Merge #312: Refactorings, cleanups

0a2c8e4 run-tests: add option --copy-src (Erik Arvstedt)
803584a backups: don't use hardcoded secrets dir (Erik Arvstedt)
c29d44b ci: use 'cachix watch-exec' (Erik Arvstedt)
6a32812 services: add names for systemd helper scripts (Erik Arvstedt)
6982699 services: use consistent layout (Erik Arvstedt)
a43534d services: improve config file setup (Erik Arvstedt)
18f2002 joinmarket-yieldgenerator: improve systemd journal output (Erik Arvstedt)
9d0b8c8 joinmarket-ob-watcher: use DynamicUser (Erik Arvstedt)
e9c98f4 joinmarket: explain need for tor control socket (Erik Arvstedt)
d9c87b6 joinmarket: fix wallet creation (Erik Arvstedt)
7458350 treewide: remove deprecated types.loaOf (Erik Arvstedt)
9cf0389 treewide: use mkEnableOption (Erik Arvstedt)
7a97304 treewide: remove unit descriptions (Erik Arvstedt)
a942177 treewide: remove user descriptions (Erik Arvstedt)
4f6ff40 treewide: remove unneeded string literals (Erik Arvstedt)
e6a6c72 treewide: streamline 'extraConfig' descriptions (Erik Arvstedt)
e774c04 treewide: fix formatting (Erik Arvstedt)
0b5b29a netns-isolation: simplify permission definition for netns-exec (Erik Arvstedt)
a587a2b defaultHardening: explain where @System-service is defined (Erik Arvstedt)
bb3a697 README: minor improvements (Erik Arvstedt)
13fc9df examples: improve introductory comments (Erik Arvstedt)
af2040f netns-isolation: use 'true' for systemd option (Erik Arvstedt)
c246bbb bitcoind, clightning, lnd: improve descriptions (Erik Arvstedt)
7533f12 bitcoind, clightning, run-tests: minor refactoring (Erik Arvstedt)
41fe9b0 elementsd: minor refactoring (Erik Arvstedt)
f0850d3 btcpayserver: reorder config settings (Erik Arvstedt)
d1c0ea9 btcpayserver: add missing systemd postgresql dependency (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 0a2c8e4

Tree-SHA512: 5c81b36042fbb2f016c8e58ba9e05ef3389d5376b8df713d3258d2cd0b6a9239904531171aca8e49bea7039341d5fa91aa9474c6d98de849c25ede52deccc5a3

README.md

@@ -43,7 +43,7 @@ running nix-bitcoin does not require any previous experience with the Nix ecosys
 
 Examples
 ---
-See the [examples directory](examples/README.md).
+See [here for examples](examples/README.md).
 
 Features
 ---
@@ -76,7 +76,7 @@ NixOS modules
 * Helper
   * [netns-isolation](modules/netns-isolation.nix): isolates applications on the network-level via network namespaces
   * [nodeinfo](modules/nodeinfo.nix): script which prints info about the node's services
-  * [backups](modules/backups.nix): daily duplicity backups of all your node's important files
+  * [backups](modules/backups.nix): duplicity backups of all your node's important files
   * [operator](modules/operator.nix): adds non-root user `operator` who has access to client tools (e.g. `bitcoin-cli`, `lightning-cli`)
 
 Security

ci/build-to-cachix.sh

@@ -11,18 +11,8 @@ cachixCache=nix-bitcoin
 
 trap 'echo Error at line $LINENO' ERR
 
-atExit() {
-    rm -rf $tmpDir
-    if [[ -v cachixPid ]]; then stopCachix; fi
-}
 tmpDir=$(mktemp -d -p /tmp)
-trap atExit EXIT
-
-stopCachix() {
-    kill $cachixPid 2>/dev/null || true
-    # Wait for cachix to finish
-    tail --pid=$cachixPid -f /dev/null
-}
+trap "rm -rf $tmpDir" EXIT
 
 ## Instantiate
 
@@ -43,14 +33,14 @@ fi
 
 if [[ $CACHIX_SIGNING_KEY ]]; then
     # Speed up task by uploading store paths as soon as they are created
-    cachix push $cachixCache --watch-store &
-    cachixPid=$!
+    buildCmd="cachix watch-exec $cachixCache nix-build --"
+else
+    buildCmd=nix-build
 fi
 
-nix-build --out-link $tmpDir/result $tmpDir/drv >/dev/null
+$buildCmd --out-link $tmpDir/result $tmpDir/drv >/dev/null
 
 if [[ $CACHIX_SIGNING_KEY ]]; then
-    stopCachix
     cachix push $cachixCache $outPath
 fi
 

examples/deploy-container.sh

@@ -5,8 +5,8 @@ set -euo pipefail
 # Running this script leaves no traces on your host system.
 
