Patch electrs to avoid chmod

86dc7e2669 fulcrum: allow access to `/proc/meminfo` (Erik Arvstedt)
c948af2e18 dev/dev-features: add `enter_service` helper (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 86dc7e2669

Tree-SHA512: 5c2b7bc5e2247a7fb45e6c805162c02d87b4c917e4a1306134d634f418534b03e3152e402d17e054c410d3d72f3f5eb3d270fcb53019b2f96ea6b27ecae53755

.cirrus.yml

@@ -27,7 +27,6 @@ task:
           - scenario: default
           - scenario: netns
           - scenario: netnsRegtest
-          - scenario: trustedcoin
       # This script is run as root
       build_script:
         - echo "sandbox = true" >> /etc/nix/nix.conf

README.md

@@ -79,22 +79,19 @@ NixOS modules ([src](modules/modules.nix))
     * [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server
     * [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced
     * [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status
-    * [trustedcoin](https://github.com/nbd-wtf/trustedcoin) [[experimental](docs/services.md#trustedcoin-hints)]: replaces bitcoind with trusted public explorers
     * [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints
   * [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning
   * [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md)
     * [Lightning Loop](https://github.com/lightninglabs/loop)
     * [Lightning Pool](https://github.com/lightninglabs/pool)
     * [charge-lnd](https://github.com/accumulator/charge-lnd): policy-based channel fee manager
-  * [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or
-    clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
-    [Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
+  * [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or clightning via a REST onion service
   * [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
   * [spark-wallet](https://github.com/shesek/spark-wallet)
-  * [electrs](https://github.com/romanz/electrs): Electrum server
-  * [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs)
+  * [electrs](https://github.com/romanz/electrs)
+  * [fulcrum](https://github.com/cculianu/Fulcrum) (see [the module](modules/fulcrum.nix) for a comparison to electrs)
   * [btcpayserver](https://github.com/btcpayserver/btcpayserver)
-  * [liquid](https://github.com/elementsproject/elements): federated sidechain
+  * [liquid](https://github.com/elementsproject/elements)
   * [JoinMarket](https://github.com/joinmarket-org/joinmarket-clientserver)
     * [JoinMarket Orderbook Watcher](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/docs/orderbook.md)
   * [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI)
@@ -102,13 +99,7 @@ NixOS modules ([src](modules/modules.nix))
   * [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces
   * [nodeinfo](modules/nodeinfo.nix): script which prints info about the node's services
   * [backups](modules/backups.nix): duplicity backups of all your node's important files
-  * [operator](modules/operator.nix): configures a non-root user who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
-
-### Extension modules
-Extension modules are maintained in separate repositories and have their own review
-and release process.
-
-* [Mempool](https://github.com/fort-nix/nix-bitcoin-mempool): Bitcoin visualizer, explorer and API service
+  * [operator](modules/operator.nix): adds non-root user `operator` who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
 
 Security
 ---

dev/dev-features.sh

@@ -56,10 +56,9 @@ ls -al /var/lib/containers/nb-test
 # Start a shell in the context of a service process.
 # Must be run inside the container (enter with cmd `c`).
 enter_service() {
-    name=$1
-    pid=$(systemctl show -p MainPID --value "$name")
-    IFS=- read -r uid gid  < <(stat -c "%u-%g" "/proc/$pid")
-    nsenter --all -t "$pid" --setuid "$uid" --setgid "$gid" bash
+    local name=$1
+    nsenter --all -t "$(systemctl show -p MainPID --value "$name")" \
+      --setuid "$(id -u "$name")" --setgid "$(id -g "$name")" bash
 }
 enter_service clightning
 

dev/dev-scenarios.nix

@@ -9,9 +9,6 @@ with lib;
     services.btcpayserver.enable = true;
     test.container.exposeLocalhost = true;
     # services.btcpayserver.lbtc = false;
-
-    # Required for testing interactive plugin installation
-    test.container.enableWAN = true;
   };
 
   # A node with internet access to test joinmarket-ob-watcher
@@ -45,34 +42,4 @@ with lib;
     nix-bitcoin.nodeinfo.enable = true;
     # test.container.enableWAN = true;
   };
-
-  wireguard-lndconnect-online = { config, pkgs, lib, ... }: {
-    imports = [
-      ../modules/presets/wireguard.nix
-      scenarios.regtestBase
-    ];
-
-    # 51820 (default wg port) + 1
-    networking.wireguard.interfaces.wg-nb.listenPort = 51821;
-    test.container.enableWAN = true;
-    # test.container.exposeLocalhost = true;
-
-    services.clightning.extraConfig = "disable-dns";
-
-    services.lnd = {
-      enable = true;
-      lndconnect = {
-        enable = true;
-        onion = true;
-      };
-    };
-    services.clightning-rest = {
-      enable = true;
-      lndconnect = {
-        enable = true;
-        onion = true;
-      };
-    };
-    nix-bitcoin.nodeinfo.enable = true;
-  };
 }

dev/topics/lndconnect-and-wireguard.sh

@@ -1,64 +0,0 @@
-#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
-# Test Tor and WireGuard connections on a mobile device
-
-# 1. Run container
-run-tests.sh -s wireguard-lndconnect-online container
-
-# 2. Test connecting via Tor
-# Print QR codes for lnd, clightning-rest connections via Tor
-c lndconnect
-c lndconnect-clightning
-# Add these to Zeus >= 0.7.1.
-# To explicitly check if the connection is successful, press the node logo in the top
-# left corner, and then "Node Info".
-
-# Debug
-c lndconnect --url
-c lndconnect-clightning --url
-
-# 3. Test connecting via WireGuard
-
-# 3.1 Forward WireGuard port from the container host to the container
-iptables -t nat -A PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
-
-# 3.2. Optional: When your container host has an external firewall,
-# forward the WireGuard port to the container host:
-# - Port: 51821
-# - Protocol: UDP
-# - Destination: IPv4 of the container host
-
-# 3.2 Print QR code and setup wireguard on the mobile device
-c nix-bitcoin-wg-connect
-c nix-bitcoin-wg-connect --text
-
-# Print QR codes for lnd, clightning-rest connections via WireGuard
-c lndconnect-wg
-c lndconnect-clightning-wg
-# Add these to Zeus >= 0.7.1.
-# To explicitly check if the connection is successful, press the node logo in the top
-# left corner, and then "Node Info".
-
-# Debug
-c lndconnect-wg --url
-c lndconnect-clightning-wg --url
-
-# 3.3.remove external firewall port forward, remove local port forward:
-iptables -t nat -D PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
-# Now exit the container shell
-
-#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
-# Debug lndconnect
-
-run-tests.sh -s wireguard-lndconnect-online container
-
-c nodeinfo
-
-c lndconnect --url
-c lndconnect-wg --url
-c lndconnect-clightning --url
-c lndconnect-clightning-wg --url
-
-c lndconnect
-c lndconnect-wg
-c lndconnect-clightning
-c lndconnect-clightning-wg

docs/services.md

@@ -142,154 +142,60 @@ You can find the `<onion-address>` with command `nodeinfo`.
 The default password location is `$secretsDir/rtl-password`.
 See: [Secrets dir](./configuration.md#secrets-dir)
 
-# Use Zeus (mobile lightning wallet) via Tor
-1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1)
+# Use LND or clightning with Zeus (mobile wallet) via Tor
+1. Install [Zeus](https://zeusln.app)
 
 2. Edit your `configuration.nix`
 
    ##### For lnd
 
    Add the following config:
-   ```nix
-   services.lnd.lndconnect = {
-     enable = true;
-     onion = true;
-   };
+   ```
+   services.lnd.lndconnectOnion.enable = true;
    ```
 
    ##### For clightning
 
    Add the following config:
-   ```nix
+   ```
    services.clightning-rest = {
      enable = true;
-     lndconnect = {
-       enable = true;
-       onion = true;
-     };
+     lndconnectOnion.enable = true;
    };
    ```
 
 3. Deploy your configuration
 
-4. Run the following command on your node (as user `operator`) to create a QR code
+3. Run the following command on your node (as user `operator`) to create a QR code
    with address and authentication information:
 
    ##### For lnd
    ```
-   lndconnect
+   lndconnect-onion
    ```
 
    ##### For clightning
    ```
-   lndconnect-clightning
+   lndconnect-onion-clightning
    ```
 
-5. Configure Zeus
-   - Add a new node and scan the QR code
+4. Configure Zeus
+   - Add a new node
+   - Select `Scan lndconnect config` (at the bottom) and scan the QR code
+   - For clightning: Set `Node interface` to `c-lightning-REST`
    - Click `Save node config`
    - Start sending and stacking sats privately
 
