Merge pull request #211 from geco91/master

v1.0 RC1 fixes & enhancements

README.md

@@ -269,6 +269,14 @@ To do so you can register at an DynamicDomain service like freedns.afraid.org, f
 
 You will be asked for your dynamic domain name such like "mynode.crabdance.org" and you can also optionally set an URL that will be called regularly to update your routers IP with the dynnamic domain service. At freedns.afraid.org this URL is called "Direct URL" under the menu "Dynamic DNS" once you added one.
 
+## Auto-unlock LND on startup
+
+This feature is based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_6A_auto-unlock.md
+
+It can be activated under "Services" -> "Auto-unlock LND". Its recommended to be turned on, when DynamicDNS is used. Because on a public IP change of your router, LND gets restarted automatically and without Auto-Unlock it will stay inactive/unreachbale until you manually unlock it.
+
+But keep in mind that when activated, your Password C will be stored on the RaspiBlitz SD card. That lowers your security in (physical) attack scenarios. On an update you would need to re-enter your password C.
+
 ## Get a Debug Report
 
 If your RaspiBlitz is not working right and you like to get help from the community, its good to provide more debug information, so other can better diagnose your problem - please follow the following steps to generate a debug report:
@@ -312,7 +320,7 @@ If you fork the RaspiBlitz repo (much welcome) and you want to run that code on
 
 * The long way: If you like to install/remove/change services and system configurations you need to build a SD card from your own code. Prepare like in `Build the SD Card Image` but in the end run the command:
 
-`wget https://raw.githubusercontent.com/[GITHUB-USERNAME]/raspiblitz/dev/build.sdcard/raspbianStretchDesktop.sh && sudo bash raspbianStretchDesktop.sh [BRANCH] [GITHUB-USERNAME]`
+`wget https://raw.githubusercontent.com/[GITHUB-USERNAME]/raspiblitz/[BRANCH]/build.sdcard/raspbianStretchDesktop.sh && sudo bash raspbianStretchDesktop.sh [BRANCH] [GITHUB-USERNAME]`
 
 ## Update to a new SD Card Release
 

build.sdcard/raspbianStretchDesktop.sh

@@ -10,7 +10,7 @@
 
 echo ""
 echo "*****************************************"
-echo "* RASPIBLITZ SD CARD IMAGE SETUP v0.98  *"
+echo "* RASPIBLITZ SD CARD IMAGE SETUP v0.99  *"
 echo "*****************************************"
 echo ""
 
@@ -438,6 +438,8 @@ sudo -u admin cp -r /home/admin/raspiblitz/home.admin/config.scripts /home/admin
 sudo -u admin chmod +x /home/admin/config.scripts/*.sh
 
 # bash aoutstart for admin
+sudo bash -c "echo '# shortcut commands' >> /home/admin/.bashrc"
+sudo bash -c "echo 'source /home/admin/_commands.sh' >> /home/admin/.bashrc"
 sudo bash -c "echo '# automatically start main menu for admin' >> /home/admin/.bashrc"
 sudo bash -c "echo './00mainMenu.sh' >> /home/admin/.bashrc"
 

home.admin/00infoLCD.sh

@@ -131,7 +131,7 @@ while :
       l2="---> ${message}\n"
       l3="Please keep running until reboot."
       boxwidth=$((${#localip} + 28))
-      dialog --backtitle "RaspiBlitz ${codeVersion} (${state})" --infobox "$l1$l2$l3" 5 ${boxwidth}
+      dialog --backtitle "RaspiBlitz ${codeVersion} (${state}) ${localip}" --infobox "$l1$l2$l3" 5 ${boxwidth}
       sleep 3
       continue
     fi
@@ -178,6 +178,10 @@ while :
         l2="Open: http://${localip}:3000\n"
         l3="Use Password C to unlock\n"
       fi
+      if [ "${autoUnlock}" = "on" ]; then
+        l2="ssh admin@${localip}\n"
+        l3="Waiting for AUTO-UNLOCK"
+      fi
       boxwidth=$((${#localip} + 24))
       dialog --backtitle "RaspiBlitz ${codeVersion} (${localip}) - ${hostname}" --infobox "$l1$l2$l3" 5 ${boxwidth}
       sleep 5

