Merge pull request #1147 from frennkie/add-macaroon-store

Add central LND credential store (e.g. macaroons)
This commit is contained in:
Christian Rotzoll 2020-05-04 00:00:49 +02:00 committed by GitHub
commit 8b25b150ed
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 272 additions and 173 deletions


@ -101,7 +101,7 @@ if [ "${baseImage}" = "raspbian" ] || [ "${baseImage}" = "dietpi" ] ; then
sudo sed -i "s/^ SendEnv LANG LC.*/# SendEnv LANG LC_*/g" /etc/ssh/ssh_config sudo sed -i "s/^ SendEnv LANG LC.*/# SendEnv LANG LC_*/g" /etc/ssh/ssh_config
# remove unneccesary files # remove unneccesary files
sudo rm -rf /home/pi/MagPi sudo rm -rf /home/pi/MagPi
fi fi
# remove some (big) packages that are not needed # remove some (big) packages that are not needed
@ -281,7 +281,7 @@ sudo apt-get install -y fbi
sudo apt install -y sysbench sudo apt install -y sysbench
# check for dependencies on DietPi, Ubuntu, Armbian # check for dependencies on DietPi, Ubuntu, Armbian
sudo apt install -y build-essential sudo apt install -y build-essential
if [ "${baseImage}" = "armbian" ]; then if [ "${baseImage}" = "armbian" ]; then
# add armbian config # add armbian config
sudo apt --fix-broken install -y sudo apt --fix-broken install -y
@ -330,6 +330,13 @@ echo "*** ADDING SERVICE USER bitcoin"
sudo adduser --disabled-password --gecos "" bitcoin sudo adduser --disabled-password --gecos "" bitcoin
echo "bitcoin:raspiblitz" | sudo chpasswd echo "bitcoin:raspiblitz" | sudo chpasswd
echo ""
echo "*** ADDING GROUPS FOR CREDENTIALS STORE ***"
# access to credentials (e.g. macaroon files) in a central location is managed with unix groups and permissions
sudo /usr/sbin/groupadd --force --gid 9700 lndadmin
sudo /usr/sbin/groupadd --force --gid 9701 lndinvoice
sudo /usr/sbin/groupadd --force --gid 9702 lndreadonly
echo "" echo ""
echo "*** SWAP FILE ***" echo "*** SWAP FILE ***"
# based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_20_pi.md#moving-the-swap-file # based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_20_pi.md#moving-the-swap-file
@ -709,7 +716,7 @@ sudo -u admin chmod -R 755 LCD-show
sudo -u admin chown -R admin:admin LCD-show sudo -u admin chown -R admin:admin LCD-show
cd LCD-show/ cd LCD-show/
# set comit hard to old version - that seemed to run better # set comit hard to old version - that seemed to run better
# #
sudo -u admin git reset --hard ce52014 sudo -u admin git reset --hard ce52014
# install xinput calibrator package # install xinput calibrator package
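Review bot: `sudo /usr/sbin/groupadd --force --gid 9700 lndadmin` (and the two lines after it) will silently end up with an arbitrary GID if 9700–9702 are already in use, because `--force` cancels the `--gid` request instead of failing. Anything that later relies on fixed GIDs — ownership of the macaroon copies carried on the HDD across SD-card rebuilds, for example — would then be wrong without any error at build time. If the fixed GIDs matter, verify them after creation, e.g. `[ "$(getent group lndadmin | cut -d: -f3)" = "9700" ] || echo "WARN: lndadmin did not get GID 9700"` for each group. If they do not matter, drop the `--gid` flags so the intent is clear.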


@ -87,7 +87,7 @@ fi
OPTIONS+=(SERVICES "Activate/Deactivate Services") OPTIONS+=(SERVICES "Activate/Deactivate Services")
OPTIONS+=(MOBILE "Connect Mobile Wallet") OPTIONS+=(MOBILE "Connect Mobile Wallet")
OPTIONS+=(EXPORT "Macaroons and TLS.cert") OPTIONS+=(LNDCREDS "Manage LND Credentials")
OPTIONS+=(NAME "Change Name/Alias of Node") OPTIONS+=(NAME "Change Name/Alias of Node")
OPTIONS+=(PASSWORD "Change Passwords") OPTIONS+=(PASSWORD "Change Passwords")
@ -210,8 +210,8 @@ case $CHOICE in
MOBILE) MOBILE)
/home/admin/97addMobileWallet.sh /home/admin/97addMobileWallet.sh
;; ;;
EXPORT) LNDCREDS)
sudo /home/admin/config.scripts/lnd.export.sh sudo /home/admin/config.scripts/lnd.credentials.sh
;; ;;
NAME) NAME)
sudo /home/admin/config.scripts/lnd.setname.sh sudo /home/admin/config.scripts/lnd.setname.sh


@ -450,7 +450,7 @@ if [ ${macaroonExists} -eq 0 ]; then
sleep 3 sleep 3
fi fi
# check if macatoon exists now - if not fail # check if macaroon exists now - if not fail
macaroonExists=$(sudo -u bitcoin ls -la /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon 2>/dev/null | grep -c admin.macaroon) macaroonExists=$(sudo -u bitcoin ls -la /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon 2>/dev/null | grep -c admin.macaroon)
if [ ${macaroonExists} -eq 0 ]; then if [ ${macaroonExists} -eq 0 ]; then
sudo -u bitcoin ls -la /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon sudo -u bitcoin ls -la /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon
@ -463,7 +463,7 @@ if [ ${macaroonExists} -eq 0 ]; then
fi fi
# copy macaroons to all needed users # copy macaroons to all needed users
sudo /home/admin/config.scripts/lnd.check.sh update-credentials sudo /home/admin/config.scripts/lnd.credentials.sh sync
echo "OK - LND Macaroons created and copied" echo "OK - LND Macaroons created and copied"
echo "" echo ""
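Review bot: The exit status of `sudo /home/admin/config.scripts/lnd.credentials.sh sync` is not checked, so `echo "OK - LND Macaroons created and copied"` is printed even when the sync fails and the dependent users (pi, rtl, btcpay, lnbits) are left without readable credentials in the central store. Guard it: `if ! sudo /home/admin/config.scripts/lnd.credentials.sh sync; then echo "FAIL - could not sync LND credentials to central store"; exit 1; fi`. The surrounding `macaroonExists` logic begins before this hunk.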


@ -202,19 +202,20 @@ do
echo "--> Channel Backup File changed" echo "--> Channel Backup File changed"
# make copy to sd card (as local basic backup) # make copy to sd card (as local basic backup)
# ToDo(frennkie) /home/admin/.lnd/ no longer is on the SD card
sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net/ 2>/dev/null sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net/ 2>/dev/null
sudo cp /mnt/hdd/lnd/data/chain/${network}/${chain}net/channel.backup /home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup sudo cp /mnt/hdd/lnd/data/chain/${network}/${chain}net/channel.backup /home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup
echo "OK channel.backup copied to '/home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup'" echo "OK channel.backup copied to '/home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup'"
# check if a SCP backup target is set # check if a SCP backup target is set
# paramter in raspiblitz.conf: # parameter in raspiblitz.conf:
# scpBackupTarget='[USER]@[SERVER]:[DIRPATH-WITHOUT-ENDING-/]' # scpBackupTarget='[USER]@[SERVER]:[DIRPATH-WITHOUT-ENDING-/]'
# On target server add the public key of your RaspiBlitz to the authorized_keys for the user # On target server add the public key of your RaspiBlitz to the authorized_keys for the user
# https://www.linode.com/docs/security/authentication/use-public-key-authentication-with-ssh/ # https://www.linode.com/docs/security/authentication/use-public-key-authentication-with-ssh/
if [ ${#scpBackupTarget} -gt 0 ]; then if [ ${#scpBackupTarget} -gt 0 ]; then
echo "--> Offsite-Backup SCP Server" echo "--> Offsite-Backup SCP Server"
# its ok to ignore known host, because data is encrypted (worst case of MiM would be: no offsite channel backup) # its ok to ignore known host, because data is encrypted (worst case of MiM would be: no offsite channel backup)
# but its more likely that whithout ignoriing known host, script might not run thru and that way: no offsite channel backup # but its more likely that without ignoring known host, script might not run thru and that way: no offsite channel backup
sudo scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup ${scpBackupTarget}/channel.backup sudo scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null /home/admin/.lnd/data/chain/${network}/${chain}net/channel.backup ${scpBackupTarget}/channel.backup
result=$? result=$?
if [ ${result} -eq 0 ]; then if [ ${result} -eq 0 ]; then
@ -225,7 +226,7 @@ do
fi fi
# check if a DropBox backup target is set # check if a DropBox backup target is set
# paramter in raspiblitz.conf: # parameter in raspiblitz.conf:
# dropboxBackupTarget='[DROPBOX-APP-OAUTH2-TOKEN]' # dropboxBackupTarget='[DROPBOX-APP-OAUTH2-TOKEN]'
# see dropbox setup: https://gist.github.com/vindard/e0cd3d41bb403a823f3b5002488e3f90 # see dropbox setup: https://gist.github.com/vindard/e0cd3d41bb403a823f3b5002488e3f90
if [ ${#dropboxBackupTarget} -gt 0 ]; then if [ ${#dropboxBackupTarget} -gt 0 ]; then
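Review bot: The new `# ToDo(frennkie) /home/admin/.lnd/ no longer is on the SD card` contradicts the unchanged comment and log line right below it (`# make copy to sd card (as local basic backup)` and `OK channel.backup copied to '/home/admin/.lnd/...'`). If /home/admin/.lnd now resolves into /mnt/hdd/app-data, the "local basic backup" of channel.backup lands on the same disk as the original and offers no protection against HDD loss, while the log still claims an SD-card copy was made. Where /home/admin/.lnd points after this change is not visible in this diff, so please confirm; if it is on the HDD, copy to an explicit SD-card path (e.g. a dedicated directory under /home/admin that is not a symlink) and adjust the log text. The enclosing loop starts before and ends after this hunk.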


@ -98,9 +98,15 @@ EOF
# remove minimize, maximize, close from titlebar # remove minimize, maximize, close from titlebar
sudo sed -i -E 's/titleLayout>LIMC/titleLayout>L/g' /etc/xdg/openbox/lxde-pi-rc.xml sudo sed -i -E 's/titleLayout>LIMC/titleLayout>L/g' /etc/xdg/openbox/lxde-pi-rc.xml
# make sure that the directory for tls & macaroons exists echo "make sure pi is member of lndreadonly and lndinvoice"
# fresh copy will be put there by bootstrap script on every start- restart needed sudo /usr/sbin/usermod --append --groups lndinvoice pi
sudo mkdir -p /home/pi/.lnd 2>/dev/null sudo /usr/sbin/usermod --append --groups lndreadonly pi
echo "make sure symlink to central app-data directory exists"
if ! [[ -L "/home/pi/.lnd" ]]; then
sudo rm -rf "/home/pi/.lnd" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/pi/.lnd" # and create symlink
fi
# rotate touchscreen based on if LCD is rotated # rotate touchscreen based on if LCD is rotated
if [ "${lcdrotate}" = "0" ]; then if [ "${lcdrotate}" = "0" ]; then
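Review bot: The `if ! [[ -L "/home/pi/.lnd" ]]` guard only repairs a non-symlink path; an existing symlink that points anywhere other than `/mnt/hdd/app-data/lnd/` is kept as-is, so the group-based access set up in this hunk would silently apply to the wrong directory. Compare the resolved target instead, e.g. `if [[ "$(readlink -f /home/pi/.lnd)" != "/mnt/hdd/app-data/lnd" ]]; then sudo rm -rf /home/pi/.lnd; sudo ln -sfn /mnt/hdd/app-data/lnd/ /home/pi/.lnd; fi`. Note also that `usermod --append --groups` only takes effect for new logins and newly started processes, so anything already running as pi must be restarted before it can read the group-protected macaroons; a comment to that effect next to the usermod lines would save the next maintainer a debugging session.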


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# Based on: https://gist.github.com/normandmickey/3f10fc077d15345fb469034e3697d0d0 # Based on: https://gist.github.com/normandmickey/3f10fc077d15345fb469034e3697d0d0
# command info # command info
if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
@ -51,13 +51,24 @@ fi
# write-tls-macaroon # write-tls-macaroon
if [ "$1" = "write-tls-macaroon" ]; then if [ "$1" = "write-tls-macaroon" ]; then
echo "make sure btcpay is member of lndadmin"
sudo /usr/sbin/usermod --append --groups lndadmin btcpay
echo "make sure symlink to central app-data directory exists"
if ! [[ -L "/home/btcpay/.lnd" ]]; then
sudo rm -rf "/home/btcpay/.lnd" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/btcpay/.lnd" # and create symlink
fi
# copy admin macaroon # copy admin macaroon
echo "copyin admin.macaroon for btcpay" echo "extra symlink to admin.macaroon for btcpay"
sudo cp /mnt/hdd/lnd/data/chain/bitcoin/mainnet/admin.macaroon /home/btcpay/admin.macaroon if ! [[ -L "/home/btcpay/admin.macaroon" ]]; then
sudo chown btcpay:btcpay /home/btcpay/admin.macaroon sudo ln -s "/home/btcpay/.lnd/data/chain/${network}/${chain}net/admin.macaroon" "/home/btcpay/admin.macaroon"
sudo chmod 600 /home/btcpay/admin.macaroon fi
# set thumbprint # set thumbprint
FINGERPRINT=$(openssl x509 -noout -fingerprint -sha256 -inform pem -in /home/admin/.lnd/tls.cert | cut -c 20-) FINGERPRINT=$(openssl x509 -noout -fingerprint -sha256 -inform pem -in /home/btcpay/.lnd/tls.cert | cut -d"=" -f2)
doesNetworkEntryAlreadyExists=$(sudo cat /home/btcpay/.btcpayserver/Main/settings.config | grep -c '^network=') doesNetworkEntryAlreadyExists=$(sudo cat /home/btcpay/.btcpayserver/Main/settings.config | grep -c '^network=')
if [ ${doesNetworkEntryAlreadyExists} -eq 0 ]; then if [ ${doesNetworkEntryAlreadyExists} -eq 0 ]; then
echo "setting the LND TLS thumbprint for BTCPay" echo "setting the LND TLS thumbprint for BTCPay"
@ -76,10 +87,8 @@ BTC.lightning=type=lnd-rest;server=https://127.0.0.1:8080/;macaroonfilepath=/hom
" | sudo -u btcpay tee -a /home/btcpay/.btcpayserver/Main/settings.config " | sudo -u btcpay tee -a /home/btcpay/.btcpayserver/Main/settings.config
else else
echo "setting new LND TLS thumbprint for BTCPay" echo "setting new LND TLS thumbprint for BTCPay"
sudo -u btcpay sed -i \ s="BTC.lightning=type=lnd-rest\;server=https\://127.0.0.1:8080/\;macaroonfilepath=/home/btcpay/admin.macaroon\;"
"s/^BTC.lightning=type=lnd-rest\;server=https\:\/\/127.0.0.1:8080\/\;macaroonfilepath=\/home\/btcpay\/admin.macaroon\;certthumbprint=.*\ sudo -u btcpay sed -i "s|^${s}certthumbprint=.*|${s}certthumbprint=$FINGERPRINT|g" /home/btcpay/.btcpayserver/Main/settings.config
/BTC.lightning=type=lnd-rest\;server=https\:\/\/127.0.0.1:8080\/\;macaroonfilepath=\/home\/btcpay\/admin.macaroon\;certthumbprint=$FINGERPRINT/g" \
/home/btcpay/.btcpayserver/Main/settings.config
fi fi
sudo systemctl restart btcpayserver sudo systemctl restart btcpayserver
exit 0 exit 0
@ -90,11 +99,11 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
echo "*** INSTALL BTCPAYSERVER ***" echo "*** INSTALL BTCPAYSERVER ***"
# --> just serving directly thru TOR for now # --> just serving directly thru TOR for now
# setting up nginx and the SSL certificate # setting up nginx and the SSL certificate
#/home/admin/config.scripts/bonus.btcpaysetdomain.sh #/home/admin/config.scripts/bonus.btcpaysetdomain.sh
#errorOnInstall=$? #errorOnInstall=$?
#if [ ${errorOnInstall} -eq 1 ]; then #if [ ${errorOnInstall} -eq 1 ]; then
# echo "exiting as user cancelled BTCPayServer installation" # echo "exiting as user cancelled BTCPayServer installation"
# exit 1 # exit 1
#fi #fi
@ -136,7 +145,7 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
echo "Installing .NET" echo "Installing .NET"
echo "***" echo "***"
echo "" echo ""
# download dotnet-sdk # download dotnet-sdk
# https://dotnet.microsoft.com/download/dotnet-core/3.1 # https://dotnet.microsoft.com/download/dotnet-core/3.1
sudo apt-get -y install libunwind8 gettext libssl1.0 sudo apt-get -y install libunwind8 gettext libssl1.0
@ -150,7 +159,7 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
echo "!!! FAIL !!! Downloaded ${dotnetName} not matching SHA512 checksum: ${binaryChecksum}" echo "!!! FAIL !!! Downloaded ${dotnetName} not matching SHA512 checksum: ${binaryChecksum}"
exit 1 exit 1
fi fi
# download aspnetcore-runtime # download aspnetcore-runtime
aspnetcoreName="aspnetcore-runtime-3.1.1-linux-arm.tar.gz" aspnetcoreName="aspnetcore-runtime-3.1.1-linux-arm.tar.gz"
sudo rm /home/btcpay/${aspnetcoreName} 2>/dev/null sudo rm /home/btcpay/${aspnetcoreName} 2>/dev/null
@ -162,15 +171,15 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
echo "!!! FAIL !!! Downloaded ${aspnetcoreName} not matching SHA512 checksum: ${binaryChecksum}" echo "!!! FAIL !!! Downloaded ${aspnetcoreName} not matching SHA512 checksum: ${binaryChecksum}"
exit 1 exit 1
fi fi
sudo -u btcpay mkdir /home/btcpay/dotnet sudo -u btcpay mkdir /home/btcpay/dotnet
sudo -u btcpay tar -xvf ${dotnetName} -C /home/btcpay/dotnet sudo -u btcpay tar -xvf ${dotnetName} -C /home/btcpay/dotnet
sudo -u btcpay tar -xvf ${aspnetcoreName} -C /home/btcpay/dotnet sudo -u btcpay tar -xvf ${aspnetcoreName} -C /home/btcpay/dotnet
sudo rm -f *.tar.gz* sudo rm -f *.tar.gz*
# opt out of telemetry # opt out of telemetry
echo "DOTNET_CLI_TELEMETRY_OPTOUT=1" | sudo tee -a /etc/environment echo "DOTNET_CLI_TELEMETRY_OPTOUT=1" | sudo tee -a /etc/environment
# make .NET accessible and add to PATH # make .NET accessible and add to PATH
sudo ln -s /home/btcpay/dotnet /usr/share sudo ln -s /home/btcpay/dotnet /usr/share
export PATH=$PATH:/usr/share export PATH=$PATH:/usr/share
@ -184,14 +193,14 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
sudo bash -c "echo 'PATH=\$PATH:/home/btcpay/dotnet' >> /etc/profile" sudo bash -c "echo 'PATH=\$PATH:/home/btcpay/dotnet' >> /etc/profile"
fi fi
sudo -u btcpay /home/btcpay/dotnet/dotnet --info sudo -u btcpay /home/btcpay/dotnet/dotnet --info
# NBXplorer # NBXplorer
echo "" echo ""
echo "***" echo "***"
echo "Install NBXplorer" echo "Install NBXplorer"
echo "***" echo "***"
echo "" echo ""
cd /home/btcpay cd /home/btcpay
echo "Downloading NBXplorer source code.." echo "Downloading NBXplorer source code.."
sudo -u btcpay git clone https://github.com/dgarage/NBXplorer.git 2>/dev/null sudo -u btcpay git clone https://github.com/dgarage/NBXplorer.git 2>/dev/null
@ -201,7 +210,7 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
# from the build.sh with path # from the build.sh with path
sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release NBXplorer/NBXplorer.csproj sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release NBXplorer/NBXplorer.csproj
# create nbxplorer service # create nbxplorer service
echo " echo "
[Unit] [Unit]
@ -225,12 +234,12 @@ PrivateDevices=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
" | sudo tee /etc/systemd/system/nbxplorer.service " | sudo tee /etc/systemd/system/nbxplorer.service
sudo systemctl daemon-reload sudo systemctl daemon-reload
# start to create settings.config # start to create settings.config
sudo systemctl enable nbxplorer sudo systemctl enable nbxplorer
sudo systemctl start nbxplorer sudo systemctl start nbxplorer
echo "Checking for nbxplorer config" echo "Checking for nbxplorer config"
while [ ! -f "/home/btcpay/.nbxplorer/Main/settings.config" ] while [ ! -f "/home/btcpay/.nbxplorer/Main/settings.config" ]
do do
@ -242,7 +251,7 @@ WantedBy=multi-user.target
echo "maybe report here: https://github.com/rootzoll/raspiblitz/issues/214" echo "maybe report here: https://github.com/rootzoll/raspiblitz/issues/214"
fi fi
done done
echo "" echo ""
echo "***" echo "***"
echo "getting RPC credentials from the bitcoin.conf" echo "getting RPC credentials from the bitcoin.conf"
@ -259,14 +268,14 @@ EOF
sudo mv /home/admin/settings.config /home/btcpay/.nbxplorer/Main/settings.config sudo mv /home/admin/settings.config /home/btcpay/.nbxplorer/Main/settings.config
sudo chown btcpay:btcpay /home/btcpay/.nbxplorer/Main/settings.config sudo chown btcpay:btcpay /home/btcpay/.nbxplorer/Main/settings.config
sudo systemctl restart nbxplorer sudo systemctl restart nbxplorer
# BTCPayServer # BTCPayServer
echo "" echo ""
echo "***" echo "***"
echo "Install BTCPayServer" echo "Install BTCPayServer"
echo "***" echo "***"
echo "" echo ""
cd /home/btcpay cd /home/btcpay
echo "Downloading BTCPayServer source code.." echo "Downloading BTCPayServer source code.."
sudo -u btcpay git clone https://github.com/btcpayserver/btcpayserver.git 2>/dev/null sudo -u btcpay git clone https://github.com/btcpayserver/btcpayserver.git 2>/dev/null
@ -274,8 +283,8 @@ EOF
# check https://github.com/btcpayserver/btcpayserver/releases # check https://github.com/btcpayserver/btcpayserver/releases
sudo -u btcpay git reset --hard v1.0.4.2 sudo -u btcpay git reset --hard v1.0.4.2
# from the build.sh with path # from the build.sh with path
sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release /home/btcpay/btcpayserver/BTCPayServer/BTCPayServer.csproj sudo -u btcpay /home/btcpay/dotnet/dotnet build -c Release /home/btcpay/btcpayserver/BTCPayServer/BTCPayServer.csproj
# create btcpayserver service # create btcpayserver service
echo " echo "
[Unit] [Unit]
@ -294,11 +303,11 @@ Restart=on-failure
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
" | sudo tee /etc/systemd/system/btcpayserver.service " | sudo tee /etc/systemd/system/btcpayserver.service
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl enable btcpayserver sudo systemctl enable btcpayserver
sudo systemctl start btcpayserver sudo systemctl start btcpayserver
echo "Checking for btcpayserver config" echo "Checking for btcpayserver config"
while [ ! -f "/home/btcpay/.btcpayserver/Main/settings.config" ] while [ ! -f "/home/btcpay/.btcpayserver/Main/settings.config" ]
do do
@ -313,13 +322,13 @@ WantedBy=multi-user.target
/home/admin/config.scripts/bonus.btcpayserver.sh write-tls-macaroon /home/admin/config.scripts/bonus.btcpayserver.sh write-tls-macaroon
else else
echo "BTCPay Server is already installed." echo "BTCPay Server is already installed."
# start service # start service
echo "start service" echo "start service"
sudo systemctl start nbxplorer 2>/dev/null sudo systemctl start nbxplorer 2>/dev/null
sudo systemctl start btcpayserver 2>/dev/null sudo systemctl start btcpayserver 2>/dev/null
fi fi
# setting value in raspi blitz config # setting value in raspi blitz config
sudo sed -i "s/^BTCPayServer=.*/BTCPayServer=on/g" /mnt/hdd/raspiblitz.conf sudo sed -i "s/^BTCPayServer=.*/BTCPayServer=on/g" /mnt/hdd/raspiblitz.conf
@ -358,7 +367,7 @@ if [ "$1" = "0" ] || [ "$1" = "off" ]; then
# nuke user # nuke user
sudo userdel -rf btcpay 2>/dev/null sudo userdel -rf btcpay 2>/dev/null
echo "OK BTCPayServer removed." echo "OK BTCPayServer removed."
else else
echo "BTCPayServer is not installed." echo "BTCPayServer is not installed."
fi fi
exit 0 exit 0
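Review bot: In the write-tls-macaroon hunk, `/home/btcpay/admin.macaroon` is only linked when it is not already a symlink, but an installation from before this change has a regular file there (created by the old `sudo cp ... /home/btcpay/admin.macaroon`), so `ln -s` fails with "File exists", the failure is not checked, and BTCPay keeps using a stale, separately stored copy of the admin macaroon that the central store will never refresh. Remove the old file first, `sudo rm -f /home/btcpay/admin.macaroon` before the `ln -s`, or replace the whole block with `sudo ln -sfn "/home/btcpay/.lnd/data/chain/${network}/${chain}net/admin.macaroon" /home/btcpay/admin.macaroon`. Also, `${network}` and `${chain}` now replace the hard-coded bitcoin/mainnet in that path; whether this script sources raspiblitz.conf before this point is not visible in the diff, and if it does not the link target becomes `/home/btcpay/.lnd/data/chain//net/admin.macaroon`. The `write-tls-macaroon` branch begins before this hunk.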


@ -79,24 +79,23 @@ if [ "$1" = "write-macaroons" ]; then
exit 1 exit 1
fi fi
# copy cert and macaroons cert for lnbits environment echo "make sure lnbits is member of lndreadonly and lndinvoice"
# set tls.cert path sudo /usr/sbin/usermod --append --groups lndinvoice lnbits
sudo -u lnbits sed -i "s/^LND_REST_CERT=.*/LND_REST_CERT=\/home\/admin\/.lnd\/tls.cert/g" /home/lnbits/lnbits/.env sudo /usr/sbin/usermod --append --groups lndreadonly lnbits
# copy macaroons
echo "copy macaroons to lnbits user" echo "make sure symlink to central app-data directory exists"
sudo -u lnbits mkdir -p /home/lnbits/.lnd/data/chain/${network}/${chain}net/ if ! [[ -L "/home/lnbits/.lnd" ]]; then
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/admin.macaroon /home/lnbits/.lnd/data/chain/${network}/${chain}net/ sudo rm -rf "/home/lnbits/.lnd" # not a symlink.. delete it silently
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/invoice.macaroon /home/lnbits/.lnd/data/chain/${network}/${chain}net/ sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/lnbits/.lnd" # and create symlink
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/readonly.macaroon /home/lnbits/.lnd/data/chain/${network}/${chain}net/ fi
sudo chown lnbits:lnbits -R /home/lnbits/.lnd/data/chain/${network}/${chain}net/*.macaroon
sudo chmod 600 /home/lnbits/.lnd/data/chain/${network}/${chain}net/*.macaroon # set tls.cert path (use | as separator to avoid escaping file path slashes)
echo "OK DONE" sudo -u lnbits sed -i "s|^LND_REST_CERT=.*|LND_REST_CERT=/home/lnbits/.lnd/tls.cert|g" /home/lnbits/lnbits/.env
macaroonAdminHex=$(sudo xxd -ps -u -c 1000 /home/lnbits/.lnd/data/chain/${network}/${chain}net/admin.macaroon)
macaroonInvoiceHex=$(sudo xxd -ps -u -c 1000 /home/lnbits/.lnd/data/chain/${network}/${chain}net/invoice.macaroon) # set macaroon path info in .env
macaroonReadHex=$(sudo xxd -ps -u -c 1000 /home/lnbits/.lnd/data/chain/${network}/${chain}net/readonly.macaroon) sudo sed -i "s|^LND_REST_ADMIN_MACAROON=.*|LND_REST_ADMIN_MACAROON=/home/lnbits/.lnd/data/chain/${network}/${chain}net/admin.macaroon|g" /home/lnbits/lnbits/.env
sudo sed -i "s/^LND_REST_ADMIN_MACAROON=.*/LND_REST_ADMIN_MACAROON=${macaroonAdminHex}/g" /home/lnbits/lnbits/.env sudo sed -i "s|^LND_REST_INVOICE_MACAROON=.*|LND_REST_INVOICE_MACAROON=/home/lnbits/.lnd/data/chain/${network}/${chain}net/invoice.macaroon|g" /home/lnbits/lnbits/.env
sudo sed -i "s/^LND_REST_INVOICE_MACAROON=.*/LND_REST_INVOICE_MACAROON=${macaroonInvoiceHex}/g" /home/lnbits/lnbits/.env sudo sed -i "s|^LND_REST_READ_MACAROON=.*|LND_REST_READ_MACAROON=/home/lnbits/.lnd/data/chain/${network}/${chain}net/read.macaroon|g" /home/lnbits/lnbits/.env
sudo sed -i "s/^LND_REST_READ_MACAROON=.*/LND_REST_READ_MACAROON=${macaroonReadHex}/g" /home/lnbits/lnbits/.env
echo "# OK - macaroons written to /home/lnbits/lnbits/.env" echo "# OK - macaroons written to /home/lnbits/lnbits/.env"
exit 0 exit 0
fi fi
@ -188,6 +187,7 @@ WantedBy=multi-user.target
EOF EOF
sudo mv /home/admin/lnbits.service /etc/systemd/system/lnbits.service sudo mv /home/admin/lnbits.service /etc/systemd/system/lnbits.service
sudo chown root:root /etc/systemd/system/lnbits.service
sudo systemctl enable lnbits sudo systemctl enable lnbits
echo "# OK - service needs starting: sudo systemctl start lnbits" echo "# OK - service needs starting: sudo systemctl start lnbits"
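Review bot: `LND_REST_READ_MACAROON` is pointed at `.../${chain}net/read.macaroon`, but the LND file — and the name used everywhere else in this diff, including the removed `readonly.macaroon` copy line just above — is `readonly.macaroon`, so that path will not exist. Second, `LND_REST_ADMIN_MACAROON` now references `admin.macaroon` in the central store while lnbits is only added to `lndinvoice` and `lndreadonly`; if the store files are `640 admin:<group>` as the new copy_mac_set_perms helper in lnd.credentials.sh suggests, lnbits gets permission denied on the admin macaroon, whereas before this change its hex contents were inlined into `.env`. Either add `sudo /usr/sbin/usermod --append --groups lndadmin lnbits` if LNbits genuinely needs admin rights, or remove the admin line from `.env` to keep the least-privilege intent of the two groups chosen here. Fix the filename with `LND_REST_READ_MACAROON=/home/lnbits/.lnd/data/chain/${network}/${chain}net/readonly.macaroon`. The `write-macaroons` branch starts before this hunk.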


@ -51,7 +51,7 @@ fi
connector="" connector=""
host="" host=""
port="" port=""
extraparamter="" extraparameter=""
supportsTOR=0 supportsTOR=0
if [ "${targetWallet}" = "zap-ios" ]; then if [ "${targetWallet}" = "zap-ios" ]; then
@ -59,7 +59,7 @@ if [ "${targetWallet}" = "zap-ios" ]; then
if [ ${forceTOR} -eq 1 ]; then if [ ${forceTOR} -eq 1 ]; then
# when ZAP runs on TOR it uses REST # when ZAP runs on TOR it uses REST
port="8080" port="8080"
extraparamter="--nocert" extraparameter="--nocert"
else else
# normal ZAP uses gRPC ports # normal ZAP uses gRPC ports
port="10009" port="10009"
@ -70,7 +70,7 @@ elif [ "${targetWallet}" = "zap-android" ]; then
if [ ${forceTOR} -eq 1 ]; then if [ ${forceTOR} -eq 1 ]; then
# when ZAP runs on TOR it uses REST # when ZAP runs on TOR it uses REST
port="8080" port="8080"
extraparamter="--nocert" extraparameter="--nocert"
else else
# normal ZAP uses gRPC ports # normal ZAP uses gRPC ports
port="10009" port="10009"
@ -97,7 +97,7 @@ elif [ "${targetWallet}" = "sendmany-android" ]; then
echo "error='no tor support'" echo "error='no tor support'"
exit 1 exit 1
#port="8080" #port="8080"
#extraparamter="--nocert" #extraparameter="--nocert"
fi fi
port="10009" port="10009"
@ -185,7 +185,7 @@ if [ "${connector}" == "lndconnect" ]; then
# write qr code data to an image # write qr code data to an image
cd /home/admin cd /home/admin
lndconnect --host=${host} --port=${port} --image ${extraparamter} lndconnect --host=${host} --port=${port} --image ${extraparameter}
# display qr code image on LCD # display qr code image on LCD
/home/admin/config.scripts/blitz.lcd.sh image /home/admin/lndconnect-qr.png /home/admin/config.scripts/blitz.lcd.sh image /home/admin/lndconnect-qr.png
@ -199,7 +199,7 @@ elif [ "${connector}" == "shango" ]; then
/home/admin/config.scripts/blitz.lcd.sh qr "${datastring}" /home/admin/config.scripts/blitz.lcd.sh qr "${datastring}"
else else
echo "error='unkown connector'" echo "error='unknown connector'"
exit 1 exit 1
fi fi
@ -217,7 +217,7 @@ whiptail --backtitle "Connecting Mobile Wallet" \
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
# backup - show QR code on screen (not LCD) # backup - show QR code on screen (not LCD)
if [ "${connector}" == "lndconnect" ]; then if [ "${connector}" == "lndconnect" ]; then
lndconnect --host=${hostscreen} --port=${port} ${extraparamter} lndconnect --host=${hostscreen} --port=${port} ${extraparameter}
echo "(To shrink QR code: OSX->CMD- / LINUX-> CTRL-) Press ENTER when finished." echo "(To shrink QR code: OSX->CMD- / LINUX-> CTRL-) Press ENTER when finished."
read key read key
elif [ "${connector}" == "shango" ]; then elif [ "${connector}" == "shango" ]; then


@ -78,6 +78,15 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
# create rtl user # create rtl user
sudo adduser --disabled-password --gecos "" rtl sudo adduser --disabled-password --gecos "" rtl
echo "*** make sure rtl is member of lndadmin ***"
sudo /usr/sbin/usermod --append --groups lndadmin rtl
echo "*** make sure symlink to central app-data directory exists ***"
if ! [[ -L "/home/rtl/.lnd" ]]; then
sudo rm -rf "/home/rtl/.lnd" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/rtl/.lnd" # and create symlink
fi
# download source code and set to tag release # download source code and set to tag release
echo "*** Get the RTL Source Code ***" echo "*** Get the RTL Source Code ***"
rm -rf /home/admin/RTL 2>/dev/null rm -rf /home/admin/RTL 2>/dev/null
@ -129,8 +138,8 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
var data = require('/home/rtl/RTL/sample-RTL-Config.json'); var data = require('/home/rtl/RTL/sample-RTL-Config.json');
//Manipulate data //Manipulate data
data.nodes[0].lnNode = '$hostname' data.nodes[0].lnNode = '$hostname'
data.nodes[0].Authentication.macaroonPath = '/home/admin/.lnd/data/chain/${network}/${chain}net/'; data.nodes[0].Authentication.macaroonPath = '/home/rtl/.lnd/data/chain/${network}/${chain}net/';
data.nodes[0].Authentication.configPath = '/mnt/hdd/lnd/lnd.conf'; data.nodes[0].Authentication.configPath = '/home/rtl/.lnd/lnd.conf';
data.multiPass = '$PASSWORD_B'; data.multiPass = '$PASSWORD_B';
data.nodes[0].Settings.userPersona = 'OPERATOR' data.nodes[0].Settings.userPersona = 'OPERATOR'
data.nodes[0].Settings.channelBackupPath = '/home/rtl/RTL-SCB-backup-$hostname' data.nodes[0].Settings.channelBackupPath = '/home/rtl/RTL-SCB-backup-$hostname'
@ -160,7 +169,7 @@ Wants=lnd.service
After=lnd.service After=lnd.service
[Service] [Service]
ExecStart=/usr/bin/node /home/rtl/RTL/rtl --lndir /home/admin/.lnd/data/chain/bitcoin/mainnet ExecStart=/usr/bin/node /home/rtl/RTL/rtl --lndir /home/rtl/.lnd/data/chain/bitcoin/mainnet
User=rtl User=rtl
Restart=always Restart=always
TimeoutSec=120 TimeoutSec=120
@ -174,6 +183,7 @@ EOF
sudo mv /home/admin/RTL.service /etc/systemd/system/RTL.service sudo mv /home/admin/RTL.service /etc/systemd/system/RTL.service
sudo sed -i "s|chain/bitcoin/mainnet|chain/${network}/${chain}net|" /etc/systemd/system/RTL.service sudo sed -i "s|chain/bitcoin/mainnet|chain/${network}/${chain}net|" /etc/systemd/system/RTL.service
sudo chown root:root /etc/systemd/system/RTL.service
sudo systemctl enable RTL sudo systemctl enable RTL
echo "OK - the RTL service is now enabled" echo "OK - the RTL service is now enabled"
fi fi
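Review bot: `data.nodes[0].Authentication.configPath = '/home/rtl/.lnd/lnd.conf'` makes RTL read lnd.conf through the central app-data store, but nothing in this diff shows lnd.conf being copied there or with which permissions. lnd.conf carries the bitcoind `rpcpass` (see the `${network}d.rpcpass=` sed in the removed update-credentials block of lnd.check.sh), so if it is placed under /mnt/hdd/app-data/lnd it must not be readable by lndinvoice/lndreadonly members such as pi and lnbits — `640 admin:lndadmin` like admin.macaroon, or keep the previous `/mnt/hdd/lnd/lnd.conf` path. Please confirm against the sync part of lnd.credentials.sh, which is not in this view. A readability check before enabling the service would also make the dependency explicit, e.g. `sudo -u rtl test -r "/home/rtl/.lnd/data/chain/${network}/${chain}net/admin.macaroon" || echo "WARN: rtl cannot read admin.macaroon - run lnd.credentials.sh sync"`.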


@ -1,20 +1,19 @@
#!/bin/bash #!/bin/bash
if [ $# -eq 0 ]; then # command info
echo "# script to check LND states" if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ] || [ "$1" = "-help" ]; then
echo "# lnd.check.sh basic-setup" echo "# script to check LND states"
echo "# lnd.check.sh update-credentials" echo "# lnd.check.sh basic-setup"
exit 1 exit 1
fi fi
# load raspiblitz conf # load raspiblitz conf
source /home/admin/raspiblitz.info
source /mnt/hdd/raspiblitz.conf source /mnt/hdd/raspiblitz.conf
# check basic LND setup # check basic LND setup
if [ "$1" == "basic-setup" ]; then if [ "$1" == "basic-setup" ]; then
# check TLS exits # check TLS exits
tlsExists=$(sudo ls /mnt/hdd/lnd/tls.cert 2>/dev/null | grep -c 'tls.cert') tlsExists=$(sudo ls /mnt/hdd/lnd/tls.cert 2>/dev/null | grep -c 'tls.cert')
if [ ${tlsExists} -gt 0 ]; then if [ ${tlsExists} -gt 0 ]; then
echo "tls=1" echo "tls=1"
@ -22,7 +21,7 @@ if [ "$1" == "basic-setup" ]; then
echo "tls=0" echo "tls=0"
echo "err='tls.cert is missing in /mnt/hdd/lnd'" echo "err='tls.cert is missing in /mnt/hdd/lnd'"
fi fi
# check TLS exits (on SD card for admin) # check TLS exits (on SD card for admin)
tlsExists=$(sudo ls /home/admin/.lnd/tls.cert 2>/dev/null | grep -c 'tls.cert') tlsExists=$(sudo ls /home/admin/.lnd/tls.cert 2>/dev/null | grep -c 'tls.cert')
if [ ${tlsExists} -gt 0 ]; then if [ ${tlsExists} -gt 0 ]; then
echo "tlsCopy=1" echo "tlsCopy=1"
@ -67,7 +66,7 @@ if [ "$1" == "basic-setup" ]; then
echo "configMismatch=0" echo "configMismatch=0"
echo "err='lnd.conf is missing for user admin'" echo "err='lnd.conf is missing for user admin'"
fi fi
# get network from config (BLOCKCHAIN) # get network from config (BLOCKCHAIN)
lndNetwork="" lndNetwork=""
source <(sudo cat /mnt/hdd/lnd/lnd.conf 2>/dev/null | grep 'bitcoin.active' | sed 's/^[a-z]*\./bitcoin_/g') source <(sudo cat /mnt/hdd/lnd/lnd.conf 2>/dev/null | grep 'bitcoin.active' | sed 's/^[a-z]*\./bitcoin_/g')
@ -175,46 +174,7 @@ if [ "$1" == "basic-setup" ]; then
fi fi
echo "rpcpasscorrect=${rpcpasscorrect}" echo "rpcpasscorrect=${rpcpasscorrect}"
# enforce basic LND credentials for users
elif [ "$1" == "update-credentials" ]; then
echo "# making sure LND blockchain RPC password is set correct in lnd.conf"
source <(sudo cat /mnt/hdd/${network}/${network}.conf 2>/dev/null | grep "rpcpass" | sed 's/^[a-z]*\./lnd/g')
if [ ${#rpcpassword} -gt 0 ]; then
sudo sed -i "s/^${network}d.rpcpass=.*/${network}d.rpcpass=${rpcpassword}/g" /mnt/hdd/lnd/lnd.conf 2>/dev/null
else
echo "# WARN: could not get value 'rpcuser' from blockchain conf"
fi
echo "# make sure admin user LND data dirs exist"
sudo mkdir -p /home/admin/.lnd
sudo mkdir -p /home/admin/.lnd/data
sudo mkdir -p /home/admin/.lnd/data/chain
sudo mkdir -p /home/admin/.lnd/data/chain/${network}
sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net
echo "# updating/cleaning admin user LND data"
sudo rm -R /home/admin/.lnd 2>/dev/null
sudo mkdir -p /home/admin/.lnd/data/chain/${network}/${chain}net 2>/dev/null
sudo cp /mnt/hdd/lnd/lnd.conf /home/admin/.lnd/lnd.conf
sudo cp /mnt/hdd/lnd/tls.cert /home/admin/.lnd/tls.cert
sudo sh -c "cat /mnt/hdd/lnd/data/chain/${network}/${chain}net/admin.macaroon > /home/admin/.lnd/data/chain/${network}/${chain}net/admin.macaroon"
sudo chown admin:admin -R /home/admin/.lnd
echo "# updating/cleaning pi user LND data (just read & invoice)"
sudo rm -R /home/pi/.lnd 2>/dev/null
sudo mkdir -p /home/pi/.lnd/data/chain/${network}/${chain}net/
sudo cp /mnt/hdd/lnd/tls.cert /home/pi/.lnd/tls.cert
sudo sh -c "cat /mnt/hdd/lnd/data/chain/${network}/${chain}net/readonly.macaroon > /home/pi/.lnd/data/chain/${network}/${chain}net/readonly.macaroon"
sudo sh -c "cat /mnt/hdd/lnd/data/chain/${network}/${chain}net/invoice.macaroon > /home/pi/.lnd/data/chain/${network}/${chain}net/invoice.macaroon"
sudo chown pi:pi -R /home/pi/.lnd
if [ "${LNBits}" = "on" ]; then
echo "# updating macaroons for LNBits fresh on start"
sudo -u admin /home/admin/config.scripts/bonus.lnbits.sh write-macaroons
sudo chown admin:admin -R /mnt/hdd/app-data/LNBits
fi
else else
echo "# FAIL: parameter not known" echo "# FAIL: parameter not known - run with -h for help"
fi exit 1
fi
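Review bot: Removing the `update-credentials` branch also removes the lnd.conf `rpcpass` correction (`sudo sed -i "s/^${network}d.rpcpass=.*/${network}d.rpcpass=${rpcpassword}/g" /mnt/hdd/lnd/lnd.conf`) and the per-user copies of tls.cert and lnd.conf into `/home/admin/.lnd`, yet the unchanged `basic-setup` branch still reports `tlsCopy` from `/home/admin/.lnd/tls.cert` and errors with `lnd.conf is missing for user admin`. Unless `lnd.credentials.sh sync` (whose implementation is not in this view) recreates those admin-side files and repairs the rpcpass, these checks will start failing or bitcoind/LND password drift will go unfixed; please confirm, and if sync does not handle the rpcpass, keep that step here or move it into the sync path. Minor: the help text exits with `1`; `exit 0` is conventional when `-h` was explicitly requested. The `basic-setup` branch continues outside the hunks shown.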


@ -0,0 +1,141 @@
#!/bin/bash
# command info
if [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
echo "tool to reset or sync credentials (e.g. macaroons)"
echo "lnd.credentials.sh [reset|sync]"
exit 1
fi
# interactive choose type of action
if [ "$1" = "" ] || [ $# -eq 0 ]; then
OPTIONS=()
OPTIONS+=(RESET "Recreate Macaroons + TLS")
OPTIONS+=(SYNC "Sync central store with LND")
OPTIONS+=(EXPORT "Macaroons and TLS.cert")
CHOICE=$(dialog --clear \
--backtitle "RaspiBlitz" \
--title "Manage LND credentials" \
--menu "Choose action" \
11 50 7 \
"${OPTIONS[@]}" \
2>&1 >/dev/tty)
clear
case $CHOICE in
RESET)
sudo /home/admin/config.scripts/lnd.credentials.sh reset
echo "Press ENTER to return to main menu."
read key
exit 0
;;
SYNC)
sudo /home/admin/config.scripts/lnd.credentials.sh sync
echo "Press ENTER to return to main menu."
read key
exit 0
;;
EXPORT)
sudo /home/admin/config.scripts/lnd.export.sh
exit 0
;;
esac
fi
# load data from config
source /mnt/hdd/raspiblitz.conf
###########################
# FUNCTIONS
###########################
function copy_mac_set_perms() {
local file_name=${1} # the file name (e.g. admin.macaroon)
local group_name=${2} # the unix group name (e.g. lndadmin)
local n=${3:-bitcoin} # the network (e.g. bitcoin or litecoin) defaults to bitcoin
local c=${4:-main} # the chain (e.g. main, test, sim, reg) defaults to main (for mainnet)
sudo /bin/cp /mnt/hdd/lnd/data/chain/"${n}"/"${c}"net/"${file_name}" /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${file_name}"
sudo /bin/chown --silent admin:"${group_name}" /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${file_name}"
sudo /bin/chmod --silent 640 /mnt/hdd/app-data/lnd/data/chain/"${n}"/"${c}"net/"${file_name}"
}
###########################
# RESET Macaroons and TLS
###########################
if [ "$1" = "reset" ]; then
clear
echo "###### RESET MACAROONS AND TLS.cert ######"
echo ""
echo "All your macaroons and the tls.cert get deleted and recreated."
echo "Use this to invalidate former EXPORTS for example if you loose a device."
echo ""
cd || exit
echo "- deleting old macaroons"
sudo find /mnt/hdd/app-data/lnd/data/chain/"${network}"/"${chain}"net/ -iname '*.macaroon' -delete
sudo find /home/bitcoin/.lnd/data/chain/"${network}"/"${chain}"net/ -iname '*.macaroon' -delete
sudo rm /home/bitcoin/.lnd/data/chain/"${network}"/"${chain}"net/macaroons.db
echo "- resetting TLS cert"
sudo /home/admin/config.scripts/lnd.newtlscert.sh
echo "- restarting LND ... wait 10 secs"
sudo systemctl start lnd
sleep 10
sudo -u bitcoin lncli --chain="${network}" --network="${chain}"net unlock
echo "- creating new macaroons ... wait 10 secs"
sleep 10
echo "- copy new macaroons to central app-data directory and ensure unix ownerships and permissions"
copy_mac_set_perms admin.macaroon lndadmin "${network}" "${chain}"
copy_mac_set_perms invoice.macaroon lndinvoice "${network}" "${chain}"
copy_mac_set_perms readonly.macaroon lndreadonly "${network}" "${chain}"
echo "OK DONE"
###########################
# SYNC
###########################
elif [ "$1" = "sync" ]; then
echo "###### SYNCING MACAROONS, RPC Password AND TLS Certificate ######"
echo "# make sure LND app-data directories exist"
sudo /bin/mkdir --mode 0755 --parents /mnt/hdd/app-data/lnd/data/chain/"${network}"/"${chain}"net/
echo "# copy macaroons to central app-data directory and ensure unix ownerships and permissions"
copy_mac_set_perms admin.macaroon lndadmin "${network}" "${chain}"
copy_mac_set_perms invoice.macaroon lndinvoice "${network}" "${chain}"
copy_mac_set_perms readonly.macaroon lndreadonly "${network}" "${chain}"
echo "# make sure admin has a symlink at ~/.lnd to /mnt/hdd/app-data/lnd/"
if ! [[ -L "/home/admin/.lnd" ]]; then
sudo rm -rf "/home/admin/.lnd" # not a symlink.. delete it silently
ln -s /mnt/hdd/app-data/lnd/ /home/admin/.lnd # and create symlink
fi
echo "# make sure network (bitcoin/litecoin) RPC password is set correctly in lnd.conf"
source <(sudo cat /mnt/hdd/"${network}"/"${network}".conf 2>/dev/null | grep "rpcpass" | sed 's/^[a-z]*\./lnd/g')
if [ "${#rpcpassword}" -gt 0 ]; then
sudo sed -i 's/^"${network}"d.rpcpass=.*/"${network}"d.rpcpass="${rpcpassword}"/g' /mnt/hdd/lnd/lnd.conf 2>/dev/null
else
echo "# WARN: could not get value 'rpcpass' from network config (e.g. bitcoin.conf)"
fi
echo "# make sure LND conf is readable and symlinked"
sudo chmod 644 "/mnt/hdd/lnd/lnd.conf"
sudo chown bitcoin:bitcoin "/mnt/hdd/lnd/lnd.conf"
if ! [[ -L "/mnt/hdd/app-data/lnd/lnd.conf" ]]; then
sudo rm -rf "/mnt/hdd/app-data/lnd/lnd.conf" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/lnd/lnd.conf" "/mnt/hdd/app-data/lnd/lnd.conf" # and create symlink
fi
echo "# make sure TLS certificate is readable and symlinked"
sudo chmod 644 "/mnt/hdd/lnd/tls.cert"
sudo chown bitcoin:bitcoin "/mnt/hdd/lnd/tls.cert"
if ! [[ -L "/mnt/hdd/app-data/lnd/tls.cert" ]]; then
sudo rm -rf "/mnt/hdd/app-data/lnd/tls.cert" # not a symlink.. delete it silently
sudo ln -s "/mnt/hdd/lnd/tls.cert" "/mnt/hdd/app-data/lnd/tls.cert" # and create symlink
fi
###########################
# UNKNOWN
###########################
else
echo "# FAIL: parameter not known - run with -h for help"
exit 1
fi
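Review bot: The RPC-password sync line `sudo sed -i 's/^"${network}"d.rpcpass=.*/"${network}"d.rpcpass="${rpcpassword}"/g' /mnt/hdd/lnd/lnd.conf` is wrapped in single quotes, so neither `${network}` nor `${rpcpassword}` is expanded and the pattern can never match a real `bitcoind.rpcpass=` line (the older copy of this step in the other script used double quotes and did work); a form that also tolerates `/` in the password is `sudo sed -i "s|^${network}d.rpcpass=.*|${network}d.rpcpass=${rpcpassword}|g" /mnt/hdd/lnd/lnd.conf`, though `&`, `|` or `\` in the password would still need escaping. Directly after that write, `sudo chmod 644 "/mnt/hdd/lnd/lnd.conf"` makes a file that carries the bitcoind RPC password readable by every local account, and the symlink placed in the app-data store exposes it there as well; since this PR creates the `lndadmin` group, `sudo chown bitcoin:lndadmin /mnt/hdd/lnd/lnd.conf` with `sudo chmod 640` would limit it to lnd and the admin group (this assumes admin is added to lndadmin, which the diff does not show). The reset branch also no longer refreshes the BTCPayServer and LNBits copies (`bonus.btcpayserver.sh write-tls-macaroon`, `bonus.lnbits.sh write-macaroons`) that the removed reset in lnd.export.sh performed, so those apps would keep macaroons the reset just invalidated unless they are re-synced elsewhere. A comment above the reset branch noting that `systemctl start lnd` is a no-op when lnd is already running, and that the old macaroons stay valid until the daemon is actually restarted, would also help the next maintainer.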


@ -3,7 +3,7 @@
# command info # command info
if [ "$1" = "-h" ] || [ "$1" = "-help" ]; then if [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
echo "tool to export macaroons & tls.cert" echo "tool to export macaroons & tls.cert"
echo "lnd.export.sh [hexstring|scp|http|reset]" echo "lnd.export.sh [hexstring|scp|http]"
exit 1 exit 1
fi fi
@ -16,7 +16,6 @@ if [ "$1" = "" ] || [ $# -eq 0 ]; then
OPTIONS+=(HEX "Hex-String (Copy+Paste)") OPTIONS+=(HEX "Hex-String (Copy+Paste)")
OPTIONS+=(SCP "SSH Download (Commands)") OPTIONS+=(SCP "SSH Download (Commands)")
OPTIONS+=(HTTP "Browserdownload (bit risky)") OPTIONS+=(HTTP "Browserdownload (bit risky)")
OPTIONS+=(RESET "RENEW MACAROONS & TLS")
CHOICE=$(dialog --clear \ CHOICE=$(dialog --clear \
--backtitle "RaspiBlitz" \ --backtitle "RaspiBlitz" \
--title "Export Macaroons & TLS.cert" \ --title "Export Macaroons & TLS.cert" \
@ -35,9 +34,6 @@ if [ "$1" = "" ] || [ $# -eq 0 ]; then
HTTP) HTTP)
exportType='http'; exportType='http';
;; ;;
RESET)
exportType='reset';
;;
esac esac
fi fi
@ -131,45 +127,8 @@ elif [ "${exportType}" = "http" ]; then
sudo rm -r ${randomFolderName} sudo rm -r ${randomFolderName}
echo "OK - temp HTTP server is stopped." echo "OK - temp HTTP server is stopped."
###########################
# RESET Macaroons and TLS
###########################
elif [ "${exportType}" = "reset" ]; then
clear
echo "###### RESET MACAROONS AND TLS.cert ######"
echo ""
echo "All your macaroons and the tls.cert get deleted and recreated."
echo "Use this to invalidate former EXPORTS for example if you loose a device."
echo ""
cd
echo "- deleting old macaroons"
sudo rm /home/admin/.lnd/data/chain/${network}/${chain}net/*.macaroon
sudo rm /home/bitcoin/.lnd/data/chain/${network}/${chain}net/*.macaroon
sudo rm /home/bitcoin/.lnd/data/chain/${network}/${chain}net/macaroons.db
echo "- resetting TLS cert"
sudo /home/admin/config.scripts/lnd.newtlscert.sh
echo "- restarting LND ... wait 10 secs"
sudo systemctl start lnd
sleep 10
sudo -u bitcoin lncli --chain=${network} --network=${chain}net unlock
echo "- creating new macaroons ... wait 10 secs"
sleep 10
echo "- copy new macaroons to admin user"
sudo cp /home/bitcoin/.lnd/data/chain/${network}/${chain}net/*.macaroon /home/admin/.lnd/data/chain/${network}/${chain}net/
sudo chown admin:admin -R /home/admin/.lnd/data/chain/${network}/${chain}net/*.macaroon
# BTCPayServer
if [ "${BTCPayServer}" == "on" ]; then
/home/admin/config.scripts/bonus.btcpayserver.sh write-tls-macaroon
fi
# LNBits
if [ "${LNBits}" = "on" ]; then
sudo -u admin /home/admin/config.scripts/bonus.lnbits.sh write-macaroons
fi
echo "OK DONE"
else else
echo "FAIL: unknown '${exportType}' -run-> ./lnd.export.sh -h" echo "FAIL: unknown '${exportType}' - run with -h for help"
fi fi
if [ "$1" = "" ] || [ $# -eq 0 ]; then if [ "$1" = "" ] || [ $# -eq 0 ]; then


@ -1,4 +1,3 @@
#!/bin/bash #!/bin/bash
# stop services # stop services
@ -27,7 +26,14 @@ do
done done
sudo killall /usr/local/bin/lnd sudo killall /usr/local/bin/lnd
sudo chmod 664 /mnt/hdd/lnd/tls.cert sudo chmod 664 /mnt/hdd/lnd/tls.cert
echo "copy new cert to admin user" sudo chown bitcoin:bitcoin "/mnt/hdd/lnd/tls.cert"
sudo cp /mnt/hdd/lnd/tls.cert /home/admin/.lnd echo "symlink new cert to lnd app-data directory"
sudo chown admin:admin -R /home/admin/.lnd/*.cert if ! [[ -L "/mnt/hdd/app-data/lnd/tls.cert" ]]; then
echo "OK TLS certs are fresh" sudo rm -rf "/mnt/hdd/app-data/lnd/tls.cert" # not a symlink.. delete it silently
sudo ln -s /mnt/hdd/lnd/tls.cert /home/admin/.lnd/tls.cert # and create symlink
fi
echo "OK TLS certs are fresh"
# ToDo(frennkie) why doesn't this start lnd again? - I assume as _background will start it anyway?!
# ToDo(frennkie) the way LND generates the x509 certificate is not ideal -
# it may be better to simply run openssl and create a cert with our settings...