Compare commits

..

117 Commits

Author SHA1 Message Date
nixbitcoin
f2529154d4 joinmarket: 0.9.8 -> 0.9.9 2023-06-01 02:56:23 -07:00
Erik Arvstedt
376b344b90 lnd: fix non-static patch URL 2023-06-01 02:56:23 -07:00
Erik Arvstedt
d04549c0dc lnd: fix cert key format bug 2023-06-01 02:56:23 -07:00
Erik Arvstedt
de4bd2fb6f update nixpkgs
fulcrum: 1.9.0 -> 1.9.1
lightning-loop: 0.20.0-beta -> 0.23.0-beta
lnd: 0.15.5-beta -> 0.16.2-beta
2023-06-01 02:56:23 -07:00
Jonas Nick
82b2a95ccb Extend expiration date of key-jonasnick.bin
Exported with
`gpg --export-options export-minimal --export 0x4861DBF262123605! > key-jonasnick.bin`.
2023-06-01 02:56:23 -07:00
Otto Sabart
a0f2839817 docs: trustedcoin: add info about possible problems 2023-06-01 02:56:23 -07:00
Otto Sabart
fd000e7a14 trustedcoin: explicitly use the HTTPS_PROXY for external connections 2023-06-01 02:56:23 -07:00
Otto Sabart
bf6f9f8fae tests: add tests for trustedcoin clightning plugin 2023-06-01 02:56:23 -07:00
Otto Sabart
e99937991c trustedcoin: update to v0.6.1 2023-06-01 02:56:23 -07:00
Otto Sabart
60bf5fb8de trustedcoin: fix shellcheck 2023-06-01 02:56:23 -07:00
neverupdate
925492fc70 clightning-plugins: add trustedcoin 2023-06-01 02:56:23 -07:00
neverupdate
0c4ec63231 readme: reference trustedcoin source 2023-06-01 02:56:23 -07:00
neverupdate
cf10fbb74f trustedcoin: add module 2023-06-01 02:56:23 -07:00
neverupdate
fbe8f7c6cb trustedcoin: add pkg 2023-06-01 02:56:23 -07:00
Jonas Nick
356c5df9de update nixpkgs
electrs: 0.9.11 -> 0.9.13
elementsd: 22.1 -> 22.1.1
2023-06-01 02:56:23 -07:00
Jonas Nick
f6708ca2d7 update nixpkgs 2023-06-01 02:56:23 -07:00
Jonas Nick
4a28d53bcb update nixpkgs
clightning: 23.02 -> 23.02.2
2023-06-01 02:56:23 -07:00
Jonas Nick
c2d87b0b68 obsolete options: fix typo in removed lndconnectOnion option 2023-06-01 02:56:23 -07:00
Erik Arvstedt
0daf52bd3f nodeinfo: enable required option nix-bitcoin.operator 2023-06-01 02:56:23 -07:00
Erik Arvstedt
52810e6c88 nodeinfo/lnd: add onion_rest_address 2023-06-01 02:56:23 -07:00
Erik Arvstedt
5b6cd9fd49 nodeinfo/lnd: add rest_address 2023-06-01 02:56:23 -07:00
Erik Arvstedt
5f1e747270 add presets/wireguard.nix
This allows using `lndconnect` via a direct WireGuard connection.
2023-06-01 02:56:23 -07:00
Erik Arvstedt
05310fc02b lndconnect: update to Zeus 0.7.1
- Generate lndconnect URLs with protocol `c-lightning-rest` for clightning.
  (Zeus now auto-detects the lightning implementation by the URL protocol.)
- Use improved QR code format (via qrencode)  .
2023-06-01 02:56:23 -07:00
Erik Arvstedt
64304b6d66 lnd, clightning-rest: remove lndconnectOnion, add generic option lndconnect
For both lnd and clightning-rest, `lndconnectOnion` is replaced by
options `lndconnect.enable` and `lndconnect.onion`.

This allows using lndconnect without Tor.
2023-06-01 02:56:23 -07:00
Erik Arvstedt
992946f20e rename lndconnect-onion.nix -> lndconnect.nix 2023-06-01 02:56:23 -07:00
Erik Arvstedt
22de1a5353 docs/services: improve title, fix numbering 2023-06-01 02:56:23 -07:00
Jonas Nick
d04cad8ed1 update nixpkgs
clightning: 22.11.1 -> 23.02
hwi: 2.2.0 -> 2.2.1
2023-06-01 02:56:23 -07:00
Jonas Nick
ce332177be rtl: set DB_DIRECTORY_PATH
This prevents RTL from trying to create a database in the directory that
contains the RTL executable.
2023-06-01 02:56:23 -07:00
Jonas Nick
560efcb7f1 rtl: 0.13.4 -> 0.13.6 2023-06-01 02:56:23 -07:00
Erik Arvstedt
2344acbf42 btcpayserver: support restarting from the web interface
This is required since version 1.7.4.
See: https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.4
2023-06-01 02:56:23 -07:00
Jonas Nick
f26216b624 update nixpkgs
btcpayserver: 1.7.3 -> 1.7.12
elementsd: 22.0.2 -> 22.1
nbxplorer: 2.3.54 -> 2.3.62

Also add new required argument to flake-info in CI test script.
2023-06-01 02:56:23 -07:00
Erik Arvstedt
5b672fe82a README: add mempool extension module 2023-06-01 02:56:23 -07:00
Erik Arvstedt
7489c10999 README: add some module descriptions 2023-06-01 02:56:23 -07:00
Erik Arvstedt
6244e3a6ed dev/features: improve enter_service
Read uid/gid directly from the service pid.

This makes this fn work with arbitrary services, and with `bitcoind`,
where, for historical reasons, the service user name (`bitcoin`) doesn't
equal the service name.
2023-06-01 02:56:23 -07:00
Erik Arvstedt
a71c60bfe4 fulcrum: allow access to /proc/meminfo
This still hides the proc subdirectories for other processes.

Without this setting, fulcrum fails when the config value of
`fast-sync` is greater than 2^31 bytes.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
e9b6b3123d dev/dev-features: add enter_service helper 2023-06-01 02:56:22 -07:00
Erik Arvstedt
b5293b7e53 test: support run, debug commands in basic NixOS tests
Currently, this only affects the basic NixOS test `clightning-replication`.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
72f09458b6 tests/clightning-replication: reuse pkgs instance
This reduces eval time by 30%.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
2a073a1d64 tests: rename clightningReplication -> clightning-replication
The test name now matches the file name.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
3550ed1e32 secrets: use type lines for generateSecretsCmds
This allows users to amend secrets cmds.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
336a3fccf1 bitcoind, liquid: increase start/stop timeouts 2023-06-01 02:56:22 -07:00
Erik Arvstedt
c8f9e167c1 netns-isolation: improve formatting 2023-06-01 02:56:22 -07:00
Erik Arvstedt
9cb5a7295a netns-isolation: reserve netns id for mempool
This allows using the old id in the extension flake, so that
existing configs are not changed.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
11f91f83e6 add option nix-bitcoin.pkgOverlays
This simplifies extending `nix-bitcoin.pkgs` and is required for
extension flakes.
For now, mark this as `internal`.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
1645451275 helper: add start-bash-session.sh 2023-06-01 02:56:22 -07:00
Erik Arvstedt
a7bc488b17 nodeinfo: extract fn mkInfoLong
This is required by the mempool extension flake.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
9184db69dd improve comments
The comment in python-packackges was obsolete.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
0c354ee9eb rtl: make extraConfig recursively mergeable
Previously, when merging different definitions of `extraConfig`,
only the top-level attrset was merged.

Example:
The two separate settings
  nodes.lnd.extraConfig.Settings.userPersona = "MERCHANT";
  nodes.lnd.extraConfig.Settings.logLevel = "DEBUG";
were previously merged into
  nodes.lnd.extraConfig.Settings = { logLevel = "DEBUG" };
(The last definition has precedence.)
2023-06-01 02:56:22 -07:00
Erik Arvstedt
c9cfcf695f treewide: use bool literals for systemd
Run this from the repo root to check that there are no more remaining
bool strings:
grep -P '"true"|"false"' -r --exclude-dir=.git
2023-06-01 02:56:22 -07:00
Erik Arvstedt
f0ca489867 rtl: 0.13.2 -> 0.13.4 2023-06-01 02:56:22 -07:00
Erik Arvstedt
de49082f2a update nixpkgs
btcpayserver: 1.7.2 -> 1.7.3
electrs: 0.9.10 -> 0.9.11
hwi: 2.1.1 -> 2.2.0
2023-06-01 02:56:22 -07:00
Erik Arvstedt
22e41d5c06 add dev helper and docs 2023-06-01 02:56:22 -07:00
Erik Arvstedt
740dd666ad docs: move test docs from examples/README to test/README 2023-06-01 02:56:22 -07:00
Erik Arvstedt
1e21feb257 docs/configuration: fix typo 2023-06-01 02:56:22 -07:00
Erik Arvstedt
e7407d9efe tests: add example scenario customTest 2023-06-01 02:56:22 -07:00
Erik Arvstedt
cfeddd44aa tests: formatting
Move line next to `services.lnd` config for clarity.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
49229a3e2d tests: fix broken unit file when clightning is disabled
Previously, an incomplete clightning unit was always created because
attr `clightning` was always defined in option attrset `systemd.services`.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
c237f1302f run-tests: use arg instead of env var for scenario overrides
This removes a source of implicit state and guarantees that regular
calls to `run-tests.sh` always run the builtin tests.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
d119c207b9 versioning: add fulcrum db change info 2023-06-01 02:56:22 -07:00
Jonas Nick
4d637adf57 update nixpkgs
btcpayserver: 1.7.1 -> 1.7.2
fulcrum: 1.8.2 -> 1.9.0
nbxplorer: 2.3.49 -> 2.3.54
2023-06-01 02:56:22 -07:00
Erik Arvstedt
94659f3326 examples/deploy-container: fix sudo env propagation
Env vars can't be reliably passed through `sudo`, so always
call nix-shell to setup the env after running sudo.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
0e35b8a79a nix-bitcoin/runAsUserCmd: remove workaround 2023-06-01 02:56:22 -07:00
Erik Arvstedt
e6ce10a478 joinmarket: fix Python packages 2023-06-01 02:56:22 -07:00
Erik Arvstedt
d6cb65fbde clightning: fix Python packages
Patching `pyln-proto` to use cryptography 38 lets
us avoid adding many older Python pkg versions.

