reorganize docker and add static certs/macroon to lnd

2024-03-08 13:11:15 -06:00 · 2024-03-08 13:11:15 -06:00 · 215f330771
parent 7fe959a720
commit 215f330771
14 changed files with 88 additions and 30 deletions
--- a/.env.sample
+++ b/.env.sample
@ -47,21 +47,13 @@ OPENSEARCH_MODEL_ID=
 # if you want to work with payments you'll need these #
 #######################################################

-# lnd
-LND_CERT=
-LND_MACAROON=
-LND_SOCKET=sn_lnd:10009
-
-# lnurl
+# lnurl ... you'll need a tunnel to localhost:3000 for these
 LNAUTH_URL=
 LNWITH_URL=

-# nostr (NIP-57 zap receipts)
-NOSTR_PRIVATE_KEY=
-
-###############
-# LEAVE AS IS #
-###############
+#########################
+# SNDEV STUFF WE PRESET #
+#########################

 # static things
 NEXTAUTH_URL=http://localhost:3000/api/auth
@ -72,6 +64,16 @@ NEXTAUTH_SECRET=3_0W_PhDRZVanbeJsZZGIEljexkKoGbL6qGIqSwTjjI
 JWT_SIGNING_PRIVATE_KEY={"kty":"oct","kid":"FvD__hmeKoKHu2fKjUrWbRKfhjimIM4IKshyrJG4KSM","alg":"HS512","k":"3_0W_PhDRZVanbeJsZZGIEljexkKoGbL6qGIqSwTjjI"}
 INVOICE_HMAC_KEY=a4c1d9c81edb87b79d28809876a18cf72293eadb39f92f3f4f2f1cfbdf907c91

+# lnd
+# xxd -p -c0 docker/lnd/sn/macaroons/admin.macaroon
+LND_CERT=2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494943516a43434165696741774942416749516139493834682b48653350385a437541525854554d54414b42676771686b6a4f50515144416a41344d5238770a485159445651514b45785a73626d5167595856306232646c626d56795958526c5a43426a5a584a304d5255774577594456515144457778694e6a41785a5749780a4d474d354f444d774868634e4d6a51774d7a41334d5463774d6a45355768634e4d6a55774e5441794d5463774d6a4535576a41344d523877485159445651514b0a45785a73626d5167595856306232646c626d56795958526c5a43426a5a584a304d5255774577594456515144457778694e6a41785a5749784d474d354f444d770a5754415442676371686b6a4f5051494242676771686b6a4f50514d4242774e4341415365596a4b62542b4a4a4a37624b6770677a6d6c3278496130364e3174680a2f4f7033533173382b4f4a41387836647849682f326548556b4f7578675a36703549434b496f375a544c356a5963764375793941334b6e466f3448544d4948510a4d41344741315564447745422f775145417749437044415442674e56485355454444414b4267677242674546425163444154415042674e5648524d42416638450a425441444151482f4d4230474131556444675157424252545756796e653752786f747568717354727969466d6a36736c557a423542674e5648524545636a42770a676778694e6a41785a5749784d474d354f444f4343577876593246736147397a64494947633235666247356b6768526f62334e304c6d52765932746c636935700a626e526c636d356862494945645735706549494b64573570654842685932746c64494948596e566d59323975626f6345667741414159635141414141414141410a41414141414141414141414141596345724273414254414b42676771686b6a4f5051514441674e4941444246416945413873616c4a667134476671465557532f0a35347a335461746c6447736673796a4a383035425a5263334f326f434943794e6e3975716976566f5575365935345143624c3966394c575779547a516e61616e0a656977482f51696b0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a
+LND_MACAROON=0201036c6e6402f801030a10206f3a63d5bf8355755851ace460077d1201301a160a0761646472657373120472656164120577726974651a130a04696e666f120472656164120577726974651a170a08696e766f69636573120472656164120577726974651a210a086d616361726f6f6e120867656e6572617465120472656164120577726974651a160a076d657373616765120472656164120577726974651a170a086f6666636861696e120472656164120577726974651a160a076f6e636861696e120472656164120577726974651a140a057065657273120472656164120577726974651a180a067369676e6572120867656e657261746512047265616400000620bc992b1c727644c462370b69a3dd39575666f3a7ac9ec120c97e3e7906dc4cb2
+LND_SOCKET=sn_lnd:10009
+
+# nostr (NIP-57 zap receipts)
+# openssl rand -hex 32
+NOSTR_PRIVATE_KEY=5f30b7e7714360f51f2be2e30c1d93b7fdf67366e730658e85777dfcc4e4245f
+
 # imgproxy options
 IMGPROXY_ENABLE_WEBP_DETECTION=1
 IMGPROXY_ENABLE_AVIF_DETECTION=1
--- a/.gitignore
+++ b/.gitignore
@ -20,7 +20,6 @@ node_modules/
 .DS_Store
 *.pem
 /*.sql
-!/anon.sql
 lnbits/

