lnd: extract option certPath

Improves service encapsulation.
This commit is contained in:
Erik Arvstedt 2021-09-08 17:01:13 +02:00
parent be12a49933
commit 2c8e29b35b
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
6 changed files with 13 additions and 10 deletions


@ -211,7 +211,7 @@ in {
${optionalString (cfg.btcpayserver.lightningBackend == "lnd") '' ${optionalString (cfg.btcpayserver.lightningBackend == "lnd") ''
{ {
echo -n "${lndConfig}" echo -n "${lndConfig}"
${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.nix-bitcoin.secretsDir}/lnd-cert \ ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 -in ${config.services.lnd.certPath} \
| sed -e 's/.*=//;s/://g' | sed -e 's/.*=//;s/://g'
} >> '${cfg.btcpayserver.dataDir}/settings.config' } >> '${cfg.btcpayserver.dataDir}/settings.config'
''} ''}


@ -105,7 +105,7 @@ in
macaroonDir=${dataDir}/lnddir-proxy/data/chain/bitcoin/mainnet macaroonDir=${dataDir}/lnddir-proxy/data/chain/bitcoin/mainnet
mkdir -p $macaroonDir mkdir -p $macaroonDir
ln -sf /run/lnd/charge-lnd.macaroon $macaroonDir ln -sf /run/lnd/charge-lnd.macaroon $macaroonDir
ln -sf ${config.nix-bitcoin.secretsDir}/lnd-cert ${dataDir}/lnddir-proxy/tls.cert ln -sf ${lnd.certPath} ${dataDir}/lnddir-proxy/tls.cert
''; '';
serviceConfig = nbLib.defaultHardening // { serviceConfig = nbLib.defaultHardening // {
ExecStart = '' ExecStart = ''


@ -22,7 +22,7 @@ let
lnd.host=${lnd.rpcAddress}:${toString lnd.rpcPort} lnd.host=${lnd.rpcAddress}:${toString lnd.rpcPort}
lnd.macaroonpath=${lnd.networkDir}/admin.macaroon lnd.macaroonpath=${lnd.networkDir}/admin.macaroon
lnd.tlspath=${secretsDir}/lnd-cert lnd.tlspath=${lnd.certPath}
${optionalString (cfg.proxy != null) "server.proxy=${cfg.proxy}"} ${optionalString (cfg.proxy != null) "server.proxy=${cfg.proxy}"}


@ -5,7 +5,6 @@ with lib;
let let
cfg = config.services.lightning-pool; cfg = config.services.lightning-pool;
nbLib = config.nix-bitcoin.lib; nbLib = config.nix-bitcoin.lib;
secretsDir = config.nix-bitcoin.secretsDir;
lnd = config.services.lnd; lnd = config.services.lnd;
@ -18,7 +17,7 @@ let
lnd.host=${lnd.rpcAddress}:${toString lnd.rpcPort} lnd.host=${lnd.rpcAddress}:${toString lnd.rpcPort}
lnd.macaroondir=${lnd.networkDir} lnd.macaroondir=${lnd.networkDir}
lnd.tlspath=${secretsDir}/lnd-cert lnd.tlspath=${lnd.certPath}
${cfg.extraConfig} ${cfg.extraConfig}
''; '';


@ -5,7 +5,6 @@ with lib;
let let
cfg = config.services.lnd.restOnionService; cfg = config.services.lnd.restOnionService;
nbLib = config.nix-bitcoin.lib; nbLib = config.nix-bitcoin.lib;
secretsDir = config.nix-bitcoin.secretsDir;
runAsUser = config.nix-bitcoin.runAsUserCmd; runAsUser = config.nix-bitcoin.runAsUserCmd;
lnd = config.services.lnd; lnd = config.services.lnd;
@ -17,7 +16,7 @@ let
--host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \ --host=$(cat ${config.nix-bitcoin.onionAddresses.dataDir}/lnd/lnd-rest) \
--port=${toString lnd.restPort} \ --port=${toString lnd.restPort} \
--lnddir=${lnd.dataDir} \ --lnddir=${lnd.dataDir} \
--tlscertpath=${secretsDir}/lnd-cert "$@" --tlscertpath=${lnd.certPath} "$@"
''; '';
in { in {
options.services.lnd.restOnionService = { options.services.lnd.restOnionService = {


@ -14,7 +14,7 @@ let
configFile = pkgs.writeText "lnd.conf" '' configFile = pkgs.writeText "lnd.conf" ''
datadir=${cfg.dataDir} datadir=${cfg.dataDir}
logdir=${cfg.dataDir}/logs logdir=${cfg.dataDir}/logs
tlscertpath=${secretsDir}/lnd-cert tlscertpath=${cfg.certPath}
tlskeypath=${secretsDir}/lnd-key tlskeypath=${secretsDir}/lnd-key
listen=${toString cfg.address}:${toString cfg.port} listen=${toString cfg.address}:${toString cfg.port}
@ -126,7 +126,7 @@ in {
'' ''
${runAsUser} ${cfg.user} ${cfg.package}/bin/lncli \ ${runAsUser} ${cfg.user} ${cfg.package}/bin/lncli \
--rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \ --rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
--tlscertpath '${secretsDir}/lnd-cert' \ --tlscertpath '${cfg.certPath}' \
--macaroonpath '${networkDir}/admin.macaroon' "$@" --macaroonpath '${networkDir}/admin.macaroon' "$@"
''; '';
description = "Binary to connect with the lnd instance."; description = "Binary to connect with the lnd instance.";
@ -149,6 +149,11 @@ in {
default = cfg.user; default = cfg.user;
description = "The group as which to run LND."; description = "The group as which to run LND.";
}; };
certPath = mkOption {
readOnly = true;
default = "${secretsDir}/lnd-cert";
description = "LND TLS certificate path.";
};
inherit (nbLib) enforceTor; inherit (nbLib) enforceTor;
}; };
@ -211,7 +216,7 @@ in {
# Retrying is necessary because it can happen that the lnd socket is # Retrying is necessary because it can happen that the lnd socket is
# existing, but the RPC service isn't yet, which results in error # existing, but the RPC service isn't yet, which results in error
# "waiting to start, RPC services not available". # "waiting to start, RPC services not available".
curl = "${pkgs.curl}/bin/curl -s --show-error --retry 10 --cacert ${secretsDir}/lnd-cert"; curl = "${pkgs.curl}/bin/curl -s --show-error --retry 10 --cacert ${cfg.certPath}";
restUrl = "https://${cfg.restAddress}:${toString cfg.restPort}/v1"; restUrl = "https://${cfg.restAddress}:${toString cfg.restPort}/v1";
in [ in [
(nbLib.script "lnd-create-wallet" '' (nbLib.script "lnd-create-wallet" ''
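Review bot: The new `certPath` option in the `@ -149,6 +149,11 @@` hunk is declared without a `type`, so it falls back to the untyped default even though every consumer interpolates it as a filesystem path; adding `type = types.path;` (or `types.str`, whichever the file's other path options use — not visible here) pins the shape and gives a clear evaluation error if a future module ever tries to override the read-only value with something else. `readOnly = true` is the right call, since the option exists to let dependent services (charge-lnd, loop, pool, the REST onion wrapper, btcpayserver) read the certificate location rather than set it. The description could also make the security boundary explicit, since the matching `tlskeypath=${secretsDir}/lnd-key` in the `lnd.conf` hunk is deliberately left un-exported: `description = "Path to the LND TLS certificate. Only the (public) certificate is exposed here; the private key stays in the secrets dir and is not exported as an option.";`. The enclosing `options.services.lnd` attribute set starts and ends outside this hunk.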