Merge #610: update nixpkgs

af87d59 obsolete-options: simplify removal of clightning plugin `commando` (Erik Arvstedt)
9b575e4 test/backups: check that bitcoind stops without errors (Erik Arvstedt)
8a791b7 rtl: 0.13.6 -> 0.14.0 (Erik Arvstedt)
3650d4b bitcoin: replace nixpkgs package with bitcoin{,d} 24.1 (Jonas Nick)
75e54bb spark-wallet: remove package and module (Jonas Nick)
29a95ea clightning-rest: update module to v0.10.3 (Erik Arvstedt)
67475f7 clightning-rest: 0.9.0 -> 0.10.3 (Erik Arvstedt)
fe76516 bitcoind: update module to v25.0 (Erik Arvstedt)
9c59b96 clightning-plugins: add prometheus patch for clightning 23.05 (Jonas Nick)
9aea69e clightning-plugins: update (Jonas Nick)
2166bfd clboss: deprecate, add clighting 23.05 compatibility (Erik Arvstedt)
dcc5a54 update nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK af87d59

Tree-SHA512: 8bc6bc1aa01f342047b9b5cc468ab4af1f71a16d7f575f7e5108f2dfb0121160d777ead5b6714506a911066d594a37c6e14b774eb1bc1cb674ddea85e2e33c5a

Author: jonasnick

README.md

@@ -90,7 +90,6 @@ NixOS modules ([src](modules/modules.nix))
     clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
     [Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
   * [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
-  * [spark-wallet](https://github.com/shesek/spark-wallet)
   * [electrs](https://github.com/romanz/electrs): Electrum server
   * [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs)
   * [btcpayserver](https://github.com/btcpayserver/btcpayserver)

SECURITY.md

@@ -45,7 +45,7 @@ all other security vulnerabilities.
 | Type | Description | Examples |
 | :-: | :-: | :-: |
 | Outright Vulnerabilities | Vulnerabilities in nix-bitcoin specific tooling (except CI tooling) | privilege escalation in SUID binary `netns-exec`, improper release signature verification through `fetch-release` |
-| Violations of [PoLP](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | nix-bitcoin services are given too much privilege over the system or unnecessary access to other nix-bitcoin services, or one of the nix-bitcoin isolation measures is incorrectly implemented | `netns-isolation` doesn't work, spark-wallet has access to bitcoin RPC interface or files |
+| Violations of [PoLP](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | nix-bitcoin services are given too much privilege over the system or unnecessary access to other nix-bitcoin services, or one of the nix-bitcoin isolation measures is incorrectly implemented | `netns-isolation` doesn't work, RTL has access to bitcoin RPC interface or files |
 | Vulnerabilities in Dependencies | A vulnerability in any dependency of a nix-bitcoin installation with a configuration consisting of any combination of the following services: bitcoind, clightning, lnd, electrs, joinmarket, btcpayserver, liquidd.<br />**Note:** The vulnerability must first be reported to and handled by the maintainers of the dependency before it qualifies for a reward| Compromised NixOS expression pulls in malicious package, JoinMarket pulls in a python dependency with a known severe vulnerability |
 | Bad Documentation | Our documentation suggests blatantly insecure things | `install.md` tells you to add our SSH keys to your root user |
 | Compromise of Signing Key | Compromise of the nix-bitcoin signing key, i.e., `0xB1A70E4F8DCD0366` | Leaking the key, managing to sign something with it |

dev/dev-features.sh

@@ -127,22 +127,6 @@ c systemctl status clightning-rest
 c journalctl -u clightning-rest
 c systemctl status clightning-rest-migrate-datadir
 
-#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
-# spark-wallet
-
-run-tests.sh -s "{
-  services.spark-wallet.enable = true;
-  test.container.exposeLocalhost = true;
-}" container
-
-c systemctl status spark-wallet
-c journalctl -u spark-wallet
-
-sparkAuth=$(c cat /secrets/spark-wallet-login | grep -ohP '(?<=login=).*')
-curl -v http://$sparkAuth@$ip:9737
-# Open in browser
-runuser -u "$(logname)" -- xdg-open http://$sparkAuth@$ip:9737
-
 #―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
 # electrs
 