 # debug
--- a/4
+++ b/4
@ -8,4 +8,6 @@ WORKDIR /app

 EXPOSE 3000

-CMD ["sh","-c","npm ci --loglevel verbose --legacy-peer-deps && npx prisma migrate dev && npm run dev"]
+COPY package.json package-lock.json ./
+RUN npm ci --legacy-peer-deps --loglevel verbose
+CMD ["sh","-c","npm install --loglevel verbose --legacy-peer-deps && npx prisma migrate dev && npm run dev"]
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -2,7 +2,7 @@ version: "3"
 services:
  db:
    container_name: db
-    build: ./db
+    build: ./docker/db
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "PGPASSWORD=${POSTGRES_PASSWORD} psql -U ${POSTGRES_USER} ${POSTGRES_DB} -c 'SELECT 1 FROM users LIMIT 1'"]
@ -15,9 +15,9 @@ services:
    ports:
      - "5431:5432"
    env_file:
-      - ./.env.sndev
+      - .env.sndev
    volumes:
-      - ./anon.sql:/docker-entrypoint-initdb.d/anon.sql
+      - ./docker/db/seed.sql:/docker-entrypoint-initdb.d/seed.sql
      - db:/var/lib/postgresql/data
  app:
    container_name: app
@ -37,7 +37,7 @@ services:
        condition: service_healthy
        restart: true
    env_file:
-      - ./.env.sndev
+      - .env.sndev
    expose:
      - "3000"
    ports:
@ -63,7 +63,7 @@ services:
        condition: service_healthy
        restart: true
    env_file:
-      - ./.env.sndev
+      - .env.sndev
    volumes:
      - ./:/app
    links:
@ -85,7 +85,7 @@ services:
      start_period: 1m
    restart: unless-stopped
    env_file:
-      - ./.env.sndev
+      - .env.sndev
    ports:
      - "3001:8080"
    links:
@ -101,7 +101,7 @@ services:
      start_period: 1m
    restart: unless-stopped
    env_file:
-      - ./.env.sndev
+      - .env.sndev
    environment:
      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=mVchg1T5oA9wudUh
    ports:
@ -131,7 +131,7 @@ services:
        condition: service_healthy
        restart: true
    env_file:
-      - ./.env.sndev
+      - .env.sndev
    environment:
      - opensearch.ssl.verificationMode=none
      - OPENSEARCH_HOSTS=http://opensearch:9200
@ -195,7 +195,7 @@ services:
        condition: service_healthy
        restart: true
    env_file:
-      - ./.env.sndev
+      - .env.sndev
    command:
      - 'lnd'
      - '--noseedbackup'
@ -222,6 +222,9 @@ services:
      - "${LND_GRPC_PORT}:${LND_GRPC_PORT}"
    volumes:
      - sn_lnd:/home/lnd/.lnd
+      - ./docker/lnd/sn/macaroons/macaroons.db:/home/lnd/.lnd/data/chain/bitcoin/regtest/macaroons.db
