- Update nixos iso
- Make sure to be root before parting and give instructions for checking UEFI vs. legacy
- Instead of making user replace automatically generated nixos config, explain how to add options.
- Add boot.loader options directly to hardware-configuration.nix
- Copy .gitignore when setting up a deployment dir
- Stress that the first config that is deployed remotely must include ssh key.
- Debian: 9 Stretch -> Debian 10 Buster
- nix: 2.3.3 -> 2.3.10
Preliminary steps
Get a machine to deploy nix-bitcoin on (see hardware.md).
Tutorials
Tutorial: install and configure NixOS for nix-bitcoin on your own hardware
0. Preparation
- Optional: Make sure you have the latest firmware for your system (BIOS, microcode updates).
- Optional: Disable Simultaneous Multi-Threading (SMT) in the BIOS.
  Researchers recommend disabling SMT, also known as Hyper-Threading Technology in the Intel® world, to significantly reduce the impact of speculative execution-based attacks (https://mdsattacks.com/).
1. NixOS installation
This is borrowed from the NixOS manual. Look there for more information.
- Obtain the latest NixOS. For example:

  ```shell
  wget https://releases.nixos.org/nixos/20.09/nixos-20.09.2405.e065200fc90/nixos-minimal-20.09.2405.e065200fc90-x86_64-linux.iso
  # compute the checksum of the file you just downloaded and compare it with the expected output
  sha256sum nixos-minimal-20.09.2405.e065200fc90-x86_64-linux.iso
  # output: 5fc182e27a71a297b041b5c287558b21bdabde7068d4fc049752dad3025df867
  ```

  Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd.
- Write the NixOS ISO to the install media (USB/CD). For example:

  ```shell
  cp nixos-minimal-20.09.2405.e065200fc90-x86_64-linux.iso /dev/sdX
  ```

  Replace /dev/sdX with the correct device name. You can find this using

  ```shell
  sudo fdisk -l
  ```
- Boot the system and become root:

  ```shell
  sudo -i
  ```

  You will have to find out whether your hardware uses UEFI or Legacy Boot for the next step. You can do that, for example, by executing

  ```shell
  ls /sys/firmware/efi
  ```

  If that path exists, continue the installation for UEFI; otherwise, continue for Legacy Boot.
- Option 1: Partition and format for UEFI

  ```shell
  parted /dev/sda -- mklabel gpt
  parted /dev/sda -- mkpart primary 512MiB -8GiB          # 1: root
  parted /dev/sda -- mkpart primary linux-swap -8GiB 100%  # 2: swap
  parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB          # 3: EFI system partition
  parted /dev/sda -- set 3 boot on
  mkfs.ext4 -L nixos /dev/sda1
  mkswap -L swap /dev/sda2
  mkfs.fat -F 32 -n boot /dev/sda3
  mount /dev/disk/by-label/nixos /mnt
  mkdir -p /mnt/boot
  mount /dev/disk/by-label/boot /mnt/boot
  swapon /dev/sda2
  ```
- Option 2: Partition and format for Legacy Boot (MBR)

  ```shell
  parted /dev/sda -- mklabel msdos
  parted /dev/sda -- mkpart primary 1MiB -8GiB             # 1: root
  parted /dev/sda -- mkpart primary linux-swap -8GiB 100%  # 2: swap
  mkfs.ext4 -L nixos /dev/sda1
  mkswap -L swap /dev/sda2
  mount /dev/disk/by-label/nixos /mnt
  swapon /dev/sda2
  ```
- Option 3: Set up encrypted partitions:
  Follow the guide at https://gist.github.com/martijnvermaat/76f2e24d0239470dd71050358b4d5134.
- Generate the NixOS config

  ```shell
  nixos-generate-config --root /mnt
  nano /mnt/etc/nixos/configuration.nix
  ```

  We now need to adjust the configuration to make sure that we can ssh into the system and that it boots correctly. We add some lines to set `services.openssh` such that the configuration looks as follows:

  ```nix
  { config, pkgs, ... }:

  {
    imports = [ ... ];

    # Enable the OpenSSH server.
    services.openssh = {
      enable = true;
      permitRootLogin = "yes";
    };

    # The rest of the file are default options and hints.
  }
  ```

  Now we open `hardware-configuration.nix`

  ```shell
  nano /mnt/etc/nixos/hardware-configuration.nix
  ```

  which will look similar to

  ```nix
  { config, pkgs, ... }:

  {
    imports = [ ];

    # Add line here as explained below

    # The rest of the file are generated options.
  }
  ```

  Now add one of the following lines at the location marked in the example hardware config above.

  Option 1: UEFI

  ```nix
  boot.loader.systemd-boot.enable = true;
  ```

  Option 2: Legacy Boot (MBR)

  ```nix
  boot.loader.grub.device = "/dev/sda";
  ```

  Lastly, in rare circumstances the hardware configuration does not have a `fileSystems` option. In that case you need to add it with the following line:

  ```nix
  fileSystems."/".device = "/dev/disk/by-label/nixos";
  ```
- Do the installation

  ```shell
  nixos-install
  ```

  Set the root password when prompted:

  ```
  setting root password...
  Enter new UNIX password:
  Retype new UNIX password:
  ```
- If everything went well

  ```shell
  reboot
  ```
2. Nix installation
The following steps are meant to be run on the machine you deploy from, not the machine you deploy to. You can also build Nix from source by following the instructions at https://nixos.org/nix/manual/#ch-installing-source.
- Install dependencies (Debian 10 Buster)

  ```shell
  sudo apt-get install curl git gnupg2 dirmngr
  ```
- Install the latest Nix in "multi-user mode" with GPG verification according to https://nixos.org/nix/download.html

  ```shell
  curl -o install-nix-2.3.10 https://releases.nixos.org/nix/nix-2.3.10/install
  curl -o install-nix-2.3.10.asc https://releases.nixos.org/nix/nix-2.3.10/install.asc
  gpg2 --recv-keys B541D55301270E0BCF15CA5D8170B4726D7198DE
  # the output must report a good signature made by the key fetched above
  gpg2 --verify ./install-nix-2.3.10.asc
  sh ./install-nix-2.3.10 --daemon
  ```

  Then follow the instructions. Open a new terminal window when you're done.

  If you get an error similar to

  ```
  error: cloning builder process: Operation not permitted
  error: unable to start build process
  /tmp/nix-binary-tarball-unpack.hqawN4uSPr/unpack/nix-2.2.1-x86_64-linux/install: unable to install Nix into your default profile
  ```

  you're likely not installing as multi-user because you forgot to pass the `--daemon` flag to the install script.

- Optional: Disallow substitutes

  You can put

  ```
  substitute = false
  ```

  into your `nix.conf`, usually found in `/etc/nix/`, to build the packages from source. This eliminates an attack vector where nix's build server or binary cache is compromised.
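The GPG step above deserves one check the bare commands do not make explicit: `gpg2 --verify` exits 0 for a good signature from any key in your keyring, so the thing to confirm is that the signature was made by the key whose fingerprint you fetched. The script below is an added example, not part of the nix-bitcoin docs; it uses the version, URLs and fingerprint from the tutorial, and the helper names (`check_sha256`, `sig_from_expected_key`, `verify_nix_installer`) and the `NIX_VERIFY_RUN` switch are my own. It reads gpg's machine-readable `--status-fd` output and accepts only a `VALIDSIG` line naming the expected fingerprint.

```shell
# Added example, not from the nix-bitcoin docs: verify the Nix installer before
# running it. Version, URLs and key fingerprint are the ones the tutorial uses.
set -e

NIX_VERSION="2.3.10"
NIX_KEY_FPR="B541D55301270E0BCF15CA5D8170B4726D7198DE"
BASE_URL="https://releases.nixos.org/nix/nix-${NIX_VERSION}"

# Return 0 only if the sha256 of file $1 equals the expected hex digest $2
# (the same check the tutorial asks you to do by eye for the NixOS ISO).
check_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# $1 is the text gpg wrote to --status-fd, $2 the expected key fingerprint.
# Return 0 only if a VALIDSIG line names that fingerprint as the signing key
# (field 3) or as the primary key of a signing subkey (last field). A GOODSIG
# line or a zero exit status from gpg is not enough: those only say that
# some key in the local keyring made the signature.
sig_from_expected_key() {
  printf '%s\n' "$1" | awk -v fpr="$2" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
    END { exit !ok }'
}

# Download installer and detached signature, verify, then tell the user how
# to proceed. Nothing downloaded is executed by this function.
verify_nix_installer() {
  installer="install-nix-${NIX_VERSION}"
  curl -fsSLo "$installer" "${BASE_URL}/install"
  curl -fsSLo "${installer}.asc" "${BASE_URL}/install.asc"
  gpg2 --recv-keys "$NIX_KEY_FPR"
  # Name the data file explicitly instead of letting gpg guess it from the
  # .asc name; drop the human-readable stderr and keep only the status lines.
  status=$(gpg2 --status-fd 1 --verify "${installer}.asc" "$installer" 2>/dev/null || true)
  if sig_from_expected_key "$status" "$NIX_KEY_FPR"; then
    echo "signature OK from $NIX_KEY_FPR; now run: sh ./$installer --daemon"
  else
    echo "signature check FAILED for $installer; do not run it" >&2
    return 1
  fi
}

# Only download when invoked as NIX_VERIFY_RUN=1 sh verify-nix.sh, so the
# helpers can also be sourced and exercised offline.
if [ "${NIX_VERIFY_RUN:-}" = "1" ]; then
  verify_nix_installer
fi
```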
3. Setup deployment directory
- Clone this project

  ```shell
  cd
  git clone https://github.com/fort-nix/nix-bitcoin
  ```

- Obtain the hash of the latest nix-bitcoin release

  ```shell
  cd nix-bitcoin/examples
  nix-shell
  ```

  This will download the nix-bitcoin dependencies and might take a while without giving any output. Now, in the nix-shell, run

  ```shell
  fetch-release > nix-bitcoin-release.nix
  ```

- Create a new directory for your nix-bitcoin deployment and copy the initial files from nix-bitcoin

  ```shell
  cd ../../
  mkdir nix-bitcoin-node
  cd nix-bitcoin-node
  # TODO
  cp -r ../nix-bitcoin/examples/{configuration.nix,shell.nix,nix-bitcoin-release.nix,.gitignore} .
  ```
4. Deploy with TODO
- TODO

- Edit `configuration.nix`

  ```shell
  nano configuration.nix
  ```

  Uncomment the `./hardware-configuration.nix` line by removing the `#`.

- Create `hardware-configuration.nix`

  ```shell
  nano hardware-configuration.nix
  ```

  Copy the contents of your NixOS machine's `/etc/nixos/hardware-configuration.nix` to this file.

- Enter the environment

  ```shell
  nix-shell
  ```

  NOTE that a new directory `secrets/` appeared which contains the secrets for your node.

- TODO

- Adjust the configuration by opening the `configuration.nix` file and enable or disable the modules you want by editing this file. Pay particular attention to lines that are preceded by `FIXME` comments. Make sure to set your SSH pubkey. Otherwise, you lose remote access because the config does not enable `permitRootLogin` (unless you add that manually).

- TODO

For security reasons, all normal system management tasks can and should be performed with the `operator` user. Logging in as `root` should be done as rarely as possible.
See usage.md for usage instructions, such as how to update.