Merge #610: update nixpkgs

af87d59 obsolete-options: simplify removal of clightning plugin `commando` (Erik Arvstedt) 9b575e4 test/backups: check that bitcoind stops without errors (Erik Arvstedt) 8a791b7 rtl: 0.13.6 -> 0.14.0 (Erik Arvstedt) 3650d4b bitcoin: replace nixpkgs package with bitcoin{,d} 24.1 (Jonas Nick) 75e54bb spark-wallet: remove package and module (Jonas Nick) 29a95ea clightning-rest: update module to v0.10.3 (Erik Arvstedt) 67475f7 clightning-rest: 0.9.0 -> 0.10.3 (Erik Arvstedt) fe76516 bitcoind: update module to v25.0 (Erik Arvstedt) 9c59b96 clightning-plugins: add prometheus patch for clightning 23.05 (Jonas Nick) 9aea69e clightning-plugins: update (Jonas Nick) 2166bfd clboss: deprecate, add clighting 23.05 compatibility (Erik Arvstedt) dcc5a54 update nixpkgs (Jonas Nick) Pull request description: ACKs for top commit: erikarvstedt: ACK af87d59 Tree-SHA512: 8bc6bc1aa01f342047b9b5cc468ab4af1f71a16d7f575f7e5108f2dfb0121160d777ead5b6714506a911066d594a37c6e14b774eb1bc1cb674ddea85e2e33c5a
fort-nix · Jun 2, 2023 · e3190b2 · e3190b2
2 parents d9baa2e + af87d59
commit e3190b2
Show file tree

Hide file tree

Showing 33 changed files with 216 additions and 2,951 deletions.
diff --git a/README.md b/README.md
@@ -90,7 +90,6 @@ NixOS modules ([src](modules/modules.nix))
     clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
     [Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
   * [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
-  * [spark-wallet](https://github.com/shesek/spark-wallet)
   * [electrs](https://github.com/romanz/electrs): Electrum server
   * [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs)
   * [btcpayserver](https://github.com/btcpayserver/btcpayserver)

diff --git a/SECURITY.md b/SECURITY.md
@@ -45,7 +45,7 @@ all other security vulnerabilities.
 | Type | Description | Examples |
 | :-: | :-: | :-: |
 | Outright Vulnerabilities | Vulnerabilities in nix-bitcoin specific tooling (except CI tooling) | privilege escalation in SUID binary `netns-exec`, improper release signature verification through `fetch-release` |
-| Violations of [PoLP](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | nix-bitcoin services are given too much privilege over the system or unnecessary access to other nix-bitcoin services, or one of the nix-bitcoin isolation measures is incorrectly implemented | `netns-isolation` doesn't work, spark-wallet has access to bitcoin RPC interface or files |
+| Violations of [PoLP](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | nix-bitcoin services are given too much privilege over the system or unnecessary access to other nix-bitcoin services, or one of the nix-bitcoin isolation measures is incorrectly implemented | `netns-isolation` doesn't work, RTL has access to bitcoin RPC interface or files |
 | Vulnerabilities in Dependencies | A vulnerability in any dependency of a nix-bitcoin installation with a configuration consisting of any combination of the following services: bitcoind, clightning, lnd, electrs, joinmarket, btcpayserver, liquidd.<br />**Note:** The vulnerability must first be reported to and handled by the maintainers of the dependency before it qualifies for a reward| Compromised NixOS expression pulls in malicious package, JoinMarket pulls in a python dependency with a known severe vulnerability |
 | Bad Documentation | Our documentation suggests blatantly insecure things | `install.md` tells you to add our SSH keys to your root user |
 | Compromise of Signing Key | Compromise of the nix-bitcoin signing key, i.e., `0xB1A70E4F8DCD0366` | Leaking the key, managing to sign something with it |

diff --git a/dev/dev-features.sh b/dev/dev-features.sh
@@ -127,22 +127,6 @@ c systemctl status clightning-rest
 c journalctl -u clightning-rest
 c systemctl status clightning-rest-migrate-datadir
 
-#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
-# spark-wallet
-
-run-tests.sh -s "{
-  services.spark-wallet.enable = true;
-  test.container.exposeLocalhost = true;
-}" container
-
-c systemctl status spark-wallet
-c journalctl -u spark-wallet
-
-sparkAuth=$(c cat /secrets/spark-wallet-login | grep -ohP '(?<=login=).*')
-curl -v http://$sparkAuth@$ip:9737
-# Open in browser
-runuser -u "$(logname)" -- xdg-open http://$sparkAuth@$ip:9737
-
 #―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
 # electrs
 

