90ce68cb16
Now all services that access secrets only run after the secrets setup has finished. Previously, we assumed that the systemd `after` dependency is transitive, i.e. that adding an `after = [ "bitcoind.service" ]` to a service implicitly pulled in the `after` dependency to `nix-bitcoin-secrets.target` (which is defined for `bitcoind`). This is not the case. Services could start before secrets setup had finished, leading to service failure.
333 lines
11 KiB
Nix
333 lines
11 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
let
|
|
options.services.lnd = {
|
|
enable = mkEnableOption "Lightning Network daemon, a Lightning Network implementation in Go";
|
|
address = mkOption {
|
|
type = types.str;
|
|
default = "127.0.0.1";
|
|
description = mdDoc "Address to listen for peer connections";
|
|
};
|
|
port = mkOption {
|
|
type = types.port;
|
|
default = 9735;
|
|
description = mdDoc "Port to listen for peer connections";
|
|
};
|
|
rpcAddress = mkOption {
|
|
type = types.str;
|
|
default = "127.0.0.1";
|
|
description = mdDoc "Address to listen for RPC connections.";
|
|
};
|
|
rpcPort = mkOption {
|
|
type = types.port;
|
|
default = 10009;
|
|
description = mdDoc "Port to listen for gRPC connections.";
|
|
};
|
|
restAddress = mkOption {
|
|
type = types.str;
|
|
default = "127.0.0.1";
|
|
description = mdDoc "Address to listen for REST connections.";
|
|
};
|
|
restPort = mkOption {
|
|
type = types.port;
|
|
default = 8080;
|
|
description = mdDoc "Port to listen for REST connections.";
|
|
};
|
|
dataDir = mkOption {
|
|
type = types.path;
|
|
default = "/var/lib/lnd";
|
|
description = mdDoc "The data directory for LND.";
|
|
};
|
|
networkDir = mkOption {
|
|
readOnly = true;
|
|
default = "${cfg.dataDir}/chain/bitcoin/${bitcoind.network}";
|
|
description = mdDoc "The network data directory.";
|
|
};
|
|
tor-socks = mkOption {
|
|
type = types.nullOr types.str;
|
|
default = if cfg.tor.proxy then config.nix-bitcoin.torClientAddressWithPort else null;
|
|
description = mdDoc "Socks proxy for connecting to Tor nodes";
|
|
};
|
|
macaroons = mkOption {
|
|
default = {};
|
|
type = with types; attrsOf (submodule {
|
|
options = {
|
|
user = mkOption {
|
|
type = types.str;
|
|
description = mdDoc "User who owns the macaroon.";
|
|
};
|
|
permissions = mkOption {
|
|
type = types.str;
|
|
example = ''
|
|
{"entity":"info","action":"read"},{"entity":"onchain","action":"read"}
|
|
'';
|
|
description = mdDoc "List of granted macaroon permissions.";
|
|
};
|
|
};
|
|
});
|
|
description = mdDoc ''
|
|
Extra macaroon definitions.
|
|
'';
|
|
};
|
|
certificate = {
|
|
extraIPs = mkOption {
|
|
type = with types; listOf str;
|
|
default = [];
|
|
example = [ "60.100.0.1" ];
|
|
description = mdDoc ''
|
|
Extra `subjectAltName` IPs added to the certificate.
|
|
This works the same as lnd option {option}`tlsextraip`.
|
|
'';
|
|
};
|
|
extraDomains = mkOption {
|
|
type = with types; listOf str;
|
|
default = [];
|
|
example = [ "example.com" ];
|
|
description = mdDoc ''
|
|
Extra `subjectAltName` domain names added to the certificate.
|
|
This works the same as lnd option {option}`tlsextradomain`.
|
|
'';
|
|
};
|
|
};
|
|
extraConfig = mkOption {
|
|
type = types.lines;
|
|
default = "";
|
|
example = ''
|
|
autopilot.active=1
|
|
'';
|
|
description = mdDoc ''
|
|
Extra lines appended to {file}`lnd.conf`.
|
|
See here for all available options:
|
|
https://github.com/lightningnetwork/lnd/blob/master/sample-lnd.conf
|
|
'';
|
|
};
|
|
package = mkOption {
|
|
type = types.package;
|
|
default = config.nix-bitcoin.pkgs.lnd;
|
|
defaultText = "config.nix-bitcoin.pkgs.lnd";
|
|
description = mdDoc "The package providing lnd binaries.";
|
|
};
|
|
cli = mkOption {
|
|
default = pkgs.writers.writeBashBin "lncli"
|
|
# Switch user because lnd makes datadir contents readable by user only
|
|
''
|
|
${runAsUser} ${cfg.user} ${cfg.package}/bin/lncli \
|
|
--rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
|
|
--tlscertpath '${cfg.certPath}' \
|
|
--macaroonpath '${networkDir}/admin.macaroon' "$@"
|
|
'';
|
|
defaultText = "(See source)";
|
|
description = mdDoc "Binary to connect with the lnd instance.";
|
|
};
|
|
getPublicAddressCmd = mkOption {
|
|
type = types.str;
|
|
default = "";
|
|
description = mdDoc ''
|
|
Bash expression which outputs the public service address to announce to peers.
