feat: add lnproxy server, webui and check payment hashes as a client (#3637)

* lnproxy: check if payment hashes match #3636 * go update to 1.19.5 and verify checkums * add lnproxy install script * add lnproxy-webui * pin versions and fix formatting * add nginx configs for lnproxy
2025-02-28 16:58:03 +01:00 · 2023-02-05 20:36:51 +00:00 · 2023-02-05 20:36:51 +00:00 · e9c98ab822
commit e9c98ab822
parent d11dafd1db
7 changed files with 473 additions and 53 deletions
--- a/home.admin/_commands.sh
+++ b/home.admin/_commands.sh
@ -78,16 +78,17 @@ function blitzhelp() {
  echo "  ckbunker     CKbunker"
  echo
  echo "Extras:"
-  echo "  manage       use the lndmanage bonus app"
  echo "  whitepaper   download the whitepaper from the blockchain to /home/admin/bitcoin.pdf"
  echo "  notifyme     wrapper for blitz.notify.sh that will send a notification using the configured method and settings"
  echo "  suez         visualize channels (for the default ln implementation and chain when installed)"
+  exho "  lnproxy      wrap invoices with lnproxy"
  echo
  echo "LND:"
  echo "  lncli        LND commandline interface (when installed)"
  echo "  balance      your satoshi balance"
  echo "  channels     your lightning channels"
  echo "  fwdreport    show forwarding report"
+  echo "  manage       use the lndmanage bonus app"
  echo
  echo "CLN:"
  echo " lightning-cli Core Lightning commandline interface (when installed)"
@ -529,17 +530,32 @@ function bm() {

 # command: lnproxy
 function lnproxy() {
-  if [ $(cat /mnt/hdd/raspiblitz.conf 2>/dev/null | grep -c "runBehindTor=on") -eq 1 ]; then
-    echo
-    echo "Requesting a wrapped invoice from rdq6tvulanl7aqtupmoboyk2z3suzkdwurejwyjyjf4itr3zhxrm2lad.onion ..."
-    echo
-    torify curl http://rdq6tvulanl7aqtupmoboyk2z3suzkdwurejwyjyjf4itr3zhxrm2lad.onion/api/${1}
+  source /mnt/hdd/raspiblitz.conf
+  if [ $# -gt 0 ]; then
+    invoice=$1
  else
-    echo
-    echo "Requesting a wrapped invoice from https://lnproxy.org ..."
-    echo
-    curl https://lnproxy.org/api/${1}
+    echo "Paste the invoice to be wrapped and press enter:"
+    read -r invoice
  fi
+  if systemctl is-active --quiet tor@default; then
+    if [ -z "${lnproxy_override_tor}" ]; then
+      lnproxy_override_tor="rdq6tvulanl7aqtupmoboyk2z3suzkdwurejwyjyjf4itr3zhxrm2lad.onion/api"
+    fi
+    wrapped=$(torsocks curl -sS http://${lnproxy_override_tor}/${invoice})
+    echo
+    echo "Requesting a wrapped invoice from ${lnproxy_override_tor}"
+  else
+    if [ -z "${lnproxy_override_clearnet}" ]; then
+      lnproxy_override_clearnet="lnproxy.org/api"
+    fi
+    wrapped=$(curl -sS https://${lnproxy_override_clearnet}/${invoice})
+    echo
+    echo "Requesting a wrapped invoice from ${lnproxy_override_clearnet}"
+  fi
+  echo
+  /home/admin/config.scripts/blitz.check-invoice-wrap.py "$1" "$wrapped"
+  echo
+  echo $wrapped
 }

 # command: suez
--- a/home.admin/assets/nginx/sites-available/lnproxy_ssl.conf
+++ b/home.admin/assets/nginx/sites-available/lnproxy_ssl.conf
@ -0,0 +1,27 @@
+## lnproxy_ssl.conf
+
+server {
+    listen 4749 ssl http2;
+    listen [::]:4749 ssl http2;
+    server_name _;
+
+    include /etc/nginx/snippets/ssl-params.conf;
+    include /etc/nginx/snippets/ssl-certificate-app-data.conf;
+
+    include /etc/nginx/snippets/gzip-params.conf;
+
+    access_log /var/log/nginx/access_lnproxy.log;