The backwards incompatible changes from cryptography 36 to 38
only include the removal of deprecated fns that pyln-proto
doesn't use.
See string "BACKWARDS INCOMPATIBLE" in
https://cryptography.io/en/latest/changelog/
2023-06-01 02:56:22 -07:00
Erik Arvstedt
2737e8374c pythonPackages: improve layout
- Move the creation of the joinmarket Python pkgs from
  `joinmarket/default.nix` to `pkgs/python-packages/default.nix`.

- Move definitions of old pkg versions from the main Python pkgs
  to the joinmarket Python pkgs.
  These old versions are only required by joinmarket.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
c3d2072b58 pythonPackages: add indentation
This makes the following commit more readable.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
f603cb6101 treewide: use mdDoc for descriptions
Enable markdown syntax (instead of docbook) for descriptions.
This only affects external doc tooling that renders the descriptions.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
e96ff7075e treewide: rename maintainer earvstedt -> erikarvstedt 2023-06-01 02:56:22 -07:00
Erik Arvstedt
ba54d3d699 shellcheck-services.nix: update to NixOS 22.11 2023-06-01 02:56:22 -07:00
Erik Arvstedt
2e5b287bc8 test: update to NixOS 22.11 2023-06-01 02:56:22 -07:00
Erik Arvstedt
7a2c1efd5d flake: remove 32-bit systems 2023-06-01 02:56:22 -07:00
Erik Arvstedt
2156b4410d update to NixOS 22.11
This includes no pkg version updates.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
bf7dc0f27a helper/update-flake: support updating NixOS versions 2023-06-01 02:56:22 -07:00
JayDeLux
85aa6f8ede minor typo 2023-06-01 02:56:22 -07:00
Erik Arvstedt
f3fdab1d76 rtl: 0.13.1 -> 0.13.2 2023-06-01 02:56:22 -07:00
nixbitcoin
de4dccb006 joinmarket: 0.9.7 -> 0.9.8 2023-06-01 02:56:22 -07:00
Jonas Nick
bc72ad94b3 clightning: set "database-upgrade=true" for 22.11.1 2023-06-01 02:56:22 -07:00
Jonas Nick
6b7b23cd6e update nixpkgs
btcpayserver: 1.6.12 -> 1.7.1
bitcoind: 24.0 -> 24.0.1
clightning: 0.12.1 -> 22.11.1
lnd: 0.15.4-beta -> 0.15.5-beta
nbxplorer: 2.3.41 -> 2.3.49
2023-06-01 02:56:22 -07:00
Jonas Nick
de4797be1f update nixpkgs
bitcoin: 23.0 -> 24.0
bitcoind: 23.0 -> 24.0
charge-lnd: 0.2.12 -> 0.2.13
2023-06-01 02:56:22 -07:00
Erik Arvstedt
761898f380 lnd: support INADDR_ANY addresses for bitcoind.zmqpubraw*
Also use `mkDefault` when defining `bitcoind.zmqpubraw*` to simplify
overriding for users.
2023-06-01 02:56:22 -07:00
Jonas Nick
206deaf2b3 update nixpkgs
electrs: 0.9.9 -> 0.9.10
elementsd: 22.0 -> 22.0.2
extra-container: 0.10 -> 0.11
lnd: 0.15.2-beta -> 0.15.4-beta
2023-06-01 02:56:22 -07:00
Jonas Nick
c263aec335 Revert "pkgs: add lnd 0.15.4 (hotfix)"
This reverts commit 57b76d4461.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
9c61850621 clightning-replication: switch system before waiting for server sshd
This is primarily a cosmetic change.
- Increases code clarity because all system test blocks now start with `switch_to_system`
- Optimizes dependency ordering because `switch_to_system` has no
  dependency on the server sshd
2023-06-01 02:56:22 -07:00
Erik Arvstedt
45bfc181fc clightning: extract var bitcoind
Follow the default module formatting style.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
4bb95d1e29 examples/vm-config: fix syntax error 2023-06-01 02:56:22 -07:00
Erik Arvstedt
a1a27857e7 examples/minimal-vm: add lightning-cli demo command 2023-06-01 02:56:22 -07:00
Erik Arvstedt
6dd365e719 treewide: set shebang for bash scripts
These scripts previously failed when called with syscalls like
`execve` (used by, e.g., Python's `subprocess.run`) that use no default
interpreter for scripts without a shebang.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
e68cb010ba tests: define tests via flake
Advantages:
- Pure test evaluations
- The test framework can now be used by flakes that extend nix-bitcoin
- Most features of `run-tests.sh` are now accessible via `nix build`/`nix run`.
  We keep `run-tests.sh` for advanced features like `scenarioOverridesFile` and adhoc scenarios.

Other changes:
- `run-tests.sh` now builds aggregate VM tests like `basic` or
  `buildable` by creating all VMs in a single evaluation.
  This speeds up the tests and eases debugging by separating the eval and build steps.
- Use the new `nix` CLI which has improved build output logging
  by prefixing output lines with the origin drv name.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
f4f4808d59 nodeinfo: rename nodeinfoLib -> lib 2023-06-01 02:56:22 -07:00
Erik Arvstedt
32db35d1bf tests: move mkIfTest to nix-bitcoin.lib 2023-06-01 02:56:22 -07:00
Erik Arvstedt
bd5d70813f flake: expose supportedSystems 2023-06-01 02:56:22 -07:00
Erik Arvstedt
d70fc7d71b nixos-search/flake: formatting 2023-06-01 02:56:22 -07:00
Erik Arvstedt
820a71f34f flake: rename input nixpkgsUnstable -> nixpkgs-unstable
This follows common flake naming conventions.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
ab23466fb7 tests/container: don't require services.clightning to be defined 2023-06-01 02:56:22 -07:00
Erik Arvstedt
365068d763 tests/run-tests.sh: print examples before running
This eases debugging example failures.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
e2d653e7cb tests/copy-src: always copy .git dir
This is required by a later commit that introduces flakes-based test
evaluation. Evaluating local flakes needs a repo dir.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
f405a2ceda make-container.sh: improve root handling
Don't auto-switch to root when executing make-container.sh, because
auto root switching is also implemented in extra-container.

Besides simplifying the code, this is useful for a later commit that
introduces flakes-based container building.
With this change, the container is built under the regular user
instead of root, thereby utilizing the user's regular fetcher and
evaluation caches.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
6a2d4ab1d7 profiles/hardened: support pure eval mode 2023-06-01 02:56:22 -07:00
Erik Arvstedt
ada564c1ea add compatibility with Nix PR #6530 (Source tree abstraction)
Avoid adding flake resource paths to the store (via string
interpolation).
This reduces performance and can lead to modules getting imported
twice, once through a local path and once through a store path.

This might not be needed in a future Nix release, in which case we can
revert this.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
514c05ee47 tests/vmWithoutTests: poweroff on shell exit
This allows quitting the VM with Ctrl-D like in the minimal example VM.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
c12489d838 tests, example: avoid lengthy documentation build
This options manual rebuild takes 30-60s and is triggered by the extra
NixOS options defined by nix-bitcoin.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
d5e50191d6 test/shellcheck-services: add configurable source prefix
This allows using this module for services defined outside of nix-bitcoin.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
b2bae90584 bitcoind: fix rare startup error
Previously, dhcpcd and bitcoind starting up in parallel could lead to
the following error in bitcoind:
```
bitcoind: libevent: getaddrinfo: address family for nodename not supported
bitcoind: Binding RPC on address 127.0.0.1 port 8332 failed.
bitcoind: Unable to bind any endpoint for
```
After the initial failure, the bitcoind service would always restart successfully.

This race condition, where both applications were simultaneously
manipulating network resources, was only triggered under specific
hardware conditions.

Fix it by running bitcoind after dhcp has started (by running after
`network-online.target`).
This bug and the fix only affect the default NixOS scripted
networking backend.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
f874c3b563 pkgs: add lnd 0.15.4 (hotfix)
Includes an emergency hotfix:
https://github.com/lightningnetwork/lnd/releases/tag/v0.15.4-beta
2023-06-01 02:56:22 -07:00
Erik Arvstedt
b3c134c01d lnd: fix missing RPC permissions when bitcoind is pruned 2023-06-01 02:56:22 -07:00
Erik Arvstedt
29d1a6b8a8 test/shellcheck-services: fix error by excluding unavailable services 2023-06-01 02:56:22 -07:00
Erik Arvstedt
425a411e2b test/shellcheck-services: simplify accessing service definitions
This also improves performance by removing the extra module evaluation.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
5e6b560fcf tests: run flake-info in sandbox
Don't use sandboxing in Cirrus CI where namespace support is missing.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
bdb4ee0e0b revert "tests: disable nixosSearch" 2023-06-01 02:56:22 -07:00
Erik Arvstedt
d96c0a628a btcpayserver: use new option certfilepath for lnd 2023-06-01 02:56:22 -07:00
Erik Arvstedt
589860b842 Revert "pkgs: add lnd 0.15.2"
This reverts commit cf836b5d3b.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
ac4c01c374 update nixpkgs
btcpayserver: 1.6.10 -> 1.6.12
clightning: 0.12.0 -> 0.12.1
fulcrum: 1.8.1 -> 1.8.2
nbxplorer: 2.3.33 -> 2.3.41
2023-06-01 02:56:22 -07:00
Erik Arvstedt
effc1ce0a7 defaultHardening: allow syscall set_mempolicy
This syscall is safe to allow.
It's required by the dotnet runtime (btcpayserver, nbxplorer) update
introduced in the following commit.
2023-06-01 02:56:22 -07:00
Erik Arvstedt
48170b241c pkgs: add lnd 0.15.2
Includes an emergency hotfix:
https://github.com/lightningnetwork/lnd/releases/tag/v0.15.2-beta
2023-06-01 02:56:22 -07:00
Jonas Nick
5a063aff00 update nixpkgs
electrs: 0.9.7 -> 0.9.9
elementsd: 0.21.0.2 -> 22.0
fulcrum: 1.7.0 -> 1.8.1
2023-06-01 02:56:22 -07:00
Jonas Nick
b25bccbdc6 clightning-plugins: update packages 2023-06-01 02:56:22 -07:00
Greg Shuflin
9a7e5e1921 Patch to prevent chmod 2022-09-20 19:34:12 -07:00
47 changed files with 1114 additions and 338 deletions