|
|
If left empty, no address is announced.
|
|
'';
|
|
};
|
|
user = mkOption {
|
|
type = types.str;
|
|
default = "lnd";
|
|
description = mdDoc "The user as which to run LND.";
|
|
};
|
|
group = mkOption {
|
|
type = types.str;
|
|
default = cfg.user;
|
|
description = mdDoc "The group as which to run LND.";
|
|
};
|
|
certPath = mkOption {
|
|
readOnly = true;
|
|
default = "${secretsDir}/lnd-cert";
|
|
description = mdDoc "LND TLS certificate path.";
|
|
};
|
|
tor = nbLib.tor;
|
|
};
|
|
|
|
cfg = config.services.lnd;
|
|
nbLib = config.nix-bitcoin.lib;
|
|
secretsDir = config.nix-bitcoin.secretsDir;
|
|
runAsUser = config.nix-bitcoin.runAsUserCmd;
|
|
lndinit = "${config.nix-bitcoin.pkgs.lndinit}/bin/lndinit";
|
|
|
|
bitcoind = config.services.bitcoind;
|
|
|
|
bitcoindRpcAddress = nbLib.address bitcoind.rpc.address;
|
|
networkDir = cfg.networkDir;
|
|
configFile = pkgs.writeText "lnd.conf" ''
|
|
datadir=${cfg.dataDir}
|
|
logdir=${cfg.dataDir}/logs
|
|
tlscertpath=${cfg.certPath}
|
|
tlskeypath=${secretsDir}/lnd-key
|
|
|
|
listen=${toString cfg.address}:${toString cfg.port}
|
|
rpclisten=${cfg.rpcAddress}:${toString cfg.rpcPort}
|
|
restlisten=${cfg.restAddress}:${toString cfg.restPort}
|
|
|
|
bitcoin.${bitcoind.network}=1
|
|
bitcoin.active=1
|
|
bitcoin.node=bitcoind
|
|
|
|
${optionalString (cfg.tor.proxy) "tor.active=true"}
|
|
${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
|
|
|
|
bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}
|
|
bitcoind.rpcuser=${bitcoind.rpc.users.${rpcUser}.name}
|
|
bitcoind.zmqpubrawblock=${zmqHandleSpecialAddress bitcoind.zmqpubrawblock}
|
|
bitcoind.zmqpubrawtx=${zmqHandleSpecialAddress bitcoind.zmqpubrawtx}
|
|
|
|
wallet-unlock-password-file=${secretsDir}/lnd-wallet-password
|
|
|
|
${cfg.extraConfig}
|
|
'';
|
|
|
|
zmqHandleSpecialAddress = builtins.replaceStrings [ "0.0.0.0" "[::]" ] [ "127.0.0.1" "[::1]" ];
|
|
|
|
isPruned = bitcoind.prune > 0;
|
|
# When bitcoind pruning is enabled, lnd requires non-public RPC commands `getpeerinfo`, `getnodeaddresses`
|
|
# to fetch missing blocks from peers (implemented in btcsuite/btcwallet/chain/pruned_block_dispatcher.go)
|
|
rpcUser = if isPruned then "lnd" else "public";
|
|
in {
|
|
|
|
inherit options;
|
|
|
|
config = mkIf cfg.enable (mkMerge [ {
|
|
assertions = [
|
|
{ assertion =
|
|
!(config.services ? clightning)
|
|
|| !config.services.clightning.enable
|
|
|| config.services.clightning.port != cfg.port;
|
|
message = ''
|
|
LND and clightning can't both bind to lightning port 9735. Either
|
|
disable LND/clightning or change services.clightning.port or
|
|
services.lnd.port to a port other than 9735.
