joinmarket: 0.9.8 -> 0.9.9

fulcrum: 1.9.0 -> 1.9.1
lightning-loop: 0.20.0-beta -> 0.23.0-beta
lnd: 0.15.5-beta -> 0.16.2-beta

.cirrus.yml

@@ -27,6 +27,7 @@ task:
           - scenario: default
           - scenario: netns
           - scenario: netnsRegtest
+          - scenario: trustedcoin
       # This script is run as root
       build_script:
         - echo "sandbox = true" >> /etc/nix/nix.conf

README.md

@@ -79,19 +79,22 @@ NixOS modules ([src](modules/modules.nix))
     * [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server
     * [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced
     * [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status
+    * [trustedcoin](https://github.com/nbd-wtf/trustedcoin) [[experimental](docs/services.md#trustedcoin-hints)]: replaces bitcoind with trusted public explorers
     * [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints
   * [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning
   * [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md)
     * [Lightning Loop](https://github.com/lightninglabs/loop)
     * [Lightning Pool](https://github.com/lightninglabs/pool)
     * [charge-lnd](https://github.com/accumulator/charge-lnd): policy-based channel fee manager
-  * [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or clightning via a REST onion service
+  * [lndconnect](https://github.com/LN-Zap/lndconnect): connect your wallet to lnd or
+    clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
+    [Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
   * [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
   * [spark-wallet](https://github.com/shesek/spark-wallet)
-  * [electrs](https://github.com/romanz/electrs)
-  * [fulcrum](https://github.com/cculianu/Fulcrum) (see [the module](modules/fulcrum.nix) for a comparison to electrs)
+  * [electrs](https://github.com/romanz/electrs): Electrum server
+  * [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs)
   * [btcpayserver](https://github.com/btcpayserver/btcpayserver)
-  * [liquid](https://github.com/elementsproject/elements)
+  * [liquid](https://github.com/elementsproject/elements): federated sidechain
   * [JoinMarket](https://github.com/joinmarket-org/joinmarket-clientserver)
     * [JoinMarket Orderbook Watcher](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master/docs/orderbook.md)
   * [bitcoin-core-hwi](https://github.com/bitcoin-core/HWI)
@@ -99,7 +102,13 @@ NixOS modules ([src](modules/modules.nix))
   * [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces
   * [nodeinfo](modules/nodeinfo.nix): script which prints info about the node's services
   * [backups](modules/backups.nix): duplicity backups of all your node's important files
-  * [operator](modules/operator.nix): adds non-root user `operator` who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
+  * [operator](modules/operator.nix): configures a non-root user who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
+
+### Extension modules
+Extension modules are maintained in separate repositories and have their own review
+and release process.
+
+* [Mempool](https://github.com/fort-nix/nix-bitcoin-mempool): Bitcoin visualizer, explorer and API service
 
 Security
 ---

dev/dev-features.sh

@@ -56,9 +56,10 @@ ls -al /var/lib/containers/nb-test
 # Start a shell in the context of a service process.
 # Must be run inside the container (enter with cmd `c`).
 enter_service() {
-    local name=$1
-    nsenter --all -t "$(systemctl show -p MainPID --value "$name")" \
-      --setuid "$(id -u "$name")" --setgid "$(id -g "$name")" bash
+    name=$1
+    pid=$(systemctl show -p MainPID --value "$name")
+    IFS=- read -r uid gid  < <(stat -c "%u-%g" "/proc/$pid")
+    nsenter --all -t "$pid" --setuid "$uid" --setgid "$gid" bash
 }
 enter_service clightning
 

dev/dev-scenarios.nix

@@ -9,6 +9,9 @@ with lib;
     services.btcpayserver.enable = true;
     test.container.exposeLocalhost = true;
     # services.btcpayserver.lbtc = false;
+
+    # Required for testing interactive plugin installation
+    test.container.enableWAN = true;
   };
 
   # A node with internet access to test joinmarket-ob-watcher
@@ -42,4 +45,34 @@ with lib;
     nix-bitcoin.nodeinfo.enable = true;
     # test.container.enableWAN = true;
   };
+
+  wireguard-lndconnect-online = { config, pkgs, lib, ... }: {
+    imports = [
+      ../modules/presets/wireguard.nix
+      scenarios.regtestBase
+    ];
+
+    # 51820 (default wg port) + 1
+    networking.wireguard.interfaces.wg-nb.listenPort = 51821;
+    test.container.enableWAN = true;
+    # test.container.exposeLocalhost = true;
+
+    services.clightning.extraConfig = "disable-dns";
+
+    services.lnd = {
+      enable = true;
+      lndconnect = {
+        enable = true;
+        onion = true;
+      };
+    };
+    services.clightning-rest = {
+      enable = true;
+      lndconnect = {
+        enable = true;
+        onion = true;
+      };
+    };
+    nix-bitcoin.nodeinfo.enable = true;
+  };
 }

dev/topics/lndconnect-and-wireguard.sh

@@ -0,0 +1,64 @@
+#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
+# Test Tor and WireGuard connections on a mobile device
+
+# 1. Run container
+run-tests.sh -s wireguard-lndconnect-online container
+
+# 2. Test connecting via Tor
+# Print QR codes for lnd, clightning-rest connections via Tor
+c lndconnect
+c lndconnect-clightning
+# Add these to Zeus >= 0.7.1.
+# To explicitly check if the connection is successful, press the node logo in the top
+# left corner, and then "Node Info".
+
+# Debug
+c lndconnect --url
+c lndconnect-clightning --url
+
+# 3. Test connecting via WireGuard
+
+# 3.1 Forward WireGuard port from the container host to the container
+iptables -t nat -A PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
+
+# 3.2. Optional: When your container host has an external firewall,
+# forward the WireGuard port to the container host:
+# - Port: 51821
+# - Protocol: UDP
+# - Destination: IPv4 of the container host
+
+# 3.2 Print QR code and setup wireguard on the mobile device
+c nix-bitcoin-wg-connect
+c nix-bitcoin-wg-connect --text
+
+# Print QR codes for lnd, clightning-rest connections via WireGuard
+c lndconnect-wg
+c lndconnect-clightning-wg
+# Add these to Zeus >= 0.7.1.
+# To explicitly check if the connection is successful, press the node logo in the top
+# left corner, and then "Node Info".
+
+# Debug
+c lndconnect-wg --url
+c lndconnect-clightning-wg --url
+
+# 3.3.remove external firewall port forward, remove local port forward:
+iptables -t nat -D PREROUTING -p udp --dport 51821 -j DNAT --to-destination 10.225.255.2
+# Now exit the container shell
+
+#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
+# Debug lndconnect
+
+run-tests.sh -s wireguard-lndconnect-online container
+
+c nodeinfo
+
+c lndconnect --url
+c lndconnect-wg --url
+c lndconnect-clightning --url
+c lndconnect-clightning-wg --url
+
+c lndconnect
+c lndconnect-wg
+c lndconnect-clightning
+c lndconnect-clightning-wg

docs/services.md

@@ -142,60 +142,154 @@ You can find the `<onion-address>` with command `nodeinfo`.
 The default password location is `$secretsDir/rtl-password`.
 See: [Secrets dir](./configuration.md#secrets-dir)
 
-# Use LND or clightning with Zeus (mobile wallet) via Tor
-1. Install [Zeus](https://zeusln.app)
+# Use Zeus (mobile lightning wallet) via Tor
+1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1)
 
 2. Edit your `configuration.nix`
 
    ##### For lnd
 
    Add the following config:
-   ```
-   services.lnd.lndconnectOnion.enable = true;
+   ```nix
+   services.lnd.lndconnect = {
+     enable = true;
+     onion = true;
+   };
    ```
 
    ##### For clightning
 
    Add the following config:
-   ```
+   ```nix
    services.clightning-rest = {
      enable = true;
-     lndconnectOnion.enable = true;
+     lndconnect = {
+       enable = true;
+       onion = true;
+     };
    };
    ```
 
 3. Deploy your configuration
 
-3. Run the following command on your node (as user `operator`) to create a QR code
+4. Run the following command on your node (as user `operator`) to create a QR code
    with address and authentication information:
 
    ##### For lnd
    ```
-   lndconnect-onion
+   lndconnect
    ```
 
    ##### For clightning
    ```
-   lndconnect-onion-clightning
+   lndconnect-clightning
    ```
 
-4. Configure Zeus
-   - Add a new node
-   - Select `Scan lndconnect config` (at the bottom) and scan the QR code
-   - For clightning: Set `Node interface` to `c-lightning-REST`
+5. Configure Zeus
+   - Add a new node and scan the QR code
    - Click `Save node config`
    - Start sending and stacking sats privately
 
