Merge fort-nix/nix-bitcoin#441: lnd: improve service initialization

d8af0aca02 lnd: improve service initialization (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    utACK d8af0aca02
  jonasnick:
    ACK d8af0aca02

Tree-SHA512: 4c775362a63c6307dcb2f2765d367c8e35c707f18ca6b898f8860daa80934dd58e58aca852ae1fe3b29a43227b3cb1374225fe1ca60f8a4384b32da4470affe0
This commit is contained in:
Jonas Nick 2022-01-19 19:46:16 +00:00
commit b9f9c202f8
No known key found for this signature in database
GPG Key ID: 4861DBF262123605

View File

@ -207,30 +207,25 @@ in {
} >> '${cfg.dataDir}/lnd.conf' } >> '${cfg.dataDir}/lnd.conf'
''; '';
serviceConfig = nbLib.defaultHardening // { serviceConfig = nbLib.defaultHardening // {
Type = "notify";
RuntimeDirectory = "lnd"; # Only used to store custom macaroons RuntimeDirectory = "lnd"; # Only used to store custom macaroons
RuntimeDirectoryMode = "711"; RuntimeDirectoryMode = "711";
ExecStart = "${cfg.package}/bin/lnd --configfile=${cfg.dataDir}/lnd.conf"; ExecStart = ''
${cfg.package}/bin/lnd \
--configfile="${cfg.dataDir}/lnd.conf" \
--wallet-unlock-password-file="${secretsDir}/lnd-wallet-password" \
--wallet-unlock-allow-create
'';
User = cfg.user; User = cfg.user;
TimeoutSec = "15min"; TimeoutSec = "15min";
Restart = "on-failure"; Restart = "on-failure";
RestartSec = "10s"; RestartSec = "10s";
ReadWritePaths = cfg.dataDir; ReadWritePaths = cfg.dataDir;
ExecStartPost = let ExecStartPost = let
# Retrying is necessary because it can happen that the lnd socket is curl = "${pkgs.curl}/bin/curl -s --show-error --cacert ${cfg.certPath}";
# existing, but the RPC service isn't yet, which results in error
# "waiting to start, RPC services not available".
curl = "${pkgs.curl}/bin/curl -s --show-error --retry 10 --cacert ${cfg.certPath}";
restUrl = "https://${nbLib.addressWithPort cfg.restAddress cfg.restPort}/v1"; restUrl = "https://${nbLib.addressWithPort cfg.restAddress cfg.restPort}/v1";
in [ in [
(nbLib.script "lnd-create-wallet" '' (nbLib.script "lnd-create-wallet" ''
attempts=250
while ! {
exec 3>/dev/tcp/${nbLib.address cfg.restAddress}/${toString cfg.restPort} && exec 3>&-
} &>/dev/null; do
((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; }
sleep 0.1
done
if [[ ! -f ${networkDir}/wallet.db ]]; then if [[ ! -f ${networkDir}/wallet.db ]]; then
mnemonic="${cfg.dataDir}/lnd-seed-mnemonic" mnemonic="${cfg.dataDir}/lnd-seed-mnemonic"
if [[ ! -f "$mnemonic" ]]; then if [[ ! -f "$mnemonic" ]]; then
@ -245,25 +240,16 @@ in {
\"cipher_seed_mnemonic\": $(cat "$mnemonic" | tr -d '\n')}" \ \"cipher_seed_mnemonic\": $(cat "$mnemonic" | tr -d '\n')}" \
${restUrl}/initwallet ${restUrl}/initwallet
# Guarantees that RPC calls with cfg.cli succeed after the service is started
echo "Wait until wallet is created" echo "Wait until wallet is created"
while [[ ! -f ${networkDir}/admin.macaroon ]]; do getStatus() {
/run/current-system/systemd/bin/systemctl show -p StatusText lnd | cut -f 2 -d=
}
while [[ $(getStatus) == "Wallet locked" ]]; do
sleep 0.1 sleep 0.1
done done
else
echo "Unlock lnd wallet"
${curl} \
-H "Grpc-Metadata-macaroon: $(${pkgs.xxd}/bin/xxd -ps -u -c 99999 '${networkDir}/admin.macaroon')" \
-X POST \
-d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\"}" \
${restUrl}/unlockwallet
fi fi
# Wait until the wallet has been unlocked and RPC is fully active
while [[ $(${curl} -d '{}' -X POST ${restUrl}/state | ${pkgs.jq}/bin/jq -r '.state') != RPC_ACTIVE ]]; do
sleep 0.1
done
'') '')
# Setting macaroon permission for other users needs root permissions # Setting macaroon permissions for other users needs root permissions
(nbLib.rootScript "lnd-create-macaroons" '' (nbLib.rootScript "lnd-create-macaroons" ''
umask ug=r,o= umask ug=r,o=
${lib.concatMapStrings (macaroon: '' ${lib.concatMapStrings (macaroon: ''