mirrors/raspiblitz
1
0
Fork 0
mirror of https://github.com/rootzoll/raspiblitz.git synced 2025-02-25 07:07:46 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #1147 from frennkie/add-macaroon-store

Browse source 
Add central LND credential store (e.g. macaroons)
This commit is contained in:
Christian Rotzoll 2020-05-04 00:00:49 +02:00 committed by GitHub
commit 8b25b150ed
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 272 additions and 173 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
build_sdcard.sh
View file

@ -330,6 +330,13 @@ echo "*** ADDING SERVICE USER bitcoin"
sudo adduser --disabled-password --gecos "" bitcoin sudo adduser --disabled-password --gecos "" bitcoin
echo "bitcoin:raspiblitz" | sudo chpasswd echo "bitcoin:raspiblitz" | sudo chpasswd
echo ""
echo "*** ADDING GROUPS FOR CREDENTIALS STORE ***"
# access to credentials (e.g. macaroon files) in a central location is managed with unix groups and permissions
sudo /usr/sbin/groupadd --force --gid 9700 lndadmin
sudo /usr/sbin/groupadd --force --gid 9701 lndinvoice
sudo /usr/sbin/groupadd --force --gid 9702 lndreadonly
echo "" echo ""
echo "*** SWAP FILE ***" echo "*** SWAP FILE ***"
# based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_20_pi.md#moving-the-swap-file # based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_20_pi.md#moving-the-swap-file

6
home.admin/00mainMenu.sh
View file

@ -87,7 +87,7 @@ fi
OPTIONS+=(SERVICES "Activate/Deactivate Services") OPTIONS+=(SERVICES "Activate/Deactivate Services")
OPTIONS+=(MOBILE "Connect Mobile Wallet") OPTIONS+=(MOBILE "Connect Mobile Wallet")
OPTIONS+=(EXPORT "Macaroons and TLS.cert") OPTIONS+=(LNDCREDS "Manage LND Credentials")
OPTIONS+=(NAME "Change Name/Alias of Node") OPTIONS+=(NAME "Change Name/Alias of Node")
OPTIONS+=(PASSWORD "Change Passwords") OPTIONS+=(PASSWORD "Change Passwords")
@ -210,8 +210,8 @@ case $CHOICE in
MOBILE) MOBILE)
/home/admin/97addMobileWallet.sh /home/admin/97addMobileWallet.sh
;; ;;
EXPORT) LNDCREDS)
sudo /home/admin/config.scripts/lnd.export.sh sudo /home/admin/config.scripts/lnd.credentials.sh
;; ;;
NAME) NAME)
sudo /home/admin/config.scripts/lnd.setname.sh sudo /home/admin/config.scripts/lnd.setname.sh

4
home.admin/70initLND.sh
View file

@ -450,7 +450,7 @@ if [ ${macaroonExists} -eq 0 ]; then
sleep 3 sleep 3
fi fi
# check if macatoon exists now - if not fail # check if macaroon exists now - if not fail
macaroonExists=$(sudo -u bitcoin ls -la /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon 2>/dev/null | grep -c admin.macaroon) macaroonExists=$(sudo -u bitcoin ls -la /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon 2>/dev/null | grep -c admin.macaroon)
if [ ${macaroonExists} -eq 0 ]; then if [ ${macaroonExists} -eq 0 ]; then
sudo -u bitcoin ls -la /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon sudo -u bitcoin ls -la /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon
@ -463,7 +463,7 @@ if [ ${macaroonExists} -eq 0 ]; then
fi fi
# copy macaroons to all needed users # copy macaroons to all needed users
sudo /home/admin/config.scripts/lnd.check.sh update-credentials sudo /home/admin/config.scripts/lnd.credentials.sh sync
echo "OK - LND Macaroons created and copied" echo "OK - LND Macaroons created and copied"
echo "" echo ""

