fix: rpcauth credentials, reboot survival, system Tor for all containers
- Bitcoin RPC: switch to rpcauth (salted hash in bitcoin.conf, no plaintext in config or CLI). Password stable across reboots/restarts/deploys.
- Remove daily-reboot-test.sh cron on both servers
- Enable podman-restart.service for container auto-start after reboot
- System Tor: SocksPort 0.0.0.0:9050 with SocksPolicy for container access
- LND: tor.socks=host.containers.internal:9050 (system Tor, not container)
- Bitcoin: -proxy=host.containers.internal:9050 for Tor outbound
- bitcoin_rpc.rs: reads from secrets file, cached, stable credentials
- package.rs: dynamic rpc_user/rpc_pass, rpcauth hash generation
- network.rs: fix missing send_to_peer args (mesh encryption update)
- first-boot-containers.sh: rpcauth generation, system Tor config
- deploy-to-target.sh: rpcauth credentials, LND config migration
- Mesh: encrypted channel message support (ChaCha20-Poly1305 updates)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -35,16 +35,43 @@ wait_for_container() {
|
||||
return 1
|
||||
}
|
||||
|
||||
# Generate per-installation credentials if not already saved
|
||||
# rpcauth: password hash in bitcoin.conf, plaintext in secrets file only.
|
||||
# Credentials are STABLE across reboots, restarts, and deploys.
|
||||
SECRETS_DIR="/var/lib/archipelago/secrets"
|
||||
mkdir -p "$SECRETS_DIR" && chmod 700 "$SECRETS_DIR"
|
||||
if [ ! -f "$SECRETS_DIR/bitcoin-rpc-password" ]; then
|
||||
openssl rand -base64 24 > "$SECRETS_DIR/bitcoin-rpc-password"
|
||||
openssl rand -hex 16 > "$SECRETS_DIR/bitcoin-rpc-password"
|
||||
chmod 600 "$SECRETS_DIR/bitcoin-rpc-password"
|
||||
fi
|
||||
BITCOIN_RPC_USER="archipelago"
|
||||
BITCOIN_RPC_PASS=$(cat "$SECRETS_DIR/bitcoin-rpc-password")
|
||||
|
||||
# Generate rpcauth line for bitcoin.conf (salted HMAC-SHA256 hash)
|
||||
generate_rpcauth() {
|
||||
local user="$1" pass="$2"
|
||||
local salt=$(openssl rand -hex 16)
|
||||
local hash=$(echo -n "$pass" | openssl dgst -sha256 -hmac "$salt" -hex 2>/dev/null | awk '{print $NF}')
|
||||
echo "${user}:${salt}\$${hash}"
|
||||
}
|
||||
|
||||
# Write bitcoin.conf with rpcauth if not exists or needs update
|
||||
BITCOIN_CONF="/var/lib/archipelago/bitcoin/bitcoin.conf"
|
||||
if [ ! -f "$BITCOIN_CONF" ] || ! grep -q "^rpcauth=" "$BITCOIN_CONF" 2>/dev/null; then
|
||||
mkdir -p /var/lib/archipelago/bitcoin
|
||||
RPCAUTH=$(generate_rpcauth "$BITCOIN_RPC_USER" "$BITCOIN_RPC_PASS")
|
||||
cat > "$BITCOIN_CONF" << BTCCONF
|
||||
# rpcauth: salted hash only — no plaintext password in config or CLI
|
||||
rpcauth=${RPCAUTH}
|
||||
server=1
|
||||
rpcbind=0.0.0.0
|
||||
rpcallowip=0.0.0.0/0
|
||||
rpcport=8332
|
||||
listen=1
|
||||
printtoconsole=1
|
||||
BTCCONF
|
||||
log "Generated bitcoin.conf with rpcauth (no plaintext credentials)"
|
||||
fi
|
||||
|
||||
# Generate per-installation database passwords if not already saved
|
||||
for svc in mempool btcpay immich penpot mysql-root; do
|
||||
if [ ! -f "$SECRETS_DIR/${svc}-db-password" ]; then
|
||||
@@ -226,8 +253,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -qE 'bitcoin-knots|arch
|
||||
docker.io/bitcoinknots/bitcoin:latest \
|
||||
-server=1 $BTC_EXTRA_ARGS \
|
||||
-rpcallowip=0.0.0.0/0 -rpcbind=0.0.0.0:8332 \
|
||||
-rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS \
|
||||
-proxy=127.0.0.1:9050 -listen=1 -bind=0.0.0.0:8333 \
|
||||
-proxy=host.containers.internal:9050 -listen=1 -bind=0.0.0.0:8333 \
|
||||
-dbcache=$BTC_DBCACHE 2>>"$LOG"; then
|
||||
log "Bitcoin Knots started"
|
||||
else
|
||||
@@ -237,7 +263,7 @@ else
|
||||
$DOCKER network connect archy-net bitcoin-knots 2>/dev/null || true
|
||||
log "Bitcoin Knots already running"
|
||||
fi
|
||||
# Wait for Bitcoin Knots RPC to be responsive (LND, NBXplorer, mempool depend on it)
|
||||
# Wait for Bitcoin Knots RPC to be responsive
|
||||
wait_for_container "Bitcoin Knots RPC" "$DOCKER exec bitcoin-knots bitcoin-cli -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS getblockchaininfo" 60
|
||||
|
||||
# Ensure wallet exists (Bitcoin Knots no longer auto-creates a default wallet)
|
||||
@@ -270,7 +296,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q electrumx; then
|
||||
mkdir -p /var/lib/archipelago/electrumx
|
||||
$DOCKER run -d --name electrumx --restart unless-stopped --memory=$(mem_limit electrumx) --network archy-net \
|
||||
-p 50001:50001 -v /var/lib/archipelago/electrumx:/data \
|
||||
-e DAEMON_URL=http://$BITCOIN_RPC_USER:$BITCOIN_RPC_PASS@bitcoin-knots:8332/ \
|
||||
-e "DAEMON_URL=http://$BITCOIN_RPC_USER:$BITCOIN_RPC_PASS@bitcoin-knots:8332/" \
|
||||
-e COIN=Bitcoin -e DB_DIRECTORY=/data \
|
||||
-e SERVICES=tcp://:50001,rpc://0.0.0.0:8000 \
|
||||
docker.io/lukechilds/electrumx:v1.18.0 2>>"$LOG" || true
|
||||
@@ -284,7 +310,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q mempool-api; then
|
||||
-p 8999:8999 -v /var/lib/archipelago/mempool:/data \
|
||||
-e MEMPOOL_BACKEND=electrum -e ELECTRUM_HOST=electrumx -e ELECTRUM_PORT=50001 \
|
||||
-e ELECTRUM_TLS_ENABLED=false -e CORE_RPC_HOST="$TARGET_IP" -e CORE_RPC_PORT=8332 \
|
||||
-e CORE_RPC_USERNAME=$BITCOIN_RPC_USER -e CORE_RPC_PASSWORD=$BITCOIN_RPC_PASS \
|
||||
-e "CORE_RPC_USERNAME=$BITCOIN_RPC_USER" -e "CORE_RPC_PASSWORD=$BITCOIN_RPC_PASS" \
|
||||
-e DATABASE_ENABLED=true -e DATABASE_HOST="$MYSQL_CNT" -e DATABASE_DATABASE=mempool \
|
||||
-e DATABASE_USERNAME=mempool -e DATABASE_PASSWORD=$MEMPOOL_DB_PASS \
|
||||
docker.io/mempool/backend:v2.5.0 2>>"$LOG" || true
|
||||
@@ -358,7 +384,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q btcpay-server; then
|
||||
-e BTCPAY_HOST="$TARGET_IP:23000" -e BTCPAY_CHAINS=btc \
|
||||
-e BTCPAY_BTCEXPLORERURL=http://archy-nbxplorer:32838 \
|
||||
-e BTCPAY_BTCRPCURL=http://bitcoin-knots:8332 \
|
||||
-e BTCPAY_BTCRPCUSER=$BITCOIN_RPC_USER -e BTCPAY_BTCRPCPASSWORD=$BITCOIN_RPC_PASS \
|
||||
-e "BTCPAY_BTCRPCUSER=$BITCOIN_RPC_USER" -e "BTCPAY_BTCRPCPASSWORD=$BITCOIN_RPC_PASS" \
|
||||
-e BTCPAY_POSTGRES='User ID=btcpay;Password=$BTCPAY_DB_PASS;Host=archy-btcpay-db;Port=5432;Database=btcpay;Include Error Detail=true' \
|
||||
docker.io/btcpayserver/btcpayserver:1.13.5 2>>"$LOG" || true
|
||||
fi
|
||||
@@ -371,7 +397,7 @@ sleep 5 # Let databases stabilize
|
||||
if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -qE '^lnd$'; then
|
||||
log "Creating LND..."
|
||||
mkdir -p /var/lib/archipelago/lnd
|
||||
# Create lnd.conf so LND auto-connects to Bitcoin Knots via archy-net
|
||||
# Create lnd.conf with rpcauth credentials (stable across restarts)
|
||||
if [ ! -f /var/lib/archipelago/lnd/lnd.conf ]; then
|
||||
cat > /var/lib/archipelago/lnd/lnd.conf <<LNDCONF
|
||||
[Application Options]
|
||||
@@ -381,7 +407,7 @@ restlisten=0.0.0.0:8080
|
||||
debuglevel=info
|
||||
noseedbackup=true
|
||||
tor.active=true
|
||||
tor.socks=127.0.0.1:9050
|
||||
tor.socks=host.containers.internal:9050
|
||||
tor.streamisolation=true
|
||||
|
||||
[Bitcoin]
|
||||
@@ -390,7 +416,7 @@ bitcoin.node=bitcoind
|
||||
|
||||
[Bitcoind]
|
||||
bitcoind.rpchost=bitcoin-knots:8332
|
||||
bitcoind.rpcuser=archipelago
|
||||
bitcoind.rpcuser=$BITCOIN_RPC_USER
|
||||
bitcoind.rpcpass=$BITCOIN_RPC_PASS
|
||||
bitcoind.rpcpolling=true
|
||||
bitcoind.estimatemode=ECONOMICAL
|
||||
@@ -398,7 +424,7 @@ bitcoind.estimatemode=ECONOMICAL
|
||||
[autopilot]
|
||||
autopilot.active=false
|
||||
LNDCONF
|
||||
log "LND config created (archy-net → bitcoin-knots:8332, rpcpolling)"
|
||||
log "LND config created (rpcauth credentials, Tor via system)"
|
||||
fi
|
||||
$DOCKER run -d --name lnd --restart unless-stopped --memory=$(mem_limit lnd) --network archy-net \
|
||||
--cap-drop ALL --cap-add CHOWN --cap-add FOWNER --cap-add SETUID --cap-add SETGID --cap-add DAC_OVERRIDE \
|
||||
@@ -417,7 +443,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q fedimint; then
|
||||
--security-opt no-new-privileges:true \
|
||||
-p 8173:8173 -p 8174:8174 -p 8175:8175 \
|
||||
-v /var/lib/archipelago/fedimint:/data \
|
||||
-e FM_DATA_DIR=/data -e FM_BITCOIND_USERNAME=$BITCOIN_RPC_USER -e FM_BITCOIND_PASSWORD=$BITCOIN_RPC_PASS \
|
||||
-e FM_DATA_DIR=/data -e "FM_BITCOIND_USERNAME=$BITCOIN_RPC_USER" -e "FM_BITCOIND_PASSWORD=$BITCOIN_RPC_PASS" \
|
||||
-e FM_BITCOIN_NETWORK=bitcoin -e FM_BIND_P2P=0.0.0.0:8173 \
|
||||
-e FM_BIND_API=0.0.0.0:8174 -e FM_BIND_UI=0.0.0.0:8175 \
|
||||
-e FM_P2P_URL=fedimint://"$TARGET_IP":8173 -e FM_API_URL=ws://"$TARGET_IP":8174 \
|
||||
@@ -445,7 +471,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q fedimint-gateway; th
|
||||
gatewayd --data-dir /data --listen 0.0.0.0:8176 \
|
||||
--bcrypt-password-hash "$FEDI_HASH" \
|
||||
--network bitcoin --bitcoind-url http://"$TARGET_IP":8332 \
|
||||
--bitcoind-username $BITCOIN_RPC_USER --bitcoind-password $BITCOIN_RPC_PASS \
|
||||
--bitcoind-username "$BITCOIN_RPC_USER" --bitcoind-password "$BITCOIN_RPC_PASS" \
|
||||
lnd --lnd-rpc-host "$TARGET_IP":10009 --lnd-tls-cert /lnd/tls.cert --lnd-macaroon /lnd/admin.macaroon 2>>"$LOG" || true
|
||||
else
|
||||
log " No LND found — using ldk (built-in Lightning)"
|
||||
@@ -458,7 +484,7 @@ if ! $DOCKER ps --format '{{.Names}}' 2>/dev/null | grep -q fedimint-gateway; th
|
||||
gatewayd --data-dir /data --listen 0.0.0.0:8176 \
|
||||
--bcrypt-password-hash "$FEDI_HASH" \
|
||||
--network bitcoin --bitcoind-url http://"$TARGET_IP":8332 \
|
||||
--bitcoind-username $BITCOIN_RPC_USER --bitcoind-password $BITCOIN_RPC_PASS \
|
||||
--bitcoind-username "$BITCOIN_RPC_USER" --bitcoind-password "$BITCOIN_RPC_PASS" \
|
||||
ldk --ldk-lightning-port 9737 --ldk-alias archipelago-gateway 2>>"$LOG" || true
|
||||
fi
|
||||
fi
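Review bot: The readiness probe `wait_for_container "Bitcoin Knots RPC" "$DOCKER exec bitcoin-knots bitcoin-cli -rpcuser=$BITCOIN_RPC_USER -rpcpassword=$BITCOIN_RPC_PASS getblockchaininfo" 60` still puts the plaintext RPC password on bitcoin-cli's argv, so the "no plaintext password in config or CLI" property the new bitcoin.conf comment claims does not hold for this section (the `-e "...PASSWORD=$BITCOIN_RPC_PASS"` container environments are a pre-existing exposure of the same secret). Since the probe runs inside the bitcoin-knots container against the daemon's own datadir, `bitcoin-cli getblockchaininfo` with no credentials should authenticate via the cookie file bitcoind writes there (assuming the container uses the default datadir — confirm), or `-stdinrpcpass` with the secret piped on stdin keeps it off the process list. Separately, `generate_rpcauth` discards openssl's stderr and never checks the digest, so an openssl failure silently writes `rpcauth=archipelago:<salt>$` with an empty hash and the node becomes unreachable with no log line explaining why; splitting `local hash` from its assignment and adding `[ -n "$hash" ] || return 1` (with the caller checking `RPCAUTH=$(generate_rpcauth ...) || exit 1`) makes that failure visible at first boot.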
|
||||
|
||||