#1186 FinTS/HBCI interface (#3704)

* #1186 FinTS install script first draft

* only start app when blitz is ready

* improve menu

* improve dit lnbits config

* preserve edit

* improve edit

* improve edit

* fix insertion

* dont use fingerprint

* now use main repo

* add port

* show local ip

* fix typo

* show port SSL

CHANGES.md

@@ -12,6 +12,7 @@
 - New: BOS Telegram Bot Support (see OPTIONS on LND Balance of Satoshis menu entry)
 - New: LightningTipBot v0.5 [details](https://github.com/LightningTipBot/LightningTipBot)
 - New: CLI shortcut for ↬lnproxy [details](https://github.com/rootzoll/raspiblitz/pull/3333)
+- New: Homebanking Interface FinTS/HBCI (experimental) [details](https://github.com/rootzoll/raspiblitz/issues/1186)
 - New on WebUI: Jam (JoinMarket Web UI) v0.1.4 [details](https://github.com/joinmarket-webui/joinmarket-webui/releases/tag/v0.1.4)
 - Update: Bitcoin Core v24.0.1 [details](https://github.com/bitcoin/bitcoin/blob/master/doc/release-notes/release-notes-24.0.1.md)
 - Update: LND v0.15.5 [details](https://github.com/lightningnetwork/lnd/releases/tag/v0.15.5-beta)

home.admin/00mainMenu.sh

@@ -175,6 +175,9 @@ fi
 if [ "${lightningtipbot}" == "on" ]; then
   OPTIONS+=(LIGHTNINGTIPBOT "Show LightningTipBot details")
 fi
+if [ "${fints}" == "on" ]; then
+  OPTIONS+=(FINTS "Show FinTS/HBCI details")
+fi
 
 # dont offer to switch to "testnet view for now" - so no wswitch back to mainnet needed
 #if [ ${chain} != "main" ]; then
@@ -347,6 +350,9 @@ case $CHOICE in
         CIRCUITBREAKER)
             sudo /home/admin/config.scripts/bonus.circuitbreaker.sh menu
             ;;
+        FINTS)
+            sudo /home/admin/config.scripts/bonus.fints.sh menu
+            ;;
         TESTNETS)
             /home/admin/00parallelChainsMenu.sh
             ;;

home.admin/00settingsMenuServices.sh

@@ -36,6 +36,7 @@ if [ ${#bitcoinminds} -eq 0 ]; then bitcoinminds="off"; fi
 if [ ${#squeaknode} -eq 0 ]; then squeaknode="off"; fi
 if [ ${#itchysats} -eq 0 ]; then itchysats="off"; fi
 if [ ${#lightningtipbot} -eq 0 ]; then lightningtipbot="off"; fi
+if [ ${#fints} -eq 0 ]; then fints="off"; fi
 
 # show select dialog
 echo "run dialog ..."
@@ -86,6 +87,7 @@ if [ "${lightning}" == "cl" ] || [ "${cl}" == "on" ]; then
 fi
 
 OPTIONS+=(ma 'Homer Dashboard' ${homer})
+OPTIONS+=(fn 'FinTS/HBCI Interface (experimental)' ${fints})
 
 CHOICES=$(dialog --title ' Additional Mainnet Services ' \
           --checklist ' use spacebar to activate/de-activate ' \
@@ -734,6 +736,17 @@ else
   echo "ItchySats setting unchanged."
 fi
 
+# fints process choice  
+choice="off"; check=$(echo "${CHOICES}" | grep -c "fn")
+if [ ${check} -eq 1 ]; then choice="on"; fi
+if [ "${fints}" != "${choice}" ]; then
+  echo "fints setting changed .."
+  anychange=1
+  sudo -u admin /home/admin/config.scripts/bonus.fints.sh ${choice}
+else
+  echo "fints setting unchanged."
+fi
+
 if [ ${anychange} -eq 0 ]; then
      dialog --msgbox "NOTHING CHANGED!\nUse Spacebar to check/uncheck services." 8 58
      exit 0

home.admin/_provision_.sh

@@ -814,6 +814,15 @@ else
   echo "Provisioning LightningTipBot - keep default" >> ${logFile}
 fi
 
