Web app
We install Ride The Lightning, a powerful web interface to manage your Lightning node.
Table of contents
Preparations
Install Node.js
Starting with user “admin”, we add the Node.js package repository. If you installed BTC RPC Explorer, then you’ve already accomplished this step.
- Install Node.js (LTS version) using nodesource distributions
-
Download and import the Nodesource GPG key
$ sudo apt-get update $ sudo apt-get install -y ca-certificates curl gnupg $ sudo mkdir -p /etc/apt/keyrings $ curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg -
Create deb repository
$ NODE_MAJOR=20 $ echo "deb [arch=arm64 signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | sudo tee /etc/apt/sources.list.d/nodesource.list -
Update apt and install Node.js using the apt package manager
$ sudo apt-get update $ sudo apt-get install nodejs -y
Firewall & reverse proxy
In the Security section, we already set up NGINX as a reverse proxy. Now we can add the RTL configuration.
-
Enable NGINX reverse proxy to route external encrypted HTTPS traffic internally to RTL
$ sudo nano /etc/nginx/streams-enabled/rtl-reverse-proxy.confupstream rtl { server 127.0.0.1:3000; } server { listen 4001 ssl; proxy_pass rtl; } -
Test and reload NGINX configuration
$ sudo nginx -t $ sudo systemctl reload nginx -
Configure firewall to allow incoming HTTPS requests:
$ sudo ufw allow 4001/tcp comment 'allow RTL SSL' $ sudo ufw status
Ride the Lightning
Installation
We do not want to run Ride the Lightning alongside bitcoind and lnd because of security reasons. For that we will create a separate user and we will be running the code as the new user. We are going to install Ride the Lightning in the home directory since it doesn’t take much space and doesn’t use a database.
- Create a new user, copy the LND credentials and open a new session
$ sudo adduser --disabled-password --gecos "" rtl $ sudo cp /data/lnd/data/chain/bitcoin/mainnet/admin.macaroon /home/rtl/admin.macaroon $ sudo chown rtl:rtl /home/rtl/admin.macaroon $ sudo su - rtl -
Download the PGP keys that are used to sign the software release
$ curl https://keybase.io/suheb/pgp_keys.asc | gpg --import > gpg: key 00C9E2BC2E45666F: public key "saubyk (added uid) <39208279+saubyk@users.noreply.github.com>" imported -
Retrieve the source code repository, check for the latest release and verify the code signature
$ git clone https://github.com/Ride-The-Lightning/RTL.git $ cd RTL $ git tag | grep -E "v[0-9]+.[0-9]+.[0-9]+$" | sort --version-sort | tail -n 1 > v0.15.0 $ git checkout v0.15.0 $ git verify-tag v0.15.0 > gpg: Signature made Thu 07 Dec 2023 05:40:57 AM CET > gpg: using RSA key 3E9BD4436C288039CA827A9200C9E2BC2E45666F > gpg: Good signature from "saubyk (added uid) <39208279+saubyk@users.noreply.github.com>" [unknown] > gpg: aka "Suheb <39208279+saubyk@users.noreply.github.com>" [unknown] > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: 3E9B D443 6C28 8039 CA82 7A92 00C9 E2BC 2E45 666F -
Now install RTL through the Node Package Manager (NPM). Downloading all dependencies can sometimes be very slow, so be patient and let the process run its course.
$ npm install --omit=dev
The installation can take some time, and can hang on a single package for a long time. If that happens, just be patient and wait a bit longer. If anything’s wrong, it will time out sooner or later.
-
Also, there might be a lot of confusing output. If you something similar to the following at the end, installation was successful:
[...] added 362 packages, and audited 363 packages in 12m 24 packages are looking for funding run `npm fund` for details found 0 vulnerabilities
Configuration
Now we take the sample configuration file and add change it to our needs.
-
Copy the sample config file, and open it in the text editor.
$ cp Sample-RTL-Config.json ./RTL-Config.json $ nano RTL-Config.json -
Set password [E] to access the RTL web interface. This should be a dedicated password not used anywhere else.