View File

@ -27,6 +27,7 @@ task:
- scenario: default
- scenario: netns
- scenario: netnsRegtest
- scenario: trustedcoin
# This script is run as root
build_script:
- echo "sandbox = true" >> /etc/nix/nix.conf

View File

@ -79,19 +79,22 @@ NixOS modules ([src](modules/modules.nix))
* [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server
* [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced
* [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status
* [trustedcoin](https://github.com/nbd-wtf/trustedcoin) [[experimental](docs/services.md#trustedcoin-hints)]: replaces bitcoind with trusted public explorers
* [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints
* [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning
* [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md)
* [Lightning Loop](https://github.com/lightninglabs/loop)
* [Lightning Pool](https://github.com/lightninglabs/pool)
* [charge-lnd](https://github.com/accumulator/charge-lnd): policy-based channel fee manager
* [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or clightning via a REST onion service
* [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or
clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
[Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
* [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
* [spark-wallet](https://github.com/shesek/spark-wallet)
* [electrs](https://github.com/romanz/electrs)
* [fulcrum](https://github.com/cculianu/Fulcrum) (see [the module](modules/fulcrum.nix) for a comparison to electrs)
* [electrs](https://github.com/romanz/electrs): Electrum server
* [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs)
* [btcpayserver](https://github.com/btcpayserver/btcpayserver)
* [liquid](https://github.com/elementsproject/elements)
* [liquid](https://github.com/elementsproject/elements): federated sidechain
* [JoinMarket](https://github.com/joinmarket-org/joinmarket-clientserver)
* [JoinMarket Orderbook Watcher](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/docs/orderbook.md)
* [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI)
@ -99,7 +102,13 @@ NixOS modules ([src](modules/modules.nix))
* [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces
* [nodeinfo](modules/nodeinfo.nix): script which prints info about the node's services
* [backups](modules/backups.nix): duplicity backups of all your node's important files
* [operator](modules/operator.nix): adds non-root user `operator` who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
* [operator](modules/operator.nix): configures a non-root user who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
### Extension modules
Extension modules are maintained in separate repositories and have their own review
and release process.
* [Mempool](https://github.com/fort-nix/nix-bitcoin-mempool): Bitcoin visualizer, explorer and API service
Security
---

View File

@ -56,9 +56,10 @@ ls -al /var/lib/containers/nb-test
# Start a shell in the context of a service process.
# Must be run inside the container (enter with cmd `c`).
enter_service() {
local name=$1
nsenter --all -t "$(systemctl show -p MainPID --value "$name")" \
--setuid "$(id -u "$name")" --setgid "$(id -g "$name")" bash
name=$1
pid=$(systemctl show -p MainPID --value "$name")
IFS=- read -r uid gid < <(stat -c "%u-%g" "/proc/$pid")
nsenter --all -t "$pid" --setuid "$uid" --setgid "$gid" bash
}
enter_service clightning

View File

@ -9,6 +9,9 @@ with lib;
services.btcpayserver.enable = true;
test.container.exposeLocalhost = true;
# services.btcpayserver.lbtc = false;
# Required for testing interactive plugin installation
test.container.enableWAN = true;
};
# A node with internet access to test joinmarket-ob-watcher
@ -42,4 +45,34 @@ with lib;
nix-bitcoin.nodeinfo.enable = true;
# test.container.enableWAN = true;
};
wireguard-lndconnect-online = { config, pkgs, lib, ... }: {
imports = [
../modules/presets/wireguard.nix
scenarios.regtestBase
];
# 51820 (default wg port) + 1
networking.wireguard.interfaces.wg-nb.listenPort = 51821;
test.container.enableWAN = true;
# test.container.exposeLocalhost = true;
services.clightning.extraConfig = "disable-dns";
services.lnd = {
enable = true;
lndconnect = {
enable = true;
onion = true;
};
};
services.clightning-rest = {
enable = true;
lndconnect = {
enable = true;
onion = true;
};
};
nix-bitcoin.nodeinfo.enable = true;
};
}

View File

@ -0,0 +1,64 @@
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
# Test Tor and WireGuard connections on a mobile device
# 1. Run container
run-tests.sh -s wireguard-lndconnect-online container
# 2. Test connecting via Tor
# Print QR codes for lnd, clightning-rest connections via Tor
c lndconnect
c lndconnect-clightning
# Add these to Zeus >= 0.7.1.
# To explicitly check if the connection is successful, press the node logo in the top
# left corner, and then "Node Info".
# Debug
c lndconnect --url
c lndconnect-clightning --url
# 3. Test connecting via WireGuard
# 3.1 Forward WireGuard port from the container host to the container
iptables -t nat -A PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
# 3.2. Optional: When your container host has an external firewall,
# forward the WireGuard port to the container host:
# - Port: 51821
# - Protocol: UDP
# - Destination: IPv4 of the container host
# 3.2 Print QR code and setup wireguard on the mobile device
c nix-bitcoin-wg-connect
c nix-bitcoin-wg-connect --text
# Print QR codes for lnd, clightning-rest connections via WireGuard
c lndconnect-wg
c lndconnect-clightning-wg
# Add these to Zeus >= 0.7.1.
# To explicitly check if the connection is successful, press the node logo in the top
# left corner, and then "Node Info".
# Debug
c lndconnect-wg --url
c lndconnect-clightning-wg --url
# 3.3.remove external firewall port forward, remove local port forward:
iptables -t nat -D PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
# Now exit the container shell
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
# Debug lndconnect
run-tests.sh -s wireguard-lndconnect-online container
c nodeinfo
c lndconnect --url
c lndconnect-wg --url
c lndconnect-clightning --url
c lndconnect-clightning-wg --url
c lndconnect
c lndconnect-wg
c lndconnect-clightning
c lndconnect-clightning-wg

