Compare commits

108 Commits

Author SHA1 Message Date
Greg Shuflin
ed567d67f2 Patch electrs to avoid chmod 2023-02-05 03:00:49 -08:00
Greg Shuflin
9538c63a76 Patch to prevent chmod 2023-02-05 03:00:49 -08:00
Jonas Nick
479e21a122
Merge fort-nix/nix-bitcoin#587: Fulcrum: Fix available memory detection
86dc7e2669 fulcrum: allow access to `/proc/meminfo` (Erik Arvstedt)
c948af2e18 dev/dev-features: add `enter_service` helper (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 86dc7e2669

Tree-SHA512: 5c2b7bc5e2247a7fb45e6c805162c02d87b4c917e4a1306134d634f418534b03e3152e402d17e054c410d3d72f3f5eb3d270fcb53019b2f96ea6b27ecae53755
2023-02-03 13:21:56 +00:00
Jonas Nick
475af2d6cb
Merge fort-nix/nix-bitcoin#586: Misc. improvements
addfa8ec6b test: support `run`, `debug` commands in basic NixOS tests (Erik Arvstedt)
ae733d887e tests/clightning-replication: reuse `pkgs` instance (Erik Arvstedt)
6cbd0d93ae tests: rename `clightningReplication` -> `clightning-replication` (Erik Arvstedt)
85310b533a secrets: use type `lines` for `generateSecretsCmds` (Erik Arvstedt)
bc2f66d4f1 bitcoind, liquid: increase start/stop timeouts (Erik Arvstedt)
519ae31202 netns-isolation: improve formatting (Erik Arvstedt)
a1023696e6 netns-isolation: reserve netns id for mempool (Erik Arvstedt)
34fe8675bd add option `nix-bitcoin.pkgOverlays` (Erik Arvstedt)
a3bdecb10b helper: add start-bash-session.sh (Erik Arvstedt)
690a8f6256 nodeinfo: extract fn `mkInfoLong` (Erik Arvstedt)
2af642f56a improve comments (Erik Arvstedt)
5634f08873 rtl: make `extraConfig` recursively mergeable (Erik Arvstedt)
b76728a1ec treewide: use bool literals for systemd (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK addfa8ec6b

Tree-SHA512: 46f779f8477b566ffc6d0dfb024f2098757f509b2b3e0cbb509cf3308de7029e913f6e6c3d6d3d226cc72f8a5031fd5586b2efdf7c2d9d15f4bdd7ed08b27425
2023-02-03 13:11:41 +00:00
Erik Arvstedt
addfa8ec6b
test: support run, debug commands in basic NixOS tests
Currently, this only affects the basic NixOS test `clightning-replication`.
2023-02-02 10:51:41 +01:00
Erik Arvstedt
ae733d887e
tests/clightning-replication: reuse pkgs instance
This reduces eval time by 30%.
2023-02-02 10:51:41 +01:00
Erik Arvstedt
6cbd0d93ae
tests: rename clightningReplication -> clightning-replication
The test name now matches the file name.
2023-02-02 10:51:41 +01:00
Erik Arvstedt
85310b533a
secrets: use type lines for generateSecretsCmds
This allows users to amend secrets cmds.
2023-02-02 10:51:41 +01:00
Erik Arvstedt
bc2f66d4f1
bitcoind, liquid: increase start/stop timeouts 2023-02-02 10:51:41 +01:00
Erik Arvstedt
519ae31202
netns-isolation: improve formatting 2023-02-02 10:51:41 +01:00
Erik Arvstedt
a1023696e6
netns-isolation: reserve netns id for mempool
This allows using the old id in the extension flake, so that
existing configs are not changed.
2023-02-02 10:51:41 +01:00
Erik Arvstedt
34fe8675bd
add option nix-bitcoin.pkgOverlays
This simplifies extending `nix-bitcoin.pkgs` and is required for
extension flakes.
For now, mark this as `internal`.
2023-02-02 10:51:40 +01:00
Erik Arvstedt
a3bdecb10b
helper: add start-bash-session.sh 2023-02-02 10:51:40 +01:00
Jonas Nick
397d2bab9b
Merge fort-nix/nix-bitcoin#589: rtl: 0.13.2 -> 0.13.4
6291d4fbea rtl: 0.13.2 -> 0.13.4 (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 6291d4fbea

Tree-SHA512: bc52cbdb12f311446eb79960c6500261c97ff5d12baaf1248056a1eb3507c64cb788db2ee25d05bf0bec6d4f78a544fdd037cf34fd3b56adcc6b0fe556e1158b
2023-01-28 22:42:48 +00:00
Jonas Nick
0e4af28df0
Merge fort-nix/nix-bitcoin#588: update nixpkgs
56c2abd91a update nixpkgs (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 56c2abd91a

Tree-SHA512: b2acbd4e944007448b821c4a02f2f8e925d006b3e92011497019db9fe247d6a130cf875203c2c2830a83042f87d1916163d2b1604077812edc7d11b073047a7f
2023-01-28 10:55:04 +00:00
Erik Arvstedt
6291d4fbea
rtl: 0.13.2 -> 0.13.4 2023-01-26 23:08:05 +01:00
Erik Arvstedt
690a8f6256
nodeinfo: extract fn mkInfoLong
This is required by the mempool extension flake.
2023-01-26 11:17:03 +01:00
Erik Arvstedt
2af642f56a
improve comments
The comment in python-packages was obsolete.
2023-01-26 11:17:02 +01:00
Erik Arvstedt
56c2abd91a
update nixpkgs
btcpayserver: 1.7.2 -> 1.7.3
electrs: 0.9.10 -> 0.9.11
hwi: 2.1.1 -> 2.2.0
2023-01-25 23:57:29 +01:00
Erik Arvstedt
86dc7e2669
fulcrum: allow access to /proc/meminfo
This still hides the proc subdirectories for other processes.

Without this setting, fulcrum fails when the config value of
`fast-sync` is greater than 2^31 bytes.
2023-01-21 13:28:32 +01:00
Erik Arvstedt
c948af2e18
dev/dev-features: add enter_service helper 2023-01-21 13:20:49 +01:00
Erik Arvstedt
5634f08873
rtl: make extraConfig recursively mergeable
Previously, when merging different definitions of `extraConfig`,
only the top-level attrset was merged.

Example:
The two separate settings
  nodes.lnd.extraConfig.Settings.userPersona = "MERCHANT";
  nodes.lnd.extraConfig.Settings.logLevel = "DEBUG";
were previously merged into
  nodes.lnd.extraConfig.Settings = { logLevel = "DEBUG" };
(The last definition has precedence.)
2023-01-20 13:46:08 +01:00
Erik Arvstedt
b76728a1ec
treewide: use bool literals for systemd
Run this from the repo root to check that there are no more remaining
bool strings:
grep -P '"true"|"false"' -r --exclude-dir=.git
2023-01-20 13:46:08 +01:00
Jonas Nick
84fc4d48d3
Merge fort-nix/nix-bitcoin#574: Add dev helper and docs
b4d7e1aa8f add dev helper and docs (Erik Arvstedt)
b35d08d3f2 docs: move test docs from `examples/README` to `test/README` (Erik Arvstedt)
4d76eb9183 docs/configuration: fix typo (Erik Arvstedt)
dc0710f3f4 tests: add example scenario `customTest` (Erik Arvstedt)
9e30d2728b tests: formatting (Erik Arvstedt)
c6d85c6fe3 tests: fix broken unit file when clightning is disabled (Erik Arvstedt)
a51f7b419e run-tests: use arg instead of env var for scenario overrides (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK b4d7e1aa8f

Tree-SHA512: f0ed8f8fe326c64eac3b7e9f48597dd00eedb9244333e199d18d1c2c06f369cd015f77aefd48e87235a68aee0b352057249525bf015e0a564fda380bdf7bb9d1
2023-01-18 20:53:24 +00:00
Erik Arvstedt
b4d7e1aa8f
add dev helper and docs 2023-01-15 20:28:49 +01:00
Erik Arvstedt
b35d08d3f2
docs: move test docs from examples/README to test/README 2023-01-15 20:28:48 +01:00
Erik Arvstedt
4d76eb9183
docs/configuration: fix typo 2023-01-15 20:28:48 +01:00
Erik Arvstedt
dc0710f3f4
tests: add example scenario customTest 2023-01-15 20:28:48 +01:00
Jonas Nick
dfeff7b17b
Merge fort-nix/nix-bitcoin#582: update nixpkgs
9019a17bfc versioning: add fulcrum db change info (Erik Arvstedt)
aae4b6bfc5 update nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 9019a17bfc

Tree-SHA512: d1620431beca7841d0e16deedef2c77364db1d7d2f8edf61cdf4ee2d2f8759736acf64fe9764bef0687a283e6d4eb45e4533e92fa1db601a0f2b331182135e10
2023-01-08 10:57:06 +00:00
Erik Arvstedt
9019a17bfc
versioning: add fulcrum db change info 2023-01-07 19:32:54 +00:00
Jonas Nick
aae4b6bfc5
update nixpkgs
btcpayserver: 1.7.1 -> 1.7.2
fulcrum: 1.8.2 -> 1.9.0
nbxplorer: 2.3.49 -> 2.3.54
2023-01-06 22:53:47 +00:00
Erik Arvstedt
9e30d2728b
tests: formatting
Move line next to `services.lnd` config for clarity.
2023-01-06 23:46:43 +01:00
Erik Arvstedt
c6d85c6fe3
tests: fix broken unit file when clightning is disabled
Previously, an incomplete clightning unit was always created because
attr `clightning` was always defined in option attrset `systemd.services`.
2023-01-06 23:46:43 +01:00
Erik Arvstedt
a51f7b419e
run-tests: use arg instead of env var for scenario overrides
This removes a source of implicit state and guarantees that regular
calls to `run-tests.sh` always run the builtin tests.
2023-01-06 23:46:43 +01:00
Jonas Nick
da612fe84f
Merge fort-nix/nix-bitcoin#577: Upgrade to NixOS 22.11
4b5b4eac58 examples/deploy-container: fix `sudo` env propagation (Erik Arvstedt)
8d476cfeaf nix-bitcoin/runAsUserCmd: remove workaround (Erik Arvstedt)
00cceca861 joinmarket: fix Python packages (Erik Arvstedt)
e4b8e14d3a clightning: fix Python packages (Erik Arvstedt)
d1ef2a6e1e pythonPackages: improve layout (Erik Arvstedt)
74c8593407 pythonPackages: add indentation (Erik Arvstedt)
109dccca27 treewide: use `mdDoc` for descriptions (Erik Arvstedt)
a9c1995ed9 treewide: rename maintainer `earvstedt` -> `erikarvstedt` (Erik Arvstedt)
9e456ea3a9 shellcheck-services.nix: update to NixOS 22.11 (Erik Arvstedt)
77d58162e7 test: update to NixOS 22.11 (Erik Arvstedt)
142cbcfb37 flake: remove 32-bit systems (Erik Arvstedt)
c9b1e59f20 update to NixOS 22.11 (Erik Arvstedt)
62515a5696 helper/update-flake: support updating NixOS versions (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 4b5b4eac58

Tree-SHA512: b6ff443c4c6721dee9e6bf8f068d72c819851d54cb52d3fec64475cd884825063c28a87b2e9d1645617b7d0e7c1d52ee1ccd898f833c720c25f1b07add938cd5
2023-01-06 22:37:46 +00:00
Erik Arvstedt
4b5b4eac58
examples/deploy-container: fix sudo env propagation
Env vars can't be reliably passed through `sudo`, so always
call nix-shell to set up the env after running sudo.
2023-01-06 23:23:54 +01:00
Erik Arvstedt
8d476cfeaf
nix-bitcoin/runAsUserCmd: remove workaround 2023-01-03 16:18:27 +01:00
Jonas Nick
700b6d8c90
Merge fort-nix/nix-bitcoin#580: minor typo
1b4c5749f6 minor typo (JayDeLux)

Pull request description:

Top commit has no ACKs.

Tree-SHA512: 917421f7076cee73cdbac925b20cd84fc94fe350b35bb736a5b15d193200a72b5be80cc10e9adf5ffdb640e36db0a977be8aef8a5bb4d3a42224ebd7b4a62f29
2023-01-02 20:32:13 +00:00
JayDeLux
1b4c5749f6
minor typo 2022-12-28 16:31:03 +01:00
Jonas Nick
a6ab131e7d
Merge fort-nix/nix-bitcoin#578: rtl: 0.13.1 -> 0.13.2
314020b246 rtl: 0.13.1 -> 0.13.2 (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 314020b246

Tree-SHA512: 553dd1b34fce8847f650a187ab39c0827461bf49693c11c5329186fba7864538e13700f50bb30c59e1988ce72fcecb5a06c491c30e7a1fcc2d0457f398234dc2
2022-12-22 22:18:13 +00:00
Erik Arvstedt
314020b246
rtl: 0.13.1 -> 0.13.2 2022-12-20 23:24:24 +01:00
Erik Arvstedt
00cceca861
joinmarket: fix Python packages 2022-12-18 20:01:53 +01:00
Erik Arvstedt
e4b8e14d3a
clightning: fix Python packages
Patching `pyln-proto` to use cryptography 38 lets
us avoid adding many older Python pkg versions.

The backwards incompatible changes from cryptography 36 to 38
only include the removal of deprecated fns that pyln-proto
doesn't use.
See string "BACKWARDS INCOMPATIBLE" in
https://cryptography.io/en/latest/changelog/
2022-12-18 20:01:53 +01:00
Erik Arvstedt
d1ef2a6e1e
pythonPackages: improve layout
- Move the creation of the joinmarket Python pkgs from
  `joinmarket/default.nix` to `pkgs/python-packages/default.nix`.

- Move definitions of old pkg versions from the main Python pkgs
  to the joinmarket Python pkgs.
  These old versions are only required by joinmarket.
2022-12-18 20:01:52 +01:00
Erik Arvstedt
74c8593407
pythonPackages: add indentation
This makes the following commit more readable.
2022-12-18 20:01:52 +01:00
Erik Arvstedt
109dccca27
treewide: use mdDoc for descriptions
Enable markdown syntax (instead of docbook) for descriptions.
This only affects external doc tooling that renders the descriptions.
2022-12-18 20:01:52 +01:00
Erik Arvstedt
a9c1995ed9
treewide: rename maintainer earvstedt -> erikarvstedt 2022-12-18 20:01:52 +01:00
Erik Arvstedt
9e456ea3a9
shellcheck-services.nix: update to NixOS 22.11 2022-12-18 20:01:52 +01:00
Erik Arvstedt
77d58162e7
test: update to NixOS 22.11 2022-12-18 20:01:52 +01:00
Erik Arvstedt
142cbcfb37
flake: remove 32-bit systems 2022-12-18 20:01:52 +01:00
Erik Arvstedt
c9b1e59f20
update to NixOS 22.11
This includes no pkg version updates.
2022-12-18 20:01:52 +01:00
Erik Arvstedt
62515a5696
helper/update-flake: support updating NixOS versions 2022-12-18 20:01:48 +01:00
Jonas Nick
932e4c93bc
Merge fort-nix/nix-bitcoin#576: joinmarket: 0.9.7 -> 0.9.8
81166a012e joinmarket: 0.9.7 -> 0.9.8 (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 81166a012e

Tree-SHA512: 1a6416ed9b4829017411cec23e2c2f2fd28b02a26893339926b26e0ec4c55f087ec042b81aae5f4d34143cd78f4edc16d6e82b4b70e29fc1427f94417ed0dd3b
2022-12-17 13:52:42 +00:00
Jonas Nick
84382e3338
Merge fort-nix/nix-bitcoin#573: update nixpkgs
d1b3a4617d clightning: set "database-upgrade=true" for 22.11.1 (Jonas Nick)
875fac6862 update nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK d1b3a4617d

Tree-SHA512: 91c347006e0c47e3f365597be95469c2a547a442cd4adb9f906fb6ef63a3ce78ed788304a81870652b3b91f9dd180124a8b048cb69389889e346ab1420d8722b
2022-12-17 13:33:38 +00:00
Jonas Nick
d1b3a4617d
clightning: set "database-upgrade=true" for 22.11.1 2022-12-17 12:43:33 +00:00
nixbitcoin
81166a012e
joinmarket: 0.9.7 -> 0.9.8 2022-12-15 17:47:35 +00:00
Jonas Nick
875fac6862
update nixpkgs
btcpayserver: 1.6.12 -> 1.7.1
bitcoind: 24.0 -> 24.0.1
clightning: 0.12.1 -> 22.11.1
lnd: 0.15.4-beta -> 0.15.5-beta
nbxplorer: 2.3.41 -> 2.3.49
2022-12-14 14:48:54 +00:00
Jonas Nick
5cafafd027
Merge fort-nix/nix-bitcoin#572: update nixpkgs
d9fdc49e9a update nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK d9fdc49e9a

Tree-SHA512: b4e1ecfae7c5d549739d79b11bd379bd8e85206097301280a69301dd41e1b4fe1f82dedb7cf3dd805e1ac530d3ac43f108043af6b54a07519898d71a016b55fc
2022-11-28 14:40:13 +00:00
Jonas Nick
d9fdc49e9a
update nixpkgs
bitcoin: 23.0 -> 24.0
bitcoind: 23.0 -> 24.0
charge-lnd: 0.2.12 -> 0.2.13
2022-11-28 12:54:11 +00:00
Jonas Nick
8b091eb661
Merge fort-nix/nix-bitcoin#571: lnd: support INADDR_ANY addresses for bitcoind.zmqpubraw*
c5493717b7 lnd: support `INADDR_ANY` addresses for `bitcoind.zmqpubraw*` (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK c5493717b7

Tree-SHA512: 227e047a0c114beaed82c417d6c400aa8bc16763b9ebf5aa94e8132d68c0641af0b79cd7e5ab6f5ad16412dc9efb83080760f75aa22fc67ec9d93f623adb27b9
2022-11-20 22:11:28 +00:00
Erik Arvstedt
c5493717b7
lnd: support INADDR_ANY addresses for bitcoind.zmqpubraw*
Also use `mkDefault` when defining `bitcoind.zmqpubraw*` to simplify
overriding for users.
2022-11-11 12:10:00 +01:00
Jonas Nick
81350a03c9
Merge fort-nix/nix-bitcoin#570: Update nixpkgs
a333989ca8 update nixpkgs (Jonas Nick)
313e374774 Revert "pkgs: add lnd 0.15.4 (hotfix)" (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK a333989ca8

Tree-SHA512: cf9a0c42002f00eadcb6e97211358210c6ab214f467b25af23c70477c40134b3d9a26c7ff00ec15d5a06f2a4bfe9832b11e6ae0faa136249c1180f5ae2e59734
2022-11-10 12:56:47 +00:00
Jonas Nick
4a533d90ea
Merge fort-nix/nix-bitcoin#568: Minor improvements
0de16095e1 clightning-replication: switch system before waiting for server sshd (Erik Arvstedt)
d332177d3e clightning: extract var `bitcoind` (Erik Arvstedt)
1b5e51b7fe examples/vm-config: fix syntax error (Erik Arvstedt)
565deb770a examples/minimal-vm: add `lightning-cli` demo command (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 0de16095e1

Tree-SHA512: cafcc7a51152b480d26a55c926b21a01ef7565c948cf28926017565c1ef180e7500494eefb4b114ab371d4d0a62f9efd2ebf3722877d1c62f890827cd7b34574
2022-11-10 12:56:12 +00:00
Jonas Nick
1800ed7cb3
Merge fort-nix/nix-bitcoin#569: treewide: set shebang for bash scripts
0447c5bacb treewide: set shebang for bash scripts (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 0447c5bacb

Tree-SHA512: a3160833ae445a8b25f559f9e76a2c86537041d731b7404db05e388ec4e2afd7028a06cfbd1ba05b827b1270c3278836b603dab4b9bf3551795298e22bf9e734
2022-11-10 11:08:24 +00:00
Jonas Nick
a333989ca8
update nixpkgs
electrs: 0.9.9 -> 0.9.10
elementsd: 22.0 -> 22.0.2
extra-container: 0.10 -> 0.11
lnd: 0.15.2-beta -> 0.15.4-beta
2022-11-10 11:03:23 +00:00
Jonas Nick
313e374774
Revert "pkgs: add lnd 0.15.4 (hotfix)"
This reverts commit 57b76d4461.
2022-11-10 10:56:12 +00:00
Erik Arvstedt
0447c5bacb
treewide: set shebang for bash scripts
These scripts previously failed when called with syscalls like
`execve` (used by, e.g., Python's `subprocess.run`) that use no default
interpreter for scripts without a shebang.
2022-11-08 23:04:56 +01:00
Erik Arvstedt
0de16095e1
clightning-replication: switch system before waiting for server sshd
This is primarily a cosmetic change.
- Increases code clarity because all system test blocks now start with `switch_to_system`
- Optimizes dependency ordering because `switch_to_system` has no
  dependency on the server sshd
2022-11-04 11:51:44 +01:00
Erik Arvstedt
d332177d3e
clightning: extract var bitcoind
Follow the default module formatting style.
2022-11-04 11:07:36 +01:00
Erik Arvstedt
1b5e51b7fe
examples/vm-config: fix syntax error 2022-11-04 00:33:53 +01:00
Erik Arvstedt
565deb770a
examples/minimal-vm: add lightning-cli demo command 2022-11-04 00:33:31 +01:00
Jonas Nick
a576fa3afe
Merge fort-nix/nix-bitcoin#559: Define tests via flake
edbaeb9813 tests: define tests via flake (Erik Arvstedt)
90e942e5ae nodeinfo: rename `nodeinfoLib` -> `lib` (Erik Arvstedt)
8eaa4cce30 tests: move `mkIfTest` to `nix-bitcoin.lib` (Erik Arvstedt)
47a09ec214 flake: expose `supportedSystems` (Erik Arvstedt)
b0dfa69e84 nixos-search/flake: formatting (Erik Arvstedt)
d428755399 flake: rename input `nixpkgsUnstable` -> `nixpkgs-unstable` (Erik Arvstedt)
a12b701e75 tests/container: don't require `services.clightning` to be defined (Erik Arvstedt)
450de19803 tests/run-tests.sh: print examples before running (Erik Arvstedt)
5f1bb2a8fc tests/copy-src: always copy .git dir (Erik Arvstedt)
a87a59a86b make-container.sh: improve root handling (Erik Arvstedt)
b616d7ac1b profiles/hardened: support pure eval mode (Erik Arvstedt)
73d2fbb448 add compatibility with Nix PR #6530 (`Source tree abstraction`) (Erik Arvstedt)
3c816b862c tests/vmWithoutTests: poweroff on shell exit (Erik Arvstedt)
1d3f49f8da tests, example: avoid lengthy documentation build (Erik Arvstedt)
b840548d40 test/shellcheck-services: add configurable source prefix (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK edbaeb9813

Tree-SHA512: 824c028917816725fb12cd6808947994b13646514ae4dca092e11e6237314ac13157adbba7e79110820d54657eca4f5f4c80946216fa3cb4c7801aec2d0b517d
2022-11-03 22:15:05 +00:00
Erik Arvstedt
edbaeb9813
tests: define tests via flake
Advantages:
- Pure test evaluations
- The test framework can now be used by flakes that extend nix-bitcoin
- Most features of `run-tests.sh` are now accessible via `nix build`/`nix run`.
  We keep `run-tests.sh` for advanced features like `scenarioOverridesFile` and ad hoc scenarios.

Other changes:
- `run-tests.sh` now builds aggregate VM tests like `basic` or
  `buildable` by creating all VMs in a single evaluation.
  This speeds up the tests and eases debugging by separating the eval and build steps.
- Use the new `nix` CLI which has improved build output logging
  by prefixing output lines with the origin drv name.
2022-11-03 23:08:06 +01:00
Erik Arvstedt
90e942e5ae
nodeinfo: rename nodeinfoLib -> lib 2022-11-03 23:08:06 +01:00
Erik Arvstedt
8eaa4cce30
tests: move mkIfTest to nix-bitcoin.lib 2022-11-03 23:08:06 +01:00
Erik Arvstedt
47a09ec214
flake: expose supportedSystems 2022-11-03 23:08:05 +01:00
Erik Arvstedt
b0dfa69e84
nixos-search/flake: formatting 2022-11-03 23:08:05 +01:00
Erik Arvstedt
d428755399
flake: rename input nixpkgsUnstable -> nixpkgs-unstable
This follows common flake naming conventions.
2022-11-03 23:08:05 +01:00
Erik Arvstedt
a12b701e75
tests/container: don't require services.clightning to be defined 2022-11-03 23:08:05 +01:00
Erik Arvstedt
450de19803
tests/run-tests.sh: print examples before running
This eases debugging example failures.
2022-11-03 23:08:05 +01:00
Erik Arvstedt
5f1bb2a8fc
tests/copy-src: always copy .git dir
This is required by a later commit that introduces flakes-based test
evaluation. Evaluating local flakes needs a repo dir.
2022-11-03 23:08:05 +01:00
Erik Arvstedt
a87a59a86b
make-container.sh: improve root handling
Don't auto-switch to root when executing make-container.sh, because
auto root switching is also implemented in extra-container.

Besides simplifying the code, this is useful for a later commit that
introduces flakes-based container building.
With this change, the container is built under the regular user
instead of root, thereby utilizing the user's regular fetcher and
evaluation caches.
2022-11-03 23:08:05 +01:00
Erik Arvstedt
b616d7ac1b
profiles/hardened: support pure eval mode 2022-11-03 23:08:05 +01:00
Erik Arvstedt
73d2fbb448
add compatibility with Nix PR #6530 (Source tree abstraction)
Avoid adding flake resource paths to the store (via string
interpolation).
This reduces performance and can lead to modules getting imported
twice, once through a local path and once through a store path.

This might not be needed in a future Nix release, in which case we can
revert this.
2022-11-03 23:08:05 +01:00
Erik Arvstedt
3c816b862c
tests/vmWithoutTests: poweroff on shell exit
This allows quitting the VM with Ctrl-D like in the minimal example VM.
2022-11-03 23:08:04 +01:00
Erik Arvstedt
1d3f49f8da
tests, example: avoid lengthy documentation build
This options manual rebuild takes 30-60s and is triggered by the extra
NixOS options defined by nix-bitcoin.
2022-11-03 23:08:04 +01:00
Erik Arvstedt
b840548d40
test/shellcheck-services: add configurable source prefix
This allows using this module for services defined outside of nix-bitcoin.
2022-11-03 23:08:04 +01:00
Jonas Nick
dcca4fb262
Merge fort-nix/nix-bitcoin#567: bitcoind: fix rare startup error
b412de3ad7 bitcoind: fix rare startup error (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK b412de3ad7

Tree-SHA512: 217f9c220b2906b4c5df2d9fbd2116c693eef25af18672ddf9065428a0946af45d704ece05963f4c8c41678397627580610b949bb0a086d8f9c559c08b3d308c
2022-11-03 22:02:59 +00:00
Erik Arvstedt
b412de3ad7
bitcoind: fix rare startup error
Previously, dhcpcd and bitcoind starting up in parallel could lead to
the following error in bitcoind:
```
bitcoind: libevent: getaddrinfo: address family for nodename not supported
bitcoind: Binding RPC on address 127.0.0.1 port 8332 failed.
bitcoind: Unable to bind any endpoint for
```
After the initial failure, the bitcoind service would always restart successfully.

This race condition, where both applications were simultaneously
manipulating network resources, was only triggered under specific
hardware conditions.

Fix it by running bitcoind after dhcp has started (by running after
`network-online.target`).
This bug and the fix only affect the default NixOS scripted
networking backend.
2022-11-02 12:02:03 +01:00
Jonas Nick
a174dc8093
Merge fort-nix/nix-bitcoin#565: pkgs: add lnd 0.15.4 (hotfix)
57b76d4461 pkgs: add lnd 0.15.4 (hotfix) (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 57b76d4461

Tree-SHA512: ab3ee937ffea5bae3b16bad8488c49a440d7c52ba77b9588badabd011798190c2592caf8039ec72615e803bc7a9ac337b055739888a69ae9203fc5bde3548bae
2022-11-01 13:30:34 +00:00
Erik Arvstedt
57b76d4461
pkgs: add lnd 0.15.4 (hotfix)
Includes an emergency hotfix:
https://github.com/lightningnetwork/lnd/releases/tag/v0.15.4-beta
2022-11-01 14:12:56 +01:00
Jonas Nick
7c16fc5865
Merge fort-nix/nix-bitcoin#563: lnd: fix missing RPC permissions when bitcoind is pruned
67949a002a lnd: fix missing RPC permissions when bitcoind is pruned (Erik Arvstedt)
49303be2e0 test/shellcheck-services: fix error by excluding unavailable services (Erik Arvstedt)
46f17fe313 test/shellcheck-services: simplify accessing service definitions (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 67949a002a

Tree-SHA512: 28652d8ec67a164aef068f3df32d1ae8df4e0920cafedc6e3d568b631333b29e57f7370e54a82e7cde9710a3df0a1494ed94272af101d31dd7859a08bb363e4b
2022-10-28 08:38:28 +00:00
Jonas Nick
a7357c1176
Merge fort-nix/nix-bitcoin#551: tests: Reenable flake-info
277510c7ee tests: run flake-info in sandbox (Erik Arvstedt)
d3b7e8c432 revert "tests: disable `nixosSearch`" (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 277510c7ee

Tree-SHA512: 2d242aeb65c65c4c3905cc66959092c1da923b9de9ce08ee68319b6475f4fd6f6148b5ac5ca312462b1fb38e8fc61706361f58886afc5052f65a18fb7a61de60
2022-10-26 07:25:27 +00:00
Erik Arvstedt
67949a002a
lnd: fix missing RPC permissions when bitcoind is pruned 2022-10-25 22:56:51 +02:00
Erik Arvstedt
49303be2e0
test/shellcheck-services: fix error by excluding unavailable services 2022-10-25 22:36:30 +02:00
Erik Arvstedt
46f17fe313
test/shellcheck-services: simplify accessing service definitions
This also improves performance by removing the extra module evaluation.
2022-10-25 22:36:30 +02:00
Erik Arvstedt
277510c7ee
tests: run flake-info in sandbox
Don't use sandboxing in Cirrus CI where namespace support is missing.
2022-10-25 22:04:17 +02:00
Jonas Nick
9d074e1985
Merge fort-nix/nix-bitcoin#560: Update nixpkgs
c88acbb1bb btcpayserver: use new option `certfilepath` for lnd (Erik Arvstedt)
13a835e88f Revert "pkgs: add lnd 0.15.2" (Erik Arvstedt)
3549725b51 update nixpkgs (Erik Arvstedt)
61c539d5b6 defaultHardening: allow syscall `set_mempolicy` (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK c88acbb1bb

Tree-SHA512: 450fc27bb738d7465be829bc6ceda0030cdfc6bb75d15001986450c8189d675fe0fd0a0e6875c0224a239be0aae3acbecb74fb3b970fb6a8dfedd1d463a93d55
2022-10-25 07:57:01 +00:00
Erik Arvstedt
c88acbb1bb
btcpayserver: use new option certfilepath for lnd 2022-10-24 12:47:01 +02:00
Erik Arvstedt
13a835e88f
Revert "pkgs: add lnd 0.15.2"
This reverts commit cf836b5d3b.
2022-10-24 11:50:36 +02:00
Erik Arvstedt
3549725b51
update nixpkgs
btcpayserver: 1.6.10 -> 1.6.12
clightning: 0.12.0 -> 0.12.1
fulcrum: 1.8.1 -> 1.8.2
nbxplorer: 2.3.33 -> 2.3.41
2022-10-24 11:49:03 +02:00
Erik Arvstedt
61c539d5b6
defaultHardening: allow syscall set_mempolicy
This syscall is safe to allow.
It's required by the dotnet runtime (btcpayserver, nbxplorer) update
introduced in the following commit.
2022-10-22 23:54:08 +02:00
Jonas Nick
9fc05e384c
Merge fort-nix/nix-bitcoin#553: pkgs: add lnd 0.15.2
cf836b5d3b pkgs: add lnd 0.15.2 (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK cf836b5d3b

Tree-SHA512: 499cf4989f432946e0ec476cb0c22975614f05e8958c616a5897026098613dd7a20be83e144defdf19b0bf86c3cbd2f6cabb8397d40b1e3bcbda96d9b5e12860
2022-10-10 11:52:27 +00:00
Erik Arvstedt
cf836b5d3b
pkgs: add lnd 0.15.2
Includes an emergency hotfix:
https://github.com/lightningnetwork/lnd/releases/tag/v0.15.2-beta
2022-10-10 13:27:49 +02:00
Erik Arvstedt
d3b7e8c432
revert "tests: disable nixosSearch" 2022-09-23 09:04:57 +02:00
Jonas Nick
34f6eb90d7
Merge fort-nix/nix-bitcoin#550: Update nixpkgs
261f7a043f update nixpkgs (Jonas Nick)
09c765368f clightning-plugins: update packages (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 261f7a043f

Tree-SHA512: 30cec6e06dc56b84daf058441a25dc7593b2754c7cbdbb48562528a81727f8a7abbaf5d31497a136903485534e41b171d55a60d9bc91548feb7ff7997985e364
2022-09-22 18:58:27 +00:00
Jonas Nick
261f7a043f
update nixpkgs
electrs: 0.9.7 -> 0.9.9
elementsd: 0.21.0.2 -> 22.0
fulcrum: 1.7.0 -> 1.8.1
2022-09-22 16:57:19 +00:00
Jonas Nick
09c765368f
clightning-plugins: update packages 2022-09-22 16:57:00 +00:00
47 changed files with 338 additions and 1114 deletions

@ -27,7 +27,6 @@ task:
- scenario: default - scenario: default
- scenario: netns - scenario: netns
- scenario: netnsRegtest - scenario: netnsRegtest
- scenario: trustedcoin
# This script is run as root # This script is run as root
build_script: build_script:
- echo "sandbox = true" >> /etc/nix/nix.conf - echo "sandbox = true" >> /etc/nix/nix.conf
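
Review bot: the `- scenario: trustedcoin` entry is dropped from the scenario matrix with nothing in the file explaining why, so CI stops exercising that scenario. If the scenario is being removed from the test suite, state that in the commit message; if it still exists, keep the matrix entry so the plugin does not go untested.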

@ -79,22 +79,19 @@ NixOS modules ([src](modules/modules.nix))
* [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server * [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server
* [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced * [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced
* [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status * [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status
* [trustedcoin](https://github.com/nbd-wtf/trustedcoin) [[experimental](docs/services.md#trustedcoin-hints)]: replaces bitcoind with trusted public explorers
* [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints * [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints
* [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning * [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning
* [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md) * [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md)
* [Lightning Loop](https://github.com/lightninglabs/loop) * [Lightning Loop](https://github.com/lightninglabs/loop)
* [Lightning Pool](https://github.com/lightninglabs/pool) * [Lightning Pool](https://github.com/lightninglabs/pool)
* [charge-lnd](https://github.com/accumulator/charge-lnd): policy-based channel fee manager * [charge-lnd](https://github.com/accumulator/charge-lnd): policy-based channel fee manager
* [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or * [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or clightning via a REST onion service
clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
[Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
* [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning` * [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
* [spark-wallet](https://github.com/shesek/spark-wallet) * [spark-wallet](https://github.com/shesek/spark-wallet)
* [electrs](https://github.com/romanz/electrs): Electrum server * [electrs](https://github.com/romanz/electrs)
* [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs) * [fulcrum](https://github.com/cculianu/Fulcrum) (see [the module](modules/fulcrum.nix) for a comparison to electrs)
* [btcpayserver](https://github.com/btcpayserver/btcpayserver) * [btcpayserver](https://github.com/btcpayserver/btcpayserver)
* [liquid](https://github.com/elementsproject/elements): federated sidechain * [liquid](https://github.com/elementsproject/elements)
* [JoinMarket](https://github.com/joinmarket-org/joinmarket-clientserver) * [JoinMarket](https://github.com/joinmarket-org/joinmarket-clientserver)
* [JoinMarket Orderbook Watcher](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/docs/orderbook.md) * [JoinMarket Orderbook Watcher](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/docs/orderbook.md)
* [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI) * [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI)
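
Review bot: the electrs, fulcrum and liquid entries lose their short descriptions ("Electrum server", "federated sidechain"), leaving bare links in a list where the neighbouring entries say what the service does; keep the descriptions. The lndconnect entry also swaps the links to the WireGuard and Tor sections of `docs/services.md` for the phrase "via a REST onion service"; if those sections still exist, keep the links, since how the wallet reaches the node is the part of that entry a reader needs. The trustedcoin line goes away together with its `[experimental]` hint link, so check that `docs/services.md#trustedcoin-hints` is removed in the same change and not left dangling.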
@ -102,13 +99,7 @@ NixOS modules ([src](modules/modules.nix))
* [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces * [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces
* [nodeinfo](modules/nodeinfo.nix): script which prints info about the node's services * [nodeinfo](modules/nodeinfo.nix): script which prints info about the node's services
* [backups](modules/backups.nix): duplicity backups of all your node's important files * [backups](modules/backups.nix): duplicity backups of all your node's important files
* [operator](modules/operator.nix): configures a non-root user who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`) * [operator](modules/operator.nix): adds non-root user `operator` who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
### Extension modules
Extension modules are maintained in separate repositories and have their own review
and release process.
* [Mempool](https://github.com/fort-nix/nix-bitcoin-mempool): Bitcoin visualizer, explorer and API service
Security Security
--- ---

View File

@ -56,10 +56,9 @@ ls -al /var/lib/containers/nb-test
# Start a shell in the context of a service process. # Start a shell in the context of a service process.
# Must be run inside the container (enter with cmd `c`). # Must be run inside the container (enter with cmd `c`).
enter_service() { enter_service() {
name=$1 local name=$1
pid=$(systemctl show -p MainPID --value "$name") nsenter --all -t "$(systemctl show -p MainPID --value "$name")" \
IFS=- read -r uid gid < <(stat -c "%u-%g" "/proc/$pid") --setuid "$(id -u "$name")" --setgid "$(id -g "$name")" bash
nsenter --all -t "$pid" --setuid "$uid" --setgid "$gid" bash
} }
enter_service clightning enter_service clightning
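Review bot: In `enter_service`, the new `--setuid "$(id -u "$name")" --setgid "$(id -g "$name")"` looks up a Unix account named after the systemd unit, so it only works when the service runs under a user whose name equals the unit name. The removed lines took uid and gid from the owner of `/proc/$pid`, which does not depend on that naming convention. If `id` fails, `nsenter` receives an empty `--setuid` argument. Either keep the `/proc/$pid` lookup or resolve the account with `systemctl show -p User --value "$name"`, and check that `MainPID` is non-zero before calling `nsenter`.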

View File

@ -9,9 +9,6 @@ with lib;
services.btcpayserver.enable = true; services.btcpayserver.enable = true;
test.container.exposeLocalhost = true; test.container.exposeLocalhost = true;
# services.btcpayserver.lbtc = false; # services.btcpayserver.lbtc = false;
# Required for testing interactive plugin installation
test.container.enableWAN = true;
}; };
# A node with internet access to test joinmarket-ob-watcher # A node with internet access to test joinmarket-ob-watcher
@ -45,34 +42,4 @@ with lib;
nix-bitcoin.nodeinfo.enable = true; nix-bitcoin.nodeinfo.enable = true;
# test.container.enableWAN = true; # test.container.enableWAN = true;
}; };
wireguard-lndconnect-online = { config, pkgs, lib, ... }: {
imports = [
../modules/presets/wireguard.nix
scenarios.regtestBase
];
# 51820 (default wg port) + 1
networking.wireguard.interfaces.wg-nb.listenPort = 51821;
test.container.enableWAN = true;
# test.container.exposeLocalhost = true;
services.clightning.extraConfig = "disable-dns";
services.lnd = {
enable = true;
lndconnect = {
enable = true;
onion = true;
};
};
services.clightning-rest = {
enable = true;
lndconnect = {
enable = true;
onion = true;
};
};
nix-bitcoin.nodeinfo.enable = true;
};
} }

View File

@ -1,64 +0,0 @@
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
# Test Tor and WireGuard connections on a mobile device
# 1. Run container
run-tests.sh -s wireguard-lndconnect-online container
# 2. Test connecting via Tor
# Print QR codes for lnd, clightning-rest connections via Tor
c lndconnect
c lndconnect-clightning
# Add these to Zeus >= 0.7.1.
# To explicitly check if the connection is successful, press the node logo in the top
# left corner, and then "Node Info".
# Debug
c lndconnect --url
c lndconnect-clightning --url
# 3. Test connecting via WireGuard
# 3.1 Forward WireGuard port from the container host to the container
iptables -t nat -A PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
# 3.2. Optional: When your container host has an external firewall,
# forward the WireGuard port to the container host:
# - Port: 51821
# - Protocol: UDP
# - Destination: IPv4 of the container host
# 3.2 Print QR code and setup wireguard on the mobile device
c nix-bitcoin-wg-connect
c nix-bitcoin-wg-connect --text
# Print QR codes for lnd, clightning-rest connections via WireGuard
c lndconnect-wg
c lndconnect-clightning-wg
# Add these to Zeus >= 0.7.1.
# To explicitly check if the connection is successful, press the node logo in the top
# left corner, and then "Node Info".
# Debug
c lndconnect-wg --url
c lndconnect-clightning-wg --url
# 3.3.remove external firewall port forward, remove local port forward:
iptables -t nat -D PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
# Now exit the container shell
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
# Debug lndconnect
run-tests.sh -s wireguard-lndconnect-online container
c nodeinfo
c lndconnect --url
c lndconnect-wg --url
c lndconnect-clightning --url
c lndconnect-clightning-wg --url
c lndconnect
c lndconnect-wg
c lndconnect-clightning
c lndconnect-clightning-wg

View File

@ -142,154 +142,60 @@ You can find the `<onion-address>` with command `nodeinfo`.
The default password location is `$secretsDir/rtl-password`. The default password location is `$secretsDir/rtl-password`.
See: [Secrets dir](./configuration.md#secrets-dir) See: [Secrets dir](./configuration.md#secrets-dir)
# Use Zeus (mobile lightning wallet) via Tor # Use LND or clightning with Zeus (mobile wallet) via Tor
1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1) 1. Install [Zeus](https://zeusln.app)
2. Edit your `configuration.nix` 2. Edit your `configuration.nix`
##### For lnd ##### For lnd
Add the following config: Add the following config:
```nix ```
services.lnd.lndconnect = { services.lnd.lndconnectOnion.enable = true;
enable = true;
onion = true;
};
``` ```
##### For clightning ##### For clightning
Add the following config: Add the following config:
```nix ```
services.clightning-rest = { services.clightning-rest = {
enable = true; enable = true;
lndconnect = { lndconnectOnion.enable = true;
enable = true;
onion = true;
};
}; };
``` ```
3. Deploy your configuration 3. Deploy your configuration
4. Run the following command on your node (as user `operator`) to create a QR code 3. Run the following command on your node (as user `operator`) to create a QR code
with address and authentication information: with address and authentication information:
##### For lnd ##### For lnd
``` ```
lndconnect lndconnect-onion
``` ```
##### For clightning ##### For clightning
``` ```
lndconnect-clightning lndconnect-onion-clightning
``` ```
5. Configure Zeus 4. Configure Zeus
- Add a new node and scan the QR code - Add a new node
- Select `Scan lndconnect config` (at the bottom) and scan the QR code
- For clightning: Set `Node interface` to `c-lightning-REST`
- Click `Save node config` - Click `Save node config`
- Start sending and stacking sats privately - Start sending and stacking sats privately
### Additional lndconnect features ### Additional lndconnect features
- Create a plain text URL: Create plain text URLs or QR code images:
```bash ```
lndconnect --url lndconnect-onion --url
``` lndconnect-onion --image
- Set a custom host. By default, `lndconnect` detects the system's external IP and uses it as the host.
```bash
lndconnect --host myhost
```
# Use Zeus (mobile lightning wallet) via WireGuard
Connecting Zeus directly to your node is much faster than using Tor, but a bit more complex to setup.
There are two ways to establish a secure, direct connection:
- Connecting via TLS. This requires installing your lightning app's
TLS Certificate on your mobile device.
- Connecting via WireGuard. This approach is simpler and more versatile, and is
described in this guide.
1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1) and
[WireGuard](https://www.wireguard.com/install/) on your mobile device.
2. Add the following to your `configuration.nix`:
```nix
imports = [
# Use this line when using the default deployment method
<nix-bitcoin/modules/presets/wireguard.nix>
# Use this line when using Flakes
(nix-bitcoin + /modules/presets/wireguard.nix)
]
# For lnd
services.lnd.lndconnect.enable = true;
# For clightning
services.clightning-rest = {
enable = true;
lndconnect.enable = true;
};
```
3. Deploy your configuration.
4. If your node is behind an external firewall or NAT, add the following port forwarding
rule to the external device:
- Port: 51820 (the default value of option `networking.wireguard.interfaces.wg-nb.listenPort`)
- Protocol: UDP
- Destination: IP of your node
5. Setup WireGuard on your mobile device.
Run the following command on your node (as user `operator`) to create a QR code
for WireGuard:
```bash
nix-bitcoin-wg-connect
# For debugging: Show the WireGuard config as text
nix-bitcoin-wg-connect --text
```
The above commands automatically detect your node's external IP.\
To set a custom IP or hostname, run the following:
```
nix-bitcoin-wg-connect 93.184.216.34
nix-bitcoin-wg-connect mynode.org
```
Configure WireGuard:
- Press the `+` button in the bottom right corner
- Scan the QR code
- Add the tunnel
6. Setup Zeus
Run the following command on your node (as user `operator`) to create a QR code for Zeus:
##### For lnd
```
lndconnect-wg
```
##### For clightning
```
lndconnect-clightning-wg
```
Configure Zeus:
- Add a new node and scan the QR code
- Click `Save node config`
- On the certificate warning screen, click `I understand, save node config`.\
Certificates are not needed when connecting via WireGuard.
- Start sending and stacking sats privately
### Additional lndconnect features
Create a plain text URL:
```bash
lndconnect-wg --url
`````` ``````
Create a QR code for a custom hostname:
```
lndconnect-onion --host=mynode.org
```
# Connect to spark-wallet # Connect to spark-wallet
### Requirements ### Requirements
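Review bot: On the new side of the Tor guide the step numbering repeats: `3. Deploy your configuration` is followed by `3. Run the following command on your node`, so the list reads 1, 2, 3, 3, 4. Renumber the steps 1 through 5. The new fences also lose their `nix` and `bash` language tags. Since the QR code is described as holding "address and authentication information", the `--url` and `--image` examples should tell the reader to treat that output as a credential.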
@ -621,27 +527,3 @@ services.clightning = {
``` ```
Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options. Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options.
### Trustedcoin hints
The [trustedcoin](https://github.com/nbd-wtf/trustedcoin) plugin use a Tor
proxy for all of its external connections by default. That's why you can
sometimes face issues with your connections to esploras getting blocked.
An example of clightning log error output in a case your connections are getting blocked:
```
lightningd[5138]: plugin-trustedcoin estimatefees error: https://blockstream.info/api error: 403 Forbidden
```
```
lightningd[4933]: plugin-trustedcoin getblock error: got something that isn't a block hash: <html><head>
lightningd[4933]: <meta http-equiv="content-type" content="text/html;
```
If you face these issues and you still need to use trustedcoin, use can disable
clightning's tor hardening by setting this option in your `configuration.nix`
file:
```
services.clightning.tor.enforce = false;
```

View File

@ -56,18 +56,13 @@
# #
# == REST server # == REST server
# Set this to create a clightning REST onion service. # Set this to create a clightning REST onion service.
# This also adds binary `lndconnect-clightning` to the system environment. # This also adds binary `lndconnect-onion-clightning` to the system environment.
# This binary creates QR codes or URLs for connecting applications to clightning # This binary creates QR codes or URLs for connecting applications to clightning
# via the REST onion service. # via the REST onion service (see ../docs/services.md).
# You can also connect via WireGuard instead of Tor.
# See ../docs/services.md for details.
# #
# services.clightning-rest = { # services.clightning-rest = {
# enable = true; # enable = true;
# lndconnect = { # lndconnectOnion.enable = true;
# enable = true;
# onion = true;
# };
# }; # };
### LND ### LND
@ -83,17 +78,11 @@
# The onion service is automatically announced to peers. # The onion service is automatically announced to peers.
# nix-bitcoin.onionServices.lnd.public = true; # nix-bitcoin.onionServices.lnd.public = true;
# #
# Set this to create a lnd REST onion service. # Set this to create an lnd REST onion service.
# This also adds binary `lndconnect` to the system environment. # This also adds binary `lndconnect-onion` to the system environment.
# This binary generates QR codes or URLs for connecting applications to lnd via the # This binary generates QR codes or URLs for connecting applications to lnd via the
# REST onion service. # REST onion service (see ../docs/services.md).
# You can also connect via WireGuard instead of Tor. # services.lnd.lndconnectOnion.enable = true;
# See ../docs/services.md for details.
#
# services.lnd.lndconnect = {
# enable = true;
# onion = true;
# };
# #
## WARNING ## WARNING
# If you use lnd, you should manually backup your wallet mnemonic # If you use lnd, you should manually backup your wallet mnemonic

View File

@ -10,11 +10,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1679648217, "lastModified": 1671802034,
"narHash": "sha256-aq2J5Hj5IE8X8X/7v3n0wcv8n+FLzzENbcCF9xqhxAc=", "narHash": "sha256-mkv2u5nQJEV3KlWiopkt/gMz0OM4nmEXSfzkSw6welQ=",
"owner": "erikarvstedt", "owner": "erikarvstedt",
"repo": "extra-container", "repo": "extra-container",
"rev": "40c73f5e3292e73d6ce91625d9751be84fde17cb", "rev": "e34f0cca15f6f0f2e598dad0b329196d0dab6d4f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -24,15 +24,12 @@
} }
}, },
"flake-utils": { "flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1667395993,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -43,11 +40,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1683207485, "lastModified": 1674407282,
"narHash": "sha256-gs+PHt/y/XQB7S8+YyBLAM8LjgYpPZUVFQBwpFSmJro=", "narHash": "sha256-2qwc8mrPINSFdWffPK+ji6nQ9aGnnZyHSItVcYDZDlk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "cc45a3f8c98e1c33ca996e3504adefbf660a72d1", "rev": "ab1254087f4cdf4af74b552d7fc95175d9bdbb49",
"type": "github" "type": "github"
}, },
"original": { "original": {
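Review bot: The `nixpkgs` lock moves backwards here: `lastModified` goes from 1683207485 to 1674407282 and `rev` changes with it, so the new side builds every service from an older package set. The `extra-container`, `flake-utils` and `nixpkgs-unstable` entries move in the same direction. Downgrading the pinned inputs drops whatever package updates landed in between, security fixes included. Rebase onto the current lock, or state in the commit message why the older pins are required.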
@ -59,11 +56,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1683353485, "lastModified": 1674487464,
"narHash": "sha256-Skp5El3egmoXPiINWjnoW0ktVfB7PR/xc4F4bhD+BJY=", "narHash": "sha256-Jgq50e4S4JVCYpWLqrabBzDp/1mfaxHCh8/OOorHTy0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "caf436a52b25164b71e0d48b671127ac2e2a5b75", "rev": "3954218cf613eba8e0dcefa9abe337d26bc48fd0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -80,21 +77,6 @@
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable"
} }
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

Binary file not shown.

View File

@ -427,8 +427,7 @@ in {
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'"; ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
Restart = "on-failure"; Restart = "on-failure";
UMask = mkIf cfg.dataDirReadableByGroup "0027"; UMask = mkIf cfg.dataDirReadableByGroup "0027";
#ReadWritePaths = [ cfg.dataDir ]; ReadWritePaths = [ cfg.dataDir ];
ReadWritePaths = [ "/dummy" ];
} // nbLib.allowedIPAddresses cfg.tor.enforce } // nbLib.allowedIPAddresses cfg.tor.enforce
// optionalAttrs zmqServerEnabled nbLib.allowNetlink; // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
}; };

View File

@ -236,16 +236,11 @@ in {
--datadir='${cfg.btcpayserver.dataDir}' --datadir='${cfg.btcpayserver.dataDir}'
''; '';
User = cfg.btcpayserver.user; User = cfg.btcpayserver.user;
# Also restart after the program has exited successfully. Restart = "on-failure";
# This is required to support restarting from the web interface after RestartSec = "10s";
# interactive plugin installation.
# Restart rate limiting is implemented via the `startLimit*` options below.
Restart = "always";
ReadWritePaths = [ cfg.btcpayserver.dataDir ]; ReadWritePaths = [ cfg.btcpayserver.dataDir ];
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce; } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
startLimitIntervalSec = 30;
startLimitBurst = 10;
}; in self; }; in self;
users.users.${cfg.nbxplorer.user} = { users.users.${cfg.nbxplorer.user} = {
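Review bot: Switching to `Restart = "on-failure"` means a clean exit of btcpayserver is no longer restarted, and the removed comment states that restart after a successful exit is what lets the web interface restart the service after interactive plugin installation. If dropping that feature is intended, say so in the commit message or in a comment; otherwise keep `Restart = "always"` together with `startLimitIntervalSec` and `startLimitBurst`. While this block is being touched, `MemoryDenyWriteExecute = false` relaxes hardening and deserves a one-line comment explaining why it is needed.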

View File

@ -17,7 +17,6 @@ in {
./feeadjuster.nix ./feeadjuster.nix
./prometheus.nix ./prometheus.nix
./summary.nix ./summary.nix
./trustedcoin.nix
./zmq.nix ./zmq.nix
]; ];

View File

@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.services.clightning.plugins.trustedcoin; in
{
options.services.clightning.plugins.trustedcoin = {
enable = mkEnableOption "Trustedcoin (clightning plugin)";
package = mkOption {
type = types.package;
default = config.nix-bitcoin.pkgs.trustedcoin;
defaultText = "config.nix-bitcoin.pkgs.trustedcoin";
description = mdDoc "The package providing trustedcoin binaries.";
};
};
config = mkIf cfg.enable {
services.clightning.extraConfig = ''
plugin=${cfg.package}/bin/trustedcoin
disable-plugin=bcli
'';
# Trustedcoin does not honor the clightning's proxy configuration.
# Ref.: https://github.com/nbd-wtf/trustedcoin/pull/19
systemd.services.clightning.environment = mkIf (config.services.clightning.proxy != null) {
HTTPS_PROXY = "socks5://${config.services.clightning.proxy}";
};
};
}

View File

@ -107,15 +107,13 @@ let
network = bitcoind.makeNetworkName "bitcoin" "regtest"; network = bitcoind.makeNetworkName "bitcoin" "regtest";
configFile = pkgs.writeText "config" '' configFile = pkgs.writeText "config" ''
network=${network} network=${network}
${optionalString (!cfg.plugins.trustedcoin.enable) "bitcoin-datadir=${bitcoind.dataDir}"} bitcoin-datadir=${bitcoind.dataDir}
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"} ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
always-use-proxy=${boolToString cfg.always-use-proxy} always-use-proxy=${boolToString cfg.always-use-proxy}
bind-addr=${cfg.address}:${toString cfg.port} bind-addr=${cfg.address}:${toString cfg.port}
bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address} bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address}
bitcoin-rpcport=${toString bitcoind.rpc.port} bitcoin-rpcport=${toString bitcoind.rpc.port}
bitcoin-rpcuser=${bitcoind.rpc.users.public.name} bitcoin-rpcuser=${bitcoind.rpc.users.public.name}
rpc-file-mode=0660 rpc-file-mode=0660
log-timestamps=false log-timestamps=false
${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"} ${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"}
@ -163,7 +161,6 @@ in {
{ {
cat ${configFile} cat ${configFile}
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)" echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)"
${optionalString (cfg.getPublicAddressCmd != "") '' ${optionalString (cfg.getPublicAddressCmd != "") ''
echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}" echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}"
''} ''}

View File

@ -61,9 +61,10 @@ in {
listenWhitelisted = true; listenWhitelisted = true;
}; };
systemd.tmpfiles.rules = [ # Commented out to allow nfs mounts
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" # systemd.tmpfiles.rules = [
]; # "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
# ];
systemd.services.electrs = { systemd.services.electrs = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
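Review bot: Commenting out `systemd.tmpfiles.rules` removes the only visible place where `${cfg.dataDir}` is created with mode 0770 and owner `${cfg.user}` / `${cfg.group}`, and it does so for every deployment, not just NFS-backed ones. Nothing in this hunk replaces it, so on a fresh node the directory either does not exist or ends up with whatever owner and mode the mount or the first writer gives it. Prefer a boolean option, off by default, that skips the rule for NFS-backed data directories, and document the ownership and mode expected of the export instead of leaving dead code behind.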

View File

@ -158,7 +158,7 @@ let
onion_serving_host = ${cfg.messagingAddress} onion_serving_host = ${cfg.messagingAddress}
onion_serving_port = ${toString cfg.messagingPort} onion_serving_port = ${toString cfg.messagingPort}
hidden_service_dir = hidden_service_dir =
directory_nodes = g3hv4uynnmynqqq2mchf3fcm3yd46kfzmcdogejuckgwknwyq5ya6iad.onion:5222,3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222 directory_nodes = 3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,jmdirjmioywe2s5jad7ts6kgcqg66rj6wujj6q77n6wbdrgocqwexzid.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
# irc.darkscience.net # irc.darkscience.net
[MESSAGING:server1] [MESSAGING:server1]
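Review bot: The `directory_nodes` line swaps one of the three hard-coded onion addresses and reorders the list, with no reference for where the new set comes from. Add a comment naming the JoinMarket release or upstream config file the list was taken from, so the addresses can be checked against upstream on the next update.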

View File

@ -0,0 +1,126 @@
{ config, lib, pkgs, ... }:
with lib;
let
options = {
services.lnd.lndconnectOnion.enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Create an onion service for the lnd REST server.
Add a `lndconnect-onion` binary to the system environment.
See: https://github.com/LN-Zap/lndconnect
Usage:
```bash
# Print QR code
lndconnect-onion
# Print URL
lndconnect-onion --url
```
'';
};
services.clightning-rest.lndconnectOnion.enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Create an onion service for clightning-rest.
Add a `lndconnect-onion-clightning` binary to the system environment.
See: https://github.com/LN-Zap/lndconnect
Usage:
```bash
# Print QR code
lndconnect-onion-clightning
# Print URL
lndconnect-onion-clightning --url
```
'';
};
};
nbLib = config.nix-bitcoin.lib;
runAsUser = config.nix-bitcoin.runAsUserCmd;
inherit (config.services)
lnd
clightning
clightning-rest;
mkLndconnect = {
name,
shebang ? "#!${pkgs.stdenv.shell} -e",
onionService,
port,
certPath,
macaroonPath
}:
# TODO-EXTERNAL:
# lndconnect requires a --configfile argument, although it's unused
# https://github.com/LN-Zap/lndconnect/issues/25
pkgs.writeScriptBin name ''
${shebang}
exec ${config.nix-bitcoin.pkgs.lndconnect}/bin/lndconnect \
--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService}) \
--port=${toString port} \
--tlscertpath='${certPath}' \
--adminmacaroonpath='${macaroonPath}' \
--configfile=/dev/null "$@"
'';
operatorName = config.nix-bitcoin.operator.name;
in {
inherit options;
config = mkMerge [
(mkIf (lnd.enable && lnd.lndconnectOnion.enable) {
services.tor = {
enable = true;
relay.onionServices.lnd-rest = nbLib.mkOnionService {
target.addr = nbLib.address lnd.restAddress;
target.port = lnd.restPort;
port = lnd.restPort;
};
};
nix-bitcoin.onionAddresses.access.${lnd.user} = [ "lnd-rest" ];
environment.systemPackages = [(
mkLndconnect {
name = "lndconnect-onion";
# Run as lnd user because the macaroon and cert are not group-readable
shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
onionService = "${lnd.user}/lnd-rest";
port = lnd.restPort;
certPath = lnd.certPath;
macaroonPath = "${lnd.networkDir}/admin.macaroon";
}
)];
})
(mkIf (clightning-rest.enable && clightning-rest.lndconnectOnion.enable) {
services.tor = {
enable = true;
relay.onionServices.clightning-rest = nbLib.mkOnionService {
target.addr = nbLib.address clightning-rest.address;
target.port = clightning-rest.port;
port = clightning-rest.port;
};
};
# This also allows nodeinfo to show the clightning-rest onion address
nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
environment.systemPackages = [(
mkLndconnect {
name = "lndconnect-onion-clightning";
onionService = "${operatorName}/clightning-rest";
port = clightning-rest.port;
certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
}
)];
})
];
}
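Review bot: In `mkLndconnect`, `--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService})` is an unquoted command substitution inside the argument list of `exec`, so a missing or unreadable onion address file does not stop the script, even under `-e`, and lndconnect is started with an empty `--host=`. Read the address into a variable first, fail if it is empty, and pass it quoted. Two smaller points: the `lndconnect-onion` shebang override drops the `-e` of the default shebang, and `lndconnect-onion-clightning` has no `runAsUser` wrapper, so it depends on the calling user being able to read `certs/access.macaroon`; a comment stating the intended file permissions would help.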

View File

@ -1,205 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
options = {
services.lnd.lndconnect = {
enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Add a `lndconnect` binary to the system environment which prints
connection info for lnd clients.
See: https://github.com/LN-Zap/lndconnect
Usage:
```bash
# Print QR code
lndconnect
# Print URL
lndconnect --url
```
'';
};
onion = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Create an onion service for the lnd REST server,
which is used by lndconnect.
'';
};
};
services.clightning-rest.lndconnect = {
enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Add a `lndconnect-clightning` binary to the system environment which prints
connection info for clightning clients.
See: https://github.com/LN-Zap/lndconnect
Usage:
```bash
# Print QR code
lndconnect-clightning
# Print URL
lndconnect-clightning --url
```
'';
};
onion = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Create an onion service for the clightning REST server,
which is used by lndconnect.
'';
};
};
nix-bitcoin.mkLndconnect = mkOption {
readOnly = true;
default = mkLndconnect;
description = mdDoc ''
A function to create a lndconnect binary.
See the source for further details.
'';
};
};
nbLib = config.nix-bitcoin.lib;
runAsUser = config.nix-bitcoin.runAsUserCmd;
inherit (config.services)
lnd
clightning-rest;
mkLndconnect = {
name,
shebang ? "#!${pkgs.stdenv.shell} -e",
isClightning ? false,
port,
macaroonPath,
enableOnion,
onionService ? null,
certPath ? null
}:
# TODO-EXTERNAL:
# lndconnect requires a --configfile argument, although it's unused
# https://github.com/LN-Zap/lndconnect/issues/25
pkgs.hiPrio (pkgs.writeScriptBin name ''
${shebang}
url=$(
${getExe config.nix-bitcoin.pkgs.lndconnect} --url \
${optionalString enableOnion "--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService})"} \
--port=${toString port} \
${if enableOnion || certPath == null then "--nocert" else "--tlscertpath='${certPath}'"} \
--adminmacaroonpath='${macaroonPath}' \
--configfile=/dev/null "$@"
)
${optionalString isClightning
# - Change URL procotcol to c-lightning-rest
# - Encode macaroon as hex (in uppercase) instead of base 64.
# Because `macaroon` is always the last URL fragment, the
# sed replacement below works correctly.
''
macaroonHex=$(${getExe pkgs.xxd} -p -u -c 99999 '${macaroonPath}')
url=$(
echo "$url" | ${getExe pkgs.gnused} "
s|^lndconnect|c-lightning-rest|
s|macaroon=.*|macaroon=$macaroonHex|
";
)
''
}
# If --url is in args
if [[ " $* " =~ " --url " ]]; then
echo "$url"
else
# This UTF-8 encoding yields a smaller, more convenient output format
# compared to the native lndconnect output
echo -n "$url" | ${getExe pkgs.qrencode} -t UTF8 -o -
fi
'');
operatorName = config.nix-bitcoin.operator.name;
in {
inherit options;
config = mkMerge [
(mkIf (lnd.enable && lnd.lndconnect.enable)
(mkMerge [
{
environment.systemPackages = [(
mkLndconnect {
name = "lndconnect";
# Run as lnd user because the macaroon and cert are not group-readable
shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
enableOnion = lnd.lndconnect.onion;
onionService = "${lnd.user}/lnd-rest";
port = lnd.restPort;
certPath = lnd.certPath;
macaroonPath = "${lnd.networkDir}/admin.macaroon";
}
)];
services.lnd.restAddress = mkIf (!lnd.lndconnect.onion) "0.0.0.0";
}
(mkIf lnd.lndconnect.onion {
services.tor = {
enable = true;
relay.onionServices.lnd-rest = nbLib.mkOnionService {
target.addr = nbLib.address lnd.restAddress;
target.port = lnd.restPort;
port = lnd.restPort;
};
};
nix-bitcoin.onionAddresses.access = {
${lnd.user} = [ "lnd-rest" ];
${operatorName} = [ "lnd-rest" ];
};
})
]))
(mkIf (clightning-rest.enable && clightning-rest.lndconnect.enable)
(mkMerge [
{
environment.systemPackages = [(
mkLndconnect {
name = "lndconnect-clightning";
isClightning = true;
enableOnion = clightning-rest.lndconnect.onion;
onionService = "${operatorName}/clightning-rest";
port = clightning-rest.port;
certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
}
)];
# clightning-rest always binds to all interfaces
}
(mkIf clightning-rest.lndconnect.onion {
services.tor = {
enable = true;
relay.onionServices.clightning-rest = nbLib.mkOnionService {
target.addr = nbLib.address clightning-rest.address;
target.port = clightning-rest.port;
port = clightning-rest.port;
};
};
# This also allows nodeinfo to show the clightning-rest onion address
nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
})
])
)
];
}

View File

@ -19,7 +19,7 @@
./lightning-loop.nix ./lightning-loop.nix
./lightning-pool.nix ./lightning-pool.nix
./charge-lnd.nix ./charge-lnd.nix
./lndconnect.nix # Requires onion-addresses.nix ./lndconnect-onion.nix # Requires onion-addresses.nix
./rtl.nix ./rtl.nix
./electrs.nix ./electrs.nix
./fulcrum.nix ./fulcrum.nix

View File

@ -63,7 +63,7 @@ let
infos = OrderedDict() infos = OrderedDict()
operator = "${config.nix-bitcoin.operator.name}" operator = "${config.nix-bitcoin.operator.name}"
def get_onion_address(name, port): def set_onion_address(info, name, port):
path = f"/var/lib/onion-addresses/{operator}/{name}" path = f"/var/lib/onion-addresses/{operator}/{name}"
try: try:
with open(path, "r") as f: with open(path, "r") as f:
@ -71,7 +71,7 @@ let
except OSError: except OSError:
print(f"error reading file {path}", file=sys.stderr) print(f"error reading file {path}", file=sys.stderr)
return return
return f"{onion_address}:{port}" info["onion_address"] = f"{onion_address}:{port}"
def add_service(service, make_info, systemd_service = None): def add_service(service, make_info, systemd_service = None):
systemd_service = systemd_service or service systemd_service = systemd_service or service
@ -106,7 +106,7 @@ let
add_service("${name}", """ add_service("${name}", """
info["local_address"] = "${nbLib.addressWithPort cfg.address cfg.port}" info["local_address"] = "${nbLib.addressWithPort cfg.address cfg.port}"
'' + mkIfOnionPort name (onionPort: '' '' + mkIfOnionPort name (onionPort: ''
info["onion_address"] = get_onion_address("${name}", ${onionPort}) set_onion_address(info, "${name}", ${onionPort})
'') + extraCode + '' '') + extraCode + ''
""", "${systemdServiceName}") """, "${systemdServiceName}")
@ -123,10 +123,8 @@ let
in { in {
inherit options; inherit options;
config = mkIf cfg.enable { config = {
environment.systemPackages = [ script ]; environment.systemPackages = optional cfg.enable script;
nix-bitcoin.operator.enable = true;
nix-bitcoin.nodeinfo.services = with nodeinfoLib; { nix-bitcoin.nodeinfo.services = with nodeinfoLib; {
bitcoind = mkInfo ""; bitcoind = mkInfo "";
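Review bot: With `config` no longer wrapped in `mkIf cfg.enable`, `nix-bitcoin.nodeinfo.services` is defined on every node, and `nix-bitcoin.operator.enable = true;` is dropped although the script still reads `/var/lib/onion-addresses/{operator}/{name}`. When nodeinfo is enabled without the operator module, every onion lookup can end in the `error reading file` branch. Either keep enabling the operator when `cfg.enable` is set, or add an assertion that documents the dependency.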
@ -135,13 +133,9 @@ in {
if 'onion_address' in info: if 'onion_address' in info:
info["id"] = f"{info['nodeid']}@{info['onion_address']}" info["id"] = f"{info['nodeid']}@{info['onion_address']}"
''; '';
lnd = name: cfg: mkInfo ('' lnd = mkInfo ''
info["rest_address"] = "${nbLib.addressWithPort cfg.restAddress cfg.restPort}"
'' + mkIfOnionPort "lnd-rest" (onionPort: ''
info["onion_rest_address"] = get_onion_address("lnd-rest", ${onionPort})
'') + ''
info["nodeid"] = shell("lncli getinfo | jq -r '.identity_pubkey'") info["nodeid"] = shell("lncli getinfo | jq -r '.identity_pubkey'")
'') name cfg; '';
clightning-rest = mkInfo ""; clightning-rest = mkInfo "";
electrs = mkInfo ""; electrs = mkInfo "";
fulcrum = mkInfo ""; fulcrum = mkInfo "";
@ -152,7 +146,7 @@ in {
rtl = mkInfo ""; rtl = mkInfo "";
# Only add sshd when it has an onion service # Only add sshd when it has an onion service
sshd = name: cfg: mkIfOnionPort "sshd" (onionPort: '' sshd = name: cfg: mkIfOnionPort "sshd" (onionPort: ''
add_service("sshd", """info["onion_address"] = get_onion_address("sshd", ${onionPort})""") add_service("sshd", """set_onion_address(info, "sshd", ${onionPort})""")
''); '');
}; };
}; };

View File

@ -33,6 +33,7 @@ in {
(mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ]) (mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ])
# 0.0.70 # 0.0.70
(mkRenamedOptionModule [ "services" "rtl" "cl-rest" ] [ "services" "clightning-rest" ]) (mkRenamedOptionModule [ "services" "rtl" "cl-rest" ] [ "services" "clightning-rest" ])
(mkRenamedOptionModule [ "services" "lnd" "restOnionService" "enable" ] [ "services" "lnd" "lndconnectOnion" "enable" ])
(mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ]) (mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ])
@ -45,28 +46,6 @@ in {
bitcoin peer connections for syncing blocks. This performs well on low and high bitcoin peer connections for syncing blocks. This performs well on low and high
memory systems. memory systems.
'') '')
# 0.0.86
(mkRemovedOptionModule [ "services" "lnd" "restOnionService" "enable" ] ''
Set the following options instead:
services.lnd.lndconnect = {
enable = true;
onion = true;
}
'')
(mkRemovedOptionModule [ "services" "lnd" "lndconnectOnion" ] ''
Set the following options instead:
services.lnd.lndconnect = {
enable = true;
onion = true;
}
'')
(mkRemovedOptionModule [ "services" "clightning-rest" "lndconnectOnion" ] ''
Set the following options instead:
services.clightning-rest.lndconnect = {
enable = true;
onion = true;
}
'')
] ++ ] ++
# 0.0.59 # 0.0.59
(map mkSplitEnforceTorOption [ (map mkSplitEnforceTorOption [

View File

@ -1,214 +0,0 @@
{ config, pkgs, lib, ... }:
# Create a WireGuard server with a single peer.
# Private/public keys are created via the secrets system.
# Add helper binaries `nix-bitcoin-wg-connect` and optionally `lndconnect-wg`, `lndconnect-clightning-wg`.
# See ../../docs/services.md ("Use Zeus (mobile lightning wallet) via WireGuard")
# for usage instructions.
# This is a rather opinionated implementation that lacks the flexibility offered by
# other nix-bitcoin modules, so ship this as a `preset`.
# Some users will prefer to use `lndconnect` with their existing WireGuard or Tailscale setup.
with lib;
let
options.nix-bitcoin.wireguard = {
subnet = mkOption {
type = types.str;
default = "10.10.0";
description = mdDoc "The /24 subnet of the wireguard network.";
};
restrictPeer = mkOption {
type = types.bool;
default = true;
description = mdDoc ''
Prevent the peer from connecting to any addresses except for the WireGuard server address.
'';
};
};
cfg = config.nix-bitcoin.wireguard;
wgSubnet = cfg.subnet;
inherit (config.networking.wireguard.interfaces) wg-nb;
inherit (config.services)
lnd
clightning-rest;
lndconnect = lnd.enable && lnd.lndconnect.enable;
lndconnect-clightning = clightning-rest.enable && clightning-rest.lndconnect.enable;
serverAddress = "${wgSubnet}.1";
peerAddress = "${wgSubnet}.2";
secretsDir = config.nix-bitcoin.secretsDir;
wgConnectUser = if config.nix-bitcoin.operator.enable
then config.nix-bitcoin.operator.name
else "root";
# A script that prints a QR code to connect a peer to the server.
# The QR code encodes a wg-quick config that can be imported by the wireguard
# mobile app.
wgConnect = pkgs.writers.writeBashBin "nix-bitcoin-wg-connect" ''
set -euo pipefail
text=
host=
for arg in "$@"; do
case $arg in
--text)
text=1
;;
*)
host=$arg
;;
esac
done
if [[ ! $host ]]; then
# Use lndconnect to fetch the external ip.
# This internally uses https://github.com/GlenDC/go-external-ip, which
# queries a set of external ip providers.
host=$(
${getExe config.nix-bitcoin.pkgs.lndconnect} --url --nocert \
--configfile=/dev/null --adminmacaroonpath=/dev/null \
| sed -nE 's|.*?/(.*?):.*|\1|p'
)
fi
config="[Interface]
PrivateKey = $(cat ${secretsDir}/wg-peer-private-key)
Address = ${peerAddress}/24
[Peer]
PublicKey = $(cat ${secretsDir}/wg-server-public-key)
AllowedIPs = ${wgSubnet}.0/24
Endpoint = $host:${toString wg-nb.listenPort}
PersistentKeepalive = 25
"
if [[ $text ]]; then
echo "$config"
else
echo "$config" | ${getExe pkgs.qrencode} -t UTF8 -o -
fi
'';
in {
inherit options;
config = {
assertions = [
{
# Don't support `netns-isolation` for now to keep things simple
assertion = !(config.nix-bitcoin.netns-isolation.enable or false);
message = "`nix-bitcoin.wireguard` is not compatible with `netns-isolation`.";
}
];
networking.wireguard.interfaces.wg-nb = {
ips = [ "${serverAddress}/24" ];
listenPort = mkDefault 51820;
privateKeyFile = "${secretsDir}/wg-server-private-key";
allowedIPsAsRoutes = false;
peers = [
{
# To use the actual public key from the secrets file, use dummy pubkey
# `peer0` and replace it via `getPubkeyFromFile` (see further below)
# at peer service runtime.
publicKey = "peer0";
allowedIPs = [ "${peerAddress}/32" ];
}
];
};
systemd.services = {
wireguard-wg-nb = rec {
wants = [ "nix-bitcoin-secrets.target" ];
after = wants;
};
# HACK: Modify start/stop scripts of the peer setup service to read
# the pubkey from a secrets file.
wireguard-wg-nb-peer-peer0 = let
getPubkeyFromFile = mkBefore ''
if [[ ! -v inPatchedSrc ]]; then
export inPatchedSrc=1
publicKey=$(cat "${secretsDir}/wg-peer-public-key")
<"''${BASH_SOURCE[0]}" sed "s|\bpeer0\b|$publicKey|g" | ${pkgs.bash}/bin/bash -s
exit
fi
'';
in {
script = getPubkeyFromFile;
postStop = getPubkeyFromFile;
};
};
environment.systemPackages = [
wgConnect
] ++ (optional lndconnect
(pkgs.writers.writeBashBin "lndconnect-wg" ''
exec lndconnect --host "${serverAddress}" --nocert "$@"
'')
) ++ (optional lndconnect-clightning
(pkgs.writers.writeBashBin "lndconnect-clightning-wg" ''
exec lndconnect-clightning --host "${serverAddress}" --nocert "$@"
'')
);
networking.firewall = let
restrictPeerRule = "-s ${peerAddress} ! -d ${serverAddress} -j REJECT";
in {
allowedUDPPorts = [ wg-nb.listenPort ];
extraCommands =
optionalString lndconnect ''
iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString lnd.restPort} -j nixos-fw-accept
''
+ optionalString lndconnect-clightning ''
iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString clightning-rest.port} -j nixos-fw-accept
''
+ optionalString cfg.restrictPeer ''
iptables -w -A nixos-fw ${restrictPeerRule}
iptables -w -A FORWARD ${restrictPeerRule}
'';
extraStopCommands =
# Rules added to chain `nixos-fw` are automatically removed when restarting
# the NixOS firewall service.
mkIf cfg.restrictPeer ''
iptables -w -D FORWARD ${restrictPeerRule} || :
'';
};
# Listen on all addresses, including `serverAddress`.
# This is safe because the listen ports are secured by the firewall.
services.lnd.restAddress = mkIf lndconnect "0.0.0.0";
# clightning-rest always listens on "0.0.0.0"
nix-bitcoin.secrets = {
wg-server-private-key = {};
wg-server-public-key = { user = wgConnectUser; group = "root"; };
wg-peer-private-key = { user = wgConnectUser; group = "root"; };
wg-peer-public-key = {};
};
nix-bitcoin.generateSecretsCmds.wireguard = let
wg = "${pkgs.wireguard-tools}/bin/wg";
in ''
makeWireguardKey() {
local name=$1
local priv=wg-$name-private-key
local pub=wg-$name-public-key
if [[ ! -e $priv ]]; then
${wg} genkey > $priv
fi
if [[ $priv -nt $pub ]]; then
${wg} pubkey < $priv > $pub
fi
}
makeWireguardKey server
makeWireguardKey peer
'';
};
}
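Review bot: Deleting this preset outright leaves any configuration that imports `presets/wireguard.nix` or sets `nix-bitcoin.wireguard.subnet` / `restrictPeer` failing at evaluation with no hint about what replaced it. The removed header also points at `../../docs/services.md` ("Use Zeus (mobile lightning wallet) via WireGuard"), so that section has to go in the same change. Note as well that the preset was what set `services.lnd.restAddress` to `0.0.0.0` behind the `nixos-fw` rules; confirm nothing else still relies on that listen address once the firewall rules are gone.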

View File

@ -191,7 +191,6 @@ in {
optional cfg.nodes.lnd.enable "lnd.service"; optional cfg.nodes.lnd.enable "lnd.service";
after = requires; after = requires;
environment.RTL_CONFIG_PATH = cfg.dataDir; environment.RTL_CONFIG_PATH = cfg.dataDir;
environment.DB_DIRECTORY_PATH = cfg.dataDir;
serviceConfig = nbLib.defaultHardening // { serviceConfig = nbLib.defaultHardening // {
ExecStartPre = [ ExecStartPre = [
(nbLib.script "rtl-setup-config" '' (nbLib.script "rtl-setup-config" ''

View File

@ -228,7 +228,7 @@ let
version = "0.0.70"; version = "0.0.70";
condition = config.services.lnd.lndconnectOnion.enable; condition = config.services.lnd.lndconnectOnion.enable;
message = '' message = ''
The `lndconnect-rest-onion` binary has been renamed to `lndconnect`. The `lndconnect-rest-onion` binary has been renamed to `lndconnect-onion`.
''; '';
} }
{ {

View File

@ -32,7 +32,7 @@ let
extraPkgs = [ prometheus_client ]; extraPkgs = [ prometheus_client ];
patchRequirements = patchRequirements =
"--replace prometheus-client==0.6.0 prometheus-client==0.15.0" "--replace prometheus-client==0.6.0 prometheus-client==0.15.0"
+ " --replace pyln-client~=0.9.3 pyln-client~=23.02"; + " --replace pyln-client~=0.9.3 pyln-client~=22.11rc1";
}; };
rebalance = { rebalance = {
description = "Keeps your channels balanced"; description = "Keeps your channels balanced";

View File

@ -20,12 +20,6 @@ let self = {
# The secp256k1 version used by joinmarket # The secp256k1 version used by joinmarket
secp256k1 = pkgs.callPackage ./secp256k1 { }; secp256k1 = pkgs.callPackage ./secp256k1 { };
spark-wallet = pkgs.callPackage ./spark-wallet { }; spark-wallet = pkgs.callPackage ./spark-wallet { };
trustedcoin = pkgs.callPackage ./trustedcoin { };
# TODO-EXTERNAL:
# Remove this when https://github.com/lightningnetwork/lnd/pull/7672
# has been resolved
lnd = pkgsUnstable.callPackage ./lnd { };
pyPkgs = import ./python-packages self pkgs.python3; pyPkgs = import ./python-packages self pkgs.python3;
inherit (self.pyPkgs) inherit (self.pyPkgs)
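Review bot: Removing `lnd = pkgsUnstable.callPackage ./lnd { };` drops the `fix-PKCS8-cert-key-support` patch, but the removed TODO says to do that only once https://github.com/lightningnetwork/lnd/pull/7672 has been resolved, and nothing in this diff shows that the `lnd` now inherited from `pkgsUnstable` contains the fix. State in the commit message which lnd version is pinned and that it includes the fix, or keep the override. The same hunk removes `trustedcoin` without a note for users who enabled the plugin.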

View File

@ -1,12 +1,10 @@
{ stdenv, lib, fetchFromGitHub, python3, nbPython3PackagesJoinmarket }: { stdenv, lib, fetchurl, python3, nbPython3PackagesJoinmarket }:
let let
version = "0.9.9"; version = "0.9.8";
src = fetchFromGitHub { src = fetchurl {
owner = "joinmarket-org"; url = "https://github.com/JoinMarket-Org/joinmarket-clientserver/archive/v${version}.tar.gz";
repo = "joinmarket-clientserver"; sha256 = "1ab4smpyx966iiiip3g11bcslya37qhac1kgkbmsmlsdkpilw9di";
rev = "v${version}";
sha256 = "sha256-dkeSgAhjNl8o/ATKYAlQxxCrur5fLdXuMDXSnWaxYP8=";
}; };
runtimePackages = with nbPython3PackagesJoinmarket; [ runtimePackages = with nbPython3PackagesJoinmarket; [

View File

@ -1,23 +1,25 @@
#!/usr/bin/env nix-shell #!/usr/bin/env bash
#!nix-shell -i bash -p git gnupg jq
set -euo pipefail set -euo pipefail
newVersion=$(curl -s "https://api.github.com/repos/joinmarket-org/joinmarket-clientserver/releases" | jq -r '.[0].tag_name') . "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg" "$@"
# Fetch release and GPG-verify the content hash TMPDIR="$(mktemp -d -p /tmp)"
tmpdir=$(mktemp -d /tmp/joinmarket-verify-gpg.XXX) trap 'rm -rf $TMPDIR' EXIT
repo=$tmpdir/repo cd "$TMPDIR"
git clone --depth 1 --branch "${newVersion}" -c advice.detachedHead=false https://github.com/joinmarket-org/joinmarket-clientserver "$repo"
export GNUPGHOME=$tmpdir echo "Fetching latest release"
git clone https://github.com/joinmarket-org/joinmarket-clientserver 2> /dev/null
cd joinmarket-clientserver
latest=$(git describe --tags "$(git rev-list --tags --max-count=1)")
echo "Latest release is $latest"
# GPG verification
export GNUPGHOME=$TMPDIR
echo "Fetching Adam Gibson's key" echo "Fetching Adam Gibson's key"
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null
echo echo "Verifying latest release"
echo "Verifying commit" git verify-tag "$latest"
git -C "$repo" verify-commit HEAD
rm -rf "$repo"/.git
newHash=$(nix hash path "$repo")
rm -rf "$tmpdir"
echo
echo "tag: $newVersion" echo "tag: $latest"
echo "hash: $newHash" # The prefix option is necessary because GitHub prefixes the archive contents in this format
echo "sha256: $(nix-hash --type sha256 --flat --base32 \
<(git archive --format tar.gz --prefix=joinmarket-clientserver-"${latest//v}"/ "$latest"))"
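Review bot: The `sha256:` printed at the end of the right-hand script is computed over a tarball produced locally by `git archive --format tar.gz`, while the package fetches `archive/v${version}.tar.gz` from GitHub with `fetchurl`, so the value is only usable if GitHub's archive is byte-identical to what the local git and gzip produce. `git verify-tag "$latest"` authenticates the tag, not the downloaded file. Consider downloading the same URL the derivation uses and comparing its hash with the `git archive` hash, failing on mismatch. Also, `trap 'rm -rf $TMPDIR' EXIT` expands `$TMPDIR` unquoted when the trap runs; quote it inside the trap string.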

View File

@ -1,12 +0,0 @@
{ lnd, fetchpatch }:
lnd.overrideAttrs (_: {
patches = [
(fetchpatch {
# https://github.com/lightningnetwork/lnd/pull/7672
name = "fix-PKCS8-cert-key-support";
url = "https://github.com/lightningnetwork/lnd/commit/bfdd5db0d97a6d65489d980a917bbd2243dfe15c.patch";
hash = "sha256-j9EirxyNi48DGzLuHcZ36LrFlbJLXrE8L+1TYh5Yznk=";
})
];
})

View File

@ -4,20 +4,21 @@ pkgs: pkgsUnstable:
inherit (pkgs) inherit (pkgs)
bitcoin bitcoin
bitcoind bitcoind
elementsd
extra-container extra-container
lightning-loop
lightning-pool lightning-pool
lndconnect; lndconnect
nbxplorer;
inherit (pkgsUnstable) inherit (pkgsUnstable)
btcpayserver btcpayserver
charge-lnd charge-lnd
clightning clightning
electrs electrs
elementsd
fulcrum fulcrum
hwi hwi
lightning-loop lnd;
nbxplorer;
inherit pkgs pkgsUnstable; inherit pkgs pkgsUnstable;
} }

View File

@ -2,11 +2,11 @@
buildPythonPackage rec { buildPythonPackage rec {
pname = "bencoder.pyx"; pname = "bencoder.pyx";
version = "3.0.1"; version = "2.0.1";
src = fetchurl { src = fetchurl {
url = "https://github.com/whtsky/bencoder.pyx/archive/9a47768f3ceba9df9e6fbaa7c445f59960889009.tar.gz"; url = "https://github.com/whtsky/bencoder.pyx/archive/v${version}.tar.gz";
sha256 = "1yh565xjbbhn49xjfms80ac8psjbzn66n8dcx0x8mn7zzjv06clz"; sha256 = "f3ff92ac706a7e4692bed5e6cbe205963327f3076f55e408eb948659923eac72";
}; };
nativeBuildInputs = [ cython ]; nativeBuildInputs = [ cython ];

View File

@ -22,6 +22,7 @@ rec {
}; };
runes = callPackage ./runes {}; runes = callPackage ./runes {};
sha256 = callPackage ./sha256 {}; sha256 = callPackage ./sha256 {};
urldecode = callPackage ./urldecode {};
}; };
# Joinmarket requires a custom package set because it uses older versions of Python pkgs # Joinmarket requires a custom package set because it uses older versions of Python pkgs
@ -46,10 +47,12 @@ rec {
# autobahn 20.12.3, required by joinmarketclient # autobahn 20.12.3, required by joinmarketclient
autobahn = callPackage ./specific-versions/autobahn.nix {}; autobahn = callPackage ./specific-versions/autobahn.nix {};
# pyopenssl 21.0.0, required by joinmarketdaemon # pyopenssl 20.0.1, required by joinmarketdaemon
pyopenssl = callPackage ./specific-versions/pyopenssl.nix {}; pyopenssl = callPackage ./specific-versions/pyopenssl.nix {
openssl = super.pkgs.openssl_1_1;
};
# twisted 22.4.0, required by joinmarketbase # twisted 22.4.0, compatible with pyopenssl 20.0.1
twisted = callPackage ./specific-versions/twisted.nix {}; twisted = callPackage ./specific-versions/twisted.nix {};
}; };
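Review bot: The right-hand `pyopenssl` override passes `openssl = super.pkgs.openssl_1_1;`, which pins the TLS library behind joinmarketdaemon to the OpenSSL 1.1 series, and the only explanation is the comment `pyopenssl 20.0.1, required by joinmarketdaemon`. Add a comment stating why the override is needed and a TODO for removing it, so the pin does not outlive upstream support for that series.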

View File

@ -1,4 +1,4 @@
{ version, src, lib, buildPythonPackage, fetchurl, pyaes, python-bitcointx, joinmarketbase }: { version, src, lib, buildPythonPackage, fetchurl, urldecode, pyaes, python-bitcointx, joinmarketbase }:
buildPythonPackage rec { buildPythonPackage rec {
pname = "joinmarketbitcoin"; pname = "joinmarketbitcoin";
@ -6,7 +6,7 @@ buildPythonPackage rec {
postUnpack = "sourceRoot=$sourceRoot/jmbitcoin"; postUnpack = "sourceRoot=$sourceRoot/jmbitcoin";
propagatedBuildInputs = [ pyaes python-bitcointx ]; propagatedBuildInputs = [ urldecode pyaes python-bitcointx ];
checkInputs = [ joinmarketbase ]; checkInputs = [ joinmarketbase ];

View File

@ -8,12 +8,6 @@ buildPythonPackage rec {
propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ]; propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ];
# libnacl 1.8.0 is not on github
patchPhase = ''
substituteInPlace setup.py \
--replace "'libnacl==1.8.0'" "'libnacl==1.7.2'"
'';
meta = with lib; { meta = with lib; {
description = "Client library for Bitcoin coinjoins"; description = "Client library for Bitcoin coinjoins";
homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver"; homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";

View File

@ -6,50 +6,17 @@
, cryptography , cryptography
, pyasn1 , pyasn1
, idna , idna
, pytestCheckHook , pytest
, pretend , pretend
, flaky , flaky
, glibcLocales , glibcLocales
, six , six
}: }:
buildPythonPackage rec { let
pname = "pyopenssl";
version = "21.0.0";
src = fetchPypi {
pname = "pyOpenSSL";
inherit version;
sha256 = "5e2d8c5e46d0d865ae933bef5230090bdaf5506281e9eec60fa250ee80600cb3";
};
outputs = [ "out" "dev" ];
# Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
# for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
doCheck = !stdenv.isDarwin;
nativeBuildInputs = [ openssl ];
propagatedBuildInputs = [ cryptography pyasn1 idna six ];
checkInputs = [ pytestCheckHook pretend flaky glibcLocales ];
preCheck = ''
export LANG="en_US.UTF-8"
'';
disabledTests = [
# https://github.com/pyca/pyopenssl/issues/692
# These tests, we disable always.
"test_set_default_verify_paths"
"test_fallback_default_verify_paths"
# https://github.com/pyca/pyopenssl/issues/768
"test_wantWriteError"
# https://github.com/pyca/pyopenssl/issues/1043
"test_alpn_call_failure"
] ++ lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) [
# https://github.com/pyca/pyopenssl/issues/791 # https://github.com/pyca/pyopenssl/issues/791
# These tests, we disable in the case that libressl is passed in as openssl. # These tests, we disable in the case that libressl is passed in as openssl.
failingLibresslTests = [
"test_op_no_compression" "test_op_no_compression"
"test_npn_advertise_error" "test_npn_advertise_error"
"test_npn_select_error" "test_npn_select_error"
@ -62,21 +29,64 @@ buildPythonPackage rec {
"test_verify_with_revoked" "test_verify_with_revoked"
"test_set_notAfter" "test_set_notAfter"
"test_set_notBefore" "test_set_notBefore"
] ++ lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") [ ];
# these tests are extremely tightly wed to the exact output of the openssl cli tool, including exact punctuation.
# these tests are extremely tightly wed to the exact output of the openssl cli tool,
# including exact punctuation.
failingOpenSSL_1_1Tests = [
"test_dump_certificate" "test_dump_certificate"
"test_dump_privatekey_text" "test_dump_privatekey_text"
"test_dump_certificate_request" "test_dump_certificate_request"
"test_export_text" "test_export_text"
] ++ lib.optionals stdenv.is32bit [
# https://github.com/pyca/pyopenssl/issues/974
"test_verify_with_time"
]; ];
meta = with lib; { disabledTests = [
description = "Python wrapper around the OpenSSL library"; # https://github.com/pyca/pyopenssl/issues/692
homepage = "https://github.com/pyca/pyopenssl"; # These tests, we disable always.
license = licenses.asl20; "test_set_default_verify_paths"
maintainers = with maintainers; [ SuperSandro2000 ]; "test_fallback_default_verify_paths"
# https://github.com/pyca/pyopenssl/issues/768
"test_wantWriteError"
] ++ (
lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) failingLibresslTests
) ++ (
lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") failingOpenSSL_1_1Tests
) ++ (
# https://github.com/pyca/pyopenssl/issues/974
lib.optionals stdenv.is32bit [ "test_verify_with_time" ]
);
# Compose the final string expression, including the "-k" and the single quotes.
testExpression = lib.optionalString (disabledTests != [])
"-k 'not ${lib.concatStringsSep " and not " disabledTests}'";
in
buildPythonPackage rec {
pname = "pyopenssl";
version = "20.0.1";
src = fetchPypi {
pname = "pyOpenSSL";
inherit version;
sha256 = "4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51";
}; };
outputs = [ "out" "dev" ];
checkPhase = ''
runHook preCheck
export LANG="en_US.UTF-8"
py.test tests ${testExpression}
runHook postCheck
'';
# Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
# for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
doCheck = !stdenv.isDarwin;
nativeBuildInputs = [ openssl ];
propagatedBuildInputs = [ cryptography pyasn1 idna six ];
checkInputs = [ pytest pretend flaky glibcLocales ];
} }

View File

@ -0,0 +1,16 @@
{ lib, buildPythonPackage, fetchPypi }:
buildPythonPackage rec {
pname = "urldecode";
version = "0.1";
src = fetchPypi {
inherit pname version;
sha256 = "0w8my7kdwxppsfzzi1b2cxhypm6r1fsrnb2hnd752axq4gfsddjj";
};
meta = with lib; {
description = "A simple function to decode an encoded url";
homepage = "https://github.com/jennyq/urldecode";
maintainers = with maintainers; [ nixbitcoin ];
};
}
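Review bot: The new `urldecode` derivation has no `license` in `meta`, and it becomes a runtime dependency of `joinmarketbitcoin` through `propagatedBuildInputs`. Add the license, and say in the commit message why the package is needed, since it is an extra PyPI source in a wallet's dependency closure that is pinned only by the `sha256` here.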

View File

@ -10,11 +10,11 @@
}: }:
let self = stdenvNoCC.mkDerivation { let self = stdenvNoCC.mkDerivation {
pname = "rtl"; pname = "rtl";
version = "0.13.6"; version = "0.13.4";
src = fetchurl { src = fetchurl {
url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz"; url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz";
hash = "sha256-eyRM28h2TV3IyW4hDPHj/wMJxLEZin7AqWQZGQt5mV4="; hash = "sha256-WVldNnmCB7Gi/U3dUDTYF58i480eXkstRnEg+1QCeMM=";
}; };
passthru = { passthru = {
@ -26,7 +26,7 @@ let self = stdenvNoCC.mkDerivation {
# TODO-EXTERNAL: Remove `npmFlags` when no longer required # TODO-EXTERNAL: Remove `npmFlags` when no longer required
# See: https://github.com/Ride-The-Lightning/RTL/issues/1182 # See: https://github.com/Ride-The-Lightning/RTL/issues/1182
npmFlags = "--legacy-peer-deps"; npmFlags = "--legacy-peer-deps";
hash = "sha256-C4yK6deYXPrTa383aXiHoO0w3JAMIfAaESCEy9KKY2k="; hash = "sha256-AG7930RGLxbPp1ErTGuYvUvPur9ppEmg91Taz7Ube6w=";
}; };
}; };

View File

@ -2,7 +2,7 @@
set -euo pipefail set -euo pipefail
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@" . "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
version="0.13.6" version="0.13.4"
repo=https://github.com/Ride-The-Lightning/RTL repo=https://github.com/Ride-The-Lightning/RTL
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd) scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)

View File

@ -1,23 +0,0 @@
{ lib, buildGoModule, fetchFromGitHub }:
buildGoModule rec {
pname = "trustedcoin";
version = "0.6.1";
src = fetchFromGitHub {
owner = "nbd-wtf";
repo = pname;
rev = "v${version}";
sha256 = "sha256-UNQjxhAT0mK1In7vUtIoMoMNBV+0wkrwbDmm7m+0R3o=";
};
vendorSha256 = "sha256-xvkK9rMQlXTnNyOMd79qxVSvhgPobcBk9cq4/YWbupY=";
subPackages = [ "." ];
meta = with lib; {
description = "Light bitcoin node implementation";
homepage = "https://github.com/nbd-wtf/trustedcoin";
maintainers = with maintainers; [ seberm fort-nix ];
platforms = platforms.linux;
};
}

View File

@ -1,20 +0,0 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p git gnupg curl jq
set -euo pipefail
TMPDIR="$(mktemp -d -p /tmp)"
trap 'rm -rf $TMPDIR' EXIT
cd "$TMPDIR"
echo "Fetching latest release"
repo='nbd-wtf/trustedcoin'
latest=$(curl --location --silent --show-error https://api.github.com/repos/${repo}/releases/latest | jq -r .tag_name)
echo "Latest release is $latest"
git clone --depth 1 --branch "$latest" "https://github.com/${repo}" 2>/dev/null
cd trustedcoin
echo "tag: $latest"
git checkout -q "tags/$latest"
rm -rf .git
nix --extra-experimental-features nix-command hash path .

View File

@ -20,4 +20,4 @@ if [[ ${CACHIX_SIGNING_KEY:-} ]]; then
fi fi
echo "Running flake-info (nixos-search)" echo "Running flake-info (nixos-search)"
flake-info --json flake ../.. >/dev/null flake-info flake ../..

View File

@ -41,4 +41,4 @@ bwrap \
--ro-bind "$tmpDir/nix.conf" /etc/nix/nix.conf \ --ro-bind "$tmpDir/nix.conf" /etc/nix/nix.conf \
--ro-bind /usr /usr \ --ro-bind /usr /usr \
--ro-bind-try /run /run \ --ro-bind-try /run /run \
-- flake-info --json flake "$nbFlake" >/dev/null -- flake-info flake "$nbFlake"

View File

@ -2,11 +2,11 @@
"nodes": { "nodes": {
"flake-utils": { "flake-utils": {
"locked": { "locked": {
"lastModified": 1678901627, "lastModified": 1667395993,
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6", "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -18,11 +18,11 @@
"nixos-org-configurations": { "nixos-org-configurations": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1679995724, "lastModified": 1674564797,
"narHash": "sha256-x5ElztEfo+vFEQdePneBEfQZcAtU5a7SWHHAuEESMts=", "narHash": "sha256-MgGsFleE8Wzhu8XX3ulcBojkHzFLkII+D9sxkTHg7OU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-org-configurations", "repo": "nixos-org-configurations",
"rev": "72adc59c5ba946c3d4844a920e9beefae12bbd49", "rev": "3ce43a1fb5181a0e33b1f67d36fa0f3affa6bc6c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -39,11 +39,11 @@
"npmlock2nix": "npmlock2nix" "npmlock2nix": "npmlock2nix"
}, },
"locked": { "locked": {
"lastModified": 1683204679, "lastModified": 1674593115,
"narHash": "sha256-GrZj4skt6pjcNMmGQxvf5bSDYPzNahWKSNsHAtx5ERI=", "narHash": "sha256-P4bjLR/8tJ/jVBBeHDzNS2BgVUdB6vS7Udfh30kULJs=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-search", "repo": "nixos-search",
"rev": "0498effc4137095938f16fd752cc81a96901554f", "rev": "be9a717b8032c7410337139f9dcfd6227b7407a4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -54,11 +54,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1680213900, "lastModified": 1667629849,
"narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=", "narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e3652e0735fbec227f342712f180f4f21f0594f2", "rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
"type": "github" "type": "github"
}, },
"original": { "original": {
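Review bot: The `nixpkgs` entry moves `lastModified` from 1680213900 to 1667629849, and the other inputs in this lock file change in the same direction, so every input ends up pinned to an older revision. If the rollback is deliberate, say so in the commit message; otherwise regenerate the lock file so the pins do not move backwards.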
@ -70,11 +70,11 @@
"npmlock2nix": { "npmlock2nix": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673447413, "lastModified": 1666460237,
"narHash": "sha256-sJM82Sj8yfQYs9axEmGZ9Evzdv/kDcI9sddqJ45frrU=", "narHash": "sha256-HME6rnysvCwUVtH+BDWDGahmweMaLgD2wqHeRuGp6QI=",
"owner": "nix-community", "owner": "nix-community",
"repo": "npmlock2nix", "repo": "npmlock2nix",
"rev": "9197bbf397d76059a76310523d45df10d2e4ca81", "rev": "eeed152290ec2425f96c5e74e469c40b621e1468",
"type": "github" "type": "github"
}, },
"original": { "original": {

View File

@ -274,7 +274,6 @@ buildable=(
hardened hardened
clightning-replication clightning-replication
lndPruned lndPruned
wireguard-lndconnect
) )
buildable() { buildTests buildable "$@"; } buildable() { buildTests buildable "$@"; }

View File

@ -45,7 +45,7 @@ let
services.clightning.extraConfig = mkIf config.test.noConnections "disable-dns"; services.clightning.extraConfig = mkIf config.test.noConnections "disable-dns";
test.data.clightning-plugins = let test.data.clightning-plugins = let
plugins = config.services.clightning.plugins; plugins = config.services.clightning.plugins;
removed = [ "commando" "trustedcoin" ]; removed = [ "commando" ];
enabled = builtins.filter (plugin: plugins.${plugin}.enable) enabled = builtins.filter (plugin: plugins.${plugin}.enable)
(subtractLists removed (builtins.attrNames plugins)); (subtractLists removed (builtins.attrNames plugins));
nbPkgs = config.nix-bitcoin.pkgs; nbPkgs = config.nix-bitcoin.pkgs;
@ -86,8 +86,8 @@ let
nix-bitcoin.onionServices.lnd.public = true; nix-bitcoin.onionServices.lnd.public = true;
tests.lndconnect-onion-lnd = with cfg.lnd.lndconnect; enable && onion; tests.lndconnect-onion-lnd = cfg.lnd.lndconnectOnion.enable;
tests.lndconnect-onion-clightning = with cfg.clightning-rest.lndconnect; enable && onion; tests.lndconnect-onion-clightning = cfg.clightning-rest.lndconnectOnion.enable;
tests.lightning-loop = cfg.lightning-loop.enable; tests.lightning-loop = cfg.lightning-loop.enable;
services.lightning-loop.certificate.extraIPs = [ "20.0.0.1" ]; services.lightning-loop.certificate.extraIPs = [ "20.0.0.1" ];
@ -187,9 +187,9 @@ let
services.rtl.enable = true; services.rtl.enable = true;
services.spark-wallet.enable = true; services.spark-wallet.enable = true;
services.clightning-rest.enable = true; services.clightning-rest.enable = true;
services.clightning-rest.lndconnect = { enable = true; onion = true; }; services.clightning-rest.lndconnectOnion.enable = true;
services.lnd.enable = true; services.lnd.enable = true;
services.lnd.lndconnect = { enable = true; onion = true; }; services.lnd.lndconnectOnion.enable = true;
services.lightning-loop.enable = true; services.lightning-loop.enable = true;
services.lightning-pool.enable = true; services.lightning-pool.enable = true;
services.charge-lnd.enable = true; services.charge-lnd.enable = true;
@ -315,15 +315,6 @@ let
services.lnd.enable = true; services.lnd.enable = true;
services.bitcoind.prune = 1000; services.bitcoind.prune = 1000;
}; };
# Test the special clightning setup where trustedcoin plugin is used
trustedcoin = {
tests.trustedcoin = true;
services.clightning = {
enable = true;
plugins.trustedcoin.enable = true;
};
};
} // (import ../dev/dev-scenarios.nix { } // (import ../dev/dev-scenarios.nix {
inherit lib scenarios; inherit lib scenarios;
}); });
@ -414,7 +405,6 @@ in {
in in
{ {
clightning-replication = import ./clightning-replication.nix makeTestVM pkgs; clightning-replication = import ./clightning-replication.nix makeTestVM pkgs;
wireguard-lndconnect = import ./wireguard-lndconnect.nix makeTestVM pkgs;
} // mainTests; } // mainTests;
tests = makeTests scenarios; tests = makeTests scenarios;

View File

@ -177,12 +177,12 @@ def _():
@test("lndconnect-onion-lnd") @test("lndconnect-onion-lnd")
def _(): def _():
assert_running("lnd") assert_running("lnd")
assert_matches("runuser -u operator -- lndconnect --url", ".onion") assert_matches("runuser -u operator -- lndconnect-onion --url", ".onion")
@test("lndconnect-onion-clightning") @test("lndconnect-onion-clightning")
def _(): def _():
assert_running("clightning-rest") assert_running("clightning-rest")
assert_matches("runuser -u operator -- lndconnect-clightning --url", ".onion") assert_matches("runuser -u operator -- lndconnect-onion-clightning --url", ".onion")
@test("lightning-loop") @test("lightning-loop")
def _(): def _():
@ -433,18 +433,6 @@ def _():
if enabled("btcpayserver"): if enabled("btcpayserver"):
machine.wait_until_succeeds(log_has_string("nbxplorer", f"At height: {num_blocks}")) machine.wait_until_succeeds(log_has_string("nbxplorer", f"At height: {num_blocks}"))
@test("trustedcoin")
def _():
machine.wait_for_unit("bitcoind")
machine.wait_for_unit("clightning")
# Let's check the trustedcoin plugin was correctly initialized
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+initialized plugin"))
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+bitcoind RPC working"))
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+tip: 0"))
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+estimatefees error: none of the esploras returned usable responses"))
if "netns-isolation" in enabled_tests: if "netns-isolation" in enabled_tests:
def ip(name): def ip(name):
return test_data["netns"][name]["address"] return test_data["netns"][name]["address"]

View File

@ -1,103 +0,0 @@
# You can run this test via `run-tests.sh -s wireguard-lndconnect`
makeTestVM: pkgs:
with pkgs.lib;
makeTestVM {
name = "wireguard-lndconnect";
nodes = {
server = {
imports = [
../modules/modules.nix
../modules/presets/wireguard.nix
];
nixpkgs.pkgs = pkgs;
nix-bitcoin.generateSecrets = true;
nix-bitcoin.operator.enable = true;
services.clightning-rest = {
enable = true;
lndconnect.enable = true;
};
# TODO-EXTERNAL:
# When WAN is disabled, DNS bootstrapping slows down service startup by ~15 s.
services.clightning.extraConfig = "disable-dns";
services.lnd = {
enable = true;
lndconnect.enable = true;
port = 9736;
};
};
client = {
nixpkgs.pkgs = pkgs;
environment.systemPackages = with pkgs; [
wireguard-tools
];
};
};
testScript = ''
import base64
import urllib.parse as Url
from types import SimpleNamespace
def parse_lndconnect_url(url):
u = Url.urlparse(url)
queries = Url.parse_qs(u.query)
macaroon = queries['macaroon'][0]
is_clightning = url.startswith("c-lightning-rest")
return SimpleNamespace(
host = u.hostname,
port = u.port,
macaroon_hex =
macaroon if is_clightning else base64.urlsafe_b64decode(macaroon + '===').hex().upper()
)
client.start()
server.connect()
if not "is_interactive" in vars():
with subtest("connect client to server via WireGuard"):
server.wait_for_unit("wireguard-wg-nb-peer-peer0.service")
# Get WireGuard config from server and save it to `/tmp/wireguard.conf` on the client
wg_config = server.succeed("runuser -u operator -- nix-bitcoin-wg-connect server --text")
# Encode to base64
b64 = base64.b64encode(wg_config.encode('utf-8')).decode()
client.succeed(f"install -m 400 <(echo -n {b64} | base64 -d) /tmp/wireguard.conf")
# Connect to server via WireGuard
client.succeed("wg-quick up /tmp/wireguard.conf")
# Ping server from client
print(client.succeed("ping -c 1 -W 0.5 10.10.0.1"))
with subtest("lndconnect-wg"):
server.wait_for_unit("lnd.service")
lndconnect_url = server.succeed("runuser -u operator -- lndconnect-wg --url")
api = parse_lndconnect_url(lndconnect_url)
# Make lnd REST API call
client.succeed(
f"curl -fsS --max-time 3 --insecure --header 'Grpc-Metadata-macaroon: {api.macaroon_hex}' "
f"-X GET https://{api.host}:{api.port}/v1/getinfo"
)
with subtest("lndconnect-clightning-wg"):
server.wait_for_unit("clightning-rest.service")
lndconnect_url = server.succeed("runuser -u operator -- lndconnect-clightning-wg --url")
api = parse_lndconnect_url(lndconnect_url)
# Make clightning-rest API call
client.succeed(
f"curl -fsS --max-time 3 --insecure --header 'macaroon: {api.macaroon_hex}' "
f"--header 'encodingtype: hex' -X GET https://{api.host}:{api.port}/v1/getinfo"
)
'';
}