From 61c539d5b636e26bfea22ad3e9ce022748cd889d Mon Sep 17 00:00:00 2001
From: Erik Arvstedt <erik.arvstedt@gmail.com>
Date: Sat, 22 Oct 2022 23:52:59 +0200
Subject: [PATCH 1/4] defaultHardening: allow syscall `set_mempolicy`

This syscall is safe to allow.
It's required by the dotnet runtime (btcpayserver, nbxplorer) update
introduced in the following commit.
---
 pkgs/lib.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/lib.nix b/pkgs/lib.nix
index fb25950..dd0a803 100644
--- a/pkgs/lib.nix
+++ b/pkgs/lib.nix
@@ -33,7 +33,7 @@ let self = {
       # @system-service whitelist and docker seccomp blacklist (except for "clone"
       # which is a core requirement for systemd services)
       # @system-service is defined in src/shared/seccomp-util.c (systemd source)
-      SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key set_mempolicy setns unshare userfaultfd" ];
+      SystemCallFilter = [ "@system-service" "~add_key kcmp keyctl mbind move_pages name_to_handle_at personality process_vm_readv process_vm_writev request_key setns unshare userfaultfd" ];
       SystemCallArchitectures = "native";
   };
 

From 3549725b510c51d06669fe97b13c26585e0afb5c Mon Sep 17 00:00:00 2001
From: Erik Arvstedt <erik.arvstedt@gmail.com>
Date: Sat, 22 Oct 2022 23:53:00 +0200
Subject: [PATCH 2/4] update nixpkgs

btcpayserver: 1.6.10 -> 1.6.12
clightning: 0.12.0 -> 0.12.1
fulcrum: 1.8.1 -> 1.8.2
nbxplorer: 2.3.33 -> 2.3.41
---
 flake.lock      | 12 ++++++------
 pkgs/pinned.nix |  6 +++---
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index be13d8b..24b5cbc 100644
--- a/flake.lock
+++ b/flake.lock
@@ -17,11 +17,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1663760840,
-        "narHash": "sha256-ym5Iycs5H4cOaLfE2/vC0tsLp8XuBJQIHGV8/uXSy8M=",
+        "lastModified": 1666528161,
+        "narHash": "sha256-PFOQSC0x4xPD1p/GZIbpKuoEBu6M8HnEOeNRiBUCELA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "9bdbbaa634aa666eb6a27096bdcb991c59181244",
+        "rev": "471d92178b978fcbad8db27c2e8a4e737d4e0e27",
         "type": "github"
       },
       "original": {
@@ -33,11 +33,11 @@
     },
     "nixpkgsUnstable": {
       "locked": {
-        "lastModified": 1663757063,
-        "narHash": "sha256-H+BPgoXuVcdi3g5BH4cact4osjfjntaTQTdA/HNiCYE=",
+        "lastModified": 1666570118,
+        "narHash": "sha256-MTXmIYowHM1wyIYyqPdBLia5SjGnxETv0YkIbDsbkx4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a0e390471362e27349abc1090197e09fe8c59d16",
+        "rev": "1e684b371cf05300bc2b432f958f285855bac8fb",
         "type": "github"
       },
       "original": {
diff --git a/pkgs/pinned.nix b/pkgs/pinned.nix
index a9cc8aa..868d3fe 100644
--- a/pkgs/pinned.nix
+++ b/pkgs/pinned.nix
@@ -6,8 +6,7 @@ pkgs: pkgsUnstable:
     bitcoind
     extra-container
     lightning-pool
-    lndconnect
-    nbxplorer;
+    lndconnect;
 
   inherit (pkgsUnstable)
     btcpayserver
@@ -17,7 +16,8 @@ pkgs: pkgsUnstable:
     elementsd
     fulcrum
     hwi
-    lightning-loop;
+    lightning-loop
+    nbxplorer;
 
   inherit pkgs pkgsUnstable;
 }

From 13a835e88f21bdeb5b348de94364e1feafb3d56b Mon Sep 17 00:00:00 2001
From: Erik Arvstedt <erik.arvstedt@gmail.com>
Date: Mon, 24 Oct 2022 11:49:32 +0200
Subject: [PATCH 3/4] Revert "pkgs: add lnd 0.15.2"

This reverts commit cf836b5d3b75a6c634391aa78a0113f540e637b9.
---
 pkgs/default.nix    |  5 -----
 pkgs/lnd-0.15.2.nix | 40 ----------------------------------------
 pkgs/pinned.nix     |  1 +
 3 files changed, 1 insertion(+), 45 deletions(-)
 delete mode 100644 pkgs/lnd-0.15.2.nix

diff --git a/pkgs/default.nix b/pkgs/default.nix
index 95d397c..21ede79 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -37,10 +37,5 @@ let self = {
 
   pinned = import ./pinned.nix pkgs pkgsUnstable;
 
