diff --git a/modules/bitcoind.nix b/modules/bitcoind.nix
index 2b65795..e6e102a 100644
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@@ -310,7 +310,7 @@ let
 ${optionalString cfg.listenWhitelisted "whitebind=${cfg.address}:${toString cfg.whitelistedPort}"}
 ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
- ${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
+ ${optionalString cfg.i2p "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}
 ${optionalString (cfg.i2p == "only-outgoing") "i2pacceptincoming=0"}
 ${optionalString (cfg.discover != null) "discover=${if cfg.discover then "1" else "0"}"}
@@ -364,7 +364,7 @@ in {
 }
 ];
- services.i2pd = mkIf (cfg.i2p != false) {
+ services.i2pd = mkIf cfg.i2p {
 enable = true;
 proto.sam.enable = true;
 };
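Review bot: `optionalString cfg.i2p` on the new i2psam line rejects the value that the very next context line tests for, `cfg.i2p == "only-outgoing"`: `optionalString` evaluates its first argument as a Boolean, so with i2p set to that string Nix aborts evaluation with a type error instead of emitting the i2psam setting. The `mkIf cfg.i2p` introduced in the second hunk (`services.i2pd`) fails the same way, since mkIf also needs a Boolean condition. The option's type declaration is outside these hunks, but the visible string comparison shows non-Boolean values are expected, so keep the explicit comparisons: `${optionalString (cfg.i2p != false) "i2psam=${nbLib.addressWithPort i2pSAM.address i2pSAM.port}"}` and `services.i2pd = mkIf (cfg.i2p != false) {`.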
@@ -435,28 +435,33 @@ in {
 // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
 };
- users.users.${cfg.user} = {
- isSystemUser = true;
- group = cfg.group;
- };
- users.groups.${cfg.group} = {};
- users.groups.bitcoinrpc-public = {};
-
- nix-bitcoin.operator.groups = [ cfg.group ];
-
- nix-bitcoin.secrets = {
- bitcoin-rpcpassword-privileged.user = cfg.user;
- bitcoin-rpcpassword-public = {
- user = cfg.user;
- group = "bitcoinrpc-public";
+ users = {
+ users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+ groups = {
+ ${cfg.group} = {};
+ bitcoinrpc-public = {};
 };
-
- bitcoin-HMAC-privileged.user = cfg.user;
- bitcoin-HMAC-public.user = cfg.user;
 };
- nix-bitcoin.generateSecretsCmds.bitcoind = ''
- makeBitcoinRPCPassword privileged
- makeBitcoinRPCPassword public
- '';
+
+ nix-bitcoin = {
+ operator.groups = [ cfg.group ];
+ secrets = {
+ bitcoin-rpcpassword-privileged.user = cfg.user;
+ bitcoin-rpcpassword-public = {
+ user = cfg.user;
+ group = "bitcoinrpc-public";
+ };
+
+ bitcoin-HMAC-privileged.user = cfg.user;
+ bitcoin-HMAC-public.user = cfg.user;
+ };
+ generateSecretsCmds.bitcoind = ''
+ makeBitcoinRPCPassword privileged
+ makeBitcoinRPCPassword public
+ '';
+ };
 };
 }
diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index e03247d..a6c9fab 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -110,170 +110,188 @@ in { inherit options; config = mkIf cfg.btcpayserver.enable { - services.bitcoind = { - enable = true; - rpc.users.btcpayserver = { - passwordHMACFromFile = true; - rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [ - "setban" - "generatetoaddress" - "getpeerinfo" + services = { + bitcoind = { + enable = true; + rpc.users.btcpayserver = { + passwordHMACFromFile = true; + rpcwhitelist = cfg.bitcoind.rpc.users.public.rpcwhitelist ++ [ + "setban" + "generatetoaddress" + "getpeerinfo" + ]; + }; + listenWhitelisted = true; + }; + clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true; + lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") { + enable = true; + macaroons.btcpayserver = { + inherit (cfg.btcpayserver) user; + permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}''; + }; + }; + liquidd = mkIf cfg.btcpayserver.lbtc { + enable = true; + listenWhitelisted = true; + }; + postgresql = { + enable = true; + ensureDatabases = [ "btcpaydb" "nbxplorer" ]; + ensureUsers = [ + { name = cfg.btcpayserver.user; } + { name = cfg.nbxplorer.user; } ]; }; - listenWhitelisted = true; }; - services.clightning.enable = mkIf (cfg.btcpayserver.lightningBackend == "clightning") true; - services.lnd = mkIf (cfg.btcpayserver.lightningBackend == "lnd") { - enable = true; - macaroons.btcpayserver = { - inherit (cfg.btcpayserver) user; - permissions = 
''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"address","action":"read"},{"entity":"message","action":"read"},{"entity":"peers","action":"read"},{"entity":"signer","action":"read"},{"entity":"invoices","action":"read"},{"entity":"invoices","action":"write"},{"entity":"address","action":"write"}''; - }; - }; - services.liquidd = mkIf cfg.btcpayserver.lbtc { - enable = true; - listenWhitelisted = true; - }; - services.postgresql = { - enable = true; - ensureDatabases = [ "btcpaydb" "nbxplorer" ]; - ensureUsers = [ - { name = cfg.btcpayserver.user; } - { name = cfg.nbxplorer.user; } + + systemd = { + tmpfiles.rules = [ + "d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -" + "d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -" ]; - }; - systemd.services.postgresql.postStart = lib.mkAfter '' - $PSQL -tAc ' - ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}"; - ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}"; - ' - ''; - systemd.tmpfiles.rules = [ - "d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -" - "d '${cfg.btcpayserver.dataDir}' 0770 ${cfg.btcpayserver.user} ${cfg.btcpayserver.group} - -" - ]; - - systemd.services.nbxplorer = let - configFile = builtins.toFile "config" '' - network=${bitcoind.network} - btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name} - btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port} - btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort} - bind=${cfg.nbxplorer.address} - port=${toString cfg.nbxplorer.port} - ${optionalString cfg.btcpayserver.lbtc '' - chains=btc,lbtc - lbtcrpcuser=${liquidd.rpcuser} - lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port} - lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort} - ''} - 
postgres=User ID=${cfg.nbxplorer.user};Host=/run/postgresql;Database=nbxplorer - automigrate=1 - ''; - in rec { - wantedBy = [ "multi-user.target" ]; - requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service"; - after = requires ++ [ "nix-bitcoin-secrets.target" ]; - preStart = '' - install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config' - { - echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)" - ${optionalString cfg.btcpayserver.lbtc '' - echo "lbtcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/liquid-rpcpassword)" - ''} - } >> '${cfg.nbxplorer.dataDir}/settings.config' - ''; - serviceConfig = nbLib.defaultHardening // { - ExecStart = '' - ${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \ - --datadir=${cfg.nbxplorer.dataDir} + services = { + postgresql.postStart = lib.mkAfter '' + $PSQL -tAc ' + ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}"; + ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}"; + ' ''; - User = cfg.nbxplorer.user; - Restart = "on-failure"; - RestartSec = "10s"; - ReadWritePaths = [ cfg.nbxplorer.dataDir ]; - MemoryDenyWriteExecute = false; - } // nbLib.allowedIPAddresses cfg.nbxplorer.tor.enforce; - }; - systemd.services.btcpayserver = let - nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/"; - nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie"; - configFile = builtins.toFile "btcpayserver-config" ('' - network=${bitcoind.network} - bind=${cfg.btcpayserver.address} - port=${toString cfg.btcpayserver.port} - socksendpoint=${config.nix-bitcoin.torClientAddressWithPort} - btcexplorerurl=${nbExplorerUrl} - btcexplorercookiefile=${nbExplorerCookie} - postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb - '' + optionalString (cfg.btcpayserver.rootpath != null) '' - 
rootpath=${cfg.btcpayserver.rootpath} - '' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") '' - btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc - '' + optionalString (cfg.btcpayserver.lightningBackend == "lnd") - ( - "btclightning=type=lnd-rest;" + - "server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" + - "macaroonfilepath=/run/lnd/btcpayserver.macaroon;" + - "certfilepath=${config.services.lnd.certPath}" + - "\n" - ) - + optionalString cfg.btcpayserver.lbtc '' - chains=btc,lbtc - lbtcexplorerurl=${nbExplorerUrl} - lbtcexplorercookiefile=${nbExplorerCookie} - ''); - in let self = { - wantedBy = [ "multi-user.target" ]; - requires = [ "nbxplorer.service" "postgresql.service" ] - ++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service"; - after = self.requires; - serviceConfig = nbLib.defaultHardening // { - ExecStart = '' - ${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \ - --datadir='${cfg.btcpayserver.dataDir}' - ''; - User = cfg.btcpayserver.user; - # Also restart after the program has exited successfully. - # This is required to support restarting from the web interface after - # interactive plugin installation. - # Restart rate limiting is implemented via the `startLimit*` options below. 
- Restart = "always"; - ReadWritePaths = [ cfg.btcpayserver.dataDir ]; - MemoryDenyWriteExecute = false; - } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce; - startLimitIntervalSec = 30; - startLimitBurst = 10; - }; in self; + nbxplorer = let + configFile = builtins.toFile "config" '' + network=${bitcoind.network} + btcrpcuser=${cfg.bitcoind.rpc.users.btcpayserver.name} + btcrpcurl=http://${nbLib.addressWithPort bitcoind.rpc.address cfg.bitcoind.rpc.port} + btcnodeendpoint=${nbLib.addressWithPort bitcoind.address bitcoind.whitelistedPort} + bind=${cfg.nbxplorer.address} + port=${toString cfg.nbxplorer.port} + ${optionalString cfg.btcpayserver.lbtc '' + chains=btc,lbtc + lbtcrpcuser=${liquidd.rpcuser} + lbtcrpcurl=http://${nbLib.addressWithPort liquidd.rpc.address liquidd.rpc.port} + lbtcnodeendpoint=${nbLib.addressWithPort liquidd.address liquidd.whitelistedPort} + ''} + postgres=User ID=${cfg.nbxplorer.user};Host=/run/postgresql;Database=nbxplorer + automigrate=1 + ''; + in rec { + wantedBy = [ "multi-user.target" ]; + requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service"; + after = requires ++ [ "nix-bitcoin-secrets.target" ]; + preStart = '' + install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config' + { + echo "btcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-btcpayserver)" + ${optionalString cfg.btcpayserver.lbtc '' + echo "lbtcrpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/liquid-rpcpassword)" + ''} + } >> '${cfg.nbxplorer.dataDir}/settings.config' + ''; + serviceConfig = nbLib.defaultHardening // { + ExecStart = '' + ${cfg.nbxplorer.package}/bin/nbxplorer --conf=${cfg.nbxplorer.dataDir}/settings.config \ + --datadir=${cfg.nbxplorer.dataDir} + ''; + User = cfg.nbxplorer.user; + Restart = "on-failure"; + RestartSec = "10s"; + ReadWritePaths = [ cfg.nbxplorer.dataDir ]; + MemoryDenyWriteExecute = false; + } // nbLib.allowedIPAddresses 
cfg.nbxplorer.tor.enforce; + }; - users.users.${cfg.nbxplorer.user} = { - isSystemUser = true; - group = cfg.nbxplorer.group; - extraGroups = [ "bitcoinrpc-public" ] - ++ optional cfg.btcpayserver.lbtc liquidd.group; - home = cfg.nbxplorer.dataDir; - }; - users.groups.${cfg.nbxplorer.group} = {}; - users.users.${cfg.btcpayserver.user} = { - isSystemUser = true; - group = cfg.btcpayserver.group; - extraGroups = [ cfg.nbxplorer.group ] - ++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user; - home = cfg.btcpayserver.dataDir; - }; - users.groups.${cfg.btcpayserver.group} = {}; - - nix-bitcoin.secrets = { - bitcoin-rpcpassword-btcpayserver = { - user = cfg.bitcoind.user; - group = cfg.nbxplorer.group; + btcpayserver = let + nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/"; + nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie"; + configFile = builtins.toFile "btcpayserver-config" ('' + network=${bitcoind.network} + bind=${cfg.btcpayserver.address} + port=${toString cfg.btcpayserver.port} + socksendpoint=${config.nix-bitcoin.torClientAddressWithPort} + btcexplorerurl=${nbExplorerUrl} + btcexplorercookiefile=${nbExplorerCookie} + postgres=User ID=${cfg.btcpayserver.user};Host=/run/postgresql;Database=btcpaydb + '' + optionalString (cfg.btcpayserver.rootpath != null) '' + rootpath=${cfg.btcpayserver.rootpath} + '' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") '' + btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc + '' + optionalString (cfg.btcpayserver.lightningBackend == "lnd") + ( + "btclightning=type=lnd-rest;" + + "server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" + + "macaroonfilepath=/run/lnd/btcpayserver.macaroon;" + + "certfilepath=${config.services.lnd.certPath}" + + "\n" + ) + + optionalString cfg.btcpayserver.lbtc '' + 
chains=btc,lbtc + lbtcexplorerurl=${nbExplorerUrl} + lbtcexplorercookiefile=${nbExplorerCookie} + ''); + serviceRequires = [ "nbxplorer.service" "postgresql.service" ] + ++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service"; + in { + wantedBy = [ "multi-user.target" ]; + requires = serviceRequires; + after = serviceRequires; + serviceConfig = nbLib.defaultHardening // { + ExecStart = '' + ${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \ + --datadir='${cfg.btcpayserver.dataDir}' + ''; + User = cfg.btcpayserver.user; + # Also restart after the program has exited successfully. + # This is required to support restarting from the web interface after + # interactive plugin installation. + # Restart rate limiting is implemented via the `startLimit*` options below. + Restart = "always"; + ReadWritePaths = [ cfg.btcpayserver.dataDir ]; + MemoryDenyWriteExecute = false; + } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce; + startLimitIntervalSec = 30; + startLimitBurst = 10; + }; }; - bitcoin-HMAC-btcpayserver.user = cfg.bitcoind.user; }; - nix-bitcoin.generateSecretsCmds.btcpayserver = '' - makeBitcoinRPCPassword btcpayserver - ''; + + users = { + users = { + ${cfg.nbxplorer.user} = { + isSystemUser = true; + inherit (cfg.nbxplorer) group; + extraGroups = [ "bitcoinrpc-public" ] + ++ optional cfg.btcpayserver.lbtc liquidd.group; + home = cfg.nbxplorer.dataDir; + }; + + ${cfg.btcpayserver.user} = { + isSystemUser = true; + inherit (cfg.btcpayserver) group; + extraGroups = [ cfg.nbxplorer.group ] + ++ optional (cfg.btcpayserver.lightningBackend == "clightning") cfg.clightning.user; + home = cfg.btcpayserver.dataDir; + }; + }; + + groups = { + ${cfg.nbxplorer.group} = {}; + ${cfg.btcpayserver.group} = {}; + }; + }; + + nix-bitcoin = { + secrets = { + bitcoin-rpcpassword-btcpayserver = { + inherit (cfg.bitcoind) user; + inherit (cfg.nbxplorer) group; + }; + bitcoin-HMAC-btcpayserver.user = 
cfg.bitcoind.user;
+ };
+ generateSecretsCmds.btcpayserver = ''
+ makeBitcoinRPCPassword btcpayserver
+ '';
+ };
 };
 }
diff --git a/modules/charge-lnd.nix b/modules/charge-lnd.nix
index 5de39ea..d314ca1 100644
--- a/modules/charge-lnd.nix
+++ b/modules/charge-lnd.nix
@@ -90,7 +90,7 @@ in
 services.lnd = {
 enable = true;
 macaroons.charge-lnd = {
- user = user;
+ inherit user;
 permissions = ''{"entity":"info","action":"read"},{"entity":"onchain","action":"read"},{"entity":"offchain","action":"read"},{"entity":"offchain","action":"write"}'';
 };
 };
@@ -134,7 +134,7 @@ in
 users.users.${user} = {
 isSystemUser = true;
- group = group;
+ inherit group;
 };
 users.groups.${group} = {};
 };
diff --git a/modules/clightning-plugins/trustedcoin.nix b/modules/clightning-plugins/trustedcoin.nix
index 9ac14ca..5b96a18 100644
--- a/modules/clightning-plugins/trustedcoin.nix
+++ b/modules/clightning-plugins/trustedcoin.nix
@@ -29,7 +29,7 @@ let cfg = config.services.clightning.plugins.trustedcoin; in
 tor.enforce = mkIf (!cfg.tor.proxy) false;
 };
- systemd.services.clightning.environment = mkIf (cfg.tor.proxy) {
+ systemd.services.clightning.environment = mkIf cfg.tor.proxy {
 HTTPS_PROXY = let
 clnProxy = config.services.clightning.proxy;
 proxy = if clnProxy != null then clnProxy else config.nix-bitcoin.torClientAddressWithPort;
diff --git a/modules/clightning-replication.nix b/modules/clightning-replication.nix
index 34dd341..b635eeb 100644
--- a/modules/clightning-replication.nix
+++ b/modules/clightning-replication.nix
@@ -209,7 +209,7 @@ in {
 nix-bitcoin = mkMerge [
 (mkIf useSshfs {
 secrets.clightning-replication-ssh-key = {
- user = user;
+ inherit user;
 permissions = "400";
 };
 generateSecretsCmds.clightning-replication-ssh-key = ''
diff --git a/modules/hardware-wallets.nix b/modules/hardware-wallets.nix
index 6957f5c..4dce75a 100644
--- a/modules/hardware-wallets.nix
+++ b/modules/hardware-wallets.nix
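Review bot: The rewritten `btcpayserver` service now computes its dependencies in a `serviceRequires` let-binding (`requires = serviceRequires; after = serviceRequires;`), while the sibling `nbxplorer` service in the same hunk keeps the `rec { requires = ...; after = requires ++ [...]; }` form, so the two services now express the same relationship in two idioms. Using one form for both, e.g. `rec { requires = ...; after = requires; }` in btcpayserver (which is what the removed `after = self.requires;` did), keeps the module consistent. The re-indentation under `services = { ... }` and `users = { ... }` also buries the one real rewrite (`self` → `serviceRequires`) and the `group = …` → `inherit (…) group` substitutions in a 170-line hunk; reviewing with whitespace ignored, or splitting the regrouping from the rewrite, would make the intended no-op verifiable. The module's `let … in {` header lies before the hunk.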
@@ -33,7 +33,7 @@ in {
 config = mkMerge [
 (mkIf (cfg.ledger || cfg.trezor) {
 assertions = [
- { assertion = (config.services.bitcoind.disablewallet == null || !config.services.bitcoind.disablewallet);
+ { assertion = config.services.bitcoind.disablewallet == null || !config.services.bitcoind.disablewallet;
 message = ''
 Hardware-Wallets are not compatible with bitcoind.disablewallet.
 '';
diff --git a/modules/joinmarket.nix b/modules/joinmarket.nix
index 34343fa..c642976 100644
--- a/modules/joinmarket.nix
+++ b/modules/joinmarket.nix
@@ -369,23 +369,26 @@ in {
 } // nbLib.allowedIPAddresses cfg.tor.enforce;
 };
- users.users.${cfg.user} = {
- isSystemUser = true;
- group = cfg.group;
- home = cfg.dataDir;
- # Allow access to the tor control socket, needed for payjoin onion service creation
- extraGroups = [ "tor" "bitcoin" ];
+ users = {
+ users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ home = cfg.dataDir;
+ # Allow access to the tor control socket, needed for payjoin onion service creation
+ extraGroups = [ "tor" "bitcoin" ];
+ };
+ groups.${cfg.group} = {};
 };
- users.groups.${cfg.group} = {};
- nix-bitcoin.operator = {
- groups = [ cfg.group ];
- allowRunAsUsers = [ cfg.user ];
+ nix-bitcoin = {
+ operator = {
+ groups = [ cfg.group ];
+ allowRunAsUsers = [ cfg.user ];
+ };
+ secrets.jm-wallet-password.user = cfg.user;
+ generateSecretsCmds.joinmarket = ''
+ makePasswordSecret jm-wallet-password
+ '';
 };
-
- nix-bitcoin.secrets.jm-wallet-password.user = cfg.user;
- nix-bitcoin.generateSecretsCmds.joinmarket = ''
- makePasswordSecret jm-wallet-password
- '';
 }
 (mkIf cfg.yieldgenerator.enable {
diff --git a/modules/liquid.nix b/modules/liquid.nix
index 1ad6c5c..8a68af8 100644
--- a/modules/liquid.nix
+++ b/modules/liquid.nix
@@ -237,7 +237,7 @@ in {
 config = mkIf cfg.enable {
 assertions = [
- { assertion = bitcoind.regtest -> cfg.validatepegin != true;
+ { assertion = bitcoind.regtest -> !cfg.validatepegin;
 message = "liquidd: `validatepegin` is incompatible with regtest.";
 }
 ];
diff --git a/modules/lnd.nix b/modules/lnd.nix
index c2b9c08..18f5d57 100644
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@@ -170,7 +170,7 @@ let
 bitcoin.active=1
 bitcoin.node=bitcoind
- ${optionalString (cfg.tor.proxy) "tor.active=true"}
+ ${optionalString cfg.tor.proxy "tor.active=true"}
 ${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
 bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}
diff --git a/modules/lndconnect.nix b/modules/lndconnect.nix
index bc39ab8..521557d 100644
--- a/modules/lndconnect.nix
+++ b/modules/lndconnect.nix
@@ -178,7 +178,7 @@ in {
 isClightning = true;
 enableOnion = clightning-rest.lndconnect.onion;
 onionService = "${operatorName}/clightning-rest";
- port = clightning-rest.port;
+ inherit (clightning-rest) port;
 certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
 macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
 }
@@ -193,7 +193,7 @@ in {
 relay.onionServices.clightning-rest = nbLib.mkOnionService {
 target.addr = nbLib.address clightning-rest.address;
 target.port = clightning-rest.port;
- port = clightning-rest.port;
+ inherit (clightning-rest) port;
 };
 };
 # This also allows nodeinfo to show the clightning-rest onion address
diff --git a/modules/mempool.nix b/modules/mempool.nix
index 422f219..6538607 100644
--- a/modules/mempool.nix
+++ b/modules/mempool.nix
@@ -269,7 +269,7 @@ in {
 DATABASE = cfg.database.name;
 SOCKET = "/run/mysqld/mysqld.sock";
 };
- } // optionalAttrs (cfg.tor.proxy) {
+ } // optionalAttrs cfg.tor.proxy {
 # Use Tor for rate fetching
 SOCKS5PROXY = {
 ENABLED = true;
diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix
index 90ffd43..b3fdf0b 100644
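Review bot: `!cfg.validatepegin` in the liquidd assertion is only equivalent to the removed `cfg.validatepegin != true` when the option is a plain Boolean; the option's declaration is outside the hunk, but the original comparison form and the `disablewallet == null || !…` pattern kept in the hardware-wallets hunk suggest this codebase uses nullable Booleans for daemon settings. If `validatepegin` can be `null`, a regtest node no longer gets a passing assertion but an evaluation type error on `!null`, because `->` only short-circuits when `bitcoind.regtest` is false. Either keep `cfg.validatepegin != true` or write `bitcoind.regtest -> (cfg.validatepegin == null || !cfg.validatepegin)` to match the hardware-wallets style.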
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@@ -35,23 +35,25 @@ in {
 services.tor.relay.onionServices.sshd = nbLib.mkOnionService { port = 22; };
 nix-bitcoin.onionAddresses.access.${operatorName} = [ "sshd" ];
- services.bitcoind = {
- enable = true;
- listen = true;
- dbCache = 1000;
- };
-
- services.liquidd = {
- # Enable `validatepegin` to verify that a transaction sending BTC into
- # Liquid exists on Bitcoin. Without it, a malicious liquid federation can
- # make the node accept a sidechain that is not fully backed.
- validatepegin = true;
- listen = true;
- };
- nix-bitcoin.nodeinfo.enable = true;
- services.backups.frequency = "daily";
+ services = {
+ bitcoind = {
+ enable = true;
+ listen = true;
+ dbCache = 1000;
+ };
+
+ liquidd = {
+ # Enable `validatepegin` to verify that a transaction sending BTC into
+ # Liquid exists on Bitcoin. Without it, a malicious liquid federation can
+ # make the node accept a sidechain that is not fully backed.
+ validatepegin = true;
+ listen = true;
+ };
+
+ backups.frequency = "daily";
+ };
 # operator
 nix-bitcoin.operator.enable = true;
diff --git a/modules/rtl.nix b/modules/rtl.nix
index 73e9cf0..d7b41de 100644
--- a/modules/rtl.nix
+++ b/modules/rtl.nix
@@ -106,8 +106,8 @@ let
 cfg = config.services.rtl;
 nbLib = config.nix-bitcoin.lib;
 nbPkgs = config.nix-bitcoin.pkgs;
- secretsDir = config.nix-bitcoin.secretsDir;
+ inherit (config.nix-bitcoin) secretsDir;
 inherit (nbLib) optionalAttr;
 node = { isLnd, index }: {
@@ -149,7 +149,7 @@ let
 rtlConfig = {
 multiPass = "@multiPass@";
 host = cfg.address;
- port = cfg.port;
+ inherit (cfg) port;
 SSO.rtlSSO = 0;
 inherit nodes;
 };
@@ -216,7 +216,7 @@ in {
 users.users.${cfg.user} = {
 isSystemUser = true;
- group = cfg.group;
+ inherit (cfg) group;
 extraGroups =
 # Reads cert and macaroon from the clightning-rest datadir
 optional cfg.nodes.clightning.enable clightning-rest.group ++
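Review bot: The secure-node hunk removes `nix-bitcoin.nodeinfo.enable = true;` and nothing in the new `services = { … }` block or elsewhere in this file section re-adds it, whereas every other removed line reappears regrouped. In a change that otherwise only nests attributes this reads as an accidental drop that would silently disable nodeinfo for users of the preset; if it is deliberate, the commit should say so (the commit message is not in view here). Otherwise restore it beside the surviving `nix-bitcoin.operator.enable = true;` context line: `nix-bitcoin.nodeinfo.enable = true;`.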
diff --git a/pkgs/build-support/fetch-node-modules.nix b/pkgs/build-support/fetch-node-modules.nix
index 2376b6f..7b0c5c5 100644
--- a/pkgs/build-support/fetch-node-modules.nix
+++ b/pkgs/build-support/fetch-node-modules.nix
@@ -16,7 +16,7 @@ stdenvNoCC.mkDerivation ({
 name = "${src.name}-node_modules";
 nativeBuildInputs = [
 makeWrapper
- (if args ? nodejs then args.nodejs else nodejs)
+ (args.nodejs or nodejs)
 ];
 outputHashMode = "recursive";
diff --git a/pkgs/nixops/default.nix b/pkgs/nixops/default.nix
index e7857c7..5a018a0 100644
--- a/pkgs/nixops/default.nix
+++ b/pkgs/nixops/default.nix
@@ -42,7 +42,7 @@ let
 nixopsRelease = import "${src}/release.nix" {
 nixpkgs = pkgs.path;
 inherit pluginData;
- p = (p: with p; [ aws hetzner vbox ]);
+ p = p: with p; [ aws hetzner vbox ];
 };
 in
 nixopsRelease.build.${builtins.currentSystem}
diff --git a/pkgs/python-packages/pyln-client/default.nix b/pkgs/python-packages/pyln-client/default.nix
index 872aaf8..2cdcb24 100644
--- a/pkgs/python-packages/pyln-client/default.nix
+++ b/pkgs/python-packages/pyln-client/default.nix
@@ -2,11 +2,9 @@ buildPythonPackageWithDepsCheck rec {
 pname = "pyln-client";
- version = clightning.version;
+ inherit (clightning) src version;
 format = "pyproject";
- inherit (clightning) src;
-
 nativeBuildInputs = [ poetry-core ];
 propagatedBuildInputs = [
diff --git a/pkgs/python-packages/pyln-proto/default.nix b/pkgs/python-packages/pyln-proto/default.nix
index 6d3b1fa..d0d6a84 100644
--- a/pkgs/python-packages/pyln-proto/default.nix
+++ b/pkgs/python-packages/pyln-proto/default.nix
@@ -11,11 +11,9 @@ buildPythonPackageWithDepsCheck rec {
 pname = "pyln-proto";
- version = clightning.version;
+ inherit (clightning) src version;
 format = "pyproject";
- inherit (clightning) src;
-
 nativeBuildInputs = [ poetry-core ];
 propagatedBuildInputs = [
diff --git a/pkgs/python-packages/txzmq/default.nix b/pkgs/python-packages/txzmq/default.nix
index b3799aa..7bd90b6 100644
--- a/pkgs/python-packages/txzmq/default.nix +++ b/pkgs/python-packages/txzmq/default.nix @@ -24,7 +24,7 @@ buildPythonPackage rec { meta = with lib; { description = "Twisted bindings for ZeroMQ"; - homepage = https://github.com/smira/txZMQ; + homepage = "https://github.com/smira/txZMQ"; license = licenses.gpl2; }; } diff --git a/test/lib/shellcheck-services.nix b/test/lib/shellcheck-services.nix index 14e1d02..5c40ba2 100644 --- a/test/lib/shellcheck-services.nix +++ b/test/lib/shellcheck-services.nix @@ -52,9 +52,9 @@ let isMatching = lib.hasPrefix sourcePrefix file; in # Nix has no boolean XOR, so use `if` - lib.optionals (if shouldMatch then isMatching else !isMatching) ( + lib.optionals (if shouldMatch then isMatching else !isMatching) (map (service: { name = service; value = true; }) (builtins.attrNames services)) - ) + ) systemdServices.definitionsWithLocations)); in # Calculate set difference: matchingServices - nonMatchingServices diff --git a/test/tests.nix b/test/tests.nix index fb92119..66682d9 100644 --- a/test/tests.nix +++ b/test/tests.nix @@ -12,9 +12,11 @@ let nixBitcoinModule { # Features required by the Python test suite - nix-bitcoin.secretsDir = "/secrets"; - nix-bitcoin.generateSecrets = true; - nix-bitcoin.operator.enable = true; + nix-bitcoin = { + secretsDir = "/secrets"; + generateSecrets = true; + operator.enable = true; + }; environment.systemPackages = with pkgs; [ jq ]; } ];