 # This demo is a template for your own experiments.
-# Feel free to modify or to run nix-shell and execute individual statements of this
-# script in the interactive shell.
+# Run with option `--interactive` or `-i` to start a shell for interacting with
+# the node.
 
 if [[ ! -v IN_NIX_SHELL ]]; then
     echo "Running script in nix shell env..."

examples/deploy-nixops.sh

@@ -5,8 +5,8 @@ set -euo pipefail
 # Running this script leaves no traces on your host system.
 
 # This demo is a template for your own experiments.
-# Feel free to modify or to run nix-shell and execute individual statements of this
-# script in the interactive shell.
+# Run with option `--interactive` or `-i` to start a shell for interacting with
+# the node.
 
 if [[ ! -v IN_NIX_SHELL ]]; then
     echo "Running script in nix shell env..."

examples/deploy-qemu-vm.sh

@@ -5,8 +5,8 @@ set -euo pipefail
 # Running this script leaves no traces on your host system.
 
 # This demo is a template for your own experiments.
-# Feel free to modify or to run nix-shell and execute individual statements of this
-# script in the interactive shell.
+# Run with option `--interactive` or `-i` to start a shell for interacting with
+# the node.
 
 # MAKE SURE TO REPLACE the SSH identity file if you use this script for
 # anything serious.

modules/backups.nix

@@ -4,21 +4,23 @@ with lib;
 
 let
   cfg = config.services.backups;
+  secretsDir = config.nix-bitcoin.secretsDir;
+
   filelist = pkgs.writeText "filelist.txt" ''
     ${optionalString (!cfg.with-bulk-data) "- ${config.services.bitcoind.dataDir}/blocks"}
     ${optionalString (!cfg.with-bulk-data) "- ${config.services.bitcoind.dataDir}/chainstate"}
     ${config.services.bitcoind.dataDir}
     ${config.services.clightning.dataDir}
     ${config.services.lnd.dataDir}
-    /secrets/lnd-seed-mnemonic
+    ${secretsDir}/lnd-seed-mnemonic
     ${optionalString (!cfg.with-bulk-data) "- ${config.services.liquidd.dataDir}/*/blocks"}
     ${optionalString (!cfg.with-bulk-data) "- ${config.services.liquidd.dataDir}/*/chainstate"}
     ${config.services.liquidd.dataDir}
     ${optionalString cfg.with-bulk-data "${config.services.electrs.dataDir}"}
     ${config.services.nbxplorer.dataDir}
     ${config.services.btcpayserver.dataDir}
     ${config.services.joinmarket.dataDir}
-    /secrets/jm-wallet-seed
+    ${secretsDir}/jm-wallet-seed
     ${config.services.postgresqlBackup.location}/btcpaydb.sql.gz
     /var/lib/tor
     # Extra files
@@ -27,7 +29,6 @@ let
     # Exclude all unspecified files and directories
     - /
   '';
-
 in {
   options.services.backups = {
     enable = mkEnableOption "Backups service";
@@ -72,7 +73,7 @@ in {
           "--include-filelist" "${filelist}"
           "--full-if-older-than" "1M"
         ];
-        targetUrl = "${cfg.destination}";
+        targetUrl = cfg.destination;
         frequency = cfg.frequency;
         secretFile = "${config.nix-bitcoin.secretsDir}/backup-encryption-env";
       };

modules/bitcoind-rpc-public-whitelist.nix

@@ -58,5 +58,5 @@
   "validateaddress"
   "verifymessage"
   # Zmq
- "getzmqnotifications"
+  "getzmqnotifications"
 ]

modules/bitcoind.nix

@@ -7,7 +7,7 @@ let
   nbLib = config.nix-bitcoin.lib;
   secretsDir = config.nix-bitcoin.secretsDir;
 
-  configFile = pkgs.writeText "bitcoin.conf" ''
+  configFile = builtins.toFile "bitcoin.conf" ''
     # We're already logging via journald
     nodebuglogfile=1
 