 ### Additional lndconnect features
-- Create a plain text URL:
-  ```bash
-  lndconnect --url
+Create plain text URLs or QR code images:
 ```
-- Set a custom host. By default, `lndconnect` detects the system's external IP and uses it as the host.
-  ```bash
-  lndconnect --host myhost
-  ```
-
-# Use Zeus (mobile lightning wallet) via WireGuard
-
-Connecting Zeus directly to your node is much faster than using Tor, but a bit more complex to setup.
-
-There are two ways to establish a secure, direct connection:
-
-- Connecting via TLS. This requires installing your lightning app's
-  TLS Certificate on your mobile device.
-
-- Connecting via WireGuard. This approach is simpler and more versatile, and is
-  described in this guide.
-
-1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1) and
-   [WireGuard](https://www.wireguard.com/install/) on your mobile device.
-
-2. Add the following to your `configuration.nix`:
-   ```nix
-   imports = [
-     # Use this line when using the default deployment method
-     <nix-bitcoin/modules/presets/wireguard.nix>
-
-     # Use this line when using Flakes
-     (nix-bitcoin + /modules/presets/wireguard.nix)
-   ]
-
-   # For lnd
-   services.lnd.lndconnect.enable = true;
-
-   # For clightning
-   services.clightning-rest = {
-     enable = true;
-     lndconnect.enable = true;
-   };
-   ```
-3. Deploy your configuration.
-
-4. If your node is behind an external firewall or NAT, add the following port forwarding
-   rule to the external device:
-   - Port: 51820 (the default value of option `networking.wireguard.interfaces.wg-nb.listenPort`)
-   - Protocol: UDP
-   - Destination: IP of your node
-
-5. Setup WireGuard on your mobile device.
-
-   Run the following command on your node (as user `operator`) to create a QR code
-   for WireGuard:
-   ```bash
-   nix-bitcoin-wg-connect
-
-   # For debugging: Show the WireGuard config as text
-   nix-bitcoin-wg-connect --text
-   ```
-   The above commands automatically detect your node's external IP.\
-   To set a custom IP or hostname, run the following:
-   ```
-   nix-bitcoin-wg-connect 93.184.216.34
-   nix-bitcoin-wg-connect mynode.org
-   ```
-
-   Configure WireGuard:
-   - Press the `+` button in the bottom right corner
-   - Scan the QR code
-   - Add the tunnel
-
-6. Setup Zeus
-
-   Run the following command on your node (as user `operator`) to create a QR code for Zeus:
-
-   ##### For lnd
-   ```
-   lndconnect-wg
-   ```
-
-   ##### For clightning
-   ```
-   lndconnect-clightning-wg
-   ```
-
-   Configure Zeus:
-   - Add a new node and scan the QR code
-   - Click `Save node config`
-   - On the certificate warning screen, click `I understand, save node config`.\
-     Certificates are not needed when connecting via WireGuard.
-   - Start sending and stacking sats privately
-
-### Additional lndconnect features
-Create a plain text URL:
-```bash
-lndconnect-wg --url
+lndconnect-onion --url
+lndconnect-onion --image
 ``````
+Create a QR code for a custom hostname:
+```
+lndconnect-onion --host=mynode.org
+```
 
 # Connect to spark-wallet
 ### Requirements
@@ -621,27 +527,3 @@ services.clightning = {
 ```
 
 Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options.
-
-### Trustedcoin hints
-The [trustedcoin](https://github.com/nbd-wtf/trustedcoin) plugin use a Tor
-proxy for all of its external connections by default. That's why you can
-sometimes face issues with your connections to esploras getting blocked.
-
-An example of clightning log error output in a case your connections are getting blocked:
-
-```
-lightningd[5138]: plugin-trustedcoin estimatefees error: https://blockstream.info/api error: 403 Forbidden
-```
-
-```
-lightningd[4933]: plugin-trustedcoin getblock error: got something that isn't a block hash: <html><head>
-lightningd[4933]: <meta http-equiv="content-type" content="text/html;
-```
-
-If you face these issues and you still need to use trustedcoin, use can disable
-clightning's tor hardening by setting this option in your `configuration.nix`
-file:
-
-```
-services.clightning.tor.enforce = false;
-```

examples/configuration.nix

@@ -56,18 +56,13 @@
   #
   # == REST server
   # Set this to create a clightning REST onion service.
-  # This also adds binary `lndconnect-clightning` to the system environment.
+  # This also adds binary `lndconnect-onion-clightning` to the system environment.
   # This binary creates QR codes or URLs for connecting applications to clightning
-  # via the REST onion service.
-  # You can also connect via WireGuard instead of Tor.
-  # See ../docs/services.md for details.
+  # via the REST onion service (see ../docs/services.md).
   #
   # services.clightning-rest = {
   #   enable = true;
-  #   lndconnect = {
-  #     enable = true;
-  #     onion = true;
-  #   };
+  #   lndconnectOnion.enable = true;
   # };
 
   ### LND
@@ -83,17 +78,11 @@
   # The onion service is automatically announced to peers.
   # nix-bitcoin.onionServices.lnd.public = true;
   #
-  # Set this to create a lnd REST onion service.
-  # This also adds binary `lndconnect` to the system environment.
+  # Set this to create an lnd REST onion service.
+  # This also adds binary `lndconnect-onion` to the system environment.
   # This binary generates QR codes or URLs for connecting applications to lnd via the
-  # REST onion service.
-  # You can also connect via WireGuard instead of Tor.
-  # See ../docs/services.md for details.
-  #
-  # services.lnd.lndconnect = {
-  #   enable = true;
-  #   onion = true;
-  # };
+  # REST onion service (see ../docs/services.md).
+  # services.lnd.lndconnectOnion.enable = true;
   #
   ## WARNING
   # If you use lnd, you should manually backup your wallet mnemonic

flake.lock

@@ -10,11 +10,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1679648217,
-        "narHash": "sha256-aq2J5Hj5IE8X8X/7v3n0wcv8n+FLzzENbcCF9xqhxAc=",
+        "lastModified": 1671802034,
+        "narHash": "sha256-mkv2u5nQJEV3KlWiopkt/gMz0OM4nmEXSfzkSw6welQ=",
         "owner": "erikarvstedt",
         "repo": "extra-container",
-        "rev": "40c73f5e3292e73d6ce91625d9751be84fde17cb",
+        "rev": "e34f0cca15f6f0f2e598dad0b329196d0dab6d4f",
         "type": "github"
       },
       "original": {
@@ -24,15 +24,12 @@
       }
     },
     "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
       "locked": {
-        "lastModified": 1681202837,
-        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
         "type": "github"
       },
       "original": {
@@ -43,11 +40,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1683207485,
-        "narHash": "sha256-gs+PHt/y/XQB7S8+YyBLAM8LjgYpPZUVFQBwpFSmJro=",
+        "lastModified": 1674407282,
+        "narHash": "sha256-2qwc8mrPINSFdWffPK+ji6nQ9aGnnZyHSItVcYDZDlk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cc45a3f8c98e1c33ca996e3504adefbf660a72d1",
+        "rev": "ab1254087f4cdf4af74b552d7fc95175d9bdbb49",
         "type": "github"
       },
       "original": {
@@ -59,11 +56,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1683353485,
-        "narHash": "sha256-Skp5El3egmoXPiINWjnoW0ktVfB7PR/xc4F4bhD+BJY=",
+        "lastModified": 1674487464,
+        "narHash": "sha256-Jgq50e4S4JVCYpWLqrabBzDp/1mfaxHCh8/OOorHTy0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "caf436a52b25164b71e0d48b671127ac2e2a5b75",
+        "rev": "3954218cf613eba8e0dcefa9abe337d26bc48fd0",
         "type": "github"
       },
       "original": {
@@ -80,21 +77,6 @@
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable"
       }
-    },
-    "systems": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
     }
   },
   "root": "root",

modules/bitcoind.nix

@@ -427,8 +427,7 @@ in {
         ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
         Restart = "on-failure";
         UMask = mkIf cfg.dataDirReadableByGroup "0027";
-        #ReadWritePaths = [ cfg.dataDir ];
-        ReadWritePaths = [ "/dummy" ];
+        ReadWritePaths = [ cfg.dataDir ];
       } // nbLib.allowedIPAddresses cfg.tor.enforce
         // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
     };

modules/btcpayserver.nix

@@ -236,16 +236,11 @@ in {
             --datadir='${cfg.btcpayserver.dataDir}'
         '';
         User = cfg.btcpayserver.user;
-        # Also restart after the program has exited successfully.
-        # This is required to support restarting from the web interface after
-        # interactive plugin installation.
-        # Restart rate limiting is implemented via the `startLimit*` options below.
-        Restart = "always";
+        Restart = "on-failure";
+        RestartSec = "10s";
         ReadWritePaths = [ cfg.btcpayserver.dataDir ];
         MemoryDenyWriteExecute = false;
       } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
-      startLimitIntervalSec = 30;
-      startLimitBurst = 10;
     }; in self;
 
