lnd: fix missing RPC permissions when bitcoind is pruned

This commit is contained in:
Erik Arvstedt 2022-10-25 22:35:31 +02:00
parent 49303be2e0
commit 67949a002a
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
3 changed files with 33 additions and 4 deletions


@ -174,7 +174,7 @@ let
${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}
bitcoind.rpcuser=${bitcoind.rpc.users.public.name}
bitcoind.rpcuser=${bitcoind.rpc.users.${rpcUser}.name}
bitcoind.zmqpubrawblock=${bitcoind.zmqpubrawblock}
bitcoind.zmqpubrawtx=${bitcoind.zmqpubrawtx}
@ -182,11 +182,16 @@ let
${cfg.extraConfig}
'';
isPruned = bitcoind.prune > 0;
# When bitcoind pruning is enabled, lnd requires non-public RPC commands `getpeerinfo`, `getnodeaddresses`
# to fetch missing blocks from peers (implemented in btcsuite/btcwallet/chain/pruned_block_dispatcher.go)
rpcUser = if isPruned then "lnd" else "public";
in {
inherit options;
config = mkIf cfg.enable {
config = mkIf cfg.enable (mkMerge [ {
assertions = [
{ assertion =
!(config.services ? clightning)
@ -226,7 +231,7 @@ in {
preStart = ''
install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
{
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)"
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-${rpcUser})"
${optionalString (cfg.getPublicAddressCmd != "") ''
echo "externalip=$(${cfg.getPublicAddressCmd})"
''}
@ -304,5 +309,22 @@ in {
makePasswordSecret lnd-wallet-password
makeCert lnd '${nbLib.mkCertExtraAltNames cfg.certificate}'
'';
}
(mkIf isPruned {
services.bitcoind.rpc.users.lnd = {
passwordHMACFromFile = true;
rpcwhitelist = bitcoind.rpc.users.public.rpcwhitelist ++ [
"getpeerinfo"
"getnodeaddresses"
];
};
nix-bitcoin.secrets = {
bitcoin-rpcpassword-lnd.user = cfg.user;
bitcoin-HMAC-lnd.user = bitcoind.user;
};
nix-bitcoin.generateSecretsCmds.lndBitcoinRPC = ''
makeBitcoinRPCPassword lnd
'';
}) ]);
}
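Review bot: The `rpcwhitelist` for the new `services.bitcoind.rpc.users.lnd` user in the last hunk extends `public`'s list with `getpeerinfo` and `getnodeaddresses` but does not record why these are granted to a dedicated user instead of being added to `public`: both RPCs disclose peer and address-manager network addresses, so keeping them off the shared `public` credential is a deliberate privilege boundary that the earlier comment above `rpcUser` (which only explains the functional need) does not capture. I would add above `rpcwhitelist = bitcoind.rpc.users.public.rpcwhitelist ++ [`: `# getpeerinfo/getnodeaddresses reveal peer network addresses; grant them to a dedicated lnd-only user rather than widening 'public'`. Because the list is derived from `public.rpcwhitelist`, any future widening of `public` automatically reaches lnd as well; a second comment line making that coupling explicit would help whoever next edits `public`. The `mkMerge` list this hunk closes with `}) ]);` is opened in the earlier hunk at `config = mkIf cfg.enable (mkMerge [ {`, so the two hunks must be read together.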


@ -312,6 +312,7 @@ buildable() {
scenario=regtest buildTest "$@"
scenario=hardened buildTest "$@"
scenario=clightningReplication buildTest "$@"
scenario=lndPruned buildTest "$@"
}
examples() {


@ -318,6 +318,12 @@ let
services.btcpayserver.lbtc = mkForce false;
};
# Test the special bitcoin RPC setup that lnd uses when bitcoin is pruned
lndPruned = {
services.lnd.enable = true;
services.bitcoind.prune = 1000;
};
## Examples / debug helper
# Run a selection of tests in scenario 'netns'