Merge fort-nix/nix-bitcoin#610: update nixpkgs

af87d5958a obsolete-options: simplify removal of clightning plugin `commando` (Erik Arvstedt) 9b575e4f3f test/backups: check that bitcoind stops without errors (Erik Arvstedt) 8a791b754e rtl: 0.13.6 -> 0.14.0 (Erik Arvstedt) 3650d4befe bitcoin: replace nixpkgs package with bitcoin{,d} 24.1 (Jonas Nick) 75e54bbb90 spark-wallet: remove package and module (Jonas Nick) 29a95ea311 clightning-rest: update module to v0.10.3 (Erik Arvstedt) 67475f768e clightning-rest: 0.9.0 -> 0.10.3 (Erik Arvstedt) fe76516790 bitcoind: update module to v25.0 (Erik Arvstedt) 9c59b96add clightning-plugins: add prometheus patch for clightning 23.05 (Jonas Nick) 9aea69e799 clightning-plugins: update (Jonas Nick) 2166bfd1ee clboss: deprecate, add clighting 23.05 compatibility (Erik Arvstedt) dcc5a543ae update nixpkgs (Jonas Nick) Pull request description: ACKs for top commit: erikarvstedt: ACK af87d5958a Tree-SHA512: 8bc6bc1aa01f342047b9b5cc468ab4af1f71a16d7f575f7e5108f2dfb0121160d777ead5b6714506a911066d594a37c6e14b774eb1bc1cb674ddea85e2e33c5a
2023-06-02 12:39:42 +00:00 · 2023-06-02 12:39:42 +00:00 · e3190b244f
commit e3190b244f
parent d9baa2e108 af87d5958a
33 changed files with 216 additions and 2951 deletions
--- a/README.md
+++ b/README.md
@ -90,7 +90,6 @@ NixOS modules ([src](modules/modules.nix))
    clightning [via WireGuard](./docs/services.md#use-zeus-mobile-lightning-wallet-via-wireguard) or
    [Tor](./docs/services.md#use-zeus-mobile-lightning-wallet-via-tor)
  * [Ride The Lightning](https://github.com/Ride-The-Lightning/RTL): web interface for `lnd` and `clightning`
-  * [spark-wallet](https://github.com/shesek/spark-wallet)
  * [electrs](https://github.com/romanz/electrs): Electrum server
  * [fulcrum](https://github.com/cculianu/Fulcrum): Electrum server (see [the module](modules/fulcrum.nix) for a comparison with electrs)
  * [btcpayserver](https://github.com/btcpayserver/btcpayserver)
--- a/SECURITY.md
+++ b/SECURITY.md
@ -45,7 +45,7 @@ all other security vulnerabilities.
 | Type | Description | Examples |
 | :-: | :-: | :-: |
 | Outright Vulnerabilities | Vulnerabilities in nix-bitcoin specific tooling (except CI tooling) | privilege escalation in SUID binary `netns-exec`, improper release signature verification through `fetch-release` |
-| Violations of [PoLP](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | nix-bitcoin services are given too much privilege over the system or unnecessary access to other nix-bitcoin services, or one of the nix-bitcoin isolation measures is incorrectly implemented | `netns-isolation` doesn't work, spark-wallet has access to bitcoin RPC interface or files |
+| Violations of [PoLP](https://en.wikipedia.org/wiki/Principle_of_least_privilege) | nix-bitcoin services are given too much privilege over the system or unnecessary access to other nix-bitcoin services, or one of the nix-bitcoin isolation measures is incorrectly implemented | `netns-isolation` doesn't work, RTL has access to bitcoin RPC interface or files |
 | Vulnerabilities in Dependencies | A vulnerability in any dependency of a nix-bitcoin installation with a configuration consisting of any combination of the following services: bitcoind, clightning, lnd, electrs, joinmarket, btcpayserver, liquidd.<br />**Note:** The vulnerability must first be reported to and handled by the maintainers of the dependency before it qualifies for a reward| Compromised NixOS expression pulls in malicious package, JoinMarket pulls in a python dependency with a known severe vulnerability |
 | Bad Documentation | Our documentation suggests blatantly insecure things | `install.md` tells you to add our SSH keys to your root user |
 | Compromise of Signing Key | Compromise of the nix-bitcoin signing key, i.e., `0xB1A70E4F8DCD0366` | Leaking the key, managing to sign something with it |
--- a/dev/dev-features.sh
+++ b/dev/dev-features.sh
@ -127,22 +127,6 @@ c systemctl status clightning-rest
 c journalctl -u clightning-rest
 c systemctl status clightning-rest-migrate-datadir

-#―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
-# spark-wallet
-
-run-tests.sh -s "{
-  services.spark-wallet.enable = true;
-  test.container.exposeLocalhost = true;
-}" container
-
-c systemctl status spark-wallet
-c journalctl -u spark-wallet
-
-sparkAuth=$(c cat /secrets/spark-wallet-login | grep -ohP '(?<=login=).*')
-curl -v http://$sparkAuth@$ip:9737
-# Open in browser
-runuser -u "$(logname)" -- xdg-open http://$sparkAuth@$ip:9737
-
 #―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
 # electrs

--- a/docs/services.md
+++ b/docs/services.md
@ -291,49 +291,6 @@ Create a plain text URL:
 lndconnect-wg --url
 ``````

-# Connect to spark-wallet
-### Requirements
-* Android phone
-* [Orbot](https://guardianproject.info/apps/orbot/) installed from [F-Droid](https://guardianproject.info/fdroid) (recommended) or [Google Play](https://play.google.com/store/apps/details?id=org.torproject.android&hl=en)
-* [Spark-wallet](https://github.com/shesek/spark-wallet) installed from [direct download](https://github.com/shesek/spark-wallet/releases) or [Google Play](https://play.google.com/store/apps/details?id=com.spark.wallet)
-
-1. Enable spark-wallet in `configuration.nix`
-
-    Change
-    ```
-    # services.spark-wallet.enable = true;
-    ```
-    to
-    ```
-    services.spark-wallet.enable = true;
-    ```
-
-2. Deploy new `configuration.nix`
-
-3. Enable Orbot VPN for spark-wallet
-
-    ```
-    Open Orbot app
-    Turn on "VPN Mode"
-    Select Gear icon under "Tor-Enabled Apps"
-    Toggle checkbox under Spark icon
-    ```
-
-4. Get the onion address, access key and QR access code for the spark wallet android app
-
-    ```
-    journalctl -eu spark-wallet
-    ```
-    Note: The qr code might have issues scanning if you have a light terminal theme. Try setting it to dark or highlighting the entire output to invert the colors.