7
home.admin/_background.sh
View file

@ -202,19 +202,20 @@ do
echo "--> Channel Backup File changed" echo "--> Channel Backup File changed"
# make copy to sd card (as local basic backup) # make copy to sd card (as local basic backup)
# ToDo(frennkie) /home/admin/.lnd/ no longer is on the SD card
sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net/ 2>/dev/null sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net/ 2>/dev/null
sudo cp /mnt/hdd/lnd/data/chain/${network}/${chain}net/channel.backup /home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup sudo cp /mnt/hdd/lnd/data/chain/${network}/${chain}net/channel.backup /home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup
echo "OK channel.backup copied to '/home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup'" echo "OK channel.backup copied to '/home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup'"
# check if a SCP backup target is set # check if a SCP backup target is set
# paramter in raspiblitz.conf: # parameter in raspiblitz.conf:
# scpBackupTarget='[USER]@[SERVER]:[DIRPATH-WITHOUT-ENDING-/]' # scpBackupTarget='[USER]@[SERVER]:[DIRPATH-WITHOUT-ENDING-/]'
# On target server add the public key of your RaspiBlitz to the authorized_keys for the user # On target server add the public key of your RaspiBlitz to the authorized_keys for the user
# https://www.linode.com/docs/security/authentication/use-public-key-authentication-with-ssh/ # https://www.linode.com/docs/security/authentication/use-public-key-authentication-with-ssh/
if [ ${#scpBackupTarget} -gt 0 ]; then if [ ${#scpBackupTarget} -gt 0 ]; then
echo "--> Offsite-Backup SCP Server" echo "--> Offsite-Backup SCP Server"
# its ok to ignore known host, because data is encrypted (worst case of MiM would be: no offsite channel backup) # its ok to ignore known host, because data is encrypted (worst case of MiM would be: no offsite channel backup)
# but its more likely that whithout ignoriing known host, script might not run thru and that way: no offsite channel backup # but its more likely that without ignoring known host, script might not run thru and that way: no offsite channel backup
sudo scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup ${scpBackupTarget}/channel.backup sudo scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup ${scpBackupTarget}/channel.backup
result=$? result=$?
if [ ${result} -eq 0 ]; then if [ ${result} -eq 0 ]; then
@ -225,7 +226,7 @@ do
fi fi
# check if a DropBox backup target is set # check if a DropBox backup target is set
# paramter in raspiblitz.conf: # parameter in raspiblitz.conf:
# dropboxBackupTarget='[DROPBOX-APP-OAUTH2-TOKEN]' # dropboxBackupTarget='[DROPBOX-APP-OAUTH2-TOKEN]'
# see dropbox setup: https://gist.github.com/vindard/e0cd3d41bb403a823f3b5002488e3f90 # see dropbox setup: https://gist.github.com/vindard/e0cd3d41bb403a823f3b5002488e3f90
if [ ${#dropboxBackupTarget} -gt 0 ]; then if [ ${#dropboxBackupTarget} -gt 0 ]; then

12
home.admin/config.scripts/blitz.touchscreen.sh
View file

@ -98,9 +98,15 @@ EOF
# remove minimize, maximize, close from titlebar # remove minimize, maximize, close from titlebar
sudo sed -i -E 's/titleLayout>LIMC/titleLayout>L/g' /etc/xdg/openbox/lxde-pi-rc.xml sudo sed -i -E 's/titleLayout>LIMC/titleLayout>L/g' /etc/xdg/openbox/lxde-pi-rc.xml
# make sure that the directory for tls & macaroons exists echo "make sure pi is member of lndreadonly and lndinvoice"
# fresh copy will be put there by bootstrap script on every start- restart needed sudo /usr/sbin/usermod --append --groups lndinvoice pi
sudo mkdir -p /home/pi/.lnd 2>/dev/null sudo /usr/sbin/usermod --append --groups lndreadonly pi
echo "make sure symlink to central app-data directory exists"
if ! [[ -L "/home/pi/.lnd" ]]; then
sudo rm -rf "/home/pi/.lnd" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/pi/.lnd" # and create symlink
fi
# rotate touchscreen based on if LCD is rotated # rotate touchscreen based on if LCD is rotated
if [ "${lcdrotate}" = "0" ]; then if [ "${lcdrotate}" = "0" ]; then

