spark-wallet: remove package and module
This commit is contained in:
parent
29a95ea311
commit
75e54bbb90
|
@ -90,7 +90,6 @@ NixOS modules ([src](modules/modules.nix))
|
|||
clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
|
||||
[Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
|
||||
* [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
|
||||
* [spark-wallet](https://github.com/shesek/spark-wallet)
|
||||
* [electrs](https://github.com/romanz/electrs): Electrum server
|
||||
* [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs)
|
||||
* [btcpayserver](https://github.com/btcpayserver/btcpayserver)
|
||||
|
|
|
@ -45,7 +45,7 @@ all other security vulnerabilities.
|
|||
| Type | Description | Examples |
|
||||
| :-: | :-: | :-: |
|
||||
| Outright Vulnerabilities | Vulnerabilities in nix-bitcoin specific tooling (except CI tooling) | privilege escalation in SUID binary `netns-exec`, improper release signature verification through `fetch-release` |
|
||||
| Violations of [PoLP](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | nix-bitcoin services are given too much privilege over the system or unnecessary access to other nix-bitcoin services, or one of the nix-bitcoin isolation measures is incorrectly implemented | `netns-isolation` doesn't work, spark-wallet has access to bitcoin RPC interface or files |
|
||||
| Violations of [PoLP](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | nix-bitcoin services are given too much privilege over the system or unnecessary access to other nix-bitcoin services, or one of the nix-bitcoin isolation measures is incorrectly implemented | `netns-isolation` doesn't work, RTL has access to bitcoin RPC interface or files |
|
||||
| Vulnerabilities in Dependencies | A vulnerability in any dependency of a nix-bitcoin installation with a configuration consisting of any combination of the following services: bitcoind, clightning, lnd, electrs, joinmarket, btcpayserver, liquidd.<br />**Note:** The vulnerability must first be reported to and handled by the maintainers of the dependency before it qualifies for a reward| Compromised NixOS expression pulls in malicious package, JoinMarket pulls in a python dependency with a known severe vulnerability |
|
||||
| Bad Documentation | Our documentation suggests blatantly insecure things | `install.md` tells you to add our SSH keys to your root user |
|
||||
| Compromise of Signing Key | Compromise of the nix-bitcoin signing key, i.e., `0xB1A70E4F8DCD0366` | Leaking the key, managing to sign something with it |
|
||||
|
|
|
@ -127,22 +127,6 @@ c systemctl status clightning-rest
|
|||
c journalctl -u clightning-rest
|
||||
c systemctl status clightning-rest-migrate-datadir
|
||||
|
||||
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
|
||||
# spark-wallet
|
||||
|
||||
run-tests.sh -s "{
|
||||
services.spark-wallet.enable = true;
|
||||
test.container.exposeLocalhost = true;
|
||||
}" container
|
||||
|
||||
c systemctl status spark-wallet
|
||||
c journalctl -u spark-wallet
|
||||
|
||||
sparkAuth=$(c cat /secrets/spark-wallet-login | grep -ohP '(?<=login=).*')
|
||||
curl -v http://$sparkAuth@$ip:9737
|
||||
# Open in browser
|
||||
runuser -u "$(logname)" -- xdg-open http://$sparkAuth@$ip:9737
|
||||
|
||||
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
|
||||
# electrs
|
||||
|
||||
|
|
|
@ -291,49 +291,6 @@ Create a plain text URL:
|
|||
lndconnect-wg --url
|
||||
``````
|
||||
|
||||
# Connect to spark-wallet
|
||||
### Requirements
|
||||
* Android phone
|
||||
* [Orbot](https://guardianproject.info/apps/orbot/) installed from [F-Droid](https://guardianproject.info/fdroid) (recommended) or [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android&hl=en)
|
||||
* [Spark-wallet](https://github.com/shesek/spark-wallet) installed from [direct download](https://github.com/shesek/spark-wallet/releases) or [Google Play](https://play.google.com/store/apps/details?id=com.spark.wallet)
|
||||
|
||||
1. Enable spark-wallet in `configuration.nix`
|
||||
|
||||
Change
|
||||
```
|
||||
# services.spark-wallet.enable = true;
|
||||
```
|
||||
to
|
||||
```
|
||||
services.spark-wallet.enable = true;
|
||||
```
|
||||
|
||||
2. Deploy new `configuration.nix`
|
||||
|
||||
3. Enable Orbot VPN for spark-wallet
|
||||
|
||||
```
|
||||
Open Orbot app
|
||||
Turn on "VPN Mode"
|
||||
Select Gear icon under "Tor-Enabled Apps"
|
||||
Toggle checkbox under Spark icon
|
||||
```
|
||||
|
||||
4. Get the onion address, access key and QR access code for the spark wallet android app
|
||||
|
||||
```
|
||||
journalctl -eu spark-wallet
|
||||
```
|
||||
Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlighting the entire output to invert the colors.