-
-5. Connect to spark-wallet android app
-
-    ```
-    Server Settings
-    Scan QR
-    Done
-    ```
-
 # Connect to electrs
 ### Requirements Android
 * Android phone
--- a/examples/configuration.nix
+++ b/examples/configuration.nix
@ -126,12 +126,6 @@
  # Automatically enables lightning-loop.
  # services.rtl.nodes.lnd.loop = true;

-  ### SPARK WALLET
-  # Set this to enable spark-wallet, a minimalistic wallet GUI for
-  # c-lightning, accessible over the web or through mobile and desktop apps.
-  # Automatically enables clightning.
-  # services.spark-wallet.enable = true;
-
  ### ELECTRS
  # Set this to enable electrs, an Electrum server implemented in Rust.
  # services.electrs.enable = true;
--- a/flake.lock
+++ b/flake.lock
@ -10,11 +10,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1679648217,
-        "narHash": "sha256-aq2J5Hj5IE8X8X/7v3n0wcv8n+FLzzENbcCF9xqhxAc=",
+        "lastModified": 1683579895,
+        "narHash": "sha256-bjcFOul4kiq/a+wpUQP3l0XRY1/burbPdvxxqmlZx30=",
        "owner": "erikarvstedt",
        "repo": "extra-container",
-        "rev": "40c73f5e3292e73d6ce91625d9751be84fde17cb",
+        "rev": "46d9d7afb3d3de822217cd6515c150decf05868f",
        "type": "github"
      },
      "original": {
@ -43,11 +43,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1683207485,
-        "narHash": "sha256-gs+PHt/y/XQB7S8+YyBLAM8LjgYpPZUVFQBwpFSmJro=",
+        "lastModified": 1685215858,
+        "narHash": "sha256-IRMFoDXA6cYx3ifVw3B2JcC4JrjT5v7tRAx2vro2Ffs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "cc45a3f8c98e1c33ca996e3504adefbf660a72d1",
+        "rev": "ba6e4ddeb3e8ad3f3e3bec63dafbc9fe558729bb",
        "type": "github"
      },
      "original": {
@ -59,11 +59,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1683353485,
-        "narHash": "sha256-Skp5El3egmoXPiINWjnoW0ktVfB7PR/xc4F4bhD+BJY=",
+        "lastModified": 1685317056,
+        "narHash": "sha256-XyG7iSSrgqsnT90GZOvWWbJheagWvSon4LOwjGGFq6c=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "caf436a52b25164b71e0d48b671127ac2e2a5b75",
+        "rev": "6b554aae1cf48cb39d4a61a51f826859027a93e2",
        "type": "github"
      },
      "original": {
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -414,6 +414,8 @@ in {
      # Enable RPC access for group
      postStart = ''
        chmod g=r '${cfg.dataDir}/${optionalString cfg.regtest "regtest/"}.cookie'
+      '' + (optionalString cfg.regtest) ''
+        chmod g=x '${cfg.dataDir}/regtest'
      '';

      serviceConfig = nbLib.defaultHardening // {
--- a/modules/clightning-plugins/clboss.nix
+++ b/modules/clightning-plugins/clboss.nix
@ -12,6 +12,11 @@ let cfg = config.services.clightning.plugins.clboss; in
        See also: https://github.com/ZmnSCPxj/clboss#operating
      '';
    };
+    acknowledgeDeprecation = mkOption {
+      type = types.bool;
+      default = false;
+      internal = true;
+    };
    min-onchain = mkOption {
      type = types.ints.positive;
      default = 30000;
@ -49,6 +54,22 @@ let cfg = config.services.clightning.plugins.clboss; in
  };

  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.acknowledgeDeprecation;
+        message = ''
+          `clboss` is no longer maintained and has been deprecated.