+    error_log /var/log/nginx/error_lnproxy.log;
+
+    location /api/ {
+        proxy_pass http://127.0.0.1:4747;
+
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:4748;
+
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+}
--- a/home.admin/assets/nginx/sites-available/lnproxy_tor.conf
+++ b/home.admin/assets/nginx/sites-available/lnproxy_tor.conf
@ -0,0 +1,26 @@
+## lnproxy_tor.conf
+
+server {
+    listen 4750;
+    server_name _;
+
+    include /etc/nginx/snippets/ssl-params.conf;
+    include /etc/nginx/snippets/ssl-certificate-app-data.conf;
+
+    include /etc/nginx/snippets/gzip-params.conf;
+
+    access_log /var/log/nginx/access_lnproxy.log;
+    error_log /var/log/nginx/error_lnproxy.log;
+
+    location /api/ {
+        proxy_pass http://127.0.0.1:4747;
+
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:4748;
+
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+}
--- a/home.admin/assets/nginx/sites-available/lnproxy_tor_ssl.conf
+++ b/home.admin/assets/nginx/sites-available/lnproxy_tor_ssl.conf
@ -0,0 +1,26 @@
+## lnproxy_tor_ssl.conf
+
+server {
+    listen 4751 ssl http2;
+    server_name _;
+
+    include /etc/nginx/snippets/ssl-params.conf;
+    include /etc/nginx/snippets/ssl-certificate-app-data.conf;
+
+    include /etc/nginx/snippets/gzip-params.conf;
+
+    access_log /var/log/nginx/access_lnproxy.log;
+    error_log /var/log/nginx/error_lnproxy.log;
+
+    location /api/ {
+        proxy_pass http://127.0.0.1:4747;
+
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:4748;
+
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+}
--- a/home.admin/config.scripts/blitz.check-invoice-wrap.py
+++ b/home.admin/config.scripts/blitz.check-invoice-wrap.py
@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+# adapted from: https://github.com/lnproxy/lnproxy-cli/blob/fe18d16e42b58f635b94c7da59a34d5e092e4d56/check-wrap.py
+# Parses payment hashes and amounts in bolt11 invoices to check lnproxy
+# Can skip most bolt11 checks since both the user's wallet and lnproxy will do that
+
+from decimal import Decimal
+
+CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
+units = {
+	'p': 10**12,
+	'n': 10**9,
+	'u': 10**6,
+	'm': 10**3,
+}
+
+def parse(invoice):
+	invoice = invoice.lower()
+	pos = invoice.rfind('1')
+	amount = invoice[4:pos]
+	if amount == '':
+		amount = Decimal(0)
+	else:
+		amount = Decimal(amount[:-1]) / units[amount[-1]]
+	data = invoice[pos+1+7:]
+	i = 0
+	while i < len(data):
+		if data[i] == 'p' and data[i+1:i+1+2] == 'p5':
+			payment_hash = data[i+1+2:i+1+2+52]
+			break
+		else:
+			i += 3 + CHARSET.find(data[i+1]) * 32 + CHARSET.find(data[i+1+1])
+	return (amount, payment_hash)
+
+from sys import stderr, argv
+try:
+	if len(argv) != 3:
+		raise Exception("Incorrect number of arguments")
+
+	amt1, hash1 = parse(argv[1])
+	amt2, hash2 = parse(argv[2])
+
+	if hash1 != hash2:
+		print(f"Payment hashes do not match!", file=stderr)
+		exit(3)
+
+	if amt1 != Decimal(0):
+		print(f"Hashes match, routing fee is {(amt2-amt1)*10**8:0,.0f} sat ({(amt2-amt1)/amt1*100:0.2f}%)")
+	else:
+		print(f"Hashes match")
+
+except Exception as err:
+	print('Error:', err)
+	print(f"usage: {argv[0]} <original invoice> <wrapped invoice>", file=stderr)
+	exit(2)
--- a/home.admin/config.scripts/bonus.go.sh
+++ b/home.admin/config.scripts/bonus.go.sh
@ -1,10 +1,15 @@
 #!/usr/bin/env sh

 # set version, check: https://golang.org/dl/
-goVersion="1.18.7"
