From e1ed6a172ced8d9885c7bf0f5c4d6ada4dcee439 Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 16:21:14 -0700
Subject: [PATCH 01/13] Start working on deploy
---
 foo/bitcoind.service | 83 ++++++++++++++++++++++++++++++++++++++++++++
 foo/ord.service | 58 +++++++++++++++++++++++++++++++
 justfile | 2 ++
 3 files changed, 143 insertions(+)
 create mode 100644 foo/bitcoind.service
 create mode 100644 foo/ord.service
diff --git a/foo/bitcoind.service b/foo/bitcoind.service
new file mode 100644
index 0000000000..e44f0864ec
--- /dev/null
+++ b/foo/bitcoind.service
@@ -0,0 +1,83 @@
+# It is not recommended to modify this file in-place, because it will
+# be overwritten during package upgrades. If you want to add further
+# options or overwrite existing ones then use
+# $ systemctl edit bitcoind.service
+# See "man systemd.service" for details.
+
+# Note that almost all daemon options could be specified in
+# /etc/bitcoin/bitcoin.conf, but keep in mind those explicitly
+# specified as arguments in ExecStart= will override those in the
+# config file.
+
+[Unit]
+Description=Bitcoin daemon
+Documentation=https://github.com/bitcoin/bitcoin/blob/master/doc/init.md
+
+# https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/bitcoind \
+ -daemonwait \
+ -pid=/run/bitcoind/bitcoind.pid \
+ -conf=/etc/bitcoin/bitcoin.conf \
+ -datadir=/var/lib/bitcoind
+
+# Make sure the config directory is readable by the service user
+PermissionsStartOnly=true
+ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin
+
+# Process management
+####################
+
+Type=forking
+PIDFile=/run/bitcoind/bitcoind.pid
+Restart=on-failure
+TimeoutStartSec=infinity
+TimeoutStopSec=600
+
+# Directory creation and permissions
+####################################
+
+# Run as bitcoin:bitcoin
+User=bitcoin
+Group=bitcoin
+
+# /run/bitcoind
+RuntimeDirectory=bitcoind
+RuntimeDirectoryMode=0710
+
+# /etc/bitcoin
+ConfigurationDirectory=bitcoin
+ConfigurationDirectoryMode=0710
+
+# /var/lib/bitcoind
+StateDirectory=bitcoind
+StateDirectoryMode=0710
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
+PrivateTmp=true
+
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Deny access to /home, /root and /run/user
+ProtectHome=true
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/foo/ord.service b/foo/ord.service
new file mode 100644
index 0000000000..a77ec04fb4
--- /dev/null
+++ b/foo/ord.service
@@ -0,0 +1,58 @@
+[Unit]
+After=network.target
+Description=Ord server
+StartLimitBurst=120
+StartLimitIntervalSec=10m
+
+[Service]
+WorkingDirectory=/var/lib/ord
+Environment="RUST_LOG=info"
+ExecStart=/usr/local/bin/ord \
+ --index-size 1TiB \
+ --rpc-url 127.0.0.1:8332 \
+ --cookie-file /var/lib/bitcoind/.cookie \
+ index
+
+# Process management
+####################
+
+Type=simple
+Restart=on-failure
+TimeoutStopSec=10m
+RestartSec=5s
+
+# Directory creation and permissions
+####################################
+
+User=ord
+Group=ord
+
+# /var/lib/ord
+StateDirectory=ord
+StateDirectoryMode=0700
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
+PrivateTmp=true
+
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Deny access to /home, /root and /run/user
+ProtectHome=true
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/justfile b/justfile
index d939d1aeaa..cbcfd44309 100644
--- a/justfile
+++ b/justfile
@@ -23,3 +23,5 @@ watch +args='ltest':
 install-dev-deps:
 cargo install cargo-criterion
+
+deploy:
From 6c96ab79c68517b2bb090d0c416edfec12c45c71 Mon Sep 17 00:00:00 2001
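Review bot: `PermissionsStartOnly=true` in the `[Service]` section is the deprecated way of running `ExecStartPre=` as root; the `+` prefix does the same thing for just that one command, `ExecStartPre=+/bin/chgrp bitcoin /etc/bitcoin`, so the knob can go. The hardening block stops at `MemoryDenyWriteExecute`; for a daemon that should need only TCP/UNIX sockets plus the directories already declared via `RuntimeDirectory=`/`StateDirectory=`, `ProtectKernelTunables=true`, `ProtectControlGroups=true`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `SystemCallArchitectures=native` look like safe additions, and `ProtectSystem=strict` should be viable in place of `full` for the same reason (worth confirming on a test box). Nothing in this unit constrains where the RPC interface listens, since that lives in the `-conf=/etc/bitcoin/bitcoin.conf` the patch does not add; a one-line comment such as `# bitcoin.conf must keep rpcbind/rpcallowip on loopback; the RPC cookie is the only credential` would record the assumption the cookie-based client next to it relies on.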
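Review bot: `ord` is started with `--rpc-url 127.0.0.1:8332 --cookie-file /var/lib/bitcoind/.cookie`, so it depends on bitcoind being up and having written its cookie, yet `[Unit]` only says `After=network.target` and declares no relationship to `bitcoind.service`; on boot ord can come up first, fail on the missing cookie, and cycle through `StartLimitBurst=120` restarts at `RestartSec=5s`. I would add `After=network-online.target bitcoind.service` and `Wants=bitcoind.service` (or `BindsTo=bitcoind.service` if ord does not re-read the cookie after a bitcoind restart — I can't tell from here whether it does). The cookie is presumably owned by the `bitcoin` user, so `User=ord` can only read it through permissions granted outside this file; a comment like `# Needs read access to bitcoind's RPC cookie, granted during provisioning` would save the next person a debugging session. If the index under `StateDirectory=ord` is the only thing the service writes, `ProtectSystem=strict` is a tighter choice than `full` here.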
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 19:47:07 -0700
Subject: [PATCH 02/13] Finish deploy script
---
 justfile | 7 +++++++
 setup | 30 ++++++++++++++++++++++++++++++
 {foo => system}/bitcoind.service | 0
 {foo => system}/ord.service | 0
 4 files changed, 37 insertions(+)
 create mode 100755 setup
 rename {foo => system}/bitcoind.service (100%)
 rename {foo => system}/ord.service (100%)
diff --git a/justfile b/justfile
index cbcfd44309..c5818b6310 100644
--- a/justfile
+++ b/justfile
@@ -25,3 +25,10 @@ install-dev-deps:
 cargo install cargo-criterion
 deploy:
+ ssh root@65.108.68.37 rm -rf deploy
+ ssh root@65.108.68.37 git clone https://github.com/casey/ord.git --branch deploy deploy/ord
+ ssh root@65.108.68.37 'cd ./deploy/ord && ./setup'
+
+status:
+ ssh root@65.108.68.37 systemctl status bitcoind
+ ssh root@65.108.68.37 systemctl status ord
diff --git a/setup b/setup
new file mode 100755
index 0000000000..8076f5b3a2
--- /dev/null
+++ b/setup
@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+
+# N.B. This setup script is missing some steps needed to initialize a
+# freshly provisioned server:
+#
+# - useradd --system ord
+# - useradd --system bitcoin
+# - install bitcoind to /usr/local/bin
+# - install rustup
+# - install git and clang
+
+set -euxo pipefail
+
+apt update
+apt upgrade
+apt install clang
+
+cp system/bitcoind.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable bitcoind
+systemctl restart bitcoind
+
+setfacl -m ord:x /var/lib/bitcoind
+setfacl -dm ord:r /var/lib/bitcoind
+setfacl -m ord:r /var/lib/bitcoind/.cookie
+
+cp system/ord.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable ord
+systemctl restart ord
diff --git a/foo/bitcoind.service b/system/bitcoind.service
similarity index 100%
rename from foo/bitcoind.service
rename to system/bitcoind.service
diff --git a/foo/ord.service b/system/ord.service
similarity index 100%
rename from foo/ord.service
rename to system/ord.service
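Review bot: The `deploy` recipe logs in as `root@65.108.68.37`, clones `https://github.com/casey/ord.git --branch deploy` on the server and runs `./setup` as root in the same breath, so anyone who can push to that branch — or who compromises the GitHub account — gets unreviewed root code execution on the host. Pin what gets executed to something the operator has in front of them, e.g. pass `$(git rev-parse HEAD)` from the local checkout and have the remote side `git reset --hard` to that SHA (and `git verify-commit` it if commits are signed) rather than tracking a mutable branch head. A dedicated deploy user with a narrow sudoers entry would be preferable to SSH-as-root, and the hard-coded IP repeated five times could live in a single `host := 'root@65.108.68.37'` variable so it is changed in one place.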
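Review bot: `setfacl -dm ord:r /var/lib/bitcoind` installs a default ACL on the whole datadir, which grants the `ord` user read access to every file bitcoind creates there from now on — not just `.cookie` but, for instance, anything under a `wallets/` subdirectory or the debug log — far more than an indexer needs. The narrower option is to give ord its own RPC credential (`rpcauth=` in bitcoin.conf, passed to ord instead of `--cookie-file`) so it needs no filesystem access into the datadir at all; if the cookie must be shared, keep `ord:x` on the directory and `ord:r` on `.cookie` but drop the default ACL and re-apply the file ACL after each bitcoind restart, since the default ACL was presumably added because bitcoind regenerates the cookie on start. The `setfacl` on `.cookie` also only works because `systemctl restart bitcoind` returns after `-daemonwait` has seen the daemon initialise, which is worth a comment: `# bitcoind (-daemonwait) has written .cookie by the time restart returns`.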
From f4297bdb97b89cffa4ea28db75fd4ba71b05c3ba Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 19:52:52 -0700
Subject: [PATCH 03/13] Make setup script more comprehensive
---
 setup | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/setup b/setup
index 8076f5b3a2..e6bc0017e3 100755
--- a/setup
+++ b/setup
@@ -1,13 +1,6 @@
 #!/usr/bin/env bash
-# N.B. This setup script is missing some steps needed to initialize a
-# freshly provisioned server:
-#
-# - useradd --system ord
-# - useradd --system bitcoin
-# - install bitcoind to /usr/local/bin
-# - install rustup
-# - install git and clang
+# N.B. Bitcoind must be installed as /usr/local/bin/bitcoind.
 set -euxo pipefail
@@ -15,6 +8,11 @@ apt update
 apt upgrade
 apt install clang
+which rustup || curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+
+id --user ord || useradd --system ord
+id --user bitcoin || useradd --system bitcoin
+
+cp system/bitcoind.service /etc/systemd/system/
 systemctl daemon-reload
 systemctl enable bitcoind
From b21ae68ff1e42ccf4381a6f314244a41ac60cd0e Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 19:53:36 -0700
Subject: [PATCH 04/13] Use apt-get
---
 setup | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/setup b/setup
index e6bc0017e3..2146822875 100755
--- a/setup
+++ b/setup
@@ -4,9 +4,9 @@
 set -euxo pipefail
-apt update
-apt upgrade
-apt install clang
+apt-get update --yes
+apt-get upgrade --yes
+apt-get install --yes clang
 which rustup || curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
From 25564485f54280b7e21780db6abeaa4c636e8a6b Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 19:54:30 -0700
Subject: [PATCH 05/13] Run rustup non-interactively
---
 setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup b/setup
index 2146822875..b23ea1a6d4 100755
--- a/setup
+++ b/setup
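Review bot: `curl ... https://sh.rustup.rs | sh` executes an unverified remote script as root on the production host; `--proto '=https' --tlsv1.2` pins the transport but nothing checks what was downloaded. Prefer fetching `rustup-init` for the target triple together with its published `.sha256`, checking it with `sha256sum -c` before running it, or installing the toolchain from the distribution's packages — and either way do it as an unprivileged build user rather than root. The two `useradd --system` calls should also pass `--shell /usr/sbin/nologin` (and `--no-create-home` if this distribution's `/etc/default/useradd` would otherwise create one), since both accounts only ever run under systemd and should not be usable for interactive login.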
@@ -8,7 +8,7 @@ apt-get update --yes
 apt-get upgrade --yes
 apt-get install --yes clang
-which rustup || curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
+which rustup || curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 id --user ord || useradd --system ord
 id --user bitcoin || useradd --system bitcoin
From 647211001caf433472da5d717a1f9933801feb4b Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 19:55:28 -0700
Subject: [PATCH 06/13] Build and install ord binary
---
 setup | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/setup b/setup
index b23ea1a6d4..7be82ab8dc 100755
--- a/setup
+++ b/setup
@@ -10,6 +10,9 @@ apt-get install --yes clang
 which rustup || curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+cargo build --release
+cp target/release/ord /usr/local/bin/ord
+
+id --user ord || useradd --system ord
 id --user bitcoin || useradd --system bitcoin
From 3cb8563783cfc76fe81df92bf0144e90eb54fa84 Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 19:57:02 -0700
Subject: [PATCH 07/13] Source cargo .env file
---
 setup | 1 +
 1 file changed, 1 insertion(+)
diff --git a/setup b/setup
index 7be82ab8dc..646d790247 100755
--- a/setup
+++ b/setup
@@ -9,6 +9,7 @@ apt-get upgrade --yes
 apt-get install --yes clang
 which rustup || curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+source ~/.cargo/env
 cargo build --release
 cp target/release/ord /usr/local/bin/ord
From 661c2284a576c506bbb1af3343ddf9cb64398367 Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 19:59:21 -0700
Subject: [PATCH 08/13] Fix rustup install
---
 setup | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/setup b/setup
index 646d790247..6dbec86d02 100755
--- a/setup
+++ b/setup
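Review bot: `cp target/release/ord /usr/local/bin/ord` opens the existing binary for writing, and on any deploy after the first — when `ord.service` from the previous run is still executing that file — Linux refuses with `ETXTBSY` ("Text file busy"), so `set -e` aborts the script before the unit files are copied and restarted. Write to a sibling name and rename over the old file instead, `cp target/release/ord /usr/local/bin/ord.new && mv -f /usr/local/bin/ord.new /usr/local/bin/ord`, which is atomic and leaves the running process on its old inode until the restart. Separately, `cargo build --release` runs as root on the production host, meaning every `build.rs` and proc-macro in the dependency tree executes with root; building as an unprivileged user (or on a separate build host) and only installing the artifact as root would contain that.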
@@ -8,7 +8,10 @@ apt-get update --yes
 apt-get upgrade --yes
 apt-get install --yes clang
-which rustup || curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+if [[ ! -e ~/.cargo/env ]]; then
+ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+else
+
 source ~/.cargo/env
 cargo build --release
From 0ce465070cb2b66f7e5f65ddfb99cc0706e454ff Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 19:59:54 -0700
Subject: [PATCH 09/13] Fix else block
---
 setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup b/setup
index 6dbec86d02..3c95d2564b 100755
--- a/setup
+++ b/setup
@@ -10,7 +10,7 @@ apt-get install --yes clang
 if [[ ! -e ~/.cargo/env ]]; then
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
-else
+fi
 source ~/.cargo/env
From 612faa77f04d8993282c02863b5433a959b4aaee Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 20:01:45 -0700
Subject: [PATCH 10/13] Remove deploy branch reference
---
 justfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/justfile b/justfile
index c5818b6310..834c355b86 100644
--- a/justfile
+++ b/justfile
@@ -26,7 +26,7 @@ install-dev-deps:
 deploy:
 ssh root@65.108.68.37 rm -rf deploy
- ssh root@65.108.68.37 git clone https://github.com/casey/ord.git --branch deploy deploy/ord
+ ssh root@65.108.68.37 git clone https://github.com/casey/ord.git deploy/ord
 ssh root@65.108.68.37 'cd ./deploy/ord && ./setup'
 status:
From d882bff34f51033aed22c289ea5958853d4be0db Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 20:18:31 -0700
Subject: [PATCH 11/13] Reorgoanize things
---
 {system => deploy}/bitcoind.service | 0
 deploy/checkout | 15 +++++++++++++++
 {system => deploy}/ord.service | 0
 setup => deploy/setup | 0
 justfile | 6 +++---
 5 files changed, 18 insertions(+), 3 deletions(-)
 rename {system => deploy}/bitcoind.service (100%)
 create mode 100755 deploy/checkout
 rename {system => deploy}/ord.service (100%)
 rename setup => deploy/setup (100%)
diff --git a/system/bitcoind.service b/deploy/bitcoind.service
similarity index 100%
rename from system/bitcoind.service
rename to deploy/bitcoind.service
diff --git a/deploy/checkout b/deploy/checkout
new file mode 100755
index 0000000000..7937d78ee1
--- /dev/null
+++ b/deploy/checkout
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [[ ! -d ord ]]; then
+ git clone https://github.com/casey/ord.git
+fi
+
+cd ord
+
+git fetch origin
+git checkout -B deploy
+git reset --hard origin/deploy
+git clean --force -d
+./deploy/setup
diff --git a/system/ord.service b/deploy/ord.service
similarity index 100%
rename from system/ord.service
rename to deploy/ord.service
diff --git a/setup b/deploy/setup
similarity index 100%
rename from setup
rename to deploy/setup
diff --git a/justfile b/justfile
index 834c355b86..8728e8e723 100644
--- a/justfile
+++ b/justfile
@@ -25,9 +25,9 @@ install-dev-deps:
 cargo install cargo-criterion
 deploy:
- ssh root@65.108.68.37 rm -rf deploy
- ssh root@65.108.68.37 git clone https://github.com/casey/ord.git deploy/ord
- ssh root@65.108.68.37 'cd ./deploy/ord && ./setup'
+ ssh root@65.108.68.37 mkdir -p deploy
+ rsync -avz deploy/checkout root@65.108.68.37:deploy/checkout
+ ssh root@65.108.68.37 'cd deploy && ./checkout'
 status:
 ssh root@65.108.68.37 systemctl status bitcoind
From 16d31559622eb862e6ebb1d330e973d2d9f44998 Mon Sep 17 00:00:00 2001
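Review bot: `git reset --hard origin/deploy` followed by `./deploy/setup` runs whatever the remote `deploy` branch points at right now, as root, with no check on who produced it; together with the justfile change in this patch, a push to that branch on GitHub is equivalent to root code execution on the host. Make the script take the commit to deploy as an argument supplied from the operator's own checkout (the justfile would call `./checkout $(git rev-parse HEAD)`), so the deploy is pinned to a SHA someone has actually looked at rather than to a mutable branch head; if commits are signed, a `git verify-commit "$rev"` before the checkout would close the gap further. `git clean --force -d` also leaves ignored paths such as `target/` in place, which is fine for build caching but deserves a comment so nobody assumes the tree is pristine between deploys.
```bash
# … unchanged: shebang, set -euxo pipefail, clone-if-missing, cd ord …
# Deploy exactly the commit the operator asked for, never a mutable branch head.
rev="${1:?usage: checkout <commit-sha>}"
git fetch origin
git checkout -B deploy "$rev"
# Ignored paths (e.g. target/) are deliberately kept as a build cache.
git clean --force -d
./deploy/setup
```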
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 20:19:23 -0700
Subject: [PATCH 12/13] Fix things
---
 deploy/setup | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deploy/setup b/deploy/setup
index 3c95d2564b..c941f2a44c 100755
--- a/deploy/setup
+++ b/deploy/setup
@@ -20,7 +20,7 @@ cp target/release/ord /usr/local/bin/ord
 id --user ord || useradd --system ord
 id --user bitcoin || useradd --system bitcoin
-cp system/bitcoind.service /etc/systemd/system/
+cp deploy/bitcoind.service /etc/systemd/system/
 systemctl daemon-reload
 systemctl enable bitcoind
 systemctl restart bitcoind
@@ -29,7 +29,7 @@ setfacl -m ord:x /var/lib/bitcoind
 setfacl -dm ord:r /var/lib/bitcoind
 setfacl -m ord:r /var/lib/bitcoind/.cookie
-cp system/ord.service /etc/systemd/system/
+cp deploy/ord.service /etc/systemd/system/
 systemctl daemon-reload
 systemctl enable ord
 systemctl restart ord
From da55f2a9d1e5882bf5a6b9d41e46dd12fa319a1b Mon Sep 17 00:00:00 2001
From: Casey Rodarmor
Date: Fri, 18 Mar 2022 20:19:59 -0700
Subject: [PATCH 13/13] Tweak
---
 deploy/setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/setup b/deploy/setup
index c941f2a44c..a28ca6f3e9 100755
--- a/deploy/setup
+++ b/deploy/setup
@@ -17,8 +17,8 @@ source ~/.cargo/env
 cargo build --release
 cp target/release/ord /usr/local/bin/ord
-id --user ord || useradd --system ord
 id --user bitcoin || useradd --system bitcoin
+id --user ord || useradd --system ord
 cp deploy/bitcoind.service /etc/systemd/system/
 systemctl daemon-reload