     users.users.${cfg.nbxplorer.user} = {

modules/clightning-plugins/default.nix

@@ -17,7 +17,6 @@ in {
     ./feeadjuster.nix
     ./prometheus.nix
     ./summary.nix
-    ./trustedcoin.nix
     ./zmq.nix
   ];
 

modules/clightning-plugins/trustedcoin.nix

@@ -1,28 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let cfg = config.services.clightning.plugins.trustedcoin; in
-{
-  options.services.clightning.plugins.trustedcoin = {
-    enable = mkEnableOption "Trustedcoin (clightning plugin)";
-    package = mkOption {
-      type = types.package;
-      default = config.nix-bitcoin.pkgs.trustedcoin;
-      defaultText = "config.nix-bitcoin.pkgs.trustedcoin";
-      description = mdDoc "The package providing trustedcoin binaries.";
-    };
-  };
-
-  config = mkIf cfg.enable {
-    services.clightning.extraConfig = ''
-      plugin=${cfg.package}/bin/trustedcoin
-      disable-plugin=bcli
-    '';
-
-    # Trustedcoin does not honor the clightning's proxy configuration.
-    # Ref.: https://github.com/nbd-wtf/trustedcoin/pull/19
-    systemd.services.clightning.environment = mkIf (config.services.clightning.proxy != null) {
-      HTTPS_PROXY = "socks5://${config.services.clightning.proxy}";
-    };
-  };
-}

modules/clightning.nix

@@ -107,15 +107,13 @@ let
   network = bitcoind.makeNetworkName "bitcoin" "regtest";
   configFile = pkgs.writeText "config" ''
     network=${network}
-    ${optionalString (!cfg.plugins.trustedcoin.enable) "bitcoin-datadir=${bitcoind.dataDir}"}
+    bitcoin-datadir=${bitcoind.dataDir}
     ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
     always-use-proxy=${boolToString cfg.always-use-proxy}
     bind-addr=${cfg.address}:${toString cfg.port}
-
     bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address}
     bitcoin-rpcport=${toString bitcoind.rpc.port}
     bitcoin-rpcuser=${bitcoind.rpc.users.public.name}
-
     rpc-file-mode=0660
     log-timestamps=false
     ${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"}
@@ -163,7 +161,6 @@ in {
         {
           cat ${configFile}
           echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)"
-
           ${optionalString (cfg.getPublicAddressCmd != "") ''
             echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}"
           ''}

modules/electrs.nix

@@ -61,9 +61,10 @@ in {
       listenWhitelisted = true;
     };
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
-    ];
+    # Commented out to allow nfs mounts
+    # systemd.tmpfiles.rules = [
+    #   "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    # ];
 
     systemd.services.electrs = {
       wantedBy = [ "multi-user.target" ];

modules/joinmarket.nix

@@ -158,7 +158,7 @@ let
     onion_serving_host = ${cfg.messagingAddress}
     onion_serving_port = ${toString cfg.messagingPort}
     hidden_service_dir =
-    directory_nodes = g3hv4uynnmynqqq2mchf3fcm3yd46kfzmcdogejuckgwknwyq5ya6iad.onion:5222,3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
+    directory_nodes = 3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,jmdirjmioywe2s5jad7ts6kgcqg66rj6wujj6q77n6wbdrgocqwexzid.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
 
     # irc.darkscience.net
     [MESSAGING:server1]

modules/lndconnect-onion.nix

@@ -0,0 +1,126 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  options = {
+    services.lnd.lndconnectOnion.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = mdDoc ''
+        Create an onion service for the lnd REST server.
+        Add a `lndconnect-onion` binary to the system environment.
+        See: https://github.com/LN-Zap/lndconnect
+
+        Usage:
+        ```bash
+          # Print QR code
+          lndconnect-onion
+
+          # Print URL
+          lndconnect-onion --url
+        ```
+      '';
+    };
+
+    services.clightning-rest.lndconnectOnion.enable = mkOption {
+      type = types.bool;
+      default = false;
+      description = mdDoc ''
+        Create an onion service for clightning-rest.
+        Add a `lndconnect-onion-clightning` binary to the system environment.
+        See: https://github.com/LN-Zap/lndconnect
+
+        Usage:
+        ```bash
+          # Print QR code
+          lndconnect-onion-clightning
+
+          # Print URL
+          lndconnect-onion-clightning --url
+        ```
+      '';
+    };
+  };
+
+  nbLib = config.nix-bitcoin.lib;
+  runAsUser = config.nix-bitcoin.runAsUserCmd;
+
+  inherit (config.services)
+    lnd
+    clightning
+    clightning-rest;
+
+  mkLndconnect = {
+    name,
+    shebang ? "#!${pkgs.stdenv.shell} -e",
+    onionService,
+    port,
+    certPath,
+    macaroonPath
+  }:
+  # TODO-EXTERNAL:
+  # lndconnect requires a --configfile argument, although it's unused
+  # https://github.com/LN-Zap/lndconnect/issues/25
+  pkgs.writeScriptBin name ''
+    ${shebang}
+    exec ${config.nix-bitcoin.pkgs.lndconnect}/bin/lndconnect \
+     --host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService}) \
+     --port=${toString port} \
+     --tlscertpath='${certPath}' \
+     --adminmacaroonpath='${macaroonPath}' \
+     --configfile=/dev/null "$@"
+  '';
+
+  operatorName = config.nix-bitcoin.operator.name;
+in {
+  inherit options;
+
+  config = mkMerge [
+    (mkIf (lnd.enable && lnd.lndconnectOnion.enable) {
+      services.tor = {
+        enable = true;
+        relay.onionServices.lnd-rest = nbLib.mkOnionService {
+          target.addr = nbLib.address lnd.restAddress;
+          target.port = lnd.restPort;
+          port = lnd.restPort;
+        };
+      };
+      nix-bitcoin.onionAddresses.access.${lnd.user} = [ "lnd-rest" ];
+
+      environment.systemPackages = [(
+        mkLndconnect {
+          name = "lndconnect-onion";
+          # Run as lnd user because the macaroon and cert are not group-readable
+          shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
+          onionService = "${lnd.user}/lnd-rest";
+          port = lnd.restPort;
+          certPath = lnd.certPath;
+          macaroonPath = "${lnd.networkDir}/admin.macaroon";
+        }
+      )];
+    })
+
+    (mkIf (clightning-rest.enable && clightning-rest.lndconnectOnion.enable) {
+      services.tor = {
+        enable = true;
+        relay.onionServices.clightning-rest = nbLib.mkOnionService {
+          target.addr = nbLib.address clightning-rest.address;
+          target.port = clightning-rest.port;
+          port = clightning-rest.port;
+        };
+      };
+      # This also allows nodeinfo to show the clightning-rest onion address
+      nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
+
+      environment.systemPackages = [(
+        mkLndconnect {
+          name = "lndconnect-onion-clightning";
+          onionService = "${operatorName}/clightning-rest";
+          port = clightning-rest.port;
+          certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
+          macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
+        }
+      )];
+    })
+  ];
+}