+# FinTS
+if [ "${fints}" = "on" ]; then
+  echo "Provisioning FinTS - run config script" >> ${logFile}
+  /home/admin/_cache.sh set message "Setup FinTS"
+  sudo -u admin /home/admin/config.scripts/bonus.fints.sh on >> ${logFile} 2>&1
+else
+  echo "Provisioning FinTS - keep default" >> ${logFile}
+fi
+
 # custom install script from user
 customInstallAvailable=$(ls /mnt/hdd/app-data/custom-installs.sh 2>/dev/null | grep -c "custom-installs.sh")
 if [ ${customInstallAvailable} -gt 0 ]; then

home.admin/config.scripts/blitz.debug.sh

@@ -406,6 +406,17 @@ else
   echo "- SPHINX is OFF by config"
 fi
 
+if [ "${fints}" == "on" ]; then  
+  echo
+  echo "*** LAST 20 FINTS LOGS ***"
+  echo "sudo journalctl -u fints -b --no-pager -n20"
+  sudo journalctl -u fints -b --no-pager -n20
+  echo "sudo tail -n 30 /home/fints/log/fuelifints.log"
+  sudo tail -n 30 /home/fints/log/fuelifints.log
+else
+  echo "- FINTS is OFF by config"
+fi
+
 echo
 echo "*** MOUNTED DRIVES ***"
 echo "df -T -h"

