diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix index 65a6981..6260a12 100644 --- a/modules/lightning-loop.nix +++ b/modules/lightning-loop.nix @@ -6,8 +6,21 @@ let cfg = config.services.lightning-loop; inherit (config) nix-bitcoin-services; secretsDir = config.nix-bitcoin.secretsDir; -in { + configFile = builtins.toFile "loop.conf" '' + datadir=${cfg.dataDir} + logdir=${cfg.dataDir}/logs + tlscertpath=${secretsDir}/loop-cert + tlskeypath=${secretsDir}/loop-key + lnd.host=${builtins.elemAt config.services.lnd.rpclisten 0}:${toString config.services.lnd.rpcPort} + lnd.macaroondir=${config.services.lnd.dataDir}/chain/bitcoin/mainnet + lnd.tlspath=${secretsDir}/lnd-cert + + ${optionalString (cfg.proxy != null) "server.proxy=${cfg.proxy}"} + + ${cfg.extraConfig} + ''; +in { options.services.lightning-loop = { enable = mkEnableOption "lightning-loop"; package = mkOption { @@ -16,26 +29,32 @@ in { defaultText = "pkgs.nix-bitcoin.lightning-loop"; description = "The package providing lightning-loop binaries."; }; + dataDir = mkOption { + type = types.path; + default = "/var/lib/lightning-loop"; + description = "The data directory for lightning-loop."; + }; proxy = mkOption { type = types.nullOr types.str; default = null; - description = "Connect through SOCKS5 proxy"; + description = "host:port of SOCKS5 proxy for connnecting to the loop server."; }; - extraArgs = mkOption { - type = types.separatedString " "; + extraConfig = mkOption { + type = types.lines; default = ""; - description = "Extra command line arguments passed to loopd."; + example = '' + debuglevel=trace + ''; + description = "Extra lines appended to the configuration file."; }; cli = mkOption { - default = pkgs.writeScriptBin "loop" - # Switch user because lnd makes datadir contents readable by user only - '' - ${cfg.cliExec} sudo -u lnd ${cfg.package}/bin/loop "$@" + default = pkgs.writeScriptBin "loop" '' + ${cfg.cliExec} ${cfg.package}/bin/loop --tlscertpath ${secretsDir}/loop-cert "$@" ''; - description = "Binary to connect with the lnd instance."; + description = "Binary to connect with the lightning-loop instance."; }; inherit (nix-bitcoin-services) cliExec; - enforceTor = nix-bitcoin-services.enforceTor; + enforceTor = nix-bitcoin-services.enforceTor; }; config = mkIf cfg.enable { @@ -47,27 +66,28 @@ in { environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ]; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 lnd lnd - -" + ]; + systemd.services.lightning-loop = { - description = "Run loopd"; wantedBy = [ "multi-user.target" ]; requires = [ "lnd.service" ]; after = [ "lnd.service" ]; serviceConfig = nix-bitcoin-services.defaultHardening // { - ExecStart = '' - ${cfg.package}/bin/loopd \ - --lnd.host=${config.services.lnd.listen}:10009 \ - --lnd.macaroondir=${config.services.lnd.dataDir}/chain/bitcoin/mainnet \ - --lnd.tlspath=${secretsDir}/lnd-cert \ - ${optionalString (cfg.proxy != null) "--server.proxy=${cfg.proxy}"} \ - ${cfg.extraArgs} - ''; + ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}"; User = "lnd"; Restart = "on-failure"; RestartSec = "10s"; - ReadWritePaths = "${config.services.lnd.dataDir}"; + ReadWritePaths = "${cfg.dataDir}"; } // (if