Merge #171: Hardening DAC

b8e10afe18 recurring-donations: Run under recurring-donations user (nixbitcoin) 5d01ea7101 nodeinfo: Convert to module and allow alternative operator username (nixbitcoin) 95d230d1d6 Remove bitcoinrpc group remnants (nixbitcoin) 563b210835 spark-wallet: Run under spark-wallet user (nixbitcoin) 205fca3576 bitcoind: only make blocksdir group-readable when dataDirReadableByGroup (nixbitcoin) 81a04a4ef1 lightning-charge: add dedicated user (nixbitcoin) e67a818297 lightning-charge: 0.4.14 -> 0.4.19 (nixbitcoin) 0ba55757f8 clightning: allow group access to RPC socket (nixbitcoin) 304dd297ba clightning: remove config group read access (nixbitcoin) 04c6936ce9 clightning: Remove clightning "bitcoinrpc" membership (nixbitcoin) 393ab0fb3c electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes (nixbitcoin) 7cfae66db4 electrs: Drop insecure TLS ciphers (nixbitcoin) 4c139a6d77 electrs: Make TLSProxy truly optional (nixbitcoin) Pull request description: ACKs for top commit: jonasnick: ACK b8e10afe18 Tree-SHA512: d3828961b42b8730818b6f55bd9cb19a9c1a1fcecc426da903ba1304251bb4b3b38ff0e4d7b29945ae1bf3c7a42719431b8c91b74b01aeb8d3671026c3d6df75
2020-05-19 12:24:53 +00:00 · 2020-05-19 12:24:53 +00:00 · 0ac1e496b2
parent ca7f287f6d b8e10afe18
commit 0ac1e496b2
17 changed files with 427 additions and 777 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -268,7 +268,7 @@ in {
          mkdir -m 0770 -p '${cfg.dataDir}/blocks'
        fi
        chown -R '${cfg.user}:${cfg.group}' '${cfg.dataDir}'
-        chmod -R g+rX '${cfg.dataDir}/blocks'
+        ${optionalString cfg.dataDirReadableByGroup  "chmod -R g+rX '${cfg.dataDir}/blocks'"}

        cfg=$(cat ${configFile}; printf "rpcpassword="; cat "${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword")
        confFile='${cfg.dataDir}/bitcoin.conf'
@ -332,11 +332,9 @@ in {
      description = "Bitcoin daemon user";
    };
    users.groups.${cfg.group} = {};
-    users.groups.bitcoinrpc = {};

    nix-bitcoin.secrets.bitcoin-rpcpassword = {
      user = "bitcoin";
-      group = "bitcoinrpc";
    };
  };
 }
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@ -13,6 +13,7 @@ let
    always-use-proxy=${if cfg.always-use-proxy then "true" else "false"}
    ${optionalString (cfg.bind-addr != null) "bind-addr=${cfg.bind-addr}"}
    bitcoin-rpcuser=${cfg.bitcoin-rpcuser}
+    rpc-file-mode=0660
  '';
 in {
  options.services.clightning = {
@ -61,10 +62,8 @@ in {
    cli = mkOption {
      readOnly = true;
      default = pkgs.writeScriptBin "lightning-cli"
-      # Switch user because c-lightning doesn't allow setting the permissions of the rpc socket
-      # https://github.com/ElementsProject/lightning/issues/1366
      ''
-        exec sudo -u clightning ${pkgs.nix-bitcoin.clightning}/bin/lightning-cli --lightning-dir='${cfg.dataDir}' "$@"
+        ${pkgs.nix-bitcoin.clightning}/bin/lightning-cli --lightning-dir='${cfg.dataDir}' "$@"
      '';
      description = "Binary to connect with the clightning instance.";
    };
@ -76,7 +75,6 @@ in {
    users.users.clightning = {
        description = "clightning User";
        group = "clightning";
-        extraGroups = [ "bitcoinrpc" ];
    };