27
home.admin/config.scripts/bonus.btcpayserver.sh
View file

@ -51,13 +51,24 @@ fi
# write-tls-macaroon # write-tls-macaroon
if [ "$1" = "write-tls-macaroon" ]; then if [ "$1" = "write-tls-macaroon" ]; then
echo "make sure btcpay is member of lndadmin"
sudo /usr/sbin/usermod --append --groups lndadmin btcpay
echo "make sure symlink to central app-data directory exists"
if ! [[ -L "/home/btcpay/.lnd" ]]; then
sudo rm -rf "/home/btcpay/.lnd" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/btcpay/.lnd" # and create symlink
fi
# copy admin macaroon # copy admin macaroon
echo "copyin admin.macaroon for btcpay" echo "extra symlink to admin.macaroon for btcpay"
sudo cp /mnt/hdd/lnd/data/chain/bitcoin/mainnet/admin.macaroon /home/btcpay/admin.macaroon if ! [[ -L "/home/btcpay/admin.macaroon" ]]; then
sudo chown btcpay:btcpay /home/btcpay/admin.macaroon sudo ln -s "/home/btcpay/.lnd/data/chain/${network}/${chain}net/admin.macaroon" "/home/btcpay/admin.macaroon"
sudo chmod 600 /home/btcpay/admin.macaroon fi
# set thumbprint # set thumbprint
FINGERPRINT=$(openssl x509 -noout -fingerprint -sha256 -inform pem -in /home/admin/.lnd/tls.cert | cut -c 20-) FINGERPRINT=$(openssl x509 -noout -fingerprint -sha256 -inform pem -in /home/btcpay/.lnd/tls.cert | cut -d"=" -f2)
doesNetworkEntryAlreadyExists=$(sudo cat /home/btcpay/.btcpayserver/Main/settings.config | grep -c '^network=') doesNetworkEntryAlreadyExists=$(sudo cat /home/btcpay/.btcpayserver/Main/settings.config | grep -c '^network=')
if [ ${doesNetworkEntryAlreadyExists} -eq 0 ]; then if [ ${doesNetworkEntryAlreadyExists} -eq 0 ]; then
echo "setting the LND TLS thumbprint for BTCPay" echo "setting the LND TLS thumbprint for BTCPay"
@ -76,10 +87,8 @@ BTC.lightning=type=lnd-rest;server=https://127.0.0.1:8080/;macaroonfilepath=/hom
" | sudo -u btcpay tee -a /home/btcpay/.btcpayserver/Main/settings.config " | sudo -u btcpay tee -a /home/btcpay/.btcpayserver/Main/settings.config
else else
echo "setting new LND TLS thumbprint for BTCPay" echo "setting new LND TLS thumbprint for BTCPay"
sudo -u btcpay sed -i \ s="BTC.lightning=type=lnd-rest\;server=https\://127.0.0.1:8080/\;macaroonfilepath=/home/btcpay/admin.macaroon\;"
"s/^BTC.lightning=type=lnd-rest\;server=https\:\/\/127.0.0.1:8080\/\;macaroonfilepath=\/home\/btcpay\/admin.macaroon\;certthumbprint=.*\ sudo -u btcpay sed -i "s|^${s}certthumbprint=.*|${s}certthumbprint=$FINGERPRINT|g" /home/btcpay/.btcpayserver/Main/settings.config
/BTC.lightning=type=lnd-rest\;server=https\:\/\/127.0.0.1:8080\/\;macaroonfilepath=\/home\/btcpay\/admin.macaroon\;certthumbprint=$FINGERPRINT/g" \
/home/btcpay/.btcpayserver/Main/settings.config
fi fi
sudo systemctl restart btcpayserver sudo systemctl restart btcpayserver
exit 0 exit 0

36
home.admin/config.scripts/bonus.lnbits.sh
View file

@ -79,24 +79,23 @@ if [ "$1" = "write-macaroons" ]; then
exit 1 exit 1
fi fi
# copy cert and macaroons cert for lnbits environment echo "make sure lnbits is member of lndreadonly and lndinvoice"
# set tls.cert path sudo /usr/sbin/usermod --append --groups lndinvoice lnbits
sudo -u lnbits sed -i "s/^LND_REST_CERT=.*/LND_REST_CERT=\/home\/admin\/.lnd\/tls.cert/g" /home/lnbits/lnbits/.env sudo /usr/sbin/usermod --append --groups lndreadonly lnbits
# copy macaroons
echo "copy macaroons to lnbits user" echo "make sure symlink to central app-data directory exists"
sudo -u lnbits mkdir -p /home/lnbits/.lnd/data/chain/${network}/${chain}net/ if ! [[ -L "/home/lnbits/.lnd" ]]; then
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon /home/lnbits/.lnd/data/chain/${network}/${chain}net/ sudo rm -rf "/home/lnbits/.lnd" # not a symlink.. delete it silently
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/invoice.macaroon /home/lnbits/.lnd/data/chain/${network}/${chain}net/ sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/lnbits/.lnd" # and create symlink
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/readonly.macaroon /home/lnbits/.lnd/data/chain/${network}/${chain}net/ fi
sudo chown lnbits:lnbits -R /home/lnbits/.lnd/data/chain/${network}/${chain}net/*.macaroon
sudo chmod 600 /home/lnbits/.lnd/data/chain/${network}/${chain}net/*.macaroon # set tls.cert path (use | as separator to avoid escaping file path slashes)
echo "OK DONE" sudo -u lnbits sed -i "s|^LND_REST_CERT=.*|LND_REST_CERT=/home/lnbits/.lnd/tls.cert|g" /home/lnbits/lnbits/.env
macaroonAdminHex=$(sudo xxd -ps -u -c 1000 /home/lnbits/.lnd/data/chain/${network}/${chain}net/admin.macaroon)
macaroonInvoiceHex=$(sudo xxd -ps -u -c 1000 /home/lnbits/.lnd/data/chain/${network}/${chain}net/invoice.macaroon) # set macaroon path info in .env
macaroonReadHex=$(sudo xxd -ps -u -c 1000 /home/lnbits/.lnd/data/chain/${network}/${chain}net/readonly.macaroon) sudo sed -i "s|^LND_REST_ADMIN_MACAROON=.*|LND_REST_ADMIN_MACAROON=/home/lnbits/.lnd/data/chain/${network}/${chain}net/admin.macaroon|g" /home/lnbits/lnbits/.env
sudo sed -i "s/^LND_REST_ADMIN_MACAROON=.*/LND_REST_ADMIN_MACAROON=${macaroonAdminHex}/g" /home/lnbits/lnbits/.env sudo sed -i "s|^LND_REST_INVOICE_MACAROON=.*|LND_REST_INVOICE_MACAROON=/home/lnbits/.lnd/data/chain/${network}/${chain}net/invoice.macaroon|g" /home/lnbits/lnbits/.env
sudo sed -i "s/^LND_REST_INVOICE_MACAROON=.*/LND_REST_INVOICE_MACAROON=${macaroonInvoiceHex}/g" /home/lnbits/lnbits/.env sudo sed -i "s|^LND_REST_READ_MACAROON=.*|LND_REST_READ_MACAROON=/home/lnbits/.lnd/data/chain/${network}/${chain}net/read.macaroon|g" /home/lnbits/lnbits/.env
sudo sed -i "s/^LND_REST_READ_MACAROON=.*/LND_REST_READ_MACAROON=${macaroonReadHex}/g" /home/lnbits/lnbits/.env
echo "# OK - macaroons written to /home/lnbits/lnbits/.env" echo "# OK - macaroons written to /home/lnbits/lnbits/.env"
exit 0 exit 0
fi fi
@ -188,6 +187,7 @@ WantedBy=multi-user.target
EOF EOF
sudo mv /home/admin/lnbits.service /etc/systemd/system/lnbits.service sudo mv /home/admin/lnbits.service /etc/systemd/system/lnbits.service
sudo chown root:root /etc/systemd/system/lnbits.service
sudo systemctl enable lnbits sudo systemctl enable lnbits
echo "# OK - service needs starting: sudo systemctl start lnbits" echo "# OK - service needs starting: sudo systemctl start lnbits"

