From 61c539d5b636e26bfea22ad3e9ce022748cd889d Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Sat, 22 Oct 2022 23:52:59 +0200
Subject: [PATCH 1/4] defaultHardening: allow syscall `set_mempolicy`

This syscall is safe to allow. It's required by the dotnet runtime (btcpayserver, nbxplorer) update introduced in the following commit.
---
 pkgs/lib.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index fb25950..dd0a803 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@@ -33,7 +33,7 @@ let self = {
 # @system-service whitelist and docker seccomp blacklist (except for "clone"
 # which is a core requirement for systemd services)
 # @system-service is defined in src/shared/seccomp-util.c (systemd source)
- SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
+ SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key setns unshare userfaultfd" ];
 SystemCallArchitectures = "native";
 };

From 3549725b510c51d06669fe97b13c26585e0afb5c Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Sat, 22 Oct 2022 23:53:00 +0200
Subject: [PATCH 2/4] update nixpkgs

btcpayserver: 1.6.10 -> 1.6.12
clightning: 0.12.0 -> 0.12.1
fulcrum: 1.8.1 -> 1.8.2
nbxplorer: 2.3.33 -> 2.3.41
---
 flake.lock | 12 ++++++------
 pkgs/pinned.nix | 6 +++---
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index be13d8b..24b5cbc 100644
--- a/flake.lock
+++ b/flake.lock
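Review bot: The context comment kept above the changed `SystemCallFilter` line still describes the list as "docker seccomp blacklist (except for "clone" ...)", but with `set_mempolicy` dropped the list now deviates from that blacklist in a second place, so the comment is stale the moment this lands. Suggest extending it to `# ... blacklist (except for "clone", a core requirement for systemd services, and "set_mempolicy", needed by the dotnet runtime; it only changes the calling process' own NUMA policy)`. The commit message's "safe to allow" is asserted rather than explained, and the related NUMA syscalls `mbind` and `move_pages` stay denied, so a reader needs the rationale next to the filter to see that the split is intentional and to audit it later.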
@@ -17,11 +17,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1663760840,
- "narHash": "sha256-ym5Iycs5H4cOaLfE2/vC0tsLp8XuBJQIHGV8/uXSy8M=",
+ "lastModified": 1666528161,
+ "narHash": "sha256-PFOQSC0x4xPD1p/GZIbpKuoEBu6M8HnEOeNRiBUCELA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "9bdbbaa634aa666eb6a27096bdcb991c59181244",
+ "rev": "471d92178b978fcbad8db27c2e8a4e737d4e0e27",
 "type": "github"
 },
 "original": {
@@ -33,11 +33,11 @@
 },
 "nixpkgsUnstable": {
 "locked": {
- "lastModified": 1663757063,
- "narHash": "sha256-H+BPgoXuVcdi3g5BH4cact4osjfjntaTQTdA/HNiCYE=",
+ "lastModified": 1666570118,
+ "narHash": "sha256-MTXmIYowHM1wyIYyqPdBLia5SjGnxETv0YkIbDsbkx4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "a0e390471362e27349abc1090197e09fe8c59d16",
+ "rev": "1e684b371cf05300bc2b432f958f285855bac8fb",
 "type": "github"
 },
 "original": {
diff --git a/pkgs/pinned.nix b/pkgs/pinned.nix
index a9cc8aa..868d3fe 100644
--- a/pkgs/pinned.nix
+++ b/pkgs/pinned.nix
@@ -6,8 +6,7 @@ pkgs: pkgsUnstable:
 bitcoind
 extra-container
 lightning-pool
- lndconnect
- nbxplorer;
+ lndconnect;

 inherit (pkgsUnstable)
 btcpayserver
@@ -17,7 +16,8 @@ pkgs: pkgsUnstable:
 elementsd
 fulcrum
 hwi
- lightning-loop;
+ lightning-loop
+ nbxplorer;

 inherit pkgs pkgsUnstable;
 }

From 13a835e88f21bdeb5b348de94364e1feafb3d56b Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Mon, 24 Oct 2022 11:49:32 +0200
Subject: [PATCH 3/4] Revert "pkgs: add lnd 0.15.2"

This reverts commit cf836b5d3b75a6c634391aa78a0113f540e637b9.
---
 pkgs/default.nix | 5 -----
 pkgs/lnd-0.15.2.nix | 40 ----------------------------------------
 pkgs/pinned.nix | 1 +
 3 files changed, 1 insertion(+), 45 deletions(-)
 delete mode 100644 pkgs/lnd-0.15.2.nix

diff --git a/pkgs/default.nix b/pkgs/default.nix
index 95d397c..21ede79 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
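Review bot: The pinned.nix hunks move `nbxplorer` from the `inherit (pkgs)` group to `inherit (pkgsUnstable)`, but neither the commit message (which only lists the version bump) nor a comment says why this service now tracks the unstable channel. Presumably it has to stay on the same dotnet runtime as `btcpayserver`, which patch 1 hints at, but that is inferred; if so, a one-line comment in the `inherit (pkgsUnstable)` group such as `# nbxplorer and btcpayserver share the dotnet runtime and must be bumped together` would make the channel choice deliberate rather than something a later cleanup moves back. Tracking unstable widens the update surface for a component whose RPC cookie btcpayserver consumes, so the reason deserves to be written down where the pin lives.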
@@ -37,10 +37,5 @@ let self = {
 pinned = import ./pinned.nix pkgs pkgsUnstable;

- # TODO-EXTERNAL:
- # Remove this when https://github.com/NixOS/nixpkgs/pull/195337 is available in the
- # nixpkgs-unstable channel
- lnd = pkgsUnstable.callPackage ./lnd-0.15.2.nix {};
-
 modulesPkgs = self // self.pinned;
 };
 in self
diff --git a/pkgs/lnd-0.15.2.nix b/pkgs/lnd-0.15.2.nix
deleted file mode 100644
index bb91e14..0000000
--- a/pkgs/lnd-0.15.2.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ buildGoModule
-, fetchFromGitHub
-, lib
-, tags ? [ "autopilotrpc" "signrpc" "walletrpc" "chainrpc" "invoicesrpc" "watchtowerrpc" "routerrpc" "monitoring" "kvdb_postgres" "kvdb_etcd" ]
-}:
-
-buildGoModule rec {
- pname = "lnd";
- version = "0.15.2-beta";
-
- src = fetchFromGitHub {
- owner = "lightningnetwork";
- repo = "lnd";
- rev = "v${version}";
- sha256 = "sha256-C7BZ6awY2v5Uvvh12YEosoEQyJoetWzH/1wIQSVjtEk=";
- };
-
- vendorSha256 = "sha256-rCdcPkgrFcDfLfF8wipFws7YTKEgotuVqVIJYLMOxbs=";
-
- subPackages = [ "cmd/lncli" "cmd/lnd" ];
-
- preBuild = let
- buildVars = {
- RawTags = lib.concatStringsSep "," tags;
- GoVersion = "$(go version | egrep -o 'go[0-9]+[.][^ ]*')";
- };
- buildVarsFlags = lib.concatStringsSep " " (lib.mapAttrsToList (k: v: "-X github.com/lightningnetwork/lnd/build.${k}=${v}") buildVars);
- in
- lib.optionalString (tags != []) ''
- buildFlagsArray+=("-tags=${lib.concatStringsSep " " tags}")
- buildFlagsArray+=("-ldflags=${buildVarsFlags}")
- '';
-
- meta = with lib; {
- description = "Lightning Network Daemon";
- homepage = "https://github.com/lightningnetwork/lnd";
- license = licenses.mit;
- maintainers = with maintainers; [ cypherpunk2140 prusnak ];
- };
-}
diff --git a/pkgs/pinned.nix b/pkgs/pinned.nix
index 868d3fe..1ff832b 100644
--- a/pkgs/pinned.nix
+++ b/pkgs/pinned.nix
@@ -6,6 +6,7 @@ pkgs: pkgsUnstable:
 bitcoind
 extra-container
 lightning-pool
+ lnd
 lndconnect;

 inherit (pkgsUnstable)
From c88acbb1bb48d19335bb44f0ed3613e994bd6edc Mon Sep 17 00:00:00 2001
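Review bot: The pinned.nix hunk re-adds `lnd` under `inherit (pkgs)`, the stable channel, while the TODO removed from default.nix said the 0.15.2 override could go once nixpkgs PR 195337 reached nixpkgs-unstable, so the lnd version is now decided by the stable nixpkgs rev bumped in patch 2 rather than by the channel the TODO was waiting on. Nothing in the series states which lnd version `pkgs.lnd` resolves to at rev 471d921; if it is older than 0.15.2 this revert is a silent downgrade of a daemon that holds funds and was pinned forward for a reason. Please record the resolved version in the commit message, e.g. `lnd 0.15.2 is now in nixpkgs (stable, 471d921), so the local override is no longer needed`, or place `lnd` in the `inherit (pkgsUnstable)` group if that is where the fix actually landed.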
From: Erik Arvstedt
Date: Mon, 24 Oct 2022 12:06:45 +0200
Subject: [PATCH 4/4] btcpayserver: use new option `certfilepath` for lnd

---
 modules/btcpayserver.nix | 29 +++++++++++------------------
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index 3a6dc43..8437537 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -200,7 +200,7 @@ in {
 systemd.services.btcpayserver = let
 nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/";
 nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie";
- configFile = builtins.toFile "config" (''
+ configFile = builtins.toFile "btcpayserver-config" (''
 network=${bitcoind.network}
 bind=${cfg.btcpayserver.address}
 port=${toString cfg.btcpayserver.port}
@@ -212,34 +212,27 @@ in {
 rootpath=${cfg.btcpayserver.rootpath}
 '' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
 btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc
- '' + optionalString cfg.btcpayserver.lbtc ''
+ '' + optionalString (cfg.btcpayserver.lightningBackend == "lnd")
+ (
+ "btclightning=type=lnd-rest;"
+ + "server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;"
+ + "macaroonfilepath=/run/lnd/btcpayserver.macaroon;"
+ + "certfilepath=${config.services.lnd.certPath}"
+ + "\n"
+ )
+ + optionalString cfg.btcpayserver.lbtc ''
 chains=btc,lbtc
 lbtcexplorerurl=${nbExplorerUrl}
 lbtcexplorercookiefile=${nbExplorerCookie}
 '');
- lndConfig =
- "btclightning=type=lnd-rest;" +
- "server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
- "macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
- "certthumbprint=";
 in let self = {
 wantedBy = [ "multi-user.target" ];
 requires = [ "nbxplorer.service" "postgresql.service" ]
 ++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
 after = self.requires;
- preStart = ''
- install -m 600 ${configFile} '${cfg.btcpayserver.dataDir}/settings.config'
- ${optionalString (cfg.btcpayserver.lightningBackend == "lnd") ''
- {
- echo -n "${lndConfig}"
- ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.services.lnd.certPath} \
- | sed -e 's/.*=//;s/://g'
- } >> '${cfg.btcpayserver.dataDir}/settings.config'
- ''}
- '';
 serviceConfig = nbLib.defaultHardening // {
 ExecStart = ''
- ${cfg.btcpayserver.package}/bin/btcpayserver --conf='${cfg.btcpayserver.dataDir}/settings.config' \
+ ${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \
 --datadir='${cfg.btcpayserver.dataDir}'
 '';
 User = cfg.btcpayserver.user;
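Review bot: With the `install -m 600 ... settings.config` step removed, the config is now handed to btcpayserver straight from the Nix store via `--conf=${configFile}`, and store paths are world-readable; the config lines visible in this hunk only carry paths (macaroon, cookie, cert) and addresses, but file lines 204–211 of the `configFile` body fall between the two hunks and are not shown, so please confirm nothing there is a secret value rather than a path. A comment at the `configFile` binding would pin that invariant for future edits: `# Lives in the world-readable Nix store: reference secret files by path, never embed their contents`. The old `settings.config` in `${cfg.btcpayserver.dataDir}` is no longer rewritten on start, so existing deployments keep a stale 0600 copy still ending in `certthumbprint=`, which anyone running the binary without `--conf` would silently pick up; consider `preStart = "rm -f '${cfg.btcpayserver.dataDir}/settings.config'";` or at least a sentence in the commit message. Switching from a start-time `certthumbprint` to `certfilepath` presumably lets a regenerated lnd certificate be picked up without restarting btcpayserver, and since the option is new, an override of `cfg.btcpayserver.package` older than 1.6.12 will hand lnd an unknown connection-string key — both are worth stating in the commit description.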