    users.groups.clightning = {};

@ -90,10 +88,9 @@ in {
        mkdir -m 0770 -p ${cfg.dataDir}
        cp ${configFile} ${cfg.dataDir}/config
        chown -R 'clightning:clightning' '${cfg.dataDir}'
-        # give group read access to allow using lightning-cli
-        chmod u=rw,g=r,o= ${cfg.dataDir}/config
        # The RPC socket has to be removed otherwise we might have stale sockets
        rm -f ${cfg.dataDir}/bitcoin/lightning-rpc
+        chmod 600 ${cfg.dataDir}/config
        echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword)" >> '${cfg.dataDir}/config'
        '';
      serviceConfig = {
@ -112,6 +109,8 @@ in {
        while [[ ! -e ${cfg.dataDir}/bitcoin/lightning-rpc ]]; do
            sleep 0.1
        done
+        # Needed to enable lightning-cli for users with group 'clightning'
+        chmod g+x ${cfg.dataDir}/bitcoin
      '';
    };
  };
--- a/modules/electrs.nix
+++ b/modules/electrs.nix
@ -106,7 +106,7 @@ in {
    users.users.${cfg.user} = {
      description = "electrs User";
      group = cfg.group;
-      extraGroups = [ "bitcoinrpc" "bitcoin"];
+      extraGroups = optionals cfg.high-memory [ "bitcoin" ];
    };
    users.groups.${cfg.group} = {};
  }
@ -136,7 +136,7 @@ in {
            ssl_certificate_key ${secretsDir}/nginx-key;
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 4h;
-            ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_prefer_server_ciphers on;
          }
        }
--- a/modules/lightning-charge.nix
+++ b/modules/lightning-charge.nix
@ -5,6 +5,8 @@ with lib;
 let
  cfg = config.services.lightning-charge;
  inherit (config) nix-bitcoin-services;
+  user = config.users.users.lightning-charge.name;
+  group = config.users.users.lightning-charge.group;
 in {
  options.services.lightning-charge = {
    enable = mkOption {
@ -14,35 +16,51 @@ in {
        If enabled, the lightning-charge service will be installed.
      '';
    };
-    clightning-datadir = mkOption {
-      type = types.str;
-      default = "/var/lib/clighting/";
-      description = ''
-        Data directory of the clightning service
-      '';
+    dataDir = mkOption {
+      type = types.path;
+      default = "/var/lib/lightning-charge";
+      description = "The data directory for lightning-charge.";
    };
  };

  config = mkIf cfg.enable {
+    users.users.lightning-charge = {
+      description = "lightning-charge User";
+      group = "lightning-charge";
+      extraGroups = [ "clightning" ];
+    };
+    users.groups.lightning-charge = {};
+
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0700 ${user} ${group} - -"
+    ];
+
    environment.systemPackages = [ pkgs.nix-bitcoin.lightning-charge ];
    systemd.services.lightning-charge = {
      description = "Run lightning-charge";
      wantedBy = [ "multi-user.target" ];
      requires = [ "clightning.service" ];
      after = [ "clightning.service" ];
+      preStart = ''
+        # Move existing lightning-charge.db
+        # TODO: Remove eventually
+        if [[ -e ${config.services.clightning.dataDir}/lightning-charge.db ]]; then
+          mv ${config.services.clightning.dataDir}/lightning-charge.db ${cfg.dataDir}/lightning-charge.db
