Merge fort-nix/nix-bitcoin#597: Integrate trustedcoin clightning plugin

a3c654768c docs: trustedcoin: add info about possible problems (Otto Sabart) 67f2eb2feb trustedcoin: explicitly use the HTTPS_PROXY for external connections (Otto Sabart) 4942130abe tests: add tests for trustedcoin clightning plugin (Otto Sabart) 8c00c26fa1 trustedcoin: update to v0.6.1 (Otto Sabart) 5b5e76931d trustedcoin: fix shellcheck (Otto Sabart) 3d26f72b7f clightning-plugins: add trustedcoin (neverupdate) c747ddbf32 readme: reference trustedcoin source (neverupdate) 35fc3a2b44 trustedcoin: add module (neverupdate) 3197338d81 trustedcoin: add pkg (neverupdate) Pull request description: ACKs for top commit: jonasnick: ACK a3c654768c Tree-SHA512: 81075d051c500b533ac979530645ccb596c57cf93cf695419eda9f13575863b1cece0cb9a423fc669d96b97a19ba6a49012a1abef310f904df99b90762c5c943
2023-04-17 11:21:44 +00:00 · 2023-04-17 11:21:44 +00:00 · 7736468466
commit 7736468466
parent 8851c08bb6 a3c654768c
11 changed files with 125 additions and 2 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -27,6 +27,7 @@ task:
          - scenario: default
          - scenario: netns
          - scenario: netnsRegtest
+          - scenario: trustedcoin
      # This script is run as root
      build_script:
        - echo "sandbox = true" >> /etc/nix/nix.conf
--- a/README.md
+++ b/README.md
@ -79,6 +79,7 @@ NixOS modules ([src](modules/modules.nix))
    * [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server
    * [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced
    * [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status
+    * [trustedcoin](https://github.com/nbd-wtf/trustedcoin) [[experimental](docs/services.md#trustedcoin-hints)]: replaces bitcoind with trusted public explorers
    * [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints
  * [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning
  * [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md)
--- a/docs/services.md
+++ b/docs/services.md
@ -621,3 +621,27 @@ services.clightning = {
 ```

 Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options.
+
+### Trustedcoin hints
+The [trustedcoin](https://github.com/nbd-wtf/trustedcoin) plugin use a Tor
+proxy for all of its external connections by default. That's why you can
+sometimes face issues with your connections to esploras getting blocked.
+
+An example of clightning log error output in a case your connections are getting blocked:
+
+```
+lightningd[5138]: plugin-trustedcoin estimatefees error: https://blockstream.info/api error: 403 Forbidden
+```
+
+```
+lightningd[4933]: plugin-trustedcoin getblock error: got something that isn't a block hash: <html><head>
+lightningd[4933]: <meta http-equiv="content-type" content="text/html;
+```
+
+If you face these issues and you still need to use trustedcoin, use can disable
+clightning's tor hardening by setting this option in your `configuration.nix`
+file:
+
+```
+services.clightning.tor.enforce = false;
+```
--- a/modules/clightning-plugins/default.nix
+++ b/modules/clightning-plugins/default.nix
@ -17,6 +17,7 @@ in {
    ./feeadjuster.nix
    ./prometheus.nix
    ./summary.nix
+    ./trustedcoin.nix
    ./zmq.nix
  ];

--- a/modules/clightning-plugins/trustedcoin.nix
+++ b/modules/clightning-plugins/trustedcoin.nix
@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let cfg = config.services.clightning.plugins.trustedcoin; in
+{
+  options.services.clightning.plugins.trustedcoin = {
+    enable = mkEnableOption "Trustedcoin (clightning plugin)";
+    package = mkOption {
+      type = types.package;
+      default = config.nix-bitcoin.pkgs.trustedcoin;
+      defaultText = "config.nix-bitcoin.pkgs.trustedcoin";
+      description = mdDoc "The package providing trustedcoin binaries.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.clightning.extraConfig = ''
+      plugin=${cfg.package}/bin/trustedcoin
+      disable-plugin=bcli
+    '';
+
+    # Trustedcoin does not honor the clightning's proxy configuration.