|
||||
|
||||
5. Connect to spark-wallet android app
|
||||
|
||||
```
|
||||
Server Settings
|
||||
Scan QR
|
||||
Done
|
||||
```
|
||||
|
||||
# Connect to electrs
|
||||
### Requirements Android
|
||||
* Android phone
|
||||
|
|
|
@ -126,12 +126,6 @@
|
|||
# Automatically enables lightning-loop.
|
||||
# services.rtl.nodes.lnd.loop = true;
|
||||
|
||||
### SPARK WALLET
|
||||
# Set this to enable spark-wallet, a minimalistic wallet GUI for
|
||||
# c-lightning, accessible over the web or through mobile and desktop apps.
|
||||
# Automatically enables clightning.
|
||||
# services.spark-wallet.enable = true;
|
||||
|
||||
### ELECTRS
|
||||
# Set this to enable electrs, an Electrum server implemented in Rust.
|
||||
# services.electrs.enable = true;
|
||||
|
|
|
@ -14,7 +14,6 @@
|
|||
./clightning-plugins
|
||||
./clightning-rest.nix
|
||||
./clightning-replication.nix
|
||||
./spark-wallet.nix
|
||||
./lnd.nix
|
||||
./lightning-loop.nix
|
||||
./lightning-pool.nix
|
||||
|
|
|
@ -244,10 +244,6 @@ in {
|
|||
id = 16;
|
||||
connections = [ "bitcoind" ];
|
||||
};
|
||||
spark-wallet = {
|
||||
id = 17;
|
||||
# communicates with clightning over lightning-rpc socket
|
||||
};
|
||||
nginx = {
|
||||
id = 21;
|
||||
};
|
||||
|
@ -332,11 +328,6 @@ in {
|
|||
|
||||
services.fulcrum.address = netns.fulcrum.address;
|
||||
|
||||
services.spark-wallet = {
|
||||
address = netns.spark-wallet.address;
|
||||
extraArgs = "--no-tls";
|
||||
};
|
||||
|
||||
services.lightning-loop.rpcAddress = netns.lightning-loop.address;
|
||||
|
||||
services.nbxplorer.address = netns.nbxplorer.address;
|
||||
|
|
|
@ -145,7 +145,6 @@ in {
|
|||
clightning-rest = mkInfo "";
|
||||
electrs = mkInfo "";
|
||||
fulcrum = mkInfo "";
|
||||
spark-wallet = mkInfo "";
|
||||
btcpayserver = mkInfo "";
|
||||
liquidd = mkInfo "";
|
||||
joinmarket-ob-watcher = mkInfo "";
|
||||
|
|
|
@ -24,7 +24,6 @@ in {
|
|||
(mkRenamedOptionModule [ "services" "bitcoind" "rpcthreads" ] [ "services" "bitcoind" "rpc" "threads" ])
|
||||
(mkRenamedOptionModule [ "services" "clightning" "bind-addr" ] [ "services" "clightning" "address" ])
|
||||
(mkRenamedOptionModule [ "services" "clightning" "bindport" ] [ "services" "clightning" "port" ])
|
||||
(mkRenamedOptionModule [ "services" "spark-wallet" "host" ] [ "services" "spark-wallet" "address" ])
|
||||
(mkRenamedOptionModule [ "services" "lnd" "rpclisten" ] [ "services" "lnd" "rpcAddress" ])
|
||||
(mkRenamedOptionModule [ "services" "lnd" "listen" ] [ "services" "lnd" "address" ])
|
||||
(mkRenamedOptionModule [ "services" "lnd" "listenPort" ] [ "services" "lnd" "port" ])
|
||||
|
@ -75,7 +74,6 @@ in {
|
|||
"lightning-pool"
|
||||
"liquid"
|
||||
"lnd"
|
||||
"spark-wallet"
|
||||
"bitcoind"
|
||||
]) ++
|
||||
(map mkRenamedEnforceTorOption [
|
||||
|
@ -97,8 +95,17 @@ in {
|
|||
'')
|
||||
(mkRemovedOptionModule (optionName ++ [ "readers" ]) "")
|
||||
(mkRemovedOptionModule (optionName ++ [ "writers" ]) "")
|
||||
]);
|
||||
|
||||
]) ++
|
||||
# 0.0.92
|
||||
[
|
||||
(mkRemovedOptionModule [ "services" "spark-wallet" ] ''
|
||||
Spark Lightning Wallet is unmaintained and incompatible with clightning
|
||||
23.05. Therefore, the spark-wallet module has been removed from
|
||||
nix-bitcoin. For a replacement, consider using the rtl (Ride The
|
||||
Lightning) module or the clightning-rest module in combination with the
|
||||
Zeus mobile wallet.
