raspiblitz/home.admin/config.scripts/bonus.btcpaysetdomain.sh

#!/bin/bash

# script to set up nginx and the SSL certificate for BTCPay Server
# calls the config.scripts/internet.hiddenservice.sh for the Tor connection

HEIGHT=20
WIDTH=73
CHOICE_HEIGHT=2
BACKTITLE="RaspiBlitz"
TITLE=""
MENU="Choose 'DOMAIN' if you want to use a Domain Name or dynamicDNS 
pointing to your public IP.\n
You will need the ports 80, 443 and 9735 forwarded to your RaspiBlitz
and an email address to be used for communication about the SSL certificate.\n\n
Choose 'TOR' if you want to set up BTCPayServer
as a Tor Hidden service and use a self signed SSL certificate.\n\n
Find more information about using the BTCPayServer on the RaspiBlitz here:
https://github.com/openoms/bitcoin-tutorials/tree/master/BTCPayServer"
OPTIONS=(DOMAIN "use a Domain Name or dynamicDNS" \
          TOR "Tor access and a self-signed certificate")

CHOICE=$(dialog --clear \
                --backtitle "$BACKTITLE" \
                --title "$TITLE" \
                --menu "$MENU" \
                $HEIGHT $WIDTH $CHOICE_HEIGHT \
                "${OPTIONS[@]}" \
                2>&1 >/dev/tty)

dialogcancel=$?
echo "done dialog"
clear

# check if user canceled dialog
echo "dialogcancel(${dialogcancel})"
if [ ${dialogcancel} -eq 1 ]; then
  echo "user cancelled"
  exit 1
fi

clear
case $CHOICE in

        DOMAIN)
            echo "setting up with own domain"
            ownDomain=1
            ;;
        TOR) 
            echo "setting up for Tor only"
            ownDomain=0
            ;;
esac

if [ ${#ownDomain} -eq 0 ]; then
  echo "user cancelled"
  exit 1
fi

echo ""
echo "***"
echo "Setting up Nginx and Certbot"
echo "***"
echo ""

if [ $ownDomain -eq 1 ]; then
  echo ""
  echo "***"
  echo "Confirm that the port 80, 443 and 9735 are forwarded to the IP of your RaspiBlitz by pressing [ENTER] or use [CTRL + C] to exit"
  read key
  
  echo ""
  echo "***"
  echo "Type your domain/ddns pointing to your public IP and press [ENTER] or use [CTRL + C] to exit"
  echo "example:"
  echo "btcpay.example.com"
  read YOUR_DOMAIN
  
  echo ""
  echo "***"
  echo "Type an email address that will be used to message about the SSL certificate and press [ENTER] or use [CTRL + C] to exit"
  echo "example:"
  echo "name@email.com"
  read YOUR_EMAIL
  
  echo ""
  echo "***"
  echo "Creating the btcpay user"
  echo "***"
  echo ""

  # install nginx and certbot
  sudo apt-get install nginx-full certbot -y
  
  sudo ufw allow 80 comment 'btcpayserver TCP'
  sudo ufw allow 443 comment 'btcpayserver SSL'
  
  # get SSL cert
  sudo systemctl stop certbot 2>/dev/null
  sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start"

  # set nginx
  sudo rm -f /etc/nginx/sites-enabled/default
  sudo rm -f /etc/nginx/sites-enabled/btcpayserver
  sudo rm -f /etc/nginx/sites-available/btcpayserver
  
  echo "
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map \$http_x_forwarded_proto \$proxy_x_forwarded_proto {
  default \$http_x_forwarded_proto;
  ''      \$scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map \$http_x_forwarded_port \$proxy_x_forwarded_port {
  default \$http_x_forwarded_port;
  ''      \$server_port;
}
# If we receive Upgrade, set Connection to \"upgrade\"; otherwise, delete any
# Connection header that may have been passed to this server
map \$http_upgrade \$proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
#server_names_hash_bucket_size 128;
# Prevent Nginx Information Disclosure
server_tokens off;
# Default dhparam
# Set appropriate X-Forwarded-Ssl header
map \$scheme \$proxy_x_forwarded_ssl {
  default off;
  https on;
}

gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '\$host \$remote_addr - \$remote_user [\$time_local] '
                 '\"\$request\" \$status \$body_bytes_sent '
                 '\"\$http_referer\" \"\$http_user_agent\"';
access_log off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host \$http_host;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection \$proxy_connection;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl \$proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port \$proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy \"\";


server {
    listen 80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
}

server {
  listen 443 ssl;
  server_name $YOUR_DOMAIN;
  ssl on;

  ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
  ssl_prefer_server_ciphers on;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/chain.pem;

  location / {
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_pass http://localhost:23000;
  }
}
" | sudo tee -a /etc/nginx/sites-available/btcpayserver

  sudo ln -s /etc/nginx/sites-available/btcpayserver /etc/nginx/sites-enabled/ 2>/dev/null
  
  sudo systemctl restart nginx
  
  echo ""
  echo "***"
  echo "Setting up certbot-auto renewal service"
  echo "***"
  echo ""
  
  sudo rm -f /etc/systemd/system/certbot.timer
  echo "
[Unit]
Description=Certbot-auto renewal service

[Timer]
OnBootSec=20min
OnCalendar=*-*-* 4:00:00

[Install]
WantedBy=timers.target
" | sudo tee -a /etc/systemd/system/certbot.timer

  sudo rm -f /etc/systemd/system/certbot.service
  echo "
[Unit]
Description=Certbot-auto renewal service
After=bitcoind.service

[Service]
WorkingDirectory=/home/admin/
ExecStart=sudo certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\"

User=admin
Group=admin
Type=simple
KillMode=process
TimeoutSec=60
Restart=always
RestartSec=60
" | sudo tee -a /etc/systemd/system/certbot.service

  sudo systemctl enable certbot.timer
    
elif [ $ownDomain -eq 0 ]; then
  YOUR_DOMAIN=localhost
  
  # disable certbot
  sudo systemctl stop certbot.timer 2>/dev/null
  sudo systemctl disable certbot.timer 2>/dev/null
  sudo systemctl stop certbot 2>/dev/null
  sudo systemctl disable certbot 2>/dev/null
  
  # create a self-signed ssl certificate
  /home/admin/config.scripts/internet.selfsignedcert.sh
  
  # allow the HTTPS connection through the firewall
  sudo ufw allow 443 comment 'Nginx'

  # set nginx
  sudo rm -f /etc/nginx/sites-enabled/default
  sudo rm -f /etc/nginx/sites-enabled/btcpayserver
  sudo rm -f /etc/nginx/sites-available/btcpayserver
  
  echo "
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map \$http_x_forwarded_proto \$proxy_x_forwarded_proto {
  default \$http_x_forwarded_proto;
  ''      \$scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map \$http_x_forwarded_port \$proxy_x_forwarded_port {
  default \$http_x_forwarded_port;
  ''      \$server_port;
}
# If we receive Upgrade, set Connection to \"upgrade\"; otherwise, delete any
# Connection header that may have been passed to this server
map \$http_upgrade \$proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
#server_names_hash_bucket_size 128;
# Prevent Nginx Information Disclosure
server_tokens off;
# Default dhparam
# Set appropriate X-Forwarded-Ssl header
map \$scheme \$proxy_x_forwarded_ssl {
  default off;
  https on;
}

gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '\$host \$remote_addr - \$remote_user [\$time_local] '
                 '\"\$request\" \$status \$body_bytes_sent '
                 '\"\$http_referer\" \"\$http_user_agent\"';
access_log off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host \$http_host;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection \$proxy_connection;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl \$proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port \$proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy \"\";


server {
    listen 80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
}

server {
  listen 443 ssl;
  server_name $YOUR_DOMAIN;
  ssl on;

  ssl_certificate /etc/ssl/certs/localhost.crt;
  ssl_certificate_key /etc/ssl/private/localhost.key;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
  ssl_prefer_server_ciphers on;
  ssl_stapling off;
  ssl_stapling_verify on;

  location / {
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_pass http://localhost:23000;
  }
}
" | sudo tee -a /etc/nginx/sites-available/btcpayserver

  sudo ln -s /etc/nginx/sites-available/btcpayserver /etc/nginx/sites-enabled/ 2>/dev/null
  
  sudo systemctl restart nginx
fi

if [ $ownDomain -eq 1 ]; then
  echo ""
  echo "Visit your BTCpayServer instance on https://$YOUR_DOMAIN"
  echo ""
elif [ $ownDomain -eq 0 ]; then
  # Hidden Service for BTCPay if Tor active
  source /mnt/hdd/raspiblitz.conf
  if [ "${runBehindTor}" = "on" ]; then
      /home/admin/config.scripts/internet.hiddenservice.sh btcpay 80 23000
  
      TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/btcpay/hostname)
      if [ -z "$TOR_ADDRESS" ]; then
        echo "Waiting for the Hidden Service"
        sleep 10
        TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/btcpay/hostname)
        if [ -z "$TOR_ADDRESS" ]; then
          echo " FAIL - The Hidden Service address could not be found - Tor error?"
          exit 1
        fi
      fi   
      echo ""
      echo "***"
      echo "Open the Hidden Service address in the Tor Browser to connect to your BTCPayServer instance."
      echo "$TOR_ADDRESS"
      echo "***"
      echo "" 
  fi
  localip=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
  echo ""
  echo "Open https://$localip in a browser to visit your BTCPayServer on your Local Network." 
  echo "Will need to accept the self-signed certificate in the browser to be able to connect outside of the Tor Browser"
  echo ""
fi
add BTCpayServer self-signed certificate option 2019-12-05 13:37:33 +00:00			`#!/bin/bash`

			`# script to set up nginx and the SSL certificate for BTCPay Server`
			`# calls the config.scripts/internet.hiddenservice.sh for the Tor connection`

allow to cancel BTCPay setup with dialog 2019-12-05 16:17:40 +00:00			`HEIGHT=20`
			`WIDTH=73`
			`CHOICE_HEIGHT=2`
			`BACKTITLE="RaspiBlitz"`
			`TITLE=""`
			`MENU="Choose 'DOMAIN' if you want to use a Domain Name or dynamicDNS`
			`pointing to your public IP.\n`
			`You will need the ports 80, 443 and 9735 forwarded to your RaspiBlitz`
			`and an email address to be used for communication about the SSL certificate.\n\n`
			`Choose 'TOR' if you want to set up BTCPayServer`
			`as a Tor Hidden service and use a self signed SSL certificate.\n\n`
improve messages for BTCPayServer 2019-12-05 15:31:07 +00:00			`Find more information about using the BTCPayServer on the RaspiBlitz here:`
allow to cancel BTCPay setup with dialog 2019-12-05 16:17:40 +00:00			`https://github.com/openoms/bitcoin-tutorials/tree/master/BTCPayServer"`
			`OPTIONS=(DOMAIN "use a Domain Name or dynamicDNS" \`
			`TOR "Tor access and a self-signed certificate")`

			`CHOICE=$(dialog --clear \`
			`--backtitle "$BACKTITLE" \`
			`--title "$TITLE" \`
			`--menu "$MENU" \`
			`$HEIGHT $WIDTH $CHOICE_HEIGHT \`
			`"${OPTIONS[@]}" \`
			`2>&1 >/dev/tty)`

			`dialogcancel=$?`
			`echo "done dialog"`
			`clear`

			`# check if user canceled dialog`
			`echo "dialogcancel(${dialogcancel})"`
			`if [ ${dialogcancel} -eq 1 ]; then`
btcpay: improve dialog logic 2019-12-05 17:10:23 +00:00			`echo "user cancelled"`
allow to cancel BTCPay setup with dialog 2019-12-05 16:17:40 +00:00			`exit 1`
			`fi`

			`clear`
			`case $CHOICE in`

			`DOMAIN)`
			`echo "setting up with own domain"`
			`ownDomain=1`
			`;;`
			`TOR)`
			`echo "setting up for Tor only"`
			`ownDomain=0`
			`;;`
			`esac`
add BTCpayServer self-signed certificate option 2019-12-05 13:37:33 +00:00
btcpay: improve dialog logic 2019-12-05 17:10:23 +00:00			`if [ ${#ownDomain} -eq 0 ]; then`
			`echo "user cancelled"`
			`exit 1`
add BTCpayServer self-signed certificate option 2019-12-05 13:37:33 +00:00			`fi`