14
home.admin/config.scripts/bonus.lndconnect.sh
View file

@ -51,7 +51,7 @@ fi
connector="" connector=""
host="" host=""
port="" port=""
extraparamter="" extraparameter=""
supportsTOR=0 supportsTOR=0
if [ "${targetWallet}" = "zap-ios" ]; then if [ "${targetWallet}" = "zap-ios" ]; then
@ -59,7 +59,7 @@ if [ "${targetWallet}" = "zap-ios" ]; then
if [ ${forceTOR} -eq 1 ]; then if [ ${forceTOR} -eq 1 ]; then
# when ZAP runs on TOR it uses REST # when ZAP runs on TOR it uses REST
port="8080" port="8080"
extraparamter="--nocert" extraparameter="--nocert"
else else
# normal ZAP uses gRPC ports # normal ZAP uses gRPC ports
port="10009" port="10009"
@ -70,7 +70,7 @@ elif [ "${targetWallet}" = "zap-android" ]; then
if [ ${forceTOR} -eq 1 ]; then if [ ${forceTOR} -eq 1 ]; then
# when ZAP runs on TOR it uses REST # when ZAP runs on TOR it uses REST
port="8080" port="8080"
extraparamter="--nocert" extraparameter="--nocert"
else else
# normal ZAP uses gRPC ports # normal ZAP uses gRPC ports
port="10009" port="10009"
@ -97,7 +97,7 @@ elif [ "${targetWallet}" = "sendmany-android" ]; then
echo "error='no tor support'" echo "error='no tor support'"
exit 1 exit 1
#port="8080" #port="8080"
#extraparamter="--nocert" #extraparameter="--nocert"
fi fi
port="10009" port="10009"
@ -185,7 +185,7 @@ if [ "${connector}" == "lndconnect" ]; then
# write qr code data to an image # write qr code data to an image
cd /home/admin cd /home/admin
lndconnect --host=${host} --port=${port} --image ${extraparamter} lndconnect --host=${host} --port=${port} --image ${extraparameter}
# display qr code image on LCD # display qr code image on LCD
/home/admin/config.scripts/blitz.lcd.sh image /home/admin/lndconnect-qr.png /home/admin/config.scripts/blitz.lcd.sh image /home/admin/lndconnect-qr.png
@ -199,7 +199,7 @@ elif [ "${connector}" == "shango" ]; then
/home/admin/config.scripts/blitz.lcd.sh qr "${datastring}" /home/admin/config.scripts/blitz.lcd.sh qr "${datastring}"
else else
echo "error='unkown connector'" echo "error='unknown connector'"
exit 1 exit 1
fi fi
@ -217,7 +217,7 @@ whiptail --backtitle "Connecting Mobile Wallet" \
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
# backup - show QR code on screen (not LCD) # backup - show QR code on screen (not LCD)
if [ "${connector}" == "lndconnect" ]; then if [ "${connector}" == "lndconnect" ]; then
lndconnect --host=${hostscreen} --port=${port} ${extraparamter} lndconnect --host=${hostscreen} --port=${port} ${extraparameter}
echo "(To shrink QR code: OSX->CMD- / LINUX-> CTRL-) Press ENTER when finished." echo "(To shrink QR code: OSX->CMD- / LINUX-> CTRL-) Press ENTER when finished."
read key read key
elif [ "${connector}" == "shango" ]; then elif [ "${connector}" == "shango" ]; then

