/docs/install.md index 17185817..58cee674 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -84,33 +84,57 @@ You can also build Nix from source by following the instructions at https://nixo This eliminates an attack vector where nix's build server or binary cache is compromised. -## 3. Nixops deployment +## 3. Setup deployment directory 1. Clone this project ``` cd git clone https://github.com/fort-nix/nix-bitcoin - cd ~/nix-bitcoin ``` -2. Setup environment +2. Obtain the hash of the latest nix-bitcoin release + + ``` + cd nix-bitcoin/examples + nix-shell + ``` + + This will download the nix-bitcoin dependencies and might take a while without giving an output. + Now in the nix-shell run + + ``` + fetch-release > nix-bitcoin-release.nix + ``` + +3. Create a new directory for your nix-bitcoin deployment and copy initial files from nix-bitcoin + + ``` + cd ../../ + mkdir nix-bitcoin-node + cd nix-bitcoin-node + cp -r ../nix-bitcoin/examples/{configuration.nix,nixops,shell.nix,nix-bitcoin-release.nix} . + ``` + +## 4. Deploy with NixOps + +1. Enter environment ``` nix-shell ``` - This will set up your nix-bitcoin environment and might take a while without giving an output. + Note that a new directory `secrets/` appeared which contains the secrets for your node. -3. Create nixops deployment in nix-shell. +2. Create nixops deployment in nix-shell. ``` - nixops create network/network.nix network/network-vbox.nix -d bitcoin-node + nixops create nixops/node.nix nixops/node-vbox.nix -d bitcoin-node ``` -4. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. +3. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. -5. Deploy Nixops in nix-shell +4. Deploy Nixops in nix-shell ``` nixops deploy -d bitcoin-node 
@@ -118,7 +142,7 @@ You can also build Nix from source by following the instructions at https://nixo This will now create a nix-bitcoin node on the target machine. -6. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with +5. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with ``` nixops ssh operator@bitcoin-node @@ -128,7 +152,7 @@ See [usage.md](usage.md) for usage instructions, such as how to update. To resize the VM disk image, you can use this helper script from within nix-shell: ``` -./helper/vbox-resize-disk1.sh --help +../nix-bitcoin/helper/vbox-resize-disk1.sh --help ``` ---- @@ -320,24 +344,20 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht reboot ``` -## 2. Nix installation -Follow the instructions from [Nix installation on debian](#2-nix-installation) (on the machine you are going to deploy from). +## 2. Nix installation +Follow the [Nix installation](#2-nix-installation) instructions from the tutorial above (on the machine you are going to deploy from). -## 3. Nixops deployment -4. Clone this project +## 3. Setup deployment directory +Follow the [Setup deployment directory](#3-setup-deployment-directory) instructions from the tutorial above (on the machine you are going to deploy from). - ``` - cd - git clone https://github.com/fort-nix/nix-bitcoin - cd ~/nix-bitcoin - ``` -5. Create network file +## 4. Deploy with NixOps +1. Make sure you are in the deployment directory and create a nixops network file as follows ``` - nano network/network-nixos.nix + nano nixops/node-nixos.nix ``` ``` @@ -351,7 +371,7 @@ Follow the instructions from [Nix installation on debian](#2-nix-installation) ( Replace 1.2.3.4 with NixOS machine's IP address. -6. Edit `configuration.nix` +2. Edit `configuration.nix` ``` nano configuration.nix 
@@ -359,14 +379,14 @@ Follow the instructions from [Nix installation on debian](#2-nix-installation) ( Uncomment `./hardware-configuration.nix` line by removing #. -7. Create `hardware-configuration.nix` +3. Create `hardware-configuration.nix` ``` nano hardware-configuration.nix ``` Copy contents of NixOS machine's `/etc/nixos/hardware-configuration.nix` to file. -8. Add boot option to `hardware-configuration.nix` +4. Add boot option to `hardware-configuration.nix` Option 1: Enable systemd boot for UEFI ``` @@ -377,23 +397,23 @@ Follow the instructions from [Nix installation on debian](#2-nix-installation) ( boot.loader.grub.device = "/dev/sda"; ``` -9. Setup environment +5. Enter environment ``` nix-shell ``` - This will set up your nix-bitcoin environment and might take a while without giving an output. + Note that a new directory `secrets/` appeared which contains the secrets for your node. -10. Create nixops deployment in nix-shell. +6. Create nixops deployment in nix-shell. ``` - nixops create network/network.nix network/network-nixos.nix -d bitcoin-node + nixops create nixops/node.nix nixops/node-nixos.nix -d bitcoin-node ``` -11. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. +7. Adjust configuration by opening `configuration.nix` and removing FIXMEs. Enable/disable the modules you want in `configuration.nix`. -12. Deploy Nixops in nix-shell +8. Deploy Nixops in nix-shell ``` nixops deploy -d bitcoin-node @@ -401,7 +421,7 @@ Follow the instructions from [Nix installation on debian](#2-nix-installation) ( This will now create a nix-bitcoin node on the target machine. -13. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with +9. Nixops automatically creates an ssh key for use with `nixops ssh`. Access `bitcoin-node` through ssh in nix-shell with ``` nixops ssh operator@bitcoin-node