			`echo ""`
			`echo "***"`
			`echo "Setting up Nginx and Certbot"`
			`echo "***"`
			`echo ""`

			`if [ $ownDomain -eq 1 ]; then`
			`echo ""`
			`echo "***"`
btcpay: improve dialog logic 2019-12-05 17:10:23 +00:00			`echo "Confirm that the port 80, 443 and 9735 are forwarded to the IP of your RaspiBlitz by pressing [ENTER] or use [CTRL + C] to exit"`
add BTCpayServer self-signed certificate option 2019-12-05 13:37:33 +00:00			`read key`

			`echo ""`
			`echo "***"`
btcpay: improve dialog logic 2019-12-05 17:10:23 +00:00			`echo "Type your domain/ddns pointing to your public IP and press [ENTER] or use [CTRL + C] to exit"`
			`echo "example:"`
			`echo "btcpay.example.com"`
add BTCpayServer self-signed certificate option 2019-12-05 13:37:33 +00:00			`read YOUR_DOMAIN`

			`echo ""`
			`echo "***"`
btcpay: improve dialog logic 2019-12-05 17:10:23 +00:00			`echo "Type an email address that will be used to message about the SSL certificate and press [ENTER] or use [CTRL + C] to exit"`
			`echo "example:"`
			`echo "name@email.com"`
add BTCpayServer self-signed certificate option 2019-12-05 13:37:33 +00:00			`read YOUR_EMAIL`

			`echo ""`
			`echo "***"`
			`echo "Creating the btcpay user"`
			`echo "***"`
			`echo ""`

			`# install nginx and certbot`
			`sudo apt-get install nginx-full certbot -y`

			`sudo ufw allow 80 comment 'btcpayserver TCP'`
			`sudo ufw allow 443 comment 'btcpayserver SSL'`

			`# get SSL cert`
			`sudo systemctl stop certbot 2>/dev/null`
			`sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start"`

			`# set nginx`
			`sudo rm -f /etc/nginx/sites-enabled/default`
			`sudo rm -f /etc/nginx/sites-enabled/btcpayserver`
			`sudo rm -f /etc/nginx/sites-available/btcpayserver`

			`echo "`
			`# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the`
			`# scheme used to connect to this server`
			`map \$http_x_forwarded_proto \$proxy_x_forwarded_proto {`
			`default \$http_x_forwarded_proto;`
			`'' \$scheme;`
			`}`
			`# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the`
			`# server port the client connected to`
			`map \$http_x_forwarded_port \$proxy_x_forwarded_port {`
			`default \$http_x_forwarded_port;`
			`'' \$server_port;`
			`}`
			`# If we receive Upgrade, set Connection to \"upgrade\"; otherwise, delete any`
			`# Connection header that may have been passed to this server`
			`map \$http_upgrade \$proxy_connection {`
			`default upgrade;`
			`'' close;`
			`}`
			`# Apply fix for very long server names`
			`#server_names_hash_bucket_size 128;`
			`# Prevent Nginx Information Disclosure`
			`server_tokens off;`
			`# Default dhparam`
			`# Set appropriate X-Forwarded-Ssl header`
			`map \$scheme \$proxy_x_forwarded_ssl {`
			`default off;`
			`https on;`
			`}`

			`gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;`
			`log_format vhost '\$host \$remote_addr - \$remote_user [\$time_local] '`
			`'\"\$request\" \$status \$body_bytes_sent '`
			`'\"\$http_referer\" \"\$http_user_agent\"';`
			`access_log off;`
			`# HTTP 1.1 support`
			`proxy_http_version 1.1;`
			`proxy_buffering off;`
			`proxy_set_header Host \$http_host;`
			`proxy_set_header Upgrade \$http_upgrade;`
			`proxy_set_header Connection \$proxy_connection;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto \$proxy_x_forwarded_proto;`
			`proxy_set_header X-Forwarded-Ssl \$proxy_x_forwarded_ssl;`
			`proxy_set_header X-Forwarded-Port \$proxy_x_forwarded_port;`
			`# Mitigate httpoxy attack (see README for details)`
			`proxy_set_header Proxy \"\";`


