mirrors/raspiblitz
1
0
Fork 0
mirror of https://github.com/rootzoll/raspiblitz.git synced 2025-02-25 15:10:38 +01:00
Code Issues Projects Releases Packages Wiki Activity
raspiblitz/home.admin/config.scripts/cln.hsmtool.sh

304 lines
10 KiB
Bash
Raw Normal View History

merging pre-1.7.1 (#2462) * fix copychain returns * typo in sync loop * stop services on inconsistent state * calling correct provisioning * apply bitcoin and lncli aliases in all scripts * network.aliases: add CLNETWORK * make cln default plugin dir: cln-plugins-enabled similar to the nginx model make 2 directories for plugins: cln-plugins-enabled - symlinked to ~/.lightning/plugins plugins from here are loaded automatically on cln start cln-plugins-available: plugins are downloaded here to be run until the next cln restart (or stopped with runonce) note the disk is mounted with noexec so plugins can't run from there discuss in: https://github.com/rootzoll/raspiblitz/issues/2295 * move shutdown script * change all place where shutdown script is used * change notify & release * moved shutdown script * moved shutdown scripts * add more debug info * moving github script * remove chain in sync * no longer needed chain in sync * move debug script * patch patch command * make sure setup file is sourced * remove debug output * make sure lnd is put behind tor * change indent * get fresh sync progress * avoid scrolling in menus * use new selfsignedcert if no lnd tls.cert present * sparko: add info and connect menu with own cert https://github.com/rootzoll/raspiblitz/issues/2295 * cln.rest: add connect option for Zeus https://github.com/rootzoll/raspiblitz/issues/2295 * cln: add the backup plugin + options Usage options: cln-plugin.backup.sh [on] [testnet|mainnet|signet] cln-plugin.backup.sh [restore] [testnet|mainnet|signet] [force] cln-plugin.backup.sh [backup-compact] [testnet|mainnet|signet] https://github.com/lightningd/plugins/tree/master/backup Discussed in: https://github.com/rootzoll/raspiblitz/issues/2295 * cln: add cln-plugin.standard.python.sh Install and show the output of the chosen plugin for C-lightning Usage: cln-plugin.standard-python.sh on [plugin-name] [testnet|mainnet|signet] [runonce] tested plugins: summary | helpme | feeadjuster find more at: https://github.com/lightningd/plugins discussed in: https://github.com/rootzoll/raspiblitz/issues/2295 * shellcheck: change all `egrep` to `grep -E` https://github.com/koalaman/shellcheck/wiki/SC2196 * do not resolve aliases, use as variables * lnd: fix lnd.conf for parallel networks discussed in: https://github.com/rootzoll/raspiblitz/issues/2290 * lnd: add LND option for parallel networks * deprecate Testnet in SETTINGS keysend and autopilot only for mainnet due to: https://github.com/rootzoll/raspiblitz/issues/2290 * lnd: autopilot and autounlock for testnet * fix comments * add the SYSTEM menu for parallel chains * RTL update to v0.11.0 make chain specific directory for the config: /home/rtl/${netprefix}RTL/ use ${netprefix}lnd.conf in config override Environmen tvaribales for cln in the systemd service: /etc/systemd/system/${netprefix}${typeprefix}RTL.service discussed in: https://github.com/rootzoll/raspiblitz/issues/2384 * lnd.setname.sh for testnet * display ${CHAIN} in the SYSTEM menu options * keep _aliases file when live patches are applied * all lncli_aliases to be used as variables * default to KIllMode=control-group in services https://www.man7.org/linux/man-pages/man5/systemd.kill.5.html discussed in: https://github.com/rootzoll/raspiblitz/issues/1901 * add cln.hsmtool.sh for hsm_secret handling encrypt | decrypt | autounlock the hsm_secret for C-lightning usage: cln.hsmtool.sh [unlock] [testnet|mainnet|signet] cln.hsmtool.sh [encrypt|decrypt] [testnet|mainnet|signet] cln.hsmtool.sh [autounlock-on|autounlock-off] [testnet|mainnet|signet] discussed