Compare commits

142 Commits

Author SHA1 Message Date
e612529cd8 Merge tag 'v0.0.101' into feature/nwc 2024-01-15 16:03:55 -05:00
a94f875ba5 nostr-wallet-connect initial code 2024-01-15 15:57:32 -05:00
Jonas Nick
a2e1478a7c
Merge fort-nix/nix-bitcoin#662: Update to NixOS 23.11
85bbdb857a python-bitcointx: 1.1.3 -> 1.1.4 (Erik Arvstedt)
1c07c5fa5c python-packages: add workaround to reenable requirements checking (Erik Arvstedt)
dc1033f1c8 python-packages/joinmarket: update (Erik Arvstedt)
de51f20ccb python-packages/clightning: update (Erik Arvstedt)
e82da35174 examples/deploy-krops: fix duplicate import error (Erik Arvstedt)
b110e2aea6 fetch-node-modules: provide CA certs (Erik Arvstedt)
770a4354b4 btcpayserver: fix PostgreSQL 15 user permissions (Erik Arvstedt)
9efcdaf8bb treewide: use `vendorHash` for golang drvs (Erik Arvstedt)
be2028f2e8 mempool: use `recommendedBrotliSettings` (Erik Arvstedt)
1676445a51 update to NixOS 23.11 (Erik Arvstedt)
e4cb004905 joinmarket: 0.9.9 -> 0.9.10 (nixbitcoin)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 85bbdb857a

Tree-SHA512: d23ac210d4c373a2a726debdf57d96f86adf551ee7f088d460e400446a48b5ae667c60ee7d36f6ec755f48c04d543e7287f2210941af8bc8940013c8ab36473e
2023-12-14 14:26:42 +00:00
Erik Arvstedt
85bbdb857a
python-bitcointx: 1.1.3 -> 1.1.4 2023-12-14 15:00:28 +01:00
Erik Arvstedt
1c07c5fa5c
python-packages: add workaround to reenable requirements checking 2023-12-14 14:53:10 +01:00
Erik Arvstedt
dc1033f1c8
python-packages/joinmarket: update
- Add `doCheck = false` and `pythonImportsCheck` where appropriate.
  This is good practice in general, but specifically works around a
  `buildPythonPackage` bug where the test phase fails due to a
  requirements check that is unrelated to testing.

- Enable tests for `jmbitcoin`.

- Patch some requirements. I've checked the release notes of the
  required deps for backwards compatibility.
2023-12-14 14:53:10 +01:00
Erik Arvstedt
de51f20ccb
python-packages/clightning: update 2023-12-14 14:51:12 +01:00
Erik Arvstedt
e82da35174
examples/deploy-krops: fix duplicate import error
`qemu-vm.nix` is already imported in `vm-config.nix` but under a
different path.
This causes an "already declared" error on NixOS 23.11.
2023-12-14 14:51:07 +01:00
Erik Arvstedt
b110e2aea6
fetch-node-modules: provide CA certs
Without this, the `npm ci` command in `fetchNodeModules` hangs.

It seems that npm didn't check certs previously, because these are
not available in Nix build environments by default.
2023-12-14 14:50:31 +01:00
Erik Arvstedt
770a4354b4
btcpayserver: fix PostgreSQL 15 user permissions
Since PostgreSQL 15, DB users need to be DB owners to be able to create tables.

We can't use the new `ensureDBOwnership` NixOS option [1] to set this up,
because it requires the PostgreSQL user name and the database name to be
identical, which is not the case for btcpayserver.

Instead, we manually issue a PostgreSQL admin statement similar to the one
used by `ensureDBOwnership`.

This method of setting up the user is also compatible with older
PostgreSQL versions that come with older NixOS `system.stateVersion`s.

[1] https://github.com/NixOS/nixpkgs/pull/266270
2023-12-12 11:22:38 +01:00
Erik Arvstedt
9efcdaf8bb
treewide: use vendorHash for golang drvs
`vendorSha256` has been deprecated.
2023-12-12 11:22:38 +01:00
Erik Arvstedt
be2028f2e8
mempool: use recommendedBrotliSettings 2023-12-12 11:22:38 +01:00
Erik Arvstedt
1676445a51
update to NixOS 23.11 2023-12-12 11:22:38 +01:00
nixbitcoin
e4cb004905
joinmarket: 0.9.9 -> 0.9.10 2023-12-02 23:01:15 +01:00
Jonas Nick
1d73b21f10
Merge fort-nix/nix-bitcoin#661: update nixpkgs
457f066e08 tests/trustedcoin: fix (Erik Arvstedt)
f06ee98435 update nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 457f066e08

Tree-SHA512: 7c1529dd8830187c0ee9adfb585747fc41300dc7efe1b8a3304ee6b5903034d8296eccecc744d38b7333a06e4f2c201dbe33d000d8360e030d1e2d16879f9513
2023-11-29 09:28:15 +00:00
Erik Arvstedt
457f066e08
tests/trustedcoin: fix
Sometimes trustedcoin outputs `tip: 0`.
Check for `returning block` instead.
2023-11-28 18:33:27 +00:00
Jonas Nick
f06ee98435
update nixpkgs
btcpayserver: 1.11.6 -> 1.11.7
electrs: 0.9.13 -> 0.10.1
fulcrum: 1.9.2 -> 1.9.7
2023-11-28 18:33:18 +00:00
Jonas Nick
24151b63f8
Merge fort-nix/nix-bitcoin#659: fix pkgconfig -> pkg-config rename
bb17457bc0 fix pkgconfig -> pkg-config rename (Chris Guida)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK bb17457bc0.

Tree-SHA512: ec23c460f53a2251885dcd5cb664033519ca490c519fada888f299e3a04e63fbd1f34e7723b0ee2ecfb4fb666d8528408ebfc1d8461975371faa0d3c1d5584c3
2023-11-13 08:06:18 +00:00
Chris Guida
bb17457bc0 fix pkgconfig -> pkg-config rename 2023-11-10 15:34:35 -06:00
Jonas Nick
a1eacce676
Merge fort-nix/nix-bitcoin#658: presets/wireguard: make compatible with secure-node preset
e784e0ceb8 presets/wireguard: make compatible with `secure-node` preset (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    utACK e784e0ceb8

Tree-SHA512: a5506e487b01b78f9c420314980bb837079c2960a076f1fbf665db26b5325d9e96cef0743a9f66ab681dfc42fe6fabcee736519013c4c4d164b7d0922ebe8edf
2023-11-05 09:50:42 +00:00
Jonas Nick
1090675516
Merge fort-nix/nix-bitcoin#505: Add mempool
1de259485b mempool: add module (Erik Arvstedt)
f0bf94cc5a mempool: init at 2.5.0 (Erik Arvstedt)
8cdedac046 bitcoind-rpc-public-whitelist: add `getindexinfo` (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 1de259485b

Tree-SHA512: f3cbe1eaac6994c6b05f2e560bb2dce564236bcd650e54e4d80ca2b15e20b1d9aa5a9a9c6b9e46ab4f0cf64e8864cbafe884190260c43ba6a1201513605c24f0
2023-11-05 09:41:00 +00:00
Erik Arvstedt
e784e0ceb8
presets/wireguard: make compatible with secure-node preset
Disable Tor enforcement set by the secure-node preset.
2023-11-01 18:29:32 +01:00
Erik Arvstedt
1de259485b
mempool: add module 2023-10-31 13:44:04 +01:00
Erik Arvstedt
f0bf94cc5a
mempool: init at 2.5.0 2023-10-30 11:58:24 +01:00
Erik Arvstedt
8cdedac046
bitcoind-rpc-public-whitelist: add getindexinfo 2023-10-30 11:58:24 +01:00
Jonas Nick
8a8f32a4fa
Merge fort-nix/nix-bitcoin#655: examples/flake.nix: minor improvements
742fd8fdd0 examples/flake.nix: add `inputs.nixpkgs` (Erik Arvstedt)
89ea349312 examples/flake.nix: add comments and extra service (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 742fd8fdd0

Tree-SHA512: 7879d2c4cfa95db7b0310d402f6d8dc78fad1667f6a1021f466b8307e6f62235d113df70cc0932695fd3d80d7b141e7463e03ad45aac93c7e655c59c12c90a2f
2023-10-23 12:35:38 +00:00
Jonas Nick
4c96a8deba
Merge fort-nix/nix-bitcoin#656: update nixpkgs: bitcoin 24.1 -> 25.1
a66c9992d3 tests/trustedcoin: fix test (Erik Arvstedt)
8e2010c1b3 update nixpkgs (Jonas Nick)
2804d4ada0 Revert "bitcoin: replace nixpkgs package with bitcoin{,d} 24.1" (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK a66c9992d3

Tree-SHA512: 6a30a86d64ad1a178ab091f3300291d711cedacd35b056f91f26b9976b83f556a1f7872a32f74c3fd545396f303b4475b9a16dd9c3043914586c5ac615519d59
2023-10-23 12:32:19 +00:00
Erik Arvstedt
a66c9992d3
tests/trustedcoin: fix test
Sometimes the trustedcoin plugin prevents clightning from starting up
in an offline environment.
2023-10-23 12:12:29 +00:00
Erik Arvstedt
742fd8fdd0
examples/flake.nix: add inputs.nixpkgs
To make this template look more like a regular system flake.
2023-10-23 11:47:34 +02:00
Jonas Nick
8e2010c1b3
update nixpkgs
bitcoin: 24.1 -> 25.1
bitcoind: 24.1 -> 25.1
2023-10-23 09:37:40 +00:00
Jonas Nick
2804d4ada0
Revert "bitcoin: replace nixpkgs package with bitcoin{,d} 24.1"
This reverts commit 3650d4befe.
2023-10-23 08:58:10 +00:00
Erik Arvstedt
89ea349312
examples/flake.nix: add comments and extra service
Like in importable-configuration.nix
2023-10-19 09:48:50 +02:00
Jonas Nick
1852305b13
Merge fort-nix/nix-bitcoin#654: update nixpkgs
1fad7c730b update nixpkgs (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 1fad7c730b

Tree-SHA512: 41cd3482e7878daa1152be2e982a2c8a07c464127d670e0e70ab0f80e6ac819b5714c8162efa3b35f7a9bd2633f0a25508044c1b7f60e6a34fdf07f3c0e07333
2023-10-18 12:20:22 +00:00
Erik Arvstedt
1fad7c730b
update nixpkgs
btcpayserver: 1.11.4 -> 1.11.6
fulcrum: 1.9.1 -> 1.9.2
lnd: 0.16.3-beta -> 0.17.0-beta
nbxplorer: 2.3.65 -> 2.3.66

Includes fix for curl CVE-2023-38545 (https://github.com/NixOS/nixpkgs/pull/260381)
2023-10-17 21:10:37 +02:00
Jonas Nick
3e82a56a3b
Merge fort-nix/nix-bitcoin#652: rtl: 0.14.0 -> 0.14.1
b63798ff46 rtl: 0.14.0 -> 0.14.1 (Erik Arvstedt)
c14ebd230c clightning-rest: 0.10.5 -> 0.10.7 (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK b63798ff46

Tree-SHA512: e5f8abcbf1f087d58a6e9df790b8a97bf3543736e8e832d0911172cf357fa158e178ec4bdd3374e82163434ba6c8e030643332b94a1cfa3346e4396cf2a22ac8
2023-10-09 08:03:01 +00:00
Jonas Nick
749901b923
Merge fort-nix/nix-bitcoin#653: Revert "clightning: don't cleanup socket on startup"
fc1466e743 Revert "clightning: don't cleanup socket on startup" (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK fc1466e743

Tree-SHA512: e4139ef9163fe371964cb8ab668f70dc414ecc5169e3d5d7a0637ef61493d51f1416d878abd21b28d5763e089e00ff10a2e8f30103b488871470ad31dd387025
2023-10-09 07:59:33 +00:00
Jonas Nick
aa169f4653
Merge fort-nix/nix-bitcoin#651: treewide: ensure services are started after secrets setup
90ce68cb16 treewide: ensure services are started after secrets setup (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 90ce68cb16

Tree-SHA512: b0872c757235b0c66b714bbb82a2b960af040f8a8171d08ace2b4e7515613e67aa9ab56db9a8acf3f9c45ab774cb0a4583e87d4e00279a6c813102f91908c165
2023-10-09 07:45:10 +00:00
Erik Arvstedt
fc1466e743
Revert "clightning: don't cleanup socket on startup"
Also, add a detailed comment.

Without this commit, clightning client services may fail to start
due to clightning RPC connection failures.
2023-10-08 21:39:46 +02:00
Erik Arvstedt
b63798ff46
rtl: 0.14.0 -> 0.14.1 2023-10-08 20:42:33 +02:00
Erik Arvstedt
c14ebd230c
clightning-rest: 0.10.5 -> 0.10.7 2023-10-08 20:42:33 +02:00
Erik Arvstedt
90ce68cb16
treewide: ensure services are started after secrets setup
Now all services that access secrets only run after the secrets setup
has finished.

Previously, we assumed that the systemd `after` dependency is
transitive, i.e. that adding an `after = [ "bitcoind.service" ]`
to a service implicitly pulled in the `after` dependency to
`nix-bitcoin-secrets.target` (which is defined for `bitcoind`).
This is not the case. Services could start before secrets setup
had finished, leading to service failure.
2023-10-08 13:56:56 +02:00
Jonas Nick
29a32ac53b
Merge fort-nix/nix-bitcoin#648: bitcoin: add shell completions
26cc9e4b60 bitcoin: add shell completions (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  0xB10C:
    Code Review ACK 26cc9e4b60

Tree-SHA512: 78e38c1045d445553d2a84bd51521e17ee216bc98d93b4786658b770b5df464d744e99f0b9af110fb909e31dd7e8bde9ef2f0f33b1cf4d3465710849a9572be8
2023-10-02 09:09:14 +00:00
Jonas Nick
9f28720e45
Merge fort-nix/nix-bitcoin#650: Update install.md
d9f5c41025 Update install.md (bavarianledger)
358a0a0d99 Update install.md (bavarianledger)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK d9f5c41025

Tree-SHA512: 6208ea91cb5983a98ad5082a89f0a16384c490f294cb3268bc2bc15adfcf044209dcb41e8a5bf11980f8a5fc125679ba06ceb0e0e5359829d1390a2bed1878d9
2023-09-29 06:34:43 +00:00
bavarianledger
d9f5c41025
Update install.md
Updated to NixOS 23.05 (built 3701)
2023-09-24 11:00:03 +02:00
bavarianledger
358a0a0d99
Update install.md
Fixed mix of x86_64 and i686 architectures.
2023-09-24 08:35:28 +02:00
7ddbc00f62 Nostr wallet connect 2023-09-20 21:36:18 -04:00
Erik Arvstedt
26cc9e4b60
bitcoin: add shell completions
Backport of https://github.com/NixOS/nixpkgs/pull/256091
2023-09-19 14:19:38 +02:00
Jonas Nick
eaea0f120d
Merge fort-nix/nix-bitcoin#644: update nixpkgs:
c1b370aaa6 update nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK c1b370aaa6

Tree-SHA512: a8b0c2d9a54286a899950172e62a6c6a84b5d255a0dee5227d6c39d969080a2c42e5999da26a1b00651937f36caf23fce9396eb8d9f6f8dabd368d6d90aa28e6
2023-09-16 14:31:42 +00:00
Jonas Nick
c1b370aaa6
update nixpkgs
btcpayserver: 1.11.2 -> 1.11.4
clightning: 23.05.2 -> 23.08.1
hwi: 2.2.1 -> 2.3.1

Remove custom coincurve, since nixos-23.05 includes the latest version
of coincurve (18) that's required by pyln-proto.

Co-authored-by: Erik Arvstedt <erik.arvstedt@gmail.com>
2023-09-16 13:40:27 +00:00
Jonas Nick
19b997fde7
Merge fort-nix/nix-bitcoin#643: clboss: 0.13A -> 0.13
b6df5cb130 clboss: 0.13A -> 0.13 (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK b6df5cb130

Tree-SHA512: c25352fca2a47de3e0b69637dd137bd6d127a99b5a7a138cdd011a243be2bd9e97bfd64a941894734f6c6e779e03db1b34696bfa66bfe59eb3155a6eeda5c90f
2023-09-11 08:29:21 +00:00
Erik Arvstedt
b6df5cb130
clboss: 0.13A -> 0.13 2023-09-09 14:35:35 +02:00
Jonas Nick
8db4a1ece5
Merge fort-nix/nix-bitcoin#641: Update recommended disk space hardware.md
73333d5e8f Update recommended disk space hardware.md (bakerb15)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 73333d5e8f

Tree-SHA512: 9c339ab2d4f50ba5d6a05e90719da94c4f72aca0087f5f3ea6a4c131b7d27c5bbc31e06ee78457237456fa57dc25a3d4d6c730b90ce0853331c3d611c6eebe8d
2023-09-05 19:44:04 +00:00
bakerb15
73333d5e8f
Update recommended disk space hardware.md 2023-09-05 12:53:12 -04:00
Jonas Nick
d5d3f064e6
Merge fort-nix/nix-bitcoin#640: pkgs/bitcoind: use pkgs instead of pkgsUnstable
ff30af6ed3 pkgs/bitcoind: use `pkgs` instead of `pkgsUnstable` (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK ff30af6ed3

Tree-SHA512: 756267aedbb166e315daaeab6c0dd3869df2ff57e076fb67cc55e4242a76b201eae4ff0512950280b4298438dc655ed5e8d22588722e4235b05baa7f4e59237a
2023-09-04 19:34:31 +00:00
Jonas Nick
b98c0292cd
Merge fort-nix/nix-bitcoin#637: Misc. improvements
27e52fc565 dev-scenarios: fix comment (Erik Arvstedt)
7dcf307925 flake-info-sandboxed: clarify that sandbox is offline (Erik Arvstedt)
c22365d4a2 minimal-vm.nix: improve login text (Erik Arvstedt)
32ce2b567c examples/README: make relative location of configuration.nix explicit (Erik Arvstedt)
8303a65f0c configuration.nix: add nodeinfo (Erik Arvstedt)
073161b044 secrets: add comment (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 27e52fc565

Tree-SHA512: a5015183db39fb1b32af08e187029db049f53e7df8ec00d8c3ee4393b20f1318e99cd4696ecd48ecacdfefca0f1200df5602ec14f7123291ac983ae382cac41d
2023-09-04 19:23:49 +00:00
Jonas Nick
d85e7108d1
Merge fort-nix/nix-bitcoin#638: Minor clightning fixes
e253b89858 clightning: depend on actual bitcoind package (Erik Arvstedt)
b85aac9ba1 clightning: don't cleanup socket on startup (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK e253b89858

Tree-SHA512: 483b1208ff3c7409fddb2cce10f6285cdc7cd17e48742755bcf1b0c8668e4a343acc70f1efcccd3a3d32d172306dfbf0febb31972db636a64e16ed364adbf5ce
2023-09-04 19:18:21 +00:00
Jonas Nick
13a264105e
Merge fort-nix/nix-bitcoin#636: docs/install: don't enter examples shell while creating node config
329fbac404 docs/install: don't enter examples shell while creating node config (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 329fbac404

Tree-SHA512: 220f97b8d57207da516003576eb7710a9040c05dfac147492181dc4b5cf673713ed91383574ecba4c66a294d8f52e48fb59916ecc930ed8233da23e6136fba60
2023-09-04 19:12:05 +00:00
Erik Arvstedt
ff30af6ed3
pkgs/bitcoind: use pkgs instead of pkgsUnstable
All deps required by `bitcoind` are available in `pkgs`.
2023-09-01 01:12:34 +02:00
Erik Arvstedt
27e52fc565
dev-scenarios: fix comment 2023-08-20 10:54:46 +02:00
Erik Arvstedt
7dcf307925
flake-info-sandboxed: clarify that sandbox is offline 2023-08-20 10:54:46 +02:00
Erik Arvstedt
c22365d4a2
minimal-vm.nix: improve login text
- Add `bitcoin-cli` cmd
- Remove leading dashes for easier copying and pasting
2023-08-20 10:54:45 +02:00
Erik Arvstedt
32ce2b567c
examples/README: make relative location of configuration.nix explicit 2023-08-20 10:54:45 +02:00
Erik Arvstedt
8303a65f0c
configuration.nix: add nodeinfo 2023-08-20 10:54:45 +02:00
Erik Arvstedt
073161b044
secrets: add comment 2023-08-20 10:54:45 +02:00
Erik Arvstedt
e253b89858
clightning: depend on actual bitcoind package 2023-08-20 10:52:50 +02:00
Erik Arvstedt
b85aac9ba1
clightning: don't cleanup socket on startup
This is now taken care of by clightning itself.
2023-08-19 12:24:31 +02:00
Erik Arvstedt
329fbac404
docs/install: don't enter examples shell while creating node config
1. This simplifies the setup

2. Fixes a bug where a user skipped step 4.6 (run `nix-shell`) which
   he deemed superfluous because a Nix shell was already active.
   This caused an error during deployment.
2023-08-18 16:28:15 +02:00
Jonas Nick
70bfb03e88
Merge fort-nix/nix-bitcoin#635: update nixpkgs
7ec5830169 update nixpkgs (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 7ec5830169

Tree-SHA512: 768fa5751ecfdb3dad1b5c12911d313e265d27ecb8a5522addfa0a3c1bd326d96e85a03ce4203aac6f5947ddf47a0b71ffacb8071f62bb8c5fa5981e14acbbce
2023-08-18 12:53:35 +00:00
Erik Arvstedt
7ec5830169
update nixpkgs
btcpayserver: 1.10.3 -> 1.11.2
2023-08-18 13:36:19 +02:00
Jonas Nick
9d9925621a
Merge fort-nix/nix-bitcoin#621: Trustedcoin fixes
4e8369705d dev: add trustedcoin (Erik Arvstedt)
ac59f93e63 trustedcoin: add regtest support, reenable test (Erik Arvstedt)
aa418869b3 tests/trustedcoin: extract fn (Erik Arvstedt)
6de5029c49 tests/trustedcoin: refactor (Erik Arvstedt)
53ea447ab7 trustedcoin: add option `tor.proxy` (Erik Arvstedt)
31b76f1ffe clightning: add option `useBcliPlugin` (Erik Arvstedt)
f3e9c644e3 clightning-plugins/trustedcoin: improve docs (Erik Arvstedt)
7640c69d79 tests/clightning-plugins: enable active plugin test for `trustedcoin` (Erik Arvstedt)
57455eb897 tests/clightning-plugins: set actual `clboss` pkg path (Erik Arvstedt)
dca6813d6b tests/clightning-plugins: extract variable (Erik Arvstedt)
858ab1cfd6 clightning: revert whitespace changes (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 4e8369705d

Tree-SHA512: 4abf6f2e6ba51b39351f8c2ef97c6afc7c2e686da41b7a6bb4a8d6e89bc9f829ca53109efb800d7b26d360319271bcc8beafc5ddfe133668cf412790d645682b
2023-08-05 20:09:31 +00:00
Erik Arvstedt
4e8369705d
dev: add trustedcoin 2023-08-03 18:40:13 +02:00
Erik Arvstedt
ac59f93e63
trustedcoin: add regtest support, reenable test 2023-08-03 18:40:13 +02:00
Erik Arvstedt
aa418869b3
tests/trustedcoin: extract fn 2023-08-03 18:40:12 +02:00
Erik Arvstedt
6de5029c49
tests/trustedcoin: refactor
- No need to wait for bitcoind:
  clightning being active implies that bitcoind is active.

- Remove redundant log checks
2023-08-03 18:40:12 +02:00
Erik Arvstedt
53ea447ab7
trustedcoin: add option tor.proxy
By disabling `trustedcoin.tor.proxy` and enabling `clightning.tor.proxy`,
`trustedcoin` can be used without Tor proxying, while clightning still
uses Tor for lightning layer connections.

Previously, disabling Tor for `trustedcoin` also required disabling
Tor for clightning.

Also fix the workaround in the docs for the trustedcoin Tor connection issues:
The previous config snippet only affected systemd hardening settings,
but didn't disable Tor for trustedcoin.
2023-08-03 18:40:12 +02:00
Erik Arvstedt
31b76f1ffe
clightning: add option useBcliPlugin
This decouples modules `clightning` and `trustedcoin`.
`clightning` no longer depends on `trustedcoin`, which restores
the acyclic dependency graph described in `modules.nix`
2023-08-03 18:40:12 +02:00
Erik Arvstedt
f3e9c644e3
clightning-plugins/trustedcoin: improve docs 2023-08-03 17:14:40 +02:00
Erik Arvstedt
7640c69d79
tests/clightning-plugins: enable active plugin test for trustedcoin 2023-08-03 01:20:05 +02:00
Erik Arvstedt
57455eb897
tests/clightning-plugins: set actual clboss pkg path 2023-08-03 01:20:04 +02:00
Erik Arvstedt
dca6813d6b
tests/clightning-plugins: extract variable 2023-08-03 01:20:04 +02:00
Erik Arvstedt
858ab1cfd6
clightning: revert whitespace changes 2023-08-03 01:20:04 +02:00
Jonas Nick
2e53fd2e51
Merge fort-nix/nix-bitcoin#631: rtl: fix lnd, lightning-loop connection errors
14ca8b461b rtl: fix lnd, lightning-loop connection errors (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 14ca8b461b

Tree-SHA512: 9e82da82c0964c5f24fda1276b2dc27f1d4c57e040bf755568905225e6e3ad00a810a9c99c21041acbae10bbaf030f06aaaa715170e8a754025cf358f5ba1535
2023-07-29 20:41:46 +00:00
Jonas Nick
369ce1c60c
Merge fort-nix/nix-bitcoin#629: update nixpkgs
aca0b1e6ec update nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK aca0b1e6ec

Tree-SHA512: de44d8ad85665d0e0a7d79ed06bdc70cd3c831d06f58d237bd75b50a14c2cc02f7c1252350962884ef8bb9b35fccf1ecabedf883a516d6c054938381b0998d9a
2023-07-29 19:22:14 +00:00
Erik Arvstedt
14ca8b461b
rtl: fix lnd, lightning-loop connection errors
lnd and lightning-loop resolve `localhost` to an IPv4 address when
creating RPC sockets.

Since NixOS 23.05, RTL (nodejs) resolves `localhost` to an IPv6
address when connecting to lnd and lightning-loop, which leads to
connection errors.

To fix these and other potential errors, replace all instances
of `localhost` with `127.0.0.1`.
2023-07-29 19:07:10 +02:00
Jonas Nick
aca0b1e6ec
update nixpkgs
btcpayserver: 1.10.2 -> 1.10.3

Also, don't override boost provided to the bitcoin package, same as in the
nixpkgs.
2023-07-29 14:13:08 +00:00
Jonas Nick
d8954ec8dd
Merge fort-nix/nix-bitcoin#627: Fix clightning prometheus plugin msat purge error
8157cd4fe3 fix prometheus msat purge error (Haos Games)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 8157cd4fe3

Tree-SHA512: 0e4634106d15762aeb1ed86d2e5d59d018bf3b36a14c15dd126d5e9987cd3c3b8c937bdb02d6795ec77985a88cb5f30f70b613d92d30e057fea5db894098d459
2023-07-24 08:47:41 +00:00
Haos Games
8157cd4fe3 fix prometheus msat purge error 2023-07-23 19:45:19 +02:00
Jonas Nick
6eaddd970a
Merge fort-nix/nix-bitcoin#617: Update to NixOS 23.05
e658209d56 run-tests.sh: fix building tests for Nix ≥ 2.15 (Erik Arvstedt)
bb2e88cec2 fix python packages for nixos 23.05 (Erik Arvstedt)
e31cc686f2 run-tests: make compatible with new shellcheck version (Erik Arvstedt)
76dc7b92e1 examples/deploy-container.sh: add extra-container version check (Erik Arvstedt)
6c2d1108a4 update the required extra-container version for nixos 23.05 (Erik Arvstedt)
e2cce7daa8 update to nixos 23.05 (Erik Arvstedt)
55c64d8dff update nixpkgs (Erik Arvstedt)
bd77b89fea rtl, clightning-rest: update to nodejs 18 (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK e658209d56

Tree-SHA512: 5814f56e469ad384dfb81bc11f9ac256a35cd2647e7fd997b14f84927448fbb880b0b1cee3bdf5a2b926760b74aab291e901e67a0759d43ffaf705ff6b741b97
2023-07-19 17:37:08 +00:00
Erik Arvstedt
e658209d56
run-tests.sh: fix building tests for Nix ≥ 2.15 2023-07-19 17:22:01 +02:00
Erik Arvstedt
bb2e88cec2
fix python packages for nixos 23.05 2023-07-19 17:22:01 +02:00
Erik Arvstedt
e31cc686f2
run-tests: make compatible with new shellcheck version 2023-07-19 17:22:01 +02:00
Erik Arvstedt
76dc7b92e1
examples/deploy-container.sh: add extra-container version check
It now uses the same version check as
make-container.sh (which is called by run-tests.sh)
2023-07-19 17:22:01 +02:00
Erik Arvstedt
6c2d1108a4
update the required extra-container version for nixos 23.05 2023-07-19 17:22:01 +02:00
Erik Arvstedt
e2cce7daa8
update to nixos 23.05 2023-07-19 17:22:01 +02:00
Erik Arvstedt
55c64d8dff
update nixpkgs
clightning: 23.05.1 -> 23.05.2
lightning-pool: 0.5.3-alpha -> 0.6.4-beta
2023-07-19 17:22:01 +02:00
Erik Arvstedt
bd77b89fea
rtl, clightning-rest: update to nodejs 18
16 is no longer supported by NixOS 23.05.
18 is the latest LTS version.
2023-07-19 17:22:01 +02:00
Jonas Nick
48b360439c
Merge fort-nix/nix-bitcoin#625: Add versioned release branches
6510f269f6 release: add `nixos-*` version branch (Erik Arvstedt)
dd532d4738 push-release: fix `OAUTH_TOKEN` error handling (Erik Arvstedt)
a2b45e00c7 push-release: auto-create release version number (Erik Arvstedt)
0ce3fb1c94 push-release: use `curl -fSs` (Erik Arvstedt)
40c5419a75 push-release: rename `TAG_NAME` -> `releaseVersion` (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 6510f269f6

Tree-SHA512: f5df058d3f140fbc3dca47316b00dd46cffef6cf21276a6884abf9d99ebcb84791e135fee852216da0afc247b914603022e716ca6f4f7696a606549902f10fb0
2023-07-19 08:44:14 +00:00
Jonas Nick
e504def824
Merge fort-nix/nix-bitcoin#626: secure-node: add sudo shell alias for doas
5eaf104efe secure-node: add `sudo` shell alias for `doas` (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 5eaf104efe

Tree-SHA512: a53121599a36318e76a63a74b912fed1d315365dcb19c476a1f1b75a684f9b9c49c22946081e86d11743b749850b58d19f90eb51214f5006bc2d5bd2a0ffa402
2023-07-12 15:44:53 +00:00
Erik Arvstedt
5eaf104efe
secure-node: add sudo shell alias for doas
A convenience helper which allows running most `sudo` cmds while
`doas` is enabled.

This is safe because all args supported by both `sudo` and
`doas` that lead to command execution (like `-u <user>`)
have identical semantics.
2023-07-10 07:22:00 +02:00
Erik Arvstedt
6510f269f6
release: add nixos-* version branch
Best practice for flakes containing NixOS modules.

`push-release` now pushes to an extra branch named `nixos-<version>`,
alongside branch `release`.
This allows users to track a specific NixOS release, so that their
config doesn't break when nix-bitcoin switches to a new NixOS
release.
2023-07-09 13:13:05 +02:00
Erik Arvstedt
dd532d4738
push-release: fix OAUTH_TOKEN error handling 2023-07-09 13:07:29 +02:00
Erik Arvstedt
a2b45e00c7
push-release: auto-create release version number 2023-07-09 13:07:29 +02:00
Erik Arvstedt
0ce3fb1c94
push-release: use curl -fSs
Best practice when using curl in scripts.
2023-07-09 13:07:29 +02:00
Erik Arvstedt
40c5419a75
push-release: rename TAG_NAME -> releaseVersion
More precise name.
2023-07-09 13:07:29 +02:00
Jonas Nick
03fb70efa4
Merge fort-nix/nix-bitcoin#624: clightning-rest: 0.10.4 -> 0.10.5
50aa13c3b4 clightning-rest: 0.10.4 -> 0.10.5 (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 50aa13c3b4

Tree-SHA512: 9aeb6e4b06029ef8f40d144e13711e63e7419d222171d84038944b37df01a60babb36e5a197bb77d45616fce3e5556a7d525a02b9d6a4f45819330918820e7f8
2023-07-02 10:12:06 +00:00
Erik Arvstedt
50aa13c3b4
clightning-rest: 0.10.4 -> 0.10.5 2023-06-29 12:48:25 +02:00
Jonas Nick
01c6148056
Merge fort-nix/nix-bitcoin#620: update nixpkgs
71b4191095 update nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 71b4191095

Tree-SHA512: 9f9ee35462f83ed9fd0b4e70fd4d0daaeb6b66c04c990fd78bc0285328bb00f54a271df8da58d1409368be29e9934880566edb8151c62c9d94e1971e6b57f82c
2023-06-27 20:13:10 +00:00
Jonas Nick
71b4191095
update nixpkgs
extra-container: 0.11 -> 0.12
lnd: 0.16.2-beta -> 0.16.3-beta
2023-06-27 09:59:02 +00:00
Jonas Nick
f946ea4bb9
Merge fort-nix/nix-bitcoin#623: tests/trustedcoin: remove from CI, disable temporarily
26b35120ad tests/trustedcoin: remove from CI, disable temporarily (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 26b35120ad

Tree-SHA512: e68af4b7f0ddd852ecf15e522199400857b34a68ccc33f6e642f198dc3b3321d5097b61a44e42a0af096ccc3e74ec2afc0593974b66fd932c8f192a9a2c78fd4
2023-06-27 09:58:22 +00:00
Erik Arvstedt
26b35120ad
tests/trustedcoin: remove from CI, disable temporarily
- Don't spin up a CI node for the minor `trustedcoin` test.
- Add the test to `run-tests.sh`, but disable it because it
  occasionally fails.
2023-06-26 00:10:31 +02:00
Jonas Nick
379b9a727a
Merge fort-nix/nix-bitcoin#619: clightning-rest: 0.10.3 -> 0.10.4
edcf39daf5 clightning-rest: 0.10.3 -> 0.10.4 (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK edcf39daf5

Tree-SHA512: 5614cd36e11542cb599a9c419fe91c67f847b55f4232d07421e8cbde8028134154d18e55b516c4e025543c24684f5d994df8cfaeaaa80e7a7b7e9f5a6b9570ad
2023-06-24 20:35:48 +00:00
Erik Arvstedt
edcf39daf5
clightning-rest: 0.10.3 -> 0.10.4 2023-06-21 23:09:39 +02:00
Jonas Nick
9a1ea4f0d8
Merge fort-nix/nix-bitcoin#615: Typo
640f8d5ded Typo (JayDeLux)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 640f8d5ded

Tree-SHA512: 9e8789b502167cfdfc9e1a9db38cf9455c69a4ca96927189de8f71ee12bdbd04a906a233e8e2aa8e63fee11aed3060172cb006a898e98b1c602ac6ceeafafe83
2023-06-14 18:52:44 +00:00
JayDeLux
640f8d5ded
Typo 2023-06-13 22:49:46 +02:00
Jonas Nick
f2a970406b
Merge fort-nix/nix-bitcoin#614: update nixpkgs
acab8667db update nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK acab8667db

Tree-SHA512: e87af78213f581963e0fd9d9f4eaaf8430dcecf727c266d7acf52fba67ed84cc30db793f51916b8b958bad95253c1939e09338693732e5d0637c93d595a487d6
2023-06-13 20:15:32 +00:00
Jonas Nick
acab8667db
update nixpkgs
btcpayserver: 1.10.1 -> 1.10.2
lightning-loop: 0.23.0-beta -> 0.24.1-beta
nbxplorer: 2.3.63 -> 2.3.65
clightning: 23.05 -> 23.05.1
2023-06-13 15:03:46 +00:00
Jonas Nick
47c1a482ef
Merge fort-nix/nix-bitcoin#612: versioning: improve configVersion description
bed10d1fca versioning: improve `configVersion` description (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK bed10d1fca

Tree-SHA512: d43437a368f48628ce975f2154e802110030dcadec3e9de75df5d0d787d021ab1fa0ef20060ee4376e066ebfb83a571a2d18a27a10e4c316db101d5a6151214f
2023-06-11 20:02:20 +00:00
Jonas Nick
f3d6eaa12e
Merge fort-nix/nix-bitcoin#613: clightning-plugins/prometheus: fix patch not being applied
1b741c7cc1 clightning-plugins/prometheus: fix patch not being applied (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 1b741c7cc1

Tree-SHA512: b746e7e7a22591c7d9cc700ff124f76058334cb1f88c4e4db6ffe13ca15cdcdb27eb48de39a26034f152bcfdd0904121199f9b5ab1d9230f74ecc0703999bb71
2023-06-11 20:00:30 +00:00
Erik Arvstedt
bed10d1fca
versioning: improve configVersion description 2023-06-09 21:51:20 +02:00
Erik Arvstedt
1b741c7cc1
clightning-plugins/prometheus: fix patch not being applied
`patchPhase` can't be used with `buildCommand`.
2023-06-09 14:40:32 +02:00
Jonas Nick
e3190b244f
Merge fort-nix/nix-bitcoin#610: update nixpkgs
af87d5958a obsolete-options: simplify removal of clightning plugin `commando` (Erik Arvstedt)
9b575e4f3f test/backups: check that bitcoind stops without errors (Erik Arvstedt)
8a791b754e rtl: 0.13.6 -> 0.14.0 (Erik Arvstedt)
3650d4befe bitcoin: replace nixpkgs package with bitcoin{,d} 24.1 (Jonas Nick)
75e54bbb90 spark-wallet: remove package and module (Jonas Nick)
29a95ea311 clightning-rest: update module to v0.10.3 (Erik Arvstedt)
67475f768e clightning-rest: 0.9.0 -> 0.10.3 (Erik Arvstedt)
fe76516790 bitcoind: update module to v25.0 (Erik Arvstedt)
9c59b96add clightning-plugins: add prometheus patch for clightning 23.05 (Jonas Nick)
9aea69e799 clightning-plugins: update (Jonas Nick)
2166bfd1ee clboss: deprecate, add clightning 23.05 compatibility (Erik Arvstedt)
dcc5a543ae update nixpkgs (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK af87d5958a

Tree-SHA512: 8bc6bc1aa01f342047b9b5cc468ab4af1f71a16d7f575f7e5108f2dfb0121160d777ead5b6714506a911066d594a37c6e14b774eb1bc1cb674ddea85e2e33c5a
2023-06-02 12:39:48 +00:00
Erik Arvstedt
af87d5958a
obsolete-options: simplify removal of clightning plugin commando 2023-06-02 10:50:11 +00:00
Erik Arvstedt
9b575e4f3f
test/backups: check that bitcoind stops without errors 2023-06-02 10:50:11 +00:00
Erik Arvstedt
8a791b754e
rtl: 0.13.6 -> 0.14.0 2023-06-02 10:50:11 +00:00
Jonas Nick
3650d4befe
bitcoin: replace nixpkgs package with bitcoin{,d} 24.1
Bitcoin Core 25.0 may sometimes hang when shutting down.
2023-06-02 10:50:11 +00:00
Jonas Nick
75e54bbb90
spark-wallet: remove package and module 2023-06-02 10:50:11 +00:00
Erik Arvstedt
29a95ea311
clightning-rest: update module to v0.10.3 2023-06-02 10:49:35 +00:00
Erik Arvstedt
67475f768e
clightning-rest: 0.9.0 -> 0.10.3 2023-06-02 10:49:35 +00:00
Erik Arvstedt
fe76516790
bitcoind: update module to v25.0 2023-06-02 10:49:25 +00:00
Jonas Nick
9c59b96add
clightning-plugins: add prometheus patch for clightning 23.05 2023-05-29 06:41:38 +00:00
Jonas Nick
9aea69e799
clightning-plugins: update 2023-05-29 06:41:38 +00:00
Erik Arvstedt
2166bfd1ee
clboss: deprecate, add clightning 23.05 compatibility 2023-05-29 06:41:38 +00:00
Jonas Nick
dcc5a543ae
update nixpkgs
bitcoind: 24.0.1 -> 25.0
btcpayserver: 1.7.12 -> 1.9.3
clightning: 23.02.2 -> 23.05
nbxplorer: 2.3.62 -> 2.3.63
2023-05-29 06:41:17 +00:00
Jonas Nick
d9baa2e108
Merge fort-nix/nix-bitcoin#607: joinmarket: 0.9.8 -> 0.9.9
fcd81d486d joinmarket: 0.9.8 -> 0.9.9 (nixbitcoin)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK fcd81d486d

Tree-SHA512: cb6c1b750361592a7508ee94fa811824e72e3dc5d97ff3a2b73c6141e9500b7300faa0457da2ae3ccd2c443ad8dfac360be32804374a4252161fadbae06ac896
2023-05-09 07:04:59 +00:00
nixbitcoin
fcd81d486d
joinmarket: 0.9.8 -> 0.9.9 2023-05-08 19:05:43 +00:00
Jonas Nick
946b42808b
Merge fort-nix/nix-bitcoin#609: lnd: fix non-static patch URL
1d69c9c824 lnd: fix non-static patch URL (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 1d69c9c824

Tree-SHA512: b9258b6df76200d5438a5cfc5f33122b9d7905fe1a67d80325009b770fe9afb5b2504953d8d5984b43e4680c593d8058199b3321b63a268e6460ccd3bce719e5
2023-05-08 07:04:01 +00:00
Erik Arvstedt
1d69c9c824
lnd: fix non-static patch URL 2023-05-07 22:30:31 +02:00
Jonas Nick
30c874de01
Merge fort-nix/nix-bitcoin#606: Update nixpkgs
9f3daab64f lnd: fix cert key format bug (Erik Arvstedt)
744d8fe379 update nixpkgs (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 9f3daab64f

Tree-SHA512: eb99133c495d9e0df6ba50efb9c693a94883467845aa30537fbb7f40c60c36acb414d1865653ad33a3a05ac2e0dbfcfdc54039754aa54e83f60b9b3f071c7640
2023-05-07 19:43:22 +00:00
Jonas Nick
490146ff34
Merge fort-nix/nix-bitcoin#608: Extend expiration date of key-jonasnick.bin
5df123f3a4 Extend expiration date of key-jonasnick.bin (Jonas Nick)

Pull request description:

ACKs for top commit:
  erikarvstedt:
    ACK 5df123f3a4

Tree-SHA512: 1ecc324a0d0d8a5339f6936da07c04abcf89459679ada11fd95d1769413db1089953198b1e0d6737b200a044f08e317ed91c58dae658c85b245c1ab423ea9389
2023-05-07 19:34:23 +00:00
Jonas Nick
5df123f3a4
Extend expiration date of key-jonasnick.bin
Exported with
`gpg --export-options export-minimal --export 0x4861DBF262123605! > key-jonasnick.bin`.
2023-05-07 19:18:05 +00:00
Erik Arvstedt
9f3daab64f
lnd: fix cert key format bug 2023-05-07 21:11:00 +02:00
Erik Arvstedt
744d8fe379
update nixpkgs
fulcrum: 1.9.0 -> 1.9.1
lightning-loop: 0.20.0-beta -> 0.23.0-beta
lnd: 0.15.5-beta -> 0.16.2-beta
2023-05-06 23:14:46 +02:00
111 changed files with 1640 additions and 3674 deletions

View File

@ -9,7 +9,7 @@ task:
container: container:
# Defined in https://github.com/nix-community/docker-nixpkgs # Defined in https://github.com/nix-community/docker-nixpkgs
image: nixpkgs/nix-flakes:nixos-22.11 image: nixpkgs/nix-flakes:nixos-23.11
matrix: matrix:
- name: modules_test - name: modules_test
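Review bot: The container image on the changed line is still referenced by a mutable tag (`nixpkgs/nix-flakes:nixos-23.11`), so the CI environment can change without any commit in this repository. Consider pinning the image by digest alongside the tag, or add a comment stating that the floating tag is intentional.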
@ -27,7 +27,6 @@ task:
- scenario: default - scenario: default
- scenario: netns - scenario: netns
- scenario: netnsRegtest - scenario: netnsRegtest
- scenario: trustedcoin
# This script is run as root # This script is run as root
build_script: build_script:
- echo "sandbox = true" >> /etc/nix/nix.conf - echo "sandbox = true" >> /etc/nix/nix.conf
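Review bot: Removing `- scenario: trustedcoin` from the matrix leaves the trustedcoin plugin without any CI run in this file. If the scenario was dropped because it depends on reaching public explorers, say so in a comment here or in the commit message and point to the manual check (`run-tests.sh -s trustedcoin-online container`), so the gap in automated coverage is explicit.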

View File

@ -79,7 +79,7 @@ NixOS modules ([src](modules/modules.nix))
* [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server * [prometheus](https://github.com/lightningd/plugins/tree/master/prometheus): lightning node exporter for the prometheus timeseries server
* [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced * [rebalance](https://github.com/lightningd/plugins/tree/master/rebalance): keeps your channels balanced
* [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status * [summary](https://github.com/lightningd/plugins/tree/master/summary): print a nice summary of the node status
* [trustedcoin](https://github.com/nbd-wtf/trustedcoin) [[experimental](docs/services.md#trustedcoin-hints)]: replaces bitcoind with trusted public explorers * [trustedcoin](https://github.com/nbd-wtf/trustedcoin) ([experimental](docs/services.md#trustedcoin)): replaces bitcoind with trusted public explorers
* [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints * [zmq](https://github.com/lightningd/plugins/tree/master/zmq): publishes notifications via ZeroMQ to configured endpoints
* [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning * [clightning-rest](https://github.com/Ride-The-Lightning/c-lightning-REST): REST server for clightning
* [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md) * [lnd](https://github.com/lightningnetwork/lnd) with support for announcing an onion service and [static channel backups](https://github.com/lightningnetwork/lnd/blob/master/docs/recovery.md)
@ -90,7 +90,7 @@ NixOS modules ([src](modules/modules.nix))
clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
[Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor) [Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
* [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning` * [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
* [spark-wallet](https://github.com/shesek/spark-wallet) * [mempool](https://github.com/mempool/mempool): Bitcoin visualizer, explorer, and API service
* [electrs](https://github.com/romanz/electrs): Electrum server * [electrs](https://github.com/romanz/electrs): Electrum server
* [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs) * [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs)
* [btcpayserver](https://github.com/btcpayserver/btcpayserver) * [btcpayserver](https://github.com/btcpayserver/btcpayserver)
@ -104,12 +104,6 @@ NixOS modules ([src](modules/modules.nix))
* [backups](modules/backups.nix): duplicity backups of all your node's important files * [backups](modules/backups.nix): duplicity backups of all your node's important files
* [operator](modules/operator.nix): configures a non-root user who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`) * [operator](modules/operator.nix): configures a non-root user who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
### Extension modules
Extension modules are maintained in separate repositories and have their own review
and release process.
* [Mempool](https://github.com/fort-nix/nix-bitcoin-mempool): Bitcoin visualizer, explorer and API service
Security Security
--- ---
See [SECURITY.md](SECURITY.md) for the security policy and how to report a vulnerability. See [SECURITY.md](SECURITY.md) for the security policy and how to report a vulnerability.

View File

@ -45,7 +45,7 @@ all other security vulnerabilities.
| Type | Description | Examples | | Type | Description | Examples |
| :-: | :-: | :-: | | :-: | :-: | :-: |
| Outright Vulnerabilities | Vulnerabilities in nix-bitcoin specific tooling (except CI tooling) | privilege escalation in SUID binary `netns-exec`, improper release signature verification through `fetch-release` | | Outright Vulnerabilities | Vulnerabilities in nix-bitcoin specific tooling (except CI tooling) | privilege escalation in SUID binary `netns-exec`, improper release signature verification through `fetch-release` |
| Violations of [PoLP](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | nix-bitcoin services are given too much privilege over the system or unnecessary access to other nix-bitcoin services, or one of the nix-bitcoin isolation measures is incorrectly implemented | `netns-isolation` doesn't work, spark-wallet has access to bitcoin RPC interface or files | | Violations of [PoLP](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | nix-bitcoin services are given too much privilege over the system or unnecessary access to other nix-bitcoin services, or one of the nix-bitcoin isolation measures is incorrectly implemented | `netns-isolation` doesn't work, RTL has access to bitcoin RPC interface or files |
| Vulnerabilities in Dependencies | A vulnerability in any dependency of a nix-bitcoin installation with a configuration consisting of any combination of the following services: bitcoind, clightning, lnd, electrs, joinmarket, btcpayserver, liquidd.<br />**Note:** The vulnerability must first be reported to and handled by the maintainers of the dependency before it qualifies for a reward| Compromised NixOS expression pulls in malicious package, JoinMarket pulls in a python dependency with a known severe vulnerability | | Vulnerabilities in Dependencies | A vulnerability in any dependency of a nix-bitcoin installation with a configuration consisting of any combination of the following services: bitcoind, clightning, lnd, electrs, joinmarket, btcpayserver, liquidd.<br />**Note:** The vulnerability must first be reported to and handled by the maintainers of the dependency before it qualifies for a reward| Compromised NixOS expression pulls in malicious package, JoinMarket pulls in a python dependency with a known severe vulnerability |
| Bad Documentation | Our documentation suggests blatantly insecure things | `install.md` tells you to add our SSH keys to your root user | | Bad Documentation | Our documentation suggests blatantly insecure things | `install.md` tells you to add our SSH keys to your root user |
| Compromise of Signing Key | Compromise of the nix-bitcoin signing key, i.e., `0xB1A70E4F8DCD0366` | Leaking the key, managing to sign something with it | | Compromise of Signing Key | Compromise of the nix-bitcoin signing key, i.e., `0xB1A70E4F8DCD0366` | Leaking the key, managing to sign something with it |

View File

@ -101,4 +101,5 @@ It's easiest to use an existing service as a template:
- [flake.nix](../flake.nix): update `nixpkgs.url` - [flake.nix](../flake.nix): update `nixpkgs.url`
- [cirrus.yml](../.cirrus.yml): update toplevel container -> image attribute - [cirrus.yml](../.cirrus.yml): update toplevel container -> image attribute
- [examples/configuration.nix](../examples/configuration.nix): update `system.stateVersion` - [examples/configuration.nix](../examples/configuration.nix): update `system.stateVersion`
- [examples/flakes/flake.nix](../examples/flakes/flake.nix): update `inputs.nix-bitcoin.url`
- Treewide: check if any `TODO-EXTERNAL` comments can be resolved - Treewide: check if any `TODO-EXTERNAL` comments can be resolved

View File

@ -127,22 +127,6 @@ c systemctl status clightning-rest
c journalctl -u clightning-rest c journalctl -u clightning-rest
c systemctl status clightning-rest-migrate-datadir c systemctl status clightning-rest-migrate-datadir
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
# spark-wallet
run-tests.sh -s "{
services.spark-wallet.enable = true;
test.container.exposeLocalhost = true;
}" container
c systemctl status spark-wallet
c journalctl -u spark-wallet
sparkAuth=$(c cat /secrets/spark-wallet-login | grep -ohP '(?<=login=).*')
curl -v http://$sparkAuth@$ip:9737
# Open in browser
runuser -u "$(logname)" -- xdg-open http://$sparkAuth@$ip:9737
#――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― #―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
# electrs # electrs
@ -291,9 +275,18 @@ c journalctl -u joinmarket-ob-watcher
c journalctl -f -u joinmarket-ob-watcher c journalctl -f -u joinmarket-ob-watcher
# Check webinterface # Check webinterface
c curl localhost:62601 c curl 127.0.0.1:62601
nix run --inputs-from . nixpkgs#lynx -- --dump $ip:62601 nix run --inputs-from . nixpkgs#lynx -- --dump $ip:62601
c curl -s localhost:62601 | grep -i "orders found" c curl -s 127.0.0.1:62601 | grep -i "orders found"
#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
# trustedcoin
run-tests.sh -s trustedcoin-online container
c systemctl start clightning
c journalctl -u clightning -f
# This should show log msgs like
# plugin-trustedcoin returning block 801409, 0000000000000000000482ddc4…, 1483968 bytes
#――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― #―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
# rtl # rtl

View File

@ -37,7 +37,7 @@ with lib;
extraConfig.Settings.themeColor = "INDIGO"; extraConfig.Settings.themeColor = "INDIGO";
}; };
# nodes.lnd.enable = false; # nodes.lnd.enable = false;
# services.rtl.nodes.reverseOrder = true; # nodes.reverseOrder = true;
nightTheme = true; nightTheme = true;
extraCurrency = "CHF"; extraCurrency = "CHF";
}; };
@ -75,4 +75,34 @@ with lib;
}; };
nix-bitcoin.nodeinfo.enable = true; nix-bitcoin.nodeinfo.enable = true;
}; };
trustedcoin-online = {
services.clightning = {
enable = true;
tor.proxy = true;
plugins.trustedcoin.enable = true;
plugins.trustedcoin.tor.proxy = false;
};
# Don't run clightning on startup.
# This breaks the follwing dependency cycle:
# clightning
# -> network (trustedcoin fails and exits clightning without network access)
# -> multi-user.target (NixOS containers only gain network access after multi-user.target has completed)
# -> clightning
systemd.services.clightning.wantedBy = mkForce [];
test.container.enableWAN = true;
};
mempool-regtest = {
imports = [
scenarios.regtestBase
];
services.mempool = {
enable = true;
frontend.address = "0.0.0.0";
};
nix-bitcoin.nodeinfo.enable = true;
};
} }
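Review bot: In the added `mempool-regtest` scenario, `frontend.address = "0.0.0.0";` makes the frontend listen on all interfaces, and unlike the `trustedcoin-online` block it carries no comment explaining why. Add a one-line comment that this is only there to reach the dev container from the host, so the value is not copied into a real node config. Also, the comment in `trustedcoin-online` has a typo: "follwing" should be "following".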

22
dev/topics/mempool.sh Normal file
View File

@ -0,0 +1,22 @@
# Start mempool container
run-tests.sh -s mempool-regtest container
c systemctl status mempool
c systemctl status mysql
c nodeinfo
# Check backend
c curl -fsS localhost:8999/api/v1/blocks/1 | jq
c curl -fsS localhost:8999/api/v1/blocks/tip/height | jq
c curl -fsS localhost:8999/api/v1/address/1CGG9qVq2P6F7fo6sZExvNq99Jv2GDpaLE | jq
# Check frontend
c curl -fsS localhost:60845
c curl -fsS localhost:60845/api/mempool | jq
c curl -fsS localhost:60845/api/blocks/1 | jq
c curl -fsS localhost:60845/api/v1/blocks/1 | jq
c curl -fsS localhost:60845/api/blocks/tip/height | jq
# Open frontend
# shellcheck disable=SC2154
runuser -u "$(logname)" -- xdg-open "http://$ip:60845/"
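Review bot: Every `curl` check in this new file targets `localhost`, while the same change set switches other dev checks from `localhost` to `127.0.0.1` (for example `c curl 127.0.0.1:62601`). Use `127.0.0.1:8999` and `127.0.0.1:60845` here as well, or add a comment saying why name resolution is acceptable for these ports.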

View File

@ -30,7 +30,7 @@ runuser -u "$(logname)" -- xdg-open "http://$ip:3000"
rtl_src=~/s/RTL rtl_src=~/s/RTL
git clone https://github.com/Ride-The-Lightning/RTL "$rtl_src" git clone https://github.com/Ride-The-Lightning/RTL "$rtl_src"
nix build -o /tmp/nix-bitcoin-dev/nodejs --inputs-from . nixpkgs#nodejs-16_x nix build -o /tmp/nix-bitcoin-dev/nodejs --inputs-from . nixpkgs#nodejs-18_x
# Start a shell in a sandbox # Start a shell in a sandbox
env --chdir "$rtl_src" nix-bitcoin-firejail --whitelist="$rtl_src" --whitelist=/tmp/nix-bitcoin-dev/nodejs env --chdir "$rtl_src" nix-bitcoin-firejail --whitelist="$rtl_src" --whitelist=/tmp/nix-bitcoin-dev/nodejs
PATH=/tmp/nix-bitcoin-dev/nodejs/bin:"$PATH" PATH=/tmp/nix-bitcoin-dev/nodejs/bin:"$PATH"

View File

@ -2,7 +2,7 @@ Hardware requirements
--- ---
* RAM: 2GB. ECC memory is better. Additionally, it's recommended to use DDR4 memory with * RAM: 2GB. ECC memory is better. Additionally, it's recommended to use DDR4 memory with
targeted row refresh (TRR) enabled (https://rambleed.com/). targeted row refresh (TRR) enabled (https://rambleed.com/).
* Disk space: 500 GB (400GB for Bitcoin blockchain + some room) for an unpruned * Disk space: 1 TB for an unpruned
instance of Bitcoin Core. instance of Bitcoin Core.
* This can be significantly lowered by enabling pruning. * This can be significantly lowered by enabling pruning.
Note: Pruning is not supported by `electrs` and `fulcrum`. Note: Pruning is not supported by `electrs` and `fulcrum`.

View File

@ -20,16 +20,16 @@ This is borrowed from the [NixOS manual](https://nixos.org/nixos/manual/index.ht
1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example: 1. Obtain latest [NixOS](https://nixos.org/nixos/download.html). For example:
``` ```
wget https://releases.nixos.org/nixos/20.09/nixos-20.09.2405.e065200fc90/nixos-minimal-20.09.2405.e065200fc90-i686-linux.iso wget https://releases.nixos.org/nixos/23.11/nixos-23.11.1494.b4372c4924d9/nixos-minimal-23.11.1494.b4372c4924d9-x86_64-linux.iso
sha256sum nixos-minimal-20.09.2405.e065200fc90-x86_64-linux.iso sha256sum nixos-minimal-23.11.1494.b4372c4924d9-x86_64-linux.iso
# output: 5fc182e27a71a297b041b5c287558b21bdabde7068d4fc049752dad3025df867 # output: f48cf810432c1f04b291c947b36f824823dfef8ebfa0e1906602a516450189d8
``` ```
Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd. Alternatively you can build NixOS from source by following the instructions at https://nixos.org/nixos/manual/index.html#sec-building-cd.
2. Write NixOS iso to install media (USB/CD). For example: 2. Write NixOS iso to install media (USB/CD). For example:
``` ```
cp nixos-minimal-20.09.2405.e065200fc90-x86_64-linux.iso /dev/sdX cp nixos-minimal-23.05.3701.e9b4b56e5a20-x86_64-linux.iso /dev/sdX
``` ```
Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l` Replace /dev/sdX with the correct device name. You can find this using `sudo fdisk -l`
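Review bot: Step 2 copies `nixos-minimal-23.05.3701.e9b4b56e5a20-x86_64-linux.iso`, but step 1 now downloads and checksums `nixos-minimal-23.11.1494.b4372c4924d9-x86_64-linux.iso`, so the `cp` command as written refers to a file that was never fetched or verified. Change the `cp` line to the 23.11 file name used in step 1.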
@ -210,31 +210,21 @@ You can also build Nix from source by following the instructions at https://nixo
1. Clone this project 1. Clone this project
``` ```
cd
git clone https://github.com/fort-nix/nix-bitcoin git clone https://github.com/fort-nix/nix-bitcoin
``` ```
2. Obtain the hash of the latest nix-bitcoin release 2. Create a new directory for your nix-bitcoin node config and copy initial files from nix-bitcoin
``` ```
cd nix-bitcoin/examples
nix-shell
```
This will download the nix-bitcoin dependencies and might take a while without giving an output.
Now in the nix-shell run
```
fetch-release > nix-bitcoin-release.nix
```
3. Create a new directory for your nix-bitcoin deployment and copy initial files from nix-bitcoin
```
cd ../../
mkdir nix-bitcoin-node mkdir nix-bitcoin-node
cd nix-bitcoin-node cd nix-bitcoin-node
cp -r ../nix-bitcoin/examples/{nix-bitcoin-release.nix,configuration.nix,shell.nix,krops,.gitignore} . cp -r ../nix-bitcoin/examples/{configuration.nix,shell.nix,krops,.gitignore} .
```
3. Obtain the hash of the latest nix-bitcoin release
```
../nix-bitcoin/helper/fetch-release > nix-bitcoin-release.nix
``` ```
#### Optional: Specify the system of your node #### Optional: Specify the system of your node

View File

@ -128,7 +128,7 @@ yourself with custom permissions.
Normally you would connect to RTL via SSH tunneling with a command like this Normally you would connect to RTL via SSH tunneling with a command like this
``` ```
ssh -L 3000:localhost:3000 root@bitcoin-node ssh -L 3000:127.0.0.1:3000 root@bitcoin-node
``` ```
Or like this, if you are using `netns-isolation` Or like this, if you are using `netns-isolation`
@ -291,49 +291,6 @@ Create a plain text URL:
lndconnect-wg --url lndconnect-wg --url
`````` ``````
# Connect to spark-wallet
### Requirements
* Android phone
* [Orbot](https://guardianproject.info/apps/orbot/) installed from [F-Droid](https://guardianproject.info/fdroid) (recommended) or [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android&hl=en)
* [Spark-wallet](https://github.com/shesek/spark-wallet) installed from [direct download](https://github.com/shesek/spark-wallet/releases) or [Google Play](https://play.google.com/store/apps/details?id=com.spark.wallet)
1. Enable spark-wallet in `configuration.nix`
Change
```
# services.spark-wallet.enable = true;
```
to
```
services.spark-wallet.enable = true;
```
2. Deploy new `configuration.nix`
3. Enable Orbot VPN for spark-wallet
```
Open Orbot app
Turn on "VPN Mode"
Select Gear icon under "Tor-Enabled Apps"
Toggle checkbox under Spark icon
```
4. Get the onion address, access key and QR access code for the spark wallet android app
```
journalctl -eu spark-wallet
```
Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlighting the entire output to invert the colors.
5. Connect to spark-wallet android app
```
Server Settings
Scan QR
Done
```
# Connect to electrs # Connect to electrs
### Requirements Android ### Requirements Android
* Android phone * Android phone
@ -369,7 +326,7 @@ lndconnect-wg --url
On Desktop On Desktop
``` ```
electrum --oneserver -1 -s "<electrs onion address>:t" -p socks5:localhost:9050 electrum --oneserver -1 -s "<electrs onion address>:t" -p socks5:127.0.0.1:9050
``` ```
On Android On Android
@ -408,11 +365,11 @@ lndconnect-wg --url
4. Connect to your nix-bitcoin node's SSH onion service, forwarding a local port to the nix-bitcoin node's SSH server 4. Connect to your nix-bitcoin node's SSH onion service, forwarding a local port to the nix-bitcoin node's SSH server
``` ```
ssh -i ~/.ssh/id_ed25519 -L <random port of your choosing>:localhost:22 root@<SSH onion address> ssh -i ~/.ssh/id_ed25519 -L <random port of your choosing>:127.0.0.1:22 root@<SSH onion address>
``` ```
5. Edit your deployment tool's configuration and change the node's address to `localhost` and the ssh port to `<random port of your choosing>`. 5. Edit your deployment tool's configuration and change the node's address to `127.0.0.1` and the ssh port to `<random port of your choosing>`.
If you use krops as described in the [installation tutorial](./install.md), set `target = "localhost:<random port of your choosing>";` in `krops/deploy.nix`. If you use krops as described in the [installation tutorial](./install.md), set `target = "127.0.0.1:<random port of your choosing>";` in `krops/deploy.nix`.
6. After deploying the new configuration, it will connect through the SSH tunnel you established in step iv. This also allows you to do more complex SSH setups that some deployment tools don't support. An example would be authenticating with [Trezor's SSH agent](https://github.com/romanz/trezor-agent), which provides extra security. 6. After deploying the new configuration, it will connect through the SSH tunnel you established in step iv. This also allows you to do more complex SSH setups that some deployment tools don't support. An example would be authenticating with [Trezor's SSH agent](https://github.com/romanz/trezor-agent), which provides extra security.
@ -622,26 +579,18 @@ services.clightning = {
Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options. Please have a look at the module for a plugin (e.g. [prometheus.nix](../modules/clightning-plugins/prometheus.nix)) to learn its configuration options.
### Trustedcoin hints ### Trustedcoin
The [trustedcoin](https://github.com/nbd-wtf/trustedcoin) plugin use a Tor When `services.clightning.tor.proxy` is enabled, [trustedcoin](https://github.com/nbd-wtf/trustedcoin)
proxy for all of its external connections by default. That's why you can also uses Tor for all external connections by default.
sometimes face issues with your connections to esploras getting blocked. In this case, connections to block explorers can sometimes get blocked.
An example of clightning log error output in a case your connections are getting blocked:
An example of clightning log error output when connections are getting blocked:
``` ```
lightningd[5138]: plugin-trustedcoin estimatefees error: https://blockstream.info/api error: 403 Forbidden lightningd[5138]: plugin-trustedcoin estimatefees error: https://blockstream.info/api error: 403 Forbidden
lightningd[4933]: plugin-trustedcoin getblock error: got something that isn't a block hash: <html><head>...
``` ```
``` To work around this and connect via clearnet instead, set this option:
lightningd[4933]: plugin-trustedcoin getblock error: got something that isn't a block hash: <html><head> ```nix
lightningd[4933]: <meta http-equiv="content-type" content="text/html; services.clightning.plugins.trustedcoin.tor.proxy = false;
```
If you face these issues and you still need to use trustedcoin, use can disable
clightning's tor hardening by setting this option in your `configuration.nix`
file:
```
services.clightning.tor.enforce = false;
``` ```
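Review bot: The new workaround `services.clightning.plugins.trustedcoin.tor.proxy = false;` is documented without its cost: with it, trustedcoin's requests reach the public block explorers over clearnet, so those explorers see the node's IP address. State that trade-off next to the option so readers choose it deliberately, and say whether the other clightning connections keep using the Tor proxy when this is set.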

View File

@ -23,9 +23,9 @@ cd nix-bitcoin/examples/
nix-shell nix-shell
``` ```
The following example scripts set up a nix-bitcoin node according to [`configuration.nix`](configuration.nix) and then The following example scripts set up a nix-bitcoin node according to [`./configuration.nix`](configuration.nix) and then
shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.\ shut down immediately. They leave no traces (outside of `/nix/store`) on the host system.\
By default, [`configuration.nix`](configuration.nix) enables `bitcoind` and `clightning`. By default, [`./configuration.nix`](configuration.nix) enables `bitcoind` and `clightning`.
- [`./deploy-container.sh`](deploy-container.sh) creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\ - [`./deploy-container.sh`](deploy-container.sh) creates a [NixOS container](https://github.com/erikarvstedt/extra-container).\
This is the fastest way to set up a node.\ This is the fastest way to set up a node.\
@ -63,3 +63,9 @@ The commands in `shell.nix` allow you to locally run the node in a VM or contain
Flakes make it easy to include `nix-bitcoin` in an existing NixOS config. Flakes make it easy to include `nix-bitcoin` in an existing NixOS config.
The [flakes example](./flakes/flake.nix) shows how to use `nix-bitcoin` as an input to a system flake. The [flakes example](./flakes/flake.nix) shows how to use `nix-bitcoin` as an input to a system flake.
### Extending nix-bitcoin with Flakes
The [mempool extension flake](https://github.com/fort-nix/nix-bitcoin-mempool) shows how to define new
pkgs and modules in a Flake.\
Since mempool is now a core nix-bitcoin module, this Flake just serves as an example.

View File

@ -126,11 +126,25 @@
# Automatically enables lightning-loop. # Automatically enables lightning-loop.
# services.rtl.nodes.lnd.loop = true; # services.rtl.nodes.lnd.loop = true;
### SPARK WALLET ### MEMPOOL
# Set this to enable spark-wallet, a minimalistic wallet GUI for # Set this to enable mempool, a fully featured Bitcoin visualizer, explorer,
# c-lightning, accessible over the web or through mobile and desktop apps. # and API service.
# Automatically enables clightning. #
# services.spark-wallet.enable = true; # services.mempool.enable = true;
#
# Possible options for the Electrum backend server:
#
# - electrs (enabled by default):
# Small database size, slow when querying new addresses.
#
# - fulcrum:
# Large database size, quickly serves arbitrary address queries.
# Enable with:
# services.mempool.electrumServer = "fulcrum";
#
# Set this to create an onion service to make the mempool web interface
# available via Tor:
# nix-bitcoin.onionServices.mempool-frontend.enable = true;
### ELECTRS ### ELECTRS
# Set this to enable electrs, an Electrum server implemented in Rust. # Set this to enable electrs, an Electrum server implemented in Rust.
@ -236,6 +250,12 @@
# Set this to enable the JoinMarket order book watcher. # Set this to enable the JoinMarket order book watcher.
# services.joinmarket-ob-watcher.enable = true; # services.joinmarket-ob-watcher.enable = true;
### Nodeinfo
# Set this to add command `nodeinfo` to the system environment.
# It shows info about running services like onion addresses and local addresses.
# It is enabled by default when importing `secure-node.nix`.
# nix-bitcoin.nodeinfo.enable = true;
### Backups ### Backups
# Set this to enable nix-bitcoin's own backup service. By default, it # Set this to enable nix-bitcoin's own backup service. By default, it
# uses duplicity to incrementally back up all important files in /var/lib to # uses duplicity to incrementally back up all important files in /var/lib to
@ -271,7 +291,7 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
passwordAuthentication = false; settings.PasswordAuthentication = false;
}; };
users.users.root = { users.users.root = {
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
@ -298,7 +318,7 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.11"; # Did you read the comment? system.stateVersion = "23.11"; # Did you read the comment?
# The nix-bitcoin release version that your config is compatible with. # The nix-bitcoin release version that your config is compatible with.
# When upgrading to a backwards-incompatible release, nix-bitcoin will display an # When upgrading to a backwards-incompatible release, nix-bitcoin will display an

View File

@ -87,6 +87,7 @@ read -rd '' src <<EOF || true
}; };
} }
EOF EOF
. "${BASH_SOURCE[0]%/*}"/../test/lib/extra-container-check-version.sh
extra-container shell -E "$src" "${runCmd[@]}" extra-container shell -E "$src" "${runCmd[@]}"
# The container is automatically deleted at exit # The container is automatically deleted at exit

View File

@ -1,11 +1,23 @@
# This is a system configuration template that uses nix-bitcoin.
#
# You can adapt this to an existing system flake by copying the parts
# relevant to nix-bitcoin.
#
# Make sure to check and edit all lines marked by 'FIXME:'
{ {
description = "A basic nix-bitcoin node"; description = "A basic nix-bitcoin node";
inputs.nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release"; inputs.nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
# You can also use a version branch to track a specific NixOS release
# inputs.nix-bitcoin.url = "github:fort-nix/nix-bitcoin/nixos-23.11";
outputs = { self, nix-bitcoin }: { inputs.nixpkgs.follows = "nix-bitcoin/nixpkgs";
inputs.nixpkgs-unstable.follows = "nix-bitcoin/nixpkgs-unstable";
nixosConfigurations.mynode = nix-bitcoin.inputs.nixpkgs.lib.nixosSystem { outputs = { self, nixpkgs, nix-bitcoin, ... }: {
nixosConfigurations.mynode = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ modules = [
nix-bitcoin.nixosModules.default nix-bitcoin.nixosModules.default
@ -21,21 +33,25 @@
# The secrets are stored in /etc/nix-bitcoin-secrets # The secrets are stored in /etc/nix-bitcoin-secrets
nix-bitcoin.generateSecrets = true; nix-bitcoin.generateSecrets = true;
# Enable services. # Enable some services.
# See ../configuration.nix for all available features. # See ../configuration.nix for all available features.
services.bitcoind.enable = true; services.bitcoind.enable = true;
services.clightning.enable = true;
# When using nix-bitcoin as part of a larger NixOS configuration, set the following to enable # When using nix-bitcoin as part of a larger NixOS configuration, set the following to enable
# interactive access to nix-bitcoin features (like bitcoin-cli) for your system's main user # interactive access to nix-bitcoin features (like bitcoin-cli) for your system's main user
nix-bitcoin.operator = { nix-bitcoin.operator = {
enable = true; enable = true;
name = "main"; # Set this to your system's main user # FIXME: Set this to your system's main user
name = "main";
}; };
# The system's main unprivileged user. This setting is usually part of your # The system's main unprivileged user.
# existing NixOS configuration. # In an existing NixOS configuration, this setting is usually already defined.
users.users.main = { users.users.main = {
isNormalUser = true; isNormalUser = true;
# FIXME: This is unsafe. Use `hashedpassword` or `passwordFile` instead in a real
# deployment: https://search.nixos.org/options?show=users.users.%3Cname%3E.hashedPassword
password = "a"; password = "a";
}; };
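Review bot: The FIXME comment above `password = "a";` names the option as `hashedpassword`, but the option is `hashedPassword`, as the URL on the following comment line shows; a reader who copies the lowercase name gets an undefined-option error. Fix the spelling, and consider a placeholder that cannot work if left in place, since this template is meant to be adapted for real systems.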

View File

@ -3,6 +3,5 @@
./configuration.nix ./configuration.nix
<nix-bitcoin/modules/deployment/krops.nix> <nix-bitcoin/modules/deployment/krops.nix>
<qemu-vm/vm-config.nix> <qemu-vm/vm-config.nix>
<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
]; ];
} }

View File

@ -40,10 +40,11 @@ rec {
Welcome to nix-bitcoin! Welcome to nix-bitcoin!
To explore running services, try the following commands: To explore running services, try the following commands:
- nodeinfo nodeinfo
- systemctl status bitcoind systemctl status bitcoind
- systemctl status clightning systemctl status clightning
- lightning-cli getinfo bitcoin-cli -getinfo
lightning-cli getinfo
''; '';
# Power off VM when the user exits the shell # Power off VM when the user exits the shell

View File

@ -10,11 +10,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1679648217, "lastModified": 1699821751,
"narHash": "sha256-aq2J5Hj5IE8X8X/7v3n0wcv8n+FLzzENbcCF9xqhxAc=", "narHash": "sha256-UlId5jvJFmkVcKpn0oZ2VTvWAc/mZy6butRZGk73xXM=",
"owner": "erikarvstedt", "owner": "erikarvstedt",
"repo": "extra-container", "repo": "extra-container",
"rev": "40c73f5e3292e73d6ce91625d9751be84fde17cb", "rev": "842912907bf189ef17a80ca09ba37b6bdfc76c49",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -28,11 +28,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1701680307,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -43,27 +43,27 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1681482634, "lastModified": 1702233072,
"narHash": "sha256-cT/nr3L8khEYZSGp8qqwxFH+/q4/547MfyOdSj6MhBk=", "narHash": "sha256-H5G2wgbim2Ku6G6w+NSaQaauv6B6DlPhY9fMvArKqRo=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "fda0d99c2cbbb5c89d8855d258cb0821bd9113ad", "rev": "781e2a9797ecf0f146e81425c822dca69fe4a348",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-22.11", "ref": "nixos-23.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1681571934, "lastModified": 1701336116,
"narHash": "sha256-Q3B3HTqhTahhPCT53ahK1FPktOXlEWmudSttd9CWGbE=", "narHash": "sha256-kEmpezCR/FpITc6yMbAh4WrOCiT2zg5pSjnKrq51h5Y=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "29176972b4be60f7d3eb3101f696c99f2e6ada57", "rev": "f5c27c6136db4d76c30e533c20517df6864c46ee",
"type": "github" "type": "github"
}, },
"original": { "original": {

View File

@ -5,7 +5,7 @@
''; '';
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
extra-container = { extra-container = {

Binary file not shown.

View File

@ -6,42 +6,45 @@ BRANCH=master
GIT_REMOTE=origin GIT_REMOTE=origin
OAUTH_TOKEN= OAUTH_TOKEN=
DRY_RUN= DRY_RUN=
TAG_NAME= releaseVersion=
trap 'echo "Error at ${BASH_SOURCE[0]}:$LINENO"' ERR trap 'echo "Error at ${BASH_SOURCE[0]}:$LINENO"' ERR
cd "${BASH_SOURCE[0]%/*}"
for arg in "$@"; do for arg in "$@"; do
case $arg in case $arg in
--dry-run|-n) --dry-run|-n)
DRY_RUN=1 DRY_RUN=1
;; ;;
*) *)
TAG_NAME="$arg" releaseVersion="$arg"
;; ;;
esac esac
done done
if [[ ! $TAG_NAME ]]; then latestVersion=$(curl -fsS https://api.github.com/repos/$REPO/releases/latest | jq -r '.tag_name' | tail -c +2)
echo "$0 [--dry-run|-n] <tag_name>"
exit if [[ ! $releaseVersion ]]; then
# Increment the lowest/last part of `latestVersion`
releaseVersion=$(echo "$latestVersion" | awk -F. '/[0-9]+\./{$NF++;print}' OFS=.)
fi fi
if [[ $DRY_RUN ]]; then if [[ $DRY_RUN ]]; then
echo "Dry run" echo "Dry run"
else else
OAUTH_TOKEN=$(pass show nix-bitcoin/github/oauth-token) OAUTH_TOKEN=$(pass show nix-bitcoin/github/oauth-token)
if [[ ! $OAUTH_TOKEN ]]; then if [[ ! $OAUTH_TOKEN ]]; then
echo "Please set OAUTH_TOKEN variable" echo "Error fetching OAUTH_TOKEN"
exit 1
fi fi
fi fi
cd "${BASH_SOURCE[0]%/*}" echo "Latest release: $latestVersion"
RESPONSE=$(curl https://api.github.com/repos/$REPO/releases/latest 2> /dev/null)
echo "Latest release" "$(echo "$RESPONSE" | jq -r '.tag_name' | tail -c +2)"
if [[ ! $DRY_RUN ]]; then if [[ ! $DRY_RUN ]]; then
while true; do while true; do
read -rp "Create release ${TAG_NAME}? [yn] " yn read -rp "Create release ${releaseVersion}? [yn] " yn
case $yn in case $yn in
[Yy]* ) break;; [Yy]* ) break;;
[Nn]* ) exit;; [Nn]* ) exit;;
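Review bot: With the `<tag_name>` usage guard removed, nothing checks that `releaseVersion` is non-empty after the auto-increment. If the `curl ... | jq ... | tail` pipeline yields nothing, or `latestVersion` does not match the awk pattern `/[0-9]+\./`, the script still prompts `Create release ?` and later builds `nix-bitcoin-.tar.gz`. Exit with an error when `latestVersion` or `releaseVersion` is empty, and validate a user-supplied version against the expected format before it is used in the tag name.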
@ -50,9 +53,16 @@ if [[ ! $DRY_RUN ]]; then
done done
fi fi
nixosVersion=$(sed -nE 's|.*system.stateVersion = "(.*?)".*|\1|p' ../examples/configuration.nix)
if [[ ! $nixosVersion ]]; then
echo "Error fetching NixOS version"
exit 1
fi
nixosVersionBranch=nixos-$nixosVersion
TMPDIR=$(mktemp -d) TMPDIR=$(mktemp -d)
if [[ ! $DRY_RUN ]]; then trap 'rm -rf $TMPDIR' EXIT; fi if [[ ! $DRY_RUN ]]; then trap 'rm -rf $TMPDIR' EXIT; fi
ARCHIVE_NAME=nix-bitcoin-$TAG_NAME.tar.gz ARCHIVE_NAME=nix-bitcoin-$releaseVersion.tar.gz
ARCHIVE=$TMPDIR/$ARCHIVE_NAME ARCHIVE=$TMPDIR/$ARCHIVE_NAME
# Need to be in the repo root directory for archiving # Need to be in the repo root directory for archiving
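Review bot: The `sed -nE` expression for `nixosVersion` uses `(.*?)`, but POSIX extended regular expressions have no non-greedy quantifier, so the group is greedy and yields the version only because the matched line contains exactly two double quotes. Use `"([^"]*)"` so a quote in the trailing comment cannot change the branch name that is pushed later, and add a format check on `nixosVersion` next to the existing empty check.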
@ -70,12 +80,16 @@ nix hash to-sri --type sha256 "$(nix-prefetch-url --unpack "file://$ARCHIVE" 2>
gpg -o nar-hash.txt.asc -a --detach-sig nar-hash.txt gpg -o nar-hash.txt.asc -a --detach-sig nar-hash.txt
if [[ $DRY_RUN ]]; then if [[ $DRY_RUN ]]; then
echo "Created v$TAG_NAME in $TMPDIR" echo "Created v$releaseVersion in $TMPDIR"
echo "NixOS version branch: $nixosVersionBranch"
exit 0 exit 0
fi fi
POST_DATA="{ \"tag_name\": \"v$TAG_NAME\", \"name\": \"nix-bitcoin-$TAG_NAME\", \"body\": \"nix-bitcoin-$TAG_NAME\", \"target_comitish\": \"$BRANCH\" }" #―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
RESPONSE=$(curl -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases 2> /dev/null) # Create release
POST_DATA="{ \"tag_name\": \"v$releaseVersion\", \"name\": \"nix-bitcoin-$releaseVersion\", \"body\": \"nix-bitcoin-$releaseVersion\", \"target_comitish\": \"$BRANCH\" }"
RESPONSE=$(curl -fsS -H "Authorization: token $OAUTH_TOKEN" -d "$POST_DATA" https://api.github.com/repos/$REPO/releases)
ID=$(echo "$RESPONSE" | jq -r '.id') ID=$(echo "$RESPONSE" | jq -r '.id')
if [[ $ID == null ]]; then if [[ $ID == null ]]; then
echo "Failed to create release with $POST_DATA" echo "Failed to create release with $POST_DATA"
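Review bot: The rewritten `POST_DATA` line still sends the key `target_comitish`; the GitHub releases API field is `target_commitish`, so `$BRANCH` is most likely not applied as the release target. Since the line is being touched anyway, fix the key and build the JSON with `jq -n --arg` instead of string interpolation, so a version argument containing a quote or backslash cannot produce malformed or altered request data.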
@ -84,8 +98,8 @@ fi
post_asset() { post_asset() {
GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name=" GH_ASSET="https://uploads.github.com/repos/$REPO/releases/$ID/assets?name="
curl -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \ curl -fsS -H "Authorization: token $OAUTH_TOKEN" --data-binary "@$1" -H "Content-Type: application/octet-stream" \
"$GH_ASSET/$(basename "$1")" &> /dev/null "$GH_ASSET/$(basename "$1")"
} }
post_asset nar-hash.txt post_asset nar-hash.txt
post_asset nar-hash.txt.asc post_asset nar-hash.txt.asc
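Review bot: In `post_asset`, dropping `&> /dev/null` while adding `-fsS` makes upload errors visible, but it also prints each upload's response body to the terminal. Send the body to `-o /dev/null`; with `-S` errors still reach stderr. Also, `GH_ASSET` ends in `?name=` and the call appends `/$(basename "$1")`, so the asset name is sent with a leading slash; drop the `/`.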
@ -98,7 +112,8 @@ post_asset "$SHA256SUMS.asc"
popd >/dev/null popd >/dev/null
if [[ ! $DRY_RUN ]]; then if [[ ! $DRY_RUN ]]; then
git push "$GIT_REMOTE" "${BRANCH}:release" git push "$GIT_REMOTE" "$BRANCH:release"
git push "$GIT_REMOTE" "$BRANCH:$nixosVersionBranch"
fi fi
echo "Successfully created" "$(echo "$POST_DATA" | jq -r .tag_name)" echo "Successfully created" "$(echo "$POST_DATA" | jq -r .tag_name)"
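Review bot: The added `git push "$GIT_REMOTE" "$BRANCH:$nixosVersionBranch"` runs only after the release and its signed assets are published, so a rejected push (for example a version branch that has diverged) leaves a published release with stale branches. Check that both pushes can fast-forward before creating the release. The surrounding `if [[ ! $DRY_RUN ]]` is also redundant, because the dry-run path already ends with `exit 0` earlier in the script.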

View File

@ -1,3 +1,5 @@
#!/usr/bin/env bash
set -euo pipefail set -euo pipefail
# The file that defines the derivation that should be updated # The file that defines the derivation that should be updated

View File

@ -49,7 +49,7 @@ let
cfg = config.services.backups; cfg = config.services.backups;
# Potential backup file paths are are matched against filelist # Potential backup file paths are matched against filelist
# entries from top to bottom. # entries from top to bottom.
# The first match determines inclusion or exclusion. # The first match determines inclusion or exclusion.
filelist = builtins.toFile "filelist.txt" '' filelist = builtins.toFile "filelist.txt" ''
@ -106,7 +106,7 @@ in {
systemd.services.duplicity = { systemd.services.duplicity = {
wants = postgresqlBackupServices; wants = postgresqlBackupServices;
after = postgresqlBackupServices; after = postgresqlBackupServices ++ [ "nix-bitcoin-secrets.target" ];
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
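Review bot: Adding `nix-bitcoin-secrets.target` to `after` for `duplicity` only orders the unit behind the target; it does not pull the target in. Confirm that every service receiving this change is guaranteed to have the target in its transaction through another dependency, or add `wants`/`requires` here, and say so in a comment so the ordering-only intent is clear.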

View File

@ -2,6 +2,7 @@
[ [
"echo" "echo"
"getinfo" "getinfo"
"getindexinfo"
"help" "help"
"ping" "ping"
"uptime" "uptime"

View File

@ -414,6 +414,8 @@ in {
# Enable RPC access for group # Enable RPC access for group
postStart = '' postStart = ''
chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie' chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
'' + (optionalString cfg.regtest) ''
chmod g=x '${cfg.dataDir}/regtest'
''; '';
serviceConfig = nbLib.defaultHardening // { serviceConfig = nbLib.defaultHardening // {
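Review bot: The added `chmod g=x '${cfg.dataDir}/regtest'` has no comment, and `g=x` replaces the group bits rather than adding to them. State in a comment that the group needs only traverse permission on the `regtest` directory to reach the `.cookie` file made readable on the line above, so a later edit does not widen this to `g=rx` or broader.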

View File

@ -138,16 +138,16 @@ in {
enable = true; enable = true;
ensureDatabases = [ "btcpaydb" "nbxplorer" ]; ensureDatabases = [ "btcpaydb" "nbxplorer" ];
ensureUsers = [ ensureUsers = [
{ { name = cfg.btcpayserver.user; }
name = cfg.btcpayserver.user; { name = cfg.nbxplorer.user; }
ensurePermissions."DATABASE btcpaydb" = "ALL PRIVILEGES";
}
{
name = cfg.nbxplorer.user;
ensurePermissions."DATABASE nbxplorer" = "ALL PRIVILEGES";
}
]; ];
}; };
systemd.services.postgresql.postStart = lib.mkAfter ''
$PSQL -tAc '
ALTER DATABASE "btcpaydb" OWNER TO "${cfg.btcpayserver.user}";
ALTER DATABASE "nbxplorer" OWNER TO "${cfg.nbxplorer.user}";
'
'';
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -" "d '${cfg.nbxplorer.dataDir}' 0770 ${cfg.nbxplorer.user} ${cfg.nbxplorer.group} - -"
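Review bot: The new `postStart` snippet depends on a `$PSQL` variable that is not defined anywhere in this hunk, and `lib.mkAfter` only guarantees placement after whatever else defines `postStart`. Add a comment naming where `$PSQL` comes from. The database names are also now written twice, in `ensureDatabases` and in the `ALTER DATABASE` statements; binding them once in a `let` keeps the ownership change from drifting out of sync with the list.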
@ -174,7 +174,7 @@ in {
in rec { in rec {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service"; requires = [ "bitcoind.service" "postgresql.service" ] ++ optional cfg.btcpayserver.lbtc "liquidd.service";
after = requires; after = requires ++ [ "nix-bitcoin-secrets.target" ];
preStart = '' preStart = ''
install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config' install -m 600 ${configFile} '${cfg.nbxplorer.dataDir}/settings.config'
{ {

View File

@ -56,6 +56,7 @@ let cfg = config.services.clightning.plugins.clboss; in
clboss-max-channel=${toString cfg.max-channel} clboss-max-channel=${toString cfg.max-channel}
clboss-zerobasefee=${cfg.zerobasefee} clboss-zerobasefee=${cfg.zerobasefee}
''; '';
systemd.services.clightning.path = [ systemd.services.clightning.path = [
pkgs.dnsutils pkgs.dnsutils
] ++ optional config.services.clightning.tor.proxy (hiPrio config.nix-bitcoin.torify); ] ++ optional config.services.clightning.tor.proxy (hiPrio config.nix-bitcoin.torify);

View File

@ -5,24 +5,36 @@ let cfg = config.services.clightning.plugins.trustedcoin; in
{ {
options.services.clightning.plugins.trustedcoin = { options.services.clightning.plugins.trustedcoin = {
enable = mkEnableOption "Trustedcoin (clightning plugin)"; enable = mkEnableOption "Trustedcoin (clightning plugin)";
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = config.nix-bitcoin.pkgs.trustedcoin; default = config.nix-bitcoin.pkgs.trustedcoin;
defaultText = "config.nix-bitcoin.pkgs.trustedcoin"; defaultText = "config.nix-bitcoin.pkgs.trustedcoin";
description = mdDoc "The package providing trustedcoin binaries."; description = mdDoc "The package providing trustedcoin binaries.";
}; };
tor.proxy = mkOption {
type = types.bool;
default = config.services.clightning.tor.proxy;
description = mdDoc "Whether to proxy outgoing connections with Tor.";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.clightning.extraConfig = '' services.clightning = {
useBcliPlugin = false;
extraConfig = ''
plugin=${cfg.package}/bin/trustedcoin plugin=${cfg.package}/bin/trustedcoin
disable-plugin=bcli
''; '';
tor.enforce = mkIf (!cfg.tor.proxy) false;
};
# Trustedcoin does not honor the clightning's proxy configuration. systemd.services.clightning.environment = mkIf (cfg.tor.proxy) {
# Ref.: https://github.com/nbd-wtf/trustedcoin/pull/19 HTTPS_PROXY = let
systemd.services.clightning.environment = mkIf (config.services.clightning.proxy != null) { clnProxy = config.services.clightning.proxy;
HTTPS_PROXY = "socks5://${config.services.clightning.proxy}"; proxy = if clnProxy != null then clnProxy else config.nix-bitcoin.torClientAddressWithPort;
in
"socks5://${proxy}";
}; };
}; };
} }
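Review bot: `tor.enforce = mkIf (!cfg.tor.proxy) false;` turns off Tor enforcement for the whole `clightning` service, not only for the plugin, whenever the plugin's `tor.proxy` is disabled, and the option description ("Whether to proxy outgoing connections with Tor.") does not mention this. Document that side effect in the description of `tor.proxy`. The removed comment explaining that trustedcoin does not honor clightning's proxy configuration, with its link to nbd-wtf/trustedcoin pull 19, was the only explanation for setting `HTTPS_PROXY`; keep it next to the new `environment` block.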

View File

@ -97,6 +97,7 @@ in {
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = [ cfg.dataDir ]; ReadWritePaths = [ cfg.dataDir ];
inherit (nbLib.allowNetlink) RestrictAddressFamilies;
} // nbLib.allowedIPAddresses cfg.tor.enforce } // nbLib.allowedIPAddresses cfg.tor.enforce
// nbLib.nodejs; // nbLib.nodejs;
}; };

View File

@ -49,6 +49,15 @@ let
parameters, as fully qualified data source name. parameters, as fully qualified data source name.
''; '';
}; };
useBcliPlugin = mkOption {
type = types.bool;
default = true;
description = ''
Use bitcoind (via plugin `bcli`) for getting block data.
This option is disabled by plugins that use other sources for
fetching block data, like `trustedcoin`.
'';
};
extraConfig = mkOption { extraConfig = mkOption {
type = types.lines; type = types.lines;
default = ""; default = "";
@ -107,15 +116,19 @@ let
network = bitcoind.makeNetworkName "bitcoin" "regtest"; network = bitcoind.makeNetworkName "bitcoin" "regtest";
configFile = pkgs.writeText "config" '' configFile = pkgs.writeText "config" ''
network=${network} network=${network}
${optionalString (!cfg.plugins.trustedcoin.enable) "bitcoin-datadir=${bitcoind.dataDir}"} ${
if cfg.useBcliPlugin then ''
bitcoin-datadir=${config.services.bitcoind.dataDir}
'' else ''
disable-plugin=bcli
''
}
${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"} ${optionalString (cfg.proxy != null) "proxy=${cfg.proxy}"}
always-use-proxy=${boolToString cfg.always-use-proxy} always-use-proxy=${boolToString cfg.always-use-proxy}
bind-addr=${cfg.address}:${toString cfg.port} bind-addr=${cfg.address}:${toString cfg.port}
bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address} bitcoin-rpcconnect=${nbLib.address bitcoind.rpc.address}
bitcoin-rpcport=${toString bitcoind.rpc.port} bitcoin-rpcport=${toString bitcoind.rpc.port}
bitcoin-rpcuser=${bitcoind.rpc.users.public.name} bitcoin-rpcuser=${bitcoind.rpc.users.public.name}
rpc-file-mode=0660 rpc-file-mode=0660
log-timestamps=false log-timestamps=false
${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"} ${optionalString (cfg.wallet != null) "wallet=${cfg.wallet}"}
@ -152,18 +165,20 @@ in {
]; ];
systemd.services.clightning = { systemd.services.clightning = {
path = [ nbPkgs.bitcoind ]; path = [ bitcoind.package ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
preStart = '' preStart = ''
# The RPC socket has to be removed otherwise we might have stale sockets # Remove an existing socket so that `postStart` can detect when when a new
# socket has been created and clightning is ready to accept RPC connections.
# This will no longer be needed when clightning supports systemd startup notifications.
rm -f ${cfg.networkDir}/lightning-rpc rm -f ${cfg.networkDir}/lightning-rpc
umask u=rw,g=r,o= umask u=rw,g=r,o=
{ {
cat ${configFile} cat ${configFile}
echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)" echo "bitcoin-rpcpassword=$(cat ${config.nix-bitcoin.secretsDir}/bitcoin-rpcpassword-public)"
${optionalString (cfg.getPublicAddressCmd != "") '' ${optionalString (cfg.getPublicAddressCmd != "") ''
echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}" echo "announce-addr=$(${cfg.getPublicAddressCmd}):${toString publicPort}"
''} ''}
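Review bot: `requires = [ "bitcoind.service" ]` and the `bitcoin-rpcpassword` line in `preStart` remain unconditional, so a node with `useBcliPlugin = false` still depends on bitcoind and still writes the RPC password into the clightning config. If that is intended, say so in a comment; otherwise guard both with `cfg.useBcliPlugin`. The new `preStart` comment also has a doubled word: `detect when when a new`.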

View File

@ -68,7 +68,7 @@ in {
systemd.services.electrs = { systemd.services.electrs = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
preStart = '' preStart = ''
echo "auth = \"${bitcoind.rpc.users.public.name}:$(cat ${secretsDir}/bitcoin-rpcpassword-public)\"" \ echo "auth = \"${bitcoind.rpc.users.public.name}:$(cat ${secretsDir}/bitcoin-rpcpassword-public)\"" \
> electrs.toml > electrs.toml

View File

@ -112,7 +112,7 @@ in {
systemd.services.fulcrum = { systemd.services.fulcrum = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
preStart = '' preStart = ''
{ {
cat ${configFile} cat ${configFile}

View File

@ -75,7 +75,7 @@ in {
systemd.services.joinmarket-ob-watcher = rec { systemd.services.joinmarket-ob-watcher = rec {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "tor.service" "bitcoind.service" ]; requires = [ "tor.service" "bitcoind.service" ];
after = requires; after = requires ++ [ "nix-bitcoin-secrets.target" ];
# The service writes to HOME/.config/matplotlib # The service writes to HOME/.config/matplotlib
environment.HOME = cfg.dataDir; environment.HOME = cfg.dataDir;
preStart = '' preStart = ''

View File

@ -158,7 +158,7 @@ let
onion_serving_host = ${cfg.messagingAddress} onion_serving_host = ${cfg.messagingAddress}
onion_serving_port = ${toString cfg.messagingPort} onion_serving_port = ${toString cfg.messagingPort}
hidden_service_dir = hidden_service_dir =
directory_nodes = 3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,jmdirjmioywe2s5jad7ts6kgcqg66rj6wujj6q77n6wbdrgocqwexzid.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222 directory_nodes = g3hv4uynnmynqqq2mchf3fcm3yd46kfzmcdogejuckgwknwyq5ya6iad.onion:5222,3kxw6lf5vf6y26emzwgibzhrzhmhqiw6ekrek3nqfjjmhwznb2moonad.onion:5222,bqlpq6ak24mwvuixixitift4yu42nxchlilrcqwk2ugn45tdclg42qid.onion:5222
# irc.darkscience.net # irc.darkscience.net
[MESSAGING:server1] [MESSAGING:server1]
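Review bot: The `directory_nodes` line swaps one hard-coded onion address for another with no indication of where the new list comes from. These addresses decide which directory servers the node connects to, so add a comment citing the upstream JoinMarket release or default config the list was taken from, which lets a reviewer verify each address against that source.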
@ -191,7 +191,7 @@ let
[DAEMON] [DAEMON]
no_daemon = 0 no_daemon = 0
daemon_port = 27183 daemon_port = 27183
daemon_host = localhost daemon_host = 127.0.0.1
use_ssl = false use_ssl = false
[BLOCKCHAIN] [BLOCKCHAIN]
@ -212,6 +212,7 @@ let
segwit = true segwit = true
native = true native = true
merge_algorithm = default merge_algorithm = default
gaplimit = 6
tx_fees = 3 tx_fees = 3
tx_fees_factor = 0.2 tx_fees_factor = 0.2
absurd_fee_per_kb = 350000 absurd_fee_per_kb = 350000
@ -252,7 +253,6 @@ let
txfee_contribution_factor = ${toString yg.txfee_contribution_factor} txfee_contribution_factor = ${toString yg.txfee_contribution_factor}
minsize = ${toString yg.minsize} minsize = ${toString yg.minsize}
size_factor = ${toString yg.size_factor} size_factor = ${toString yg.size_factor}
gaplimit = 6
[SNICKER] [SNICKER]
enabled = false enabled = false
@ -303,7 +303,7 @@ in {
systemd.services.joinmarket = { systemd.services.joinmarket = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
preStart = '' preStart = ''
{ {
cat ${configFile} cat ${configFile}
@ -387,7 +387,7 @@ in {
systemd.services.joinmarket-yieldgenerator = { systemd.services.joinmarket-yieldgenerator = {
wantedBy = [ "joinmarket.service" ]; wantedBy = [ "joinmarket.service" ];
requires = [ "joinmarket.service" ]; requires = [ "joinmarket.service" ];
after = [ "joinmarket.service" ]; after = [ "joinmarket.service" "nix-bitcoin-secrets.target" ];
script = '' script = ''
tr -d "\n" <"${secretsDir}/jm-wallet-password" \ tr -d "\n" <"${secretsDir}/jm-wallet-password" \
| ${nbPkgs.joinmarket}/bin/jm-yg-privacyenhanced --datadir='${cfg.dataDir}' \ | ${nbPkgs.joinmarket}/bin/jm-yg-privacyenhanced --datadir='${cfg.dataDir}' \

View File

@ -6,7 +6,7 @@ let
enable = mkEnableOption "Lightning Loop, a non-custodial off/on chain bridge"; enable = mkEnableOption "Lightning Loop, a non-custodial off/on chain bridge";
rpcAddress = mkOption { rpcAddress = mkOption {
type = types.str; type = types.str;
default = "localhost"; default = "127.0.0.1";
description = mdDoc "Address to listen for gRPC connections."; description = mdDoc "Address to listen for gRPC connections.";
}; };
rpcPort = mkOption { rpcPort = mkOption {
@ -121,12 +121,12 @@ in {
"d '${cfg.dataDir}' 0770 ${lnd.user} ${lnd.group} - -" "d '${cfg.dataDir}' 0770 ${lnd.user} ${lnd.group} - -"
]; ];
services.lightning-loop.certificate.extraIPs = mkIf (cfg.rpcAddress != "localhost") [ "${cfg.rpcAddress}" ]; services.lightning-loop.certificate.extraIPs = mkIf (cfg.rpcAddress != "127.0.0.1") [ "${cfg.rpcAddress}" ];
systemd.services.lightning-loop = { systemd.services.lightning-loop = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "lnd.service" ]; requires = [ "lnd.service" ];
after = [ "lnd.service" ]; after = [ "lnd.service" "nix-bitcoin-secrets.target" ];
serviceConfig = nbLib.defaultHardening // { serviceConfig = nbLib.defaultHardening // {
ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}"; ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}";
User = lnd.user; User = lnd.user;
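Review bot: After the default moves to `127.0.0.1`, the condition `cfg.rpcAddress != "127.0.0.1"` means a configuration that still sets `rpcAddress = "localhost"` explicitly now puts the string `localhost` into `certificate.extraIPs`, which is not an IP address. Either exclude both values in the `mkIf`, or call out the changed default in the release notes; the same condition is changed for `services.lnd.certificate.extraIPs` further down.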

View File

@ -6,7 +6,7 @@ let
enable = mkEnableOption "Lightning Pool, a marketplace for inbound lightning liquidity "; enable = mkEnableOption "Lightning Pool, a marketplace for inbound lightning liquidity ";
rpcAddress = mkOption { rpcAddress = mkOption {
type = types.str; type = types.str;
default = "localhost"; default = "127.0.0.1";
description = mdDoc "Address to listen for gRPC connections."; description = mdDoc "Address to listen for gRPC connections.";
}; };
rpcPort = mkOption { rpcPort = mkOption {

View File

@ -256,7 +256,7 @@ in {
systemd.services.liquidd = { systemd.services.liquidd = {
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
preStart = '' preStart = ''
install -m 640 ${configFile} '${cfg.dataDir}/elements.conf' install -m 640 ${configFile} '${cfg.dataDir}/elements.conf'

View File

@ -6,7 +6,7 @@ let
enable = mkEnableOption "Lightning Network daemon, a Lightning Network implementation in Go"; enable = mkEnableOption "Lightning Network daemon, a Lightning Network implementation in Go";
address = mkOption { address = mkOption {
type = types.str; type = types.str;
default = "localhost"; default = "127.0.0.1";
description = mdDoc "Address to listen for peer connections"; description = mdDoc "Address to listen for peer connections";
}; };
port = mkOption { port = mkOption {
@ -16,7 +16,7 @@ let
}; };
rpcAddress = mkOption { rpcAddress = mkOption {
type = types.str; type = types.str;
default = "localhost"; default = "127.0.0.1";
description = mdDoc "Address to listen for RPC connections."; description = mdDoc "Address to listen for RPC connections.";
}; };
rpcPort = mkOption { rpcPort = mkOption {
@ -26,7 +26,7 @@ let
}; };
restAddress = mkOption { restAddress = mkOption {
type = types.str; type = types.str;
default = "localhost"; default = "127.0.0.1";
description = mdDoc "Address to listen for REST connections."; description = mdDoc "Address to listen for REST connections.";
}; };
restPort = mkOption { restPort = mkOption {
@ -224,12 +224,12 @@ in {
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -" "d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
]; ];
services.lnd.certificate.extraIPs = mkIf (cfg.rpcAddress != "localhost") [ "${cfg.rpcAddress}" ]; services.lnd.certificate.extraIPs = mkIf (cfg.rpcAddress != "127.0.0.1") [ "${cfg.rpcAddress}" ];
systemd.services.lnd = { systemd.services.lnd = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ]; requires = [ "bitcoind.service" ];
after = [ "bitcoind.service" ]; after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
preStart = '' preStart = ''
install -m600 ${configFile} '${cfg.dataDir}/lnd.conf' install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
{ {

332
modules/mempool.nix Normal file
View File

@ -0,0 +1,332 @@
{ config, lib, pkgs, ... }:
with lib;
let
options.services = {
mempool = {
enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Enable Mempool, a fully featured Bitcoin visualizer, explorer, and API service.
Note: Mempool enables `txindex` in bitcoind (this is a requirement).
This module has two components:
- A backend service (systemd service `mempool`)
- An optional web interface run by nginx, defined by options `services.mempool.frontend.*`.
The frontend is enabled by default when mempool is enabled.
For details, see `services.mempool.frontend.enable`.
'';
};
frontend = {
enable = mkOption {
type = types.bool;
default = cfg.enable;
description = mdDoc ''
Enable the mempool frontend (web interface).
This starts a simple nginx instance, configured for local usage with
settings similar to the `mempool/frontend` Docker image.
IMPORTANT:
If you want to expose the mempool frontend to the internet, you
should create a custom nginx config that includes TLS, backend caching, rate limiting
and performance tuning.
For this task, reuse the config snippets from option `services.mempool.frontend.nginxConfig`.
See also: https://github.com/fort-nix/nixbitcoin.org/blob/master/website/mempool.nix,
which contains a mempool nginx config for public hosting (running at
https://mempool.nixbitcoin.org).
'';
};
address = mkOption {
type = types.str;
default = "127.0.0.1";
description = mdDoc "HTTP server address.";
};
port = mkOption {
type = types.port;
default = 60845; # A random private port
description = mdDoc "HTTP server port.";
};
staticContentRoot = mkOption {
type = types.path;
default = nbPkgs.mempool-frontend;
defaultText = "config.nix-bitcoin.pkgs.mempool-frontend";
description = mdDoc "
Path of the static frontend content root.
";
};
nginxConfig = mkOption {
readOnly = true;
default = frontend.nginxConfig;
defaultText = "(See source)";
description = mdDoc "
An attrset of nginx config snippets for assembling a custom
mempool nginx config.
For details, see the source comments at the point of definition.
";
};
};
address = mkOption {
type = types.str;
default = "127.0.0.1";
description = mdDoc "Mempool backend address.";
};
port = mkOption {
type = types.port;
default = 8999;
description = mdDoc "Mempool backend port.";
};
electrumServer = mkOption {
type = types.enum [ "electrs" "fulcrum" ];
default = "electrs";
description = mdDoc ''
The Electrum server to use for fetching address information.
Possible options:
- electrs:
Small database size, slow when querying new addresses.
- fulcrum:
Large database size, quickly serves arbitrary address queries.
'';
};
settings = mkOption {
type = with types; attrsOf (attrsOf anything);
example = {
MEMPOOL = {
POLL_RATE_MS = 3000;
STDOUT_LOG_MIN_PRIORITY = "debug";
};
PRICE_DATA_SERVER = {
CLEARNET_URL = "https://myserver.org/prices";
};
};
description = mdDoc ''
Mempool backend settings.
See here for possible options:
https://github.com/mempool/mempool/blob/master/backend/src/config.ts
'';
};
database = {
name = mkOption {
type = types.str;
default = "mempool";
description = mdDoc "Database name.";
};
};
package = mkOption {
type = types.package;
default = nbPkgs.mempool-backend;
defaultText = "config.nix-bitcoin.pkgs.mempool-backend";
description = mdDoc "The package providing mempool binaries.";
};
user = mkOption {
type = types.str;
default = "mempool";
description = mdDoc "The user as which to run Mempool.";
};
group = mkOption {
type = types.str;
default = cfg.user;
description = mdDoc "The group as which to run Mempool.";
};
tor = nbLib.tor;
};
# Internal read-only options used by `./nodeinfo.nix` and `./onion-services.nix`
mempool-frontend = let
mkAlias = default: mkOption {
internal = true;
readOnly = true;
inherit default;
};
in {
enable = mkAlias cfg.frontend.enable;
address = mkAlias cfg.frontend.address;
port = mkAlias cfg.frontend.port;
};
};
cfg = config.services.mempool;
nbLib = config.nix-bitcoin.lib;
nbPkgs = config.nix-bitcoin.pkgs;
secretsDir = config.nix-bitcoin.secretsDir;
configFile = builtins.toFile "mempool-config" (builtins.toJSON cfg.settings);
cacheDir = "/var/cache/mempool";
inherit (config.services)
bitcoind
electrs
fulcrum;
torSocket = config.services.tor.client.socksListenAddress;
# See the `services.nginx` definition further below below
# on how to use these snippets.
frontend.nginxConfig = {
# This must be added to `services.nginx.commonHttpConfig` when
# `mempool/location-static.conf` is used
httpConfig = ''
include ${nbPkgs.mempool-nginx-conf}/mempool/http-language.conf;
'';
# This should be added to `services.nginx.virtualHosts.<mempool server name>.extraConfig`
staticContent = ''
index index.html;
add_header Cache-Control "public, no-transform";
add_header Vary Accept-Language;
add_header Vary Cookie;
include ${nbPkgs.mempool-nginx-conf}/mempool/location-static.conf;
# Redirect /api to /docs/api
location = /api {
return 308 https://$host/docs/api;
}
location = /api/ {
return 308 https://$host/docs/api;
}
'';
# This should be added to `services.nginx.virtualHosts.<mempool server name>.extraConfig`
proxyApi = let
backend = "http://${nbLib.addressWithPort cfg.address cfg.port}";
in ''
location /api/ {
proxy_pass ${backend}/api/v1/;
}
location /api/v1 {
proxy_pass ${backend};
}
# Websocket API
location /api/v1/ws {
proxy_pass ${backend};
# Websocket header settings
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
# Relevant settings from `recommendedProxyConfig` (nixos/nginx/default.nix)
# (In the above api locations, this are inherited from the parent scope)
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
'';
};
in {
inherit options;
config = mkIf cfg.enable {
services.bitcoind.txindex = true;
services.electrs.enable = mkIf (cfg.electrumServer == "electrs" ) true;
services.fulcrum.enable = mkIf (cfg.electrumServer == "fulcrum" ) true;
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = [ cfg.database.name ];
ensureUsers = [
{
name = cfg.user;
ensurePermissions."${cfg.database.name}.*" = "ALL PRIVILEGES";
}
];
};
# Available options:
# https://github.com/mempool/mempool/blob/master/backend/src/config.ts
services.mempool.settings = {
MEMPOOL = {
# mempool doesn't support regtest
NETWORK = "mainnet";
BACKEND = "electrum";
HTTP_PORT = cfg.port;
CACHE_DIR = "${cacheDir}/cache";
STDOUT_LOG_MIN_PRIORITY = mkDefault "info";
};
CORE_RPC = {
HOST = bitcoind.rpc.address;
PORT = bitcoind.rpc.port;
USERNAME = bitcoind.rpc.users.public.name;
PASSWORD = "@btcRpcPassword@";
};
ELECTRUM = let
server = config.services.${cfg.electrumServer};
in {
HOST = server.address;
PORT = server.port;
TLS_ENABLED = false;
};
DATABASE = {
ENABLED = true;
DATABASE = cfg.database.name;
SOCKET = "/run/mysqld/mysqld.sock";
};
} // optionalAttrs (cfg.tor.proxy) {
# Use Tor for rate fetching
SOCKS5PROXY = {
ENABLED = true;
USE_ONION = true;
HOST = torSocket.addr;
PORT = torSocket.port;
};
};
systemd.services.mempool = {
wantedBy = [ "multi-user.target" ];
requires = [ "${cfg.electrumServer}.service" ];
after = [ "${cfg.electrumServer}.service" "mysql.service" ];
preStart = ''
mkdir -p '${cacheDir}/cache'
<${configFile} sed \
-e "s|@btcRpcPassword@|$(cat ${secretsDir}/bitcoin-rpcpassword-public)|" \
> '${cacheDir}/config.json'
'';
environment.MEMPOOL_CONFIG_FILE = "${cacheDir}/config.json";
serviceConfig = nbLib.defaultHardening // {
ExecStart = "${cfg.package}/bin/mempool-backend";
CacheDirectory = "mempool";
CacheDirectoryMode = "770";
# Show "mempool" instead of "node" in the journal
SyslogIdentifier = "mempool";
User = cfg.user;
Restart = "on-failure";
RestartSec = "10s";
} // nbLib.allowedIPAddresses cfg.tor.enforce
// nbLib.nodejs;
};
services.nginx = mkIf cfg.frontend.enable {
enable = true;
enableReload = true;
recommendedBrotliSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = frontend.nginxConfig.httpConfig;
virtualHosts."mempool" = {
serverName = "_";
listen = [ { addr = cfg.frontend.address; port = cfg.frontend.port; } ];
root = cfg.frontend.staticContentRoot;
extraConfig =
frontend.nginxConfig.staticContent +
frontend.nginxConfig.proxyApi;
};
};
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
extraGroups = [ "bitcoinrpc-public" ];
};
users.groups.${cfg.group} = {};
};
}
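Review bot: in `systemd.services.mempool.preStart`, the RPC password is spliced straight into the sed replacement (`s|@btcRpcPassword@|$(cat ...)|`), so a secret containing `|`, `&` or `\` would yield a broken or altered `config.json`. Substitute the value with a tool that treats it literally, or document that generated passwords never contain those characters. The resulting `${cacheDir}/config.json` holds the password inside a directory created with `CacheDirectoryMode = "770"`, so set the file mode explicitly (for example `install -m 600`, or a `umask` at the top of `preStart`) rather than relying on inherited defaults. Two comment typos: "further below below" above `frontend.nginxConfig`, and "this are inherited" in the websocket location.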

View File

@ -14,13 +14,13 @@
./clightning-plugins ./clightning-plugins
./clightning-rest.nix ./clightning-rest.nix
./clightning-replication.nix ./clightning-replication.nix
./spark-wallet.nix
./lnd.nix ./lnd.nix
./lightning-loop.nix ./lightning-loop.nix
./lightning-pool.nix ./lightning-pool.nix
./charge-lnd.nix ./charge-lnd.nix
./lndconnect.nix # Requires onion-addresses.nix ./lndconnect.nix # Requires onion-addresses.nix
./rtl.nix ./rtl.nix
./mempool.nix
./electrs.nix ./electrs.nix
./fulcrum.nix ./fulcrum.nix
./liquid.nix ./liquid.nix

View File

@ -244,10 +244,6 @@ in {
id = 16; id = 16;
connections = [ "bitcoind" ]; connections = [ "bitcoind" ];
}; };
spark-wallet = {
id = 17;
# communicates with clightning over lightning-rpc socket
};
nginx = { nginx = {
id = 21; id = 21;
}; };
@ -299,7 +295,14 @@ in {
id = 31; id = 31;
connections = [ "bitcoind" ]; connections = [ "bitcoind" ];
}; };
# id = 32 reserved for the upcoming mempool module mempool = {
id = 32;
connections = [
"bitcoind"
"nginx"
(if (config.services.mempool.electrumServer == "electrs") then "electrs" else "fulcrum")
];
};
}; };
services.bitcoind = { services.bitcoind = {
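Review bot: in the new `mempool` netns entry, the `if ... == "electrs" then "electrs" else "fulcrum"` expression re-derives a value that `config.services.mempool.electrumServer` already appears to hold, since the mempool module uses it directly as `config.services.${cfg.electrumServer}`. Using the option value in `connections` would be shorter and would avoid a silent fallback to "fulcrum" if a third server is ever supported.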
@ -332,11 +335,6 @@ in {
services.fulcrum.address = netns.fulcrum.address; services.fulcrum.address = netns.fulcrum.address;
services.spark-wallet = {
address = netns.spark-wallet.address;
extraArgs = "--no-tls";
};
services.lightning-loop.rpcAddress = netns.lightning-loop.address; services.lightning-loop.rpcAddress = netns.lightning-loop.address;
services.nbxplorer.address = netns.nbxplorer.address; services.nbxplorer.address = netns.nbxplorer.address;
@ -358,6 +356,9 @@ in {
services.rtl.address = netns.rtl.address; services.rtl.address = netns.rtl.address;
services.clightning-rest.address = netns.clightning-rest.address; services.clightning-rest.address = netns.clightning-rest.address;
services.mempool.address = netns.mempool.address;
services.mempool.frontend.address = netns.nginx.address;
} }
]); ]);
} }

View File

@ -145,11 +145,16 @@ in {
clightning-rest = mkInfo ""; clightning-rest = mkInfo "";
electrs = mkInfo ""; electrs = mkInfo "";
fulcrum = mkInfo ""; fulcrum = mkInfo "";
spark-wallet = mkInfo "";
btcpayserver = mkInfo ""; btcpayserver = mkInfo "";
liquidd = mkInfo ""; liquidd = mkInfo "";
joinmarket-ob-watcher = mkInfo ""; joinmarket-ob-watcher = mkInfo "";
rtl = mkInfo ""; rtl = mkInfo "";
mempool = mkInfo "";
mempool-frontend = name: cfg: mkInfoLong {
inherit name cfg;
systemdServiceName = "nginx";
extraCode = "";
};
# Only add sshd when it has an onion service # Only add sshd when it has an onion service
sshd = name: cfg: mkIfOnionPort "sshd" (onionPort: '' sshd = name: cfg: mkIfOnionPort "sshd" (onionPort: ''
add_service("sshd", """info["onion_address"] = get_onion_address("sshd", ${onionPort})""") add_service("sshd", """info["onion_address"] = get_onion_address("sshd", ${onionPort})""")

View File

@ -0,0 +1,126 @@
{ config, lib, pkgs, ... }:
with lib;
let
options = {
services.lnd.nostr-wallet-connect = {
enable = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Add a `nostr-wallet-connect` binary to the system environment which prints
connection info for lnd clients.
See: https://github.com/getalby/nostr-wallet-connect
Usage:
```bash
# Print QR code
nostr-wallet-connect
# Print URL
nostr-wallet-connect --url
```
'';
};
onion = mkOption {
type = types.bool;
default = false;
description = mdDoc ''
Create an onion service for the lnd REST server,
which is used by nostr-wallet-connect.
'';
};
};
nix-bitcoin.mknostr-wallet-connect = mkOption {
readOnly = true;
default = mknostr-wallet-connect;
description = mdDoc ''
A function to create a nostr-wallet-connect binary.
See the source for further details.
'';
};
};
nbLib = config.nix-bitcoin.lib;
runAsUser = config.nix-bitcoin.runAsUserCmd;
inherit (config.services)
lnd;
mknostr-wallet-connect = {
name,
shebang ? "#!${pkgs.stdenv.shell} -e",
isClightning ? false,
port,
macaroonPath,
enableOnion,
onionService ? null,
certPath ? null
}:
# TODO-EXTERNAL:
# nostr-wallet-connect requires a --configfile argument, although it's unused
# https://github.com/LN-Zap/nostr-wallet-connect/issues/25
pkgs.hiPrio (pkgs.writeScriptBin name ''
${shebang}
url=$(
${getExe config.nix-bitcoin.pkgs.nostr-wallet-connect} --url \
${optionalString enableOnion "--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/${onionService})"} \
--port=${toString port} \
${if enableOnion || certPath == null then "--nocert" else "--tlscertpath='${certPath}'"} \
--adminmacaroonpath='${macaroonPath}' \
--configfile=/dev/null "$@"
)
# If --url is in args
if [[ " $* " =~ " --url " ]]; then
echo "$url"
else
# This UTF-8 encoding yields a smaller, more convenient output format
# compared to the native nostr-wallet-connect output
echo -n "$url" | ${getExe pkgs.qrencode} -t UTF8 -o -
fi
'');
operatorName = config.nix-bitcoin.operator.name;
in {
inherit options;
config = mkMerge [
(mkIf (lnd.enable && lnd.nostr-wallet-connect.enable)
(mkMerge [
{
environment.systemPackages = [(
mknostr-wallet-connect {
name = "nostr-wallet-connect";
# Run as lnd user because the macaroon and cert are not group-readable
shebang = "#!/usr/bin/env -S ${runAsUser} ${lnd.user} ${pkgs.bash}/bin/bash";
enableOnion = lnd.nostr-wallet-connect.onion;
onionService = "${lnd.user}/nwc-rest";
port = lnd.rpcPort;
certPath = lnd.certPath;
macaroonPath = "${lnd.networkDir}/admin.macaroon";
}
)];
services.lnd.restAddress = mkIf (!lnd.nostr-wallet-connect.onion) "0.0.0.0";
}
(mkIf lnd.nostr-wallet-connect.onion {
services.tor = {
enable = true;
relay.onionServices.nwc-rest = nbLib.mkOnionService {
target.addr = nbLib.address lnd.restAddress;
target.port = lnd.restPort;
port = lnd.restPort;
};
};
nix-bitcoin.onionAddresses.access = {
${lnd.user} = [ "nwc-rest" ];
${operatorName} = [ "nwc-rest" ];
};
})
]))
];
}
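Review bot: the wrapper is built with `port = lnd.rpcPort`, while the option text and the `nwc-rest` onion service both refer to the lnd REST server (`target.port = lnd.restPort`). Unless the client really needs the gRPC port, pass `lnd.restPort` so the printed URL matches the service that is exposed. With `onion = false` the module sets `services.lnd.restAddress` to "0.0.0.0" and prints a URL built from `admin.macaroon`, which grants full control of lnd; the option description should say that the listener must be firewalled and that the QR code or URL is a secret. Smaller points: `isClightning` is declared but never used, and the TODO-EXTERNAL link points at `LN-Zap/nostr-wallet-connect` while the description links `getalby/nostr-wallet-connect`.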

View File

@ -24,7 +24,6 @@ in {
(mkRenamedOptionModule [ "services" "bitcoind" "rpcthreads" ] [ "services" "bitcoind" "rpc" "threads" ]) (mkRenamedOptionModule [ "services" "bitcoind" "rpcthreads" ] [ "services" "bitcoind" "rpc" "threads" ])
(mkRenamedOptionModule [ "services" "clightning" "bind-addr" ] [ "services" "clightning" "address" ]) (mkRenamedOptionModule [ "services" "clightning" "bind-addr" ] [ "services" "clightning" "address" ])
(mkRenamedOptionModule [ "services" "clightning" "bindport" ] [ "services" "clightning" "port" ]) (mkRenamedOptionModule [ "services" "clightning" "bindport" ] [ "services" "clightning" "port" ])
(mkRenamedOptionModule [ "services" "spark-wallet" "host" ] [ "services" "spark-wallet" "address" ])
(mkRenamedOptionModule [ "services" "lnd" "rpclisten" ] [ "services" "lnd" "rpcAddress" ]) (mkRenamedOptionModule [ "services" "lnd" "rpclisten" ] [ "services" "lnd" "rpcAddress" ])
(mkRenamedOptionModule [ "services" "lnd" "listen" ] [ "services" "lnd" "address" ]) (mkRenamedOptionModule [ "services" "lnd" "listen" ] [ "services" "lnd" "address" ])
(mkRenamedOptionModule [ "services" "lnd" "listenPort" ] [ "services" "lnd" "port" ]) (mkRenamedOptionModule [ "services" "lnd" "listenPort" ] [ "services" "lnd" "port" ])
@ -75,7 +74,6 @@ in {
"lightning-pool" "lightning-pool"
"liquid" "liquid"
"lnd" "lnd"
"spark-wallet"
"bitcoind" "bitcoind"
]) ++ ]) ++
(map mkRenamedEnforceTorOption [ (map mkRenamedEnforceTorOption [
@ -84,21 +82,32 @@ in {
"electrs" "electrs"
]) ++ ]) ++
# 0.0.77 # 0.0.77
( [
let (mkRemovedOptionModule [ "services" "clightning" "plugins" "commando" ] ''
optionName = [ "services" "clightning" "plugins" "commando" ];
in [
(mkRemovedOptionModule (optionName ++ [ "enable" ]) ''
clightning 0.12.0 ships with a reimplementation of the commando plugin clightning 0.12.0 ships with a reimplementation of the commando plugin
that is incompatible with the commando module that existed in that is incompatible with the commando module that existed in
nix-bitcoin. The new built-in commando plugin is always enabled. For nix-bitcoin. The new built-in commando plugin is always enabled. For
information on how to use it, run `lightning-cli help commando` and information on how to use it, run `lightning-cli help commando` and
`lightning-cli help commando-rune`. `lightning-cli help commando-rune`.
'') '')
(mkRemovedOptionModule (optionName ++ [ "readers" ]) "") ] ++
(mkRemovedOptionModule (optionName ++ [ "writers" ]) "") # 0.0.92
]); [
(mkRemovedOptionModule [ "services" "spark-wallet" ] ''
Spark Lightning Wallet is unmaintained and incompatible with clightning
23.05. Therefore, the spark-wallet module has been removed from
nix-bitcoin. For a replacement, consider using the rtl (Ride The
Lightning) module or the clightning-rest module in combination with the
Zeus mobile wallet.
'')
]
++
# 0.0.98
[
(mkRemovedOptionModule [ "services" "clightning" "plugins" "clboss" "acknowledgeDeprecation" ] ''
`clboss` is maintained again and has been un-deprecated.
'')
];
config = { config = {
# Migrate old clightning-rest datadir from nix-bitcoin versions < 0.0.70 # Migrate old clightning-rest datadir from nix-bitcoin versions < 0.0.70
systemd.services.clightning-rest-migrate-datadir = let systemd.services.clightning-rest-migrate-datadir = let

View File

@ -104,15 +104,6 @@ in {
# Set sensible defaults for some services # Set sensible defaults for some services
{ {
nix-bitcoin.onionServices = { nix-bitcoin.onionServices = {
spark-wallet = {
externalPort = 80;
# Enable 'public' by default, but don't auto-enable the onion service.
# When the onion service is enabled, 'public' lets spark-wallet generate
# a QR code for accessing the web interface.
public = true;
# Low priority so we can override this with mkDefault in ./presets/enable-tor.nix
enable = mkOverride 1400 false;
};
btcpayserver = { btcpayserver = {
externalPort = 80; externalPort = 80;
}; };
@ -122,6 +113,9 @@ in {
rtl = { rtl = {
externalPort = 80; externalPort = 80;
}; };
mempool-frontend = {
externalPort = 80;
};
}; };
} }
]; ];

View File

@ -26,8 +26,8 @@ in {
# TODO-EXTERNAL: # TODO-EXTERNAL:
# disable Tor enforcement until btcpayserver can fetch rates over Tor # disable Tor enforcement until btcpayserver can fetch rates over Tor
# btcpayserver = defaultEnableTorProxy; # btcpayserver = defaultEnableTorProxy;
spark-wallet = defaultEnableTorProxy;
lightning-pool = defaultEnableTorProxy; lightning-pool = defaultEnableTorProxy;
mempool = defaultEnableTorProxy;
# These services don't make outgoing connections # These services don't make outgoing connections
# (or use Tor by default in case of joinmarket) # (or use Tor by default in case of joinmarket)
@ -48,7 +48,6 @@ in {
liquidd.enable = defaultTrue; liquidd.enable = defaultTrue;
electrs.enable = defaultTrue; electrs.enable = defaultTrue;
fulcrum.enable = defaultTrue; fulcrum.enable = defaultTrue;
spark-wallet.enable = defaultTrue;
joinmarket-ob-watcher.enable = defaultTrue; joinmarket-ob-watcher.enable = defaultTrue;
rtl.enable = defaultTrue; rtl.enable = defaultTrue;
}; };

View File

@ -25,6 +25,7 @@ in {
# Use doas instead of sudo # Use doas instead of sudo
security.doas.enable = true; security.doas.enable = true;
security.sudo.enable = false; security.sudo.enable = false;
environment.shellAliases.sudo = "doas";
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
jq jq

View File

@ -183,8 +183,14 @@ in {
# Listen on all addresses, including `serverAddress`. # Listen on all addresses, including `serverAddress`.
# This is safe because the listen ports are secured by the firewall. # This is safe because the listen ports are secured by the firewall.
services.lnd.restAddress = mkIf lndconnect "0.0.0.0"; services.lnd = mkIf lndconnect {
restAddress = "0.0.0.0";
tor.enforce = false;
};
services.clightning-rest = mkIf lndconnect-clightning {
# clightning-rest always listens on "0.0.0.0" # clightning-rest always listens on "0.0.0.0"
tor.enforce = false;
};
nix-bitcoin.secrets = { nix-bitcoin.secrets = {
wg-server-private-key = {}; wg-server-private-key = {};
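Review bot: `tor.enforce = false` is now set for `services.lnd` and `services.clightning-rest`, but the only justification in the hunk ("This is safe because the listen ports are secured by the firewall") covers the listen address, not the removal of Tor enforcement. Add a comment explaining why enforcement has to be switched off for these two services when lndconnect is enabled, and what that means for their other connections.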

View File

@ -189,7 +189,7 @@ in {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = optional cfg.nodes.clightning.enable "clightning-rest.service" ++ requires = optional cfg.nodes.clightning.enable "clightning-rest.service" ++
optional cfg.nodes.lnd.enable "lnd.service"; optional cfg.nodes.lnd.enable "lnd.service";
after = requires; after = requires ++ [ "nix-bitcoin-secrets.target" ];
environment.RTL_CONFIG_PATH = cfg.dataDir; environment.RTL_CONFIG_PATH = cfg.dataDir;
environment.DB_DIRECTORY_PATH = cfg.dataDir; environment.DB_DIRECTORY_PATH = cfg.dataDir;
serviceConfig = nbLib.defaultHardening // { serviceConfig = nbLib.defaultHardening // {

View File

@ -80,6 +80,7 @@ let
rpcauth = pkgs.writers.writeBash "rpcauth" '' rpcauth = pkgs.writers.writeBash "rpcauth" ''
exec ${pkgs.python3}/bin/python ${rpcauthSrc} "$@" exec ${pkgs.python3}/bin/python ${rpcauthSrc} "$@"
''; '';
# Writes secrets to PWD
in pkgs.writers.writeBash "generate-secrets" '' in pkgs.writers.writeBash "generate-secrets" ''
set -euo pipefail set -euo pipefail

View File

@ -1,98 +0,0 @@
{ config, lib, pkgs, ... }:
with lib;
let
options.services.spark-wallet = {
enable = mkEnableOption "spark-wallet";
address = mkOption {
type = types.str;
default = "localhost";
description = mdDoc "http(s) server address.";
};
port = mkOption {
type = types.port;
default = 9737;
description = mdDoc "http(s) server port.";
};
extraArgs = mkOption {
type = types.separatedString " ";
default = "";
description = mdDoc "Extra command line arguments passed to spark-wallet.";
};
getPublicAddressCmd = mkOption {
type = types.str;
default = "";
description = mdDoc ''
Bash expression which outputs the public service address.
If set, spark-wallet prints a QR code to the systemd journal which
encodes an URL for accessing the web interface.
'';
};
user = mkOption {
type = types.str;
default = "spark-wallet";
description = mdDoc "The user as which to run spark-wallet.";
};
group = mkOption {
type = types.str;
default = cfg.user;
description = mdDoc "The group as which to run spark-wallet.";
};
tor = nbLib.tor;
};
cfg = config.services.spark-wallet;
nbLib = config.nix-bitcoin.lib;
clightning = config.services.clightning;
# Use wasabi rate provider because the default (bitstamp) doesn't accept
# connections through Tor
torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.nix-bitcoin.torClientAddressWithPort}";
startScript = ''
${optionalString (cfg.getPublicAddressCmd != "") ''
publicURL=(--public-url "http://$(${cfg.getPublicAddressCmd})")
''}
exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \
--ln-path '${clightning.networkDir}' \
--host ${cfg.address} --port ${toString cfg.port} \
--config '${config.nix-bitcoin.secretsDir}/spark-wallet-login' \
${optionalString cfg.tor.proxy torRateProvider} \
${optionalString (cfg.getPublicAddressCmd != "") ''"''${publicURL[@]}"''} \
--pairing-qr --print-key ${cfg.extraArgs}
'';
in {
inherit options;
config = mkIf cfg.enable {
services.clightning.enable = true;
systemd.services.spark-wallet = {
wantedBy = [ "multi-user.target" ];
requires = [ "clightning.service" ];
after = [ "clightning.service" ];
script = startScript;
serviceConfig = nbLib.defaultHardening // {
User = cfg.user;
Restart = "on-failure";
RestartSec = "10s";
} // nbLib.allowedIPAddresses cfg.tor.enforce
// nbLib.nodejs;
};
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
extraGroups = [ clightning.group ];
};
users.groups.${cfg.group} = {};
nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;
nix-bitcoin.generateSecretsCmds.spark-wallet = ''
makePasswordSecret spark-wallet-password
if [[ spark-wallet-password -nt spark-wallet-login ]]; then
echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
fi
'';
};
}

View File

@ -11,13 +11,16 @@ let
nix-bitcoin.configVersion = mkOption { nix-bitcoin.configVersion = mkOption {
type = with types; nullOr str; type = with types; nullOr str;
default = null; default = null;
example = "0.0.92";
description = mdDoc '' description = mdDoc ''
Set this option to the nix-bitcoin release version that your config is The nix-bitcoin release version that your config is compatible with.
compatible with.
When upgrading to a backwards-incompatible release, nix-bitcoin will throw an When upgrading to a backwards-incompatible release, nix-bitcoin will throw an
error during evaluation and provide instructions for migrating your config to error during evaluation and provide instructions for migrating your config to
the new release. the new release.
Once set, you only need to update this option when explicitly told to in an
error message during evaluation.
''; '';
}; };
}; };

View File

@ -1,7 +1,7 @@
# This is a modified version of # This is a modified version of
# https://github.com/NixOS/nixpkgs/pull/128749 # https://github.com/NixOS/nixpkgs/pull/128749
{ lib, stdenvNoCC, makeWrapper, nodejs }: { lib, stdenvNoCC, makeWrapper, nodejs, cacert }:
{ src { src
, hash ? "" , hash ? ""
@ -25,6 +25,9 @@ stdenvNoCC.mkDerivation ({
phases = "unpackPhase patchPhase buildPhase installPhase"; phases = "unpackPhase patchPhase buildPhase installPhase";
# npm doesn't support var `SSL_CERT_FILE`.
NODE_EXTRA_CA_CERTS = "${cacert}/etc/ssl/certs/ca-bundle.crt";
buildPhase = '' buildPhase = ''
runHook preBuild runHook preBuild

View File

@ -1,24 +1,34 @@
{ lib, stdenv, fetchurl, pkgconfig, curl, libev, sqlite }: { lib, stdenv, fetchFromGitHub, autoconf-archive, autoreconfHook, pkg-config, curl, libev, sqlite }:
let let
curlWithGnuTLS = curl.override { gnutlsSupport = true; opensslSupport = false; }; curlWithGnuTLS = curl.override { gnutlsSupport = true; opensslSupport = false; };
in in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "clboss"; pname = "clboss";
version = "0.13A"; version = "0.13";
src = fetchurl { src = fetchFromGitHub {
url = "https://github.com/ZmnSCPxj/clboss/releases/download/${version}/clboss-${version}.tar.gz"; owner = "ZmnSCPxj";
hash = "sha256-LTDJrm9Mk4j7Z++tKJKawEurgF1TnYuIoj+APbDHll4="; repo = "clboss";
rev = "v${version}";
hash = "sha256-NP9blymdqDXo/OtGLQg/MXK24PpPvCrzqXRdtfCvpfI=";
}; };
nativeBuildInputs = [ pkgconfig libev curlWithGnuTLS sqlite ]; nativeBuildInputs = [
autoreconfHook
autoconf-archive
pkg-config
libev
curlWithGnuTLS
sqlite
];
enableParallelBuilding = true; enableParallelBuilding = true;
meta = with lib; { meta = with lib; {
description = "Automated C-Lightning Node Manager"; description = "Automated C-Lightning Node Manager";
homepage = "https://github.com/ZmnSCPxj/clboss"; homepage = "https://github.com/ZmnSCPxj/clboss";
changelog = "https://github.com/ZmnSCPxj/clboss/blob/v${version}/ChangeLog";
license = licenses.mit; license = licenses.mit;
maintainers = with maintainers; [ nixbitcoin ]; maintainers = with maintainers; [ nixbitcoin ];
platforms = platforms.linux; platforms = platforms.linux;

View File

@ -6,8 +6,8 @@ let
src = pkgs.fetchFromGitHub { src = pkgs.fetchFromGitHub {
owner = "lightningd"; owner = "lightningd";
repo = "plugins"; repo = "plugins";
rev = "e625369423b00c70b23641662f62ccd898286edc"; rev = "ce078bb74e10b5dea779fcd9fbe77e1d3e72db7a";
sha256 = "04f30xlfr7pgdmdgka87x7sc9j82wc4zv7fbiqrjsc83dkmly81i"; hash = "sha256-SCHSJzXe1l14hVT47SU3lWDxKCKwwICjXjSDpjUX96U";
}; };
version = builtins.substring 0 7 src.rev; version = builtins.substring 0 7 src.rev;
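Review bot: the new `hash = "sha256-SCHSJzXe1l14hVT47SU3lWDxKCKwwICjXjSDpjUX96U"` is missing the trailing `=` padding that every other SRI hash in this change carries. Please write it in the padded form so the value can be compared directly with tool output.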
@ -31,7 +31,7 @@ let
description = "Lightning node exporter for the prometheus timeseries server"; description = "Lightning node exporter for the prometheus timeseries server";
extraPkgs = [ prometheus_client ]; extraPkgs = [ prometheus_client ];
patchRequirements = patchRequirements =
"--replace prometheus-client==0.6.0 prometheus-client==0.15.0" "--replace prometheus-client==0.6.0 prometheus-client==0.17.1"
+ " --replace pyln-client~=0.9.3 pyln-client~=23.02"; + " --replace pyln-client~=0.9.3 pyln-client~=23.02";
}; };
rebalance = { rebalance = {
@ -68,7 +68,7 @@ let
# Check that requirements are met # Check that requirements are met
PYTHONPATH='${toString python}/${python.sitePackages}' \ PYTHONPATH='${toString python}/${python.sitePackages}' \
${pkgs.python3Packages.pip}/bin/pip install -r requirements.txt --no-cache --no-index ${pkgs.python3Packages.pip}/bin/pip install -r requirements.txt --no-cache --no-index --break-system-packages
chmod +x '${script}' chmod +x '${script}'
patchShebangs '${script}' patchShebangs '${script}'

View File

@ -1,7 +1,7 @@
{ lib { lib
, stdenvNoCC , stdenvNoCC
, nodejs-16_x , nodejs-18_x
, nodejs-slim-16_x , nodejs-slim-18_x
, fetchNodeModules , fetchNodeModules
, fetchurl , fetchurl
, makeWrapper , makeWrapper
@ -9,20 +9,20 @@
}: }:
let self = stdenvNoCC.mkDerivation { let self = stdenvNoCC.mkDerivation {
pname = "clightning-rest"; pname = "clightning-rest";
version = "0.9.0"; version = "0.10.7";
src = fetchurl { src = fetchurl {
url = "https://github.com/Ride-The-Lightning/c-lightning-REST/archive/refs/tags/v${self.version}.tar.gz"; url = "https://github.com/Ride-The-Lightning/c-lightning-REST/archive/refs/tags/v${self.version}.tar.gz";
hash = "sha256-1thorV/UivDDH7oqjfm8VTd47LYSGooR2yEoETgBOH4="; hash = "sha256-m/djMQk+g994GaTW/yysD/eVgWcqY8cap41tot0UElI=";
}; };
passthru = { passthru = {
nodejs = nodejs-16_x; nodejs = nodejs-18_x;
nodejsRuntime = nodejs-slim-16_x; nodejsRuntime = nodejs-slim-18_x;
nodeModules = fetchNodeModules { nodeModules = fetchNodeModules {
inherit (self) src nodejs; inherit (self) src nodejs;
hash = "sha256-rQrAt2BDmNMUCVWxTJN3qoPonKlRWeJ8C4ZvF/gPygk="; hash = "sha256-Dz4/kR4X34idfuPFFQJYE8yGIR3OSseDnkAhqbZ6iEI=";
}; };
}; };

View File

@ -2,7 +2,7 @@
set -euo pipefail set -euo pipefail
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@" . "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
version="0.9.0" version="0.10.7"
repo=https://github.com/Ride-The-Lightning/c-lightning-REST repo=https://github.com/Ride-The-Lightning/c-lightning-REST
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd) scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)

View File

@ -17,9 +17,12 @@ let self = {
lndinit = pkgs.callPackage ./lndinit { }; lndinit = pkgs.callPackage ./lndinit { };
liquid-swap = pkgs.python3Packages.callPackage ./liquid-swap { }; liquid-swap = pkgs.python3Packages.callPackage ./liquid-swap { };
rtl = pkgs.callPackage ./rtl { inherit (self) fetchNodeModules; }; rtl = pkgs.callPackage ./rtl { inherit (self) fetchNodeModules; };
inherit (pkgs.callPackage ./mempool { inherit (self) fetchNodeModules; })
mempool-backend
mempool-frontend
mempool-nginx-conf;
# The secp256k1 version used by joinmarket # The secp256k1 version used by joinmarket
secp256k1 = pkgs.callPackage ./secp256k1 { }; secp256k1 = pkgs.callPackage ./secp256k1 { };
spark-wallet = pkgs.callPackage ./spark-wallet { };
trustedcoin = pkgs.callPackage ./trustedcoin { }; trustedcoin = pkgs.callPackage ./trustedcoin { };
pyPkgs = import ./python-packages self pkgs.python3; pyPkgs = import ./python-packages self pkgs.python3;

View File

@ -1,10 +1,12 @@
{ stdenv, lib, fetchurl, python3, nbPython3PackagesJoinmarket }: { stdenv, lib, fetchFromGitHub, python3, nbPython3PackagesJoinmarket }:
let let
version = "0.9.8"; version = "0.9.10";
src = fetchurl { src = fetchFromGitHub {
url = "https://github.com/JoinMarket-Org/joinmarket-clientserver/archive/v${version}.tar.gz"; owner = "joinmarket-org";
sha256 = "1ab4smpyx966iiiip3g11bcslya37qhac1kgkbmsmlsdkpilw9di"; repo = "joinmarket-clientserver";
rev = "v${version}";
hash = "sha256-uNweI7VKC16CFn8MNOAvadcSnTjK/Fznfy4qctM5PR8=";
}; };
runtimePackages = with nbPython3PackagesJoinmarket; [ runtimePackages = with nbPython3PackagesJoinmarket; [

View File

@ -1,25 +1,25 @@
#!/usr/bin/env bash #!/usr/bin/env nix-shell
#!nix-shell -i bash -p git gnupg jq
set -euo pipefail set -euo pipefail
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "git gnupg" "$@" newVersion=$(curl -s "https://api.github.com/repos/joinmarket-org/joinmarket-clientserver/releases" | jq -r '.[0].tag_name')
TMPDIR="$(mktemp -d -p /tmp)" # Fetch release and GPG-verify the content hash
trap 'rm -rf $TMPDIR' EXIT tmpdir=$(mktemp -d /tmp/joinmarket-verify-gpg.XXX)
cd "$TMPDIR" repo=$tmpdir/repo
git clone --depth 1 --branch "${newVersion}" -c advice.detachedHead=false https://github.com/joinmarket-org/joinmarket-clientserver "$repo"
echo "Fetching latest release" export GNUPGHOME=$tmpdir
git clone https://github.com/joinmarket-org/joinmarket-clientserver 2> /dev/null
cd joinmarket-clientserver
latest=$(git describe --tags "$(git rev-list --tags --max-count=1)")
echo "Latest release is $latest"
# GPG verification
export GNUPGHOME=$TMPDIR
echo "Fetching Adam Gibson's key" echo "Fetching Adam Gibson's key"
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 2B6FC204D9BF332D062B461A141001A1AF77F20B 2> /dev/null
echo "Verifying latest release" echo "Fetch Kristaps Kaupe's key"
git verify-tag "$latest" gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 70A1D47DD44F59DF8B22244333E472FE870C7E5D 2> /dev/null
echo
echo "Verifying commit"
git -C "$repo" verify-commit HEAD
rm -rf "$repo"/.git
newHash=$(nix hash path "$repo")
rm -rf "$tmpdir"
echo
echo "tag: $latest" echo "tag: $newVersion"
# The prefix option is necessary because GitHub prefixes the archive contents in this format echo "hash: $newHash"
echo "sha256: $(nix-hash --type sha256 --flat --base32 \
<(git archive --format tar.gz --prefix=joinmarket-clientserver-"${latest//v}"/ "$latest"))"
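Review bot: the new `#!nix-shell -i bash -p git gnupg jq` line does not provide `curl`, which the script now calls to determine `newVersion`, so the script depends on whatever `curl` is on the caller's PATH; add it to the `-p` list. The old `trap 'rm -rf $TMPDIR' EXIT` is gone, and with `set -euo pipefail` a failed `git verify-commit` exits before `rm -rf "$tmpdir"`, leaving the clone and the temporary GnuPG home in /tmp; restoring the trap fixes that. `newVersion` comes from an unauthenticated API response, which is acceptable only because `verify-commit` runs against the two pinned fingerprints, and a short comment saying so would help. Nit: "Fetch Kristaps Kaupe's key" should read "Fetching" to match the line above.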

View File

@ -41,8 +41,12 @@ let self = {
RestrictAddressFamilies = self.defaultHardening.RestrictAddressFamilies + " AF_NETLINK"; RestrictAddressFamilies = self.defaultHardening.RestrictAddressFamilies + " AF_NETLINK";
}; };
# nodejs applications require memory write execute for JIT compilation nodejs = {
nodejs = { MemoryDenyWriteExecute = false; }; # Required for JIT compilation
MemoryDenyWriteExecute = false;
# Required by nodejs >= 18
SystemCallFilter = self.defaultHardening.SystemCallFilter ++ [ "@pkey" ];
};
# Allow takes precedence over Deny. # Allow takes precedence over Deny.
allowLocalIPAddresses = { allowLocalIPAddresses = {

View File

@ -11,7 +11,7 @@ buildGoModule rec {
sha256 = "sha256-sO1DpbppCurxr9g9nUl9Vx82FJK1mTcUw3rY1Fm1wEU="; sha256 = "sha256-sO1DpbppCurxr9g9nUl9Vx82FJK1mTcUw3rY1Fm1wEU=";
}; };
vendorSha256 = "sha256-El44BS5Bu0K/klMxkajciU/R6uqiXBMOiLN536QztbE="; vendorHash = "sha256-El44BS5Bu0K/klMxkajciU/R6uqiXBMOiLN536QztbE=";
subPackages = [ "." ]; subPackages = [ "." ];

143
pkgs/mempool/default.nix Normal file
View File

@ -0,0 +1,143 @@
{ lib
, stdenvNoCC
, nodejs-18_x
, nodejs-slim-18_x
, fetchFromGitHub
, fetchNodeModules
, runCommand
, makeWrapper
, curl
, cacert
, rsync
}:
rec {
nodejs = nodejs-18_x;
nodejsRuntime = nodejs-slim-18_x;
src = fetchFromGitHub {
owner = "mempool";
repo = "mempool";
rev = "v2.5.0";
hash = "sha256-8HmfytxRte3fQ0QKOljUVk9YAuaXhQQWuv3EFNmOgfQ=";
};
nodeModules = {
frontend = fetchNodeModules {
inherit src nodejs;
preBuild = "cd frontend";
hash = "sha256-/Z0xNvob7eMGpzdUWolr47vljpFiIutZpGwd0uYhPWI=";
};
backend = fetchNodeModules {
inherit src nodejs;
preBuild = "cd backend";
hash = "sha256-HpzzSTuSRWDWGbctVhTcUA01if/7OTI4xN3DAbAAX+U=";
};
};
frontendAssets = fetchFiles {
name = "mempool-frontend-assets";
hash = "sha256-3TmulAfzJJMf0UFhnHEqjAnzc1TNC5DM2XcsU7eyinY=";
fetcher = ./frontend-assets-fetch.sh;
};
mempool-backend = mkDerivationMempool {
pname = "mempool-backend";
buildPhase = ''
cd backend
${sync} --chmod=+w ${nodeModules.backend}/lib/node_modules .
patchShebangs node_modules
npm run package
runHook postBuild
'';
installPhase = ''
mkdir -p $out/lib/mempool-backend
${sync} package/ $out/lib/mempool-backend
makeWrapper ${nodejsRuntime}/bin/node $out/bin/mempool-backend \
--add-flags $out/lib/mempool-backend/index.js
runHook postInstall
'';
passthru = {
inherit nodejs nodejsRuntime;
};
};
mempool-frontend = mkDerivationMempool {
pname = "mempool-frontend";
buildPhase = ''
cd frontend
${sync} --chmod=+w ${nodeModules.frontend}/lib/node_modules .
patchShebangs node_modules
# sync-assets.js is called during `npm run build` and downloads assets from the
# internet. Disable this script and instead add the assets manually after building.
: > sync-assets.js
# If this produces incomplete output (when run in a different build setup),
# see https://github.com/mempool/mempool/issues/1256
npm run build
# Add assets that would otherwise be downloaded by sync-assets.js
${sync} ${frontendAssets}/ dist/mempool/browser/resources
runHook postBuild
'';
installPhase = ''
${sync} dist/mempool/browser/ $out
runHook postInstall
'';
passthru = { assets = frontendAssets; };
};
mempool-nginx-conf = runCommand "mempool-nginx-conf" {} ''
${sync} --chmod=u+w ${./nginx-conf}/ $out
${sync} ${src}/production/nginx/http-language.conf $out/mempool
'';
sync = "${rsync}/bin/rsync -a --inplace";
mkDerivationMempool = args: stdenvNoCC.mkDerivation ({
version = src.rev;
inherit src meta;
nativeBuildInputs = [
makeWrapper
nodejs
rsync
];
phases = "unpackPhase patchPhase buildPhase installPhase";
} // args);
fetchFiles = { name, hash, fetcher }: stdenvNoCC.mkDerivation {
inherit name;
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = hash;
nativeBuildInputs = [ curl cacert ];
buildCommand = ''
mkdir $out
cd $out
${builtins.readFile fetcher}
'';
};
meta = with lib; {
description = "Bitcoin blockchain and mempool explorer";
homepage = "https://github.com/mempool/mempool/";
license = licenses.agpl3Plus;
maintainers = with maintainers; [ erikarvstedt ];
platforms = platforms.unix;
};
}
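
Review bot: In `mkDerivationMempool`, `phases = "unpackPhase patchPhase buildPhase installPhase";` leaves out the fixup phase, and both `buildPhase` bodies end with `runHook postBuild` without a matching `runHook preBuild` (the same holds for `preInstall` in the install phases), so hooks that an override attaches there never run. Either add the `pre*` hook calls or add a comment explaining why the phase list is restricted.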

@ -0,0 +1,31 @@
#!/usr/bin/env bash
set -euo pipefail
# Fetch hash-locked versions of assets that are dynamically fetched via
# https://github.com/mempool/mempool/blob/master/frontend/sync-assets.js
# when running `npm run build` in the frontend.
#
# This file is updated by ./frontend-assets-update.sh
declare -A revs=(
["mempool/mining-pools"]=e889230b0924d7d72eb28186db6f96ef94361fa5
["mempool/mining-pool-logos"]=9cb443035878c3f112af97384d624de245afe72d
)
fetchFile() {
repo=$1
file=$2
rev=${revs["$repo"]}
curl -fsS "https://raw.githubusercontent.com/$repo/$rev/$file"
}
fetchRepo() {
repo=$1
rev=${revs["$repo"]}
curl -fsSL "https://github.com/$repo/archive/$rev.tar.gz"
}
# shellcheck disable=SC2094
fetchFile "mempool/mining-pools" pools.json > pools.json
mkdir mining-pools
fetchRepo "mempool/mining-pool-logos" | tar xz --strip-components=1 -C mining-pools
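
Review bot: `repo`, `file` and `rev` in `fetchFile` and `fetchRepo` are assigned without `local`. default.nix inlines this script into `buildCommand` through `builtins.readFile`, so they become globals of the builder shell; declare them `local`. Since `fetchRepo` follows redirects with `-L`, adding `--proto-redir =https` would keep a redirect from downgrading to plain HTTP, even though the fixed-output hash already covers integrity of the result.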

@ -0,0 +1,14 @@
#!/usr/bin/env bash
set -euo pipefail
updateRepoHash() {
repo=$1
echo -n "Fetching latest rev for $repo: "
hash=$(curl -fsS "https://api.github.com/repos/$repo/commits/master" | jq -r '.sha')
echo "$hash"
sed -i -E "s|( +)\[\"$repo(.*)|\1[\"$repo\"]=$hash|" frontend-assets-fetch.sh
}
<frontend-assets-fetch.sh sed -nE 's| +\["([^"]+).*|\1|p' | while read -r repo; do
updateRepoHash "$repo"
done
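
Review bot: The `sed` expression in `updateRepoHash` matches `\[\"$repo(.*)` with no closing quote after `$repo`, so a key that merely starts with the same string would be rewritten to this repo's name and rev. Anchor it as `\[\"$repo\"\]=.*`. Also, `jq -r '.sha'` prints `null` and exits 0 when the field is missing, and that value would then be written into frontend-assets-fetch.sh; `jq -er` makes that case fail under `set -e`.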

pkgs/mempool/generate.sh Executable file

@ -0,0 +1,71 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p gnupg gnused jq
set -euo pipefail
# Use this to start a debug shell at the location of this statement
# . "${BASH_SOURCE[0]%/*}/../../helper/start-bash-session.sh"
version=2.5.0
# You can also specify a rev instead:
# rev=57eddac7f0b99b4fe84d91c0f4a50a4f7ccfe55f
owner=mempool
repo=https://github.com/$owner/mempool
cd "${BASH_SOURCE[0]%/*}"
updateSrc() {
TMPDIR="$(mktemp -d /tmp/mempool.XXX)"
trap 'rm -rf $TMPDIR' EXIT
# Fetch and verify source
src=$TMPDIR/src
mkdir -p "$src"
if [[ -v rev ]]; then
# Fetch revision
git -C "$src" init
git -C "$src" fetch --depth 1 "$repo" "$rev:src"
git -C "$src" checkout src
else
tag=v$version
# Fetch and GPG-verify version tag
git clone --depth 1 --branch "$tag" -c advice.detachedHead=false $repo "$src"
git -C "$src" checkout tags/$tag
export GNUPGHOME=$TMPDIR
# Fetch wiz' key
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 913C5FF1F579B66CA10378DBA394E332255A6173 2> /dev/null
git -C "$src" verify-tag $tag
rev=$tag
fi
rm -rf "$src"/.git
hash=$(nix hash path "$src")
sed -i "
s|\bowner = .*;|owner = \"$owner\";|
s|\brev = .*;|rev = \"$rev\";|
s|\bhash = .*;|hash = \"$hash\";|
" default.nix
}
updateNodeModulesHash() {
component=$1
echo
echo "Fetching node modules for mempool-$component"
../../helper/update-fixed-output-derivation.sh ./default.nix mempool-"$component" "cd $component"
}
updateFrontendAssets() {
. ./frontend-assets-update.sh
echo
echo "Fetching frontend assets"
../../helper/update-fixed-output-derivation.sh ./default.nix mempool-frontend.assets "frontendAssets"
}
if [[ $# == 0 ]]; then
# Each of these can be run separately
updateSrc
updateFrontendAssets
updateNodeModulesHash backend
updateNodeModulesHash frontend
else
"$@"
fi
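
Review bot: The `[[ -v rev ]]` branch of `updateSrc` fetches and checks out the revision without any signature check, while only the tag branch runs `git verify-tag`, so an update by `rev` pins unverified source. Run `git verify-commit` in that branch as well, or state in the comment next to `rev=` that this path is unverified. Smaller points: `$repo` and `$tag` are unquoted in the `git clone`, `checkout` and `verify-tag` lines, and the three `sed` expressions have no address, so `s|\bhash = .*;|...|` rewrites every `hash = ...;` line in default.nix, not only the one in `src`.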

@ -0,0 +1,44 @@
# see order of nginx location rules
# https://stackoverflow.com/questions/5238377/nginx-location-priority
# for exact / requests, redirect based on $lang
# cache redirect for 5 minutes
location = / {
if ($lang != '') {
return 302 $scheme://$host/$lang/;
}
try_files /en-US/index.html =404;
expires 5m;
}
# cache /<lang>/main.f40e91d908a068a2.js forever since they never change
location ~ ^/([a-z][a-z])/(.+\..+\.(js|css)) {
try_files $uri =404;
expires 1y;
}
# cache everything else for 5 minutes
location ~ ^/([a-z][a-z])$ {
try_files $uri /$1/index.html /en-US/index.html =404;
expires 5m;
}
location ~ ^/([a-z][a-z])/ {
try_files $uri /$1/index.html /en-US/index.html =404;
expires 5m;
}
# cache /resources/** for 1 week since they don't change often
location /resources {
try_files $uri /en-US/index.html;
expires 1w;
}
# cache /main.f40e91d908a068a2.js forever since they never change
location ~* ^/.+\..+\.(js|css) {
try_files /$lang/$uri /en-US/$uri =404;
expires 1y;
}
# catch-all for all URLs i.e. /address/foo /tx/foo /block/000
# cache 5 minutes since they change frequently
location / {
try_files /$lang/$uri $uri /en-US/$uri /en-US/index.html =404;
expires 5m;
}
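
Review bot: The two asset patterns `^/([a-z][a-z])/(.+\..+\.(js|css))` and `^/.+\..+\.(js|css)` have no `$` anchor, so they also match URIs that only begin with such a segment, for example `/main.abc.json` or `/styles.abc.css.map`, and give them `expires 1y`. If the intent is hashed bundles only, as the comments say, end both patterns with `$`.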

@ -0,0 +1,44 @@
access_log /var/log/nginx/access_mempool.log;
error_log /var/log/nginx/error_mempool.log;
root /var/www/mempool/browser;
index index.html;
# enable browser and proxy caching
add_header Cache-Control "public, no-transform";
# vary cache if user changes language preference
add_header Vary Accept-Language;
add_header Vary Cookie;
include mempool/location-static.conf;
# static API docs
location = /api {
try_files $uri $uri/ /en-US/index.html =404;
}
location = /api/ {
try_files $uri $uri/ /en-US/index.html =404;
}
location /api/v1/ws {
proxy_pass http://127.0.0.1:8999/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
location /api/v1 {
proxy_pass http://127.0.0.1:8999/api/v1;
}
location /api/ {
proxy_pass http://127.0.0.1:8999/api/v1/;
}
# mainnet API
location /ws {
proxy_pass http://127.0.0.1:8999/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
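
Review bot: None of the proxied locations (`/api/v1/ws`, `/api/v1`, `/api/`, `/ws`) applies `limit_req` or `limit_conn`, although nginx.conf in this change defines the `api`, `electrs` and `websocket` zones, so those zones have no effect as written. Add `limit_req zone=api ...;` to the API locations and `limit_conn websocket ...;` to the WebSocket ones with limits of your choice, or drop the unused zone definitions.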

@ -0,0 +1,82 @@
user nobody;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 100000;
events {
worker_connections 9000;
multi_accept on;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# reset timed out connections freeing ram
reset_timedout_connection on;
# maximum time between packets the client can pause when sending nginx any data
client_body_timeout 10s;
# maximum time the client has to send the entire header to nginx
client_header_timeout 10s;
# timeout which a single keep-alive client connection will stay open
keepalive_timeout 69s;
# maximum time between packets nginx is allowed to pause when sending the client data
send_timeout 69s;
# number of requests per connection, does not affect SPDY
keepalive_requests 1337;
# enable gzip compression
gzip on;
gzip_vary on;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
# text/html is always compressed by gzip module
gzip_types application/javascript application/json application/ld+json application/manifest+json application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard;
# limit request body size
client_max_body_size 10m;
# proxy cache
proxy_cache off;
proxy_cache_path /var/cache/nginx keys_zone=cache:20m levels=1:2 inactive=600s max_size=500m;
types_hash_max_size 2048;
# exempt localhost from rate limit
geo $limited_ip {
default 1;
127.0.0.1 0;
}
map $limited_ip $limited_ip_key {
1 $binary_remote_addr;
0 '';
}
# rate limit requests
limit_req_zone $limited_ip_key zone=api:5m rate=200r/m;
limit_req_zone $limited_ip_key zone=electrs:5m rate=2000r/m;
limit_req_status 429;
# rate limit connections
limit_conn_zone $limited_ip_key zone=websocket:10m;
limit_conn_status 429;
include mempool/http-language.conf;
server {
listen 127.0.0.1:80;
include mempool/mempool.conf;
}
}
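
Review bot: `geo $limited_ip` exempts 127.0.0.1 from rate limiting and the `server` block listens only on `127.0.0.1:80`, so every request reaches this server from loopback, directly or through a local reverse proxy, and maps to the empty key. The `limit_req_zone` and `limit_conn_zone` definitions can then never throttle anything. If a proxy sits in front, key the zones on the real client address (for example with `set_real_ip_from 127.0.0.1;` and `real_ip_header`), or remove the exemption.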

@ -0,0 +1,24 @@
{ lib, buildGoModule, fetchFromGitHub }:
buildGoModule rec {
pname = "nostr-wallet-connect";
version = "0.3.0";
src = fetchFromGitHub {
owner = "getalby";
repo = pname;
rev = "v${version}";
hash = "cef8fb278d90c00b6e9345d28e43e9532cae978a";
};
vendorHash = "sha256-iE0nht3PH2R9pTyyrySk759untC7snGt3wTXk4/pjrU=";
ldflags = [ "-s" "-w" ];
meta = with lib; {
description = "Generate QRCode to connect apps to lnd Resources";
license = licenses.mit;
homepage = "https://github.com/LN-Zap/nostr-wallet-connect";
maintainers = [ maintainers.abstractequalibrium ];
platforms = platforms.linux;
};
}
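
Review bot: `hash = "cef8fb278d90c00b6e9345d28e43e9532cae978a";` in `src` is a 40-character hex string, the shape of a git commit id, not a content hash of the source tree like the `sha256-...` value used for `vendorHash` below it. Replace it with the SRI `sha256-...` hash of the fetched tree so the source is pinned to verified content. The metadata also looks copied from another package: `homepage` points at `LN-Zap/nostr-wallet-connect` while `owner` is `getalby`, and `description` talks about QR codes for lnd.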

@ -4,21 +4,21 @@ pkgs: pkgsUnstable:
inherit (pkgs) inherit (pkgs)
bitcoin bitcoin
bitcoind bitcoind
extra-container
lightning-loop
lightning-pool
lndconnect;
inherit (pkgsUnstable)
btcpayserver btcpayserver
charge-lnd charge-lnd
clightning clightning
electrs electrs
elementsd elementsd
fulcrum extra-container
hwi hwi
lightning-loop
lightning-pool
lnd lnd
lndconnect
nbxplorer; nbxplorer;
inherit (pkgsUnstable)
fulcrum;
inherit pkgs pkgsUnstable; inherit pkgs pkgsUnstable;
} }

@ -1,12 +1,12 @@
{ lib, buildPythonPackage, fetchurl, cython, pytest, coverage }: { lib, buildPythonPackageWithDepsCheck, fetchurl, cython, pytest, coverage }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "bencoder.pyx"; pname = "bencoder.pyx";
version = "2.0.1"; version = "3.0.1";
src = fetchurl { src = fetchurl {
url = "https://github.com/whtsky/bencoder.pyx/archive/v${version}.tar.gz"; url = "https://github.com/whtsky/bencoder.pyx/archive/9a47768f3ceba9df9e6fbaa7c445f59960889009.tar.gz";
sha256 = "f3ff92ac706a7e4692bed5e6cbe205963327f3076f55e408eb948659923eac72"; sha256 = "1yh565xjbbhn49xjfms80ac8psjbzn66n8dcx0x8mn7zzjv06clz";
}; };
nativeBuildInputs = [ cython ]; nativeBuildInputs = [ cython ];
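
Review bot: `version = "3.0.1"` is no longer referenced by `url`, which now pins the archive of commit `9a47768f3ceba9df9e6fbaa7c445f59960889009`, so the two can drift apart without any build error. Add a comment stating which release that commit corresponds to and why the tag archive is not used, or derive the URL from `version` again.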

@ -1,5 +1,5 @@
{ lib, buildPythonPackage, fetchFromGitHub, colorama, future, six }: { lib, buildPythonPackageWithDepsCheck, fetchFromGitHub, colorama, future, six }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "chromalog"; pname = "chromalog";
version = "1.0.5"; version = "1.0.5";

@ -1,23 +0,0 @@
{ lib, stdenv, buildPythonPackage, fetchPypi, asn1crypto, cffi, pkg-config,
autoconf, automake, libtool, libffi, requests }:
buildPythonPackage rec {
pname = "coincurve";
version = "17.0.0";
src = fetchPypi {
inherit pname version;
hash = "sha256-aNpVr/iYcClS/aPuBP1u1gu2uR+RnGknB4btdmtUi5M";
};
doCheck = false;
nativeBuildInputs = [ autoconf automake libtool pkg-config ];
propagatedBuildInputs = [ asn1crypto cffi libffi requests ];
meta = with lib; {
description = "Cross-platform Python CFFI bindings for libsecp256k1";
homepage = "https://github.com/ofek/coincurve";
maintainers = with maintainers; [ nixbitcoin ];
license = licenses.asl20;
};
}

@ -3,9 +3,9 @@ rec {
pyPkgsOverrides = self: super: let pyPkgsOverrides = self: super: let
inherit (self) callPackage; inherit (self) callPackage;
clightningPkg = pkg: callPackage pkg { inherit (nbPkgs.pinned) clightning; }; clightningPkg = pkg: callPackage pkg { inherit (nbPkgs.pinned) clightning; };
joinmarketPkg = pkg: callPackage pkg { inherit (nbPkgs.joinmarket) version src; };
in in
{ {
coincurve = callPackage ./coincurve {};
txzmq = callPackage ./txzmq {}; txzmq = callPackage ./txzmq {};
pyln-client = clightningPkg ./pyln-client; pyln-client = clightningPkg ./pyln-client;
@ -13,24 +13,16 @@ rec {
pyln-bolt7 = clightningPkg ./pyln-bolt7; pyln-bolt7 = clightningPkg ./pyln-bolt7;
pylightning = clightningPkg ./pylightning; pylightning = clightningPkg ./pylightning;
# bitstring 3.1.9, required by pyln-proto
bitstring = callPackage ./specific-versions/bitstring.nix {};
# Packages only used by joinmarket # Packages only used by joinmarket
bencoderpyx = callPackage ./bencoderpyx {}; bencoderpyx = callPackage ./bencoderpyx {};
chromalog = callPackage ./chromalog {}; chromalog = callPackage ./chromalog {};
python-bitcointx = callPackage ./python-bitcointx { python-bitcointx = callPackage ./python-bitcointx { inherit (nbPkgs) secp256k1; };
inherit (nbPkgs) secp256k1;
openssl = super.pkgs.openssl_1_1;
};
runes = callPackage ./runes {}; runes = callPackage ./runes {};
sha256 = callPackage ./sha256 {}; sha256 = callPackage ./sha256 {};
urldecode = callPackage ./urldecode {};
};
# Joinmarket requires a custom package set because it uses older versions of Python pkgs
pyPkgsOverridesJoinmarket = self: super: let
inherit (self) callPackage;
joinmarketPkg = pkg: callPackage pkg { inherit (nbPkgs.joinmarket) version src; };
in
(pyPkgsOverrides self super) // {
joinmarketbase = joinmarketPkg ./jmbase; joinmarketbase = joinmarketPkg ./jmbase;
joinmarketclient = joinmarketPkg ./jmclient; joinmarketclient = joinmarketPkg ./jmclient;
joinmarketbitcoin = joinmarketPkg ./jmbitcoin; joinmarketbitcoin = joinmarketPkg ./jmbitcoin;
@ -38,29 +30,24 @@ rec {
## Specific versions of packages that already exist in nixpkgs ## Specific versions of packages that already exist in nixpkgs
# cryptography 3.3.2, required by joinmarketdaemon
cryptography = callPackage ./specific-versions/cryptography {
openssl = super.pkgs.openssl_1_1;
cryptography_vectors = callPackage ./specific-versions/cryptography/vectors.nix {};
};
# autobahn 20.12.3, required by joinmarketclient # autobahn 20.12.3, required by joinmarketclient
autobahn = callPackage ./specific-versions/autobahn.nix {}; autobahn = callPackage ./specific-versions/autobahn.nix {};
# pyopenssl 20.0.1, required by joinmarketdaemon # A version of `buildPythonPackage` which checks that Python package
pyopenssl = callPackage ./specific-versions/pyopenssl.nix { # requirements are met.
openssl = super.pkgs.openssl_1_1; # This was the case for NixOS <= 23.05.
}; # TODO-EXTERNAL: Remove when this is resolved:
# https://github.com/NixOS/nixpkgs/issues/253131
# twisted 22.4.0, compatible with pyopenssl 20.0.1 buildPythonPackageWithDepsCheck = attrs:
twisted = callPackage ./specific-versions/twisted.nix {}; self.buildPythonPackage (attrs // {
dontUsePypaInstall = true;
nativeBuildInputs = (attrs.nativeBuildInputs or []) ++ [ self.pipInstallHook ];
});
}; };
nbPython3Packages = (python3.override { nbPython3Packages = (python3.override {
packageOverrides = pyPkgsOverrides; packageOverrides = pyPkgsOverrides;
}).pkgs; }).pkgs;
nbPython3PackagesJoinmarket = (python3.override { nbPython3PackagesJoinmarket = nbPython3Packages;
packageOverrides = pyPkgsOverridesJoinmarket;
}).pkgs;
} }

@ -1,12 +1,24 @@
{ version, src, lib, buildPythonPackage, fetchurl, future, twisted, service-identity, chromalog, txtorcon }: { version, src, lib, buildPythonPackageWithDepsCheck, fetchurl, future, twisted, service-identity, chromalog, txtorcon, pyaes }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "joinmarketbase"; pname = "joinmarketbase";
inherit version src; inherit version src;
postUnpack = "sourceRoot=$sourceRoot/jmbase"; postUnpack = "sourceRoot=$sourceRoot/jmbase";
propagatedBuildInputs = [ future twisted service-identity chromalog txtorcon ]; propagatedBuildInputs = [ future twisted service-identity chromalog txtorcon pyaes ];
patchPhase = ''
sed -i 's|twisted==22.4.0|twisted==23.8.0|' setup.py
sed -i 's|service-identity==21.1.0|service-identity==23.1.0|' setup.py
'';
# Has no tests
doCheck = false;
pythonImportsCheck = [
"jmbase"
];
meta = with lib; { meta = with lib; {
homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver"; homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";
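
Review bot: The new `patchPhase` rewrites the pins with `sed -i`, which exits 0 when the pattern no longer matches, so after an upstream change to `twisted==22.4.0` or `service-identity==21.1.0` the edit silently does nothing. The sibling joinmarket packages in this change use `substituteInPlace ... --replace` for the same job; use it here too. Setting `patchPhase` directly also replaces the default phase, so `patches` and the `prePatch`/`postPatch` hooks are skipped; `postPatch` is the usual place for this kind of edit.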

@ -1,15 +1,24 @@
{ version, src, lib, buildPythonPackage, fetchurl, urldecode, pyaes, python-bitcointx, joinmarketbase }: { version, src, lib, buildPythonPackageWithDepsCheck, fetchurl, python-bitcointx, joinmarketbase, pytestCheckHook }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "joinmarketbitcoin"; pname = "joinmarketbitcoin";
inherit version src; inherit version src;
postUnpack = "sourceRoot=$sourceRoot/jmbitcoin"; postUnpack = "sourceRoot=$sourceRoot/jmbitcoin";
propagatedBuildInputs = [ urldecode pyaes python-bitcointx ]; propagatedBuildInputs = [ python-bitcointx ];
checkInputs = [ joinmarketbase ]; checkInputs = [ joinmarketbase ];
nativeCheckInputs = [
pytestCheckHook
];
patchPhase = ''
substituteInPlace setup.py \
--replace "'python-bitcointx==1.1.3'" "'python-bitcointx==1.1.4'"
'';
meta = with lib; { meta = with lib; {
homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver"; homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";
maintainers = with maintainers; [ nixbitcoin ]; maintainers = with maintainers; [ nixbitcoin ];

@ -1,22 +1,63 @@
{ version, src, lib, buildPythonPackage, fetchurl, future, configparser, joinmarketbase, joinmarketdaemon, mnemonic, argon2_cffi, bencoderpyx, pyaes, joinmarketbitcoin, klein, pyjwt, autobahn }: {
pipBuildHook
, version
, src
, lib
, buildPythonPackageWithDepsCheck
, argon2_cffi
, autobahn
, bencoderpyx
, configparser
, fetchurl
, future
, joinmarketbase
, joinmarketbitcoin
, joinmarketdaemon
, klein
, mnemonic
, pyjwt
, werkzeug
}:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "joinmarketclient"; pname = "joinmarketclient";
inherit version src; inherit version src;
postUnpack = "sourceRoot=$sourceRoot/jmclient"; postUnpack = "sourceRoot=$sourceRoot/jmclient";
checkInputs = [ joinmarketbitcoin joinmarketdaemon ]; propagatedBuildInputs = [
argon2_cffi
propagatedBuildInputs = [ future configparser joinmarketbase mnemonic argon2_cffi bencoderpyx pyaes klein pyjwt autobahn ]; autobahn
bencoderpyx
configparser
future
joinmarketbase
joinmarketbitcoin
joinmarketdaemon
klein
mnemonic
pyjwt
werkzeug
];
patchPhase = '' patchPhase = ''
substituteInPlace setup.py \ substituteInPlace setup.py \
--replace "'klein==20.6.0'" "'klein>=20.6.0'" --replace "'klein==20.6.0'" "'klein>=20.6.0'"
substituteInPlace setup.py \ substituteInPlace setup.py \
--replace "'pyjwt==2.4.0'" "'pyjwt==2.5.0'" --replace "'argon2_cffi==21.3.0'" "'argon2_cffi==23.1.0'"
substituteInPlace setup.py \
--replace "'pyjwt==2.4.0'" "'pyjwt==2.8.0'"
substituteInPlace setup.py \
--replace "'werkzeug==2.2.3'" "'werkzeug==2.3.7'"
''; '';
# The unit tests can't be run in a Nix build environment
doCheck = false;
pythonImportsCheck = [
"jmclient"
];
meta = with lib; { meta = with lib; {
description = "Client library for Bitcoin coinjoins"; description = "Client library for Bitcoin coinjoins";
homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver"; homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";
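
Review bot: `pipBuildHook` is added as the first function argument but is not referenced anywhere in the lines shown; drop it, or add it to `nativeBuildInputs` if it is needed. The four `substituteInPlace setup.py` calls could be a single call with several `--replace` pairs, and the exact pins (`argon2_cffi==23.1.0`, `pyjwt==2.8.0`, `werkzeug==2.3.7`) will need touching on every nixpkgs bump, unlike the `klein>=20.6.0` form.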

@ -1,6 +1,6 @@
{ version, src, lib, buildPythonPackage, fetchurl, txtorcon, cryptography, pyopenssl, libnacl, joinmarketbase }: { version, src, lib, buildPythonPackageWithDepsCheck, fetchurl, txtorcon, cryptography, pyopenssl, libnacl, joinmarketbase }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "joinmarketdaemon"; pname = "joinmarketdaemon";
inherit version src; inherit version src;
@ -8,6 +8,22 @@ buildPythonPackage rec {
propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ]; propagatedBuildInputs = [ txtorcon cryptography pyopenssl libnacl joinmarketbase ];
patchPhase = ''
substituteInPlace setup.py \
--replace "'txtorcon==22.0.0'" "'txtorcon==23.5.0'"
substituteInPlace setup.py \
--replace "'libnacl==1.8.0'" "'libnacl==2.1.0'"
substituteInPlace setup.py \
--replace "'cryptography==41.0.2" "'cryptography==41.0.3"
'';
# The unit tests can't be run in a Nix build environment
doCheck = false;
pythonImportsCheck = [
"jmdaemon"
];
meta = with lib; { meta = with lib; {
description = "Client library for Bitcoin coinjoins"; description = "Client library for Bitcoin coinjoins";
homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver"; homepage = "https://github.com/Joinmarket-Org/joinmarket-clientserver";
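
Review bot: In the third `substituteInPlace` call, `--replace "'cryptography==41.0.2" "'cryptography==41.0.3"` is missing the closing `'` inside both strings, unlike the `txtorcon` and `libnacl` lines above it. It still substitutes as a prefix match, but it would equally rewrite a pin such as `41.0.20`; close the quotes so the pattern matches the whole requirement.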

@ -1,6 +1,6 @@
{ buildPythonPackage, clightning, pyln-client }: { buildPythonPackageWithDepsCheck, clightning, pyln-client }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "pylightning"; pname = "pylightning";
version = "0.10.1"; # defined in ${src}/contrib/pyln-client/pyln/client/__init__.py version = "0.10.1"; # defined in ${src}/contrib/pyln-client/pyln/client/__init__.py

@ -1,6 +1,6 @@
{ buildPythonPackage, poetry-core, pytestCheckHook, clightning, pyln-proto }: { buildPythonPackageWithDepsCheck, poetry-core, pytestCheckHook, clightning, pyln-proto }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "pyln-bolt7"; pname = "pyln-bolt7";
# The version is defined here: # The version is defined here:
# https://github.com/ElementsProject/lightning/blob/master/contrib/pyln-spec/bolt7/pyproject.toml # https://github.com/ElementsProject/lightning/blob/master/contrib/pyln-spec/bolt7/pyproject.toml

@ -1,6 +1,6 @@
{ buildPythonPackage, poetry-core, pytestCheckHook, clightning, pyln-bolt7, pyln-proto }: { buildPythonPackageWithDepsCheck, poetry-core, pytestCheckHook, clightning, pyln-bolt7, pyln-proto }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "pyln-client"; pname = "pyln-client";
version = clightning.version; version = clightning.version;
format = "pyproject"; format = "pyproject";

@ -1,4 +1,4 @@
{ buildPythonPackage { buildPythonPackageWithDepsCheck
, clightning , clightning
, poetry-core , poetry-core
, pytestCheckHook , pytestCheckHook
@ -6,9 +6,10 @@
, cryptography , cryptography
, coincurve , coincurve
, base58 , base58
, pysocks
}: }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "pyln-proto"; pname = "pyln-proto";
version = clightning.version; version = clightning.version;
format = "pyproject"; format = "pyproject";
@ -22,13 +23,10 @@ buildPythonPackage rec {
cryptography cryptography
coincurve coincurve
base58 base58
pysocks
]; ];
checkInputs = [ pytestCheckHook ]; checkInputs = [ pytestCheckHook ];
postUnpack = "sourceRoot=$sourceRoot/contrib/pyln-proto"; postUnpack = "sourceRoot=$sourceRoot/contrib/pyln-proto";
postPatch = ''
sed -i 's|cryptography = "^36.0.1"|cryptography = "^38.0.0"|' pyproject.toml
'';
} }

@ -1,12 +1,14 @@
{ lib, buildPythonPackage, fetchurl, secp256k1, openssl }: { lib, buildPythonPackageWithDepsCheck, fetchFromGitHub, secp256k1 }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "python-bitcointx"; pname = "python-bitcointx";
version = "1.1.3"; version = "1.1.4";
src = fetchurl { src = fetchFromGitHub {
url = "https://github.com/Simplexum/${pname}/archive/${pname}-v${version}.tar.gz"; owner = "Simplexum";
sha256 = "f0f487c29619df0e94a04f6deb3dc950ff9954c072017bd3eda90f73c24f0953"; repo = "python-bitcointx";
rev = "python-bitcointx-v${version}";
hash = "sha256-y8/cyLQr3GbpYqCg8LKTfyL0OX7eIo5AxjdFTWTqHmk=";
}; };
patchPhase = '' patchPhase = ''
@ -14,8 +16,6 @@ buildPythonPackage rec {
substituteInPlace "bitcointx/$path" \ substituteInPlace "bitcointx/$path" \
--replace "ctypes.util.find_library('secp256k1')" "'${secp256k1}/lib/libsecp256k1.so'" --replace "ctypes.util.find_library('secp256k1')" "'${secp256k1}/lib/libsecp256k1.so'"
done done
substituteInPlace bitcointx/core/key.py \
--replace "ctypes.util.find_library('ssl')" "'${openssl.out}/lib/libssl.so'"
''; '';
meta = with lib; { meta = with lib; {
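
Review bot: The removed substitution pinned `ctypes.util.find_library('ssl')` in `bitcointx/core/key.py` to a store path, and the `openssl` argument is gone with it. Please confirm in the commit message that 1.1.4 no longer loads libssl there; if the call still exists, it would fall back to a runtime library search outside the package closure.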

@ -9,7 +9,7 @@ cd "$TMPDIR"
echo "Fetching latest release" echo "Fetching latest release"
git clone https://github.com/simplexum/python-bitcointx 2> /dev/null git clone https://github.com/simplexum/python-bitcointx 2> /dev/null
cd python-bitcointx cd python-bitcointx
latest=python-bitcointx-v1.1.3 latest=python-bitcointx-v1.1.4
echo "Latest release is ${latest}" echo "Latest release is ${latest}"
# GPG verification # GPG verification
@ -19,6 +19,8 @@ gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys B17A35BBA187395784E2A6B3
echo "Verifying latest release" echo "Verifying latest release"
git verify-commit "$latest" git verify-commit "$latest"
git checkout -q "tags/$latest"
rm -rf .git
echo "tag: $latest" echo "tag: $latest"
# The prefix option is necessary because GitHub prefixes the archive contents in this format nix hash path .
echo "sha256: $(git archive --format tar.gz --prefix=python-bitcointx-"$latest"/ "$latest" | sha256sum | cut -d\ -f1)"
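
Review bot: The signature check runs on `"$latest"` while the new checkout uses `"tags/$latest"`; use `tags/$latest` for both so the ref that is verified is by construction the one that gets hashed. `nix hash path .` also prints a bare hash after the labelled `tag:` line; `echo "hash: $(nix hash path .)"` would keep the output self-describing. `latest` is hardcoded although the script announces "Fetching latest release".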

@ -1,6 +1,6 @@
{ sha256, lib, buildPythonPackage, fetchFromGitHub }: { sha256, lib, buildPythonPackageWithDepsCheck, fetchFromGitHub }:
buildPythonPackage { buildPythonPackageWithDepsCheck {
pname = "runes"; pname = "runes";
version = "0.4.0"; version = "0.4.0";

@ -1,6 +1,6 @@
{ lib, buildPythonPackage, fetchFromGitHub, cython }: { lib, buildPythonPackageWithDepsCheck, fetchFromGitHub, cython }:
buildPythonPackage rec { buildPythonPackageWithDepsCheck rec {
pname = "sha256"; pname = "sha256";
version = builtins.substring 0 8 src.rev; version = builtins.substring 0 8 src.rev;

@ -0,0 +1,40 @@
{ lib
, buildPythonPackage
, fetchFromGitHub
, fetchpatch
, unittestCheckHook
}:
buildPythonPackage rec {
pname = "bitstring";
version = "3.1.9";
src = fetchFromGitHub {
owner = "scott-griffiths";
repo = pname;
rev = "bitstring-${version}";
sha256 = "0y2kcq58psvl038r6dhahhlhp1wjgr5zsms45wyz1naq6ri8x9qa";
};
patches = [
(fetchpatch {
name = "fix-running-unit-tests-using-unittest-hook.patch";
url = "https://github.com/scott-griffiths/bitstring/commit/e5ee3fd41cad2ea761f4450b13b0424ae7262331.patch";
hash = "sha256-+ZGywIfQQcYXJlYZBi402ONnysYm66G5zE4duJE40h8=";
})
];
checkInputs = [ unittestCheckHook ];
unittestFlagsArray = [ "-s" "test" ];
pythonImportsCheck = [ "bitstring" ];
meta = with lib; {
description = "Module for binary data manipulation";
homepage = "https://github.com/scott-griffiths/bitstring";
license = licenses.mit;
platforms = platforms.unix;
maintainers = with maintainers; [ bjornfor ];
};
}
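
Review bot: This file has no provenance line, unlike the `specific-versions` files removed in this change, which start with `# Copied from nixpkgs rev ...`. If it was taken from nixpkgs, add the same kind of comment with the rev so the pin can be compared with upstream later. `src` also uses the legacy `sha256 =` attribute while the `fetchpatch` below uses `hash`; prefer `hash` with an SRI value for both.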

@ -1,83 +0,0 @@
# Copied from nixpkgs rev c7d0dbe094c988209edac801eb2a0cc21aa498d8
{ lib, stdenv
, buildPythonPackage
, fetchPypi
, fetchpatch
, isPy27
, ipaddress
, openssl
, cryptography_vectors
, darwin
, packaging
, six
, pythonOlder
, isPyPy
, cffi
, pytest
, pretend
, iso8601
, pytz
, hypothesis
, enum34
}:
buildPythonPackage rec {
pname = "cryptography";
version = "3.3.2"; # Also update the hash in vectors.nix
src = fetchPypi {
inherit pname version;
sha256 = "1vcvw4lkw1spiq322pm1256kail8nck6bbgpdxx3pqa905wd6q2s";
};
outputs = [ "out" "dev" ];
nativeBuildInputs = lib.optionals (!isPyPy) [
cffi
];
buildInputs = [ openssl ]
++ lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
propagatedBuildInputs = [
packaging
six
] ++ lib.optionals (!isPyPy) [
cffi
] ++ lib.optionals isPy27 [
ipaddress enum34
];
checkInputs = [
cryptography_vectors
hypothesis
iso8601
pretend
pytest
pytz
];
checkPhase = ''
py.test --disable-pytest-warnings tests
'';
# IOKit's dependencies are inconsistent between OSX versions, so this is the best we
# can do until nix 1.11's release
__impureHostDeps = [ "/usr/lib" ];
meta = with lib; {
description = "A package which provides cryptographic recipes and primitives";
longDescription = ''
Cryptography includes both high level recipes and low level interfaces to
common cryptographic algorithms such as symmetric ciphers, message
digests, and key derivation functions.
Our goal is for it to be your "cryptographic standard library". It
supports Python 2.7, Python 3.5+, and PyPy 5.4+.
'';
homepage = "https://github.com/pyca/cryptography";
changelog = "https://cryptography.io/en/latest/changelog/#v"
+ replaceStrings [ "." ] [ "-" ] version;
license = with licenses; [ asl20 bsd3 psfl ];
maintainers = with maintainers; [ primeos ];
};
}

@ -1,25 +0,0 @@
# Copied from nixpkgs rev c7d0dbe094c988209edac801eb2a0cc21aa498d8
{ buildPythonPackage, fetchPypi, lib, cryptography }:
buildPythonPackage rec {
pname = "cryptography_vectors";
# The test vectors must have the same version as the cryptography package:
version = cryptography.version;
src = fetchPypi {
inherit pname version;
sha256 = "1yhaps0f3h2yjb6lmz953z1l1d84y9swk4k3gj9nqyk4vbx5m7cc";
};
# No tests included
doCheck = false;
meta = with lib; {
description = "Test vectors for the cryptography package";
homepage = "https://cryptography.io/en/latest/development/test-vectors/";
# Source: https://github.com/pyca/cryptography/tree/master/vectors;
license = with licenses; [ asl20 bsd3 ];
maintainers = with maintainers; [ primeos ];
};
}

@ -1,92 +0,0 @@
{ lib
, stdenv
, buildPythonPackage
, fetchPypi
, openssl
, cryptography
, pyasn1
, idna
, pytest
, pretend
, flaky
, glibcLocales
, six
}:
let
# https://github.com/pyca/pyopenssl/issues/791
# These tests, we disable in the case that libressl is passed in as openssl.
failingLibresslTests = [
"test_op_no_compression"
"test_npn_advertise_error"
"test_npn_select_error"
"test_npn_client_fail"
"test_npn_success"
"test_use_certificate_chain_file_unicode"
"test_use_certificate_chain_file_bytes"
"test_add_extra_chain_cert"
"test_set_session_id_fail"
"test_verify_with_revoked"
"test_set_notAfter"
"test_set_notBefore"
];
# these tests are extremely tightly wed to the exact output of the openssl cli tool,
# including exact punctuation.
failingOpenSSL_1_1Tests = [
"test_dump_certificate"
"test_dump_privatekey_text"
"test_dump_certificate_request"
"test_export_text"
];
disabledTests = [
# https://github.com/pyca/pyopenssl/issues/692
# These tests, we disable always.
"test_set_default_verify_paths"
"test_fallback_default_verify_paths"
# https://github.com/pyca/pyopenssl/issues/768
"test_wantWriteError"
] ++ (
lib.optionals (lib.hasPrefix "libressl" openssl.meta.name) failingLibresslTests
) ++ (
lib.optionals (lib.versionAtLeast (lib.getVersion openssl.name) "1.1") failingOpenSSL_1_1Tests
) ++ (
# https://github.com/pyca/pyopenssl/issues/974
lib.optionals stdenv.is32bit [ "test_verify_with_time" ]
);
# Compose the final string expression, including the "-k" and the single quotes.
testExpression = lib.optionalString (disabledTests != [])
"-k 'not ${lib.concatStringsSep " and not " disabledTests}'";
in
buildPythonPackage rec {
pname = "pyopenssl";
version = "20.0.1";
src = fetchPypi {
pname = "pyOpenSSL";
inherit version;
sha256 = "4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51";
};
outputs = [ "out" "dev" ];
checkPhase = ''
runHook preCheck
export LANG="en_US.UTF-8"
py.test tests ${testExpression}
runHook postCheck
'';
# Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
# for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
doCheck = !stdenv.isDarwin;
nativeBuildInputs = [ openssl ];
propagatedBuildInputs = [ cryptography pyasn1 idna six ];
checkInputs = [ pytest pretend flaky glibcLocales ];
}

@ -1,173 +0,0 @@
{ lib
, stdenv
, buildPythonPackage
, pythonOlder
, fetchPypi
, python
, appdirs
, attrs
, automat
, bcrypt
, constantly
, contextvars
, cryptography
, git
, glibcLocales
, h2
, hyperlink
, idna
, incremental
, priority
, pyasn1
, pyhamcrest
, pynacl
, pyopenssl
, pyserial
, service-identity
, setuptools
, typing-extensions
, zope_interface
# for passthru.tests
, cassandra-driver
, klein
, magic-wormhole
, scrapy
, treq
, txaio
, txamqp
, txrequests
, txtorcon
, thrift
, nixosTests
}:
buildPythonPackage rec {
pname = "twisted";
version = "22.4.0";
format = "setuptools";
disabled = pythonOlder "3.6";
src = fetchPypi {
pname = "Twisted";
inherit version;
extension = "tar.gz";
sha256 = "sha256-oEeZD1ffrh4L0rffJSbU8W3NyEN3TcEIt4xS8qXxNoA=";
};
__darwinAllowLocalNetworking = true;
propagatedBuildInputs = [
attrs
automat
constantly
hyperlink
incremental
setuptools
typing-extensions
zope_interface
];
postPatch = ''
echo 'ListingTests.test_localeIndependent.skip = "Timezone issue"'>> src/twisted/conch/test/test_cftp.py
echo 'ListingTests.test_newFile.skip = "Timezone issue"'>> src/twisted/conch/test/test_cftp.py
echo 'ListingTests.test_newSingleDigitDayOfMonth.skip = "Timezone issue"'>> src/twisted/conch/test/test_cftp.py
echo 'ListingTests.test_oldFile.skip = "Timezone issue"'>> src/twisted/conch/test/test_cftp.py
echo 'ListingTests.test_oldSingleDigitDayOfMonth.skip = "Timezone issue"'>> src/twisted/conch/test/test_cftp.py
echo 'PTYProcessTestsBuilder_AsyncioSelectorReactorTests.test_openFileDescriptors.skip = "invalid syntax"'>> src/twisted/internet/test/test_process.py
echo 'PTYProcessTestsBuilder_SelectReactorTests.test_openFileDescriptors.skip = "invalid syntax"'>> src/twisted/internet/test/test_process.py
echo 'UNIXTestsBuilder_AsyncioSelectorReactorTests.test_sendFileDescriptorTriggersPauseProducing.skip = "sendFileDescriptor producer was not paused"'>> src/twisted/internet/test/test_unix.py
echo 'UNIXTestsBuilder_SelectReactorTests.test_sendFileDescriptorTriggersPauseProducing.skip = "sendFileDescriptor producer was not paused"'>> src/twisted/internet/test/test_unix.py
echo 'FileObserverTests.test_getTimezoneOffsetEastOfUTC.skip = "mktime argument out of range"'>> src/twisted/test/test_log.py
echo 'FileObserverTests.test_getTimezoneOffsetWestOfUTC.skip = "mktime argument out of range"'>> src/twisted/test/test_log.py
echo 'FileObserverTests.test_getTimezoneOffsetWithoutDaylightSavingTime.skip = "tuple differs, values not"'>> src/twisted/test/test_log.py
echo 'MulticastTests.test_joinLeave.skip = "No such device"'>> src/twisted/test/test_udp.py
echo 'MulticastTests.test_loopback.skip = "No such device"'>> src/twisted/test/test_udp.py
echo 'MulticastTests.test_multicast.skip = "Reactor was unclean"'>> src/twisted/test/test_udp.py
echo 'MulticastTests.test_multiListen.skip = "No such device"'>> src/twisted/test/test_udp.py
echo 'DomishExpatStreamTests.test_namespaceWithWhitespace.skip = "syntax error: line 1, column 0"'>> src/twisted/words/test/test_domish.py
# not packaged
substituteInPlace src/twisted/test/test_failure.py \
--replace "from cython_test_exception_raiser import raiser # type: ignore[import]" "raiser = None"
'' + lib.optionalString stdenv.isLinux ''
echo 'PTYProcessTestsBuilder_EPollReactorTests.test_openFileDescriptors.skip = "invalid syntax"'>> src/twisted/internet/test/test_process.py
echo 'PTYProcessTestsBuilder_PollReactorTests.test_openFileDescriptors.skip = "invalid syntax"'>> src/twisted/internet/test/test_process.py
echo 'UNIXTestsBuilder_EPollReactorTests.test_sendFileDescriptorTriggersPauseProducing.skip = "sendFileDescriptor producer was not paused"'>> src/twisted/internet/test/test_unix.py
echo 'UNIXTestsBuilder_PollReactorTests.test_sendFileDescriptorTriggersPauseProducing.skip = "sendFileDescriptor producer was not paused"'>> src/twisted/internet/test/test_unix.py
# Patch t.p._inotify to point to libc. Without this,
# twisted.python.runtime.platform.supportsINotify() == False
substituteInPlace src/twisted/python/_inotify.py --replace \
"ctypes.util.find_library(\"c\")" "'${stdenv.cc.libc}/lib/libc.so.6'"
'' + lib.optionalString (stdenv.isAarch64 && stdenv.isDarwin) ''
echo 'AbortConnectionTests_AsyncioSelectorReactorTests.test_fullWriteBufferAfterByteExchange.skip = "Timeout after 120 seconds"' >> src/twisted/internet/test/test_tcp.py
echo 'AbortConnectionTests_AsyncioSelectorReactorTests.test_resumeProducingAbort.skip = "Timeout after 120 seconds"' >> src/twisted/internet/test/test_tcp.py
'';
# Generate Twisted's plug-in cache. Twisted users must do it as well. See
# http://twistedmatrix.com/documents/current/core/howto/plugin.html#auto3
# and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477103 for details.
postFixup = ''
$out/bin/twistd --help > /dev/null
'';
checkInputs = [
git
glibcLocales
pyhamcrest
]
++ passthru.optional-dependencies.conch
# not supported on aarch64-darwin: https://github.com/pyca/pyopenssl/issues/873
++ lib.optionals (!(stdenv.isDarwin && stdenv.isAarch64)) passthru.optional-dependencies.tls;
checkPhase = ''
export SOURCE_DATE_EPOCH=315532800
export PATH=$out/bin:$PATH
# race conditions when running in paralell
${python.interpreter} -m twisted.trial twisted
'';
passthru = {
optional-dependencies = rec {
conch = [ appdirs bcrypt cryptography pyasn1 ];
conch_nacl = conch ++ [ pynacl ];
contextvars = lib.optionals (pythonOlder "3.7") [ contextvars ];
http2 = [ h2 priority ];
serial = [ pyserial ];
tls = [ idna pyopenssl service-identity ];
};
tests = {
inherit
cassandra-driver
klein
magic-wormhole
scrapy
treq
txaio
txamqp
txrequests
txtorcon
thrift;
inherit (nixosTests) buildbot matrix-synapse;
};
};
meta = with lib; {
homepage = "https://github.com/twisted/twisted";
description = "Twisted, an event-driven networking engine written in Python";
longDescription = ''
Twisted is an event-driven networking engine written in Python
and licensed under the MIT license.
'';
license = licenses.mit;
maintainers = with maintainers; [ SuperSandro2000 ];
};
}
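Review bot: Deleting this whole file drops the pinned Twisted 22.4.0 expression, so please confirm that whatever imported it is removed in the same commit; otherwise evaluation fails, and the next file in this diff still takes `twisted` as an input. The commit message should also state which Twisted version dependents now resolve to, and that the test skips appended in `postPatch` and the `_inotify.py` libc substitution here do not need to be carried over.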

View File

@ -1,8 +1,9 @@
{ lib { lib
, buildPythonPackage , buildPythonPackage
, fetchPypi , fetchPypi
, twisted
, pyzmq , pyzmq
, setuptools
, twisted
}: }:
buildPythonPackage rec { buildPythonPackage rec {
@ -16,8 +17,9 @@ buildPythonPackage rec {
}; };
propagatedBuildInputs = [ propagatedBuildInputs = [
twisted
pyzmq pyzmq
setuptools
twisted
]; ];
meta = with lib; { meta = with lib; {
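Review bot: `setuptools` is added to `propagatedBuildInputs` in this hunk with no comment explaining why it is needed at runtime. If the package imports `pkg_resources` at runtime, add a one-line comment saying so; if it is only needed to build, it belongs in `nativeBuildInputs` so that it is not propagated into every dependent's closure.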

View File

@ -1,16 +0,0 @@
{ lib, buildPythonPackage, fetchPypi }:
buildPythonPackage rec {
pname = "urldecode";
version = "0.1";
src = fetchPypi {
inherit pname version;
sha256 = "0w8my7kdwxppsfzzi1b2cxhypm6r1fsrnb2hnd752axq4gfsddjj";
};
meta = with lib; {
description = "A simple function to decode an encoded url";
homepage = "https://github.com/jennyq/urldecode";
maintainers = with maintainers; [ nixbitcoin ];
};
}

View File

@ -1,7 +1,7 @@
{ lib { lib
, stdenvNoCC , stdenvNoCC
, nodejs-16_x , nodejs-18_x
, nodejs-slim-16_x , nodejs-slim-18_x
, fetchNodeModules , fetchNodeModules
, fetchpatch , fetchpatch
, fetchurl , fetchurl
@ -10,23 +10,23 @@
}: }:
let self = stdenvNoCC.mkDerivation { let self = stdenvNoCC.mkDerivation {
pname = "rtl"; pname = "rtl";
version = "0.13.6"; version = "0.14.1";
src = fetchurl { src = fetchurl {
url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz"; url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz";
hash = "sha256-eyRM28h2TV3IyW4hDPHj/wMJxLEZin7AqWQZGQt5mV4="; hash = "sha256-sbV7d/imdCXglpAS3hh7fETvSxMzegi63AfbS1imqbk=";
}; };
passthru = { passthru = {
nodejs = nodejs-16_x; nodejs = nodejs-18_x;
nodejsRuntime = nodejs-slim-16_x; nodejsRuntime = nodejs-slim-18_x;
nodeModules = fetchNodeModules { nodeModules = fetchNodeModules {
inherit (self) src nodejs; inherit (self) src nodejs;
# TODO-EXTERNAL: Remove `npmFlags` when no longer required # TODO-EXTERNAL: Remove `npmFlags` when no longer required
# See: https://github.com/Ride-The-Lightning/RTL/issues/1182 # See: https://github.com/Ride-The-Lightning/RTL/issues/1182
npmFlags = "--legacy-peer-deps"; npmFlags = "--legacy-peer-deps";
hash = "sha256-C4yK6deYXPrTa383aXiHoO0w3JAMIfAaESCEy9KKY2k="; hash = "sha256-0fu14j4OvsYGBhu/p67EUFmuHCbIPlLVm4e8qd9tk3o=";
}; };
}; };
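Review bot: Both fixed-output hashes in this hunk (`src` and `nodeModules`) change with the bump to 0.14.1, and nothing visible here records how they were obtained. Please state in the commit message that they were produced by the update script shown further down in this diff (the one that pulls in `gnupg`), not copied from a first build's hash-mismatch error, because `fetchurl` on a GitHub archive URL only pins whatever was downloaded at the time. Please also recheck whether `npmFlags = "--legacy-peer-deps"` is still required for 0.14.1, since the TODO still points at RTL issue 1182.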

View File

@ -2,7 +2,7 @@
set -euo pipefail set -euo pipefail
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@" . "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"
version="0.13.6" version="0.14.1"
repo=https://github.com/Ride-The-Lightning/RTL repo=https://github.com/Ride-The-Lightning/RTL
scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd) scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)

View File

@ -1,17 +0,0 @@
# This file has been generated by node2nix 1.9.0. Do not edit!
{pkgs ? import <nixpkgs> {
inherit system;
}, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-14_x"}:
let
nodeEnv = import (pkgs.path + "/pkgs/development/node-packages/node-env.nix") {
inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
inherit pkgs nodejs;
libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
};
in
import ./node-packages.nix {
inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
inherit nodeEnv;
}

View File

@ -1,16 +0,0 @@
{ pkgs, lib }:
let
nodePackages = import ./composition.nix { inherit pkgs; };
in
nodePackages.package.override {
# Required because spark-wallet uses `npm-shrinkwrap.json` as the lock file
reconstructLock = true;
meta = with lib; {
description = "A minimalistic wallet GUI for c-lightning";
homepage = "https://github.com/shesek/spark-wallet";
license = licenses.mit;
maintainers = with maintainers; [ nixbitcoin erikarvstedt ];
platforms = platforms.unix;
};
}

View File

@ -1,58 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "nodePackages.node2nix gnupg wget jq moreutils gnused" "$@"
TMPDIR=$(mktemp -d -p /tmp)
trap 'rm -rf $TMPDIR' EXIT
version="0.3.1"
repo=https://github.com/shesek/spark-wallet
# Fetch and verify source tarball
file=spark-wallet-${version}-npm.tgz
url=$repo/releases/download/v${version}/$file
export GNUPGHOME=$TMPDIR
gpg --keyserver hkps://keyserver.ubuntu.com --recv-key FCF19B67866562F08A43AAD681F6104CD0F150FC
wget -P "$TMPDIR" "$url"
wget -P "$TMPDIR" "$repo/releases/download/v${version}/SHA256SUMS.asc"
gpg --verify "$TMPDIR/SHA256SUMS.asc"
(cd "$TMPDIR"; sha256sum --check --ignore-missing SHA256SUMS.asc)
hash=$(nix hash file "$TMPDIR/$file")
# Extract source
src=$TMPDIR/src
mkdir "$src"
tar xvf "$TMPDIR/$file" -C "$src" --strip-components 1 >/dev/null
# Make qrcode-terminal a strict dependency so that node2nix includes it in the package derivation.
jq '.dependencies["qrcode-terminal"] = .optionalDependencies["qrcode-terminal"]' "$src/package.json" | sponge "$src/package.json"
node2nix \
--nodejs-14 \
--input "$src/package.json" \
--lock "$src/npm-shrinkwrap.json" \
--composition composition.nix \
--no-copy-node-env
# Use node-env.nix from nixpkgs
# shellcheck disable=SC2016
nodeEnvImport='import "${toString pkgs.path}/pkgs/development/node-packages/node-env.nix"'
sed -i "s|import ./node-env.nix|$nodeEnvImport|" composition.nix
# Use the verified package src
read -rd '' fetchurl <<EOF || :
fetchurl {
url = "$url";
hash = "$hash";
};
EOF
sed -i "
# Use the verified package src
s|src = .*/src;|src = ${fetchurl//$'\n'/\\n}|
# github: use HTTPS instead of SSH, which requires user authentication
s|git+ssh://git@|https://|
s|ssh://git@|https://|
s|\.git#|#|
" node-packages.nix

File diff suppressed because it is too large

Some files were not shown because too many files have changed in this diff