Add ProtectSystem=strict, remove PermissionStartOnly.
Extract the section of postStart that needs secrets dir write
access into a separate script with full privileges.
Simplify preStart and fix dataDir quoting.
Remove PermissionsStartOnly for bitcoind and spark-wallet (it was never
needed there)
Give reason for PermissionsStartOnly in lightning-charge
Replace PermissionsStartOnly in clightning, electrs and liquid
This is NixOS' recommended way to setup service dirs
https://github.com/NixOS/nixpkgs/pull/56265. This commit hands off the
initial data directory creation to systemd.tmpfiles.rules. All other
preStart scripts are left intact to limit this changes' scope.
In conjuction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.
However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
b8e10afe18 recurring-donations: Run under recurring-donations user (nixbitcoin)
5d01ea7101 nodeinfo: Convert to module and allow alternative operator username (nixbitcoin)
95d230d1d6 Remove bitcoinrpc group remnants (nixbitcoin)
563b210835 spark-wallet: Run under spark-wallet user (nixbitcoin)
205fca3576 bitcoind: only make blocksdir group-readable when dataDirReadableByGroup (nixbitcoin)
81a04a4ef1 lightning-charge: add dedicated user (nixbitcoin)
e67a818297 lightning-charge: 0.4.14 -> 0.4.19 (nixbitcoin)
0ba55757f8 clightning: allow group access to RPC socket (nixbitcoin)
304dd297ba clightning: remove config group read access (nixbitcoin)
04c6936ce9 clightning: Remove clightning "bitcoinrpc" membership (nixbitcoin)
393ab0fb3c electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes (nixbitcoin)
7cfae66db4 electrs: Drop insecure TLS ciphers (nixbitcoin)
4c139a6d77 electrs: Make TLSProxy truly optional (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK b8e10afe18
Tree-SHA512: d3828961b42b8730818b6f55bd9cb19a9c1a1fcecc426da903ba1304251bb4b3b38ff0e4d7b29945ae1bf3c7a42719431b8c91b74b01aeb8d3671026c3d6df75
currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option.
and nix-bitcoin-webindex.nix has nodeinfo as a dependecy.
so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
Electrs does not need to be a part of "bitcoinrpc" group because preStart
electrs.toml creation is handled by PermissionsStartOnly. "bitcoin"
group membership is only necessary when cfg.high-memory is enabled and
electrs reads blocks directly from the blocks directory.
Previously, the sessions contained only explicitly exported variables
and functions.
This was fragile and in part buggy due to lacking exports.
Interactive features like user-defined aliases and functions are still
working as before.
Download shesek's github spark-npm.tgz, verify signature, unpack
spark-npm.tgz, patch package.json to include qrcode-terminal in
dependencies, run node2nix with tmpdir as local source, replace tmpdir
spark-wallet source with shesek's github spark-npm.tgz in
node-packages.nix.
spark-wallet: erikarvstedt fixups
move script to pkg dir, add hint to script in pkg def
remove unneeded script deps
add extended bash error checking
rename DIR -> TMPDIR
remove TMPDIR on exit
strip whitespace, simplify comments
gpg2 -> gpg
latesttagelectrs -> latest
tmpdir: don't use XDG_RUNTIME_DIR
XDG_RUNTIME_DIR is often in RAM and shouldn't be used for larger
workloads like repo downlaods
verify fingerprint of the imported key
remove trailing '-' in output
simplify output
Hide --fetch-key output
Output is not relevant to user, looks better without it
More accurately describe ./get-sha256 function
User might think that ./get-sha256 automatically updates sha256 in default.nix
Fetch key from sks keyservers instead of keybase.io
Using --recv-key simplifies getting the right key, and only the
right key, greatly. I try to refrain from using sks keyservers,
but the certificate spamming attack shouldn't be an issue in this
case because we create a temporary keychain just for the
verificaiton.
remove unneeded cargoDepsHook
Make clang nativeBuildInput instead of buildInput
e95f5981aa Remove KN countrycode (nixbitcoin)
742aef1e0f Only set dataDirReadableByGroup if cfg.high-memory is enabled (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK e95f5981aa
Tree-SHA512: e8253b934211e6fc6be11917f8acb05a05e390caafdf86f90670f9299d9c0d98596758ff021c65aae199c9a5a3f86f87854e1b8f50a53bab8ad28d9a7003d98e
47b2b110cc pinned: make it easy to use pinned packages (William Casarin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 47b2b110cc
Tree-SHA512: 4a45eee55ff87d8f00f7ef7af7bd6dfc4674c492d45a4875dc933edb5d21e06cd1bcedc73b07b8a2b804a4b1fe9d52223e623d382a348524621749beda8cc115
It appears the pinned attrset is a bit adhoc. This generalizes
pinned.nix so that you can do:
$ nix build -f . pinned.stable.hwi
$ nix build -f . pinned.unstable.hwi
etc
Signed-off-by: William Casarin <jb55@jb55.com>
