Merge fort-nix/nix-bitcoin#563: lnd: fix missing RPC permissions when bitcoind is pruned
67949a002a
lnd: fix missing RPC permissions when bitcoind is pruned (Erik Arvstedt)49303be2e0
test/shellcheck-services: fix error by excluding unavailable services (Erik Arvstedt)46f17fe313
test/shellcheck-services: simplify accessing service definitions (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACK67949a002a
Tree-SHA512: 28652d8ec67a164aef068f3df32d1ae8df4e0920cafedc6e3d568b631333b29e57f7370e54a82e7cde9710a3df0a1494ed94272af101d31dd7859a08bb363e4b
This commit is contained in:
commit
7c16fc5865
@ -174,7 +174,7 @@ let
|
|||||||
${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
|
${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}
|
||||||
|
|
||||||
bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}
|
bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}
|
||||||
bitcoind.rpcuser=${bitcoind.rpc.users.public.name}
|
bitcoind.rpcuser=${bitcoind.rpc.users.${rpcUser}.name}
|
||||||
bitcoind.zmqpubrawblock=${bitcoind.zmqpubrawblock}
|
bitcoind.zmqpubrawblock=${bitcoind.zmqpubrawblock}
|
||||||
bitcoind.zmqpubrawtx=${bitcoind.zmqpubrawtx}
|
bitcoind.zmqpubrawtx=${bitcoind.zmqpubrawtx}
|
||||||
|
|
||||||
@ -182,11 +182,16 @@ let
|
|||||||
|
|
||||||
${cfg.extraConfig}
|
${cfg.extraConfig}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
isPruned = bitcoind.prune > 0;
|
||||||
|
# When bitcoind pruning is enabled, lnd requires non-public RPC commands `getpeerinfo`, `getnodeaddresses`
|
||||||
|
# to fetch missing blocks from peers (implemented in btcsuite/btcwallet/chain/pruned_block_dispatcher.go)
|
||||||
|
rpcUser = if isPruned then "lnd" else "public";
|
||||||
in {
|
in {
|
||||||
|
|
||||||
inherit options;
|
inherit options;
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable (mkMerge [ {
|
||||||
assertions = [
|
assertions = [
|
||||||
{ assertion =
|
{ assertion =
|
||||||
!(config.services ? clightning)
|
!(config.services ? clightning)
|
||||||
@ -226,7 +231,7 @@ in {
|
|||||||
preStart = ''
|
preStart = ''
|
||||||
install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
|
install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
|
||||||
{
|
{
|
||||||
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)"
|
echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-${rpcUser})"
|
||||||
${optionalString (cfg.getPublicAddressCmd != "") ''
|
${optionalString (cfg.getPublicAddressCmd != "") ''
|
||||||
echo "externalip=$(${cfg.getPublicAddressCmd})"
|
echo "externalip=$(${cfg.getPublicAddressCmd})"
|
||||||
''}
|
''}
|
||||||
@ -304,5 +309,22 @@ in {
|
|||||||
makePasswordSecret lnd-wallet-password
|
makePasswordSecret lnd-wallet-password
|
||||||
makeCert lnd '${nbLib.mkCertExtraAltNames cfg.certificate}'
|
makeCert lnd '${nbLib.mkCertExtraAltNames cfg.certificate}'
|
||||||
'';
|
'';
|
||||||
|
}
|
||||||
|
|
||||||
|
(mkIf isPruned {
|
||||||
|
services.bitcoind.rpc.users.lnd = {
|
||||||
|
passwordHMACFromFile = true;
|
||||||
|
rpcwhitelist = bitcoind.rpc.users.public.rpcwhitelist ++ [
|
||||||
|
"getpeerinfo"
|
||||||
|
"getnodeaddresses"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
nix-bitcoin.secrets = {
|
||||||
|
bitcoin-rpcpassword-lnd.user = cfg.user;
|
||||||
|
bitcoin-HMAC-lnd.user = bitcoind.user;
|
||||||
|
};
|
||||||
|
nix-bitcoin.generateSecretsCmds.lndBitcoinRPC = ''
|
||||||
|
makeBitcoinRPCPassword lnd
|
||||||
|
'';
|
||||||
|
}) ]);
|
||||||
}
|
}
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
{ config, pkgs, lib, extendModules, ... }:
|
{ config, pkgs, lib, extendModules, ... }@args:
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
options = {
|
options = {
|
||||||
@ -12,68 +12,38 @@ let
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# TODO-EXTERNAL:
