Patch electrs to avoid chmod

fcd81d486d joinmarket: 0.9.8 -> 0.9.9 (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK fcd81d486d

Tree-SHA512: cb6c1b750361592a7508ee94fa811824e72e3dc5d97ff3a2b73c6141e9500b7300faa0457da2ae3ccd2c443ad8dfac360be32804374a4252161fadbae06ac896

modules/bitcoind.nix

@@ -367,9 +367,10 @@ in {
       proto.sam.enable = true;
     };
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
-    ];
+    # Commented out to avoid trying to chown the nfs-mounted directory
+    # systemd.tmpfiles.rules = [
+    #   "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    # ];
 
     systemd.services.bitcoind = {
       # Use `wants` instead of `requires` so that bitcoind and all dependent services
@@ -412,9 +413,9 @@ in {
       '';
 
       # Enable RPC access for group
-      postStart = ''
-        chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
-      '';
+      # postStart = ''
+      #   chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
+      # '';
 
       serviceConfig = nbLib.defaultHardening // {
         Type = "notify";

modules/electrs.nix

@@ -61,9 +61,10 @@ in {
       listenWhitelisted = true;
     };
 
-    systemd.tmpfiles.rules = [
-      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
-    ];
+    # Commented out to allow nfs mounts
+    # systemd.tmpfiles.rules = [
+    #   "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    # ];
 
     systemd.services.electrs = {
       wantedBy = [ "multi-user.target" ];

modules/joinmarket.nix

@@ -158,7 +158,7 @@ let
     onion_serving_host = ${cfg.messagingAddress}
     onion_serving_port = ${toString cfg.messagingPort}
     hidden_service_dir =
-    directory_nodes = 3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,jmdirjmioywe2s5jad7ts6kgcqg66rj6wujj6q77n6wbdrgocqwexzid.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
+    directory_nodes = g3hv4uynnmynqqq2mchf3fcm3yd46kfzmcdogejuckgwknwyq5ya6iad.onion:5222,3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
 
     # irc.darkscience.net
     [MESSAGING:server1]

pkgs/default.nix

@@ -22,6 +22,11 @@ let self = {
   spark-wallet = pkgs.callPackage ./spark-wallet { };
   trustedcoin = pkgs.callPackage ./trustedcoin { };
 
+  # TODO-EXTERNAL:
+  # Remove this when https://github.com/lightningnetwork/lnd/pull/7672
+  # has been resolved
+  lnd = pkgsUnstable.callPackage ./lnd { };
+
   pyPkgs = import ./python-packages self pkgs.python3;
   inherit (self.pyPkgs)
     nbPython3Packages

pkgs/joinmarket/default.nix

@@ -1,10 +1,12 @@
-{ stdenv, lib, fetchurl, python3, nbPython3PackagesJoinmarket }:
+{ stdenv, lib, fetchFromGitHub, python3, nbPython3PackagesJoinmarket }:
 
 let
-  version = "0.9.8";
-  src = fetchurl {
-    url = "https://github.com/JoinMarket-Org/joinmarket-clientserver/archive/v${version}.tar.gz";
-    sha256 = "1ab4smpyx966iiiip3g11bcslya37qhac1kgkbmsmlsdkpilw9di";
+  version = "0.9.9";
+  src = fetchFromGitHub {
+    owner = "joinmarket-org";
+    repo = "joinmarket-clientserver";
+    rev = "v${version}";
+    sha256 = "sha256-dkeSgAhjNl8o/ATKYAlQxxCrur5fLdXuMDXSnWaxYP8=";
   };
 
   runtimePackages = with nbPython3PackagesJoinmarket; [

pkgs/joinmarket/get-sha256.sh

@@ -1,25 +1,23 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p git gnupg jq
+
 set -euo pipefail
-. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg" "$@"
+newVersion=$(curl -s "https://api.github.com/repos/joinmarket-org/joinmarket-clientserver/releases" | jq -r '.[0].tag_name')
 
-TMPDIR="$(mktemp -d -p /tmp)"
-trap 'rm -rf $TMPDIR' EXIT
-cd "$TMPDIR"
-
-echo "Fetching latest release"
-git clone https://github.com/joinmarket-org/joinmarket-clientserver 2> /dev/null
-cd joinmarket-clientserver
-latest=$(git describe --tags "$(git rev-list --tags --max-count=1)")
-echo "Latest release is $latest"
-
-# GPG verification
-export GNUPGHOME=$TMPDIR
+# Fetch release and GPG-verify the content hash
+tmpdir=$(mktemp -d /tmp/joinmarket-verify-gpg.XXX)
+repo=$tmpdir/repo
+git clone --depth 1 --branch "${newVersion}" -c advice.detachedHead=false https://github.com/joinmarket-org/joinmarket-clientserver "$repo"
+export GNUPGHOME=$tmpdir
 echo "Fetching Adam Gibson's key"
 gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null
-echo "Verifying latest release"
-git verify-tag "$latest"
+echo
+echo "Verifying commit"
+git -C "$repo" verify-commit HEAD
+rm -rf "$repo"/.git
+newHash=$(nix hash path "$repo")
+rm -rf "$tmpdir"
+echo
 