+
+          Warning: For compatibility with clighting 23.05, the nix-bitcoin `clboss` package
+          includes a third-party fix that has not been thoroughly tested:
+          https://github.com/ZmnSCPxj/clboss/pull/162
+
+          To ignore this warning and continue using `clboss`, add the following to your config:
+          services.clightning.plugins.clboss.acknowledgeDeprecation = true;
+        '';
+      }
+    ];
+
    services.clightning.extraConfig = ''
      plugin=${cfg.package}/bin/clboss
      clboss-min-onchain=${toString cfg.min-onchain}
@ -56,6 +77,7 @@ let cfg = config.services.clightning.plugins.clboss; in
      clboss-max-channel=${toString cfg.max-channel}
      clboss-zerobasefee=${cfg.zerobasefee}
    '';
+
    systemd.services.clightning.path = [
      pkgs.dnsutils
    ] ++ optional config.services.clightning.tor.proxy (hiPrio config.nix-bitcoin.torify);
--- a/modules/clightning-rest.nix
+++ b/modules/clightning-rest.nix
@ -97,6 +97,7 @@ in {
        Restart = "on-failure";
        RestartSec = "10s";
        ReadWritePaths = [ cfg.dataDir ];
+        inherit (nbLib.allowNetlink) RestrictAddressFamilies;
      } // nbLib.allowedIPAddresses cfg.tor.enforce
        // nbLib.nodejs;
    };
--- a/modules/modules.nix
+++ b/modules/modules.nix
@ -14,7 +14,6 @@
    ./clightning-plugins
    ./clightning-rest.nix
    ./clightning-replication.nix
-    ./spark-wallet.nix
    ./lnd.nix
    ./lightning-loop.nix
    ./lightning-pool.nix
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@ -244,10 +244,6 @@ in {
        id = 16;
        connections = [ "bitcoind" ];
      };
-      spark-wallet = {
-        id = 17;
-        # communicates with clightning over lightning-rpc socket
-      };
      nginx = {
        id = 21;
      };
@ -332,11 +328,6 @@ in {

    services.fulcrum.address = netns.fulcrum.address;

-    services.spark-wallet = {
-      address = netns.spark-wallet.address;
-      extraArgs = "--no-tls";
-    };
-
    services.lightning-loop.rpcAddress = netns.lightning-loop.address;

    services.nbxplorer.address = netns.nbxplorer.address;
--- a/modules/nodeinfo.nix
+++ b/modules/nodeinfo.nix
@ -145,7 +145,6 @@ in {
      clightning-rest = mkInfo "";
      electrs = mkInfo "";
      fulcrum = mkInfo "";
-      spark-wallet = mkInfo "";
      btcpayserver = mkInfo "";
      liquidd = mkInfo "";
      joinmarket-ob-watcher = mkInfo "";
--- a/modules/obsolete-options.nix
+++ b/modules/obsolete-options.nix
@ -24,7 +24,6 @@ in {
    (mkRenamedOptionModule [ "services" "bitcoind" "rpcthreads" ] [ "services" "bitcoind" "rpc" "threads" ])
    (mkRenamedOptionModule [ "services" "clightning" "bind-addr" ] [ "services" "clightning" "address" ])
    (mkRenamedOptionModule [ "services" "clightning" "bindport" ] [ "services" "clightning" "port" ])
-    (mkRenamedOptionModule [ "services" "spark-wallet" "host" ] [ "services" "spark-wallet" "address" ])
    (mkRenamedOptionModule [ "services" "lnd" "rpclisten" ] [ "services" "lnd" "rpcAddress" ])
    (mkRenamedOptionModule [ "services" "lnd" "listen" ] [ "services" "lnd" "address" ])
    (mkRenamedOptionModule [ "services" "lnd" "listenPort" ] [ "services" "lnd" "port" ])
@ -75,7 +74,6 @@ in {
    "lightning-pool"
    "liquid"
    "lnd"
-    "spark-wallet"
    "bitcoind"
  ]) ++
  (map mkRenamedEnforceTorOption [
@ -84,21 +82,25 @@ in {
    "electrs"
  ]) ++
  # 0.0.77
-  (
-    let
-      optionName = [ "services" "clightning" "plugins" "commando" ];
-    in [
-      (mkRemovedOptionModule (optionName ++ [ "enable" ]) ''
-        clightning 0.12.0 ships with a reimplementation of the commando plugin
-        that is incompatible with the commando module that existed in
-        nix-bitcoin. The new built-in commando plugin is always enabled. For
-        information on how to use it, run `lightning-cli help commando` and
-        `lightning-cli help commando-rune`.
-      '')
-      (mkRemovedOptionModule (optionName ++ [ "readers" ]) "")
-      (mkRemovedOptionModule (optionName ++ [ "writers" ]) "")
-  ]);
-
+  [
+    (mkRemovedOptionModule [ "services" "clightning" "plugins" "commando" ] ''
+      clightning 0.12.0 ships with a reimplementation of the commando plugin
+      that is incompatible with the commando module that existed in
+      nix-bitcoin. The new built-in commando plugin is always enabled. For
+      information on how to use it, run `lightning-cli help commando` and
+      `lightning-cli help commando-rune`.
+    '')
+  ] ++
+  # 0.0.92
+  [
+    (mkRemovedOptionModule [ "services" "spark-wallet" ] ''
+      Spark Lightning Wallet is unmaintained and incompatible with clightning
+      23.05. Therefore, the spark-wallet module has been removed from
+      nix-bitcoin. For a replacement, consider using the rtl (Ride The
+      Lightning) module or the clightning-rest module in combination with the
+      Zeus mobile wallet.