in: https://github.com/rootzoll/raspiblitz/issues/2295 * add cln.install-service.sh to set up cln with systemd script to set up or update the CLN systemd service checks for hsm_secret encryption, autounlock and the sparko plugin usage: /home/admin/config.scripts/cln.install-service.sh $CHAIN discussed in: https://github.com/rootzoll/raspiblitz/issues/2295 * use symlink to cln-plugins-enabled for all plugins * keep lnd autopilot and autounlock mainnet only mainnet only settings: lnd autopilot lnd keysend circuibreaker lnd autounlock StaticChannelBackup to DropBox and USB * cln FUNDING fix parsing address * cln.hsmtool: add change-password and lock options * always set password A * cached peer info * fix printing cache * fix check for existing files * handle bitcoind not running * result with newline * test line break * test new line * test new line * two vars on output * #2388 improve online check (less pinging) * used cached peer status * move chache * cach file permissions * allow sudo call * fix cache * remove double scan info * add conf info to sync screen * reorder info * add space * add space * order info * internet suppress error messages * order info * fix offering Blockchain copy * fix hostname * final ready state info * lnd unlock after provision * remove debug exit * harmonize ready state * add status to lnd unlock * update lnd unlock script * edit the unlock * remove debug echo * add debug * add debug * fix if statement * debug output * switch position of source setupdata * #1126 preparing new setup with new c-lightning (#2396) * move debug script * patch patch command * make sure setup file is sourced * remove debug output * make sure lnd is put behind tor * change indent * get fresh sync progress * always set password A * cached peer info * fix printing cache * fix check for existing files * handle bitcoind not running * result with newline * test line break * test new line * test new line * two vars on output * #2388 improve online check (less pinging) * used cached peer status * move chache * cach file permissions * allow sudo call * fix cache * remove double scan info * add conf info to sync screen * reorder info * add space * add space * order info * internet suppress error messages * order info * fix offering Blockchain copy * fix hostname * final ready state info * lnd unlock after provision * remove debug exit * harmonize ready state * add status to lnd unlock * update lnd unlock script * edit the unlock * remove debug echo * add debug * add debug * fix if statement * debug output * switch position of source setupdata * lnd.unlock: fix typo * netwok.monitor.sh debug * cln-plugin.summary: fix paths * rtl: fix permission of config on copy * CASHOUT: use aliases for lnd * rtl: install correctly for paralell chains * use CHAIN in CLN and LND menu * cln: add CASHOUT option * CLOSEALL and CASHOUT: Improve labels and comments Explaining CASHOUT in the label as discussed in: https://github.com/rootzoll/raspiblitz/issues/2358 * cln.install: fix tor config * cln: installthe latest master until the next release * _commands: source _aliases only if exists * network aliases: fall back to 'main' for 'chain' * new setup: keep testnet3 blocks and chainstate * new setup: improve capitalization in menu * improve help and comments * cln: install Sparko if configured, but not present * cln: add new wallet and import seed options * fix peernum * make sure that aliases get created on lnd setup * no error if aliases not yet exist * debug state * fix network alias when not set * fix syntax error * add debug error info * mute unlocking echos * add debug wait * add debug wait * make sure info is uptodate * make alias info as defaults * rename option * update sync info for no lightning * add action string * update sync info * move name dialog * wait for sync progress