-echo "tag: $latest"
-# The prefix option is necessary because GitHub prefixes the archive contents in this format
-echo "sha256: $(nix-hash --type sha256 --flat --base32 \
-                <(git archive --format tar.gz --prefix=joinmarket-clientserver-"${latest//v}"/ "$latest"))"
+echo "tag: $newVersion"
+echo "hash: $newHash"

pkgs/lnd/default.nix

@@ -0,0 +1,12 @@
+{ lnd, fetchpatch }:
+
+lnd.overrideAttrs (_: {
+  patches = [
+    (fetchpatch {
+      # https://github.com/lightningnetwork/lnd/pull/7672
+      name = "fix-PKCS8-cert-key-support";
+      url = "https://github.com/lightningnetwork/lnd/commit/bfdd5db0d97a6d65489d980a917bbd2243dfe15c.patch";
+      hash = "sha256-j9EirxyNi48DGzLuHcZ36LrFlbJLXrE8L+1TYh5Yznk=";
+    })
+  ];
+})

pkgs/pinned.nix

@@ -17,7 +17,6 @@ pkgs: pkgsUnstable:
     fulcrum
     hwi
     lightning-loop
-    lnd
     nbxplorer;
 
   inherit pkgs pkgsUnstable;

pkgs/python-packages/bencoderpyx/default.nix

@@ -2,11 +2,11 @@
 
 buildPythonPackage rec {
   pname = "bencoder.pyx";
-  version = "2.0.1";
+  version = "3.0.1";
 
   src = fetchurl {
-    url = "https://github.com/whtsky/bencoder.pyx/archive/v${version}.tar.gz";
-    sha256 = "f3ff92ac706a7e4692bed5e6cbe205963327f3076f55e408eb948659923eac72";
+    url = "https://github.com/whtsky/bencoder.pyx/archive/9a47768f3ceba9df9e6fbaa7c445f59960889009.tar.gz";
+    sha256 = "1yh565xjbbhn49xjfms80ac8psjbzn66n8dcx0x8mn7zzjv06clz";
   };
 
   nativeBuildInputs = [ cython ];

pkgs/python-packages/default.nix

@@ -22,7 +22,6 @@ rec {
       };
       runes = callPackage ./runes {};
       sha256 = callPackage ./sha256 {};
-      urldecode = callPackage ./urldecode {};
     };
 
   # Joinmarket requires a custom package set because it uses older versions of Python pkgs
@@ -47,12 +46,10 @@ rec {
       # autobahn 20.12.3, required by joinmarketclient
       autobahn = callPackage ./specific-versions/autobahn.nix {};
 
-      # pyopenssl 20.0.1, required by joinmarketdaemon
-      pyopenssl = callPackage ./specific-versions/pyopenssl.nix {
-        openssl = super.pkgs.openssl_1_1;
-      };
+      # pyopenssl 21.0.0, required by joinmarketdaemon
+      pyopenssl = callPackage ./specific-versions/pyopenssl.nix {};
 
-      # twisted 22.4.0, compatible with pyopenssl 20.0.1
+      # twisted 22.4.0, required by joinmarketbase
       twisted = callPackage ./specific-versions/twisted.nix {};
     };
 

pkgs/python-packages/jmbitcoin/default.nix

@@ -1,4 +1,4 @@
-{ version, src, lib, buildPythonPackage, fetchurl, urldecode, pyaes, python-bitcointx, joinmarketbase }:
+{ version, src, lib, buildPythonPackage, fetchurl, pyaes, python-bitcointx, joinmarketbase }:
 
 buildPythonPackage rec {
   pname = "joinmarketbitcoin";
@@ -6,7 +6,7 @@ buildPythonPackage rec {
 
   postUnpack = "sourceRoot=$sourceRoot/jmbitcoin";
 
-  propagatedBuildInputs = [ urldecode pyaes python-bitcointx ];
+  propagatedBuildInputs = [ pyaes python-bitcointx ];
 
   checkInputs = [ joinmarketbase ];
 

pkgs/python-packages/jmdaemon/default.nix

@@ -8,6 +8,12 @@ buildPythonPackage rec {
 
   propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ];
 
+  # libnacl 1.8.0 is not on github
+  patchPhase = ''
+    substituteInPlace setup.py \
+      --replace "'libnacl==1.8.0'" "'libnacl==1.7.2'"
+  '';
+
   meta = with lib; {
     description = "Client library for Bitcoin coinjoins";
     homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";

pkgs/python-packages/specific-versions/pyopenssl.nix

@@ -6,17 +6,50 @@
 , cryptography
 , pyasn1
 , idna
-, pytest
+, pytestCheckHook
 , pretend
 , flaky
 , glibcLocales
 , six
 }:
 