home.admin/config.scripts/bonus.fints.sh

@@ -0,0 +1,430 @@
+#!/bin/bash
+
+APPID="fints"
+VERSION="2.23"
+
+# the git repo to get the source code from for install
+GITHUB_REPO="https://github.com/drmartinberger/FueliFinTS"
+
+# the github tag of the version of the source code to install
+# can also be a commit hash
+# if empty it will use the latest source version
+GITHUB_TAG=""
+
+# the github signature to verify the author
+# leave GITHUB_SIGN_AUTHOR empty to skip verifying
+GITHUB_SIGN_AUTHOR="" #web-flow
+GITHUB_SIGN_PUBKEYLINK="https://github.com/web-flow.gpg"
+GITHUB_SIGN_FINGERPRINT="4AEE18F83AFDEB23"
+
+# port numbers the app should run on
+# delete if not an web app
+PORT_CLEAR="3110"
+PORT_SSL="3111"
+
+# BASIC COMMANDLINE OPTIONS
+# you can add more actions or parameters if needed - for example see the bonus.rtl.sh
+# to see how you can deal with an app that installs multiple instances depending on
+# lightning implementation or testnets - but this should be OK for a start:
+if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
+  echo "# Github Repo: ${GITHUB_REPO}"
+  echo "# Telegram Community Support: https://t.me/LN_FinTS"
+  echo "# bonus.${APPID}.sh status    -> status information (key=value)"
+  echo "# bonus.${APPID}.sh on        -> install the app"
+  echo "# bonus.${APPID}.sh off       -> uninstall the app"
+  echo "# bonus.${APPID}.sh menu      -> SSH menu dialog"
+  echo "# bonus.${APPID}.sh prestart  -> will be called by systemd before start"
+  exit 1
+fi
+
+# echoing comments is useful for logs - but start output with # when not a key=value
+echo "# Running: 'bonus.${APPID}.sh $*'"
+
+# check & load raspiblitz config
+source /mnt/hdd/raspiblitz.conf
+
+#########################
+# INFO
+#########################
+
+# this section is always executed to gather status information that
+# all the following commands can use & execute on
+
+# check if app is already installed
+isInstalled=$(sudo ls /etc/systemd/system/${APPID}.service 2>/dev/null | grep -c "${APPID}.service")
+
+# check if service is running
+isRunning=$(systemctl status ${APPID} 2>/dev/null | grep -c 'active (running)')
+
+if [ "${isInstalled}" == "1" ]; then
+
+  # gather address info (whats needed to call the app)
+  localIP=$(hostname -I | awk '{print $1}')
+  toraddress=$(sudo cat /mnt/hdd/tor/${APPID}/hostname 2>/dev/null)
+  #fingerprint=$(openssl x509 -in /mnt/hdd/app-data/nginx/tls.cert -fingerprint -noout | cut -d"=" -f2)
+
+fi
+
+# if the action parameter `status` was called - just stop here and output all
+# status information as a key=value list
+if [ "$1" = "status" ]; then
+  echo "appID='${APPID}'"
+  echo "version='${VERSION}'"
+  echo "githubRepo='${GITHUB_REPO}'"
+  echo "githubVersion='${GITHUB_TAG}'"
+  echo "githubSignature='${GITHUB_SIGNATURE}'"
+  echo "isInstalled=${isInstalled}"
+  echo "isRunning=${isRunning}"
+  if [ "${isInstalled}" == "1" ]; then
+    echo "portCLEAR=${PORT_CLEAR}"
+    echo "portSSL=${PORT_SSL}"
+    echo "localIP='${localIP}'"
+    echo "toraddress='${toraddress}'"
+    #echo "fingerprint='${fingerprint}'"
+    echo "toraddress='${toraddress}'"
+  fi
+  exit
+fi
+
+##########################
+# MENU
+#########################
+
+# The `menu` action should give at least a SSH info dialog - when an webapp show
+# URL to call (http & https+fingerprint) otherwise some instruction how to start it.
+
+# This SSH dialog will be later called by the MAIN MENU to be available to the user
+# when app is installed.
+
+# This menu can also have some more complex structure if you want to make it easy
+# to the user to set configurations or maintenance options - example bonus.lnbits.sh
+
+# show info menu
+if [ "$1" = "menu" ]; then
+
+  # get local ip
+  localIP=$(hostname -I | awk '{print $1}')
+
+  # set the title for the dialog
+  dialogTitle=" FinTS / HBCI Interface "
+
+  # basic info text - for an web app how to call with http & self-signed https