+goVersion="1.19.5"
+# checksums:
+amd64Checksum="36519702ae2fd573c9869461990ae550c8c0d955cd28d2827a6b159fda81ff95"
+armv6lChecksum="ec14f04bdaf4a62bdcf8b55b9b6434cc27c2df7d214d0bb7076a7597283b026a"
+arm64Checksum="fc0aa29c933cec8d76f5435d859aaf42249aa08c74eb2d154689ae44c08d23b3"
+
 downloadFolder="/home/admin/download"

-usage(){
+usage() {
  printf "Config script to install or remove Go\n"
  printf "./bonus.go.sh [on|off]\n"
  exit 1
@ -12,51 +17,65 @@ usage(){

 case "$1" in

-  1|on) # switch on
-    . /etc/profile # get Go vars - needed if there was no log-out since Go installed
-    printf "Check Framework: Go\n"
-    if go version 2>/dev/null | grep -q "${goVersion}" ; then
-      printf "\nThe requested version of Go is already installed.\n"
-      go version
-      printf "\n"
+1 | on)          # switch on
+  . /etc/profile # get Go vars - needed if there was no log-out since Go installed
+  printf "# Check Framework: Go\n"
+  if go version 2>/dev/null | grep -q "${goVersion}"; then
+    printf "\nThe requested version of Go is already installed.\n"
+    go version
+    printf "\n"
+  else
+    goOSversion=$(dpkg --print-architecture)
+    if [ ${goOSversion} = "armv6l" ]; then
+      checksum=${armv6lChecksum}
+    elif [ ${goOSversion{} = "arm64" ]; then
+      checksum=${arm64Checksum}
+    elif [ ${goOSversion} = "amd64" ]; then
+      checksum=${amd64Checksum}
    else
-      architecture="$(uname -m)"
-      case "${architecture}" in
-        arm*) goOSversion="armv6l";;
-        aarch64) goOSversion="arm64";;
-        x86_64) goOSversion="amd64";;
-        *) printf %s"Not available for architecture=${architecture}\n"; exit 1
-      esac
-      printf %s"\n*** Installing Go v${goVersion} for ${goOSversion} \n***"
-      wget https://dl.google.com/go/go${goVersion}.linux-${goOSversion}.tar.gz -P ${downloadFolder}
-      if [ ! -f "${downloadFolder}/go${goVersion}.linux-${goOSversion}.tar.gz" ]; then
-        printf "# FAIL # Download failed.\n"
-        rm -fv go${goVersion}.linux-${goOSversion}.tar.gz*
-        exit 1
-      fi
-      printf "Clean old Go version\n"
-      sudo rm -rf /usr/local/go /usr/local/gocode
-      sudo tar -C /usr/local -xzf ${downloadFolder}/go${goVersion}.linux-${goOSversion}.tar.gz
-      rm -fv ${downloadFolder}/go${goVersion}.linux-${goOSversion}.tar.gz*
-      sudo mkdir -v /usr/local/gocode
-      sudo chmod -v 777 /usr/local/gocode
-      export GOROOT=/usr/local/go
-      export PATH=$PATH:$GOROOT/bin
-      export GOPATH=/usr/local/gocode
-      export PATH=$PATH:$GOPATH/bin
-      sudo grep -q "GOROOT=" /etc/profile || { printf "\nGOROOT=/usr/local/go\nPATH=\$PATH:\$GOROOT/bin/\nGOPATH=/usr/local/gocode\nPATH=\$PATH:\$GOPATH/bin/\n\n" | sudo tee -a /etc/profile; }
-      go env -w GOPATH=/usr/local/gocode # set GOPATH https://github.com/golang/go/wiki/SettingGOPATH
-      go version | grep -q "go" || { printf "FAIL: Unable to install Go\n"; exit 1; }
-      printf %s"Installed $(go version 2>/dev/null)\n\n"
+      echo "# architecture $goOSversion not supported"
+      exit 1
    fi
-  ;;

-  0|off) # switch off
-    printf "*** REMOVING GO ***\n"
+    printf %s"\n*** Installing Go v${goVersion} for ${goOSversion} \n***"
+    wget https://dl.google.com/go/go${goVersion}.linux-${goOSversion}.tar.gz -P ${downloadFolder}
+    if [ ! -f "${downloadFolder}/go${goVersion}.linux-${goOSversion}.tar.gz" ]; then
+      printf "# FAIL # Download failed.\n"
+      rm -fv go${goVersion}.linux-${goOSversion}.tar.gz*
+      exit 1
+    fi
+    if ! echo ${checksum} ${downloadFolder}/go${goVersion}.linux-${goOSversion}.tar.gz | sha256sum -c; then
+      printf "# FAIL: Download corrupted\n"
+      rm -fv ${downloadFolder}/go${goVersion}.linux-${goOSversion}.tar.gz*
+      exit 1
+    fi
+
+    printf "# Clean old Go version\n"
    sudo rm -rf /usr/local/go /usr/local/gocode
-    printf "OK Go removed.\n"
+    sudo tar -C /usr/local -xzf ${downloadFolder}/go${goVersion}.linux-${goOSversion}.tar.gz
+    rm -fv ${downloadFolder}/go${goVersion}.linux-${goOSversion}.tar.gz*
+    sudo mkdir -v /usr/local/gocode
+    sudo chmod -v 777 /usr/local/gocode
+    export GOROOT=/usr/local/go
+    export PATH=$PATH:$GOROOT/bin
+    export GOPATH=/usr/local/gocode
+    export PATH=$PATH:$GOPATH/bin
+    sudo grep -q "GOROOT=" /etc/profile || { printf "\nGOROOT=/usr/local/go\nPATH=\$PATH:\$GOROOT/bin/\nGOPATH=/usr/local/gocode\nPATH=\$PATH:\$GOPATH/bin/\n\n" | sudo tee -a /etc/profile; }
+    go env -w GOPATH=/usr/local/gocode # set GOPATH https://github.com/golang/go/wiki/SettingGOPATH
+    go version | grep -q "go" || {
+      printf "FAIL: Unable to install Go\n"
+      exit 1
+    }
+    printf %s"Installed $(go version 2>/dev/null)\n\n"
+  fi
  ;;

-  *) usage
+0 | off) # switch off
+  printf "*** REMOVING GO ***\n"
+  sudo rm -rf /usr/local/go /usr/local/gocode
+  printf "# OK Go removed.\n"
+  ;;

-esac
+*) usage ;;
+
+esac
--- a/home.admin/config.scripts/bonus.lnproxy.sh
+++ b/home.admin/config.scripts/bonus.lnproxy.sh
@ -0,0 +1,252 @@
+#!/bin/bash
+
+# https://github.com/lnproxy/lnproxy/commits/main
+LNPROXYVERSION="423723b58cc45daa2fdf6c8b22537d560aca4d7a"
+# https://github.com/lnproxy/lnproxy-webui/commits/main
+WEBUIVERSION=24d291c884a0b60126c1915301f29c893900a155
+
+# command info
+if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
+  echo "config script to install or uninstall the lnproxy server"
+  echo "bonus.lnproxy.sh [on|off|menu]"
+  echo "installs the version $LNPROXYVERSION by default"
+  exit 1
+fi
+
+source /mnt/hdd/raspiblitz.conf
+localip=$(hostname -I | awk '{print $1}')
+
+# menu
+if [ "$1" = "menu" ]; then
+
+  if systemctl is-active --quiet lnproxy; then
+    # get network info
+    torAddress=$(sudo cat /mnt/hdd/tor/lnproxy/hostname 2>/dev/null)
+    fingerprint=$(openssl x509 -in /mnt/hdd/app-data/nginx/tls.cert -fingerprint -noout | cut -d"=" -f2)
+
+    if [ "${runBehindTor}" = "on" ] && [ -n "${torAddress}" ]; then
+      # Info with Tor
+      sudo /home/admin/config.scripts/blitz.display.sh qr "${torAddress}"
+      whiptail --title " lnproxy-webui and API" --msgbox "\
+Open in your local web browser:
+http://${localip}:4748
+https://${localip}:4749 with Fingerprint:
+${fingerprint}\n
+Hidden Service address for Tor Browser (see LCD for QR):
+${torAddress}\n
+To use the API:
+curl -k https://${localip}:4749/api/{invoice}?routing_msat={budget}\n
+The Tor Hidden Service address to share for using the API:
+${torAddress}/api
+" 19 67
+      sudo /home/admin/config.scripts/blitz.display.sh hide
+    else
+      # Info without Tor
+      whiptail --title " lnproxy-webui " --msgbox "Open in your local web browser:
+http://${localip}:4748\n
+Activate Tor to access the web interface from outside your local network.
