Commit Graph

53 Commits

Author SHA1 Message Date
Erik Arvstedt
6510f269f6
release: add nixos-* version branch
Best practice for flakes containing NixOS modules.

`push-release` now pushes to an extra branch named `nixos-<version>`,
alongside branch `release`.
This allows users to track a specific NixOS release, so that their
config doesn't break when nix-bitcoin switches to a new NixOS
release.
2023-07-09 13:13:05 +02:00
Erik Arvstedt
dd532d4738
push-release: fix OAUTH_TOKEN error handling 2023-07-09 13:07:29 +02:00
Erik Arvstedt
a2b45e00c7
push-release: auto-create release version number 2023-07-09 13:07:29 +02:00
Erik Arvstedt
0ce3fb1c94
push-release: use curl -fSs
Best practice when using curl in scripts.
2023-07-09 13:07:29 +02:00
Erik Arvstedt
40c5419a75
push-release: rename TAG_NAME -> releaseVersion
More precise name.
2023-07-09 13:07:29 +02:00
Jonas Nick
5df123f3a4
Extend expiration date of key-jonasnick.bin
Exported with
`gpg --export-options export-minimal --export 0x4861DBF262123605! > key-jonasnick.bin`.
2023-05-07 19:18:05 +00:00
Erik Arvstedt
a3bdecb10b
helper: add start-bash-session.sh 2023-02-02 10:51:40 +01:00
Erik Arvstedt
62515a5696
helper/update-flake: support updating NixOS versions 2022-12-18 20:01:48 +01:00
Erik Arvstedt
af115d746b
internal scripts: use pinned, cached pkgs
Instead of setting up the script PATH via nix-shell, use
`nix shell` with inputs from the nix-bitcoin flake.
Advantages:
- Uses the nixpkgs version from the nix-bitcoin flake instead of
  `<nixpkgs>` from the user env (NIX_PATH), so the script runtime
  env is reproducible.
- The pkg derivations for the runtime env are cached, which greatly
  increases script startup speed.

This commit was generated by running the following script inside the
repo root dir:

def transform(path, src)
  if src =~ /#! *nix-shell +-i +bash +-p +(.*)/
    pkgs = $1
    if src =~ /^.*?(set -e.*?pipefail)\n/
      set_statement = $1
      src.sub!($&, '')
    end
    src.sub!(/\A.*?#! *nix-shell.*?\n/m, '')

    parents = ([ '..' ] * (path.split('/').count - 1)).join('/')

    [
      '#!/usr/bin/env bash',
      *set_statement,
      %(. "${BASH_SOURCE[0]%/*}/#{parents}/helper/run-in-nix-env" "#{pkgs}" "$@"),
      nil,
      src
    ].join("\n")
  end
end

Dir['**/*.sh'].each do |f|
  src = File.read(f)
  if new_src = transform(f, src)
    puts "Changed file #{f}"
    File.write(f, new_src)
  end
end
2022-08-28 23:49:12 +02:00
Otto Sabart
91a03ce7d2
shellcheck: fix lint of scripts in /helper 2022-08-28 18:25:37 +02:00
Erik Arvstedt
617ed4c8e8
rtl: 0.12.3-beta -> 0.13.0
- Use `fetch-node-modules` to remove the 4161 line file `node-packages.nix`
- Only use nodejs-slim as a runtime dependency
- Shrink package size by >500M by excluding certain dev-only dependencies
2022-08-21 19:11:51 +02:00
Erik Arvstedt
dad9679647
deployment shell: add command build-config 2022-07-17 22:17:48 +02:00
Erik Arvstedt
2926fc27dc
krops: enable evaluating nodes with non-native systems 2022-07-17 22:17:48 +02:00
Erik Arvstedt
96144fde81
update-flake.nix: fix stable pkgs selection
In rare cases, the nixpkgs stable version of a package can be newer
than in unstable nixpkgs. [1]
When this happens, choose the newer stable version instead of the
older unstable version.

