From b41a720c28a426b1576a063ab74e295b70a5b13e Mon Sep 17 00:00:00 2001 From: Erik Arvstedt Date: Thu, 14 Jan 2021 13:24:03 +0100 Subject: [PATCH] lnd: add consistent address options Also fix btcpayserver by connecting to the lnd restAddress instead of the p2p address. --- examples/configuration.nix | 2 +- modules/btcpayserver.nix | 2 +- modules/lightning-loop.nix | 2 +- modules/lnd.nix | 48 ++++++++++++++++----------------- modules/modules.nix | 4 +-- modules/netns-isolation.nix | 6 ++--- modules/presets/secure-node.nix | 2 +- test/tests.nix | 2 +- 8 files changed, 33 insertions(+), 35 deletions(-) diff --git a/examples/configuration.nix b/examples/configuration.nix index 9545d0f..4d56fe2 100644 --- a/examples/configuration.nix +++ b/examples/configuration.nix @@ -50,7 +50,7 @@ # Uncomment the following line in order to enable lnd, a lightning # implementation written in Go. In order to avoid collisions with clightning # you must disable clightning or change the services.clightning.bindport or - # services.lnd.listenPort to a port other than 9735. + # services.lnd.port to a port other than 9735. # services.lnd.enable = true; # Enable this option to announce our Tor Hidden Service. By default lnd # offers outgoing functionality, but doesn't announce the Tor Hidden Service diff --git a/modules/btcpayserver.nix b/modules/btcpayserver.nix index 7756605..949cbce 100644 --- a/modules/btcpayserver.nix +++ b/modules/btcpayserver.nix @@ -163,7 +163,7 @@ in { ''); lndConfig = "btclightning=type=lnd-rest;" + - "server=https://${toString cfg.lnd.listen}:${toString cfg.lnd.restPort}/;" + + "server=https://${cfg.lnd.restAddress}:${toString cfg.lnd.restPort}/;" + "macaroonfilepath=/run/lnd/btcpayserver.macaroon;" + "certthumbprint="; in let self = { diff --git a/modules/lightning-loop.nix b/modules/lightning-loop.nix index 8702297..37d9448 100644 --- a/modules/lightning-loop.nix +++ b/modules/lightning-loop.nix 
@@ -17,7 +17,7 @@ let tlscertpath=${secretsDir}/loop-cert tlskeypath=${secretsDir}/loop-key - lnd.host=${config.services.lnd.rpclisten}:${toString config.services.lnd.rpcPort} + lnd.host=${config.services.lnd.rpcAddress}:${toString config.services.lnd.rpcPort} lnd.macaroondir=${config.services.lnd.networkDir} lnd.tlspath=${secretsDir}/lnd-cert diff --git a/modules/lnd.nix b/modules/lnd.nix index f6225d2..226b60c 100644 --- a/modules/lnd.nix +++ b/modules/lnd.nix @@ -17,9 +17,9 @@ let tlscertpath=${secretsDir}/lnd-cert tlskeypath=${secretsDir}/lnd-key - listen=${toString cfg.listen}:${toString cfg.listenPort} - rpclisten=${cfg.rpclisten}:${toString cfg.rpcPort} - restlisten=${cfg.restlisten}:${toString cfg.restPort} + listen=${toString cfg.address}:${toString cfg.port} + rpclisten=${cfg.rpcAddress}:${toString cfg.rpcPort} + restlisten=${cfg.restAddress}:${toString cfg.restPort} bitcoin.${bitcoind.network}=1 bitcoin.active=1 
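Review bot: `toString cfg.address` in the new `listen=` line of modules/lnd.nix looks redundant now that this patch changes the `address` option's type to `types.str` (in a later hunk); the two lines below it interpolate `cfg.rpcAddress` and `cfg.restAddress` directly. For consistency the line would read `listen=${cfg.address}:${toString cfg.port}`. The lnd.conf string these lines belong to starts and ends outside the hunk.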
@@ -55,39 +55,37 @@ in {
 default = networkDir;
 description = "The network data directory.";
 };
- listen = mkOption {
- type = config.nix-bitcoin.pkgs.lib.ipv4Address;
+ address = mkOption {
+ type = types.str;
 default = "localhost";
- description = "Bind to given address to listen to peer connections";
+ description = "Address to listen for peer connections";
 };
- listenPort = mkOption {
+ port = mkOption {
 type = types.port;
 default = 9735;
- description = "Bind to given port to listen to peer connections";
+ description = "Port to listen for peer connections";
 };
- rpclisten = mkOption {
+ rpcAddress = mkOption {
 type = types.str;
 default = "localhost";
- description = ''
- Bind to given address to listen to RPC connections.
- '';
- };
- restlisten = mkOption {
- type = types.str;
- default = "localhost";
- description = ''
- Bind to given address to listen to REST connections.
- '';
+ description = "Address to listen for RPC connections.";
 };
 rpcPort = mkOption {
 type = types.port;
 default = 10009;
- description = "Port on which to listen for gRPC connections.";
+ description = "Port to listen for gRPC connections.";
+ };
+ restAddress = mkOption {
+ type = types.str;
+ default = "localhost";
+ description = ''
+ Address to listen for REST connections.
+ '';
 };
 restPort = mkOption {
 type = types.port;
 default = 8080;
- description = "Port on which to listen for REST connections.";
+ description = "Port to listen for REST connections.";
 };
 tor-socks = mkOption {
 type = types.nullOr types.str;
@@ -138,7 +136,7 @@ in {
 # Switch user because lnd makes datadir contents readable by user only
 ''
 sudo -u lnd ${cfg.package}/bin/lncli \
- --rpcserver ${cfg.rpclisten}:${toString cfg.rpcPort} \
+ --rpcserver ${cfg.rpcAddress}:${toString cfg.rpcPort} \
 --tlscertpath '${secretsDir}/lnd-cert' \
 --macaroonpath '${networkDir}/admin.macaroon' "$@"
 '';
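Review bot: The new `address` option widens its type from `config.nix-bitcoin.pkgs.lib.ipv4Address` to `types.str`, so the value is no longer validated before it is interpolated unbracketed into `listen=…:…` in lnd.conf and used as the hidden-service `toHost` in other hunks of this patch; an IPv6 literal or a malformed string would likely only surface as an lnd or tor startup failure. If the wider type is intended, the description should state the accepted form, e.g. `description = "IPv4 address or hostname to listen for peer connections.";`. Separately, `restAddress` keeps a multi-line `''` description while its sibling options in this hunk use one-line strings; `description = "Address to listen for REST connections.";` would match them.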
@@ -187,12 +185,12 @@ in { RestartSec = "10s"; ReadWritePaths = "${cfg.dataDir}"; ExecStartPost = let - restUrl = "https://${cfg.restlisten}:${toString cfg.restPort}/v1"; + restUrl = "https://${cfg.restAddress}:${toString cfg.restPort}/v1"; in [ # Run fully privileged for secrets dir write access "+${nix-bitcoin-services.script '' attempts=250 - while ! { exec 3>/dev/tcp/${cfg.restlisten}/${toString cfg.restPort} && exec 3>&-; } &>/dev/null; do + while ! { exec 3>/dev/tcp/${cfg.restAddress}/${toString cfg.restPort} && exec 3>&-; } &>/dev/null; do ((attempts-- == 0)) && { echo "lnd REST service unreachable"; exit 1; } sleep 0.1 done @@ -234,7 +232,7 @@ in { fi # Wait until the RPC port is open - while ! { exec 3>/dev/tcp/${cfg.rpclisten}/${toString cfg.rpcPort}; } &>/dev/null; do + while ! { exec 3>/dev/tcp/${cfg.rpcAddress}/${toString cfg.rpcPort}; } &>/dev/null; do sleep 0.1 done diff --git a/modules/modules.nix b/modules/modules.nix index 96fc869..fb366dd 100644 --- a/modules/modules.nix +++ b/modules/modules.nix @@ -58,11 +58,11 @@ with lib; config = { assertions = [ - { assertion = (config.services.lnd.enable -> ( !config.services.clightning.enable || config.services.clightning.bindport != config.services.lnd.listenPort)); + { assertion = (config.services.lnd.enable -> ( !config.services.clightning.enable || config.services.clightning.bindport != config.services.lnd.port)); message = '' LND and clightning can't both bind to lightning port 9735. Either disable LND/clightning or change services.clightning.bindPort or - services.lnd.listenPort to a port other than 9735. + services.lnd.port to a port other than 9735. ''; } ]; diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix index 835ce4d..47bf3f1 100644 --- a/modules/netns-isolation.nix +++ b/modules/netns-isolation.nix 
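Review bot: The renamed RPC wait loop in the `@@ -234` hunk, `while ! { exec 3>/dev/tcp/${cfg.rpcAddress}/${toString cfg.rpcPort}; } &>/dev/null; do`, still has no retry limit and never closes fd 3, unlike the REST wait loop in the preceding hunk, which bounds itself with `attempts=250` and runs `exec 3>&-` after a successful connect. Bringing it in line would mean `attempts=250` before the loop, `while ! { exec 3>/dev/tcp/${cfg.rpcAddress}/${toString cfg.rpcPort} && exec 3>&-; } &>/dev/null; do` as the condition, and `((attempts-- == 0)) && { echo "lnd RPC service unreachable"; exit 1; }` in the body. The script these lines belong to starts and ends outside the hunk, so whether a unit-level timeout already bounds the wait cannot be confirmed from here.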
@@ -257,9 +257,9 @@ in { services.clightning.bind-addr = netns.clightning.address; services.lnd = { - listen = netns.lnd.address; - rpclisten = netns.lnd.address; - restlisten = netns.lnd.address; + address = netns.lnd.address; + rpcAddress = netns.lnd.address; + restAddress = netns.lnd.address; }; services.liquidd = { diff --git a/modules/presets/secure-node.nix b/modules/presets/secure-node.nix index a5a0acd..87b59be 100644 --- a/modules/presets/secure-node.nix +++ b/modules/presets/secure-node.nix @@ -74,7 +74,7 @@ in { # lnd services.lnd.enforceTor = true; - services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.listen; toPort = cfg.lnd.listenPort; }); + services.tor.hiddenServices.lnd = mkIf cfg.lnd.enable (mkHiddenService { port = cfg.lnd.onionport; toHost = cfg.lnd.address; toPort = cfg.lnd.port; }); # lightning-loop services.lightning-loop.enforceTor = true; diff --git a/test/tests.nix b/test/tests.nix index 10c608d..758e9b6 100644 --- a/test/tests.nix +++ b/test/tests.nix @@ -44,7 +44,7 @@ let testEnv = rec { tests.spark-wallet = cfg.spark-wallet.enable; tests.lnd = cfg.lnd.enable; - services.lnd.listenPort = 9736; + services.lnd.port = 9736; tests.lightning-loop = cfg.lightning-loop.enable;