c88acbb1bb btcpayserver: use new option `certfilepath` for lnd (Erik Arvstedt)
13a835e88f Revert "pkgs: add lnd 0.15.2" (Erik Arvstedt)
3549725b51 update nixpkgs (Erik Arvstedt)
61c539d5b6 defaultHardening: allow syscall `set_mempolicy` (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK c88acbb1bb

Tree-SHA512: 450fc27bb738d7465be829bc6ceda0030cdfc6bb75d15001986450c8189d675fe0fd0a0e6875c0224a239be0aae3acbecb74fb3b970fb6a8dfedd1d463a93d55
This commit is contained in:
Jonas Nick 2022-10-25 07:56:54 +00:00
commit 9d074e1985
No known key found for this signature in database
GPG Key ID: 4861DBF262123605
6 changed files with 22 additions and 73 deletions

View File

@ -17,11 +17,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1663760840,
"narHash": "sha256-ym5Iycs5H4cOaLfE2/vC0tsLp8XuBJQIHGV8/uXSy8M=",
"lastModified": 1666528161,
"narHash": "sha256-PFOQSC0x4xPD1p/GZIbpKuoEBu6M8HnEOeNRiBUCELA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "9bdbbaa634aa666eb6a27096bdcb991c59181244",
"rev": "471d92178b978fcbad8db27c2e8a4e737d4e0e27",
"type": "github"
},
"original": {
@ -33,11 +33,11 @@
},
"nixpkgsUnstable": {
"locked": {
"lastModified": 1663757063,
"narHash": "sha256-H+BPgoXuVcdi3g5BH4cact4osjfjntaTQTdA/HNiCYE=",
"lastModified": 1666570118,
"narHash": "sha256-MTXmIYowHM1wyIYyqPdBLia5SjGnxETv0YkIbDsbkx4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a0e390471362e27349abc1090197e09fe8c59d16",
"rev": "1e684b371cf05300bc2b432f958f285855bac8fb",
"type": "github"
},
"original": {

View File

@ -200,7 +200,7 @@ in {
systemd.services.btcpayserver = let
nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/";
nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie";
configFile = builtins.toFile "config" (''
configFile = builtins.toFile "btcpayserver-config" (''
network=${bitcoind.network}
bind=${cfg.btcpayserver.address}
port=${toString cfg.btcpayserver.port}
@ -212,34 +212,27 @@ in {
rootpath=${cfg.btcpayserver.rootpath}
'' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc
'' + optionalString cfg.btcpayserver.lbtc ''
'' + optionalString (cfg.btcpayserver.lightningBackend == "lnd")
(
"btclightning=type=lnd-rest;" +
"server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
"macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
"certfilepath=${config.services.lnd.certPath}" +
"\n"
)
+ optionalString cfg.btcpayserver.lbtc ''
chains=btc,lbtc
lbtcexplorerurl=${nbExplorerUrl}
lbtcexplorercookiefile=${nbExplorerCookie}
'');
lndConfig =
"btclightning=type=lnd-rest;" +
"server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
"macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
"certthumbprint=";
in let self = {
wantedBy = [ "multi-user.target" ];
requires = [ "nbxplorer.service" "postgresql.service" ]
++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
after = self.requires;
preStart = ''
install -m 600 ${configFile} '${cfg.btcpayserver.dataDir}/settings.config'
${optionalString (cfg.btcpayserver.lightningBackend == "lnd") ''
{
echo -n "${lndConfig}"
${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.services.lnd.certPath} \
| sed -e 's/.*=//;s/://g'
} >> '${cfg.btcpayserver.dataDir}/settings.config'
''}
'';
serviceConfig = nbLib.defaultHardening // {
ExecStart = ''
${cfg.btcpayserver.package}/bin/btcpayserver --conf='${cfg.btcpayserver.dataDir}/settings.config' \
${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \
--datadir='${cfg.btcpayserver.dataDir}'
'';
User = cfg.btcpayserver.user;

View File

@ -37,10 +37,5 @@ let self = {
pinned = import ./pinned.nix pkgs pkgsUnstable;
# TODO-EXTERNAL:
# Remove this when https://github.com/NixOS/nixpkgs/pull/195337 is available in the
# nixpkgs-unstable channel
lnd = pkgsUnstable.callPackage ./lnd-0.15.2.nix {};
modulesPkgs = self // self.pinned;
}; in self

View File

@ -33,7 +33,7 @@ let self = {
# @system-service whitelist and docker seccomp blacklist (except for "clone"
# which is a core requirement for systemd services)
# @system-service is defined in src/shared/seccomp-util.c (systemd source)
SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key setns unshare userfaultfd" ];
SystemCallArchitectures = "native";
};

View File

@ -1,40 +0,0 @@
{ buildGoModule
, fetchFromGitHub
, lib
, tags ? [ "autopilotrpc" "signrpc" "walletrpc" "chainrpc" "invoicesrpc" "watchtowerrpc" "routerrpc" "monitoring" "kvdb_postgres" "kvdb_etcd" ]
}:
buildGoModule rec {
pname = "lnd";
version = "0.15.2-beta";
src = fetchFromGitHub {
owner = "lightningnetwork";
repo = "lnd";
rev = "v${version}";
sha256 = "sha256-C7BZ6awY2v5Uvvh12YEosoEQyJoetWzH/1wIQSVjtEk=";
};
vendorSha256 = "sha256-rCdcPkgrFcDfLfF8wipFws7YTKEgotuVqVIJYLMOxbs=";
subPackages = [ "cmd/lncli" "cmd/lnd" ];
preBuild = let
buildVars = {
RawTags = lib.concatStringsSep "," tags;
GoVersion = "$(go version | egrep -o 'go[0-9]+[.][^ ]*')";
};
buildVarsFlags = lib.concatStringsSep " " (lib.mapAttrsToList (k: v: "-X github.com/lightningnetwork/lnd/build.${k}=${v}") buildVars);
in
lib.optionalString (tags != []) ''
buildFlagsArray+=("-tags=${lib.concatStringsSep " " tags}")
buildFlagsArray+=("-ldflags=${buildVarsFlags}")
'';
meta = with lib; {
description = "Lightning Network Daemon";
homepage = "https://github.com/lightningnetwork/lnd";
license = licenses.mit;
maintainers = with maintainers; [ cypherpunk2140 prusnak ];
};
}

View File

@ -6,8 +6,8 @@ pkgs: pkgsUnstable:
bitcoind
extra-container
lightning-pool
lndconnect
nbxplorer;
lnd
lndconnect;
inherit (pkgsUnstable)
btcpayserver
@ -17,7 +17,8 @@ pkgs: pkgsUnstable:
elementsd
fulcrum
hwi
lightning-loop;
lightning-loop
nbxplorer;
inherit pkgs pkgsUnstable;
}