Skip to content

feat: generate the Zallet encryption identity in-container#49

Merged
gustavovalverde merged 2 commits into
mainfrom
feat/in-container-encryption-identity
Jul 2, 2026
Merged

feat: generate the Zallet encryption identity in-container#49
gustavovalverde merged 2 commits into
mainfrom
feat/in-container-encryption-identity

Conversation

@gustavovalverde

@gustavovalverde gustavovalverde commented Jun 26, 2026

Copy link
Copy Markdown
Member

z3 now generates the Zallet age encryption identity in-container instead of shelling out to the external rage/rage-keygen binary on the host. Zallet v0.1.0-alpha.4 added generate-encryption-identity, which produces the identity from the age library Zallet already embeds, so the external tool is no longer a prerequisite.

The identity moves from a host file bind-mounted into the container to the per-network z3-<network>-zallet data volume, written in-container as the Zallet uid. Removing the host secret removes everything that existed to serve it: the rage prerequisite, both identity bind mounts, and the chmod/setfacl ACL handling in setup-network.sh that granted uid 1000 read access. CI drops the jobs that faked rage-keygen and asserted that ACL; it now runs the real command and checks the key lands in the volume owner-only.

The image moves to zodlinc/zallet:v0.1.0-alpha.4 (the publisher changed from electriccoinco). That image ships multiple wallet binaries, so z3 selects /usr/local/bin/zallet-zaino explicitly to keep the existing RPC-backed Zaino architecture instead of the zebra-state backend. The selected zaino-backed binary is currently available on amd64, so Zallet remains pinned to linux/amd64 in Compose.

The distroless image ships no /var/lib/zallet, so a freshly created named volume is root-owned and the uid-1000 process cannot write to it. The init flow chowns the volume to 1000:1000 before writing, which also lets init-wallet-encryption succeed on a fresh volume.

Migration: the identity previously lived outside the volume as a separate file and now lives inside it. The docs already instructed keeping the two together, so routine backup (the volume) is unchanged. Operators who backed up the key file separately should adjust.

Setting up a Z3 wallet no longer needs the external rage/rage-keygen
tool. Zallet v0.1.0-alpha.4 adds `generate-encryption-identity`, which
creates the age identity using the library Zallet already embeds. Z3 now
runs it in-container, writing the identity into the per-network
`z3-<network>-zallet` data volume instead of bind-mounting a host secret.

Removing the host identity file also removes everything that served it:
the rage prerequisite, both identity bind mounts, the chmod/setfacl ACL
handling in setup-network.sh, and the CI shims that faked rage-keygen.
Wallet backup is now just the data volume, which holds both the encrypted
database and the identity that decrypts it.

The image moves to zodlinc/zallet:v0.1.0-alpha.4. It is multi-arch, so the
forced linux/amd64 platform pin is dropped and arm64 hosts run natively.

A freshly created named volume is root-owned, so the init flow chowns it
to the Zallet uid before writing. This is uid-agnostic (always 1000:1000)
and also lets init-wallet-encryption succeed on a fresh volume.
@gustavovalverde

gustavovalverde commented Jun 26, 2026

Copy link
Copy Markdown
Member Author

Resolved by e65883a.

The alpha.4 image now includes /usr/local/bin/zallet-zaino on amd64. This PR selects that binary explicitly and keeps Zallet pinned to linux/amd64, because the arm64 manifest still lacks the zaino-backed binary. The old blocker was the default zallet entrypoint selecting the zebra-state backend; z3 no longer uses that entrypoint.

@gustavovalverde
gustavovalverde marked this pull request as ready for review July 2, 2026 20:24
@gustavovalverde
gustavovalverde merged commit 9ff400a into main Jul 2, 2026
7 checks passed
@gustavovalverde
gustavovalverde deleted the feat/in-container-encryption-identity branch July 2, 2026 20:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant