Merge #617: Update to NixOS 23.05

e658209 run-tests.sh: fix building tests for Nix ≥ 2.15 (Erik Arvstedt)
bb2e88c fix python packages for nixos 23.05 (Erik Arvstedt)
e31cc68 run-tests: make compatible with new shellcheck version (Erik Arvstedt)
76dc7b9 examples/deploy-container.sh: add extra-container version check (Erik Arvstedt)
6c2d110 update the required extra-container version for nixos 23.05 (Erik Arvstedt)
e2cce7d update to nixos 23.05 (Erik Arvstedt)
55c64d8 update nixpkgs (Erik Arvstedt)
bd77b89 rtl, clightning-rest: update to nodejs 18 (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK e658209

Tree-SHA512: 5814f56e469ad384dfb81bc11f9ac256a35cd2647e7fd997b14f84927448fbb880b0b1cee3bdf5a2b926760b74aab291e901e67a0759d43ffaf705ff6b741b97

.cirrus.yml

@@ -9,7 +9,7 @@ task:
 
   container:
     # Defined in https://github.com/nix-community/docker-nixpkgs
-    image: nixpkgs/nix-flakes:nixos-22.11
+    image: nixpkgs/nix-flakes:nixos-23.05
 
   matrix:
     - name: modules_test

dev/topics/rtl.sh

@@ -30,7 +30,7 @@ runuser -u "$(logname)" -- xdg-open "http://$ip:3000"
 rtl_src=~/s/RTL
 git clone https://github.com/Ride-The-Lightning/RTL "$rtl_src"
 
-nix build -o /tmp/nix-bitcoin-dev/nodejs --inputs-from . nixpkgs#nodejs-16_x
+nix build -o /tmp/nix-bitcoin-dev/nodejs --inputs-from . nixpkgs#nodejs-18_x
 # Start a shell in a sandbox
 env --chdir "$rtl_src" nix-bitcoin-firejail --whitelist="$rtl_src" --whitelist=/tmp/nix-bitcoin-dev/nodejs
 PATH=/tmp/nix-bitcoin-dev/nodejs/bin:"$PATH"

examples/configuration.nix

@@ -265,7 +265,7 @@
 
   services.openssh = {
     enable = true;
-    passwordAuthentication = false;
+    settings.PasswordAuthentication = false;
   };
   users.users.root = {
     openssh.authorizedKeys.keys = [
@@ -292,7 +292,7 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "22.11"; # Did you read the comment?
+  system.stateVersion = "23.05"; # Did you read the comment?
 
   # The nix-bitcoin release version that your config is compatible with.
   # When upgrading to a backwards-incompatible release, nix-bitcoin will display an

examples/deploy-container.sh

@@ -87,6 +87,7 @@ read -rd '' src <<EOF || true
   };
 }
 EOF
+. "${BASH_SOURCE[0]%/*}"/../test/lib/extra-container-check-version.sh
 extra-container shell -E "$src" "${runCmd[@]}"
 
 # The container is automatically deleted at exit

flake.nix

@@ -5,7 +5,7 @@
   '';
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     flake-utils.url = "github:numtide/flake-utils";
     extra-container = {

pkgs/clightning-plugins/default.nix

@@ -42,7 +42,7 @@ let
       description = "Lightning node exporter for the prometheus timeseries server";
       extraPkgs = [ prometheus_client ];
       patchRequirements =
-        "--replace prometheus-client==0.6.0 prometheus-client==0.15.0"
+        "--replace prometheus-client==0.6.0 prometheus-client==0.16.0"
         + " --replace pyln-client~=0.9.3 pyln-client~=23.02";
     };
     rebalance = {
@@ -79,7 +79,7 @@ let
 
         # Check that requirements are met
         PYTHONPATH='${toString python}/${python.sitePackages}' \
-          ${pkgs.python3Packages.pip}/bin/pip install -r requirements.txt --no-cache --no-index
+          ${pkgs.python3Packages.pip}/bin/pip install -r requirements.txt --no-cache --no-index --break-system-packages
 
         chmod +x '${script}'
         patchShebangs '${script}'

pkgs/clightning-rest/default.nix

@@ -1,7 +1,7 @@
 { lib
 , stdenvNoCC
-, nodejs-16_x
-, nodejs-slim-16_x
+, nodejs-18_x
+, nodejs-slim-18_x
 , fetchNodeModules
 , fetchurl
 , makeWrapper
@@ -17,8 +17,8 @@ let self = stdenvNoCC.mkDerivation {
   };
 
   passthru = {
-    nodejs = nodejs-16_x;
-    nodejsRuntime = nodejs-slim-16_x;
+    nodejs = nodejs-18_x;
+    nodejsRuntime = nodejs-slim-18_x;
 
     nodeModules = fetchNodeModules {
       inherit (self) src nodejs;

pkgs/lib.nix

@@ -41,8 +41,12 @@ let self = {
     RestrictAddressFamilies = self.defaultHardening.RestrictAddressFamilies + " AF_NETLINK";
   };
 
-  # nodejs applications require memory write execute for JIT compilation
-  nodejs = { MemoryDenyWriteExecute = false; };
+  nodejs = {
+    # Required for JIT compilation
+    MemoryDenyWriteExecute = false;
+    # Required by nodejs >= 18
+    SystemCallFilter = self.defaultHardening.SystemCallFilter ++ [ "@pkey" ];
+  };
 
   # Allow takes precedence over Deny.
   allowLocalIPAddresses = {

pkgs/pinned.nix

@@ -2,19 +2,19 @@
 pkgs: pkgsUnstable:
 {
   inherit (pkgs)
-    lightning-pool
-    lndconnect;
-
-  inherit (pkgsUnstable)
-    btcpayserver
     charge-lnd
-    clightning
     electrs
     elementsd
     extra-container
     fulcrum
     hwi
+    lndconnect;
+
+  inherit (pkgsUnstable)
+    btcpayserver
+    clightning
     lightning-loop
+    lightning-pool
     nbxplorer;
 
   inherit pkgs pkgsUnstable;

pkgs/python-packages/default.nix

@@ -1,4 +1,15 @@
 nbPkgs: python3:
+let
+  # Ignore eval error:
+  # `OpenSSL 1.1 is reaching its end of life on 2023/09/11 and cannot
+  # be supported through the NixOS 23.05 release cycle.`
+  # TODO-EXTERNAL: consider removing when
+  # https://github.com/Simplexum/python-bitcointx/issues/76 and
+  # https://github.com/JoinMarket-Org/joinmarket-clientserver#1451 are resolved.
+  openssl_1_1 = python3.pkgs.pkgs.openssl_1_1.overrideAttrs (old: {
+    meta = builtins.removeAttrs old.meta [ "knownVulnerabilities" ];
+  });
+in
 rec {
   pyPkgsOverrides = self: super: let
     inherit (self) callPackage;
@@ -13,12 +24,15 @@ rec {
       pyln-bolt7 = clightningPkg ./pyln-bolt7;
       pylightning = clightningPkg ./pylightning;
 
+      # bitstring 3.1.9, required by pyln-proto
+      bitstring = callPackage ./specific-versions/bitstring.nix {};
+
       # Packages only used by joinmarket
       bencoderpyx = callPackage ./bencoderpyx {};
       chromalog = callPackage ./chromalog {};
       python-bitcointx = callPackage ./python-bitcointx {
         inherit (nbPkgs) secp256k1;
-        openssl = super.pkgs.openssl_1_1;
+        openssl = openssl_1_1;
       };
       runes = callPackage ./runes {};
       sha256 = callPackage ./sha256 {};
@@ -39,7 +53,7 @@ rec {
 
       # cryptography 3.3.2, required by joinmarketdaemon
       cryptography = callPackage ./specific-versions/cryptography {
-        openssl = super.pkgs.openssl_1_1;
+        openssl = openssl_1_1;
         cryptography_vectors = callPackage ./specific-versions/cryptography/vectors.nix {};
       };
 
