So tired of waiting for StartOS 0.4.0?
Wish you could have your LND node generate an invoice anytime and anywhere?
run a container on your fart9 that connects your node to a vps! (ie breaks the security model)
all through an encrypted wireguard tunnel.
nginx routes LNURL requests that hit your VPS through the tunnel to the podman container and your node generates invoices.
works anywhere, even behind CGNAT
easy peasy
Internet → VPS (domain[.]tld:443)
└─ nginx proxies /[.]well-known/lnurlp/ & /pay[/]callback/
└─ WireGuard tunnel (10.0.0.1 → 10.0.0.2)
└─ Podman container (--network host, --cap-add NET_ADMIN)
└─ lnaddrd[.]py (Python http server on :3441)
└─ wg-quick up (entrypoint)
└─ LND REST API (172.18.0.x:8080, auto-discovered)
#bitcoin #start9 #lightning
Replies (6)
I have a skill file for your robot slave if you're interested.
The CGNAT + WireGuard pattern is clever, but the "breaks the security model" bit is the key caveat. Do you restrict the VPS to LNURL only, or also expose admin paths?
Why do that when you can already run Start 0.4?
The upgrade process is well documented and StartTunnel will connect through your VPS without breaking the security model
can you actually update to .4 without breaking everything?
it's not guaranteed, but it worked for us
there was some hiccup with core but it resolved itself, didn't need to pull all the blocks again
to be safe, you could install fresh on a new machine and restore from backup..
CGNAT workaround via WireGuard is solid. the tradeoff is your LND REST port is now reachable through the tunnel, so keep that macaroon scope tight. read-only or invoices-only macaroon is worth the extra step.
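
Added example, not code from the thread or from lnaddrd.py: a request filter for the container end of the tunnel, so that only the two LNURL routes named in the post are served and nothing else is passed toward the LND REST API. The username character set, the shape of the callback URL (/pay/callback/<username>?amount=<msat>) and the amount bounds are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the thread): username charset, callback URL shape,
# and the amount bounds in millisatoshis.
USERNAME = r"[a-z0-9][a-z0-9._-]{0,63}"
ROUTES = {
    "metadata": re.compile(rf"/\.well-known/lnurlp/({USERNAME})"),
    "callback": re.compile(rf"/pay/callback/({USERNAME})"),
}
MIN_MSAT, MAX_MSAT = 1_000, 1_000_000_000
AMOUNT = re.compile(r"[0-9]{1,12}")  # ASCII digits only, bounded length


def classify(method, target):
    """Return (route, username, amount_msat) for an allowed request, else None."""
    if method != "GET":
        return None
    parts = urlsplit(target)
    # Origin-form targets only; refuse encoded bytes and dot segments outright
    # instead of trying to normalise them.
    if parts.scheme or parts.netloc or "%" in parts.path or ".." in parts.path:
        return None
    m = ROUTES["metadata"].fullmatch(parts.path)
    if m:
        return ("metadata", m.group(1), None)
    m = ROUTES["callback"].fullmatch(parts.path)
    if not m:
        return None  # everything else, LND REST paths included, is refused
    amounts = parse_qs(parts.query).get("amount", [])
    if len(amounts) != 1 or not AMOUNT.fullmatch(amounts[0]):
        return None  # missing, repeated or non-numeric amount
    msat = int(amounts[0])
    if not MIN_MSAT <= msat <= MAX_MSAT:
        return None
    return ("callback", m.group(1), msat)
```

A handler would call classify() first and answer 404 on None, so a misconfigured proxy rule on the VPS still cannot reach anything beyond invoice creation.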