modules/lndconnect.nix

@@ -1,205 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  options = {
-    services.lnd.lndconnect = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = mdDoc ''
-          Add a `lndconnect` binary to the system environment which prints
-          connection info for lnd clients.
-          See: https://github.com/LN-Zap/lndconnect
-
-          Usage:
-          ```bash
-            # Print QR code
-            lndconnect
-
-            # Print URL
-            lndconnect --url
-          ```
-        '';
-      };
-      onion = mkOption {
-        type = types.bool;
-        default = false;
-        description = mdDoc ''
-          Create an onion service for the lnd REST server,
-          which is used by lndconnect.
-        '';
-      };
-    };
-
-
-    services.clightning-rest.lndconnect = {
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = mdDoc ''
-        Add a `lndconnect-clightning` binary to the system environment which prints
-        connection info for clightning clients.
-        See: https://github.com/LN-Zap/lndconnect
-
-        Usage:
-        ```bash
-          # Print QR code
-          lndconnect-clightning
-
-          # Print URL
-          lndconnect-clightning --url
-        ```
-      '';
-      };
-      onion = mkOption {
-        type = types.bool;
-        default = false;
-        description = mdDoc ''
-          Create an onion service for the clightning REST server,
-          which is used by lndconnect.
-        '';
-      };
-    };
-
-    nix-bitcoin.mkLndconnect = mkOption {
-      readOnly = true;
-      default = mkLndconnect;
-      description = mdDoc ''
-        A function to create a lndconnect binary.
-        See the source for further details.
-      '';
-    };
-  };
-
-  nbLib = config.nix-bitcoin.lib;
-  runAsUser = config.nix-bitcoin.runAsUserCmd;
-
-  inherit (config.services)
-    lnd
-    clightning-rest;
-
-  mkLndconnect = {
-    name,
-    shebang ? "#!${pkgs.stdenv.shell} -e",
-    isClightning ? false,
-    port,
-    macaroonPath,
-    enableOnion,
-    onionService ? null,
-    certPath ? null
-  }:
-  # TODO-EXTERNAL:
-  # lndconnect requires a --configfile argument, although it's unused
-  # https://github.com/LN-Zap/lndconnect/issues/25
-  pkgs.hiPrio (pkgs.writeScriptBin name ''
-    ${shebang}
-    url=$(
-      ${getExe config.nix-bitcoin.pkgs.lndconnect} --url \
-        ${optionalString enableOnion "--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService})"} \
-        --port=${toString port} \
-        ${if enableOnion || certPath == null then "--nocert" else "--tlscertpath='${certPath}'"} \
-        --adminmacaroonpath='${macaroonPath}' \
-        --configfile=/dev/null "$@"
-    )
-
-    ${optionalString isClightning
-      # - Change URL procotcol to c-lightning-rest
-      # - Encode macaroon as hex (in uppercase) instead of base 64.
-      #   Because `macaroon` is always the last URL fragment, the
-      #   sed replacement below works correctly.
-      ''
-        macaroonHex=$(${getExe pkgs.xxd} -p -u -c 99999 '${macaroonPath}')
-        url=$(
-          echo "$url" | ${getExe pkgs.gnused} "
-            s|^lndconnect|c-lightning-rest|
-            s|macaroon=.*|macaroon=$macaroonHex|
-          ";
-        )
-      ''
-    }
-
-    # If --url is in args
-    if [[ " $* " =~ " --url " ]]; then
-      echo "$url"
-    else
-      # This UTF-8 encoding yields a smaller, more convenient output format
-      # compared to the native lndconnect output
-      echo -n "$url" | ${getExe pkgs.qrencode} -t UTF8 -o -
-    fi
-  '');
-
-  operatorName = config.nix-bitcoin.operator.name;
-in {
-  inherit options;
-
-  config = mkMerge [
-    (mkIf (lnd.enable && lnd.lndconnect.enable)
-      (mkMerge [
-        {
-          environment.systemPackages = [(
-            mkLndconnect {
-              name = "lndconnect";
-              # Run as lnd user because the macaroon and cert are not group-readable
-              shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
-              enableOnion = lnd.lndconnect.onion;
-              onionService = "${lnd.user}/lnd-rest";
-              port = lnd.restPort;
-              certPath = lnd.certPath;
-              macaroonPath = "${lnd.networkDir}/admin.macaroon";
-            }
-          )];
-
-          services.lnd.restAddress = mkIf (!lnd.lndconnect.onion) "0.0.0.0";
-        }
-
-        (mkIf lnd.lndconnect.onion {
-          services.tor = {
-            enable = true;
-            relay.onionServices.lnd-rest = nbLib.mkOnionService {
-              target.addr = nbLib.address lnd.restAddress;
-              target.port = lnd.restPort;
-              port = lnd.restPort;
-            };
-          };
-          nix-bitcoin.onionAddresses.access = {
-            ${lnd.user} = [ "lnd-rest" ];
-            ${operatorName} = [ "lnd-rest" ];
-          };
-        })
-      ]))
-
-    (mkIf (clightning-rest.enable && clightning-rest.lndconnect.enable)
-      (mkMerge [
-        {
-          environment.systemPackages = [(
-            mkLndconnect {
-              name = "lndconnect-clightning";
-              isClightning = true;
-              enableOnion = clightning-rest.lndconnect.onion;
-              onionService = "${operatorName}/clightning-rest";
-              port = clightning-rest.port;
-              certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
-              macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
-            }
-          )];
-
-          # clightning-rest always binds to all interfaces
-        }
-
-        (mkIf clightning-rest.lndconnect.onion {
-          services.tor = {
-            enable = true;
-            relay.onionServices.clightning-rest = nbLib.mkOnionService {
-              target.addr = nbLib.address clightning-rest.address;
-              target.port = clightning-rest.port;
-              port = clightning-rest.port;
-            };
-          };
-          # This also allows nodeinfo to show the clightning-rest onion address
-          nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
-        })
-      ])
-    )
-  ];
-}

modules/modules.nix

@@ -19,7 +19,7 @@
     ./lightning-loop.nix
     ./lightning-pool.nix
     ./charge-lnd.nix
-    ./lndconnect.nix # Requires onion-addresses.nix
+    ./lndconnect-onion.nix # Requires onion-addresses.nix
     ./rtl.nix
     ./electrs.nix
     ./fulcrum.nix

modules/nodeinfo.nix

@@ -63,7 +63,7 @@ let
     infos = OrderedDict()
     operator = "${config.nix-bitcoin.operator.name}"
 
-    def get_onion_address(name, port):
+    def set_onion_address(info, name, port):
         path = f"/var/lib/onion-addresses/{operator}/{name}"
         try:
             with open(path, "r") as f:
@@ -71,7 +71,7 @@ let
         except OSError:
             print(f"error reading file {path}", file=sys.stderr)
             return
-        return f"{onion_address}:{port}"
+        info["onion_address"] = f"{onion_address}:{port}"
 
     def add_service(service, make_info, systemd_service = None):
         systemd_service = systemd_service or service
@@ -106,7 +106,7 @@ let
       add_service("${name}", """
       info["local_address"] = "${nbLib.addressWithPort cfg.address cfg.port}"
     '' + mkIfOnionPort name (onionPort: ''
-      info["onion_address"] = get_onion_address("${name}", ${onionPort})
+      set_onion_address(info, "${name}", ${onionPort})
     '') + extraCode + ''
 
       """, "${systemdServiceName}")
@@ -123,10 +123,8 @@ let
 in {
   inherit options;
 
-  config = mkIf cfg.enable {
-    environment.systemPackages = [ script ];
-
-    nix-bitcoin.operator.enable = true;
+  config = {
+    environment.systemPackages = optional cfg.enable script;
 
     nix-bitcoin.nodeinfo.services = with nodeinfoLib; {
       bitcoind = mkInfo "";
@@ -135,13 +133,9 @@ in {
         if 'onion_address' in info:
             info["id"] = f"{info['nodeid']}@{info['onion_address']}"
       '';
-      lnd = name: cfg: mkInfo (''
-        info["rest_address"] = "${nbLib.addressWithPort cfg.restAddress cfg.restPort}"
-      '' + mkIfOnionPort "lnd-rest" (onionPort: ''
-        info["onion_rest_address"] = get_onion_address("lnd-rest", ${onionPort})
-      '') + ''
+      lnd = mkInfo ''
         info["nodeid"] = shell("lncli getinfo | jq -r '.identity_pubkey'")
-      '') name cfg;
+      '';
       clightning-rest = mkInfo "";
       electrs = mkInfo "";
       fulcrum = mkInfo "";
@@ -152,7 +146,7 @@ in {
       rtl = mkInfo "";
       # Only add sshd when it has an onion service
       sshd = name: cfg: mkIfOnionPort "sshd" (onionPort: ''
-        add_service("sshd", """info["onion_address"] = get_onion_address("sshd", ${onionPort})""")
+        add_service("sshd", """set_onion_address(info, "sshd", ${onionPort})""")
       '');
     };
   };

modules/obsolete-options.nix

@@ -33,6 +33,7 @@ in {
     (mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ])
     # 0.0.70
     (mkRenamedOptionModule [ "services" "rtl" "cl-rest" ] [ "services" "clightning-rest" ])
+    (mkRenamedOptionModule [ "services" "lnd" "restOnionService" "enable" ] [ "services" "lnd" "lndconnectOnion" "enable" ])
 
     (mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ])
 