info * wait for syncprogress info * fix syntax * get fresh data * make sure to disable lnd * add c-lightning to debug * add setup logs to debug output * fix syntax error * add new-force wallet * try fix call hsmtool * hsm output tool * fix output * add seed-force * refactor blitz.mnemonic.py * test seed * debug info * dump object * try check * correct putput * fix syntax * check lnd for valid seed * fix gui * add Suez install script discussed in: https://github.com/rootzoll/raspiblitz/issues/2366 * cln rescue file export * get correct version * add cln export gui * cln.backup.sh cln-import * correct bytesize * generate cln wallet with passwordc * fix syntax * fix syntax * mute not needed error msg * PEERING: correct message on success * cln.install-service: fix sparko check * add Suez to menu for CLN and LND needs to be installed with the bitcoin user to be able to interact with CLN related: https://github.com/rootzoll/raspiblitz/issues/2366 * debug _provison.setup.sh stop bitcoind and restart with new config to avoid rpc password error disable and enable service instead of daemon-reload CLN: don't use passwordC as seedPassword * add cln.setname.sh make lnd.setname.sh work with parallel wallets * improve comments * SYSTEM: add CLNLOG and CLNCONF options * SYSTEM menu fixes * cln: add more aliases cln, clnlog, clnconf * cln: activate the backup plugin on every install * SERVICES menu: fix chantools/CLN switch * cln: load plugins from ${netprefix}cln-plugins-enabled changed the config paths to $lightning-dir/config or /networkname/config plugins are downloaded to the SDcard: /home/bitcoin/cln-plugins-available/ symlinked and loaded automatically from: /home/bitcoin/${netprefix}cln-plugins-enabled Related: #2295 * sparko: don't show logs after install * #2425 Adding experimental Blitz WebUI & API (#2426) * no password C & D when cln * add debug echos * set defaults before * #2228 wider grep to detect nvms (#2427) * cln.hsmtool: init backup with the new wallet * cln.install: fix access to raspiblitz.conf * cln-plugin.backup: fix path to backup-cli * cln: hide unhelpful warnings during setup * remove old jinja template rendering * fix lnd unlock detection * cln: look for files in .lightning dir with sudo * cln: correct lightning name in FInalDialog + typo * cln: make sure .lightning/bitcoin dir exists * FinalDialog: make the 24 words fit * cln.install.sh: create cln config if not present * Simplify localIP detection and improve compatibility (#2432) * show tail info on provision * only show lnd options when activated * fix syntax * only show main lightning impl options for RC1 * cln: always start the lightnind.service * cln: clear before showing summary * start cln on the end of provisioning * exit 0 on cln menu * press key after single actions * remove key press on cln actions * change to none * detect cln running * fix syntax * fix lightniing info * add TODO for CLN * add clnblockheight * zty with user bitcoin * check synced to chain for cln * fix increment * try scanprogress * use cln sync detection and progress * replace LNTYPE * next line * fix spaces * fix spaces * Update README.md (#2456) Fix 404 * Fix FAQ links (#2441) * Fix invalid URL ( (#2440) * support channels (#2382) * use #2370 height optimization * adjust exit codes in menu scripts * adjust password menu exit codes * adapt shutdown for cln * settings adapt to running lightning impl * fix syntax * debug info * add debug * better height * add default values * add config entry if not there yet * change default value * Added exit info for cln * make sure to load config file if available * add sparko to menu * add default for sparko * replace default sparko entry * show sparko installed or not * add more description to sparko option * RTL for clightnign in service menu * main menu item rtl * add RTL description * debug in RTL install * install sparko on recovery * update menu with cln * rework menu options Co-authored-by: openoms <oms@tuta.io> Co-authored-by: openoms <43343391+openoms@users.noreply.github.com> Co-authored-by: rek79 <rek79@users.noreply.github.com> Co-authored-by: Bitpaint <67663265+bitpaint@users.noreply.github.com> Co-authored-by: João Thallis <joaothallis@icloud.com> Co-authored-by: Peter Flock <78184669+peterflock@users.noreply.github.com> Co-authored-by: nyxnor <nyxnor@protonmail.com>