+    '')
+  ];
  config = {
    # Migrate old clightning-rest datadir from nix-bitcoin versions < 0.0.70
    systemd.services.clightning-rest-migrate-datadir = let
--- a/modules/onion-services.nix
+++ b/modules/onion-services.nix
@ -104,15 +104,6 @@ in {
    # Set sensible defaults for some services
    {
      nix-bitcoin.onionServices = {
-        spark-wallet = {
-          externalPort = 80;
-          # Enable 'public' by default, but don't auto-enable the onion service.
-          # When the onion service is enabled, 'public' lets spark-wallet generate
-          # a QR code for accessing the web interface.
-          public = true;
-          # Low priority so we can override this with mkDefault in ./presets/enable-tor.nix
-          enable = mkOverride 1400 false;
-        };
        btcpayserver = {
          externalPort = 80;
        };
--- a/modules/presets/enable-tor.nix
+++ b/modules/presets/enable-tor.nix
@ -26,7 +26,6 @@ in {
    # TODO-EXTERNAL:
    # disable Tor enforcement until btcpayserver can fetch rates over Tor
    # btcpayserver = defaultEnableTorProxy;
-    spark-wallet = defaultEnableTorProxy;
    lightning-pool = defaultEnableTorProxy;

    # These services don't make outgoing connections
@ -48,7 +47,6 @@ in {
    liquidd.enable = defaultTrue;
    electrs.enable = defaultTrue;
    fulcrum.enable = defaultTrue;
-    spark-wallet.enable = defaultTrue;
    joinmarket-ob-watcher.enable = defaultTrue;
    rtl.enable = defaultTrue;
  };
--- a/modules/spark-wallet.nix
+++ b/modules/spark-wallet.nix
@ -1,98 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
-  options.services.spark-wallet = {
-    enable = mkEnableOption "spark-wallet";
-    address = mkOption {
-      type = types.str;
-      default = "localhost";
-      description = mdDoc "http(s) server address.";
-    };
-    port = mkOption {
-      type = types.port;
-      default = 9737;
-      description = mdDoc "http(s) server port.";
-    };
-    extraArgs = mkOption {
-      type = types.separatedString " ";
-      default = "";
-      description = mdDoc "Extra command line arguments passed to spark-wallet.";
-    };
-    getPublicAddressCmd = mkOption {
-      type = types.str;
-      default = "";
-      description = mdDoc ''
-        Bash expression which outputs the public service address.
-        If set, spark-wallet prints a QR code to the systemd journal which
-        encodes an URL for accessing the web interface.
-      '';
-    };
-    user = mkOption {
-      type = types.str;
-      default = "spark-wallet";
-      description = mdDoc "The user as which to run spark-wallet.";
-    };
-    group = mkOption {
-      type = types.str;
-      default = cfg.user;
-      description = mdDoc "The group as which to run spark-wallet.";
-    };
-    tor = nbLib.tor;
-  };
-
-  cfg = config.services.spark-wallet;
-  nbLib = config.nix-bitcoin.lib;
-
-  clightning = config.services.clightning;
-
-  # Use wasabi rate provider because the default (bitstamp) doesn't accept
-  # connections through Tor
-  torRateProvider = "--rate-provider wasabi --proxy socks5h://${config.nix-bitcoin.torClientAddressWithPort}";
-  startScript = ''
-    ${optionalString (cfg.getPublicAddressCmd != "") ''
-      publicURL=(--public-url "http://$(${cfg.getPublicAddressCmd})")
-    ''}
-    exec ${config.nix-bitcoin.pkgs.spark-wallet}/bin/spark-wallet \
-      --ln-path '${clightning.networkDir}'  \
-      --host ${cfg.address} --port ${toString cfg.port} \
-      --config '${config.nix-bitcoin.secretsDir}/spark-wallet-login' \
-      ${optionalString cfg.tor.proxy torRateProvider} \
-      ${optionalString (cfg.getPublicAddressCmd != "") ''"''${publicURL[@]}"''} \
-      --pairing-qr --print-key ${cfg.extraArgs}
-  '';
-in {
-  inherit options;
-
-  config = mkIf cfg.enable {
-    services.clightning.enable = true;
-
-    systemd.services.spark-wallet = {
-      wantedBy = [ "multi-user.target" ];
-      requires = [ "clightning.service" ];