|
|
'';
|
|
}
|
|
];
|
|
|
|
services.bitcoind = {
|
|
enable = true;
|
|
|
|
# Increase rpc thread count due to reports that lightning implementations fail
|
|
# under high bitcoind rpc load
|
|
rpc.threads = 16;
|
|
|
|
zmqpubrawblock = mkDefault "tcp://${bitcoindRpcAddress}:28332";
|
|
zmqpubrawtx = mkDefault "tcp://${bitcoindRpcAddress}:28333";
|
|
};
|
|
|
|
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
|
];
|
|
|
|
services.lnd.certificate.extraIPs = mkIf (cfg.rpcAddress != "127.0.0.1") [ "${cfg.rpcAddress}" ];
|
|
|
|
systemd.services.lnd = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
requires = [ "bitcoind.service" ];
|
|
after = [ "bitcoind.service" "nix-bitcoin-secrets.target" ];
|
|
preStart = ''
|
|
install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
|
|
{
|
|
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-${rpcUser})"
|
|
${optionalString (cfg.getPublicAddressCmd != "") ''
|
|
echo "externalip=$(${cfg.getPublicAddressCmd})"
|
|
''}
|
|
} >> '${cfg.dataDir}/lnd.conf'
|
|
|
|
if [[ ! -f ${networkDir}/wallet.db ]]; then
|
|
seed='${cfg.dataDir}/lnd-seed-mnemonic'
|
|
|
|
if [[ ! -f "$seed" ]]; then
|
|
echo "Create lnd seed"
|
|
(umask u=r,go=; ${lndinit} gen-seed > "$seed")
|
|
fi
|
|
|
|
echo "Create lnd wallet"
|
|
${lndinit} -v init-wallet \
|
|
--file.seed="$seed" \
|
|
--file.wallet-password='${secretsDir}/lnd-wallet-password' \
|
|
--init-file.output-wallet-dir='${cfg.networkDir}'
|
|
fi
|
|
'';
|
|
serviceConfig = nbLib.defaultHardening // {
|
|
Type = "notify";
|
|
RuntimeDirectory = "lnd"; # Only used to store custom macaroons
|
|
RuntimeDirectoryMode = "711";
|
|
ExecStart = "${cfg.package}/bin/lnd --configfile='${cfg.dataDir}/lnd.conf'";
|
|
User = cfg.user;
|
|
TimeoutSec = "15min";
|
|
Restart = "on-failure";
|
|
RestartSec = "10s";
|
|
ReadWritePaths = [ cfg.dataDir ];
|
|
ExecStartPost = let
|
|
curl = "${pkgs.curl}/bin/curl -fsS --cacert ${cfg.certPath}";
|
|
restUrl = "https://${nbLib.addressWithPort cfg.restAddress cfg.restPort}/v1";
|
|
in
|
|
# Setting macaroon permissions for other users needs root permissions
|
|
nbLib.rootScript "lnd-create-macaroons" ''
|
|
umask ug=r,o=
|
|
${lib.concatMapStrings (macaroon: ''
|
|
echo "Create custom macaroon ${macaroon}"
|
|
macaroonPath="$RUNTIME_DIRECTORY/${macaroon}.macaroon"
|
|
${curl} \
|
|
-H "Grpc-Metadata-macaroon: $(${pkgs.xxd}/bin/xxd -ps -u -c 99999 '${networkDir}/admin.macaroon')" \
|
|
-X POST \
|
|
-d '{"permissions":[${cfg.macaroons.${macaroon}.permissions}]}' \
|
|
${restUrl}/macaroon |\
|
|
${pkgs.jq}/bin/jq -c '.macaroon' | ${pkgs.xxd}/bin/xxd -p -r > "$macaroonPath"
|
|
chown ${cfg.macaroons.${macaroon}.user}: "$macaroonPath"
|
|
'') (attrNames cfg.macaroons)}
|
|
'';
|
|
} // nbLib.allowedIPAddresses cfg.tor.enforce;
|
|
};
|
|
|
|
users.users.${cfg.user} = {
|
|
isSystemUser = true;
|
|
group = cfg.group;
|
|
extraGroups = [ "bitcoinrpc-public" ];
|
|
home = cfg.dataDir; # lnd creates .lnd dir in HOME
|
|
};
|
|
users.groups.${cfg.group} = {};
|
|
nix-bitcoin.operator = {
|
|
groups = [ cfg.group ];
|
|
allowRunAsUsers = [ cfg.user ];
|
|
};
|
|
|
|
nix-bitcoin.secrets = {
|
|
lnd-wallet-password.user = cfg.user;
|
|
lnd-key.user = cfg.user;
|
|
lnd-cert.user = cfg.user;
|
|
lnd-cert.permissions = "444"; # world readable
|
|
};
|
|
# Advantages of manually pre-generating certs:
|
|
# - Reduces dynamic state
|
|
# - Enables deployment of a mesh of server plus client nodes with predefined certs
|
|
nix-bitcoin.generateSecretsCmds.lnd = ''
|
|
makePasswordSecret lnd-wallet-password
|
|
makeCert lnd '${nbLib.mkCertExtraAltNames cfg.certificate}'
|
|
'';
|
|
}
|
|
|
|
(mkIf isPruned {
|
|
services.bitcoind.rpc.users.lnd = {
|
|
passwordHMACFromFile = true;
|
|
rpcwhitelist = bitcoind.rpc.users.public.rpcwhitelist ++ [
|
|
"getpeerinfo"
|
|
"getnodeaddresses"
|
|
];
|
|
};
|
|
nix-bitcoin.secrets = {
|
|
bitcoin-rpcpassword-lnd.user = cfg.user;
|
|
bitcoin-HMAC-lnd.user = bitcoind.user;
|
|
};
|
|
nix-bitcoin.generateSecretsCmds.lndBitcoinRPC = ''
|
|
makeBitcoinRPCPassword lnd
|
|
'';
|
|
}) ]);
|
|
}
|