blitzapi: add dedicated user and conf entry (#3191)

* blitzapi: add dedicated user and conf entry * blitzapi: add to sudo group, allow systemd access * store blitz_we code under /home/blitzapi * add SERVICES menu option for Blitz API and webUI * blitz.passwords: allow non-sudo to check passwords * change blitz_web path * blitzapi: fix SERVICES menu entry
2025-03-17 21:31:45 +01:00 · 2022-06-28 18:35:21 +01:00 · 2022-06-28 18:35:21 +01:00 · d4448d4652
commit d4448d4652
parent c8bd9a646d
5 changed files with 83 additions and 32 deletions
--- a/build_sdcard.sh
+++ b/build_sdcard.sh
@ -786,9 +786,9 @@ if ${fatpack}; then

  # set build code as new default
  sudo rm -r /home/admin/assets/nginx/www_public
-  sudo cp -a /root/blitz_web/build/* /home/admin/assets/nginx/www_public
+  sudo cp -a /home/blitzapi/blitz_web/build/* /home/admin/assets/nginx/www_public
  sudo chown admin:admin /home/admin/assets/nginx/www_public
-  sudo rm -r /root/blitz_web/build/*
+  sudo rm -r /home/blitzapi/blitz_web/build/*

 else
  echo "* skipping FATPACK"
--- a/home.admin/00settingsMenuServices.sh
+++ b/home.admin/00settingsMenuServices.sh
@ -32,6 +32,7 @@ if [ ${#helipad} -eq 0 ]; then helipad="off"; fi
 if [ ${#bitcoinminds} -eq 0 ]; then bitcoinminds="off"; fi
 if [ ${#squeaknode} -eq 0 ]; then squeaknode="off"; fi
 if [ ${#itchysats} -eq 0 ]; then itchysats="off"; fi
+if [ ${#blitzapi} -eq 0 ]; then blitzapi="off"; fi

 # show select dialog
 echo "run dialog ..."
@ -78,6 +79,7 @@ if [ "${lightning}" == "cl" ] || [ "${cl}" == "on" ]; then
 fi

 OPTIONS+=(m 'Homer Dashboard' ${homer})
+OPTIONS+=(A 'Blitz API + webUI' ${blitzapi})

 CHOICES=$(dialog --title ' Additional Mainnet Services ' \
          --checklist ' use spacebar to activate/de-activate ' \
@ -543,6 +545,25 @@ else
  echo "Homer Setting unchanged."
 fi

+# Blitz API + webUI process choice
+choice="off"; check=$(echo "${CHOICES}" | grep -c "A")
+if [ ${check} -eq 1 ]; then choice="on"; fi
+if [ "${blitzapi}" != "${choice}" ]; then
+  echo "Blitz API + webUI settings changed .."
+  anychange=1
+  sudo /home/admin/config.scripts/blitz.web.api.sh ${choice}
+  sudo /home/admin/config.scripts/blitz.web.ui.sh ${choice}
+  errorOnInstall=$?
+  if [ "${choice}" =  "on" ]; then
+    whiptail --title " Installed Blitz API + webUI" --msgbox "\
+The Blitz API + webUI was installed.\n
+See the status screen for more info.\n
+" 10 35
+  fi
+else
+  echo "Blitz API + webUI Setting unchanged."
+fi
+
 # BitcoinMinds process choice
 choice="off"; check=$(echo "${CHOICES}" | grep -c "v")
 if [ ${check} -eq 1 ]; then choice="on"; fi
--- a/home.admin/config.scripts/blitz.passwords.sh
+++ b/home.admin/config.scripts/blitz.passwords.sh
@ -12,13 +12,6 @@ if [ "$1" == "" ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
 exit 1
 fi

-# check if started with sudo
-echo "runningUser='$EUID'"
-if [ "$EUID" -ne 0 ]; then 
-  echo "error='need user root'"
-  exit 1
-fi
-
 # prepare hased password storage
 hashedPasswordSalt=""
 hashedPasswordStoragePath="/mnt/hdd/app-data/passwords"
@ -98,6 +91,13 @@ fi
 # SETTING PASSWORDS
 ############################