+          chown ${user}: ${cfg.dataDir}/lightning-charge.db
+          chmod 600 ${cfg.dataDir}/lightning-charge.db
+        fi
+        '';
      serviceConfig = {
+          PermissionsStartOnly = "true";
          EnvironmentFile = "${config.nix-bitcoin.secretsDir}/lightning-charge-env";
-          ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${config.services.clightning.dataDir}/lightning-charge.db";
-          # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket,
-          # so this must run as the clightning user
-          # https://github.com/ElementsProject/lightning/issues/1366
-          User = "clightning";
+          ExecStart = "${pkgs.nix-bitcoin.lightning-charge}/bin/charged -l ${config.services.clightning.dataDir}/bitcoin -d ${cfg.dataDir}/lightning-charge.db";
+          User = user;
          Restart = "on-failure";
          RestartSec = "10s";
      } // nix-bitcoin-services.defaultHardening
        // nix-bitcoin-services.nodejs
        // nix-bitcoin-services.allowTor;
    };
-    nix-bitcoin.secrets.lightning-charge-env.user = "clightning";
+    nix-bitcoin.secrets.lightning-charge-env.user = user;
  };
 }
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@ -155,7 +155,6 @@ in {
    users.users.lnd = {
      description = "LND User";
      group = "lnd";
-      extraGroups = [ "bitcoinrpc" ];
      home = cfg.dataDir; # lnd creates .lnd dir in HOME
    };
    users.groups.lnd = {};
--- a/modules/modules.nix
+++ b/modules/modules.nix
@ -6,7 +6,6 @@
    ./clightning.nix
    ./lightning-charge.nix
    ./nanopos.nix
-    ./nix-bitcoin-webindex.nix
    ./liquid.nix
    ./spark-wallet.nix
    ./electrs.nix
--- a/modules/nix-bitcoin-webindex.nix
+++ b/modules/nix-bitcoin-webindex.nix
@ -75,7 +75,7 @@ in {
      wantedBy = [ "multi-user.target" ];
      after = [ "nodeinfo.service" ];
      path  = with pkgs; [
-        nix-bitcoin.nodeinfo
+        config.programs.nodeinfo
        config.services.clightning.cli
        config.services.lnd.cli
        jq
--- a/modules/nodeinfo.nix
+++ b/modules/nodeinfo.nix
@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  operatorName = config.nix-bitcoin.operatorName;
+  script = pkgs.writeScriptBin "nodeinfo" ''
+    set -eo pipefail
+
+    BITCOIND_ONION="$(cat /var/lib/onion-chef/${operatorName}/bitcoind)"
+    echo BITCOIND_ONION="$BITCOIND_ONION"
+
+    if systemctl is-active --quiet clightning; then
+      CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id')
+      CLIGHTNING_ONION="$(cat /var/lib/onion-chef/${operatorName}/clightning)"
+      CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
+      echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
+      echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
+      echo CLIGHTNING_ID="$CLIGHTNING_ID"
+    fi
+
+    if systemctl is-active --quiet lnd; then
+      LND_NODEID=$(lncli getinfo | jq -r '.uris[0]')
+      echo LND_NODEID="$LND_NODEID"
+    fi
+
+    NGINX_ONION_FILE=/var/lib/onion-chef/${operatorName}/nginx
+    if [ -e "$NGINX_ONION_FILE" ]; then
+      NGINX_ONION="$(cat $NGINX_ONION_FILE)"
+      echo NGINX_ONION="$NGINX_ONION"
+    fi
+
+    LIQUIDD_ONION_FILE=/var/lib/onion-chef/${operatorName}/liquidd