docs/services.md

@@ -291,49 +291,6 @@ Create a plain text URL:
 lndconnect-wg --url
 ``````
 
-# Connect to spark-wallet
-### Requirements
-* Android phone
-* [Orbot](https://guardianproject.info/apps/orbot/) installed from [F-Droid](https://guardianproject.info/fdroid) (recommended) or [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android&hl=en)
-* [Spark-wallet](https://github.com/shesek/spark-wallet) installed from [direct download](https://github.com/shesek/spark-wallet/releases) or [Google Play](https://play.google.com/store/apps/details?id=com.spark.wallet)
-
-1. Enable spark-wallet in `configuration.nix`
-
-    Change
-    ```
-    # services.spark-wallet.enable = true;
-    ```
-    to
-    ```
-    services.spark-wallet.enable = true;
-    ```
-
-2. Deploy new `configuration.nix`
-
-3. Enable Orbot VPN for spark-wallet
-
-    ```
-    Open Orbot app
-    Turn on "VPN Mode"
-    Select Gear icon under "Tor-Enabled Apps"
-    Toggle checkbox under Spark icon
-    ```
-
-4. Get the onion address, access key and QR access code for the spark wallet android app
-
-    ```
-    journalctl -eu spark-wallet
-    ```
-    Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlighting the entire output to invert the colors.
-
-5. Connect to spark-wallet android app
-
-    ```
-    Server Settings
-    Scan QR
-    Done
-    ```
-
 # Connect to electrs
 ### Requirements Android
 * Android phone

examples/configuration.nix

@@ -126,12 +126,6 @@
   # Automatically enables lightning-loop.
   # services.rtl.nodes.lnd.loop = true;
 
-  ### SPARK WALLET
-  # Set this to enable spark-wallet, a minimalistic wallet GUI for
-  # c-lightning, accessible over the web or through mobile and desktop apps.
-  # Automatically enables clightning.
-  # services.spark-wallet.enable = true;
-
   ### ELECTRS
   # Set this to enable electrs, an Electrum server implemented in Rust.
   # services.electrs.enable = true;

flake.lock

@@ -414,6 +414,8 @@ in {
       # Enable RPC access for group
       postStart = ''
         chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
+      '' + (optionalString cfg.regtest) ''
+        chmod g=x '${cfg.dataDir}/regtest'
       '';
 
       serviceConfig = nbLib.defaultHardening // {

modules/bitcoind.nix

@@ -12,6 +12,11 @@ let cfg = config.services.clightning.plugins.clboss; in
         See also: https://github.com/ZmnSCPxj/clboss#operating
       '';
     };
+    acknowledgeDeprecation = mkOption {
+      type = types.bool;
+      default = false;
+      internal = true;
+    };
     min-onchain = mkOption {
       type = types.ints.positive;
       default = 30000;
@@ -49,13 +54,30 @@ let cfg = config.services.clightning.plugins.clboss; in
   };
 
   config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.acknowledgeDeprecation;
+        message = ''
+          `clboss` is no longer maintained and has been deprecated.
+
+          Warning: For compatibility with clighting 23.05, the nix-bitcoin `clboss` package
+          includes a third-party fix that has not been thoroughly tested:
+          https://github.com/ZmnSCPxj/clboss/pull/162
+
+          To ignore this warning and continue using `clboss`, add the following to your config:
+          services.clightning.plugins.clboss.acknowledgeDeprecation = true;
+        '';
+      }
+    ];
+
     services.clightning.extraConfig = ''
       plugin=${cfg.package}/bin/clboss
       clboss-min-onchain=${toString cfg.min-onchain}
       clboss-min-channel=${toString cfg.min-channel}
       clboss-max-channel=${toString cfg.max-channel}
       clboss-zerobasefee=${cfg.zerobasefee}
     '';
+
     systemd.services.clightning.path = [
       pkgs.dnsutils
     ] ++ optional config.services.clightning.tor.proxy (hiPrio config.nix-bitcoin.torify);

modules/clightning-plugins/clboss.nix

@@ -97,6 +97,7 @@ in {
         Restart = "on-failure";
         RestartSec = "10s";
         ReadWritePaths = [ cfg.dataDir ];
+        inherit (nbLib.allowNetlink) RestrictAddressFamilies;
       } // nbLib.allowedIPAddresses cfg.tor.enforce
         // nbLib.nodejs;
     };

modules/clightning-rest.nix

@@ -14,7 +14,6 @@
     ./clightning-plugins
     ./clightning-rest.nix
     ./clightning-replication.nix
-    ./spark-wallet.nix
     ./lnd.nix
     ./lightning-loop.nix
     ./lightning-pool.nix