From 4a503f57bdd856bf6ff8035449928184a236907c Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Tue, 15 Sep 2020 08:45:36 +0000 Subject: [PATCH 1/4] lightning-loop: v0.8.1 -> v0.9.0 --- pkgs/lightning-loop/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/lightning-loop/default.nix b/pkgs/lightning-loop/default.nix index 3020cd5..5d1ad07 100644 --- a/pkgs/lightning-loop/default.nix +++ b/pkgs/lightning-loop/default.nix @@ -2,17 +2,17 @@ buildGoModule rec { pname = "lightning-loop"; - version = "0.8.1-beta"; + version = "0.9.0-beta"; src = fetchurl { url = "https://github.com/lightninglabs/loop/archive/v${version}.tar.gz"; # Use ./get-sha256.sh to fetch latest (verified) sha256 - sha256 = "36815049c7807b1f0b2b0694ae64b2ec23819240952cb327c9b9e0d530ac4696"; + sha256 = "82f7c1c0c1d2ddec59c7c5e0780ae645f97ecdaca00b397cd533b27db7a6b7ca"; }; subPackages = [ "cmd/loop" "cmd/loopd" ]; - vendorSha256 = "0y1j4ca4njx9fyyq3qv8hmcvs5ig6kyx6hhp1bdby7wgmlc0s5vp"; + vendorSha256 = "1dmiiyp38biyrlmwxbrh3k8w7mxv0lsvf5qnzjrrxy6qbmglmk0l"; meta = with lib; { description = " Lightning Loop: A Non-Custodial Off/On Chain Bridge"; From e7c5f956ea8cca3ba694ba624dad54861ace2997 Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Tue, 15 Sep 2020 08:46:15 +0000 Subject: [PATCH 2/4] lightning-loop: update module * commandlineArgs -> configFile * introduce tls certs * loop dataDir * fix formatting and descriptions Warning: Manual migration of existing loop data directory necessary --- modules/lightning-loop.nix | 66 +++++++++++++++-------- pkgs/generate-secrets/generate-secrets.sh | 7 +++ pkgs/generate-secrets/openssl.cnf | 2 + 3 files changed, 52 insertions(+), 23 deletions(-) diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix index 65a6981..6260a12 100644 --- a/modules/lightning-loop.nix +++ b/modules/lightning-loop.nix @@ -6,8 +6,21 @@ let cfg = config.services.lightning-loop; inherit (config) nix-bitcoin-services; secretsDir = config.nix-bitcoin.secretsDir; -in { + configFile = builtins.toFile "loop.conf" '' + datadir=${cfg.dataDir} + logdir=${cfg.dataDir}/logs + tlscertpath=${secretsDir}/loop-cert + tlskeypath=${secretsDir}/loop-key + lnd.host=${builtins.elemAt config.services.lnd.rpclisten 0}:${toString config.services.lnd.rpcPort} + lnd.macaroondir=${config.services.lnd.dataDir}/chain/bitcoin/mainnet + lnd.tlspath=${secretsDir}/lnd-cert + + ${optionalString (cfg.proxy != null) "server.proxy=${cfg.proxy}"} + + ${cfg.extraConfig} + ''; +in { options.services.lightning-loop = { enable = mkEnableOption "lightning-loop"; package = mkOption { @@ -16,26 +29,32 @@ in { defaultText = "pkgs.nix-bitcoin.lightning-loop"; description = "The package providing lightning-loop binaries."; }; + dataDir = mkOption { + type = types.path; + default = "/var/lib/lightning-loop"; + description = "The data directory for lightning-loop."; + }; proxy = mkOption { type = types.nullOr types.str; default = null; - description = "Connect through SOCKS5 proxy"; + description = "host:port of SOCKS5 proxy for connnecting to the loop server."; }; - extraArgs = mkOption { - type = types.separatedString " "; + extraConfig = mkOption { + type = types.lines; default = ""; - description = "Extra command line arguments passed to loopd."; + example = '' + debuglevel=trace + ''; + description = "Extra lines appended to the configuration file."; }; cli = mkOption { - default = pkgs.writeScriptBin "loop" - # Switch user because lnd makes datadir contents readable by user only - '' - ${cfg.cliExec} sudo -u lnd ${cfg.package}/bin/loop "$@" + default = pkgs.writeScriptBin "loop" '' + ${cfg.cliExec} ${cfg.package}/bin/loop --tlscertpath ${secretsDir}/loop-cert "$@" ''; - description = "Binary to connect with the lnd instance."; + description = "Binary to connect with the lightning-loop instance."; }; inherit (nix-bitcoin-services) cliExec; - enforceTor = nix-bitcoin-services.enforceTor; + enforceTor = nix-bitcoin-services.enforceTor; }; config = mkIf cfg.enable { @@ -47,27 +66,28 @@ in { environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ]; + systemd.tmpfiles.rules = [ + "d '${cfg.dataDir}' 0770 lnd lnd - -" + ]; + systemd.services.lightning-loop = { - description = "Run loopd"; wantedBy = [ "multi-user.target" ]; requires = [ "lnd.service" ]; after = [ "lnd.service" ]; serviceConfig = nix-bitcoin-services.defaultHardening // { - ExecStart = '' - ${cfg.package}/bin/loopd \ - --lnd.host=${config.services.lnd.listen}:10009 \ - --lnd.macaroondir=${config.services.lnd.dataDir}/chain/bitcoin/mainnet \ - --lnd.tlspath=${secretsDir}/lnd-cert \ - ${optionalString (cfg.proxy != null) "--server.proxy=${cfg.proxy}"} \ - ${cfg.extraArgs} - ''; + ExecStart = "${cfg.package}/bin/loopd --configfile=${configFile}"; User = "lnd"; Restart = "on-failure"; RestartSec = "10s"; - ReadWritePaths = "${config.services.lnd.dataDir}"; + ReadWritePaths = "${cfg.dataDir}"; } // (if cfg.enforceTor - then nix-bitcoin-services.allowTor - else nix-bitcoin-services.allowAnyIP); + then nix-bitcoin-services.allowTor + else nix-bitcoin-services.allowAnyIP); }; + + nix-bitcoin.secrets = { + loop-key.user = "lnd"; + loop-cert.user = "lnd"; + }; }; } diff --git a/pkgs/generate-secrets/generate-secrets.sh b/pkgs/generate-secrets/generate-secrets.sh index 831b235..4255289 100755 --- a/pkgs/generate-secrets/generate-secrets.sh +++ b/pkgs/generate-secrets/generate-secrets.sh @@ -34,3 +34,10 @@ if [[ ! -e lnd-key || ! -e lnd-cert ]]; then openssl req -config $opensslConf -x509 -sha256 -days 1825 -key lnd-key -in lnd.csr -out lnd-cert rm lnd.csr fi + +if [[ ! -e loop-key || ! -e loop-cert ]]; then + openssl ecparam -genkey -name prime256v1 -out loop-key + openssl req -config $opensslConf -new -sha256 -key loop-key -out loop.csr -subj '/CN=localhost/O=loopd' + openssl req -config $opensslConf -x509 -sha256 -days 1825 -key loop-key -in loop.csr -out loop-cert + rm loop.csr +fi diff --git a/pkgs/generate-secrets/openssl.cnf b/pkgs/generate-secrets/openssl.cnf index 641d13d..efc6cb5 100644 --- a/pkgs/generate-secrets/openssl.cnf +++ b/pkgs/generate-secrets/openssl.cnf @@ -32,3 +32,5 @@ IP.1 = 127.0.0.1 DNS.1 = localhost # TODO: Remove hardcoded lnd IP IP.2 = 169.254.1.14 +# TODO: Remove hardcoded loopd IP +IP.3 = 169.254.1.22 From 24b506ff8a2c2d788e102548423cb75bfe4d81e4 Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Thu, 24 Sep 2020 16:39:18 +0000 Subject: [PATCH 3/4] tests: simplify lightning-loop test --- test/base.py | 2 +- test/test.nix | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/test/base.py b/test/base.py index b7db2ae..d8b7b90 100644 --- a/test/base.py +++ b/test/base.py @@ -73,7 +73,7 @@ def run_tests(extra_tests): assert_matches("su operator -c 'lncli getinfo' | jq", '"version"') assert_no_failure("lnd") - succeed("systemctl start lightning-loop") + assert_running("lightning-loop") assert_matches("su operator -c 'loop --version'", "version") # Check that lightning-loop fails with the right error, making sure # lightning-loop can connect to lnd diff --git a/test/test.nix b/test/test.nix index 23a6c26..857ed4f 100644 --- a/test/test.nix +++ b/test/test.nix @@ -31,9 +31,6 @@ import ./make-test.nix rec { services.lnd.enable = true; services.lnd.listenPort = 9736; services.lightning-loop.enable = true; - # needed because we must control when lightning-loop starts so it doesn't - # fail before we run commands in the nb-lightning-loop netns - systemd.services.lightning-loop.wantedBy = mkForce []; services.electrs.enable = true; From a89a3e934f485bd9b0c159e18f6af91883c56e84 Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Thu, 24 Sep 2020 16:54:54 +0000 Subject: [PATCH 4/4] test: increase diskSize --- test/test.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/test.nix b/test/test.nix index 857ed4f..15bbd69 100644 --- a/test/test.nix +++ b/test/test.nix @@ -19,6 +19,9 @@ import ./make-test.nix rec { # hardened ]; + # needed because duplicity requires 270 MB of free temp space, regardless of backup size. + virtualisation.diskSize = 1024; + nix-bitcoin.netns-isolation.enable = (scenario == "withnetns"); services.bitcoind.extraConfig = mkForce "connect=0";