|
|
||||||
# This can be removed when https://github.com/NixOS/nixpkgs/pull/189836 is merged.
|
|
||||||
#
|
|
||||||
# A list of all systemd service definitions and their locations, with format
|
|
||||||
# [
|
|
||||||
# {
|
|
||||||
# file = ...;
|
|
||||||
# value = { postgresql = ...; };
|
|
||||||
# }
|
|
||||||
# ...
|
|
||||||
# ]
|
|
||||||
systemdServiceDefs =
|
|
||||||
(extendModules {
|
|
||||||
modules = [
|
|
||||||
{
|
|
||||||
# Currently, NixOS modules only allow accessing option definition locations
|
|
||||||
# via type.merge.
|
|
||||||
# Override option `systemd.services` and use it to return the list of service defs.
|
|
||||||
options.systemd.services = lib.mkOption {
|
|
||||||
type = lib.types.anything // {
|
|
||||||
merge = loc: defs: defs;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Disable all modules that define options.systemd.services so that these
|
|
||||||
# defs don't collide with our definition
|
|
||||||
disabledModules = [
|
|
||||||
"system/boot/systemd.nix"
|
|
||||||
# These files amend option systemd.services
|
|
||||||
"testing/service-runner.nix"
|
|
||||||
"security/systemd-confinement.nix"
|
|
||||||
];
|
|
||||||
|
|
||||||
config._module.check = false;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}).config.systemd.services;
|
|
||||||
|
|
||||||
# A list of all service names that are defined by nix-bitcoin.
|
# A list of all service names that are defined by nix-bitcoin.
|
||||||
# [ "bitcoind", "clightning", ... ]
|
# [ "bitcoind", "clightning", ... ]
|
||||||
#
|
#
|
||||||
# Algorithm: Parse `systemdServiceDefs` and return all services that
|
# Algorithm: Parse defintions of `systemd.services` and return all services
|
||||||
# only have definitions located in the nix-bitcoin source.
|
# that only have definitions located in the nix-bitcoin source.
|
||||||
nix-bitcoin-services = let
|
nix-bitcoin-services = let
|
||||||
|
systemdServices = args.options.systemd.services;
|
||||||
|
configSystemdServices = args.config.systemd.services;
|
||||||
nix-bitcoin-source = toString ../..;
|
nix-bitcoin-source = toString ../..;
|
||||||
nbServices = collectServices true;
|
nbServices = collectServices true;
|
||||||
nonNbServices = collectServices false;
|
nonNbServices = collectServices false;
|
||||||
# Return set of services ({ service1 = true; service2 = true; ... })
|
# Return set of services ({ service1 = true; service2 = true; ... })
|
||||||
# which are either defined or not defined by nix-bitcoin, depending
|
# which are either defined or not defined by nix-bitcoin, depending
|
||||||
# on `fromNixBitcoin`.
|
# on `fromNixBitcoin`.
|
||||||
collectServices = fromNixBitcoin: lib.listToAttrs (builtins.concatLists (map (def:
|
collectServices = fromNixBitcoin: lib.listToAttrs (builtins.concatLists (zipListsWith (services: file:
|
||||||
let
|
let
|
||||||
isNbSource = lib.hasPrefix nix-bitcoin-source def.file;
|
isNbSource = lib.hasPrefix nix-bitcoin-source file;
|
||||||
in
|
in
|
||||||
# Nix has nor boolean XOR, so use `if`
|
# Nix has no boolean XOR, so use `if`
|
||||||
lib.optionals (if fromNixBitcoin then isNbSource else !isNbSource) (
|
lib.optionals (if fromNixBitcoin then isNbSource else !isNbSource) (
|
||||||
(map (service: { name = service; value = true; }) (builtins.attrNames def.value))
|
(map (service: { name = service; value = true; }) (builtins.attrNames services))
|
||||||
)
|
)
|
||||||
) systemdServiceDefs));
|
# TODO-EXTERNAL:
|
||||||
|
# Use `systemdServices.definitionsWithLocations` when https://github.com/NixOS/nixpkgs/pull/189836
|
||||||
|
# is included in nixpkgs stable.
|
||||||
|
) systemdServices.definitions systemdServices.files));
|
||||||
in
|
in
|
||||||
# Set difference: nbServices - nonNbServices
|
# Calculate set difference: nbServices - nonNbServices
|
||||||
builtins.filter (nbService: ! nonNbServices ? ${nbService}) (builtins.attrNames nbServices);
|
# and exclude unavailable services (defined via `mkIf false ...`) by checking `configSystemdServices`.
|
||||||
|
builtins.filter (nbService:
|
||||||
|
configSystemdServices ? ${nbService} && (! nonNbServices ? ${nbService})
|
||||||
|
) (builtins.attrNames nbServices);
|
||||||
|
|
||||||
# The concatenated list of values of ExecStart, ExecStop, ... (`scriptAttrs`) of all `nix-bitcoin-services`.
|
# The concatenated list of values of ExecStart, ExecStop, ... (`scriptAttrs`) of all `nix-bitcoin-services`.
|
||||||
serviceCmds = let
|
serviceCmds = let
|
||||||
|
@ -306,6 +306,7 @@ buildable() {
|
|||||||
scenario=regtest buildTest "$@"
|
scenario=regtest buildTest "$@"
|
||||||
scenario=hardened buildTest "$@"
|
scenario=hardened buildTest "$@"
|
||||||
scenario=clightningReplication buildTest "$@"
|
scenario=clightningReplication buildTest "$@"
|
||||||
|
scenario=lndPruned buildTest "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
examples() {
|
examples() {
|
||||||
|
@ -318,6 +318,12 @@ let
|
|||||||
services.btcpayserver.lbtc = mkForce false;
|
services.btcpayserver.lbtc = mkForce false;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Test the special bitcoin RPC setup that lnd uses when bitcoin is pruned
|
||||||
|
lndPruned = {
|
||||||
|
services.lnd.enable = true;
|
||||||
|
services.bitcoind.prune = 1000;
|
||||||
|
};
|
||||||
|
|
||||||
## Examples / debug helper
|
## Examples / debug helper
|
||||||
|
|
||||||
# Run a selection of tests in scenario 'netns'
|
# Run a selection of tests in scenario 'netns'
|
||||||
|
Loading…
Reference in New Issue
Block a user