-      after = [ "clightning.service" ];
-      script = startScript;
-      serviceConfig = nbLib.defaultHardening // {
-        User = cfg.user;
-        Restart = "on-failure";
-        RestartSec = "10s";
-      } // nbLib.allowedIPAddresses cfg.tor.enforce
-        // nbLib.nodejs;
-    };
-
-    users.users.${cfg.user} = {
-      isSystemUser = true;
-      group = cfg.group;
-      extraGroups = [ clightning.group ];
-    };
-    users.groups.${cfg.group} = {};
-
-    nix-bitcoin.secrets.spark-wallet-login.user = cfg.user;
-    nix-bitcoin.generateSecretsCmds.spark-wallet = ''
-      makePasswordSecret spark-wallet-password
-      if [[ spark-wallet-password -nt spark-wallet-login ]]; then
-         echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
-      fi
-    '';
-  };
-}
--- a/pkgs/bitcoin/default.nix
+++ b/pkgs/bitcoin/default.nix
@ -0,0 +1,107 @@
+# Copied from nixpkgs 4a22f6f0a4b4354778f786425babce9a56f6b5d8
+{ lib
+, stdenv
+, fetchurl
+, autoreconfHook
+, pkg-config
+, util-linux
+, hexdump
+, autoSignDarwinBinariesHook
+, wrapQtAppsHook ? null
+, boost
+, libevent
+, miniupnpc
+, zeromq
+, zlib
+, db48
+, sqlite
+, qrencode
+, qtbase ? null
+, qttools ? null
+, python3
+, nixosTests
+, withGui
+, withWallet ? true
+}:
+
+let
+  desktop = fetchurl {
+    # c2e5f3e is the last commit when the debian/bitcoin-qt.desktop file was changed
+    url = "https://raw.githubusercontent.com/bitcoin-core/packaging/c2e5f3e20a8093ea02b73cbaf113bc0947b4140e/debian/bitcoin-qt.desktop";
+    sha256 = "0cpna0nxcd1dw3nnzli36nf9zj28d2g9jf5y0zl9j18lvanvniha";
+  };
+in
+stdenv.mkDerivation rec {
+  pname = if withGui then "bitcoin" else "bitcoind";
+  version = "24.1";
+
+  src = fetchurl {
+    urls = [
+      "https://bitcoincore.org/bin/bitcoin-core-${version}/bitcoin-${version}.tar.gz"
+    ];
+    # hash retrieved from signed SHA256SUMS
+    sha256 = "8a0a3db3b2d9cc024e897113f70a3a65d8de831c129eb6d1e26ffa65e7bfaf4e";
+  };
+
+  nativeBuildInputs =
+    [ autoreconfHook pkg-config ]
+    ++ lib.optionals stdenv.isLinux [ util-linux ]
+    ++ lib.optionals stdenv.isDarwin [ hexdump ]
+    ++ lib.optionals (stdenv.isDarwin && stdenv.isAarch64) [ autoSignDarwinBinariesHook ]
+    ++ lib.optionals withGui [ wrapQtAppsHook ];
+
+  buildInputs = [ boost libevent miniupnpc zeromq zlib ]
+    ++ lib.optionals withWallet [ db48 sqlite ]
+    ++ lib.optionals withGui [ qrencode qtbase qttools ];
+
+  postInstall = lib.optionalString withGui ''
+    install -Dm644 ${desktop} $out/share/applications/bitcoin-qt.desktop
+    substituteInPlace $out/share/applications/bitcoin-qt.desktop --replace "Icon=bitcoin128" "Icon=bitcoin"
+    install -Dm644 share/pixmaps/bitcoin256.png $out/share/pixmaps/bitcoin.png
+  '';
+
+  configureFlags = [
+    "--with-boost-libdir=${boost.out}/lib"
+    "--disable-bench"
+  ] ++ lib.optionals (!doCheck) [
+    "--disable-tests"
+    "--disable-gui-tests"
+  ] ++ lib.optionals (!withWallet) [
+    "--disable-wallet"
+  ] ++ lib.optionals withGui [
+    "--with-gui=qt5"
+    "--with-qt-bindir=${qtbase.dev}/bin:${qttools.dev}/bin"
+  ];
+
+  nativeCheckInputs = [ python3 ];
+
+  doCheck = true;
+
+  checkFlags =
+    [ "LC_ALL=en_US.UTF-8" ]
+    # QT_PLUGIN_PATH needs to be set when executing QT, which is needed when testing Bitcoin's GUI.
+    # See also https://github.com/NixOS/nixpkgs/issues/24256
+    ++ lib.optional withGui "QT_PLUGIN_PATH=${qtbase}/${qtbase.qtPluginPrefix}";
+
+  enableParallelBuilding = true;
+
+  passthru.tests = {
+    smoke-test = nixosTests.bitcoind;
+  };
+
+  meta = with lib; {
+    description = "Peer-to-peer electronic cash system";
+    longDescription = ''
+      Bitcoin is a free open source peer-to-peer electronic cash system that is
+      completely decentralized, without the need for a central server or trusted
+      parties. Users hold the crypto keys to their own money and transact directly
+      with each other, with the help of a P2P network to check for double-spending.