home.admin/00mainMenu.sh

@@ -396,7 +396,9 @@ case $CHOICE in
             ;;   
         X)
             lncli -h
-            echo "SUCH WOW come back with ./00mainMenu.sh"
+            echo "OK you now on the command line."
+            echo "You can return to the main menu with the command:"
+            echo "raspiblitz"
             ;;
         R)
             ./00mainMenu.sh

home.admin/00settingsMenuServices.sh

@@ -4,6 +4,7 @@
 source /mnt/hdd/raspiblitz.conf
 if [ ${#autoPilot} -eq 0 ]; then autoPilot="off"; fi
 if [ ${#autoNatDiscovery} -eq 0 ]; then autoNatDiscovery="off"; fi
+if [ ${#autoUnlock} -eq 0 ]; then autoUnlock="off"; fi
 if [ ${#runBehindTor} -eq 0 ]; then runBehindTor="off"; fi
 if [ ${#rtlWebinterface} -eq 0 ]; then rtlWebinterface="off"; fi
 if [ ${#chain} -eq 0 ]; then chain="main"; fi
@@ -28,6 +29,7 @@ CHOICES=$(dialog --checklist 'Activate/Deactivate Services:' 15 45 7 \
 4 ${dynDomainMenu} ${domainValue} \
 5 'Run behind TOR' ${runBehindTor} \
 6 'RTL Webinterface' ${rtlWebinterface} \
+7 'LND Auto-Unlock' ${autoUnlock} \
 2>&1 >/dev/tty)
 dialogcancel=$?
 clear
@@ -174,9 +176,21 @@ else
   echo "RTL Webinterface Setting unchanged."
 fi
 
+# LND Auto-Unlock
+choice="off"; check=$(echo "${CHOICES}" | grep -c "7")
+if [ ${check} -eq 1 ]; then choice="on"; fi
+if [ "${autoUnlock}" != "${choice}" ]; then
+  echo "LND Autounlock Setting changed .."
+  sudo /home/admin/config.scripts/lnd.autounlock.sh ${choice}
+  needsReboot=1
+else
+  echo "LND Autounlock Setting unchanged."
+fi
+
 if [ ${needsReboot} -eq 1 ]; then
    sleep 2
-   dialog --title 'OK' --msgbox 'System will reboot to activate changes.' 6 26
-   echo "rebooting .."
+   dialog --pause "OK. System will reboot to activate changes." 8 58 8
+   echo "rebooting .. (please wait)"
+   sleep 3
    sudo shutdown -r now
 fi

home.admin/20recoverDialog.sh

@@ -58,10 +58,25 @@ Write them down & store them in a safe place.
       # remove flag that freshly recovered
       sudo rm /home/admin/raspiblitz.recover.info
 
-      # sucess info dialog
-      dialog --backtitle "RaspiBlitz" --msgbox "New SSH password A is '$result'\nFINAL REBOOT IS NEEDED." 6 52
-      sudo shutdown -r now
+      # when auto-unlock is activated then Password C is needed to be restored on SD card
+      if [ "${autoUnlock}" = "on" ]; then
+
+        # reset auto-unlock feature
+        dialog --backtitle "RaspiBlitz - Setup" --msgbox "You had the Auto-Unlock feature enabled.
+
+In the next dialog you need to re-enter your
+ACTUAL/OLD Password C to re-activate the
+Auto-Unlock feature. Enter a empty password
+to deactivate the Auto-Unlock feature.
+" 10 52
+        sudo /home/admin/config.scripts/lnd.autounlock.sh on
+        dialog --backtitle "RaspiBlitz" --msgbox "FINAL REBOOT IS NEEDED." 6 52
+
+      else
+        dialog --backtitle "RaspiBlitz" --msgbox "New SSH password A is '$result'\nFINAL REBOOT IS NEEDED." 6 52
+      fi
 