@@ -49,8 +63,8 @@ rec {
       # pyopenssl 21.0.0, required by joinmarketdaemon
       pyopenssl = callPackage ./specific-versions/pyopenssl.nix {};
 
-      # twisted 22.4.0, required by joinmarketbase
-      twisted = callPackage ./specific-versions/twisted.nix {};
+      # txtorcon 22.0.0, required by joinmarketdaemon
+      txtorcon = callPackage ./specific-versions/txtorcon.nix {};
     };
 
   nbPython3Packages = (python3.override {

pkgs/python-packages/jmbase/default.nix

@@ -6,6 +6,10 @@ buildPythonPackage rec {
 
   postUnpack = "sourceRoot=$sourceRoot/jmbase";
 
+  patchPhase = ''
+    sed -i 's|twisted==22.4.0|twisted==22.10.0|' setup.py
+  '';
+
   propagatedBuildInputs = [ future twisted service-identity chromalog txtorcon ];
 
   meta = with lib; {

pkgs/python-packages/jmclient/default.nix

@@ -14,7 +14,7 @@ buildPythonPackage rec {
     substituteInPlace setup.py \
       --replace "'klein==20.6.0'" "'klein>=20.6.0'"
     substituteInPlace setup.py \
-      --replace "'pyjwt==2.4.0'" "'pyjwt==2.5.0'"
+      --replace "'pyjwt==2.4.0'" "'pyjwt==2.6.0'"
   '';
 
   meta = with lib; {

pkgs/python-packages/pyln-proto/default.nix

@@ -29,6 +29,6 @@ buildPythonPackage rec {
   postUnpack = "sourceRoot=$sourceRoot/contrib/pyln-proto";
 
   postPatch = ''
-    sed -i 's|cryptography = "^36.0.1"|cryptography = "^38.0.0"|' pyproject.toml
+    sed -i 's|cryptography = "^36.0.1"|cryptography = "^40.0"|' pyproject.toml
   '';
 }

pkgs/python-packages/specific-versions/bitstring.nix

@@ -0,0 +1,40 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, fetchpatch
+, unittestCheckHook
+}:
+
+buildPythonPackage rec {
+  pname = "bitstring";
+  version = "3.1.9";
+
+  src = fetchFromGitHub {
+    owner = "scott-griffiths";
+    repo = pname;
+    rev = "bitstring-${version}";
+    sha256 = "0y2kcq58psvl038r6dhahhlhp1wjgr5zsms45wyz1naq6ri8x9qa";
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "fix-running-unit-tests-using-unittest-hook.patch";
+      url = "https://github.com/scott-griffiths/bitstring/commit/e5ee3fd41cad2ea761f4450b13b0424ae7262331.patch";
+      hash = "sha256-+ZGywIfQQcYXJlYZBi402ONnysYm66G5zE4duJE40h8=";
+    })
+  ];
+
+  checkInputs = [ unittestCheckHook ];
+
+  unittestFlagsArray = [ "-s" "test" ];
+
+  pythonImportsCheck = [ "bitstring" ];
+
+  meta = with lib; {
+    description = "Module for binary data manipulation";
+    homepage = "https://github.com/scott-griffiths/bitstring";
+    license = licenses.mit;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ bjornfor ];
+  };
+}

pkgs/python-packages/specific-versions/cryptography/default.nix

@@ -50,15 +50,16 @@ buildPythonPackage rec {
 
   checkInputs = [
     cryptography_vectors
-    hypothesis
+    # Work around `error: infinite recursion encountered`
+    (hypothesis.override { enableDocumentation = false; })
     iso8601
     pretend
     pytest
     pytz
   ];
 
   checkPhase = ''
-    py.test --disable-pytest-warnings tests
+    ${pytest}/bin/py.test --disable-pytest-warnings tests
   '';
 
   # IOKit's dependencies are inconsistent between OSX versions, so this is the best we