16
home.admin/config.scripts/bonus.rtl.sh
View file

@ -78,6 +78,15 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
# create rtl user # create rtl user
sudo adduser --disabled-password --gecos "" rtl sudo adduser --disabled-password --gecos "" rtl
echo "*** make sure rtl is member of lndadmin ***"
sudo /usr/sbin/usermod --append --groups lndadmin rtl
echo "*** make sure symlink to central app-data directory exists ***"
if ! [[ -L "/home/rtl/.lnd" ]]; then
sudo rm -rf "/home/rtl/.lnd" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/rtl/.lnd" # and create symlink
fi
# download source code and set to tag release # download source code and set to tag release
echo "*** Get the RTL Source Code ***" echo "*** Get the RTL Source Code ***"
rm -rf /home/admin/RTL 2>/dev/null rm -rf /home/admin/RTL 2>/dev/null
@ -129,8 +138,8 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
var data = require('/home/rtl/RTL/sample-RTL-Config.json'); var data = require('/home/rtl/RTL/sample-RTL-Config.json');
//Manipulate data //Manipulate data
data.nodes[0].lnNode = '$hostname' data.nodes[0].lnNode = '$hostname'
data.nodes[0].Authentication.macaroonPath = '/home/admin/.lnd/data/chain/${network}/${chain}net/'; data.nodes[0].Authentication.macaroonPath = '/home/rtl/.lnd/data/chain/${network}/${chain}net/';
data.nodes[0].Authentication.configPath = '/mnt/hdd/lnd/lnd.conf'; data.nodes[0].Authentication.configPath = '/home/rtl/.lnd/lnd.conf';
data.multiPass = '$PASSWORD_B'; data.multiPass = '$PASSWORD_B';
data.nodes[0].Settings.userPersona = 'OPERATOR' data.nodes[0].Settings.userPersona = 'OPERATOR'
data.nodes[0].Settings.channelBackupPath = '/home/rtl/RTL-SCB-backup-$hostname' data.nodes[0].Settings.channelBackupPath = '/home/rtl/RTL-SCB-backup-$hostname'
@ -160,7 +169,7 @@ Wants=lnd.service
After=lnd.service After=lnd.service
[Service] [Service]
ExecStart=/usr/bin/node /home/rtl/RTL/rtl --lndir /home/admin/.lnd/data/chain/bitcoin/mainnet ExecStart=/usr/bin/node /home/rtl/RTL/rtl --lndir /home/rtl/.lnd/data/chain/bitcoin/mainnet
User=rtl User=rtl
Restart=always Restart=always
TimeoutSec=120 TimeoutSec=120
@ -174,6 +183,7 @@ EOF
sudo mv /home/admin/RTL.service /etc/systemd/system/RTL.service sudo mv /home/admin/RTL.service /etc/systemd/system/RTL.service
sudo sed -i "s|chain/bitcoin/mainnet|chain/${network}/${chain}net|" /etc/systemd/system/RTL.service sudo sed -i "s|chain/bitcoin/mainnet|chain/${network}/${chain}net|" /etc/systemd/system/RTL.service
sudo chown root:root /etc/systemd/system/RTL.service
sudo systemctl enable RTL sudo systemctl enable RTL
echo "OK - the RTL service is now enabled" echo "OK - the RTL service is now enabled"
fi fi