[1] E.g., when a package is updated in both nixpkgs stable and unstable,
and nixpkgs stable is released before unstable.
2022-06-27 22:19:06 +02:00
Erik Arvstedt
84fe731c94
treewide: curl: exit with error status on HTTP errors
This makes scripts fail early on request errors.
Previously, curl exited with status 0 when encountering HTTP error status
codes.
`-fsS` equals `--fail --silent --show-error`.
2022-05-17 13:19:38 +02:00
Erik Arvstedt
63b3eec9cd
push-release.sh: fix pushing to master branch 2022-05-17 13:19:37 +02:00
Erik Arvstedt
4b800605e0
add release branch
Use this as the default in the example flake.
2022-05-06 16:49:31 +02:00
Erik Arvstedt
1af84e8b7e
makeShell: use actual system configuration in generate-secrets
This fixes a bug where the version update message for v0.0.65 is erroneously triggered
because the krops config is not included when evaluating secrets.
2022-02-12 21:33:23 +01:00
Jonas Nick
15b88cc1c5
update-flake: fix attribute path of pinned 2022-02-09 13:46:31 +00:00
Erik Arvstedt
d41a550355
fetch-release: export GNUPGHOME
This approach is less error-prone.
It is also used by our fetcher scripts.
2022-02-05 21:33:54 +01:00
Jonas Nick
296e103228
fetch-release: add missing homedir to gpg command 2022-01-21 14:20:38 +00:00
Jonas Nick
a2c01e5a56
update-flake: fix attribute path of pinned
This was missed in d69524143b.
2022-01-01 20:12:47 +00:00
Erik Arvstedt
bc7d3a2ed7
fetch-release: check that only one key is imported
Co-authored-by: nixbitcoin <nixbitcoin@i2pmail.org>
2021-12-15 15:44:55 +01:00
Erik Arvstedt
eaf98f92db
test: add test nixosSearch
This checks that creating module docs for search.nixos.org succeeds.
Errors can happen when complex `default` values can't be evaluated
or on malformed Docbook XML in descriptions.
2021-12-12 16:21:02 +01:00
Erik Arvstedt
627b11d21b
makeShell: use old nix tooling
The `nix` command is an experimental feature and should be avoided in
user-facing code.

I recently saw `nix eval` failing for a user who was asking for help
via Matrix.
2021-12-07 15:35:33 +01:00
Erik Arvstedt
7f77147b60
makeShell: minor improvements
- import pkgs without the global config to avoid pulling in external state
- rename `path` -> `setPath`
- export `nixpkgsUnstable`
  This avoids garbage collection of nixpkgs-unstable for gcrooted
  shell environments (like those created by lorri)
2021-11-08 12:46:27 +01:00
Erik Arvstedt
a5730eb736
makeShell: make the help msg a shell derivation variable
- The message is now a nix string, which simplifies formatting.
- The message can now be modified via overrideAttrs in client shells.
  This is more effective than changing the message in Bash.
2021-11-08 12:46:27 +01:00
Erik Arvstedt
6584540828
makeShell: make help message extensible
Users can now override help and print more help messages alongside `nixBitcoinHelp`.
2021-11-02 17:40:43 +01:00
Erik Arvstedt
265fc1911d
extra-container: pin to nixpkgs-unstable
extra-container is now part of nixpkgs.
2021-10-06 15:34:24 +02:00
Erik Arvstedt
46af0b1a8d
examples: fix shell on non-Linux systems
extra-container is not supported on these systems.

Also mention that VM examples require Linux.
2021-09-26 23:58:46 +02:00
Erik Arvstedt
1f8f2b2139
examples/shell.nix: Add shell version variable
This simplifies future shell upgrades.
2021-09-15 12:22:10 +02:00
Erik Arvstedt
b49c74545f
fetch-release: make GPG key searchable
The non-spaced version gives no matches in major search engines.
This is useful for auditing this script.
2021-09-14 19:56:35 +02:00
Erik Arvstedt
77af2e4538
makeShell: improve update-nix-bitcoin
- Don't overwrite `nix-bitcoin-release.nix` on errors
- Show a message to indicate whether `nix-bitcoin-release.nix` was
  updated
- Don't start a shell when called noninteractively

Also, update `usage.md` and reformat `shell.nix`.
2021-09-14 19:56:35 +02:00
Erik Arvstedt
52aaa8388e
fetch-release: write error messages to stderr
Previously, when used to update `nix-bitcoin-release`, the error
wasn't displayed but instead written to `nix-bitcoin-release`.

Also, show curl error messages.
2021-09-14 19:56:23 +02:00
Erik Arvstedt
fdcb68e96e
examples/shell.nix: add new commands 2021-09-12 11:29:54 +02:00
Erik Arvstedt
a2466b1127
secrets: allow extending generate-secrets
`generate-secrets` is no longer a monolithic script. Instead, it's
composed of the values of option `nix-bitcoin.generateSecretsCmds`.

This has the following advantages:
- generate-secrets is now extensible by users
- Only secrets of enabled services are generated
- RPC IPs in the `lnd` and `loop` certs are no longer hardcoded.