+      sudo shutdown -r now
     fi
 
   done

home.admin/80scanLND.sh

@@ -58,11 +58,19 @@ if [ ${isInitialChainSync} -gt 0 ]; then
   fi
 else
   heigh=7
-  infoStr=$(echo " Lightning ${action} Blockchain\n Progress: ${scanstate}\n Please wait - this can take some time\n ssh admin@${localip}\n Password A")
-  if [ "$USER" = "admin" ]; then
-    heigh=6
-    width=53
-    infoStr=$(echo " Lightning ${action} Blockchain\n Progress: ${scanstate}\n Please wait - this can take some long time.\n Its OK to close terminal and ssh back in later.")
+  # check if wallet has any UTXO
+  # reason see: https://github.com/lightningnetwork/lnd/issues/2326
+  txlines=$(sudo -u bitcoin lncli listchaintxns 2>/dev/null | wc -l)
+  # has just 4 lines if empty
+  if [ ${txlines} -eq 4 ]; then
+    infoStr=$(echo " Lightning ${action} Blockchain\n Progress: ${scanstate}\n re-rescan every start until funding\n ssh admin@${localip}\n Password A")
+  else
+    infoStr=$(echo " Lightning ${action} Blockchain\n Progress: ${scanstate}\n Please wait - this can take some time\n ssh admin@${localip}\n Password A")
+    if [ "$USER" = "admin" ]; then
+      heigh=6
+      width=53
+      infoStr=$(echo " Lightning ${action} Blockchain\n Progress: ${scanstate}\n Please wait - this can take some long time.\n Its OK to close terminal and ssh back in later.")
+    fi
   fi
 fi
 

home.admin/XXupdateScripts.sh

@@ -20,10 +20,13 @@ else
   echo "USAGE-INFO: ./XXupdateScripts.sh '[BRANCHNAME]'"
 fi
 
+origin=$(git remote -v | grep 'origin' | tail -n1)
+
 echo ""
 echo "*** UPDATING SHELL SCRIPTS FROM GITHUB ***"
 echo "justincase, not the final upadte mechanism"
-echo "BRANCH --> ${activeBranch} <---"
+echo "REPO ----> ${origin}"
+echo "BRANCH --> ${activeBranch}"
 echo "******************************************"
 git pull
 cd ..

home.admin/_background.sh

@@ -3,7 +3,6 @@
 # This script runs on after start in background
 # as a service and gets restarted on failure
 # it runs ALMOST every seconds
-# DEBUG: sudo journalctl -f -u background
 
 # INFOFILE - state data from bootstrap
 infoFile="/home/admin/raspiblitz.info"
@@ -11,12 +10,16 @@ infoFile="/home/admin/raspiblitz.info"
 # CONFIGFILE - configuration of RaspiBlitz
 configFile="/mnt/hdd/raspiblitz.conf"
 
+# LOGS see: sudo journalctl -f -u background
+
 # Check if HDD contains configuration
 configExists=$(ls ${configFile} | grep -c '.conf')
 if [ ${configExists} -eq 1 ]; then
     source ${configFile}
 fi
 
+echo "_background.sh STARTED"
+
 counter=0
 while [ 1 ]
 do
@@ -28,6 +31,9 @@ do
   # count up
   counter=$(($counter+1))
 
+  # gather the uptime seconds
+  upSeconds=$(cat /proc/uptime | grep -o '^[0-9]\+')
+
   ####################################################
   # RECHECK DHCP-SERVER 
   # https://github.com/rootzoll/raspiblitz/issues/160
@@ -80,11 +86,15 @@ do
         sed -i "s/^publicIP=.*/publicIP=${freshPublicIP}/g" ${configFile}
         publicIP=${freshPublicIP}
 