 ### Additional lndconnect features
-Create plain text URLs or QR code images:
-```
-lndconnect-onion --url
-lndconnect-onion --image
+- Create a plain text URL:
+  ```bash
+  lndconnect --url
+  ```
+- Set a custom host. By default, `lndconnect` detects the system's external IP and uses it as the host.
+  ```bash
+  lndconnect --host myhost
+  ```
+
+# Use Zeus (mobile lightning wallet) via WireGuard
+
+Connecting Zeus directly to your node is much faster than using Tor, but a bit more complex to setup.
+
+There are two ways to establish a secure, direct connection:
+
+- Connecting via TLS. This requires installing your lightning app's
+  TLS Certificate on your mobile device.
+
+- Connecting via WireGuard. This approach is simpler and more versatile, and is
+  described in this guide.
+
+1. Install [Zeus](https://zeusln.app) (version ≥ 0.7.1) and
+   [WireGuard](https://www.wireguard.com/install/) on your mobile device.
+
+2. Add the following to your `configuration.nix`:
+   ```nix
+   imports = [
+     # Use this line when using the default deployment method
+     <nix-bitcoin/modules/presets/wireguard.nix>
+
+     # Use this line when using Flakes
+     (nix-bitcoin + /modules/presets/wireguard.nix)
+   ]
+
+   # For lnd
+   services.lnd.lndconnect.enable = true;
+
+   # For clightning
+   services.clightning-rest = {
+     enable = true;
+     lndconnect.enable = true;
+   };
+   ```
+3. Deploy your configuration.
+
+4. If your node is behind an external firewall or NAT, add the following port forwarding
+   rule to the external device:
+   - Port: 51820 (the default value of option `networking.wireguard.interfaces.wg-nb.listenPort`)
+   - Protocol: UDP
+   - Destination: IP of your node
+
+5. Setup WireGuard on your mobile device.
+
+   Run the following command on your node (as user `operator`) to create a QR code
+   for WireGuard:
+   ```bash
+   nix-bitcoin-wg-connect
+
+   # For debugging: Show the WireGuard config as text
+   nix-bitcoin-wg-connect --text
+   ```
+   The above commands automatically detect your node's external IP.\
+   To set a custom IP or hostname, run the following:
+   ```
+   nix-bitcoin-wg-connect 93.184.216.34
+   nix-bitcoin-wg-connect mynode.org
+   ```
+
+   Configure WireGuard:
+   - Press the `+` button in the bottom right corner
+   - Scan the QR code
+   - Add the tunnel
+
+6. Setup Zeus
+
+   Run the following command on your node (as user `operator`) to create a QR code for Zeus:
+
+   ##### For lnd
+   ```
+   lndconnect-wg
+   ```
+
+   ##### For clightning
+   ```
+   lndconnect-clightning-wg
+   ```
+
+   Configure Zeus:
+   - Add a new node and scan the QR code
+   - Click `Save node config`
+   - On the certificate warning screen, click `I understand, save node config`.\
+     Certificates are not needed when connecting via WireGuard.
+   - Start sending and stacking sats privately
+
+### Additional lndconnect features
+Create a plain text URL:
+```bash
+lndconnect-wg --url
 ``````
-Create a QR code for a custom hostname:
-```
-lndconnect-onion --host=mynode.org
-```
 
 # Connect to spark-wallet
 ### Requirements
@@ -527,3 +621,27 @@ services.clightning = {
 ```
 
 Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options.
+
+### Trustedcoin hints
+The [trustedcoin](https://github.com/nbd-wtf/trustedcoin) plugin use a Tor
+proxy for all of its external connections by default. That's why you can
+sometimes face issues with your connections to esploras getting blocked.
+
+An example of clightning log error output in a case your connections are getting blocked:
+
+```
+lightningd[5138]: plugin-trustedcoin estimatefees error: https://blockstream.info/api error: 403 Forbidden
+```
+
+```
+lightningd[4933]: plugin-trustedcoin getblock error: got something that isn't a block hash: <html><head>
+lightningd[4933]: <meta http-equiv="content-type" content="text/html;
+```
+
+If you face these issues and you still need to use trustedcoin, use can disable
+clightning's tor hardening by setting this option in your `configuration.nix`
+file:
+
+```
+services.clightning.tor.enforce = false;
+```

examples/configuration.nix

@@ -56,13 +56,18 @@
   #
   # == REST server
   # Set this to create a clightning REST onion service.
-  # This also adds binary `lndconnect-onion-clightning` to the system environment.
+  # This also adds binary `lndconnect-clightning` to the system environment.
   # This binary creates QR codes or URLs for connecting applications to clightning
-  # via the REST onion service (see ../docs/services.md).
+  # via the REST onion service.
+  # You can also connect via WireGuard instead of Tor.
+  # See ../docs/services.md for details.
   #
   # services.clightning-rest = {
   #   enable = true;
-  #   lndconnectOnion.enable = true;
+  #   lndconnect = {
+  #     enable = true;
+  #     onion = true;
+  #   };
   # };
 
   ### LND
@@ -78,11 +83,17 @@
   # The onion service is automatically announced to peers.
   # nix-bitcoin.onionServices.lnd.public = true;
   #
-  # Set this to create an lnd REST onion service.
-  # This also adds binary `lndconnect-onion` to the system environment.
+  # Set this to create a lnd REST onion service.
+  # This also adds binary `lndconnect` to the system environment.
   # This binary generates QR codes or URLs for connecting applications to lnd via the
-  # REST onion service (see ../docs/services.md).
-  # services.lnd.lndconnectOnion.enable = true;
+  # REST onion service.
+  # You can also connect via WireGuard instead of Tor.
+  # See ../docs/services.md for details.
+  #
+  # services.lnd.lndconnect = {
+  #   enable = true;
+  #   onion = true;
+  # };
   #
   ## WARNING
   # If you use lnd, you should manually backup your wallet mnemonic

flake.lock

@@ -10,11 +10,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1671802034,
-        "narHash": "sha256-mkv2u5nQJEV3KlWiopkt/gMz0OM4nmEXSfzkSw6welQ=",
+        "lastModified": 1679648217,
+        "narHash": "sha256-aq2J5Hj5IE8X8X/7v3n0wcv8n+FLzzENbcCF9xqhxAc=",
         "owner": "erikarvstedt",
         "repo": "extra-container",
-        "rev": "e34f0cca15f6f0f2e598dad0b329196d0dab6d4f",
+        "rev": "40c73f5e3292e73d6ce91625d9751be84fde17cb",
         "type": "github"
       },
       "original": {
@@ -24,12 +24,15 @@
       }
     },
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
         "type": "github"
       },
       "original": {
@@ -40,11 +43,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1674407282,
-        "narHash": "sha256-2qwc8mrPINSFdWffPK+ji6nQ9aGnnZyHSItVcYDZDlk=",
+        "lastModified": 1683207485,
+        "narHash": "sha256-gs+PHt/y/XQB7S8+YyBLAM8LjgYpPZUVFQBwpFSmJro=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ab1254087f4cdf4af74b552d7fc95175d9bdbb49",
+        "rev": "cc45a3f8c98e1c33ca996e3504adefbf660a72d1",
         "type": "github"
       },
       "original": {
@@ -56,11 +59,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1674487464,
-        "narHash": "sha256-Jgq50e4S4JVCYpWLqrabBzDp/1mfaxHCh8/OOorHTy0=",
+        "lastModified": 1683353485,
+        "narHash": "sha256-Skp5El3egmoXPiINWjnoW0ktVfB7PR/xc4F4bhD+BJY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3954218cf613eba8e0dcefa9abe337d26bc48fd0",
+        "rev": "caf436a52b25164b71e0d48b671127ac2e2a5b75",
         "type": "github"
       },
       "original": {
@@ -77,6 +80,21 @@
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

modules/bitcoind.nix

@@ -427,7 +427,8 @@ in {
         ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
         Restart = "on-failure";
         UMask = mkIf cfg.dataDirReadableByGroup "0027";
-        ReadWritePaths = [ cfg.dataDir ];
+        #ReadWritePaths = [ cfg.dataDir ];
+        ReadWritePaths = [ "/dummy" ];
       } // nbLib.allowedIPAddresses cfg.tor.enforce
         // optionalAttrs zmqServerEnabled nbLib.allowNetlink;
     };

modules/btcpayserver.nix

@@ -236,11 +236,16 @@ in {
             --datadir='${cfg.btcpayserver.dataDir}'
         '';
         User = cfg.btcpayserver.user;
-        Restart = "on-failure";
-        RestartSec = "10s";
+        # Also restart after the program has exited successfully.
+        # This is required to support restarting from the web interface after
+        # interactive plugin installation.
+        # Restart rate limiting is implemented via the `startLimit*` options below.
+        Restart = "always";
         ReadWritePaths = [ cfg.btcpayserver.dataDir ];
         MemoryDenyWriteExecute = false;
       } // nbLib.allowedIPAddresses cfg.btcpayserver.tor.enforce;
+      startLimitIntervalSec = 30;
+      startLimitBurst = 10;
     }; in self;
 
     users.users.${cfg.nbxplorer.user} = {

modules/clightning-plugins/default.nix

@@ -17,6 +17,7 @@ in {
     ./feeadjuster.nix
     ./prometheus.nix
     ./summary.nix
+    ./trustedcoin.nix
     ./zmq.nix
   ];
 

modules/clightning-plugins/trustedcoin.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let cfg = config.services.clightning.plugins.trustedcoin; in
+{
+  options.services.clightning.plugins.trustedcoin = {
+    enable = mkEnableOption "Trustedcoin (clightning plugin)";
+    package = mkOption {
+      type = types.package;
+      default = config.nix-bitcoin.pkgs.trustedcoin;
+      defaultText = "config.nix-bitcoin.pkgs.trustedcoin";
+      description = mdDoc "The package providing trustedcoin binaries.";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.clightning.extraConfig = ''
+      plugin=${cfg.package}/bin/trustedcoin
+      disable-plugin=bcli
+    '';
+
+    # Trustedcoin does not honor the clightning's proxy configuration.
+    # Ref.: https://github.com/nbd-wtf/trustedcoin/pull/19
+    systemd.services.clightning.environment = mkIf (config.services.clightning.proxy != null) {
+      HTTPS_PROXY = "socks5://${config.services.clightning.proxy}";
+    };
+  };
+}

modules/clightning.nix

@@ -107,13 +107,15 @@ let
   network = bitcoind.makeNetworkName "bitcoin" "regtest";
   configFile = pkgs.writeText "config" ''
     network=${network}
-    bitcoin-datadir=${bitcoind.dataDir}
+    ${optionalString (!cfg.plugins.trustedcoin.enable) "bitcoin-datadir=${bitcoind.dataDir}"}
     ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
     always-use-proxy=${boolToString cfg.always-use-proxy}
     bind-addr=${cfg.address}:${toString cfg.port}
+
     bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address}
     bitcoin-rpcport=${toString bitcoind.rpc.port}
     bitcoin-rpcuser=${bitcoind.rpc.users.public.name}
+
     rpc-file-mode=0660
     log-timestamps=false
     ${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"}
@@ -161,6 +163,7 @@ in {
         {
           cat ${configFile}
           echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)"
+
           ${optionalString (cfg.getPublicAddressCmd != "") ''
             echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}"
           ''}

modules/electrs.nix

@@ -61,10 +61,9 @@ in {
       listenWhitelisted = true;
     };
 
-    # Commented out to allow nfs mounts
-    # systemd.tmpfiles.rules = [
-    #   "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
-    # ];
+    systemd.tmpfiles.rules = [
+      "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
+    ];
 
     systemd.services.electrs = {
       wantedBy = [ "multi-user.target" ];

modules/joinmarket.nix

@@ -158,7 +158,7 @@ let
     onion_serving_host = ${cfg.messagingAddress}
     onion_serving_port = ${toString cfg.messagingPort}
     hidden_service_dir =
-    directory_nodes = 3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,jmdirjmioywe2s5jad7ts6kgcqg66rj6wujj6q77n6wbdrgocqwexzid.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
+    directory_nodes = g3hv4uynnmynqqq2mchf3fcm3yd46kfzmcdogejuckgwknwyq5ya6iad.onion:5222,3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
 
     # irc.darkscience.net
     [MESSAGING:server1]

modules/lndconnect-onion.nix

@@ -1,126 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  options = {
-    services.lnd.lndconnectOnion.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = mdDoc ''
-        Create an onion service for the lnd REST server.
-        Add a `lndconnect-onion` binary to the system environment.
-        See: https://github.com/LN-Zap/lndconnect
-
-        Usage:
-        ```bash
-          # Print QR code
-          lndconnect-onion
-
-          # Print URL
-          lndconnect-onion --url
-        ```
-      '';
-    };
-
-    services.clightning-rest.lndconnectOnion.enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = mdDoc ''
-        Create an onion service for clightning-rest.
-        Add a `lndconnect-onion-clightning` binary to the system environment.
-        See: https://github.com/LN-Zap/lndconnect
-
-        Usage:
-        ```bash
-          # Print QR code
-          lndconnect-onion-clightning
-
-          # Print URL
-          lndconnect-onion-clightning --url
-        ```
-      '';
-    };
-  };
-
-  nbLib = config.nix-bitcoin.lib;
-  runAsUser = config.nix-bitcoin.runAsUserCmd;
-
-  inherit (config.services)
-    lnd
-    clightning
-    clightning-rest;
-
-  mkLndconnect = {
-    name,
-    shebang ? "#!${pkgs.stdenv.shell} -e",
-    onionService,
-    port,
-    certPath,
-    macaroonPath
-  }:
-  # TODO-EXTERNAL:
-  # lndconnect requires a --configfile argument, although it's unused
-  # https://github.com/LN-Zap/lndconnect/issues/25
-  pkgs.writeScriptBin name ''
-    ${shebang}
-    exec ${config.nix-bitcoin.pkgs.lndconnect}/bin/lndconnect \
-     --host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService}) \
-     --port=${toString port} \
-     --tlscertpath='${certPath}' \
-     --adminmacaroonpath='${macaroonPath}' \
-     --configfile=/dev/null "$@"
-  '';
-
-  operatorName = config.nix-bitcoin.operator.name;
-in {
-  inherit options;
-
-  config = mkMerge [
-    (mkIf (lnd.enable && lnd.lndconnectOnion.enable) {
-      services.tor = {
-        enable = true;
-        relay.onionServices.lnd-rest = nbLib.mkOnionService {
-          target.addr = nbLib.address lnd.restAddress;
-          target.port = lnd.restPort;
-          port = lnd.restPort;
-        };
-      };
-      nix-bitcoin.onionAddresses.access.${lnd.user} = [ "lnd-rest" ];
-
-      environment.systemPackages = [(
-        mkLndconnect {
-          name = "lndconnect-onion";
-          # Run as lnd user because the macaroon and cert are not group-readable
-          shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
-          onionService = "${lnd.user}/lnd-rest";
-          port = lnd.restPort;
-          certPath = lnd.certPath;
-          macaroonPath = "${lnd.networkDir}/admin.macaroon";
-        }
-      )];
-    })
-
-    (mkIf (clightning-rest.enable && clightning-rest.lndconnectOnion.enable) {
-      services.tor = {
-        enable = true;
-        relay.onionServices.clightning-rest = nbLib.mkOnionService {
-          target.addr = nbLib.address clightning-rest.address;
-          target.port = clightning-rest.port;
-          port = clightning-rest.port;
-        };
-      };
-      # This also allows nodeinfo to show the clightning-rest onion address
-      nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
-
-      environment.systemPackages = [(
-        mkLndconnect {
-          name = "lndconnect-onion-clightning";
-          onionService = "${operatorName}/clightning-rest";
-          port = clightning-rest.port;
-          certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
-          macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
-        }
-      )];
-    })
-  ];
-}

modules/lndconnect.nix

@@ -0,0 +1,205 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  options = {
+    services.lnd.lndconnect = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = mdDoc ''
+          Add a `lndconnect` binary to the system environment which prints
+          connection info for lnd clients.
+          See: https://github.com/LN-Zap/lndconnect
+
+          Usage:
+          ```bash
+            # Print QR code
+            lndconnect
+
+            # Print URL
+            lndconnect --url
+          ```
+        '';
+      };
+      onion = mkOption {
+        type = types.bool;
+        default = false;
+        description = mdDoc ''
+          Create an onion service for the lnd REST server,
+          which is used by lndconnect.
+        '';
+      };
+    };
+
+
+    services.clightning-rest.lndconnect = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = mdDoc ''
+        Add a `lndconnect-clightning` binary to the system environment which prints
+        connection info for clightning clients.
+        See: https://github.com/LN-Zap/lndconnect
+
+        Usage:
+        ```bash
+          # Print QR code
+          lndconnect-clightning
+
+          # Print URL
+          lndconnect-clightning --url
+        ```
+      '';
+      };
+      onion = mkOption {
+        type = types.bool;
+        default = false;
+        description = mdDoc ''
+          Create an onion service for the clightning REST server,
+          which is used by lndconnect.
+        '';
+      };
+    };
+
+    nix-bitcoin.mkLndconnect = mkOption {
+      readOnly = true;
+      default = mkLndconnect;
+      description = mdDoc ''
+        A function to create a lndconnect binary.
+        See the source for further details.
+      '';
+    };
+  };
+
+  nbLib = config.nix-bitcoin.lib;
+  runAsUser = config.nix-bitcoin.runAsUserCmd;
+
+  inherit (config.services)
+    lnd
+    clightning-rest;
+
+  mkLndconnect = {
+    name,
+    shebang ? "#!${pkgs.stdenv.shell} -e",
+    isClightning ? false,
+    port,
+    macaroonPath,
+    enableOnion,
+    onionService ? null,
+    certPath ? null
+  }:
+  # TODO-EXTERNAL:
+  # lndconnect requires a --configfile argument, although it's unused
+  # https://github.com/LN-Zap/lndconnect/issues/25
+  pkgs.hiPrio (pkgs.writeScriptBin name ''
+    ${shebang}
+    url=$(
+      ${getExe config.nix-bitcoin.pkgs.lndconnect} --url \
+        ${optionalString enableOnion "--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService})"} \
+        --port=${toString port} \
+        ${if enableOnion || certPath == null then "--nocert" else "--tlscertpath='${certPath}'"} \
+        --adminmacaroonpath='${macaroonPath}' \
+        --configfile=/dev/null "$@"
+    )
+
+    ${optionalString isClightning
+      # - Change URL procotcol to c-lightning-rest
+      # - Encode macaroon as hex (in uppercase) instead of base 64.
+      #   Because `macaroon` is always the last URL fragment, the
+      #   sed replacement below works correctly.
+      ''
+        macaroonHex=$(${getExe pkgs.xxd} -p -u -c 99999 '${macaroonPath}')
+        url=$(
+          echo "$url" | ${getExe pkgs.gnused} "
+            s|^lndconnect|c-lightning-rest|
+            s|macaroon=.*|macaroon=$macaroonHex|
+          ";
+        )
+      ''
+    }
+
+    # If --url is in args
+    if [[ " $* " =~ " --url " ]]; then
+      echo "$url"
+    else
+      # This UTF-8 encoding yields a smaller, more convenient output format
+      # compared to the native lndconnect output
+      echo -n "$url" | ${getExe pkgs.qrencode} -t UTF8 -o -
+    fi
+  '');
+
+  operatorName = config.nix-bitcoin.operator.name;
+in {
+  inherit options;
+
+  config = mkMerge [
+    (mkIf (lnd.enable && lnd.lndconnect.enable)
+      (mkMerge [
+        {
+          environment.systemPackages = [(
+            mkLndconnect {
+              name = "lndconnect";
+              # Run as lnd user because the macaroon and cert are not group-readable
+              shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
+              enableOnion = lnd.lndconnect.onion;
+              onionService = "${lnd.user}/lnd-rest";
+              port = lnd.restPort;
+              certPath = lnd.certPath;
+              macaroonPath = "${lnd.networkDir}/admin.macaroon";
+            }
+          )];
+
+          services.lnd.restAddress = mkIf (!lnd.lndconnect.onion) "0.0.0.0";
+        }
+
+        (mkIf lnd.lndconnect.onion {
+          services.tor = {
+            enable = true;
+            relay.onionServices.lnd-rest = nbLib.mkOnionService {
+              target.addr = nbLib.address lnd.restAddress;
+              target.port = lnd.restPort;
+              port = lnd.restPort;
+            };
+          };
+          nix-bitcoin.onionAddresses.access = {
+            ${lnd.user} = [ "lnd-rest" ];
+            ${operatorName} = [ "lnd-rest" ];
+          };
+        })
+      ]))
+
+    (mkIf (clightning-rest.enable && clightning-rest.lndconnect.enable)
+      (mkMerge [
+        {
+          environment.systemPackages = [(
+            mkLndconnect {
+              name = "lndconnect-clightning";
+              isClightning = true;
+              enableOnion = clightning-rest.lndconnect.onion;
+              onionService = "${operatorName}/clightning-rest";
+              port = clightning-rest.port;
+              certPath = "${clightning-rest.dataDir}/certs/certificate.pem";
+              macaroonPath = "${clightning-rest.dataDir}/certs/access.macaroon";
+            }
+          )];
+
+          # clightning-rest always binds to all interfaces
+        }
+
+        (mkIf clightning-rest.lndconnect.onion {
+          services.tor = {
+            enable = true;
+            relay.onionServices.clightning-rest = nbLib.mkOnionService {
+              target.addr = nbLib.address clightning-rest.address;
+              target.port = clightning-rest.port;
+              port = clightning-rest.port;
+            };
+          };
+          # This also allows nodeinfo to show the clightning-rest onion address
+          nix-bitcoin.onionAddresses.access.${operatorName} = [ "clightning-rest" ];
+        })
+      ])
+    )
+  ];
+}

modules/modules.nix

@@ -19,7 +19,7 @@
     ./lightning-loop.nix
     ./lightning-pool.nix
     ./charge-lnd.nix
-    ./lndconnect-onion.nix # Requires onion-addresses.nix
+    ./lndconnect.nix # Requires onion-addresses.nix
     ./rtl.nix
     ./electrs.nix
     ./fulcrum.nix

modules/nodeinfo.nix

@@ -63,7 +63,7 @@ let
     infos = OrderedDict()
     operator = "${config.nix-bitcoin.operator.name}"
 
-    def set_onion_address(info, name, port):
+    def get_onion_address(name, port):
         path = f"/var/lib/onion-addresses/{operator}/{name}"
         try:
             with open(path, "r") as f:
@@ -71,7 +71,7 @@ let
         except OSError:
             print(f"error reading file {path}", file=sys.stderr)
             return
-        info["onion_address"] = f"{onion_address}:{port}"
+        return f"{onion_address}:{port}"
 
     def add_service(service, make_info, systemd_service = None):
         systemd_service = systemd_service or service
@@ -106,7 +106,7 @@ let
       add_service("${name}", """
       info["local_address"] = "${nbLib.addressWithPort cfg.address cfg.port}"
     '' + mkIfOnionPort name (onionPort: ''
-      set_onion_address(info, "${name}", ${onionPort})
+      info["onion_address"] = get_onion_address("${name}", ${onionPort})
     '') + extraCode + ''
 
       """, "${systemdServiceName}")
@@ -123,8 +123,10 @@ let
 in {
   inherit options;
 
-  config = {
-    environment.systemPackages = optional cfg.enable script;
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ script ];
+
+    nix-bitcoin.operator.enable = true;
 
     nix-bitcoin.nodeinfo.services = with nodeinfoLib; {
       bitcoind = mkInfo "";
@@ -133,9 +135,13 @@ in {
         if 'onion_address' in info:
             info["id"] = f"{info['nodeid']}@{info['onion_address']}"
       '';
-      lnd = mkInfo ''
+      lnd = name: cfg: mkInfo (''
+        info["rest_address"] = "${nbLib.addressWithPort cfg.restAddress cfg.restPort}"
+      '' + mkIfOnionPort "lnd-rest" (onionPort: ''
+        info["onion_rest_address"] = get_onion_address("lnd-rest", ${onionPort})
+      '') + ''
         info["nodeid"] = shell("lncli getinfo | jq -r '.identity_pubkey'")
-      '';
+      '') name cfg;
       clightning-rest = mkInfo "";
       electrs = mkInfo "";
       fulcrum = mkInfo "";
@@ -146,7 +152,7 @@ in {
       rtl = mkInfo "";
       # Only add sshd when it has an onion service
       sshd = name: cfg: mkIfOnionPort "sshd" (onionPort: ''
-        add_service("sshd", """set_onion_address(info, "sshd", ${onionPort})""")
+        add_service("sshd", """info["onion_address"] = get_onion_address("sshd", ${onionPort})""")
       '');
     };
   };

modules/obsolete-options.nix

@@ -33,7 +33,6 @@ in {
     (mkRenamedOptionModule [ "services" "liquidd" "rpcbind" ] [ "services" "liquidd" "rpc" "address" ])
     # 0.0.70
     (mkRenamedOptionModule [ "services" "rtl" "cl-rest" ] [ "services" "clightning-rest" ])
-    (mkRenamedOptionModule [ "services" "lnd" "restOnionService" "enable" ] [ "services" "lnd" "lndconnectOnion" "enable" ])
 
     (mkRenamedOptionModule [ "nix-bitcoin" "setup-secrets" ] [ "nix-bitcoin" "setupSecrets" ])
 
@@ -46,6 +45,28 @@ in {
       bitcoin peer connections for syncing blocks. This performs well on low and high
       memory systems.
     '')
+    # 0.0.86
+    (mkRemovedOptionModule [ "services" "lnd" "restOnionService" "enable" ] ''
+      Set the following options instead:
+      services.lnd.lndconnect = {
+        enable = true;
+        onion = true;
+      }
+    '')
+    (mkRemovedOptionModule [ "services" "lnd" "lndconnectOnion" ] ''
+      Set the following options instead:
+      services.lnd.lndconnect = {
+        enable = true;
+        onion = true;
+      }
+    '')
+    (mkRemovedOptionModule [ "services" "clightning-rest" "lndconnectOnion" ] ''
+      Set the following options instead:
+      services.clightning-rest.lndconnect = {
+        enable = true;
+        onion = true;
+      }
+    '')
   ] ++
   # 0.0.59
   (map mkSplitEnforceTorOption [

modules/presets/wireguard.nix

@@ -0,0 +1,214 @@
+{ config, pkgs, lib, ... }:
+
+# Create a WireGuard server with a single peer.
+# Private/public keys are created via the secrets system.
+# Add helper binaries `nix-bitcoin-wg-connect` and optionally `lndconnect-wg`, `lndconnect-clightning-wg`.
+
+# See ../../docs/services.md ("Use Zeus (mobile lightning wallet) via WireGuard")
+# for usage instructions.
+
+# This is a rather opinionated implementation that lacks the flexibility offered by
+# other nix-bitcoin modules, so ship this as a `preset`.
+# Some users will prefer to use `lndconnect` with their existing WireGuard or Tailscale setup.
+
+with lib;
+let
+  options.nix-bitcoin.wireguard = {
+    subnet = mkOption {
+      type = types.str;
+      default = "10.10.0";
+      description = mdDoc "The /24 subnet of the wireguard network.";
+    };
+    restrictPeer = mkOption {
+      type = types.bool;
+      default = true;
+      description = mdDoc ''
+        Prevent the peer from connecting to any addresses except for the WireGuard server address.
+      '';
+    };
+  };
+
+  cfg = config.nix-bitcoin.wireguard;
+  wgSubnet = cfg.subnet;
+  inherit (config.networking.wireguard.interfaces) wg-nb;
+  inherit (config.services)
+    lnd
+    clightning-rest;
+
+  lndconnect = lnd.enable && lnd.lndconnect.enable;
+  lndconnect-clightning = clightning-rest.enable && clightning-rest.lndconnect.enable;
+
+  serverAddress = "${wgSubnet}.1";
+  peerAddress = "${wgSubnet}.2";
+
+  secretsDir = config.nix-bitcoin.secretsDir;
+
+  wgConnectUser = if config.nix-bitcoin.operator.enable
+                  then config.nix-bitcoin.operator.name
+                  else "root";
+
+  # A script that prints a QR code to connect a peer to the server.
+  # The QR code encodes a wg-quick config that can be imported by the wireguard
+  # mobile app.
+  wgConnect = pkgs.writers.writeBashBin "nix-bitcoin-wg-connect" ''
+    set -euo pipefail
+    text=
+    host=
+    for arg in "$@"; do
+      case $arg in
+        --text)
+          text=1
+          ;;
+        *)
+          host=$arg
+          ;;
+      esac
+    done
+
+    if [[ ! $host ]]; then
+      # Use lndconnect to fetch the external ip.
+      # This internally uses https://github.com/GlenDC/go-external-ip, which
+      # queries a set of external ip providers.
+      host=$(
+        ${getExe config.nix-bitcoin.pkgs.lndconnect} --url --nocert \
+          --configfile=/dev/null --adminmacaroonpath=/dev/null \
+          | sed -nE 's|.*?/(.*?):.*|\1|p'
+      )
+    fi
+
+    config="[Interface]
+    PrivateKey = $(cat ${secretsDir}/wg-peer-private-key)
+    Address = ${peerAddress}/24
+
+    [Peer]
+    PublicKey = $(cat ${secretsDir}/wg-server-public-key)
+    AllowedIPs = ${wgSubnet}.0/24
+    Endpoint = $host:${toString wg-nb.listenPort}
+    PersistentKeepalive = 25
+    "
+
+    if [[ $text ]]; then
+      echo "$config"
+    else
+      echo "$config" | ${getExe pkgs.qrencode} -t UTF8 -o -
+    fi
+  '';
+in {
+  inherit options;
+
+  config = {
+    assertions = [
+      {
+        # Don't support `netns-isolation` for now to keep things simple
+        assertion = !(config.nix-bitcoin.netns-isolation.enable or false);
+        message = "`nix-bitcoin.wireguard` is not compatible with `netns-isolation`.";
+      }
+    ];
+
+    networking.wireguard.interfaces.wg-nb = {
+      ips = [ "${serverAddress}/24" ];
+      listenPort = mkDefault 51820;
+      privateKeyFile = "${secretsDir}/wg-server-private-key";
+      allowedIPsAsRoutes = false;
+      peers = [
+        {
+          # To use the actual public key from the secrets file, use dummy pubkey
+          # `peer0` and replace it via `getPubkeyFromFile` (see further below)
+          # at peer service runtime.
+          publicKey = "peer0";
+          allowedIPs = [ "${peerAddress}/32" ];
+        }
+      ];
+    };
+
+    systemd.services = {
+      wireguard-wg-nb = rec {
+        wants = [ "nix-bitcoin-secrets.target" ];
+        after = wants;
+      };
+
+      # HACK: Modify start/stop scripts of the peer setup service to read
+      # the pubkey from a secrets file.
+      wireguard-wg-nb-peer-peer0 = let
+        getPubkeyFromFile = mkBefore ''
+          if [[ ! -v inPatchedSrc ]]; then
+            export inPatchedSrc=1
+            publicKey=$(cat "${secretsDir}/wg-peer-public-key")
+            <"''${BASH_SOURCE[0]}" sed "s|\bpeer0\b|$publicKey|g" | ${pkgs.bash}/bin/bash -s
+            exit
+          fi
+        '';
+      in {
+        script = getPubkeyFromFile;
+        postStop = getPubkeyFromFile;
+      };
+    };
+
+    environment.systemPackages = [
+      wgConnect
+    ] ++ (optional lndconnect
+      (pkgs.writers.writeBashBin "lndconnect-wg" ''
+        exec lndconnect --host "${serverAddress}" --nocert "$@"
+      '')
+    ) ++ (optional lndconnect-clightning
+      (pkgs.writers.writeBashBin "lndconnect-clightning-wg" ''
+        exec lndconnect-clightning --host "${serverAddress}" --nocert "$@"
+      '')
+    );
+
+    networking.firewall = let
+      restrictPeerRule = "-s ${peerAddress} ! -d ${serverAddress} -j REJECT";
+    in {
+      allowedUDPPorts = [ wg-nb.listenPort ];
+
+      extraCommands =
+        optionalString lndconnect ''
+          iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString lnd.restPort} -j nixos-fw-accept
+        ''
+        + optionalString lndconnect-clightning ''
+          iptables -w -A nixos-fw -p tcp -s ${wgSubnet}.0/24 --dport ${toString clightning-rest.port} -j nixos-fw-accept
+        ''
+        + optionalString cfg.restrictPeer ''
+          iptables -w -A nixos-fw ${restrictPeerRule}
+          iptables -w -A FORWARD ${restrictPeerRule}
+        '';
+
+      extraStopCommands =
+        # Rules added to chain `nixos-fw` are automatically removed when restarting
+        # the NixOS firewall service.
+        mkIf cfg.restrictPeer ''
+          iptables -w -D FORWARD ${restrictPeerRule} || :
+        '';
+    };
+
+    # Listen on all addresses, including `serverAddress`.
+    # This is safe because the listen ports are secured by the firewall.
+    services.lnd.restAddress = mkIf lndconnect "0.0.0.0";
+    # clightning-rest always listens on "0.0.0.0"
+
+    nix-bitcoin.secrets = {
+      wg-server-private-key = {};
+      wg-server-public-key = { user = wgConnectUser; group = "root"; };
+      wg-peer-private-key = { user = wgConnectUser; group = "root"; };
+      wg-peer-public-key = {};
+    };
+
+    nix-bitcoin.generateSecretsCmds.wireguard = let
+      wg = "${pkgs.wireguard-tools}/bin/wg";
+    in ''
+      makeWireguardKey() {
+        local name=$1
+        local priv=wg-$name-private-key
+        local pub=wg-$name-public-key
+        if [[ ! -e $priv ]]; then
+          ${wg} genkey > $priv
+        fi
+        if [[ $priv -nt $pub ]]; then
+          ${wg} pubkey < $priv > $pub
+        fi
+      }
+      makeWireguardKey server
+      makeWireguardKey peer
+    '';
+  };
+}

modules/rtl.nix

@@ -191,6 +191,7 @@ in {
                  optional cfg.nodes.lnd.enable "lnd.service";
       after = requires;
       environment.RTL_CONFIG_PATH = cfg.dataDir;
+      environment.DB_DIRECTORY_PATH = cfg.dataDir;
       serviceConfig = nbLib.defaultHardening // {
         ExecStartPre = [
           (nbLib.script "rtl-setup-config" ''

modules/versioning.nix

@@ -228,7 +228,7 @@ let
       version = "0.0.70";
       condition = config.services.lnd.lndconnectOnion.enable;
       message = ''
-        The `lndconnect-rest-onion` binary has been renamed to `lndconnect-onion`.
+        The `lndconnect-rest-onion` binary has been renamed to `lndconnect`.
       '';
     }
     {

pkgs/clightning-plugins/default.nix

@@ -32,7 +32,7 @@ let
       extraPkgs = [ prometheus_client ];
       patchRequirements =
         "--replace prometheus-client==0.6.0 prometheus-client==0.15.0"
-        + " --replace pyln-client~=0.9.3 pyln-client~=22.11rc1";
+        + " --replace pyln-client~=0.9.3 pyln-client~=23.02";
     };
     rebalance = {
       description = "Keeps your channels balanced";