+    if [ -e "$LIQUIDD_ONION_FILE" ]; then
+      LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
+      echo LIQUIDD_ONION="$LIQUIDD_ONION"
+    fi
+
+    SPARKWALLET_ONION_FILE=/var/lib/onion-chef/${operatorName}/spark-wallet
+    if [ -e "$SPARKWALLET_ONION_FILE" ]; then
+      SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
+      echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
+    fi
+
+    ELECTRS_ONION_FILE=/var/lib/onion-chef/${operatorName}/electrs
+    if [ -e "$ELECTRS_ONION_FILE" ]; then
+      ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
+      echo ELECTRS_ONION="$ELECTRS_ONION"
+    fi
+
+    SSHD_ONION_FILE=/var/lib/onion-chef/${operatorName}/sshd
+    if [ -e "$SSHD_ONION_FILE" ]; then
+    SSHD_ONION="$(cat $SSHD_ONION_FILE)"
+    echo SSHD_ONION="$SSHD_ONION"
+    fi
+  '';
+in {
+  options = {
+    programs.nodeinfo = mkOption {
+      readOnly = true;
+      default = script;
+    };
+  };
+
+  config = {
+    environment.systemPackages = [ script ];
+  };
+}
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -5,12 +5,18 @@ with lib;
 let
  cfg = config.services;

+  operatorName = config.nix-bitcoin.operatorName;
+
  mkHiddenService = map: {
    map = [ map ];
    version = 3;
  };
 in {
-  imports = [ ../modules.nix ];
+  imports = [
+    ../modules.nix
+    ../nodeinfo.nix
+    ../nix-bitcoin-webindex.nix
+  ];

  options = {
    services.clightning.onionport = mkOption {
@ -18,12 +24,16 @@ in {
      default = 9735;
      description = "Port on which to listen for tor client connections.";
    };
-
    services.electrs.onionport = mkOption {
      type = types.ints.u16;
      default = 50002;
      description = "Port on which to listen for tor client connections.";
    };
+    nix-bitcoin.operatorName = mkOption {
+      type = types.str;
+      default = "operator";
+      description = "Less-privileged user's name.";
+    };
  };

  config =  {
@ -99,7 +109,7 @@ in {
    };
    services.tor.hiddenServices.electrs = mkHiddenService {
      port = cfg.electrs.onionport;
-      toPort = cfg.electrs.TLSProxy.port;
+      toPort = if cfg.electrs.TLSProxy.enable then cfg.electrs.TLSProxy.port else cfg.electrs.port;
    };

    services.spark-wallet.onion-service = true;
@ -111,11 +121,10 @@ in {
      tor
      jq
      qrencode
-      nix-bitcoin.nodeinfo
    ];

-    # Create user 'operator' which can access the node's services
-    users.users.operator = {
+    # Create operator user which can access the node's services
+    users.users.${operatorName} = {
      isNormalUser = true;
      extraGroups = [
          "systemd-journal"
@ -130,23 +139,18 @@ in {
    };
    # Give operator access to onion hostnames
    services.onion-chef.enable = true;
-    services.onion-chef.access.operator = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];
+    services.onion-chef.access.${operatorName} = [ "bitcoind" "clightning" "nginx" "liquidd" "spark-wallet" "electrs" "sshd" ];

-    # Unfortunately c-lightning doesn't allow setting the permissions of the rpc socket
-    # https://github.com/ElementsProject/lightning/issues/1366
    security.sudo.configFile =
-     (optionalString cfg.clightning.enable ''