-        # 2) restart the LND
-        echo "restart LND with new environment config"
-        sudo systemctl restart lnd.service
+        # 2) only restart LND if dynDNS is activated
+        # because this signals that user wants "public node"
+        if [ ${#dynDomain} -gt 0 ]; then
+          echo "restart LND with new environment config"
+          # restart and let to auto-unlock (if activated) do the rest
+          sudo systemctl restart lnd.service
+        fi
 
-        # 3) trigger update if dnyamic domain (if set)
+        # 2) trigger update if dnyamic domain (if set)
         updateDynDomain=1
 
       else
@@ -97,6 +107,45 @@ do
 
   fi
 
+  ###############################
+  # LND AUTO-UNLOCK
+  ###############################
+
+  # check every 10secs
+  recheckAutoUnlock=$((($counter % 10)+1))
+  if [ ${recheckAutoUnlock} -eq 1 ]; then
+
+    # check if auto-unlock feature if activated
+    if [ "${autoUnlock}" = "on" ]; then
+
+      # check if lnd is locked
+      locked=$(sudo -u bitcoin /usr/local/bin/lncli --chain=${network} --network=${chain}net getinfo 2>&1 | grep -c unlock)
+      if [ ${locked} -gt 0 ]; then
+
+        echo "STARTING AUTO-UNLOCK ..."
+
+        # building REST command
+        passwordC=$(cat /root/lnd.autounlock.pwd)
+        sudo python /home/admin/config.scripts/lnd.unlock.py $passwordC
+
+        #walletPasswordBase64=$(cat /root/lnd.autounlock.pwd | tr -d '\n' | base64 -w0)
+        #MACAROON_HEADER="Grpc-Metadata-macaroon: $(xxd -ps -u -c 1000 /mnt/hdd/lnd/data/chain/${network}/${chain}net/admin.macaroon)"
+        #POSTDATA="'{ \"wallet_password\":\"${walletPasswordBase64}\" }'"
+        #echo "MACAROON:${MACAROON_HEADER}"
+        #echo "POSTDATA:${POSTDATA}"
+        #command="sudo sh -c "curl -X POST -d ${POSTDATA} --cacert /home/bitcoin/.lnd/tls.cert --header \"$MACAROON_HEADER\" https://localhost:8080/v1/unlockwallet"
+        #echo "COMMAND:${command}"
+        #result=$(echo \"restlisten=\" >> /mnt/hdd/lnd/lnd.conf")
+        #echo "RESULT:${result}"
+
+      else
+        echo "lncli says not locked"
+      fi
+    else
+      echo "auto-unlock is OFF"
+    fi
+  fi
+
   ###############################
   # UPDATE DYNAMIC DOMAIN
   # like afraid.org

home.admin/_commands.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# SHORTCUT COMMANDS you can call as user 'admin' from terminal
+
+# command: raspiblitz
+# calls the the raspiblitz mainmenu
+function raspiblitz() {
+  /home/admin/00mainMenu.sh
+}

home.admin/_version.info

@@ -1,2 +1,2 @@
 # RaspiBlitz Version - always [main].[sub]
-codeVersion="0.98"
+codeVersion="0.99"

home.admin/assets/lnd.bitcoin.conf

@@ -9,8 +9,11 @@ nat=false
 
 # RPC open to all connections on Port 10009
 rpclisten=0.0.0.0:10009
+# REST open to all connections on Port 8080
+restlisten=0.0.0.0:8080
 # Domain, could use https://freedns.afraid.org
 #tlsextradomain=lightning.yourhost.com  
+tlsextraip=0.0.0.0
 
 [Bitcoin]
 bitcoin.active=1

home.admin/assets/lnd.litecoin.conf

@@ -9,8 +9,12 @@ nat=false
 
 # RPC open to all connections on Port 10009
 rpclisten=0.0.0.0:10009
+# REST open to all connections on Port 8080
+restlisten=0.0.0.0:8080
+
 # Domain, could use https://freedns.afraid.org
 #tlsextradomain=lightning.yourhost.com
+tlsextraip=0.0.0.0
 
