From 3dcb9e76ce532d2162031ca1fc59546e58d3c867 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 29 Jun 2021 15:53:22 +0200
Subject: [PATCH 1/8] Update node info
---
nodes/bitcoin-2.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json
index 01bd552..ee268e9 100644
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -8,7 +8,7 @@ "automatic": { "fqdn": "bitcoin-2", "os": "linux", - "os_version": "5.4.0-58-generic", + "os_version": "5.4.0-77-generic", "hostname": "bitcoin-2", "ipaddress": "192.168.122.148", "roles": [
From f095094cf78ad966ced9a191e10f8695a6dfd07c Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 29 Jun 2021 15:53:52 +0200
Subject: [PATCH 2/8] Fix compilation issue with dotnet services Compilation fails while the executable is running. Fixed by stopping the services before upgrades.
---
site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb | 1 +
site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb | 1 +
2 files changed, 2 insertions(+)
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
index 562ef67..42cf3c6 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
@@ -11,6 +11,7 @@ git node['btcpay']['source_dir'] do repository node['btcpay']['repo'] revision node['btcpay']['revision'] action :sync + notifies :stop, "systemd_unit[btcpayserver.service]", :immediately notifies :run, 'bash[build_btcpay]', :immediately end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb b/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
index 729e076..d771ede 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb
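Review bot: The added `notifies :stop, "systemd_unit[btcpayserver.service]", :immediately` has no counterpart that starts the unit again: nothing in this hunk brings btcpay back up after `bash[build_btcpay]`, so unless that build resource (outside the hunk) notifies `:start` or `:restart` on the same unit, every source sync leaves the service stopped. If it does notify `:restart`, that also starts a stopped unit, and the remaining gap is the failure path: a build that fails aborts the run with the service already stopped, and it stays down until the next successful converge. A one-line comment above the stop notification stating that downtime during a failed build is accepted would record that decision. The nbxplorer.rb hunk that follows has the same shape with `systemd_unit[nbxplorer.service]` and `bash[build_nbxplorer]`.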
@@ -11,6 +11,7 @@ git node['nbxplorer']['source_dir'] do repository node['nbxplorer']['repo'] revision node['nbxplorer']['revision'] action :sync + notifies :stop, "systemd_unit[nbxplorer.service]", :immediately notifies :run, 'bash[build_nbxplorer]', :immediately end
From a65065c793ab119f20f8af4c4207180d8137434b Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 29 Jun 2021 15:55:20 +0200
Subject: [PATCH 3/8] Upgrade all bitcoin software to latest versions
---
.../kosmos-bitcoin/attributes/default.rb | 14 +++++++-------
site-cookbooks/kosmos-bitcoin/recipes/source.rb | 1 -
2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index 812f9c3..8111a5e 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -1,5 +1,5 @@ -node.default['bitcoin']['version'] = '0.21.0' -node.default['bitcoin']['checksum'] = '1a91202c62ee49fb64d57a52b8d6d01cd392fffcbef257b573800f9289655f37' +node.default['bitcoin']['version'] = '0.21.1' +node.default['bitcoin']['checksum'] = 'caff23449220cf45753f312cefede53a9eac64000bb300797916526236b6a1e0' node.default['bitcoin']['username'] = 'satoshi' node.default['bitcoin']['usergroup'] = 'bitcoin' node.default['bitcoin']['network'] = 'mainnet'
@@ -26,7 +26,7 @@ node.default['bitcoin']['conf'] = { } node.default['c-lightning']['repo'] = 'https://github.com/ElementsProject/lightning' -node.default['c-lightning']['revision'] = 'v0.9.3' +node.default['c-lightning']['revision'] = 'v0.10.0' node.default['c-lightning']['source_dir'] = '/opt/c-lightning' node.default['c-lightning']['lightning_dir'] = "/home/#{node['bitcoin']['username']}/.lightning" node.default['c-lightning']['alias'] = 'ln3.kosmos.org'
@@ -35,7 +35,7 @@ node.default['c-lightning']['log_level'] = 'info' node.default['c-lightning']['public_ip'] = '148.251.237.73' node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd' -node.default['lnd']['revision'] = 'v0.12.0-beta' +node.default['lnd']['revision'] = 'v0.13.0-beta' node.default['lnd']['source_dir'] = '/opt/lnd' node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd" node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -49,7 +49,7 @@ node.default['lnd']['basefee'] = '500' node.default['lnd']['feerate'] = '1' node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git' -node.default['rtl']['revision'] = 'v0.10.0' +node.default['rtl']['revision'] = 'v0.11.0' node.default['rtl']['host'] = '10.1.1.163' node.default['rtl']['port'] = '3000'
@@ -57,13 +57,13 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/ node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991" node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer' -node.default['nbxplorer']['revision'] = 'latest' +node.default['nbxplorer']['revision'] = 'v2.1.52' node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer' node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config" node.default['nbxplorer']['port'] = '24445' node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver' -node.default['btcpay']['revision'] = 'latest' +node.default['btcpay']['revision'] = 'v1.1.2' node.default['btcpay']['source_dir'] = '/opt/btcpay' node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config" node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/source.rb b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
index dfd993b..e92a80f 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/source.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
@@ -27,7 +27,6 @@ end build_essential include_recipe 'ark' - %w{ libtool autotools-dev make automake cmake curl g++-multilib libtool binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg| apt_package pkg
From 2ca576468ed13cb8482d4b779ea7e703987d4626 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Wed, 30 Jun 2021 17:09:31 +0200
Subject: [PATCH 4/8] Auto-unlock LND wallet/node The latest release added a new config option for auto-unlocking the wallet/node using a password file. This changeset adds support for just that to the lnd recipe, so that nobody has to manually unlock it after reboots or service restarts.
---
site-cookbooks/kosmos-bitcoin/attributes/default.rb | 5 +++--
site-cookbooks/kosmos-bitcoin/recipes/lnd.rb | 13 +++++++++++++
.../kosmos-bitcoin/templates/lnd.conf.erb | 1 +
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index 8111a5e..054639a 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -45,8 +45,9 @@ node.default['lnd']['public_ip'] = '148.251.237.111' node.default['lnd']['public_port'] = '9735' node.default['lnd']['port'] = '9736' node.default['lnd']['minchansize'] = '1000000' -node.default['lnd']['basefee'] = '500' -node.default['lnd']['feerate'] = '1' +node.default['lnd']['basefee'] = '1000' +node.default['lnd']['feerate'] = '50' +node.default['lnd']['auto_unlock'] = true # requires credentials/lnd data bag item node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git' node.default['rtl']['revision'] = 'v0.11.0'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
index 4e2464a..6f36bb7 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
@@ -36,6 +36,17 @@ directory lnd_dir do action :create end +if node['lnd']['auto_unlock'] + lnd_credentials = Chef::EncryptedDataBagItem.load('credentials', 'lnd') + + file "#{lnd_dir}/.unlock.txt" do + content lnd_credentials['password'] + mode '0600' + owner bitcoin_user + group bitcoin_group + end +end + template "#{lnd_dir}/lnd.conf" do source "lnd.conf.erb" owner bitcoin_user
@@ -49,6 +60,8 @@ template "#{lnd_dir}/lnd.conf" do lnd_minchansize: node['lnd']['minchansize'], lnd_basefee: node['lnd']['basefee'], lnd_feerate: node['lnd']['feerate'], + lnd_dir: lnd_dir, + auto_unlock: node['lnd']['auto_unlock'], bitcoin_datadir: node['bitcoin']['datadir'], bitcoin_rpc_user: node['bitcoin']['conf']['rpcuser'], bitcoin_rpc_password: bitcoin_credentials["rpcpassword"],
diff --git a/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb b/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
index b96f7d8..57c7caf 100644
--- a/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/lnd.conf.erb
@@ -6,6 +6,7 @@ alias=<%= @lnd_alias %> color=<%= @lnd_color %> maxpendingchannels=2 minchansize=<%= @lnd_minchansize %> +<% if @auto_unlock %>wallet-unlock-password-file=<%= @lnd_dir %>/.unlock.txt<% end %> [autopilot] autopilot.active=0
From 4bda4d7857f21cb7395b1e9a6156cbfbf1818642 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Wed, 30 Jun 2021 17:10:57 +0200
Subject: [PATCH 5/8] Install LND with all subsystems enabled This allows to run loopd and other tools.
---
site-cookbooks/kosmos-bitcoin/recipes/lnd.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
index 6f36bb7..bcf1cd0 100644
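Review bot: The `file "#{lnd_dir}/.unlock.txt"` resource writes the wallet password obtained from `Chef::EncryptedDataBagItem.load('credentials', 'lnd')` without `sensitive true`, so Chef prints the content diff — the password itself — in the converge output the first time the file is written and on every later change, and from there it reaches whatever collects chef-client logs or run reports. Add `sensitive true` next to `mode '0600'`. The `if node['lnd']['auto_unlock']` branch also has no else: once the attribute is switched off, `.unlock.txt` stays on disk even though lnd.conf (see the lnd.conf.erb hunk) no longer references it; an `else` branch with the same `file` resource and `action :delete` would remove it. `bitcoin_user`, `bitcoin_group` and `lnd_dir` are defined outside the hunk.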
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
@@ -17,7 +17,7 @@ bash "compile_lnd" do cwd node['lnd']['source_dir'] code <<-EOH source /etc/profile.d/golang.sh - make clean && make && make install + make clean && make && make install tags="signrpc walletrpc chainrpc invoicesrpc" EOH action :nothing notifies :restart, "systemd_unit[lnd.service]", :delayed
From 37873fb881de437b842fd7ed3467f12edb029376 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Thu, 1 Jul 2021 13:17:51 +0200
Subject: [PATCH 6/8] Add data bag for LND credentials
---
data_bags/credentials/lnd.json | 10 ++++++++++
1 file changed, 10 insertions(+)
create mode 100644 data_bags/credentials/lnd.json
diff --git a/data_bags/credentials/lnd.json b/data_bags/credentials/lnd.json
new file mode 100644
index 0000000..5e61dcb
--- /dev/null
+++ b/data_bags/credentials/lnd.json
@@ -0,0 +1,10 @@
+{
+ "id": "lnd",
+ "password": {
+ "encrypted_data": "etEgstimoXqyD8HhZZ7rKW0+LW3rnYAR3f++AOv6SA==\n",
+ "iv": "g9LA7GpA6eV1ZAJu\n",
+ "auth_tag": "wv67Nliq0HGqAhVeyhNO/g==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
From 9f0b5f0e6408af50b0a4457e52a6cc33989f649d Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Thu, 1 Jul 2021 15:32:28 +0200
Subject: [PATCH 7/8] (tor) Add support for ControlPort and CookieAuthentication Allow to configure Tor to be controlled by other applications, so they can manage hidden services and such.
---
site-cookbooks/tor-full/README.md | 2 ++
site-cookbooks/tor-full/templates/default/torrc.erb | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/site-cookbooks/tor-full/README.md b/site-cookbooks/tor-full/README.md
index 6b2a6c4..415cbf7 100644
--- a/site-cookbooks/tor-full/README.md
+++ b/site-cookbooks/tor-full/README.md
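Review bot: `make clean && make && make install tags="signrpc walletrpc chainrpc invoicesrpc"` compiles lnd twice: the bare `make` builds without the tags and `make install` then rebuilds with them, so the middle step adds a full compile on every revision change without contributing to the installed binary (assuming the default target only produces local build output that `install` does not reuse — worth confirming against the lnd Makefile). `make clean && make install tags="signrpc walletrpc chainrpc invoicesrpc"` would produce the same installed binary. The enclosing `bash "compile_lnd"` resource starts outside the hunk.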
@@ -32,6 +32,8 @@ The following platform families are supported: * `node['tor']['MinLogLevel']` - The minimum log level to log. Possible values include debug, info, notice, warn, and err. * `node['tor']['LogDestination']` - Where logs should be written. Valid values include a path to a file or "syslog" * `node['tor']['SocksPorts']` - List of 'address:port' to open tor socks proxy on. Defaults to disabled +* `node['tor']['ControlPort']` - The port on which Tor will listen for local connections from Tor controller applications +* `node['tor']['CookieAuthentication']` - Enable this (`true`) when using ControlPort ### Hidden Services config section
diff --git a/site-cookbooks/tor-full/templates/default/torrc.erb b/site-cookbooks/tor-full/templates/default/torrc.erb
index f5dd682..ca07818 100644
--- a/site-cookbooks/tor-full/templates/default/torrc.erb
+++ b/site-cookbooks/tor-full/templates/default/torrc.erb
@@ -65,11 +65,11 @@ DataDirectory <%= node['tor']['DataDirectory'] %> ## The port on which Tor will listen for local connections from Tor ## controller applications, as documented in control-spec.txt. -#ControlPort 9051 +<% if node['tor']['ControlPort'] %>ControlPort <%= node['tor']['ControlPort'] %><% else %>#ControlPort 9051<% end %> ## If you enable the controlport, be sure to enable one of these ## authentication methods, to prevent attackers from accessing it. #HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C -#CookieAuthentication 1 +<% if node['tor']['CookieAuthentication'] %>CookieAuthentication 1<% else %>#CookieAuthentication 1<% end %> ############### This section is just for location-hidden services ###
From b7af04e8be59a223ee315ff06380fc5309ca116a Mon Sep 17 00:00:00 2001
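Review bot: `ControlPort` and `CookieAuthentication` are rendered independently, so a node that sets `node['tor']['ControlPort']` without also setting `node['tor']['CookieAuthentication']` ends up with an open control port and no authentication method (`#HashedControlPassword` stays commented out), which lets any local process reconfigure Tor; the README hunk states the expectation but nothing enforces it. Emitting cookie authentication whenever the control port is on closes that gap: `<% if node['tor']['ControlPort'] || node['tor']['CookieAuthentication'] %>CookieAuthentication 1<% else %>#CookieAuthentication 1<% end %>`. The attribute is also passed through verbatim: a bare port number keeps Tor's default of listening on localhost only, whereas an `address:port` value would expose the control port on that address, so the README entry for `ControlPort` should say that the value is expected to stay loopback-bound.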
From: Sebastian Kippe
Date: Thu, 1 Jul 2021 15:34:06 +0200
Subject: [PATCH 8/8] Support Tor connections for LND Adds basics for general Tor support in bitcoin recipes, and specific support for Tor to the lnd recipe.
---
nodes/bitcoin-2.json | 5 ++++-
site-cookbooks/kosmos-bitcoin/attributes/default.rb | 3 +++
site-cookbooks/kosmos-bitcoin/metadata.rb | 1 +
site-cookbooks/kosmos-bitcoin/recipes/lnd.rb | 10 +++++++++-
site-cookbooks/kosmos-bitcoin/recipes/source.rb | 8 ++++++++
5 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json
index ee268e9..1a71313 100644
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -26,6 +26,8 @@ "kosmos-bitcoin::dotnet", "kosmos-bitcoin::nbxplorer", "kosmos-bitcoin::btcpay", + "tor-full", + "tor-full::default", "apt::default", "timezone_iii::default", "timezone_iii::debian",
@@ -82,6 +84,7 @@ "recipe[kosmos-bitcoin::c-lightning]", "recipe[kosmos-bitcoin::lnd]", "recipe[kosmos-bitcoin::rtl]", - "role[btcpay]" + "role[btcpay]", + "recipe[tor-full]" ] }
\ No newline at end of file
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index 054639a..1cf96a2 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -25,6 +25,9 @@ node.default['bitcoin']['conf'] = { zmqpubrawtx: 'tcp://127.0.0.1:8338' } +# Also enables Tor for LND +node.default['bitcoin']['tor_enabled'] = true + node.default['c-lightning']['repo'] = 'https://github.com/ElementsProject/lightning' node.default['c-lightning']['revision'] = 'v0.10.0' node.default['c-lightning']['source_dir'] = '/opt/c-lightning'
diff --git a/site-cookbooks/kosmos-bitcoin/metadata.rb b/site-cookbooks/kosmos-bitcoin/metadata.rb
index fe6cd0c..c8bb476 100644
--- a/site-cookbooks/kosmos-bitcoin/metadata.rb
+++ b/site-cookbooks/kosmos-bitcoin/metadata.rb
@@ -26,3 +26,4 @@ depends 'kosmos-nginx' depends 'kosmos-nodejs' depends 'firewall' depends 'application_javascript' +depends 'tor-full'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
index bcf1cd0..47bbe7e 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
@@ -71,6 +71,9 @@ template "#{lnd_dir}/lnd.conf" do notifies :restart, "systemd_unit[lnd.service]", :delayed end +exec_flags = "" +exec_flags += "--tor.active --tor.v3" if node['bitcoin']['tor_enabled'] + systemd_unit 'lnd.service' do content({ Unit: {
@@ -83,7 +86,7 @@ systemd_unit 'lnd.service' do User: bitcoin_user, Group: bitcoin_group, Type: 'simple', - ExecStart: '/opt/go/bin/lnd', + ExecStart: "/opt/go/bin/lnd #{exec_flags}", Restart: 'always', RestartSec: '30', TimeoutSec: '240',
@@ -108,3 +111,8 @@ firewall_rule 'lnd' do protocol :tcp command :allow end + +if node['bitcoin']['tor_enabled'] + node.override['tor']['ControlPort'] = 9051 + node.override['tor']['CookieAuthentication'] = true +end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/source.rb b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
index e92a80f..51df04f 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/source.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
@@ -81,6 +81,14 @@ user bitcoin_user do shell "/bin/bash" end +if node['bitcoin']['tor_enabled'] + group 'debian-tor' do + action :modify + members bitcoin_user + append true + end +end + [bitcoin_datadir, bitcoin_walletdir].each do |path| directory path do owner bitcoin_user
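Review bot: `exec_flags += "--tor.active --tor.v3" if node['bitcoin']['tor_enabled']` switches lnd into Tor mode, which by lnd's defaults also routes outbound peer connections through a SOCKS proxy on localhost:9050, yet the only Tor settings this changeset applies are `node.override['tor']['ControlPort'] = 9051` and `node.override['tor']['CookieAuthentication'] = true`; the tor-full README in this series says `SocksPorts` defaults to disabled, so unless a SocksPort is enabled elsewhere on the node, lnd will be unable to reach peers once Tor mode is on — worth confirming against the node's tor attributes before merging. The `systemd_unit 'lnd.service'` Unit section is cut off by the hunk, so it is not visible whether it declares `After=tor.service`; without it lnd may start before Tor's control port exists, and `Restart: 'always'` with `RestartSec: '30'` turns that into a delayed start rather than an outright failure, which deserves a comment either way. As a style point, `exec_flags = ""` followed by a conditional `+=` reads better as `exec_flags = node['bitcoin']['tor_enabled'] ? "--tor.active --tor.v3" : ""`, and the interpolation leaves a trailing space in `ExecStart` when the flags are empty, which systemd ignores but which makes the rendered unit look unintended.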
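Review bot: `group 'debian-tor' do action :modify` raises when the group does not exist, and on a fresh node it runs before Tor is installed: the nodes/bitcoin-2.json hunk in this commit appends `recipe[tor-full]` at the end of the run list, after the kosmos-bitcoin recipes that presumably include source.rb, so the first converge aborts here before tor-full ever creates the group. Adding `include_recipe 'tor-full'` inside the `if node['bitcoin']['tor_enabled']` block ahead of the group resource (metadata.rb now declares the dependency) makes the ordering explicit; alternatively `only_if 'getent group debian-tor'` on the resource would defer the membership change to the next run. Either way a short comment saying why the bitcoin user needs the debian-tor group (read access to Tor's control auth cookie, if that is the intent) would help the next reader. The `[bitcoin_datadir, bitcoin_walletdir].each` block at the end of the hunk continues outside it.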