-  # TODO-EXTERNAL:
-  # Remove this when https://github.com/NixOS/nixpkgs/pull/195337 is available in the
-  # nixpkgs-unstable channel
-  lnd = pkgsUnstable.callPackage ./lnd-0.15.2.nix {};
-
   modulesPkgs = self // self.pinned;
 }; in self
diff --git a/pkgs/lnd-0.15.2.nix b/pkgs/lnd-0.15.2.nix
deleted file mode 100644
index bb91e14..0000000
--- a/pkgs/lnd-0.15.2.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ buildGoModule
-, fetchFromGitHub
-, lib
-, tags ? [ "autopilotrpc" "signrpc" "walletrpc" "chainrpc" "invoicesrpc" "watchtowerrpc" "routerrpc" "monitoring" "kvdb_postgres" "kvdb_etcd" ]
-}:
-
-buildGoModule rec {
-  pname = "lnd";
-  version = "0.15.2-beta";
-
-  src = fetchFromGitHub {
-    owner = "lightningnetwork";
-    repo = "lnd";
-    rev = "v${version}";
-    sha256 = "sha256-C7BZ6awY2v5Uvvh12YEosoEQyJoetWzH/1wIQSVjtEk=";
-  };
-
-  vendorSha256 = "sha256-rCdcPkgrFcDfLfF8wipFws7YTKEgotuVqVIJYLMOxbs=";
-
-  subPackages = [ "cmd/lncli" "cmd/lnd" ];
-
-  preBuild = let
-    buildVars = {
-      RawTags = lib.concatStringsSep "," tags;
-      GoVersion = "$(go version | egrep -o 'go[0-9]+[.][^ ]*')";
-    };
-    buildVarsFlags = lib.concatStringsSep " " (lib.mapAttrsToList (k: v: "-X github.com/lightningnetwork/lnd/build.${k}=${v}") buildVars);
-  in
-  lib.optionalString (tags != []) ''
-    buildFlagsArray+=("-tags=${lib.concatStringsSep " " tags}")
-    buildFlagsArray+=("-ldflags=${buildVarsFlags}")
-  '';
-
-  meta = with lib; {
-    description = "Lightning Network Daemon";
-    homepage = "https://github.com/lightningnetwork/lnd";
-    license = licenses.mit;
-    maintainers = with maintainers; [ cypherpunk2140 prusnak ];
-  };
-}
diff --git a/pkgs/pinned.nix b/pkgs/pinned.nix
index 868d3fe..1ff832b 100644
--- a/pkgs/pinned.nix
+++ b/pkgs/pinned.nix
@@ -6,6 +6,7 @@ pkgs: pkgsUnstable:
     bitcoind
     extra-container
     lightning-pool
+    lnd
     lndconnect;
 
   inherit (pkgsUnstable)

From c88acbb1bb48d19335bb44f0ed3613e994bd6edc Mon Sep 17 00:00:00 2001
From: Erik Arvstedt <erik.arvstedt@gmail.com>
Date: Mon, 24 Oct 2022 12:06:45 +0200
Subject: [PATCH 4/4] btcpayserver: use new option `certfilepath` for lnd

---
 modules/btcpayserver.nix | 29 +++++++++++------------------
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix
index 3a6dc43..8437537 100644
--- a/modules/btcpayserver.nix
+++ b/modules/btcpayserver.nix
@@ -200,7 +200,7 @@ in {
     systemd.services.btcpayserver = let
       nbExplorerUrl = "http://${nbLib.addressWithPort cfg.nbxplorer.address cfg.nbxplorer.port}/";
       nbExplorerCookie = "${cfg.nbxplorer.dataDir}/${bitcoind.makeNetworkName "Main" "RegTest"}/.cookie";
-      configFile = builtins.toFile "config" (''
+      configFile = builtins.toFile "btcpayserver-config" (''
         network=${bitcoind.network}
         bind=${cfg.btcpayserver.address}
         port=${toString cfg.btcpayserver.port}
@@ -212,34 +212,27 @@ in {
         rootpath=${cfg.btcpayserver.rootpath}
       '' + optionalString (cfg.btcpayserver.lightningBackend == "clightning") ''
         btclightning=type=clightning;server=unix:///${cfg.clightning.dataDir}/${bitcoind.makeNetworkName "bitcoin" "regtest"}/lightning-rpc
-      '' + optionalString cfg.btcpayserver.lbtc ''
+      '' + optionalString (cfg.btcpayserver.lightningBackend == "lnd")
+        (
+          "btclightning=type=lnd-rest;" +
+          "server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
+          "macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
+          "certfilepath=${config.services.lnd.certPath}" +
+          "\n"
+        )
+      + optionalString cfg.btcpayserver.lbtc ''
         chains=btc,lbtc
         lbtcexplorerurl=${nbExplorerUrl}
         lbtcexplorercookiefile=${nbExplorerCookie}
       '');
-      lndConfig =
-        "btclightning=type=lnd-rest;" +
-        "server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" +
-        "macaroonfilepath=/run/lnd/btcpayserver.macaroon;" +
-        "certthumbprint=";
     in let self = {
       wantedBy = [ "multi-user.target" ];
       requires = [ "nbxplorer.service" "postgresql.service" ]
                  ++ optional (cfg.btcpayserver.lightningBackend != null) "${cfg.btcpayserver.lightningBackend}.service";
       after = self.requires;
-      preStart = ''
-        install -m 600 ${configFile} '${cfg.btcpayserver.dataDir}/settings.config'
-        ${optionalString (cfg.btcpayserver.lightningBackend == "lnd") ''
-          {
-            echo -n "${lndConfig}"
-            ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.services.lnd.certPath} \
-              | sed -e 's/.*=//;s/://g'
-          } >> '${cfg.btcpayserver.dataDir}/settings.config'
-        ''}
-      '';
       serviceConfig = nbLib.defaultHardening // {
         ExecStart = ''
-          ${cfg.btcpayserver.package}/bin/btcpayserver --conf='${cfg.btcpayserver.dataDir}/settings.config' \
+          ${cfg.btcpayserver.package}/bin/btcpayserver --conf=${configFile} \
             --datadir='${cfg.btcpayserver.dataDir}'
         '';
         User = cfg.btcpayserver.user;