feat: generate the Zallet encryption identity in-container#49
Merged
Conversation
Setting up a Z3 wallet no longer needs the external rage/rage-keygen tool. Zallet v0.1.0-alpha.4 adds `generate-encryption-identity`, which creates the age identity using the library Zallet already embeds. Z3 now runs it in-container, writing the identity into the per-network `z3-<network>-zallet` data volume instead of bind-mounting a host secret. Removing the host identity file also removes everything that served it: the rage prerequisite, both identity bind mounts, the chmod/setfacl ACL handling in setup-network.sh, and the CI shims that faked rage-keygen. Wallet backup is now just the data volume, which holds both the encrypted database and the identity that decrypts it. The image moves to zodlinc/zallet:v0.1.0-alpha.4. It is multi-arch, so the forced linux/amd64 platform pin is dropped and arm64 hosts run natively. A freshly created named volume is root-owned, so the init flow chowns it to the Zallet uid before writing. This is uid-agnostic (always 1000:1000) and also lets init-wallet-encryption succeed on a fresh volume.
Member
Author
|
Resolved by The alpha.4 image now includes |
gustavovalverde
marked this pull request as ready for review
July 2, 2026 20:24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
z3 now generates the Zallet age encryption identity in-container instead of shelling out to the external
rage/rage-keygenbinary on the host. Zallet v0.1.0-alpha.4 addedgenerate-encryption-identity, which produces the identity from theagelibrary Zallet already embeds, so the external tool is no longer a prerequisite.The identity moves from a host file bind-mounted into the container to the per-network
z3-<network>-zalletdata volume, written in-container as the Zallet uid. Removing the host secret removes everything that existed to serve it: therageprerequisite, both identity bind mounts, and thechmod/setfaclACL handling insetup-network.shthat granted uid 1000 read access. CI drops the jobs that fakedrage-keygenand asserted that ACL; it now runs the real command and checks the key lands in the volume owner-only.The image moves to
zodlinc/zallet:v0.1.0-alpha.4(the publisher changed fromelectriccoinco). That image ships multiple wallet binaries, so z3 selects/usr/local/bin/zallet-zainoexplicitly to keep the existing RPC-backed Zaino architecture instead of the zebra-state backend. The selected zaino-backed binary is currently available on amd64, so Zallet remains pinned tolinux/amd64in Compose.The distroless image ships no
/var/lib/zallet, so a freshly created named volume is root-owned and the uid-1000 process cannot write to it. The init flow chowns the volume to1000:1000before writing, which also letsinit-wallet-encryptionsucceed on a fresh volume.Migration: the identity previously lived outside the volume as a separate file and now lives inside it. The docs already instructed keeping the two together, so routine backup (the volume) is unchanged. Operators who backed up the key file separately should adjust.