2021-08-04 00:18:30 +02:00
#!/bin/bash
# keeps the password in memory between restarts: /dev/shm/.${netprefix}cln.pw
# see the reasoning: https://github.com/ElementsProject/lightning#hd-wallet-encryption
# does not store the password on disk unless auto-unlock is enabled
# autounlock password is in /root/.${netprefix}cln.pw
# command info
if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]||\
! echo "$@" | grep -Eq "new|seed|unlock|lock|encrypt|decrypt|autounlock-on|autounlock-off|change-password" ;then
echo
echo "# create new wallet or import seed"
echo "# unlock/lock, encrypt, decrypt, set autounlock or change password for the hsm_secret"
echo
echo "# usage:"
echo "# Create new wallet"
echo "# cln.hsmtool.sh [new] [mainnet|testnet|signet] [?seedPassword]"
echo "# cln.hsmtool.sh [new-force] [mainnet|testnet|signet] [?seedPassword]"
echo "# There will be no seedPassword(passphrase) used by default"
echo "# new-force will delete any old wallet and will work without dialog"
echo
echo "# cln.hsmtool.sh [seed] [mainnet|testnet|signet] [\"space-separated-seed-words\"] [?seedPassword]"
echo "# cln.hsmtool.sh [seed-force] [mainnet|testnet|signet] [\"space-separated-seed-words\"] [?seedPassword]"
echo "# the new hsm_secret will be not encrypted if no NewPassword is given"
echo "# seed-force will delete any old wallet and will work without dialog"
echo
echo "# cln.hsmtool.sh [unlock|lock] <mainnet|testnet|signet>"
echo "# cln.hsmtool.sh [encrypt|decrypt] <mainnet|testnet|signet>"
echo "# cln.hsmtool.sh [autounlock-on|autounlock-off] <mainnet|testnet|signet>"
echo
echo "# cln.hsmtool.sh [change-password] <mainnet|testnet|signet> <NewPassword>"
echo
exit 1
fi
source /mnt/hdd/raspiblitz.conf
source <(/home/admin/config.scripts/network.aliases.sh getvars cln $2)
hsmSecretPath="/home/bitcoin/.lightning/${CLNETWORK}/hsm_secret"
# password file is on the disk if encrypted and auto-unlock is enabled
passwordFile=/dev/shm/.${netprefix}cln.pw
if grep -Eq "${netprefix}clnEncryptedHSM=on" /mnt/hdd/raspiblitz.conf;then
if grep -Eq "${netprefix}clnAutoUnlock=on" /mnt/hdd/raspiblitz.conf;then
passwordFile=/root/${netprefix}cln.pw
fi
fi
# add default value to raspi config if needed
if ! grep -Eq "^${netprefix}clnEncryptedHSM=" /mnt/hdd/raspiblitz.conf; then
echo "${netprefix}clnEncryptedHSM=off" >> /mnt/hdd/raspiblitz.conf
fi
# add default value to raspi config if needed
if ! grep -Eq "^${netprefix}clnAutoUnlock=" /mnt/hdd/raspiblitz.conf; then
echo "${netprefix}clnAutoUnlock=off" >> /mnt/hdd/raspiblitz.conf
fi
#############
# Functions #
#############
function passwordToFile() {
if [ $# -gt 0 ];then
text="$1"
else
text="Type or paste the decryption password for the $CHAIN C-lightning wallet"
fi
# write password into a file in memory
# get password
data=$(mktemp -p /dev/shm/)
# trap it
trap 'rm -f $data' 0 1 2 5 15
dialog --clear \
--backtitle "Enter password" \
--title "Enter password" \
--insecure \
--passwordbox "$text" 8 52 2> "$data"
# make decison
pressed=$?
case $pressed in
0)
sudo touch $passwordFile
sudo chmod 600 $passwordFile
sudo chown bitcoin:bitcoin $passwordFile
sudo tee $passwordFile 1>/dev/null < "$data"
shred "$data";;
1)
shred "$data"
shred -uvz $passwordFile
echo "# Cancelled"
exit 1;;
255)
shred "$data"
shred -uvz $passwordFile
[ -s "$data" ] && cat "$data" || echo "# ESC pressed."
