From b3c134c01d430a25fb83429afa8a7bb1a09c477c Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Tue, 25 Oct 2022 22:35:31 +0200 Subject: [PATCH] lnd: fix missing RPC permissions when bitcoind is pruned --- modules/lnd.nix | 30 ++++++++++++++++++++++++++---- test/run-tests.sh | 1 + test/tests.nix | 6 ++++++ 3 files changed, 33 insertions(+), 4 deletions(-) diff --git a/modules/lnd.nix b/modules/lnd.nix index 7d99641..3fd59f2 100644 --- a/modules/lnd.nix +++ b/modules/lnd.nix @@ -174,7 +174,7 @@ let ${optionalString (cfg.tor-socks != null) "tor.socks=${cfg.tor-socks}"} bitcoind.rpchost=${bitcoindRpcAddress}:${toString bitcoind.rpc.port} - bitcoind.rpcuser=${bitcoind.rpc.users.public.name} + bitcoind.rpcuser=${bitcoind.rpc.users.${rpcUser}.name} bitcoind.zmqpubrawblock=${bitcoind.zmqpubrawblock} bitcoind.zmqpubrawtx=${bitcoind.zmqpubrawtx} @@ -182,11 +182,16 @@ let ${cfg.extraConfig} ''; + + isPruned = bitcoind.prune > 0; + # When bitcoind pruning is enabled, lnd requires non-public RPC commands `getpeerinfo`, `getnodeaddresses` + # to fetch missing blocks from peers (implemented in btcsuite/btcwallet/chain/pruned_block_dispatcher.go) + rpcUser = if isPruned then "lnd" else "public"; in { inherit options; - config = mkIf cfg.enable { + config = mkIf cfg.enable (mkMerge [ { assertions = [ { assertion = !(config.services ? clightning) @@ -226,7 +231,7 @@ in { preStart = '' install -m600 ${configFile} '${cfg.dataDir}/lnd.conf' { - echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-public)" + echo "bitcoind.rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-${rpcUser})" ${optionalString (cfg.getPublicAddressCmd != "") '' echo "externalip=$(${cfg.getPublicAddressCmd})" ''} 
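Review bot: A missing or unreadable `bitcoin-rpcpassword-${rpcUser}` file goes undetected on the new `echo "bitcoind.rpcpass=$(cat …)"` line in `preStart`, because the exit status of `echo` hides a failing `cat`. lnd would then start with an empty `bitcoind.rpcpass=` and fail later with a less obvious authentication error. This matters more now that the path depends on `rpcUser` and on a secret that exists only in the pruned case. Reading the secret first lets the failure surface, assuming the script runs under errexit, which is not visible here: `rpcpass=$(cat ${secretsDir}/bitcoin-rpcpassword-${rpcUser})` followed by `echo "bitcoind.rpcpass=$rpcpass"`. The pattern predates this commit, and the `preStart` block continues outside the hunk.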
@@ -304,5 +309,22 @@ in { makePasswordSecret lnd-wallet-password makeCert lnd '${nbLib.mkCertExtraAltNames cfg.certificate}' ''; - }; + } + + (mkIf isPruned { + services.bitcoind.rpc.users.lnd = { + passwordHMACFromFile = true; + rpcwhitelist = bitcoind.rpc.users.public.rpcwhitelist ++ [ + "getpeerinfo" + "getnodeaddresses" + ]; + }; + nix-bitcoin.secrets = { + bitcoin-rpcpassword-lnd.user = cfg.user; + bitcoin-HMAC-lnd.user = bitcoind.user; + }; + nix-bitcoin.generateSecretsCmds.lndBitcoinRPC = '' + makeBitcoinRPCPassword lnd + ''; + }) ]); } diff --git a/test/run-tests.sh b/test/run-tests.sh index f33792d..0fa227e 100755 --- a/test/run-tests.sh +++ b/test/run-tests.sh @@ -306,6 +306,7 @@ buildable() { scenario=regtest buildTest "$@" scenario=hardened buildTest "$@" scenario=clightningReplication buildTest "$@" + scenario=lndPruned buildTest "$@" } examples() { diff --git a/test/tests.nix b/test/tests.nix index 7df63f0..cd30357 100644 --- a/test/tests.nix +++ b/test/tests.nix @@ -318,6 +318,12 @@ let services.btcpayserver.lbtc = mkForce false; }; + # Test the special bitcoin RPC setup that lnd uses when bitcoin is pruned + lndPruned = { + services.lnd.enable = true; + services.bitcoind.prune = 1000; + }; + ## Examples / debug helper # Run a selection of tests in scenario 'netns'
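Review bot: The `lnd` RPC user's `rpcwhitelist` in the `mkIf isPruned` block is built by reference from `bitcoind.rpc.users.public.rpcwhitelist`, so anything later added to the public list is also granted to `lnd` without this file changing. That is probably intended, but the rationale sits only at the `rpcUser` binding in an earlier hunk, not where the permissions are granted. I would add a comment directly above the list, for example `# Public whitelist plus the two peer commands lnd needs to fetch pruned blocks; keep this list minimal`. Anyone auditing RPC permissions then sees the scope at the definition.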
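Review bot: The `lndPruned` scenario is registered only in `buildable()` through `buildTest`, which by its name appears to check that the configuration builds rather than run it. The definition of `buildTest` is outside the hunk, so this is inferred. If so, nothing verifies at runtime that lnd authenticates as the `lnd` RPC user, that `getpeerinfo` and `getnodeaddresses` succeed for it, or that a command outside the whitelist is refused. A runtime check of those three cases in the scenario in `test/tests.nix` would pin the permission fix this commit makes. The body of `buildable()` continues outside the hunk.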