Merge fort-nix/nix-bitcoin#539: Minor improvements

67a573dae8 create-git-repo.sh: fix amend error if there's no branch checked out (Erik Arvstedt) d9eecb7d4c nixos-search/flake: remove unused output (Erik Arvstedt) 4e70db14bc README: fix capitalization (Erik Arvstedt) 030be842c8 secrets: use fetchurl derivation (Erik Arvstedt) 1713e016a0 clightning-replication: clarify comment about FUSE mounts (Erik Arvstedt) cd3878e357 delete modules/default.nix (Erik Arvstedt) f2a4d1fe65 docs/security: fix typo (Erik Arvstedt) 3a65dc0dc9 docs/configuration: improve section `Remote bitcoind` (Erik Arvstedt) af115d746b internal scripts: use pinned, cached pkgs (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACK 67a573dae8 Tree-SHA512: 9ab2e9141793996eeae94cf2bb630491489a479841858187719fee9cf39e56b1db8bfc09f9466026b7409e160bb2047b374047ca4d2f7249077895c804663bd0
2022-08-29 11:38:44 +00:00 · 2022-08-29 11:38:44 +00:00 · 6145dc3032
parent 4cd9d0c6de 67a573dae8
commit 6145dc3032
21 changed files with 56 additions and 52 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -39,4 +39,4 @@ task:

    - name: shellcheck
      build_script:
-        - nix shell --inputs-from . nixpkgs#{shellcheck,findutils,gnugrep} -c ./test/shellcheck.sh
+        - ./test/shellcheck.sh
--- a/README.md
+++ b/README.md
@ -54,7 +54,7 @@ top left corner of the documents.

 <!-- TODO-EXTERNAL: -->
 <!-- Change query to `nix-bitcoin` when upstream search has been fixed -->
-* [NixOS Options Search](https://search.nixos.org/flakes?channel=unstable&sort=relevance&type=options&query=bitcoin)
+* [NixOS options search](https://search.nixos.org/flakes?channel=unstable&sort=relevance&type=options&query=bitcoin)
 * [Hardware requirements](docs/hardware.md)
 * [Installation](docs/install.md)
 * [Configuration and maintenance](docs/configuration.md)
--- a/SECURITY.md
+++ b/SECURITY.md
@ -35,7 +35,7 @@ amounts.

 The nix-bitcoin developers [listed above](#reporting-a-vulnerability) each hold
 one key to the multisig address and collectively form the nix-bitcoin developer
-quorum:
+quorum.

 ### Eligible Vulnerabilities

--- a/default.nix
+++ b/default.nix
@ -1,5 +1,3 @@
 { pkgs ? import <nixpkgs> {} }:

-(import ./pkgs { inherit pkgs; }) // {
-  modules = import ./modules;
-}
+import ./pkgs { inherit pkgs; }
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -214,18 +214,15 @@ services.bitcoind = {
 };
 ```

-If a `secure-node.nix` or `tor-enable.nix` preset is imported in your
-configuration or a `tor.enforce` option is explicitly enabled, you also need to
-allow remote connections for **every** service which needs to connect to the
-remote bitcoind:
-
-```
-systemd.services.<service>.serviceConfig = {
-  IPAddressAllow = [ ${services.bitcoind.rpc.address} ];
-};
+For each service that connects to bitcoind and has option
+`services.<service>.tor.enforce` enabled (either explicitly or by importing
+`secure-node.nix` or `enable-tor.nix`), you need to
+allow the remote bitcoind connection:
+```nix
+systemd.services.<service>.serviceConfig.IPAddressAllow = [ ${services.bitcoind.rpc.address} ];
 ```

-> Please note that configuration above applies only if the remote bitcoind **is
+> The above configuration is only required if the remote bitcoind **is
 > not** accessed via Tor.