-       operator    ALL=(clightning) NOPASSWD: ALL
-     '') +
     (optionalString cfg.lnd.enable ''
-       operator    ALL=(lnd) NOPASSWD: ALL
+       ${operatorName}    ALL=(lnd) NOPASSWD: ALL
     '');

    # Enable nixops ssh for operator (`nixops ssh operator@mynode`) on nixops-vbox deployments
    systemd.services.get-vbox-nixops-client-key =
      mkIf (builtins.elem ".vbox-nixops-client-key" config.services.openssh.authorizedKeysFiles) {
        postStart = ''
-          cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.operator.home}"
+          cp "${config.users.users.root.home}/.vbox-nixops-client-key" "${config.users.users.${operatorName}.home}"
        '';
      };
  };
--- a/modules/recurring-donations.nix
+++ b/modules/recurring-donations.nix
@ -78,6 +78,13 @@ in {
  };

  config = mkIf cfg.enable {
+    users.users.recurring-donations = {
+        description = "recurring-donations User";
+        group = "recurring-donations";
+        extraGroups = [ "clightning" ];
+    };
+    users.groups.recurring-donations = {};
+
    systemd.services.recurring-donations = {
      description = "Run recurring-donations";
      requires = [ "clightning.service" ];
@ -85,9 +92,7 @@ in {
      path = with pkgs; [ nix-bitcoin.clightning curl torsocks sudo jq ];
      serviceConfig = {
        ExecStart = "${pkgs.bash}/bin/bash ${recurring-donations-script}";
-        # TODO: would be better if this was operator, but I don't get sudo
-        # working inside the shell script
-        User = "clightning";
+        User = "recurring-donations";
        Type = "oneshot";
      } // nix-bitcoin-services.defaultHardening
        // nix-bitcoin-services.allowTor;
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@ -12,7 +12,7 @@ let
    ${optionalString cfg.onion-service
      ''
      echo Getting onion hostname
-      CMD="$CMD --public-url http://$(cat /var/lib/onion-chef/clightning/spark-wallet)"
+      CMD="$CMD --public-url http://$(cat /var/lib/onion-chef/spark-wallet/spark-wallet)"
      ''
    }
    # Use rate provide wasabi because default (bitstamp) doesn't accept
@ -48,6 +48,13 @@ in {

  config = mkIf cfg.enable {
    environment.systemPackages = [ pkgs.nix-bitcoin.spark-wallet ];
+    users.users.spark-wallet = {
+      description = "spark-wallet User";
+      group = "spark-wallet";
+      extraGroups = [ "clightning" ];
+    };
+    users.groups.spark-wallet = {};
+
    services.tor.enable = cfg.onion-service;
    # requires client functionality for Bitcoin rate lookup
    services.tor.client.enable = true;
@ -58,7 +65,7 @@ in {
      version = 3;
    };
    services.onion-chef.enable = cfg.onion-service;
-    services.onion-chef.access.clightning = if cfg.onion-service then [ "spark-wallet" ] else [];
+    services.onion-chef.access.spark-wallet = if cfg.onion-service then [ "spark-wallet" ] else [];
    systemd.services.spark-wallet = {
      description = "Run spark-wallet";
      wantedBy = [ "multi-user.target" ];
@ -67,13 +74,13 @@ in {
      serviceConfig = {
        PermissionsStartOnly = "true";
        ExecStart = "${pkgs.bash}/bin/bash ${run-spark-wallet}";
-        User = "clightning";
