#2356 using lnd internal autounlock (#4752)

* #2356 rewritten lndautounlock.sh
2025-05-12 19:20:48 +02:00 · 2024-10-02 11:30:29 +02:00 · 2024-10-02 11:30:29 +02:00 · 5d27f7aad4
commit 5d27f7aad4
parent 224259694c
9 changed files with 146 additions and 114 deletions
--- a/home.admin/00settingsMenuBasics.sh
+++ b/home.admin/00settingsMenuBasics.sh
@ -6,7 +6,6 @@ source /home/admin/raspiblitz.info
 source /mnt/hdd/raspiblitz.conf

 echo "services default values"
-if [ ${#autoUnlock} -eq 0 ]; then autoUnlock="off"; fi
 if [ ${#runBehindTor} -eq 0 ]; then runBehindTor="off"; fi
 if [ ${#networkUPnP} -eq 0 ]; then networkUPnP="off"; fi
 if [ ${#touchscreen} -eq 0 ]; then touchscreen=0; fi
@ -19,6 +18,9 @@ if [ ${#clAutoUnlock} -eq 0 ]; then clAutoUnlock="off"; fi
 if [ ${#clWatchtowerClient} -eq 0 ]; then clWatchtowerClient="off"; fi
 if [ ${#blitzapi} -eq 0 ]; then blitzapi="off"; fi

+# detect if LND auto-unlock is active
+source <(/home/admin/config.scripts/lnd.autounlock.sh status)
+
 echo "# map LND to on/off"
 lndNode="off"
 if [ "${lightning}" == "lnd" ] || [ "${lnd}" == "on" ]; then
--- a/home.admin/98repairMenu.sh
+++ b/home.admin/98repairMenu.sh
@ -175,7 +175,6 @@ case $CHOICE in
    ;;
  COPY-SOURCE)
    /home/admin/config.scripts/blitz.copychain.sh source
-    /home/admin/config.scripts/lnd.unlock.sh
    ;;
 esac

--- a/home.admin/BlitzTUI/data/raspiblitz.conf
+++ b/home.admin/BlitzTUI/data/raspiblitz.conf
@ -1,7 +1,6 @@
 # RASPIBLITZ CONFIG FILE
 autoNatDiscovery=off
 autoPilot=off
-autoUnlock=on
 chain=test
 dynDomain=''
 dynUpdateUrl=''
--- a/home.admin/_background.sh
+++ b/home.admin/_background.sh
@ -197,6 +197,7 @@ do

      # only restart LND if auto-unlock is activated
      # AND neither the old nor the new IPv6 address is "::1"
+      source <(/home/admin/config.scripts/lnd.autounlock.sh status)
      if [ "${autoUnlock}" = "on" ]; then
        if [ "${publicIP_Old}" != "::1" ] && [ "${publicIP_New}" != "::1" ]; then
          echo "restart LND to pickup up new publicIP"
@ -726,31 +727,6 @@ do

  fi

-  ###############################
-  # LND AUTO-UNLOCK
-  ###############################
-
-  # check every 10secs (only if LND is active)
-  recheckAutoUnlock=0
-  if [ "${lightning}" == "lnd" ] || [ "${lnd}" == "on" ]; then
-    recheckAutoUnlock=$((($counter % 10)+1))
-  fi
-  if [ ${recheckAutoUnlock} -eq 1 ]; then
-
-    # check if auto-unlock feature if activated
-    if [ "${autoUnlock}" = "on" ]; then
-
-      # check if lnd is locked
-      source <(/home/admin/config.scripts/lnd.unlock.sh status)
-      if [ "${locked}" != "0" ]; then
-
-        echo "STARTING AUTO-UNLOCK ..."
-        /home/admin/config.scripts/lnd.unlock.sh
-
-      fi
-    fi
-  fi
-
  ###############################
  # Prepare next loop
  ###############################
--- a/home.admin/config.scripts/blitz.passwords.sh
+++ b/home.admin/config.scripts/blitz.passwords.sh
@ -506,8 +506,11 @@ elif [ "${abcd}" = "c" ]; then

    echo "# CHANGE LND - PASSWORD C (only mainnet)"