+" 15 57
+    fi
+    echo "# please wait ..."
+  else
+    echo "# *** LNPROXY IS NOT INSTALLED ***"
+  fi
+  exit 0
+fi
+
+# install
+if [ "$1" = "1" ] || [ "$1" = "on" ]; then
+
+  if systemctl is-active --quiet lnproxy; then
+    echo "# FAIL - lnproxy already installed"
+    sleep 3
+    exit 1
+  fi
+
+  echo "*** INSTALL LNPROXY ***"
+  # check and install Go
+  /home/admin/config.scripts/bonus.go.sh on
+
+  # create lnproxy user
+  sudo adduser --disabled-password --gecos "" lnproxy
+
+  # create macaroon
+  cd /home/bitcoin || exit 1
+  sudo -u bitcoin lncli bakemacaroon --save_to lnproxy.macaroon \
+    uri:/lnrpc.Lightning/DecodePayReq \
+    uri:/lnrpc.Lightning/LookupInvoice \
+    uri:/invoicesrpc.Invoices/AddHoldInvoice \
+    uri:/invoicesrpc.Invoices/SubscribeSingleInvoice \
+    uri:/invoicesrpc.Invoices/CancelInvoice \
+    uri:/invoicesrpc.Invoices/SettleInvoice \
+    uri:/routerrpc.Router/SendPaymentV2
+  sudo mv ./lnproxy.macaroon /home/lnproxy/
+  sudo chown lnproxy:lnproxy /home/lnproxy/lnproxy.macaroon
+  sudo chmod 600 /home/lnproxy/lnproxy.macaroon
+
+  # make sure symlink to central app-data directory exists
+  sudo rm -rf /home/lnproxy/.lnd # not a symlink.. delete it silently
+  # create symlink
+  sudo ln -s "/mnt/hdd/app-data/lnd/" "/home/lnproxy/.lnd"
+
+  # download source code
+  cd /home/lnproxy/ || exit 1
+  sudo -u lnproxy git clone https://github.com/lnproxy/lnproxy.git /home/lnproxy/lnproxy
+  cd /home/lnproxy/lnproxy || exit 1
+  sudo -u lnproxy git reset --hard ${LNPROXYVERSION} || exit 1
+
+  # build
+  sudo -u lnproxy /usr/local/go/bin/go get lnproxy
+  sudo -u lnproxy /usr/local/go/bin/go build
+
+  # manual start (in tmux)
+  # sudo -u lnproxy /home/lnproxy/lnproxy/lnproxy -lnd-cert /home/lnproxy/.lnd/tls.cert /home/lnproxy/lnproxy.macaroon
+
+  # create systemd service
+  cat <<EOF | sudo tee /etc/systemd/system/lnproxy.service
+[Unit]
+Description=lnproxy
+After=lnd.service
+
+[Service]
+User=lnproxy
+Group=lnproxy
+Type=simple
+ExecStart=/home/lnproxy/lnproxy/lnproxy -lnd-cert /home/lnproxy/.lnd/tls.cert /home/lnproxy/lnproxy.macaroon
+Restart=on-failure
+RestartSec=30
+TimeoutSec=120
+
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+  # enable and start service
+  sudo systemctl enable lnproxy
+
+  source <(/home/admin/_cache.sh get state)
+  if [ "${state}" == "ready" ]; then
+    echo "# OK - the lnproxy.service is enabled, system is on ready so starting service"
+    sudo systemctl start lnproxy
+  else
+    echo "# OK - the lnproxy.service is enabled, to start manually use: sudo systemctl start lnproxy"
+  fi
+
+  # lnproxy-webui
+  cd /home/lnproxy/ || exit 1
+  sudo -u lnproxy git clone https://github.com/lnproxy/lnproxy-webui
+  cd /home/lnproxy/lnproxy-webui || exit 1
+  sudo -u lnproxy git reset --hard ${WEBUIVERSION} || exit 1
+
+  # build
+  sudo -u lnproxy /usr/local/go/bin/go get lnproxy-webui
+  sudo -u lnproxy /usr/local/go/bin/go build
+
+  # create systemd service
+  cat <<EOF | sudo tee /etc/systemd/system/lnproxy-webui.service