48
home.admin/config.scripts/lnd.check.sh
View file

@ -1,14 +1,13 @@
#!/bin/bash #!/bin/bash
if [ $# -eq 0 ]; then # command info
if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$1" = "-help" ]; then
echo "# script to check LND states" echo "# script to check LND states"
echo "# lnd.check.sh basic-setup" echo "# lnd.check.sh basic-setup"
echo "# lnd.check.sh update-credentials"
exit 1 exit 1
fi fi
# load raspiblitz conf # load raspiblitz conf
source /home/admin/raspiblitz.info
source /mnt/hdd/raspiblitz.conf source /mnt/hdd/raspiblitz.conf
# check basic LND setup # check basic LND setup
@ -175,46 +174,7 @@ if [ "$1" == "basic-setup" ]; then
fi fi
echo "rpcpasscorrect=${rpcpasscorrect}" echo "rpcpasscorrect=${rpcpasscorrect}"
# enforce basic LND credentials for users
elif [ "$1" == "update-credentials" ]; then
echo "# making sure LND blockchain RPC password is set correct in lnd.conf"
source <(sudo cat /mnt/hdd/${network}/${network}.conf 2>/dev/null | grep "rpcpass" | sed 's/^[a-z]*\./lnd/g')
if [ ${#rpcpassword} -gt 0 ]; then
sudo sed -i "s/^${network}d.rpcpass=.*/${network}d.rpcpass=${rpcpassword}/g" /mnt/hdd/lnd/lnd.conf 2>/dev/null
else else
echo "# WARN: could not get value 'rpcuser' from blockchain conf" echo "# FAIL: parameter not known - run with -h for help"
fi exit 1
echo "# make sure admin user LND data dirs exist"
sudo mkdir -p /home/admin/.lnd
sudo mkdir -p /home/admin/.lnd/data
sudo mkdir -p /home/admin/.lnd/data/chain
sudo mkdir -p /home/admin/.lnd/data/chain/${network}
sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net
echo "# updating/cleaning admin user LND data"
sudo rm -R /home/admin/.lnd 2>/dev/null
sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net 2>/dev/null
sudo cp /mnt/hdd/lnd/lnd.conf /home/admin/.lnd/lnd.conf
sudo cp /mnt/hdd/lnd/tls.cert /home/admin/.lnd/tls.cert
sudo sh -c "cat /mnt/hdd/lnd/data/chain/${network}/${chain}net/admin.macaroon > /home/admin/.lnd/data/chain/${network}/${chain}net/admin.macaroon"
sudo chown admin:admin -R /home/admin/.lnd
echo "# updating/cleaning pi user LND data (just read & invoice)"
sudo rm -R /home/pi/.lnd 2>/dev/null
sudo mkdir -p /home/pi/.lnd/data/chain/${network}/${chain}net/
sudo cp /mnt/hdd/lnd/tls.cert /home/pi/.lnd/tls.cert
sudo sh -c "cat /mnt/hdd/lnd/data/chain/${network}/${chain}net/readonly.macaroon > /home/pi/.lnd/data/chain/${network}/${chain}net/readonly.macaroon"
sudo sh -c "cat /mnt/hdd/lnd/data/chain/${network}/${chain}net/invoice.macaroon > /home/pi/.lnd/data/chain/${network}/${chain}net/invoice.macaroon"
sudo chown pi:pi -R /home/pi/.lnd
if [ "${LNBits}" = "on" ]; then
echo "# updating macaroons for LNBits fresh on start"
sudo -u admin /home/admin/config.scripts/bonus.lnbits.sh write-macaroons
sudo chown admin:admin -R /mnt/hdd/app-data/LNBits
fi
else
echo "# FAIL: parameter not known"
fi fi