+    # Ref.: https://github.com/nbd-wtf/trustedcoin/pull/19
+    systemd.services.clightning.environment = mkIf (config.services.clightning.proxy != null) {
+      HTTPS_PROXY = "socks5://${config.services.clightning.proxy}";
+    };
+  };
+}
--- a/modules/clightning.nix
+++ b/modules/clightning.nix
@ -107,13 +107,15 @@ let
  network = bitcoind.makeNetworkName "bitcoin" "regtest";
  configFile = pkgs.writeText "config" ''
    network=${network}
-    bitcoin-datadir=${bitcoind.dataDir}
+    ${optionalString (!cfg.plugins.trustedcoin.enable) "bitcoin-datadir=${bitcoind.dataDir}"}
    ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
    always-use-proxy=${boolToString cfg.always-use-proxy}
    bind-addr=${cfg.address}:${toString cfg.port}
+
    bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address}
    bitcoin-rpcport=${toString bitcoind.rpc.port}
    bitcoin-rpcuser=${bitcoind.rpc.users.public.name}
+
    rpc-file-mode=0660
    log-timestamps=false
    ${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"}
@ -161,6 +163,7 @@ in {
        {
          cat ${configFile}
          echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)"
+
          ${optionalString (cfg.getPublicAddressCmd != "") ''
            echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}"
          ''}
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -20,6 +20,7 @@ let self = {
  # The secp256k1 version used by joinmarket
  secp256k1 = pkgs.callPackage ./secp256k1 { };
  spark-wallet = pkgs.callPackage ./spark-wallet { };
+  trustedcoin = pkgs.callPackage ./trustedcoin { };

  pyPkgs = import ./python-packages self pkgs.python3;
  inherit (self.pyPkgs)
--- a/pkgs/trustedcoin/default.nix
+++ b/pkgs/trustedcoin/default.nix
@ -0,0 +1,23 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "trustedcoin";
+  version = "0.6.1";
+  src = fetchFromGitHub {
+    owner = "nbd-wtf";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-UNQjxhAT0mK1In7vUtIoMoMNBV+0wkrwbDmm7m+0R3o=";
+  };
+
+  vendorSha256 = "sha256-xvkK9rMQlXTnNyOMd79qxVSvhgPobcBk9cq4/YWbupY=";
+
+  subPackages = [ "." ];
+
+  meta = with lib; {
+    description = "Light bitcoin node implementation";
+    homepage = "https://github.com/nbd-wtf/trustedcoin";
+    maintainers = with maintainers; [ seberm fort-nix ];
+    platforms = platforms.linux;
+  };
+}
--- a/pkgs/trustedcoin/get-sha256.sh
+++ b/pkgs/trustedcoin/get-sha256.sh
@ -0,0 +1,20 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p git gnupg curl jq
+set -euo pipefail
+
+
+TMPDIR="$(mktemp -d -p /tmp)"
+trap 'rm -rf $TMPDIR' EXIT
+cd "$TMPDIR"
+
+echo "Fetching latest release"
+repo='nbd-wtf/trustedcoin'
+latest=$(curl --location --silent --show-error https://api.github.com/repos/${repo}/releases/latest | jq -r .tag_name)
+echo "Latest release is $latest"
+git clone --depth 1 --branch "$latest" "https://github.com/${repo}" 2>/dev/null
+cd trustedcoin
+
+echo "tag: $latest"
+git checkout -q "tags/$latest"
+rm -rf .git
+nix --extra-experimental-features nix-command hash path .
--- a/test/tests.nix
+++ b/test/tests.nix
@ -45,7 +45,7 @@ let
      services.clightning.extraConfig = mkIf config.test.noConnections "disable-dns";
      test.data.clightning-plugins = let
        plugins = config.services.clightning.plugins;
-        removed = [ "commando" ];
+        removed = [ "commando" "trustedcoin" ];
        enabled = builtins.filter (plugin: plugins.${plugin}.enable)
                                  (subtractLists removed (builtins.attrNames plugins));
        nbPkgs = config.nix-bitcoin.pkgs;
@ -315,6 +315,15 @@ let
      services.lnd.enable = true;
      services.bitcoind.prune = 1000;
    };
+
+    # Test the special clightning setup where trustedcoin plugin is used
+    trustedcoin = {
+      tests.trustedcoin = true;
+      services.clightning = {
+        enable = true;
+        plugins.trustedcoin.enable = true;
+      };
+    };
  } // (import ../dev/dev-scenarios.nix {
    inherit lib scenarios;
  });
--- a/test/tests.py
+++ b/test/tests.py
@ -433,6 +433,18 @@ def _():
    if enabled("btcpayserver"):
        machine.wait_until_succeeds(log_has_string("nbxplorer", f"At height: {num_blocks}"))

+@test("trustedcoin")
+def _():
+    machine.wait_for_unit("bitcoind")
+    machine.wait_for_unit("clightning")
+
+    # Let's check the trustedcoin plugin was correctly initialized
+    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+initialized plugin"))
+    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+bitcoind RPC working"))
+    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+tip: 0"))
+    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+estimatefees error: none of the esploras returned usable responses"))
+
+
 if "netns-isolation" in enabled_tests:
    def ip(name):
        return test_data["netns"][name]["address"]