View File

@ -142,60 +142,154 @@ You can find the `<onion-address>` with command `nodeinfo`.
The default password location is `$secretsDir/rtl-password`.
See: [Secrets dir](./configuration.md#secrets-dir)
# Use LND or clightning with Zeus (mobile wallet) via Tor
1. Install [Zeus](https://zeusln.app)
# Use Zeus (mobile lightning wallet) via Tor
1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1)
2. Edit your `configuration.nix`
##### For lnd
Add the following config:
```
services.lnd.lndconnectOnion.enable = true;
```nix
services.lnd.lndconnect = {
enable = true;
onion = true;
};
```
##### For clightning
Add the following config:
```
```nix
services.clightning-rest = {
enable = true;
lndconnectOnion.enable = true;
lndconnect = {
enable = true;
onion = true;
};
};
```
3. Deploy your configuration
3. Run the following command on your node (as user `operator`) to create a QR code
4. Run the following command on your node (as user `operator`) to create a QR code
with address and authentication information:
##### For lnd
```
lndconnect-onion
lndconnect
```
##### For clightning
```
lndconnect-onion-clightning
lndconnect-clightning
```
4. Configure Zeus
- Add a new node
- Select `Scan lndconnect config` (at the bottom) and scan the QR code
- For clightning: Set `Node interface` to `c-lightning-REST`
5. Configure Zeus
- Add a new node and scan the QR code
- Click `Save node config`
- Start sending and stacking sats privately
### Additional lndconnect features
Create plain text URLs or QR code images:
- Create a plain text URL:
```bash
lndconnect --url
```
lndconnect-onion --url
lndconnect-onion --image
- Set a custom host. By default, `lndconnect` detects the system's external IP and uses it as the host.
```bash
lndconnect --host myhost
```
# Use Zeus (mobile lightning wallet) via WireGuard
Connecting Zeus directly to your node is much faster than using Tor, but a bit more complex to setup.
There are two ways to establish a secure, direct connection:
- Connecting via TLS. This requires installing your lightning app's
TLS Certificate on your mobile device.
- Connecting via WireGuard. This approach is simpler and more versatile, and is
described in this guide.
1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1) and
[WireGuard](https://www.wireguard.com/install/) on your mobile device.
2. Add the following to your `configuration.nix`:
```nix
imports = [
# Use this line when using the default deployment method
<nix-bitcoin/modules/presets/wireguard.nix>
# Use this line when using Flakes
(nix-bitcoin + /modules/presets/wireguard.nix)
]
# For lnd
services.lnd.lndconnect.enable = true;
# For clightning
services.clightning-rest = {
enable = true;
lndconnect.enable = true;
};
```
3. Deploy your configuration.
4. If your node is behind an external firewall or NAT, add the following port forwarding
rule to the external device:
- Port: 51820 (the default value of option `networking.wireguard.interfaces.wg-nb.listenPort`)
- Protocol: UDP
- Destination: IP of your node
5. Setup WireGuard on your mobile device.
Run the following command on your node (as user `operator`) to create a QR code
for WireGuard:
```bash
nix-bitcoin-wg-connect
# For debugging: Show the WireGuard config as text
nix-bitcoin-wg-connect --text
```
The above commands automatically detect your node's external IP.\
To set a custom IP or hostname, run the following:
```
nix-bitcoin-wg-connect 93.184.216.34
nix-bitcoin-wg-connect mynode.org
```
Configure WireGuard:
- Press the `+` button in the bottom right corner
- Scan the QR code
- Add the tunnel
6. Setup Zeus
Run the following command on your node (as user `operator`) to create a QR code for Zeus:
##### For lnd
```
lndconnect-wg
```
##### For clightning
```
lndconnect-clightning-wg
```
Configure Zeus:
- Add a new node and scan the QR code
- Click `Save node config`
- On the certificate warning screen, click `I understand, save node config`.\
Certificates are not needed when connecting via WireGuard.
- Start sending and stacking sats privately
### Additional lndconnect features
Create a plain text URL:
```bash
lndconnect-wg --url
``````
Create a QR code for a custom hostname:
```
lndconnect-onion --host=mynode.org
```
# Connect to spark-wallet
### Requirements
@ -527,3 +621,27 @@ services.clightning = {
```
Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options.
### Trustedcoin hints
The [trustedcoin](https://github.com/nbd-wtf/trustedcoin) plugin use a Tor
proxy for all of its external connections by default. That's why you can
sometimes face issues with your connections to esploras getting blocked.
An example of clightning log error output in a case your connections are getting blocked:
```
lightningd[5138]: plugin-trustedcoin estimatefees error: https://blockstream.info/api error: 403 Forbidden
```
```
lightningd[4933]: plugin-trustedcoin getblock error: got something that isn't a block hash: <html><head>
lightningd[4933]: <meta http-equiv="content-type" content="text/html;
```
If you face these issues and you still need to use trustedcoin, use can disable
clightning's tor hardening by setting this option in your `configuration.nix`
file:
```
services.clightning.tor.enforce = false;
```

View File

@ -56,13 +56,18 @@
#
# == REST server
# Set this to create a clightning REST onion service.
# This also adds binary `lndconnect-onion-clightning` to the system environment.
# This also adds binary `lndconnect-clightning` to the system environment.
# This binary creates QR codes or URLs for connecting applications to clightning
# via the REST onion service (see ../docs/services.md).
# via the REST onion service.
# You can also connect via WireGuard instead of Tor.
# See ../docs/services.md for details.
#
# services.clightning-rest = {
# enable = true;
# lndconnectOnion.enable = true;
# lndconnect = {
# enable = true;
# onion = true;
# };
# };
### LND
@ -78,11 +83,17 @@
# The onion service is automatically announced to peers.
# nix-bitcoin.onionServices.lnd.public = true;
#
# Set this to create an lnd REST onion service.
# This also adds binary `lndconnect-onion` to the system environment.
# Set this to create a lnd REST onion service.
# This also adds binary `lndconnect` to the system environment.
# This binary generates QR codes or URLs for connecting applications to lnd via the
# REST onion service (see ../docs/services.md).
# services.lnd.lndconnectOnion.enable = true;
# REST onion service.
# You can also connect via WireGuard instead of Tor.
# See ../docs/services.md for details.
#
# services.lnd.lndconnect = {
# enable = true;
# onion = true;
# };
#
## WARNING
# If you use lnd, you should manually backup your wallet mnemonic

View File

@ -10,11 +10,11 @@
]
},
"locked": {
"lastModified": 1671802034,
"narHash": "sha256-mkv2u5nQJEV3KlWiopkt/gMz0OM4nmEXSfzkSw6welQ=",
"lastModified": 1679648217,
"narHash": "sha256-aq2J5Hj5IE8X8X/7v3n0wcv8n+FLzzENbcCF9xqhxAc=",
"owner": "erikarvstedt",
"repo": "extra-container",
"rev": "e34f0cca15f6f0f2e598dad0b329196d0dab6d4f",
"rev": "40c73f5e3292e73d6ce91625d9751be84fde17cb",
"type": "github"
},
"original": {
@ -24,12 +24,15 @@
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
@ -40,11 +43,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1674407282,
"narHash": "sha256-2qwc8mrPINSFdWffPK+ji6nQ9aGnnZyHSItVcYDZDlk=",
"lastModified": 1683207485,
"narHash": "sha256-gs+PHt/y/XQB7S8+YyBLAM8LjgYpPZUVFQBwpFSmJro=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "ab1254087f4cdf4af74b552d7fc95175d9bdbb49",
"rev": "cc45a3f8c98e1c33ca996e3504adefbf660a72d1",
"type": "github"
},
"original": {
@ -56,11 +59,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1674487464,
"narHash": "sha256-Jgq50e4S4JVCYpWLqrabBzDp/1mfaxHCh8/OOorHTy0=",
"lastModified": 1683353485,
"narHash": "sha256-Skp5El3egmoXPiINWjnoW0ktVfB7PR/xc4F4bhD+BJY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3954218cf613eba8e0dcefa9abe337d26bc48fd0",
"rev": "caf436a52b25164b71e0d48b671127ac2e2a5b75",
"type": "github"
},
"original": {
@ -77,6 +80,21 @@
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

Binary file not shown.

View File

@ -427,7 +427,8 @@ in {
ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
Restart = "on-failure";
UMask = mkIf cfg.dataDirReadableByGroup "0027";
ReadWritePaths = [ cfg.dataDir ];
#ReadWritePaths = [ cfg.dataDir ];
ReadWritePaths = [ "/dummy" ];
} // nbLib.allowedIPAddresses cfg.tor.enforce
// optionalAttrs zmqServerEnabled nbLib.allowNetlink;
};

View File

@ -236,11 +236,16 @@ in {
--datadir='${cfg.btcpayserver.dataDir}'
'';
User = cfg.btcpayserver.user;
Restart = "on-failure";
RestartSec = "10s";
# Also restart after the program has exited successfully.
# This is required to support restarting from the web interface after
# interactive plugin installation.
# Restart rate limiting is implemented via the `startLimit*` options below.
Restart = "always";
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
startLimitIntervalSec = 30;
startLimitBurst = 10;
}; in self;
users.users.${cfg.nbxplorer.user} = {

View File

@ -17,6 +17,7 @@ in {
./feeadjuster.nix
./prometheus.nix
./summary.nix
./trustedcoin.nix
./zmq.nix
];

View File

@ -0,0 +1,28 @@
{ config, lib, pkgs, ... }:
with lib;
let cfg = config.services.clightning.plugins.trustedcoin; in
{
options.services.clightning.plugins.trustedcoin = {
enable = mkEnableOption "Trustedcoin (clightning plugin)";
package = mkOption {
type = types.package;
default = config.nix-bitcoin.pkgs.trustedcoin;
defaultText = "config.nix-bitcoin.pkgs.trustedcoin";
description = mdDoc "The package providing trustedcoin binaries.";
};
};
config = mkIf cfg.enable {
services.clightning.extraConfig = ''
plugin=${cfg.package}/bin/trustedcoin
disable-plugin=bcli
'';