@@ -90,7 +90,7 @@ in {
           par=16
           logips=1
         '';
-        description = "Additional configurations to be appended to <filename>bitcoin.conf</filename>.";
+        description = "Extra lines appended to <filename>bitcoin.conf</filename>.";
       };
       dataDir = mkOption {
         type = types.path;
@@ -138,7 +138,7 @@ in {
             alice.passwordHMAC = "f7efda5c189b999524f151318c0c86$d5b51b3beffbc02b724e5d095828e0bc8b2456e9ac8757ae3211a5d9b16a22ae";
             bob.passwordHMAC = "b2dd077cb54591a2f3139e69a897ac$4e71f08d48b4347cf8eff3815c0e25ae2e9a4340474079f55705f40574f4ec99";
           };
-          type = with types; loaOf (submodule ({ name, ... }: {
+          type = with types; attrsOf (submodule ({ name, ... }: {
             options = {
               name = mkOption {
                 type = types.str;
@@ -197,9 +197,7 @@ in {
       listen = mkOption {
         type = types.bool;
         default = false;
-        description = ''
-          If enabled, the bitcoin service will listen.
-        '';
+        description = "Accept incoming connections.";
       };
       dataDirReadableByGroup = mkOption {
         type = types.bool;
@@ -228,21 +226,15 @@ in {
         type = types.nullOr (types.ints.between 4 16384);
         default = null;
         example = 4000;
-        description = "Override the default database cache size in megabytes.";
+        description = "Override the default database cache size in MiB.";
       };
       prune = mkOption {
         type = types.ints.unsigned;
         default = 0;
         example = 10000;
         description = ''
-          Reduce storage requirements by enabling pruning (deleting) of old
-          blocks. This allows the pruneblockchain RPC to be called to delete
-          specific blocks, and enables automatic pruning of old blocks if a
-          target size in MiB is provided. This mode is incompatible with -txindex
-          and -rescan. Warning: Reverting this setting requires re-downloading
-          the entire blockchain. ("disable" = disable pruning blocks, "manual"
-          = allow manual pruning via RPC, >=550 = automatically prune block files
-          to stay under the specified target size in MiB)
+          Automatically prune block files to stay under the specified target size in MiB.
+          Value 0 disables pruning.
         '';
       };
       zmqpubrawblock = mkOption {
@@ -281,7 +273,7 @@ in {
         type = types.nullOr types.str;
         default = null;
         example = "bech32";
-        description = "What type of addresses to use";
+        description = "The type of addresses to use";
       };
       cli = mkOption {
         readOnly = true;
@@ -320,7 +312,6 @@ in {
     ];
 
     systemd.services.bitcoind = {
-      description = "Bitcoin daemon";
       requires = [ "nix-bitcoin-secrets.target" ];
       after = [ "network.target" "nix-bitcoin-secrets.target" ];
       wantedBy = [ "multi-user.target" ];
@@ -334,10 +325,10 @@ in {
       in ''
         ${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
         cfg=$(
-          cat ${configFile};
+          cat ${configFile}
           ${extraRpcauth}
           ${/* Enable bitcoin-cli for group 'bitcoin' */ ""}
-          printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged";
+          printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged"
           echo
           ${optionalString (cfg.getPublicAddressCmd != "") ''
             echo "externalip=$(${cfg.getPublicAddressCmd})"
@@ -351,13 +342,13 @@ in {
       serviceConfig = nbLib.defaultHardening // {
         Type = "notify";
         NotifyAccess = "all";
-        User = "${cfg.user}";
-        Group = "${cfg.group}";
+        User = cfg.user;
+        Group = cfg.group;
         TimeoutStartSec = 300;
         ExecStart = "${cfg.package}/bin/bitcoind -datadir='${cfg.dataDir}'";
         Restart = "on-failure";
         UMask = mkIf cfg.dataDirReadableByGroup "0027";
-        ReadWritePaths = "${cfg.dataDir}";
+        ReadWritePaths = cfg.dataDir;
       } // (if cfg.enforceTor
             then nbLib.allowTor
             else nbLib.allowAnyIP)
@@ -383,16 +374,13 @@ in {
         done
       '';
       serviceConfig = nbLib.defaultHardening // {
-        User = "${cfg.user}";
-        Group = "${cfg.group}";
-        ReadWritePaths = "${cfg.dataDir}";
+        User = cfg.user;
+        Group = cfg.group;
+        ReadWritePaths = cfg.dataDir;
       } // nbLib.allowTor;
     };
 
-    users.users.${cfg.user} = {
-      group = cfg.group;
-      description = "Bitcoin daemon user";
-    };
+    users.users.${cfg.user}.group = cfg.group;
     users.groups.${cfg.group} = {};
     users.groups.bitcoinrpc = {};
     nix-bitcoin.operator.groups = [ cfg.group ];