Merge fort-nix/nix-bitcoin#497: update nixpkgs (stable: 21.11 -> 22.05)

fe68ee650b fix containers on nixos-22.05 (Erik Arvstedt)
15e7b32c2d fix VMs on nixos-22.05 (Erik Arvstedt)
f52ff8fdb5 fix python packages on nixos-22.05 (Erik Arvstedt)
a9123a9842 lndinit: update `vendorSha256` (Erik Arvstedt)
3102c99275 configuration.nix: update `system.stateVersion` (Erik Arvstedt)
2106a2cdea spark-wallet/generate.sh: remove TODO-EXTERNAL (Erik Arvstedt)
c7eab98a31 tests: fix deprecation warning (Jonas Nick)
805eb26d12 update nixpkgs (stable: 21.11 -> 22.05) (Jonas Nick)
96144fde81 update-flake.nix: fix stable pkgs selection (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK fe68ee650b

Tree-SHA512: 793d644ea0d8349ff35e74db046f73a540f53d46b3f212250c107ea881f6e9bf2e89be48ef1466b17074d7963bea567a2a79f2e9e2bea701638d9ca75f403624

examples/configuration.nix

@@ -274,7 +274,7 @@
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "21.11"; # Did you read the comment?
+  system.stateVersion = "22.05"; # Did you read the comment?
 
   # The nix-bitcoin release version that your config is compatible with.
   # When upgrading to a backwards-incompatible release, nix-bitcoin will display an

examples/deploy-container.sh

@@ -53,7 +53,7 @@ echo "lightning-cli state:"
 c lightning-cli getinfo
 echo
 echo "Bitcoind data dir:"
-sudo ls -al /var/lib/containers/demo-node/var/lib/bitcoind
+sudo ls -al /var/lib/*containers/demo-node/var/lib/bitcoind
 '
 nodeInfoCmd='
 echo

examples/deploy-krops.sh

@@ -26,15 +26,17 @@ echo "Building the target VM"
 # Build the initial VM to which the nix-bitcoin node is deployed via krops
 nix-build --out-link $tmpDir/vm - <<'EOF'
 (import <nixpkgs/nixos> {
-  configuration = { lib, ... }: {
+  configuration = { config, lib, ... }: {
     imports = [ <qemu-vm/vm-config.nix>  ];
     services.openssh.enable = true;
 
     # Silence the following warning that appears when deploying via krops:
     # warning: Nix search path entry '/nix/var/nix/profiles/per-user/root/channels' does not exist, ignoring
     nix.nixPath = lib.mkForce [];
+
+    system.stateVersion = config.system.nixos.release;
   };
-}).vm
+}).config.system.build.vm
 EOF
 
 vmNumCPUs=4

examples/deploy-qemu-vm.sh

@@ -31,7 +31,7 @@ nix-build --out-link $tmpDir/vm - <<'EOF'
     ];
     nix-bitcoin.generateSecrets = true;
   };
-}).vm
+}).config.system.build.vm
 EOF
 
 vmNumCPUs=4

examples/qemu-vm/minimal-vm.nix

@@ -13,19 +13,21 @@ rec {
 
   vm = (import "${nixpkgs}/nixos" {
     inherit system;
-    configuration = { lib, ... }: {
+    configuration = { config, lib, modulesPath, ... }: {
       imports = [
         nix-bitcoin.nixosModules.default
         "${nix-bitcoin}/modules/presets/secure-node.nix"
+        "${modulesPath}/virtualisation/qemu-vm.nix"
       ];
 
+      virtualisation.graphics = false;
+
       nix-bitcoin.generateSecrets = true;
       services.clightning.enable = true;
       # For faster startup in offline VMs
       services.clightning.extraConfig = "disable-dns";
 
       nixpkgs.pkgs = pkgs;
-      virtualisation.graphics = false;
       services.getty.autologinUser = "root";
       nix.nixPath = [ "nixpkgs=${nixpkgs}" ];
 
