TOR patch V2 (re: #1521) #1548

Closed
wants to merge 2 commits into from
Closed
5 changes: 3 additions & 2 deletions .env.development
Expand Up @@ -156,8 +156,9 @@ AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
PERSISTENCE=1
SKIP_SSL_CERT_DOWNLOAD=1

# tor
TOR_PROXY=http://127.0.0.1:7050/
# tor proxy
TOR_PROXY=http://tor:7050/
grpc_proxy=http://tor:7050/

# lnbits
LNBITS_WEB_PORT=5001
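Review bot: `grpc_proxy=http://tor:7050/` is a process-wide setting read by gRPC clients (grpc-js and the C core both honor it) in every container that loads this file — docker-compose.yml attaches it to tor, stacker_lnd, stacker_cln and presumably app via `env_file: *env_file` — so it redirects gRPC connections to internal hosts such as `stacker_lnd` too, not only .onion targets, and nothing exempts them. If only onion traffic should go through tor, add `no_grpc_proxy=stacker_lnd,stacker_cln,lnbits,localhost,127.0.0.1` next to it, or set the variable only on the service that needs it. The comment should also say what 7050 is, since the torrc template that binds it is not in this diff: presumably an HTTP CONNECT tunnel (tor's HTTPTunnelPort), which is what `grpc_proxy` expects, e.g. `# tor: 7050 is the HTTP CONNECT tunnel port, used as grpc_proxy so gRPC can reach .onion hosts`.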
3 changes: 2 additions & 1 deletion api/lnd/index.js
@@ -1,6 +1,7 @@
import { cachedFetcher } from '@/lib/fetch'
import { toPositiveNumber } from '@/lib/validate'
import { authenticatedLndGrpc, getIdentity, getHeight, getWalletInfo, getNode } from 'ln-service'
import { authenticatedLndGrpc } from 'proxied-lnd-service'
import { getIdentity, getHeight, getWalletInfo, getNode } from 'ln-service'

const lnd = global.lnd || authenticatedLndGrpc({
cert: process.env.LND_CERT,
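Review bot: `authenticatedLndGrpc` now comes from `proxied-lnd-service`, a new third-party package that is handed the LND TLS cert (the `cert:` option on the following line) and, beyond the hunk, presumably the admin macaroon, which makes it the most sensitive dependency in this tree; the package.json/lockfile changes that introduce it are not in this diff, so its version, integrity hash and publisher cannot be reviewed here. Please pin an exact version with a lockfile integrity entry and state the package's provenance in the PR description (a fork of ln-service maintained by whom, and what it changes). A why-comment would also help, since two packages now provide overlapping APIs: `// proxied-lnd-service: ln-service's authenticatedLndGrpc variant that honors grpc_proxy, so LND is reached via tor`. The `lnd` initialization continues past the hunk.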
49 changes: 40 additions & 9 deletions docker-compose.yml
Expand Up @@ -40,6 +40,18 @@ services:
labels:
CONNECT: "localhost:5431"
cpu_shares: "${CPU_SHARES_IMPORTANT}"
tor:
build:
context: ./docker/tor
container_name: tor
restart: unless-stopped
volumes:
- tordata:/tordata/
cpu_shares: "${CPU_SHARES_LOW}"
env_file: *env_file
healthcheck:
<<: *healthcheck
test: ["CMD-SHELL", "bash /tor.sh check"]
app:
container_name: app
stdin_open: true
Expand Down Expand Up @@ -359,8 +371,13 @@ services:
healthcheck:
<<: *healthcheck
test: ["CMD-SHELL", "lncli", "getinfo"]
depends_on: *depends_on_bitcoin
depends_on:
tor:
condition: service_healthy
restart: true
<<: *depends_on_bitcoin
env_file: *env_file
entrypoint: /tor-entrypoint
command:
- 'lnd'
- '--noseedbackup'
Expand All @@ -369,6 +386,7 @@ services:
- '--externalip=stacker_lnd'
- '--tlsextradomain=stacker_lnd'
- '--tlsextradomain=host.docker.internal'
- '--tlsextradomain=$${ONION_DOMAIN}'
- '--listen=0.0.0.0:9735'
- '--rpclisten=0.0.0.0:10009'
- '--rpcmiddleware.enable'
Expand All @@ -394,6 +412,7 @@ services:
- "${STACKER_LND_GRPC_PORT}:10009"
volumes:
- stacker_lnd:/home/lnd/.lnd
- tordata:/home/lnd/.tor
labels:
ofelia.enabled: "true"
ofelia.job-exec.stacker_lnd_channel_cron.schedule: "@every 1m"
Expand Down Expand Up @@ -452,7 +471,11 @@ services:
healthcheck:
<<: *healthcheck
test: ["CMD-SHELL", "su clightning -c 'lightning-cli --network=regtest getinfo'"]
depends_on: *depends_on_bitcoin
depends_on:
tor:
condition: service_healthy
restart: true
<<: *depends_on_bitcoin
env_file: *env_file
command:
- 'lightningd'
Expand All @@ -471,6 +494,7 @@ services:
- "${STACKER_CLN_REST_PORT}:3010"
volumes:
- stacker_cln:/home/clightning/.lightning
- tordata:/home/clightning/.tor
labels:
ofelia.enabled: "true"
ofelia.job-exec.stacker_cln_channel_cron.schedule: "@every 1m"
Expand Down Expand Up @@ -528,16 +552,16 @@ services:
condition: service_healthy
restart: true
volumes:
- ./docker/lnd/stacker:/app/.lnd
- nwc_send:/app
- stacker_lnd:/app/.lnd
environment:
- RUST_LOG=info
entrypoint:
- './nostr-wallet-connect-lnd'
- '--relay'
- 'wss://relay.primal.net'
- '--macaroon-file'
- '/app/.lnd/regtest/admin.macaroon'
- '/app/.lnd/data/chain/bitcoin/regtest/admin.macaroon'
- '--cert-file'
- '/app/.lnd/tls.cert'
- '--lnd-host'
Expand All @@ -562,16 +586,16 @@ services:
condition: service_healthy
restart: true
volumes:
- ./docker/lnd/stacker:/app/.lnd
- nwc_recv:/app
- stacker_lnd:/app/.lnd
environment:
- RUST_LOG=info
entrypoint:
- './nostr-wallet-connect-lnd'
- '--relay'
- 'wss://relay.primal.net'
- '--invoice-macaroon-file'
- '/app/.lnd/regtest/invoice.macaroon'
- '/app/.lnd/data/chain/bitcoin/regtest/invoice.macaroon'
- '--cert-file'
- '/app/.lnd/tls.cert'
- '--lnd-host'
Expand All @@ -595,16 +619,22 @@ services:
ports:
- "${LNBITS_WEB_PORT}:5000"
depends_on:
- stacker_lnd
tor:
condition: service_healthy
restart: true
stacker_lnd:
condition: service_healthy
restart: true
environment:
- LNBITS_ADMIN_UI=true
- LNBITS_BACKEND_WALLET_CLASS=LndWallet
- LND_GRPC_ENDPOINT=stacker_lnd
- LND_GRPC_PORT=10009
- LND_GRPC_CERT=/app/.lnd/tls.cert
- LND_GRPC_MACAROON=/app/.lnd/regtest/admin.macaroon
- LND_GRPC_MACAROON=/app/.lnd/data/chain/bitcoin/regtest/admin.macaroon
volumes:
- ./docker/lnd/stacker:/app/.lnd
- stacker_lnd:/app/.lnd
- tordata:/app/.tor
labels:
CONNECT: "localhost:${LNBITS_WEB_PORT}"
cpu_shares: "${CPU_SHARES_LOW}"
Expand All @@ -618,3 +648,4 @@ volumes:
s3:
nwc_send:
nwc_recv:
tordata:
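Review bot: The `tordata` volume mounted into stacker_lnd (`/home/lnd/.tor`), stacker_cln (`/home/clightning/.tor`) and lnbits (`/app/.tor`) is tor's entire data directory, which per docker/tor/tor.sh also holds the rendered torrc with the control-password hash, `.env.torpass` with the plaintext control password and the hidden-service key material, while the only thing tor-entrypoint.sh reads from it is `hidden_service/hostname`. A compromise of lnbits — whose admin UI is enabled here and is published over the onion by docker/tor/services.conf — would therefore yield the onion private key and the tor control password. Mount it read-only at minimum, `- tordata:/home/lnd/.tor:ro` (and the same `:ro` on the cln and lnbits entries), and preferably have tor.sh copy just `hostname` into a separate small volume. The nwc_send, nwc_recv and lnbits services likewise now receive the whole `stacker_lnd` data directory — presumably including `tls.key` and the wallet database — where the old `./docker/lnd/stacker` bind mount held only the checked-in cert and macaroon fixtures; nwc_recv in particular needs nothing beyond `invoice.macaroon` and the cert, so a read-only mount is the least that should change.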
Binary file modified docker/lnbits/data/database.sqlite3
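Review bot: The change to docker/lnbits/data/database.sqlite3 is an opaque binary and cannot be reviewed, and a SQLite file committed to the repo may carry credentials or wallet state that a text diff would have surfaced. Presumably it was regenerated so lnbits' LndWallet settings match the new `LND_GRPC_MACAROON` path set in docker-compose.yml; if so, say that in the PR description and confirm no real secrets were written into it. Seeding lnbits through environment variables or a migration script would avoid committing regenerated binaries in future.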
5 changes: 4 additions & 1 deletion docker/lnd/Dockerfile
Expand Up @@ -9,4 +9,7 @@ RUN apt-get update -y \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

COPY ["./$LN_NODE_FOR/regtest/*", "/home/lnd/.lnd/data/chain/bitcoin/regtest/"]
COPY ["./$LN_NODE_FOR/tls.*", "/home/lnd/.lnd/"]
COPY ["./$LN_NODE_FOR/tls.*", "/home/lnd/.lnd/"]

ADD tor-entrypoint.sh /tor-entrypoint
RUN chmod +x /tor-entrypoint
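Review bot: With `docker/lnd/stacker/tls.cert` and `tls.key` deleted in this PR, the unchanged `COPY ["./$LN_NODE_FOR/tls.*", "/home/lnd/.lnd/"]` just above matches nothing for LN_NODE_FOR=stacker, and Docker fails a COPY whose wildcard matches no file, so the image build presumably breaks unless some other `tls.*` file remains there. If the intent is to let lnd generate a fresh cert carrying the onion SAN on first start, drop that COPY for nodes that no longer ship a cert and say so in a comment such as `# tls.cert/tls.key are generated by lnd at first start so the onion address can be a SAN`. For the new lines, prefer `COPY --chmod=755 tor-entrypoint.sh /tor-entrypoint` (BuildKit) over `ADD` plus a separate `chmod` layer: ADD's remote-URL and archive-extraction semantics are unwanted for a local script and linters flag it.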
15 changes: 0 additions & 15 deletions docker/lnd/stacker/tls.cert

This file was deleted.

5 changes: 0 additions & 5 deletions docker/lnd/stacker/tls.key

This file was deleted.

13 changes: 13 additions & 0 deletions docker/lnd/tor-entrypoint.sh
@@ -0,0 +1,13 @@
#!/bin/bash

ONION_DOMAIN=""

if [ -f /home/lnd/.tor/hidden_service/hostname ]; then
ONION_DOMAIN=$(cat /home/lnd/.tor/hidden_service/hostname)
fi

# expand the cmd arguments
args=$(echo "$@" | sed -e "s/\${ONION_DOMAIN}/$ONION_DOMAIN/g")

# Execute the original entry point script with the modified command line``
/entrypoint.sh $args
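Review bot: `/entrypoint.sh $args` on the last line re-splits the rewritten argument string on whitespace and applies glob expansion to it, and the missing `exec` leaves this bash wrapper as the container's main process, so the SIGTERM from `docker stop` goes to bash rather than to lnd (presumably what /entrypoint.sh ultimately runs) and lnd risks being killed at the timeout without a clean shutdown. Substitute `${ONION_DOMAIN}` per argument with bash parameter expansion instead of `echo | sed`, and `exec` the real entrypoint. When the hostname file is absent the script currently passes `--tlsextradomain=` with an empty value; omitting that argument is safer than handing lnd an empty SAN. The final comment also carries stray backticks (`line``).
```shell
#!/bin/bash
set -euo pipefail

ONION_DOMAIN=""
if [ -f /home/lnd/.tor/hidden_service/hostname ]; then
  ONION_DOMAIN=$(tr -d '[:space:]' < /home/lnd/.tor/hidden_service/hostname)
fi

# Substitute ${ONION_DOMAIN} per argument; iterating "$@" keeps spaces and globs intact.
args=()
for arg in "$@"; do
  if [ -z "$ONION_DOMAIN" ] && [ "$arg" = '--tlsextradomain=${ONION_DOMAIN}' ]; then
    continue  # no onion address yet: omit the SAN rather than pass an empty one
  fi
  args+=("${arg//\$\{ONION_DOMAIN\}/$ONION_DOMAIN}")
done

# exec so lnd, not this wrapper, receives docker's stop signal
exec /entrypoint.sh "${args[@]}"
```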
15 changes: 15 additions & 0 deletions docker/tor/Dockerfile
@@ -0,0 +1,15 @@
FROM debian:bookworm

RUN apt-get update -y \
&& apt-get install -y tor bash openssl netcat-traditional \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

ADD torrc /etc/tor/torrc.template
ADD tor.sh /tor.sh
ADD services.conf /services.conf
RUN mkdir -p /tordata && groupadd -g 1000 tor && useradd -u 1000 -g 1000 -m tor && chown -R tor:tor /tordata
EXPOSE 9050 9051 7050
VOLUME "/tordata"
USER tor
ENTRYPOINT [ "bash", "/tor.sh" ]
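Review bot: `FROM debian:bookworm` and `apt-get install -y tor` pin neither the base image nor the tor version, so the component that holds the node's hidden-service private key is rebuilt from whatever upstream publishes at build time; pin the base by digest (`FROM debian:bookworm@sha256:…`) and consider the Tor Project's own apt repository, which ships security releases ahead of Debian stable. The three `ADD` lines copy local files and should be `COPY`; ADD's remote-URL and archive-extraction behaviour is an unneeded surprise surface. `EXPOSE 9051` advertises the control port to the compose network, and whether tor binds it beyond loopback depends on the torrc template, which is not in this diff — confirm it reads `ControlPort 127.0.0.1:9051`, since tor.sh's healthcheck only needs loopback and the control password is shared with other containers via the `tordata` volume.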
3 changes: 3 additions & 0 deletions docker/tor/services.conf
@@ -0,0 +1,3 @@
HiddenServicePort 10009 stacker_lnd:10009
HiddenServicePort 3010 stacker_cln:3010
HiddenServicePort 5000 lnbits:5000
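Review bot: These three `HiddenServicePort` lines publish LND's gRPC (10009), CLN's REST port (3010) and the lnbits web UI (5000, with `LNBITS_ADMIN_UI=true` per docker-compose.yml) to anyone who learns the onion address, and a v3 onion address is an identifier, not an access secret. LND's gRPC is macaroon-authenticated over TLS, but the CLN REST and lnbits endpoints rely on whatever authentication those services enforce, which this PR does not show. If only LND needs to be reachable from outside (the referenced #1521 is not visible here), keep just the 10009 line, or protect the service with onion-service client authorization (keys under the service's `authorized_clients/` directory), and record the exposure with a comment such as `# exposed over tor: anyone holding the onion address can reach these ports`.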
68 changes: 68 additions & 0 deletions docker/tor/tor.sh
@@ -0,0 +1,68 @@
#!/bin/bash

function initialize {
####################### generate and save control password ########################
cp -f /etc/tor/torrc.template /tordata/torrc
TOR_PASSWORD=""
if [ -f /tordata/.env.torpass ]; then source /tordata/.env.torpass; fi

if [ -z "$torPassword" ]; then
TOR_PASSWORD=$(openssl rand -hex 32)
echo "TOR_PASSWORD=$TOR_PASSWORD" > /tordata/.env.torpass
fi

TOR_PASSWORD_HASH=$(tor --hash-password "$TOR_PASSWORD" 2>/dev/null | tail -n 1)
echo "Replacing %HashedControlPassword% with $TOR_PASSWORD_HASH"
sed -i "s|%HashedControlPassword%|$TOR_PASSWORD_HASH|g" /tordata/torrc
##################################################################################
}

function mergeServices {
cat /services.conf >> /tordata/torrc
}

# There is a circular dependency between tor and stacker_lnd:
# <-> tor needs stacker_lnd to be running to resolve the hidden service target
# <-> stacker_lnd needs to wait for tor to start and generate the hidden service address
# Afaik there isn't an "official" solution for this issue.
#
# This workaround starts tor the first time without the lnd hidden service
# and then re-start tor with the full configuration after the lnd service is ready.


if [ -f /tordata/start.timestamp ];
then
# Remove leftovers from a previous run
rm /tordata/start.timestamp
fi

if [ "$1" = "check" ];
then
if [ ! -f /tordata/start.timestamp ]; then
# if still initializing we just check if the hidden service was generated and use this as a healthcheck
if [ -f /tordata/hidden_service/hostname ]; then exit 0; else exit 1; fi
else
# run the real healthcheck
echo -e 'AUTHENTICATE "'$TOR_PASSWORD'"\nGETINFO status/circuit-established\nQUIT' | nc 127.0.0.1 9051 | grep OK || exit 1
exit 0
fi
else
# Step 1: we start tor with a fake hidden service that points to port 8080,
# just to get it to generate the hidden service data, then we kill it immediately after
echo "Initializing..."
initialize
tor -f /tordata/torrc &
pid=$!
sleep 60
kill $pid

# debug
ls /tordata/hidden_service/

# Step 2: we merge the service configuration and start tor again
echo "Starting tor..."
initialize
mergeServices
date +%s > /tordata/start.timestamp
tor -f /tordata/torrc
fi
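Review bot: The leftover cleanup `rm /tordata/start.timestamp` near the top runs on every invocation, including `bash /tor.sh check` from the compose healthcheck, so each healthcheck deletes the marker and the "real healthcheck" branch is never reached — the container is reported healthy as soon as `hidden_service/hostname` exists, even after tor has died. That branch would also fail if reached: `$TOR_PASSWORD` is empty in the healthcheck's fresh shell because `.env.torpass` is never sourced there, and `grep OK` matches the `250 OK` reply to AUTHENTICATE regardless of `circuit-established`. In `initialize`, the test `[ -z "$torPassword" ]` reads a variable that is never set (the file defines `TOR_PASSWORD`), so a new control password is generated and written on every start, with default umask, into a volume that docker-compose.yml shares with lnd, cln and lnbits; logging the hash on the next line is unnecessary as well. The rewrite below moves the cleanup to the start path, sources the password in check mode, checks the actual circuit status and creates the password file with mode 600.
```shell
function initialize {
  cp -f /etc/tor/torrc.template /tordata/torrc
  TOR_PASSWORD=""
  if [ -f /tordata/.env.torpass ]; then source /tordata/.env.torpass; fi

  # Reuse the stored password; the original tested $torPassword, which is never set.
  if [ -z "$TOR_PASSWORD" ]; then
    TOR_PASSWORD=$(openssl rand -hex 32)
    (umask 077 && echo "TOR_PASSWORD=$TOR_PASSWORD" > /tordata/.env.torpass)
  fi

  TOR_PASSWORD_HASH=$(tor --hash-password "$TOR_PASSWORD" 2>/dev/null | tail -n 1)
  sed -i "s|%HashedControlPassword%|$TOR_PASSWORD_HASH|g" /tordata/torrc
}

# … unchanged: mergeServices and the circular-dependency comment …

if [ "$1" = "check" ]; then
  if [ ! -f /tordata/start.timestamp ]; then
    # still in step 1: healthy once the hidden service identity exists
    if [ -f /tordata/hidden_service/hostname ]; then exit 0; else exit 1; fi
  fi
  # step 2: the healthcheck runs in a fresh shell, so load the control password first
  source /tordata/.env.torpass
  printf 'AUTHENTICATE "%s"\r\nGETINFO status/circuit-established\r\nQUIT\r\n' "$TOR_PASSWORD" \
    | nc 127.0.0.1 9051 | grep -q 'circuit-established=1' || exit 1
  exit 0
fi

# Start path only: clear the marker from a previous run. Doing this before the
# "check" branch made every healthcheck delete it and bypass the real check.
rm -f /tordata/start.timestamp
# … unchanged: step 1 / step 2 start sequence …
```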