-    echo "# Make sure Auto-Unlocks off"
-    sudo /home/admin/config.scripts/lnd.autounlock.sh off
+    source <(/home/admin/config.scripts/lnd.autounlock.sh status)
+    if [ "${autoUnlock}" == "on" ]; then
+      echo "# Make sure Auto-Unlocks off"
+      sudo /home/admin/config.scripts/lnd.autounlock.sh off
+    fi

    echo "# LND needs to be restarted to lock wallet first .. (please wait)"
    sudo systemctl restart lnd
@ -521,6 +524,13 @@ elif [ "${abcd}" = "c" ]; then
      exit 0
    fi

+    if [ "${autoUnlock}" == "on" ]; then
+      echo "# Make sure Auto-Unlocks on"
+      sudo /home/admin/config.scripts/lnd.autounlock.sh on "${newPassword}"
+    fi
+
+    echo "# Password changed"
+
  else
    echo "# LND not installed/active"
  fi
@ -537,7 +547,7 @@ elif [ "${abcd}" = "c" ]; then
    echo "# CORE LIGHTNING not installed/active/encrypted"
  fi

-  # store password hash
+  # store password hash (either for lnd or core lightning)
  mkpasswd -m sha-512 "${newPassword}" -S "${hashedPasswordSalt:0:16}" > ${hashedPasswordStoragePath}/c.hash
  chown admin:admin ${hashedPasswordStoragePath}/c.hash
  chmod 660 ${hashedPasswordStoragePath}/c.hash
--- a/home.admin/config.scripts/lnd.autounlock.sh
+++ b/home.admin/config.scripts/lnd.autounlock.sh
@ -3,10 +3,21 @@
 # command info
 if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
 echo "# small config script to autounlock lnd after restart"
+ echo "# lnd.autounlock.sh status"
 echo "# lnd.autounlock.sh [on|off] [?passwordC]"
 exit 1
 fi

+if [ "$1" = "status" ]; then
+  autoUnlock=$(sudo cat /mnt/hdd/lnd/lnd.conf 2>/dev/null | grep -c "^wallet-unlock-password-file=")
+  if [ ${autoUnlock} -eq 0 ]; then
+    echo "autoUnlock=off"
+  else
+    echo "autoUnlock=on"
+  fi
+  exit 0
+fi
+
 # 1. parameter [on|off]
 turn="off"
 if [ "$1" = "1" ] || [ "$1" = "on" ]; then turn="on"; fi
@ -58,23 +69,29 @@ fi

 # lnd conf file
 lndConfig="/mnt/hdd/lnd/lnd.conf"
+passwordFile="/mnt/hdd/lnd/data/chain/bitcoin/mainnet/password.info"

 # switch on
 if [ "$1" = "1" ] || [ "$1" = "on" ]; then

  echo "# switching the Auto-Unlock ON"

-  # setting value in raspi blitz config
-  /home/admin/config.scripts/blitz.conf.sh set autoUnlock "on"
-
  # password C needs to be stored on RaspiBlitz
-  echo "# storing password for root in /root/lnd.autounlock.pwd"
-  sudo sh -c "echo \"${passwordC}\" > /root/lnd.autounlock.pwd"
-  sudo chmod 660 /root/lnd.autounlock.pwd
-  sudo chown root:sudo /root/lnd.autounlock.pwd
+  echo "# storing password on hdd ${passwordFile}"
+  sudo sh -c "echo \"${passwordC}\" > ${passwordFile}"
+  sudo chmod 660 "${passwordFile}"
+  sudo chown bitcoin:bitcoin "${passwordFile}"

-  echo "# Auto-Unlock is now ON"
-  echo "# NOTE: you may need to reconnect mobile/external wallets (macaroon/tls)"
+  # remove any existing active config in lnd.conf
+  sudo sed -i "/^wallet-unlock-password-file=/d" /mnt/hdd/lnd/lnd.conf
+
+  # add the config line under [Application Options] section
+  sudo sed -i "/^\[Application Options\]/ { 
+n
+a wallet-unlock-password-file=${passwordFile}
+}" /mnt/hdd/lnd/lnd.conf
+
+  echo "# Auto-Unlock is now ON (after manual lnd restart)"
  exit 0
 fi