|
||||
'')
|
||||
];
|
||||
config = {
|
||||
# Migrate old clightning-rest datadir from nix-bitcoin versions < 0.0.70
|
||||
systemd.services.clightning-rest-migrate-datadir = let
|
||||
|
|
|
@ -104,15 +104,6 @@ in {
|
|||
# Set sensible defaults for some services
|
||||
{
|
||||
nix-bitcoin.onionServices = {
|
||||
spark-wallet = {
|
||||
externalPort = 80;
|
||||
# Enable 'public' by default, but don't auto-enable the onion service.
|
||||
# When the onion service is enabled, 'public' lets spark-wallet generate
|
||||
# a QR code for accessing the web interface.
|
||||
public = true;
|
||||
# Low priority so we can override this with mkDefault in ./presets/enable-tor.nix
|
||||
enable = mkOverride 1400 false;
|
||||
};
|
||||
btcpayserver = {
|
||||
externalPort = 80;
|
||||
};
|
||||
|
|
|
@ -26,7 +26,6 @@ in {
|
|||
# TODO-EXTERNAL:
|
||||
# disable Tor enforcement until btcpayserver can fetch rates over Tor
|
||||
# btcpayserver = defaultEnableTorProxy;
|
||||
spark-wallet = defaultEnableTorProxy;
|
||||
lightning-pool = defaultEnableTorProxy;
|
||||
|
||||
# These services don't make outgoing connections
|
||||
|
@ -48,7 +47,6 @@ in {
|
|||
liquidd.enable = defaultTrue;
|
||||
electrs.enable = defaultTrue;
|
||||
fulcrum.enable = defaultTrue;
|
||||
spark-wallet.enable = defaultTrue;
|
||||
joinmarket-ob-watcher.enable = defaultTrue;
|
||||
rtl.enable = defaultTrue;
|
||||
};
|
||||
|
|
|
@ -1,98 +0,0 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
options.services.spark-wallet = {
|
||||
enable = mkEnableOption "spark-wallet";
|
||||
address = mkOption {
|
||||
type = types.str;
|
||||
default = "localhost";
|
||||
description = mdDoc "http(s) server address.";
|
||||
};
|
||||
port = mkOption {
|
||||
type = types.port;
|
||||
default = 9737;
|
||||
description = mdDoc "http(s) server port.";
|
||||
};
|
||||
extraArgs = mkOption {
|
||||
type = types.separatedString " ";
|
||||
default = "";
|
||||
description = mdDoc "Extra command line arguments passed to spark-wallet.";
|
||||
};
|
||||
getPublicAddressCmd = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = mdDoc ''
|
||||
Bash expression which outputs the public service address.
|
||||
If set, spark-wallet prints a QR code to the systemd journal which
|
||||
encodes an URL for accessing the web interface.
|
||||
'';
|
||||
};
|
||||
user = mkOption {
|
||||
type = types.str;
|
||||
default = "spark-wallet";
|
||||
description = mdDoc "The user as which to run spark-wallet.";
|
||||
};
|
||||
group = mkOption {
|
||||
type = types.str;
|
||||
default = cfg.user;
|
||||
description = mdDoc "The group as which to run spark-wallet.";
|
||||
};
|
||||
tor = nbLib.tor;
|
||||
};
|
||||
|
||||
cfg = config.services.spark-wallet;
|
||||
nbLib = config.nix-bitcoin.lib;
|
||||
|
||||
clightning = config.services.clightning;
|
||||
|
||||
# Use wasabi rate provider because the default (bitstamp) doesn't accept
|
||||
# connections through Tor
|
||||
torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.nix-bitcoin.torClientAddressWithPort}";
|
||||
startScript = ''
|
||||
${optionalString (cfg.getPublicAddressCmd != "") ''
|
||||
publicURL=(--public-url "http://$(${cfg.getPublicAddressCmd})")
|
||||
''}
|
||||
exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \
|
||||
--ln-path '${clightning.networkDir}' \
|
||||
--host ${cfg.address} --port ${toString cfg.port} \
|
||||
--config '${config.nix-bitcoin.secretsDir}/spark-wallet-login' \
|
||||
${optionalString cfg.tor.proxy torRateProvider} \
|
||||
${optionalString (cfg.getPublicAddressCmd != "") ''"''${publicURL[@]}"''} \
|
||||