+  dialogText="This is an very early experimental feature.\nServer-URL: ${localIP}:${PORT_SSL}\n\nSee GitHub Repo for more Details:\n${GITHUB_REPO}\n\nTelegram Community Chat & Support (say hi):\nhttps://t.me/LN_FinTS\n\nUse OPTIONS to config with LNbits & Debug.\n\n"
+
+  # add tor info (if available)
+  if [ "${toraddress}" != "" ]; then
+    dialogText="${dialogText}Hidden Service address for Tor Connection:\n${toraddress}"
+  fi
+
+  # use whiptail to show SSH dialog & exit
+  whiptail --title "${dialogTitle}" --yes-button "OK" --no-button "OPTIONS" --yesno "${dialogText}" 19 67
+  result=$?
+  if [ ${result} -eq 0 ]; then
+    exit 0
+  fi
+
+  OPTIONS=()
+  OPTIONS+=(LNBITS "Edit lnbits.properties")
+  OPTIONS+=(DEBUG "Print Logs")
+
+  WIDTH=66
+  CHOICE_HEIGHT=$(("${#OPTIONS[@]}/2+1"))
+  HEIGHT=$((CHOICE_HEIGHT+7))
+  CHOICE=$(dialog --clear \
+                --title " ${APPID} - Options" \
+                --ok-label "Select" \
+                --cancel-label "Back" \
+                --menu "Choose one of the following options:" \
+                $HEIGHT $WIDTH $CHOICE_HEIGHT \
+                "${OPTIONS[@]}" \
+                2>&1 >/dev/tty)
+  case $CHOICE in
+    DEBUG)
+      clear
+      echo "# sudo tail -n 100 /home/fints/log/fuelifints.log"
+      sudo tail -n 100 /home/fints/log/fuelifints.log
+      echo "# PRESS ENTER to continue"
+      read key
+      ;;
+    LNBITS)
+      edittemp=$(mktemp -p /dev/shm/)
+      sudo -u fints dialog --title "Editing /home/fints/config/lnbits.properties" --editbox "/home/fints/config/lnbits.properties" 200 200 2> "${edittemp}"
+      result=$?
+      clear
+      if [ "${result}" == "0" ]; then
+        echo "# saving changes to /home/fints/config/lnbits.properties"
+        sudo rm /home/fints/config/lnbits.properties
+        sudo mv ${edittemp} /home/fints/config/lnbits.properties
+        sudo chown fints:fints /home/fints/config/lnbits.properties
+      else
+        echo "# (${result}) no changes - dont save"
+      fi
+      echo "# restarting fints service"
+      sudo systemctl restart fints
+      sleep 2
+      ;;
+  esac
+
+  echo "please wait ..."
+  exit 0
+fi
+
+##########################
+# ON / INSTALL
+##########################
+
+# This section takes care of installing the app.
+# The template contains some basic steps but also look at other install scripts
+# to see how special cases are solved.
+
+if [ "$1" = "1" ] || [ "$1" = "on" ]; then
+
+  # dont run install if already installed
+  if [ ${isInstalled} -eq 1 ]; then
+    echo "# ${APPID}.service is already installed."
+    exit 1
+  fi
+
+  echo "# Installing ${APPID} ..."
+
+  # install java & build tool
+  sudo apt install -y default-jdk
+  sudo apt install -y maven
+
+  # make sure mysql/myria db is available
+  sudo apt-get install -y mariadb-server mariadb-client
+
+  # create a dedicated user for the app
+  echo "# create user"
+  sudo adduser --disabled-password --gecos "" ${APPID} || exit 1
+
+  # add user to special groups with special access rights
+  # echo "# add use to special groups"
+  # sudo /usr/sbin/usermod --append --groups lndadmin ${APPID}
+
+  # create a data directory on /mnt/hdd/app-data/ for the app
+  if ! [ -d /mnt/hdd/app-data/${APPID} ]; then
+    echo "# create app-data directory"
+    sudo mkdir /mnt/hdd/app-data/${APPID} 2>/dev/null
+    sudo chown ${APPID}:${APPID} -R /mnt/hdd/app-data/${APPID}
+  else
+    echo "# reuse existing app-directory"
+    sudo chown ${APPID}:${APPID} -R /mnt/hdd/app-data/${APPID}
+  fi
+
+  # download source code and verify
+  # BACKGROUND is that now you download the code from github, reset to a given version tag/commit,
+  # verify the author. If you app provides its source/binaries in another way, may check
+  # other install scripts to see how that implement code download & verify.
+  echo "# download the source code & verify"
+  sudo -u ${APPID} git clone ${GITHUB_REPO} /home/${APPID}/${APPID}
+  cd /home/${APPID}/${APPID}
+
+  if [ "${GITHUB_TAG}" != "" ]; then
+    sudo -u ${APPID} git reset --hard $GITHUB_TAG
+  fi
+  if [ "${GITHUB_SIGN_AUTHOR}" != "" ]; then
