Patch electrs to avoid chmod

86dc7e2669 fulcrum: allow access to `/proc/meminfo` (Erik Arvstedt)
c948af2e18 dev/dev-features: add `enter_service` helper (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 86dc7e2669

Tree-SHA512: 5c2b7bc5e2247a7fb45e6c805162c02d87b4c917e4a1306134d634f418534b03e3152e402d17e054c410d3d72f3f5eb3d270fcb53019b2f96ea6b27ecae53755

dev/dev-features.sh

@@ -53,6 +53,15 @@ ls -al /var/lib/nixos-containers/nb-test
 # The container root filesystem on NixOS systems with stateVersion < 22.05
 ls -al /var/lib/containers/nb-test
 
+# Start a shell in the context of a service process.
+# Must be run inside the container (enter with cmd `c`).
+enter_service() {
+    local name=$1
+    nsenter --all -t "$(systemctl show -p MainPID --value "$name")" \
+      --setuid "$(id -u "$name")" --setgid "$(id -g "$name")" bash
+}
+enter_service clightning
+
 #―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
 # bitcoind
 run-tests.sh -s bitcoind container

dev/topics/rtl.sh

@@ -37,6 +37,9 @@ PATH=/tmp/nix-bitcoin-dev/nodejs/bin:"$PATH"
 
 # Install
 npm ci --omit=dev --omit=optional --no-update-notifier --ignore-scripts
+# If the above fails, try: (details: https://github.com/Ride-The-Lightning/RTL/issues/1182)
+npm ci --omit=dev --omit=optional --no-update-notifier --ignore-scripts --legacy-peer-deps
+
 
 # Run
 node rtl --help

flake.lock

@@ -40,11 +40,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1672844754,
+        "lastModified": 1674407282,
-        "narHash": "sha256-o26WabuHABQsaHxxmIrR3AQRqDFUEdLckLXkVCpIjSU=",
+        "narHash": "sha256-2qwc8mrPINSFdWffPK+ji6nQ9aGnnZyHSItVcYDZDlk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e9ade2c8240e00a4784fac282a502efff2786bdc",
+        "rev": "ab1254087f4cdf4af74b552d7fc95175d9bdbb49",
         "type": "github"
       },
       "original": {
@@ -56,11 +56,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1672756850,
+        "lastModified": 1674487464,
-        "narHash": "sha256-Smbq3+fitwA13qsTMeaaurv09/KVbZfW7m7lINwzDGA=",
+        "narHash": "sha256-Jgq50e4S4JVCYpWLqrabBzDp/1mfaxHCh8/OOorHTy0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "298add347c2bbce14020fcb54051f517c391196b",
+        "rev": "3954218cf613eba8e0dcefa9abe337d26bc48fd0",
         "type": "github"
       },
       "original": {

modules/bitcoind.nix

@@ -367,9 +367,10 @@ in {
       proto.sam.enable = true;
     };
 
-    systemd.tmpfiles.rules = [
+    # Commented out to avoid trying to chown the nfs-mounted directory
-      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    # systemd.tmpfiles.rules = [
-    ];
+    #   "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    # ];
 
     systemd.services.bitcoind = {
       # Use `wants` instead of `requires` so that bitcoind and all dependent services
@@ -412,17 +413,17 @@ in {
       '';
 
       # Enable RPC access for group
-      postStart = ''
+      # postStart = ''
-        chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
+      #   chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
-      '';
+      # '';
 
       serviceConfig = nbLib.defaultHardening // {
         Type = "notify";
         NotifyAccess = "all";
         User = cfg.user;
         Group = cfg.group;
-        TimeoutStartSec = "10min";
+        TimeoutStartSec = "30min";
-        TimeoutStopSec = "10min";
+        TimeoutStopSec = "30min";
         ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
         Restart = "on-failure";
         UMask = mkIf cfg.dataDirReadableByGroup "0027";

modules/electrs.nix

@@ -61,9 +61,10 @@ in {
       listenWhitelisted = true;
     };
 