+    '';
+    homepage = "https://bitcoin.org/en/";
+    downloadPage = "https://bitcoincore.org/bin/bitcoin-core-${version}/";
+    changelog = "https://bitcoincore.org/en/releases/${version}/";
+    maintainers = with maintainers; [ prusnak roconnor ];
+    license = licenses.mit;
+    platforms = platforms.unix;
+  };
+}
--- a/pkgs/clboss/default.nix
+++ b/pkgs/clboss/default.nix
@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, pkgconfig, curl, libev, sqlite }:
+{ lib, stdenv, fetchurl, fetchpatch, pkgconfig, curl, libev, sqlite }:

 let
  curlWithGnuTLS = curl.override { gnutlsSupport = true; opensslSupport = false; };
@ -12,6 +12,15 @@ stdenv.mkDerivation rec {
    hash = "sha256-LTDJrm9Mk4j7Z++tKJKawEurgF1TnYuIoj+APbDHll4=";
  };

+  patches = [
+    # https://github.com/ZmnSCPxj/clboss/pull/162, required for clighting 23.05
+    (fetchpatch {
+      name = "fix-json-rpc";
+      url = "https://github.com/ZmnSCPxj/clboss/commit/a4bb0192550803db3d07628a29284a76f7204365.patch";
+      sha256 = "sha256-1iBJlOnt7n2xXNDgzH3PAvLryZcpM4VWNaWcEegbapQ=";
+    })
+  ];
+
  nativeBuildInputs = [ pkgconfig libev curlWithGnuTLS sqlite ];

  enableParallelBuilding = true;
--- a/pkgs/clightning-plugins/default.nix
+++ b/pkgs/clightning-plugins/default.nix
@ -6,8 +6,8 @@ let
  src = pkgs.fetchFromGitHub {
    owner = "lightningd";
    repo = "plugins";
-    rev = "e625369423b00c70b23641662f62ccd898286edc";
-    sha256 = "04f30xlfr7pgdmdgka87x7sc9j82wc4zv7fbiqrjsc83dkmly81i";
+    rev = "eee5e90df442586b7f891df4fc0c67d273534737";
+    sha256 = "0ry6gxp9gqpzpdjykx0a5q53saai5jydwvcy6smsh0f5dmjl8srh";
  };

  version = builtins.substring 0 7 src.rev;
@ -33,6 +33,14 @@ let
      patchRequirements =
        "--replace prometheus-client==0.6.0 prometheus-client==0.15.0"
        + " --replace pyln-client~=0.9.3 pyln-client~=23.02";
+      patches = [
+        # https://github.com/lightningd/plugins/pull/451
+        (pkgs.fetchpatch {
+          name = "202305-prometheus-msat-purge";
+          url = "https://github.com/lightningd/plugins/commit/f8a27b97a1b9ded8790c1f033b1f4268c0a6e210.patch";
+          sha256 = "sha256-0lFMhHHIi9bUU0+xaHhpnascNlFmr51JxE6e2F0s0zc=";
+        })
+      ];
    };
    rebalance = {
      description = "Keeps your channels balanced";
@ -74,6 +82,8 @@ let
        patchShebangs '${script}'
      '';

+      patches = plugin.patches or [];
+
      passthru.path = "${drv}/${script}";

      meta = with lib; {
--- a/pkgs/clightning-rest/default.nix
+++ b/pkgs/clightning-rest/default.nix
@ -9,11 +9,11 @@
 }:
 let self = stdenvNoCC.mkDerivation {
  pname = "clightning-rest";
-  version = "0.9.0";
+  version = "0.10.3";

  src = fetchurl {
    url = "https://github.com/Ride-The-Lightning/c-lightning-REST/archive/refs/tags/v${self.version}.tar.gz";
-    hash = "sha256-1thorV/UivDDH7oqjfm8VTd47LYSGooR2yEoETgBOH4=";
+    hash = "sha256-1yGKCLO+hTHJG+xNLnNeySU/Awk7DxqhXHJHQAjMgAs=";
  };

  passthru = {
@ -22,7 +22,7 @@ let self = stdenvNoCC.mkDerivation {

    nodeModules = fetchNodeModules {
      inherit (self) src nodejs;
-      hash = "sha256-rQrAt2BDmNMUCVWxTJN3qoPonKlRWeJ8C4ZvF/gPygk=";
+      hash = "sha256-s98VHqSWGP9eI4oKL8XMyszmxAcLOvElolF5OdtDKCA=";
    };
  };

--- a/pkgs/clightning-rest/generate.sh
+++ b/pkgs/clightning-rest/generate.sh
@ -2,7 +2,7 @@
 set -euo pipefail
 . "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"

-version="0.9.0"
+version="0.10.3"
 repo=https://github.com/Ride-The-Lightning/c-lightning-REST

 scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -10,6 +10,21 @@ in
  }
 }:
 let self = {
+  # TODO-EXTERNAL:
+  # Remove bitcoin and bitcoind 24.1 packages and replace with 25.0 from nixpkgs
+  # when https://github.com/bitcoin/bitcoin/issues/27722 has been resolved
+  bitcoin  = pkgsUnstable.libsForQt5.callPackage ./bitcoin {
+    stdenv = if pkgsUnstable.stdenv.isDarwin then pkgsUnstable.darwin.apple_sdk_11_0.stdenv else pkgsUnstable.stdenv;
+    boost = pkgsUnstable.boost17x;
+    withGui = true;
+    inherit (pkgsUnstable.darwin) autoSignDarwinBinariesHook;
+  };
+
+  bitcoind = pkgsUnstable.callPackage ./bitcoin {
+    boost = pkgsUnstable.boost17x;
+    withGui = false;
+    inherit (pkgsUnstable.darwin) autoSignDarwinBinariesHook;
+  };
  clightning-rest = pkgs.callPackage ./clightning-rest { inherit (self) fetchNodeModules; };
  clboss = pkgs.callPackage ./clboss { };
  clightning-plugins = pkgs.recurseIntoAttrs (import ./clightning-plugins pkgs self.nbPython3Packages);
@ -19,7 +34,6 @@ let self = {
  rtl = pkgs.callPackage ./rtl { inherit (self) fetchNodeModules; };
  # The secp256k1 version used by joinmarket
  secp256k1 = pkgs.callPackage ./secp256k1 { };
-  spark-wallet = pkgs.callPackage ./spark-wallet { };
  trustedcoin = pkgs.callPackage ./trustedcoin { };