@@ -42,8 +44,10 @@ rec {
       systemd.services."serial-getty@".preStop = ''
         echo o >/proc/sysrq-trigger
       '';
+
+      system.stateVersion = config.system.nixos.release;
     };
-  }).vm;
+  }).config.system.build.vm;
 
   runVM = mkVMScript vm;
 }

examples/qemu-vm/vm-config.nix

@@ -1,7 +1,10 @@
+{ modulesPath, ... }:
 {
   # Disable the hardened preset to improve VM performance
   disabledModules = [ <nix-bitcoin/modules/presets/hardened.nix> ];
 
+  imports = [ "${modulesPath}/virtualisation/qemu-vm.nix" ];
+
   config = {
     virtualisation.graphics = false;
     services.getty.autologinUser = "root";

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1653893745,
-        "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
+        "lastModified": 1656065134,
+        "narHash": "sha256-oc6E6ByIw3oJaIyc67maaFcnjYOz1mMcOtHxbEf9NwQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
+        "rev": "bee6a7250dd1b01844a2de7e02e4df7d8a0a206c",
         "type": "github"
       },
       "original": {
@@ -17,27 +17,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1653830209,
-        "narHash": "sha256-V+HnLKJzvk2HZcLUKt9z2puZ46vLo74chOakxbLfXek=",
+        "lastModified": 1656265786,
+        "narHash": "sha256-A9RkoGrxzsmMm0vily18p92Rasb+MbdDMaSnzmywXKw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cc257c49c495b2d0d7d40c5753a452d0abc8adf3",
+        "rev": "cd90e773eae83ba7733d2377b6cdf84d45558780",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-21.11",
+        "ref": "nixos-22.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgsUnstable": {
       "locked": {
-        "lastModified": 1653738054,
-        "narHash": "sha256-IaR8iLN4Ms3f5EjU1CJkXSc49ZzyS5qv03DtVAti6/s=",
+        "lastModified": 1656250965,
+        "narHash": "sha256-2IlNf6jxEJiuCrGymqLOLjxk2SIj4HhVIwEb0kvcs24=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "17b62c338f2a0862a58bb6951556beecd98ccda9",
+        "rev": "9a17f325397d137ac4d219ecbd5c7f15154422f4",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,7 +5,7 @@
   '';
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
     nixpkgsUnstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     flake-utils.url = "github:numtide/flake-utils";
   };

helper/update-flake.nix

@@ -8,8 +8,8 @@ in rec {
   #   stable = { bitcoind = "0.21.1"; ... };
   #   unstable = { btcpayserver = "1.2.1"; ... };
   # }
-  # A pinned pkg is added to `stable` if the stable and unstable pkg versions
-  # are identical.
+  # A pinned pkg is added to `stable` if its stable version is newer or
+  # identical to the unstable version.
   versions = let
     pinned = flake.legacyPackages.x86_64-linux.pinned;
     pinnedPkgs = lib.filterAttrs (n: v: lib.isDerivation v) pinned;
@@ -17,7 +17,8 @@ in rec {
     unstable = pinned.pkgsUnstable;
     isStable = builtins.partition (pkgName:
       !(unstable ? "${pkgName}") ||
-      ((stable ? "${pkgName}") && stable.${pkgName}.version == unstable.${pkgName}.version)
+      ((stable ? "${pkgName}")
+       && (builtins.compareVersions stable.${pkgName}.version unstable.${pkgName}.version >= 0))
     ) (builtins.attrNames pinnedPkgs);
   in {
     stable   = lib.genAttrs isStable.right (pkgName: stable.${pkgName}.version);

pkgs/clightning-plugins/default.nix

@@ -22,7 +22,7 @@ let
       description = "Lightning node exporter for the prometheus timeseries server";
       extraPkgs = [ prometheus_client ];
       patchRequirements =
-        "--replace prometheus-client==0.6.0 prometheus-client==0.11.0"
+        "--replace prometheus-client==0.6.0 prometheus-client==0.13.1"
         + " --replace pyln-client~=0.9.3 pyln-client~=0.10.1";
     };
     rebalance = { description = "Keeps your channels balanced"; };

pkgs/lndinit/default.nix

@@ -11,7 +11,7 @@ buildGoModule rec {
     sha256 = "sha256-sO1DpbppCurxr9g9nUl9Vx82FJK1mTcUw3rY1Fm1wEU=";
   };
 
