Merge fort-nix/nix-bitcoin#512: Remove bitcoind banlist

8dc4858872 bitcoind: remove banlist loader (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK 8dc4858872
  jonasnick:
    ACK 8dc4858872

Tree-SHA512: a3002863b1bcf97f2553d977006bffe0d0554df4d27f6a50898e9dc3a200a5a95878ba2038d5a32d8c3e54ced7a1bf6a8735e954b496fecb20af42637844329e

README.md

@@ -65,7 +65,7 @@ A [configuration preset](modules/presets/secure-node.nix) for setting up a secur
 
 NixOS modules ([src](modules/modules.nix))
 * Application services
-  * [bitcoind](https://github.com/bitcoin/bitcoin), with a default banlist against spy nodes
+  * [bitcoind](https://github.com/bitcoin/bitcoin)
   * [clightning](https://github.com/ElementsProject/lightning) with support for announcing an onion service\
     Available plugins:
     * [clboss](https://github.com/ZmnSCPxj/clboss): automated C-Lightning Node Manager

modules/bitcoind.nix

@@ -428,31 +428,6 @@ in {
         // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
     };
 
-    # Use this to update the banlist:
-    # wget https://people.xiph.org/~greg/banlist.cli.txt
-    systemd.services.bitcoind-import-banlist = {
-      description = "Bitcoin daemon banlist importer";
-      wantedBy = [ "bitcoind.service" ];
-      bindsTo = [ "bitcoind.service" ];
-      after = [ "bitcoind.service" ];
-      script = ''
-        cd ${cfg.cli}/bin
-        echo "Importing node banlist..."
-        cat ${./banlist.cli.txt} | while read line; do
-          if ! err=$(eval "$line" 2>&1) && [[ $err != *already\ banned* ]]; then
-            # unexpected error
-            echo "$err"
-            exit 1
-          fi
-        done
-      '';
-      serviceConfig = nbLib.defaultHardening // {
-        User = cfg.user;
-        Group = cfg.group;
-        ReadWritePaths = [ cfg.dataDir ];
-      } // nbLib.allowLocalIPAddresses;
-    };
-
     users.users.${cfg.user} = {
       isSystemUser = true;
       group = cfg.group;

modules/netns-isolation.nix

@@ -303,7 +303,6 @@ in {
         netns.bitcoind.address
       ] ++ map (n: netns.${n}.address) netns.bitcoind.availableNetns;
     };
-    systemd.services.bitcoind-import-banlist.serviceConfig.NetworkNamespacePath = "/var/run/netns/nb-bitcoind";
 
     services.clightning.address = netns.clightning.address;
 

test/tests.nix

@@ -214,7 +214,7 @@ let
         ../modules/presets/secure-node.nix
       ];
       tests.secure-node = true;
-      tests.banlist-and-restart = true;
+      tests.restart-bitcoind = true;
 
       # Stop electrs from spamming the test log with 'WARN - wait until IBD is over' messages
       tests.stop-electrs = true;

test/tests.py

@@ -361,31 +361,18 @@ def _():
     assert_file_exists("secrets/lnd-wallet-password")
 
 # Impure: restarts services
-@test("banlist-and-restart")
+@test("restart-bitcoind")
 def _():
-    machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
-    assert_no_failure("bitcoind-import-banlist")
-
-    # Current time in µs
-    pre_restart = succeed("date +%s.%6N").rstrip()
-
     # Sanity-check system by restarting bitcoind.
     # This also restarts all services depending on bitcoind.
     succeed("systemctl restart bitcoind")
 
-    # Now that the bitcoind restart triggered a banlist import restart, check that
-    # re-importing already banned addresses works
-    machine.wait_until_succeeds(
-        log_has_string(f"bitcoind-import-banlist --since=@{pre_restart}", "Importing node banlist")
-    )
-    assert_no_failure("bitcoind-import-banlist")
-
 @test("regtest")
 def _():
     def enabled(unit):
         if unit in enabled_tests:
             # Wait because the unit might have been restarted in the preceding
-            # 'banlist-and-restart' test
+            # 'restart-bitcoind' test
             machine.wait_for_unit(unit)
             return True
         else: