Merge fort-nix/nix-bitcoin#450: Misc. improvements

d959d5b558 secure-node: don't set `nix-bitcoin.secretsDir` (Erik Arvstedt)
7b0c3d48c9 docs/services.md: link to clightning plugin list (Erik Arvstedt)
7402212263 examples/configuration.nix: disable `passwordAuthentication` (Erik Arvstedt)
e093bb64d9 examples/configuration.nix: fix links to `docs/services.md` (Erik Arvstedt)
d41a550355 fetch-release: export GNUPGHOME (Erik Arvstedt)
397b372cf3 bitcoind: improve option `rpc.users` (Erik Arvstedt)
679e7b6544 bitcoind: remove unneeded tmpfile rule (Erik Arvstedt)
98f419233f bitcoind: don't log timestamps (Erik Arvstedt)
6f8b4d9ebe flake: optimize nixpkgs importing (Erik Arvstedt)
16e2d4c8b7 flake: remove unneeded indirection in legacyPackages (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK d959d5b558

Tree-SHA512: e62fcf36ac77df62b9f86279d0ebac807525d188cbf1ee5c13cf1406b3caadad0f2df7527b0c8713259cbc6d5cdfa006f01e90d5377f974213f204a2f85a8ae6

docs/configuration.md

@@ -250,9 +250,4 @@ following default values:
 
 - If you're using the krops deployment method: `/var/src/secrets`
 
-- Otherwise:
+- Otherwise: `/etc/nix-bitcoin-secrets`
-  - `/secrets` (if you're using the `secure-node.nix` template)
-  - `/etc/nix-bitcoin-secrets` (otherwise)
-
-  `/secrets` only exists to provide backwards compatibility for users of the
-  `secure-node.nix` template.

docs/services.md

@@ -41,7 +41,8 @@ ssh -L 3000:169.254.1.29:3000 root@bitcoin-node
 
 Otherwise, you can access it via Tor Browser at `http://<onion-address>`.
 You can find the `<onion-address>` with command `nodeinfo`.
-The default password location is `/secrets/rtl-password`.
+The default password location is `$secretsDir/rtl-password`.
+See: [Secrets dir](./configuration.md#secrets-dir)
 
 # Connect to spark-wallet
 ### Requirements
@@ -305,9 +306,10 @@ If you want to manually initialize your wallet instead, follow these steps:
     Follow the on-screen instructions and write down your seed.
 
     In order to use nix-bitcoin's `joinmarket.yieldgenerator`, use the password
-    from `/secrets/jm-wallet-password` and use the suggested default wallet name
+    from `$secretsDir/jm-wallet-password` and use the suggested default wallet name
     `wallet.jmdat`. If you want to use your own `jm-wallet-password`, simply
     replace the password string in your local secrets directory.
+    See: [Secrets dir](./configuration.md#secrets-dir)
 
 ## Run the tumbler
 
@@ -391,15 +393,10 @@ See [here](https://github.com/JoinMarket-Org/joinmarket-clientserver/blob/master
 # clightning
 
 ## Plugins
+There is a number of [plugins](https://github.com/lightningd/plugins) available for clightning.
+See [`Readme: Features → clightning`](../README.md#features) or [search.nixos.org][1] for a complete list.
 
-There are a number of [plugins](https://github.com/lightningd/plugins) available for clightning. Currently `nix-bitcoin` supports:
+[1]: https://search.nixos.org/flakes?channel=unstable&from=0&size=30&sort=relevance&type=options&query=services.clightning.plugins
-
-- helpme
-- monitor
-- prometheus
-- rebalance
-- summary
-- zmq
 
 You can activate and configure these plugins like so:
 

examples/configuration.nix

@@ -51,7 +51,7 @@
   # nix-bitcoin.onionServices.clightning.public = true;
   #
   # == Plugins
-  # See ../docs/usage.md for the list of available plugins.
+  # See ../README.md (Features → clightning) for the list of available plugins.
   # services.clightning.plugins.prometheus.enable = true;
 
   ### LND
@@ -154,7 +154,7 @@
   # services.hardware-wallets.ledger = true;
   #
   # Trezor can be initialized with the trezorctl command in nix-bitcoin. More information in
-  # `docs/usage.md`.
+  # `../docs/services.md`.
   # services.hardware-wallets.trezor = true;
 
   ### lightning-loop
@@ -234,10 +234,15 @@
   networking.hostName = "host";
   time.timeZone = "UTC";
 
-  # FIXME: Add your SSH pubkey
+  services.openssh = {
-  services.openssh.enable = true;
+    enable = true;
+    passwordAuthentication = false;
+  };
   users.users.root = {
-    openssh.authorizedKeys.keys = [ "" ];
+    openssh.authorizedKeys.keys = [
+      # FIXME: Replace this with your SSH pubkey
+      "ssh-ed25519 AAAAC3..."
+    ];
   };
 