+    sudo -u ${APPID} /home/admin/config.scripts/blitz.git-verify.sh \
+     "${GITHUB_SIGN_AUTHOR}" "${GITHUB_SIGN_PUBKEYLINK}" "${GITHUB_SIGN_FINGERPRINT}" "${GITHUB_TAG}" || exit 1
+  fi
+
+  # compile/install the app
+  echo "# compile/install the app"
+  cd /home/${APPID}/${APPID}
+  # install dependencies from pom.xml
+  sudo -u fints mvn package
+  if ! [ $? -eq 0 ]; then
+      echo "# FAIL - mvn package did not run correctly - deleting code & exit"
+      sudo rm -r /home/${APPID}/${APPID}
+      exit 1
+  fi
+  sudo -u fints cp /home/fints/fints/target/LN-FinTS-jar-with-dependencies.jar /home/fints/fints-fat.jar
+  if ! [ $? -eq 0 ]; then 
+      echo "# FAIL - was not able to copy /home/fints/fints-fat.jar"
+      sudo rm -r /home/${APPID}/${APPID}
+      exit 1
+  fi
+
+  # init database
+  sudo mariadb -e "DROP DATABASE IF EXISTS fints;"
+  sudo mariadb -e "CREATE DATABASE fints;"
+  sudo mariadb -e "GRANT ALL PRIVILEGES ON fints.* TO 'fintsuser' IDENTIFIED BY 'fints';"
+  sudo mariadb -e "FLUSH PRIVILEGES;"
+  if [ -f "dbsetup.sql" ]; then
+    mariadb -ufintsuser -pfints fints < dbsetup.sql
+  else
+    echo "# FAIL - dbsetup.sql not found - deleting code & exit"
+    sudo rm -r /home/${APPID}/${APPID}
+    exit 1
+  fi
+
+  # open the ports in the firewall
+  echo "# updating Firewall"
+  sudo ufw allow ${PORT_CLEAR} comment "${APPID} HTTP"
+  sudo ufw allow ${PORT_SSL} comment "${APPID} HTTPS"
+
+  # every app has their own systemd service that cares about starting &
+  # running the app in the background - see the PRESTART section for adhoc config
+  echo "# create systemd service: ${APPID}.service"
+  echo "
+[Unit]
+Description=${APPID}
+Wants=bitcoind
+After=bitcoind
+
+[Service]
+WorkingDirectory=/home/${APPID}
+Environment=\"HOME_PATH=/mnt/hdd/app-data/${APPID}\"
+ExecStartPre=-/home/admin/config.scripts/bonus.${APPID}.sh prestart
+ExecStart=java -jar /home/${APPID}/fints-fat.jar
+User=${APPID}
+Restart=always
+TimeoutSec=120
+RestartSec=30
+StandardOutput=null
+StandardError=journal
+
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
+[Install]
+WantedBy=multi-user.target
+" | sudo tee /etc/systemd/system/${APPID}.service
+  sudo chown root:root /etc/systemd/system/${APPID}.service
+
+  # when tor is set on also install the hidden service
+  if [ "${runBehindTor}" = "on" ]; then
+    # activating tor hidden service
+    /home/admin/config.scripts/tor.onion-service.sh ${APPID} 80 ${PORT_CLEAR} 443 ${PORT_SSL}
+  fi
+
+  # create keystore if needed
+  keystoreExists=$(sudo ls /mnt/hdd/app-data/fints/keystore.jks 2>/dev/null | grep -c 'keystore.jks')
+  if [ ${keystoreExists} -eq 0 ]; then
+    echo "# creating keystore"
+    sudo -u fints keytool -genkey -keyalg RSA -alias fints -keystore /mnt/hdd/app-data/fints/keystore.jks -storepass raspiblitz -noprompt -dname "CN=raspiblitz, OU=IT, O=raspiblitz, L=world, S=world, C=BZ"
+  else
+    echo "# keystore already exists"
+  fi
+  
+  # config app basics: lnbits.properties
+  sudo -u fints mkdir /home/fints/config
+  sudo -u fints cp /home/fints/fints/config/fuelifints.properties /home/fints/config/fuelifints.properties
+  sudo sed -i "s/^productinfo.csv.check=.*/productinfo.csv.check=false/g" /home/fints/config/fuelifints.properties
+  sudo sed -i "s/^rdh_port =.*/rdh_port = ${PORT_CLEAR}/g" /home/fints/config/fuelifints.properties
+  sudo sed -i "s/^ssl_port =.*/ssl_port = ${PORT_SSL}/g" /home/fints/config/fuelifints.properties
+  sudo sed -i "s/^keystore_location =.*/keystore_location = \/mnt\/hdd\/app-data\/fints\/keystore.jks/g" /home/fints/config/fuelifints.properties
+  sudo sed -i "s/^keystore_password =.*/keystore_password = raspiblitz/g" /home/fints/config/fuelifints.properties
+
+  # config app basics: blz.banking2.properties.example
+  sudo -u fints cp /home/fints/fints/config/blz.banking2.properties.example /home/fints/config/blz.banking2.properties
+
+  # config app basics: lnbits.properties
+  sudo -u fints cp /home/fints/fints/config/lnbits.properties.example /home/fints/config/lnbits.properties