@@ -45,28 +46,6 @@ in {
       bitcoin peer connections for syncing blocks. This performs well on low and high
       memory systems.
     '')
-    # 0.0.86
-    (mkRemovedOptionModule [ "services" "lnd" "restOnionService" "enable" ] ''
-      Set the following options instead:
-      services.lnd.lndconnect = {
-        enable = true;
-        onion = true;
-      }
-    '')
-    (mkRemovedOptionModule [ "services" "lnd" "lndconnectOnion" ] ''
-      Set the following options instead:
-      services.lnd.lndconnect = {
-        enable = true;
-        onion = true;
-      }
-    '')
-    (mkRemovedOptionModule [ "services" "clightning-rest" "lndconnectOnion" ] ''
-      Set the following options instead:
-      services.clightning-rest.lndconnect = {
-        enable = true;
-        onion = true;
-      }
-    '')
   ] ++
   # 0.0.59
   (map mkSplitEnforceTorOption [

modules/presets/wireguard.nix

@@ -1,214 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-# Create a WireGuard server with a single peer.
-# Private/public keys are created via the secrets system.
-# Add helper binaries `nix-bitcoin-wg-connect` and optionally `lndconnect-wg`, `lndconnect-clightning-wg`.
-
-# See ../../docs/services.md ("Use Zeus (mobile lightning wallet) via WireGuard")
-# for usage instructions.
-
-# This is a rather opinionated implementation that lacks the flexibility offered by
-# other nix-bitcoin modules, so ship this as a `preset`.
-# Some users will prefer to use `lndconnect` with their existing WireGuard or Tailscale setup.
-
-with lib;
-let
-  options.nix-bitcoin.wireguard = {
-    subnet = mkOption {
-      type = types.str;
-      default = "10.10.0";
-      description = mdDoc "The /24 subnet of the wireguard network.";
-    };
-    restrictPeer = mkOption {
-      type = types.bool;
-      default = true;
-      description = mdDoc ''
-        Prevent the peer from connecting to any addresses except for the WireGuard server address.
-      '';
-    };
-  };
-
-  cfg = config.nix-bitcoin.wireguard;
-  wgSubnet = cfg.subnet;
-  inherit (config.networking.wireguard.interfaces) wg-nb;
-  inherit (config.services)
-    lnd
-    clightning-rest;
-
-  lndconnect = lnd.enable && lnd.lndconnect.enable;
-  lndconnect-clightning = clightning-rest.enable && clightning-rest.lndconnect.enable;
-
-  serverAddress = "${wgSubnet}.1";
-  peerAddress = "${wgSubnet}.2";
-
-  secretsDir = config.nix-bitcoin.secretsDir;
-
-  wgConnectUser = if config.nix-bitcoin.operator.enable
-                  then config.nix-bitcoin.operator.name
-                  else "root";
-
-  # A script that prints a QR code to connect a peer to the server.
-  # The QR code encodes a wg-quick config that can be imported by the wireguard
-  # mobile app.
-  wgConnect = pkgs.writers.writeBashBin "nix-bitcoin-wg-connect" ''
-    set -euo pipefail
-    text=
-    host=
-    for arg in "$@"; do
-      case $arg in
-        --text)
-          text=1
-          ;;
-        *)
-          host=$arg
-          ;;
-      esac
-    done
-
-    if [[ ! $host ]]; then
-      # Use lndconnect to fetch the external ip.
-      # This internally uses https://github.com/GlenDC/go-external-ip, which
-      # queries a set of external ip providers.
-      host=$(
-        ${getExe config.nix-bitcoin.pkgs.lndconnect} --url --nocert \
-          --configfile=/dev/null --adminmacaroonpath=/dev/null \
-          | sed -nE 's|.*?/(.*?):.*|\1|p'
-      )
-    fi
-
-    config="[Interface]
-    PrivateKey = $(cat ${secretsDir}/wg-peer-private-key)
-    Address = ${peerAddress}/24
-
-    [Peer]
-    PublicKey = $(cat ${secretsDir}/wg-server-public-key)
-    AllowedIPs = ${wgSubnet}.0/24
-    Endpoint = $host:${toString wg-nb.listenPort}
-    PersistentKeepalive = 25
-    "
-
-    if [[ $text ]]; then
-      echo "$config"
-    else
-      echo "$config" | ${getExe pkgs.qrencode} -t UTF8 -o -
-    fi
-  '';
-in {
-  inherit options;
-
-  config = {
-    assertions = [
-      {
-        # Don't support `netns-isolation` for now to keep things simple
-        assertion = !(config.nix-bitcoin.netns-isolation.enable or false);
-        message = "`nix-bitcoin.wireguard` is not compatible with `netns-isolation`.";
-      }
-    ];
-
-    networking.wireguard.interfaces.wg-nb = {
-      ips = [ "${serverAddress}/24" ];
-      listenPort = mkDefault 51820;
-      privateKeyFile = "${secretsDir}/wg-server-private-key";
-      allowedIPsAsRoutes = false;
-      peers = [
-        {
-          # To use the actual public key from the secrets file, use dummy pubkey
-          # `peer0` and replace it via `getPubkeyFromFile` (see further below)
-          # at peer service runtime.
-          publicKey = "peer0";
-          allowedIPs = [ "${peerAddress}/32" ];
-        }
-      ];
-    };
-
-    systemd.services = {
-      wireguard-wg-nb = rec {
-        wants = [ "nix-bitcoin-secrets.target" ];
-        after = wants;
-      };
-
-      # HACK: Modify start/stop scripts of the peer setup service to read
-      # the pubkey from a secrets file.
-      wireguard-wg-nb-peer-peer0 = let
-        getPubkeyFromFile = mkBefore ''
-          if [[ ! -v inPatchedSrc ]]; then
-            export inPatchedSrc=1
-            publicKey=$(cat "${secretsDir}/wg-peer-public-key")
-            <"''${BASH_SOURCE[0]}" sed "s|\bpeer0\b|$publicKey|g" | ${pkgs.bash}/bin/bash -s
-            exit
-          fi
-        '';
-      in {
-        script = getPubkeyFromFile;
-        postStop = getPubkeyFromFile;
-      };
-    };
-
-    environment.systemPackages = [
-      wgConnect
-    ] ++ (optional lndconnect
-      (pkgs.writers.writeBashBin "lndconnect-wg" ''
-        exec lndconnect --host "${serverAddress}" --nocert "$@"
-      '')
-    ) ++ (optional lndconnect-clightning
-      (pkgs.writers.writeBashBin "lndconnect-clightning-wg" ''
-        exec lndconnect-clightning --host "${serverAddress}" --nocert "$@"
-      '')
-    );
-
-    networking.firewall = let
-      restrictPeerRule = "-s ${peerAddress} ! -d ${serverAddress} -j REJECT";
-    in {
-      allowedUDPPorts = [ wg-nb.listenPort ];
-
-      extraCommands =
-        optionalString lndconnect ''
-          iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString lnd.restPort} -j nixos-fw-accept
-        ''
-        + optionalString lndconnect-clightning ''
-          iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString clightning-rest.port} -j nixos-fw-accept
-        ''
-        + optionalString cfg.restrictPeer ''
-          iptables -w -A nixos-fw ${restrictPeerRule}
-          iptables -w -A FORWARD ${restrictPeerRule}
-        '';
-
-      extraStopCommands =
-        # Rules added to chain `nixos-fw` are automatically removed when restarting
-        # the NixOS firewall service.
-        mkIf cfg.restrictPeer ''
-          iptables -w -D FORWARD ${restrictPeerRule} || :
-        '';
-    };
-
-    # Listen on all addresses, including `serverAddress`.
-    # This is safe because the listen ports are secured by the firewall.
-    services.lnd.restAddress = mkIf lndconnect "0.0.0.0";
-    # clightning-rest always listens on "0.0.0.0"
-
-    nix-bitcoin.secrets = {
-      wg-server-private-key = {};
-      wg-server-public-key = { user = wgConnectUser; group = "root"; };
-      wg-peer-private-key = { user = wgConnectUser; group = "root"; };
-      wg-peer-public-key = {};
-    };
-
-    nix-bitcoin.generateSecretsCmds.wireguard = let
-      wg = "${pkgs.wireguard-tools}/bin/wg";
-    in ''
-      makeWireguardKey() {
-        local name=$1
-        local priv=wg-$name-private-key
-        local pub=wg-$name-public-key
-        if [[ ! -e $priv ]]; then
-          ${wg} genkey > $priv
-        fi
-        if [[ $priv -nt $pub ]]; then
-          ${wg} pubkey < $priv > $pub
-        fi
-      }
-      makeWireguardKey server
-      makeWireguardKey peer
-    '';
-  };
-}

modules/rtl.nix

@@ -191,7 +191,6 @@ in {
                  optional cfg.nodes.lnd.enable "lnd.service";
       after = requires;
       environment.RTL_CONFIG_PATH = cfg.dataDir;
-      environment.DB_DIRECTORY_PATH = cfg.dataDir;
       serviceConfig = nbLib.defaultHardening // {
         ExecStartPre = [
           (nbLib.script "rtl-setup-config" ''

modules/versioning.nix

@@ -228,7 +228,7 @@ let
       version = "0.0.70";
       condition = config.services.lnd.lndconnectOnion.enable;
       message = ''
-        The `lndconnect-rest-onion` binary has been renamed to `lndconnect`.
+        The `lndconnect-rest-onion` binary has been renamed to `lndconnect-onion`.
       '';
     }
     {

pkgs/clightning-plugins/default.nix

@@ -32,7 +32,7 @@ let
       extraPkgs = [ prometheus_client ];
       patchRequirements =
         "--replace prometheus-client==0.6.0 prometheus-client==0.15.0"
-        + " --replace pyln-client~=0.9.3 pyln-client~=23.02";
+        + " --replace pyln-client~=0.9.3 pyln-client~=22.11rc1";
     };
     rebalance = {
       description = "Keeps your channels balanced";

