From ed480a35affaa1fd05905ae61ef952aa653331be Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Sun, 8 Aug 2021 10:58:47 +0200 Subject: [PATCH 1/4] joinmarket: 0.8.2 -> 0.8.3 Includes - coincurve: 13.0.0 -> 15.0.0 - Update Darkscience Tor onion address --- modules/joinmarket-ob-watcher.nix | 2 +- modules/joinmarket.nix | 2 +- pkgs/joinmarket/default.nix | 4 ++-- pkgs/python-packages/coincurve/default.nix | 14 ++++++-------- 4 files changed, 10 insertions(+), 12 deletions(-) diff --git a/modules/joinmarket-ob-watcher.nix b/modules/joinmarket-ob-watcher.nix index 62f670b..c668dde 100644 --- a/modules/joinmarket-ob-watcher.nix +++ b/modules/joinmarket-ob-watcher.nix @@ -11,7 +11,7 @@ let blockchain_source = no-blockchain [MESSAGING:server1] - host = darksci3bfoka7tw.onion + host = darkirc6tqgpnwd3blln3yfv5ckl47eg7llfxkmtovrv7c7iwohhb6ad.onion channel = joinmarket-pit port = 6697 usessl = true diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix index 8f46652..ca8fd29 100644 --- a/modules/joinmarket.nix +++ b/modules/joinmarket.nix @@ -30,7 +30,7 @@ let ${optionalString (cfg.rpcWalletFile != null) "rpc_wallet_file=${cfg.rpcWalletFile}"} [MESSAGING:server1] - host = darksci3bfoka7tw.onion + host = darkirc6tqgpnwd3blln3yfv5ckl47eg7llfxkmtovrv7c7iwohhb6ad.onion channel = joinmarket-pit port = 6697 usessl = true diff --git a/pkgs/joinmarket/default.nix b/pkgs/joinmarket/default.nix index 6a180ee..a94c691 100644 --- a/pkgs/joinmarket/default.nix +++ b/pkgs/joinmarket/default.nix @@ -1,10 +1,10 @@ { stdenv, lib, fetchurl, python3, nbPython3Packages, pkgs }: let - version = "0.8.2"; + version = "0.8.3"; src = fetchurl { url = "https://github.com/JoinMarket-Org/joinmarket-clientserver/archive/v${version}.tar.gz"; - sha256 = "0bi1d49kn57b0775cd8gzsc13dbiivvnhrc61d1xb4z1cr3ih8q2"; + sha256 = "0kcgp8lsgnbaxfv13lrg6x7vcbdi5yj526lq9vmvbbidyw4km3r2"; }; runtimePackages = with nbPython3Packages; [ 
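Review bot: The new Darkscience onion address is pasted verbatim into two modules — `modules/joinmarket-ob-watcher.nix` in this hunk and `modules/joinmarket.nix` in the next one — so the two copies can silently drift apart on the next address rotation; a single shared definition that both `[MESSAGING:server1]` blocks interpolate would keep them in step. The address itself cannot be checked from the patch, and a v3 onion has no visible relation to the old one it replaces, so a comment next to the value recording where it was confirmed, e.g. `# Darkscience IRC onion, verified against <source> on <date>`, lets a later reviewer re-check it without repeating the research.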
diff --git a/pkgs/python-packages/coincurve/default.nix b/pkgs/python-packages/coincurve/default.nix index 67e9a57..042ac67 100644 --- a/pkgs/python-packages/coincurve/default.nix +++ b/pkgs/python-packages/coincurve/default.nix @@ -1,20 +1,18 @@ -{ lib, buildPythonPackage, fetchPypi, asn1crypto, cffi, pkg-config, libtool, libffi, requests, gmp }: +{ lib, stdenv, buildPythonPackage, fetchPypi, asn1crypto, cffi, pkg-config, +autoconf, automake, libtool, libffi, requests }: buildPythonPackage rec { pname = "coincurve"; - version = "13.0.0"; + version = "15.0.0"; src = fetchPypi { inherit pname version; - sha256 = "1x8dpbq6bwswfyi1g4r421hnswp904l435rf7n6fj7y8q1yn51cr"; + sha256 = "0ras7qb4ib9sik703fcb9f3jrgq7nx5wvdgx9k1pshmrxl8lnlh6"; }; - nativeBuildInputs = [ pkg-config libtool libffi gmp ]; - - propagatedBuildInputs = [ asn1crypto cffi requests ]; - - # enable when https://github.com/ofek/coincurve/issues/47 is resolved doCheck = false; + nativeBuildInputs = [ autoconf automake libtool pkg-config ]; + propagatedBuildInputs = [ asn1crypto cffi libffi requests ]; meta = with lib; { description = "Cross-platform Python CFFI bindings for libsecp256k1"; From 6258d64cb63815e1d58af29b6b04427c09bee8c3 Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Sun, 8 Aug 2021 10:58:48 +0200 Subject: [PATCH 2/4] joinmarket: run with group 'bitcoin' Don't copy bitcoin-rpcpassword-privileged as root, instead run service with group "bitcoin". Same effect, less complexity. Note, PoLP still obeyed for joinmarket-ob-watcher. --- modules/joinmarket.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix index ca8fd29..5bd7e1e 100644 --- a/modules/joinmarket.nix +++ b/modules/joinmarket.nix 
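Review bot: `doCheck = false;` is kept but the line that justified it, `# enable when https://github.com/ofek/coincurve/issues/47 is resolved`, is deleted, so the setting now reads as an arbitrary choice; either restore that comment or replace it with the current reason, e.g. `# tests disabled: <reason for 15.0.0>`. The same hunk moves `libffi` from `nativeBuildInputs` to `propagatedBuildInputs` and drops `gmp` while adding `autoconf automake`; if that reflects what the 15.0.0 build script needs (I cannot confirm it from the patch), a one-line comment on the input lists would save the next version bump from re-deriving it.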
@@ -232,7 +232,7 @@ in { requires = [ "bitcoind.service" ]; after = [ "bitcoind.service" ]; serviceConfig = nbLib.defaultHardening // { - ExecStartPre = nbLib.privileged "joinmarket-create-config" '' + ExecStartPre = nbLib.script "joinmarket-create-config" '' install -o '${cfg.user}' -g '${cfg.group}' -m 640 ${configFile} ${cfg.dataDir}/joinmarket.cfg sed -i \ "s|@@RPC_PASSWORD@@|rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)|" \ @@ -270,7 +270,7 @@ in { group = cfg.group; home = cfg.dataDir; # Allow access to the tor control socket, needed for payjoin onion service creation - extraGroups = [ "tor" ]; + extraGroups = [ "tor" "bitcoin" ]; }; users.groups.${cfg.group} = {}; nix-bitcoin.operator = { From e2c6eb66814ef05096e99d128cbc78c822f13cfa Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Sun, 8 Aug 2021 10:58:49 +0200 Subject: [PATCH 3/4] joinmarket: create bitcoind wallet Starting with 0.21.0, bitcoin no longer automatically creates and loads a default wallet. This was being ignored because of a JoinMarket issue [1] in CI builds prior to this version. Now a watch-only Bitcoin Core wallet is created in ExecStartPost. [1] https://github.com/JoinMarket-Org/joinmarket-clientserver/issues/812 --- examples/configuration.nix | 2 +- modules/joinmarket.nix | 11 ++++++++--- modules/versioning.nix | 16 ++++++++++++++++ 3 files changed, 25 insertions(+), 4 deletions(-) diff --git a/examples/configuration.nix b/examples/configuration.nix index 65a5f98..f6f293b 100644 --- a/examples/configuration.nix +++ b/examples/configuration.nix @@ -245,6 +245,6 @@ # The nix-bitcoin release version that your config is compatible with. # When upgrading to a backwards-incompatible release, nix-bitcoin will display an # an error and provide hints for migrating your config to the new release. - nix-bitcoin.configVersion = "0.0.41"; + nix-bitcoin.configVersion = "0.0.49"; } diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix index 5bd7e1e..cd4bed0 100644 
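Review bot: `sed -i "s|@@RPC_PASSWORD@@|rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)|"` still expands the RPC password into sed's argument vector, so for the lifetime of that process it is readable from `/proc/<pid>/cmdline` by other local users unless procfs is mounted with hidepid, which the patch does not show; the commit changes who runs the script, not this. The substitution can be done with bash builtins only, so the secret never becomes a process argument: `pw=$(<${secretsDir}/bitcoin-rpcpassword-privileged)`, `cfg=$(<'${cfg.dataDir}/joinmarket.cfg')`, `printf '%s\n' "${cfg//@@RPC_PASSWORD@@/rpc_password = $pw}" > '${cfg.dataDir}/joinmarket.cfg'` (the `${…}` here is bash, so it needs `''${` escaping inside the Nix string). The enclosing `serviceConfig` attribute set continues outside the hunk.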
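Review bot: The comment above `extraGroups` explains only the `tor` membership, while the newly added `"bitcoin"` entry is what gives the service read access to `bitcoin-rpcpassword-privileged` in ExecStartPre (per the commit message), and nothing at this line says so. Add the reason beside it, e.g. `# "bitcoin": read access to bitcoin-rpcpassword-privileged (ExecStartPre)`. Group membership is coarser than the single file it is added for — every other group-readable file of `bitcoin` becomes readable to the joinmarket user — so the comment should name that trade-off, which the commit message accepts but the module does not record.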
--- a/modules/joinmarket.nix +++ b/modules/joinmarket.nix @@ -27,7 +27,7 @@ let rpc_port = ${toString bitcoind.rpc.port} rpc_user = ${bitcoind.rpc.users.privileged.name} @@RPC_PASSWORD@@ - ${optionalString (cfg.rpcWalletFile != null) "rpc_wallet_file=${cfg.rpcWalletFile}"} + ${optionalString (cfg.rpcWalletFile != null) "rpc_wallet_file = ${cfg.rpcWalletFile}"} [MESSAGING:server1] host = darkirc6tqgpnwd3blln3yfv5ckl47eg7llfxkmtovrv7c7iwohhb6ad.onion @@ -129,7 +129,7 @@ in { }; rpcWalletFile = mkOption { type = types.nullOr types.str; - default = null; + default = "jm_wallet"; description = '' Name of the watch-only bitcoind wallet the JoinMarket addresses are imported to. ''; @@ -244,7 +244,12 @@ in { walletname=wallet.jmdat wallet=${cfg.dataDir}/wallets/$walletname if [[ ! -f $wallet ]]; then - echo "Create wallet" + ${optionalString (cfg.rpcWalletFile != null) '' + echo "Create watch-only wallet ${cfg.rpcWalletFile}" + ${bitcoind.cli}/bin/bitcoin-cli -named createwallet \ + wallet_name="${cfg.rpcWalletFile}" \ + disable_private_keys=true + ''} pw=$(cat "${secretsDir}"/jm-wallet-password) cd ${cfg.dataDir} if ! ${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} $walletname $pw \ diff --git a/modules/versioning.nix b/modules/versioning.nix index f34eaac..445edf8 100644 --- a/modules/versioning.nix +++ b/modules/versioning.nix 
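Review bot: `createwallet` runs whenever the JoinMarket wallet file is missing, but the failure branch further down (`rm -f "$wallet" jm-wallet-seed`, outside the hunk) removes only the JoinMarket side, so after a failed `jm-genwallet` the next start issues `createwallet` for a bitcoind wallet that already exists; whether that error aborts the script depends on the errexit setting of `nbLib.script`, which is not visible here. Make the call idempotent, e.g. check `bitcoin-cli listwalletdir` for `${cfg.rpcWalletFile}` first, or fall back to `loadwallet` when creation reports the wallet already exists, so a half-finished first run does not wedge every later start. Separately, `wallet_name="${cfg.rpcWalletFile}"` interpolates the option straight into shell syntax; `wallet_name=${escapeShellArg cfg.rpcWalletFile}` (from `lib`) keeps a name containing quotes or `$` from breaking the script. The enclosing ExecStartPost script starts and ends outside the hunk.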
@@ -91,6 +91,22 @@ let rm -f "${secretsDir}"/{lnd-seed-mnemonic,jm-wallet-seed} ''; } + { + version = "0.0.49"; + condition = config.services.joinmarket.enable; + message = '' + Starting with 0.21.0, bitcoind no longer automatically creates and loads a + default wallet named `wallet.dat` [1]. + The joinmarket service now automatically creates a watch-only bitcoind wallet + (named by option `services.joinmarket.rpcWalletFile`) when creating a joinmarket wallet. + + If you've used JoinMarket before, add the following to your configuration to + continue using the default `wallet.dat` wallet: + services.joinmarket.rpcWalletFile = null; + + [1] https://github.com/bitcoin/bitcoin/pull/15454 + ''; + } ]; incompatibleChanges = optionals From 881a3aa0043ec9b66cce3fc8d8f587c4767e243a Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Sun, 8 Aug 2021 10:58:52 +0200 Subject: [PATCH 4/4] joinmarket: use preStart, postStart --- modules/joinmarket.nix | 56 ++++++++++++++++++++---------------------- 1 file changed, 27 insertions(+), 29 deletions(-) diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix index cd4bed0..bf5bac4 100644 --- a/modules/joinmarket.nix +++ b/modules/joinmarket.nix 
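Review bot: The message tells users the service "now automatically creates a watch-only bitcoind wallet … when creating a joinmarket wallet", but the creation script in `modules/joinmarket.nix` is gated on `bitcoind.network == "mainnet"` (the `mkIf` on ExecStartPost), so on testnet or regtest nothing is created while the new default `rpcWalletFile = "jm_wallet"` still points JoinMarket at that wallet — unless JoinMarket creates it itself, which I cannot confirm from the patch. Either state the mainnet condition in the message, e.g. append `(mainnet only; on other networks create the wallet manually or set the option to null)`, or widen the condition in the service. The advice to set `rpcWalletFile = null` relies on bitcoind still loading an existing unnamed `wallet.dat`, which holds for 0.21 as the linked PR describes.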
@@ -231,37 +231,35 @@ in { wantedBy = [ "multi-user.target" ]; requires = [ "bitcoind.service" ]; after = [ "bitcoind.service" ]; - serviceConfig = nbLib.defaultHardening // { - ExecStartPre = nbLib.script "joinmarket-create-config" '' - install -o '${cfg.user}' -g '${cfg.group}' -m 640 ${configFile} ${cfg.dataDir}/joinmarket.cfg + preStart = '' + install -o '${cfg.user}' -g '${cfg.group}' -m 640 ${configFile} ${cfg.dataDir}/joinmarket.cfg sed -i \ - "s|@@RPC_PASSWORD@@|rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)|" \ - '${cfg.dataDir}/joinmarket.cfg' + "s|@@RPC_PASSWORD@@|rpc_password = $(cat ${secretsDir}/bitcoin-rpcpassword-privileged)|" \ + '${cfg.dataDir}/joinmarket.cfg' ''; - # Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet - ExecStartPost = mkIf (bitcoind.network == "mainnet") - (nbLib.script "joinmarket-create-wallet" '' - walletname=wallet.jmdat - wallet=${cfg.dataDir}/wallets/$walletname - if [[ ! -f $wallet ]]; then - ${optionalString (cfg.rpcWalletFile != null) '' - echo "Create watch-only wallet ${cfg.rpcWalletFile}" - ${bitcoind.cli}/bin/bitcoin-cli -named createwallet \ - wallet_name="${cfg.rpcWalletFile}" \ - disable_private_keys=true - ''} - pw=$(cat "${secretsDir}"/jm-wallet-password) - cd ${cfg.dataDir} - if ! ${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} $walletname $pw \ - | grep 'recovery_seed' \ - | cut -d ':' -f2 \ - | (umask u=r,go=; cat > jm-wallet-seed); then - echo "wallet creation failed" - rm -f "$wallet" jm-wallet-seed - exit 1 - fi - fi - ''); + # Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet + postStart = mkIf (bitcoind.network == "mainnet") '' + walletname=wallet.jmdat + wallet=${cfg.dataDir}/wallets/$walletname + if [[ ! 
-f $wallet ]]; then + ${optionalString (cfg.rpcWalletFile != null) '' + echo "Create watch-only wallet ${cfg.rpcWalletFile}" + ${bitcoind.cli}/bin/bitcoin-cli -named createwallet \ + wallet_name="${cfg.rpcWalletFile}" disable_private_keys=true + ''} + pw=$(cat "${secretsDir}"/jm-wallet-password) + cd ${cfg.dataDir} + if ! ${nbPkgs.joinmarket}/bin/jm-genwallet --datadir=${cfg.dataDir} $walletname $pw \ + | grep 'recovery_seed' \ + | cut -d ':' -f2 \ + | (umask u=r,go=; cat > jm-wallet-seed); then + echo "wallet creation failed" + rm -f "$wallet" jm-wallet-seed + exit 1 + fi + fi + ''; + serviceConfig = nbLib.defaultHardening // { ExecStart = "${nbPkgs.joinmarket}/bin/joinmarketd"; WorkingDirectory = cfg.dataDir; # The service creates 'commitmentlist' in the working dir User = cfg.user;
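Review bot: The moved comment `# Generating wallets (jmclient/wallet.py) is only supported for mainnet or testnet` does not match the condition directly under it, `postStart = mkIf (bitcoind.network == "mainnet")`, which excludes testnet; since the patch rewrites both lines, align them, e.g. `# jmclient/wallet.py supports wallet generation on mainnet and testnet; only run it on mainnet here` or widen the condition if testnet was intended. Switching from `nbLib.script` to NixOS `preStart`/`postStart` also changes the shell preamble the script runs under; if `nbLib.script` set `pipefail` and the NixOS wrapper does not (I cannot see either here), `if ! jm-genwallet … | grep … | cut … | (…; cat > jm-wallet-seed)` now reports success when `jm-genwallet` fails and `cat` succeeds, leaving an empty seed file, so `set -o pipefail` at the top of `postStart` is worth adding explicitly. Lastly, `createwallet` is called without `load_on_startup=true`, so after a bitcoind restart the wallet stays unloaded unless bitcoind's settings or JoinMarket load it — a comment stating who is responsible for loading `${cfg.rpcWalletFile}` on later boots would make that contract visible.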