@ -87,8 +104,11 @@ if [ "$1" = "0" ] || [ "$1" = "off" ]; then

  # delete password C securely
  echo "# shredding password on for RaspiBlitz Auto-Unlock"
-  sudo shred -u /root/lnd.autounlock.pwd 2>/dev/null
+  sudo shred -u "${passwordFile}" 2>/dev/null

-  echo "# Auto-Unlock is now OFF"
+  # remove any existing active config in lnd.conf
+  sudo sed -i "/^wallet-unlock-password-file=/d" /mnt/hdd/lnd/lnd.conf
+
+  echo "# Auto-Unlock is now OFF (after manual lnd restart)"
  exit 0
 fi
--- a/home.admin/config.scripts/lnd.backup.sh
+++ b/home.admin/config.scripts/lnd.backup.sh
@ -388,11 +388,6 @@ if [ ${mode} = "lnd-import-gui" ]; then
  source <(sudo /home/admin/config.scripts/lnd.backup.sh lnd-import ${filename})

  # TODO: check if update of LND is needed (see detailes in lnd-import) for edge case
-
-  # turn off auto-unlock if activated because password c might now change
-  if [ "${autoUnlock}" == "on" ]; then
-    /home/admin/config.scripts/lnd.autounlock.sh off
-  fi
  
  # restarting lnd & give final info
  sudo systemctl start lnd
--- a/home.admin/config.scripts/lnd.monitor.sh
+++ b/home.admin/config.scripts/lnd.monitor.sh
@ -36,6 +36,10 @@ else
  exit 1
 fi

+# general info on the lnd service
+lnd_running=$(systemctl show ${netprefix}lnd --property=ActiveState 2>/dev/null | grep -c "=active")
+lnd_locked=$(systemctl show ${netprefix}lnd --property=StatusText 2>/dev/null | grep -c "Wallet locked")
+
 ######################################################
 # STATUS
 # check general status info
@ -44,55 +48,54 @@ fi
 if [ "$2" = "status" ]; then

  lnd_version=$($lndcli_alias --version 2>/dev/null | cut -d ' ' -f3)
-  lnd_running=$(systemctl status ${netprefix}lnd 2>/dev/null | grep -c "active (running)")
  lnd_ready="0"
  lnd_online="0"
-  lnd_locked="0"
  lnd_error_short=""
  lnd_error_full=""

  if [ "${lnd_running}" != "0" ]; then
    lnd_running="1"
+    # only if wallet is not locked get more info
+    if [ ${lnd_locked} -eq 0 ]; then
+      # test connection - record win & fail info
+      randStr=$(echo "$RANDOM")
+      rm /var/cache/raspiblitz/.lnd-${randStr}.out 2>/dev/null
+      rm /var/cache/raspiblitz/.lnd-${randStr}.error 2>/dev/null
+      touch /var/cache/raspiblitz/.lnd-${randStr}.out
+      touch /var/cache/raspiblitz/.lnd-${randStr}.error
+      echo "# $lndcli_alias getinfo"
+      $lndcli_alias getinfo 1>/var/cache/raspiblitz/.lnd-${randStr}.out 2>/var/cache/raspiblitz/.lnd-${randStr}.error
+      winData=$(cat /var/cache/raspiblitz/.lnd-${randStr}.out 2>/dev/null)
+      failData=$(cat /var/cache/raspiblitz/.lnd-${randStr}.error 2>/dev/null)
+      rm /var/cache/raspiblitz/.lnd-${randStr}.out
+      rm /var/cache/raspiblitz/.lnd-${randStr}.error

-    # test connection - record win & fail info
-    randStr=$(echo "$RANDOM")
-    rm /var/cache/raspiblitz/.lnd-${randStr}.out 2>/dev/null
-    rm /var/cache/raspiblitz/.lnd-${randStr}.error 2>/dev/null
-    touch /var/cache/raspiblitz/.lnd-${randStr}.out
-    touch /var/cache/raspiblitz/.lnd-${randStr}.error
-    echo "# $lndcli_alias getinfo"
-    $lndcli_alias getinfo 1>/var/cache/raspiblitz/.lnd-${randStr}.out 2>/var/cache/raspiblitz/.lnd-${randStr}.error
-    winData=$(cat /var/cache/raspiblitz/.lnd-${randStr}.out 2>/dev/null)
-    failData=$(cat /var/cache/raspiblitz/.lnd-${randStr}.error 2>/dev/null)
-    rm /var/cache/raspiblitz/.lnd-${randStr}.out
-    rm /var/cache/raspiblitz/.lnd-${randStr}.error
+      # check for errors
+      if [ "${failData}" != "" ]; then
+        lnd_ready="0"