+      - ./docker/lnd/sn/tls.cert:/home/lnd/.lnd/tls.cert
+      - ./docker/lnd/sn/tls.key:/home/lnd/.lnd/tls.key
  stacker_lnd:
    image: polarlightning/lnd:0.17.4-beta
    container_name: stacker_lnd
@ -237,14 +240,14 @@ services:
        condition: service_healthy
        restart: true
    env_file:
-      - ./.env.sndev
+      - .env.sndev
    command:
      - 'lnd'
      - '--noseedbackup'
      - '--trickledelay=5000'
-      - '--alias=sn_lnd'
-      - '--externalip=sn_lnd'
-      - '--tlsextradomain=sn_lnd'
+      - '--alias=stacker_lnd'
+      - '--externalip=stacker_lnd'
+      - '--tlsextradomain=stacker_lnd'
      - '--tlsextradomain=host.docker.internal'
      - '--listen=0.0.0.0:${STACKER_LND_P2P_PORT}'
      - '--rpclisten=0.0.0.0:${STACKER_LND_GRPC_PORT}'
@ -262,8 +265,13 @@ services:
    ports:
      - "${STACKER_LND_REST_PORT}:${STACKER_LND_REST_PORT}"
      - "${STACKER_LND_GRPC_PORT}:${STACKER_LND_GRPC_PORT}"
+    volumes:
+      - stacker_lnd:/home/lnd/.lnd
+      - ./docker/lnd/stacker/tls.cert:/home/lnd/.lnd/tls.cert
+      - ./docker/lnd/stacker/tls.key:/home/lnd/.lnd/tls.key
 volumes:
  db:
  os:
  bitcoin:
  sn_lnd:
+  stacker_lnd:
--- a/docker/db/Dockerfile
+++ b/docker/db/Dockerfile
--- a/docker/db/seed.sql
+++ b/docker/db/seed.sql
--- a/docker/lnd/README.md
+++ b/docker/lnd/README.md
@ -0,0 +1,3 @@
+We assume control of certs so that the app container doesn't need to inspect lnd for these things.
+
+For the admin.macaroon, we do the same but we also need to store `macaroons.db` because it contains the master key.
--- a/docker/lnd/sn/macaroons/admin.macaroon
+++ b/docker/lnd/sn/macaroons/admin.macaroon
--- a/docker/lnd/sn/macaroons/macaroons.db
+++ b/docker/lnd/sn/macaroons/macaroons.db
--- a/docker/lnd/sn/tls.cert
+++ b/docker/lnd/sn/tls.cert
@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICQjCCAeigAwIBAgIQa9I84h+He3P8ZCuARXTUMTAKBggqhkjOPQQDAjA4MR8w
+HQYDVQQKExZsbmQgYXV0b2dlbmVyYXRlZCBjZXJ0MRUwEwYDVQQDEwxiNjAxZWIx
+MGM5ODMwHhcNMjQwMzA3MTcwMjE5WhcNMjUwNTAyMTcwMjE5WjA4MR8wHQYDVQQK
+ExZsbmQgYXV0b2dlbmVyYXRlZCBjZXJ0MRUwEwYDVQQDEwxiNjAxZWIxMGM5ODMw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASeYjKbT+JJJ7bKgpgzml2xIa06N1th
+/Op3S1s8+OJA8x6dxIh/2eHUkOuxgZ6p5ICKIo7ZTL5jYcvCuy9A3KnFo4HTMIHQ
+MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBRTWVyne7RxotuhqsTryiFmj6slUzB5BgNVHREEcjBw
+ggxiNjAxZWIxMGM5ODOCCWxvY2FsaG9zdIIGc25fbG5kghRob3N0LmRvY2tlci5p
+bnRlcm5hbIIEdW5peIIKdW5peHBhY2tldIIHYnVmY29ubocEfwAAAYcQAAAAAAAA