pkgs/default.nix

@@ -20,12 +20,6 @@ let self = {
   # The secp256k1 version used by joinmarket
   secp256k1 = pkgs.callPackage ./secp256k1 { };
   spark-wallet = pkgs.callPackage ./spark-wallet { };
-  trustedcoin = pkgs.callPackage ./trustedcoin { };
-
-  # TODO-EXTERNAL:
-  # Remove this when https://github.com/lightningnetwork/lnd/pull/7672
-  # has been resolved
-  lnd = pkgsUnstable.callPackage ./lnd { };
 
   pyPkgs = import ./python-packages self pkgs.python3;
   inherit (self.pyPkgs)

pkgs/joinmarket/default.nix

@@ -1,12 +1,10 @@
-{ stdenv, lib, fetchFromGitHub, python3, nbPython3PackagesJoinmarket }:
+{ stdenv, lib, fetchurl, python3, nbPython3PackagesJoinmarket }:
 
 let
-  version = "0.9.9";
-  src = fetchFromGitHub {
-    owner = "joinmarket-org";
-    repo = "joinmarket-clientserver";
-    rev = "v${version}";
-    sha256 = "sha256-dkeSgAhjNl8o/ATKYAlQxxCrur5fLdXuMDXSnWaxYP8=";
+  version = "0.9.8";
+  src = fetchurl {
+    url = "https://github.com/JoinMarket-Org/joinmarket-clientserver/archive/v${version}.tar.gz";
+    sha256 = "1ab4smpyx966iiiip3g11bcslya37qhac1kgkbmsmlsdkpilw9di";
   };
 
   runtimePackages = with nbPython3PackagesJoinmarket; [

pkgs/joinmarket/get-sha256.sh

@@ -1,23 +1,25 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p git gnupg jq
-
+#!/usr/bin/env bash
 set -euo pipefail
-newVersion=$(curl -s "https://api.github.com/repos/joinmarket-org/joinmarket-clientserver/releases" | jq -r '.[0].tag_name')
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg" "$@"
 
-# Fetch release and GPG-verify the content hash
-tmpdir=$(mktemp -d /tmp/joinmarket-verify-gpg.XXX)
-repo=$tmpdir/repo
-git clone --depth 1 --branch "${newVersion}" -c advice.detachedHead=false https://github.com/joinmarket-org/joinmarket-clientserver "$repo"
-export GNUPGHOME=$tmpdir
+TMPDIR="$(mktemp -d -p /tmp)"
+trap 'rm -rf $TMPDIR' EXIT
+cd "$TMPDIR"
+
+echo "Fetching latest release"
+git clone https://github.com/joinmarket-org/joinmarket-clientserver 2> /dev/null
+cd joinmarket-clientserver
+latest=$(git describe --tags "$(git rev-list --tags --max-count=1)")
+echo "Latest release is $latest"
+
+# GPG verification
+export GNUPGHOME=$TMPDIR
 echo "Fetching Adam Gibson's key"
 gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null
-echo
-echo "Verifying commit"
-git -C "$repo" verify-commit HEAD
-rm -rf "$repo"/.git
-newHash=$(nix hash path "$repo")
-rm -rf "$tmpdir"
-echo
+echo "Verifying latest release"
+git verify-tag "$latest"
 
-echo "tag: $newVersion"
-echo "hash: $newHash"
+echo "tag: $latest"
+# The prefix option is necessary because GitHub prefixes the archive contents in this format
+echo "sha256: $(nix-hash --type sha256 --flat --base32 \
+                <(git archive --format tar.gz --prefix=joinmarket-clientserver-"${latest//v}"/ "$latest"))"

pkgs/lnd/default.nix

@@ -1,12 +0,0 @@
-{ lnd, fetchpatch }:
-
-lnd.overrideAttrs (_: {
-  patches = [
-    (fetchpatch {
-      # https://github.com/lightningnetwork/lnd/pull/7672
-      name = "fix-PKCS8-cert-key-support";
-      url = "https://github.com/lightningnetwork/lnd/commit/bfdd5db0d97a6d65489d980a917bbd2243dfe15c.patch";
-      hash = "sha256-j9EirxyNi48DGzLuHcZ36LrFlbJLXrE8L+1TYh5Yznk=";
-    })
-  ];
-})

pkgs/pinned.nix

@@ -4,20 +4,21 @@ pkgs: pkgsUnstable:
   inherit (pkgs)
     bitcoin
     bitcoind
+    elementsd
     extra-container
+    lightning-loop
     lightning-pool
-    lndconnect;
+    lndconnect
+    nbxplorer;
 
   inherit (pkgsUnstable)
     btcpayserver
     charge-lnd
     clightning
     electrs
-    elementsd
     fulcrum
     hwi
-    lightning-loop
-    nbxplorer;
+    lnd;
 
   inherit pkgs pkgsUnstable;
 }

pkgs/python-packages/bencoderpyx/default.nix

@@ -2,11 +2,11 @@
 
 buildPythonPackage rec {
   pname = "bencoder.pyx";
-  version = "3.0.1";
+  version = "2.0.1";
 
   src = fetchurl {
-    url = "https://github.com/whtsky/bencoder.pyx/archive/9a47768f3ceba9df9e6fbaa7c445f59960889009.tar.gz";
-    sha256 = "1yh565xjbbhn49xjfms80ac8psjbzn66n8dcx0x8mn7zzjv06clz";
+    url = "https://github.com/whtsky/bencoder.pyx/archive/v${version}.tar.gz";
+    sha256 = "f3ff92ac706a7e4692bed5e6cbe205963327f3076f55e408eb948659923eac72";
   };
 
   nativeBuildInputs = [ cython ];

pkgs/python-packages/default.nix

@@ -22,6 +22,7 @@ rec {
       };
       runes = callPackage ./runes {};
       sha256 = callPackage ./sha256 {};
+      urldecode = callPackage ./urldecode {};
     };
 
   # Joinmarket requires a custom package set because it uses older versions of Python pkgs
@@ -46,10 +47,12 @@ rec {
       # autobahn 20.12.3, required by joinmarketclient
       autobahn = callPackage ./specific-versions/autobahn.nix {};
 
-      # pyopenssl 21.0.0, required by joinmarketdaemon
-      pyopenssl = callPackage ./specific-versions/pyopenssl.nix {};
+      # pyopenssl 20.0.1, required by joinmarketdaemon
+      pyopenssl = callPackage ./specific-versions/pyopenssl.nix {
+        openssl = super.pkgs.openssl_1_1;
+      };
 
-      # twisted 22.4.0, required by joinmarketbase
+      # twisted 22.4.0, compatible with pyopenssl 20.0.1
       twisted = callPackage ./specific-versions/twisted.nix {};
     };
 

pkgs/python-packages/jmbitcoin/default.nix

@@ -1,4 +1,4 @@
-{ version, src, lib, buildPythonPackage, fetchurl, pyaes, python-bitcointx, joinmarketbase }:
+{ version, src, lib, buildPythonPackage, fetchurl, urldecode, pyaes, python-bitcointx, joinmarketbase }:
 
 buildPythonPackage rec {
   pname = "joinmarketbitcoin";
@@ -6,7 +6,7 @@ buildPythonPackage rec {
 
   postUnpack = "sourceRoot=$sourceRoot/jmbitcoin";
 
-  propagatedBuildInputs = [ pyaes python-bitcointx ];
+  propagatedBuildInputs = [ urldecode pyaes python-bitcointx ];
 
   checkInputs = [ joinmarketbase ];
 

pkgs/python-packages/jmdaemon/default.nix

@@ -8,12 +8,6 @@ buildPythonPackage rec {
 
   propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ];
 
-  # libnacl 1.8.0 is not on github
-  patchPhase = ''
-    substituteInPlace setup.py \
-      --replace "'libnacl==1.8.0'" "'libnacl==1.7.2'"
-  '';
-
   meta = with lib; {
     description = "Client library for Bitcoin coinjoins";
     homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";

pkgs/python-packages/specific-versions/pyopenssl.nix

@@ -6,50 +6,17 @@
 , cryptography
 , pyasn1
 , idna
-, pytestCheckHook
+, pytest
 , pretend
 , flaky
 , glibcLocales
 , six
 }:
 