+  # in file lnbits.properties replace the line starting with lnbitsUrl with the following line 'lnbitsUrl = http://127.0.0.1:5000'
+  sudo sed -i "s/lnbitsUrl =.*/lnbitsUrl = http:\/\/127.0.0.1:5000/g" /home/fints/config/lnbits.properties   
+
+  # mark app as installed in raspiblitz config
+  /home/admin/config.scripts/blitz.conf.sh set ${APPID} "on"
+
+  # enable app up thru systemd
+  sudo systemctl enable ${APPID}
+  echo "# OK - the ${APPID}.service is now enabled"
+
+  # start app (only when blitz is ready)
+  source <(/home/admin/_cache.sh get state)
+  if [ "${state}" == "ready" ]; then
+    sudo systemctl start ${APPID}
+    echo "# OK - the ${APPID}.service is now started"
+  fi
+
+  echo "# Monitor with: sudo journalctl -f -u ${APPID}"
+  exit 0
+
+fi
+
+##########################
+# PRESTART
+##########################
+
+# BACKGROUND is that this script will be called with `prestart` on every start & restart
+# of this apps systemd service. This has the benefit that right before the app is started
+# config parameters for this app can be updated so that it always starts with the most updated
+# values. With such an "adhoc config" it is for example possible to check right before start
+# what other apps are installed and configure connections. Even if those configs outdate later
+# while the app is running with the next restart they will then automatically update their config
+# again. If you dont need such "adhoc" config for your app - just leave it empty as it is, so
+# you maybe later on have the option to use it.
+
+if [ "$1" = "prestart" ]; then
+
+  # needs to be run as the app user - stop if not run as the app user
+  # keep in mind that in the prestart section you cannot use `sudo` command
+  if [ "$USER" != "${APPID}" ]; then
+    echo "# FAIL: run as user ${APPID}"
+    exit 1
+  fi
+
+  echo "## PRESTART CONFIG START for ${APPID} (called by systemd prestart)"
+  # at the moment no on the fly config is needed
+  echo "## PRESTART CONFIG DONE for ${APPID}"
+  exit 0
+fi
+
+###########################################
+# OFF / UNINSTALL
+# call with parameter `delete-data` to also
+# delete the persistent data directory
+###########################################
+
+# BACKGROUND is that this section removes entries in systemd, nginx, etc and then
+# deletes the user with its home directory to nuke all installed code
+
+# switch off
+if [ "$1" = "0" ] || [ "$1" = "off" ]; then
+
+  echo "# stop & remove systemd service"
+  sudo systemctl stop ${APPID} 2>/dev/null
+  sudo systemctl disable ${APPID}.service
+  sudo rm /etc/systemd/system/${APPID}.service
+
+  #echo "# remove nginx symlinks"
+  #sudo rm -f /etc/nginx/sites-enabled/${APPID}_ssl.conf 2>/dev/null
+  #sudo rm -f /etc/nginx/sites-enabled/${APPID}_tor.conf 2>/dev/null
+  #sudo rm -f /etc/nginx/sites-enabled/${APPID}_tor_ssl.conf 2>/dev/null
+  #sudo rm -f /etc/nginx/sites-available/${APPID}_ssl.conf 2>/dev/null
+  #sudo rm -f /etc/nginx/sites-available/${APPID}_tor.conf 2>/dev/null
+  #sudo rm -f /etc/nginx/sites-available/${APPID}_tor_ssl.conf 2>/dev/null
+  #sudo nginx -t
+  #sudo systemctl reload nginx
+
+  echo "# close ports on firewall"
+  sudo ufw deny "${PORT_CLEAR}"
+  sudo ufw deny "${PORT_SSL}"
+
+  echo "# delete user"
+  sudo userdel -rf ${APPID}
+
+  echo "# removing Tor hidden service (if active)"
+  /home/admin/config.scripts/tor.onion-service.sh off ${APPID}
+
+  echo "# mark app as uninstalled in raspiblitz config"
+  /home/admin/config.scripts/blitz.conf.sh set ${APPID} "off"
+
+  # only if 'delete-data' is an additional parameter then also the data directory gets deleted
+  if [ "$(echo "$@" | grep -c delete-data)" -gt 0 ]; then
+    echo "# found 'delete-data' parameter --> also deleting the app-data"
+    sudo rm -r /mnt/hdd/app-data/${APPID}
+  fi
+
+  echo "# OK - app should be uninstalled now"
+  exit 0
+
+fi
+
+# just a basic error message when unknown action parameter was given
+echo "# FAIL - Unknown Parameter $1"
+exit 1