   # FIXME: Uncomment this to allow the operator user to run
@@ -261,5 +266,5 @@
   # The nix-bitcoin release version that your config is compatible with.
   # When upgrading to a backwards-incompatible release, nix-bitcoin will display an
   # an error and provide hints for migrating your config to the new release.
-  nix-bitcoin.configVersion = "0.0.57";
+  nix-bitcoin.configVersion = "0.0.65";
 }

flake.nix

@@ -18,8 +18,8 @@
       lib = {
         mkNbPkgs = {
           system
-          , pkgs ? import nixpkgs { inherit system; }
+          , pkgs ? nixpkgs.legacyPackages.${system}
-          , pkgsUnstable ? import nixpkgsUnstable { inherit system; }
+          , pkgsUnstable ? nixpkgsUnstable.legacyPackages.${system}
         }:
           import ./pkgs { inherit pkgs pkgsUnstable; };
       };
@@ -65,7 +65,7 @@
 
     } // (flake-utils.lib.eachSystem supportedSystems (system:
       let
-        pkgs = import nixpkgs { inherit system; };
+        pkgs = nixpkgs.legacyPackages.${system};
 
         nbPkgs = self.lib.mkNbPkgs { inherit system pkgs; };
 
@@ -111,7 +111,7 @@
         # Allow accessing the whole nested `nbPkgs` attrset (including `modulesPkgs`)
         # via this flake.
         # `packages` is not allowed to contain nested pkgs attrsets.
-        legacyPackages = { inherit nbPkgs; };
+        legacyPackages = nbPkgs;
 
         defaultApp = apps.vm;
 

helper/fetch-release

@@ -14,15 +14,15 @@ fi
 TMPDIR=$(mktemp -d)
 trap "rm -rf $TMPDIR" EXIT
 
-GPG_HOME=$TMPDIR/gpg-home
+export GNUPGHOME=$TMPDIR/gpg-home
-mkdir -p -m 700 "$GPG_HOME"
+mkdir -p -m 700 "$GNUPGHOME"
 
 # Import key
-gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
+gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null
 # Check that exactly one key was imported
-(($(gpg --homedir $GPG_HOME --list-keys --with-colons | grep -c pub) == 1))
+(($(gpg --list-keys --with-colons | grep -c pub) == 1))
 # Verify key fingerprint
-gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
+gpg --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
 
 # Fetch nar-hash of release
 cd $TMPDIR
@@ -31,7 +31,7 @@ curl -s --show-error -L -O $baseUrl/nar-hash.txt
 curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
 
 # Verify signature for nar-hash
-gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
+gpg --verify nar-hash.txt.asc &> /dev/null || {
     >&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
     exit 1
 }

modules/bitcoind.nix

@@ -101,9 +101,14 @@ let
         };
         users = mkOption {
           default = {};
+          description = ''
+            Allowed users for JSON-RPC connections.
+          '';
           example = {
-            alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
+            alice = {
-            bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99";
+              passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
+              rpcwhitelist = [ "getnetworkinfo" "getpeerinfo" ];
+            };
           };
           type = with types; attrsOf (submodule ({ name, ... }: {
             options = {
@@ -138,9 +143,6 @@ let
               };
             };
           }));
-          description = ''
-            RPC user information for JSON-RPC connections.
-          '';
         };
       };
       regtest = mkOption {
@@ -282,6 +284,7 @@ let
   configFile = builtins.toFile "bitcoin.conf" ''
     # We're already logging via journald
     nodebuglogfile=1
+    logtimestamps=0
 
     startupnotify=/run/current-system/systemd/bin/systemd-notify --ready
 
@@ -366,7 +369,6 @@ in {
 
     systemd.tmpfiles.rules = [
       "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
-      "d '${cfg.dataDir}/blocks' 0770 ${cfg.user} ${cfg.group} - -"
     ];
 
     systemd.services.bitcoind = {
@@ -386,7 +388,12 @@ in {
           ''
         ) (builtins.attrNames cfg.rpc.users);
       in ''
-        ${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
+        ${optionalString cfg.dataDirReadableByGroup ''
+          if [[ -e '${cfg.dataDir}/blocks' ]]; then
+            chmod -R g+rX '${cfg.dataDir}/blocks'
+          fi
+        ''}
+
         cfg=$(
           cat ${configFile}
           ${extraRpcauth}

modules/presets/secure-node.nix

@@ -18,9 +18,6 @@ in {
   };
 
   config =  {
-    # For backwards compatibility only
-    nix-bitcoin.secretsDir = mkDefault "/secrets";
-
     networking.firewall.enable = true;
 
     nix-bitcoin.security.dbusHideProcessInformation = true;

modules/versioning.nix

@@ -181,6 +181,27 @@ let
             once.
       '';
     }
+    {
+      version = "0.0.65";
+      condition = config.nix-bitcoin ? secure-node-preset-enabled &&
+                  config.nix-bitcoin.secretsDir == "/etc/nix-bitcoin-secrets";
+      message = ''
+        The `secure-node.nix` preset does not set the secrets directory
+        to "/secrets" anymore.
+        Instead, the default location "/etc/nix-bitcoin-secrets" is used.
+
+        To upgrade, choose one of the following:
+
+        - Continue using "/secrets":
+          Add `nix-bitcoin.secretsDir = "/secrets";` to your configuration.nix.
+
+        - Move your secrets to the default location:
+          Run the following command as root on your node:
+          `rsync -a /secrets/ /etc/nix-bitcoin-secrets`.
+          You can delete the old "/secrets" directory after deploying the new system
+          config to your node.
+      '';
+    }
   ];
 
   mkOnionServiceChange = service: {