# Trustedcoin does not honor the clightning's proxy configuration.
# Ref.: https://github.com/nbd-wtf/trustedcoin/pull/19
systemd.services.clightning.environment = mkIf (config.services.clightning.proxy != null) {
HTTPS_PROXY = "socks5://${config.services.clightning.proxy}";
};
};
}

View File

@ -107,13 +107,15 @@ let
network = bitcoind.makeNetworkName "bitcoin" "regtest";
configFile = pkgs.writeText "config" ''
network=${network}
bitcoin-datadir=${bitcoind.dataDir}
${optionalString (!cfg.plugins.trustedcoin.enable) "bitcoin-datadir=${bitcoind.dataDir}"}
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
always-use-proxy=${boolToString cfg.always-use-proxy}
bind-addr=${cfg.address}:${toString cfg.port}
bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address}
bitcoin-rpcport=${toString bitcoind.rpc.port}
bitcoin-rpcuser=${bitcoind.rpc.users.public.name}
rpc-file-mode=0660
log-timestamps=false
${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"}
@ -161,6 +163,7 @@ in {
{
cat ${configFile}
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)"
${optionalString (cfg.getPublicAddressCmd != "") ''
echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}"
''}

View File

@ -61,10 +61,9 @@ in {
listenWhitelisted = true;
};
# Commented out to allow nfs mounts
# systemd.tmpfiles.rules = [
# "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
# ];
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
];
systemd.services.electrs = {
wantedBy = [ "multi-user.target" ];

View File

@ -158,7 +158,7 @@ let
onion_serving_host = ${cfg.messagingAddress}
onion_serving_port = ${toString cfg.messagingPort}
hidden_service_dir =
directory_nodes = 3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,jmdirjmioywe2s5jad7ts6kgcqg66rj6wujj6q77n6wbdrgocqwexzid.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
directory_nodes = g3hv4uynnmynqqq2mchf3fcm3yd46kfzmcdogejuckgwknwyq5ya6iad.onion:5222,3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
# irc.darkscience.net
[MESSAGING:server1]

View File

@ -1,126 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
options = {
services.lnd.lndconnectOnion.enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Create an onion service for the lnd REST server.
Add a `lndconnect-onion` binary to the system environment.
See: https://github.com/LN-Zap/lndconnect
Usage:
```bash
# Print QR code
lndconnect-onion
# Print URL
lndconnect-onion --url
```
'';
};
services.clightning-rest.lndconnectOnion.enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Create an onion service for clightning-rest.
Add a `lndconnect-onion-clightning` binary to the system environment.
See: https://github.com/LN-Zap/lndconnect
Usage:
```bash
# Print QR code
lndconnect-onion-clightning
# Print URL
lndconnect-onion-clightning --url
```
'';
};
};
nbLib = config.nix-bitcoin.lib;
runAsUser = config.nix-bitcoin.runAsUserCmd;
inherit (config.services)
lnd
clightning
clightning-rest;
mkLndconnect = {
name,
shebang ? "#!${pkgs.stdenv.shell} -e",
onionService,
port,
certPath,
macaroonPath
}:
# TODO-EXTERNAL:
# lndconnect requires a --configfile argument, although it's unused
# https://github.com/LN-Zap/lndconnect/issues/25
pkgs.writeScriptBin name ''
${shebang}
exec ${config.nix-bitcoin.pkgs.lndconnect}/bin/lndconnect \
--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService}) \
--port=${toString port} \
--tlscertpath='${certPath}' \
--adminmacaroonpath='${macaroonPath}' \
--configfile=/dev/null "$@"
'';
operatorName = config.nix-bitcoin.operator.name;
in {
inherit options;
config = mkMerge [
(mkIf (lnd.enable && lnd.lndconnectOnion.enable) {
services.tor = {
enable = true;
relay.onionServices.lnd-rest = nbLib.mkOnionService {
target.addr = nbLib.address lnd.restAddress;
target.port = lnd.restPort;
port = lnd.restPort;
};
};
nix-bitcoin.onionAddresses.access.${lnd.user} = [ "lnd-rest" ];
environment.systemPackages = [(
mkLndconnect {
name = "lndconnect-onion";
# Run as lnd user because the macaroon and cert are not group-readable
shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
onionService = "${lnd.user}/lnd-rest";
port = lnd.restPort;
certPath = lnd.certPath;
macaroonPath = "${lnd.networkDir}/admin.macaroon";
}
)];
})
(mkIf (clightning-rest.enable && clightning-rest.lndconnectOnion.enable) {
services.tor = {
enable = true;
relay.onionServices.clightning-rest = nbLib.mkOnionService {
target.addr = nbLib.address clightning-rest.address;
target.port = clightning-rest.port;
port = clightning-rest.port;
};
};
# This also allows nodeinfo to show the clightning-rest onion address
nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
environment.systemPackages = [(
mkLndconnect {
name = "lndconnect-onion-clightning";
onionService = "${operatorName}/clightning-rest";
port = clightning-rest.port;
certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
}
)];
})
];
}

205
modules/lndconnect.nix Normal file
View File

@ -0,0 +1,205 @@
{ config, lib, pkgs, ... }:
with lib;
let
options = {
services.lnd.lndconnect = {
enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Add a `lndconnect` binary to the system environment which prints
connection info for lnd clients.
See: https://github.com/LN-Zap/lndconnect
Usage:
```bash
# Print QR code
lndconnect
# Print URL
lndconnect --url
```
'';
};
onion = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Create an onion service for the lnd REST server,
which is used by lndconnect.
'';
};
};
services.clightning-rest.lndconnect = {
enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Add a `lndconnect-clightning` binary to the system environment which prints
connection info for clightning clients.
See: https://github.com/LN-Zap/lndconnect
Usage:
```bash
# Print QR code
lndconnect-clightning
# Print URL
lndconnect-clightning --url
```
'';
};
onion = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Create an onion service for the clightning REST server,
which is used by lndconnect.
'';
};
};
nix-bitcoin.mkLndconnect = mkOption {
readOnly = true;
default = mkLndconnect;
description = mdDoc ''
A function to create a lndconnect binary.
See the source for further details.
'';
};
};
nbLib = config.nix-bitcoin.lib;
runAsUser = config.nix-bitcoin.runAsUserCmd;
inherit (config.services)
lnd
clightning-rest;
mkLndconnect = {
name,
shebang ? "#!${pkgs.stdenv.shell} -e",
isClightning ? false,
port,
macaroonPath,
enableOnion,
onionService ? null,
certPath ? null
}:
# TODO-EXTERNAL:
# lndconnect requires a --configfile argument, although it's unused
# https://github.com/LN-Zap/lndconnect/issues/25
pkgs.hiPrio (pkgs.writeScriptBin name ''
${shebang}
url=$(
${getExe config.nix-bitcoin.pkgs.lndconnect} --url \
${optionalString enableOnion "--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService})"} \
--port=${toString port} \
${if enableOnion || certPath == null then "--nocert" else "--tlscertpath='${certPath}'"} \
--adminmacaroonpath='${macaroonPath}' \
--configfile=/dev/null "$@"
)
${optionalString isClightning
# - Change URL procotcol to c-lightning-rest
# - Encode macaroon as hex (in uppercase) instead of base 64.
# Because `macaroon` is always the last URL fragment, the
# sed replacement below works correctly.
''
macaroonHex=$(${getExe pkgs.xxd} -p -u -c 99999 '${macaroonPath}')
url=$(
echo "$url" | ${getExe pkgs.gnused} "
s|^lndconnect|c-lightning-rest|
s|macaroon=.*|macaroon=$macaroonHex|
";
)
''
}
# If --url is in args
if [[ " $* " =~ " --url " ]]; then
echo "$url"
else
# This UTF-8 encoding yields a smaller, more convenient output format
# compared to the native lndconnect output
echo -n "$url" | ${getExe pkgs.qrencode} -t UTF8 -o -
fi
'');
operatorName = config.nix-bitcoin.operator.name;
in {
inherit options;
config = mkMerge [
(mkIf (lnd.enable && lnd.lndconnect.enable)
(mkMerge [
{
environment.systemPackages = [(
mkLndconnect {
name = "lndconnect";
# Run as lnd user because the macaroon and cert are not group-readable
shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
enableOnion = lnd.lndconnect.onion;
onionService = "${lnd.user}/lnd-rest";
port = lnd.restPort;
certPath = lnd.certPath;
macaroonPath = "${lnd.networkDir}/admin.macaroon";
}
)];
services.lnd.restAddress = mkIf (!lnd.lndconnect.onion) "0.0.0.0";
}
(mkIf lnd.lndconnect.onion {
services.tor = {
enable = true;
relay.onionServices.lnd-rest = nbLib.mkOnionService {
target.addr = nbLib.address lnd.restAddress;
target.port = lnd.restPort;
port = lnd.restPort;
};
};
nix-bitcoin.onionAddresses.access = {
${lnd.user} = [ "lnd-rest" ];
${operatorName} = [ "lnd-rest" ];
};
})
]))
(mkIf (clightning-rest.enable && clightning-rest.lndconnect.enable)
(mkMerge [
{
environment.systemPackages = [(
mkLndconnect {
name = "lndconnect-clightning";
isClightning = true;
enableOnion = clightning-rest.lndconnect.onion;
onionService = "${operatorName}/clightning-rest";
port = clightning-rest.port;
certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
}
)];
# clightning-rest always binds to all interfaces
}
(mkIf clightning-rest.lndconnect.onion {
services.tor = {
enable = true;
relay.onionServices.clightning-rest = nbLib.mkOnionService {
target.addr = nbLib.address clightning-rest.address;
target.port = clightning-rest.port;
port = clightning-rest.port;
};
};
# This also allows nodeinfo to show the clightning-rest onion address
nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
})
])
)
];
}

View File

@ -19,7 +19,7 @@
./lightning-loop.nix
./lightning-pool.nix
./charge-lnd.nix
./lndconnect-onion.nix # Requires onion-addresses.nix
./lndconnect.nix # Requires onion-addresses.nix
./rtl.nix
./electrs.nix
./fulcrum.nix

View File

@ -63,7 +63,7 @@ let
infos = OrderedDict()
operator = "${config.nix-bitcoin.operator.name}"
def set_onion_address(info, name, port):
def get_onion_address(name, port):