-buildPythonPackage rec {
-  pname = "pyopenssl";
-  version = "21.0.0";
-
-  src = fetchPypi {
-    pname = "pyOpenSSL";
-    inherit version;
-    sha256 = "5e2d8c5e46d0d865ae933bef5230090bdaf5506281e9eec60fa250ee80600cb3";
-  };
-
-  outputs = [ "out" "dev" ];
-
-  # Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
-  # for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
-  doCheck = !stdenv.isDarwin;
-
-  nativeBuildInputs = [ openssl ];
-  propagatedBuildInputs = [ cryptography pyasn1 idna six ];
-
-  checkInputs = [ pytestCheckHook pretend flaky glibcLocales ];
-
-  preCheck = ''
-    export LANG="en_US.UTF-8"
-  '';
-
-  disabledTests = [
-    # https://github.com/pyca/pyopenssl/issues/692
-    # These tests, we disable always.
-    "test_set_default_verify_paths"
-    "test_fallback_default_verify_paths"
-    # https://github.com/pyca/pyopenssl/issues/768
-    "test_wantWriteError"
-    # https://github.com/pyca/pyopenssl/issues/1043
-    "test_alpn_call_failure"
-  ] ++ lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) [
+let
   # https://github.com/pyca/pyopenssl/issues/791
   # These tests, we disable in the case that libressl is passed in as openssl.
+  failingLibresslTests = [
     "test_op_no_compression"
     "test_npn_advertise_error"
     "test_npn_select_error"
@@ -62,21 +29,64 @@ buildPythonPackage rec {
     "test_verify_with_revoked"
     "test_set_notAfter"
     "test_set_notBefore"
-  ] ++ lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") [
-    # these tests are extremely tightly wed to the exact output of the openssl cli tool, including exact punctuation.
+  ];
+
+  # these tests are extremely tightly wed to the exact output of the openssl cli tool,
+  # including exact punctuation.
+  failingOpenSSL_1_1Tests = [
     "test_dump_certificate"
     "test_dump_privatekey_text"
     "test_dump_certificate_request"
     "test_export_text"
-  ] ++ lib.optionals stdenv.is32bit [
-    # https://github.com/pyca/pyopenssl/issues/974
-    "test_verify_with_time"
   ];
 
-  meta = with lib; {
-    description = "Python wrapper around the OpenSSL library";
-    homepage = "https://github.com/pyca/pyopenssl";
-    license = licenses.asl20;
-    maintainers = with maintainers; [ SuperSandro2000 ];
+  disabledTests = [
+    # https://github.com/pyca/pyopenssl/issues/692
+    # These tests, we disable always.
+    "test_set_default_verify_paths"
+    "test_fallback_default_verify_paths"
+    # https://github.com/pyca/pyopenssl/issues/768
+    "test_wantWriteError"
+  ] ++ (
+    lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) failingLibresslTests
+  ) ++ (
+    lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") failingOpenSSL_1_1Tests
+  ) ++ (
+    # https://github.com/pyca/pyopenssl/issues/974
+    lib.optionals stdenv.is32bit [ "test_verify_with_time" ]
+  );
+
+  # Compose the final string expression, including the "-k" and the single quotes.
+  testExpression = lib.optionalString (disabledTests != [])
+    "-k 'not ${lib.concatStringsSep " and not " disabledTests}'";
+
+in
+
+buildPythonPackage rec {
+  pname = "pyopenssl";
+  version = "20.0.1";
+
+  src = fetchPypi {
+    pname = "pyOpenSSL";
+    inherit version;
+    sha256 = "4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51";
   };
+
+  outputs = [ "out" "dev" ];
+
+  checkPhase = ''
+    runHook preCheck
+    export LANG="en_US.UTF-8"
+    py.test tests ${testExpression}
+    runHook postCheck
+  '';
+
+  # Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
+  # for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
+  doCheck = !stdenv.isDarwin;
+
+  nativeBuildInputs = [ openssl ];
+  propagatedBuildInputs = [ cryptography pyasn1 idna six ];
+
+  checkInputs = [ pytest pretend flaky glibcLocales ];
 }

pkgs/python-packages/urldecode/default.nix

@@ -0,0 +1,16 @@
+{ lib, buildPythonPackage, fetchPypi }:
+buildPythonPackage rec {
+  pname = "urldecode";
+  version = "0.1";
+
+  src = fetchPypi {
+    inherit pname version;
+    sha256 = "0w8my7kdwxppsfzzi1b2cxhypm6r1fsrnb2hnd752axq4gfsddjj";
+  };
+
+  meta = with lib; {
+    description = "A simple function to decode an encoded url";
+    homepage = "https://github.com/jennyq/urldecode";
+    maintainers = with maintainers; [ nixbitcoin ];
+  };
+}

pkgs/rtl/default.nix

@@ -10,11 +10,11 @@
 }:
 let self = stdenvNoCC.mkDerivation {
   pname = "rtl";
-  version = "0.13.6";
+  version = "0.13.4";
 
   src = fetchurl {
     url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz";
-    hash = "sha256-eyRM28h2TV3IyW4hDPHj/wMJxLEZin7AqWQZGQt5mV4=";
+    hash = "sha256-WVldNnmCB7Gi/U3dUDTYF58i480eXkstRnEg+1QCeMM=";
   };
 
   passthru = {
@@ -26,7 +26,7 @@ let self = stdenvNoCC.mkDerivation {
       # TODO-EXTERNAL: Remove `npmFlags` when no longer required
       # See: https://github.com/Ride-The-Lightning/RTL/issues/1182
       npmFlags = "--legacy-peer-deps";
-      hash = "sha256-C4yK6deYXPrTa383aXiHoO0w3JAMIfAaESCEy9KKY2k=";
+      hash = "sha256-AG7930RGLxbPp1ErTGuYvUvPur9ppEmg91Taz7Ube6w=";
     };
   };
 

pkgs/rtl/generate.sh

@@ -2,7 +2,7 @@
 set -euo pipefail
 . "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
 
-version="0.13.6"
+version="0.13.4"
 repo=https://github.com/Ride-The-Lightning/RTL
 
 scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)

pkgs/trustedcoin/default.nix

@@ -1,23 +0,0 @@
-{ lib, buildGoModule, fetchFromGitHub }:
-
-buildGoModule rec {
-  pname = "trustedcoin";
-  version = "0.6.1";
-  src = fetchFromGitHub {
-    owner = "nbd-wtf";
-    repo = pname;
-    rev = "v${version}";
-    sha256 = "sha256-UNQjxhAT0mK1In7vUtIoMoMNBV+0wkrwbDmm7m+0R3o=";
-  };
-
-  vendorSha256 = "sha256-xvkK9rMQlXTnNyOMd79qxVSvhgPobcBk9cq4/YWbupY=";
-
-  subPackages = [ "." ];
-
-  meta = with lib; {
-    description = "Light bitcoin node implementation";
-    homepage = "https://github.com/nbd-wtf/trustedcoin";
-    maintainers = with maintainers; [ seberm fort-nix ];
-    platforms = platforms.linux;
-  };
-}

pkgs/trustedcoin/get-sha256.sh

@@ -1,20 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git gnupg curl jq
-set -euo pipefail
-
-
-TMPDIR="$(mktemp -d -p /tmp)"
-trap 'rm -rf $TMPDIR' EXIT
-cd "$TMPDIR"
-
-echo "Fetching latest release"
-repo='nbd-wtf/trustedcoin'
-latest=$(curl --location --silent --show-error https://api.github.com/repos/${repo}/releases/latest | jq -r .tag_name)
-echo "Latest release is $latest"
-git clone --depth 1 --branch "$latest" "https://github.com/${repo}" 2>/dev/null
-cd trustedcoin
-
-echo "tag: $latest"
-git checkout -q "tags/$latest"
-rm -rf .git
-nix --extra-experimental-features nix-command hash path .

test/nixos-search/ci-test.sh

@@ -20,4 +20,4 @@ if [[ ${CACHIX_SIGNING_KEY:-} ]]; then
 fi
 
 echo "Running flake-info (nixos-search)"
-flake-info --json flake ../.. >/dev/null
+flake-info flake ../..

test/nixos-search/flake-info-sandboxed.sh

@@ -41,4 +41,4 @@ bwrap \
   --ro-bind "$tmpDir/nix.conf" /etc/nix/nix.conf \
   --ro-bind /usr /usr \
   --ro-bind-try /run /run \
-  -- flake-info --json flake "$nbFlake" >/dev/null
+  -- flake-info flake "$nbFlake"

test/nixos-search/flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     "nixos-org-configurations": {
       "flake": false,
       "locked": {
-        "lastModified": 1679995724,
-        "narHash": "sha256-x5ElztEfo+vFEQdePneBEfQZcAtU5a7SWHHAuEESMts=",
+        "lastModified": 1674564797,
+        "narHash": "sha256-MgGsFleE8Wzhu8XX3ulcBojkHzFLkII+D9sxkTHg7OU=",
         "owner": "NixOS",
         "repo": "nixos-org-configurations",
-        "rev": "72adc59c5ba946c3d4844a920e9beefae12bbd49",
+        "rev": "3ce43a1fb5181a0e33b1f67d36fa0f3affa6bc6c",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "npmlock2nix": "npmlock2nix"
       },
       "locked": {
-        "lastModified": 1683204679,
-        "narHash": "sha256-GrZj4skt6pjcNMmGQxvf5bSDYPzNahWKSNsHAtx5ERI=",
+        "lastModified": 1674593115,
+        "narHash": "sha256-P4bjLR/8tJ/jVBBeHDzNS2BgVUdB6vS7Udfh30kULJs=",
         "owner": "nixos",
         "repo": "nixos-search",
-        "rev": "0498effc4137095938f16fd752cc81a96901554f",
+        "rev": "be9a717b8032c7410337139f9dcfd6227b7407a4",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1680213900,
-        "narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=",
+        "lastModified": 1667629849,
+        "narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e3652e0735fbec227f342712f180f4f21f0594f2",
+        "rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     "npmlock2nix": {
       "flake": false,
       "locked": {
-        "lastModified": 1673447413,
-        "narHash": "sha256-sJM82Sj8yfQYs9axEmGZ9Evzdv/kDcI9sddqJ45frrU=",
+        "lastModified": 1666460237,
+        "narHash": "sha256-HME6rnysvCwUVtH+BDWDGahmweMaLgD2wqHeRuGp6QI=",
         "owner": "nix-community",
         "repo": "npmlock2nix",
-        "rev": "9197bbf397d76059a76310523d45df10d2e4ca81",
+        "rev": "eeed152290ec2425f96c5e74e469c40b621e1468",
         "type": "github"
       },
       "original": {