141
home.admin/config.scripts/lnd.credentials.sh Executable file
View file

@ -0,0 +1,141 @@
#!/bin/bash
# command info
if [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
echo "tool to reset or sync credentials (e.g. macaroons)"
echo "lnd.credentials.sh [reset|sync]"
exit 1
fi
# interactive choose type of action
if [ "$1" = "" ] || [ $# -eq 0 ]; then
OPTIONS=()
OPTIONS+=(RESET "Recreate Macaroons + TLS")
OPTIONS+=(SYNC "Sync central store with LND")
OPTIONS+=(EXPORT "Macaroons and TLS.cert")
CHOICE=$(dialog --clear \
--backtitle "RaspiBlitz" \
--title "Manage LND credentials" \
--menu "Choose action" \
11 50 7 \
"${OPTIONS[@]}" \
2>&1 >/dev/tty)
clear
case $CHOICE in
RESET)
sudo /home/admin/config.scripts/lnd.credentials.sh reset
echo "Press ENTER to return to main menu."
read key
exit 0
;;
SYNC)
sudo /home/admin/config.scripts/lnd.credentials.sh sync
echo "Press ENTER to return to main menu."
read key
exit 0
;;
EXPORT)
sudo /home/admin/config.scripts/lnd.export.sh
exit 0
;;
esac
fi
# load data from config
source /mnt/hdd/raspiblitz.conf
###########################
# FUNCTIONS
###########################
function copy_mac_set_perms() {
local file_name=${1} # the file name (e.g. admin.macaroon)
local group_name=${2} # the unix group name (e.g. lndadmin)
local n=${3:-bitcoin} # the network (e.g. bitcoin or litecoin) defaults to bitcoin
local c=${4:-main} # the chain (e.g. main, test, sim, reg) defaults to main (for mainnet)
sudo /bin/cp /mnt/hdd/lnd/data/chain/"${n}"/"${c}"net/"${file_name}" /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${file_name}"
sudo /bin/chown --silent admin:"${group_name}" /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${file_name}"
sudo /bin/chmod --silent 640 /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${file_name}"
}
###########################
# RESET Macaroons and TLS
###########################
if [ "$1" = "reset" ]; then
clear
echo "###### RESET MACAROONS AND TLS.cert ######"
echo ""
echo "All your macaroons and the tls.cert get deleted and recreated."
echo "Use this to invalidate former EXPORTS for example if you loose a device."
echo ""
cd || exit
echo "- deleting old macaroons"
sudo find /mnt/hdd/app-data/lnd/data/chain/"${network}"/"${chain}"net/ -iname '*.macaroon' -delete
sudo find /home/bitcoin/.lnd/data/chain/"${network}"/"${chain}"net/ -iname '*.macaroon' -delete
sudo rm /home/bitcoin/.lnd/data/chain/"${network}"/"${chain}"net/macaroons.db
echo "- resetting TLS cert"
sudo /home/admin/config.scripts/lnd.newtlscert.sh
echo "- restarting LND ... wait 10 secs"
sudo systemctl start lnd
sleep 10
sudo -u bitcoin lncli --chain="${network}" --network="${chain}"net unlock
echo "- creating new macaroons ... wait 10 secs"
sleep 10
echo "- copy new macaroons to central app-data directory and ensure unix ownerships and permissions"
copy_mac_set_perms admin.macaroon lndadmin "${network}" "${chain}"
copy_mac_set_perms invoice.macaroon lndinvoice "${network}" "${chain}"
copy_mac_set_perms readonly.macaroon lndreadonly "${network}" "${chain}"
echo "OK DONE"
###########################
# SYNC
###########################
elif [ "$1" = "sync" ]; then
echo "###### SYNCING MACAROONS, RPC Password AND TLS Certificate ######"
echo "# make sure LND app-data directories exist"
sudo /bin/mkdir --mode 0755 --parents /mnt/hdd/app-data/lnd/data/chain/"${network}"/"${chain}"net/
echo "# copy macaroons to central app-data directory and ensure unix ownerships and permissions"
copy_mac_set_perms admin.macaroon lndadmin "${network}" "${chain}"
copy_mac_set_perms invoice.macaroon lndinvoice "${network}" "${chain}"
copy_mac_set_perms readonly.macaroon lndreadonly "${network}" "${chain}"
echo "# make sure admin has a symlink at ~/.lnd to /mnt/hdd/app-data/lnd/"
if ! [[ -L "/home/admin/.lnd" ]]; then
sudo rm -rf "/home/admin/.lnd" # not a symlink.. delete it silently
ln -s /mnt/hdd/app-data/lnd/ /home/admin/.lnd # and create symlink
fi
echo "# make sure network (bitcoin/litecoin) RPC password is set correctly in lnd.conf"
source <(sudo cat /mnt/hdd/"${network}"/"${network}".conf 2>/dev/null | grep "rpcpass" | sed 's/^[a-z]*\./lnd/g')
if [ "${#rpcpassword}" -gt 0 ]; then
sudo sed -i 's/^"${network}"d.rpcpass=.*/"${network}"d.rpcpass="${rpcpassword}"/g' /mnt/hdd/lnd/lnd.conf 2>/dev/null
else
echo "# WARN: could not get value 'rpcpass' from network config (e.g. bitcoin.conf)"
fi
echo "# make sure LND conf is readable and symlinked"
sudo chmod 644 "/mnt/hdd/lnd/lnd.conf"
sudo chown bitcoin:bitcoin "/mnt/hdd/lnd/lnd.conf"
if ! [[ -L "/mnt/hdd/app-data/lnd/lnd.conf" ]]; then
sudo rm -rf "/mnt/hdd/app-data/lnd/lnd.conf" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/lnd/lnd.conf" "/mnt/hdd/app-data/lnd/lnd.conf" # and create symlink
fi
echo "# make sure TLS certificate is readable and symlinked"
sudo chmod 644 "/mnt/hdd/lnd/tls.cert"
sudo chown bitcoin:bitcoin "/mnt/hdd/lnd/tls.cert"
if ! [[ -L "/mnt/hdd/app-data/lnd/tls.cert" ]]; then
sudo rm -rf "/mnt/hdd/app-data/lnd/tls.cert" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/lnd/tls.cert" "/mnt/hdd/app-data/lnd/tls.cert" # and create symlink
fi
###########################
# UNKNOWN
###########################
else
echo "# FAIL: parameter not known - run with -h for help"
exit 1
fi