 [Litecoin]
 litecoin.active=1

home.admin/config.scripts/internet.dyndomain.sh

@@ -110,27 +110,8 @@ if [ "$1" = "0" ] || [ "$1" = "off" ]; then
   echo "DynamicDNS is now OFF"
 fi
 
-echo "deleting TLSCert"
-sudo rm /mnt/hdd/lnd/tls.* 2>/dev/null
-echo "let lnd generate new TLSCert"
-sudo -u bitcoin /usr/local/bin/lnd &>/dev/null &
-echo "wait until generated"
-newCertExists=0
-count=0
-while [ ${newCertExists} -eq 0 ]
-do
-  count=$(($count + 1))
-  echo "(${count}/60) check for cert"
-  if [ ${count} -gt 60 ]; then
-    echo "FAIL - was not able to generate new LND certs"
-    exit 1
-  fi
-  newCertExists=$(sudo ls /mnt/hdd/lnd/tls.cert 2>/dev/null | grep -c '.cert')
-  sleep 2
-done
-sudo killall /usr/local/bin/lnd
-echo "copy new cert to admin user"
-sudo cp /mnt/hdd/lnd/tls.cert /home/admin/.lnd
+# refresh TLS cert
+sudo /home/admin/config.scripts/lnd.newtlscert.sh
 
 echo "may needs reboot to run normal again"
 exit 0

home.admin/config.scripts/lnd.autounlock.sh

@@ -0,0 +1,119 @@
+#!/bin/bash
+
+# command info
+if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
+ echo "small config script to autounlock lnd after restart"
+ echo "lnd.autounlock.sh [on|off] [?passwordC]"
+ exit 1
+fi
+
+# 1. parameter [on|off]
+turn="off"
+if [ "$1" = "1" ] || [ "$1" = "on" ]; then turn="on"; fi
+
+# 2. parameter [?passwordC]
+passwordC=$2
+
+# run interactive if 'turn on' && no further parameters
+if [ "${turn}" = "on" ] && [ ${#passwordC} -eq 0 ]; then
+
+  dialog --backtitle "LND Auto-Unlock" --inputbox "ENTER your PASSWORD C:
+
+For more details see chapter in GitHub README 
+'Auto-unlock LND on startup'
+https://github.com/rootzoll/raspiblitz
+
+Password C will be stored on the device.
+" 13 52 2>./.tmp
+  passwordC=$( cat ./.tmp )
+  
+  # test if empty
+  if [ ${#passwordC} -eq 0 ]; then
+    echo "CANCEL input cannot be empty"
+    sleep 3
+    exit 1
+  fi
+  
+  # test if correct
+  echo "testing password .. please wait"
+  sudo systemctl restart lnd
+  sleep 4
+  result=$(sudo python /home/admin/config.scripts/lnd.unlock.py ${passwordC})
+  invalid=$(echo "${result}" | grep -c 'invalid')
+  if [ ${invalid} -gt 0 ];then
+    echo "PASSWORD C is wrong - try again or cancel"
+    sleep 3
+    sudo /home/admin/config.scripts/lnd.autounlock.sh on
+    exit 1
+  fi
+  shred ./.tmp
+fi
+
+# config file
+configFile="/mnt/hdd/raspiblitz.conf"
+
+# lnd conf file
+lndConfig="/mnt/hdd/lnd/lnd.conf"
+
+# check if config file exists
+configExists=$(ls ${configFile} | grep -c '.conf')
+if [ ${configExists} -eq 0 ]; then
+ echo "FAIL - missing ${configFile}"
+ exit 1
+fi
+
+# make sure entry line for 'autoUnlock' exists 
+entryExists=$(cat ${configFile} | grep -c 'autoUnlock=')
+if [ ${entryExists} -eq 0 ]; then
+  echo "autoUnlock=" >> ${configFile}
+fi
+
+# switch on
+if [ "$1" = "1" ] || [ "$1" = "on" ]; then
+
+  # make sure config values are uncommented
+  sudo sed -i "s/^#restlisten=.*/restlisten=/g" /mnt/hdd/lnd/lnd.conf
+  sudo sed -i "s/^#tlsextraip=.*/tlsextraip=/g" /mnt/hdd/lnd/lnd.conf
+
+  # make sure config values exits
+  exists=$(sudo cat /mnt/hdd/lnd/lnd.conf | grep -c 'restlisten=')
+  if [ ${exists} -eq 0 ]; then
+    sudo sed -n -i 'p;4a restlisten=' /mnt/hdd/lnd/lnd.conf
+  fi
+  exists=$(sudo cat /mnt/hdd/lnd/lnd.conf | grep -c 'tlsextraip')
+  if [ ${exists} -eq 0 ]; then
+    sudo sed -n -i 'p;5a tlsextraip=' /mnt/hdd/lnd/lnd.conf
+  fi
+
+  # set needed config values
+  sudo sed -i "s/^restlisten=.*/restlisten=0.0.0.0:8080/g" /mnt/hdd/lnd/lnd.conf
+  sudo sed -i "s/^tlsextraip=.*/tlsextraip=0.0.0.0/g" /mnt/hdd/lnd/lnd.conf
+
+  # refresh TLS cert
+  sudo /home/admin/config.scripts/lnd.newtlscert.sh
+
+  echo "switching the Auto-Unlock ON"
+
+  # setting value in raspi blitz config
+  sudo sed -i "s/^autoUnlock=.*/autoUnlock=on/g" /mnt/hdd/raspiblitz.conf
+
+  # password C needs to be stored on RaspiBlitz
+  echo "storing password for root in /root/lnd.autounlock.pwd"
+  sudo sh -c "echo \"${passwordC}\" > /root/lnd.autounlock.pwd"
+
+  echo "Auto-Unlock is now ON"
+fi
+
+# switch off
+if [ "$1" = "0" ] || [ "$1" = "off" ]; then
+  echo "switching the Auto-Unlock OFF"
+
+  # setting value in raspi blitz config
+  sudo sed -i "s/^autoUnlock=.*/autoUnlock=off/g" /mnt/hdd/raspiblitz.conf
+
+  # delete password C securly
+  echo "shredding password on RaspiBlitz"
+  sudo shred -u /root/lnd.autounlock.pwd
+
+  echo "Auto-Unlock is now OFF"
+fi

