diff --git a/.cirrus.yml b/.cirrus.yml
index 3b56692..430078f 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -39,4 +39,4 @@ task:
 - name: shellcheck
 build_script:
- - nix shell --inputs-from . nixpkgs#{shellcheck,findutils,gnugrep} -c ./test/shellcheck.sh
+ - ./test/shellcheck.sh
diff --git a/README.md b/README.md
index 1b51aa0..b4439d8 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ top left corner of the documents.
-* [NixOS Options Search](https://search.nixos.org/flakes?channel=unstable&sort=relevance&type=options&query=bitcoin)
+* [NixOS options search](https://search.nixos.org/flakes?channel=unstable&sort=relevance&type=options&query=bitcoin)
 * [Hardware requirements](docs/hardware.md)
 * [Installation](docs/install.md)
 * [Configuration and maintenance](docs/configuration.md)
diff --git a/SECURITY.md b/SECURITY.md
index 8ec3485..e6faf95 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -35,7 +35,7 @@ amounts.
 The nix-bitcoin developers [listed above](#reporting-a-vulnerability) each hold one key to the multisig address and collectively form the nix-bitcoin developer
-quorum:
+quorum.
 ### Eligible Vulnerabilities
diff --git a/default.nix b/default.nix
index 14030d9..660779e 100644
--- a/default.nix
+++ b/default.nix
@@ -1,5 +1,3 @@
 { pkgs ? import {} }:
-(import ./pkgs { inherit pkgs; }) // {
- modules = import ./modules;
-}
+import ./pkgs { inherit pkgs; }
diff --git a/docs/configuration.md b/docs/configuration.md
index b0f151c..878bf45 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
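Review bot: Dropping the `modules` attribute from what `default.nix` evaluates to silently breaks any out-of-tree consumer that still does `(import ./default.nix).modules`; they get a bare attribute-missing error with no hint about where the modules went. Since `modules/default.nix` is deleted in this same commit there is nothing left to alias, but a lazy throw keeps the failure explicit, e.g. `(import ./pkgs { inherit pkgs; }) // { modules = throw "nix-bitcoin: the 'modules' attribute was removed; use the flake's NixOS module outputs instead"; }`. Whether anyone outside the repository relied on this attribute, and what the flake's module outputs are called, is not visible from the diff.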
@@ -214,18 +214,15 @@ services.bitcoind = {
 };
 ```
-If a `secure-node.nix` or `tor-enable.nix` preset is imported in your
-configuration or a `tor.enforce` option is explicitly enabled, you also need to
-allow remote connections for **every** service which needs to connect to the
-remote bitcoind:
-
-```
-systemd.services..serviceConfig = {
- IPAddressAllow = [ ${services.bitcoind.rpc.address} ];
-};
+For each service that connects to bitcoind and has option
+`services..tor.enforce` enabled (either explicitly or by importing
+`secure-node.nix` or `enable-tor.nix`), you need to
+allow the remote bitcoind connection:
+```nix
+systemd.services..serviceConfig.IPAddressAllow = [ ${services.bitcoind.rpc.address} ];
 ```
-> Please note that configuration above applies only if the remote bitcoind **is
+> The above configuration is only required if the remote bitcoind **is
 > not** accessed via Tor.
diff --git a/helper/run-in-nix-env b/helper/run-in-nix-env
new file mode 100644
index 0000000..d2e0976
--- /dev/null
+++ b/helper/run-in-nix-env
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+# Usage:
+# source "path/to/run-in-nix-env" "pkg1 pkg2 ..." "$@"
+#
+# Runs the calling script with pkgs1, pkg2, ... in PATH.
+# The packages are sourced from the nixpkgs input of the nix-bitcoin root flake.
+
+if [[ ${_NIX_BITCOIN_ENV_PKGS:-} != "$1" ]]; then
+ export _NIX_BITCOIN_ENV_PKGS=$1
+ shift
+
+ _shell_pkgs=()
+ for _pkg in $_NIX_BITCOIN_ENV_PKGS; do
+ _shell_pkgs+=("nixpkgs#$_pkg")
+ done
+ # BASH_SOURCE[0] is this file
+ # BASH_SOURCE[-1] is the root src file
+ exec nix shell --inputs-from "${BASH_SOURCE[0]%/*}/.." "${_shell_pkgs[@]}" -c "${BASH_SOURCE[-1]}" "$@"
+fi
diff --git a/modules/clightning-replication.nix b/modules/clightning-replication.nix
index 1cf58da..fe482ee 100644
--- a/modules/clightning-replication.nix
+++ b/modules/clightning-replication.nix
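Review bot: `exec nix shell ... -c "${BASH_SOURCE[-1]}" "$@"` re-runs the calling script by path, so the caller must be an executable file (a script started as `bash script.sh` on a non-executable file passes the source line and then dies at the exec), and the Usage comment should say so. The negative subscript also needs a bash with negative array indices (4.2 or later, if I recall the release notes correctly; the stock macOS bash is 3.2), which `#!/usr/bin/env bash` does not guarantee; `"${BASH_SOURCE[${#BASH_SOURCE[@]}-1]}"` expresses the same thing without that dependency. I would also document the recursion guard and the reason for this helper in the header, e.g. `# _NIX_BITCOIN_ENV_PKGS marks the re-executed run, so sourcing this file is a no-op the second time.` and `# --inputs-from pins the packages to the nixpkgs locked in flake.lock rather than the ambient nixpkgs channel that nix-shell -p would use.`, since that pinning is what the old shebangs lacked.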
@@ -143,8 +143,11 @@ in {
 # We can't simply set `destDir` here because it might point to
 # a FUSE mount.
 # FUSE mounts can only be set up as `ReadWritePaths` by systemd when they
- # are accessible by root. This would require FUSE-mounting with option
- # `allow_other`.
+ # are accessible by root.
+ # But FUSE mounts are only accessible by the mounting user and
+ # not by root.
+ # (This could be circumvented by FUSE-mounting `destDir` with option `allow_other`,
+ # but this would grant access to all users.)
 (if useMounts then mountsDir else localDir)
 ];
 };
diff --git a/modules/default.nix b/modules/default.nix
deleted file mode 100644
index f173f9a..0000000
--- a/modules/default.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- modules = ./modules.nix;
- bitcoind = ./bitcoind.nix;
- clightning = ./clightning.nix;
- default = ./default.nix;
- electrs = ./electrs.nix;
- liquid = ./liquid.nix;
- presets.secure-node = ./presets/secure-node.nix;
- rtl = ./rtl.nix;
- spark-wallet = ./spark-wallet.nix;
- lnd = ./lnd.nix;
- charge-lnd = ./charge-lnd.nix;
- joinmarket = ./joinmarket.nix;
-}
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 032e1c1..3a5a10a 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -73,7 +73,7 @@ let
 generateSecretsScript = mkOption {
 internal = true;
 default = let
- rpcauthSrc = builtins.fetchurl {
+ rpcauthSrc = pkgs.fetchurl {
 url = "https://raw.githubusercontent.com/bitcoin/bitcoin/d6cde007db9d3e6ee93bd98a9bbfdce9bfa9b15b/share/rpcauth/rpcauth.py";
 sha256 = "189mpplam6yzizssrgiyv70c9899ggh8cac76j4n7v0xqzfip07n";
 };
diff --git a/pkgs/clightning-plugins/get-sha256.sh b/pkgs/clightning-plugins/get-sha256.sh
index 886d5f8..b66906f 100755
--- a/pkgs/clightning-plugins/get-sha256.sh
+++ b/pkgs/clightning-plugins/get-sha256.sh
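Review bot: The rewritten comment rules out making the FUSE mount visible to root on the grounds that `allow_other` would expose it to every user, but libfuse also has `allow_root`, which admits only the mounting user and root; a reader who knows that option will reopen the question. If it was considered and rejected (for instance because the mounting tool does not expose it, or because it is still gated by `user_allow_other` in `/etc/fuse.conf`), one more parenthetical line after the `allow_other` sentence, e.g. `# \`allow_root\` would be narrower but is not usable here because …`, would close it. The list this comment sits in begins outside the hunk.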
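Review bot: Switching `rpcauthSrc` to `pkgs.fetchurl` turns the eval-time download into a fixed-output derivation built by the daemon, but nothing at the definition says why this script is pinned the way it is: the upstream commit in the URL plus the `sha256` are the only things standing between an upstream change and the code that generates the node's RPC credentials, and they have to be bumped together. A comment on the `rpcauthSrc` line would make that intent survive the next update, e.g. `# Pinned to an exact upstream commit and hash-verified: this script generates the RPC credentials, so never point it at a moving branch.`. Whether `pkgs` is already an argument of this module is not visible here; the enclosing `let` begins outside the hunk.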
@@ -1,6 +1,6 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git" "$@"
 archive_hash () {
 repo=$1
diff --git a/pkgs/clightning-rest/generate.sh b/pkgs/clightning-rest/generate.sh
index 038be02..c03bdf3 100755
--- a/pkgs/clightning-rest/generate.sh
+++ b/pkgs/clightning-rest/generate.sh
@@ -1,6 +1,6 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i bash -p gnupg wget gnused
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
 version="0.9.0"
 repo=https://github.com/Ride-The-Lightning/c-lightning-REST
diff --git a/pkgs/joinmarket/get-sha256.sh b/pkgs/joinmarket/get-sha256.sh
index 111aa68..1a36b12 100755
--- a/pkgs/joinmarket/get-sha256.sh
+++ b/pkgs/joinmarket/get-sha256.sh
@@ -1,6 +1,6 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git gnupg
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg" "$@"
 TMPDIR="$(mktemp -d -p /tmp)"
 trap 'rm -rf $TMPDIR' EXIT
diff --git a/pkgs/krops/fetch-release.sh b/pkgs/krops/fetch-release.sh
index 8fa5c5a..44a56b9 100755
--- a/pkgs/krops/fetch-release.sh
+++ b/pkgs/krops/fetch-release.sh
@@ -1,6 +1,6 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git" "$@"
 archive_hash () {
 repo=$1
diff --git a/pkgs/lndinit/get-sha256.sh b/pkgs/lndinit/get-sha256.sh
index cca5bca..7b3d310 100755
--- a/pkgs/lndinit/get-sha256.sh
+++ b/pkgs/lndinit/get-sha256.sh
@@ -1,6 +1,6 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git gnupg curl jq
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg curl jq" "$@"
 TMPDIR=$(mktemp -d -p /tmp)
 trap 'rm -rf $TMPDIR' EXIT
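Review bot: The new source line is a control-flow boundary, not a plain include: on the first run it `exec`s this script again inside `nix shell`, so nothing below it executes until the second invocation and everything above it runs twice, and with `set -euo pipefail` already active a missing helper aborts with a bare "No such file" (the relative `${BASH_SOURCE[0]%/*}` only works when the script is invoked with a path containing a slash, which appears to be the repository's existing convention). A one-line comment above it would save the next reader the lookup, e.g. `# Re-executes this script inside \`nix shell\` with the listed packages from the pinned nixpkgs; a no-op on the re-executed run.`. The same applies to the other generator scripts converted in this commit; the rest of this script follows the hunk.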
diff --git a/pkgs/python-packages/python-bitcointx/get-sha256.sh b/pkgs/python-packages/python-bitcointx/get-sha256.sh
index 745ffb1..ce70cc8 100755
--- a/pkgs/python-packages/python-bitcointx/get-sha256.sh
+++ b/pkgs/python-packages/python-bitcointx/get-sha256.sh
@@ -1,6 +1,6 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p git gnupg
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../../helper/run-in-nix-env" "git gnupg" "$@"
 TMPDIR=$(mktemp -d -p /tmp)
 trap 'rm -rf $TMPDIR' EXIT
diff --git a/pkgs/rtl/generate.sh b/pkgs/rtl/generate.sh
index 0e19d44..937c0d2 100755
--- a/pkgs/rtl/generate.sh
+++ b/pkgs/rtl/generate.sh
@@ -1,6 +1,6 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i bash -p gnupg wget gnused
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
 version="0.13.1"
 repo=https://github.com/Ride-The-Lightning/RTL
diff --git a/pkgs/spark-wallet/generate.sh b/pkgs/spark-wallet/generate.sh
index 50c3a83..ecbbd65 100755
--- a/pkgs/spark-wallet/generate.sh
+++ b/pkgs/spark-wallet/generate.sh
@@ -1,6 +1,6 @@
-#!/usr/bin/env nix-shell
-#! nix-shell -i bash -p nodePackages.node2nix gnupg wget jq moreutils gnused
+#!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "nodePackages.node2nix gnupg wget jq moreutils gnused" "$@"
 TMPDIR=$(mktemp -d -p /tmp)
 trap 'rm -rf $TMPDIR' EXIT
diff --git a/test/lib/create-git-repo.sh b/test/lib/create-git-repo.sh
index 110dfdf..3549904 100644
--- a/test/lib/create-git-repo.sh
+++ b/test/lib/create-git-repo.sh
@@ -4,7 +4,7 @@ cd "$scriptDir/.."
 amend=--amend
- if [[ ! -e .git ]]; then
+ if [[ ! -e .git ]] || ! git rev-parse HEAD 2>/dev/null; then
 git init
 amend=
 fi
diff --git a/test/nixos-search/flake.nix b/test/nixos-search/flake.nix
index 76eb49e..113a71a 100644
--- a/test/nixos-search/flake.nix
+++ b/test/nixos-search/flake.nix
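Review bot: In the `create-git-repo.sh` hunk, `git rev-parse HEAD` prints the commit hash on success and only stderr is redirected, so the new condition now writes a hash line to the script's stdout every time the repository already has a commit, which any caller capturing this script's output will see. `if [[ ! -e .git ]] || ! git rev-parse --verify HEAD >/dev/null 2>&1; then` keeps the check silent and uses `--verify` so a non-existent ref is reported as failure rather than echoed back. The enclosing block of this hunk starts outside the hunk.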
@@ -8,6 +8,5 @@
 # Used by ./ci-test.sh
 inherit (nixos-search.inputs.nixpkgs) legacyPackages;
- nixpkgsPath = toString nixos-search.inputs.nixpkgs;
 };
 }
diff --git a/test/run-tests.sh b/test/run-tests.sh
index 54f25a9..b380853 100755
--- a/test/run-tests.sh
+++ b/test/run-tests.sh
@@ -322,7 +322,7 @@ examples() {
 shellcheck() {
 if ! checkFlakeSupport "shellcheck"; then return; fi
- nix shell --inputs-from "$scriptDir/.." nixpkgs#shellcheck -c "$scriptDir/shellcheck.sh"
+ "$scriptDir/shellcheck.sh"
 }
 all() {
diff --git a/test/shellcheck.sh b/test/shellcheck.sh
index 822f5d9..f6b697e 100755
--- a/test/shellcheck.sh
+++ b/test/shellcheck.sh
@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+. "${BASH_SOURCE[0]%/*}/../helper/run-in-nix-env" "shellcheck findutils gnugrep" "$@"
 cd "${BASH_SOURCE[0]%/*}/.."
 {