diff --git a/docs/services.md b/docs/services.md
@@ -291,49 +291,6 @@ Create a plain text URL:
 lndconnect-wg --url
 ``````
 
-# Connect to spark-wallet
-### Requirements
-* Android phone
-* [Orbot](https://guardianproject.info/apps/orbot/) installed from [F-Droid](https://guardianproject.info/fdroid) (recommended) or [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android&hl=en)
-* [Spark-wallet](https://github.com/shesek/spark-wallet) installed from [direct download](https://github.com/shesek/spark-wallet/releases) or [Google Play](https://play.google.com/store/apps/details?id=com.spark.wallet)
-
-1. Enable spark-wallet in `configuration.nix`
-
-    Change
-    ```
-    # services.spark-wallet.enable = true;
-    ```
-    to
-    ```
-    services.spark-wallet.enable = true;
-    ```
-
-2. Deploy new `configuration.nix`
-
-3. Enable Orbot VPN for spark-wallet
-
-    ```
-    Open Orbot app
-    Turn on "VPN Mode"
-    Select Gear icon under "Tor-Enabled Apps"
-    Toggle checkbox under Spark icon
-    ```
-
-4. Get the onion address, access key and QR access code for the spark wallet android app
-
-    ```
-    journalctl -eu spark-wallet
-    ```
-    Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlighting the entire output to invert the colors.
-
-5. Connect to spark-wallet android app
-
-    ```
-    Server Settings
-    Scan QR
-    Done
-    ```
-
 # Connect to electrs
 ### Requirements Android
 * Android phone

diff --git a/examples/configuration.nix b/examples/configuration.nix
@@ -126,12 +126,6 @@
   # Automatically enables lightning-loop.
   # services.rtl.nodes.lnd.loop = true;
 
-  ### SPARK WALLET
-  # Set this to enable spark-wallet, a minimalistic wallet GUI for
-  # c-lightning, accessible over the web or through mobile and desktop apps.
-  # Automatically enables clightning.
-  # services.spark-wallet.enable = true;
-
   ### ELECTRS
   # Set this to enable electrs, an Electrum server implemented in Rust.
   # services.electrs.enable = true;

diff --git a/flake.lock b/flake.lock
diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
@@ -414,6 +414,8 @@ in {
       # Enable RPC access for group
       postStart = ''
         chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
+      '' + (optionalString cfg.regtest) ''
+        chmod g=x '${cfg.dataDir}/regtest'
       '';
 
       serviceConfig = nbLib.defaultHardening // {

diff --git a/modules/clightning-plugins/clboss.nix b/modules/clightning-plugins/clboss.nix
@@ -12,6 +12,11 @@ let cfg = config.services.clightning.plugins.clboss; in
         See also: https://github.com/ZmnSCPxj/clboss#operating
       '';
     };
+    acknowledgeDeprecation = mkOption {
+      type = types.bool;
+      default = false;
+      internal = true;
+    };
     min-onchain = mkOption {
       type = types.ints.positive;
       default = 30000;
@@ -49,13 +54,30 @@ let cfg = config.services.clightning.plugins.clboss; in
   };
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.acknowledgeDeprecation;
+        message = ''
+          `clboss` is no longer maintained and has been deprecated.
+
+          Warning: For compatibility with clighting 23.05, the nix-bitcoin `clboss` package
+          includes a third-party fix that has not been thoroughly tested:
+          https://github.com/ZmnSCPxj/clboss/pull/162
+
+          To ignore this warning and continue using `clboss`, add the following to your config:
+          services.clightning.plugins.clboss.acknowledgeDeprecation = true;
+        '';
+      }
+    ];
+
     services.clightning.extraConfig = ''
       plugin=${cfg.package}/bin/clboss
       clboss-min-onchain=${toString cfg.min-onchain}
       clboss-min-channel=${toString cfg.min-channel}
       clboss-max-channel=${toString cfg.max-channel}
       clboss-zerobasefee=${cfg.zerobasefee}
     '';
+
     systemd.services.clightning.path = [
       pkgs.dnsutils
     ] ++ optional config.services.clightning.tor.proxy (hiPrio config.nix-bitcoin.torify);

diff --git a/modules/clightning-rest.nix b/modules/clightning-rest.nix
@@ -97,6 +97,7 @@ in {
         Restart = "on-failure";
         RestartSec = "10s";
         ReadWritePaths = [ cfg.dataDir ];
+        inherit (nbLib.allowNetlink) RestrictAddressFamilies;
       } // nbLib.allowedIPAddresses cfg.tor.enforce
         // nbLib.nodejs;
     };

diff --git a/modules/modules.nix b/modules/modules.nix
@@ -14,7 +14,6 @@
     ./clightning-plugins
     ./clightning-rest.nix
     ./clightning-replication.nix
-    ./spark-wallet.nix
     ./lnd.nix
     ./lightning-loop.nix
     ./lightning-pool.nix

diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
@@ -244,10 +244,6 @@ in {
         id = 16;
         connections = [ "bitcoind" ];
       };
-      spark-wallet = {
-        id = 17;