+        User = "spark-wallet";
        Restart = "on-failure";
        RestartSec = "10s";
      } // nix-bitcoin-services.defaultHardening
        // nix-bitcoin-services.nodejs
        // nix-bitcoin-services.allowTor;
    };
-    nix-bitcoin.secrets.spark-wallet-login.user = "clightning";
+    nix-bitcoin.secrets.spark-wallet-login.user = "spark-wallet";
  };
 }
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -1,6 +1,5 @@
 { pkgs ? import <nixpkgs> {} }:
 {
-  nodeinfo = pkgs.callPackage ./nodeinfo { };
  lightning-charge = pkgs.callPackage ./lightning-charge { };
  nanopos = pkgs.callPackage ./nanopos { };
  spark-wallet = pkgs.callPackage ./spark-wallet { };
--- a/pkgs/lightning-charge/node-packages.nix
+++ b/pkgs/lightning-charge/node-packages.nix
--- a/pkgs/lightning-charge/pkg.json
+++ b/pkgs/lightning-charge/pkg.json
@ -1,3 +1,3 @@
 [
-  { "lightning-charge": "^0.4.14" }
+  { "lightning-charge": "^0.4.19" }
 ]
--- a/pkgs/lightning-charge/supplement.nix
+++ b/pkgs/lightning-charge/supplement.nix
@ -58,13 +58,13 @@ let
        sha512 = "iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==";
      };
    };
-    "chownr-1.1.3" = {
+    "chownr-1.1.4" = {
      name = "chownr";
      packageName = "chownr";
-      version = "1.1.3";
+      version = "1.1.4";
      src = fetchurl {
-        url = "https://registry.npmjs.org/chownr/-/chownr-1.1.3.tgz";
-        sha512 = "i70fVHhmV3DtTl6nqvZOnIjbY0Pe4kAUjwHj8z0zAdgBtYrJyYwLKCCuRBQ5ppkyL0AkN7HKRnETdmdp1zqNXw==";
+        url = "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz";
+        sha512 = "jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg==";
      };
    };
    "code-point-at-1.1.0" = {
@ -256,22 +256,13 @@ let
        sha512 = "yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==";
      };
    };
-    "minimist-0.0.8" = {
+    "minimist-1.2.5" = {
      name = "minimist";
      packageName = "minimist";
-      version = "0.0.8";
+      version = "1.2.5";
      src = fetchurl {
-        url = "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz";
-        sha1 = "857fcabfc3397d2625b8228262e86aa7a011b05d";
-      };
-    };
-    "minimist-1.2.0" = {
-      name = "minimist";
-      packageName = "minimist";
-      version = "1.2.0";
-      src = fetchurl {
-        url = "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz";
-        sha1 = "a35008b20f41383eec1fb914f4cd5df79a264284";
+        url = "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz";
+        sha512 = "FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==";
      };
    };
    "minipass-2.9.0" = {
@ -292,13 +283,13 @@ let
        sha512 = "6ZYMOEnmVsdCeTJVE0W9ZD+pVnE8h9Hma/iOwwRDsdQoePpoX56/8B6z3P9VNwppJuBKNRuFDRNRqRWexT9G9Q==";
      };
    };
-    "mkdirp-0.5.1" = {
+    "mkdirp-0.5.5" = {
      name = "mkdirp";
      packageName = "mkdirp";
-      version = "0.5.1";
+      version = "0.5.5";
      src = fetchurl {
-        url = "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz";
-        sha1 = "30057438eac6cf7f8c4767f38648d6697d75c903";
+        url = "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.5.tgz";
+        sha512 = "NKmAlESf6jMGym1++R0Ra7wvhV+wFW63FaSOFPwRahvea0gMUcGUhVeAg/0BC0wiv9ih5NYPB1Wn1UEI1/L+xQ==";