--pairing-qr --print-key ${cfg.extraArgs}
|
||||
'';
|
||||
in {
|
||||
inherit options;
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
services.clightning.enable = true;
|
||||
|
||||
systemd.services.spark-wallet = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "clightning.service" ];
|
||||
after = [ "clightning.service" ];
|
||||
script = startScript;
|
||||
serviceConfig = nbLib.defaultHardening // {
|
||||
User = cfg.user;
|
||||
Restart = "on-failure";
|
||||
RestartSec = "10s";
|
||||
} // nbLib.allowedIPAddresses cfg.tor.enforce
|
||||
// nbLib.nodejs;
|
||||
};
|
||||
|
||||
users.users.${cfg.user} = {
|
||||
isSystemUser = true;
|
||||
group = cfg.group;
|
||||
extraGroups = [ clightning.group ];
|
||||
};
|
||||
users.groups.${cfg.group} = {};
|
||||
|
||||
nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;
|
||||
nix-bitcoin.generateSecretsCmds.spark-wallet = ''
|
||||
makePasswordSecret spark-wallet-password
|
||||
if [[ spark-wallet-password -nt spark-wallet-login ]]; then
|
||||
echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
|
||||
fi
|
||||
'';
|
||||
};
|
||||
}
|
|
@ -19,7 +19,6 @@ let self = {
|
|||
rtl = pkgs.callPackage ./rtl { inherit (self) fetchNodeModules; };
|
||||
# The secp256k1 version used by joinmarket
|
||||
secp256k1 = pkgs.callPackage ./secp256k1 { };
|
||||
spark-wallet = pkgs.callPackage ./spark-wallet { };
|
||||
trustedcoin = pkgs.callPackage ./trustedcoin { };
|
||||
|
||||
# TODO-EXTERNAL:
|
||||
|
|
|
@ -1,17 +0,0 @@
|
|||
# This file has been generated by node2nix 1.9.0. Do not edit!
|
||||
|
||||
{pkgs ? import <nixpkgs> {
|
||||
inherit system;
|
||||
}, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-14_x"}:
|
||||
|
||||
let
|
||||
nodeEnv = import (pkgs.path + "/pkgs/development/node-packages/node-env.nix") {
|
||||
inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
|
||||
inherit pkgs nodejs;
|
||||
libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
|
||||
};
|
||||
in
|
||||
import ./node-packages.nix {
|
||||
inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
|
||||
inherit nodeEnv;
|
||||
}
|
|
@ -1,16 +0,0 @@
|
|||
{ pkgs, lib }:
|
||||
let
|
||||
nodePackages = import ./composition.nix { inherit pkgs; };
|
||||
in
|
||||
nodePackages.package.override {
|
||||
# Required because spark-wallet uses `npm-shrinkwrap.json` as the lock file
|
||||
reconstructLock = true;
|
||||
|
||||
meta = with lib; {
|
||||
description = "A minimalistic wallet GUI for c-lightning";
|
||||
homepage = "https://github.com/shesek/spark-wallet";
|
||||
license = licenses.mit;
|
||||
maintainers = with maintainers; [ nixbitcoin erikarvstedt ];
|
||||
platforms = platforms.unix;
|
||||
};
|
||||
}
|
|
@ -1,58 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "nodePackages.node2nix gnupg wget jq moreutils gnused" "$@"
|
||||
|
||||
TMPDIR=$(mktemp -d -p /tmp)
|
||||
trap 'rm -rf $TMPDIR' EXIT
|
||||
|
||||
version="0.3.1"
|
||||
repo=https://github.com/shesek/spark-wallet
|
||||
|
||||
# Fetch and verify source tarball
|
||||
file=spark-wallet-${version}-npm.tgz
|
||||
url=$repo/releases/download/v${version}/$file
|
||||
export GNUPGHOME=$TMPDIR
|
||||
gpg --keyserver hkps://keyserver.ubuntu.com --recv-key FCF19B67866562F08A43AAD681F6104CD0F150FC
|
||||
wget -P "$TMPDIR" "$url"
|
||||
wget -P "$TMPDIR" "$repo/releases/download/v${version}/SHA256SUMS.asc"
|
||||
gpg --verify "$TMPDIR/SHA256SUMS.asc"
|
||||
(cd "$TMPDIR"; sha256sum --check --ignore-missing SHA256SUMS.asc)
|
||||
hash=$(nix hash file "$TMPDIR/$file")
|
||||
|
||||
# Extract source
|
||||
src=$TMPDIR/src
|
||||
mkdir "$src"