exit 1;;
esac
}
function shredPasswordFile() {
echo
echo "# Shredding the passwordFile"
echo
sudo shred -uvz $passwordFile
}
function encryptHSMsecret() {
walletPassword=$3
if [ ${#walletPassword} -eq 0 ];then
# ask for password in dialog if $walletPassword is not given in $3
sudo /home/admin/config.scripts/blitz.setpassword.sh x \
"Enter the password to encrypt the C-lightning wallet file (hsm_secret)" \
"$passwordFile"
sudo chmod 600 $passwordFile
walletPassword=$(sudo cat $passwordFile)
fi
(echo $walletPassword; echo $walletPassword) | sudo -u bitcoin \
/home/bitcoin/lightning/tools/hsmtool encrypt \
$hsmSecretPath || exit 1
# setting value in raspiblitz config
sudo sed -i \
"s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=on/g" \
/mnt/hdd/raspiblitz.conf
echo "# Encrypted the hsm_secret for C-lightning $CHAIN"
}
function decryptHSMsecret() {
if [ ! -f $passwordFile ];then
passwordToFile
else
echo "# Getting the password from $passwordFile"
fi
sudo cat $passwordFile | sudo -u bitcoin \
/home/bitcoin/lightning/tools/hsmtool decrypt \
$hsmSecretPath || exit 1
shredPasswordFile
# setting value in raspiblitz config
sudo sed -i \
"s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=off/g" \
/mnt/hdd/raspiblitz.conf
echo "# Decrypted the hsm_secret for C-lightning $CHAIN"
}
###########
# Options #
###########
if [ "$1" = "new" ] || [ "$1" = "new-force" ] || [ "$1" = "seed" ] || [ "$1" = "seed-force" ]; then
# make sure /home/bitcoin/.lightning/bitcoin exists (when lightningd was not run yet)
if ! sudo ls /home/bitcoin/.lightning/bitcoin; then
sudo -u bitcoin mkdir -p /home/bitcoin/.lightning/bitcoin/
fi
# check/delete existing wallet
if [ "$1" = "new-force" ] || [ "$1" = "seed-force" ]; then
echo "# deleting any old wallet ..."
sudo rm $hsmSecretPath 2>/dev/null
else
if sudo ls $hsmSecretPath 2>1 1>/dev/null; then
echo "# The hsm_secret is already present at $hsmSecretPath."
exit 0
fi
fi
# check for https://github.com/trezor/python-mnemonic
if [ $(pip list | grep -c mnemonic) -eq 0 ];then
pip install mnemonic==0.19 1>/dev/null
fi
if [ "$1" = "new" ]; then
seedPassword="$3"
# get 24 words
source <(python /home/admin/config.scripts/blitz.mnemonic.py generate)
#TODO seedwords to cln.backup.sh seed-export-gui
/home/admin/config.scripts/cln.backup.sh seed-export-gui "${seedwords6x4}"
elif [ "$1" = "new-force" ]; then
# get 24 words
source <(python /home/admin/config.scripts/blitz.mnemonic.py generate)
echo "seedwords='${seedwords}'"
echo "seedwords6x4='${seedwords6x4}'"
elif [ "$1" = "seed" ] || [ "$1" = "seed-force" ]; then
#TODO get seedwords from cln.backup.sh seed-import-gui [$RESULTFILE]
seedwords="$3"
seedpassword="$4"
fi
# pass to 'hsmtool generatehsm hsm_secret'
if [ ${#seedpassword} -eq 0 ]; then
(echo "0"; echo "${seedwords}"; echo) | sudo -u bitcoin /home/bitcoin/lightning/tools/hsmtool "generatehsm" $hsmSecretPath 1>&2
else
# pass to 'hsmtool generatehsm hsm_secret' - confirm seedPassword
(echo "0"; echo "${seedwords}"; echo "$seedpassword"; echo "$seedpassword") | sudo -u bitcoin /home/bitcoin/lightning/tools/hsmtool "generatehsm" $hsmSecretPath 1>&2
fi
echo "# Re-init the backup plugin with the new wallet"
/home/admin/config.scripts/cln-plugin.backup.sh on $CHAIN
exit 0
elif [ "$1" = "unlock" ]; then