Secrets are no longer automatically generated when entering nix-shell.
Instead, they are generated before deployment (via `krops-deploy`)
because secrets generation is now dependent on the node configuration.
2021-09-12 11:29:54 +02:00
Erik Arvstedt
24fd1e9bdc
improve examples/shell.nix
The user's local node configuration directory usually contains a copy of
examples/shell.nix.

1. Move the shell implementation from shell.nix to nix-bitcoin/helper/makeShell.nix
   Because the shell is no longer defined locally in the user's config
   directory, we can now ship new shell features via nix-bitcoin updates.

2. Simplify examples/nix-bitcoin-release.nix
   nix-bitcoin-release.nix, as generated via `fetch-release`, now
   contains a simple fetchTarball statement which can be directly imported.
   This allows us to get rid of the extra `nix-bitcoin-unpacked` derivation
   which adds a dependency on the user's local nixpkgs.

   To keep `fetch-release` as simple as possible for easy auditing, we just
   fetch and verify a `nar-hash.txt` file that is now uploaded
   via `push-release.sh`.

A migration guide for updating the user's local `shell.nix` is
automatically printed when the user starts a new shell after updating
nix-bitcoin.
This is achieved by throwing an error in `generate-secrets`, which is called
on shell startup.

This commit is required to deploy the new extensible `generate-secrets`
mechanism introduced in the next commit.
2021-09-12 11:29:54 +02:00
Erik Arvstedt
8a757e0486
push-release.sh: improve --dry-run mode
- Don't require OAUTH_TOKEN
- Skip interactive query
2021-09-11 15:07:24 +02:00
Erik Arvstedt
955b44404c
delete helper/fetch-channel
This script was obsoleted by switching to flakes.
2021-09-11 15:07:23 +02:00
Erik Arvstedt
87df809a88
add helper/update-flake.sh
This greatly simplifies updating nixpkgs.
See the comment at the top of update-flake.sh for a description.
2021-08-26 12:45:10 +02:00
Erik Arvstedt
84b3217c3d
fetch-release: minor improvements
This script is potentially fetched from an untrusted source and should
be in good shape to be easily auditable.

- Create just one TMPDIR
- Improve comments
- Use `cut` to extract sha256
- Use camelCase var names like in other scripts
2021-03-16 12:46:18 +01:00
Jonas Nick
a4dabc7390
Remove nixops examples and documentation 2021-03-15 12:42:47 +00:00
Jonas Nick
8e268c5ced
Fetch from the nixpkgs repo instead of nixpkgs-channels
nixpkgs-channels is deprecated.
2020-12-06 21:42:20 +00:00
Erik Arvstedt
1c0233c0a8
use Cirrus CI
- Make more economic use of the free CI resources by removing redundant build tasks:
  - Build unstable pkgs in a single separate task ("pkgs_unstable").
  - All stable pkgs are implicitly built by the modules tests.
- The build script (ci/build.sh) can now be executed locally for easier
  debugging.
- Use an explicit 'cachix push' command instead of helper/wait-for-network-idle.rb.
  This is simpler and more reliable.
2020-12-06 19:07:54 +01:00
Jonas Nick
0c1fb9fd44
push-release: fix bug where assets are not pushed
In a previous commit we found and replaced $1 with $TAG_NAME, but that wasn't
correct for the post_asset() function.
2020-09-24 16:10:23 +00:00
Jonas Nick
6554e69818
Merge #206: Add --dry-run option to push-release script
dd78d2b2a1 Add --dry-run option to push-release script (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK dd78d2b2a1
  nixbitcoin:
    utACK dd78d2b2a1

Tree-SHA512: 75351d8b60899912cbd7a76a5f98b5c19044c15297c268a097d44a0e6bb540aca6a737066290c66cbf82cfae200e8a4b03988d18d2d5e80d3a54284723f80871
2020-09-22 13:33:08 +00:00
Jonas Nick
dd78d2b2a1
Add --dry-run option to push-release script 2020-08-18 08:36:19 +00:00
Jonas Nick
d63bbd07b7
Update jonasnick's gpg key
The subkey used for signing releases recently expired (which is ignored when
verifying with gpg). The primary key would expire soon. Therefore this commit
adds a key with extended expiry date of both primary key and subkey.
2020-07-08 12:03:57 +00:00
Jonas Nick
5ed0284db9
Add fetch-release script
This allows getting the hash of the latest (or some other) release
using github releases and gpg verification.
2020-04-08 07:01:35 +00:00
Jonas Nick
c303cd47e4
Add push-release.sh helper
Prepares, signs and pushes a release to github.
2020-03-30 11:01:31 +02:00