cfg.enforceTor - then nix-bitcoin-services.allowTor - else nix-bitcoin-services.allowAnyIP); + then nix-bitcoin-services.allowTor + else nix-bitcoin-services.allowAnyIP); }; + + nix-bitcoin.secrets = { + loop-key.user = "lnd"; + loop-cert.user = "lnd"; + }; }; } diff --git a/pkgs/generate-secrets/generate-secrets.sh b/pkgs/generate-secrets/generate-secrets.sh index 831b235..4255289 100755 --- a/pkgs/generate-secrets/generate-secrets.sh +++ b/pkgs/generate-secrets/generate-secrets.sh @@ -34,3 +34,10 @@ if [[ ! -e lnd-key || ! -e lnd-cert ]]; then openssl req -config $opensslConf -x509 -sha256 -days 1825 -key lnd-key -in lnd.csr -out lnd-cert rm lnd.csr fi + +if [[ ! -e loop-key || ! -e loop-cert ]]; then + openssl ecparam -genkey -name prime256v1 -out loop-key + openssl req -config $opensslConf -new -sha256 -key loop-key -out loop.csr -subj '/CN=localhost/O=loopd' + openssl req -config $opensslConf -x509 -sha256 -days 1825 -key loop-key -in loop.csr -out loop-cert + rm loop.csr +fi diff --git a/pkgs/generate-secrets/openssl.cnf b/pkgs/generate-secrets/openssl.cnf index 641d13d..efc6cb5 100644 --- a/pkgs/generate-secrets/openssl.cnf +++ b/pkgs/generate-secrets/openssl.cnf @@ -32,3 +32,5 @@ IP.1 = 127.0.0.1 DNS.1 = localhost # TODO: Remove hardcoded lnd IP IP.2 = 169.254.1.14 +# TODO: Remove hardcoded loopd IP +IP.3 = 169.254.1.22 diff --git a/pkgs/lightning-loop/default.nix b/pkgs/lightning-loop/default.nix index 3020cd5..5d1ad07 100644 --- a/pkgs/lightning-loop/default.nix +++ b/pkgs/lightning-loop/default.nix @@ -2,17 +2,17 @@ buildGoModule rec { pname = "lightning-loop"; - version = "0.8.1-beta"; + version = "0.9.0-beta"; src = fetchurl { url = "https://github.com/lightninglabs/loop/archive/v${version}.tar.gz"; # Use ./get-sha256.sh to fetch latest (verified) sha256 - sha256 = "36815049c7807b1f0b2b0694ae64b2ec23819240952cb327c9b9e0d530ac4696"; + sha256 = "82f7c1c0c1d2ddec59c7c5e0780ae645f97ecdaca00b397cd533b27db7a6b7ca"; }; subPackages = [ "cmd/loop" "cmd/loopd" ]; - vendorSha256 = "0y1j4ca4njx9fyyq3qv8hmcvs5ig6kyx6hhp1bdby7wgmlc0s5vp"; + vendorSha256 = "1dmiiyp38biyrlmwxbrh3k8w7mxv0lsvf5qnzjrrxy6qbmglmk0l"; meta = with lib; { description = " Lightning Loop: A Non-Custodial Off/On Chain Bridge"; diff --git a/test/base.py b/test/base.py index 85c5096..a2faf79 100644 --- a/test/base.py +++ b/test/base.py @@ -73,7 +73,7 @@ def run_tests(extra_tests): assert_matches("su operator -c 'lncli getinfo' | jq", '"version"') assert_no_failure("lnd") - succeed("systemctl start lightning-loop") + assert_running("lightning-loop") assert_matches("su operator -c 'loop --version'", "version") # Check that lightning-loop fails with the right error, making sure # lightning-loop can connect to lnd diff --git a/test/test.nix b/test/test.nix index 0533b92..15bbd69 100644 --- a/test/test.nix +++ b/test/test.nix @@ -34,9 +34,6 @@ import ./make-test.nix rec { services.lnd.enable = true; services.lnd.listenPort = 9736; services.lightning-loop.enable = true; - # needed because we must control when lightning-loop starts so it doesn't - # fail before we run commands in the nb-lightning-loop netns - systemd.services.lightning-loop.wantedBy = mkForce []; services.electrs.enable = true;