-  vendorSha256 = "sha256-xdxxixSabcuGzwCctHrP/RV/Z8sCQDmk2PU4j1u8MX8=";
+  vendorSha256 = "sha256-El44BS5Bu0K/klMxkajciU/R6uqiXBMOiLN536QztbE=";
 
   subPackages = [ "." ];
 

pkgs/pinned.nix

@@ -2,21 +2,21 @@
 pkgs: pkgsUnstable:
 {
   inherit (pkgs)
-    charge-lnd
-    extra-container;
-
-  inherit (pkgsUnstable)
     bitcoin
     bitcoind
-    btcpayserver
+    charge-lnd
     clightning
     electrs
     elementsd
-    hwi
-    lightning-loop
+    extra-container
     lightning-pool
     lnd
-    lndconnect
+    lndconnect;
+
+  inherit (pkgsUnstable)
+    btcpayserver
+    hwi
+    lightning-loop
     nbxplorer;
 
   inherit pkgs pkgsUnstable;

pkgs/python-packages/default.nix

@@ -26,6 +26,12 @@ in {
   pyln-bolt7 = clightningPkg ./pyln-bolt7;
   pylightning = clightningPkg ./pylightning;
 
+  # Don't mark `klein` as broken.
+  # `klein` is fixed by using werkzeug 2.1.0 (see below)
+  klein = super.klein.overrideAttrs (old: {
+    meta = builtins.removeAttrs old.meta [ "broken" ];
+  });
+
   ## Specific versions of packages that already exist in nixpkgs
 
   # cryptography 3.3.2, required by joinmarketdaemon
@@ -34,17 +40,12 @@ in {
     cryptography_vectors = callPackage ./specific-versions/cryptography/vectors.nix {};
   };
 
-  # cryptography 36.0.0, required by pyln-proto.
-  cryptography = callPackage "${unstable}/pkgs/development/python-modules/cryptography" {
-    Security = self.darwin.apple_sdk.frameworks.Security;
-  };
-
   # autobahn 20.12.3, required by joinmarketclient
   autobahn = callPackage ./specific-versions/autobahn.nix {};
 
-  # tubes 0.2.0, required by jmclient (via pkg `klein`)
-  tubes = callPackage ./specific-versions/tubes.nix {};
+  # werkzeug 2.1.0, required by jmclient (via pkg `klein`)
+  werkzeug = callPackage ./specific-versions/werkzeug.nix {};
 
-  # recommonmark 0.7.1, required by pyln-client
-  recommonmark = callPackage ./specific-versions/recommonmark.nix { inherit (super) recommonmark; };
+  # pyopenssl 20.0.1, required by joinmarketdaemon
+  pyopenssl = callPackage ./specific-versions/pyopenssl.nix {};
 }

pkgs/python-packages/jmclient/default.nix

@@ -13,6 +13,8 @@ buildPythonPackage rec {
   patchPhase = ''
     substituteInPlace setup.py \
       --replace "'klein==20.6.0'" "'klein==21.8.0'"
+    substituteInPlace setup.py \
+      --replace "'pyjwt==2.1.0'" "'pyjwt==2.3.0'"
   '';
 
