improve examples/shell.nix
The user's local node configuration directory usually contains a copy of examples/shell.nix. 1. Move the shell implementation from shell.nix to nix-bitcoin/helper/makeShell.nix Because the shell is no longer defined locally in the user's config directory, we can now ship new shell features via nix-bitcoin updates. 2. Simplify examples/nix-bitcoin-release.nix nix-bitcoin-release.nix, as generated via `fetch-release`, now contains a simple fetchTarball statement which can be directly imported. This allows us to get rid of the extra `nix-bitcoin-unpacked` derivation which adds a dependency on the user's local nixpkgs. To keep `fetch-release` as simple as possible for easy auditing, we just fetch and verify a `nar-hash.txt` file that is now uploaded via `push-release.sh`. A migration guide for updating the user's local `shell.nix` is automatically printed when the user starts a new shell after updating nix-bitcoin. This is achieved by throwing an error in `generate-secrets`, which is called on shell startup. This commit is required to deploy the new extensible `generate-secrets` mechanism introduced in the next commit.
This commit is contained in:
Erik Arvstedt
@@ -15,26 +15,28 @@ trap "rm -rf $TMPDIR" EXIT
|
||||
GPG_HOME=$TMPDIR/gpg-home
|
||||
mkdir -p -m 700 "$GPG_HOME"
|
||||
|
||||
cd $TMPDIR
|
||||
baseUrl=https://github.com/$repo/releases/download/v$version
|
||||
curl --silent -L -O $baseUrl/SHA256SUMS.txt
|
||||
curl --silent -L -O $baseUrl/SHA256SUMS.txt.asc
|
||||
|
||||
# Import key
|
||||
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
|
||||
# Verify key fingerprint
|
||||
gpg --homedir $GPG_HOME --list-keys 36C71A37C9D988BDE82508D9B1A70E4F8DCD0366 > /dev/null
|
||||
|
||||
# Verify signature for SHA256SUMS.txt
|
||||
gpg --homedir $GPG_HOME --verify SHA256SUMS.txt.asc &> /dev/null || {
|
||||
# Fetch nar-hash of release
|
||||
cd $TMPDIR
|
||||
baseUrl=https://github.com/$repo/releases/download/v$version
|
||||
curl --silent -L -O $baseUrl/nar-hash.txt
|
||||
curl --silent -L -O $baseUrl/nar-hash.txt.asc
|
||||
|
||||
# Verify signature for nar-hash
|
||||
gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
|
||||
echo "Error: Signature verification failed. Please open an issue in the project repository."
|
||||
exit 1
|
||||
}
|
||||
|
||||
sha256=$(cat SHA256SUMS.txt | cut -d\ -f1)
|
||||
>&2 echo "Fetched and verified release $version"
|
||||
|
||||
cat <<EOF
|
||||
{
|
||||
url = "$baseUrl/nix-bitcoin-$version.tar.gz";
|
||||
sha256 = "$sha256";
|
||||
builtins.fetchTarball {
|
||||
url = "https://github.com/$repo/archive/v$version.tar.gz";
|
||||
sha256 = "$(cat nar-hash.txt)";
|
||||
}
|
||||
EOF
|
||||
|
||||
43
helper/makeShell.nix
Normal file
43
helper/makeShell.nix
Normal file
@@ -0,0 +1,43 @@
|
||||
{ configDir, extraShellInitCmds ? (pkgs: "") }:
|
||||
let
|
||||
nixpkgs = (import ../pkgs/nixpkgs-pinned.nix).nixpkgs;
|
||||
pkgs = import nixpkgs {};
|
||||
nbPkgs = import ../pkgs { inherit pkgs; };
|
||||
cfgDir = toString configDir;
|
||||
in
|
||||
with pkgs;
|
||||
stdenv.mkDerivation rec {
|
||||
name = "nix-bitcoin-environment";
|
||||
|
||||
path = lib.makeBinPath [ nbPkgs.extra-container ];
|
||||
|
||||
shellHook = ''
|
||||
export NIX_PATH="nixpkgs=${nixpkgs}:nix-bitcoin=${toString ../.}:."
|
||||
export PATH="${path}''${PATH:+:}$PATH"
|
||||
|
||||
export NIX_BITCOIN_EXAMPLES_DIR="${cfgDir}"
|
||||
|
||||
fetch-release() {
|
||||
${toString ./fetch-release}
|
||||
}
|
||||
|
||||
krops-deploy() {
|
||||
# Ensure strict permissions on secrets/ directory before rsyncing it to
|
||||
# the target machine
|
||||
chmod 700 "${cfgDir}/secrets"
|
||||
$(nix-build --no-out-link "${cfgDir}/krops/deploy.nix")
|
||||
}
|
||||
|
||||
# Print logo if
|
||||
# 1. stdout is a TTY, i.e. we're not piping the output
|
||||
# 2. the shell is interactive
|
||||
if [[ -t 1 && $- == *i* ]]; then
|
||||
${figlet}/bin/figlet "nix-bitcoin"
|
||||
fi
|
||||
|
||||
# Don't run this hook when another nix-shell is run inside this shell
|
||||
unset shellHook
|
||||
|
||||
${extraShellInitCmds pkgs}
|
||||
'';
|
||||
}
|
||||
@@ -59,6 +59,10 @@ SHA256SUMS=$TMPDIR/SHA256SUMS.txt
|
||||
(cd $TMPDIR; sha256sum $ARCHIVE_NAME > $SHA256SUMS)
|
||||
gpg -o $SHA256SUMS.asc -a --detach-sig $SHA256SUMS
|
||||
|
||||
cd $TMPDIR
|
||||
nix hash to-sri --type sha256 $(nix-prefetch-url --unpack file://$ARCHIVE 2> /dev/null) > nar-hash.txt
|
||||
gpg -o nar-hash.txt.asc -a --detach-sig nar-hash.txt
|
||||
|
||||
if [[ $DRY_RUN ]]; then
|
||||
echo "Created v$TAG_NAME in $TMPDIR"
|
||||
exit 0
|
||||
@@ -77,6 +81,10 @@ post_asset() {
|
||||
curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
|
||||
$GH_ASSET/$(basename $1) &> /dev/null
|
||||
}
|
||||
post_asset nar-hash.txt
|
||||
post_asset nar-hash.txt.asc
|
||||
# Post additional assets for backwards compatibility.
|
||||
# This allows older nix-bitcoin installations to upgrade via `fetch-release`.
|
||||
post_asset $ARCHIVE
|
||||
post_asset $SHA256SUMS
|
||||
post_asset $SHA256SUMS.asc
|
||||
|
||||
Reference in New Issue
Block a user