Merge #469: lnd: Use lndinit for wallet creation

a4a5c72 lnd: use `lndinit` for wallet creation (Erik Arvstedt)
e793a34 lndinit: init at 0.1.3-beta (Erik Arvstedt)

Pull request description:

ACKs for top commit:
  nixbitcoin:
    ACK a4a5c72
  jonasnick:
    utACK a4a5c72

Tree-SHA512: 5295c1014a5b7bed4b7347b2d671fd877fd719323ea5156bd3bcff6ec94004949f22a9d0698fcc1de925855d36d81d9ea0148dbf0c079ab77e5437a9f53b2bb8

Author: jonasnick

modules/lnd.nix

@@ -126,6 +126,7 @@ let
   nbLib = config.nix-bitcoin.lib;
   secretsDir = config.nix-bitcoin.secretsDir;
   runAsUser = config.nix-bitcoin.runAsUserCmd;
+  lndinit = "${config.nix-bitcoin.pkgs.lndinit}/bin/lndinit";
 
   bitcoind = config.services.bitcoind;
 
@@ -202,6 +203,21 @@ in {
             echo "externalip=$(${cfg.getPublicAddressCmd})"
           ''}
         } >> '${cfg.dataDir}/lnd.conf'
+
+        if [[ ! -f ${networkDir}/wallet.db ]]; then
+          mnemonic='${cfg.dataDir}/lnd-seed-mnemonic'
+
+          if [[ ! -f "$mnemonic" ]]; then
+            echo "Create lnd seed"
+            (umask u=r,go=; ${lndinit} gen-seed > "$mnemonic")
+          fi
+
+          echo "Create lnd wallet"
+          ${lndinit} -v init-wallet \
+            --file.seed="$mnemonic" \
+            --file.wallet-password='${secretsDir}/lnd-wallet-password' \
+            --init-file.output-wallet-dir='${cfg.networkDir}'
+        fi
       '';
       serviceConfig = nbLib.defaultHardening // {
         Type = "notify";
@@ -210,8 +226,7 @@ in {
         ExecStart = ''
           ${cfg.package}/bin/lnd \
             --configfile="${cfg.dataDir}/lnd.conf" \
-            --wallet-unlock-password-file="${secretsDir}/lnd-wallet-password" \
-            --wallet-unlock-allow-create
+            --wallet-unlock-password-file="${secretsDir}/lnd-wallet-password"
         '';
         User = cfg.user;
         TimeoutSec = "15min";
@@ -221,33 +236,9 @@ in {
         ExecStartPost = let
           curl = "${pkgs.curl}/bin/curl -s --show-error --cacert ${cfg.certPath}";
           restUrl = "https://${nbLib.addressWithPort cfg.restAddress cfg.restPort}/v1";
-        in [
-          (nbLib.script "lnd-create-wallet" ''
-            if [[ ! -f ${networkDir}/wallet.db ]]; then
-              mnemonic="${cfg.dataDir}/lnd-seed-mnemonic"
-              if [[ ! -f "$mnemonic" ]]; then
-                echo "Create lnd seed"
-                umask u=r,go=
-                ${curl} -X GET ${restUrl}/genseed | ${pkgs.jq}/bin/jq -c '.cipher_seed_mnemonic' > "$mnemonic"
-              fi
-
-              echo "Create lnd wallet"
-              ${curl} --output /dev/null \
-                -X POST -d "{\"wallet_password\": \"$(cat ${secretsDir}/lnd-wallet-password | tr -d '\n' | base64 -w0)\", \
-                \"cipher_seed_mnemonic\": $(cat "$mnemonic" | tr -d '\n')}" \
-                ${restUrl}/initwallet
-
-              echo "Wait until wallet is created"
-              getStatus() {
-                /run/current-system/systemd/bin/systemctl show -p StatusText lnd | cut -f 2 -d=
-              }
-              while [[ $(getStatus) == "Wallet locked" ]]; do
-                sleep 0.1
-              done
-            fi
-          '')
+        in
           # Setting macaroon permissions for other users needs root permissions
-          (nbLib.rootScript "lnd-create-macaroons" ''
+          nbLib.rootScript "lnd-create-macaroons" ''
             umask ug=r,o=
             ${lib.concatMapStrings (macaroon: ''
               echo "Create custom macaroon ${macaroon}"
@@ -260,8 +251,7 @@ in {
                 ${pkgs.jq}/bin/jq -c '.macaroon' | ${pkgs.xxd}/bin/xxd -p -r > "$macaroonPath"
               chown ${cfg.macaroons.${macaroon}.user}: "$macaroonPath"
             '') (attrNames cfg.macaroons)}
-          '')
-        ];
+          '';
       } // nbLib.allowedIPAddresses cfg.tor.enforce;
     };
 

pkgs/default.nix

@@ -10,6 +10,7 @@ let self = {
   clboss = pkgs.callPackage ./clboss { };
   clightning-plugins = pkgs.recurseIntoAttrs (import ./clightning-plugins pkgs self.nbPython3Packages);
   joinmarket = pkgs.callPackage ./joinmarket { inherit (self) nbPython3Packages; };
+  lndinit = pkgs.callPackage ./lndinit { };
   liquid-swap = pkgs.python3Packages.callPackage ./liquid-swap { };
   rtl = pkgs.callPackage ./rtl { };
   # The secp256k1 version used by joinmarket

pkgs/lndinit/default.nix

@@ -0,0 +1,24 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+
+buildGoModule rec {
+  pname = "lndinit";
+  version = "0.1.3-beta";
+
+  src = fetchFromGitHub {
+    owner = "lightninglabs";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-sO1DpbppCurxr9g9nUl9Vx82FJK1mTcUw3rY1Fm1wEU=";
+  };
+
+  vendorSha256 = "sha256-xdxxixSabcuGzwCctHrP/RV/Z8sCQDmk2PU4j1u8MX8=";
+
+  subPackages = [ "." ];
+
+  meta = with lib; {
+    description = "Wallet initializer utility for lnd";
+    homepage = "https://github.com/lightninglabs/lndinit";
+    license = licenses.mit;
+    maintainers = with maintainers; [ earvstedt ];
+  };
+}

pkgs/lndinit/get-sha256.sh

@@ -0,0 +1,26 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p git gnupg curl jq
+set -euo pipefail
+
+TMPDIR="$(mktemp -d -p /tmp)"
+trap "rm -rf $TMPDIR" EXIT
+cd $TMPDIR
+
+echo "Fetching latest release"
+repo=lightninglabs/lndinit
+latest=$(curl -s --show-error https://api.github.com/repos/$repo/releases/latest | jq -r .tag_name)
+echo "Latest release is $latest"
+git clone --depth 1 --branch $latest https://github.com/lightninglabs/lndinit 2>/dev/null
+cd lndinit
+
+# GPG verification
+export GNUPGHOME=$TMPDIR
+echo "Fetching Oliver Gugger's key"
+gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys F4FC70F07310028424EFC20A8E4256593F177720 2> /dev/null
+echo "Verifying latest release"
+git verify-tag $latest
+
+echo "tag: $latest"
+git checkout -q tags/$latest
+rm -rf .git
+nix hash path .