-    systemd.tmpfiles.rules = [
+    # Commented out to allow nfs mounts
-      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    # systemd.tmpfiles.rules = [
-    ];
+    #   "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    # ];
 
     systemd.services.electrs = {
       wantedBy = [ "multi-user.target" ];

modules/fulcrum.nix

@@ -126,6 +126,7 @@ in {
         Restart = "on-failure";
         RestartSec = "10s";
         ReadWritePaths = cfg.dataDir;
+        ProcSubset = "all"; # Fulcrum requires read access to /proc/meminfo
       } // nbLib.allowedIPAddresses cfg.tor.enforce;
     };
 

modules/liquid.nix

@@ -270,8 +270,8 @@ in {
         NotifyAccess = "all";
         User = cfg.user;
         Group = cfg.group;
-        TimeoutStartSec = "10min";
+        TimeoutStartSec = "2h";
-        TimeoutStopSec = "10min";
+        TimeoutStopSec = "2h";
         ExecStart = "${nbPkgs.elementsd}/bin/elementsd -datadir='${cfg.dataDir}'";
         Restart = "on-failure";
         ReadWritePaths = [ cfg.dataDir ];

modules/netns-isolation.nix

@@ -215,9 +215,11 @@ in {
 
         };
       };
-    in foldl (services: n:
+    in
+      foldl (services: n:
         services // (makeNetnsServices n netns.${n})
-    ) {} (builtins.attrNames netns));
+      ) {} (builtins.attrNames netns)
+    );
   }
 
   # Service-specific config

modules/secrets/secrets.nix

@@ -28,7 +28,7 @@ let
     };
 
     generateSecretsCmds = mkOption {
-      type = types.attrsOf types.str;
+      type = types.attrsOf types.lines;
       default = {};
       description = mdDoc ''
         Bash expressions for generating secrets.

pkgs/pinned.nix

@@ -4,20 +4,20 @@ pkgs: pkgsUnstable:
   inherit (pkgs)
     bitcoin
     bitcoind
-    btcpayserver
-    electrs
     elementsd
     extra-container
-    hwi
     lightning-loop
     lightning-pool
     lndconnect
     nbxplorer;
 
   inherit (pkgsUnstable)
+    btcpayserver
     charge-lnd
     clightning
+    electrs
     fulcrum
+    hwi
     lnd;
 
   inherit pkgs pkgsUnstable;

pkgs/rtl/default.nix

@@ -10,11 +10,11 @@
 }:
 let self = stdenvNoCC.mkDerivation {
   pname = "rtl";
-  version = "0.13.2";
+  version = "0.13.4";
 
   src = fetchurl {
     url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz";
-    hash = "sha256-7VrLxmE+xPCipx7UOG1mja2pSBrj+swk55afcvBQeDU=";
+    hash = "sha256-WVldNnmCB7Gi/U3dUDTYF58i480eXkstRnEg+1QCeMM=";
   };
 
   passthru = {
@@ -23,7 +23,10 @@ let self = stdenvNoCC.mkDerivation {
 
     nodeModules = fetchNodeModules {
       inherit (self) src nodejs;
-      hash = "sha256-ohS6gVX0M1Ir1QE9SjibbCrBpkXYIv5jV1Bkv0czRw4=";
+      # TODO-EXTERNAL: Remove `npmFlags` when no longer required
+      # See: https://github.com/Ride-The-Lightning/RTL/issues/1182
+      npmFlags = "--legacy-peer-deps";
+      hash = "sha256-AG7930RGLxbPp1ErTGuYvUvPur9ppEmg91Taz7Ube6w=";
     };
   };
 

pkgs/rtl/generate.sh

@@ -2,7 +2,7 @@
 set -euo pipefail
 . "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
 