home.admin/config.scripts/lnd.newtlscert.sh

@@ -0,0 +1,29 @@
+
+#!/bin/bash
+
+# stop services
+echo "making sure services are not running"
+sudo systemctl stop lnd 2>/dev/null
+
+echo "deleting TLSCert"
+sudo rm /mnt/hdd/lnd/tls.* 2>/dev/null
+echo "let lnd generate new TLSCert"
+sudo -u bitcoin /usr/local/bin/lnd &>/dev/null &
+echo "wait until generated"
+newCertExists=0
+count=0
+while [ ${newCertExists} -eq 0 ]
+do
+  count=$(($count + 1))
+  echo "(${count}/60) check for cert"
+  if [ ${count} -gt 60 ]; then
+    echo "FAIL - was not able to generate new LND certs"
+    exit 1
+  fi
+  newCertExists=$(sudo ls /mnt/hdd/lnd/tls.cert 2>/dev/null | grep -c '.cert')
+  sleep 2
+done
+sudo killall /usr/local/bin/lnd
+echo "copy new cert to admin user"
+sudo cp /mnt/hdd/lnd/tls.cert /home/admin/.lnd
+echo "OK TLS certs are fresh"

home.admin/config.scripts/lnd.unlock.py

@@ -0,0 +1,9 @@
+# parameter #1: password c to unlock wallet
+import base64, codecs, json, requests, sys
+url = 'https://localhost:8080/v1/unlockwallet'
+cert_path = '/mnt/hdd/lnd/tls.cert'
+data = {
+    'wallet_password': base64.b64encode(sys.argv[1]).decode()
+}
+r = requests.post(url, verify=cert_path, data=json.dumps(data))
+print(r.json())