test/run-tests.sh

@@ -274,7 +274,6 @@ buildable=(
     hardened
     clightning-replication
     lndPruned
-    wireguard-lndconnect
 )
 buildable() { buildTests buildable "$@"; }
 

test/tests.nix

@@ -45,7 +45,7 @@ let
       services.clightning.extraConfig = mkIf config.test.noConnections "disable-dns";
       test.data.clightning-plugins = let
         plugins = config.services.clightning.plugins;
-        removed = [ "commando" "trustedcoin" ];
+        removed = [ "commando" ];
         enabled = builtins.filter (plugin: plugins.${plugin}.enable)
                                   (subtractLists removed (builtins.attrNames plugins));
         nbPkgs = config.nix-bitcoin.pkgs;
@@ -86,8 +86,8 @@ let
 
       nix-bitcoin.onionServices.lnd.public = true;
 
-      tests.lndconnect-onion-lnd = with cfg.lnd.lndconnect; enable && onion;
-      tests.lndconnect-onion-clightning = with cfg.clightning-rest.lndconnect; enable && onion;
+      tests.lndconnect-onion-lnd = cfg.lnd.lndconnectOnion.enable;
+      tests.lndconnect-onion-clightning = cfg.clightning-rest.lndconnectOnion.enable;
 
       tests.lightning-loop = cfg.lightning-loop.enable;
       services.lightning-loop.certificate.extraIPs = [ "20.0.0.1" ];
@@ -187,9 +187,9 @@ let
       services.rtl.enable = true;
       services.spark-wallet.enable = true;
       services.clightning-rest.enable = true;
-      services.clightning-rest.lndconnect = { enable = true; onion = true; };
+      services.clightning-rest.lndconnectOnion.enable = true;
       services.lnd.enable = true;
-      services.lnd.lndconnect = { enable = true; onion = true; };
+      services.lnd.lndconnectOnion.enable = true;
       services.lightning-loop.enable = true;
       services.lightning-pool.enable = true;
       services.charge-lnd.enable = true;
@@ -315,15 +315,6 @@ let
       services.lnd.enable = true;
       services.bitcoind.prune = 1000;
     };
-
-    # Test the special clightning setup where trustedcoin plugin is used
-    trustedcoin = {
-      tests.trustedcoin = true;
-      services.clightning = {
-        enable = true;
-        plugins.trustedcoin.enable = true;
-      };
-    };
   } // (import ../dev/dev-scenarios.nix {
     inherit lib scenarios;
   });
@@ -414,7 +405,6 @@ in {
     in
       {
         clightning-replication = import ./clightning-replication.nix makeTestVM pkgs;
-        wireguard-lndconnect = import ./wireguard-lndconnect.nix makeTestVM pkgs;
       } // mainTests;
 
     tests = makeTests scenarios;

test/tests.py

@@ -177,12 +177,12 @@ def _():
 @test("lndconnect-onion-lnd")
 def _():
     assert_running("lnd")
-    assert_matches("runuser -u operator -- lndconnect --url", ".onion")
+    assert_matches("runuser -u operator -- lndconnect-onion --url", ".onion")
 
 @test("lndconnect-onion-clightning")
 def _():
     assert_running("clightning-rest")
-    assert_matches("runuser -u operator -- lndconnect-clightning --url", ".onion")
+    assert_matches("runuser -u operator -- lndconnect-onion-clightning --url", ".onion")
 
 @test("lightning-loop")
 def _():
@@ -433,18 +433,6 @@ def _():
     if enabled("btcpayserver"):
         machine.wait_until_succeeds(log_has_string("nbxplorer", f"At height: {num_blocks}"))
 
-@test("trustedcoin")
-def _():
-    machine.wait_for_unit("bitcoind")
-    machine.wait_for_unit("clightning")
-
-    # Let's check the trustedcoin plugin was correctly initialized
-    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+initialized plugin"))
-    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+bitcoind RPC working"))
-    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+tip: 0"))
-    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+estimatefees error: none of the esploras returned usable responses"))
-
-
 if "netns-isolation" in enabled_tests:
     def ip(name):
         return test_data["netns"][name]["address"]

test/wireguard-lndconnect.nix

@@ -1,103 +0,0 @@
-# You can run this test via `run-tests.sh -s wireguard-lndconnect`
-
-makeTestVM: pkgs:
-with pkgs.lib;
-
-makeTestVM {
-  name = "wireguard-lndconnect";
-
-  nodes = {
-    server = {
-      imports = [
-        ../modules/modules.nix
-        ../modules/presets/wireguard.nix
-      ];
-
-      nixpkgs.pkgs = pkgs;
-
-      nix-bitcoin.generateSecrets = true;
-      nix-bitcoin.operator.enable = true;
-
-      services.clightning-rest = {
-        enable = true;
-        lndconnect.enable = true;
-      };
-      # TODO-EXTERNAL:
-      # When WAN is disabled, DNS bootstrapping slows down service startup by ~15 s.
-      services.clightning.extraConfig = "disable-dns";
-
-      services.lnd = {
-        enable = true;
-        lndconnect.enable = true;
-        port = 9736;
-      };
-    };
-
-    client = {
-      nixpkgs.pkgs = pkgs;
-
-      environment.systemPackages = with pkgs; [
-        wireguard-tools
-      ];
-    };
-  };
-
-  testScript =  ''
-    import base64
-    import urllib.parse as Url
-    from types import SimpleNamespace
-
-    def parse_lndconnect_url(url):
-        u = Url.urlparse(url)
-        queries = Url.parse_qs(u.query)
-        macaroon = queries['macaroon'][0]
-        is_clightning = url.startswith("c-lightning-rest")
-
-        return SimpleNamespace(
-            host = u.hostname,
-            port = u.port,
-            macaroon_hex =
-              macaroon if is_clightning else base64.urlsafe_b64decode(macaroon + '===').hex().upper()
-        )
-
-    client.start()
-    server.connect()
-
-    if not "is_interactive" in vars():
-
-      with subtest("connect client to server via WireGuard"):
-          server.wait_for_unit("wireguard-wg-nb-peer-peer0.service")
-
-          # Get WireGuard config from server and save it to `/tmp/wireguard.conf` on the client
-          wg_config = server.succeed("runuser -u operator -- nix-bitcoin-wg-connect server --text")
-          # Encode to base64
-          b64 = base64.b64encode(wg_config.encode('utf-8')).decode()
-          client.succeed(f"install -m 400 <(echo -n {b64} | base64 -d) /tmp/wireguard.conf")
-
-          # Connect to server via WireGuard
-          client.succeed("wg-quick up /tmp/wireguard.conf")
-
-          # Ping server from client
-          print(client.succeed("ping -c 1 -W 0.5 10.10.0.1"))
-
-      with subtest("lndconnect-wg"):
-          server.wait_for_unit("lnd.service")
-          lndconnect_url = server.succeed("runuser -u operator -- lndconnect-wg --url")
-          api = parse_lndconnect_url(lndconnect_url)
-          # Make lnd REST API call
-          client.succeed(
-              f"curl -fsS --max-time 3 --insecure --header 'Grpc-Metadata-macaroon: {api.macaroon_hex}' "
-              f"-X GET https://{api.host}:{api.port}/v1/getinfo"
-          )
-
-      with subtest("lndconnect-clightning-wg"):
-          server.wait_for_unit("clightning-rest.service")
-          lndconnect_url = server.succeed("runuser -u operator -- lndconnect-clightning-wg --url")
-          api = parse_lndconnect_url(lndconnect_url)
-          # Make clightning-rest API call
-          client.succeed(
-              f"curl -fsS --max-time 3 --insecure --header 'macaroon: {api.macaroon_hex}' "
-              f"--header 'encodingtype: hex' -X GET https://{api.host}:{api.port}/v1/getinfo"
-          )
-  '';
-}