   meta = with lib; {

pkgs/python-packages/specific-versions/pyopenssl.nix

@@ -0,0 +1,92 @@
+{ lib
+, stdenv
+, buildPythonPackage
+, fetchPypi
+, openssl
+, cryptography
+, pyasn1
+, idna
+, pytest
+, pretend
+, flaky
+, glibcLocales
+, six
+}:
+
+let
+  # https://github.com/pyca/pyopenssl/issues/791
+  # These tests, we disable in the case that libressl is passed in as openssl.
+  failingLibresslTests = [
+    "test_op_no_compression"
+    "test_npn_advertise_error"
+    "test_npn_select_error"
+    "test_npn_client_fail"
+    "test_npn_success"
+    "test_use_certificate_chain_file_unicode"
+    "test_use_certificate_chain_file_bytes"
+    "test_add_extra_chain_cert"
+    "test_set_session_id_fail"
+    "test_verify_with_revoked"
+    "test_set_notAfter"
+    "test_set_notBefore"
+  ];
+
+  # these tests are extremely tightly wed to the exact output of the openssl cli tool,
+  # including exact punctuation.
+  failingOpenSSL_1_1Tests = [
+    "test_dump_certificate"
+    "test_dump_privatekey_text"
+    "test_dump_certificate_request"
+    "test_export_text"
+  ];
+
+  disabledTests = [
+    # https://github.com/pyca/pyopenssl/issues/692
+    # These tests, we disable always.
+    "test_set_default_verify_paths"
+    "test_fallback_default_verify_paths"
+    # https://github.com/pyca/pyopenssl/issues/768
+    "test_wantWriteError"
+  ] ++ (
+    lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) failingLibresslTests
+  ) ++ (
+    lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") failingOpenSSL_1_1Tests
+  ) ++ (
+    # https://github.com/pyca/pyopenssl/issues/974
+    lib.optionals stdenv.is32bit [ "test_verify_with_time" ]
+  );
+
+  # Compose the final string expression, including the "-k" and the single quotes.
+  testExpression = lib.optionalString (disabledTests != [])
+    "-k 'not ${lib.concatStringsSep " and not " disabledTests}'";
+
+in
+
+buildPythonPackage rec {
+  pname = "pyopenssl";
+  version = "20.0.1";
+
+  src = fetchPypi {
+    pname = "pyOpenSSL";
+    inherit version;
+    sha256 = "4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  checkPhase = ''
+    runHook preCheck
+    export LANG="en_US.UTF-8"
+    py.test tests ${testExpression}
+    runHook postCheck
+  '';
+
+  # Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
+  # for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
+  doCheck = !stdenv.isDarwin;
+
+  nativeBuildInputs = [ openssl ];
+  propagatedBuildInputs = [ cryptography pyasn1 idna six ];
+
+  checkInputs = [ pytest pretend flaky glibcLocales ];
+}

pkgs/python-packages/specific-versions/recommonmark.nix

@@ -1,12 +0,0 @@
-{ recommonmark, fetchFromGitHub }:
-
-recommonmark.overridePythonAttrs (old: rec {
-  version = "0.7.1";
-
-  src = fetchFromGitHub {
-    owner = "rtfd";
-    repo = old.pname;
-    rev = version;
-    sha256 = "0kwm4smxbgq0c0ybkxfvlgrfb3gq9amdw94141jyykk9mmz38379";
-  };
-})

pkgs/python-packages/specific-versions/tubes.nix

@@ -1,29 +0,0 @@
-{ lib, buildPythonPackage, fetchPypi, python
-, characteristic, six, twisted
-}:
-
-buildPythonPackage rec {
-  pname = "tubes";
-  version = "0.2.0";
-
-  src = fetchPypi {
-    pname = "Tubes";
-    inherit version;
-    sha256 = "0sg1gg2002h1xsgxigznr1zk1skwmhss72dzk6iysb9k9kdgymcd";
-  };
-
-  propagatedBuildInputs = [ characteristic six twisted ];
-
-  checkPhase = ''
-    ${python.interpreter} -m twisted.trial -j $NIX_BUILD_CORES tubes
-  '';
-
-  pythonImportsCheck = [ "tubes" ];
-
-  meta = with lib; {
-    description = "a data-processing and flow-control engine for event-driven programs";
-    homepage    = "https://github.com/twisted/tubes";
-    license     = licenses.mit;
-    maintainers = with maintainers; [ exarkun ];
-  };
-}

