frozenkrill
nixify
the README suggests a QEMUlated Alpine box as a mechanism for system isolation
an interesting alternative approach could be a nix derivation
that could open up some interesting possibilities
cc @realeinherjar
QEMU is used for demonstration purposes; for real world usage we suggest a bare metal machine booted with a minimal linux/unix distribution without any network access. Right now we only create images for Alpine: https://github.com/planktonlabs/bootable-frozenkrill
We could offer NixOS ISO support perhaps using something like: https://nixos.wiki/wiki/Creating_a_NixOS_live_CD
Another related idea is nixifying the dev environment so you don't need to pre-install rust or other libraries
my inspiration actually comes from nix-bitcoin
Flakes-based quick start
If you use a Flakes-enabled version of Nix, run the following command to start a minimal nix-bitcoin QEMU VM:
nix run github:fort-nix/nix-bitcoin/release
The VM (defined in flake.nix) runs in the terminal and has bitcoind and clightning installed. It leaves no traces (outside of /nix/store) on the host system.
ISO implies extra steps that I believe nix allows us to bypass
a flake.nix would allow for a one-command kind of UX while deploying the entire QEMU setup in an automated way.
The fact that "it leaves no traces on the host system" can be leveraged for a more straightforward UX with little (?) security tradeoffs.
The question is: what is the security of the host system? In particular, at any moment in the past or future will it be connected to the internet?
Note that if you run the whole nix run github:fort-nix/nix-bitcoin/release inside something like xterm, then it's trivial for a keylogger to grab the password and if you connect to the Internet without completely wiping out your system, it will be able to upload this data to a remote server.
If you want to use it as a hot wallet, then it's okay, but I would say that the risk is too high for a cold wallet.