In Nix '' strings, '''' produces a literal ''. The sed pattern
to double single quotes needs this escaping.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Use SQL-standard single quote doubling instead of psql variable
syntax which doesn't work with -c flag.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add explicit 440 permissions to allow postgres group to read the
database password secret, fixing lamassu-postgres-setup service failure.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix SQL injection in PostgreSQL password setup by using psql's
parameterized variable syntax (:'password') instead of direct
string interpolation
- Change skip2FA default to false for secure-by-default behavior
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
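The three most recent commits above describe one fix in stages: the password was first passed to psql as the `:'password'` variable, that was replaced by SQL-standard quote doubling because the commit reports the variable syntax does not work with `-c`, and the sed pattern that does the doubling then had to be escaped inside a Nix `''` string. The shell side of that fix, as an added example that is not code from the lamassu module, looks like this; the `postgres` maintenance database, the secret path and the helper names are assumptions, while the `lamassu` role comes from the commits. The quoting happens in the shell before `psql` ever sees the statement, so the only rule that matters is the SQL one, however the statement is delivered.

```shell
#!/usr/bin/env sh
# Added example, not the module's own code: build the SQL that sets the
# database role's password from a secret file so it can be run with
# `psql -c`. Quoting is done here, before psql is invoked, by the
# SQL-standard doubling of embedded quotes.

# sql_literal STRING: print STRING as a single-quoted SQL literal with every
# embedded ' doubled. With standard_conforming_strings (the PostgreSQL
# default) backslashes are ordinary characters, so nothing else is escaped.
sql_literal() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# sql_ident NAME: print NAME as a double-quoted SQL identifier, doubling ".
sql_ident() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# set_password_sql ROLE PASSWORD: the complete statement, both parts quoted.
set_password_sql() {
    printf 'ALTER ROLE %s WITH PASSWORD %s;' \
        "$(sql_ident "$1")" "$(sql_literal "$2")"
}

# read_secret FILE: first line of the secret file. Callers use it through
# $(...), which drops the trailing newline that generators leave behind and
# that would otherwise become part of the password.
read_secret() {
    head -n 1 "$1"
}

# apply_password ROLE SECRET_FILE: run as the postgres superuser (not
# exercised here). ON_ERROR_STOP turns a failed ALTER into a non-zero exit so
# the systemd unit fails visibly instead of leaving the old password in place.
apply_password() {
    psql -v ON_ERROR_STOP=1 -d postgres \
        -c "$(set_password_sql "$1" "$(read_secret "$2")")"
}
```

A password such as `O'Brien` becomes the literal `'O''Brien'`, and the statement text that reaches the server is exactly one `ALTER ROLE`, whatever characters the generated secret contains.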
- Add services.lamassu-server.mode option (default: development)
- NODE_ENV is now set based on mode in all services
- Development mode uses port 3001 for admin UI registration URLs
- Production mode uses standard HTTPS port (443)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove redundant source path from ReadWritePaths (already under dataDir)
- Remove gnused from build path (unused)
- Remove unused logs directory from tmpfiles
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
pnpm rebuild always fails due to signal handling issues and we
ignore the failure anyway. Since we explicitly rebuild the
problematic native modules (node-expat, iconv, argon2), the
pnpm rebuild step is unnecessary.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The build service only needs write access to the data directory.
Re-enable ProtectSystem, ProtectHome, NoNewPrivileges with
ReadWritePaths to allow writes to /var/lib/lamassu-server.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
argon2 uses node-pre-gyp instead of node-gyp for building.
Split the native module rebuild logic to handle this correctly.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add bash to PATH so node-gyp can find sh for native module builds
- Use setsid --wait for turbo build to isolate from signal propagation
(prevents pnpm's exit code -2 when turbo calls pnpm run build)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
pnpm rebuild often fails to properly build node-expat, iconv, and
argon2 native modules. This adds an explicit loop to rebuild these
specific modules using node-gyp after the general pnpm rebuild.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add lamassu-build systemd service that clones the lamassu-server repo
directly on the target and builds it. This makes the module self-contained
with no external deployment of source code required.
New options:
- source.url: Git repository URL (default: git.atitlan.io/aiolabs/lamassu-server)
- source.ref: Git ref to checkout (default: main)
The build service:
- Clones repo on first run, fetches updates on subsequent runs
- Only rebuilds when source changes or build artifacts are missing
- Source is stored in ${dataDir}/source
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace password-based TCP auth with Unix socket peer authentication:
- Remove lamassu-db-password secret (no password needed)
- Remove lamassu-postgres-setup service entirely
- Use DATABASE_URL with Unix socket: postgresql://user@/db?host=/run/postgresql
- Remove POSTGRES_HOST, POSTGRES_PORT, POSTGRES_PASSWORD env vars
This follows the same pattern as btcpayserver and simplifies the module
significantly. Peer auth uses OS-level user authentication via Unix socket.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace hardcoded database password with nix-bitcoin secrets pattern:
- Add lamassu-db-password secret (readable by lamassu user and postgres)
- Generate random 20-char password using makePasswordSecret
- Read password at runtime in service wrapper scripts
- Update lamassu-postgres-setup to read password from secrets
- Update helper scripts to read password at runtime
The password is now automatically generated on first deploy and stored
in ${secretsDir}/lamassu-db-password.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The hostname is embedded in the pairing QR code and tells ATMs where to
connect. Added a TODO to consider auto-populating certificate.extraIPs
from hostname when it's an IP address.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Current state:
- Admin UI runs on port 443 (hardcoded in upstream)
- devMode and nginx options commented out (would conflict with port 443)
- adminPort option removed (not configurable in upstream)
Future implementation documented in docs/lamassu-future-nginx.md:
- Add --ui-port flag to upstream lamassu-server
- Re-enable devMode, adminPort, and nginx options
- Allow nginx as reverse proxy on 443 with admin UI on internal port
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The serverPort option was not being passed to lamassu-server,
so the port was always defaulting to 3000 regardless of config.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Clarify adminPort is only used in dev mode (port 8070)
- Production mode always uses port 443 (hardcoded upstream)
- Remove unused ADMIN_SERVER_PORT env var (not read by upstream)
- Fix status script to show correct port and use https
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace runtime SSL generation with nix-bitcoin secrets integration
- Add certificate.extraIPs and certificate.extraDomains options (same pattern as LND)
- Certificates auto-regenerate when SAN configuration changes
- Add certPath and keyPath read-only options
- Update nginx and services to use secrets from secretsDir
- Add nix-bitcoin-secrets.target dependency
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
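Two of the commits above rely on the same idea: the build service "only rebuilds when source changes or build artifacts are missing", and the certificates "auto-regenerate when SAN configuration changes". Both are the stamp-file pattern, where a fingerprint of the inputs is recorded after a successful run and compared on the next one. The following is an added example of that check, not code from the lamassu module or nix-bitcoin; the stamp file names, the `dist` output directory and the pnpm build command are assumptions, and it generalizes the two commits into one helper used for both.

```shell
#!/usr/bin/env sh
# Added example, not code from the lamassu module: the "regenerate only when
# the input changed or the output is missing" check that both the source build
# service (fingerprint = git commit of the checkout) and the certificate
# generation (fingerprint = the SAN set) need. File names are assumptions.

# needs_regen ARTIFACT STAMP FINGERPRINT
# True (exit 0) when ARTIFACT must be (re)built: it is missing, no STAMP has
# been written, or STAMP records a different FINGERPRINT than the current one.
needs_regen() {
    artifact=$1; stamp=$2; fingerprint=$3
    [ -e "$artifact" ] || return 0
    [ -f "$stamp" ] || return 0
    [ "$(cat "$stamp")" = "$fingerprint" ] || return 0
    return 1
}

# record_stamp STAMP FINGERPRINT
# Written only after the build or key generation succeeded, and renamed into
# place atomically, so an interrupted run never leaves a stamp that claims the
# artifact is current.
record_stamp() {
    printf '%s\n' "$2" > "$1.tmp" && mv "$1.tmp" "$1"
}

# san_fingerprint "DOMAIN ..." "IP ..."
# Order-independent fingerprint of the SAN set. The two lists are space
# separated and intentionally unquoted so the shell splits them; sorting in
# the C locale keeps the result stable across systems, so merely reordering
# certificate.extraDomains / certificate.extraIPs does not churn the key.
san_fingerprint() {
    printf '%s\n' $1 $2 | LC_ALL=C sort -u | tr '\n' ','
}

# build_source DIR URL REF
# Clone on the first run, fetch afterwards, and run the build only when the
# checked-out commit differs from the one recorded after the last successful
# build or the build output is gone. REF is a branch or tag. Needs git and
# pnpm on PATH; not exercised by the tests, and the build command stands in
# for whatever the project's real build step is.
build_source() {
    dir=$1; url=$2; ref=$3
    if [ ! -d "$dir/.git" ]; then
        git clone --branch "$ref" "$url" "$dir"
    else
        git -C "$dir" fetch --quiet origin "$ref"
        git -C "$dir" checkout --quiet --detach FETCH_HEAD
    fi
    rev=$(git -C "$dir" rev-parse HEAD)
    if needs_regen "$dir/dist" "$dir/.build-stamp" "$rev"; then
        (cd "$dir" && pnpm install --frozen-lockfile && pnpm run build) \
            && record_stamp "$dir/.build-stamp" "$rev"
    fi
}
```

For the certificate case the same check is `needs_regen "$keyPath" "$stampPath" "$(san_fingerprint "$domains" "$ips")"`, with `record_stamp` called after the new key and certificate are in place. Anything else that should force regeneration, such as the key algorithm, can simply be appended to the fingerprint string.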