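# SatoshiAPI Cluster Node Kit — Docker Compose
# Runs LND (mainnet) + Tor. Optionally includes bitcoind for a full node.
#
# Usage:
#   Light (lnd + tor only, Neutrino):  docker compose up -d
#   Full node (bitcoin + lnd + tor):   docker compose --profile full up -d
#
# Ports published on the host:
#   9735  — LND peer-to-peer (Lightning), all interfaces
#   10009 — LND gRPC (localhost only)
#   8080  — LND REST API (localhost only)
#   Full profile only:
#   8333  — bitcoind peer-to-peer, all interfaces
#   8332  — bitcoind RPC (localhost only)
#   28332 / 28333 — bitcoind ZMQ (localhost only)
#
# NOTE: `version` key is omitted intentionally — it is deprecated in
# Docker Compose v2 and causes warnings on every command.

services:
  # ─────────────────────────────────────────────
  # Tor SOCKS proxy for LND privacy
  # ─────────────────────────────────────────────
  #
  # Image: peterdavehello/tor-socks-proxy provides a Tor SOCKS5 proxy
  # on port 9150 (container-internal). LND connects to this for
  # outbound Tor traffic and hidden service creation.
  #
  # ⚠️ NOTE: This image exposes Tor SOCKS on port 9150 (not the standard 9050).
  # The lnd.conf tor.socks= setting must match: tor:9150
  #
  # NOTE(review): LND registers an onion service through Tor's control port,
  # not through SOCKS. Confirm ./tor/torrc enables a control port that lnd can
  # reach on lnnet if inbound onion connectivity is expected.
  #
  # No `ports:` entry on purpose: the proxy is reachable only from containers
  # attached to lnnet, never from the host's network interfaces.
  tor:
    # NOTE(review): `:latest` is a mutable tag, so every pull can silently
    # change the binary that carries all of LND's outbound traffic. Pin a
    # release tag or an immutable digest, e.g.
    #   peterdavehello/tor-socks-proxy@sha256:<digest-you-have-verified>
    image: peterdavehello/tor-socks-proxy:latest
    container_name: satoshi-tor
    restart: unless-stopped
    volumes:
      - tor_data:/var/lib/tor
      - ./tor/torrc:/etc/tor/torrc:ro
    networks:
      - lnnet

  # ─────────────────────────────────────────────
  # LND — Lightning Network Daemon (mainnet)
  # ─────────────────────────────────────────────
  lnd:
    image: lightninglabs/lnd:v0.18.3-beta
    container_name: lnd
    restart: unless-stopped
    depends_on:
      - tor
    ports:
      - "9735:9735"  # P2P Lightning — must be public for peer connectivity
      # ⚠️ SECURITY: gRPC and REST are bound to localhost ONLY.
      # Never expose 10009 or 8080 to the internet — macaroon compromise = fund loss.
      # Use `docker exec lnd lncli ...` or SSH tunnels for remote access.
      - "127.0.0.1:10009:10009"  # gRPC — localhost only
      - "127.0.0.1:8080:8080"  # REST API — localhost only
    volumes:
      # lnd_data holds the wallet, channel state and macaroons; treat backups
      # and host access to this volume as access to the funds.
      - lnd_data:/root/.lnd
      # Config is mounted read-only so the container cannot rewrite it.
      - ./lnd/lnd.conf:/root/.lnd/lnd.conf:ro
    environment:
      - HOME=/root
    command: lnd --configfile=/root/.lnd/lnd.conf
    networks:
      - lnnet
    healthcheck:
      # `getinfo` needs an unlocked wallet and a readable macaroon, so the
      # container reports unhealthy after a restart until the wallet is
      # unlocked. `restart: unless-stopped` does not act on health status.
      test: ["CMD", "lncli", "--network=mainnet", "getinfo"]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 60s

  # ─────────────────────────────────────────────
  # Bitcoin Core — optional full node backend
  # Enable with: docker compose --profile full up -d
  #
  # Image: lncm/bitcoind is a well-maintained community image.
  # ─────────────────────────────────────────────
  bitcoind:
    image: lncm/bitcoind:v27.1
    container_name: bitcoind
    profiles:
      - full
    restart: unless-stopped
    volumes:
      - bitcoind_data:/root/.bitcoin
    # ⚠️ SECURITY: RPC credentials.
    # The password is read from BITCOIND_RPC_PASSWORD (shell environment or a
    # .env file next to this compose file). The fallback value is the public
    # placeholder from this repository and MUST be replaced before the full
    # profile is started; the matching value in lnd.conf has to be updated
    # with it.
    # Credentials passed as arguments are visible in `docker inspect` and in
    # the process list. Prefer bitcoind's -rpcauth (salted hash) or a
    # bitcoin.conf mounted read-only when hardening this deployment.
    #
    # -rpcbind=0.0.0.0 together with -rpcallowip=172.16.0.0/12 accepts RPC
    # from every address in that private range, which is wider than lnnet.
    # Giving lnnet a fixed subnet and allowing only that subnet is tighter.
    #
    # NOTE(review): confirm this bitcoind build accepts -mainnet; mainnet is
    # already the default chain when no test-network flag is given.
    #
    # (Comments cannot be placed inside the folded scalar below: they would
    # become part of the command line.)
    command: >
      bitcoind
      -server=1
      -txindex=1
      -mainnet=1
      -rpcuser=satoshi
      -rpcpassword=${BITCOIND_RPC_PASSWORD:-changeme_use_strong_password}
      -rpcallowip=172.16.0.0/12
      -zmqpubrawblock=tcp://0.0.0.0:28332
      -zmqpubrawtx=tcp://0.0.0.0:28333
      -rpcbind=0.0.0.0
    ports:
      # ⚠️ SECURITY: RPC port bound to localhost only.
      # LND connects to bitcoind via Docker internal network (service name: bitcoind).
      - "127.0.0.1:8332:8332"  # RPC — localhost only
      - "8333:8333"  # P2P — must be public for full node connectivity
      # ⚠️ SECURITY: ZMQ has no authentication. Containers on lnnet reach it
      # as bitcoind:28332 / bitcoind:28333 without any host mapping, so the
      # host side is bound to localhost instead of every interface.
      - "127.0.0.1:28332:28332"  # ZMQ blocks — localhost only
      - "127.0.0.1:28333:28333"  # ZMQ txs — localhost only
    networks:
      - lnnet

# Single user-defined bridge shared by tor, lnd and bitcoind; services resolve
# each other by service name on it.
networks:
  lnnet:
    driver: bridge

# Named volumes persist across `docker compose down`; they are deleted only by
# `docker compose down -v` or an explicit `docker volume rm`.
volumes:
  lnd_data:
    driver: local
  tor_data:
    driver: local
  bitcoind_data:
    driver: local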