greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

lnd: add certificate options extraIPs and extraDomains

Browse Source 
This is useful for non-local access to the lnd REST server.
This commit is contained in:
Erik Arvstedt 2022-07-07 16:08:27 +02:00
parent 60a27d58a6
commit edfbe700e7
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
4 changed files with 54 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
modules/lnd.nix
View File

@ -70,6 +70,26 @@ let
Extra macaroon definitions.
'';
};
certificate = {
extraIPs = mkOption {
type = with types; listOf str;
default = [];
example = [ "60.100.0.1" ];
description = ''
Extra `subjectAltName` IPs added to the certificate.
This works the same as lnd option `tlsextraip`.
'';
};
extraDomains = mkOption {
type = with types; listOf str;
default = [];
example = [ "example.com" ];
description = ''
Extra `subjectAltName` domain names added to the certificate.
This works the same as lnd option `tlsextradomain`.
'';
};
};
extraConfig = mkOption {
type = types.lines;
default = "";
@ -195,6 +215,8 @@ in {
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
];
services.lnd.certificate.extraIPs = mkIf (cfg.rpcAddress != "localhost") [ "${cfg.rpcAddress}" ];
systemd.services.lnd = {
wantedBy = [ "multi-user.target" ];
requires = [ "bitcoind.service" ];
@ -282,7 +304,7 @@ in {
# - Enables deployment of a mesh of server plus client nodes with predefined certs
nix-bitcoin.generateSecretsCmds.lnd = ''
makePasswordSecret lnd-wallet-password
makeCert lnd '${optionalString (cfg.rpcAddress != "localhost") "IP:${cfg.rpcAddress}"}'
makeCert lnd '${nbLib.mkCertExtraAltNames cfg.certificate}'
'';
};
}

6
pkgs/lib.nix
View File

@ -109,4 +109,10 @@ let self = {
optionalAttr = cond: name: if cond then name else null;
mkCertExtraAltNames = cert:
builtins.concatStringsSep "," (
(map (domain: "DNS:${domain}") cert.extraDomains) ++
(map (ip: "IP:${ip}") cert.extraIPs)
);
}; in self

17
test/tests.nix
View File

@ -35,6 +35,13 @@ let
# Share the same pkgs instance among tests
nixpkgs.pkgs = mkDefault globalPkgs;
environment.systemPackages = mkMerge (with pkgs; [
# Needed to test macaroon creation
(mkIfTest "btcpayserver" [ openssl xxd ])
# Needed to test certificate creation
(mkIfTest "lnd" [ openssl ])
]);
tests.bitcoind = cfg.bitcoind.enable;
services.bitcoind = {
enable = true;
@ -81,7 +88,13 @@ let
tests.spark-wallet = cfg.spark-wallet.enable;
tests.lnd = cfg.lnd.enable;
services.lnd.port = 9736;
services.lnd = {
port = 9736;
certificate = {
extraIPs = [ "10.0.0.1" "20.0.0.1" ];
extraDomains = [ "example.com" ];
};
};
tests.lndconnect-onion-lnd = cfg.lnd.lndconnectOnion.enable;
tests.lndconnect-onion-clightning = cfg.clightning-rest.lndconnectOnion.enable;
@ -103,8 +116,6 @@ let
lightningBackend = mkDefault "lnd";
lbtc = mkDefault true;
};
# Needed to test macaroon creation
environment.systemPackages = mkIfTest "btcpayserver" (with pkgs; [ openssl xxd ]);
test.data.btcpayserver-lbtc = config.services.btcpayserver.lbtc;
tests.joinmarket = cfg.joinmarket.enable;

14
test/tests.py
View File

@ -7,9 +7,11 @@ def succeed(*cmds):
return machine.succeed(*cmds)
def assert_matches(cmd, regexp):
out = succeed(cmd)
if not re.search(regexp, out):
raise Exception(f"Pattern '{regexp}' not found in '{out}'")
assert_str_matches(succeed(cmd), regexp)
def assert_str_matches(str, regexp):
if not re.search(regexp, str):
raise Exception(f"Pattern '{regexp}' not found in '{str}'")
def assert_full_match(cmd, regexp):
out = succeed(cmd)
@ -152,6 +154,12 @@ def _():
assert_matches("runuser -u operator -- lncli getinfo | jq", '"version"')
assert_no_failure("lnd")
# Test certificate generation
cert_alt_names = succeed("</secrets/lnd-cert openssl x509 -noout -ext subjectAltName")
assert_str_matches(cert_alt_names, '10.0.0.1')
assert_str_matches(cert_alt_names, '20.0.0.1')
assert_str_matches(cert_alt_names, 'example.com')
@test("lndconnect-onion-lnd")
def _():
assert_running("lnd")