#2827 improve lnd.service files

added:
ExecStop=/usr/local/bin/lncli -n=${CHAIN} --rpcserver localhost:1${rpcportmod}009 stop
PIDFile=/home/bitcoin/.lnd/${netprefix}lnd.pid
Restart=on-failure # was always
Type=notify # was simple
MemoryDenyWriteExecute=true

Increased timeouts:
TimeoutStartSec=1200
TimeoutStopSec=3600

home.admin/assets/lnd.service

@@ -1,8 +1,11 @@
 # RaspiBlitz: systemd unit for lnd
+# based on https://github.com/lightningnetwork/lnd/blob/master/contrib/init/lnd.service
 
 [Unit]
-Description=LND Lightning Daemon
-Wants=bitcoind.service
+Description=Lightning Network Daemon
+
+# Make sure lnd starts after bitcoind is ready
+Requires=bitcoind.service
 After=bitcoind.service
 
 # for use with sendmail alert
@@ -11,22 +14,47 @@ After=bitcoind.service
 [Service]
 ExecStartPre=-/home/admin/config.scripts/lnd.check.sh prestart mainnet
 ExecStart=/usr/local/bin/lnd --configfile=/home/bitcoin/.lnd/lnd.conf
+ExecStop=/usr/local/bin/lncli stop
 PIDFile=/home/bitcoin/.lnd/lnd.pid
+
 User=bitcoin
 Group=bitcoin
-LimitNOFILE=128000
-Type=simple
-TimeoutSec=180
-Restart=always
+
+# Try restarting lnd if it stops due to a failure
+Restart=on-failure
 RestartSec=60
+
+# Type=notify is required for lnd to notify systemd when it is ready
+Type=notify
+
+# An extended timeout period is needed to allow for database compaction
+# and other time intensive operations during startup. We also extend the
+# stop timeout to ensure graceful shutdowns of lnd.
+TimeoutStartSec=1200
+TimeoutStopSec=3600
+
+LimitNOFILE=128000
 StandardOutput=null
 StandardError=journal
 
-# Hardening measures
-PrivateTmp=true
+# Hardening Measures
+####################
+
+# Mount /usr, /boot/ and /etc read-only for the process.
 ProtectSystem=full
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
 NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
 PrivateDevices=true
 
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+PrivateTmp=true
+
 [Install]
 WantedBy=multi-user.target

home.admin/config.scripts/lnd.install.sh

@@ -275,29 +275,61 @@ bitcoin.node=bitcoind
   # systemd service  
   removeParallelService
   echo "# Create /etc/systemd/system/.lnd.service"
+  # based on https://github.com/lightningnetwork/lnd/blob/master/contrib/init/lnd.service
   echo "
 [Unit]
-Description=LND on $CHAIN
+Description=Lightning Network Daemon on $CHAIN
+
+# Make sure lnd starts after bitcoind is ready
+Requires=${netprefix}bitcoind.service
+After=${netprefix}bitcoind.service
 
 [Service]
-User=bitcoin
-Group=bitcoin
-Type=simple
 EnvironmentFile=/mnt/hdd/raspiblitz.conf
+
 ExecStartPre=-/home/admin/config.scripts/lnd.check.sh prestart ${CHAIN}
 ExecStart=/usr/local/bin/lnd --configfile=/home/bitcoin/.lnd/${netprefix}lnd.conf
-Restart=always
-TimeoutSec=240
-RestartSec=30
+ExecStop=/usr/local/bin/lncli -n=${CHAIN} --rpcserver localhost:1${rpcportmod}009 stop
+PIDFile=/home/bitcoin/.lnd/${netprefix}lnd.pid
+
+User=bitcoin
+Group=bitcoin
+
+# Try restarting lnd if it stops due to a failure
+Restart=on-failure
+RestartSec=60
+
+# Type=notify is required for lnd to notify systemd when it is ready
+Type=notify
+
+# An extended timeout period is needed to allow for database compaction
+# and other time intensive operations during startup. We also extend the
+# stop timeout to ensure graceful shutdowns of lnd.
+TimeoutStartSec=1200
+TimeoutStopSec=3600
+
 StandardOutput=null
 StandardError=journal
 
-# Hardening measures
-PrivateTmp=true
+# Hardening Measures
+####################
+
+# Mount /usr, /boot/ and /etc read-only for the process.
 ProtectSystem=full
+
+# Disallow the process and all of its children to gain
+# new privileges through execve().
 NoNewPrivileges=true
+
+# Use a new /dev namespace only populated with API pseudo devices
+# such as /dev/null, /dev/zero and /dev/random.
 PrivateDevices=true
 
+# Deny the creation of writable and executable memory mappings.
+MemoryDenyWriteExecute=true
+
+PrivateTmp=true
+
 [Install]
 WantedBy=multi-user.target
 " | sudo tee /etc/systemd/system/${netprefix}lnd.service