Automate deployment (#187)
casey authored Mar 19, 2022
1 parent 412d055 commit 74b58ad
Showing 5 changed files with 200 additions and 0 deletions.
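--- a/deploy/bitcoind.service
+++ b/deploy/bitcoind.service
@@ -0,0 +1,83 @@
+# It is not recommended to modify this file in-place, because it will
+# be overwritten during package upgrades. If you want to add further
+# options or overwrite existing ones then use
+# $ systemctl edit bitcoind.service
+# See "man systemd.service" for details.
+
+# Note that almost all daemon options could be specified in
+# /etc/bitcoin/bitcoin.conf, but keep in mind those explicitly
+# specified as arguments in ExecStart= will override those in the
+# config file.
+
+[Unit]
+Description=Bitcoin daemon
+Documentation=https://github.com/bitcoin/bitcoin/blob/master/doc/init.md
+
+# https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/bitcoind \
+-daemonwait \
+-pid=/run/bitcoind/bitcoind.pid \
+-conf=/etc/bitcoin/bitcoin.conf \
+-datadir=/var/lib/bitcoind
+
+# Make sure the config directory is readable by the service user
+PermissionsStartOnly=true
+ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin
+
+# Process management
+####################
+
+Type=forking
+PIDFile=/run/bitcoind/bitcoind.pid
+Restart=on-failure
+TimeoutStartSec=infinity
+TimeoutStopSec=600
+
+# Directory creation and permissions
+####################################
+
+# Run as bitcoin:bitcoin
+User=bitcoin
+Group=bitcoin
+
+# /run/bitcoind
+RuntimeDirectory=bitcoind
+RuntimeDirectoryMode=0710
+
+# /etc/bitcoin
+ConfigurationDirectory=bitcoin
+ConfigurationDirectoryMode=0710
+
+# /var/lib/bitcoind
+StateDirectory=bitcoind
+StateDirectoryMode=0710
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
+PrivateTmp=true
+
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Deny access to /home, /root and /run/user
+ProtectHome=true
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target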
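Review bot: `PermissionsStartOnly=true` in [Service] is a deprecated systemd setting; the documented replacement is the `+` prefix on the one command that needs root, `ExecStartPre=+/bin/chgrp bitcoin /etc/bitcoin`, which keeps the privilege exception visible on the line that uses it. The header comment says the file is overwritten during package upgrades, but in this commit it is `deploy/setup` that copies it into `/etc/systemd/system/` on every deploy, so I would reword it to `# Installed by deploy/setup and overwritten on every deploy; use "systemctl edit bitcoind.service" for local overrides.` ExecStart also passes `-conf=/etc/bitcoin/bitcoin.conf`, and nothing on this page creates that file, so it looks like a second manual prerequisite next to the bitcoind binary and is worth naming in the N.B. comment of `deploy/setup`.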
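--- a/deploy/checkout
+++ b/deploy/checkout
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+if [[ ! -d ord ]]; then
+git clone https://github.com/casey/ord.git
+fi
+
+cd ord
+
+git fetch origin
+git checkout -B deploy
+git reset --hard origin/deploy
+git clean --force -d
+./deploy/setup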
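Review bot: `git reset --hard origin/deploy` followed by `./deploy/setup` executes whatever the deploy branch currently points to, and the justfile in this commit invokes the script over SSH as root, so write access to that branch is equivalent to root on the server. A signature check between the fetch and the reset would narrow that: `git verify-commit origin/deploy`, with the signer's public key provisioned on the host; under `set -e` a failed verification stops the deploy before anything runs. A short header comment would also help the next operator, stating that the script is meant to run as root from the remote `deploy` directory and that it discards local changes in `ord/` (`reset --hard`, `clean --force -d`).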
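--- a/deploy/ord.service
+++ b/deploy/ord.service
@@ -0,0 +1,58 @@
+[Unit]
+After=network.target
+Description=Ord server
+StartLimitBurst=120
+StartLimitIntervalSec=10m
+
+[Service]
+WorkingDirectory=/var/lib/ord
+Environment="RUST_LOG=info"
+ExecStart=/usr/local/bin/ord \
+--index-size 1TiB \
+--rpc-url 127.0.0.1:8332 \
+--cookie-file /var/lib/bitcoind/.cookie \
+index
+
+# Process management
+####################
+
+Type=simple
+Restart=on-failure
+TimeoutStopSec=10m
+RestartSec=5s
+
+# Directory creation and permissions
+####################################
+
+User=ord
+Group=ord
+
+# /var/lib/ord
+StateDirectory=ord
+StateDirectoryMode=0700
+
+# Hardening measures
+####################
+
+# Provide a private /tmp and /var/tmp.
+PrivateTmp=true
+
+# Mount /usr, /boot/ and /etc read-only for the process.
+ProtectSystem=full
+
+# Deny access to /home, /root and /run/user
+ProtectHome=true
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
+NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
+PrivateDevices=true
+
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+[Install]
+WantedBy=multi-user.target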
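Review bot: The [Unit] section orders ord only after `network.target`, yet ExecStart needs `/var/lib/bitcoind/.cookie` and the RPC endpoint at 127.0.0.1:8332, so at boot ord can start before bitcoind is ready and presumably relies on `Restart=on-failure` with `StartLimitBurst=120` to get there. Declaring the dependency is cleaner: `After=network.target bitcoind.service` plus `Wants=bitcoind.service`. On the security side, the cookie gives ord the same RPC rights as the node operator; if ord can authenticate with a username and password instead, a dedicated `rpcauth` user restricted with `rpcwhitelist` in bitcoin.conf would be least privilege, though this page does not show which RPC methods ord calls. `ProtectSystem=strict` also looks feasible here, since `StateDirectory=ord` stays writable under it and the unit appears to write only to its working directory.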
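--- a/deploy/setup
+++ b/deploy/setup
@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+# N.B. Bitcoind must be installed as /usr/local/bin/bitcoind.
+
+set -euxo pipefail
+
+apt-get update --yes
+apt-get upgrade --yes
+apt-get install --yes clang
+
+if [[ ! -e ~/.cargo/env ]]; then
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
+fi
+
+source ~/.cargo/env
+
+cargo build --release
+cp target/release/ord /usr/local/bin/ord
+
+id --user bitcoin || useradd --system bitcoin
+id --user ord || useradd --system ord
+
+cp deploy/bitcoind.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable bitcoind
+systemctl restart bitcoind
+
+setfacl -m ord:x /var/lib/bitcoind
+setfacl -dm ord:r /var/lib/bitcoind
+setfacl -m ord:r /var/lib/bitcoind/.cookie
+
+cp deploy/ord.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable ord
+systemctl restart ord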
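Review bot: The whole script runs as root (the justfile reaches it through `ssh root@…`), so the rustup installer piped from `curl` into `sh` and every build script and proc-macro that `cargo build --release` executes from the dependency tree run with root privileges on the production host. Building as an unprivileged user, or building elsewhere and copying a checksummed binary, would keep third-party code out of the root context; `cargo build --release --locked` would at least hold the build to the committed Cargo.lock, if the repository commits one. `cp target/release/ord /usr/local/bin/ord` is also likely to fail with "Text file busy" on a redeploy while the ord service is executing that file, whereas GNU `install -m 0755 target/release/ord /usr/local/bin/ord` replaces the file rather than writing into it. The `setfacl -m ord:r /var/lib/bitcoind/.cookie` line covers only the cookie that exists at that moment; as far as I know bitcoind regenerates the cookie on each start, so access after a restart depends on the default ACL set one line earlier, which deserves a comment saying so.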
9 changes: 9 additions & 0 deletions justfile
Expand Up @@ -23,3 +23,12 @@ watch +args='ltest':

install-dev-deps:
cargo install cargo-criterion

deploy:
ssh root@65.108.68.37 mkdir -p deploy
rsync -avz deploy/checkout root@65.108.68.37:deploy/checkout
ssh root@65.108.68.37 'cd deploy && ./checkout'

status:
ssh root@65.108.68.37 systemctl status bitcoind
ssh root@65.108.68.37 systemctl status ord
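Review bot: The `deploy` and `status` recipes repeat a literal `root@<address>` five times and log in directly as root, which commits the production address to the repository and requires root SSH login to stay enabled on the host. A single variable near the top of the justfile, for example `host := 'deploy@example.invalid'` (constructed placeholder) used as `ssh {{host}} …`, with the privileged steps run through sudo on the server, would keep the target in one place and let root login be disabled. In `status`, `systemctl status bitcoind` exits non-zero when the unit is not active, so the ord line is skipped exactly when something is wrong; prefixing the first line with `-` makes just continue past it. Only the tail of the justfile is visible in this hunk.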