# getpassword
if [ $(sudo journalctl -n5 -u ${netprefix}lightningd | \
grep -c 'encrypted-hsm: Could not read pass from stdin.') -gt 0 ];then
if [ -f $passwordFile ];then
echo "# Wrong passwordFile is present"
else
echo "# No passwordFile is present"
fi
passwordToFile
sudo systemctl restart ${netprefix}lightningd
# configure --encrypted-hsm
elif [ $(sudo journalctl -n5 -u ${netprefix}lightningd | \
grep -c 'hsm_secret is encrypted, you need to pass the \--encrypted-hsm startup option.') -gt 0 ];then
echo "# The hsm_secret encrypted, but unlock is not configured"
passwordToFile
# setting value in raspiblitz config
sudo sed -i \
"s/^${netprefix}clnEncryptedHSM=.*/${netprefix}clnEncryptedHSM=on/g" \
/mnt/hdd/raspiblitz.conf
/home/admin/config.scripts/cln.install-service.sh $CHAIN
fi
# check if unlocked
attempt=0
while [ $($lightningcli_alias getinfo | grep -c '"id":') -eq 0 ];do
if [ $(sudo journalctl -n5 -u ${netprefix}lightningd | \
grep -c 'Wrong password for encrypted hsm_secret.') -gt 0 ];then
echo "# Wrong password"
sudo rm -f $passwordFile
passwordToFile "Wrong password - type the decryption password for the $CHAIN C-lightning wallet"
sudo systemctl restart ${netprefix}lightningd
elif [ $attempt -eq 12 ];then
echo "# Failed to unlock the ${netprefix}lightningd wallet - giving up after 1 minute"
echo "# Check: sudo journalctl -u ${netprefix}lightningd"
exit 1
fi
echo "# Waiting to unlock wallet ... "
sleep 5
attempt=$((attempt+1))
done
echo "# Ok the ${netprefix}lightningd wallet is unlocked"
exit 0
elif [ "$1" = "lock" ]; then
shredPasswordFile
sudo systemctl restart ${netprefix}lightningd
exit 0
elif [ "$1" = "encrypt" ]; then
walletPassword=$3
encryptHSMsecret $walletPassword
elif [ "$1" = "decrypt" ]; then
decryptHSMsecret
elif [ "$1" = "autounlock-on" ]; then
if grep -Eq "${netprefix}clnEncryptedHSM=on" /mnt/hdd/raspiblitz.conf;then
echo "# Moving the password from $passwordFile"
sudo -u bitcoin mv /dev/shm/.${netprefix}cln.pw /root/.${netprefix}cln.pw
else
passwordFile=/root/.${netprefix}cln.pw
passwordToFile
fi
# setting value in raspiblitz config
sudo sed -i \
"s/^${netprefix}clnAutoUnlock=.*/${netprefix}clnEncryptedHSM=on/g" \
/mnt/hdd/raspiblitz.conf
echo "# Autounlock is on for C-lightning $CHAIN"
elif [ "$1" = "autounlock-off" ]; then
sudo -u bitcoin mv /root/.${netprefix}cln.pw /dev/shm/.${netprefix}cln.pw
# setting value in raspiblitz config
sudo sed -i \
"s/^${netprefix}clnAutoUnlock=.*/${netprefix}clnEncryptedHSM=off/g" \
/mnt/hdd/raspiblitz.conf
echo "# Autounlock is off for C-lightning $CHAIN"
elif [ "$1" = "change-password" ]; then
decryptHSMsecret || exit 1
walletPassword=$3
if ! encryptHSMsecret "$walletPassword"; then
echo "# Warning: the hsm_secret is left unencrypted."
echo "# To fix run:"
echo "/home/admin/config.scripts/cln.hsmtool encrypt $2"
exit 1
fi
exit 0
elif [ "$1" = "check" ]; then
# TODO
# dumponchaindescriptors <path/to/hsm_secret> [network]
# get current descriptors
sudo -u bitcoin /home/bitcoin/lightning/tools/hsmtool dumponchaindescriptors \
/home/bitcoin/.lightning/${CLNETWORK}/hsm_secret $CLNETWORK
# get seed to compare
else
echo "# Unknown option - exiting script"
exit 1
fi
# set the lightnind service file after all choices unless exited before
/home/admin/config.scripts/cln.install-service.sh $CHAIN
Reference in a new issue Copy permalink