"multiPass": "YourPassword[E]" -
Specify the values where RTL can find the authentication macaroon file and the LND configuration
"macaroonPath": "/home/rtl" "configPath": "/data/lnd/lnd.conf" -
Change
localhostto127.0.0.1on the following lines to avoid errors"lnServerUrl": "https://127.0.0.1:8080" "swapServerUrl": "https://127.0.0.1:8081" "boltzServerUrl": "https://127.0.0.1:9003" -
Save and exit
First start
Test starting “Ride the Lightning” manually first to make sure it works.
$ cd /home/rtl/RTL
$ node rtl
> Server is up and running, please open the UI at http://localhost:3000
Now point your browser to the secure access point provided by the NGINX web proxy, for example https://raspibolt.local:4001 (or your nodes ip address, e.g. https://192.168.0.20:4001).
Your browser will display a warning, because we use a self-signed SSL certificate. There’s nothing we can do about that, because we would need a proper domain name (e.g. https://yournode.com) to get an official certificate which browsers recognize. Click on “Advanced” and proceed to the RTL web interface.
If everything worked, stop RTL in the terminal with CTRL-C and exit the “rtl” user session.
$ exit
Autostart on boot
Now we’ll make sure Ride The Lightning starts as a service on the Raspberry Pi so it’s always running. In order to do that, we create a systemd unit that starts the service on boot directly after LND.
-
As user “admin”, create the service file.
$ sudo nano /etc/systemd/system/rtl.service -
Paste the following configuration. Save and exit.
# RaspiBolt: systemd unit for Ride the Lightning # /etc/systemd/system/rtl.service [Unit] Description=Ride the Lightning After=lnd.service [Service] WorkingDirectory=/home/rtl/RTL ExecStart=/usr/bin/node rtl User=rtl Restart=always RestartSec=30 [Install] WantedBy=multi-user.target -
Enable the service, start it and check log logging output.
$ sudo systemctl enable rtl $ sudo systemctl start rtl $ sudo journalctl -f -u rtl
Optional
Remote access over Tor
You can easily add a Tor hidden service on the RaspiBolt and access the Ride the Lightning interface with the Tor browser from any device.
-
Add the following three lines in the section for “location-hidden services” in the
torrcfile. Save and exit$ sudo nano /etc/tor/torrc############### This section is just for location-hidden services ### # Hidden Service RTL HiddenServiceDir /var/lib/tor/hidden_service_rtl/ HiddenServiceVersion 3 HiddenServicePort 80 127.0.0.1:3000Update Tor configuration changes and get your connection address.
$ sudo systemctl reload tor $ sudo cat /var/lib/tor/hidden_service_rtl/hostname > abcefg...................zyz.onion
With the Tor browser (link this), you can access this onion address from any device.
Congratulations! You now have Ride the Lightning running to manage your Lightning service on our own node.
Enable 2-Factor-Authentication
If you want to be extra careful, you can enable 2FA for access to your RTL interface.
- Log in to RTL
- Click on the RTL logo top right, and choose “Settings”
- Select the “Authentication” tab and click on the “Enable 2FA” button
- Follow the instructions, using a 2FA app like Google Authenticator or Authy
For the future: RTL upgrade
Updating to a new release is straight-forward. Make sure to read the release notes first.
-
From user “admin”, stop the service and open a “rtl” user session.
$ sudo systemctl stop rtl $ sudo su - rtl -
Fetch the latest GitHub repository information, display the latest release tag, ignoring release candidates and update:
$ cd /home/rtl/RTL $ git fetch $ git reset --hard $ latest=$(git tag | grep -E "v[0-9]+.[0-9]+.[0-9]+$" | sort --version-sort | tail -n 1); echo $latest $ git checkout $latest $ git verify-tag $latest $ npm install --omit=dev $ exit -
Start the service again.
$ sudo systemctl start rtl $ sudo journalctl -f -u rtl
Next: Mobile app »