add groups and script for managing central credentials (e.g. macaroons)

2025-03-27 02:01:53 +01:00 · 2020-04-28 18:59:52 +01:00 · 2020-04-28 18:59:52 +01:00 · 5f6e31ea03
commit 5f6e31ea03
parent ff602000d5
2 changed files with 61 additions and 3 deletions
--- a/build_sdcard.sh
+++ b/build_sdcard.sh
@ -101,7 +101,7 @@ if [ "${baseImage}" = "raspbian" ] || [ "${baseImage}" = "dietpi" ] ; then
  sudo sed -i "s/^    SendEnv LANG LC.*/#   SendEnv LANG LC_*/g" /etc/ssh/ssh_config

  # remove unneccesary files
-  sudo rm -rf /home/pi/MagPi 
+  sudo rm -rf /home/pi/MagPi
 fi

 # remove some (big) packages that are not needed
@ -281,7 +281,7 @@ sudo apt-get install -y fbi
 sudo apt install -y sysbench

 # check for dependencies on DietPi, Ubuntu, Armbian
-sudo apt install -y build-essential 
+sudo apt install -y build-essential
 if [ "${baseImage}" = "armbian" ]; then
  # add armbian config
  sudo apt --fix-broken install -y
@ -330,6 +330,13 @@ echo "*** ADDING SERVICE USER bitcoin"
 sudo adduser --disabled-password --gecos "" bitcoin
 echo "bitcoin:raspiblitz" | sudo chpasswd

+echo ""
+echo "*** ADDING GROUPS FOR CREDENTIALS STORE ***"
+# access to credentials (e.g. macaroon files) in a central location is managed with unix groups and permissions
+sudo /usr/sbin/groupadd --force --gid 9700 lndadmin
+sudo /usr/sbin/groupadd --force --gid 9701 lndinvoice
+sudo /usr/sbin/groupadd --force --gid 9702 lndreadonly
+
 echo ""
 echo "*** SWAP FILE ***"
 # based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_20_pi.md#moving-the-swap-file
@ -709,7 +716,7 @@ sudo -u admin chmod -R 755 LCD-show
 sudo -u admin chown -R admin:admin LCD-show
 cd LCD-show/
 # set comit hard to old version - that seemed to run better
-# 
+#
 sudo -u admin git reset --hard ce52014

 # install xinput calibrator package
--- a/home.admin/config.scripts/lnd.credentials.sh
+++ b/home.admin/config.scripts/lnd.credentials.sh
@ -0,0 +1,51 @@
+#!/bin/bash
+
+# command info
+if [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
+  echo "tool to check and update credentials (e.g. macaroons)"
+  echo "lnd.credentials [check|update]"
+  exit 1
+fi
+
+# load data from config
+source /mnt/hdd/raspiblitz.conf
+
+########################
+# FUNCTIONS
+########################
+
+function copy_mac_set_perms() {
+  local file_name=${1}  # the file name (e.g. admin.macaroon)
+  local group_name=${2} # the unix group name (e.g. lndadmin)
+  local n=${3:-bitcoin} # the network (e.g. bitcoin or litecoin) defaults to bitcoin
+  local c=${4:-main} # the chain (e.g. main, test, sim, reg) defaults to main (for mainnet)
+
+  sudo /bin/cp /mnt/hdd/lnd/data/chain/${n}/${c}net/${file_name} /mnt/hdd/app-data/lnd/${n}/${c}net/${file_name}
+  sudo /bin/chown --silent admin:${group_name} /mnt/hdd/app-data/lnd/${n}/${c}net/${file_name}
+  sudo /bin/chmod --silent 640 /mnt/hdd/app-data/lnd/${n}/${c}net/${file_name}
+}
+
+########################
+# CHECK
+########################
+
+if [ "$1" = "check" ]; then
+  echo "CHECK"
+
+  # TODO(frennkie)
+
+fi
+
+########################
+# UPDATE
+########################
+if [ "$1" = "update" ]; then
+  echo "UPDATE"
+
+  sudo /bin/mkdir --mode 0755 --parents /mnt/hdd/app-data/lnd/${network}/${chain}net/
+
+  copy_mac_set_perms admin.macaroon lndadmin ${network} ${chain}
+  copy_mac_set_perms invoice.macaroon lndinvoice ${network} ${chain}
+  copy_mac_set_perms readonly.macaroon lndreadonly ${network} ${chain}
+
+fi