--- a/helper/run-in-nix-env
+++ b/helper/run-in-nix-env
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Usage:
+# source "path/to/run-in-nix-env" "pkg1 pkg2 ..." "$@"
+#
+# Runs the calling script with pkgs1, pkg2, ... in PATH.
+# The packages are sourced from the nixpkgs input of the nix-bitcoin root flake.
+
+if [[ ${_NIX_BITCOIN_ENV_PKGS:-} != "$1" ]]; then
+    export _NIX_BITCOIN_ENV_PKGS=$1
+    shift
+
+    _shell_pkgs=()
+    for _pkg in $_NIX_BITCOIN_ENV_PKGS; do
+      _shell_pkgs+=("nixpkgs#$_pkg")
+    done
+    # BASH_SOURCE[0] is this file
+    # BASH_SOURCE[-1] is the root src file
+    exec nix shell --inputs-from "${BASH_SOURCE[0]%/*}/.." "${_shell_pkgs[@]}" -c "${BASH_SOURCE[-1]}" "$@"
+fi
--- a/modules/clightning-replication.nix
+++ b/modules/clightning-replication.nix
@ -143,8 +143,11 @@ in {
        # We can't simply set `destDir` here because it might point to
        # a FUSE mount.
        # FUSE mounts can only be set up as `ReadWritePaths` by systemd when they
-        # are accessible by root. This would require FUSE-mounting with option
-        # `allow_other`.
+        # are accessible by root.
+        # But FUSE mounts are only accessible by the mounting user and
+        # not by root.
+        # (This could be circumvented by FUSE-mounting `destDir` with option `allow_other`,
+        # but this would grant access to all users.)
        (if useMounts then mountsDir else localDir)
      ];
    };
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,14 +0,0 @@
-{
-  modules = ./modules.nix;
-  bitcoind = ./bitcoind.nix;
-  clightning = ./clightning.nix;
-  default = ./default.nix;
-  electrs = ./electrs.nix;
-  liquid = ./liquid.nix;
-  presets.secure-node = ./presets/secure-node.nix;
-  rtl = ./rtl.nix;
-  spark-wallet = ./spark-wallet.nix;
-  lnd = ./lnd.nix;
-  charge-lnd = ./charge-lnd.nix;
-  joinmarket = ./joinmarket.nix;
-}
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -73,7 +73,7 @@ let
    generateSecretsScript = mkOption {
      internal = true;
      default = let
-        rpcauthSrc = builtins.fetchurl {
+        rpcauthSrc = pkgs.fetchurl {
          url = "https://raw.githubusercontent.com/bitcoin/bitcoin/d6cde007db9d3e6ee93bd98a9bbfdce9bfa9b15b/share/rpcauth/rpcauth.py";
          sha256 = "189mpplam6yzizssrgiyv70c9899ggh8cac76j4n7v0xqzfip07n";
        };
--- a/pkgs/clightning-plugins/get-sha256.sh
+++ b/pkgs/clightning-plugins/get-sha256.sh
@ -1,6 +1,6 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git" "$@"

 archive_hash () {
    repo=$1
--- a/pkgs/clightning-rest/generate.sh
+++ b/pkgs/clightning-rest/generate.sh
@ -1,6 +1,6 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i bash -p gnupg wget gnused
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"

 version="0.9.0"
 repo=https://github.com/Ride-The-Lightning/c-lightning-REST
--- a/pkgs/joinmarket/get-sha256.sh
+++ b/pkgs/joinmarket/get-sha256.sh
@ -1,6 +1,6 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git gnupg
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg" "$@"

 TMPDIR="$(mktemp -d -p /tmp)"
 trap 'rm -rf $TMPDIR' EXIT
--- a/pkgs/krops/fetch-release.sh
+++ b/pkgs/krops/fetch-release.sh
@ -1,6 +1,6 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git" "$@"

 archive_hash () {
    repo=$1
--- a/pkgs/lndinit/get-sha256.sh
+++ b/pkgs/lndinit/get-sha256.sh
@ -1,6 +1,6 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git gnupg curl jq
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg curl jq" "$@"

 TMPDIR=$(mktemp -d -p /tmp)
 trap 'rm -rf $TMPDIR' EXIT
--- a/pkgs/python-packages/python-bitcointx/get-sha256.sh
+++ b/pkgs/python-packages/python-bitcointx/get-sha256.sh
@ -1,6 +1,6 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git gnupg
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../../helper/run-in-nix-env" "git gnupg" "$@"

 TMPDIR=$(mktemp -d -p /tmp)
 trap 'rm -rf $TMPDIR' EXIT
--- a/pkgs/rtl/generate.sh
+++ b/pkgs/rtl/generate.sh
@ -1,6 +1,6 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i bash -p gnupg wget gnused
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"

 version="0.13.1"
 repo=https://github.com/Ride-The-Lightning/RTL
--- a/pkgs/spark-wallet/generate.sh
+++ b/pkgs/spark-wallet/generate.sh
@ -1,6 +1,6 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i bash -p nodePackages.node2nix gnupg wget jq moreutils gnused
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "nodePackages.node2nix gnupg wget jq moreutils gnused" "$@"

 TMPDIR=$(mktemp -d -p /tmp)
 trap 'rm -rf $TMPDIR' EXIT
--- a/test/lib/create-git-repo.sh
+++ b/test/lib/create-git-repo.sh
@ -4,7 +4,7 @@
  cd "$scriptDir/.."
  amend=--amend

-  if [[ ! -e .git ]]; then
+  if [[ ! -e .git ]] || ! git rev-parse HEAD 2>/dev/null; then
    git init
    amend=
  fi
--- a/test/nixos-search/flake.nix
+++ b/test/nixos-search/flake.nix
@ -8,6 +8,5 @@

    # Used by ./ci-test.sh
    inherit (nixos-search.inputs.nixpkgs) legacyPackages;
-    nixpkgsPath = toString nixos-search.inputs.nixpkgs;
  };
 }
--- a/test/run-tests.sh
+++ b/test/run-tests.sh
@ -322,7 +322,7 @@ examples() {

 shellcheck() {
    if ! checkFlakeSupport "shellcheck"; then return; fi
-    nix shell --inputs-from "$scriptDir/.." nixpkgs#shellcheck -c "$scriptDir/shellcheck.sh"
+    "$scriptDir/shellcheck.sh"
 }

 all() {
--- a/test/shellcheck.sh
+++ b/test/shellcheck.sh
@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../helper/run-in-nix-env" "shellcheck findutils gnugrep" "$@"

 cd "${BASH_SOURCE[0]%/*}/.."
 {