+[Unit]
+Description=lnproxy-webui
+After=lnproxy.service
+
+[Service]
+WorkingDirectory=/home/lnproxy/lnproxy-webui
+User=lnproxy
+Group=lnproxy
+Type=simple
+ExecStart=/home/lnproxy/lnproxy-webui/lnproxy-webui
+Restart=on-failure
+RestartSec=30
+TimeoutSec=120
+
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+  # enable and start service
+  sudo systemctl enable lnproxy-webui
+
+  source <(/home/admin/_cache.sh get state)
+  if [ "${state}" == "ready" ]; then
+    echo "# OK - the lnproxy-webui.service is enabled, system is on ready so starting service"
+    sudo systemctl start lnproxy-webui
+  else
+    echo "# OK - the lnproxy-webui.service is enabled, to start manually use: sudo systemctl start lnproxy-webui"
+  fi
+
+  ##################
+  # NGINX
+  ##################
+  # setup nginx symlinks
+  if ! [ -f /etc/nginx/sites-available/lnproxy_ssl.conf ]; then
+    sudo cp -f /home/admin/assets/nginx/sites-available/lnproxy_ssl.conf /etc/nginx/sites-available/lnproxy_ssl.conf
+  fi
+  if ! [ -f /etc/nginx/sites-available/lnproxy_tor.conf ]; then
+    sudo cp /home/admin/assets/nginx/sites-available/lnproxy_tor.conf /etc/nginx/sites-available/lnproxy_tor.conf
+  fi
+  if ! [ -f /etc/nginx/sites-available/lnproxy_tor_ssl.conf ]; then
+    sudo cp /home/admin/assets/nginx/sites-available/lnproxy_tor_ssl.conf /etc/nginx/sites-available/lnproxy_tor_ssl.conf
+  fi
+  sudo ln -sf /etc/nginx/sites-available/lnproxy_ssl.conf /etc/nginx/sites-enabled/
+  sudo ln -sf /etc/nginx/sites-available/lnproxy_tor.conf /etc/nginx/sites-enabled/
+  sudo ln -sf /etc/nginx/sites-available/lnproxy_tor_ssl.conf /etc/nginx/sites-enabled/
+  sudo nginx -t
+  sudo systemctl reload nginx
+
+  sudo ufw allow 4747 comment lnproxy-HTTP
+  sudo ufw allow 4748 comment lnproxy-webui-HTTP
+  sudo ufw allow 4749 comment lnproxy-HTTPS
+
+  /home/admin/config.scripts/tor.onion-service.sh lnproxy 80 4750 443 4751
+
+  # setting value in raspi blitz config
+  /home/admin/config.scripts/blitz.conf.sh set lnproxy "on"
+
+  echo "# API:"
+  echo "curl http://${localip}:4747/{your_invoice}?routing_msat={routing_budget}"
+  echo "# WebUI:"
+  echo "http://${localip}:4748"
+  echo "# More info at:"
+  echo "https://github.com/lnproxy/lnproxy"
+
+  exit 0
+fi
+
+# switch off
+if [ "$1" = "0" ] || [ "$1" = "off" ]; then
+  echo "*** REMOVING LNPROXY***"
+  # remove user and home directory
+  sudo userdel -rf lnproxy
+
+  # remove systemd services
+  sudo systemctl disable --now lnproxy
+  /etc/systemd/system/lnproxy.service
+  sudo systemctl disable --now lnproxy-webui
+  /etc/systemd/system/lnproxy-webui.service
+
+  # remove Tor service
+  /home/admin/config.scripts/tor.onion-service.sh off lnproxy
+
+  # close ports on firewall
+  sudo ufw delete allow 4747
+  sudo ufw delete allow 4748
+  sudo ufw delete allow 4749
+
+  # setting value in raspi blitz config
+  /home/admin/config.scripts/blitz.conf.sh set lnproxy "off"
+
+  echo "# OK, lnproxy is removed."
+
+  exit 0
+fi