      };
    };
    "ms-2.1.2" = {
@ -310,22 +301,22 @@ let
        sha512 = "sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==";
      };
    };
-    "needle-2.4.0" = {
+    "needle-2.4.1" = {
      name = "needle";
      packageName = "needle";
-      version = "2.4.0";
+      version = "2.4.1";
      src = fetchurl {
-        url = "https://registry.npmjs.org/needle/-/needle-2.4.0.tgz";
-        sha512 = "4Hnwzr3mi5L97hMYeNl8wRW/Onhy4nUKR/lVemJ8gJedxxUyBLm9kkrDColJvoSfwi0jCNhD+xCdOtiGDQiRZg==";
+        url = "https://registry.npmjs.org/needle/-/needle-2.4.1.tgz";
+        sha512 = "x/gi6ijr4B7fwl6WYL9FwlCvRQKGlUNvnceho8wxkwXqN8jvVmmmATTmZPRRG7b/yC1eode26C2HO9jl78Du9g==";
      };
    };
-    "nopt-4.0.1" = {
+    "nopt-4.0.3" = {
      name = "nopt";
      packageName = "nopt";
-      version = "4.0.1";
+      version = "4.0.3";
      src = fetchurl {
-        url = "https://registry.npmjs.org/nopt/-/nopt-4.0.1.tgz";
-        sha1 = "d0d4685afd5415193c8c7505602d0d17cd64474d";
+        url = "https://registry.npmjs.org/nopt/-/nopt-4.0.3.tgz";
+        sha512 = "CvaGwVMztSMJLOeXPrez7fyfObdZqNUK1cPAEzLHrTybIua9pMdmmPR5YwtfNftIOMv3DPUhFaxsZMNTQO20Kg==";
      };
    };
    "npm-bundled-1.1.1" = {
@ -346,13 +337,13 @@ let
        sha512 = "EPfafl6JL5/rU+ot6P3gRSCpPDW5VmIzX959Ob1+ySFUuuYHWHekXpwdUZcKP5C+DS4GEtdJluwBjnsNDl+fSA==";
      };
    };
-    "npm-packlist-1.4.7" = {
+    "npm-packlist-1.4.8" = {
      name = "npm-packlist";
      packageName = "npm-packlist";
-      version = "1.4.7";
+      version = "1.4.8";
      src = fetchurl {
-        url = "https://registry.npmjs.org/npm-packlist/-/npm-packlist-1.4.7.tgz";
-        sha512 = "vAj7dIkp5NhieaGZxBJB8fF4R0078rqsmhJcAfXZ6O7JJhjhPK96n5Ry1oZcfLXgfun0GWTZPOxaEyqv8GBykQ==";
+        url = "https://registry.npmjs.org/npm-packlist/-/npm-packlist-1.4.8.tgz";
+        sha512 = "5+AZgwru5IevF5ZdnFglB5wNlHG1AOOuw28WhUq8/8emhBmLv6jX5by4WJCh7lW0uSYZYS6DXqIsyZVIXRZU9A==";
      };
    };
    "npmlog-4.1.2" = {
@ -508,13 +499,13 @@ let
        sha1 = "045f9782d011ae9a6803ddd382b24392b3d890f7";
      };
    };
-    "signal-exit-3.0.2" = {
+    "signal-exit-3.0.3" = {
      name = "signal-exit";
      packageName = "signal-exit";
-      version = "3.0.2";
+      version = "3.0.3";
      src = fetchurl {
-        url = "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.2.tgz";
-        sha1 = "b5fdc08f1287ea1178628e415e25132b73646c6d";
+        url = "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.3.tgz";
+        sha512 = "VUJ49FC8U1OxwZLxIbTTrDvLnf/6TDgxZcK8wxR8zs13xpx7xbG60ndBlhNrFi2EMuFRoeDoJO7wthSLq42EjA==";
      };
    };
    "string-width-1.0.2" = {
@ -616,7 +607,7 @@ in
      sources."are-we-there-yet-1.1.5"
      sources."balanced-match-1.0.0"
      sources."brace-expansion-1.1.11"
-      sources."chownr-1.1.3"
+      sources."chownr-1.1.4"
      sources."code-point-at-1.1.0"
      sources."concat-map-0.0.1"
      sources."console-control-strings-1.1.0"
@ -638,16 +629,16 @@ in
      sources."is-fullwidth-code-point-1.0.0"
      sources."isarray-1.0.0"
      sources."minimatch-3.0.4"
-      sources."minimist-0.0.8"
+      sources."minimist-1.2.5"
