reorganize docker and add static certs/macroon to lnd

This commit is contained in:
keyan 2024-03-08 13:11:15 -06:00
parent 7fe959a720
commit 215f330771
14 changed files with 88 additions and 30 deletions


@ -47,21 +47,13 @@ OPENSEARCH_MODEL_ID=
# if you want to work with payments you'll need these # # if you want to work with payments you'll need these #
####################################################### #######################################################
# lnd # lnurl ... you'll need a tunnel to localhost:3000 for these
LND_CERT=
LND_MACAROON=
LND_SOCKET=sn_lnd:10009
# lnurl
LNAUTH_URL= LNAUTH_URL=
LNWITH_URL= LNWITH_URL=
# nostr (NIP-57 zap receipts) #########################
NOSTR_PRIVATE_KEY= # SNDEV STUFF WE PRESET #
#########################
###############
# LEAVE AS IS #
###############
# static things # static things
NEXTAUTH_URL=http://localhost:3000/api/auth NEXTAUTH_URL=http://localhost:3000/api/auth
@ -72,6 +64,16 @@ NEXTAUTH_SECRET=3_0W_PhDRZVanbeJsZZGIEljexkKoGbL6qGIqSwTjjI
JWT_SIGNING_PRIVATE_KEY={"kty":"oct","kid":"FvD__hmeKoKHu2fKjUrWbRKfhjimIM4IKshyrJG4KSM","alg":"HS512","k":"3_0W_PhDRZVanbeJsZZGIEljexkKoGbL6qGIqSwTjjI"} JWT_SIGNING_PRIVATE_KEY={"kty":"oct","kid":"FvD__hmeKoKHu2fKjUrWbRKfhjimIM4IKshyrJG4KSM","alg":"HS512","k":"3_0W_PhDRZVanbeJsZZGIEljexkKoGbL6qGIqSwTjjI"}
INVOICE_HMAC_KEY=a4c1d9c81edb87b79d28809876a18cf72293eadb39f92f3f4f2f1cfbdf907c91 INVOICE_HMAC_KEY=a4c1d9c81edb87b79d28809876a18cf72293eadb39f92f3f4f2f1cfbdf907c91
# lnd
# xxd -p -c0 docker/lnd/sn/macaroons/admin.macaroon
LND_CERT=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
LND_MACAROON=0201036c6e6402f801030a10206f3a63d5bf8355755851ace460077d1201301a160a0761646472657373120472656164120577726974651a130a04696e666f120472656164120577726974651a170a08696e766f69636573120472656164120577726974651a210a086d616361726f6f6e120867656e6572617465120472656164120577726974651a160a076d657373616765120472656164120577726974651a170a086f6666636861696e120472656164120577726974651a160a076f6e636861696e120472656164120577726974651a140a057065657273120472656164120577726974651a180a067369676e6572120867656e657261746512047265616400000620bc992b1c727644c462370b69a3dd39575666f3a7ac9ec120c97e3e7906dc4cb2
LND_SOCKET=sn_lnd:10009
# nostr (NIP-57 zap receipts)
# openssl rand -hex 32
NOSTR_PRIVATE_KEY=5f30b7e7714360f51f2be2e30c1d93b7fdf67366e730658e85777dfcc4e4245f
# imgproxy options # imgproxy options
IMGPROXY_ENABLE_WEBP_DETECTION=1 IMGPROXY_ENABLE_WEBP_DETECTION=1
IMGPROXY_ENABLE_AVIF_DETECTION=1 IMGPROXY_ENABLE_AVIF_DETECTION=1
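Review bot: The preset LND_MACAROON and NOSTR_PRIVATE_KEY values (and LND_CERT above them) are now fixed credentials checked into .env.sndev, and the comments `# xxd -p -c0 docker/lnd/sn/macaroons/admin.macaroon` and `# openssl rand -hex 32` record how they were produced but not that every checkout shares them. A one-line comment under `# lnd` would make the scope explicit, e.g. `# dev-only fixtures bound to the committed docker/lnd/sn cert, key and macaroons.db; every checkout shares them, so never reuse these values outside the local regtest stack`. LND_CERT has no provenance comment at all; if it was produced the same way from docker/lnd/sn/tls.cert, a matching `# xxd -p -c0 docker/lnd/sn/tls.cert` line would keep the three entries consistent.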

1
.gitignore vendored

@ -20,7 +20,6 @@ node_modules/
.DS_Store .DS_Store
*.pem *.pem
/*.sql /*.sql
!/anon.sql
lnbits/ lnbits/
# debug # debug


@ -8,4 +8,6 @@ WORKDIR /app
EXPOSE 3000 EXPOSE 3000
CMD ["sh","-c","npm ci --loglevel verbose --legacy-peer-deps && npx prisma migrate dev && npm run dev"] COPY package.json package-lock.json ./
RUN npm ci --legacy-peer-deps --loglevel verbose
CMD ["sh","-c","npm install --loglevel verbose --legacy-peer-deps && npx prisma migrate dev && npm run dev"]
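Review bot: The new CMD switches the start-time install from `npm ci` to `npm install`, so the dependency tree is no longer held to package-lock.json when the container starts: `npm install` resolves afresh and, on a writable tree, rewrites the lockfile, and since docker-compose.yml bind-mounts `./:/app` that rewrite lands in the host checkout. If the intent is only to stop `npm ci` from wiping the node_modules produced by the new `RUN npm ci --legacy-peer-deps --loglevel verbose` layer, say so in a comment above the CMD and consider `npm install --no-save` so package.json and the lockfile are left untouched; otherwise keeping `npm ci` preserves the reproducible, lockfile-pinned install. It is also worth confirming that the `./:/app` bind mount does not simply shadow the image's /app/node_modules, in which case the new COPY/RUN layer buys nothing at runtime. The base image and WORKDIR lines sit above the hunk.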


@ -2,7 +2,7 @@ version: "3"
services: services:
db: db:
container_name: db container_name: db
build: ./db build: ./docker/db
restart: unless-stopped restart: unless-stopped
healthcheck: healthcheck:
test: ["CMD-SHELL", "PGPASSWORD=${POSTGRES_PASSWORD} psql -U ${POSTGRES_USER} ${POSTGRES_DB} -c 'SELECT 1 FROM users LIMIT 1'"] test: ["CMD-SHELL", "PGPASSWORD=${POSTGRES_PASSWORD} psql -U ${POSTGRES_USER} ${POSTGRES_DB} -c 'SELECT 1 FROM users LIMIT 1'"]
@ -15,9 +15,9 @@ services:
ports: ports:
- "5431:5432" - "5431:5432"
env_file: env_file:
- ./.env.sndev - .env.sndev
volumes: volumes:
- ./anon.sql:/docker-entrypoint-initdb.d/anon.sql - ./docker/db/seed.sql:/docker-entrypoint-initdb.d/seed.sql
- db:/var/lib/postgresql/data - db:/var/lib/postgresql/data
app: app:
container_name: app container_name: app
@ -37,7 +37,7 @@ services:
condition: service_healthy condition: service_healthy
restart: true restart: true
env_file: env_file:
- ./.env.sndev - .env.sndev
expose: expose:
- "3000" - "3000"
ports: ports:
@ -63,7 +63,7 @@ services:
condition: service_healthy condition: service_healthy
restart: true restart: true
env_file: env_file:
- ./.env.sndev - .env.sndev
volumes: volumes:
- ./:/app - ./:/app
links: links:
@ -85,7 +85,7 @@ services:
start_period: 1m start_period: 1m
restart: unless-stopped restart: unless-stopped
env_file: env_file:
- ./.env.sndev - .env.sndev
ports: ports:
- "3001:8080" - "3001:8080"
links: links:
@ -101,7 +101,7 @@ services:
start_period: 1m start_period: 1m
restart: unless-stopped restart: unless-stopped
env_file: env_file:
- ./.env.sndev - .env.sndev
environment: environment:
- OPENSEARCH_INITIAL_ADMIN_PASSWORD=mVchg1T5oA9wudUh - OPENSEARCH_INITIAL_ADMIN_PASSWORD=mVchg1T5oA9wudUh
ports: ports:
@ -131,7 +131,7 @@ services:
condition: service_healthy condition: service_healthy
restart: true restart: true
env_file: env_file:
- ./.env.sndev - .env.sndev
environment: environment:
- opensearch.ssl.verificationMode=none - opensearch.ssl.verificationMode=none
- OPENSEARCH_HOSTS=http://opensearch:9200 - OPENSEARCH_HOSTS=http://opensearch:9200
@ -195,7 +195,7 @@ services:
condition: service_healthy condition: service_healthy
restart: true restart: true
env_file: env_file:
- ./.env.sndev - .env.sndev
command: command:
- 'lnd' - 'lnd'
- '--noseedbackup' - '--noseedbackup'
@ -222,6 +222,9 @@ services:
- "${LND_GRPC_PORT}:${LND_GRPC_PORT}" - "${LND_GRPC_PORT}:${LND_GRPC_PORT}"
volumes: volumes:
- sn_lnd:/home/lnd/.lnd - sn_lnd:/home/lnd/.lnd
- ./docker/lnd/sn/macaroons/macaroons.db:/home/lnd/.lnd/data/chain/bitcoin/regtest/macaroons.db
- ./docker/lnd/sn/tls.cert:/home/lnd/.lnd/tls.cert
- ./docker/lnd/sn/tls.key:/home/lnd/.lnd/tls.key
stacker_lnd: stacker_lnd:
image: polarlightning/lnd:0.17.4-beta image: polarlightning/lnd:0.17.4-beta
container_name: stacker_lnd container_name: stacker_lnd
@ -237,14 +240,14 @@ services:
condition: service_healthy condition: service_healthy
restart: true restart: true
env_file: env_file:
- ./.env.sndev - .env.sndev
command: command:
- 'lnd' - 'lnd'
- '--noseedbackup' - '--noseedbackup'
- '--trickledelay=5000' - '--trickledelay=5000'
- '--alias=sn_lnd' - '--alias=stacker_lnd'
- '--externalip=sn_lnd' - '--externalip=stacker_lnd'
- '--tlsextradomain=sn_lnd' - '--tlsextradomain=stacker_lnd'
- '--tlsextradomain=host.docker.internal' - '--tlsextradomain=host.docker.internal'
- '--listen=0.0.0.0:${STACKER_LND_P2P_PORT}' - '--listen=0.0.0.0:${STACKER_LND_P2P_PORT}'
- '--rpclisten=0.0.0.0:${STACKER_LND_GRPC_PORT}' - '--rpclisten=0.0.0.0:${STACKER_LND_GRPC_PORT}'
@ -262,8 +265,13 @@ services:
ports: ports:
- "${STACKER_LND_REST_PORT}:${STACKER_LND_REST_PORT}" - "${STACKER_LND_REST_PORT}:${STACKER_LND_REST_PORT}"
- "${STACKER_LND_GRPC_PORT}:${STACKER_LND_GRPC_PORT}" - "${STACKER_LND_GRPC_PORT}:${STACKER_LND_GRPC_PORT}"
volumes:
- stacker_lnd:/home/lnd/.lnd
- ./docker/lnd/stacker/tls.cert:/home/lnd/.lnd/tls.cert
- ./docker/lnd/stacker/tls.key:/home/lnd/.lnd/tls.key
volumes: volumes:
db: db:
os: os:
bitcoin: bitcoin:
sn_lnd: sn_lnd:
stacker_lnd:
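Review bot: sn_lnd now runs with a committed admin macaroon, its master key in macaroons.db and a committed TLS key, while `"${LND_GRPC_PORT}:${LND_GRPC_PORT}"` (and the STACKER_LND_REST_PORT / STACKER_LND_GRPC_PORT lines) are still published with no host address, i.e. on every interface of the developer machine, so anyone who can reach that port holds credentials that are public in the repository. Binding the published ports to loopback costs nothing in a local stack: `- "127.0.0.1:${LND_GRPC_PORT}:${LND_GRPC_PORT}"`, and the same form for the STACKER_LND_* port lines. The new bind mount `./docker/lnd/sn/macaroons/macaroons.db:/home/lnd/.lnd/data/chain/bitcoin/regtest/macaroons.db` also points lnd at a file in the working tree; lnd presumably opens that database read-write, so any root-key or macaroon change at runtime would surface as a modified checked-in file — worth confirming and, if so, seeding it into the named volume instead of mounting it. The ports hunk at -222 and the stacker_lnd volumes hunk at -262 are both inside the `services:` mapping that opens in the section's first hunk.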

3
docker/lnd/README.md Normal file

@ -0,0 +1,3 @@
We assume control of certs so that the app container doesn't need to inspect lnd for these things.
For the admin.macaroon, we do the same but we also need to store `macaroons.db` because it contains the master key.

Binary file not shown.

Binary file not shown.

15
docker/lnd/sn/tls.cert Normal file

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

5
docker/lnd/sn/tls.key Normal file

@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPw/v7CND3euIqjULW5tCnD5tve0L0E0N8dBtRkJM3u2oAoGCCqGSM49
AwEHoUQDQgAEnmIym0/iSSe2yoKYM5pdsSGtOjdbYfzqd0tbPPjiQPMencSIf9nh
1JDrsYGeqeSAiiKO2Uy+Y2HLwrsvQNypxQ==
-----END EC PRIVATE KEY-----
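Review bot: docker/lnd/sn/tls.key (and the second EC key in the later `-----BEGIN EC PRIVATE KEY-----` section, presumably docker/lnd/stacker/tls.key) is a committed private key, and the repository's own `.gitignore` rule `*.pem` shows keys are normally kept out of the tree, so secret scanners will flag these on every push. The docker/lnd/README.md added in this commit explains why the certs are pinned but not their trust scope; a sentence there such as `These keys, certs and the admin macaroon are public development fixtures for the local regtest stack; they authenticate nothing outside it and must never be copied into another deployment.` would make the intent explicit and give any scanner allow-listing a documented basis. Since a cert already on disk is used as-is, it is also worth checking that the committed tls.cert files carry the SANs the compose command lines now request (`stacker_lnd`, `host.docker.internal`), as lnd will not regenerate a pre-existing cert for new `--tlsextradomain` values unless auto-refresh is enabled — verify against lnd's TLS handling.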


@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOxH9uY8mpnlo/X5gRAAVOzOuEPIAOuHHlezkba3vIuHoAoGCCqGSM49
AwEHoUQDQgAEE/58LzB2lQn3VWniIL/DCkvkhwEvXBJYn+16mu6rFbz4lu1Z4eDA
1RAZTOa4NJ5Gh+lde7Agt67Hvzqjy31WNQ==
-----END EC PRIVATE KEY-----

10
sndev

@ -1,5 +1,9 @@
#!/bin/sh #!/bin/sh
docker__compose() {
command docker compose --env-file .env.sndev "$@"
}
sndev__start() { sndev__start() {
if [ ! -x "$(command -v docker-compose)" ]; then if [ ! -x "$(command -v docker-compose)" ]; then
echo "docker compose is not installed" echo "docker compose is not installed"
@ -14,17 +18,17 @@ sndev__start() {
fi fi
echo "Starting application" echo "Starting application"
docker compose --env-file .env.sndev up --build docker__compose up --build
} }
sndev__stop() { sndev__stop() {
echo "Stopping application" echo "Stopping application"
docker compose --env-file .env.sndev down docker__compose down
} }
sndev__delete() { sndev__delete() {
echo "Deleting application" echo "Deleting application"
docker compose --env-file .env.sndev down --volumes --remove-orphans docker__compose down --volumes --remove-orphans
} }
sndev__help() { sndev__help() {