pkgs/default.nix

@@ -20,6 +20,12 @@ let self = {
   # The secp256k1 version used by joinmarket
   secp256k1 = pkgs.callPackage ./secp256k1 { };
   spark-wallet = pkgs.callPackage ./spark-wallet { };
+  trustedcoin = pkgs.callPackage ./trustedcoin { };
+
+  # TODO-EXTERNAL:
+  # Remove this when https://github.com/lightningnetwork/lnd/pull/7672
+  # has been resolved
+  lnd = pkgsUnstable.callPackage ./lnd { };
 
   pyPkgs = import ./python-packages self pkgs.python3;
   inherit (self.pyPkgs)

pkgs/joinmarket/default.nix

@@ -1,10 +1,12 @@
-{ stdenv, lib, fetchurl, python3, nbPython3PackagesJoinmarket }:
+{ stdenv, lib, fetchFromGitHub, python3, nbPython3PackagesJoinmarket }:
 
 let
-  version = "0.9.8";
-  src = fetchurl {
-    url = "https://github.com/JoinMarket-Org/joinmarket-clientserver/archive/v${version}.tar.gz";
-    sha256 = "1ab4smpyx966iiiip3g11bcslya37qhac1kgkbmsmlsdkpilw9di";
+  version = "0.9.9";
+  src = fetchFromGitHub {
+    owner = "joinmarket-org";
+    repo = "joinmarket-clientserver";
+    rev = "v${version}";
+    sha256 = "sha256-dkeSgAhjNl8o/ATKYAlQxxCrur5fLdXuMDXSnWaxYP8=";
   };
 
   runtimePackages = with nbPython3PackagesJoinmarket; [

pkgs/joinmarket/get-sha256.sh

@@ -1,25 +1,23 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p git gnupg jq
+
 set -euo pipefail
-. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg" "$@"
+newVersion=$(curl -s "https://api.github.com/repos/joinmarket-org/joinmarket-clientserver/releases" | jq -r '.[0].tag_name')
 
-TMPDIR="$(mktemp -d -p /tmp)"
-trap 'rm -rf $TMPDIR' EXIT
-cd "$TMPDIR"
-
-echo "Fetching latest release"
-git clone https://github.com/joinmarket-org/joinmarket-clientserver 2> /dev/null
-cd joinmarket-clientserver
-latest=$(git describe --tags "$(git rev-list --tags --max-count=1)")
-echo "Latest release is $latest"
-
-# GPG verification
-export GNUPGHOME=$TMPDIR
+# Fetch release and GPG-verify the content hash
+tmpdir=$(mktemp -d /tmp/joinmarket-verify-gpg.XXX)
+repo=$tmpdir/repo
+git clone --depth 1 --branch "${newVersion}" -c advice.detachedHead=false https://github.com/joinmarket-org/joinmarket-clientserver "$repo"
+export GNUPGHOME=$tmpdir
 echo "Fetching Adam Gibson's key"
 gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null
-echo "Verifying latest release"
-git verify-tag "$latest"
+echo
+echo "Verifying commit"
+git -C "$repo" verify-commit HEAD
+rm -rf "$repo"/.git
+newHash=$(nix hash path "$repo")
+rm -rf "$tmpdir"
+echo
 
-echo "tag: $latest"
-# The prefix option is necessary because GitHub prefixes the archive contents in this format
-echo "sha256: $(nix-hash --type sha256 --flat --base32 \
-                <(git archive --format tar.gz --prefix=joinmarket-clientserver-"${latest//v}"/ "$latest"))"
+echo "tag: $newVersion"
+echo "hash: $newHash"

pkgs/lnd/default.nix

@@ -0,0 +1,12 @@
+{ lnd, fetchpatch }:
+
+lnd.overrideAttrs (_: {
+  patches = [
+    (fetchpatch {
+      # https://github.com/lightningnetwork/lnd/pull/7672
+      name = "fix-PKCS8-cert-key-support";
+      url = "https://github.com/lightningnetwork/lnd/commit/bfdd5db0d97a6d65489d980a917bbd2243dfe15c.patch";
+      hash = "sha256-j9EirxyNi48DGzLuHcZ36LrFlbJLXrE8L+1TYh5Yznk=";
+    })
+  ];
+})

pkgs/pinned.nix

@@ -4,21 +4,20 @@ pkgs: pkgsUnstable:
   inherit (pkgs)
     bitcoin
     bitcoind
-    elementsd
     extra-container
-    lightning-loop
     lightning-pool
-    lndconnect
-    nbxplorer;
+    lndconnect;
 
   inherit (pkgsUnstable)
     btcpayserver
     charge-lnd
     clightning
     electrs
+    elementsd
     fulcrum
     hwi
-    lnd;
+    lightning-loop
+    nbxplorer;
 
   inherit pkgs pkgsUnstable;
 }

pkgs/python-packages/bencoderpyx/default.nix

@@ -2,11 +2,11 @@
 
 buildPythonPackage rec {
   pname = "bencoder.pyx";
-  version = "2.0.1";
+  version = "3.0.1";
 
   src = fetchurl {
-    url = "https://github.com/whtsky/bencoder.pyx/archive/v${version}.tar.gz";
-    sha256 = "f3ff92ac706a7e4692bed5e6cbe205963327f3076f55e408eb948659923eac72";
+    url = "https://github.com/whtsky/bencoder.pyx/archive/9a47768f3ceba9df9e6fbaa7c445f59960889009.tar.gz";
+    sha256 = "1yh565xjbbhn49xjfms80ac8psjbzn66n8dcx0x8mn7zzjv06clz";
   };
 
   nativeBuildInputs = [ cython ];

pkgs/python-packages/default.nix

@@ -22,7 +22,6 @@ rec {
       };
       runes = callPackage ./runes {};
       sha256 = callPackage ./sha256 {};
-      urldecode = callPackage ./urldecode {};
     };
 
   # Joinmarket requires a custom package set because it uses older versions of Python pkgs
@@ -47,12 +46,10 @@ rec {
       # autobahn 20.12.3, required by joinmarketclient
       autobahn = callPackage ./specific-versions/autobahn.nix {};
 
-      # pyopenssl 20.0.1, required by joinmarketdaemon
-      pyopenssl = callPackage ./specific-versions/pyopenssl.nix {
-        openssl = super.pkgs.openssl_1_1;
-      };
+      # pyopenssl 21.0.0, required by joinmarketdaemon
+      pyopenssl = callPackage ./specific-versions/pyopenssl.nix {};
 
-      # twisted 22.4.0, compatible with pyopenssl 20.0.1
+      # twisted 22.4.0, required by joinmarketbase
       twisted = callPackage ./specific-versions/twisted.nix {};
     };
 

pkgs/python-packages/jmbitcoin/default.nix

@@ -1,4 +1,4 @@
-{ version, src, lib, buildPythonPackage, fetchurl, urldecode, pyaes, python-bitcointx, joinmarketbase }:
+{ version, src, lib, buildPythonPackage, fetchurl, pyaes, python-bitcointx, joinmarketbase }:
 
 buildPythonPackage rec {
   pname = "joinmarketbitcoin";
@@ -6,7 +6,7 @@ buildPythonPackage rec {
 
   postUnpack = "sourceRoot=$sourceRoot/jmbitcoin";
 
-  propagatedBuildInputs = [ urldecode pyaes python-bitcointx ];
+  propagatedBuildInputs = [ pyaes python-bitcointx ];
 
   checkInputs = [ joinmarketbase ];
 

pkgs/python-packages/jmdaemon/default.nix

@@ -8,6 +8,12 @@ buildPythonPackage rec {
 
   propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ];
 
+  # libnacl 1.8.0 is not on github
+  patchPhase = ''
+    substituteInPlace setup.py \
+      --replace "'libnacl==1.8.0'" "'libnacl==1.7.2'"
+  '';
+
   meta = with lib; {
     description = "Client library for Bitcoin coinjoins";
     homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";

pkgs/python-packages/specific-versions/pyopenssl.nix

@@ -6,17 +6,50 @@
 , cryptography
 , pyasn1
 , idna
-, pytest
+, pytestCheckHook
 , pretend
 , flaky
 , glibcLocales
 , six
 }:
 
