Merge pull request #1147 from frennkie/add-macaroon-store

Add central LND credential store (e.g. macaroons)
This commit is contained in:
Christian Rotzoll 2020-05-04 00:00:49 +02:00 committed by GitHub
commit 8b25b150ed
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 272 additions and 173 deletions


@ -101,7 +101,7 @@ if [ "${baseImage}" = "raspbian" ] || [ "${baseImage}" = "dietpi" ] ; then
sudo sed -i "s/^ SendEnv LANG LC.*/# SendEnv LANG LC_*/g" /etc/ssh/ssh_config
# remove unneccesary files
sudo rm -rf /home/pi/MagPi
sudo rm -rf /home/pi/MagPi
fi
# remove some (big) packages that are not needed
@ -281,7 +281,7 @@ sudo apt-get install -y fbi
sudo apt install -y sysbench
# check for dependencies on DietPi, Ubuntu, Armbian
sudo apt install -y build-essential
sudo apt install -y build-essential
if [ "${baseImage}" = "armbian" ]; then
# add armbian config
sudo apt --fix-broken install -y
@ -330,6 +330,13 @@ echo "*** ADDING SERVICE USER bitcoin"
sudo adduser --disabled-password --gecos "" bitcoin
echo "bitcoin:raspiblitz" | sudo chpasswd
echo ""
echo "*** ADDING GROUPS FOR CREDENTIALS STORE ***"
# access to credentials (e.g. macaroon files) in a central location is managed with unix groups and permissions
sudo /usr/sbin/groupadd --force --gid 9700 lndadmin
sudo /usr/sbin/groupadd --force --gid 9701 lndinvoice
sudo /usr/sbin/groupadd --force --gid 9702 lndreadonly
echo ""
echo "*** SWAP FILE ***"
# based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_20_pi.md#moving-the-swap-file
@ -709,7 +716,7 @@ sudo -u admin chmod -R 755 LCD-show
sudo -u admin chown -R admin:admin LCD-show
cd LCD-show/
# set comit hard to old version - that seemed to run better
#
#
sudo -u admin git reset --hard ce52014
# install xinput calibrator package
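Review bot: `groupadd --force --gid 9700` does not guarantee the numeric GID: with `-f`, groupadd exits 0 if the group already exists and, if the requested GID is already taken, silently picks another one, so nothing should assume 9700–9702 are the lndadmin/lndinvoice/lndreadonly GIDs (fine as long as the chown calls elsewhere keep using group names rather than numbers). The comment above the three groupadd lines should also state what membership grants, since lndadmin effectively hands out the admin macaroon: `# lndadmin -> admin.macaroon (full control incl. sending funds), lndinvoice -> invoice.macaroon, lndreadonly -> readonly.macaroon`.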


@ -87,7 +87,7 @@ fi
OPTIONS+=(SERVICES "Activate/Deactivate Services")
OPTIONS+=(MOBILE "Connect Mobile Wallet")
OPTIONS+=(EXPORT "Macaroons and TLS.cert")
OPTIONS+=(LNDCREDS "Manage LND Credentials")
OPTIONS+=(NAME "Change Name/Alias of Node")
OPTIONS+=(PASSWORD "Change Passwords")
@ -210,8 +210,8 @@ case $CHOICE in
MOBILE)
/home/admin/97addMobileWallet.sh
;;
EXPORT)
sudo /home/admin/config.scripts/lnd.export.sh
LNDCREDS)
sudo /home/admin/config.scripts/lnd.credentials.sh
;;
NAME)
sudo /home/admin/config.scripts/lnd.setname.sh


@ -450,7 +450,7 @@ if [ ${macaroonExists} -eq 0 ]; then
sleep 3
fi
# check if macatoon exists now - if not fail
# check if macaroon exists now - if not fail
macaroonExists=$(sudo -u bitcoin ls -la /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon 2>/dev/null | grep -c admin.macaroon)
if [ ${macaroonExists} -eq 0 ]; then
sudo -u bitcoin ls -la /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon
@ -463,7 +463,7 @@ if [ ${macaroonExists} -eq 0 ]; then
fi
# copy macaroons to all needed users
sudo /home/admin/config.scripts/lnd.check.sh update-credentials
sudo /home/admin/config.scripts/lnd.credentials.sh sync
echo "OK - LND Macaroons created and copied"
echo ""
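Review bot: The exit status of the new `lnd.credentials.sh sync` call is ignored, so `OK - LND Macaroons created and copied` on the following line is printed even when the copy into the central store failed and the apps end up without readable macaroons. Guard it: `if ! sudo /home/admin/config.scripts/lnd.credentials.sh sync; then echo "FAIL: could not sync LND credentials"; exit 1; fi`. For that check to be meaningful the sync branch of lnd.credentials.sh also has to propagate its cp failures, which it does not appear to do yet.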


@ -202,19 +202,20 @@ do
echo "--> Channel Backup File changed"
# make copy to sd card (as local basic backup)
# ToDo(frennkie) /home/admin/.lnd/ no longer is on the SD card
sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net/ 2>/dev/null
sudo cp /mnt/hdd/lnd/data/chain/${network}/${chain}net/channel.backup /home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup
echo "OK channel.backup copied to '/home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup'"
# check if a SCP backup target is set
# paramter in raspiblitz.conf:
# parameter in raspiblitz.conf:
# scpBackupTarget='[USER]@[SERVER]:[DIRPATH-WITHOUT-ENDING-/]'
# On target server add the public key of your RaspiBlitz to the authorized_keys for the user
# https://www.linode.com/docs/security/authentication/use-public-key-authentication-with-ssh/
if [ ${#scpBackupTarget} -gt 0 ]; then
echo "--> Offsite-Backup SCP Server"
# its ok to ignore known host, because data is encrypted (worst case of MiM would be: no offsite channel backup)
# but its more likely that whithout ignoriing known host, script might not run thru and that way: no offsite channel backup
# but its more likely that without ignoring known host, script might not run thru and that way: no offsite channel backup
sudo scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup ${scpBackupTarget}/channel.backup
result=$?
if [ ${result} -eq 0 ]; then
@ -225,7 +226,7 @@ do
fi
# check if a DropBox backup target is set
# paramter in raspiblitz.conf:
# parameter in raspiblitz.conf:
# dropboxBackupTarget='[DROPBOX-APP-OAUTH2-TOKEN]'
# see dropbox setup: https://gist.github.com/vindard/e0cd3d41bb403a823f3b5002488e3f90
if [ ${#dropboxBackupTarget} -gt 0 ]; then
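Review bot: The ToDo is worth resolving rather than recording: if /home/admin/.lnd is now the symlink into /mnt/hdd/app-data/lnd/ that this PR's credential sync creates, the `sudo cp ... /home/admin/.lnd/data/chain/.../channel.backup` two lines below writes the "local basic backup" onto the same HDD that holds LND's data, so it no longer survives a disk failure and the echo that follows misleads the operator. Copy to a real SD-card location instead, e.g. `sudo mkdir -p /home/admin/channel.backup.d` and `sudo cp /mnt/hdd/lnd/data/chain/${network}/${chain}net/channel.backup /home/admin/channel.backup.d/channel.backup`, and use that path for the scp upload below (and the Dropbox one, if it reads the same file). While it stays in the group-shared app-data tree, the root `sudo cp` also leaves a root-owned file at umask permissions; a `chmod 640` would be prudent.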


@ -98,9 +98,15 @@ EOF
# remove minimize, maximize, close from titlebar
sudo sed -i -E 's/titleLayout>LIMC/titleLayout>L/g' /etc/xdg/openbox/lxde-pi-rc.xml
# make sure that the directory for tls & macaroons exists
# fresh copy will be put there by bootstrap script on every start- restart needed
sudo mkdir -p /home/pi/.lnd 2>/dev/null
echo "make sure pi is member of lndreadonly and lndinvoice"
sudo /usr/sbin/usermod --append --groups lndinvoice pi
sudo /usr/sbin/usermod --append --groups lndreadonly pi
echo "make sure symlink to central app-data directory exists"
if ! [[ -L "/home/pi/.lnd" ]]; then
sudo rm -rf "/home/pi/.lnd" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/pi/.lnd" # and create symlink
fi
# rotate touchscreen based on if LCD is rotated
if [ "${lcdrotate}" = "0" ]; then
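Review bot: The new `usermod --append --groups` lines only affect processes started after a fresh login; anything already running as pi keeps its old supplementary groups and will get permission denied on the 640 macaroons until it is restarted. The comment that was removed here mentioned a restart being needed and a version of it should stay: `# group membership applies to new sessions only - re-login/reboot before pi can read the macaroons`. Also, `! [[ -L "/home/pi/.lnd" ]]` accepts any symlink, so a link to an older location would be left in place; checking the target is more robust, e.g. `if [[ "$(readlink -f /home/pi/.lnd)" != "/mnt/hdd/app-data/lnd" ]]; then` together with `sudo ln -sfn "/mnt/hdd/app-data/lnd/" "/home/pi/.lnd"`.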


@ -1,6 +1,6 @@
#!/bin/bash
# Based on: https://gist.github.com/normandmickey/3f10fc077d15345fb469034e3697d0d0
# Based on: https://gist.github.com/normandmickey/3f10fc077d15345fb469034e3697d0d0
# command info
if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
@ -51,13 +51,24 @@ fi
# write-tls-macaroon
if [ "$1" = "write-tls-macaroon" ]; then
echo "make sure btcpay is member of lndadmin"
sudo /usr/sbin/usermod --append --groups lndadmin btcpay
echo "make sure symlink to central app-data directory exists"
if ! [[ -L "/home/btcpay/.lnd" ]]; then
sudo rm -rf "/home/btcpay/.lnd" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/btcpay/.lnd" # and create symlink
fi
# copy admin macaroon
echo "copyin admin.macaroon for btcpay"
sudo cp /mnt/hdd/lnd/data/chain/bitcoin/mainnet/admin.macaroon /home/btcpay/admin.macaroon
sudo chown btcpay:btcpay /home/btcpay/admin.macaroon
sudo chmod 600 /home/btcpay/admin.macaroon
echo "extra symlink to admin.macaroon for btcpay"
if ! [[ -L "/home/btcpay/admin.macaroon" ]]; then
sudo ln -s "/home/btcpay/.lnd/data/chain/${network}/${chain}net/admin.macaroon" "/home/btcpay/admin.macaroon"
fi
# set thumbprint
FINGERPRINT=$(openssl x509 -noout -fingerprint -sha256 -inform pem -in /home/admin/.lnd/tls.cert | cut -c 20-)
FINGERPRINT=$(openssl x509 -noout -fingerprint -sha256 -inform pem -in /home/btcpay/.lnd/tls.cert | cut -d"=" -f2)
doesNetworkEntryAlreadyExists=$(sudo cat /home/btcpay/.btcpayserver/Main/settings.config | grep -c '^network=')
if [ ${doesNetworkEntryAlreadyExists} -eq 0 ]; then
echo "setting the LND TLS thumbprint for BTCPay"
@ -76,10 +87,8 @@ BTC.lightning=type=lnd-rest;server=https://127.0.0.1:8080/;macaroonfilepath=/hom
" | sudo -u btcpay tee -a /home/btcpay/.btcpayserver/Main/settings.config
else
echo "setting new LND TLS thumbprint for BTCPay"
sudo -u btcpay sed -i \
"s/^BTC.lightning=type=lnd-rest\;server=https\:\/\/127.0.0.1:8080\/\;macaroonfilepath=\/home\/btcpay\/admin.macaroon\;certthumbprint=.*\
/BTC.lightning=type=lnd-rest\;server=https\:\/\/127.0.0.1:8080\/\;macaroonfilepath=\/home\/btcpay\/admin.macaroon\;certthumbprint=$FINGERPRINT/g" \
/home/btcpay/.btcpayserver/Main/settings.config
s="BTC.lightning=type=lnd-rest\;server=https\://127.0.0.1:8080/\;macaroonfilepath=/home/btcpay/admin.macaroon\;"
sudo -u btcpay sed -i "s|^${s}certthumbprint=.*|${s}certthumbprint=$FINGERPRINT|g" /home/btcpay/.btcpayserver/Main/settings.config
fi
sudo systemctl restart btcpayserver
exit 0
@ -90,11 +99,11 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
echo "*** INSTALL BTCPAYSERVER ***"
# --> just serving directly thru TOR for now
# setting up nginx and the SSL certificate
# setting up nginx and the SSL certificate
#/home/admin/config.scripts/bonus.btcpaysetdomain.sh
#errorOnInstall=$?
#if [ ${errorOnInstall} -eq 1 ]; then
# echo "exiting as user cancelled BTCPayServer installation"
# echo "exiting as user cancelled BTCPayServer installation"
# exit 1
#fi
@ -136,7 +145,7 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
echo "Installing .NET"
echo "***"
echo ""
# download dotnet-sdk
# https://dotnet.microsoft.com/download/dotnet-core/3.1
sudo apt-get -y install libunwind8 gettext libssl1.0
@ -150,7 +159,7 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
echo "!!! FAIL !!! Downloaded ${dotnetName} not matching SHA512 checksum: ${binaryChecksum}"
exit 1
fi
# download aspnetcore-runtime
aspnetcoreName="aspnetcore-runtime-3.1.1-linux-arm.tar.gz"
sudo rm /home/btcpay/${aspnetcoreName} 2>/dev/null
@ -162,15 +171,15 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
echo "!!! FAIL !!! Downloaded ${aspnetcoreName} not matching SHA512 checksum: ${binaryChecksum}"
exit 1
fi
sudo -u btcpay mkdir /home/btcpay/dotnet
sudo -u btcpay tar -xvf ${dotnetName} -C /home/btcpay/dotnet
sudo -u btcpay tar -xvf ${aspnetcoreName} -C /home/btcpay/dotnet
sudo rm -f *.tar.gz*
# opt out of telemetry
echo "DOTNET_CLI_TELEMETRY_OPTOUT=1" | sudo tee -a /etc/environment
# make .NET accessible and add to PATH
sudo ln -s /home/btcpay/dotnet /usr/share
export PATH=$PATH:/usr/share
@ -184,14 +193,14 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
sudo bash -c "echo 'PATH=\$PATH:/home/btcpay/dotnet' >> /etc/profile"
fi
sudo -u btcpay /home/btcpay/dotnet/dotnet --info
# NBXplorer
echo ""
echo "***"
echo "Install NBXplorer"
echo "***"
echo ""
cd /home/btcpay
echo "Downloading NBXplorer source code.."
sudo -u btcpay git clone https://github.com/dgarage/NBXplorer.git 2>/dev/null
@ -201,7 +210,7 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
# from the build.sh with path
sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release NBXplorer/NBXplorer.csproj
# create nbxplorer service
echo "
[Unit]
@ -225,12 +234,12 @@ PrivateDevices=true
[Install]
WantedBy=multi-user.target
" | sudo tee /etc/systemd/system/nbxplorer.service
sudo systemctl daemon-reload
# start to create settings.config
sudo systemctl enable nbxplorer
sudo systemctl start nbxplorer
echo "Checking for nbxplorer config"
while [ ! -f "/home/btcpay/.nbxplorer/Main/settings.config" ]
do
@ -242,7 +251,7 @@ WantedBy=multi-user.target
echo "maybe report here: https://github.com/rootzoll/raspiblitz/issues/214"
fi
done
echo ""
echo "***"
echo "getting RPC credentials from the bitcoin.conf"
@ -259,14 +268,14 @@ EOF
sudo mv /home/admin/settings.config /home/btcpay/.nbxplorer/Main/settings.config
sudo chown btcpay:btcpay /home/btcpay/.nbxplorer/Main/settings.config
sudo systemctl restart nbxplorer
# BTCPayServer
echo ""
echo "***"
echo "Install BTCPayServer"
echo "***"
echo ""
cd /home/btcpay
echo "Downloading BTCPayServer source code.."
sudo -u btcpay git clone https://github.com/btcpayserver/btcpayserver.git 2>/dev/null
@ -274,8 +283,8 @@ EOF
# check https://github.com/btcpayserver/btcpayserver/releases
sudo -u btcpay git reset --hard v1.0.4.2
# from the build.sh with path
sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release /home/btcpay/btcpayserver/BTCPayServer/BTCPayServer.csproj
sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release /home/btcpay/btcpayserver/BTCPayServer/BTCPayServer.csproj
# create btcpayserver service
echo "
[Unit]
@ -294,11 +303,11 @@ Restart=on-failure
[Install]
WantedBy=multi-user.target
" | sudo tee /etc/systemd/system/btcpayserver.service
sudo systemctl daemon-reload
sudo systemctl enable btcpayserver
sudo systemctl start btcpayserver
echo "Checking for btcpayserver config"
while [ ! -f "/home/btcpay/.btcpayserver/Main/settings.config" ]
do
@ -313,13 +322,13 @@ WantedBy=multi-user.target
/home/admin/config.scripts/bonus.btcpayserver.sh write-tls-macaroon
else
else
echo "BTCPay Server is already installed."
# start service
echo "start service"
sudo systemctl start nbxplorer 2>/dev/null
sudo systemctl start btcpayserver 2>/dev/null
fi
fi
# setting value in raspi blitz config
sudo sed -i "s/^BTCPayServer=.*/BTCPayServer=on/g" /mnt/hdd/raspiblitz.conf
@ -358,7 +367,7 @@ if [ "$1" = "0" ] || [ "$1" = "off" ]; then
# nuke user
sudo userdel -rf btcpay 2>/dev/null
echo "OK BTCPayServer removed."
else
else
echo "BTCPayServer is not installed."
fi
exit 0
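Review bot: On an existing install the `ln -s ... "/home/btcpay/admin.macaroon"` in the write-tls-macaroon branch fails with "File exists": the previous version of this script created /home/btcpay/admin.macaroon as a regular file (the removed cp/chown/chmod lines), `! -L` is true for a regular file, and `ln -s` without `-f` refuses to overwrite. BTCPay then silently keeps using the stale copy, which after a credential reset is an invalidated macaroon. Remove the old file first or force the link: `sudo ln -sfn "/home/btcpay/.lnd/data/chain/${network}/${chain}net/admin.macaroon" "/home/btcpay/admin.macaroon"`. The new link target also depends on `${network}` and `${chain}` being set in this script, where the old hard-coded bitcoin/mainnet path did not; that sourcing is not visible in the hunk, so confirm raspiblitz.conf is loaded before this branch runs.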


@ -79,24 +79,23 @@ if [ "$1" = "write-macaroons" ]; then
exit 1
fi
# copy cert and macaroons cert for lnbits environment
# set tls.cert path
sudo -u lnbits sed -i "s/^LND_REST_CERT=.*/LND_REST_CERT=\/home\/admin\/.lnd\/tls.cert/g" /home/lnbits/lnbits/.env
# copy macaroons
echo "copy macaroons to lnbits user"
sudo -u lnbits mkdir -p /home/lnbits/.lnd/data/chain/${network}/${chain}net/
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon /home/lnbits/.lnd/data/chain/${network}/${chain}net/
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/invoice.macaroon /home/lnbits/.lnd/data/chain/${network}/${chain}net/
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/readonly.macaroon /home/lnbits/.lnd/data/chain/${network}/${chain}net/
sudo chown lnbits:lnbits -R /home/lnbits/.lnd/data/chain/${network}/${chain}net/*.macaroon
sudo chmod 600 /home/lnbits/.lnd/data/chain/${network}/${chain}net/*.macaroon
echo "OK DONE"
macaroonAdminHex=$(sudo xxd -ps -u -c 1000 /home/lnbits/.lnd/data/chain/${network}/${chain}net/admin.macaroon)
macaroonInvoiceHex=$(sudo xxd -ps -u -c 1000 /home/lnbits/.lnd/data/chain/${network}/${chain}net/invoice.macaroon)
macaroonReadHex=$(sudo xxd -ps -u -c 1000 /home/lnbits/.lnd/data/chain/${network}/${chain}net/readonly.macaroon)
sudo sed -i "s/^LND_REST_ADMIN_MACAROON=.*/LND_REST_ADMIN_MACAROON=${macaroonAdminHex}/g" /home/lnbits/lnbits/.env
sudo sed -i "s/^LND_REST_INVOICE_MACAROON=.*/LND_REST_INVOICE_MACAROON=${macaroonInvoiceHex}/g" /home/lnbits/lnbits/.env
sudo sed -i "s/^LND_REST_READ_MACAROON=.*/LND_REST_READ_MACAROON=${macaroonReadHex}/g" /home/lnbits/lnbits/.env
echo "make sure lnbits is member of lndreadonly and lndinvoice"
sudo /usr/sbin/usermod --append --groups lndinvoice lnbits
sudo /usr/sbin/usermod --append --groups lndreadonly lnbits
echo "make sure symlink to central app-data directory exists"
if ! [[ -L "/home/lnbits/.lnd" ]]; then
sudo rm -rf "/home/lnbits/.lnd" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/lnbits/.lnd" # and create symlink
fi
# set tls.cert path (use | as separator to avoid escaping file path slashes)
sudo -u lnbits sed -i "s|^LND_REST_CERT=.*|LND_REST_CERT=/home/lnbits/.lnd/tls.cert|g" /home/lnbits/lnbits/.env
# set macaroon path info in .env
sudo sed -i "s|^LND_REST_ADMIN_MACAROON=.*|LND_REST_ADMIN_MACAROON=/home/lnbits/.lnd/data/chain/${network}/${chain}net/admin.macaroon|g" /home/lnbits/lnbits/.env
sudo sed -i "s|^LND_REST_INVOICE_MACAROON=.*|LND_REST_INVOICE_MACAROON=/home/lnbits/.lnd/data/chain/${network}/${chain}net/invoice.macaroon|g" /home/lnbits/lnbits/.env
sudo sed -i "s|^LND_REST_READ_MACAROON=.*|LND_REST_READ_MACAROON=/home/lnbits/.lnd/data/chain/${network}/${chain}net/read.macaroon|g" /home/lnbits/lnbits/.env
echo "# OK - macaroons written to /home/lnbits/lnbits/.env"
exit 0
fi
@ -188,6 +187,7 @@ WantedBy=multi-user.target
EOF
sudo mv /home/admin/lnbits.service /etc/systemd/system/lnbits.service
sudo chown root:root /etc/systemd/system/lnbits.service
sudo systemctl enable lnbits
echo "# OK - service needs starting: sudo systemctl start lnbits"
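Review bot: The LND_REST_READ_MACAROON path in the last sed line of the write-macaroons branch points at `read.macaroon`, but LND writes (and lnd.credentials.sh copies) `readonly.macaroon`, so the read-only setting references a file that never exists; change it to `.../${chain}net/readonly.macaroon`. Separately, lnbits is only added to lndinvoice and lndreadonly while .env still points LND_REST_ADMIN_MACAROON at admin.macaroon, which the central store keeps at 640 admin:lndadmin — if LNbits actually opens that file it will get permission denied. Either add lnbits to lndadmin deliberately (that grants spend rights) or drop the admin entry from .env.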


@ -51,7 +51,7 @@ fi
connector=""
host=""
port=""
extraparamter=""
extraparameter=""
supportsTOR=0
if [ "${targetWallet}" = "zap-ios" ]; then
@ -59,7 +59,7 @@ if [ "${targetWallet}" = "zap-ios" ]; then
if [ ${forceTOR} -eq 1 ]; then
# when ZAP runs on TOR it uses REST
port="8080"
extraparamter="--nocert"
extraparameter="--nocert"
else
# normal ZAP uses gRPC ports
port="10009"
@ -70,7 +70,7 @@ elif [ "${targetWallet}" = "zap-android" ]; then
if [ ${forceTOR} -eq 1 ]; then
# when ZAP runs on TOR it uses REST
port="8080"
extraparamter="--nocert"
extraparameter="--nocert"
else
# normal ZAP uses gRPC ports
port="10009"
@ -97,7 +97,7 @@ elif [ "${targetWallet}" = "sendmany-android" ]; then
echo "error='no tor support'"
exit 1
#port="8080"
#extraparamter="--nocert"
#extraparameter="--nocert"
fi
port="10009"
@ -185,7 +185,7 @@ if [ "${connector}" == "lndconnect" ]; then
# write qr code data to an image
cd /home/admin
lndconnect --host=${host} --port=${port} --image ${extraparamter}
lndconnect --host=${host} --port=${port} --image ${extraparameter}
# display qr code image on LCD
/home/admin/config.scripts/blitz.lcd.sh image /home/admin/lndconnect-qr.png
@ -199,7 +199,7 @@ elif [ "${connector}" == "shango" ]; then
/home/admin/config.scripts/blitz.lcd.sh qr "${datastring}"
else
echo "error='unkown connector'"
echo "error='unknown connector'"
exit 1
fi
@ -217,7 +217,7 @@ whiptail --backtitle "Connecting Mobile Wallet" \
if [ $? -eq 1 ]; then
# backup - show QR code on screen (not LCD)
if [ "${connector}" == "lndconnect" ]; then
lndconnect --host=${hostscreen} --port=${port} ${extraparamter}
lndconnect --host=${hostscreen} --port=${port} ${extraparameter}
echo "(To shrink QR code: OSX->CMD- / LINUX-> CTRL-) Press ENTER when finished."
read key
elif [ "${connector}" == "shango" ]; then


@ -78,6 +78,15 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
# create rtl user
sudo adduser --disabled-password --gecos "" rtl
echo "*** make sure rtl is member of lndadmin ***"
sudo /usr/sbin/usermod --append --groups lndadmin rtl
echo "*** make sure symlink to central app-data directory exists ***"
if ! [[ -L "/home/rtl/.lnd" ]]; then
sudo rm -rf "/home/rtl/.lnd" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/rtl/.lnd" # and create symlink
fi
# download source code and set to tag release
echo "*** Get the RTL Source Code ***"
rm -rf /home/admin/RTL 2>/dev/null
@ -129,8 +138,8 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
var data = require('/home/rtl/RTL/sample-RTL-Config.json');
//Manipulate data
data.nodes[0].lnNode = '$hostname'
data.nodes[0].Authentication.macaroonPath = '/home/admin/.lnd/data/chain/${network}/${chain}net/';
data.nodes[0].Authentication.configPath = '/mnt/hdd/lnd/lnd.conf';
data.nodes[0].Authentication.macaroonPath = '/home/rtl/.lnd/data/chain/${network}/${chain}net/';
data.nodes[0].Authentication.configPath = '/home/rtl/.lnd/lnd.conf';
data.multiPass = '$PASSWORD_B';
data.nodes[0].Settings.userPersona = 'OPERATOR'
data.nodes[0].Settings.channelBackupPath = '/home/rtl/RTL-SCB-backup-$hostname'
@ -160,7 +169,7 @@ Wants=lnd.service
After=lnd.service
[Service]
ExecStart=/usr/bin/node /home/rtl/RTL/rtl --lndir /home/admin/.lnd/data/chain/bitcoin/mainnet
ExecStart=/usr/bin/node /home/rtl/RTL/rtl --lndir /home/rtl/.lnd/data/chain/bitcoin/mainnet
User=rtl
Restart=always
TimeoutSec=120
@ -174,6 +183,7 @@ EOF
sudo mv /home/admin/RTL.service /etc/systemd/system/RTL.service
sudo sed -i "s|chain/bitcoin/mainnet|chain/${network}/${chain}net|" /etc/systemd/system/RTL.service
sudo chown root:root /etc/systemd/system/RTL.service
sudo systemctl enable RTL
echo "OK - the RTL service is now enabled"
fi


@ -1,20 +1,19 @@
#!/bin/bash
if [ $# -eq 0 ]; then
echo "# script to check LND states"
echo "# lnd.check.sh basic-setup"
echo "# lnd.check.sh update-credentials"
exit 1
# command info
if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$1" = "-help" ]; then
echo "# script to check LND states"
echo "# lnd.check.sh basic-setup"
exit 1
fi
# load raspiblitz conf
source /home/admin/raspiblitz.info
source /mnt/hdd/raspiblitz.conf
# check basic LND setup
if [ "$1" == "basic-setup" ]; then
# check TLS exits
# check TLS exits
tlsExists=$(sudo ls /mnt/hdd/lnd/tls.cert 2>/dev/null | grep -c 'tls.cert')
if [ ${tlsExists} -gt 0 ]; then
echo "tls=1"
@ -22,7 +21,7 @@ if [ "$1" == "basic-setup" ]; then
echo "tls=0"
echo "err='tls.cert is missing in /mnt/hdd/lnd'"
fi
# check TLS exits (on SD card for admin)
# check TLS exits (on SD card for admin)
tlsExists=$(sudo ls /home/admin/.lnd/tls.cert 2>/dev/null | grep -c 'tls.cert')
if [ ${tlsExists} -gt 0 ]; then
echo "tlsCopy=1"
@ -67,7 +66,7 @@ if [ "$1" == "basic-setup" ]; then
echo "configMismatch=0"
echo "err='lnd.conf is missing for user admin'"
fi
# get network from config (BLOCKCHAIN)
lndNetwork=""
source <(sudo cat /mnt/hdd/lnd/lnd.conf 2>/dev/null | grep 'bitcoin.active' | sed 's/^[a-z]*\./bitcoin_/g')
@ -175,46 +174,7 @@ if [ "$1" == "basic-setup" ]; then
fi
echo "rpcpasscorrect=${rpcpasscorrect}"
# enforce basic LND credentials for users
elif [ "$1" == "update-credentials" ]; then
echo "# making sure LND blockchain RPC password is set correct in lnd.conf"
source <(sudo cat /mnt/hdd/${network}/${network}.conf 2>/dev/null | grep "rpcpass" | sed 's/^[a-z]*\./lnd/g')
if [ ${#rpcpassword} -gt 0 ]; then
sudo sed -i "s/^${network}d.rpcpass=.*/${network}d.rpcpass=${rpcpassword}/g" /mnt/hdd/lnd/lnd.conf 2>/dev/null
else
echo "# WARN: could not get value 'rpcuser' from blockchain conf"
fi
echo "# make sure admin user LND data dirs exist"
sudo mkdir -p /home/admin/.lnd
sudo mkdir -p /home/admin/.lnd/data
sudo mkdir -p /home/admin/.lnd/data/chain
sudo mkdir -p /home/admin/.lnd/data/chain/${network}
sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net
echo "# updating/cleaning admin user LND data"
sudo rm -R /home/admin/.lnd 2>/dev/null
sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net 2>/dev/null
sudo cp /mnt/hdd/lnd/lnd.conf /home/admin/.lnd/lnd.conf
sudo cp /mnt/hdd/lnd/tls.cert /home/admin/.lnd/tls.cert
sudo sh -c "cat /mnt/hdd/lnd/data/chain/${network}/${chain}net/admin.macaroon > /home/admin/.lnd/data/chain/${network}/${chain}net/admin.macaroon"
sudo chown admin:admin -R /home/admin/.lnd
echo "# updating/cleaning pi user LND data (just read & invoice)"
sudo rm -R /home/pi/.lnd 2>/dev/null
sudo mkdir -p /home/pi/.lnd/data/chain/${network}/${chain}net/
sudo cp /mnt/hdd/lnd/tls.cert /home/pi/.lnd/tls.cert
sudo sh -c "cat /mnt/hdd/lnd/data/chain/${network}/${chain}net/readonly.macaroon > /home/pi/.lnd/data/chain/${network}/${chain}net/readonly.macaroon"
sudo sh -c "cat /mnt/hdd/lnd/data/chain/${network}/${chain}net/invoice.macaroon > /home/pi/.lnd/data/chain/${network}/${chain}net/invoice.macaroon"
sudo chown pi:pi -R /home/pi/.lnd
if [ "${LNBits}" = "on" ]; then
echo "# updating macaroons for LNBits fresh on start"
sudo -u admin /home/admin/config.scripts/bonus.lnbits.sh write-macaroons
sudo chown admin:admin -R /mnt/hdd/app-data/LNBits
fi
else
echo "# FAIL: parameter not known"
fi
echo "# FAIL: parameter not known - run with -h for help"
exit 1
fi


@ -0,0 +1,141 @@
#!/bin/bash
# command info
if [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
echo "tool to reset or sync credentials (e.g. macaroons)"
echo "lnd.credentials.sh [reset|sync]"
exit 1
fi
# interactive choose type of action
if [ "$1" = "" ] || [ $# -eq 0 ]; then
OPTIONS=()
OPTIONS+=(RESET "Recreate Macaroons + TLS")
OPTIONS+=(SYNC "Sync central store with LND")
OPTIONS+=(EXPORT "Macaroons and TLS.cert")
CHOICE=$(dialog --clear \
--backtitle "RaspiBlitz" \
--title "Manage LND credentials" \
--menu "Choose action" \
11 50 7 \
"${OPTIONS[@]}" \
2>&1 >/dev/tty)
clear
case $CHOICE in
RESET)
sudo /home/admin/config.scripts/lnd.credentials.sh reset
echo "Press ENTER to return to main menu."
read key
exit 0
;;
SYNC)
sudo /home/admin/config.scripts/lnd.credentials.sh sync
echo "Press ENTER to return to main menu."
read key
exit 0
;;
EXPORT)
sudo /home/admin/config.scripts/lnd.export.sh
exit 0
;;
esac
fi
# load data from config
source /mnt/hdd/raspiblitz.conf
###########################
# FUNCTIONS
###########################
function copy_mac_set_perms() {
local file_name=${1} # the file name (e.g. admin.macaroon)
local group_name=${2} # the unix group name (e.g. lndadmin)
local n=${3:-bitcoin} # the network (e.g. bitcoin or litecoin) defaults to bitcoin
local c=${4:-main} # the chain (e.g. main, test, sim, reg) defaults to main (for mainnet)
sudo /bin/cp /mnt/hdd/lnd/data/chain/"${n}"/"${c}"net/"${file_name}" /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${file_name}"
sudo /bin/chown --silent admin:"${group_name}" /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${file_name}"
sudo /bin/chmod --silent 640 /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${file_name}"
}
###########################
# RESET Macaroons and TLS
###########################
if [ "$1" = "reset" ]; then
clear
echo "###### RESET MACAROONS AND TLS.cert ######"
echo ""
echo "All your macaroons and the tls.cert get deleted and recreated."
echo "Use this to invalidate former EXPORTS for example if you loose a device."
echo ""
cd || exit
echo "- deleting old macaroons"
sudo find /mnt/hdd/app-data/lnd/data/chain/"${network}"/"${chain}"net/ -iname '*.macaroon' -delete
sudo find /home/bitcoin/.lnd/data/chain/"${network}"/"${chain}"net/ -iname '*.macaroon' -delete
sudo rm /home/bitcoin/.lnd/data/chain/"${network}"/"${chain}"net/macaroons.db
echo "- resetting TLS cert"
sudo /home/admin/config.scripts/lnd.newtlscert.sh
echo "- restarting LND ... wait 10 secs"
sudo systemctl start lnd
sleep 10
sudo -u bitcoin lncli --chain="${network}" --network="${chain}"net unlock
echo "- creating new macaroons ... wait 10 secs"
sleep 10
echo "- copy new macaroons to central app-data directory and ensure unix ownerships and permissions"
copy_mac_set_perms admin.macaroon lndadmin "${network}" "${chain}"
copy_mac_set_perms invoice.macaroon lndinvoice "${network}" "${chain}"
copy_mac_set_perms readonly.macaroon lndreadonly "${network}" "${chain}"
echo "OK DONE"
###########################
# SYNC
###########################
elif [ "$1" = "sync" ]; then
echo "###### SYNCING MACAROONS, RPC Password AND TLS Certificate ######"
echo "# make sure LND app-data directories exist"
sudo /bin/mkdir --mode 0755 --parents /mnt/hdd/app-data/lnd/data/chain/"${network}"/"${chain}"net/
echo "# copy macaroons to central app-data directory and ensure unix ownerships and permissions"
copy_mac_set_perms admin.macaroon lndadmin "${network}" "${chain}"
copy_mac_set_perms invoice.macaroon lndinvoice "${network}" "${chain}"
copy_mac_set_perms readonly.macaroon lndreadonly "${network}" "${chain}"
echo "# make sure admin has a symlink at ~/.lnd to /mnt/hdd/app-data/lnd/"
if ! [[ -L "/home/admin/.lnd" ]]; then
sudo rm -rf "/home/admin/.lnd" # not a symlink.. delete it silently
ln -s /mnt/hdd/app-data/lnd/ /home/admin/.lnd # and create symlink
fi
echo "# make sure network (bitcoin/litecoin) RPC password is set correctly in lnd.conf"
source <(sudo cat /mnt/hdd/"${network}"/"${network}".conf 2>/dev/null | grep "rpcpass" | sed 's/^[a-z]*\./lnd/g')
if [ "${#rpcpassword}" -gt 0 ]; then
sudo sed -i 's/^"${network}"d.rpcpass=.*/"${network}"d.rpcpass="${rpcpassword}"/g' /mnt/hdd/lnd/lnd.conf 2>/dev/null
else
echo "# WARN: could not get value 'rpcpass' from network config (e.g. bitcoin.conf)"
fi
echo "# make sure LND conf is readable and symlinked"
sudo chmod 644 "/mnt/hdd/lnd/lnd.conf"
sudo chown bitcoin:bitcoin "/mnt/hdd/lnd/lnd.conf"
if ! [[ -L "/mnt/hdd/app-data/lnd/lnd.conf" ]]; then
sudo rm -rf "/mnt/hdd/app-data/lnd/lnd.conf" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/lnd/lnd.conf" "/mnt/hdd/app-data/lnd/lnd.conf" # and create symlink
fi
echo "# make sure TLS certificate is readable and symlinked"
sudo chmod 644 "/mnt/hdd/lnd/tls.cert"
sudo chown bitcoin:bitcoin "/mnt/hdd/lnd/tls.cert"
if ! [[ -L "/mnt/hdd/app-data/lnd/tls.cert" ]]; then
sudo rm -rf "/mnt/hdd/app-data/lnd/tls.cert" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/lnd/tls.cert" "/mnt/hdd/app-data/lnd/tls.cert" # and create symlink
fi
###########################
# UNKNOWN
###########################
else
echo "# FAIL: parameter not known - run with -h for help"
exit 1
fi
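Review bot: `sudo chmod 644 "/mnt/hdd/lnd/lnd.conf"` in the sync branch makes lnd.conf world-readable, and the same branch is meant to write the bitcoind RPC password into it (`${network}d.rpcpass=`), so any local account (pi, lnbits, btcpay, rtl, ...) can read the credential that gives full bitcoind RPC access; tighten it to `sudo chown bitcoin:lndadmin "/mnt/hdd/lnd/lnd.conf"` and `sudo chmod 640 "/mnt/hdd/lnd/lnd.conf"` (rtl, which reads it via configPath, is in lndadmin). Separately, the `sed -i 's/^"${network}"d.rpcpass=...'` line is single-quoted, so neither `${network}` nor `${rpcpassword}` expands and the pattern can never match — the password is never synced; use double quotes and a `|` delimiter because the password may contain `/`: `sudo sed -i "s|^${network}d.rpcpass=.*|${network}d.rpcpass=${rpcpassword}|g" /mnt/hdd/lnd/lnd.conf`. In copy_mac_set_perms the `--silent` on chown and chmod hides a failed tightening and leaves a freshly copied admin.macaroon at the default umask mode; drop `--silent` so the error is visible, or do the copy with `install -o admin -g "${group_name}" -m 640 SRC DST` so ownership and mode are set in one step.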


@ -3,7 +3,7 @@
# command info
if [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
echo "tool to export macaroons & tls.cert"
echo "lnd.export.sh [hexstring|scp|http|reset]"
echo "lnd.export.sh [hexstring|scp|http]"
exit 1
fi
@ -16,7 +16,6 @@ if [ "$1" = "" ] || [ $# -eq 0 ]; then
OPTIONS+=(HEX "Hex-String (Copy+Paste)")
OPTIONS+=(SCP "SSH Download (Commands)")
OPTIONS+=(HTTP "Browserdownload (bit risky)")
OPTIONS+=(RESET "RENEW MACAROONS & TLS")
CHOICE=$(dialog --clear \
--backtitle "RaspiBlitz" \
--title "Export Macaroons & TLS.cert" \
@ -35,9 +34,6 @@ if [ "$1" = "" ] || [ $# -eq 0 ]; then
HTTP)
exportType='http';
;;
RESET)
exportType='reset';
;;
esac
fi
@ -131,45 +127,8 @@ elif [ "${exportType}" = "http" ]; then
sudo rm -r ${randomFolderName}
echo "OK - temp HTTP server is stopped."
###########################
# RESET Macaroons and TLS
###########################
elif [ "${exportType}" = "reset" ]; then
clear
echo "###### RESET MACAROONS AND TLS.cert ######"
echo ""
echo "All your macaroons and the tls.cert get deleted and recreated."
echo "Use this to invalidate former EXPORTS for example if you loose a device."
echo ""
cd
echo "- deleting old macaroons"
sudo rm /home/admin/.lnd/data/chain/${network}/${chain}net/*.macaroon
sudo rm /home/bitcoin/.lnd/data/chain/${network}/${chain}net/*.macaroon
sudo rm /home/bitcoin/.lnd/data/chain/${network}/${chain}net/macaroons.db
echo "- resetting TLS cert"
sudo /home/admin/config.scripts/lnd.newtlscert.sh
echo "- restarting LND ... wait 10 secs"
sudo systemctl start lnd
sleep 10
sudo -u bitcoin lncli --chain=${network} --network=${chain}net unlock
echo "- creating new macaroons ... wait 10 secs"
sleep 10
echo "- copy new macaroons to admin user"
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/*.macaroon /home/admin/.lnd/data/chain/${network}/${chain}net/
sudo chown admin:admin -R /home/admin/.lnd/data/chain/${network}/${chain}net/*.macaroon
# BTCPayServer
if [ "${BTCPayServer}" == "on" ]; then
/home/admin/config.scripts/bonus.btcpayserver.sh write-tls-macaroon
fi
# LNBits
if [ "${LNBits}" = "on" ]; then
sudo -u admin /home/admin/config.scripts/bonus.lnbits.sh write-macaroons
fi
echo "OK DONE"
else
echo "FAIL: unknown '${exportType}' -run-> ./lnd.export.sh -h"
echo "FAIL: unknown '${exportType}' - run with -h for help"
fi
if [ "$1" = "" ] || [ $# -eq 0 ]; then


@ -1,4 +1,3 @@
#!/bin/bash
# stop services
@ -27,7 +26,14 @@ do
done
sudo killall /usr/local/bin/lnd
sudo chmod 664 /mnt/hdd/lnd/tls.cert
echo "copy new cert to admin user"
sudo cp /mnt/hdd/lnd/tls.cert /home/admin/.lnd
sudo chown admin:admin -R /home/admin/.lnd/*.cert
echo "OK TLS certs are fresh"
sudo chown bitcoin:bitcoin "/mnt/hdd/lnd/tls.cert"
echo "symlink new cert to lnd app-data directory"
if ! [[ -L "/mnt/hdd/app-data/lnd/tls.cert" ]]; then
sudo rm -rf "/mnt/hdd/app-data/lnd/tls.cert" # not a symlink.. delete it silently
sudo ln -s /mnt/hdd/lnd/tls.cert /home/admin/.lnd/tls.cert # and create symlink
fi
echo "OK TLS certs are fresh"
# ToDo(frennkie) why doesn't this start lnd again? - I assume as _background will start it anyway?!
# ToDo(frennkie) the way LND generates the x509 certificate is not ideal -
# it may be better to simply run openssl and create a cert with our settings...
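Review bot: The guard and the link disagree: the test checks `/mnt/hdd/app-data/lnd/tls.cert`, but the `ln -s` creates the link at `/home/admin/.lnd/tls.cert`. The two only coincide once /home/admin/.lnd is already the symlink to /mnt/hdd/app-data/lnd/; on a fresh node, or whenever that symlink is missing, the cert link lands on the SD card, the app-data path stays empty and this block re-runs on every call. Use the same path in both places, as lnd.credentials.sh does: `sudo ln -s /mnt/hdd/lnd/tls.cert /mnt/hdd/app-data/lnd/tls.cert`.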