treewide: fix various issues found by statix

Otto Sabart 2024-05-27 21:00:00 +02:00
parent c8592ab86c
commit f5d8503be4
No known key found for this signature in database
GPG Key ID: 823BAE99F8BE1E3C
20 changed files with 261 additions and 235 deletions


@ -310,7 +310,7 @@ let
${optionalString cfg.listenWhitelisted
"whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
${optionalString cfg.i2p "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}
${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
@ -364,7 +364,7 @@ in {
}
];
services.i2pd = mkIf (cfg.i2p != false) {
services.i2pd = mkIf cfg.i2p {
enable = true;
proto.sam.enable = true;
};
@ -435,28 +435,33 @@ in {
// optionalAttrs zmqServerEnabled nbLib.allowNetlink;
};
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
};
users.groups.${cfg.group} = {};
users.groups.bitcoinrpc-public = {};
nix-bitcoin.operator.groups = [ cfg.group ];
nix-bitcoin.secrets = {
bitcoin-rpcpassword-privileged.user = cfg.user;
bitcoin-rpcpassword-public = {
user = cfg.user;
group = "bitcoinrpc-public";
users = {
users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
};
groups = {
${cfg.group} = {};
bitcoinrpc-public = {};
};
bitcoin-HMAC-privileged.user = cfg.user;
bitcoin-HMAC-public.user = cfg.user;
};
nix-bitcoin.generateSecretsCmds.bitcoind = ''
makeBitcoinRPCPassword privileged
makeBitcoinRPCPassword public
'';
nix-bitcoin = {
operator.groups = [ cfg.group ];
secrets = {
bitcoin-rpcpassword-privileged.user = cfg.user;
bitcoin-rpcpassword-public = {
user = cfg.user;
group = "bitcoinrpc-public";
};
bitcoin-HMAC-privileged.user = cfg.user;
bitcoin-HMAC-public.user = cfg.user;
};
generateSecretsCmds.bitcoind = ''
makeBitcoinRPCPassword privileged
makeBitcoinRPCPassword public
'';
};
};
}
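Review bot: Dropping the `!= false` comparison on `cfg.i2p` does not look behaviour-preserving, because the line right after the first change compares the same option with the string `"only-outgoing"`, so it is not a plain boolean. With that value, `optionalString cfg.i2p …` and `mkIf cfg.i2p` are handed a string where a boolean is expected, which should abort evaluation instead of enabling the SAM bridge and i2pd for an outgoing-only setup. Restore `(cfg.i2p != false)` as the condition in both places, i.e. `services.i2pd = mkIf (cfg.i2p != false) {`, and exempt these two lines from the lint. The option declaration is outside the visible hunks, so confirm the type there.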


@ -110,170 +110,188 @@ in {
inherit options;
config = mkIf cfg.btcpayserver.enable {
services.bitcoind = {
enable = true;
rpc.users.btcpayserver = {
passwordHMACFromFile = true;
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
"setban"
"generatetoaddress"
"getpeerinfo"
services = {
bitcoind = {
enable = true;
rpc.users.btcpayserver = {
passwordHMACFromFile = true;
rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [
"setban"
"generatetoaddress"
"getpeerinfo"
];
};
listenWhitelisted = true;
};
clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
enable = true;
macaroons.btcpayserver = {
inherit (cfg.btcpayserver) user;
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
};
};
liquidd = mkIf cfg.btcpayserver.lbtc {
enable = true;
listenWhitelisted = true;
};
postgresql = {
enable = true;
ensureDatabases = [ "btcpaydb" "nbxplorer" ];
ensureUsers = [
{ name = cfg.btcpayserver.user; }
{ name = cfg.nbxplorer.user; }
];
};
listenWhitelisted = true;
};
services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true;
services.lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") {
enable = true;
macaroons.btcpayserver = {
inherit (cfg.btcpayserver) user;
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}'';
};
};
services.liquidd = mkIf cfg.btcpayserver.lbtc {
enable = true;
listenWhitelisted = true;
};
services.postgresql = {
enable = true;
ensureDatabases = [ "btcpaydb" "nbxplorer" ];
ensureUsers = [
{ name = cfg.btcpayserver.user; }
{ name = cfg.nbxplorer.user; }
systemd = {
tmpfiles.rules = [
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
];
};
systemd.services.postgresql.postStart = lib.mkAfter ''
$PSQL -tAc '
ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}";
ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}";
'
'';
systemd.tmpfiles.rules = [
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
"d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -"
];
systemd.services.nbxplorer = let
configFile = builtins.toFile "config" ''
network=${bitcoind.network}
btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
bind=${cfg.nbxplorer.address}
port=${toString cfg.nbxplorer.port}
${optionalString cfg.btcpayserver.lbtc ''
chains=btc,lbtc
lbtcrpcuser=${liquidd.rpcuser}
lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort}
''}
postgres=User ID=${cfg.nbxplorer.user};Host=/run/postgresql;Database=nbxplorer
automigrate=1
'';
in rec {
wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service";
after = requires ++ [ "nix-bitcoin-secrets.target" ];
preStart = ''
install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config'
{
echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)"
${optionalString cfg.btcpayserver.lbtc ''
echo "lbtcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/liquid-rpcpassword)"
''}
} >> '${cfg.nbxplorer.dataDir}/settings.config'
'';
serviceConfig = nbLib.defaultHardening // {
ExecStart = ''
${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \
--datadir=${cfg.nbxplorer.dataDir}
services = {
postgresql.postStart = lib.mkAfter ''
$PSQL -tAc '
ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}";
ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}";
'
'';
User = cfg.nbxplorer.user;
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = [ cfg.nbxplorer.dataDir ];
MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
};
systemd.services.btcpayserver = let
nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/";
nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie";
configFile = builtins.toFile "btcpayserver-config" (''
network=${bitcoind.network}
bind=${cfg.btcpayserver.address}
port=${toString cfg.btcpayserver.port}
socksendpoint=${config.nix-bitcoin.torClientAddressWithPort}
btcexplorerurl=${nbExplorerUrl}
btcexplorercookiefile=${nbExplorerCookie}
postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb
'' + optionalString (cfg.btcpayserver.rootpath != null) ''
rootpath=${cfg.btcpayserver.rootpath}
'' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc
'' + optionalString (cfg.btcpayserver.lightningBackend == "lnd")
(
"btclightning=type=lnd-rest;" +
"server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
"macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
"certfilepath=${config.services.lnd.certPath}" +
"\n"
)
+ optionalString cfg.btcpayserver.lbtc ''
chains=btc,lbtc
lbtcexplorerurl=${nbExplorerUrl}
lbtcexplorercookiefile=${nbExplorerCookie}
'');
in let self = {
wantedBy = [ "multi-user.target" ];
requires = [ "nbxplorer.service" "postgresql.service" ]
++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
after = self.requires;
serviceConfig = nbLib.defaultHardening // {
ExecStart = ''
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \
--datadir='${cfg.btcpayserver.dataDir}'
'';
User = cfg.btcpayserver.user;
# Also restart after the program has exited successfully.
# This is required to support restarting from the web interface after
# interactive plugin installation.
# Restart rate limiting is implemented via the `startLimit*` options below.
Restart = "always";
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
startLimitIntervalSec = 30;
startLimitBurst = 10;
}; in self;
nbxplorer = let
configFile = builtins.toFile "config" ''
network=${bitcoind.network}
btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name}
btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port}
btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort}
bind=${cfg.nbxplorer.address}
port=${toString cfg.nbxplorer.port}
${optionalString cfg.btcpayserver.lbtc ''
chains=btc,lbtc
lbtcrpcuser=${liquidd.rpcuser}
lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port}
lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort}
''}
postgres=User ID=${cfg.nbxplorer.user};Host=/run/postgresql;Database=nbxplorer
automigrate=1
'';
in rec {
wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service";
after = requires ++ [ "nix-bitcoin-secrets.target" ];
preStart = ''
install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config'
{
echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)"
${optionalString cfg.btcpayserver.lbtc ''
echo "lbtcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/liquid-rpcpassword)"
''}
} >> '${cfg.nbxplorer.dataDir}/settings.config'
'';
serviceConfig = nbLib.defaultHardening // {
ExecStart = ''
${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \
--datadir=${cfg.nbxplorer.dataDir}
'';
User = cfg.nbxplorer.user;
Restart = "on-failure";
RestartSec = "10s";
ReadWritePaths = [ cfg.nbxplorer.dataDir ];
MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce;
};
users.users.${cfg.nbxplorer.user} = {
isSystemUser = true;
group = cfg.nbxplorer.group;
extraGroups = [ "bitcoinrpc-public" ]
++ optional cfg.btcpayserver.lbtc liquidd.group;
home = cfg.nbxplorer.dataDir;
};
users.groups.${cfg.nbxplorer.group} = {};
users.users.${cfg.btcpayserver.user} = {
isSystemUser = true;
group = cfg.btcpayserver.group;
extraGroups = [ cfg.nbxplorer.group ]
++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
home = cfg.btcpayserver.dataDir;
};
users.groups.${cfg.btcpayserver.group} = {};
nix-bitcoin.secrets = {
bitcoin-rpcpassword-btcpayserver = {
user = cfg.bitcoind.user;
group = cfg.nbxplorer.group;
btcpayserver = let
nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/";
nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie";
configFile = builtins.toFile "btcpayserver-config" (''
network=${bitcoind.network}
bind=${cfg.btcpayserver.address}
port=${toString cfg.btcpayserver.port}
socksendpoint=${config.nix-bitcoin.torClientAddressWithPort}
btcexplorerurl=${nbExplorerUrl}
btcexplorercookiefile=${nbExplorerCookie}
postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb
'' + optionalString (cfg.btcpayserver.rootpath != null) ''
rootpath=${cfg.btcpayserver.rootpath}
'' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc
'' + optionalString (cfg.btcpayserver.lightningBackend == "lnd")
(
"btclightning=type=lnd-rest;" +
"server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
"macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
"certfilepath=${config.services.lnd.certPath}" +
"\n"
)
+ optionalString cfg.btcpayserver.lbtc ''
chains=btc,lbtc
lbtcexplorerurl=${nbExplorerUrl}
lbtcexplorercookiefile=${nbExplorerCookie}
'');
serviceRequires = [ "nbxplorer.service" "postgresql.service" ]
++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
in {
wantedBy = [ "multi-user.target" ];
requires = serviceRequires;
after = serviceRequires;
serviceConfig = nbLib.defaultHardening // {
ExecStart = ''
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \
--datadir='${cfg.btcpayserver.dataDir}'
'';
User = cfg.btcpayserver.user;
# Also restart after the program has exited successfully.
# This is required to support restarting from the web interface after
# interactive plugin installation.
# Restart rate limiting is implemented via the `startLimit*` options below.
Restart = "always";
ReadWritePaths = [ cfg.btcpayserver.dataDir ];
MemoryDenyWriteExecute = false;
} // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
startLimitIntervalSec = 30;
startLimitBurst = 10;
};
};
bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user;
};
nix-bitcoin.generateSecretsCmds.btcpayserver = ''
makeBitcoinRPCPassword btcpayserver
'';
users = {
users = {
${cfg.nbxplorer.user} = {
isSystemUser = true;
inherit (cfg.nbxplorer) group;
extraGroups = [ "bitcoinrpc-public" ]
++ optional cfg.btcpayserver.lbtc liquidd.group;
home = cfg.nbxplorer.dataDir;
};
${cfg.btcpayserver.user} = {
isSystemUser = true;
inherit (cfg.btcpayserver) group;
extraGroups = [ cfg.nbxplorer.group ]
++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user;
home = cfg.btcpayserver.dataDir;
};
};
groups = {
${cfg.nbxplorer.group} = {};
${cfg.btcpayserver.group} = {};
};
};
nix-bitcoin = {
secrets = {
bitcoin-rpcpassword-btcpayserver = {
inherit (cfg.bitcoind) user;
inherit (cfg.nbxplorer) group;
};
bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user;
};
generateSecretsCmds.btcpayserver = ''
makeBitcoinRPCPassword btcpayserver
'';
};
};
}
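Review bot: The `bitcoin-rpcpassword-btcpayserver` secret near the end of this section now takes its owner and its group from two different modules through adjacent `inherit (cfg.bitcoind) user;` and `inherit (cfg.nbxplorer) group;` lines, which is easy to misread as a single source. Since this decides who can read an RPC credential, a comment above the attribute would keep the intent visible, for example `# owner: bitcoind user; group: nbxplorer, whose preStart copies this secret into settings.config`. The secret's file mode is not set in this section, so the comment should not claim more than the owner/group split.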


@ -90,7 +90,7 @@ in
services.lnd = {
enable = true;
macaroons.charge-lnd = {
user = user;
inherit user;
permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"offchain","action":"write"}'';
};
};
@ -134,7 +134,7 @@ in
users.users.${user} = {
isSystemUser = true;
group = group;
inherit group;
};
users.groups.${group} = {};
};


@ -29,7 +29,7 @@ let cfg = config.services.clightning.plugins.trustedcoin; in
tor.enforce = mkIf (!cfg.tor.proxy) false;
};
systemd.services.clightning.environment = mkIf (cfg.tor.proxy) {
systemd.services.clightning.environment = mkIf cfg.tor.proxy {
HTTPS_PROXY = let
clnProxy = config.services.clightning.proxy;
proxy = if clnProxy != null then clnProxy else config.nix-bitcoin.torClientAddressWithPort;


@ -209,7 +209,7 @@ in {
nix-bitcoin = mkMerge [
(mkIf useSshfs {
secrets.clightning-replication-ssh-key = {
user = user;
inherit user;
permissions = "400";
};
generateSecretsCmds.clightning-replication-ssh-key = ''


@ -33,7 +33,7 @@ in {
config = mkMerge [
(mkIf (cfg.ledger || cfg.trezor) {
assertions = [
{ assertion = (config.services.bitcoind.disablewallet == null || !config.services.bitcoind.disablewallet);
{ assertion = config.services.bitcoind.disablewallet == null || !config.services.bitcoind.disablewallet;
message = ''
Hardware-Wallets are not compatible with bitcoind.disablewallet.
'';


@ -369,23 +369,26 @@ in {
} // nbLib.allowedIPAddresses cfg.tor.enforce;
};
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
# Allow access to the tor control socket, needed for payjoin onion service creation
extraGroups = [ "tor" "bitcoin" ];
users = {
users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
# Allow access to the tor control socket, needed for payjoin onion service creation
extraGroups = [ "tor" "bitcoin" ];
};
groups.${cfg.group} = {};
};
users.groups.${cfg.group} = {};
nix-bitcoin.operator = {
groups = [ cfg.group ];
allowRunAsUsers = [ cfg.user ];
nix-bitcoin = {
operator = {
groups = [ cfg.group ];
allowRunAsUsers = [ cfg.user ];
};
secrets.jm-wallet-password.user = cfg.user;
generateSecretsCmds.joinmarket = ''
makePasswordSecret jm-wallet-password
'';
};
nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
nix-bitcoin.generateSecretsCmds.joinmarket = ''
makePasswordSecret jm-wallet-password
'';
}
(mkIf cfg.yieldgenerator.enable {


@ -237,7 +237,7 @@ in {
config = mkIf cfg.enable {
assertions = [
{ assertion = bitcoind.regtest -> cfg.validatepegin != true;
{ assertion = bitcoind.regtest -> !cfg.validatepegin;
message = "liquidd: `validatepegin` is incompatible with regtest.";
}
];
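Review bot: `!cfg.validatepegin` is only equivalent to the old `cfg.validatepegin != true` if the option is always a boolean; the previous form also accepted an unset (null) value, and the option declaration is not visible in this hunk. If `validatepegin` is nullable, a regtest node that leaves it unset would now fail evaluation inside this assertion instead of passing it. A null-safe form that should still satisfy the linter is `bitcoind.regtest -> (cfg.validatepegin == null || !cfg.validatepegin);`.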


@ -170,7 +170,7 @@ let
bitcoin.active=1
bitcoin.node=bitcoind
${optionalString (cfg.tor.proxy) "tor.active=true"}
${optionalString cfg.tor.proxy "tor.active=true"}
${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}


@ -178,7 +178,7 @@ in {
isClightning = true;
enableOnion = clightning-rest.lndconnect.onion;
onionService = "${operatorName}/clightning-rest";
port = clightning-rest.port;
inherit (clightning-rest) port;
certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
}
@ -193,7 +193,7 @@ in {
relay.onionServices.clightning-rest = nbLib.mkOnionService {
target.addr = nbLib.address clightning-rest.address;
target.port = clightning-rest.port;
port = clightning-rest.port;
inherit (clightning-rest) port;
};
};
# This also allows nodeinfo to show the clightning-rest onion address


@ -269,7 +269,7 @@ in {
DATABASE = cfg.database.name;
SOCKET = "/run/mysqld/mysqld.sock";
};
} // optionalAttrs (cfg.tor.proxy) {
} // optionalAttrs cfg.tor.proxy {
# Use Tor for rate fetching
SOCKS5PROXY = {
ENABLED = true;


@ -35,23 +35,25 @@ in {
services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; };
nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];
services.bitcoind = {
enable = true;
listen = true;
dbCache = 1000;
};
services.liquidd = {
# Enable `validatepegin` to verify that a transaction sending BTC into
# Liquid exists on Bitcoin. Without it, a malicious liquid federation can
# make the node accept a sidechain that is not fully backed.
validatepegin = true;
listen = true;
};
nix-bitcoin.nodeinfo.enable = true;
services.backups.frequency = "daily";
services = {
bitcoind = {
enable = true;
listen = true;
dbCache = 1000;
};
liquidd = {
# Enable `validatepegin` to verify that a transaction sending BTC into
# Liquid exists on Bitcoin. Without it, a malicious liquid federation can
# make the node accept a sidechain that is not fully backed.
validatepegin = true;
listen = true;
};
backups.frequency = "daily";
};
# operator
nix-bitcoin.operator.enable = true;


@ -106,8 +106,8 @@ let
cfg = config.services.rtl;
nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs;
secretsDir = config.nix-bitcoin.secretsDir;
inherit (config.nix-bitcoin) secretsDir;
inherit (nbLib) optionalAttr;
node = { isLnd, index }: {
@ -149,7 +149,7 @@ let
rtlConfig = {
multiPass = "@multiPass@";
host = cfg.address;
port = cfg.port;
inherit (cfg) port;
SSO.rtlSSO = 0;
inherit nodes;
};
@ -216,7 +216,7 @@ in {
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
inherit (cfg) group;
extraGroups =
# Reads cert and macaroon from the clightning-rest datadir
optional cfg.nodes.clightning.enable clightning-rest.group ++


@ -16,7 +16,7 @@ stdenvNoCC.mkDerivation ({
name = "${src.name}-node_modules";
nativeBuildInputs = [
makeWrapper
(if args ? nodejs then args.nodejs else nodejs)
(args.nodejs or nodejs)
];
outputHashMode = "recursive";


@ -42,7 +42,7 @@ let
nixopsRelease = import "${src}/release.nix" {
nixpkgs = pkgs.path;
inherit pluginData;
p = (p: with p; [ aws hetzner vbox ]);
p = p: with p; [ aws hetzner vbox ];
};
in
nixopsRelease.build.${builtins.currentSystem}


@ -2,11 +2,9 @@
buildPythonPackageWithDepsCheck rec {
pname = "pyln-client";
version = clightning.version;
inherit (clightning) src version;
format = "pyproject";
inherit (clightning) src;
nativeBuildInputs = [ poetry-core ];
propagatedBuildInputs = [


@ -11,11 +11,9 @@
buildPythonPackageWithDepsCheck rec {
pname = "pyln-proto";
version = clightning.version;
inherit (clightning) src version;
format = "pyproject";
inherit (clightning) src;
nativeBuildInputs = [ poetry-core ];
propagatedBuildInputs = [


@ -24,7 +24,7 @@ buildPythonPackage rec {
meta = with lib; {
description = "Twisted bindings for ZeroMQ";
homepage = https://github.com/smira/txZMQ;
homepage = "https://github.com/smira/txZMQ";
license = licenses.gpl2;
};
}


@ -52,9 +52,9 @@ let
isMatching = lib.hasPrefix sourcePrefix file;
in
# Nix has no boolean XOR, so use `if`
lib.optionals (if shouldMatch then isMatching else !isMatching) (
lib.optionals (if shouldMatch then isMatching else !isMatching)
(map (service: { name = service; value = true; }) (builtins.attrNames services))
)
) systemdServices.definitionsWithLocations));
in
# Calculate set difference: matchingServices - nonMatchingServices


@ -12,9 +12,11 @@ let
nixBitcoinModule
{
# Features required by the Python test suite
nix-bitcoin.secretsDir = "/secrets";
nix-bitcoin.generateSecrets = true;
nix-bitcoin.operator.enable = true;
nix-bitcoin = {
secretsDir = "/secrets";
generateSecrets = true;
operator.enable = true;
};
environment.systemPackages = with pkgs; [ jq ];
}
];