-    # check for errors
-    if [ "${failData}" != "" ]; then
-      lnd_ready="0"
-
-      # store error messages 
-      lnd_error_short=""
-      lnd_error_full=$(echo ${failData} | tr -d "'" | tr -d '"')
-
-      # check if error because wallet is locked
-      if [ $(echo "${failData}" | grep -c "wallet locked") -gt 0 ]; then
-        # signal wallet locked
-        lnd_locked="1"
-        # dont report it as error
+        # store error messages 
        lnd_error_short=""
-        lnd_error_full=""
-      fi
+        lnd_error_full=$(echo ${failData} | tr -d "'" | tr -d '"')

-    # check results if proof for online
-    else
-      lnd_ready="1"
-      connections=$( echo "${winData}" | grep "num_peers\"" | tr -cd '[[:digit:]]')
-      if [ "${connections}" != "" ] && [ "${connections}" != "0" ]; then
-        lnd_online="1"
-      fi
-    fi
+        # check if error because wallet is locked
+        if [ $(echo "${failData}" | grep -c "wallet locked") -gt 0 ]; then
+          # signal wallet locked
+          lnd_locked="1"
+          # dont report it as error
+          lnd_error_short=""
+          lnd_error_full=""
+        fi

+      # check results if proof for online
+      else
+        lnd_ready="1"
+        connections=$( echo "${winData}" | grep "num_peers\"" | tr -cd '[[:digit:]]')
+        if [ "${connections}" != "" ] && [ "${connections}" != "0" ]; then
+          lnd_online="1"
+        fi
+      fi
+    fi  
  fi 

  # print results
@ -135,6 +138,18 @@ fi

 if [ "$2" = "info" ]; then

+  # quick if not running
+  if [ "${lnd_running}" == "0" ]; then
+    echo "error='not running'"
+    exit 1
+  fi
+
+  # quick if wallet is locked
+  if [ "${lnd_locked}" == "1" ]; then
+    echo "error='wallet locked'"
+    exit 1
+  fi
+
  # raw data demo:
  # sudo /usr/local/bin/lncli -n=mainnet --rpcserver=localhost:10009 --macaroonpath=/home/bitcoin/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon --tlscertpath=/home/bitcoin/.lnd/tls.cert getinfo

@ -212,6 +227,18 @@ fi

 if [ "$2" = "wallet" ]; then

+  # quick if not running
+  if [ "${lnd_running}" == "0" ]; then
+    echo "error='not running'"
+    exit 1
+  fi
+
+  # quick if wallet is locked
+  if [ "${lnd_locked}" == "1" ]; then
+    echo "error='wallet locked'"
+    exit 1
+  fi
+
  # raw data demo:
  # /usr/local/bin/lncli -n=mainnet --rpcserver=localhost:10009 --macaroonpath=/home/bitcoin/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon --tlscertpath=/home/bitcoin/.lnd/tls.cert walletbalance
  # /usr/local/bin/lncli -n=mainnet --rpcserver=localhost:10009 --macaroonpath=/home/bitcoin/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon --tlscertpath=/home/bitcoin/.lnd/tls.cert channelbalance
@ -251,6 +278,18 @@ fi

 if [ "$2" = "channels" ]; then

+  # quick if not running
+  if [ "${lnd_running}" == "0" ]; then
+    echo "error='not running'"
+    exit 1
+  fi
+
+  # quick if wallet is locked
+  if [ "${lnd_locked}" == "1" ]; then
+    echo "error='wallet locked'"
+    exit 1
+  fi
+
  # raw data demo:
  # sudo /usr/local/bin/lncli -n=mainnet --rpcserver=localhost:10009 --macaroonpath=/home/bitcoin/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon --tlscertpath=/home/bitcoin/.lnd/tls.cert listchannels

