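---
# CloudFormation template for a single EC2 host that is provisioned from
# UserData to run bitcoind, Core Lightning (lightningd) and Breez lspd.
AWSTemplateFormatVersion: '2010-09-09'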
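Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access
    Type: 'AWS::EC2::KeyPair::KeyName'
  LSPName:
    Description: LSP Name
    Type: String
    # The value is interpolated by !Sub straight into the UserData shell
    # script: into an unquoted heredoc (alias="...") and into a single-quoted
    # JSON string (NODES=...). Reject characters that could break out of
    # either context. CLN aliases are limited to 32 bytes.
    AllowedPattern: '^[^"''\\$`\x00-\x1F\x7F]{1,32}$'
    ConstraintDescription: >-
      1 to 32 characters; must not contain quotes, backslashes, dollar signs,
      backticks or control characters
  VPCID:
    Description: The ID of the VPC in which to create the resources
    Type: 'AWS::EC2::VPC::Id'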
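Mappings:
  # Pinned per-region AMI IDs looked up by !FindInMap in the instance
  # definition. The UserData script assumes an x86_64 Debian-family image
  # (it uses apt-get and the linux-amd64 Go tarball); keep the table in
  # sync across regions when rotating images.
  AMIRegionMap:
    ap-northeast-1:
      AMIID: ami-0deffe25fb08894f5
    ap-northeast-2:
      AMIID: ami-097243fad67b35a40
    ap-northeast-3:
      AMIID: ami-03ad2f651aaddff3a
    ap-south-1:
      AMIID: ami-0361008010558ea2d
    ap-southeast-1:
      AMIID: ami-07bf64b7ca62c96ee
    ap-southeast-2:
      AMIID: ami-0cc8e61f3957442b8
    ca-central-1:
      AMIID: ami-0cfe1aac5d0b881ff
    eu-central-1:
      AMIID: ami-0042e6537994c4181
    eu-north-1:
      AMIID: ami-00347e40213620217
    eu-west-1:
      AMIID: ami-04620cb5b85309067
    eu-west-2:
      AMIID: ami-0315c69b482426e70
    eu-west-3:
      AMIID: ami-0dcc6ef9e7a6e70f2
    sa-east-1:
      AMIID: ami-027ba68d27297f530
    us-east-1:
      AMIID: ami-01e8fbda99c153c6b
    us-east-2:
      AMIID: ami-0ef27e70f95b439e8
    us-west-1:
      AMIID: ami-09d529cbaf5cc7e6f
    us-west-2:
      AMIID: ami-0acfc42b227d0b719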
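Resources:
  # EC2 Instance: one host running bitcoind, lightningd and lspd. All
  # software is installed and configured by the UserData script on first boot.
  EC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      InstanceType: m6a.xlarge
      ImageId: !FindInMap [AMIRegionMap, !Ref "AWS::Region", AMIID]
      KeyName: !Ref KeyName
      # NOTE(review): consider MetadataOptions with HttpTokens: required
      # (IMDSv2 only) once the AMI's cloud-init is confirmed to support it;
      # the UserData script below already uses an IMDSv2 token.
      BlockDeviceMappings: # resize root volume to 1TB
        - DeviceName: "/dev/xvda"
          Ebs:
            VolumeSize: 1024
            VolumeType: gp2
            DeleteOnTermination: true
            # The root volume holds the node's hsm_secret, the channel
            # databases and the generated credentials file: encrypt it at rest.
            Encrypted: true
      # !Sub rewrites only the braced LSPName references inside the script;
      # plain $VAR shell expansions are left untouched and evaluated on the
      # instance. There is no `set -e`, so a failed step does not abort the run.
      UserData:
        Fn::Base64:
          !Sub |
            #!/bin/bash
            # Elevate privileges
            if [ "$EUID" -ne 0 ]; then
              sudo bash "$0" "$@"
              exit
            fi
            # Redirect all outputs to a log file. Make it root-only before
            # anything is written: every `tee` below echoes to this log too.
            touch "/tmp/deployment.log"
            chmod 600 "/tmp/deployment.log"
            exec > >(tee -a "/tmp/deployment.log") 2>&1
            # fix locale if on debian
            if grep -q "Debian" /etc/os-release; then
              sed -i '/^# en_US.UTF-8 UTF-8/s/^# //' /etc/locale.gen
              locale-gen
              echo "export LC_ALL=en_US.UTF-8" >> /etc/bash.bashrc
              echo "export LANG=en_US.UTF-8" >> /etc/bash.bashrc
            fi
            source /etc/bash.bashrc
            # create users (service accounts without a password)
            sudo adduser --disabled-password --gecos "" lightning
            sudo adduser --disabled-password --gecos "" bitcoin
            sudo adduser --disabled-password --gecos "" lspd
            # lightning reads bitcoin.conf through the symlink created below;
            # group membership lets that file be group- rather than world-readable.
            usermod -aG bitcoin lightning
            # Create a file to store the credentials. It is root-owned; lock
            # it down now rather than only at the end of the run.
            CREDENTIALS="/home/lspd/credentials.txt"
            touch "$CREDENTIALS"
            chmod 600 "$CREDENTIALS"
            # Generate a random password for PostgreSQL users (alphanumeric
            # only, so the values are safe inside the SQL and URLs below)
            LSPD_DB_PASSWORD=$(</dev/urandom tr -dc 'A-Za-z0-9' | head -c 20)
            LIGHTNING_DB_PASSWORD=$(</dev/urandom tr -dc 'A-Za-z0-9' | head -c 20)
            # Output the password to a file
            echo "### PostgreSQL Credentials ###" >> "$CREDENTIALS"
            echo "postgres lspd:" >> "$CREDENTIALS"
            echo "username: lspd " >> "$CREDENTIALS"
            echo "password: $LSPD_DB_PASSWORD" >> "$CREDENTIALS"
            echo "postgres lightning:" >> "$CREDENTIALS"
            echo "username: lightning" >> "$CREDENTIALS"
            echo "password: $LIGHTNING_DB_PASSWORD" >> "$CREDENTIALS"
            # Generic name if no name is provided (running locally). Under
            # CloudFormation the braced LSPName references below are already
            # substituted by !Sub, so this fallback only affects manual runs.
            if [ -z "$LSPName" ]; then
              LSPName="lsp-$(</dev/urandom tr -dc 'A-Za-z0-9' | head -c 5)"
            fi
            # Install dependencies and required packages
            export DEBIAN_FRONTEND=noninteractive
            apt-get update
            apt-get upgrade -y
            sudo apt-get install -y git autoconf automake build-essential libtool libgmp-dev libsqlite3-dev python3 python3-pip net-tools zlib1g-dev postgresql postgresql-client-common postgresql-client postgresql postgresql-contrib libpq5 libsodium-dev gettext cargo protobuf-compiler libgmp3-dev python-is-python3 libpq-dev jq
            # NOTE(review): on images that enforce PEP 668 this system-wide
            # install may need a virtualenv or --break-system-packages.
            sudo pip3 install mako grpcio grpcio-tools
            # Modify the pg_hba.conf file to set md5 password authentication for local connections
            # NOTE(review): the stock pg_hba.conf aligns these columns with
            # runs of whitespace, so this single-space pattern likely never
            # matches. Both daemons connect over TCP to localhost, which uses
            # password authentication regardless, so nothing depends on it.
            PG_VERSION=$(psql -V | awk '{print $3}' | awk -F"." '{print $1}')
            sed -i 's/local all all peer/local all all md5/g' /etc/postgresql/$PG_VERSION/main/pg_hba.conf
            # Create PostgreSQL users and databases
            sudo -i -u postgres psql -c "CREATE ROLE lightning;"
            sudo -i -u postgres psql -c "CREATE DATABASE lightning;"
            sudo -i -u postgres psql -c "ALTER ROLE lightning WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD '$LIGHTNING_DB_PASSWORD';"
            sudo -i -u postgres psql -c "ALTER DATABASE lightning OWNER TO lightning;"
            sudo -i -u postgres psql -c "CREATE ROLE lspd;"
            sudo -i -u postgres psql -c "ALTER ROLE lspd WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS PASSWORD '$LSPD_DB_PASSWORD';"
            sudo -i -u postgres psql -c "CREATE DATABASE lspd WITH TEMPLATE = template0 ENCODING = 'UTF8' LC_COLLATE = 'en_US.UTF-8' LC_CTYPE = 'en_US.UTF-8';"
            sudo -i -u postgres psql -c "ALTER DATABASE lspd OWNER TO lspd;"
            # Restart PostgreSQL to apply changes
            service postgresql restart
            # Create directories under /opt
            sudo mkdir -p /opt/lightning /opt/lspd
            # Install go
            # NOTE(review): the archive is not verified; check it against the
            # SHA256 published on go.dev/dl before extracting.
            wget https://go.dev/dl/go1.20.6.linux-amd64.tar.gz
            sudo tar -C /usr/local -xzf go1.20.6.linux-amd64.tar.gz
            echo "export PATH=$PATH:/usr/local/go/bin" | sudo tee -a /etc/bash.bashrc
            source /etc/bash.bashrc
            # Install rust (pipes a remotely fetched script into sh; pin a
            # rustup version and verify it if this is a concern here)
            curl https://sh.rustup.rs -sSf | sh -s -- -y
            # Install bitcoin
            # NOTE(review): verify the tarball against the signed SHA256SUMS
            # published with the release before installing it.
            wget https://bitcoincore.org/bin/bitcoin-core-25.0/bitcoin-25.0-x86_64-linux-gnu.tar.gz -O /opt/bitcoin.tar.gz
            tar -xzf /opt/bitcoin.tar.gz -C /opt/
            cd /opt/bitcoin-*/bin
            sudo install -m 0755 -t /usr/local/bin *
            cat <<EOL | sudo tee /etc/systemd/system/bitcoind.service
            [Unit]
            Description=Bitcoin daemon
            After=network.target
            [Service]
            WorkingDirectory=/var/lib/bitcoind
            ExecStart=bitcoind -pid=/run/bitcoind/bitcoind.pid -conf=/etc/bitcoin/bitcoin.conf
            PermissionsStartOnly=true
            ExecStartPre=/bin/chgrp bitcoin /var/lib/bitcoind
            Type=forking
            PIDFile=/run/bitcoind/bitcoind.pid
            Restart=on-failure
            TimeoutStartSec=infinity
            TimeoutStopSec=600
            User=bitcoin
            Group=bitcoin
            RuntimeDirectory=bitcoind
            RuntimeDirectoryMode=0710
            ConfigurationDirectory=bitcoin
            StateDirectory=bitcoind
            StateDirectoryMode=0710
            PrivateTmp=true
            ProtectSystem=full
            ProtectHome=true
            NoNewPrivileges=true
            PrivateDevices=true
            MemoryDenyWriteExecute=true
            [Install]
            WantedBy=multi-user.target
            EOL
            # cat to a bitcoin.conf file
            RPCPASSWORD=$(</dev/urandom tr -dc 'A-Za-z0-9' | head -c 20)
            echo "### Bitcoin Configuration ###" >> "$CREDENTIALS"
            echo "rpcuser: cln" >> "$CREDENTIALS"
            echo "rpcpassword: $RPCPASSWORD" >> "$CREDENTIALS"
            sudo mkdir /etc/bitcoin/
            sudo touch /etc/bitcoin/bitcoin.conf
            # The file carries the RPC password: keep it out of the log and
            # console output, and readable only by the bitcoin group.
            cat <<EOL | sudo tee /etc/bitcoin/bitcoin.conf > /dev/null
            txindex=1
            daemon=1
            datadir=/var/lib/bitcoind
            startupnotify='systemd-notify --ready'
            shutdownnotify='systemd-notify --stopping'
            rpcuser=cln
            rpcpassword=$RPCPASSWORD
            minrelaytxfee=0.00000000
            incrementalrelayfee=0.00000010
            zmqpubrawblock=tcp://127.0.0.1:28332
            zmqpubrawtx=tcp://127.0.0.1:28333
            EOL
            chown -R bitcoin:bitcoin /etc/bitcoin
            chmod 755 /etc/bitcoin
            chmod 640 /etc/bitcoin/bitcoin.conf
            sudo mkdir /home/lightning/.bitcoin/
            sudo mkdir /root/.bitcoin/
            sudo ln -s /etc/bitcoin/bitcoin.conf /home/lightning/.bitcoin/bitcoin.conf
            sudo ln -s /etc/bitcoin/bitcoin.conf /root/.bitcoin/bitcoin.conf
            ###################################
            ######## Install lightning ########
            ###################################
            sudo mkdir /home/lightning/.lightning/
            sudo mkdir /etc/lightningd
            # The file carries the bitcoind RPC password and the wallet DB
            # password: keep it out of the log and readable only by root and
            # the lightning group.
            # NOTE(review): `developer` and `dev-allowdustreserve=true` enable
            # CLN developer-mode behaviour; confirm the lspd plugin needs them
            # before running this on mainnet.
            cat <<EOL | sudo tee /etc/lightningd/lightningd.conf > /dev/null
            developer
            bitcoin-rpcuser=cln
            bitcoin-rpcpassword=$RPCPASSWORD
            bitcoin-rpcconnect=127.0.0.1
            bitcoin-rpcport=8332
            addr=:9735
            bitcoin-retry-timeout=3600
            alias="${LSPName}"
            wallet=postgres://lightning:$LIGHTNING_DB_PASSWORD@localhost:5432/lightning
            plugin=/home/lightning/.lightning/plugins/lspd_cln_plugin
            lsp-listen=127.0.0.1:12312
            grpc-port=12313
            max-concurrent-htlcs=30
            dev-allowdustreserve=true
            log-file=/var/log/lightningd/lightningd.log
            EOL
            chmod 755 /etc/lightningd/
            chown root:lightning /etc/lightningd/lightningd.conf
            chmod 640 /etc/lightningd/lightningd.conf
            git clone https://github.com/ElementsProject/lightning.git /opt/lightning
            cd /opt/lightning
            git checkout v24.02.1
            ./configure
            make
            make install
            cat <<EOL | sudo tee /etc/systemd/system/lightningd.service
            [Unit]
            Description=Lightning Network Daemon (lightningd)
            Wants=network-online.target
            After=network.target
            [Service]
            ExecStart=/usr/local/bin/lightningd --daemon --conf /etc/lightningd/lightningd.conf --pid-file=/run/lightningd/lightningd.pid
            MemoryDenyWriteExecute=true
            NoNewPrivileges=true
            PrivateDevices=true
            Type=forking
            PrivateTmp=true
            ProtectSystem=full
            Restart=on-failure
            User=lightning
            Group=lightning
            RuntimeDirectory=lightningd
            ConfigurationDirectory=lightningd
            LogsDirectory=lightningd
            [Install]
            WantedBy=multi-user.target
            EOL
            # Install lspd
            # NOTE(review): this builds whatever the default branch points at
            # when the stack is created; pin a release tag or commit (e.g.
            # `git checkout <PINNED_LSPD_REF>`) so deployments are reproducible.
            git clone https://github.com/breez/lspd.git /opt/lspd
            cd /opt/lspd
            source /etc/bash.bashrc
            export PATH=$PATH:/usr/local/go/bin
            sudo env "PATH=$PATH" make release-all
            sudo cp lspd /usr/local/bin/
            sudo mkdir /home/lightning/.lightning/plugins
            sudo cp lspd_cln_plugin /home/lightning/.lightning/plugins/
            # The [Install] section is required for `systemctl enable` below
            # to work; without it lspd would not start again after a reboot.
            cat <<EOL | sudo tee /etc/systemd/system/lspd.service
            [Unit]
            Description=Lightning Service Daemon (lspd)
            After=network.target
            [Service]
            User=lspd
            EnvironmentFile=/home/lspd/.env
            WorkingDirectory=/opt/lspd
            ExecStart=/usr/local/bin/lspd
            Restart=on-failure
            RestartSec=5
            NoNewPrivileges=true
            PrivateTmp=true
            [Install]
            WantedBy=multi-user.target
            EOL
            sudo chown -R lightning:lightning /home/lightning/
            sudo systemctl daemon-reload
            sudo systemctl enable bitcoind.service
            sudo systemctl enable lspd.service
            sudo systemctl enable lightningd.service
            sudo systemctl start bitcoind.service
            sudo systemctl start lightningd.service
            # give lightningd time to create its wallet before reading hsm_secret
            sleep 60
            echo "### Lightning Credentials ###" >> "$CREDENTIALS"
            sudo echo "cln hsm_secret backup:" >> "$CREDENTIALS"
            sudo xxd /home/lightning/.lightning/bitcoin/hsm_secret >> "$CREDENTIALS"
            # Post install
            PUBKEY=$(sudo -u lightning lightning-cli getinfo | jq .id | cut -d "\"" -f 2)
            LSPD_PRIVATE_KEY=$(lspd genkey | awk -F= '{print $2}' | cut -d "\"" -f 2)
            TOKEN=$(lspd genkey | awk -F= '{print $2}' | cut -d "\"" -f 2)
            # Public address advertised to clients. Ask the instance metadata
            # service (IMDSv2) first and only fall back to the third-party
            # plain-HTTP lookup if no public IPv4 is reported.
            # NOTE(review): the Elastic IP is attached by EIPAssociation after
            # the instance exists, so whichever address is current at this
            # point is recorded -- compare it with the stack's EIP afterwards.
            IMDS_TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
            EXTERNAL_IP=$(curl -sf -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" http://169.254.169.254/latest/meta-data/public-ipv4)
            if [ -z "$EXTERNAL_IP" ]; then
              EXTERNAL_IP=$(curl -s http://whatismyip.akamai.com/)
            fi
            echo "### LSPD Credentials ###" >> "$CREDENTIALS"
            echo "token: $TOKEN" >> "$CREDENTIALS"
            echo "lspd_private_key: $LSPD_PRIVATE_KEY" >> "$CREDENTIALS"
            # The file carries the lspd private key, client tokens and the DB
            # password: keep it out of the log and readable only by root
            # (systemd loads it) and lspd.
            # NOTE(review): the AWS_* entries are static credentials used for
            # lspd's notification e-mails; an instance profile would avoid
            # storing long-lived keys on disk.
            # The cln cert paths use the `bitcoin` network directory, the same
            # one hsm_secret is read from above (CLN names the mainnet
            # subdirectory `bitcoin`, not `mainnet`).
            cat <<EOL | sudo tee /home/lspd/.env > /dev/null
            LISTEN_ADDRESS=0.0.0.0:8888
            LSPD_PRIVATE_KEY="$LSPD_PRIVATE_KEY"
            AWS_REGION="<REPLACE ME>"
            AWS_ACCESS_KEY_ID="<REPLACE ME>"
            AWS_SECRET_ACCESS_KEY="<REPLACE ME>"
            DATABASE_URL="postgres://lspd:$LSPD_DB_PASSWORD@localhost/lspd"
            OPENCHANNEL_NOTIFICATION_TO='["REPLACE ME <[email protected]>"]'
            OPENCHANNEL_NOTIFICATION_CC='["REPLACE ME <[email protected]>"]'
            OPENCHANNEL_NOTIFICATION_FROM="[email protected]"
            CHANNELMISMATCH_NOTIFICATION_TO='["REPLACE ME <[email protected]>"]'
            CHANNELMISMATCH_NOTIFICATION_CC='["REPLACE ME <[email protected]>"]'
            CHANNELMISMATCH_NOTIFICATION_FROM="[email protected]"
            MEMPOOL_API_BASE_URL=https://mempool.space/api/v1/
            MEMPOOL_PRIORITY=economy
            NODES='[ { "name": "${LSPName}", "nodePubkey": "$PUBKEY", "lspdPrivateKey": "$LSPD_PRIVATE_KEY", "tokens": ["$TOKEN"], "host": "$EXTERNAL_IP:9735", "targetConf": "6", "minConfs": "6", "minHtlcMsat": "600", "baseFeeMsat": "1000", "feeRate": "0.000001", "timeLockDelta": "144", "channelFeePermyriad": "40", "channelMinimumFeeMsat": "2000000", "additionalChannelCapacity": "100000", "maxInactiveDuration": "3888000", "cln": { "pluginAddress": "127.0.0.1:12312", "grpcAddress": "127.0.0.1:12313", "caCert": "/home/lightning/.lightning/bitcoin/ca.pem", "clientCert": "/home/lightning/.lightning/bitcoin/client.pem", "clientKey": "/home/lightning/.lightning/bitcoin/client-key.pem" } } ]'
            EOL
            chown root:lspd /home/lspd/.env
            chmod 640 /home/lspd/.env
            sudo systemctl start lspd.service
            echo "Installation complete"
            sudo chmod 400 /home/lspd/credentials.txt
            echo "Make sure to backup the credentials.txt file that can be found at /home/lspd/credentials.txt"
      SecurityGroupIds:
        - !GetAtt EC2SecurityGroup.GroupId
      Tags:
        - Key: Name
          Value: lspd
  # EC2 Elastic IP: stable public address for the node
  EIP:
    Type: 'AWS::EC2::EIP'
    Properties:
      Tags:
        - Key: Name
          Value: lspd
  # EC2 Elastic IP Association: attaches the EIP once the instance exists
  EIPAssociation:
    Type: 'AWS::EC2::EIPAssociation'
    Properties:
      InstanceId: !Ref EC2Instance
      EIP: !Ref EIP
  # EC2 Security Group: inbound rules only; egress is left at the default
  # (allow all), which the UserData script needs for package downloads.
  EC2SecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref VPCID
      GroupDescription: Security Group for EC2 instance
      SecurityGroupIngress:
        # TODO(review): this is a single hard-coded operator address; move it
        # to a parameter (e.g. SSHLocation with a CIDR AllowedPattern) so the
        # template is reusable without editing it.
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 84.255.203.183/32
          Description: SSH from the operator address
        - IpProtocol: tcp
          FromPort: 9735
          ToPort: 9735
          CidrIp: 0.0.0.0/0
          Description: Lightning peer-to-peer (lightningd addr=:9735)
        # NOTE(review): the generated .env configures LISTEN_ADDRESS without
        # any TLS settings; confirm how lspd protects this endpoint or place
        # a TLS terminator in front of it before exposing it world-wide.
        - IpProtocol: tcp
          FromPort: 8888
          ToPort: 8888
          CidrIp: 0.0.0.0/0
          Description: lspd gRPC API (LISTEN_ADDRESS 0.0.0.0:8888)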