Add deploy script

deploy/bitcoind.service

@@ -0,0 +1,83 @@
+# It is not recommended to modify this file in-place, because it will
+# be overwritten during package upgrades. If you want to add further
+# options or overwrite existing ones then use
+# $ systemctl edit bitcoind.service
+# See "man systemd.service" for details.
+
+# Note that almost all daemon options could be specified in
+# /etc/bitcoin/bitcoin.conf, but keep in mind those explicitly
+# specified as arguments in ExecStart= will override those in the
+# config file.
+
+[Unit]
+Description=Bitcoin daemon
+Documentation=https://github.com/bitcoin/bitcoin/blob/master/doc/init.md
+
+# https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/bitcoind \
+	-daemonwait \
+	-pid=/run/bitcoind/bitcoind.pid \
+	-conf=/etc/bitcoin/bitcoin.conf \
+	-datadir=/var/lib/bitcoind
+
+# Make sure the config directory is readable by the service user
+PermissionsStartOnly=true
+ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin
+
+# Process management
+####################
+
+Type=forking
+PIDFile=/run/bitcoind/bitcoind.pid
+Restart=on-failure
+TimeoutStartSec=infinity
+TimeoutStopSec=600
+
+# Directory creation and permissions
+####################################
+
+# Run as bitcoin:bitcoin
+User=bitcoin
+Group=bitcoin
+
+# /run/bitcoind
+RuntimeDirectory=bitcoind
+RuntimeDirectoryMode=0710
+
+# /etc/bitcoin
+ConfigurationDirectory=bitcoin
+ConfigurationDirectoryMode=0710
+
+# /var/lib/bitcoind
+StateDirectory=bitcoind
+StateDirectoryMode=0710
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
+PrivateTmp=true
+
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Deny access to /home, /root and /run/user
+ProtectHome=true
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target

deploy/checkout

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [[ ! -d ord ]]; then
+  git clone https://github.com/casey/ord.git
+fi
+
+cd ord
+
+git fetch origin
+git checkout -B deploy
+git reset --hard origin/deploy
+git clean --force -d
+./deploy/setup

deploy/ord.service

@@ -0,0 +1,58 @@
+[Unit]
+After=network.target
+Description=Ord server
+StartLimitBurst=120
+StartLimitIntervalSec=10m
+
+[Service]
+WorkingDirectory=/var/lib/ord
+Environment="RUST_LOG=info"
+ExecStart=/usr/local/bin/ord \
+  --index-size 1TiB \
+  --rpc-url 127.0.0.1:8332 \
+  --cookie-file /var/lib/bitcoind/.cookie \
+  index
+
+# Process management
+####################
+
+Type=simple
+Restart=on-failure
+TimeoutStopSec=10m
+RestartSec=5s
+
+# Directory creation and permissions
+####################################
+
+User=ord
+Group=ord
+
+# /var/lib/ord
+StateDirectory=ord
+StateDirectoryMode=0700
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
+PrivateTmp=true
+
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Deny access to /home, /root and /run/user
+ProtectHome=true
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target

deploy/setup

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# N.B. Bitcoind must be installed as /usr/local/bin/bitcoind.
+
+set -euxo pipefail
+
+apt-get update --yes
+apt-get upgrade --yes
+apt-get install --yes clang
+
+if [[ ! -e ~/.cargo/env ]]; then
+  curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+fi
+
+source ~/.cargo/env
+
+cargo build --release
+cp target/release/ord /usr/local/bin/ord
+
+id --user bitcoin || useradd --system bitcoin
+id --user ord || useradd --system ord
+
+cp deploy/bitcoind.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable bitcoind
+systemctl restart bitcoind
+
+setfacl -m ord:x /var/lib/bitcoind
+setfacl -dm ord:r /var/lib/bitcoind
+setfacl -m ord:r /var/lib/bitcoind/.cookie
+
+cp deploy/ord.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable ord
+systemctl restart ord

justfile

@@ -23,3 +23,12 @@ watch +args='ltest':
 
 install-dev-deps:
   cargo install cargo-criterion
+
+deploy:
+  ssh [email protected] mkdir -p deploy
+  rsync -avz deploy/checkout [email protected]:deploy/checkout
+  ssh [email protected] 'cd deploy && ./checkout'
+
+status:
+  ssh [email protected] systemctl status bitcoind
+  ssh [email protected] systemctl status ord