@ -279,6 +318,18 @@ if [ "$2" = "fees" ]; then
 # raw data demo:
 # sudo /usr/local/bin/lncli -n=mainnet --rpcserver=localhost:10009 --macaroonpath=/home/bitcoin/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon --tlscertpath=/home/bitcoin/.lnd/tls.cert feereport

+  # quick if not running
+  if [ "${lnd_running}" == "0" ]; then
+    echo "error='not running'"
+    exit 1
+  fi
+
+  # quick if wallet is locked
+  if [ "${lnd_locked}" == "1" ]; then
+    echo "error='wallet locked'"
+    exit 1
+  fi
+
  # get data
  ln_feereport=$($lndcli_alias feereport 2>/dev/null)
  if [ "${ln_feereport}" == "" ]; then
--- a/home.admin/config.scripts/lnd.unlock.sh
+++ b/home.admin/config.scripts/lnd.unlock.sh
@ -38,6 +38,8 @@ if [ "${action}" == "chain-unlock" ]; then
    fi
 fi

+source <(/home/admin/config.scripts/network.aliases.sh getvars lnd ${chain}net)
+
 # dont if state is on reboot or shutdown
 source <(/home/admin/_cache.sh get state)
 if [ "${state}" == "reboot" ] || [ "${state}" == "shutdown" ]; then
@ -46,40 +48,27 @@ if [ "${state}" == "reboot" ] || [ "${state}" == "shutdown" ]; then
  exit 0
 fi

-source <(/home/admin/config.scripts/network.aliases.sh getvars lnd ${chain}net)
-
-# check if wallet is already unlocked
-# echo "# checking LND wallet ... (can take some time)"
-lndError=$(${lncli_alias} getinfo 2>&1)
-walletLocked=$(echo "${lndError}" | grep -c "Wallet is encrypted")
-if [ "${walletLocked}" == "0" ]; then
-    # test for new error message
-    walletLocked=$(echo "${lndError}" | grep -c "wallet locked")
+lndStatus=$(sudo systemctl show ${netprefix}lnd --property=StatusText)
+echo "# ${netprefix}lnd: ${lndStatus}"
+walletUnlocked=$( echo "${lndStatus}"| grep -c "Wallet unlocked")
+if [ ${walletUnlocked} -eq 0 ]; then
+    walletLocked=1
+else
+    walletLocked=0
 fi
-macaroonsMissing=$(echo "${lndError}" | grep -c "unable to read macaroon")

 # if action is just status
 if [ "${action}" == "status" ]; then
    echo "locked=${walletLocked}"
-    echo "missingMacaroons=${macaroonsMissing}"
    exit 0
 fi

 # if already unlocked all is done
-if [ ${walletLocked} -eq 0 ] && [ ${macaroonsMissing} -eq 0 ]; then
+if [ ${walletLocked} -eq 0 ]; then
    echo "# OK LND wallet was already unlocked"
    exit 0
 fi

-# if no password check if stored for auto-unlock
-if [ ${#passwordC} -eq 0 ]; then
-    autoUnlockExists=$(sudo ls /root/lnd.autounlock.pwd 2>/dev/null | grep -c "lnd.autounlock.pwd")
-    if [ ${autoUnlockExists} -eq 1 ]; then
-        echo "# using auto-unlock"
-        passwordC=$(sudo cat /root/lnd.autounlock.pwd)
-    fi
-fi
-
 # if still no password get from user
 manualEntry=0
 if [ ${#passwordC} -eq 0 ]; then
@ -113,15 +102,6 @@ while [ ${fallback} -eq 0 ]

        # SUCCESS UNLOCK
        echo "# OK LND wallet unlocked"
-
-        # if autoUnlock set in config (but this manual input was needed)
-        # there seems to be no stored password - make sure to store password c now
-        if [ "${autoUnlock}" == "on" ]; then
-            echo "# storing password C for future Auto-Unlock"
-            /home/admin/config.scripts/lnd.autounlock.sh on "${passwordC}"
-            sleep 1
-        fi
-
        exit 0

    elif [ ${wrongPassword} -gt 0 ]; then