In conjuction with secure-node.nix, this sets sane
RestrictAddressFamilies unless lnd is enabled. Before, we were
constantly exposing unnecessary Address Families, not just when lnd is
enabled.
However, zmqpub* must always be enabled for lnd, even when used
outside of secure-node.nix, so we make this change in the lnd module.
b8e10afe1846548075136d953b7f01cf1fb0a45b recurring-donations: Run under recurring-donations user (nixbitcoin)
5d01ea7101a94a4ceb8bdcaabe60f66652253a5a nodeinfo: Convert to module and allow alternative operator username (nixbitcoin)
95d230d1d6a64b27fa834748b6fc695b7e8f4cec Remove bitcoinrpc group remnants (nixbitcoin)
563b2108356323e99d757a95ce50aca5fa2f45af spark-wallet: Run under spark-wallet user (nixbitcoin)
205fca357677c3b186658379618c9eb2655f6167 bitcoind: only make blocksdir group-readable when dataDirReadableByGroup (nixbitcoin)
81a04a4ef14f27f196d519ff482f0d6a225f02b0 lightning-charge: add dedicated user (nixbitcoin)
e67a81829722bd6c16b1450371d13b681f6de532 lightning-charge: 0.4.14 -> 0.4.19 (nixbitcoin)
0ba55757f8027da906f84a1330bd11fc3ae1f0f0 clightning: allow group access to RPC socket (nixbitcoin)
304dd297ba6a128c21ebba20d83298c2c9cecbc8 clightning: remove config group read access (nixbitcoin)
04c6936ce9030e7e99aa9bfedf0a73810f550ac1 clightning: Remove clightning "bitcoinrpc" membership (nixbitcoin)
393ab0fb3c160adfdf64786d5e9e360967dfb678 electrs: Remove electrs user from "bitcoinrpc" and "bitcoin" sometimes (nixbitcoin)
7cfae66db491b8eb2f128b85f69ede64bcb1531e electrs: Drop insecure TLS ciphers (nixbitcoin)
4c139a6d7778abf0957cbcaca443bdddb42dcce7 electrs: Make TLSProxy truly optional (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK b8e10afe1846548075136d953b7f01cf1fb0a45b
Tree-SHA512: d3828961b42b8730818b6f55bd9cb19a9c1a1fcecc426da903ba1304251bb4b3b38ff0e4d7b29945ae1bf3c7a42719431b8c91b74b01aeb8d3671026c3d6df75
currently, nodeinfo has presets/secure-node.nix as a strict
dependency as it requires onion-chef and the 'operatorName' option.
and nix-bitcoin-webindex.nix has nodeinfo as a dependecy.
so don't add nodeinfo and webindex to modules.nix because they will fail on standalone use.
Electrs does not need to be a part of "bitcoinrpc" group because preStart
electrs.toml creation is handled by PermissionsStartOnly. "bitcoin"
group membership is only necessary when cfg.high-memory is enabled and
electrs reads blocks directly from the blocks directory.
Previously, the sessions contained only explicitly exported variables
and functions.
This was fragile and in part buggy due to lacking exports.
Interactive features like user-defined aliases and functions are still
working as before.
Download shesek's github spark-npm.tgz, verify signature, unpack
spark-npm.tgz, patch package.json to include qrcode-terminal in
dependencies, run node2nix with tmpdir as local source, replace tmpdir
spark-wallet source with shesek's github spark-npm.tgz in
node-packages.nix.
spark-wallet: erikarvstedt fixups
move script to pkg dir, add hint to script in pkg def
remove unneeded script deps
add extended bash error checking
rename DIR -> TMPDIR
remove TMPDIR on exit
strip whitespace, simplify comments
gpg2 -> gpg
latesttagelectrs -> latest
tmpdir: don't use XDG_RUNTIME_DIR
XDG_RUNTIME_DIR is often in RAM and shouldn't be used for larger
workloads like repo downlaods
verify fingerprint of the imported key
remove trailing '-' in output
simplify output
Hide --fetch-key output
Output is not relevant to user, looks better without it
More accurately describe ./get-sha256 function
User might think that ./get-sha256 automatically updates sha256 in default.nix
Fetch key from sks keyservers instead of keybase.io
Using --recv-key simplifies getting the right key, and only the
right key, greatly. I try to refrain from using sks keyservers,
but the certificate spamming attack shouldn't be an issue in this
case because we create a temporary keychain just for the
verificaiton.
remove unneeded cargoDepsHook
Make clang nativeBuildInput instead of buildInput
e95f5981aa184ca5dce5a452d57fa279c70eba74 Remove KN countrycode (nixbitcoin)
742aef1e0f4f52118211013d00c959debe9e8840 Only set dataDirReadableByGroup if cfg.high-memory is enabled (nixbitcoin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK e95f5981aa184ca5dce5a452d57fa279c70eba74
Tree-SHA512: e8253b934211e6fc6be11917f8acb05a05e390caafdf86f90670f9299d9c0d98596758ff021c65aae199c9a5a3f86f87854e1b8f50a53bab8ad28d9a7003d98e
47b2b110ccf93f45a2bd59370552fc87316d7b7a pinned: make it easy to use pinned packages (William Casarin)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 47b2b110ccf93f45a2bd59370552fc87316d7b7a
Tree-SHA512: 4a45eee55ff87d8f00f7ef7af7bd6dfc4674c492d45a4875dc933edb5d21e06cd1bcedc73b07b8a2b804a4b1fe9d52223e623d382a348524621749beda8cc115
It appears the pinned attrset is a bit adhoc. This generalizes
pinned.nix so that you can do:
$ nix build -f . pinned.stable.hwi
$ nix build -f . pinned.unstable.hwi
etc
Signed-off-by: William Casarin <jb55@jb55.com>
0382d3a6b82976d98e207a0115ec1ebb2f98fc35 Document low-entropy problem (nixbitcoin)
Pull request description:
Top commit has no ACKs.
Tree-SHA512: 4b5e69a7163171e30e995a4944fa262141466b5a15680bfba4d483b3fd5e26d1d40384199ae467bc12794fae0a83a8f99a487cc12be711df5c1e567f2c6cef35