path = f"/var/lib/onion-addresses/{operator}/{name}"
try:
with open(path, "r") as f:
@ -71,7 +71,7 @@ let
except OSError:
print(f"error reading file {path}", file=sys.stderr)
return
info["onion_address"] = f"{onion_address}:{port}"
return f"{onion_address}:{port}"
def add_service(service, make_info, systemd_service = None):
systemd_service = systemd_service or service
@ -106,7 +106,7 @@ let
add_service("${name}", """
info["local_address"] = "${nbLib.addressWithPort cfg.address cfg.port}"
'' + mkIfOnionPort name (onionPort: ''
set_onion_address(info, "${name}", ${onionPort})
info["onion_address"] = get_onion_address("${name}", ${onionPort})
'') + extraCode + ''
""", "${systemdServiceName}")
@ -123,8 +123,10 @@ let
in {
inherit options;
config = {
environment.systemPackages = optional cfg.enable script;
config = mkIf cfg.enable {
environment.systemPackages = [ script ];
nix-bitcoin.operator.enable = true;
nix-bitcoin.nodeinfo.services = with nodeinfoLib; {
bitcoind = mkInfo "";
@ -133,9 +135,13 @@ in {
if 'onion_address' in info:
info["id"] = f"{info['nodeid']}@{info['onion_address']}"
'';
lnd = mkInfo ''
lnd = name: cfg: mkInfo (''
info["rest_address"] = "${nbLib.addressWithPort cfg.restAddress cfg.restPort}"
'' + mkIfOnionPort "lnd-rest" (onionPort: ''
info["onion_rest_address"] = get_onion_address("lnd-rest", ${onionPort})
'') + ''
info["nodeid"] = shell("lncli getinfo | jq -r '.identity_pubkey'")
'';
'') name cfg;
clightning-rest = mkInfo "";
electrs = mkInfo "";
fulcrum = mkInfo "";
@ -146,7 +152,7 @@ in {
rtl = mkInfo "";
# Only add sshd when it has an onion service
sshd = name: cfg: mkIfOnionPort "sshd" (onionPort: ''
add_service("sshd", """set_onion_address(info, "sshd", ${onionPort})""")
add_service("sshd", """info["onion_address"] = get_onion_address("sshd", ${onionPort})""")
'');
};
};

View File

@ -33,7 +33,6 @@ in {
(mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ])
# 0.0.70
(mkRenamedOptionModule [ "services" "rtl" "cl-rest" ] [ "services" "clightning-rest" ])
(mkRenamedOptionModule [ "services" "lnd" "restOnionService" "enable" ] [ "services" "lnd" "lndconnectOnion" "enable" ])
(mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ])
@ -46,6 +45,28 @@ in {
bitcoin peer connections for syncing blocks. This performs well on low and high
memory systems.
'')
# 0.0.86
(mkRemovedOptionModule [ "services" "lnd" "restOnionService" "enable" ] ''
Set the following options instead:
services.lnd.lndconnect = {
enable = true;
onion = true;
}
'')
(mkRemovedOptionModule [ "services" "lnd" "lndconnectOnion" ] ''
Set the following options instead:
services.lnd.lndconnect = {
enable = true;
onion = true;
}
'')
(mkRemovedOptionModule [ "services" "clightning-rest" "lndconnectOnion" ] ''
Set the following options instead:
services.clightning-rest.lndconnect = {
enable = true;
onion = true;
}
'')
] ++
# 0.0.59
(map mkSplitEnforceTorOption [

View File

@ -0,0 +1,214 @@
{ config, pkgs, lib, ... }:
# Create a WireGuard server with a single peer.
# Private/public keys are created via the secrets system.
# Add helper binaries `nix-bitcoin-wg-connect` and optionally `lndconnect-wg`, `lndconnect-clightning-wg`.
# See ../../docs/services.md ("Use Zeus (mobile lightning wallet) via WireGuard")
# for usage instructions.
# This is a rather opinionated implementation that lacks the flexibility offered by
# other nix-bitcoin modules, so ship this as a `preset`.
# Some users will prefer to use `lndconnect` with their existing WireGuard or Tailscale setup.
with lib;
let
options.nix-bitcoin.wireguard = {
subnet = mkOption {
type = types.str;
default = "10.10.0";
description = mdDoc "The /24 subnet of the wireguard network.";
};
restrictPeer = mkOption {
type = types.bool;
default = true;
description = mdDoc ''
Prevent the peer from connecting to any addresses except for the WireGuard server address.
'';
};
};
cfg = config.nix-bitcoin.wireguard;
wgSubnet = cfg.subnet;
inherit (config.networking.wireguard.interfaces) wg-nb;
inherit (config.services)
lnd
clightning-rest;
lndconnect = lnd.enable && lnd.lndconnect.enable;
lndconnect-clightning = clightning-rest.enable && clightning-rest.lndconnect.enable;
serverAddress = "${wgSubnet}.1";
peerAddress = "${wgSubnet}.2";
secretsDir = config.nix-bitcoin.secretsDir;
wgConnectUser = if config.nix-bitcoin.operator.enable
then config.nix-bitcoin.operator.name
else "root";
# A script that prints a QR code to connect a peer to the server.
# The QR code encodes a wg-quick config that can be imported by the wireguard
# mobile app.
wgConnect = pkgs.writers.writeBashBin "nix-bitcoin-wg-connect" ''
set -euo pipefail
text=
host=
for arg in "$@"; do
case $arg in
--text)
text=1
;;
*)
host=$arg
;;
esac
done
if [[ ! $host ]]; then
# Use lndconnect to fetch the external ip.
# This internally uses https://github.com/GlenDC/go-external-ip, which
# queries a set of external ip providers.
host=$(
${getExe config.nix-bitcoin.pkgs.lndconnect} --url --nocert \
--configfile=/dev/null --adminmacaroonpath=/dev/null \
| sed -nE 's|.*?/(.*?):.*|\1|p'
)
fi
config="[Interface]
PrivateKey = $(cat ${secretsDir}/wg-peer-private-key)
Address = ${peerAddress}/24
[Peer]
PublicKey = $(cat ${secretsDir}/wg-server-public-key)
AllowedIPs = ${wgSubnet}.0/24
Endpoint = $host:${toString wg-nb.listenPort}
PersistentKeepalive = 25
"
if [[ $text ]]; then
echo "$config"
else
echo "$config" | ${getExe pkgs.qrencode} -t UTF8 -o -
fi
'';
in {
inherit options;
config = {
assertions = [
{
# Don't support `netns-isolation` for now to keep things simple
assertion = !(config.nix-bitcoin.netns-isolation.enable or false);
message = "`nix-bitcoin.wireguard` is not compatible with `netns-isolation`.";
}
];
networking.wireguard.interfaces.wg-nb = {
ips = [ "${serverAddress}/24" ];
listenPort = mkDefault 51820;
privateKeyFile = "${secretsDir}/wg-server-private-key";
allowedIPsAsRoutes = false;
peers = [
{
# To use the actual public key from the secrets file, use dummy pubkey
# `peer0` and replace it via `getPubkeyFromFile` (see further below)
# at peer service runtime.
publicKey = "peer0";
allowedIPs = [ "${peerAddress}/32" ];
}
];
};
systemd.services = {
wireguard-wg-nb = rec {
wants = [ "nix-bitcoin-secrets.target" ];
after = wants;
};
# HACK: Modify start/stop scripts of the peer setup service to read
# the pubkey from a secrets file.
wireguard-wg-nb-peer-peer0 = let
getPubkeyFromFile = mkBefore ''
if [[ ! -v inPatchedSrc ]]; then
export inPatchedSrc=1
publicKey=$(cat "${secretsDir}/wg-peer-public-key")
<"''${BASH_SOURCE[0]}" sed "s|\bpeer0\b|$publicKey|g" | ${pkgs.bash}/bin/bash -s
exit
fi
'';
in {
script = getPubkeyFromFile;
postStop = getPubkeyFromFile;
};
};
environment.systemPackages = [
wgConnect
] ++ (optional lndconnect
(pkgs.writers.writeBashBin "lndconnect-wg" ''
exec lndconnect --host "${serverAddress}" --nocert "$@"
'')
) ++ (optional lndconnect-clightning
(pkgs.writers.writeBashBin "lndconnect-clightning-wg" ''
exec lndconnect-clightning --host "${serverAddress}" --nocert "$@"
'')
);
networking.firewall = let
restrictPeerRule = "-s ${peerAddress} ! -d ${serverAddress} -j REJECT";
in {
allowedUDPPorts = [ wg-nb.listenPort ];
extraCommands =
optionalString lndconnect ''
iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString lnd.restPort} -j nixos-fw-accept
''
+ optionalString lndconnect-clightning ''
iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString clightning-rest.port} -j nixos-fw-accept
''
+ optionalString cfg.restrictPeer ''
iptables -w -A nixos-fw ${restrictPeerRule}
iptables -w -A FORWARD ${restrictPeerRule}
'';
extraStopCommands =
# Rules added to chain `nixos-fw` are automatically removed when restarting
# the NixOS firewall service.
mkIf cfg.restrictPeer ''
iptables -w -D FORWARD ${restrictPeerRule} || :
'';
};
# Listen on all addresses, including `serverAddress`.
# This is safe because the listen ports are secured by the firewall.
services.lnd.restAddress = mkIf lndconnect "0.0.0.0";
# clightning-rest always listens on "0.0.0.0"
nix-bitcoin.secrets = {
wg-server-private-key = {};
wg-server-public-key = { user = wgConnectUser; group = "root"; };
wg-peer-private-key = { user = wgConnectUser; group = "root"; };
wg-peer-public-key = {};
};
nix-bitcoin.generateSecretsCmds.wireguard = let
wg = "${pkgs.wireguard-tools}/bin/wg";
in ''
makeWireguardKey() {
local name=$1
local priv=wg-$name-private-key
local pub=wg-$name-public-key
if [[ ! -e $priv ]]; then
${wg} genkey > $priv
fi
if [[ $priv -nt $pub ]]; then
${wg} pubkey < $priv > $pub
fi
}
makeWireguardKey server
makeWireguardKey peer
'';
};
}

View File

@ -191,6 +191,7 @@ in {
optional cfg.nodes.lnd.enable "lnd.service";
after = requires;
environment.RTL_CONFIG_PATH = cfg.dataDir;
environment.DB_DIRECTORY_PATH = cfg.dataDir;
serviceConfig = nbLib.defaultHardening // {
ExecStartPre = [
(nbLib.script "rtl-setup-config" ''

View File

@ -228,7 +228,7 @@ let
version = "0.0.70";
condition = config.services.lnd.lndconnectOnion.enable;
message = ''
The `lndconnect-rest-onion` binary has been renamed to `lndconnect-onion`.
The `lndconnect-rest-onion` binary has been renamed to `lndconnect`.
'';
}
{

View File

@ -32,7 +32,7 @@ let
extraPkgs = [ prometheus_client ];
patchRequirements =
"--replace prometheus-client==0.6.0 prometheus-client==0.15.0"
+ " --replace pyln-client~=0.9.3 pyln-client~=22.11rc1";
+ " --replace pyln-client~=0.9.3 pyln-client~=23.02";
};
rebalance = {
description = "Keeps your channels balanced";

View File

@ -20,6 +20,12 @@ let self = {
# The secp256k1 version used by joinmarket
secp256k1 = pkgs.callPackage ./secp256k1 { };
spark-wallet = pkgs.callPackage ./spark-wallet { };
trustedcoin = pkgs.callPackage ./trustedcoin { };
# TODO-EXTERNAL:
# Remove this when https://github.com/lightningnetwork/lnd/pull/7672
# has been resolved
lnd = pkgsUnstable.callPackage ./lnd { };
pyPkgs = import ./python-packages self pkgs.python3;
inherit (self.pyPkgs)

View File

@ -1,10 +1,12 @@
{ stdenv, lib, fetchurl, python3, nbPython3PackagesJoinmarket }:
{ stdenv, lib, fetchFromGitHub, python3, nbPython3PackagesJoinmarket }:
let
version = "0.9.8";
src = fetchurl {
url = "https://github.com/JoinMarket-Org/joinmarket-clientserver/archive/v${version}.tar.gz";
sha256 = "1ab4smpyx966iiiip3g11bcslya37qhac1kgkbmsmlsdkpilw9di";
version = "0.9.9";
src = fetchFromGitHub {
owner = "joinmarket-org";
repo = "joinmarket-clientserver";
rev = "v${version}";
sha256 = "sha256-dkeSgAhjNl8o/ATKYAlQxxCrur5fLdXuMDXSnWaxYP8=";
};
runtimePackages = with nbPython3PackagesJoinmarket; [

View File

@ -1,25 +1,23 @@
#!/usr/bin/env bash
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p git gnupg jq
set -euo pipefail
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg" "$@"
newVersion=$(curl -s "https://api.github.com/repos/joinmarket-org/joinmarket-clientserver/releases" | jq -r '.[0].tag_name')
TMPDIR="$(mktemp -d -p /tmp)"
trap 'rm -rf $TMPDIR' EXIT
cd "$TMPDIR"
echo "Fetching latest release"
git clone https://github.com/joinmarket-org/joinmarket-clientserver 2> /dev/null
cd joinmarket-clientserver
latest=$(git describe --tags "$(git rev-list --tags --max-count=1)")
echo "Latest release is $latest"
# GPG verification
export GNUPGHOME=$TMPDIR
# Fetch release and GPG-verify the content hash
tmpdir=$(mktemp -d /tmp/joinmarket-verify-gpg.XXX)
repo=$tmpdir/repo
git clone --depth 1 --branch "${newVersion}" -c advice.detachedHead=false https://github.com/joinmarket-org/joinmarket-clientserver "$repo"
export GNUPGHOME=$tmpdir
echo "Fetching Adam Gibson's key"
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null
echo "Verifying latest release"
git verify-tag "$latest"
echo
echo "Verifying commit"
git -C "$repo" verify-commit HEAD
rm -rf "$repo"/.git
newHash=$(nix hash path "$repo")
rm -rf "$tmpdir"
echo
echo "tag: $latest"
# The prefix option is necessary because GitHub prefixes the archive contents in this format
echo "sha256: $(nix-hash --type sha256 --flat --base32 \
<(git archive --format tar.gz --prefix=joinmarket-clientserver-"${latest//v}"/ "$latest"))"
echo "tag: $newVersion"
echo "hash: $newHash"

12
pkgs/lnd/default.nix Normal file
View File

@ -0,0 +1,12 @@
{ lnd, fetchpatch }:
lnd.overrideAttrs (_: {
patches = [
(fetchpatch {
# https://github.com/lightningnetwork/lnd/pull/7672
name = "fix-PKCS8-cert-key-support";
url = "https://github.com/lightningnetwork/lnd/commit/bfdd5db0d97a6d65489d980a917bbd2243dfe15c.patch";
hash = "sha256-j9EirxyNi48DGzLuHcZ36LrFlbJLXrE8L+1TYh5Yznk=";
})
];
})

View File

@ -4,21 +4,20 @@ pkgs: pkgsUnstable:
inherit (pkgs)
bitcoin
bitcoind
elementsd
extra-container
lightning-loop
lightning-pool
lndconnect
nbxplorer;
lndconnect;
inherit (pkgsUnstable)
btcpayserver
charge-lnd
clightning
electrs
elementsd
fulcrum
hwi
lnd;
lightning-loop
nbxplorer;
inherit pkgs pkgsUnstable;
}

View File

@ -2,11 +2,11 @@
buildPythonPackage rec {
pname = "bencoder.pyx";
version = "2.0.1";
version = "3.0.1";
src = fetchurl {
url = "https://github.com/whtsky/bencoder.pyx/archive/v${version}.tar.gz";
sha256 = "f3ff92ac706a7e4692bed5e6cbe205963327f3076f55e408eb948659923eac72";
url = "https://github.com/whtsky/bencoder.pyx/archive/9a47768f3ceba9df9e6fbaa7c445f59960889009.tar.gz";
sha256 = "1yh565xjbbhn49xjfms80ac8psjbzn66n8dcx0x8mn7zzjv06clz";
};
nativeBuildInputs = [ cython ];

View File

@ -22,7 +22,6 @@ rec {
};
runes = callPackage ./runes {};
sha256 = callPackage ./sha256 {};
urldecode = callPackage ./urldecode {};
};
# Joinmarket requires a custom package set because it uses older versions of Python pkgs
@ -47,12 +46,10 @@ rec {
# autobahn 20.12.3, required by joinmarketclient
autobahn = callPackage ./specific-versions/autobahn.nix {};
# pyopenssl 20.0.1, required by joinmarketdaemon
pyopenssl = callPackage ./specific-versions/pyopenssl.nix {
openssl = super.pkgs.openssl_1_1;
};
# pyopenssl 21.0.0, required by joinmarketdaemon
pyopenssl = callPackage ./specific-versions/pyopenssl.nix {};
# twisted 22.4.0, compatible with pyopenssl 20.0.1
# twisted 22.4.0, required by joinmarketbase
twisted = callPackage ./specific-versions/twisted.nix {};
};

View File

@ -1,4 +1,4 @@
{ version, src, lib, buildPythonPackage, fetchurl, urldecode, pyaes, python-bitcointx, joinmarketbase }:
{ version, src, lib, buildPythonPackage, fetchurl, pyaes, python-bitcointx, joinmarketbase }:
buildPythonPackage rec {
pname = "joinmarketbitcoin";
@ -6,7 +6,7 @@ buildPythonPackage rec {
postUnpack = "sourceRoot=$sourceRoot/jmbitcoin";
propagatedBuildInputs = [ urldecode pyaes python-bitcointx ];
propagatedBuildInputs = [ pyaes python-bitcointx ];
checkInputs = [ joinmarketbase ];

View File

@ -8,6 +8,12 @@ buildPythonPackage rec {
propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ];
# libnacl 1.8.0 is not on github
patchPhase = ''
substituteInPlace setup.py \
--replace "'libnacl==1.8.0'" "'libnacl==1.7.2'"
'';
meta = with lib; {
description = "Client library for Bitcoin coinjoins";
homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";

View File

@ -6,17 +6,50 @@
, cryptography
, pyasn1
, idna
, pytest
, pytestCheckHook
, pretend
, flaky
, glibcLocales
, six
}:
let
buildPythonPackage rec {
pname = "pyopenssl";
version = "21.0.0";
src = fetchPypi {
pname = "pyOpenSSL";
inherit version;
sha256 = "5e2d8c5e46d0d865ae933bef5230090bdaf5506281e9eec60fa250ee80600cb3";
};
outputs = [ "out" "dev" ];
# Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
# for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
doCheck = !stdenv.isDarwin;
nativeBuildInputs = [ openssl ];
propagatedBuildInputs = [ cryptography pyasn1 idna six ];
checkInputs = [ pytestCheckHook pretend flaky glibcLocales ];
preCheck = ''
export LANG="en_US.UTF-8"
'';
disabledTests = [
# https://github.com/pyca/pyopenssl/issues/692
# These tests, we disable always.
"test_set_default_verify_paths"
"test_fallback_default_verify_paths"
# https://github.com/pyca/pyopenssl/issues/768
"test_wantWriteError"
# https://github.com/pyca/pyopenssl/issues/1043
"test_alpn_call_failure"
] ++ lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) [
# https://github.com/pyca/pyopenssl/issues/791
# These tests, we disable in the case that libressl is passed in as openssl.
failingLibresslTests = [
"test_op_no_compression"
"test_npn_advertise_error"
"test_npn_select_error"
@ -29,64 +62,21 @@ let
"test_verify_with_revoked"
"test_set_notAfter"
"test_set_notBefore"
];
# these tests are extremely tightly wed to the exact output of the openssl cli tool,
# including exact punctuation.
failingOpenSSL_1_1Tests = [
] ++ lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") [
# these tests are extremely tightly wed to the exact output of the openssl cli tool, including exact punctuation.
"test_dump_certificate"
"test_dump_privatekey_text"
"test_dump_certificate_request"
"test_export_text"
] ++ lib.optionals stdenv.is32bit [
# https://github.com/pyca/pyopenssl/issues/974
"test_verify_with_time"
];
disabledTests = [
# https://github.com/pyca/pyopenssl/issues/692
# These tests, we disable always.
"test_set_default_verify_paths"
"test_fallback_default_verify_paths"
# https://github.com/pyca/pyopenssl/issues/768
"test_wantWriteError"
] ++ (
lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) failingLibresslTests
) ++ (
lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") failingOpenSSL_1_1Tests
) ++ (
# https://github.com/pyca/pyopenssl/issues/974
lib.optionals stdenv.is32bit [ "test_verify_with_time" ]
);
# Compose the final string expression, including the "-k" and the single quotes.
testExpression = lib.optionalString (disabledTests != [])
"-k 'not ${lib.concatStringsSep " and not " disabledTests}'";
in
buildPythonPackage rec {
pname = "pyopenssl";
version = "20.0.1";
src = fetchPypi {
pname = "pyOpenSSL";
inherit version;
sha256 = "4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51";
meta = with lib; {
description = "Python wrapper around the OpenSSL library";
homepage = "https://github.com/pyca/pyopenssl";
license = licenses.asl20;
maintainers = with maintainers; [ SuperSandro2000 ];
};
outputs = [ "out" "dev" ];
checkPhase = ''
runHook preCheck
export LANG="en_US.UTF-8"
py.test tests ${testExpression}
runHook postCheck
'';
# Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
# for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
doCheck = !stdenv.isDarwin;
nativeBuildInputs = [ openssl ];
propagatedBuildInputs = [ cryptography pyasn1 idna six ];
checkInputs = [ pytest pretend flaky glibcLocales ];
}

View File

@ -1,16 +0,0 @@
{ lib, buildPythonPackage, fetchPypi }:
buildPythonPackage rec {
pname = "urldecode";
version = "0.1";
src = fetchPypi {
inherit pname version;
sha256 = "0w8my7kdwxppsfzzi1b2cxhypm6r1fsrnb2hnd752axq4gfsddjj";
};
meta = with lib; {
description = "A simple function to decode an encoded url";
homepage = "https://github.com/jennyq/urldecode";
maintainers = with maintainers; [ nixbitcoin ];
};
}

View File

@ -10,11 +10,11 @@
}:
let self = stdenvNoCC.mkDerivation {
pname = "rtl";
version = "0.13.4";
version = "0.13.6";
src = fetchurl {
url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz";
hash = "sha256-WVldNnmCB7Gi/U3dUDTYF58i480eXkstRnEg+1QCeMM=";
hash = "sha256-eyRM28h2TV3IyW4hDPHj/wMJxLEZin7AqWQZGQt5mV4=";
};
passthru = {
@ -26,7 +26,7 @@ let self = stdenvNoCC.mkDerivation {
# TODO-EXTERNAL: Remove `npmFlags` when no longer required
# See: https://github.com/Ride-The-Lightning/RTL/issues/1182
npmFlags = "--legacy-peer-deps";
hash = "sha256-AG7930RGLxbPp1ErTGuYvUvPur9ppEmg91Taz7Ube6w=";
hash = "sha256-C4yK6deYXPrTa383aXiHoO0w3JAMIfAaESCEy9KKY2k=";
};
};