+# check if started with sudo
+echo "runningUser='$EUID'"
+if [ "$EUID" -ne 0 ]; then 
+  echo "error='need user root'"
+  exit 1
+fi
+
 if [ "$1" != "set" ]; then
    echo "error='unkown parameter'"
    exit 1
@ -128,7 +128,7 @@ if [ ${#abcd} -eq 0 ]; then
      OPTIONS+=(C "LND Lightning Wallet Password")
    fi
    if [ "${cl}" == "on" ] && [ "${clEncryptedHSM}" == "on" ]; then
-      OPTIONS+=(CL "C-Lightning Wallet Password")
+      OPTIONS+=(CL "Core Lightning Wallet Password")
    fi
    CHOICE=$(dialog --clear \
                --backtitle "RaspiBlitz" \
--- a/home.admin/config.scripts/blitz.web.api.sh
+++ b/home.admin/config.scripts/blitz.web.api.sh
@ -45,10 +45,32 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
  fi

  echo "# INSTALL Web API ..."
+  # clean old source
  rm -r /root/blitz_api 2>/dev/null
-  cd /root || exit 1
-  # git clone https://github.com/fusion44/blitz_api.git /root/blitz_api
-  if ! git clone https://github.com/${DEFAULT_GITHUB_USER}/${DEFAULT_GITHUB_REPO}.git /root/blitz_api; then
+  rm -r /home/blitzapi/blitz_api 2>/dev/null
+
+  # create user
+  adduser --disabled-password --gecos "" blitzapi
+
+  # sudo capability for manipulating passwords
+  /usr/sbin/usermod --append --groups sudo blitzapi
+  # access password hash and salt
+  /usr/sbin/usermod --append --groups admin blitzapi
+  # access lnd creds
+  /usr/sbin/usermod --append --groups lndadmin blitzapi
+  # access cln creds
+  /usr/sbin/usermod --append --groups bitcoin blitzapi
+  echo "# allowing user as part of the bitcoin group to RW RPC hook"
+  chmod 770 /home/bitcoin/.lightning/bitcoin
+  chmod 660 /home/bitcoin/.lightning/bitcoin/lightning-rpc
+  CLCONF="/home/bitcoin/.lightning/config"
+  if [ "$(cat ${CLCONF} | grep -c "^rpc-file-mode=0660")" -eq 0 ]; then
+    echo "rpc-file-mode=0660" | tee -a ${CLCONF}
+  fi
+
+  cd /home/blitzapi || exit 1
+  # git clone https://github.com/fusion44/blitz_api.git /home/blitzapi/blitz_api
+  if ! git clone https://github.com/${DEFAULT_GITHUB_USER}/${DEFAULT_GITHUB_REPO}.git /home/blitzapi/blitz_api; then
    echo "error='git clone failed'"
    exit 1
  fi
@ -61,9 +83,6 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
    echo "error='pip install failed'"
    exit 1
  fi
-  chown -R admin:admin /root/blitz_api
-  chmod a+x /root
-  chmod -R a+x /root/blitz_api

  # build the config and set unique secret (its OK to be a new secret every install/upadte)
  /home/admin/config.scripts/blitz.web.api.sh update-config
@ -78,22 +97,20 @@ Wants=network.target
 After=network.target mnt-hdd.mount

 [Service]
-WorkingDirectory=/root/blitz_api
+WorkingDirectory=/home/blitzapi/blitz_api
 # before every start update the config with latest credentials/settings
 ExecStartPre=-/home/admin/config.scripts/blitz.web.api.sh update-config
 ExecStart=/usr/bin/python -m uvicorn app.main:app --port 11111 --host=0.0.0.0 --root-path /api
-User=root
-Group=root
+User=blitzapi
+Group=blitzapi
 Type=simple
 Restart=always
 StandardOutput=journal
 StandardError=journal
 RestartSec=60

-# Hardening measures
+# Hardening
 PrivateTmp=true
-NoNewPrivileges=true
-PrivateDevices=true

 [Install]
 WantedBy=multi-user.target
@ -129,7 +146,7 @@ if [ "$1" = "update-config" ]; then
  fi

  # prepare config update
-  cd /root/blitz_api
+  cd /home/blitzapi/blitz_api
  cp ./.env_sample ./.env
  dateStr=$(date)
  echo "# Update Web API CONFIG (${dateStr})"
@ -213,6 +230,9 @@ if [ "$1" = "update-config" ]; then
      sed -i "s/^ln_node=.*/ln_node=/g" ./.env
  fi