-let
-  # https://github.com/pyca/pyopenssl/issues/791
-  # These tests, we disable in the case that libressl is passed in as openssl.
-  failingLibresslTests = [
+buildPythonPackage rec {
+  pname = "pyopenssl";
+  version = "21.0.0";
+
+  src = fetchPypi {
+    pname = "pyOpenSSL";
+    inherit version;
+    sha256 = "5e2d8c5e46d0d865ae933bef5230090bdaf5506281e9eec60fa250ee80600cb3";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  # Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
+  # for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
+  doCheck = !stdenv.isDarwin;
+
+  nativeBuildInputs = [ openssl ];
+  propagatedBuildInputs = [ cryptography pyasn1 idna six ];
+
+  checkInputs = [ pytestCheckHook pretend flaky glibcLocales ];
+
+  preCheck = ''
+    export LANG="en_US.UTF-8"
+  '';
+
+  disabledTests = [
+    # https://github.com/pyca/pyopenssl/issues/692
+    # These tests, we disable always.
+    "test_set_default_verify_paths"
+    "test_fallback_default_verify_paths"
+    # https://github.com/pyca/pyopenssl/issues/768
+    "test_wantWriteError"
+    # https://github.com/pyca/pyopenssl/issues/1043
+    "test_alpn_call_failure"
+  ] ++ lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) [
+    # https://github.com/pyca/pyopenssl/issues/791
+    # These tests, we disable in the case that libressl is passed in as openssl.
     "test_op_no_compression"
     "test_npn_advertise_error"
     "test_npn_select_error"
@@ -29,64 +62,21 @@ let
     "test_verify_with_revoked"
     "test_set_notAfter"
     "test_set_notBefore"
-  ];
-
-  # these tests are extremely tightly wed to the exact output of the openssl cli tool,
-  # including exact punctuation.
-  failingOpenSSL_1_1Tests = [
+  ] ++ lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") [
+    # these tests are extremely tightly wed to the exact output of the openssl cli tool, including exact punctuation.
     "test_dump_certificate"
     "test_dump_privatekey_text"
     "test_dump_certificate_request"
     "test_export_text"
+  ] ++ lib.optionals stdenv.is32bit [
+    # https://github.com/pyca/pyopenssl/issues/974
+    "test_verify_with_time"
   ];
 
-  disabledTests = [
-    # https://github.com/pyca/pyopenssl/issues/692
-    # These tests, we disable always.
-    "test_set_default_verify_paths"
-    "test_fallback_default_verify_paths"
-    # https://github.com/pyca/pyopenssl/issues/768
-    "test_wantWriteError"
-  ] ++ (
-    lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) failingLibresslTests
-  ) ++ (
-    lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") failingOpenSSL_1_1Tests
-  ) ++ (
-    # https://github.com/pyca/pyopenssl/issues/974
-    lib.optionals stdenv.is32bit [ "test_verify_with_time" ]
-  );
-
-  # Compose the final string expression, including the "-k" and the single quotes.
-  testExpression = lib.optionalString (disabledTests != [])
-    "-k 'not ${lib.concatStringsSep " and not " disabledTests}'";
-
-in
-
-buildPythonPackage rec {
-  pname = "pyopenssl";
-  version = "20.0.1";
-
-  src = fetchPypi {
-    pname = "pyOpenSSL";
-    inherit version;
-    sha256 = "4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51";
+  meta = with lib; {
+    description = "Python wrapper around the OpenSSL library";
+    homepage = "https://github.com/pyca/pyopenssl";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ SuperSandro2000 ];
   };
-
-  outputs = [ "out" "dev" ];
-
-  checkPhase = ''
-    runHook preCheck
-    export LANG="en_US.UTF-8"
-    py.test tests ${testExpression}
-    runHook postCheck
-  '';
-
-  # Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
-  # for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
-  doCheck = !stdenv.isDarwin;
-
-  nativeBuildInputs = [ openssl ];
-  propagatedBuildInputs = [ cryptography pyasn1 idna six ];
-
-  checkInputs = [ pytest pretend flaky glibcLocales ];
 }

pkgs/python-packages/urldecode/default.nix

@@ -1,16 +0,0 @@
-{ lib, buildPythonPackage, fetchPypi }:
-buildPythonPackage rec {
-  pname = "urldecode";
-  version = "0.1";
-
-  src = fetchPypi {
-    inherit pname version;
-    sha256 = "0w8my7kdwxppsfzzi1b2cxhypm6r1fsrnb2hnd752axq4gfsddjj";
-  };
-
-  meta = with lib; {
-    description = "A simple function to decode an encoded url";
-    homepage = "https://github.com/jennyq/urldecode";
-    maintainers = with maintainers; [ nixbitcoin ];
-  };
-}