netns-lnd: allow RPC access from main netns
This commit is contained in:
Erik Arvstedt
parent
58d24e735d
commit
82f4901880
@ -138,12 +138,13 @@ in {
|
|||||||
default = pkgs.writeScriptBin "lncli"
|
default = pkgs.writeScriptBin "lncli"
|
||||||
# Switch user because lnd makes datadir contents readable by user only
|
# Switch user because lnd makes datadir contents readable by user only
|
||||||
''
|
''
|
||||||
${cfg.cliExec} sudo -u lnd ${cfg.package}/bin/lncli --tlscertpath ${secretsDir}/lnd-cert \
|
sudo -u lnd ${cfg.package}/bin/lncli \
|
||||||
|
--rpcserver ${builtins.elemAt cfg.rpclisten 0}:${toString cfg.rpcPort} \
|
||||||
|
--tlscertpath '${secretsDir}/lnd-cert' \
|
||||||
--macaroonpath '${networkDir}/admin.macaroon' "$@"
|
--macaroonpath '${networkDir}/admin.macaroon' "$@"
|
||||||
'';
|
'';
|
||||||
description = "Binary to connect with the lnd instance.";
|
description = "Binary to connect with the lnd instance.";
|
||||||
};
|
};
|
||||||
inherit (nix-bitcoin-services) cliExec;
|
|
||||||
enforceTor = nix-bitcoin-services.enforceTor;
|
enforceTor = nix-bitcoin-services.enforceTor;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -188,12 +189,12 @@ in {
|
|||||||
RestartSec = "10s";
|
RestartSec = "10s";
|
||||||
ReadWritePaths = "${cfg.dataDir}";
|
ReadWritePaths = "${cfg.dataDir}";
|
||||||
ExecStartPost = let
|
ExecStartPost = let
|
||||||
restPort = toString cfg.restPort;
|
restUrl = "https://${builtins.elemAt cfg.restlisten 0}:${toString cfg.restPort}/v1";
|
||||||
in [
|
in [
|
||||||
# Run fully privileged for secrets dir write access
|
# Run fully privileged for secrets dir write access
|
||||||
"+${nix-bitcoin-services.script ''
|
"+${nix-bitcoin-services.script ''
|
||||||
attempts=250
|
attempts=250
|
||||||
while ! { exec 3>/dev/tcp/127.0.0.1/${restPort} && exec 3>&-; } &>/dev/null; do
|
while ! { exec 3>/dev/tcp/${builtins.elemAt cfg.restlisten 0}/${toString cfg.restPort} && exec 3>&-; } &>/dev/null; do
|
||||||
((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; }
|
((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; }
|
||||||
sleep 0.1
|
sleep 0.1
|
||||||
done
|
done
|
||||||
@ -204,7 +205,7 @@ in {
|
|||||||
umask u=r,go=
|
umask u=r,go=
|
||||||
${pkgs.curl}/bin/curl -s \
|
${pkgs.curl}/bin/curl -s \
|
||||||
--cacert ${secretsDir}/lnd-cert \
|
--cacert ${secretsDir}/lnd-cert \
|
||||||
-X GET https://127.0.0.1:${restPort}/v1/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
|
-X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
|
||||||
fi
|
fi
|
||||||
chown lnd: "$mnemonic"
|
chown lnd: "$mnemonic"
|
||||||
''}"
|
''}"
|
||||||
@ -216,7 +217,7 @@ in {
|
|||||||
--cacert ${secretsDir}/lnd-cert \
|
--cacert ${secretsDir}/lnd-cert \
|
||||||
-X POST -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \
|
-X POST -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \
|
||||||
\"cipher_seed_mnemonic\": $(cat ${secretsDir}/lnd-seed-mnemonic | tr -d '\n')}" \
|
\"cipher_seed_mnemonic\": $(cat ${secretsDir}/lnd-seed-mnemonic | tr -d '\n')}" \
|
||||||
https://127.0.0.1:${restPort}/v1/initwallet
|
${restUrl}/initwallet
|
||||||
|
|
||||||
# Guarantees that RPC calls with cfg.cli succeed after the service is started
|
# Guarantees that RPC calls with cfg.cli succeed after the service is started
|
||||||
echo Wait until wallet is created
|
echo Wait until wallet is created
|
||||||
@ -231,11 +232,11 @@ in {
|
|||||||
--cacert ${secretsDir}/lnd-cert \
|
--cacert ${secretsDir}/lnd-cert \
|
||||||
-X POST \
|
-X POST \
|
||||||
-d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\"}" \
|
-d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\"}" \
|
||||||
https://127.0.0.1:${restPort}/v1/unlockwallet
|
${restUrl}/unlockwallet
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Wait until the RPC port is open
|
# Wait until the RPC port is open
|
||||||
while ! { exec 3>/dev/tcp/127.0.0.1/${toString cfg.rpcPort}; } &>/dev/null; do
|
while ! { exec 3>/dev/tcp/${builtins.elemAt cfg.rpclisten 0}/${toString cfg.rpcPort}; } &>/dev/null; do
|
||||||
sleep 0.1
|
sleep 0.1
|
||||||
done
|
done
|
||||||
|
|
||||||
@ -251,7 +252,7 @@ in {
|
|||||||
--cacert ${secretsDir}/lnd-cert \
|
--cacert ${secretsDir}/lnd-cert \
|
||||||
-X POST \
|
-X POST \
|
||||||
-d '{"permissions":[${cfg.macaroons.${macaroon}.permissions}]}' \
|
-d '{"permissions":[${cfg.macaroons.${macaroon}.permissions}]}' \
|
||||||
https://127.0.0.1:${restPort}/v1/macaroon |\
|
${restUrl}/macaroon |\
|
||||||
${pkgs.jq}/bin/jq -c '.macaroon' | ${pkgs.xxd}/bin/xxd -p -r > "$macaroonPath"
|
${pkgs.jq}/bin/jq -c '.macaroon' | ${pkgs.xxd}/bin/xxd -p -r > "$macaroonPath"
|
||||||
chown ${cfg.macaroons.${macaroon}.user}: "$macaroonPath"
|
chown ${cfg.macaroons.${macaroon}.user}: "$macaroonPath"
|
||||||
'') (attrNames cfg.macaroons)}
|
'') (attrNames cfg.macaroons)}
|
||||||
|
|||||||
@ -264,15 +264,8 @@ in {
|
|||||||
|
|
||||||
services.lnd = {
|
services.lnd = {
|
||||||
listen = netns.lnd.address;
|
listen = netns.lnd.address;
|
||||||
rpclisten = [
|
rpclisten = [ netns.lnd.address ];
|
||||||
"${netns.lnd.address}"
|
restlisten = [ netns.lnd.address ];
|
||||||
"127.0.0.1"
|
|
||||||
];
|
|
||||||
restlisten = [
|
|
||||||
"${netns.lnd.address}"
|
|
||||||
"127.0.0.1"
|
|
||||||
];
|
|
||||||
cliExec = mkCliExec "lnd";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
services.liquidd = {
|
services.liquidd = {
|
||||||
|
|||||||
@ -10,7 +10,6 @@
|
|||||||
#include <sys/capability.h>
|
#include <sys/capability.h>
|
||||||
|
|
||||||
static char *allowed_netns[] = {
|
static char *allowed_netns[] = {
|
||||||
"nb-lnd",
|
|
||||||
"nb-lightning-loop",
|
"nb-lightning-loop",
|
||||||
"nb-liquidd",
|
"nb-liquidd",
|
||||||
"nb-joinmarket"
|
"nb-joinmarket"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user