-version="0.13.2"
+version="0.13.4"
 repo=https://github.com/Ride-The-Lightning/RTL
 
 scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)

test/clightning-replication.nix

@@ -1,4 +1,4 @@
-# You can run this test via `run-tests.sh -s clightningReplication`
+# You can run this test via `run-tests.sh -s clightning-replication`
 
 makeTestVM: pkgs:
 with pkgs.lib;
@@ -14,6 +14,8 @@ let
   clientBaseConfig = {
     imports = [ ../modules/modules.nix ];
 
+    nixpkgs.pkgs = pkgs;
+
     nix-bitcoin.generateSecrets = true;
 
     services.clightning = {
@@ -54,7 +56,9 @@ makeTestVM {
       services.clightning.replication.encrypt = true;
     };
 
-    server = { ... }: {
+    server = {
+      nixpkgs.pkgs = pkgs;
+
       environment.etc."ssh-host-key" = {
         source = keys.server;
         mode = "400";

test/lib/make-test-vm.nix

@@ -27,4 +27,9 @@ let
     inherit (test) meta passthru;
   } // test;
 in
-  runTest
+  runTest // {
+    # A VM runner for interactive use
+    run = pkgs.writers.writeBashBin "run-vm" ''
+      . ${./run-vm.sh} ${runTest.driver} "$@"
+    '';
+  }

test/lib/make-test.nix

@@ -52,11 +52,6 @@ let
       ];
   };
 
-  # A VM runner for interactive use
-  run = pkgs.writers.writeBashBin "run-vm" ''
-    . ${./run-vm.sh} ${test.driver} "$@"
-  '';
-
   mkContainer = legacyInstallDirs:
     extra-container.lib.buildContainers {
       inherit system legacyInstallDirs;
@@ -139,7 +134,6 @@ let
 in
 test // {
   inherit
-    run
     vm
     container
     # For NixOS with `system.stateVersion` <22.05

test/nixos-search/flake.lock

@@ -18,11 +18,11 @@
     "nixos-org-configurations": {
       "flake": false,
       "locked": {
-        "lastModified": 1669836977,
+        "lastModified": 1674564797,
-        "narHash": "sha256-21+3DkUXbWmIhXnQmJ9Tp/+QnyQnSiWuW8UDjjvPX2w=",
+        "narHash": "sha256-MgGsFleE8Wzhu8XX3ulcBojkHzFLkII+D9sxkTHg7OU=",
         "owner": "NixOS",
         "repo": "nixos-org-configurations",
-        "rev": "241f12bc9218ee081dc12b6c1b4a10e5e78ffeb3",
+        "rev": "3ce43a1fb5181a0e33b1f67d36fa0f3affa6bc6c",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "npmlock2nix": "npmlock2nix"
       },
       "locked": {
-        "lastModified": 1673019806,
+        "lastModified": 1674593115,
-        "narHash": "sha256-iZousPg/4eDv2c9MTRo9RP8jjjp7luP7JYWU71MXCds=",
+        "narHash": "sha256-P4bjLR/8tJ/jVBBeHDzNS2BgVUdB6vS7Udfh30kULJs=",
         "owner": "nixos",
         "repo": "nixos-search",
-        "rev": "1d9fac3a575623c79c1f56c771360b049888447b",
+        "rev": "be9a717b8032c7410337139f9dcfd6227b7407a4",
         "type": "github"
       },
       "original": {

test/run-tests.sh

@@ -272,7 +272,7 @@ buildable=(
     full
     regtest
     hardened
-    clightningReplication
+    clightning-replication
     lndPruned
 )
 buildable() { buildTests buildable "$@"; }

test/tests.nix

@@ -404,7 +404,7 @@ in {
       ) scenarios;
     in
       {
-        clightningReplication = import ./clightning-replication.nix makeTestVM pkgs;
+        clightning-replication = import ./clightning-replication.nix makeTestVM pkgs;
       } // mainTests;
 
     tests = makeTests scenarios;