Merge fort-nix/nix-bitcoin#560: Update nixpgks

c88acbb1bb btcpayserver: use new option `certfilepath` for lnd (Erik Arvstedt)
13a835e88f Revert "pkgs: add lnd 0.15.2" (Erik Arvstedt)
3549725b51 update nixpkgs (Erik Arvstedt)
61c539d5b6 defaultHardening: allow syscall `set_mempolicy` (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK c88acbb1bb

Tree-SHA512: 450fc27bb738d7465be829bc6ceda0030cdfc6bb75d15001986450c8189d675fe0fd0a0e6875c0224a239be0aae3acbecb74fb3b970fb6a8dfedd1d463a93d55

flake.lock

@@ -17,11 +17,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1663760840,
-        "narHash": "sha256-ym5Iycs5H4cOaLfE2/vC0tsLp8XuBJQIHGV8/uXSy8M=",
+        "lastModified": 1666528161,
+        "narHash": "sha256-PFOQSC0x4xPD1p/GZIbpKuoEBu6M8HnEOeNRiBUCELA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9bdbbaa634aa666eb6a27096bdcb991c59181244",
+        "rev": "471d92178b978fcbad8db27c2e8a4e737d4e0e27",
         "type": "github"
       },
       "original": {
@@ -33,11 +33,11 @@
     },
     "nixpkgsUnstable": {
       "locked": {
-        "lastModified": 1663757063,
-        "narHash": "sha256-H+BPgoXuVcdi3g5BH4cact4osjfjntaTQTdA/HNiCYE=",
+        "lastModified": 1666570118,
+        "narHash": "sha256-MTXmIYowHM1wyIYyqPdBLia5SjGnxETv0YkIbDsbkx4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a0e390471362e27349abc1090197e09fe8c59d16",
+        "rev": "1e684b371cf05300bc2b432f958f285855bac8fb",
         "type": "github"
       },
       "original": {

modules/btcpayserver.nix

@@ -200,7 +200,7 @@ in {
     systemd.services.btcpayserver = let
       nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/";
       nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie";
-      configFile = builtins.toFile "config" (''
+      configFile = builtins.toFile "btcpayserver-config" (''
         network=${bitcoind.network}
         bind=${cfg.btcpayserver.address}
         port=${toString cfg.btcpayserver.port}
@@ -212,34 +212,27 @@ in {
         rootpath=${cfg.btcpayserver.rootpath}
       '' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
         btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc
-      '' + optionalString cfg.btcpayserver.lbtc ''
+      '' + optionalString (cfg.btcpayserver.lightningBackend == "lnd")
+        (
+          "btclightning=type=lnd-rest;" +
+          "server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
+          "macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
+          "certfilepath=${config.services.lnd.certPath}" +
+          "\n"
+        )
+      + optionalString cfg.btcpayserver.lbtc ''
         chains=btc,lbtc
         lbtcexplorerurl=${nbExplorerUrl}
         lbtcexplorercookiefile=${nbExplorerCookie}
       '');
-      lndConfig =
-        "btclightning=type=lnd-rest;" +
-        "server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
-        "macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
-        "certthumbprint=";
     in let self = {
       wantedBy = [ "multi-user.target" ];
       requires = [ "nbxplorer.service" "postgresql.service" ]
                  ++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
       after = self.requires;
-      preStart = ''
-        install -m 600 ${configFile} '${cfg.btcpayserver.dataDir}/settings.config'
-        ${optionalString (cfg.btcpayserver.lightningBackend == "lnd") ''
-          {
-            echo -n "${lndConfig}"
-            ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.services.lnd.certPath} \
-              | sed -e 's/.*=//;s/://g'
-          } >> '${cfg.btcpayserver.dataDir}/settings.config'
-        ''}
-      '';
       serviceConfig = nbLib.defaultHardening // {
         ExecStart = ''
-          ${cfg.btcpayserver.package}/bin/btcpayserver --conf='${cfg.btcpayserver.dataDir}/settings.config' \
+          ${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \
             --datadir='${cfg.btcpayserver.dataDir}'
         '';
         User = cfg.btcpayserver.user;

pkgs/default.nix

@@ -37,10 +37,5 @@ let self = {
 
   pinned = import ./pinned.nix pkgs pkgsUnstable;
 
-  # TODO-EXTERNAL:
-  # Remove this when https://github.com/NixOS/nixpkgs/pull/195337 is available in the
-  # nixpkgs-unstable channel
-  lnd = pkgsUnstable.callPackage ./lnd-0.15.2.nix {};
-
   modulesPkgs = self // self.pinned;
 }; in self

pkgs/lib.nix

@@ -33,7 +33,7 @@ let self = {
       # @system-service whitelist and docker seccomp blacklist (except for "clone"
       # which is a core requirement for systemd services)
       # @system-service is defined in src/shared/seccomp-util.c (systemd source)
-      SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
+      SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key setns unshare userfaultfd" ];
       SystemCallArchitectures = "native";
   };
 

pkgs/lnd-0.15.2.nix

@@ -1,40 +0,0 @@
-{ buildGoModule
-, fetchFromGitHub
-, lib
-, tags ? [ "autopilotrpc" "signrpc" "walletrpc" "chainrpc" "invoicesrpc" "watchtowerrpc" "routerrpc" "monitoring" "kvdb_postgres" "kvdb_etcd" ]
-}:
-
-buildGoModule rec {
-  pname = "lnd";
-  version = "0.15.2-beta";
-
-  src = fetchFromGitHub {
-    owner = "lightningnetwork";
-    repo = "lnd";
-    rev = "v${version}";
-    sha256 = "sha256-C7BZ6awY2v5Uvvh12YEosoEQyJoetWzH/1wIQSVjtEk=";
-  };
-
-  vendorSha256 = "sha256-rCdcPkgrFcDfLfF8wipFws7YTKEgotuVqVIJYLMOxbs=";
-
-  subPackages = [ "cmd/lncli" "cmd/lnd" ];
-
-  preBuild = let
-    buildVars = {
-      RawTags = lib.concatStringsSep "," tags;
-      GoVersion = "$(go version | egrep -o 'go[0-9]+[.][^ ]*')";
-    };
-    buildVarsFlags = lib.concatStringsSep " " (lib.mapAttrsToList (k: v: "-X github.com/lightningnetwork/lnd/build.${k}=${v}") buildVars);
-  in
-  lib.optionalString (tags != []) ''
-    buildFlagsArray+=("-tags=${lib.concatStringsSep " " tags}")
-    buildFlagsArray+=("-ldflags=${buildVarsFlags}")
-  '';
-
-  meta = with lib; {
-    description = "Lightning Network Daemon";
-    homepage = "https://github.com/lightningnetwork/lnd";
-    license = licenses.mit;
-    maintainers = with maintainers; [ cypherpunk2140 prusnak ];
-  };
-}

pkgs/pinned.nix

@@ -6,8 +6,8 @@ pkgs: pkgsUnstable:
     bitcoind
     extra-container
     lightning-pool
-    lndconnect
-    nbxplorer;
+    lnd
+    lndconnect;
 
   inherit (pkgsUnstable)
     btcpayserver
@@ -17,7 +17,8 @@ pkgs: pkgsUnstable:
     elementsd
     fulcrum
     hwi
-    lightning-loop;
+    lightning-loop
+    nbxplorer;
 
   inherit pkgs pkgsUnstable;
 }