			`server {`
			`listen 80 default_server;`
			`server_name _;`
			`return 301 https://\$host\$request_uri;`
			`}`

			`server {`
			`listen 443 ssl;`
			`server_name $YOUR_DOMAIN;`
			`ssl on;`

			`ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem;`
			`ssl_session_timeout 1d;`
			`ssl_session_cache shared:SSL:50m;`
			`ssl_session_tickets off;`
			`ssl_protocols TLSv1.1 TLSv1.2;`
			ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
			`ssl_prefer_server_ciphers on;`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
			`ssl_trusted_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/chain.pem;`

			`location / {`
			`proxy_set_header Host \$host;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto \$scheme;`
			`proxy_pass http://localhost:23000;`
			`}`
			`}`
			`" \| sudo tee -a /etc/nginx/sites-available/btcpayserver`

			`sudo ln -s /etc/nginx/sites-available/btcpayserver /etc/nginx/sites-enabled/ 2>/dev/null`

			`sudo systemctl restart nginx`

			`echo ""`
			`echo "***"`
			`echo "Setting up certbot-auto renewal service"`
			`echo "***"`
			`echo ""`

			`sudo rm -f /etc/systemd/system/certbot.timer`
			`echo "`
			`[Unit]`
			`Description=Certbot-auto renewal service`

			`[Timer]`
			`OnBootSec=20min`
			`OnCalendar=--* 4:00:00`

			`[Install]`
			`WantedBy=timers.target`
			`" \| sudo tee -a /etc/systemd/system/certbot.timer`

			`sudo rm -f /etc/systemd/system/certbot.service`
			`echo "`
			`[Unit]`
			`Description=Certbot-auto renewal service`
			`After=bitcoind.service`

			`[Service]`
			`WorkingDirectory=/home/admin/`
			`ExecStart=sudo certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\"`

			`User=admin`
			`Group=admin`
			`Type=simple`
			`KillMode=process`
			`TimeoutSec=60`
			`Restart=always`
			`RestartSec=60`
			`" \| sudo tee -a /etc/systemd/system/certbot.service`

			`sudo systemctl enable certbot.timer`

			`elif [ $ownDomain -eq 0 ]; then`
			`YOUR_DOMAIN=localhost`
btcpay: disable certbot if using self signed cert 2019-12-06 17:12:25 +00:00
			`# disable certbot`
			`sudo systemctl stop certbot.timer 2>/dev/null`
			`sudo systemctl disable certbot.timer 2>/dev/null`
			`sudo systemctl stop certbot 2>/dev/null`
			`sudo systemctl disable certbot 2>/dev/null`

add BTCpayServer self-signed certificate option 2019-12-05 13:37:33 +00:00			`# create a self-signed ssl certificate`
			`/home/admin/config.scripts/internet.selfsignedcert.sh`
btcpay: allow 443 through firewall fixing https://github.com/rootzoll/raspiblitz/issues/214 2019-12-24 09:19:14 +01:00
			`# allow the HTTPS connection through the firewall`
			`sudo ufw allow 443 comment 'Nginx'`

add BTCpayServer self-signed certificate option 2019-12-05 13:37:33 +00:00			`# set nginx`
			`sudo rm -f /etc/nginx/sites-enabled/default`
			`sudo rm -f /etc/nginx/sites-enabled/btcpayserver`
			`sudo rm -f /etc/nginx/sites-available/btcpayserver`

			`echo "`
			`# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the`
			`# scheme used to connect to this server`
			`map \$http_x_forwarded_proto \$proxy_x_forwarded_proto {`
			`default \$http_x_forwarded_proto;`
			`'' \$scheme;`
			`}`
			`# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the`
			`# server port the client connected to`
			`map \$http_x_forwarded_port \$proxy_x_forwarded_port {`
			`default \$http_x_forwarded_port;`
			`'' \$server_port;`
			`}`
			`# If we receive Upgrade, set Connection to \"upgrade\"; otherwise, delete any`
			`# Connection header that may have been passed to this server`
			`map \$http_upgrade \$proxy_connection {`
			`default upgrade;`
			`'' close;`
			`}`
			`# Apply fix for very long server names`
			`#server_names_hash_bucket_size 128;`
			`# Prevent Nginx Information Disclosure`
			`server_tokens off;`
			`# Default dhparam`
			`# Set appropriate X-Forwarded-Ssl header`
			`map \$scheme \$proxy_x_forwarded_ssl {`
			`default off;`
			`https on;`
			`}`