-let
-  # https://github.com/pyca/pyopenssl/issues/791
-  # These tests, we disable in the case that libressl is passed in as openssl.
-  failingLibresslTests = [
+buildPythonPackage rec {
+  pname = "pyopenssl";
+  version = "21.0.0";
+
+  src = fetchPypi {
+    pname = "pyOpenSSL";
+    inherit version;
+    sha256 = "5e2d8c5e46d0d865ae933bef5230090bdaf5506281e9eec60fa250ee80600cb3";
+  };
+
+  outputs = [ "out" "dev" ];
+
+  # Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
+  # for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
+  doCheck = !stdenv.isDarwin;
+
+  nativeBuildInputs = [ openssl ];
+  propagatedBuildInputs = [ cryptography pyasn1 idna six ];
+
+  checkInputs = [ pytestCheckHook pretend flaky glibcLocales ];
+
+  preCheck = ''
+    export LANG="en_US.UTF-8"
+  '';
+
+  disabledTests = [
+    # https://github.com/pyca/pyopenssl/issues/692
+    # These tests, we disable always.
+    "test_set_default_verify_paths"
+    "test_fallback_default_verify_paths"
+    # https://github.com/pyca/pyopenssl/issues/768
+    "test_wantWriteError"
+    # https://github.com/pyca/pyopenssl/issues/1043
+    "test_alpn_call_failure"
+  ] ++ lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) [
+    # https://github.com/pyca/pyopenssl/issues/791
+    # These tests, we disable in the case that libressl is passed in as openssl.
     "test_op_no_compression"
     "test_npn_advertise_error"
     "test_npn_select_error"
@@ -29,64 +62,21 @@ let
     "test_verify_with_revoked"
     "test_set_notAfter"
     "test_set_notBefore"
-  ];
-
-  # these tests are extremely tightly wed to the exact output of the openssl cli tool,
-  # including exact punctuation.
-  failingOpenSSL_1_1Tests = [
+  ] ++ lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") [
+    # these tests are extremely tightly wed to the exact output of the openssl cli tool, including exact punctuation.
     "test_dump_certificate"
     "test_dump_privatekey_text"
     "test_dump_certificate_request"
     "test_export_text"
+  ] ++ lib.optionals stdenv.is32bit [
+    # https://github.com/pyca/pyopenssl/issues/974
+    "test_verify_with_time"
   ];
 
-  disabledTests = [
-    # https://github.com/pyca/pyopenssl/issues/692
-    # These tests, we disable always.
-    "test_set_default_verify_paths"
-    "test_fallback_default_verify_paths"
-    # https://github.com/pyca/pyopenssl/issues/768
-    "test_wantWriteError"
-  ] ++ (
-    lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) failingLibresslTests
-  ) ++ (
-    lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") failingOpenSSL_1_1Tests
-  ) ++ (
-    # https://github.com/pyca/pyopenssl/issues/974
-    lib.optionals stdenv.is32bit [ "test_verify_with_time" ]
-  );
-
-  # Compose the final string expression, including the "-k" and the single quotes.
-  testExpression = lib.optionalString (disabledTests != [])
-    "-k 'not ${lib.concatStringsSep " and not " disabledTests}'";
-
-in
-
-buildPythonPackage rec {
-  pname = "pyopenssl";
-  version = "20.0.1";
-
-  src = fetchPypi {
-    pname = "pyOpenSSL";
-    inherit version;
-    sha256 = "4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51";
+  meta = with lib; {
+    description = "Python wrapper around the OpenSSL library";
+    homepage = "https://github.com/pyca/pyopenssl";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ SuperSandro2000 ];
   };
-
-  outputs = [ "out" "dev" ];
-
-  checkPhase = ''
-    runHook preCheck
-    export LANG="en_US.UTF-8"
-    py.test tests ${testExpression}
-    runHook postCheck
-  '';
-
-  # Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
-  # for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
-  doCheck = !stdenv.isDarwin;
-
-  nativeBuildInputs = [ openssl ];
-  propagatedBuildInputs = [ cryptography pyasn1 idna six ];
-
-  checkInputs = [ pytest pretend flaky glibcLocales ];
 }

pkgs/python-packages/urldecode/default.nix

@@ -1,16 +0,0 @@
-{ lib, buildPythonPackage, fetchPypi }:
-buildPythonPackage rec {
-  pname = "urldecode";
-  version = "0.1";
-
-  src = fetchPypi {
-    inherit pname version;
-    sha256 = "0w8my7kdwxppsfzzi1b2cxhypm6r1fsrnb2hnd752axq4gfsddjj";
-  };
-
-  meta = with lib; {
-    description = "A simple function to decode an encoded url";
-    homepage = "https://github.com/jennyq/urldecode";
-    maintainers = with maintainers; [ nixbitcoin ];
-  };
-}

pkgs/rtl/default.nix

@@ -10,11 +10,11 @@
 }:
 let self = stdenvNoCC.mkDerivation {
   pname = "rtl";
-  version = "0.13.4";
+  version = "0.13.6";
 
   src = fetchurl {
     url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz";
-    hash = "sha256-WVldNnmCB7Gi/U3dUDTYF58i480eXkstRnEg+1QCeMM=";
+    hash = "sha256-eyRM28h2TV3IyW4hDPHj/wMJxLEZin7AqWQZGQt5mV4=";
   };
 
   passthru = {
@@ -26,7 +26,7 @@ let self = stdenvNoCC.mkDerivation {
       # TODO-EXTERNAL: Remove `npmFlags` when no longer required
       # See: https://github.com/Ride-The-Lightning/RTL/issues/1182
       npmFlags = "--legacy-peer-deps";
-      hash = "sha256-AG7930RGLxbPp1ErTGuYvUvPur9ppEmg91Taz7Ube6w=";
+      hash = "sha256-C4yK6deYXPrTa383aXiHoO0w3JAMIfAaESCEy9KKY2k=";
     };
   };
 

pkgs/rtl/generate.sh

@@ -2,7 +2,7 @@
 set -euo pipefail
 . "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
 
-version="0.13.4"
+version="0.13.6"
 repo=https://github.com/Ride-The-Lightning/RTL
 
 scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)

pkgs/trustedcoin/default.nix

@@ -0,0 +1,23 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "trustedcoin";
+  version = "0.6.1";
+  src = fetchFromGitHub {
+    owner = "nbd-wtf";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-UNQjxhAT0mK1In7vUtIoMoMNBV+0wkrwbDmm7m+0R3o=";
+  };
+
+  vendorSha256 = "sha256-xvkK9rMQlXTnNyOMd79qxVSvhgPobcBk9cq4/YWbupY=";
+
+  subPackages = [ "." ];
+
+  meta = with lib; {
+    description = "Light bitcoin node implementation";
+    homepage = "https://github.com/nbd-wtf/trustedcoin";
+    maintainers = with maintainers; [ seberm fort-nix ];
+    platforms = platforms.linux;
+  };
+}

pkgs/trustedcoin/get-sha256.sh

@@ -0,0 +1,20 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p git gnupg curl jq
+set -euo pipefail
+
+
+TMPDIR="$(mktemp -d -p /tmp)"
+trap 'rm -rf $TMPDIR' EXIT
+cd "$TMPDIR"
+
+echo "Fetching latest release"
+repo='nbd-wtf/trustedcoin'
+latest=$(curl --location --silent --show-error https://api.github.com/repos/${repo}/releases/latest | jq -r .tag_name)
+echo "Latest release is $latest"
+git clone --depth 1 --branch "$latest" "https://github.com/${repo}" 2>/dev/null
+cd trustedcoin
+
+echo "tag: $latest"
+git checkout -q "tags/$latest"
+rm -rf .git
+nix --extra-experimental-features nix-command hash path .

test/nixos-search/ci-test.sh

@@ -20,4 +20,4 @@ if [[ ${CACHIX_SIGNING_KEY:-} ]]; then
 fi
 
 echo "Running flake-info (nixos-search)"
-flake-info flake ../..
+flake-info --json flake ../.. >/dev/null

test/nixos-search/flake-info-sandboxed.sh

@@ -41,4 +41,4 @@ bwrap \
   --ro-bind "$tmpDir/nix.conf" /etc/nix/nix.conf \
   --ro-bind /usr /usr \
   --ro-bind-try /run /run \
-  -- flake-info flake "$nbFlake"
+  -- flake-info --json flake "$nbFlake" >/dev/null

test/nixos-search/flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1678901627,
+        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
         "type": "github"
       },
       "original": {
@@ -18,11 +18,11 @@
     "nixos-org-configurations": {
       "flake": false,
       "locked": {
-        "lastModified": 1674564797,
-        "narHash": "sha256-MgGsFleE8Wzhu8XX3ulcBojkHzFLkII+D9sxkTHg7OU=",
+        "lastModified": 1679995724,
+        "narHash": "sha256-x5ElztEfo+vFEQdePneBEfQZcAtU5a7SWHHAuEESMts=",
         "owner": "NixOS",
         "repo": "nixos-org-configurations",
-        "rev": "3ce43a1fb5181a0e33b1f67d36fa0f3affa6bc6c",
+        "rev": "72adc59c5ba946c3d4844a920e9beefae12bbd49",
         "type": "github"
       },
       "original": {
@@ -39,11 +39,11 @@
         "npmlock2nix": "npmlock2nix"
       },
       "locked": {
-        "lastModified": 1674593115,
-        "narHash": "sha256-P4bjLR/8tJ/jVBBeHDzNS2BgVUdB6vS7Udfh30kULJs=",
+        "lastModified": 1683204679,
+        "narHash": "sha256-GrZj4skt6pjcNMmGQxvf5bSDYPzNahWKSNsHAtx5ERI=",
         "owner": "nixos",
         "repo": "nixos-search",
-        "rev": "be9a717b8032c7410337139f9dcfd6227b7407a4",
+        "rev": "0498effc4137095938f16fd752cc81a96901554f",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1667629849,
-        "narHash": "sha256-P+v+nDOFWicM4wziFK9S/ajF2lc0N2Rg9p6Y35uMoZI=",
+        "lastModified": 1680213900,
+        "narHash": "sha256-cIDr5WZIj3EkKyCgj/6j3HBH4Jj1W296z7HTcWj1aMA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "3bacde6273b09a21a8ccfba15586fb165078fb62",
+        "rev": "e3652e0735fbec227f342712f180f4f21f0594f2",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     "npmlock2nix": {
       "flake": false,
       "locked": {
-        "lastModified": 1666460237,
-        "narHash": "sha256-HME6rnysvCwUVtH+BDWDGahmweMaLgD2wqHeRuGp6QI=",
+        "lastModified": 1673447413,
+        "narHash": "sha256-sJM82Sj8yfQYs9axEmGZ9Evzdv/kDcI9sddqJ45frrU=",
         "owner": "nix-community",
         "repo": "npmlock2nix",
-        "rev": "eeed152290ec2425f96c5e74e469c40b621e1468",
+        "rev": "9197bbf397d76059a76310523d45df10d2e4ca81",
         "type": "github"
       },
       "original": {

test/run-tests.sh

@@ -274,6 +274,7 @@ buildable=(
     hardened
     clightning-replication
     lndPruned
+    wireguard-lndconnect
 )
 buildable() { buildTests buildable "$@"; }
 

test/tests.nix

@@ -45,7 +45,7 @@ let
       services.clightning.extraConfig = mkIf config.test.noConnections "disable-dns";
       test.data.clightning-plugins = let
         plugins = config.services.clightning.plugins;
-        removed = [ "commando" ];
+        removed = [ "commando" "trustedcoin" ];
         enabled = builtins.filter (plugin: plugins.${plugin}.enable)
                                   (subtractLists removed (builtins.attrNames plugins));
         nbPkgs = config.nix-bitcoin.pkgs;
@@ -86,8 +86,8 @@ let
 
       nix-bitcoin.onionServices.lnd.public = true;
 
-      tests.lndconnect-onion-lnd = cfg.lnd.lndconnectOnion.enable;
-      tests.lndconnect-onion-clightning = cfg.clightning-rest.lndconnectOnion.enable;
+      tests.lndconnect-onion-lnd = with cfg.lnd.lndconnect; enable && onion;
+      tests.lndconnect-onion-clightning = with cfg.clightning-rest.lndconnect; enable && onion;
 
       tests.lightning-loop = cfg.lightning-loop.enable;
       services.lightning-loop.certificate.extraIPs = [ "20.0.0.1" ];
@@ -187,9 +187,9 @@ let
       services.rtl.enable = true;
       services.spark-wallet.enable = true;
       services.clightning-rest.enable = true;
-      services.clightning-rest.lndconnectOnion.enable = true;
+      services.clightning-rest.lndconnect = { enable = true; onion = true; };
       services.lnd.enable = true;
-      services.lnd.lndconnectOnion.enable = true;
+      services.lnd.lndconnect = { enable = true; onion = true; };
       services.lightning-loop.enable = true;
       services.lightning-pool.enable = true;
       services.charge-lnd.enable = true;
@@ -315,6 +315,15 @@ let
       services.lnd.enable = true;
       services.bitcoind.prune = 1000;
     };
+
+    # Test the special clightning setup where trustedcoin plugin is used
+    trustedcoin = {
+      tests.trustedcoin = true;
+      services.clightning = {
+        enable = true;
+        plugins.trustedcoin.enable = true;
+      };
+    };
   } // (import ../dev/dev-scenarios.nix {
     inherit lib scenarios;
   });
@@ -405,6 +414,7 @@ in {
     in
       {
         clightning-replication = import ./clightning-replication.nix makeTestVM pkgs;
+        wireguard-lndconnect = import ./wireguard-lndconnect.nix makeTestVM pkgs;
       } // mainTests;
 
     tests = makeTests scenarios;

test/tests.py

@@ -177,12 +177,12 @@ def _():
 @test("lndconnect-onion-lnd")
 def _():
     assert_running("lnd")
-    assert_matches("runuser -u operator -- lndconnect-onion --url", ".onion")
+    assert_matches("runuser -u operator -- lndconnect --url", ".onion")
 
 @test("lndconnect-onion-clightning")
 def _():
     assert_running("clightning-rest")
-    assert_matches("runuser -u operator -- lndconnect-onion-clightning --url", ".onion")
+    assert_matches("runuser -u operator -- lndconnect-clightning --url", ".onion")
 
 @test("lightning-loop")
 def _():
@@ -433,6 +433,18 @@ def _():
     if enabled("btcpayserver"):
         machine.wait_until_succeeds(log_has_string("nbxplorer", f"At height: {num_blocks}"))
 
+@test("trustedcoin")
+def _():
+    machine.wait_for_unit("bitcoind")
+    machine.wait_for_unit("clightning")
+
+    # Let's check the trustedcoin plugin was correctly initialized
+    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+initialized plugin"))
+    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+bitcoind RPC working"))
+    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+tip: 0"))
+    machine.wait_until_succeeds(log_has_string("clightning", "plugin-trustedcoin[^^]\[0m\s+estimatefees error: none of the esploras returned usable responses"))
+
+
 if "netns-isolation" in enabled_tests:
     def ip(name):
         return test_data["netns"][name]["address"]

test/wireguard-lndconnect.nix

@@ -0,0 +1,103 @@
+# You can run this test via `run-tests.sh -s wireguard-lndconnect`
+
+makeTestVM: pkgs:
+with pkgs.lib;
+
+makeTestVM {
+  name = "wireguard-lndconnect";
+
+  nodes = {
+    server = {
+      imports = [
+        ../modules/modules.nix
+        ../modules/presets/wireguard.nix
+      ];
+
+      nixpkgs.pkgs = pkgs;
+
+      nix-bitcoin.generateSecrets = true;
+      nix-bitcoin.operator.enable = true;
+
+      services.clightning-rest = {
+        enable = true;
+        lndconnect.enable = true;
+      };
+      # TODO-EXTERNAL:
+      # When WAN is disabled, DNS bootstrapping slows down service startup by ~15 s.
+      services.clightning.extraConfig = "disable-dns";
+
+      services.lnd = {
+        enable = true;
+        lndconnect.enable = true;
+        port = 9736;
+      };
+    };
+
+    client = {
+      nixpkgs.pkgs = pkgs;
+
+      environment.systemPackages = with pkgs; [
+        wireguard-tools
+      ];
+    };
+  };
+
+  testScript =  ''
+    import base64
+    import urllib.parse as Url
+    from types import SimpleNamespace
+
+    def parse_lndconnect_url(url):
+        u = Url.urlparse(url)
+        queries = Url.parse_qs(u.query)
+        macaroon = queries['macaroon'][0]
+        is_clightning = url.startswith("c-lightning-rest")
+
+        return SimpleNamespace(
+            host = u.hostname,
+            port = u.port,
+            macaroon_hex =
+              macaroon if is_clightning else base64.urlsafe_b64decode(macaroon + '===').hex().upper()
+        )
+
+    client.start()
+    server.connect()
+
+    if not "is_interactive" in vars():
+
+      with subtest("connect client to server via WireGuard"):
+          server.wait_for_unit("wireguard-wg-nb-peer-peer0.service")
+
+          # Get WireGuard config from server and save it to `/tmp/wireguard.conf` on the client
+          wg_config = server.succeed("runuser -u operator -- nix-bitcoin-wg-connect server --text")
+          # Encode to base64
+          b64 = base64.b64encode(wg_config.encode('utf-8')).decode()
+          client.succeed(f"install -m 400 <(echo -n {b64} | base64 -d) /tmp/wireguard.conf")
+
+          # Connect to server via WireGuard
+          client.succeed("wg-quick up /tmp/wireguard.conf")
+
+          # Ping server from client
+          print(client.succeed("ping -c 1 -W 0.5 10.10.0.1"))
+
+      with subtest("lndconnect-wg"):
+          server.wait_for_unit("lnd.service")
+          lndconnect_url = server.succeed("runuser -u operator -- lndconnect-wg --url")
+          api = parse_lndconnect_url(lndconnect_url)
+          # Make lnd REST API call
+          client.succeed(
+              f"curl -fsS --max-time 3 --insecure --header 'Grpc-Metadata-macaroon: {api.macaroon_hex}' "
+              f"-X GET https://{api.host}:{api.port}/v1/getinfo"
+          )
+
+      with subtest("lndconnect-clightning-wg"):
+          server.wait_for_unit("clightning-rest.service")
+          lndconnect_url = server.succeed("runuser -u operator -- lndconnect-clightning-wg --url")
+          api = parse_lndconnect_url(lndconnect_url)
+          # Make clightning-rest API call
+          client.succeed(
+              f"curl -fsS --max-time 3 --insecure --header 'macaroon: {api.macaroon_hex}' "
+              f"--header 'encodingtype: hex' -X GET https://{api.host}:{api.port}/v1/getinfo"
+          )
+  '';
+}