|
||||
tar xvf "$TMPDIR/$file" -C "$src" --strip-components 1 >/dev/null
|
||||
|
||||
# Make qrcode-terminal a strict dependency so that node2nix includes it in the package derivation.
|
||||
jq '.dependencies["qrcode-terminal"] = .optionalDependencies["qrcode-terminal"]' "$src/package.json" | sponge "$src/package.json"
|
||||
|
||||
node2nix \
|
||||
--nodejs-14 \
|
||||
--input "$src/package.json" \
|
||||
--lock "$src/npm-shrinkwrap.json" \
|
||||
--composition composition.nix \
|
||||
--no-copy-node-env
|
||||
|
||||
# Use node-env.nix from nixpkgs
|
||||
# shellcheck disable=SC2016
|
||||
nodeEnvImport='import "${toString pkgs.path}/pkgs/development/node-packages/node-env.nix"'
|
||||
sed -i "s|import ./node-env.nix|$nodeEnvImport|" composition.nix
|
||||
|
||||
# Use the verified package src
|
||||
read -rd '' fetchurl <<EOF || :
|
||||
fetchurl {
|
||||
url = "$url";
|
||||
hash = "$hash";
|
||||
};
|
||||
EOF
|
||||
|
||||
sed -i "
|
||||
# Use the verified package src
|
||||
s|src = .*/src;|src = ${fetchurl//$'\n'/\\n}|
|
||||
|
||||
# github: use HTTPS instead of SSH, which requires user authentication
|
||||
s|git+ssh://git@|https://|
|
||||
s|ssh://git@|https://|
|
||||
s|\.git#|#|
|
||||
" node-packages.nix
|
File diff suppressed because it is too large
Load Diff
|
@ -1,8 +0,0 @@
|
|||
# This file has been generated by node2nix 1.8.0. Do not edit!
|
||||
|
||||
{nodeEnv, fetchurl, fetchgit, globalBuildInputs ? []}:
|
||||
|
||||
let
|
||||
sources = {};
|
||||
in
|
||||
{}
|
|
@ -73,8 +73,6 @@ let
|
|||
echo a > rtl-password
|
||||
'');
|
||||
|
||||
tests.spark-wallet = cfg.spark-wallet.enable;
|
||||
|
||||
tests.lnd = cfg.lnd.enable;
|
||||
services.lnd = {
|
||||
port = 9736;
|
||||
|
@ -186,7 +184,6 @@ let
|
|||
};
|
||||
test.features.clightningPlugins = true;
|
||||
services.rtl.enable = true;
|
||||
services.spark-wallet.enable = true;
|
||||
services.clightning-rest.enable = true;
|
||||
services.clightning-rest.lndconnect = { enable = true; onion = true; };
|
||||
services.lnd.enable = true;
|
||||
|
@ -236,7 +233,6 @@ let
|
|||
services.clightning-rest.enable = true;
|
||||
services.liquidd.enable = true;
|
||||
services.rtl.enable = true;
|
||||
services.spark-wallet.enable = true;
|
||||
services.lnd.enable = true;
|
||||
services.lightning-loop.enable = true;
|
||||
services.lightning-pool.enable = true;
|
||||
|
|
|
@ -251,13 +251,6 @@ def _():
|
|||
log_has_string("clightning-rest", "cl-rest api server is ready and listening")
|
||||
)
|
||||
|
||||
@test("spark-wallet")
|
||||
def _():
|
||||
assert_running("spark-wallet")
|
||||
wait_for_open_port(ip("spark-wallet"), 9737)
|
||||
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
|
||||
assert_matches(f"curl -fsS {spark_auth}@{ip('spark-wallet')}:9737", "Spark")
|
||||
|
||||
@test("joinmarket")
|
||||
def _():
|
||||
assert_running("joinmarket")
|
||||
|
@ -315,7 +308,7 @@ def _():
|
|||
|
||||
# These reachability tests are non-exhaustive
|
||||
assert_reachable("bitcoind", ["clightning", "lnd", "liquidd"])
|
||||
assert_unreachable("bitcoind", ["btcpayserver", "spark-wallet", "lightning-loop"])
|
||||
assert_unreachable("bitcoind", ["btcpayserver", "rtl", "lightning-loop"])
|
||||
assert_unreachable("btcpayserver", ["bitcoind", "lightning-loop"])
|
||||
|
||||
# netns addresses can not be bound to in the main netns.
|
||||
|
|
Loading…
Reference in New Issue
Block a user