			`gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;`
			`log_format vhost '\$host \$remote_addr - \$remote_user [\$time_local] '`
			`'\"\$request\" \$status \$body_bytes_sent '`
			`'\"\$http_referer\" \"\$http_user_agent\"';`
			`access_log off;`
			`# HTTP 1.1 support`
			`proxy_http_version 1.1;`
			`proxy_buffering off;`
			`proxy_set_header Host \$http_host;`
			`proxy_set_header Upgrade \$http_upgrade;`
			`proxy_set_header Connection \$proxy_connection;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto \$proxy_x_forwarded_proto;`
			`proxy_set_header X-Forwarded-Ssl \$proxy_x_forwarded_ssl;`
			`proxy_set_header X-Forwarded-Port \$proxy_x_forwarded_port;`
			`# Mitigate httpoxy attack (see README for details)`
			`proxy_set_header Proxy \"\";`


			`server {`
			`listen 80 default_server;`
			`server_name _;`
			`return 301 https://\$host\$request_uri;`
			`}`

			`server {`
			`listen 443 ssl;`
			`server_name $YOUR_DOMAIN;`
			`ssl on;`

			`ssl_certificate /etc/ssl/certs/localhost.crt;`
			`ssl_certificate_key /etc/ssl/private/localhost.key;`
			`ssl_session_timeout 1d;`
			`ssl_session_cache shared:SSL:50m;`
			`ssl_session_tickets off;`
			`ssl_protocols TLSv1.1 TLSv1.2;`
			ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
			`ssl_prefer_server_ciphers on;`
			`ssl_stapling off;`
			`ssl_stapling_verify on;`

			`location / {`
			`proxy_set_header Host \$host;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto \$scheme;`
			`proxy_pass http://localhost:23000;`
			`}`
			`}`
			`" \| sudo tee -a /etc/nginx/sites-available/btcpayserver`

			`sudo ln -s /etc/nginx/sites-available/btcpayserver /etc/nginx/sites-enabled/ 2>/dev/null`

			`sudo systemctl restart nginx`
			`fi`

			`if [ $ownDomain -eq 1 ]; then`
			`echo ""`
			`echo "Visit your BTCpayServer instance on https://$YOUR_DOMAIN"`
			`echo ""`
			`elif [ $ownDomain -eq 0 ]; then`
			`# Hidden Service for BTCPay if Tor active`
			`source /mnt/hdd/raspiblitz.conf`
			`if [ "${runBehindTor}" = "on" ]; then`
			`/home/admin/config.scripts/internet.hiddenservice.sh btcpay 80 23000`

			`TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/btcpay/hostname)`
			`if [ -z "$TOR_ADDRESS" ]; then`
			`echo "Waiting for the Hidden Service"`
			`sleep 10`
			`TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/btcpay/hostname)`
			`if [ -z "$TOR_ADDRESS" ]; then`
			`echo " FAIL - The Hidden Service address could not be found - Tor error?"`
			`exit 1`
			`fi`
			`fi`
			`echo ""`
			`echo "***"`
			`echo "Open the Hidden Service address in the Tor Browser to connect to your BTCPayServer instance."`
			`echo "$TOR_ADDRESS"`
			`echo "***"`
			`echo ""`
			`fi`
			`localip=$(ip addr \| grep 'state UP' -A2 \| tail -n1 \| awk '{print $2}' \| cut -f1 -d'/')`
			`echo ""`
			`echo "Open https://$localip in a browser to visit your BTCPayServer on your Local Network."`
			`echo "Will need to accept the self-signed certificate in the browser to be able to connect outside of the Tor Browser"`
			`echo ""`
			`fi`