View File

@ -2,7 +2,7 @@
set -euo pipefail
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
version="0.13.4"
version="0.13.6"
repo=https://github.com/Ride-The-Lightning/RTL
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)

View File

@ -0,0 +1,23 @@
{ lib, buildGoModule, fetchFromGitHub }:
buildGoModule rec {
pname = "trustedcoin";
version = "0.6.1";
src = fetchFromGitHub {
owner = "nbd-wtf";
repo = pname;
rev = "v${version}";
sha256 = "sha256-UNQjxhAT0mK1In7vUtIoMoMNBV+0wkrwbDmm7m+0R3o=";
};
vendorSha256 = "sha256-xvkK9rMQlXTnNyOMd79qxVSvhgPobcBk9cq4/YWbupY=";
subPackages = [ "." ];
meta = with lib; {
description = "Light bitcoin node implementation";
homepage = "https://github.com/nbd-wtf/trustedcoin";
maintainers = with maintainers; [ seberm fort-nix ];
platforms = platforms.linux;
};
}

20
pkgs/trustedcoin/get-sha256.sh Executable file
View File

@ -0,0 +1,20 @@
#! /usr/bin/env nix-shell
#! nix-shell -i bash -p git gnupg curl jq
set -euo pipefail
TMPDIR="$(mktemp -d -p /tmp)"
trap 'rm -rf $TMPDIR' EXIT
cd "$TMPDIR"
echo "Fetching latest release"
repo='nbd-wtf/trustedcoin'
latest=$(curl --location --silent --show-error https://api.github.com/repos/${repo}/releases/latest | jq -r .tag_name)
echo "Latest release is $latest"
git clone --depth 1 --branch "$latest" "https://github.com/${repo}" 2>/dev/null
cd trustedcoin
echo "tag: $latest"
git checkout -q "tags/$latest"
rm -rf .git
nix --extra-experimental-features nix-command hash path .

View File

@ -20,4 +20,4 @@ if [[ ${CACHIX_SIGNING_KEY:-} ]]; then
fi
echo "Running flake-info (nixos-search)"
flake-info flake ../..
flake-info --json flake ../.. >/dev/null

View File

@ -41,4 +41,4 @@ bwrap \
--ro-bind "$tmpDir/nix.conf" /etc/nix/nix.conf \
--ro-bind /usr /usr \
--ro-bind-try /run /run \
-- flake-info flake "$nbFlake"
-- flake-info --json flake "$nbFlake" >/dev/null

View File

@ -2,11 +2,11 @@
"nodes": {
"flake-utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"lastModified": 1678901627,
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
"type": "github"
},
"original": {
@ -18,11 +18,11 @@
"nixos-org-configurations": {
"flake": false,
"locked": {
"lastModified": 1674564797,
"narHash": "sha256-MgGsFleE8Wzhu8XX3ulcBojkHzFLkII+D9sxkTHg7OU=",
"lastModified": 1679995724,
"narHash": "sha256-x5ElztEfo+vFEQdePneBEfQZcAtU5a7SWHHAuEESMts=",
"owner": "NixOS",
"repo": "nixos-org-configurations",
"rev": "3ce43a1fb5181a0e33b1f67d36fa0f3affa6bc6c",
"rev": "72adc59c5ba946c3d4844a920e9beefae12bbd49",
"type": "github"
},
"original": {
@ -39,11 +39,11 @@
"npmlock2nix": "npmlock2nix"
},
"locked": {
"lastModified": 1674593115,
"narHash": "sha256-P4bjLR/8tJ/jVBBeHDzNS2BgVUdB6vS7Udfh30kULJs=",
"lastModified": 1683204679,
"narHash": "sha256-GrZj4skt6pjcNMmGQxvf5bSDYPzNahWKSNsHAtx5ERI=",
"owner": "nixos",
"repo": "nixos-search",
"rev": "be9a717b8032c7410337139f9dcfd6227b7407a4",
"rev": "0498effc4137095938f16fd752cc81a96901554f",
"type": "github"
},
"original": {
@ -54,11 +54,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1667629849,
"narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
"lastModified": 1680213900,
"narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
"rev": "e3652e0735fbec227f342712f180f4f21f0594f2",
"type": "github"
},
"original": {
@ -70,11 +70,11 @@
"npmlock2nix": {
"flake": false,
"locked": {
"lastModified": 1666460237,
"narHash": "sha256-HME6rnysvCwUVtH+BDWDGahmweMaLgD2wqHeRuGp6QI=",
"lastModified": 1673447413,
"narHash": "sha256-sJM82Sj8yfQYs9axEmGZ9Evzdv/kDcI9sddqJ45frrU=",
"owner": "nix-community",
"repo": "npmlock2nix",
"rev": "eeed152290ec2425f96c5e74e469c40b621e1468",
"rev": "9197bbf397d76059a76310523d45df10d2e4ca81",
"type": "github"
},
"original": {

View File

@ -274,6 +274,7 @@ buildable=(
hardened
clightning-replication
lndPruned
wireguard-lndconnect
)
buildable() { buildTests buildable "$@"; }

View File

@ -45,7 +45,7 @@ let
services.clightning.extraConfig = mkIf config.test.noConnections "disable-dns";
test.data.clightning-plugins = let
plugins = config.services.clightning.plugins;
removed = [ "commando" ];
removed = [ "commando" "trustedcoin" ];
enabled = builtins.filter (plugin: plugins.${plugin}.enable)
(subtractLists removed (builtins.attrNames plugins));
nbPkgs = config.nix-bitcoin.pkgs;
@ -86,8 +86,8 @@ let
nix-bitcoin.onionServices.lnd.public = true;
tests.lndconnect-onion-lnd = cfg.lnd.lndconnectOnion.enable;
tests.lndconnect-onion-clightning = cfg.clightning-rest.lndconnectOnion.enable;
tests.lndconnect-onion-lnd = with cfg.lnd.lndconnect; enable && onion;
tests.lndconnect-onion-clightning = with cfg.clightning-rest.lndconnect; enable && onion;
tests.lightning-loop = cfg.lightning-loop.enable;
services.lightning-loop.certificate.extraIPs = [ "20.0.0.1" ];
@ -187,9 +187,9 @@ let
services.rtl.enable = true;
services.spark-wallet.enable = true;
services.clightning-rest.enable = true;
services.clightning-rest.lndconnectOnion.enable = true;
services.clightning-rest.lndconnect = { enable = true; onion = true; };
services.lnd.enable = true;
services.lnd.lndconnectOnion.enable = true;
services.lnd.lndconnect = { enable = true; onion = true; };
services.lightning-loop.enable = true;
services.lightning-pool.enable = true;
services.charge-lnd.enable = true;
@ -315,6 +315,15 @@ let
services.lnd.enable = true;
services.bitcoind.prune = 1000;
};
# Test the special clightning setup where trustedcoin plugin is used
trustedcoin = {
tests.trustedcoin = true;
services.clightning = {
enable = true;
plugins.trustedcoin.enable = true;
};
};
} // (import ../dev/dev-scenarios.nix {
inherit lib scenarios;
});
@ -405,6 +414,7 @@ in {
in
{
clightning-replication = import ./clightning-replication.nix makeTestVM pkgs;
wireguard-lndconnect = import ./wireguard-lndconnect.nix makeTestVM pkgs;
} // mainTests;
tests = makeTests scenarios;

View File

@ -177,12 +177,12 @@ def _():
@test("lndconnect-onion-lnd")
def _():
assert_running("lnd")
assert_matches("runuser -u operator -- lndconnect-onion --url", ".onion")
assert_matches("runuser -u operator -- lndconnect --url", ".onion")
@test("lndconnect-onion-clightning")
def _():
assert_running("clightning-rest")
assert_matches("runuser -u operator -- lndconnect-onion-clightning --url", ".onion")
assert_matches("runuser -u operator -- lndconnect-clightning --url", ".onion")
@test("lightning-loop")
def _():
@ -433,6 +433,18 @@ def _():
if enabled("btcpayserver"):
machine.wait_until_succeeds(log_has_string("nbxplorer", f"At height: {num_blocks}"))
@test("trustedcoin")
def _():
machine.wait_for_unit("bitcoind")
machine.wait_for_unit("clightning")
# Let's check the trustedcoin plugin was correctly initialized
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+initialized plugin"))
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+bitcoind RPC working"))
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+tip: 0"))
machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+estimatefees error: none of the esploras returned usable responses"))
if "netns-isolation" in enabled_tests:
def ip(name):
return test_data["netns"][name]["address"]

View File

@ -0,0 +1,103 @@
# You can run this test via `run-tests.sh -s wireguard-lndconnect`
makeTestVM: pkgs:
with pkgs.lib;
makeTestVM {
name = "wireguard-lndconnect";
nodes = {
server = {
imports = [
../modules/modules.nix
../modules/presets/wireguard.nix
];
nixpkgs.pkgs = pkgs;
nix-bitcoin.generateSecrets = true;
nix-bitcoin.operator.enable = true;
services.clightning-rest = {
enable = true;
lndconnect.enable = true;
};
# TODO-EXTERNAL:
# When WAN is disabled, DNS bootstrapping slows down service startup by ~15 s.
services.clightning.extraConfig = "disable-dns";
services.lnd = {
enable = true;
lndconnect.enable = true;
port = 9736;
};
};
client = {
nixpkgs.pkgs = pkgs;
environment.systemPackages = with pkgs; [
wireguard-tools
];
};
};
testScript = ''
import base64
import urllib.parse as Url
from types import SimpleNamespace
def parse_lndconnect_url(url):
u = Url.urlparse(url)
queries = Url.parse_qs(u.query)
macaroon = queries['macaroon'][0]
is_clightning = url.startswith("c-lightning-rest")
return SimpleNamespace(
host = u.hostname,
port = u.port,
macaroon_hex =
macaroon if is_clightning else base64.urlsafe_b64decode(macaroon + '===').hex().upper()
)
client.start()
server.connect()
if not "is_interactive" in vars():
with subtest("connect client to server via WireGuard"):
server.wait_for_unit("wireguard-wg-nb-peer-peer0.service")
# Get WireGuard config from server and save it to `/tmp/wireguard.conf` on the client
wg_config = server.succeed("runuser -u operator -- nix-bitcoin-wg-connect server --text")
# Encode to base64
b64 = base64.b64encode(wg_config.encode('utf-8')).decode()
client.succeed(f"install -m 400 <(echo -n {b64} | base64 -d) /tmp/wireguard.conf")
# Connect to server via WireGuard
client.succeed("wg-quick up /tmp/wireguard.conf")
# Ping server from client
print(client.succeed("ping -c 1 -W 0.5 10.10.0.1"))
with subtest("lndconnect-wg"):
server.wait_for_unit("lnd.service")
lndconnect_url = server.succeed("runuser -u operator -- lndconnect-wg --url")
api = parse_lndconnect_url(lndconnect_url)
# Make lnd REST API call
client.succeed(
f"curl -fsS --max-time 3 --insecure --header 'Grpc-Metadata-macaroon: {api.macaroon_hex}' "
f"-X GET https://{api.host}:{api.port}/v1/getinfo"
)
with subtest("lndconnect-clightning-wg"):
server.wait_for_unit("clightning-rest.service")
lndconnect_url = server.succeed("runuser -u operator -- lndconnect-clightning-wg --url")
api = parse_lndconnect_url(lndconnect_url)
# Make clightning-rest API call
client.succeed(
f"curl -fsS --max-time 3 --insecure --header 'macaroon: {api.macaroon_hex}' "
f"--header 'encodingtype: hex' -X GET https://{api.host}:{api.port}/v1/getinfo"
)
'';
}