  # TODO-EXTERNAL:
--- a/pkgs/pinned.nix
+++ b/pkgs/pinned.nix
@ -2,8 +2,6 @@
 pkgs: pkgsUnstable:
 {
  inherit (pkgs)
-    bitcoin
-    bitcoind
    extra-container
    lightning-pool
    lndconnect;
--- a/pkgs/rtl/default.nix
+++ b/pkgs/rtl/default.nix
@ -10,11 +10,11 @@
 }:
 let self = stdenvNoCC.mkDerivation {
  pname = "rtl";
-  version = "0.13.6";
+  version = "0.14.0";

  src = fetchurl {
    url = "https://github.com/Ride-The-Lightning/RTL/archive/refs/tags/v${self.version}.tar.gz";
-    hash = "sha256-eyRM28h2TV3IyW4hDPHj/wMJxLEZin7AqWQZGQt5mV4=";
+    hash = "sha256-OO2liEUhAA9KRtdyVLMsQKcQ7/l1gxNtvwyD1Lv0Ctk=";
  };

  passthru = {
@ -26,7 +26,7 @@ let self = stdenvNoCC.mkDerivation {
      # TODO-EXTERNAL: Remove `npmFlags` when no longer required
      # See: https://github.com/Ride-The-Lightning/RTL/issues/1182
      npmFlags = "--legacy-peer-deps";
-      hash = "sha256-C4yK6deYXPrTa383aXiHoO0w3JAMIfAaESCEy9KKY2k=";
+      hash = "sha256-0VDavs6zxhHwoja861ra5DxTOl+gmif4IyTFVjzYj6E=";
    };
  };

--- a/pkgs/rtl/generate.sh
+++ b/pkgs/rtl/generate.sh
@ -2,7 +2,7 @@
 set -euo pipefail
 . "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "gnupg wget gnused" "$@"

-version="0.13.6"
+version="0.14.0"
 repo=https://github.com/Ride-The-Lightning/RTL

 scriptDir=$(cd "${BASH_SOURCE[0]%/*}" && pwd)
--- a/pkgs/spark-wallet/composition.nix
+++ b/pkgs/spark-wallet/composition.nix
@ -1,17 +0,0 @@
-# This file has been generated by node2nix 1.9.0. Do not edit!
-
-{pkgs ? import <nixpkgs> {
-    inherit system;
-  }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-14_x"}:
-
-let
-  nodeEnv = import (pkgs.path + "/pkgs/development/node-packages/node-env.nix") {
-    inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript;
-    inherit pkgs nodejs;
-    libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
-  };
-in
-import ./node-packages.nix {
-  inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit;
-  inherit nodeEnv;
-}
--- a/pkgs/spark-wallet/default.nix
+++ b/pkgs/spark-wallet/default.nix
@ -1,16 +0,0 @@
-{ pkgs, lib }:
-let
-  nodePackages = import ./composition.nix { inherit pkgs; };
-in
-nodePackages.package.override {
-  # Required because spark-wallet uses `npm-shrinkwrap.json` as the lock file
-  reconstructLock = true;
-
-  meta = with lib; {
-    description = "A minimalistic wallet GUI for c-lightning";
-    homepage = "https://github.com/shesek/spark-wallet";
-    license = licenses.mit;
-    maintainers = with maintainers; [ nixbitcoin erikarvstedt ];
-    platforms = platforms.unix;
-  };
-}
--- a/pkgs/spark-wallet/generate.sh
+++ b/pkgs/spark-wallet/generate.sh
@ -1,58 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-. "${BASH_SOURCE[0]%/*}/../../helper/run-in-nix-env" "nodePackages.node2nix gnupg wget jq moreutils gnused" "$@"
-
-TMPDIR=$(mktemp -d -p /tmp)
-trap 'rm -rf $TMPDIR' EXIT
-
-version="0.3.1"
-repo=https://github.com/shesek/spark-wallet
-
-# Fetch and verify source tarball
-file=spark-wallet-${version}-npm.tgz
-url=$repo/releases/download/v${version}/$file
-export GNUPGHOME=$TMPDIR
-gpg --keyserver hkps://keyserver.ubuntu.com --recv-key FCF19B67866562F08A43AAD681F6104CD0F150FC
-wget -P "$TMPDIR" "$url"
-wget -P "$TMPDIR" "$repo/releases/download/v${version}/SHA256SUMS.asc"
-gpg --verify "$TMPDIR/SHA256SUMS.asc"
-(cd "$TMPDIR"; sha256sum --check --ignore-missing SHA256SUMS.asc)
-hash=$(nix hash file "$TMPDIR/$file")
-
-# Extract source
-src=$TMPDIR/src
-mkdir "$src"
-tar xvf "$TMPDIR/$file" -C "$src" --strip-components 1 >/dev/null
-
-# Make qrcode-terminal a strict dependency so that node2nix includes it in the package derivation.
-jq '.dependencies["qrcode-terminal"] = .optionalDependencies["qrcode-terminal"]' "$src/package.json" | sponge "$src/package.json"
-
-node2nix \
-  --nodejs-14 \
-  --input "$src/package.json" \
-  --lock "$src/npm-shrinkwrap.json" \
-  --composition composition.nix \
-  --no-copy-node-env
-
-# Use node-env.nix from nixpkgs
-# shellcheck disable=SC2016
-nodeEnvImport='import "${toString pkgs.path}/pkgs/development/node-packages/node-env.nix"'
-sed -i "s|import ./node-env.nix|$nodeEnvImport|" composition.nix
-
-# Use the verified package src
-read -rd '' fetchurl <<EOF || :
-fetchurl {
-      url = "$url";
-      hash = "$hash";
-    };
-EOF
-
-sed -i "
-  # Use the verified package src
-  s|src = .*/src;|src = ${fetchurl//$'\n'/\\n}|
-
-  # github: use HTTPS instead of SSH, which requires user authentication
-  s|git+ssh://git@|https://|
-  s|ssh://git@|https://|
-  s|\.git#|#|
-" node-packages.nix
--- a/pkgs/spark-wallet/node-packages.nix
+++ b/pkgs/spark-wallet/node-packages.nix
--- a/pkgs/spark-wallet/supplement.nix
+++ b/pkgs/spark-wallet/supplement.nix
@ -1,8 +0,0 @@
-# This file has been generated by node2nix 1.8.0. Do not edit!