45
home.admin/config.scripts/lnd.export.sh
View file

@ -3,7 +3,7 @@
# command info # command info
if [ "$1" = "-h" ] || [ "$1" = "-help" ]; then if [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
echo "tool to export macaroons & tls.cert" echo "tool to export macaroons & tls.cert"
echo "lnd.export.sh [hexstring|scp|http|reset]" echo "lnd.export.sh [hexstring|scp|http]"
exit 1 exit 1
fi fi
@ -16,7 +16,6 @@ if [ "$1" = "" ] || [ $# -eq 0 ]; then
OPTIONS+=(HEX "Hex-String (Copy+Paste)") OPTIONS+=(HEX "Hex-String (Copy+Paste)")
OPTIONS+=(SCP "SSH Download (Commands)") OPTIONS+=(SCP "SSH Download (Commands)")
OPTIONS+=(HTTP "Browserdownload (bit risky)") OPTIONS+=(HTTP "Browserdownload (bit risky)")
OPTIONS+=(RESET "RENEW MACAROONS & TLS")
CHOICE=$(dialog --clear \ CHOICE=$(dialog --clear \
--backtitle "RaspiBlitz" \ --backtitle "RaspiBlitz" \
--title "Export Macaroons & TLS.cert" \ --title "Export Macaroons & TLS.cert" \
@ -35,9 +34,6 @@ if [ "$1" = "" ] || [ $# -eq 0 ]; then
HTTP) HTTP)
exportType='http'; exportType='http';
;; ;;
RESET)
exportType='reset';
;;
esac esac
fi fi
@ -131,45 +127,8 @@ elif [ "${exportType}" = "http" ]; then
sudo rm -r ${randomFolderName} sudo rm -r ${randomFolderName}
echo "OK - temp HTTP server is stopped." echo "OK - temp HTTP server is stopped."
###########################
# RESET Macaroons and TLS
###########################
elif [ "${exportType}" = "reset" ]; then
clear
echo "###### RESET MACAROONS AND TLS.cert ######"
echo ""
echo "All your macaroons and the tls.cert get deleted and recreated."
echo "Use this to invalidate former EXPORTS for example if you loose a device."
echo ""
cd
echo "- deleting old macaroons"
sudo rm /home/admin/.lnd/data/chain/${network}/${chain}net/*.macaroon
sudo rm /home/bitcoin/.lnd/data/chain/${network}/${chain}net/*.macaroon
sudo rm /home/bitcoin/.lnd/data/chain/${network}/${chain}net/macaroons.db
echo "- resetting TLS cert"
sudo /home/admin/config.scripts/lnd.newtlscert.sh
echo "- restarting LND ... wait 10 secs"
sudo systemctl start lnd
sleep 10
sudo -u bitcoin lncli --chain=${network} --network=${chain}net unlock
echo "- creating new macaroons ... wait 10 secs"
sleep 10
echo "- copy new macaroons to admin user"
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/*.macaroon /home/admin/.lnd/data/chain/${network}/${chain}net/
sudo chown admin:admin -R /home/admin/.lnd/data/chain/${network}/${chain}net/*.macaroon
# BTCPayServer
if [ "${BTCPayServer}" == "on" ]; then
/home/admin/config.scripts/bonus.btcpayserver.sh write-tls-macaroon
fi
# LNBits
if [ "${LNBits}" = "on" ]; then
sudo -u admin /home/admin/config.scripts/bonus.lnbits.sh write-macaroons
fi
echo "OK DONE"
else else
echo "FAIL: unknown '${exportType}' -run-> ./lnd.export.sh -h" echo "FAIL: unknown '${exportType}' - run with -h for help"
fi fi
if [ "$1" = "" ] || [ $# -eq 0 ]; then if [ "$1" = "" ] || [ $# -eq 0 ]; then

14
home.admin/config.scripts/lnd.newtlscert.sh
View file

@ -1,4 +1,3 @@
#!/bin/bash #!/bin/bash
# stop services # stop services
@ -27,7 +26,14 @@ do
done done
sudo killall /usr/local/bin/lnd sudo killall /usr/local/bin/lnd
sudo chmod 664 /mnt/hdd/lnd/tls.cert sudo chmod 664 /mnt/hdd/lnd/tls.cert
echo "copy new cert to admin user" sudo chown bitcoin:bitcoin "/mnt/hdd/lnd/tls.cert"
sudo cp /mnt/hdd/lnd/tls.cert /home/admin/.lnd echo "symlink new cert to lnd app-data directory"
sudo chown admin:admin -R /home/admin/.lnd/*.cert if ! [[ -L "/mnt/hdd/app-data/lnd/tls.cert" ]]; then
sudo rm -rf "/mnt/hdd/app-data/lnd/tls.cert" # not a symlink.. delete it silently
sudo ln -s /mnt/hdd/lnd/tls.cert /home/admin/.lnd/tls.cert # and create symlink
fi
echo "OK TLS certs are fresh" echo "OK TLS certs are fresh"
# ToDo(frennkie) why doesn't this start lnd again? - I assume as _background will start it anyway?!
# ToDo(frennkie) the way LND generates the x509 certificate is not ideal -
# it may be better to simply run openssl and create a cert with our settings...