+  # setting value in raspi blitz config
+  /home/admin/config.scripts/blitz.conf.sh set blitzapi "on"
+
  echo "# '.env' config updates - blitzapi maybe needs to be restarted"
  exit 0

@ -227,7 +247,7 @@ if [ "$1" = "update-code" ]; then
  if [ "${apiActive}" != "0" ]; then
    echo "# Update Web API CODE"
    systemctl stop blitzapi
-    cd /root/blitz_api
+    cd /home/blitzapi/blitz_api
    currentBranch=$(git rev-parse --abbrev-ref HEAD)
    echo "# updating local repo ..."
    oldCommit=$(git rev-parse HEAD)
@ -260,8 +280,13 @@ if [ "$1" = "0" ] || [ "$1" = "off" ]; then
  systemctl stop blitzapi
  systemctl disable blitzapi
  rm /etc/systemd/system/blitzapi.service
-  rm -r /root/blitz_api
-  rm -r /root/.blitz_api 2>/dev/null
+  userdel -rf blitzapi
+  # clean old source
+  rm -r /root/blitz_api 2>/dev/null
+
+  # setting value in raspi blitz config
+  /home/admin/config.scripts/blitz.conf.sh set blitzapi "off"
+
  exit 0

 fi
--- a/home.admin/config.scripts/blitz.web.ui.sh
+++ b/home.admin/config.scripts/blitz.web.ui.sh
@ -39,14 +39,18 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
  fi

  echo "# INSTALL WebUI"
+  # clean all source
  rm -r /root/blitz_web 2>/dev/null
  rm -r /root/${DEFAULT_GITHUB_REPO} 2>/dev/null
-  cd /root || exit 1
+  rm -r /home/blitzapi/blitz_web 2>/dev/null
+  rm -r /home/blitzapi/${DEFAULT_GITHUB_REPO} 2>/dev/null
+  
+  cd /home/blitzapi || exit 1
  if ! git clone https://github.com/${DEFAULT_GITHUB_USER}/${DEFAULT_GITHUB_REPO}.git; then
    echo "error='git clone failed'"
    exit 1
  fi
-  mv /root/${DEFAULT_GITHUB_REPO} /root/blitz_web
+  mv /home/blitzapi/${DEFAULT_GITHUB_REPO} /home/blitzapi/blitz_web
  cd blitz_web || exit 1
  if ! git checkout ${DEFAULT_GITHUB_BRANCH}; then
    echo "error='git checkout failed'"
@ -71,7 +75,7 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
  fi

  rm -r /var/www/public/* 2>/dev/null
-  cp -r /root/blitz_web/build/* /var/www/public
+  cp -r /home/blitzapi/blitz_web/build/* /var/www/public
  chown www-data:www-data -R /var/www/public

  # install info
@ -85,10 +89,10 @@ fi
 # UPDATE
 ###################
 if [ "$1" = "update" ]; then
-  webuiActive=$(sudo ls /root/blitz_web/README.md | grep -c "README")
+  webuiActive=$(sudo ls /home/blitzapi/blitz_web/README.md | grep -c "README")
  if [ "${webuiActive}" != "0" ]; then
    echo "# Update Web API"
-    cd /root/blitz_web
+    cd /home/blitzapi/blitz_web
    currentBranch=$(git rev-parse --abbrev-ref HEAD)
    echo "# updating local repo ..."
    oldCommit=$(git rev-parse HEAD)
@ -100,7 +104,7 @@ if [ "$1" = "update" ]; then
      ${NODEPATH}/yarn install
      ${NODEPATH}/yarn build
      sudo rm -r /var/www/public/* 2>/dev/null
-      sudo cp -r /root/blitz_web/build/* /var/www/public
+      sudo cp -r /home/blitzapi/blitz_web/build/* /var/www/public
      sudo chown www-data:www-data -R /var/www/public
    else
      echo "# no code changes"
@ -123,6 +127,7 @@ if [ "$1" = "0" ] || [ "$1" = "off" ]; then

  echo "# UNINSTALL WebUI"
  sudo rm -r /root/blitz_web 2>/dev/null
+  sudo rm -r /home/blitzapi/blitz_web 2>/dev/null
  sudo rm -r /var/www/public/* 2>/dev/null
  exit 0
 fi