      sources."minipass-2.9.0"
      sources."minizlib-1.3.3"
-      sources."mkdirp-0.5.1"
+      sources."mkdirp-0.5.5"
      sources."ms-2.1.2"
-      sources."needle-2.4.0"
-      sources."nopt-4.0.1"
+      sources."needle-2.4.1"
+      sources."nopt-4.0.3"
      sources."npm-bundled-1.1.1"
      sources."npm-normalize-package-bin-1.0.1"
-      sources."npm-packlist-1.4.7"
+      sources."npm-packlist-1.4.8"
      sources."npmlog-4.1.2"
      sources."number-is-nan-1.0.1"
      sources."object-assign-4.1.1"
@ -657,11 +648,7 @@ in
      sources."osenv-0.1.5"
      sources."path-is-absolute-1.0.1"
      sources."process-nextick-args-2.0.1"
-      (sources."rc-1.2.8" // {
-        dependencies = [
-          sources."minimist-1.2.0"
-        ];
-      })
+      sources."rc-1.2.8"
      sources."readable-stream-2.3.7"
      sources."rimraf-2.7.1"
      sources."safe-buffer-5.1.2"
@ -669,7 +656,7 @@ in
      sources."sax-1.2.4"
      sources."semver-5.7.1"
      sources."set-blocking-2.0.0"
-      sources."signal-exit-3.0.2"
+      sources."signal-exit-3.0.3"
      sources."string-width-1.0.2"
      sources."string_decoder-1.1.1"
      sources."strip-ansi-3.0.1"
--- a/pkgs/nodeinfo/default.nix
+++ b/pkgs/nodeinfo/default.nix
@ -1,15 +0,0 @@
-{pkgs}:
-
-with pkgs;
-stdenv.mkDerivation {
-  name = "nodeinfo";
-  src = ./nodeinfo.sh;
-
-  unpackPhase = "true";
-  installPhase = ''
-    mkdir -p $out
-    mkdir -p $out/bin
-    cp $src $out/bin/nodeinfo
-    chmod +x $out/bin/nodeinfo
-    '';
-}
--- a/pkgs/nodeinfo/nodeinfo.sh
+++ b/pkgs/nodeinfo/nodeinfo.sh
@ -1,49 +0,0 @@
-set -e
-set -o pipefail
-
-BITCOIND_ONION="$(cat /var/lib/onion-chef/operator/bitcoind)"
-echo BITCOIND_ONION="$BITCOIND_ONION"
-
-if systemctl is-active --quiet clightning; then
-    CLIGHTNING_NODEID=$(lightning-cli getinfo | jq -r '.id')
-    CLIGHTNING_ONION="$(cat /var/lib/onion-chef/operator/clightning)"
-    CLIGHTNING_ID="$CLIGHTNING_NODEID@$CLIGHTNING_ONION:9735"
-    echo CLIGHTNING_NODEID="$CLIGHTNING_NODEID"
-    echo CLIGHTNING_ONION="$CLIGHTNING_ONION"
-    echo CLIGHTNING_ID="$CLIGHTNING_ID"
-fi
-
-if systemctl is-active --quiet lnd; then
-    LND_NODEID=$(lncli getinfo | jq -r '.uris[0]')
-    echo LND_NODEID="$LND_NODEID"
-fi
-
-NGINX_ONION_FILE=/var/lib/onion-chef/operator/nginx
-if [ -e "$NGINX_ONION_FILE" ]; then
-    NGINX_ONION="$(cat $NGINX_ONION_FILE)"
-    echo NGINX_ONION="$NGINX_ONION"
-fi
-
-LIQUIDD_ONION_FILE=/var/lib/onion-chef/operator/liquidd
-if [ -e "$LIQUIDD_ONION_FILE" ]; then
-    LIQUIDD_ONION="$(cat $LIQUIDD_ONION_FILE)"
-    echo LIQUIDD_ONION="$LIQUIDD_ONION"
-fi
-
-SPARKWALLET_ONION_FILE=/var/lib/onion-chef/operator/spark-wallet
-if [ -e "$SPARKWALLET_ONION_FILE" ]; then
-    SPARKWALLET_ONION="$(cat $SPARKWALLET_ONION_FILE)"
-    echo SPARKWALLET_ONION="http://$SPARKWALLET_ONION"
-fi
-
-ELECTRS_ONION_FILE=/var/lib/onion-chef/operator/electrs
-if [ -e "$ELECTRS_ONION_FILE" ]; then
-    ELECTRS_ONION="$(cat $ELECTRS_ONION_FILE)"
-    echo ELECTRS_ONION="$ELECTRS_ONION"
-fi
-
-SSHD_ONION_FILE=/var/lib/onion-chef/operator/sshd
-if [ -e "$SSHD_ONION_FILE" ]; then
-    SSHD_ONION="$(cat $SSHD_ONION_FILE)"
-    echo SSHD_ONION="$SSHD_ONION"
-fi