lnd: fix missing RPC permissions when bitcoind is pruned

2022-10-25 22:35:31 +02:00 · 2022-10-25 22:35:31 +02:00 · b3c134c01d
commit b3c134c01d
parent 29d1a6b8a8
3 changed files with 33 additions and 4 deletions
--- a/modules/lnd.nix
+++ b/modules/lnd.nix
@ -174,7 +174,7 @@ let
    ${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"}

    bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port}
-    bitcoind.rpcuser=${bitcoind.rpc.users.public.name}
+    bitcoind.rpcuser=${bitcoind.rpc.users.${rpcUser}.name}
    bitcoind.zmqpubrawblock=${bitcoind.zmqpubrawblock}
    bitcoind.zmqpubrawtx=${bitcoind.zmqpubrawtx}

@ -182,11 +182,16 @@ let

    ${cfg.extraConfig}
  '';
+
+  isPruned = bitcoind.prune > 0;
+  # When bitcoind pruning is enabled, lnd requires non-public RPC commands `getpeerinfo`, `getnodeaddresses`
+  # to fetch missing blocks from peers (implemented in btcsuite/btcwallet/chain/pruned_block_dispatcher.go)
+  rpcUser = if isPruned then "lnd" else "public";
 in {

  inherit options;

-  config = mkIf cfg.enable {
+  config = mkIf cfg.enable (mkMerge [ {
    assertions = [
      { assertion =
          !(config.services ? clightning)
@ -226,7 +231,7 @@ in {
      preStart = ''
        install -m600 ${configFile} '${cfg.dataDir}/lnd.conf'
        {
-          echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)"
+          echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-${rpcUser})"
          ${optionalString (cfg.getPublicAddressCmd != "") ''
            echo "externalip=$(${cfg.getPublicAddressCmd})"
          ''}
@ -304,5 +309,22 @@ in {
      makePasswordSecret lnd-wallet-password
      makeCert lnd '${nbLib.mkCertExtraAltNames cfg.certificate}'
    '';
-  };
+  }
+
+  (mkIf isPruned {
+    services.bitcoind.rpc.users.lnd = {
+      passwordHMACFromFile = true;
+      rpcwhitelist = bitcoind.rpc.users.public.rpcwhitelist ++ [
+        "getpeerinfo"
+        "getnodeaddresses"
+      ];
+    };
+    nix-bitcoin.secrets = {
+      bitcoin-rpcpassword-lnd.user = cfg.user;
+      bitcoin-HMAC-lnd.user = bitcoind.user;
+    };
+    nix-bitcoin.generateSecretsCmds.lndBitcoinRPC = ''
+      makeBitcoinRPCPassword lnd
+    '';
+  }) ]);
 }
--- a/test/run-tests.sh
+++ b/test/run-tests.sh
@ -306,6 +306,7 @@ buildable() {
    scenario=regtest buildTest "$@"
    scenario=hardened buildTest "$@"
    scenario=clightningReplication buildTest "$@"
+    scenario=lndPruned buildTest "$@"
 }

 examples() {
--- a/test/tests.nix
+++ b/test/tests.nix
@ -318,6 +318,12 @@ let
      services.btcpayserver.lbtc = mkForce false;
    };

+    # Test the special bitcoin RPC setup that lnd uses when bitcoin is pruned
+    lndPruned = {
+      services.lnd.enable = true;
+      services.bitcoind.prune = 1000;
+    };
+
    ## Examples / debug helper

    # Run a selection of tests in scenario 'netns'