-        # communicates with clightning over lightning-rpc socket
-      };
       nginx = {
         id = 21;
       };
@@ -332,11 +328,6 @@ in {
 
     services.fulcrum.address = netns.fulcrum.address;
 
-    services.spark-wallet = {
-      address = netns.spark-wallet.address;
-      extraArgs = "--no-tls";
-    };
-
     services.lightning-loop.rpcAddress = netns.lightning-loop.address;
 
     services.nbxplorer.address = netns.nbxplorer.address;

diff --git a/modules/nodeinfo.nix b/modules/nodeinfo.nix
@@ -145,7 +145,6 @@ in {
       clightning-rest = mkInfo "";
       electrs = mkInfo "";
       fulcrum = mkInfo "";
-      spark-wallet = mkInfo "";
       btcpayserver = mkInfo "";
       liquidd = mkInfo "";
       joinmarket-ob-watcher = mkInfo "";

diff --git a/modules/obsolete-options.nix b/modules/obsolete-options.nix
@@ -24,7 +24,6 @@ in {
     (mkRenamedOptionModule [ "services" "bitcoind" "rpcthreads" ] [ "services" "bitcoind" "rpc" "threads" ])
     (mkRenamedOptionModule [ "services" "clightning" "bind-addr" ] [ "services" "clightning" "address" ])
     (mkRenamedOptionModule [ "services" "clightning" "bindport" ] [ "services" "clightning" "port" ])
-    (mkRenamedOptionModule [ "services" "spark-wallet" "host" ] [ "services" "spark-wallet" "address" ])
     (mkRenamedOptionModule [ "services" "lnd" "rpclisten" ] [ "services" "lnd" "rpcAddress" ])
     (mkRenamedOptionModule [ "services" "lnd" "listen" ] [ "services" "lnd" "address" ])
     (mkRenamedOptionModule [ "services" "lnd" "listenPort" ] [ "services" "lnd" "port" ])
@@ -75,7 +74,6 @@ in {
     "lightning-pool"
     "liquid"
     "lnd"
-    "spark-wallet"
     "bitcoind"
   ]) ++
   (map mkRenamedEnforceTorOption [
@@ -84,21 +82,25 @@ in {
     "electrs"
   ]) ++
   # 0.0.77
-  (
-    let
-      optionName = [ "services" "clightning" "plugins" "commando" ];
-    in [
-      (mkRemovedOptionModule (optionName ++ [ "enable" ]) ''
-        clightning 0.12.0 ships with a reimplementation of the commando plugin
-        that is incompatible with the commando module that existed in
-        nix-bitcoin. The new built-in commando plugin is always enabled. For
-        information on how to use it, run `lightning-cli help commando` and
-        `lightning-cli help commando-rune`.
-      '')
-      (mkRemovedOptionModule (optionName ++ [ "readers" ]) "")
-      (mkRemovedOptionModule (optionName ++ [ "writers" ]) "")
-  ]);
-
+  [
+    (mkRemovedOptionModule [ "services" "clightning" "plugins" "commando" ] ''
+      clightning 0.12.0 ships with a reimplementation of the commando plugin
+      that is incompatible with the commando module that existed in
+      nix-bitcoin. The new built-in commando plugin is always enabled. For
+      information on how to use it, run `lightning-cli help commando` and
+      `lightning-cli help commando-rune`.
+    '')
+  ] ++
+  # 0.0.92
+  [
+    (mkRemovedOptionModule [ "services" "spark-wallet" ] ''
+      Spark Lightning Wallet is unmaintained and incompatible with clightning
+      23.05. Therefore, the spark-wallet module has been removed from
+      nix-bitcoin. For a replacement, consider using the rtl (Ride The
+      Lightning) module or the clightning-rest module in combination with the
+      Zeus mobile wallet.
+    '')
+  ];
   config = {
     # Migrate old clightning-rest datadir from nix-bitcoin versions < 0.0.70
     systemd.services.clightning-rest-migrate-datadir = let

diff --git a/modules/onion-services.nix b/modules/onion-services.nix
@@ -104,15 +104,6 @@ in {
     # Set sensible defaults for some services
     {
       nix-bitcoin.onionServices = {
-        spark-wallet = {
-          externalPort = 80;
-          # Enable 'public' by default, but don't auto-enable the onion service.
-          # When the onion service is enabled, 'public' lets spark-wallet generate
-          # a QR code for accessing the web interface.
-          public = true;
-          # Low priority so we can override this with mkDefault in ./presets/enable-tor.nix
-          enable = mkOverride 1400 false;
-        };
         btcpayserver = {
           externalPort = 80;
         };

diff --git a/modules/presets/enable-tor.nix b/modules/presets/enable-tor.nix
@@ -26,7 +26,6 @@ in {
     # TODO-EXTERNAL:
     # disable Tor enforcement until btcpayserver can fetch rates over Tor
     # btcpayserver = defaultEnableTorProxy;
-    spark-wallet = defaultEnableTorProxy;
     lightning-pool = defaultEnableTorProxy;
 
     # These services don't make outgoing connections
@@ -48,7 +47,6 @@ in {
     liquidd.enable = defaultTrue;
     electrs.enable = defaultTrue;
     fulcrum.enable = defaultTrue;
-    spark-wallet.enable = defaultTrue;
     joinmarket-ob-watcher.enable = defaultTrue;
     rtl.enable = defaultTrue;
   };