-
-{nodeEnv, fetchurl, fetchgit, globalBuildInputs ? []}:
-
-let
-  sources = {};
-in
-{}
--- a/test/nixos-search/flake.lock
+++ b/test/nixos-search/flake.lock
@ -18,11 +18,11 @@
    "nixos-org-configurations": {
      "flake": false,
      "locked": {
-        "lastModified": 1679995724,
-        "narHash": "sha256-x5ElztEfo+vFEQdePneBEfQZcAtU5a7SWHHAuEESMts=",
+        "lastModified": 1684789677,
+        "narHash": "sha256-0bgI19EblaO0ybzZuQpnizrMTg2rXd474J5p1KzmN6c=",
        "owner": "NixOS",
        "repo": "nixos-org-configurations",
-        "rev": "72adc59c5ba946c3d4844a920e9beefae12bbd49",
+        "rev": "f27bdec45066d828dba681cc0d2655a4ad8edb0e",
        "type": "github"
      },
      "original": {
@ -39,11 +39,11 @@
        "npmlock2nix": "npmlock2nix"
      },
      "locked": {
-        "lastModified": 1683204679,
-        "narHash": "sha256-GrZj4skt6pjcNMmGQxvf5bSDYPzNahWKSNsHAtx5ERI=",
+        "lastModified": 1684846999,
+        "narHash": "sha256-Fzik+dzJFGAFc7ltJ7TwG0/b75rA8ChVSqdczFhQ6WY=",
        "owner": "nixos",
        "repo": "nixos-search",
-        "rev": "0498effc4137095938f16fd752cc81a96901554f",
+        "rev": "c4a21127f53a9a81e85552d3ca6164da59489c1c",
        "type": "github"
      },
      "original": {
--- a/test/tests.nix
+++ b/test/tests.nix
@ -73,8 +73,6 @@ let
        echo a > rtl-password
      '');

-      tests.spark-wallet = cfg.spark-wallet.enable;
-
      tests.lnd = cfg.lnd.enable;
      services.lnd = {
        port = 9736;
@ -145,6 +143,7 @@ let
    (mkIf config.test.features.clightningPlugins {
      services.clightning.plugins = {
        clboss.enable = true;
+        clboss.acknowledgeDeprecation = true;
        feeadjuster.enable = true;
        helpme.enable = true;
        monitor.enable = true;
@ -185,7 +184,6 @@ let
      };
      test.features.clightningPlugins = true;
      services.rtl.enable = true;
-      services.spark-wallet.enable = true;
      services.clightning-rest.enable = true;
      services.clightning-rest.lndconnect = { enable = true; onion = true; };
      services.lnd.enable = true;
@ -235,7 +233,6 @@ let
      services.clightning-rest.enable = true;
      services.liquidd.enable = true;
      services.rtl.enable = true;
-      services.spark-wallet.enable = true;
      services.lnd.enable = true;
      services.lightning-loop.enable = true;
      services.lightning-pool.enable = true;
--- a/test/tests.py
+++ b/test/tests.py
@ -248,16 +248,9 @@ def _():
 def _():
    assert_running("clightning-rest")
    machine.wait_until_succeeds(
-        log_has_string("clightning-rest", "cl-rest api server is ready and listening on port: 3001")
+        log_has_string("clightning-rest", "cl-rest api server is ready and listening")
    )

-@test("spark-wallet")
-def _():
-    assert_running("spark-wallet")
-    wait_for_open_port(ip("spark-wallet"), 9737)
-    spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
-    assert_matches(f"curl -fsS {spark_auth}@{ip('spark-wallet')}:9737", "Spark")
-
@test("joinmarket")
 def _():
    assert_running("joinmarket")
@ -315,7 +308,7 @@ def _():

    # These reachability tests are non-exhaustive
    assert_reachable("bitcoind", ["clightning", "lnd", "liquidd"])
-    assert_unreachable("bitcoind", ["btcpayserver", "spark-wallet", "lightning-loop"])
+    assert_unreachable("bitcoind", ["btcpayserver", "rtl", "lightning-loop"])
    assert_unreachable("btcpayserver", ["bitcoind", "lightning-loop"])

    # netns addresses can not be bound to in the main netns.
@ -346,6 +339,7 @@ def _():
    succeed("bitcoin-cli -named createwallet wallet_name=test blank=true >/dev/null")

    succeed("systemctl stop bitcoind")
+    assert_matches("systemctl show -p ExecMainStatus --value bitcoind", "^0$")
    succeed("systemctl start duplicity")
    machine.wait_until_succeeds(log_has_string("duplicity", "duplicity.service: Deactivated successfully."))
    run_duplicity = "export $(cat /secrets/backup-encryption-env); duplicity"