+AAAAAAAAAAAAAYcErBsABTAKBggqhkjOPQQDAgNIADBFAiEA8salJfq4GfqFUWS/
+54z3TatldGsfsyjJ805BZRc3O2oCICyNn9uqivVoUu6Y54QCbL9f9LWWyTzQnaan
+eiwH/Qik
+-----END CERTIFICATE-----
--- a/docker/lnd/sn/tls.key
+++ b/docker/lnd/sn/tls.key
@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIPw/v7CND3euIqjULW5tCnD5tve0L0E0N8dBtRkJM3u2oAoGCCqGSM49
+AwEHoUQDQgAEnmIym0/iSSe2yoKYM5pdsSGtOjdbYfzqd0tbPPjiQPMencSIf9nh
+1JDrsYGeqeSAiiKO2Uy+Y2HLwrsvQNypxQ==
+-----END EC PRIVATE KEY-----
--- a/docker/lnd/stacker/tls.cert
+++ b/docker/lnd/stacker/tls.cert
@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICRzCCAe2gAwIBAgIQc06vWIBuP9uKeQNHKbFllDAKBggqhkjOPQQDAjA4MR8w
+HQYDVQQKExZsbmQgYXV0b2dlbmVyYXRlZCBjZXJ0MRUwEwYDVQQDEww4Y2M4NDFk
+MjY2MzgwHhcNMjQwMzA3MTcwMjE5WhcNMjUwNTAyMTcwMjE5WjA4MR8wHQYDVQQK
+ExZsbmQgYXV0b2dlbmVyYXRlZCBjZXJ0MRUwEwYDVQQDEww4Y2M4NDFkMjY2Mzgw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQT/nwvMHaVCfdVaeIgv8MKS+SHAS9c
+Elif7Xqa7qsVvPiW7Vnh4MDVEBlM5rg0nkaH6V17sCC3rse/OqPLfVY1o4HYMIHV
+MA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8E
+BTADAQH/MB0GA1UdDgQWBBQmamVn/KcRqHoNR9dk9C1g2M+jSTB+BgNVHREEdzB1
+ggw4Y2M4NDFkMjY2MziCCWxvY2FsaG9zdIILc3RhY2tlcl9sbmSCFGhvc3QuZG9j
+a2VyLmludGVybmFsggR1bml4ggp1bml4cGFja2V0ggdidWZjb25uhwR/AAABhxAA
+AAAAAAAAAAAAAAAAAAABhwSsGwAGMAoGCCqGSM49BAMCA0gAMEUCIFD273WBcMKz
+UPoOL8bwq15JXtrSGePKpAeN1TblY4Q5AiEAvKtuk+ssx9WQFZBEiWxCSjW5geKk
+6HB7TdxsU+ZbfLg=
+-----END CERTIFICATE-----
--- a/docker/lnd/stacker/tls.key
+++ b/docker/lnd/stacker/tls.key
@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIOxH9uY8mpnlo/X5gRAAVOzOuEPIAOuHHlezkba3vIuHoAoGCCqGSM49
+AwEHoUQDQgAEE/58LzB2lQn3VWniIL/DCkvkhwEvXBJYn+16mu6rFbz4lu1Z4eDA
+1RAZTOa4NJ5Gh+lde7Agt67Hvzqjy31WNQ==
+-----END EC PRIVATE KEY-----
--- a/10
+++ b/10
@ -1,5 +1,9 @@
 #!/bin/sh

+docker__compose() {
+  command docker compose --env-file .env.sndev "$@"
+}
+
 sndev__start() {
  if [ ! -x "$(command -v docker-compose)" ]; then
    echo "docker compose is not installed"
@ -14,17 +18,17 @@ sndev__start() {
  fi

  echo "Starting application"
-  docker compose --env-file .env.sndev up --build
+  docker__compose up --build
 }

 sndev__stop() {
  echo "Stopping application"
-  docker compose --env-file .env.sndev down
+  docker__compose down
 }

 sndev__delete() {
  echo "Deleting application"
-  docker compose --env-file .env.sndev down --volumes --remove-orphans
+  docker__compose down --volumes --remove-orphans
 }

 sndev__help() {