pkgs/python-packages/specific-versions/werkzeug.nix

@@ -0,0 +1,68 @@
+{ lib
+, stdenv
+, buildPythonPackage
+, pythonOlder
+, fetchPypi
+, watchdog
+, dataclasses
+, ephemeral-port-reserve
+, pytest-timeout
+, pytest-xprocess
+, pytestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "werkzeug";
+  version = "2.1.0";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchPypi {
+    pname = "Werkzeug";
+    inherit version;
+    sha256 = "sha256-m1VGaj6Z4TsfBoamYRfTm9qFqZIWbgp5rt/PNYYyj3o=";
+  };
+
+  propagatedBuildInputs = lib.optionals (!stdenv.isDarwin) [
+    # watchdog requires macos-sdk 10.13+
+    watchdog
+  ] ++ lib.optionals (pythonOlder "3.7") [
+    dataclasses
+  ];
+
+  checkInputs = [
+    ephemeral-port-reserve
+    pytest-timeout
+    pytest-xprocess
+    pytestCheckHook
+  ];
+
+  disabledTests = lib.optionals stdenv.isDarwin [
+    "test_get_machine_id"
+  ];
+
+  disabledTestPaths = [
+    # ConnectionRefusedError: [Errno 111] Connection refused
+    "tests/test_serving.py"
+  ];
+
+  pytestFlagsArray = [
+    # don't run tests that are marked with filterwarnings, they fail with
+    # warnings._OptionError: unknown warning category: 'pytest.PytestUnraisableExceptionWarning'
+    "-m 'not filterwarnings'"
+  ];
+
+  meta = with lib; {
+    homepage = "https://palletsprojects.com/p/werkzeug/";
+    description = "The comprehensive WSGI web application library";
+    longDescription = ''
+      Werkzeug is a comprehensive WSGI web application library. It
+      began as a simple collection of various utilities for WSGI
+      applications and has become one of the most advanced WSGI
+      utility libraries.
+    '';
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ ];
+  };
+}

pkgs/spark-wallet/generate.sh

@@ -27,10 +27,6 @@ tar xvf $TMPDIR/$file -C $src --strip-components 1 >/dev/null
 # Make qrcode-terminal a strict dependency so that node2nix includes it in the package derivation.
 jq '.dependencies["qrcode-terminal"] = .optionalDependencies["qrcode-terminal"]' $src/package.json | sponge $src/package.json
 
-# Generate nix pkg
-# TODO-EXTERNAL: remove --nodejs-14 option once
-# https://github.com/svanderburg/node2nix/pull/296 has made its way into a
-# node2nix release.
 node2nix \
   --nodejs-14 \
   --input $src/package.json \

test/lib/make-test.nix

@@ -9,7 +9,7 @@ name: testConfig:
   vm = makeVM {
     name = "nix-bitcoin-${name}";
 
-    machine = {
+    nodes.machine = {
       imports = [ testConfig ];
       virtualisation = {
         # Needed because duplicity requires 270 MB of free temp space, regardless of backup size

test/nixos-search/flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1649676176,
-        "narHash": "sha256-OWKJratjt2RW151VUlJPRALb7OU2S5s+f0vLj4o1bHM=",
+        "lastModified": 1653893745,
+        "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "a4b154ebbdc88c8498a5c7b01589addc9e9cb678",
+        "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     "nixos-org-configurations": {
       "flake": false,
       "locked": {
-        "lastModified": 1653498760,
-        "narHash": "sha256-KCNAUCcWkTQy/ddrZzYZrtiT3Zg6rLb7QIylUDvKcco=",
+        "lastModified": 1654268653,
+        "narHash": "sha256-oTW2IFRAE1juNLE1tJ/mqVeSG1P+XPrm9o2E0irBVKg=",
         "owner": "NixOS",
         "repo": "nixos-org-configurations",
-        "rev": "34b9422847c5b67cbdbe26b89201b3354557f677",
+        "rev": "8e8668be80e6d3b6f5f602770dca42e6c6f33d50",
         "type": "github"
       },
       "original": {
@@ -38,11 +38,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1653738462,
-        "narHash": "sha256-2eOJBUcahP6C7KmsYCM9GyZhGNFGyyUNmn0LNhEVKY4=",
+        "lastModified": 1654646126,
+        "narHash": "sha256-GjfJq6tK2IB8aQcXA3UkFa2/hsPYvT/H+KE9Ghse4j4=",
         "owner": "nixos",
         "repo": "nixos-search",
-        "rev": "1bf3ce7c9829d3daedc46a000062d09339936034",
+        "rev": "74ed61a9152400465f590a1ad2575c2526ee375b",
         "type": "github"
       },
       "original": {
@@ -53,11 +53,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1651726670,
-        "narHash": "sha256-dSGdzB49SEvdOJvrQWfQYkAefewXraHIV08Vz6iDXWQ=",
+        "lastModified": 1654230545,
+        "narHash": "sha256-8Vlwf0x8ow6pPOK2a04bT+pxIeRnM1+O0Xv9/CuDzRs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c777cdf5c564015d5f63b09cc93bef4178b19b01",
+        "rev": "236cc2971ac72acd90f0ae3a797f9f83098b17ec",
         "type": "github"
       },
       "original": {