home.admin/config.scripts/bonus.template.sh

@@ -202,7 +202,9 @@ if [ "$1" = "1" ] || [ "$1" = "on" ]; then
   echo "# download the source code & verify"
   sudo -u ${APPID} git clone ${GITHUB_REPO} /home/${APPID}/${APPID}
   cd /home/${APPID}/${APPID}
+  if [ "${GITHUB_TAG}" != "" ]; then
     sudo -u ${APPID} git reset --hard $GITHUB_TAG
+  fi
   if [ "${GITHUB_SIGN_AUTHOR}" != "" ]; then
     sudo -u ${APPID} /home/admin/config.scripts/blitz.git-verify.sh \
      "${GITHUB_SIGN_AUTHOR}" "${GITHUB_SIGN_PUBKEYLINK}" "${GITHUB_SIGN_FINGERPRINT}" "${GITHUB_TAG}" || exit 1
@@ -237,6 +239,7 @@ Wants=bitcoind
 After=bitcoind
 
 [Service]
+WorkingDirectory=/home/${APPID}
 Environment=\"HOME_PATH=/mnt/hdd/app-data/${APPID}\"
 ExecStartPre=-/home/admin/config.scripts/bonus.${APPID}.sh prestart
 ExecStart=/usr/bin/node /home/${APPID}/${APPID}/${APPID}
@@ -327,10 +330,17 @@ server {
   # mark app as installed in raspiblitz config
   /home/admin/config.scripts/blitz.conf.sh set ${APPID} "on"
 
-  # start app up thru systemd
+  # enable app up thru systemd
   sudo systemctl enable ${APPID}
+  echo "# OK - the ${APPID}.service is now enabled"
+
+  # start app (only when blitz is ready)
+  source <(/home/admin/_cache.sh get state)
+  if [ "${state}" == "ready" ]; then
     sudo systemctl start ${APPID}
-  echo "# OK - the ${APPID}.service is now enabled & started"
+    echo "# OK - the ${APPID}.service is now started"
+  fi
+
   echo "# Monitor with: sudo journalctl -f -u ${APPID}"
   exit 0
 
@@ -422,6 +432,9 @@ if [ "$1" = "0" ] || [ "$1" = "off" ]; then
   sudo ufw deny "${PORT_CLEAR}"
   sudo ufw deny "${PORT_SSL}"
 
+  echo "# delete user"
+  sudo userdel -rf ${APPID}
+
   echo "# removing Tor hidden service (if active)"
   /home/admin/config.scripts/tor.onion-service.sh off ${APPID}