```
├── BTCPayServer
│   ├── BTCPayServer_on_the_RaspiBlitz.md
│   ├── README.md
│   ├── addSubdomains.md
│   ├── bonus.btcpaysetdomain.sh
│   ├── btcpay_to_blitz.sh
│   └── certbot.md
├── CNAME
├── Electrum_ColdCard_Trezor_Ledger_EPS.md
├── JouleToRaspiBlitz.md
├── README.md
├── ZAPtoRaspiBolt
│   ├── README.md
│   ├── zap1.png
│   └── zap2.png
├── Zap_to_RaspiBlitz_through_Tor.md
├── Zeus_to_RaspiBlitz_through_Tor.md
├── _config.yml
├── aarch64-linux-desktop
│   └── fedora-asahi-remix-notes.md
├── ai
│   ├── nvidia-driver-install.sh
│   └── stable-diffusion.sh
├── backups
│   ├── README.md
│   ├── coldcard.md
│   ├── joinmarket.md
│   ├── lnd-onchain-wallet-only.md
│   ├── lnd.md
│   ├── pgp-encryption.md
│   ├── samouraiwallet.md
│   ├── seedxor.md
│   └── specterdiy.md
├── boltcard
│   └── README.md
├── ci
│   └── README.md
├── ckbunker_on_blitz.md
├── electrs
│   ├── README.md
│   ├── Tor_Hidden_Service_for_Electrs.md
│   ├── config.scripts
│   │   └── revert_ electrs_automation_for_Eclair.sh
│   ├── electrs_to_RaspiBlitz.sh
│   ├── electrum_wallet.sh
│   ├── images
│   │   ├── electrs_status.png
│   │   ├── electrum.png
│   │   ├── electrum_icon_lan.png
│   │   ├── electrum_icon_tor.png
│   │   └── electrum_tor.png
│   ├── modules
│   │   ├── 2_electrs_systemd_service.sh
│   │   ├── 3_Nginx_and_Certbot_for_SSL.sh
│   │   ├── 3_SSL.sh
│   │   ├── certbot.sh
│   │   └── tor_hidden_service.sh
│   └── testnet
│       ├── t1_electrs_on_RaspiBlitz.sh
│       └── t2_electrs_systemd_service.sh
├── electrumx.md
├── fulcrum.md
├── images
│   ├── DroidBlitzXU4_HC1.jpg
│   ├── HC1.jpeg
│   ├── RaspiBlitz.png
│   ├── RaspiBlitzPhoto.jpg
│   ├── RaspiBlitz_Logo_Berry.png
│   ├── XU4.jpeg
│   ├── ckbunker.hsmmode.jpg
│   ├── ckbunker.starthsm.jpg
│   ├── joinmarket_logo.png
│   ├── joinmarket_maxsize.png
│   ├── joinmarket_minsize.png
│   ├── joule1.png
│   ├── orbot.jpg
│   ├── raspilogo_400px.png
│   ├── zap_on_tor.jpg
│   ├── zap_on_tor_logo.jpg
│   ├── zeus_on_tor.jpg
│   └── zeus_on_tor_logo.jpg
├── joinmarket
│   ├── README.md
│   ├── joinmarket_desktop_to_blitz.md
│   ├── joinmarket_private_flow.md
│   └── systemd
│       ├── jmdir_mainnet.service
│       ├── jmdir_signet.service
│       └── ob-watcher.service
├── k8s
│   ├── README.md
│   ├── devenv.k3d.sh
│   ├── devenv.mickrok8s.sh
│   ├── galoy.mainnet.sh
│   ├── galoy.testnet.sh
│   ├── install.microk8s.sh
│   └── nixenv.sh
├── nginx
│   ├── README.md
│   ├── bonus.SSL_for_RTL.sh
│   ├── btcpayserver_forward.conf
│   ├── btcpayserver_subdomain.sh
│   ├── custom_website_subdomain.sh
│   ├── electrum_server_subdomain.sh
│   ├── https_redirect_to_subdomain.sh
│   ├── mempool_subdomain.sh
│   ├── nostr-relay.sh
│   └── nostr_lnaddress_snippets.conf
├── nokyc
│   └── README.md
├── nostr
│   ├── README.md
│   └── ligess.md
├── openbazaar
│   ├── README.md
│   ├── migrate_store_from_linux_desktop.txt
│   ├── openbazaar_client_to_desktop.sh
│   └── openbazaar_to_raspiblitz.sh
├── phonewallet.md
├── proxy
│   └── server.js
├── raspiblitz-custom-install-scripts
│   ├── README.md
│   ├── custom-installs.sh
│   └── tailscale.sh
├── raspiblitz.updates
│   ├── README.md
│   ├── bitcoincore.update.v0.19.1.sh
│   ├── bitcoincore.update.v0.20.0.sh
│   ├── bitcoincore.update.v0.21.0.sh
│   └── bitcoincore.update.v22.0.sh
├── satochip
│   ├── README.md
│   ├── card-and-reader01.png
│   ├── card-and-reader02.png
│   ├── card-and-reader03.png
│   ├── card-and-reader04.png
│   ├── load-satochip-to-sparrow01.png
│   ├── load-satochip-to-sparrow02.png
│   ├── load-satochip-to-sparrow03.png
│   ├── load-satochip-to-sparrow04.png
│   ├── load-satochip-to-sparrow05.png
│   ├── load-satochip-to-sparrow06.png
│   └── load-satochip-to-sparrow07.png
├── sparrowwallet
│   └── sparrow.update.sh
├── ssh_tunnel.md
├── tor
│   ├── checkHiddenService.sh
│   └── crontab.sh
├── tor2IP_tunnel_443.md
├── tor2IP_tunnel_80.md
├── tor2ip.grpc.md
├── tor2ip.rest.md
├── tor2ip_tunnel.md
├── tor_hidden_service_example.md
├── wireguard
│   └── killswitch.md
├── zerotier
│   └── README.md
└── zfs
    ├── create-ext4-raspiblitz-disk.md
    ├── create-raspiblitz-zfs-disk.md
    ├── restore-raspiblitz-zfs-disk.md
    ├── sync-chain.md
    ├── sync-fulcrum-db.md
    └── truenasbuild.md
```

--------------------------------------------------------------------------------
/BTCPayServer/README.md:
--------------------------------------------------------------------------------
## Install BTCPayServer on the RaspiBlitz

Run BTCPayServer on your RaspiBlitz using the already synced bitcoin blockchain and local LND node.
Benefit from the backup and security features of the RaspiBlitz and LND.
No added synchronization is needed.

Requirements:
* a domain name or dynamic DNS
* the ports 80, 443 and 9735 forwarded on the router to the RaspiBlitz LAN IP

Tested on:
* RaspiBlitz v1.3
* RPi4 4GB (2GB RAM is sufficient)

### [Automated Script](https://github.com/openoms/bitcoin-tutorials/blob/master/BTCPayServer/btcpay_to_blitz.sh)

The BTCPay Server installation will be part of the next RaspiBlitz release.
To try it on your node follow the instructions:
https://github.com/openoms/raspiblitz-extras#test-the-functions-coming-to-the-next-release

* BTCPayServer, NBXplorer and .NET Core are confined to the user `btcpay`.
* The BTCPay data and store settings are stored on the HDD in `/mnt/hdd/.btcpayserver` and are recoverable on a reinstall / SD card update.
* Sets up a Tor Hidden Service if Tor is active.
* Gives an option to use only the Tor Hidden Service and a self-signed certificate, so it can be used without a clearnet domain.
* To change the BTCPay domain or to update, run the most recent script again.

### Setting up BTCPayServer

* Go to your domain
* Register the first (administrator) account
* Create a Store
* In Store settings set up the derivation scheme (add an xpub from a secure/hardware wallet)
* Set up LN with the connection string:
`type=lnd-rest;server=https://127.0.0.1:8080/;macaroonfilepath=/home/btcpay/admin.macaroon;allowinsecure=true`

* Find more detailed info on https://docs.btcpayserver.org/getting-started/

---

### Getting help

The setup has multiple components and dependencies which can change when updated or modified by the maintainers.

* see the original guide this is based on:

* shared experiences:

* if `Nginx` breaks:
`sudo nginx -t`
is a very useful debug tool.
It runs a test and displays detailed info on which line in the configuration is problematic.

* Try to run the commands manually one-by-one, spot which is causing the problem and copy the output

* Open an issue [here](https://github.com/openoms/bitcoin-tutorials/issues) with the details of your hardware and software environment (SBC model, RaspiBlitz version) and I will be happy to help to solve it.

* Join the BTCPay Server Community Chat on

--------------------------------------------------------------------------------
/BTCPayServer/addSubdomains.md:
--------------------------------------------------------------------------------
# Add subdomains and redirects to BTCPayServer

In this example configuration I am using a main domain for BTCPayServer and two apps to redirect the subdomains to.

All subdomains need an A record pointing to the same IP address where BTCPayServer is exposed.

```
echo "Input your email:"
read EMAIL

echo "Input 3 subdomains separated with commas (eg: pay.example.com,tips.example.com,status.example.com)"
read SUBDOMAINS

echo "Input the URL to be redirected to for the second domain"
read REDIRECT1
echo "Input the URL to be redirected to for the third domain"
read REDIRECT2

sudo certbot certonly -a standalone -m $EMAIL --agree-tos \
-d $SUBDOMAINS --expand -n --pre-hook "service nginx stop" \
--post-hook "service nginx start" || exit 1

firstDomain=$(echo $SUBDOMAINS|cut -d"," -f1)

# copy in place if needed
#sudo cat /etc/letsencrypt/live/$firstDomain/fullchain.pem
#sudo cat /etc/letsencrypt/live/$firstDomain/privkey.pem

# Add to /etc/nginx/sites-available/btcpayserver
echo "
server {
    listen 443 ssl;
    server_name $(echo $SUBDOMAINS|cut -d"," -f2);
    return 301 $REDIRECT1;
    ssl on;

    ssl_certificate /etc/letsencrypt/live/$firstDomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$firstDomain/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/$firstDomain/chain.pem;

    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass http://localhost:23000;
    }
}

server {
    listen 443 ssl;
    server_name $(echo $SUBDOMAINS|cut -d"," -f3);
    return 301 $REDIRECT2;
    ssl on;

    ssl_certificate /etc/letsencrypt/live/$firstDomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$firstDomain/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/$firstDomain/chain.pem;

    location / {
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_pass http://localhost:23000;
    }
} " | sudo tee -a /etc/nginx/sites-available/btcpayserver
```

--------------------------------------------------------------------------------
/BTCPayServer/certbot.md:
--------------------------------------------------------------------------------
# Certbot commands

```
echo "Input your email:"
read EMAIL

echo "Input 3 subdomains separated with commas (eg: pay.example.com,tips.example.com,status.example.com)"
read SUBDOMAINS

firstDomain=$(echo $SUBDOMAINS|cut -d"," -f1)
```

* see details of a certificate
```
sudo openssl x509 -in /etc/letsencrypt/live/$firstDomain/fullchain.pem -text
```

* force renewal
```
sudo certbot certonly --force-renewal -a standalone -m $EMAIL --agree-tos -d $SUBDOMAINS --expand -n --pre-hook "service nginx stop" --post-hook "service nginx start"
```

* logs
```
sudo tail -n100 /var/log/letsencrypt/letsencrypt.log
```
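The addSubdomains.md script writes server blocks that carry `ssl on;` and `ssl_protocols TLSv1.1 TLSv1.2;`. `ssl on;` has been deprecated since nginx 1.15 in favour of the `listen 443 ssl;` already present in the same block, and TLS 1.1 is deprecated by RFC 8996. The shell function below is an added example, not one of the repository's scripts: it audits a vhost file such as `/etc/nginx/sites-available/btcpayserver` for those two settings, for missing OCSP stapling and for a missing HSTS header, returning the number of findings. It ships with two constructed sample files (`weak.conf`, mirroring what the script above writes, and `hardened.conf`) so it can be run offline; the function names, sample domains and redirect target are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not one of the repository's scripts): audit an nginx vhost
# file for weak TLS settings. Findings reported: legacy protocols listed in
# ssl_protocols, the deprecated "ssl on;" directive (redundant next to
# "listen 443 ssl;"), OCSP stapling not enabled, HSTS header missing.
# Prints one line per finding; the return value is the number of findings.

audit_nginx_tls() {
  local conf="$1" findings=0 body protos p
  if [ ! -r "$conf" ]; then
    echo "cannot read $conf" >&2
    return 255
  fi
  # Drop comments first so a commented-out directive does not count.
  body=$(sed 's/#.*$//' "$conf")

  # Check every token listed after ssl_protocols individually; a plain
  # substring match would let "TLSv1" hit inside "TLSv1.2".
  protos=$(printf '%s\n' "$body" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p')
  for p in $protos; do
    case "$p" in
      SSLv2|SSLv3|TLSv1|TLSv1.1)
        echo "FINDING: legacy protocol $p enabled; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
        findings=$((findings + 1)) ;;
    esac
  done

  if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
    echo "FINDING: deprecated 'ssl on;' directive; 'listen 443 ssl;' already enables TLS"
    findings=$((findings + 1))
  fi

  if ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;'; then
    echo "FINDING: OCSP stapling is off; add 'ssl_stapling on; ssl_stapling_verify on;'"
    findings=$((findings + 1))
  fi

  if ! printf '%s\n' "$body" | grep -q 'Strict-Transport-Security'; then
    echo "FINDING: no HSTS header; add 'add_header Strict-Transport-Security \"max-age=63072000\" always;'"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Constructed sample vhosts: weak.conf mirrors the settings the addSubdomains.md
# script writes, hardened.conf is the corrected form. Domains are placeholders.
write_sample_configs() {
  local dir="$1"
  cat > "$dir/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name tips.example.com;
    return 301 https://pay.example.com/tips;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/pay.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pay.example.com/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
}
EOF
  cat > "$dir/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name tips.example.com;
    return 301 https://pay.example.com/tips;
    ssl_certificate /etc/letsencrypt/live/pay.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pay.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF
}

# Dry run against the constructed samples.
# On a node: audit_nginx_tls /etc/nginx/sites-available/btcpayserver
tmp=$(mktemp -d)
write_sample_configs "$tmp"
audit_nginx_tls "$tmp/weak.conf"; echo "weak.conf: $? finding(s)"
audit_nginx_tls "$tmp/hardened.conf"; echo "hardened.conf: $? finding(s)"
rm -rf "$tmp"
```

Run it after `sudo nginx -t` passes: a syntactically valid configuration can still carry the three findings the weak sample produces, and none of them show up in the nginx test output.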
--------------------------------------------------------------------------------
/CNAME:
--------------------------------------------------------------------------------
tutorials.lightningnode.info

--------------------------------------------------------------------------------
/Electrum_ColdCard_Trezor_Ledger_EPS.md:
--------------------------------------------------------------------------------
# Install Electrum with support for ColdCard, Trezor and Ledger connected to your own Electrum Personal Server

* make sure the system is up-to-date
```
sudo apt-get update
sudo apt-get upgrade
sudo apt install git-all
```
## download, verify, install Electrum

https://electrum.org/#download

* Download package:

`$ wget https://download.electrum.org/3.3.4/Electrum-3.3.4.tar.gz`

* Verify Electrum's downloaded source code

At this stage, we are ready to verify Electrum's source code. The source code is signed by Thomas Voegtlin (https://electrum.org).
Let's import his public key:

`$ gpg --keyserver pool.sks-keyservers.net --recv-keys 2BD5824B7F9470E6`
```
gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
```
* Confirm a correct key import and proceed to verify the downloaded file with the help of the signature file:

`$ wget https://download.electrum.org/3.3.4/Electrum-3.3.4.tar.gz.asc`

`$ gpg --verify Electrum-3.3.4.tar.gz.asc`
```
gpg: Signature made Tue 12 Dec 2017 17:06:09 AEDT
gpg: using RSA key 2BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) " [unknown]
gpg: aka "ThomasV " [unknown]
gpg: aka "Thomas Voegtlin " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6
```

* Note gpg: Good signature on Line 3. All seems to be in order!
* Install Electrum

To install the Electrum bitcoin wallet, we first need to perform an installation of all prerequisites:

Install dependencies:

`sudo apt-get install python3-setuptools python3-pyqt5 python3-pip`

Install Electrum using the command:

`python3 -m pip install --user Electrum-3.3.4.tar.gz[fast]`

`cd Electrum-3.3.4`

## (optional) zbar to read QR codes with the camera
`sudo apt-get install zbar-tools`

## (optional) install and activate a virtual environment
`apt-get install python3-venv`

`python3 -m venv venv`

`source venv/bin/activate`

---

## ColdCard for Electrum
```
sudo apt-get install python-dev libusb-1.0-0-dev libudev-dev
sudo pip install --upgrade setuptools
sudo pip install hidapi pyqt5 "ckcc-protocol[cli]"
```
add the udev rules
```
cd /etc/udev/rules.d/
sudo wget https://raw.githubusercontent.com/Coldcard/ckcc-protocol/master/51-coinkite.rules
sudo udevadm control --reload-rules && sudo udevadm trigger
```

## Trezor for Electrum
```
sudo apt-get install python3-dev python3-pip cython3 libusb-1.0-0-dev libudev-dev
sudo pip3 install --upgrade setuptools
pip3 install trezor
sudo pip3 install trezor[hidapi]
```
Add the udev rules:
```
cd /etc/udev/rules.d
sudo wget https://raw.githubusercontent.com/trezor/trezor-common/master/udev/51-trezor.rules
sudo udevadm trigger
sudo udevadm control --reload-rules
sudo groupadd plugdev
sudo usermod -aG plugdev `whoami`
```

## Ledger for Electrum
```
sudo apt-get install libudev-dev libusb-1.0-0-dev
sudo ln -s /lib/x86_64-linux-gnu/libudev.so.1 /lib/x86_64-linux-gnu/libudev.so
sudo pip3 install btchip-python
wget -q -O - https://raw.githubusercontent.com/LedgerHQ/udev-rules/master/add_udev_rules.sh | sudo bash
```
https://support.ledger.com/hc/en-us/articles/115005165269-What-if-Ledger-Wallet-is-not-recognized-on-Linux-

## Documentation on how to add udev rules in Linux:

https://github.com/bitcoin-core/HWI/tree/master/udev
https://github.com/spesmilo/electrum-docs/blob/master/hardware-linux.rst

---

## Electrum Personal Server

Follow Stadicus's guide:
https://github.com/Stadicus/RaspiBolt/blob/master/raspibolt_64_electrum.md

some permissions I needed to fix:

>ssh admin@Raspibolt

>sudo su - bitcoin

>ls -la

`drwx------ 6 bitcoin bitcoin 4096 Jan 2 23:55 .local`

>chmod 755 .local

`drwxr-xr-x 6 bitcoin bitcoin 4096 Jan 2 23:55 .local`

monitor the log:
>tail -f /tmp/electrumpersonalserver.log

restrict Electrum to use your own EPS, point it to the LAN IP of your Raspibolt
>python3 run_electrum --oneserver --server [RaspiBolt.IP]:50002:s

--------------------------------------------------------------------------------
/JouleToRaspiBlitz.md:
--------------------------------------------------------------------------------
## Connect the Joule browser extension to the RaspiBlitz

https://lightningjoule.com/
Bring the power of lightning to the web with in-browser payments and identity, all with your own node.

### Preparation on the Pi

For Joule to work you will need to allow connection to your RaspiBolt from any IP (0.0.0.0). The communications will remain encrypted with TLS, but there is a risk of a DDoS or other attack.

* Open the LND configuration file:
`$ sudo nano /home/bitcoin/.lnd/lnd.conf`

Add the following line to the section `[Application Options]`:
`tlsextraip=0.0.0.0`
* Delete tls.cert (restarting LND will recreate it):
`$ sudo rm /home/bitcoin/.lnd/tls.*`

* Restart LND:
`$ sudo systemctl restart lnd`

* Copy the new tls.cert to user "admin", as it is needed for lncli:
`$ sudo cp /home/bitcoin/.lnd/tls.cert /home/admin/.lnd`

* Unlock wallet
`$ lncli unlock`

* Allow the REST API to communicate with any IP address:
`$ sudo ufw allow 8080 comment 'allow REST api from public internet'`

* restart and check the firewall:
`$ sudo ufw enable`
`$ sudo ufw status`

### On the Linux desktop

* Install Joule for Chrome
https://chrome.google.com/webstore/detail/joule/aejmoogjdllanidlpfjmmmmimfaficio

* Click the Joule extension button

* Fill in the LAN address of your RaspiBolt:
`https://your.RaspiBolt.LAN.IP:8080`

* Click "try clicking this link" in the error message

* Click the "Not secure" sign left from the URL

* Certificate > Details tab > Export > save the file to your Home directory

alternatively you can extract the certificate from your node and copy it to your Home dir:
`$ scp admin@your.RaspiBolt.LAN.IP:/home/admin/.lnd/tls.cert ~/`

* Menu > Settings > Advanced (on the bottom) > Manage certificates > Authorities tab > Import > Choose to show "all files" and select the file you saved > Tick all three boxes > OK

The certificate will appear under "org-lnd autogenerated cert" if you would need to modify it later

* Go back to the Joule Tab and try connecting again

* Now you need your macaroons.
Copy the admin.macaroon and the readonly.macaroon from your node to your home directory:
`$ scp admin@your.RaspiBolt.LAN.IP:/home/bitcoin/.lnd/admin.macaroon ~/`

`$ scp admin@your.RaspiBolt.LAN.IP:/home/bitcoin/.lnd/readonly.macaroon ~/`

* Drop the two macaroon files to the Joule window and continue.

* Confirm your node and create a password for Joule on the next screens and you are good to go.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## Guides for the RaspiBlitz and Linux desktop

Start at
* #### [Phone as a wallet](phonewallet.md)
A guide to store bitcoin on a clean Android or iPhone secured with multisignature in the Blockstream Green Wallet.
Recommendations to people who are looking into how to take custody of their first satoshis and not running their own node yet.
* #### [Single seed multi-location backup schemes](backups/README.md)
Create 3 packages of cryptographically secure backups where the funds cannot be recovered from any single package, but can be recovered with the combination of any two. Can be thought of as a physical 2-of-3 multisig solution for ColdCard, JoinMarket and LND wallets.
* #### [Forward ports with a reverse SSH tunnel](ssh_tunnel.md)
No port forwarding needed on the local router.
Hides the IP of the host and provides an encrypted connection.
* #### [Tor-to-IP tunnel service](tor2ip_tunnel.md)
Use the public IP address of a Virtual Private Server (VPS) to make Tor Hidden Services reachable on the clearnet.
* #### [Create a Tor Hidden Service](tor_hidden_service_example.md)
A simple example of creating and using a Tor Hidden Service.
* #### [ZeroTier remote access](zerotier/README.md)
ZeroTier is a VPN service which is an easy option to connect remotely when neither port forwarding nor using Tor is possible (e.g. iOS on a remote network).
The drawback is that it requires installing a trusted package which gives access to your private network.
* #### [CoinKite Bunker on the RaspiBlitz](ckbunker_on_blitz.md)

* #### [Connect JoinMarket running on a Linux desktop to a remote node](joinmarket/joinmarket_desktop_to_blitz.md)
In order to use the JoinMarketQT GUI (and other scripts) it needs to connect to a Bitcoin Core node. A pruned node with the wallet enabled will do and txindex is not required.
* #### [JoinMarket on the RaspiBlitz](joinmarket/README.md)
A long standing coinjoin implementation with decentralised coordination and incentive structure.
* #### [BTCPayServer on the RaspiBlitz](BTCPayServer/README.md)
This guide gets BTCPayServer running on your node using the already synced bitcoin blockchain and local LND node, so you benefit from the backup and security features of the RaspiBlitz and the stock LND.
No added synchronization needed.

* #### [ElectrumX Server](electrumx.md)
A more performant Electrum server for serious hardware.

* #### [Electrum wallet](electrs/electrum_wallet.sh)
Download, verify and install the chosen version on a Linux desktop.
```
# download
wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/electrum_wallet.sh
# inspect the script
cat electrum_wallet.sh
# run
bash electrum_wallet.sh
```
* #### [Electrum Server in Rust (electrs) on the RaspiBlitz](electrs/README.md)
Can be used as the backend of:
  * Blue wallet
  * Phoenix / Eclair Mobile Bitcoin and Lightning wallet
  * Electrum wallet
  * BitBoxApp

\`The server indexes the entire Bitcoin blockchain, and the resulting index enables fast queries for any given user wallet, allowing the user to keep real-time track of his balances and his transaction history using the Electrum wallet.
Since it runs on the user's own machine, there is no need for the wallet to communicate with external Electrum servers, thus preserving the privacy of the user's addresses and balances.\` -

* #### [Electrum wallet installation on Linux with support for ColdCard, Trezor and Ledger](Electrum_ColdCard_Trezor_Ledger_EPS.md)

* #### [Zap iOS Tor Connection](Zap_to_RaspiBlitz_through_Tor.md)
Remote wallet for LND connected through Tor on iOS TestFlight

* #### [ZeusLN Android Tor connection](Zeus_to_RaspiBlitz_through_Tor.md)
Remote wallet for LND connected through Tor on Android

* #### [RTL SSL/HTTPS access](nginx/README.md)
Secure remote connection for the Ride the Lightning Web UI

* #### [Zap Desktop Lightning wallet connection](ZAPtoRaspiBolt/README.md)
The desktop app [ZAP](https://github.com/LN-Zap/zap-desktop) is a cross platform Lightning Network wallet focused on user experience and ease of use.

* #### [Joule browser extension](JouleToRaspiBlitz.md)
Bring the power of lightning to the web with in-browser payments and identity, all with your own node.

* #### [OpenBazaar installation and store migration](https://gist.github.com/openoms/ba843f7c44ff9c7ca0b5a80e12a0aeb4)
Truly decentralized, peer-to-peer ecommerce - https://openbazaar.org/

* #### [RaspiBlitz updates](raspiblitz.updates/README.md)
Update scripts for the RaspiBlitz and compatible systems.

* #### [LND updates](https://github.com/openoms/lightning-node-management/blob/master/lnd.updates/README.md)
Scripts to download, verify and update LND to the latest release or build from source up to a chosen commit.
---

* #### [RaspiBlitz v1.3 SDcard image for the Odroid HC1/HC2/XU4/XU4Q](https://github.com/openoms/raspiblitz/releases/tag/v1.3)
Based on the RaspiBlitz v1.3 and contains:
  * armbian 5.95
  * LND v0.7.1-beta
  * Bitcoin Core v0.18.1

--------------------------------------------------------------------------------
/ZAPtoRaspiBolt/README.md:
--------------------------------------------------------------------------------
## Connect the ZAP Desktop Lightning wallet to the RaspiBolt

The desktop app ZAP (https://github.com/LN-Zap/zap-desktop) is a cross platform Lightning Network wallet focused on user experience and ease of use.

Download ZAP for your operating system:
https://github.com/LN-Zap/zap-desktop/releases
Install instructions: https://github.com/LN-Zap/zap-desktop#install

### Preparation on the Pi

* Allow connections to the RaspiBolt from your LAN. Check what your LAN IP address is, starting with e.g. 192.168.0.xxx or 192.168.1.xxx, and use the address accordingly. Replacing the last number (xxx) with .0/24 will allow all IP addresses from your local network.
`$ sudo nano /home/bitcoin/.lnd/lnd.conf`

Add the following line to the section `[Application Options]`:
`tlsextraip=192.168.0.0/24`

* Delete tls.cert (restarting LND will recreate it):
`$ sudo rm /home/bitcoin/.lnd/tls.*`

* Restart LND:
`$ sudo systemctl restart lnd`

* Copy the new tls.cert to user "admin", as it is needed for lncli:
`$ sudo cp /home/bitcoin/.lnd/tls.cert /home/admin/.lnd`

* Unlock wallet
`$ lncli unlock`

* Allow the ufw firewall to listen on 10009 from the LAN:
`$ sudo ufw allow from 192.168.0.0/24 to any port 10009 comment 'allow LND grpc from local LAN'`

* restart and check the firewall:
`$ sudo ufw enable`
`$ sudo ufw status`

---

## To use the Connection String method (available from ZAP 0.4 beta):

### On the RaspiBolt:
* Install LndConnect:
`$ cd ~`
`$ go get -d github.com/LN-Zap/lndconnect` - this can take a couple of minutes
`$ cd ~/go/src/github.com/LN-Zap/lndconnect`
`$ make install`

* Generate the Connection String
`$ cd ~/go/bin`
`$ ./lndconnect --lnddir=/home/admin/.lnd --image --host=your.RaspiBolt.LAN.IP --port=10009`

Copy the resulting text starting with lndconnect://...

### Set up ZAP:

* Start ZAP on your desktop
* Create new wallet
* Connect to your node
* Paste the Connection string generated with LndConnect
* Confirm and Connect

---

## To use the files method:

### On your Linux desktop terminal:

* Copy the tls.cert to your home directory:
`$ scp admin@your.RaspiBolt.LAN.IP:/home/admin/.lnd/tls.cert ~/`

* Copy the admin.macaroon to your home directory:
`$ scp bitcoin@your.RaspiBolt.LAN.IP:/home/bitcoin/.lnd/data/chain/bitcoin/mainnet/admin.macaroon ~/`

### Configure ZAP:

* Start the app and select:
`Connect your own node`

* Fill in the next screen:
`your.RaspiBolt.LAN.IP:10009`
`~/tls.cert`
`~/admin.macaroon`

* Confirm the settings on the following screen and you are done!
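The Joule guide (`tlsextraip=0.0.0.0` plus `ufw allow 8080`) and the ZAP guide above (`tlsextraip=192.168.0.0/24` plus a ufw rule limited to that range) both open LND's wallet API to other hosts; the first variant is the one the Joule guide flags as a DDoS risk. The script below is an added example, not part of either guide: it reads an `lnd.conf` and a saved copy of `sudo ufw status` output and reports the wide-open variants, so the LAN-scoped settings can be confirmed before a wallet is connected. The function names, the ufw status layout it parses (the standard `To / Action / From` table) and the sample files are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the Joule or ZAP guides): report how widely the
# LND REST (8080) and gRPC (10009) ports are exposed. Inputs: lnd.conf and a
# file holding the output of `sudo ufw status` (standard To/Action/From table
# assumed). Prints one line per finding; the return value is the count.

check_lnd_exposure() {
  local lndconf="$1" ufwstatus="$2" findings=0 rules port action from
  if [ ! -r "$lndconf" ] || [ ! -r "$ufwstatus" ]; then
    echo "input file missing" >&2
    return 255
  fi

  # tlsextraip=0.0.0.0 makes LND's self-signed certificate valid for any
  # address; paired with an open firewall rule the wallet API is reachable
  # from every network, not just the LAN.
  if grep -Eq '^[[:space:]]*tlsextraip[[:space:]]*=[[:space:]]*0\.0\.0\.0' "$lndconf"; then
    echo "FINDING: tlsextraip=0.0.0.0 in lnd.conf; scope it to the LAN, e.g. tlsextraip=192.168.0.0/24"
    findings=$((findings + 1))
  fi

  if ! grep -q '^Status: active' "$ufwstatus"; then
    echo "FINDING: ufw is not active"
    findings=$((findings + 1))
  fi

  # Keep only ALLOW rules for numeric ports; drop the " (v6)" markers so the
  # IPv4 and IPv6 rows parse the same way.
  rules=$(sed 's/ (v6)//g' "$ufwstatus" | grep -E '^[0-9]+(/tcp|/udp)?[[:space:]]+ALLOW' || true)
  while read -r port action from; do
    case "$port" in
      8080|8080/tcp|10009|10009/tcp) ;;
      *) continue ;;
    esac
    if [ "$from" = "Anywhere" ]; then
      echo "FINDING: port $port $action from Anywhere; use 'ufw allow from <LAN-CIDR> to any port ${port%/tcp}'"
      findings=$((findings + 1))
    fi
  done <<EOF
$rules
EOF
  return "$findings"
}

# Constructed samples: the "joule" pair follows the Joule guide literally,
# the "zap" pair follows the LAN-scoped ZAP guide. Not taken from a real node.
write_lnd_samples() {
  local dir="$1"
  printf '[Application Options]\ntlsextraip=0.0.0.0\n' > "$dir/lnd.joule.conf"
  cat > "$dir/ufw.joule.txt" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.0.0/24
8080                       ALLOW       Anywhere
8080 (v6)                  ALLOW       Anywhere (v6)
EOF
  printf '[Application Options]\ntlsextraip=192.168.0.0/24\n' > "$dir/lnd.zap.conf"
  cat > "$dir/ufw.zap.txt" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.0.0/24
10009                      ALLOW       192.168.0.0/24
EOF
}

# Dry run against the constructed samples. On a node:
#   sudo ufw status > /tmp/ufw.txt
#   check_lnd_exposure /home/bitcoin/.lnd/lnd.conf /tmp/ufw.txt
tmp=$(mktemp -d)
write_lnd_samples "$tmp"
check_lnd_exposure "$tmp/lnd.joule.conf" "$tmp/ufw.joule.txt"; echo "Joule settings: $? finding(s)"
check_lnd_exposure "$tmp/lnd.zap.conf" "$tmp/ufw.zap.txt"; echo "ZAP settings: $? finding(s)"
rm -rf "$tmp"
```

The Joule sample yields three findings (the 0.0.0.0 certificate plus the IPv4 and IPv6 rules for 8080 open to Anywhere); the ZAP sample yields none, which is the state to aim for whenever the wallet only needs the node over the LAN or over Tor.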
--------------------------------------------------------------------------------
/ZAPtoRaspiBolt/zap1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/ZAPtoRaspiBolt/zap1.png

--------------------------------------------------------------------------------
/ZAPtoRaspiBolt/zap2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/ZAPtoRaspiBolt/zap2.png

--------------------------------------------------------------------------------
/Zap_to_RaspiBlitz_through_Tor.md:
--------------------------------------------------------------------------------
# WARNING: Zap iOS is unmaintained, use desktop or Android version. Zeus works on iOS.
# Connect Zap over Tor to the RaspiBlitz

## Use the MOBILE menu on the RaspiBlitz for QR codes on the display and/or in the terminal.

## Manual process

### Create the Hidden Service:
* In the RaspiBlitz terminal:

`$ sudo nano /etc/tor/torrc`

* paste on the end of the file
```
HiddenServiceDir /mnt/hdd/tor/lnd_REST/
HiddenServiceVersion 3
HiddenServicePort 8080 127.0.0.1:8080
```

Save (Ctrl+O, ENTER) and exit (Ctrl+X)

If you want to use a different port:
```
HiddenServicePort THIS_CAN_BE_ANY_PORT 127.0.0.1:8080
```

* Restart Tor:

`$ sudo systemctl restart tor`

* Take note of the `HIDDEN_SERVICE_ADDRESS.onion`:

`$ sudo cat /mnt/hdd/tor/lnd_REST/hostname`

example output:
```
32zzibxmqi2ybxpqyggwwuwz7a3lbvtzoloti7cxoevyvijexvgsfeid.onion
```

### Install lndconnect

* Install Go and the latest lndconnect manually:

```
# check if Go is installed (should be v1.11 or higher):
go version
# If you need to install Go, run these:
wget https://storage.googleapis.com/golang/go1.13.linux-armv6l.tar.gz
sudo tar -C /usr/local -xzf go1.13.linux-armv6l.tar.gz
sudo rm *.gz
sudo mkdir /usr/local/gocode
sudo chmod 777 /usr/local/gocode
export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin
export GOPATH=/usr/local/gocode
export PATH=$PATH:$GOPATH/bin
# make the path persist
sudo bash -c "echo 'PATH=\$PATH:/usr/local/gocode/bin/' >> /etc/profile"

# Install lndconnect from source:
go get -d github.com/LN-Zap/lndconnect
cd $GOPATH/src/github.com/LN-Zap/lndconnect
make
```

### Generate the lndconnect string
* Run lndconnect with the `HIDDEN_SERVICE_ADDRESS.onion` filled in:
`lndconnect --host=HIDDEN_SERVICE_ADDRESS.onion --port=8080 --nocert`

Example:
`lndconnect --host=32zzibxmqi2ybxpqyggwwuwz7a3lbvtzoloti7cxoevyvijexvgsfeid.onion --port=8080 --nocert`

Maximise the window and reduce the text size to fit the screen.
Use CTRL + - or the middle mouse wheel on Windows.

* Alternatively run lndconnect with the -j option to display the text string:
`lndconnect --host=HIDDEN_SERVICE_ADDRESS.onion --port=8080 --nocert -j`

The correct string format is:
```
lndconnect://HIDDEN_SERVICE_ADDRESS.onion:8080?macaroon=
```

### Connect Zap through Tor
* Scan the QR code with your Tor enabled Zap

or

* Share the string to your phone in an encrypted chat message to yourself and paste the string into Zap

* Enjoy your private and encrypted remote connection!


--------------------------------------------------------------------------------
/Zeus_to_RaspiBlitz_through_Tor.md:
--------------------------------------------------------------------------------

# Connect Zeus over Tor to the RaspiBlitz


Zeus v0.5.0 has native Tor support on both iOS and Android (no need for Orbot)!

Get the test versions from https://t.me/zeusLN or https://twitter.com/ZeusLN.
Tested on the RaspiBlitz v1.6.3 with Tor activated.

Download the [Zeus](https://zeusln.app/) app.
Available on:
* [GitHub](https://github.com/ZeusLN/zeus/releases)
* [F-Droid](https://f-droid.org/en/packages/com.zeusln.zeus/)
* [Google Play](https://play.google.com/store/apps/details?id=com.zeusln.zeus)
* [iOS TestFlight](https://testflight.apple.com/join/gpVFzEHN)

Display a QR code with the Tor connection details on the LCD and in the terminal:
```bash
$ config.scripts/bonus.lndconnect.sh zeus-android tor
```
The same script serves iOS and Android and shows the QR with a v2 Tor address (to reduce the size of the QR code). The v3 onion address is preferred: v2 relies on 1024-bit RSA and a truncated SHA-1 hash, and v2 onion services have been removed from Tor since 0.4.6, so a v2 address will no longer work with a current Tor.

After the dependencies have been installed with the script above, a QR code with the v3 address can be displayed in the terminal with:
```bash
$ lndconnect --host=$(sudo cat /mnt/hdd/tor/lndrest8080/hostname) --port=8080
```

If the QR code does not fit in the terminal, generate the lndconnect string instead by adding the `-j` option:
```bash
$ lndconnect --host=$(sudo cat /mnt/hdd/tor/lndrest8080/hostname) --port=8080 -j
```
Use a local QR code generator to display the image (never paste the string into a website: it contains the admin macaroon, which gives full control of the node).
A list of open-source QR code generators for Windows:

---
## Deprecated manual instructions:

Tested on the RaspiBlitz v1.3 with Tor activated.
### Create the Hidden Service:
* In the RaspiBlitz terminal:

`$ sudo nano /etc/tor/torrc`

* paste at the end of the file:
```
HiddenServiceDir /mnt/hdd/tor/lnd_REST/
HiddenServiceVersion 3
HiddenServicePort 8080 127.0.0.1:8080
```
Save (Ctrl+O, ENTER) and exit (Ctrl+X)

If you want to use a different port:
```
HiddenServicePort THIS_CAN_BE_ANY_PORT 127.0.0.1:8080
```
* Restart Tor:

`$ sudo systemctl restart tor`

* Take note of the HIDDEN_SERVICE_ADDRESS.onion:

`$ sudo cat /mnt/hdd/tor/lnd_REST/hostname`

Example output:
```
32zzibxmqi2ybxpqyggwwuwz7a3lbvtzoloti7cxoevyvijexvgsfeid.onion
```

### Install lndconnect

* Install Go and the latest lndconnect manually:

```
# check if Go is installed (should be v1.11 or higher):
go version
# If Go needs to be installed, run these.
# Compare the checksum with the one published at https://golang.org/dl/ before extracting:
wget https://storage.googleapis.com/golang/go1.13.linux-armv6l.tar.gz
sha256sum go1.13.linux-armv6l.tar.gz
sudo tar -C /usr/local -xzf go1.13.linux-armv6l.tar.gz
rm go1.13.linux-armv6l.tar.gz
sudo mkdir /usr/local/gocode
# owned by the current user instead of world-writable (chmod 777)
sudo chown "$USER" /usr/local/gocode
export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin
export GOPATH=/usr/local/gocode
export PATH=$PATH:$GOPATH/bin
# make the path persist
sudo bash -c "echo 'PATH=\$PATH:/usr/local/gocode/bin/' >> /etc/profile"

# Install lndconnect from source:
go get -d github.com/LN-Zap/lndconnect
cd $GOPATH/src/github.com/LN-Zap/lndconnect
make
```
### Generate the lndconnect string
* Run lndconnect with the HIDDEN_SERVICE_ADDRESS.onion filled in:

`$ lndconnect --host=HIDDEN_SERVICE_ADDRESS.onion --port=8080`

Example:

`lndconnect --host=32zzibxmqi2ybxpqyggwwuwz7a3lbvtzoloti7cxoevyvijexvgsfeid.onion --port=8080`

Maximise the window and reduce the text size to fit the screen.
Use CTRL + - or the middle mouse wheel on Windows.

### Set up [Orbot](https://guardianproject.info/apps/orbot/)
Available on
* [F-Droid](https://guardianproject.info/fdroid)
* [Google Play](https://market.android.com/details?id=org.torproject.android)
* [Direct link](https://guardianproject.info/releases/orbot-latest.apk)

On Orbot's main screen select the gear icon under `tor enabled apps`.
Add `Zeus`, then press back.
Click `STOP` on the big onion logo.
Exit Orbot and reopen it. Turn on `VPN Mode`.
Start your connection to the Tor network by clicking on the big onion (if it has not automatically connected already).

If Orbot is misbehaving try stopping other VPN services on the phone and/or restart.

To open Zeus click on its icon under `Tor_Enabled-Apps`:


### Connect Zeus
* Scan the QR code with your Zeus
* Enjoy your private and encrypted remote connection!
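Both the Zap and the Zeus guides end with an `lndconnect` string that is pasted or scanned into the wallet. The following Python is an added example, not code from either guide or from the lndconnect project: it builds that string the same way (`lndconnect://host:port?cert=...&macaroon=...`, URL-safe base64 without padding, the `cert` part omitted as with `--nocert`), parses one back, and checks that the host is a well-formed v3 onion address (56 base32 characters, version byte 3, SHA3-256 checksum as in Tor's rend-spec-v3). The macaroon bytes and the onion key used when run directly are constructed sample values, not real node material.

```python
"""Build, parse and sanity-check lndconnect URIs for an LND REST endpoint behind a Tor v3 onion service.
Added example; the sample macaroon and onion key are constructed, not real node material."""
import base64
import binascii
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def b64url(data: bytes) -> str:
    """lndconnect encodes cert and macaroon as URL-safe base64 without '=' padding."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_lndconnect(host: str, port: int, macaroon: bytes, cert_der: Optional[bytes] = None) -> str:
    """Same shape as `lndconnect -j`; cert_der=None corresponds to `--nocert` (Tor authenticates the onion host)."""
    params = []
    if cert_der is not None:
        params.append("cert=" + b64url(cert_der))
    params.append("macaroon=" + b64url(macaroon))
    return f"lndconnect://{host}:{port}?" + "&".join(params)


def parse_lndconnect(uri: str) -> dict:
    """Decode a string before pasting it into a wallet; raises ValueError on anything malformed."""
    parts = urlsplit(uri)
    if parts.scheme != "lndconnect" or not parts.hostname or parts.port is None:
        raise ValueError("expected lndconnect://host:port?...")
    query = parse_qs(parts.query)
    if "macaroon" not in query:
        raise ValueError("macaroon parameter missing")
    cert = query.get("cert")
    return {
        "host": parts.hostname,
        "port": parts.port,
        "macaroon": b64url_decode(query["macaroon"][0]),
        "cert": b64url_decode(cert[0]) if cert else None,
    }


def onion_v3_address(pubkey: bytes) -> str:
    """rend-spec-v3: base32(PUBKEY || CHECKSUM || VERSION), CHECKSUM = SHA3-256('.onion checksum' || PUBKEY || VERSION)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(host: str) -> bool:
    """True only for a 56-character v3 address whose version byte and checksum are consistent."""
    if not host.endswith(".onion"):
        return False
    label = host[:-len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return hmac.compare_digest(checksum, expected)


def check_uri(uri: str) -> dict:
    """Parse the string and flag the two things worth looking at before trusting it."""
    info = parse_lndconnect(uri)
    info["onion_ok"] = is_valid_onion_v3(info["host"])
    info["tls_cert_pinned"] = info["cert"] is not None
    return info


if __name__ == "__main__":
    # constructed sample values (not a real macaroon or onion key)
    sample_macaroon = bytes(range(48))
    sample_host = onion_v3_address(hashlib.sha256(b"example onion key").digest())
    uri = build_lndconnect(sample_host, 8080, sample_macaroon)
    print(uri)
    print(check_uri(uri))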


SEND SATOSHIS PRIVATELY!
Get that beautiful onion png in the top left of Zeus.
Self Sovereignty for the streets!

### Resources:

* this guide is based on:

* Have a look at the proposal of @seth586 about connecting light wallets through Tor:

--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
#theme: jekyll-theme-minimal
remote_theme: pmarsceill/just-the-docs
search_enabled: true
aux_links:
  "Issues":
    - "https://github.com/openoms/bitcoin-tutorials/issues"
  "Source on GitHub":
    - "https://github.com/openoms/bitcoin-tutorials/"
--------------------------------------------------------------------------------
/ai/nvidia-driver-install.sh:
--------------------------------------------------------------------------------
sudo apt-get install -y linux-headers-$(uname -r)
# for TCMalloc (improves CPU memory usage)
sudo apt install -y libgoogle-perftools-dev

wget https://us.download.nvidia.com/XFree86/Linux-x86_64/535.86.05/NVIDIA-Linux-x86_64-535.86.05.run
chmod +x NVIDIA-Linux-x86_64-535.86.05.run
sudo ./NVIDIA-Linux-x86_64-535.86.05.run

# disable the nouveau driver
# needs a reboot

# ? install pkg-config
--------------------------------------------------------------------------------
/ai/stable-diffusion.sh:
--------------------------------------------------------------------------------
# Got a fresh instance of https://github.com/AUTOMATIC1111/stable-diffusion-webui for logo design experiments at: https://stablediffusion.diynodes.com/
# To generate .svg files choose the script `Vector Studio` at the bottom.
# more info at: https://github.com/GeorgLegato/stable-diffusion-webui-vectorstudio
# Prompting it is a bit of an art, but go ahead and play until my disk is full or the server crashes.

# run the web UI as a dedicated unprivileged user
sudo adduser --disabled-password --gecos "" sd
sudo su - sd

cd download
git clone https://github.com/AUTOMATIC1111/stable-diffusion-webui
cd stable-diffusion-webui
./webui.sh

# https://github.com/AUTOMATIC1111/stable-diffusion-webui/wiki/Xformers#building-xformers-on-linux-from-anonymous-user

# REVERSE PROXY
# The web UI has no authentication of its own; listening on 0.0.0.0 exposes it to every network
# the host is on. Restrict the port with the firewall or add authentication in nginx before exposing it.
sudo nano /etc/nginx/conf.d/stablediffusionwebui.conf

server {
    listen 0.0.0.0:7861;

    location / {
        proxy_pass http://127.0.0.1:7860;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

sudo nginx -t && sudo systemctl restart nginx

# SYSTEMD SERVICE
sudo systemctl edit --full --force stablediffusionwebui.service
[Unit]
Description=Web UI script

[Service]
Type=simple
User=sd
Group=sd
WorkingDirectory=/home/sd/stable-diffusion-webui
ExecStart=/bin/bash /home/sd/stable-diffusion-webui/webui.sh
StandardOutput=journal
StandardError=journal
TimeoutSec=60
Restart=always
RestartSec=60

# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
# PrivateDevices=true - breaks CUDA check

[Install]
WantedBy=multi-user.target

sudo systemctl enable --now stablediffusionwebui.service

sudo systemctl restart stablediffusionwebui.service

# https://github.com/GeorgLegato/stable-diffusion-webui-vectorstudio
sudo apt install potrace
ln -s /usr/bin/potrace extensions/stable-diffusion-webui-vectorstudio/bin/potrace

nano webui-user.sh
# --share opens a public gradio.live tunnel to the unauthenticated UI; drop it unless that is intended
export COMMANDLINE_ARGS="--xformers --share"

tmux a
~/download/stable-diffusion-webui/webui.sh
--------------------------------------------------------------------------------
/backups/README.md:
--------------------------------------------------------------------------------
# Single seed multi-location backup schemes

The aim is to create 3 packages of cryptographically secure
backups where the funds cannot be recovered from any single package,
but can be recovered with the combination of any two.
It can be thought of as a physical 2-of-3 threshold scheme, similar to a 2-of-3 multisig.

## [SeedXOR](seedxor.md)
## [SpecterDIY](specterdiy.md)
## [ColdCard](coldcard.md)
## [JoinMarket](joinmarket.md)
## [LND](lnd.md)
## [Samourai Wallet](samouraiwallet.md)
---
### Electrum Wallet seed as a passphrase
A well proven way to generate a random 12 word list is to create a new wallet seed in [Electrum Wallet](https://electrum.org/#download).
To use Electrum boot [Tails](https://tails.boum.org/) (ideally offline) or [download and verify the wallet](https://electrum.org/#download) on an existing system.

Follow steps 1-5 in this [guide](https://bitcoinelectrum.com/creating-an-electrum-wallet/) to get the seed. The wallet file is not needed; only write down the words and store them accordingly. The 12 words are to be used as a passphrase, encryption passphrase, cypher phrase or wallet unlock password. Do not reuse a passphrase for more than one purpose and label the backups clearly.

The [Electrum word list](https://github.com/spesmilo/electrum/blob/master/electrum/wordlist/english.txt) is based on the same 2048 words as the [BIP39 word list](https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt) which the ColdCard firmware contains, so keyboard entry is facilitated by the menu.
An Electrum Wallet seed provides [135 bits of entropy](https://electrum.readthedocs.io/en/latest/seedphrase.html#security-implications) which is stronger than a [12 word BIP39 seed](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki).
--------------------------------------------------------------------------------
/backups/coldcard.md:
--------------------------------------------------------------------------------
## ColdCard single seed multi-location backup scheme
Original idea by [@KollerTobias](https://twitter.com/KollerTobias) and [@21isenough](https://github.com/21isenough/).
Documentation of Coldcard backups:
The scheme only works if the seed is not locked down to a passphrase:

In this case the passphrase is not tied to a PIN,
but needs to be entered on the ColdCard every time the wallet is opened.

The ColdCards should be stored uninitialized, ideally freshly acquired in the tamper-evident packaging from the manufacturer, to minimize the risk of evil-maid and supply-chain attacks.
---
### Components grouped together by the requirement for a full restore
#### Full backup 1
* any BIP39 compatible wallet
* Seed mnemonic (12/18/24 words)
* Passphrase
#### Full backup 2
* ColdCard
* Backupfile (.7z archive on the SD)
* Backup password (12 words)
* Passphrase

---
### Packages for a 2-of-3 setup
#### Location 1
- Seed mnemonic (12/18/24 words)
- Backup password (12 words)
- Backupfile (.7z archive on the SD)

#### Location 2
- ColdCard
- Passphrase (BIP39)
- Backupfile (.7z archive on the SD)

#### Location 3
- ColdCard
- Passphrase (BIP39)
- Backup password (12 words)
--------------------------------------------------------------------------------
/backups/joinmarket.md:
--------------------------------------------------------------------------------
## JoinMarket single seed multi-location backup scheme
Documentation on JoinMarket wallet recovery:
When the wallet is restored on a bitcoin node it was not previously used with, it will need to rescan the blockchain to register the transactions and look up the wallet balance. Knowing the wallet birthday (the block height of the first transaction) lets the rescan start from when the wallet was created, but it is not absolutely necessary.
---
### Components grouped together by the requirement for a full restore
#### Full backup 1
* Seed (12 words)
* Passphrase (BIP39)
#### Full backup 2
* Wallet file (.jmdat)
* Encryption passphrase

---
### Packages for a 2-of-3 setup
#### Location 1
- Seed (12 words)
- Wallet file (.jmdat)
- First tx blockheight (optional)

#### Location 2
- Passphrase (BIP39)
- Encryption passphrase
- First tx blockheight (optional)

#### Location 3
- Seed (12 words)
- Encryption passphrase
- First tx blockheight (optional)
--------------------------------------------------------------------------------
/backups/lnd-onchain-wallet-only.md:
--------------------------------------------------------------------------------
# LND single seed multi-location backup scheme for the onchain funds only

The aim is to create a redundant backup where the secret can be restored from any two locations.
Someone in charge of bootstrapping an LND node can use this method to share the parts with 3 other people, none of whom is able to restore the wallet alone.

The 24 word seed should not be split into more than 2 parts, as 8 words are close to brute-forceable.

For the Cypher Phrase a good option is to use 12 words from the standard wordlist to ease the offline backup and keep the security of the parts roughly the same.
An example to generate 12 words separated by spaces using [diceware](https://github.com/ulif/diceware#diceware), sourcing the entropy from `/dev/urandom`:
```
$ sudo apt install diceware
$ diceware -n 12 -d' ' --no-caps
```
Note that the password asked for first when generating the wallet is only used to encrypt the wallet file and is not relevant to the secret itself.
More on LND wallet recovery:
LND seed format (different from BIP39 or Electrum):
Test at https://guggero.github.io/cryptography-toolkit/#!/aezeed

Include the Node ID on all backup locations. It is derived from the BIP32 root key (encoded by the Seed + Cypher Phrase), so it can be used to identify the backup and to test a successful recovery without revealing any secret.
Obtain the Node ID with
```
$ lncli getinfo | grep identity_pubkey
```

---
## Full backup required to restore
* Seed (24 words - split in two)
  * Seed words #1 - #12
  * Seed words #13 - #24
* Cypher Phrase (aka passphrase)
* Node ID (for verification)
---
## Packages for a 2-of-3 setup
### Location 1
* Node ID
* Seed words #1 - #12
* Cypher Phrase

### Location 2
* Node ID
* Seed words #13 - #24
* Cypher Phrase

### Location 3
* Node ID
* Seed words #1 - #12
* Seed words #13 - #24
--------------------------------------------------------------------------------
/backups/lnd.md:
--------------------------------------------------------------------------------
## LND single seed multi-location backup scheme
Notes on LND wallet recovery:
Notes on LND seed format (different from BIP39 or Electrum):

---
### Components grouped together by the requirement for a full restore
#### Full backup 1
* Seed (24 words)
* Cypher Phrase (passphrase)
* Static Channel Backup (channel.backup)
  * needs to be updated to include every new channel, and recovery requires the peers to be online

#### Full backup 2
* LND folder with the !!**latest**!! state (wallet.db + channel.db)
  * requires physical (screen and keyboard) or remote SSH access to the node (can be a Tor Hidden Service address for port 22)
  * if the latest channel.db is not available, restoring the channel.backup is safer: a stale channel.db can broadcast a revoked channel state, which the peer can punish by taking the whole channel balance
* Wallet Unlock Password
* include logins and/or the SSH password to allow access to the node

---
### Packages for a 2-of-3 setup
#### Location 1
* Seed (24 words)
* Static Channel Backup (channel.backup)
* LND folder (wallet.db + channel.db)

#### Location 2
* Cypher Phrase (passphrase)
* Wallet Unlock Password

#### Location 3
* Seed (24 words)
* Static Channel Backup (channel.backup)
* Wallet Unlock Password
--------------------------------------------------------------------------------
/backups/pgp-encryption.md:
--------------------------------------------------------------------------------
## PGP encryption

```
# work in an ephemeral directory in RAM
mkdir /dev/shm/tmp
cd /dev/shm/tmp

# create the cleartext files with the secrets

## encrypt using GPG
# import the pubkey of the recipient with curl
curl https://keybase.io/${username}/key.asc | gpg --import
# check the fingerprint of the imported key against one obtained out of band before encrypting to it
gpg --fingerprint ${username_or_email_or_PGPpubkey}
# encrypt the file
gpg --recipient ${username_or_email_or_PGPpubkey} --armor --output ${file_out} --encrypt ${file_in}
# same in short
gpg -ar ${username_or_email_or_PGPpubkey} -o ${file_out} -e ${file_in}

## encrypt using keybase (https://keybase.io/encrypt)
# using `keybase pgp pull` which
# imports to the GPG key chain for you
keybase follow ${username}
keybase pgp pull ${username}
# encrypt
keybase pgp encrypt -i ${file_in} -o ${file_out} ${username}

# send the encrypted file(s) to the recipient(s)

# securely delete the directory (srm is in the secure-delete package)
srm -r /dev/shm/tmp
```
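The package layouts in these backup schemes can be checked mechanically for the property the README states: no single location restores the funds, any two together do. The following Python is an added example, not part of the original notes. It transcribes the ColdCard, JoinMarket and LND on-chain layouts from the pages above as sets of components (the component names are labels chosen here; non-secret items such as "any BIP39 wallet" and the Node ID are left out), checks every single location and every pair, and includes a deliberately broken, constructed layout to show what a failure report looks like.

```python
"""Check that a multi-location backup layout is a real 2-of-3: no single location can restore,
any two locations together can. Added example; component names are labels chosen here."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Sequence, Tuple


def can_restore(components: FrozenSet[str], full_backups: Sequence[FrozenSet[str]]) -> bool:
    """True if the pooled components contain every item of at least one complete restore path."""
    return any(path <= components for path in full_backups)


def check_threshold(locations: Sequence[FrozenSet[str]],
                    full_backups: Sequence[FrozenSet[str]],
                    k: int = 2) -> Tuple[bool, List[str]]:
    """Return (ok, problems): every group of fewer than k locations must fail to restore
    and every group of exactly k locations must succeed."""
    problems: List[str] = []
    idx = range(len(locations))
    for size in range(1, k):
        for group in combinations(idx, size):
            pooled = frozenset().union(*(locations[i] for i in group))
            if can_restore(pooled, full_backups):
                problems.append(f"locations {group} alone can restore")
    for group in combinations(idx, k):
        pooled = frozenset().union(*(locations[i] for i in group))
        if not can_restore(pooled, full_backups):
            problems.append(f"locations {group} together cannot restore")
    return (not problems, problems)


# Layouts transcribed from the backup pages (only secret or possession components listed).
SCHEMES: Dict[str, dict] = {
    "coldcard": {
        "full_backups": [frozenset({"seed", "passphrase"}),
                         frozenset({"coldcard", "backupfile", "backup_password", "passphrase"})],
        "locations": [frozenset({"seed", "backup_password", "backupfile"}),
                      frozenset({"coldcard", "passphrase", "backupfile"}),
                      frozenset({"coldcard", "passphrase", "backup_password"})],
    },
    "joinmarket": {
        "full_backups": [frozenset({"seed", "passphrase"}),
                         frozenset({"jmdat", "encryption_passphrase"})],
        "locations": [frozenset({"seed", "jmdat"}),
                      frozenset({"passphrase", "encryption_passphrase"}),
                      frozenset({"seed", "encryption_passphrase"})],
    },
    "lnd_onchain": {
        "full_backups": [frozenset({"words_1_12", "words_13_24", "cypher_phrase"})],
        "locations": [frozenset({"words_1_12", "cypher_phrase"}),
                      frozenset({"words_13_24", "cypher_phrase"}),
                      frozenset({"words_1_12", "words_13_24"})],
    },
    # constructed counter-example: location 0 holds a complete restore path by itself
    "broken_example": {
        "full_backups": [frozenset({"seed", "passphrase"})],
        "locations": [frozenset({"seed", "passphrase"}),
                      frozenset({"passphrase"}),
                      frozenset({"seed"})],
    },
}


def check_scheme(name: str) -> Tuple[bool, List[str]]:
    """Run the threshold check on one of the named layouts."""
    scheme = SCHEMES[name]
    return check_threshold(scheme["locations"], scheme["full_backups"])


if __name__ == "__main__":
    for name in SCHEMES:
        ok, problems = check_scheme(name)
        print(f"{name}: {'OK' if ok else 'FAIL'}", *problems)
```

To check a new layout, add its restore paths and locations to `SCHEMES` in the same form; `k` can be raised for a 3-of-5 style split without changing the logic.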
--------------------------------------------------------------------------------
/backups/samouraiwallet.md:
--------------------------------------------------------------------------------
## Samourai Wallet single seed multi-location backup scheme
Documentation on Samourai Wallet recovery:

In case of restoring the wallet in different software (eg. Electrum) check
for the derivation paths used.

Note that Samourai Wallet does not allow spaces in the passphrase.

---
### Components grouped together by the requirement for a full restore
#### Full backup 1
* Seed (12 words)
* Passphrase (without spaces)
#### Full backup 2
* Backup file (encrypted text)
* Passphrase (without spaces)
#### Full backup 3
* Android device with the wallet loaded (locked with PIN codes)
  * use a secondary, dedicated device for backup
  * use two 8 digit PINs (device and wallet) which are different from the ones on the primary device
  * have a locked bootloader with the latest security patches
* PIN codes to the Android Device AND Samourai Wallet
  * test if the phone and the wallet can be unlocked with the PINs even after a restart

---
### Packages for a 2-of-3 setup
#### Location 1
- Seed (12 words)
- Backup file (encrypted text)
- PIN codes to the Android Device AND Samourai Wallet

#### Location 2
- Passphrase (without spaces)
- PIN codes to the Android Device AND Samourai Wallet

#### Location 3
- Seed (12 words)
- Android device with the wallet loaded (locked with PIN codes)
--------------------------------------------------------------------------------
/backups/seedxor.md:
--------------------------------------------------------------------------------
## SeedXOR multi-location backup scheme
Full documentation: [seedxor.com/](https://seedxor.com/)

Existing seeds can be broken up with SeedXOR or can be used as components of a new scheme.
If a BIP39 passphrase was used, keep a copy of the passphrase at every location.

Currently the scheme can be used on a [ColdCard](https://github.com/Coldcard/firmware/blob/master/docs/seed-xor.md) and is planned to be implemented in [SeedSigner](https://github.com/SeedSigner/seedsigner/issues/43).
The seed can also be calculated manually, so the ColdCard is not strictly necessary for recovery.

---
### Components required for a full restore
* Coldcard or manual calculation + any BIP32 compatible wallet
* Seed1
* Seed2
* Seed3

---
### Packages for a 2-of-3 setup
#### Location 1
* Seed1
* Seed2

#### Location 2
* Seed2
* Seed3

#### Location 3
* Seed1
* Seed3
--------------------------------------------------------------------------------
/backups/specterdiy.md:
--------------------------------------------------------------------------------
## SpecterDIY single seed multi-location backup scheme

The smartcard reader is part of the Specter Shield ([out of stock currently](https://specter.solutions/shop/)) or can be used as a USB extension.

Do not encrypt the secret on the smartcard, so that it can be restored in any other SpecterDIY device.
Use a long PIN for the smartcard. 8 or more digits are recommended.
---
### Components grouped together by the requirement for a full restore
#### Full backup 1
* SpecterDIY hardware wallet with a smartcard reader
* Smartcard with the secret stored
* Smartcard PIN
* BIP39 passphrase
#### Full backup 2
* Any BIP39 compatible wallet
* Seed mnemonic (12/24 words)
* BIP39 passphrase

---
### Packages for a 2-of-3 setup
#### Location 1
* SpecterDIY hardware wallet with a smartcard reader
* Smartcard with the secret stored
* BIP39 passphrase

#### Location 2
* SpecterDIY hardware wallet with a smartcard reader
* Smartcard PIN
* BIP39 passphrase

#### Location 3
* Seed mnemonic (12/24 words)
--------------------------------------------------------------------------------
/boltcard/README.md:
--------------------------------------------------------------------------------
# Bolt card setup using LNbits

## Tools used
* Card: NXP NTAG424 DNA https://zipnfc.com/nfc-pvc-card-credit-card-size-ntag424-dna.html
* Raspiblitz node running:
  * Core Lightning
  * LNbits with the Bolt Cards extension activated
* Boltcard NFC Card Creator Android app

## Preparation
### (optional) Run the latest experimental scripts of Raspiblitz
* `menu` -> `PATCH`
* `REPO`: raspiblitz
* `BRANCH`: dev

### (optional) To update LNbits to the latest commit in the master branch
* Run:
```
config.scripts/bonus.lnbits.sh sync
```
### Expose LNbits on a public domain
* can use a cheap, minimal VPS tunneled from the node with Tailscale
* point an A-record with a subdomain to the public IP address of the VPS
* download Tailscale on the node and the VPS: https://tailscale.com/download/linux
* log in on both (consider using a dedicated GitHub account)
* on the VPS set up nginx to forward the subdomain to `TailscaleIP:LNbitsPORT` on the node: https://github.com/openoms/bitcoin-tutorials/tree/master/nginx

### Download the Boltcard NFC Card Creator Android app
* https://play.google.com/store/apps/details?id=com.lightningnfcapp
* https://github.com/boltcard/bolt-nfc-android-app

## Steps to set up a Bolt Card
* open LNbits on the public domain
* create a wallet and save the link
* add the Bolt Cards extension (to serve the boltcard API)
* open the extension and create a bolt card
* scan the QR code with the keys with the Boltcard NFC Card Creator app
* write the keys on a blank card by touching it to the phone

The setup of the bolt card is complete!

Don't forget to fund the LNbits wallet backing the card to be able to pay.

## Test
* Blink
* Breez
* Wallet of Satoshi
* NFC enabled webwallet
  * LNbits TPOS: https://clnbits.diynodes.com/tpos/gyZytJ3eLygXbe7EsJoi8C
  * BTCPay Server: https://tips.diynodes.com
* NFC enabled PoS terminals

Resources:
* https://www.boltcard.org/
* https://github.com/boltcard/boltcard
* https://github.com/boltcard/bolt-nfc-android-app
* https://github.com/lnbits/lnbits/tree/main/lnbits/extensions/boltcards
* Post on stacker.news: https://stacker.news/items/81920
--------------------------------------------------------------------------------
/ci/README.md:
--------------------------------------------------------------------------------
# CI notes

### FreeBSD
```
# attach the shared dataset to the jail, e.g. at /media

pkg install -y gh
git clone https://github.com/openoms/joininbox
cd joininbox
gh run download

# verify the compressed and the decompressed image against the published checksums
shasum -a 256 -c joininbox-amd64-debian-11.5.qcow2.gz.sha256
gzip -dkv joininbox-amd64-debian-11.5.qcow2.gz
shasum -a 256 -c joininbox-amd64-debian-11.5.qcow2.sha256

pkg install qemu

qemu-img convert joininbox-amd64-debian-11.5.qcow2 /media/joininbox.img

# In the FreeBSD root
# create a zvol with the exact size of the raw image

dd if=/mnt/cryptic/blitz/images/joininbox.img of=/dev/zvol/cryptic/blitz/jb221210 bs=4M status=progress
```

## Manage the artifacts and workflows with the GitHub CLI
* https://github.com/cli/cli#installation

## Download artifacts in CLI
* https://docs.github.com/en/actions/managing-workflow-runs/downloading-workflow-artifacts

## Delete workflow runs
```
OWNER=
REPO=

# list workflow ids
gh api -X GET /repos/$OWNER/$REPO/actions/workflows | jq '.workflows[] | .name,.id'

WORKFLOW_ID=

# list runs (the API returns the newest first)
gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | .id' | tail -n 10

# delete failed runs
gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | select(.conclusion=="failure") | .id' | tail -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}

# delete cancelled runs
gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | select(.conclusion=="cancelled") | .id' | tail -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}

# delete the oldest 10 runs (won't delete the running one)
gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | .id' | tail -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}

# delete the newest 10 runs (won't delete the running one)
gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | .id' | head -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}
```
--------------------------------------------------------------------------------
/ckbunker_on_blitz.md:
--------------------------------------------------------------------------------
# CoinKite Bunker on the RaspiBlitz

https://ckbunker.com/


## Installation on the RaspiBlitz
Tested on v1.4

More info: https://ckbunker.com/install.html

* Run in the RaspiBlitz terminal:

```
# dependencies
sudo apt install -y virtualenv python-dev libusb-1.0-0-dev libudev-dev

# open the firewall to the LAN only (edit to the correct subnet); the setup page is served over plain HTTP
sudo ufw allow from 192.168.3.0/24 to any port 9823 comment "ckbunker"

# add the udev rules
cd /etc/udev/rules.d/
sudo wget https://raw.githubusercontent.com/Coldcard/ckcc-protocol/master/51-coinkite.rules
sudo udevadm control --reload-rules && sudo udevadm trigger

# change to the bitcoin user - required to access the Tor auth_cookie
sudo su - bitcoin

# install ckbunker
git clone --recursive https://github.com/Coldcard/ckbunker.git
cd ckbunker
# reset to the tested release: https://github.com/Coldcard/ckbunker/releases
git reset --hard v0.9
virtualenv -p python3 ENV
source ENV/bin/activate
pip install -r requirements.txt
pip install --editable .
```

## Setup ckbunker

* Continue after the installation with the `bitcoin` user or run:
```
sudo su - bitcoin
cd ckbunker
source ENV/bin/activate
```
* start the ckbunker setup at the prompt `(ENV) bitcoin@raspberrypi:~/ckbunker $`:

`$ ckbunker setup`

Output:
```
[04/03/2020-16:17:27] Web server at: http://localhost:9823/setup
[04/03/2020-16:17:27] Connecting to Coldcard.
[04/03/2020-16:17:27] Tord version: 0.4.2.5
[04/03/2020-16:17:27] Connected to Coldcard xxxxxxxx
```
* Open the address in a desktop browser on the same LAN (fill in the RASPIBLITZ_IP):

`http://RASPIBLITZ_IP:9823/setup`

* Follow https://ckbunker.com/setup.html

## Have fun and share what you made
https://ckbunker.com/examples.html


73 | -------------------------------------------------------------------------------- /electrs/Tor_Hidden_Service_for_Electrs.md: -------------------------------------------------------------------------------- 1 | ## Configure a Tor Hidden Service for Electrs 2 | 3 | Tor needs to be active on the RaspiBlitz to use this method. 4 | No port forwarding or dynamicDNS required. 5 | 6 | ### Activate the Hidden Service in the RaspiBlitz terminal 7 | * Open the Tor configuration file: 8 | `$ sudo nano /etc/tor/torrc` 9 | 10 | * Insert the lines: 11 | ```bash 12 | # Hidden Service v3 for the Electrum desktop 13 | HiddenServiceDir /mnt/hdd/tor/electrs 14 | HiddenServiceVersion 3 15 | HiddenServicePort 50002 127.0.0.1:50002 16 | ``` 17 | * Restart Tor: 18 | `$ sudo systemctl restart tor` 19 | 20 | * Take note of the Tor address: 21 | `$ sudo cat /mnt/hdd/tor/electrs/hostname` 22 | 23 | ## Connect the Electrum wallet 24 | ### On a Linux PC 25 | 26 | * Start electrum with the Tor Browser open (proxy on port 9150): 27 | `$ electrum --oneserver --server Tor_address.onion:50002:s --proxy socks5:127.0.0.1:9150` 28 | 29 | * With Tor installed and running (proxy on port 9050): 30 | `$ electrum --oneserver --server Tor_address.onion:50002:s --proxy socks5:127.0.0.1:9050` 31 | 32 | ### Windows instructions: 33 | https://electrum.readthedocs.io/en/latest/tor.html#windows 34 | 35 | 36 | Check for the blue dot when finished: 37 | 38 | ![electrum behind Tor](./images/electrum_tor.png) 39 | 40 | ### [Electrum wallet on Android](https://play.google.com/store/apps/details?id=org.electrum.electrum&hl=en) 41 | * Open [Orbot](https://play.google.com/store/apps/details?id=org.torproject.android&hl=en) 42 | * Add Electrum to the Tor-Enabled Apps 43 | * Start Electrum from Orbot 44 | * In Electrum tap the dots in the right upper corner and select `Network` 45 | * Switch `One-server mode:` `ON` 46 | * In the `Server:` settings: 47 | * Fill the `Host:` with the .onion address 48 | * Set the `Port:` 
to `50002` and press `OK` 49 | * In the `Proxy:` settings set: 50 | * `Proxy mode` `socks5` 51 | * `Host` `127.0.0.1` 52 | * `Port` `9050` and press `OK` 53 | * You should now see `Status; 1 connections.` at the top 54 | 55 | Note: HiddenServiceVersion 2 onion services are deprecated and are no longer supported by Tor 0.4.6 and later, so falling back to a v2 service is not an option. If the Android Electrum wallet does not connect, stay on the v3 address and re-check the .onion address, the port and the Orbot proxy settings above. 56 | 57 | ### Based on: 58 | https://github.com/romanz/electrs/blob/master/doc/usage.md#tor-hidden-service 59 | -------------------------------------------------------------------------------- /electrs/config.scripts/revert_ electrs_automation_for_Eclair.sh: -------------------------------------------------------------------------------- 1 | sudo systemctl stop electrs 2 | sudo systemctl disable electrs 3 | 4 | #sudo systemctl stop nginx 5 | #sudo systemctl disable nginx 6 | #sudo systemctl stop certbot 7 | #sudo systemctl disable certbot 8 | #sudo apt purge nginx-common certbot 9 | 10 | #https://doc.rust-lang.org/1.0.0/book/installing-rust.html 11 | #sudo /usr/local/lib/rustlib/uninstall.sh 12 | 13 | -------------------------------------------------------------------------------- /electrs/electrum_wallet.sh: -------------------------------------------------------------------------------- 1 | # Download and run this script on a Debian / Ubuntu desktop: 2 | 3 | # Download 4 | # wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/electrum_wallet.sh 5 | # Run: 6 | # bash electrum_wallet.sh 7 | 8 | echo " 9 | # Enter the version of Electrum Wallet to install. 
10 | 11 | # Find the latest version number at: 12 | # https://electrum.org/#download 13 | 14 | # For example: 15 | 4.1.5" 16 | read electrumVersion 17 | 18 | echo " 19 | # Install dependencies: python3-pyqt5 and libsecp256k1-0 20 | " 21 | sudo apt-get install -y python3-pyqt5 libsecp256k1-0 22 | 23 | echo " 24 | # Download the package: 25 | # https://download.electrum.org/$electrumVersion/Electrum-$electrumVersion.tar.gz 26 | " 27 | rm -f Electrum-$electrumVersion.tar.gz.* 28 | wget https://download.electrum.org/$electrumVersion/Electrum-$electrumVersion.tar.gz 29 | 30 | echo " 31 | # Verify signature 32 | " 33 | rm -f ThomasV.asc 34 | wget https://raw.githubusercontent.com/spesmilo/electrum/master/pubkeys/ThomasV.asc 35 | gpg --import ThomasV.asc 36 | wget https://download.electrum.org/$electrumVersion/Electrum-$electrumVersion.tar.gz.ThomasV.asc 37 | verifyResult=$(gpg --verify Electrum-$electrumVersion.tar.gz.ThomasV.asc Electrum-$electrumVersion.tar.gz 2>&1) 38 | goodSignature=$(echo ${verifyResult} | grep 'Good signature' -c) 39 | echo "goodSignature(${goodSignature})" 40 | if [ ${goodSignature} -lt 1 ]; then 41 | echo "" 42 | echo "!!! 
BUILD FAILED --> PGP Verify not OK / signature(${goodSignature})" 43 | exit 1 44 | fi 45 | 46 | echo " 47 | # Installing with the command: 48 | # python3 -m pip install --user Electrum-$electrumVersion.tar.gz[fast] 49 | " 50 | # Run without installing: tar -xvf Electrum-$electrumVersion.tar.gz 51 | # python3 Electrum-$electrumVersion/run_electrum 52 | # Install with PIP: 53 | sudo apt-get install -y python3-setuptools python3-pip 54 | python3 -m pip install --user Electrum-$electrumVersion.tar.gz[fast] 55 | 56 | isInPath=$(echo $PATH | grep -c ~/.local/bin) 57 | if [ $isInPath -eq 0 ]; then 58 | echo 59 | echo "add install dir to PATH" 60 | PATH=$PATH:~/.local/bin 61 | touch ~/.profile 62 | export PATH 63 | echo "PATH=$PATH" | tee -a ~/.profile 64 | else 65 | echo 66 | echo "The install dir is already in the PATH" 67 | fi 68 | 69 | echo " 70 | To start use: 71 | 'electrum --oneserver --server YOUR_ELECTRUM_SERVER_IP:50002:s' 72 | 73 | To start with your custom server now and save the setting: 74 | type the LAN_IP_ADDRESS of your Electrum Server followed by [ENTER]:" 75 | read RASPIBLITZ_IP 76 | 77 | echo " 78 | Make the oneserver config persist (editing ~/.electrum/config) 79 | " 80 | electrum setconfig oneserver true 81 | electrum setconfig server $RASPIBLITZ_IP:50002:s 82 | 83 | echo " 84 | # To run with the chosen server, just use: 85 | 'electrum' 86 | 87 | # To change the preset server: 88 | # edit the file ~/.electrum/config and change: 89 | \"server\": \":50002:s\" 90 | # or 91 | \"server\": \"toraddress.onion:50001:t\" 92 | " 93 | 94 | electrum --oneserver --server $RASPIBLITZ_IP:50002:s 95 | -------------------------------------------------------------------------------- /electrs/images/electrs_status.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/electrs/images/electrs_status.png 
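The signature check in `electrum_wallet.sh` above counts `Good signature` lines, and gpg prints that line for a valid signature made by *any* key in the keyring, including one fetched over the same channel as the tarball. The following is an added example for this guide, not code from the script or from the Electrum project: it reads gpg's machine-readable status output and accepts the tarball only when the `VALIDSIG` fingerprint matches a pinned value and no `BADSIG`, `ERRSIG` or `NO_PUBKEY` line appears. `ELECTRUM_FPR` is assumed to be ThomasV's key fingerprint as listed on https://electrum.org/#download; confirm it there before relying on it.

```shell
#!/bin/sh
# Added example for this guide (not from electrum_wallet.sh or Electrum):
# verify a detached PGP signature and pin the signing key's fingerprint.
# Assumes gpg is installed. ELECTRUM_FPR is assumed to be ThomasV's key
# fingerprint as listed on https://electrum.org/#download; confirm it there.
set -u

ELECTRUM_FPR="6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6"

# check_gpg_status EXPECTED_FPR   (reads gpg --status-fd lines on stdin)
# Succeeds only if a VALIDSIG line carries EXPECTED_FPR as the signing key
# or as the primary key, and no BADSIG / ERRSIG / NO_PUBKEY line appears.
# A "Good signature" from any other key in the keyring is rejected.
check_gpg_status() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
  ok=0
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
        return 1 ;;
      "[GNUPG:] VALIDSIG "*)
        # Fields: [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <expire-ts>
        #         <version> <reserved> <pk-algo> <hash-algo> <class> <primary-fpr>
        set -- $line
        sigfpr=$3
        for primfpr; do :; done   # POSIX way to take the last field
        if [ "$sigfpr" = "$expected" ] || [ "$primfpr" = "$expected" ]; then
          ok=1
        fi ;;
    esac
  done
  [ "$ok" -eq 1 ]
}

# verify_signed_file EXPECTED_FPR SIGNATURE FILE
# Runs gpg with machine-readable status on stdout (human output discarded)
# and applies the check above. The exit status is the verdict.
verify_signed_file() {
  gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_gpg_status "$1"
}

# Usage with the files electrum_wallet.sh downloads (version 4.1.5 assumed):
#   verify_signed_file "$ELECTRUM_FPR" Electrum-4.1.5.tar.gz.ThomasV.asc Electrum-4.1.5.tar.gz \
#     || { echo "PGP verification FAILED" >&2; exit 1; }
```

Pinning the fingerprint rather than trusting whatever `gpg --import ThomasV.asc` pulled in means a swapped key file on the download host fails the check instead of passing it; importing the key from a second source (keyserver, Git history) before running the script is still the better habit.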
-------------------------------------------------------------------------------- /electrs/images/electrum.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/electrs/images/electrum.png -------------------------------------------------------------------------------- /electrs/images/electrum_icon_lan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/electrs/images/electrum_icon_lan.png -------------------------------------------------------------------------------- /electrs/images/electrum_icon_tor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/electrs/images/electrum_icon_tor.png -------------------------------------------------------------------------------- /electrs/images/electrum_tor.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/electrs/images/electrum_tor.png -------------------------------------------------------------------------------- /electrs/modules/2_electrs_systemd_service.sh: -------------------------------------------------------------------------------- 1 | # Install the electrs systemd service. 
2 | # Prerequisite: 1_electrs_on_RaspiBlitz.sh 3 | 4 | # To download and run: 5 | # $ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/2_electrs_systemd_service.sh && bash 2_electrs_systemd_service.sh 6 | 7 | sudo systemctl stop electrs 8 | sudo systemctl disable electrs 9 | sudo rm /etc/systemd/system/electrs.service 10 | 11 | # sudo nano /etc/systemd/system/electrs.service 12 | echo " 13 | [Unit] 14 | Description=Electrs 15 | After=bitcoind.service 16 | 17 | [Service] 18 | WorkingDirectory=/home/electrs/electrs 19 | ExecStart=/home/electrs/electrs/target/release/electrs --index-batch-size=10 --electrum-rpc-addr=\"0.0.0.0:50001\" 20 | User=electrs 21 | Group=electrs 22 | Type=simple 23 | KillMode=process 24 | TimeoutSec=60 25 | Restart=always 26 | RestartSec=60 27 | 28 | [Install] 29 | WantedBy=multi-user.target 30 | " | sudo tee -a /etc/systemd/system/electrs.service 31 | 32 | sudo systemctl enable electrs 33 | sudo systemctl start electrs 34 | 35 | # Hidden Service for electrs if Tor active 36 | 37 | source /mnt/hdd/raspiblitz.conf 38 | 39 | if [ "${runBehindTor}" = "on" ]; then 40 | isElectrsTor=$(sudo cat /etc/tor/torrc 2>/dev/null | grep -c 'electrs') 41 | if [ ${isElectrsTor} -eq 0 ]; then 42 | echo " 43 | # Hidden Service for Electrum Server 44 | HiddenServiceDir /mnt/hdd/tor/electrs 45 | HiddenServiceVersion 3 46 | HiddenServicePort 50001 127.0.0.1:50001 47 | " | sudo tee -a /etc/tor/torrc 48 | 49 | sudo systemctl restart tor 50 | sudo systemctl restart tor@default 51 | fi 52 | TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/electrs/hostname) 53 | echo "" 54 | echo "***" 55 | echo "The hidden service address for electrs is:" 56 | echo "$TOR_ADDRESS" 57 | echo "***" 58 | echo "" 59 | fi -------------------------------------------------------------------------------- /electrs/modules/3_SSL.sh: -------------------------------------------------------------------------------- 1 | # A script to set up the Electrum Server in Rust on the 
RaspiBlitz to connect over SSL to Eclair and Electrum wallet 2 | # Sets up the automatic start of nginx and certbot 3 | 4 | # To download and run: 5 | # $ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/3_Nginx_and_Certbot_for_SSL.sh && bash 3_Nginx_and_Certbot_for_SSL.sh 6 | 7 | echo "" 8 | echo "***" 9 | echo "installing Nginx" 10 | echo "***" 11 | echo "" 12 | 13 | sudo apt-get install -y nginx 14 | sudo /etc/init.d/nginx start 15 | 16 | echo "" 17 | echo "***" 18 | echo "Create a self signed SSL certificate" 19 | echo "***" 20 | echo "" 21 | 22 | #https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes 23 | #https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts 24 | 25 | echo " 26 | [req] 27 | prompt=no 28 | default_bits = 2048 29 | default_keyfile = localhost.key 30 | distinguished_name = req_distinguished_name 31 | req_extensions = req_ext 32 | x509_extensions = v3_ca 33 | 34 | [req_distinguished_name] 35 | countryName = Country Name (2 letter code) 36 | countryName_default = US 37 | stateOrProvinceName = State or Province Name (full name) 38 | stateOrProvinceName_default = New York 39 | localityName = Locality Name (eg, city) 40 | localityName_default = Rochester 41 | organizationName = Organization Name (eg, company) 42 | organizationName_default = localhost 43 | organizationalUnitName = organizationalunit 44 | organizationalUnitName_default = Development 45 | commonName = Common Name (e.g. 
server FQDN or YOUR name) 46 | commonName_default = localhost 47 | commonName_max = 64 48 | 49 | [req_ext] 50 | subjectAltName = @alt_names 51 | 52 | [v3_ca] 53 | subjectAltName = @alt_names 54 | 55 | [alt_names] 56 | DNS.1 = localhost 57 | IP.1 = 127.0.0.1 58 | " | sudo tee /mnt/hdd/electrs/localhost.conf 59 | 60 | cd /mnt/hdd/electrs 61 | sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf 62 | 63 | sudo cp localhost.crt /etc/ssl/certs/localhost.crt 64 | sudo cp localhost.key /etc/ssl/private/localhost.key 65 | 66 | echo "" 67 | echo "***" 68 | echo "Setting up nginx.conf" 69 | echo "***" 70 | echo "" 71 | 72 | isElectrs=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'upstream electrs') 73 | if [ ${isElectrs} -gt 0 ]; then 74 | echo "electrs is already configured with Nginx. To edit manually run \`sudo nano /etc/nginx/nginx.conf\`" 75 | 76 | elif [ ${isElectrs} -eq 0 ]; then 77 | 78 | isStream=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'stream {') 79 | if [ ${isStream} -eq 0 ]; then 80 | 81 | echo " 82 | stream { 83 | upstream electrs { 84 | server 127.0.0.1:50001; 85 | } 86 | server { 87 | listen 50002 ssl; # the ssl parameter is required, otherwise nginx passes plaintext through and the certificate is never used 88 | proxy_pass electrs; 89 | ssl_certificate /etc/ssl/certs/localhost.crt; 90 | ssl_certificate_key /etc/ssl/private/localhost.key; 91 | ssl_session_cache shared:SSL-electrs:1m; 92 | ssl_session_timeout 4h; 93 | ssl_protocols TLSv1.2 TLSv1.3; # TLS 1.0 and 1.1 are deprecated; TLSv1.3 needs nginx 1.13+ built with OpenSSL 1.1.1+, drop it on older builds 94 | ssl_prefer_server_ciphers on; 95 | } 96 | }" | sudo tee -a /etc/nginx/nginx.conf 97 | 98 | elif [ ${isStream} -eq 1 ]; then 99 | sudo truncate -s-2 /etc/nginx/nginx.conf 100 | echo " 101 | 102 | upstream electrs { 103 | server 127.0.0.1:50001; 104 | } 105 | server { 106 | listen 50002 ssl; 107 | proxy_pass electrs; 108 | ssl_certificate /etc/ssl/certs/localhost.crt; 109 | ssl_certificate_key /etc/ssl/private/localhost.key; 110 | ssl_session_cache shared:SSL-electrs:1m; 111 | ssl_session_timeout 4h; 112 | ssl_protocols TLSv1.2 TLSv1.3; 113 | ssl_prefer_server_ciphers on; 114 | } 115 | }" | sudo tee -a /etc/nginx/nginx.conf 116 | 117 | elif [ ${isStream} -gt 1 ]; then 118 | 119 | echo " Too many \`stream\` commands in nginx.conf. Please edit manually: \`sudo nano /etc/nginx/nginx.conf\` and retry" 120 | exit 1 121 | fi 122 | fi 123 | 124 | echo "allow port 50002 on ufw" 125 | sudo ufw allow 50002 126 | 127 | sudo systemctl enable nginx 128 | sudo systemctl restart nginx 129 | 130 | echo "" 131 | echo "To connect from outside of the local network make sure the port 50002 is forwarded on your router" 132 | echo "Eclair mobile wallet: In the \`Network info\` set the \`Current Electrum server\` to \`YOUR_DOMAIN:50002\`" 133 | echo "Electrum wallet: start with the options \`electrum --oneserver --server YOUR_DOMAIN:50002:s\`" 134 | echo "" 135 | -------------------------------------------------------------------------------- /electrs/modules/certbot.sh: -------------------------------------------------------------------------------- 1 | # For the certificate to be obtained successfully a dynamic DNS and port forwarding is needed 2 | # Need to forward port 80 to the IP of your RaspiBlitz for certbot 3 | # Forward port 50002 to be able to access your electrs from outside of your LAN 4 | 5 | # https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md 6 | 7 | echo "" 8 | echo "***" 9 | echo "Please type the domain/dynamicDNS you want to use for Electrs and press [ENTER]" 10 | read YOUR_DOMAIN 11 | 12 | echo "" 13 | echo "***" 14 | echo "Please type an email that will be used to register the SSL certificate and press [ENTER]" 15 | read YOUR_EMAIL 16 | 17 | echo "" 18 | echo "***" 19 | echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]" 20 | read key 21 | 22 | echo "allow port 80 on ufw" 23 | sudo ufw allow 80 24 | 25 | # https://certbot.eff.org/lets-encrypt/debianother-nginx 26 | echo "" 27 | echo "***" 28 | echo "Installing certbot" 29 | echo "Will ask for an email address and a domain name - a dynamic DNS can be used" 30 | echo "Use the default settings in the other options" 31 | echo "***" 32 | echo "" 33 | 34 | #wget https://dl.eff.org/certbot-auto 35 | #chmod +x certbot-auto 36 | #sudo ./certbot-auto --nginx 37 | 38 | sudo apt install -y certbot 39 | # get SSL cert 40 | sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start" 41 | 42 | 43 | # Your certificate and chain have been saved at: 44 | # /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem 45 | # Your key file has been saved at: 46 | # /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem 47 | # nginx (see 3_SSL.sh) still serves the self-signed localhost.crt: point ssl_certificate and ssl_certificate_key at the two paths above and reload nginx to actually serve this certificate 48 | echo "" 49 | echo "***" 50 | echo "Setting up certbot renewal timer" 51 | echo "***" 52 | echo "" 53 | # The Debian certbot package ships its own certbot.timer and certbot.service; the units written to /etc/systemd/system below override them 54 | echo " 55 | [Unit] 56 | Description=Certbot renewal timer 57 | 58 | [Timer] 59 | OnBootSec=20min 60 | OnCalendar=*-*-* 4:00:00 61 | 62 | [Install] 63 | WantedBy=timers.target 64 | " | sudo tee /etc/systemd/system/certbot.timer 65 | 66 | echo " 67 | [Unit] 68 | Description=Certbot renewal 69 | 70 | [Service] 71 | Type=oneshot 72 | ExecStart=/usr/bin/certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\" 73 | " | sudo tee /etc/systemd/system/certbot.service 74 | # renew must run as root (it writes /etc/letsencrypt and restarts nginx), so no User= and no sudo inside ExecStart; Type=oneshot without Restart= runs it once per timer tick instead of restarting it every 60 seconds 75 | 76 | sudo systemctl daemon-reload 77 | sudo systemctl enable --now certbot.timer -------------------------------------------------------------------------------- /electrs/modules/tor_hidden_service.sh: -------------------------------------------------------------------------------- 1 | # Hidden Service for electrs if Tor active 2 | source /mnt/hdd/raspiblitz.conf 3 | if [ "${runBehindTor}" = "on" ]; then 4 | isElectrsTor=$(sudo cat /etc/tor/torrc 2>/dev/null | grep -c 'electrs') 5 | if [ 
${isElectrsTor} -eq 0 ]; then 6 | echo " 7 | # Hidden Service for Electrum Server 8 | HiddenServiceDir /mnt/hdd/tor/electrs 9 | HiddenServiceVersion 3 10 | HiddenServicePort 50001 127.0.0.1:50001 11 | " | sudo tee -a /etc/tor/torrc 12 | 13 | sudo systemctl restart tor 14 | sudo systemctl restart tor@default 15 | fi 16 | TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/electrs/hostname) 17 | echo "" 18 | echo "***" 19 | echo "The Tor Hidden Service address for electrs is:" 20 | echo "$TOR_ADDRESS" 21 | echo "***" 22 | echo "" 23 | fi -------------------------------------------------------------------------------- /electrs/testnet/t1_electrs_on_RaspiBlitz.sh: -------------------------------------------------------------------------------- 1 | # Download and run this script on the RaspiBlitz: 2 | # $ wget https://github.com/openoms/bitcoin-tutorials/raw/master/electrs/electrs_install_on_RaspiBlitz.sh && bash electrs_install_on_RaspiBlitz.sh 3 | 4 | # https://github.com/romanz/electrs/blob/master/doc/usage.md 5 | 6 | #echo "Type the PASSWORD B of your RaspiBlitz followed by [ENTER] (needed for Electrs to access the bitcoind RPC):" 7 | #read PASSWORD_B 8 | echo "getting RPC credentials from the bitcoin.conf" 9 | RPC_USER=$(sudo cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcuser | cut -c 9-) 10 | PASSWORD_B=$(sudo cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcpassword | cut -c 13-) 11 | 12 | echo "" 13 | echo "***" 14 | echo "Installing Rust - press 1 and [ENTER] when prompted" 15 | echo "***" 16 | echo "" 17 | curl https://sh.rustup.rs -sSf | sh 18 | 19 | source $HOME/.cargo/env 20 | sudo apt update 21 | sudo apt install -y clang cmake # for building 'rust-rocksdb' 22 | 23 | echo "" 24 | echo "***" 25 | echo "Downloading and building electrs. 
This will take ~30 minutes" # ~22 min on an Odroid XU4 26 | echo "***" 27 | echo "" 28 | git clone https://github.com/romanz/electrs 29 | cd electrs 30 | cargo build --release 31 | 32 | echo "" 33 | echo "***" 34 | echo "The electrs database will be built in /mnt/hdd/electrs/testnetdb. Takes ~18 hours and ~50Gb diskspace" 35 | echo "***" 36 | echo "" 37 | 38 | sudo mkdir /mnt/hdd/electrs 39 | sudo chown -R admin:admin /mnt/hdd/electrs 40 | sudo ufw allow 60001 41 | 42 | # generate setting file: https://github.com/romanz/electrs/issues/170#issuecomment-530080134 43 | mkdir /home/admin/.electrs/ 44 | sudo rm /home/admin/.electrs/config.toml 45 | touch /home/admin/.electrs/config.toml 46 | echo "generating electrs.toml setting file with the RPC passwords" 47 | ( 48 | echo " 49 | verbose = 4 50 | timestamp = true 51 | jsonrpc_import = true 52 | db_dir = \"/mnt/hdd/electrs/testnetdb\" 53 | cookie = \"$RPC_USER:$PASSWORD_B\" 54 | " | tee -a /home/admin/.electrs/config.toml 55 | ) &> /dev/null 56 | 57 | # Run with password B filled in: 58 | cargo run --release -- --index-batch-size=10 --db-dir /mnt/hdd/electrs/testnetdb --electrum-rpc-addr="0.0.0.0:60001" --network testnet 59 | 60 | # to preserve settings: 61 | # see https://github.com/romanz/electrs/blob/master/src/config.rs 62 | # sudo nano $HOME/electrs/src/config.rs 63 | # change the lines: 64 | # 73: from: .takes_value(true), to: .default_value("raspibolt:PASSWORD B"), 65 | # 132: from .default_value("Welcome to electrs (Electrum Rust Server)!") to your custom message -------------------------------------------------------------------------------- /electrs/testnet/t2_electrs_systemd_service.sh: -------------------------------------------------------------------------------- 1 | # Install the electrs systemd service. 
2 | # Prerequisite: 1_electrs_on_RaspiBlitz.sh 3 | 4 | # To download and run: 5 | # $ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/2_electrs_systemd_service.sh && bash 2_electrs_systemd_service.sh 6 | 7 | sudo systemctl stop electrs 8 | sudo systemctl disable electrs 9 | sudo rm /etc/systemd/system/electrs.service 10 | 11 | # sudo nano /etc/systemd/system/electrs.service 12 | echo " 13 | [Unit] 14 | Description=Electrs 15 | After=bitcoind.service 16 | 17 | [Service] 18 | WorkingDirectory=/home/admin/electrs 19 | ExecStart=/home/admin/electrs/target/release/electrs --index-batch-size=10 --jsonrpc_import --db-dir /mnt/hdd/electrs/testnetdb --electrum-rpc-addr=\"0.0.0.0:60001\" --network testnet --timestamp -vvvv 20 | 21 | User=admin 22 | Group=admin 23 | Type=simple 24 | KillMode=process 25 | TimeoutSec=60 26 | Restart=always 27 | RestartSec=60 28 | 29 | [Install] 30 | WantedBy=multi-user.target 31 | " | sudo tee -a /etc/systemd/system/electrs.service 32 | 33 | sudo systemctl enable electrs 34 | sudo systemctl start electrs -------------------------------------------------------------------------------- /electrumx.md: -------------------------------------------------------------------------------- 1 | # ElectrumX on a RaspiBlitz 2 | 3 | This is a rough overview, the guide is work in progress. 
4 | 5 | Tested environments: 6 | * X86_64 Xeon E5 with 32GB RAM and SSD storage - first sync time: 2d 16h 07m 7 | * Raspberry Pi4 8GB 64bit RaspberryOS with SSD is ~6.5 days 8 | 9 | Issue: 10 | 11 | ## Prepare the system and directories 12 | * Requires `txindex=1` for Bitcoin Core 13 | 14 | ``` 15 | # create a dedicated user 16 | sudo adduser --disabled-password --gecos "" electrumx 17 | cd /home/electrumx 18 | 19 | sudo -u electrumx git clone https://github.com/spesmilo/electrumx.git 20 | cd electrumx 21 | 22 | # installation 23 | # dependencies 24 | sudo -u electrumx pip install aiohttp pylru 25 | # from: https://github.com/spesmilo/electrumx/blob/master/contrib/raspberrypi3/install_electrumx.sh 26 | sudo apt-get install -y \ 27 | python3-pip \ 28 | build-essential \ 29 | libc6-dev \ 30 | libncurses5-dev \ 31 | libncursesw5-dev \ 32 | libreadline6-dev/stable \ 33 | libreadline6/stable \ 34 | libleveldb-dev 35 | sudo pip3 install plyvel 36 | 37 | # places the binaries in /home/electrumx/.local/bin/ 38 | sudo -u electrumx pip3 install . 
39 | 40 | # alternative install method (places the binaries in /usr/local/bin): 41 | # sudo -u electrumx python3 setup.py build 42 | # sudo python3 setup.py install 43 | 44 | # create the database directory in /mnt/hdd/app-storage (on the disk) 45 | sudo mkdir -p /mnt/hdd/app-storage/electrumx/db 46 | sudo chown -R electrumx:electrumx /mnt/hdd/app-storage/electrumx 47 | 48 | # create a symlink to /home/electrumx/.electrumx 49 | sudo ln -s /mnt/hdd/app-storage/electrumx /home/electrumx/.electrumx 50 | sudo chown -R electrumx:electrumx /home/electrumx/.electrumx 51 | 52 | ``` 53 | 54 | ## Create a config file 55 | * 56 | * Paste this as a block to create the config file, after filling in PASSWORD_B (the Bitcoin Core RPC password): 57 | ``` 58 | PASSWORD_B="your-password-here" 59 | ``` 60 | ``` 61 | echo "\ 62 | DB_DIRECTORY=/home/electrumx/.electrumx/db 63 | DAEMON_URL=http://raspibolt:${PASSWORD_B}@127.0.0.1 64 | COIN=Bitcoin 65 | 66 | SERVICES = tcp://:50010,rpc:// 67 | PEER_DISCOVERY = off 68 | COST_SOFT_LIMIT = 0 69 | COST_HARD_LIMIT = 0 70 | 71 | NET=mainnet 72 | CACHE_MB=1200 73 | 74 | # SERVICES = tcp://:50010,ssl://:50011,rpc:// 75 | # SSL_CERTFILE=/home/electrumx/.electrumx/certfile.crt 76 | # SSL_KEYFILE=/home/electrumx/.electrumx/keyfile.key 77 | # BANNER_FILE=/home/electrumx/.electrumx/banner 78 | # DONATION_ADDRESS=your-donation-address 79 | " | sudo -u electrumx tee /home/electrumx/.electrumx/electrumx.conf 80 | ``` 81 | * the ports 50010 and 50011 are used so as not to interfere with a possible Electrs instance 82 | * edit afterwards with `sudo nano /home/electrumx/.electrumx/electrumx.conf` 83 | 84 | ## Create a systemd service 85 | * 86 | * Paste this as a block to create the electrumx.service file: 87 | ``` 88 | echo "\ 89 | [Unit] 90 | Description=Electrumx 91 | After=network.target bitcoind.service 92 | 93 | [Service] 94 | EnvironmentFile=/home/electrumx/.electrumx/electrumx.conf 95 | ExecStart=/home/electrumx/.local/bin/electrumx_server 96 | 
User=electrumx 97 | LimitNOFILE=8192 98 | TimeoutStopSec=30min 99 | 100 | [Install] 101 | WantedBy=multi-user.target 102 | " | sudo tee /etc/systemd/system/electrumx.service 103 | ``` 104 | 105 | ## Start 106 | * depending on the available RAM it is a good idea to keep at least 10GB swap: 107 | 108 | can consider ZRAM: 109 | 110 | 111 | ``` 112 | sudo systemctl enable electrumx 113 | sudo systemctl start electrumx 114 | ``` 115 | 116 | ## Monitor 117 | ``` 118 | sudo journalctl -fu electrumx 119 | sudo systemctl status electrumx 120 | ``` 121 | 122 | ## Remove the electrumx user and installation (not the database) 123 | ``` 124 | sudo systemctl disable electrumx 125 | sudo systemctl stop electrumx 126 | sudo userdel -rf electrumx 127 | # to remove the database directory: 128 | # sudo rm -rf /mnt/hdd/app-storage/electrumx 129 | ``` 130 | 131 | ## Set SSL 132 | * 133 | 134 | 135 | ## Sources: 136 | * 137 | * 138 | * 139 | * [Running an ElectrumX server on Ubuntu by @k3tan172](https://www.youtube.com/watch?v=QiX0rR_o_fI) -------------------------------------------------------------------------------- /images/DroidBlitzXU4_HC1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/DroidBlitzXU4_HC1.jpg -------------------------------------------------------------------------------- /images/HC1.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/HC1.jpeg -------------------------------------------------------------------------------- /images/RaspiBlitz.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/RaspiBlitz.png 
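Both indexer setups on this page put the Bitcoin Core RPC password into a config file: `t1_electrs_on_RaspiBlitz.sh` extracts it from `bitcoin.conf` with `cut -c 9-` (which breaks on any whitespace around `=` or on a commented line) and writes `config.toml` with the default umask, and the ElectrumX notes paste PASSWORD_B into `electrumx.conf` the same way, leaving the secret world-readable. The following is an added example for this guide, not code from either script: it looks up keys by name, tolerating whitespace and trailing comments the way Bitcoin Core does, and creates the config file with owner-only permissions before any content is written. The paths in the usage comment are the RaspiBlitz locations used on this page.

```shell
#!/bin/sh
# Added example for this guide, not part of t1_electrs_on_RaspiBlitz.sh or
# the ElectrumX notes: read the RPC credentials from bitcoin.conf by key
# rather than by column, and write the indexer config with owner-only
# permissions so PASSWORD_B is never left world-readable.
set -u

# conf_get FILE KEY
# Prints the value of the last "KEY=value" line in FILE. Bitcoin Core treats
# '#' as the start of a comment anywhere on a line, so the same rule applies
# here; whitespace around '=' is tolerated. Status 1 if the key is absent.
conf_get() {
  value=$(sed -n -e 's/[[:space:]]*#.*$//' \
                 -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
          | sed -e 's/[[:space:]]*$//' | tail -n 1)
  [ -n "$value" ] && printf '%s\n' "$value"
}

# write_private_file PATH OWNER   (content on stdin)
# The file is created under umask 077, so at no moment does a world-readable
# copy of the secret exist; then it is handed to OWNER.
write_private_file() {
  ( umask 077 && cat > "$1" ) || return 1
  chmod 600 "$1" && chown "$2" "$1"
}

# file_mode PATH -> octal permission bits (GNU stat, BSD stat as fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_electrs_config BITCOIN_CONF OUT OWNER DB_DIR
# The same config.toml that t1_electrs_on_RaspiBlitz.sh generates, but built
# from parsed credentials and stored privately.
write_electrs_config() {
  user=$(conf_get "$1" rpcuser) || { echo "rpcuser not set in $1" >&2; return 1; }
  pass=$(conf_get "$1" rpcpassword) || { echo "rpcpassword not set in $1" >&2; return 1; }
  printf 'verbose = 4\ntimestamp = true\njsonrpc_import = true\ndb_dir = "%s"\ncookie = "%s:%s"\n' \
    "$4" "$user" "$pass" | write_private_file "$2" "$3"
}

# On the RaspiBlitz (run as root, bitcoin.conf is not readable by admin):
#   write_electrs_config /mnt/hdd/bitcoin/bitcoin.conf /home/admin/.electrs/config.toml admin /mnt/hdd/electrs/testnetdb
# For the ElectrumX config, pipe the generated electrumx.conf text through:
#   write_private_file /home/electrumx/.electrumx/electrumx.conf electrumx
```

`EnvironmentFile=` in the electrumx.service unit is read by systemd as root, so a 0600 file owned by `electrumx` works unchanged; the same holds for electrs reading its own `config.toml`.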
-------------------------------------------------------------------------------- /images/RaspiBlitzPhoto.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/RaspiBlitzPhoto.jpg -------------------------------------------------------------------------------- /images/RaspiBlitz_Logo_Berry.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/RaspiBlitz_Logo_Berry.png -------------------------------------------------------------------------------- /images/XU4.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/XU4.jpeg -------------------------------------------------------------------------------- /images/ckbunker.hsmmode.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/ckbunker.hsmmode.jpg -------------------------------------------------------------------------------- /images/ckbunker.starthsm.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/ckbunker.starthsm.jpg -------------------------------------------------------------------------------- /images/joinmarket_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/joinmarket_logo.png -------------------------------------------------------------------------------- 
/images/joinmarket_maxsize.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/joinmarket_maxsize.png -------------------------------------------------------------------------------- /images/joinmarket_minsize.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/joinmarket_minsize.png -------------------------------------------------------------------------------- /images/joule1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/joule1.png -------------------------------------------------------------------------------- /images/orbot.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/orbot.jpg -------------------------------------------------------------------------------- /images/raspilogo_400px.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/raspilogo_400px.png -------------------------------------------------------------------------------- /images/zap_on_tor.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/zap_on_tor.jpg -------------------------------------------------------------------------------- /images/zap_on_tor_logo.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/zap_on_tor_logo.jpg -------------------------------------------------------------------------------- /images/zeus_on_tor.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/zeus_on_tor.jpg -------------------------------------------------------------------------------- /images/zeus_on_tor_logo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/images/zeus_on_tor_logo.jpg -------------------------------------------------------------------------------- /joinmarket/systemd/jmdir_mainnet.service: -------------------------------------------------------------------------------- 1 | # /etc/systemd/system/jm_hs_mainnet.service 2 | [Unit] 3 | Description=JM mainnet directory node 4 | Requires=network-online.target 5 | After=network-online.target 6 | 7 | [Service] 8 | Type=simple 9 | ExecStart=/bin/bash -c 'cd /home/joinmarket/joinmarket-clientserver && source jmvenv/bin/activate \ 10 | && cd scripts && python start-dn.py --datadir=/home/joinmarket/.joinmarket-mainnet mainnet-directory-node' 11 | User=joinmarket 12 | Restart=always 13 | 14 | [Install] 15 | WantedBy=multi-user.target 16 | -------------------------------------------------------------------------------- /joinmarket/systemd/jmdir_signet.service: -------------------------------------------------------------------------------- 1 | # /etc/systemd/system/jmdir_signet.service 2 | [Unit] 3 | Description=JM signet directory node 4 | Requires=network-online.target 5 | After=network-online.target 6 | 7 | [Service] 8 | Type=simple 9 | ExecStart=/bin/bash -c 'cd /home/joinmarket/joinmarket-clientserver \ 10 | && source jmvenv/bin/activate && cd 
scripts && \ 11 | python start-dn.py --datadir=/home/${user}/.joinmarket-signet signet-directory-node' 12 | User=joinmarket 13 | Restart=always 14 | 15 | [Install] 16 | WantedBy=multi-user.target 17 | -------------------------------------------------------------------------------- /joinmarket/systemd/ob-watcher.service: -------------------------------------------------------------------------------- 1 | # /etc/systemd/system/ob-watcher.service 2 | [Unit] 3 | Description=ob-watcher 4 | 5 | [Service] 6 | WorkingDirectory=/home/joinmarket/joinmarket-clientserver/scripts/obwatch 7 | ExecStart=/bin/sh -c \ 8 | '. /home/joinmarket/joinmarket-clientserver/jmvenv/bin/activate && python ob-watcher.py' 9 | User=joinmarket 10 | Group=joinmarket 11 | Type=simple 12 | TimeoutSec=600 13 | Restart=on-failure 14 | 15 | # Hardening measures 16 | PrivateTmp=true 17 | ProtectSystem=full 18 | NoNewPrivileges=true 19 | PrivateDevices=true 20 | 21 | [Install] 22 | WantedBy=multi-user.target 23 | -------------------------------------------------------------------------------- /k8s/devenv.mickrok8s.sh: -------------------------------------------------------------------------------- 1 | # from install.microk8s.sh 2 | 3 | sudo apt install -y snapd 4 | sudo snap install microk8s --classic --channel=1.23/stable 5 | 6 | sudo adduser --disabled-password --gecos "" k8s 7 | sudo usermod -a -G sudo,bitcoin,debian-tor,microk8s k8s 8 | echo '/usr/share/doc/fzf/examples/key-bindings.bash' >> /home/k8s/.bashrc 9 | echo '/usr/share/doc/fzf/examples/completion.bash' >> /home/k8s/.bashrc 10 | echo 'export PATH=/snap/bin:$PATH' | sudo tee -a /home/k8s/.profile 11 | echo "\ 12 | alias kubectl='microk8s kubectl' 13 | alias egrep='egrep --color=auto' 14 | alias fgrep='fgrep --color=auto' 15 | alias g='git' 16 | alias grep='grep --color=auto' 17 | alias gs='git status' 18 | alias k='kubectl' 19 | alias l='ls -CF' 20 | alias la='ls -A' 21 | alias ll='ls -alF' 22 | alias ls='ls --color=auto' 23 | alias 
tf='terraform'\ 24 | " | sudo -u k8s tee -a /home/k8s/.bash_aliases 25 | 26 | sudo -u k8s /snap/bin/microk8s enable storage 27 | 28 | sudo snap install helm --classic 29 | 30 | # versions taken from https://github.com/GaloyMoney/galoy-infra/blob/main/modules/inception/gcp/bastion.tf (written as shell assignments so the ${...} references below expand) 31 | cfssl_version="1.6.1" 32 | bitcoin_version="22.0" 33 | cepler_version="0.7.8" 34 | lnd_version="0.13.3" 35 | kubectl_version="1.21.9" 36 | k9s_version="0.25.18" 37 | 38 | # https://github.com/GaloyMoney/galoy-infra/blob/main/modules/inception/gcp/bastion-startup.tmpl#L12-L20 39 | 40 | sed -i'' 's/pam_mkhomedir.so$/pam_mkhomedir.so umask=0077/' /etc/pam.d/sshd # Make all files private by default 41 | 42 | curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add - 43 | apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" 44 | 45 | # Keep make and terraform the first items installed as they are needed 46 | # for testflight to complete 47 | apt-get update && apt-get install -y make terraform jq tree wget redis postgresql 48 | 49 | cat <<EOF > /etc/profile.d/aliases.sh 50 | alias tf="terraform" 51 | alias k="kubectl" 52 | alias g="git" 53 | alias gs="git status" 54 | alias kauth="gcloud container clusters get-credentials ${cluster_name} --zone ${zone} --project ${project}" 55 | 56 | export GALOY_ENVIRONMENT=${project} 57 | export KUBE_CONFIG_PATH=~/.kube/config 58 | EOF 59 | 60 | %{ if bastion_revoke_on_exit } 61 | cat <<EOF >> /etc/profile.d/auto-revoke.sh 62 | onExit() { 63 | gcloud auth revoke 64 | echo Y | gcloud auth application-default revoke 65 | } 66 | trap onExit EXIT 67 | EOF 68 | %{ endif } 69 | 70 | curl -LO https://storage.googleapis.com/kubernetes-release/release/v${kubectl_version}/bin/linux/amd64/kubectl 71 | chmod +x ./kubectl 72 | mv ./kubectl /usr/local/bin 73 | 74 | curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash 75 | 76 | wget -O- https://k14s.io/install.sh | bash 77 | 78 | wget 
https://github.com/bodymindarts/cepler/releases/download/v${cepler_version}/cepler-x86_64-unknown-linux-musl-${cepler_version}.tar.gz \ 79 | && tar -zxvf cepler-x86_64-unknown-linux-musl-${cepler_version}.tar.gz \ 80 | && mv cepler-x86_64-unknown-linux-musl-${cepler_version}/cepler /usr/local/bin \ 81 | && chmod +x /usr/local/bin/cepler \ 82 | && rm -rf ./cepler-* 83 | 84 | wget https://bitcoincore.org/bin/bitcoin-core-${bitcoin_version}/bitcoin-${bitcoin_version}-x86_64-linux-gnu.tar.gz \ 85 | && tar -xvf bitcoin-${bitcoin_version}-x86_64-linux-gnu.tar.gz \ 86 | && mv bitcoin-${bitcoin_version}/bin/* /usr/local/bin 87 | 88 | wget -qO - https://www.mongodb.org/static/pgp/server-5.0.asc | apt-key add - \ 89 | && echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu bionic/mongodb-org/5.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-5.0.list \ 90 | && apt-get update \ 91 | && apt-get install -y mongodb-org-tools 92 | 93 | wget https://github.com/lightningnetwork/lnd/releases/download/v${lnd_version}-beta/lnd-linux-amd64-v${lnd_version}-beta.tar.gz \ 94 | && tar -xvf lnd-linux-amd64-v${lnd_version}-beta.tar.gz \ 95 | && mv lnd-linux-amd64-v${lnd_version}-beta/lncli /usr/local/bin \ 96 | && rm -rf lnd-linux-amd64-v${lnd_version}-* 97 | 98 | mkdir k9s && cd k9s \ 99 | && wget https://github.com/derailed/k9s/releases/download/v${k9s_version}/k9s_Linux_x86_64.tar.gz \ 100 | && tar -xvf k9s_Linux_x86_64.tar.gz \ 101 | && mv k9s /usr/local/bin \ 102 | && cd .. 
&& rm -rf k9s* 103 | -------------------------------------------------------------------------------- /k8s/galoy.mainnet.sh: -------------------------------------------------------------------------------- 1 | # charts 2 | helm repo add galoy-repo https://galoymoney.github.io/charts/ 3 | 4 | # add the bitnami charts https://charts.bitnami.com/ 5 | helm repo add bitnami https://charts.bitnami.com/bitnami 6 | 7 | helm repo update 8 | 9 | # bitcoind 10 | helm show values galoy-repo/bitcoind 11 | helm install bitcoind galoy-repo/bitcoind 12 | 13 | # lnd 14 | echo "\ 15 | configmap: 16 | customValues: 17 | - bitcoin.mainnet=true 18 | - bitcoind.rpchost=bitcoind:8332 19 | - bitcoind.zmqpubrawblock=tcp://bitcoind:28332 20 | - bitcoind.zmqpubrawtx=tcp://bitcoind:28333 21 | - minchansize=200000 22 | - db.bolt.auto-compact=true 23 | autoGenerateSeed: 24 | enabled: true 25 | " | tee -a lndvalues.yaml 26 | 27 | helm install lnd -f lndvalues.yaml galoy-repo/lnd 28 | 29 | # galoy 30 | # secrets 31 | mkdir -p ~/test-secrets/galoy-mongodb 32 | cd ~/test-secrets/galoy-mongodb 33 | echo -n "$(openssl rand -hex 64)" > ./mongodb-password 34 | echo -n "$(openssl rand -hex 64)" > ./mongodb-root-password 35 | echo -n "$(openssl rand -hex 64)" > ./mongodb-replica-set-key 36 | kubectl create secret generic galoy-mongodb \ 37 | --from-file=./mongodb-password \ 38 | --from-file=./mongodb-root-password \ 39 | --from-file=./mongodb-replica-set-key 40 | 41 | mkdir -p ~/test-secrets/galoy-price-history-postgres-creds 42 | cd ~/test-secrets/galoy-price-history-postgres-creds 43 | echo -n "$(openssl rand -hex 48)" > ./password 44 | 45 | kubectl create secret generic galoy-price-history-postgres-creds \ 46 | --from-file=./password \ 47 | --from-literal=username=price-history \ 48 | --from-literal=database=price-history 49 | 50 | kubectl create secret generic dropbox-access-token \ 51 | --from-literal=token='' 52 | 53 | kubectl create secret generic gcs-sa-key 54 | 55 | kubectl create secret generic 
geetest-key \ 56 | --from-literal=key='dummy' \ 57 | --from-literal=id='dummy' 58 | 59 | 60 | cd 61 | 62 | echo "\ 63 | global: 64 | network: mainnet 65 | bitcoind: 66 | port: 8332 67 | needFirebaseServiceAccount: false 68 | twilio: false 69 | devDisableMongoBackup: true 70 | lnd1: 71 | dns: lnd1.default.svc.cluster.local 72 | lnd2: 73 | dns: lnd1.default.svc.cluster.local 74 | " | tee galoyvalues.yaml 75 | 76 | helm install galoy -f galoyvalues.yaml galoy-repo/galoy 77 | -------------------------------------------------------------------------------- /k8s/install.microk8s.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # install microk8s and helm on Debian 11 - RaspiBlitz 4 | 5 | if [ "$1" = on ]; then 6 | sudo apt update 7 | 8 | SSDmount="/mnt/ext" 9 | sudo mkdir -p /var/snap 10 | sudo mv -f /var/snap ${SSDmount}/ 11 | sudo ln -s ${SSDmount}/snap /var/snap 12 | 13 | sudo apt install -y snapd 14 | sudo snap install microk8s --classic --channel=1.23/stable 15 | 16 | sudo adduser --disabled-password --gecos "" k8s 17 | sudo usermod -a -G sudo,bitcoin,debian-tor,microk8s k8s 18 | echo '/usr/share/doc/fzf/examples/key-bindings.bash' >> /home/k8s/.bashrc 19 | echo '/usr/share/doc/fzf/examples/completion.bash' >> /home/k8s/.bashrc 20 | echo 'export PATH=/snap/bin:$PATH' | sudo tee -a /home/k8s/.profile 21 | echo "\ 22 | alias kubectl='microk8s kubectl' 23 | alias egrep='egrep --color=auto' 24 | alias fgrep='fgrep --color=auto' 25 | alias g='git' 26 | alias grep='grep --color=auto' 27 | alias gs='git status' 28 | alias k='kubectl' 29 | alias l='ls -CF' 30 | alias la='ls -A' 31 | alias ll='ls -alF' 32 | alias ls='ls --color=auto' 33 | alias tf='terraform'\ 34 | " | sudo -u k8s tee -a /home/k8s/.bash_aliases 35 | 36 | # troubleshooting steps on Debian 37 | # https://microk8s.io/docs/troubleshooting 38 | sudo iptables -P FORWARD ACCEPT 39 | sudo apt-get install -y iptables-persistent 40 | echo '{ 41 | 
"insecure-registries" : ["localhost:32000"] 42 | } 43 | ' | sudo tee -a /etc/docker/daemon.json 44 | 45 | sudo ufw allow in on vxlan.calico && sudo ufw allow out on vxlan.calico 46 | sudo ufw allow in on cali+ && sudo ufw allow out on cali+ 47 | sudo ufw allow 16443 comment "microk8s" 48 | sudo ufw allow 10443 comment "kubernetes-dashboard" 49 | 50 | ## part of the docker install script 51 | # echo "### 3) Symlink the working directory to the SSD" 52 | sudo systemctl stop docker 53 | sudo systemctl stop docker.socket 54 | sudo mkdir -p /var/lib/docker 55 | sudo mv -f /var/lib/docker ${SSDmount}/ 56 | sudo ln -s ${SSDmount}/docker /var/lib/docker 57 | sudo systemctl start docker 58 | sudo systemctl start docker.socket 59 | 60 | sudo -u k8s /snap/bin/microk8s stop 61 | 62 | ## symlink the microk8s containerd and default-storage to the SSD 63 | SSDmount="/mnt/ext" 64 | 65 | sudo mkdir -p ${SSDmount}/microk8s/common/var/lib/containerd 66 | sudo mkdir -p ${SSDmount}/microk8s/common/run/containerd 67 | 68 | # echo "--config \${SNAP_DATA}/args/containerd.toml 69 | # --root ${SSDmount}/microk8s/common/var/lib/containerd 70 | # --state ${SSDmount}/microk8s/common/run/containerd 71 | # --address \${SNAP_COMMON}/run/containerd.sock 72 | # " | sudo tee /var/snap/microk8s/current/args/containerd 73 | 74 | sudo -u k8s /snap/bin/microk8s start 75 | 76 | sudo -u k8s /snap/bin/microk8s enable storage 77 | #microk8s enable helm 78 | #microk8s enable dns 79 | #microk8s enable dashboard 80 | #microk8s enable ingress 81 | #microk8s enable registry 82 | 83 | # make the config permanent 84 | sudo -u k8s /snap/bin/microk8s config | sudo -u k8s tee /home/k8s/.kube/config 85 | sudo chmod 0600 /home/k8s/.kube/config 86 | 87 | # helm 88 | sudo snap install helm --classic 89 | fi 90 | 91 | if [ "$1" = off ]; then 92 | 93 | helm uninstall galoy 94 | sudo snap remove helm 95 | microk8s reset --destroy-storage 96 | microk8s stop 97 | sudo snap remove microk8s 98 | sudo apt remove -y snapd --purge 
99 | sudo rm -rf /mnt/ext/snap 100 | 101 | fi -------------------------------------------------------------------------------- /k8s/nixenv.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # dedicated user 4 | USERNAME=k3d 5 | PASSWORD="" 6 | 7 | echo "# add the user: ${USERNAME}" 8 | sudo adduser --system --group --shell /bin/bash --home /home/${USERNAME} ${USERNAME} 9 | echo "Copy the skeleton files for login" 10 | sudo -u ${USERNAME} cp -r /etc/skel/. /home/${USERNAME}/ 11 | sudo adduser ${USERNAME} sudo 12 | 13 | # set a password (fill in PASSWORD above before running) 14 | echo "$USERNAME:$PASSWORD" | sudo chpasswd 15 | 16 | 17 | # docker 18 | if ! docker version 2>/dev/null; then 19 | # look for raspiblitz install script 20 | if [ -f /home/admin/config.scripts/blitz.docker.sh ]; then 21 | /home/admin/config.scripts/blitz.docker.sh on 22 | else 23 | # https://docs.docker.com/desktop/linux/install/debian/ 24 | curl -fsSL https://get.docker.com -o get-docker.sh 25 | sh get-docker.sh 26 | fi 27 | fi 28 | sudo groupadd docker 29 | sudo usermod -aG docker $USERNAME 30 | 31 | # need to log back in to get the group change 32 | 33 | 34 | 35 | # nix 36 | # manual install step 37 | curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install 38 | 39 | echo 'export PATH="$PATH:/nix/var/nix/profiles/default/bin"' >> ~/.bashrc 40 | 41 | # direnv 42 | sudo apt install -y direnv 43 | echo "eval \"\$(direnv hook bash)\"" >> ~/.bashrc 44 | source ~/.bashrc 45 | 46 | 47 | sudo su - k3d 48 | git clone https://github.com/GaloyMoney/charts && cd charts 49 | 50 | direnv allow 51 | 52 | cd dev 53 | make create-cluster 54 | -------------------------------------------------------------------------------- /nginx/README.md: -------------------------------------------------------------------------------- 1 | 2 | # Nginx scripts 3 | 4 | - [Lightning Payable VPS services](#lightning-payable-vps-services) 5 | - [Add a custom subdomain](#add-a-custom-subdomain) 6 | - 
[Snippets for NIP5, LNaddress and LNURLpay](#snippets-for-nip5-lnaddress-and-lnurlpay) 7 | - [CORS headers for ln-address](#cors-headers-for-ln-address) 8 | - [Add a subdomain for a Mempool instance](#add-a-subdomain-for-a-mempool-instance) 9 | - [Add subdomain for an Electrum Server](#add-subdomain-for-an-electrum-server) 10 | - [Set up SSL access for the Ride The Lightning web UI on the RaspiBlitz](#set-up-ssl-access-for-the-ride-the-lightning-web-ui-on-the-raspiblitz) 11 | - [Resources](#resources) 12 | 13 | 14 | ## Lightning Payable VPS services 15 | * [host4coins.net](https://host4coins.net) - from $8/month - only email address is required 16 | * A long list of providers: 17 | 18 | ## Add a custom subdomain 19 | 20 | In this example configuration a redirect is added to a custom service on the LAN (or VPN). 21 | 22 | To download, check and run: 23 | ``` 24 | wget -O custom_website_subdomain.sh https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/nginx/custom_website_subdomain.sh 25 | 26 | cat custom_website_subdomain.sh 27 | 28 | bash custom_website_subdomain.sh 29 | ``` 30 | 31 | ## Snippets for NIP5, LNaddress and LNURLpay 32 | * [snippets](/nginx/nostr_lnaddress_snippets.conf) 33 | 34 | ## CORS headers for ln-address 35 | 36 | * allow the `GET` `request_method` with these lines in `location / { }` 37 | ``` 38 | location / { 39 | 40 | if ($request_method != 'GET') { 41 | return 403; 42 | } 43 | add_header 'Access-Control-Allow-Origin' '*'; 44 | 45 | } 46 | ``` 47 | 48 | * More info from https://enable-cors.org/server_nginx.html 49 | 50 | ## Add a subdomain for a Mempool instance 51 | 52 | In this example configuration a redirect is added to a Mempool instance on the LAN (or VPN). 
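A read-only check of the site files these subdomain scripts write to `/etc/nginx/sites-available/`, added here as an example that is not part of the repository: it flags the legacy `ssl_protocols` values, missing `ssl_session_tickets off`, and a wildcard CORS origin that lacks the GET-only `request_method` check from the snippet above. The two site files it inspects are constructed inline; the path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the repository: audit an nginx site file.
# Usage (path assumed): audit_nginx_site /etc/nginx/sites-available/NAME

# Prints one line per finding and, as the last line, the finding count.
audit_nginx_site() {
    file="$1"
    findings=0
    has_ssl_listener=0
    if grep -Eq 'listen[^;]*[[:space:]]ssl([[:space:]]|;)' "$file"; then
        has_ssl_listener=1
    fi

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only TLSv1.2 TLSv1.3.
    if grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$file"; then
        echo "WEAK: ssl_protocols still offers TLSv1/TLSv1.1"
        findings=$((findings + 1))
    fi

    # Without an explicit ssl_protocols line the nginx default applies,
    # which differs between nginx versions.
    if [ "$has_ssl_listener" = 1 ] && ! grep -q 'ssl_protocols' "$file"; then
        echo "WEAK: ssl listener without an explicit ssl_protocols line"
        findings=$((findings + 1))
    fi

    # Session tickets protected by a long-lived key weaken forward secrecy.
    if [ "$has_ssl_listener" = 1 ] \
        && ! grep -q 'ssl_session_tickets[[:space:]]*off' "$file"; then
        echo "INFO: ssl_session_tickets not set to off"
        findings=$((findings + 1))
    fi

    # A wildcard CORS origin (LN address / LNURLpay endpoints) should be
    # paired with the GET-only request_method check from the README snippet.
    if grep -q "Access-Control-Allow-Origin' '\*'" "$file" \
        && ! grep -Eq "request_method[[:space:]]*!=[[:space:]]*'GET'" "$file"; then
        echo "WEAK: wildcard Access-Control-Allow-Origin without a GET-only request_method check"
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# Returns only the finding count (handy in scripts).
count_findings() {
    audit_nginx_site "$1" | tail -n 1
}

# Constructed sample: the TLS settings of the RTL stream block combined with
# an unrestricted wildcard CORS location.
write_weak_site() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name rtl.example.com;
    ssl_certificate /etc/letsencrypt/live/rtl.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rtl.example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        add_header 'Access-Control-Allow-Origin' '*';
        proxy_pass http://127.0.0.1:3000;
    }
}
EOF
}

# Constructed sample: the same site with the settings the subdomain scripts use.
write_hardened_site() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name rtl.example.com;
    ssl_certificate /etc/letsencrypt/live/rtl.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rtl.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    location / {
        if ($request_method != 'GET') {
            return 403;
        }
        add_header 'Access-Control-Allow-Origin' '*';
        proxy_pass http://127.0.0.1:3000;
    }
}
EOF
}

# Demo on the two constructed samples.
demo_dir=$(mktemp -d)
write_weak_site "$demo_dir/weak.conf"
write_hardened_site "$demo_dir/hardened.conf"
for site in weak hardened; do
    echo "== $site =="
    audit_nginx_site "$demo_dir/$site.conf"
done
rm -rf "$demo_dir"
```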
53 | 54 | To download, check and run: 55 | ``` 56 | wget -O mempool_subdomain.sh https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/nginx/mempool_subdomain.sh 57 | 58 | cat mempool_subdomain.sh 59 | 60 | bash mempool_subdomain.sh 61 | ``` 62 | 63 | ## Add subdomain for an Electrum Server 64 | 65 | In this example configuration a redirect and SSL encryption are added to a Fulcrum instance. 66 | 67 | To download, check and run: 68 | ``` 69 | wget -O electrum_server_subdomain.sh https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/nginx/electrum_server_subdomain.sh 70 | 71 | cat electrum_server_subdomain.sh 72 | 73 | bash electrum_server_subdomain.sh 74 | ``` 75 | 76 | ## Set up SSL access for the Ride The Lightning web UI on the RaspiBlitz 77 | 78 | Have a look through the script here: [bonus.SSL_for_RTL.sh](bonus.SSL_for_RTL.sh). 79 | 80 | To download, check and run: 81 | ``` 82 | wget -O bonus.SSL_for_RTL.sh https://github.com/openoms/bitcoin-tutorials/raw/master/nginx/bonus.SSL_for_RTL.sh 83 | 84 | cat bonus.SSL_for_RTL.sh 85 | 86 | bash bonus.SSL_for_RTL.sh 87 | ``` 88 | 89 | ## Resources 90 | 91 | * Virtual Hosts on nginx 92 | -------------------------------------------------------------------------------- /nginx/bonus.SSL_for_RTL.sh: -------------------------------------------------------------------------------- 1 | # Script to install nginx and certbot to enable SSL connection for RTL 2 | # To download and run: 3 | # $ wget https://github.com/openoms/bitcoin-tutorials/raw/master/nginx/bonus.SSL_for_RTL.sh && bash bonus.SSL_for_RTL.sh 4 | 5 | # For the certificate to be obtained successfully a dynamic DNS and port forwarding are needed 6 | # Need to forward port 80 to the IP of your RaspiBlitz for certbot 7 | # Forward port 3002 to be able to access RTL from outside of your LAN 8 | 9 | # https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md 10 | 11 | # check for certbot and nginx 12 | if dpkg -l | grep -qw 
"certbot"; then 13 | echo "# certbot is already installed" 14 | else 15 | sudo apt install -y certbot 16 | fi 17 | if dpkg -l | grep -qw "nginx"; then 18 | echo "# nginx is already installed" 19 | else 20 | sudo apt install -y nginx 21 | fi 22 | 23 | echo "" 24 | echo "***" 25 | echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]" 26 | read key 27 | 28 | echo "" 29 | echo "***" 30 | echo "Please type the domain/ddns you have generated the certificate for followed by [ENTER]" 31 | read YOUR_DOMAIN 32 | 33 | echo "" 34 | echo "***" 35 | echo "Type an email address that will be used to register the SSL certificate and press [ENTER]" 36 | read YOUR_EMAIL 37 | 38 | echo "installing Nginx and certbot" 39 | sudo apt-get install -y nginx-full certbot 40 | sudo /etc/init.d/nginx start 41 | 42 | echo "allow port 80 on ufw" 43 | sudo ufw allow 80 44 | 45 | # get SSL cert 46 | sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start" 47 | 48 | echo "" 49 | echo "***" 50 | echo "Setting up certbot-auto renewal service" 51 | echo "***" 52 | echo "" 53 | 54 | sudo rm -f /etc/systemd/system/certbot.timer 55 | echo " 56 | [Unit] 57 | Description=Certbot-auto renewal service 58 | 59 | [Timer] 60 | OnBootSec=20min 61 | OnCalendar=*-*-* 4:00:00 62 | 63 | [Install] 64 | WantedBy=timers.target 65 | " | sudo tee -a /etc/systemd/system/certbot.timer 66 | 67 | sudo rm -f /etc/systemd/system/certbot.service 68 | echo " 69 | [Unit] 70 | Description=Certbot-auto renewal service 71 | After=bitcoind.service 72 | 73 | [Service] 74 | WorkingDirectory=/home/admin/ 75 | ExecStart=sudo certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\" 76 | 77 | User=admin 78 | Group=admin 79 | Type=simple 80 | KillMode=process 81 | TimeoutSec=60 82 | Restart=always 83 | RestartSec=60 84 | " | sudo tee -a /etc/systemd/system/certbot.service 85 | 86 | 
sudo systemctl enable certbot.timer 87 | 88 | echo "Setting up nginx.conf" 89 | echo "***" 90 | echo "" 91 | 92 | isRTL=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'upstream RTL') 93 | if [ ${isRTL} -gt 0 ]; then 94 | echo "RTL is already configured with Nginx. To edit manually run \`sudo nano /etc/nginx/nginx.conf\`" 95 | 96 | elif [ ${isRTL} -eq 0 ]; then 97 | 98 | isStream=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'stream {') 99 | if [ ${isStream} -eq 0 ]; then 100 | 101 | echo " 102 | stream { 103 | upstream RTL { 104 | server 127.0.0.1:3000; 105 | } 106 | server { 107 | listen 3002 ssl; 108 | proxy_pass RTL; 109 | ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem; 110 | ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem; 111 | ssl_session_cache shared:SSL-RTL:1m; 112 | ssl_session_timeout 4h; 113 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 114 | ssl_prefer_server_ciphers on; 115 | } 116 | }" | sudo tee -a /etc/nginx/nginx.conf 117 | 118 | elif [ ${isStream} -eq 1 ]; then 119 | sudo truncate -s-2 /etc/nginx/nginx.conf 120 | echo " 121 | 122 | upstream RTL { 123 | server 127.0.0.1:3000; 124 | } 125 | server { 126 | listen 3002 ssl; 127 | proxy_pass RTL; 128 | ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem; 129 | ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem; 130 | ssl_session_cache shared:SSL:1m; 131 | ssl_session_timeout 4h; 132 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 133 | ssl_prefer_server_ciphers on; 134 | } 135 | }" | sudo tee -a /etc/nginx/nginx.conf 136 | 137 | elif [ ${isStream} -gt 1 ]; then 138 | 139 | echo " Too many \`stream\` commands in nginx.conf. 
Please edit manually: \`sudo nano /etc/nginx/nginx.conf\` and retry" 140 | exit 1 141 | fi 142 | fi 143 | 144 | echo "allow port 3002 on ufw" 145 | sudo ufw allow 3002 146 | 147 | sudo systemctl enable nginx 148 | sudo systemctl restart nginx 149 | 150 | echo "" 151 | echo "Connect to RTL through https on the port 3002 and forward the port on your router to access outside of the LAN" 152 | -------------------------------------------------------------------------------- /nginx/btcpayserver_subdomain.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # WORK IN PROGRESS 4 | # see https://gist.github.com/NicolasDorier/1a7fce6836ee55a7fa2c7f65417b88b5 5 | 6 | # check for certbot and nginx 7 | if dpkg -l | grep -qw "certbot"; then 8 | echo "# certbot is already installed" 9 | else 10 | sudo apt install -y certbot 11 | fi 12 | if dpkg -l | grep -qw "nginx"; then 13 | echo "# nginx is already installed" 14 | else 15 | sudo apt install -y nginx 16 | fi 17 | 18 | echo " 19 | Input your email: 20 | " 21 | read EMAIL 22 | 23 | echo " 24 | Input a subdomain set up with an A record pointing to this server: 25 | eg.: btcpay.example.com 26 | " 27 | read SUBDOMAIN 28 | 29 | echo " 30 | Input the URL to be redirected to: 31 | eg.: https://192.168.1.42:23001 32 | " 33 | read REDIRECT 34 | 35 | sudo certbot certonly -a standalone -m $EMAIL --agree-tos \ 36 | -d $SUBDOMAIN --expand -n --pre-hook "service nginx stop" \ 37 | --post-hook "service nginx start" || exit 1 38 | 39 | # copy in place on a remote machine if needed 40 | #sudo cat /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem 41 | #sudo cat /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem 42 | 43 | # add to /etc/nginx/sites-available/ (nginx variables are escaped with \$ so the shell leaves them alone) 44 | cat <<EOF | sudo tee /etc/nginx/sites-available/${SUBDOMAIN} 45 | # sudo cat /etc/nginx/sites-enabled/${SUBDOMAIN} 46 | server { 47 | listen 80 http2; 48 | listen 443 ssl http2; 49 | server_name ${SUBDOMAIN}; 50 | 51 | ssl_certificate 
/etc/letsencrypt/live/${SUBDOMAIN}/fullchain.pem; 52 | ssl_certificate_key /etc/letsencrypt/live/${SUBDOMAIN}/privkey.pem; 53 | ssl_session_timeout 1d; 54 | ssl_session_cache shared:SSL:50m; 55 | ssl_session_tickets off; 56 | ssl_protocols TLSv1.2 TLSv1.3; 57 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; 58 | ssl_prefer_server_ciphers on; 59 | ssl_stapling on; 60 | ssl_stapling_verify on; 61 | ssl_trusted_certificate /etc/letsencrypt/live/${SUBDOMAIN}/chain.pem; 62 | 63 | location / { 64 | proxy_pass ${REDIRECT}; 65 | 66 | # For websockets (HTTP/1.1 is required for the Upgrade handshake) 67 | proxy_http_version 1.1; 68 | proxy_set_header Upgrade \$http_upgrade; 69 | proxy_set_header Connection \$http_connection; 70 | 71 | # from https://github.com/rootzoll/raspiblitz/blob/v1.9/home.admin/assets/nginx/snippets/ssl-proxy-params.conf 72 | proxy_redirect off; 73 | proxy_set_header Host \$http_host; 74 | proxy_set_header X-Real-IP \$remote_addr; 75 | proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; 76 | proxy_set_header X-Forwarded-Proto https; 77 | 78 | proxy_read_timeout 600; 79 | proxy_connect_timeout 600; 80 | proxy_send_timeout 600; 81 | } 82 | 83 | location /.well-known/lnurlp/openoms { 84 | add_header 'Access-Control-Allow-Origin' '*'; 85 | 86 | proxy_pass ${REDIRECT}; 87 | 88 | proxy_redirect off; 89 | proxy_set_header Host \$http_host; 90 | proxy_set_header X-Real-IP \$remote_addr; 91 | proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; 92 | proxy_set_header X-Forwarded-Proto https; 93 | 94 | proxy_read_timeout 600; 95 | 
proxy_connect_timeout 600; 95 | proxy_send_timeout 600; 96 | } 97 | } 98 | EOF 99 | 100 | # edit with 101 | # sudo nano /etc/nginx/sites-available/$SUBDOMAIN 102 | 103 | # add to /etc/nginx/sites-enabled/ 104 | sudo ln -s /etc/nginx/sites-available/$SUBDOMAIN /etc/nginx/sites-enabled/ 105 | 106 | sudo nginx -t || exit 1 107 | 108 | sudo systemctl restart nginx 109 | -------------------------------------------------------------------------------- /nginx/custom_website_subdomain.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # check for certbot and nginx 4 | if dpkg -l | grep -qw "certbot"; then 5 | echo "# certbot is already installed" 6 | else 7 | sudo apt install -y certbot 8 | fi 9 | if dpkg -l | grep -qw "nginx"; then 10 | echo "# nginx is already installed" 11 | else 12 | sudo apt install -y nginx 13 | fi 14 | 15 | echo " 16 | Input your email: 17 | " 18 | read EMAIL 19 | 20 | echo " 21 | Input a subdomain set up with an A record pointing to this server: 22 | eg.: mempool.example.com 23 | " 24 | read SUBDOMAIN 25 | 26 | echo " 27 | Input the URL to be redirected to: 28 | eg.: https://192.168.1.42:4081 29 | " 30 | read REDIRECT 31 | 32 | sudo certbot certonly -a standalone -m $EMAIL --agree-tos \ 33 | -d $SUBDOMAIN --expand -n --pre-hook "service nginx stop" \ 34 | --post-hook "service nginx start" || exit 1 35 | 36 | # copy in place on a remote machine if needed 37 | #sudo cat /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem 38 | #sudo cat /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem 39 | 40 | # add to /etc/nginx/sites-available/ 41 | echo "\ 42 | server { 43 | listen 80; 44 | listen 443 ssl; 45 | server_name $SUBDOMAIN; 46 | 47 | ssl_certificate /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem; 48 | ssl_certificate_key /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem; 49 | ssl_session_timeout 1d; 50 | ssl_session_cache shared:SSL:50m; 51 | ssl_session_tickets off; 52 | ssl_protocols TLSv1.2 TLSv1.3; 53 | 
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; 54 | ssl_prefer_server_ciphers on; 55 | ssl_stapling on; 56 | ssl_stapling_verify on; 57 | ssl_trusted_certificate /etc/letsencrypt/live/$SUBDOMAIN/chain.pem; 58 | 59 | location / { 60 | proxy_pass $REDIRECT; 61 | # to allow wss:// connections 62 | proxy_http_version 1.1; 63 | proxy_set_header Upgrade \$http_upgrade; 64 | proxy_set_header Connection \"upgrade\"; 65 | 66 | # from https://github.com/rootzoll/raspiblitz/blob/v1.7/home.admin/assets/nginx/snippets/ssl-proxy-params.conf 67 | proxy_redirect off; 68 | proxy_set_header Host \$http_host; 69 | proxy_set_header X-Real-IP \$remote_addr; 70 | proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; 71 | proxy_set_header X-Forwarded-Proto https; 72 | } 73 | }" | sudo tee /etc/nginx/sites-available/$SUBDOMAIN 74 | 75 | # edit with 76 | # sudo nano /etc/nginx/sites-available/$SUBDOMAIN 77 | 78 | # add to /etc/nginx/sites-enabled/ 79 | sudo ln -s /etc/nginx/sites-available/$SUBDOMAIN /etc/nginx/sites-enabled/ 80 | 81 | sudo nginx -t || exit 1 82 | 83 | sudo systemctl restart nginx 84 | -------------------------------------------------------------------------------- /nginx/electrum_server_subdomain.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # check for certbot and nginx 4 | if dpkg -l | grep -qw "certbot"; then 5 | echo "# certbot is already installed" 6 | else 7 | sudo apt install -y certbot 8 | fi 9 | 
if dpkg -l | grep -qw "nginx"; then 10 | echo "# nginx is already installed" 11 | else 12 | sudo apt install -y nginx 13 | fi 14 | 15 | echo " 16 | Input your email: 17 | " 18 | read EMAIL 19 | 20 | echo " 21 | Input a subdomain set up with an A record pointing to this server: 22 | eg.: electrum.example.com 23 | " 24 | read SUBDOMAIN 25 | 26 | echo " 27 | Input the IP address and TCP port of the Electrum Server to be redirected to: 28 | eg.: 192.168.1.42:50002 29 | " 30 | read REDIRECT 31 | 32 | 33 | sudo certbot certonly -a standalone -m $EMAIL --agree-tos \ 34 | -d $SUBDOMAIN --expand -n --pre-hook "service nginx stop" \ 35 | --post-hook "service nginx start" || exit 1 36 | 37 | 38 | # Setting up the nginx.conf 39 | isConfigured=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'upstream electrum') 40 | if [ ${isConfigured} -gt 0 ]; then 41 | echo "electrum is already configured with Nginx. To edit manually run \`sudo nano /etc/nginx/nginx.conf\`" 42 | 43 | elif [ ${isConfigured} -eq 0 ]; then 44 | 45 | isStream=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'stream {') 46 | if [ ${isStream} -eq 0 ]; then 47 | 48 | echo "\ 49 | stream { 50 | upstream electrum { 51 | server $REDIRECT; 52 | } 53 | server { 54 | listen 50002 ssl; 55 | proxy_pass electrum; 56 | ssl_certificate /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem; 57 | ssl_certificate_key /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem; 58 | ssl_session_cache shared:SSL-electrum:1m; 59 | ssl_session_timeout 4h; 60 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; 61 | ssl_prefer_server_ciphers on; 62 | } 63 | }" | sudo tee -a /etc/nginx/nginx.conf 64 | 65 | elif [ ${isStream} -eq 1 ]; then 66 | sudo truncate -s-2 /etc/nginx/nginx.conf 67 | echo "\ 68 | upstream electrum { 69 | server $REDIRECT; 70 | } 71 | server { 72 | listen 50002 ssl; 73 | proxy_pass electrum; 74 | ssl_certificate /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem; 75 | ssl_certificate_key /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem; 76 | 
ssl_session_cache shared:SSL-electrum:1m; 77 | ssl_session_timeout 4h; 78 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; 79 | ssl_prefer_server_ciphers on; 80 | } 81 | }" | sudo tee -a /etc/nginx/nginx.conf 82 | 83 | elif [ ${isStream} -gt 1 ]; then 84 | echo " Too many 'stream' commands in nginx.conf. Please edit manually: \`sudo nano /etc/nginx/nginx.conf\` and retry" 85 | exit 1 86 | fi 87 | fi 88 | 89 | # test nginx 90 | sudo nginx -t || exit 1 91 | 92 | # restart 93 | sudo systemctl restart nginx 94 | -------------------------------------------------------------------------------- /nginx/https_redirect_to_subdomain.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # check for certbot and nginx 4 | if dpkg -l | grep -qw "certbot"; then 5 | echo "# certbot is already installed" 6 | else 7 | sudo apt install -y certbot 8 | fi 9 | if dpkg -l | grep -qw "nginx"; then 10 | echo "# nginx is already installed" 11 | else 12 | sudo apt install -y nginx 13 | fi 14 | 15 | echo " 16 | Input your email: 17 | " 18 | read EMAIL 19 | 20 | echo " 21 | Input a subdomain set up with an A record pointing to this server: 22 | eg.: tips.diynodes.com 23 | " 24 | read SUBDOMAIN 25 | 26 | echo " 27 | Input the URL where the subdomain should be redirected to: 28 | eg.: https://pay.diynodes.com/apps/otJAn2YiMRKeHnKrsZYQF8VuCJD/pos 29 | " 30 | read REDIRECT 31 | 32 | echo " 33 | Input the host address where the site is served: 34 | eg.: https://192.168.1.42:23001 35 | " 36 | read SERVER 37 | 38 | sudo certbot certonly -a standalone -m $EMAIL --agree-tos \ 39 | -d $SUBDOMAIN --expand -n --pre-hook "service nginx stop" \ 40 | --post-hook "service nginx start" || exit 1 41 | 42 | 43 | echo "\ 44 | server { 45 | listen 80; 46 | listen 443 ssl; 47 | server_name $SUBDOMAIN; 48 | return 301 $REDIRECT; 49 | 50 | ssl_certificate /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem; 51 | ssl_certificate_key 
/etc/letsencrypt/live/$SUBDOMAIN/privkey.pem; 52 | ssl_session_timeout 1d; 53 | ssl_session_cache shared:SSL:50m; 54 | ssl_session_tickets off; 55 | ssl_protocols TLSv1.2 TLSv1.3; 56 | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; 57 | ssl_prefer_server_ciphers on; 58 | ssl_stapling on; 59 | ssl_stapling_verify on; 60 | ssl_trusted_certificate /etc/letsencrypt/live/$SUBDOMAIN/chain.pem; 61 | 62 | location / { 63 | proxy_set_header Host \$host; 64 | proxy_set_header X-Real-IP \$remote_addr; 65 | proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; 66 | proxy_set_header X-Forwarded-Proto \$scheme; 67 | proxy_pass $SERVER; 68 | } 69 | } 70 | " | sudo tee /etc/nginx/sites-available/$SUBDOMAIN 71 | 72 | # edit with 73 | # sudo nano /etc/nginx/sites-available/$SUBDOMAIN 74 | 75 | # add to /etc/nginx/sites-enabled/ 76 | sudo ln -s /etc/nginx/sites-available/$SUBDOMAIN /etc/nginx/sites-enabled/ 77 | 78 | sudo nginx -t || exit 1 79 | 80 | sudo systemctl restart nginx 81 | -------------------------------------------------------------------------------- /nginx/mempool_subdomain.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # check for certbot and nginx 4 | if dpkg -l | grep -qw "certbot"; then 5 | echo "# certbot is already installed" 6 | else 7 | sudo apt install -y certbot 8 | fi 9 | if dpkg -l | grep -qw "nginx"; then 10 | echo "# nginx is already installed" 11 | else 12 | sudo apt install -y nginx 13 | 
fi

echo "
Input your email:"
read EMAIL

echo "
Input a subdomain set up with an A record pointing to this server:
eg.: mempool.example.com"
read SUBDOMAIN

echo "
Input the full mempool URL to be proxied to:
eg.: https://192.168.1.42:4081"
read REDIRECT

echo "
Input the IP only to be proxied to (needed for the API on port 8999):
eg.: 192.168.1.42"
read IP_ONLY

sudo certbot certonly -a standalone -m "$EMAIL" --agree-tos \
  -d "$SUBDOMAIN" --expand -n --pre-hook "service nginx stop" \
  --post-hook "service nginx start" || exit 1

# copy in place if needed
#sudo cat /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem
#sudo cat /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem

echo "\
server {
    listen 80;
    listen 443 ssl;
    # plain HTTP on port 80 serves the same proxied content; there is no redirect to HTTPS
    server_name $SUBDOMAIN;

    ssl_certificate /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suite list (TLS 1.3 suites are not selected by ssl_ciphers); it still allows CBC/SHA1 suites for older clients
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/$SUBDOMAIN/chain.pem;

    location / {
        proxy_pass $REDIRECT;
    }

    # mainnet API
    # the donation endpoints are forwarded to the public mempool.space instance
    location /api/v1/donations {
        resolver 1.1.1.1;
        proxy_pass https://mempool.space;
    }
    location /api/v1/donations/images {
        resolver 1.1.1.1;
        proxy_pass https://mempool.space;
    }
    location /api/v1/ws {
        proxy_pass http://$IP_ONLY:8999/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \"Upgrade\";
    }
    location /api/v1 {
        proxy_pass http://$IP_ONLY:8999/api/v1;
    }
    location /api/ {
        proxy_pass http://$IP_ONLY:8999/api/v1/;
    }
    # mainnet websocket
    location /ws {
        proxy_pass http://$IP_ONLY:8999/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \"Upgrade\";
    }
}" | sudo tee /etc/nginx/sites-available/$SUBDOMAIN

# edit with
# sudo nano /etc/nginx/sites-available/$SUBDOMAIN

sudo ln -s /etc/nginx/sites-available/$SUBDOMAIN /etc/nginx/sites-enabled/

sudo nginx -t || exit 1

sudo systemctl restart nginx
--------------------------------------------------------------------------------
/nginx/nostr-relay.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# check for certbot and nginx
if dpkg -l | grep -qw "certbot"; then
  echo "# certbot is already installed"
else
  sudo apt install -y certbot
fi
if dpkg -l | grep -qw "nginx"; then
  echo "# nginx is already installed"
else
  sudo apt install -y nginx
fi

echo "
Input your email:
"
read EMAIL

echo "
Input a subdomain set up with an A record pointing to this server:
eg.: relay.example.com
"
read SUBDOMAIN

echo "
Input the URL where the server is running:
eg.: http://192.168.1.42:5000
"
read SERVER

echo "
Input the path of the relay after the IP address or domain:
eg.: /nostrrelay/nNZ59JFH
"
read RELAY

sudo certbot certonly -a standalone -m "$EMAIL" --agree-tos \
  -d "$SUBDOMAIN" --expand -n --pre-hook "service nginx stop" \
  --post-hook "service nginx start" || exit 1

# copy in place on a remote machine if needed
#sudo cat /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem
#sudo cat /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem

# add to /etc/nginx/sites-available/
echo "\
server {
    listen 80;
    listen 443 ssl;
    # plain HTTP on port 80 serves the same proxied relay; there is no redirect to HTTPS
    server_name $SUBDOMAIN;

    ssl_certificate /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suite list (TLS 1.3 suites are not selected by ssl_ciphers); it still allows CBC/SHA1 suites for older clients
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/$SUBDOMAIN/chain.pem;

    location / {
        proxy_pass ${SERVER}${RELAY};

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;   # Upgrade header for WebSocket
        proxy_set_header Connection \"upgrade\";   # Connection header for WebSocket

        # Additional headers
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # hardcoded, so it is also sent for requests that arrived on port 80

        # Disable proxy redirects
        proxy_redirect off;
    }
}" | sudo tee /etc/nginx/sites-available/$SUBDOMAIN

# edit with
# sudo nano /etc/nginx/sites-available/$SUBDOMAIN

# add to /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$SUBDOMAIN /etc/nginx/sites-enabled/

sudo nginx -t || exit 1

sudo systemctl restart nginx
--------------------------------------------------------------------------------
/nginx/nostr_lnaddress_snippets.conf:
--------------------------------------------------------------------------------
# nginx snippets for NIP-05, LNaddress and LNURLpay
# $PREFIX_BTCPAY_PORT is a placeholder for the BTCPay Server address (scheme://host:port), not an nginx variable

# for NIP-05 fill in the file /var/www/html/.well-known/nostr.json
location /.well-known/nostr.json {
    add_header 'Access-Control-Allow-Origin' '*';
    alias /var/www/html/.well-known/nostr.json;
}

# for the LN address fill in the PREFIX_BTCPAY_PORT
location /.well-known/lnurlp {
    proxy_pass $PREFIX_BTCPAY_PORT;
    proxy_redirect off;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_read_timeout 600;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
}

# for the LNURLpay callback fill in the PREFIX_BTCPAY_PORT
location /BTC/UILNURL/pay/i {
    add_header 'Access-Control-Allow-Origin' '*';
    proxy_pass $PREFIX_BTCPAY_PORT;
    proxy_redirect off;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_read_timeout 600;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
}
--------------------------------------------------------------------------------
/nokyc/README.md:
--------------------------------------------------------------------------------
# Run the nokyc scripts every 10 minutes in a tmux window

Based on:
* https://github.com/j4imefoo/nokyc
* https://github.com/tmuxinator/tmuxinator

## Install
```
sudo apt-get install -y git tor tmux rubygems

cd
git clone https://github.com/openoms/nokyc
cd nokyc
pip install -r requirements.txt

# create nokycconfig.ini
cat << EOF > nokyc/nokycconfig.ini
[DEFAULT]
# Local port where tor is running. 9050 for tor daemon, 9150 for tor browser
TOR_PORT = 9050
# Payment methods to avoid. In lower case.
avoid_methods = ["ripple", "litecoin", "ethereum", "cardano", "binance smart chain (bsc)", "amazon fr giftcard"]
EOF

# install https://github.com/tmuxinator/tmuxinator
sudo gem install tmuxinator
sudo wget https://raw.githubusercontent.com/tmuxinator/tmuxinator/master/completion/tmuxinator.bash -O /etc/bash_completion.d/tmuxinator.bash
echo "export EDITOR=$(which nano)" >> ~/.bashrc

# tmuxinator config (the file name must match the project name used with `mux s` below)
mkdir -p ~/.config/tmuxinator
cat << EOF > ~/.config/tmuxinator/nokyc.yml
name: nokyc
root: ~/nokyc/

windows:
  - nokyc:
      layout: even-vertical
      panes:
        - selleur:
          - while true; do ./nokyc.py -f eur -t sell -d 5; sleep 600; done
        - sellgbp:
          - while true; do ./nokyc.py -f gbp -t sell -d 5; sleep 600; done
        - buyeur:
          - while true; do ./nokyc.py -f eur -t buy -d 5; sleep 600; done
EOF
```

## Start
```
bash
mux s nokyc
```
## Exit window
`CTRL+b` -> `&` -> `y`
--------------------------------------------------------------------------------
/nostr/README.md:
--------------------------------------------------------------------------------
## LNaddress and Zap provider (NIP-57 and NIP-05) on a VPS
* [set up ligess](ligess.md)

## LNURLpay over Tor
* https://gist.github.com/openoms/9be181ffba14afcfb458cd3e1d726b5e
--------------------------------------------------------------------------------
/nostr/ligess.md:
--------------------------------------------------------------------------------
# Set up your lightning address and Zap (NIP-57) server with [ligess](https://github.com/Dolu89/ligess)

## Requirements
* an LND node accessible over Tor (a RaspiBlitz environment is assumed here)
* a simple Linux VPS with root access
* a (sub)domain with the A record pointing to the public IP address of the VPS

## Install ligess
*
```
# install nodejs from https://github.com/nodesource/distributions
# (this pipes a remote script into a root shell; download and read it first if that is a concern)
curl -fsSL https://deb.nodesource.com/setup_19.x | sudo bash - &&\
sudo apt-get install -y nodejs
# yarn
sudo npm install --global yarn
sudo yarn config set --home enableTelemetry 0

# create user
sudo adduser --disabled-password --gecos "" ligess
cd /home/ligess || exit 1

sudo -u ligess yarn config set --home enableTelemetry 0

# download ligess
sudo -u ligess git clone https://github.com/dolu89/ligess
cd ligess
sudo -u ligess yarn install

sudo -u ligess cp .env.example .env
```

## Bootstrap the zapper node
* generate a new private key at https://iris.to
* save the hex private key for ligess
* save the hex public key (for NIP-05)
* keep the window open to add the NIP-05 identifier when ready

## Edit the .env config file with your info
*
```
sudo nano /home/ligess/ligess/.env
```
### Fill in the following options
* using Tor to connect to the REST port of an LND node (RaspiBlitz)
```
# choose a username
LIGESS_USERNAME=ligess
# set your domain
LIGESS_DOMAIN=YOUR_DOMAIN.com
# choose a port
PORT=3100
# the Tor SOCKS proxy on the VPS, used to reach the onion address of the node
# (not needed when ligess runs on the same machine as the node)
LIGESS_TOR_PROXY_URL=socks5h://127.0.0.1:9050
LIGESS_LN_BACKEND=LND
# the onion address of the LND REST port
LIGESS_LND_REST=https://YOUR_NODE_ONION_ADDRESS.onion:8080
# hex-encoded macaroon; the invoice macaroon is enough for creating and watching invoices, avoid admin.macaroon
LIGESS_LND_MACAROON=
LIGESS_NOSTR_ZAPPER_PRIVATE_KEY=
```
* a faster and more reliable option is to use your own VPN between the node and the VPS
* set up [Tailscale](https://tailscale.com/download/), [ZeroTier](https://www.zerotier.com/download/) or your own WireGuard config on both
* fill in the config as above, but skip the `LIGESS_TOR_PROXY_URL` and use the VPN address of the node
```
LIGESS_LND_REST=https://YOUR_NODE_VPN_IP:8080
```

## Run the server
* in `tmux` to keep it running after the terminal is closed
```
sudo -u ligess yarn dev
```
* alternatively set up a systemd service so it comes back after the VPS restarts


# NIP-05
## Create a JSON file called nostr.json with your own and the zapper's usernames and hex pubkeys
*
```
sudo nano /var/www/html/.well-known/nostr.json
```
```
{
  "names": {
    "username": "hex_public_key_1",
    "zapper": "hex_public_key_2"
  }
}
```

# SSL config
## Set up SSL for a (sub)domain
* use this script to set up nginx: https://github.com/openoms/bitcoin-tutorials/tree/master/nginx#add-a-custom-subdomain
* consider using [Caddy](https://github.com/caddyserver/caddy) to have a much simpler configuration

## Nginx snippets
* paste these into the `server` block of your nginx config file in `/etc/nginx/sites-enabled/YOURDOMAIN.conf`
* test and restart nginx:
```
sudo nginx -t && sudo systemctl restart nginx
```

### NIP-05
*
```
location /.well-known/nostr.json {
    add_header 'Access-Control-Allow-Origin' '*';
    alias /var/www/html/.well-known/nostr.json;
}
```
### LNaddress and Zap server
*
```
location /.well-known/lnurlp {
    add_header 'Access-Control-Allow-Origin' '*';

    proxy_pass http://127.0.0.1:3100;
    proxy_redirect off;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    proxy_read_timeout 600;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
}
```

## Finish
* add the NIP-05 identifier and lightning address to your nostr profile
* add the NIP-05 identifier to the zapper profile and broadcast its relays publicly
--------------------------------------------------------------------------------
/openbazaar/README.md:
--------------------------------------------------------------------------------
https://openbazaar.zendesk.com/hc/enac-us/articles/115002761352-How-do-I-move-my-OpenBazaar-store-from-one-computer-to-another-

logs are in the store directory/logs/ob.log

monitor on linux:
tail -f ~/.openbazaar/logs/ob.log
--------------------------------------------------------------------------------
/openbazaar/migrate_store_from_linux_desktop.txt:
--------------------------------------------------------------------------------
# on the RaspiBlitz
go run openbazaard.go stop
rm -r /home/admin/.openbazaar

# on the linux desktop:
echo "Type the LAN IP ADDRESS of your RaspiBlitz followed by [ENTER]:"
read RASPIBLITZ_IP
scp -r ~/.openbazaar admin@$RASPIBLITZ_IP:/home/admin/

# To restore your OpenBazaar node only from the backup seed:
root@DietPi:~# go run $GOPATH/src/github.com/OpenBazaar/openbazaar-go/openbazaard.go restore -d /root/.openbazaar -m "word1 word2 word3 word4 word5 word6 word7 word8 word9 word10 word11 word12"
https://openbazaar.zendesk.com/hc/en-us/articles/360002820331-How-do-I-restore-my-OpenBazaar-wallet-from-seed-

# Restore your shop from a backup: copy your existing .openbazaar dir to /root/.openbazaar
fdisk -l
mount /dev/sda1 /mnt/usbdrive
cp -R /mnt/usbdrive/OpenBazaar2.0/* /root/.openbazaar/


# links and paths for DietPi
sudo nano /mnt/dietpi_userdata/openbazaar/config
sudo nano /root/.openbazaar/config
cd /mnt/dietpi_userdata/go/src/github.com/OpenBazaar/openbazaar-go/



root@DietPi:/mnt/dietpi_userdata/go/src/github.com/OpenBazaar/openbazaar-go# go run openbazaard.go -h
Usage:
  openbazaard [OPTIONS]

Application Options:
  -v, --version  Print the version number and exit

Help Options:
  -h, --help     Show this help message

Available commands:
  convert          convert this node to a different coin type
  decryptdatabase  decrypt your database
  encryptdatabase  encrypt your database
  gencerts         Generate certificates
  init             initialize a new repo and exit
  restart          restart the server
  restore          restore user data
  setapicreds      set API credentials
  start            start the OpenBazaar-Server
  status           get the repo status
  stop             shutdown the server and disconnect


--------------------------------------------------------------------------------
/openbazaar/openbazaar_client_to_desktop.sh:
--------------------------------------------------------------------------------
# Install openbazaar client (https://github.com/OpenBazaar/openbazaar-desktop)
# https://freedomnode.com/blog/80/how-to-install-and-configure-new-openbazaar-2-0-on-linux-and-mac-os-x

git clone https://github.com/OpenBazaar/openbazaar-desktop
cd openbazaar-desktop
npm install
npm start

--------------------------------------------------------------------------------
/openbazaar/openbazaar_to_raspiblitz.sh:
--------------------------------------------------------------------------------
# https://www.zokos.com/blog/site/public/2019/01/12/Self-Host%20your%20Own%20OpenBazaar%20Store/
# https://github.com/OpenBazaar/openbazaar-go/blob/master/docs/install-linux.md

sudo apt-get update
sudo apt-get -y upgrade
sudo apt-get install build-essential git -y
export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin
export GOPATH=/usr/local/gocode
export PATH=$PATH:$GOPATH/bin
go get github.com/OpenBazaar/openbazaar-go

cd /usr/local/gocode/src/github.com/OpenBazaar/openbazaar-go

go run openbazaard.go init

# Generating Ed25519 keypair...Done
# 2019/03/09 10:57:29 Initializing OpenBazaar node at /home/admin/.openbazaar
# OpenBazaar repo initialized at /home/admin/.openbazaar

go run openbazaard.go setapicreds
# Enter username:
# Enter a veerrrry strong password:
# Confirm your password:
cd $HOME/.openbazaar

# rebinds every 127.0.0.1 address in the config (the API included) to all interfaces so the
# desktop client can connect over the LAN; the API is then protected only by the setapicreds
# username and password, and the firewall rule below opens the port
sed -i -- 's/127.0.0.1/0.0.0.0/g' config
cd /usr/local/gocode/src/github.com/OpenBazaar/openbazaar-go
sudo ufw allow 4002

go run openbazaard.go start &

-----------------


# https://github.com/OpenBazaar/openbazaar-go/blob/master/docs/install-pi3.md
# https://github.com/OpenBazaar/openbazaar-go
# https://github.com/OpenBazaar/openbazaar-go#usage


sudo mkdir /mnt/hdd/openbazaar
sudo chown -R bitcoin:bitcoin /mnt/hdd/openbazaar
sudo su bitcoin
/home/admin/config.scripts/go.install.sh
go get github.com/OpenBazaar/openbazaar-go
cd $GOPATH/src/github.com/OpenBazaar/openbazaar-go
git checkout v0.13.6

#echo "export GOPATH=/home/admin/go" >> .profile
#echo "export PATH=$PATH:/usr/local/go/bin" >> .profile
source ~/.profile


go run $GOPATH/src/github.com/OpenBazaar/openbazaar-go/openbazaard.go init -d /mnt/hdd/openbazaar -v

go run $GOPATH/src/github.com/OpenBazaar/openbazaar-go/openbazaard.go setapicreds -d /mnt/hdd/openbazaar -v

go run $GOPATH/src/github.com/OpenBazaar/openbazaar-go/openbazaard.go start --tor -d /mnt/hdd/openbazaar -v

# https://api.docs.openbazaar.org/

# same as above: exposes the API on all interfaces, guarded only by the setapicreds credentials
sed -i -- 's/127.0.0.1/0.0.0.0/g' /mnt/hdd/openbazaar/config

sudo ufw allow 4002 comment 'openbazaar'
--------------------------------------------------------------------------------
/proxy/server.js:
--------------------------------------------------------------------------------
/*
# Install dependencies:
npm install express http-proxy-middleware
# Start with the command:
node server.js
*/

const express = require('express');
const { createProxyMiddleware } = require('http-proxy-middleware');

const app = express();

// CORS is handled before the proxy: the preflight (OPTIONS) request is answered
// here and never forwarded, and the headers are set on every /api response.
// '*' lets any website use this proxy; restrict it to your own origin(s) when
// the target is not a public API or the requests carry credentials.
app.use('/api', (req, res, next) => {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
  res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
  if (req.method === 'OPTIONS') {
    return res.sendStatus(204);
  }
  next();
});

app.use('/api', createProxyMiddleware({
  target: 'https://api.staging.galoy.io/graphql', // The target API endpoint
  changeOrigin: true, // rewrite the Host header to the target host
  pathRewrite: {
    '^/api': '', // /api -> https://api.staging.galoy.io/graphql
  },
}));

const PORT = 3000; // The port your proxy server will listen on
app.listen(PORT, () => {
  console.log(`Proxy server is running on http://localhost:${PORT}`);
});
--------------------------------------------------------------------------------
/raspiblitz-custom-install-scripts/README.md:
--------------------------------------------------------------------------------
Raspiblitz custom installs

* default:
```
cat /mnt/hdd/app-data/custom-installs.sh
```
```
#!/bin/bash

# This script runs with sudo rights after an update/recovery from a fresh sd card.
# This is the place to put all the install commands, cronjobs or editing of system configs
# for your personal modifications of RaspiBlitz

# note: use absolute paths if you point to specific files

echo "There are no custom user installs so far."
```
--------------------------------------------------------------------------------
/raspiblitz-custom-install-scripts/custom-installs.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# relative path: only works when run from the directory holding tailscale.sh;
# the README recommends absolute paths here
./tailscale.sh
--------------------------------------------------------------------------------
/raspiblitz-custom-install-scripts/tailscale.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# once tailscale is installed and logged in use this to copy the config to the data disk:
# sudo cp -R /var/lib/tailscale /mnt/hdd/app-data/
# /var/lib/tailscale holds the node's private key (tailscaled.state), so the copy on the
# data disk is a credential: restoring it keeps the same node identity, and anyone with
# the disk has it too

# these commands can be put in the custom-installs.sh
echo "# Install Tailscale"
mv /var/lib/tailscale /var/lib/tailscale.backup
curl -fsSL https://tailscale.com/install.sh | sh
systemctl stop tailscaled
rm -rf /var/lib/tailscale
cp -r /mnt/hdd/app-data/tailscale /var/lib
systemctl start tailscaled
echo "# Tailscale install done"
--------------------------------------------------------------------------------
/raspiblitz.updates/README.md:
--------------------------------------------------------------------------------
## Automated update scripts for the RaspiBlitz and compatible systems

## Bitcoin Core Updates

### [v22.0](/raspiblitz.updates/bitcoincore.update.v22.0.sh)
* To download, check and run in the RaspiBlitz terminal:
```
#download:
wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/raspiblitz.updates/bitcoincore.update.v22.0.sh
#inspect the script:
cat bitcoincore.update.v22.0.sh
#run:
bash bitcoincore.update.v22.0.sh
```

### [v0.21.0](/raspiblitz.updates/bitcoincore.update.v0.21.0.sh)
* On RaspiBlitz v1.6.3 the peers won't be displayed correctly.
Use: `bitcoin-cli getnetworkinfo`
* To download, check and run in the RaspiBlitz terminal:
```
#download:
wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/raspiblitz.updates/bitcoincore.update.v0.21.0.sh
#inspect the script:
cat bitcoincore.update.v0.21.0.sh
#run:
bash bitcoincore.update.v0.21.0.sh
```

### [v0.20.0](/raspiblitz.updates/bitcoincore.update.v0.20.0.sh)
* Not compatible with LND under v0.8.1, use with RaspiBlitz v1.4 or update LND first.
* To download and run with a single line pasted into the RaspiBlitz terminal:
`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/raspiblitz.updates/bitcoincore.update.v0.20.0.sh && bash bitcoincore.update.v0.20.0.sh`

### [v0.19.1](/raspiblitz.updates/bitcoincore.update.v0.19.1.sh)
* Not compatible with LND under v0.8.1, use with RaspiBlitz v1.4 or update LND first.
* To download and run with a single line pasted into the RaspiBlitz terminal:
`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/raspiblitz.updates/bitcoincore.update.v0.19.1.sh && bash bitcoincore.update.v0.19.1.sh`

## LND updates
Find in: [https://github.com/openoms/lightning-node-management](https://github.com/openoms/lightning-node-management/blob/en/hardware/raspiblitz/lnd.updates.md)
--------------------------------------------------------------------------------
/raspiblitz.updates/bitcoincore.update.v0.19.1.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_30_bitcoin.md#installation

# set version (change if update is available)
# https://bitcoincore.org/en/download/
bitcoinVersion="0.19.1"

# needed to check code signing
laanwjPGP="01EA5486DE18A882D4C2684590C8019E36C2E964"

echo "Detecting CPU architecture ..."
isARM=$(uname -m | grep -c 'arm')
isAARCH64=$(uname -m | grep -c 'aarch64')
isX86_64=$(uname -m | grep -c 'x86_64')
isX86_32=$(uname -m | grep -c 'i386\|i486\|i586\|i686\|i786')
if [ ${isARM} -eq 0 ] && [ ${isAARCH64} -eq 0 ] && [ ${isX86_64} -eq 0 ] && [ ${isX86_32} -eq 0 ] ; then
  echo "!!! FAIL !!!"
  echo "Can only build on ARM, aarch64, x86_64 or i386 not on:"
  uname -m
  exit 1
else
  echo "OK running on $(uname -m) architecture." 
fi

echo "Checking if LND is up-to-date..."
# crude version compare: strips the dots and compares the digits as one integer (0.8.1 -> 081)
lndVersion=$(lnd --version | awk '{print $3}' | cut -d'-' -f1 | sed 's/\.//g')
if [ ${lndVersion} -ge 081 ]; then
  echo "LND is up-to-date."
else
  echo ""
  echo "LND is not up-to-date."
  echo "LND < v0.8.1 is incompatible with Bitcoin Core v0.19.0.1 and above"
  echo "Please update LND via the update script found here:"
  echo "https://github.com/openoms/lightning-node-management/tree/master/lnd.updates"
  exit 1
fi

echo ""
echo "*** PREPARING BITCOIN ***"

# prepare directories
sudo rm -rf /home/admin/download 2>/dev/null
sudo -u admin mkdir /home/admin/download 2>/dev/null
cd /home/admin/download

# download, check and import signer key
sudo -u admin wget https://bitcoin.org/laanwj-releases.asc
if [ ! -f "./laanwj-releases.asc" ]
then
  echo "!!! FAIL !!! Download laanwj-releases.asc not success."
  exit 1
fi
gpg ./laanwj-releases.asc
fingerprint=$(gpg ./laanwj-releases.asc 2>/dev/null | grep "${laanwjPGP}" -c)
if [ ${fingerprint} -lt 1 ]; then
  # note: a fingerprint mismatch only warns here; the hard failure is the signature check below
  echo ""
  echo "!!! BUILD WARNING --> Bitcoin PGP author not as expected"
  echo "Should contain laanwjPGP: ${laanwjPGP}"
  echo "PRESS ENTER to TAKE THE RISK if you think all is OK"
  read key
fi
gpg --import ./laanwj-releases.asc

# download signed binary sha256 hash sum file and check
sudo -u admin wget https://bitcoin.org/bin/bitcoin-core-${bitcoinVersion}/SHA256SUMS.asc
verifyResult=$(gpg --verify SHA256SUMS.asc 2>&1)
goodSignature=$(echo ${verifyResult} | grep 'Good signature' -c)
echo "goodSignature(${goodSignature})"
# the last 16 hex chars of the fingerprint are the long key ID that gpg prints in its human-readable output
correctKey=$(echo ${verifyResult} | grep "using RSA key ${laanwjPGP: -16}" -c)
echo "correctKey(${correctKey})"
if [ ${correctKey} -lt 1 ] || [ ${goodSignature} -lt 1 ]; then
  echo ""
  echo "!!! BUILD FAILED --> Bitcoin Core PGP verify not OK / signature(${goodSignature}) verify(${correctKey})"
  exit 1
else
  echo ""
  echo "****************************************"
  echo "OK --> BITCOIN MANIFEST IS CORRECT"
  echo "****************************************"
  echo ""
fi

# get the sha256 value for the corresponding platform from signed hash sum file
if [ ${isARM} -eq 1 ] ; then
  bitcoinOSversion="arm-linux-gnueabihf"
fi
if [ ${isAARCH64} -eq 1 ] ; then
  bitcoinOSversion="aarch64-linux-gnu"
fi
if [ ${isX86_64} -eq 1 ] ; then
  bitcoinOSversion="x86_64-linux-gnu"
fi
if [ ${isX86_32} -eq 1 ] ; then
  bitcoinOSversion="i686-pc-linux-gnu"
fi
# substring match: if more than one manifest line contains the platform string, the comparison below fails closed
bitcoinSHA256=$(grep -i "$bitcoinOSversion" SHA256SUMS.asc | cut -d " " -f1)

echo ""
echo "*** BITCOIN v${bitcoinVersion} for ${bitcoinOSversion} ***"

# download resources
binaryName="bitcoin-${bitcoinVersion}-${bitcoinOSversion}.tar.gz"
sudo -u admin wget https://bitcoin.org/bin/bitcoin-core-${bitcoinVersion}/${binaryName}
if [ ! -f "./${binaryName}" ]
then
  echo "!!! FAIL !!! Download BITCOIN BINARY not success."
  exit 1
fi

# check binary checksum test
binaryChecksum=$(sha256sum ${binaryName} | cut -d " " -f1)
if [ "${binaryChecksum}" != "${bitcoinSHA256}" ]; then
  echo "!!! FAIL !!! Downloaded BITCOIN BINARY not matching SHA256 checksum: ${bitcoinSHA256}"
  exit 1
else
  echo ""
  echo "****************************************"
  echo "OK --> VERIFIED BITCOIN CHECKSUM CORRECT"
  echo "****************************************"
  echo ""
fi

echo "Stopping bitcoind and lnd"
sudo systemctl stop lnd
sudo systemctl stop bitcoind
echo ""

echo "Installing Bitcoin Core v${bitcoinVersion}"
sudo -u admin tar -xvf ${binaryName}
sudo install -m 0755 -o root -g root -t /usr/local/bin/ bitcoin-${bitcoinVersion}/bin/*
sleep 3
installed=$(sudo -u admin bitcoind --version | grep "${bitcoinVersion}" -c)
if [ ${installed} -lt 1 ]; then
  echo ""
  echo "!!! BUILD FAILED --> Was not able to install bitcoind version(${bitcoinVersion})"
  exit 1
fi

sudo systemctl start bitcoind
sleep 2

echo ""
echo "Installed $(sudo -u admin bitcoind --version | grep version)"
echo ""

sudo systemctl start lnd
sleep 10

echo "Unlock lnd with the Password C"
lncli unlock
echo ""

echo "A restart is recommended to bring all services back online. Use: '$ sudo reboot -f'"
echo ""
--------------------------------------------------------------------------------
/raspiblitz.updates/bitcoincore.update.v0.20.0.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_30_bitcoin.md#installation

# set version (change if update is available)
# https://bitcoincore.org/en/download/
bitcoinVersion="0.20.0"

# needed to check code signing
laanwjPGP="01EA5486DE18A882D4C2684590C8019E36C2E964"

echo "Detecting CPU architecture ..."
isARM=$(uname -m | grep -c 'arm')
isAARCH64=$(uname -m | grep -c 'aarch64')
isX86_64=$(uname -m | grep -c 'x86_64')
isX86_32=$(uname -m | grep -c 'i386\|i486\|i586\|i686\|i786')
if [ ${isARM} -eq 0 ] && [ ${isAARCH64} -eq 0 ] && [ ${isX86_64} -eq 0 ] && [ ${isX86_32} -eq 0 ] ; then
  echo "!!! FAIL !!!"
  echo "Can only build on ARM, aarch64, x86_64 or i386 not on:"
  uname -m
  exit 1
else
  echo "OK running on $(uname -m) architecture."
fi

echo "Checking if LND is up-to-date..."
# crude version compare: strips the dots and compares the digits as one integer (0.8.1 -> 081)
lndVersion=$(lnd --version | awk '{print $3}' | cut -d'-' -f1 | sed 's/\.//g')
if [ ${lndVersion} -ge 081 ]; then
  echo "LND is up-to-date."
else
  echo ""
  echo "LND is not up-to-date."
  echo "LND < v0.8.1 is incompatible with Bitcoin Core v0.19.0.1 and above"
  echo "Please update LND via the update script found here:"
  echo "https://github.com/openoms/lightning-node-management/tree/master/lnd.updates"
  exit 1
fi

echo ""
echo "*** PREPARING BITCOIN ***"

# prepare directories
sudo rm -rf /home/admin/download 2>/dev/null
sudo -u admin mkdir /home/admin/download 2>/dev/null
cd /home/admin/download

# download, check and import signer key
sudo -u admin wget https://bitcoin.org/laanwj-releases.asc
if [ ! -f "./laanwj-releases.asc" ]
then
  echo "!!! FAIL !!! Download laanwj-releases.asc not success."
  exit 1
fi
gpg ./laanwj-releases.asc
fingerprint=$(gpg ./laanwj-releases.asc 2>/dev/null | grep "${laanwjPGP}" -c)
if [ ${fingerprint} -lt 1 ]; then
  # note: a fingerprint mismatch only warns here; the hard failure is the signature check below
  echo ""
  echo "!!! BUILD WARNING --> Bitcoin PGP author not as expected"
  echo "Should contain laanwjPGP: ${laanwjPGP}"
  echo "PRESS ENTER to TAKE THE RISK if you think all is OK"
  read key
fi
gpg --import ./laanwj-releases.asc

# download signed binary sha256 hash sum file and check
sudo -u admin wget https://bitcoin.org/bin/bitcoin-core-${bitcoinVersion}/SHA256SUMS.asc
verifyResult=$(gpg --verify SHA256SUMS.asc 2>&1)
goodSignature=$(echo ${verifyResult} | grep 'Good signature' -c)
echo "goodSignature(${goodSignature})"
# the last 16 hex chars of the fingerprint are the long key ID that gpg prints in its human-readable output
correctKey=$(echo ${verifyResult} | grep "using RSA key ${laanwjPGP: -16}" -c)
echo "correctKey(${correctKey})"
if [ ${correctKey} -lt 1 ] || [ ${goodSignature} -lt 1 ]; then
  echo ""
  echo "!!! BUILD FAILED --> PGP Verify not OK / signature(${goodSignature}) verify(${correctKey})"
  exit 1
else
  echo ""
  echo "****************************************"
  echo "OK --> BITCOIN MANIFEST IS CORRECT"
  echo "****************************************"
  echo ""
fi

# get the sha256 value for the corresponding platform from signed hash sum file
if [ ${isARM} -eq 1 ] ; then
  bitcoinOSversion="arm-linux-gnueabihf"
fi
if [ ${isAARCH64} -eq 1 ] ; then
  bitcoinOSversion="aarch64-linux-gnu"
fi
if [ ${isX86_64} -eq 1 ] ; then
  bitcoinOSversion="x86_64-linux-gnu"
fi
if [ ${isX86_32} -eq 1 ] ; then
  bitcoinOSversion="i686-pc-linux-gnu"
fi
# substring match: if more than one manifest line contains the platform string, the comparison below fails closed
bitcoinSHA256=$(grep -i "$bitcoinOSversion" SHA256SUMS.asc | cut -d " " -f1)

echo ""
echo "*** BITCOIN v${bitcoinVersion} for ${bitcoinOSversion} ***"

# download resources
binaryName="bitcoin-${bitcoinVersion}-${bitcoinOSversion}.tar.gz"
sudo -u admin wget https://bitcoin.org/bin/bitcoin-core-${bitcoinVersion}/${binaryName}
if [ ! -f "./${binaryName}" ]
then
  echo "!!! FAIL !!! Download BITCOIN BINARY not success."
  exit 1
fi

# check binary checksum test
binaryChecksum=$(sha256sum ${binaryName} | cut -d " " -f1)
if [ "${binaryChecksum}" != "${bitcoinSHA256}" ]; then
  echo "!!! FAIL !!! Downloaded BITCOIN BINARY not matching SHA256 checksum: ${bitcoinSHA256}"
  exit 1
else
  echo ""
  echo "****************************************"
  echo "OK --> VERIFIED BITCOIN CHECKSUM CORRECT"
  echo "****************************************"
  echo ""
fi

echo "Stopping bitcoind and lnd"
sudo systemctl stop lnd
sudo systemctl stop bitcoind
echo ""

echo "Installing Bitcoin Core v${bitcoinVersion}"
sudo -u admin tar -xvf ${binaryName}
sudo install -m 0755 -o root -g root -t /usr/local/bin/ bitcoin-${bitcoinVersion}/bin/*
sleep 3
installed=$(sudo -u admin bitcoind --version | grep "${bitcoinVersion}" -c)
if [ ${installed} -lt 1 ]; then
  echo ""
  echo "!!! BUILD FAILED --> Was not able to install bitcoind version(${bitcoinVersion})"
  exit 1
fi

sudo systemctl start bitcoind
sleep 2

echo ""
echo "Installed $(sudo -u admin bitcoind --version | grep version)"
echo ""

sudo systemctl start lnd
sleep 10

echo "Unlock lnd with the Password C"
lncli unlock
echo ""

echo "A restart is recommended to bring all services back online.
Use: '$ sudo reboot -f'" 155 | echo "" 156 | -------------------------------------------------------------------------------- /raspiblitz.updates/bitcoincore.update.v0.21.0.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_30_bitcoin.md#installation 4 | 5 | # set version (change if update is available) 6 | # https://bitcoincore.org/en/download/ 7 | bitcoinVersion="0.21.0" 8 | 9 | # needed to check code signing 10 | laanwjPGP="01EA5486DE18A882D4C2684590C8019E36C2E964" 11 | 12 | echo "Detecting CPU architecture ..." 13 | isARM=$(uname -m | grep -c 'arm') 14 | isAARCH64=$(uname -m | grep -c 'aarch64') 15 | isX86_64=$(uname -m | grep -c 'x86_64') 16 | if [ ${isARM} -eq 0 ] && [ ${isAARCH64} -eq 0 ] && [ ${isX86_64} -eq 0 ]; then 17 | echo "!!! FAIL !!!" 18 | echo "Can only build on ARM, aarch64, x86_64 or i386 not on:" 19 | uname -m 20 | exit 1 21 | else 22 | echo "OK running on $(uname -m) architecture." 23 | fi 24 | 25 | echo "Checking if LND is up-to-date..." 26 | lndVersion=$(lnd --version | awk '{print $3}' | cut -d'-' -f1 | sed 's/\.//g') 27 | if [ ${lndVersion} -ge 081 ]; then 28 | echo "LND is up-to-date." 29 | else 30 | echo 31 | echo "LND is not up-to-date." 32 | echo "LND < v0.8.1 is incompatible with Bitcoin Core v0.19.0.1 and above" 33 | echo "Please update LND via the update script found here:" 34 | echo "https://github.com/openoms/lightning-node-management/tree/master/lnd.updates" 35 | exit 1 36 | fi 37 | 38 | echo 39 | echo "*** PREPARING BITCOIN ***" 40 | 41 | # prepare directories 42 | sudo rm -rf /home/admin/download 2>/dev/null 43 | sudo -u admin mkdir /home/admin/download 2>/dev/null 44 | cd /home/admin/download 45 | 46 | # download, check and import signer key 47 | sudo -u admin wget https://bitcoin.org/laanwj-releases.asc 48 | if [ ! -f "./laanwj-releases.asc" ] 49 | then 50 | echo "!!! FAIL !!! 
Download laanwj-releases.asc not success." 51 | exit 1 52 | fi 53 | gpg ./laanwj-releases.asc 54 | fingerprint=$(gpg ./laanwj-releases.asc 2>/dev/null | grep "${laanwjPGP}" -c) 55 | if [ ${fingerprint} -lt 1 ]; then 56 | echo 57 | echo "!!! BUILD WARNING --> Bitcoin PGP author not as expected" 58 | echo "Should contain laanwjPGP: ${laanwjPGP}" 59 | echo "PRESS ENTER to TAKE THE RISK if you think all is OK" 60 | read key 61 | fi 62 | gpg --import ./laanwj-releases.asc 63 | 64 | # download signed binary sha256 hash sum file and check 65 | sudo -u admin wget https://bitcoin.org/bin/bitcoin-core-${bitcoinVersion}/SHA256SUMS.asc 66 | verifyResult=$(gpg --verify SHA256SUMS.asc 2>&1) 67 | goodSignature=$(echo ${verifyResult} | grep 'Good signature' -c) 68 | echo "goodSignature(${goodSignature})" 69 | correctKey=$(echo ${verifyResult} | grep "using RSA key ${laanwjPGP: -16}" -c) 70 | echo "correctKey(${correctKey})" 71 | if [ ${correctKey} -lt 1 ] || [ ${goodSignature} -lt 1 ]; then 72 | echo 73 | echo "!!! 
BUILD FAILED --> PGP Verify not OK / signature(${goodSignature}) verify(${correctKey})" 74 | exit 1 75 | else 76 | echo 77 | echo "****************************************" 78 | echo "OK --> BITCOIN MANIFEST IS CORRECT" 79 | echo "****************************************" 80 | echo 81 | fi 82 | 83 | # get the sha256 value for the corresponding platform from signed hash sum file 84 | if [ ${isARM} -eq 1 ] ; then 85 | bitcoinOSversion="arm-linux-gnueabihf" 86 | fi 87 | if [ ${isAARCH64} -eq 1 ] ; then 88 | bitcoinOSversion="aarch64-linux-gnu" 89 | fi 90 | if [ ${isX86_64} -eq 1 ] ; then 91 | bitcoinOSversion="x86_64-linux-gnu" 92 | fi 93 | bitcoinSHA256=$(grep -i "$bitcoinOSversion" SHA256SUMS.asc | cut -d " " -f1) 94 | 95 | echo 96 | echo "*** BITCOIN v${bitcoinVersion} for ${bitcoinOSversion} ***" 97 | 98 | # download resources 99 | binaryName="bitcoin-${bitcoinVersion}-${bitcoinOSversion}.tar.gz" 100 | sudo -u admin wget https://bitcoin.org/bin/bitcoin-core-${bitcoinVersion}/${binaryName} 101 | if [ ! -f "./${binaryName}" ] 102 | then 103 | echo "!!! FAIL !!! Download BITCOIN BINARY not success." 104 | exit 1 105 | fi 106 | 107 | # check binary checksum test 108 | binaryChecksum=$(sha256sum ${binaryName} | cut -d " " -f1) 109 | if [ "${binaryChecksum}" != "${bitcoinSHA256}" ]; then 110 | echo "!!! FAIL !!! 
Downloaded BITCOIN BINARY not matching SHA256 checksum: ${bitcoinSHA256}" 111 | exit 1 112 | else 113 | echo 114 | echo "****************************************" 115 | echo "OK --> VERIFIED BITCOIN CHECKSUM CORRECT" 116 | echo "****************************************" 117 | echo 118 | fi 119 | 120 | echo "Stopping bitcoind and lnd" 121 | sudo systemctl stop lnd 122 | sudo systemctl stop bitcoind 123 | echo 124 | 125 | echo "Installing Bitcoin Core v${bitcoinVersion}" 126 | sudo -u admin tar -xvf ${binaryName} 127 | sudo install -m 0755 -o root -g root -t /usr/local/bin/ bitcoin-${bitcoinVersion}/bin/* 128 | sleep 3 129 | installed=$(sudo -u admin bitcoind --version | grep "${bitcoinVersion}" -c) 130 | if [ ${installed} -lt 1 ]; then 131 | echo 132 | echo "!!! BUILD FAILED --> Was not able to install bitcoind version(${bitcoinVersion})" 133 | exit 1 134 | fi 135 | 136 | sudo systemctl start bitcoind 137 | sleep 2 138 | 139 | echo 140 | echo "Installed $(sudo -u admin bitcoind --version | grep version)" 141 | echo 142 | 143 | sudo systemctl start lnd 144 | sleep 10 145 | 146 | echo "Unlock lnd with the Password C" 147 | lncli unlock 148 | echo 149 | echo "A restart is recommended to bring all services back online. 
Use: 'restart' or 'sudo shutdown now -r'" 150 | echo 151 | -------------------------------------------------------------------------------- /raspiblitz.updates/bitcoincore.update.v22.0.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # based on https://github.com/Stadicus/guides/blob/master/raspibolt/raspibolt_30_bitcoin.md#installation 4 | 5 | # set version (change if update is available) 6 | # https://bitcoincore.org/en/download/ 7 | bitcoinVersion="22.0" 8 | 9 | # needed to check code signing 10 | # https://github.com/laanwj 11 | laanwjPGP="71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6" 12 | 13 | downloadDir="$(pwd)/download/bitcoin-core-${bitcoinVersion}" 14 | 15 | echo "Detecting CPU architecture ..." 16 | isARM=$(uname -m | grep -c 'arm') 17 | isAARCH64=$(uname -m | grep -c 'aarch64') 18 | isX86_64=$(uname -m | grep -c 'x86_64') 19 | if [ ${isARM} -eq 0 ] && [ ${isAARCH64} -eq 0 ] && [ ${isX86_64} -eq 0 ]; then 20 | echo "!!! FAIL !!!" 21 | echo "Can only build on ARM, aarch64, x86_64 or i386 not on:" 22 | uname -m 23 | exit 1 24 | else 25 | echo "OK running on $(uname -m) architecture." 26 | fi 27 | 28 | echo 29 | echo "*** PREPARING BITCOIN ***" 30 | 31 | # prepare directories 32 | # rm -rf ${downloadDir} 2>/dev/null 33 | mkdir -p ${downloadDir} 2>/dev/null 34 | cd ${downloadDir} 35 | 36 | # download, check and import signer key 37 | if ! gpg --recv-key "71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6" 38 | then 39 | echo "!!! FAIL !!! Couldn't download Wladimir J. 
van der Laan PGP pubkey" 40 | exit 1 41 | fi 42 | 43 | # download signed binary sha256 hash sum file 44 | wget https://bitcoincore.org/bin/bitcoin-core-${bitcoinVersion}/SHA256SUMS -O SHA256SUMS 45 | # note: gpg reports a 'Good signature' for ANY key in the local keyring; the grep for ${laanwjPGP} below is what actually pins the signer 46 | # download signed binary sha256 hash sum file signatures 47 | wget https://bitcoincore.org/bin/bitcoin-core-${bitcoinVersion}/SHA256SUMS.asc -O SHA256SUMS.asc 48 | verifyResult=$(gpg --verify SHA256SUMS.asc 2>&1) 49 | goodSignature=$(echo ${verifyResult} | grep 'Good signature' -c) 50 | echo "goodSignature(${goodSignature})" 51 | correctKey=$(echo ${verifyResult} | grep "${laanwjPGP}" -c) 52 | echo "correctKey(${correctKey})" 53 | if [ ${correctKey} -lt 1 ] || [ ${goodSignature} -lt 1 ]; then 54 | echo 55 | echo "!!! BUILD FAILED --> PGP Verify not OK / signature(${goodSignature}) verify(${correctKey})" 56 | exit 1 57 | else 58 | echo 59 | echo "****************************************" 60 | echo "OK --> BITCOIN MANIFEST IS CORRECT" 61 | echo "****************************************" 62 | echo 63 | fi 64 | 65 | # get the sha256 value for the corresponding platform from signed hash sum file 66 | if [ ${isARM} -eq 1 ] ; then 67 | bitcoinOSversion="arm-linux-gnueabihf" 68 | fi 69 | if [ ${isAARCH64} -eq 1 ] ; then 70 | bitcoinOSversion="aarch64-linux-gnu" 71 | fi 72 | if [ ${isX86_64} -eq 1 ] ; then 73 | bitcoinOSversion="x86_64-linux-gnu" 74 | fi 75 | 76 | echo "*** BITCOIN CORE v${bitcoinVersion} for ${bitcoinOSversion} ***" 77 | # download resources (re-use an archive from a previous run; it is checksummed below either way) 78 | binaryName="bitcoin-${bitcoinVersion}-${bitcoinOSversion}.tar.gz" 79 | if [ ! -f ${binaryName} ];then 80 | wget https://bitcoincore.org/bin/bitcoin-core-${bitcoinVersion}/${binaryName} -O ${binaryName} 81 | else 82 | echo "${binaryName} is already present." 83 | fi 84 | if [ ! -f "./${binaryName}" ] 85 | then 86 | echo "!!! FAIL !!! Could not download the BITCOIN BINARY." 
87 | exit 1 88 | fi 89 | 90 | # check binary checksum test 91 | bitcoinSHA256=$(grep -i "${binaryName}" SHA256SUMS | cut -d " " -f1) 92 | binaryChecksum=$(sha256sum ${binaryName} | cut -d " " -f1) 93 | if [ "${binaryChecksum}" != "${bitcoinSHA256}" ]; then 94 | echo "!!! FAIL !!! Downloaded BITCOIN BINARY not matching SHA256 checksum: ${bitcoinSHA256}" 95 | echo "Press ENTER to remove the file: ${binaryName} or CTRL+C to abort" 96 | read key 97 | rm -f ${binaryName} 98 | exit 1 99 | else 100 | echo 101 | echo "********************************************" 102 | echo "OK --> VERIFIED BITCOIN CORE BINARY CHECKSUM" 103 | echo "********************************************" 104 | echo 105 | fi 106 | 107 | echo "Stopping bitcoind" 108 | sudo systemctl stop bitcoind 109 | echo 110 | 111 | echo "Installing Bitcoin Core v${bitcoinVersion}" 112 | tar -xvf ${binaryName} 113 | sudo install -m 0755 -o root -g root -t /usr/local/bin/ bitcoin-${bitcoinVersion}/bin/* 114 | sleep 3 115 | installed=$(bitcoind --version | grep "${bitcoinVersion}" -c) 116 | if [ ${installed} -lt 1 ]; then 117 | echo 118 | echo "!!! 
BUILD FAILED --> Was not able to install bitcoind version(${bitcoinVersion})" 119 | exit 1 120 | fi 121 | 122 | sudo systemctl start bitcoind 123 | sleep 2 124 | 125 | echo 126 | echo "Installed $(bitcoind --version | grep version)" 127 | echo 128 | -------------------------------------------------------------------------------- /satochip/README.md: -------------------------------------------------------------------------------- 1 | # Get started with Satochip 2 | 3 | What you need to access the wallet stored on the card: 4 | * the smartcard loaded with the Satochip java applet and initialized (this was likely done by the one handing the card to you) 5 | * a smartcard reader (here an ACS ACR39U-N1 PocketMate II USB) 6 | * a computer with a USB port capable of running: 7 | - [TailsOS](https://tails.net/) (can be used offline, but an internet connection is needed to see new transactions and the balance) 8 | - Debian 12 9 | - Windows 10 10 | - other operating systems will likely work but have not been tested 11 | 12 | ## Connect the Satochip Card 13 | * open the Smartcard Reader by turning 14 | 15 | 16 | 17 | 18 | * plug the Card into the Reader with the chip facing up 19 | * connect the Reader to a USB port 20 | * the Reader will start flashing 21 | 22 | 23 | 24 | 25 | * remove other smartcards (like a Yubikey) temporarily 26 | 27 | ## Download and run Sparrow Wallet 28 | 29 | * find the files for your operating system at [sparrowwallet.com/download](https://sparrowwallet.com/download/) 30 | * follow the steps to verify the downloaded binary (signature on the manifest, then the checksum of the file). Once installed, Sparrow Wallet itself can perform this verification for later releases. 
31 | * if you don't have your own server, use a public server you trust, e.g. `electrum.diynodes.com` (a public server learns which addresses you query, so it can link them to your IP) 32 | 33 | ## Import the Satochip wallet to Sparrow Wallet 34 | 35 | * select `New Wallet` 36 | 37 | 38 | 39 | * type a name and `Create Wallet` 40 | 41 | 42 | 43 | * select `Airgapped Hardware Wallet` 44 | 45 | 46 | 47 | * click `Import` next to `Satochip` 48 | 49 | 50 | 51 | * enter the PIN code then click `Import` again 52 | 53 | 54 | 55 | * the details for the default derivation path are shown. Save with `Apply`. 56 | 57 | 58 | 59 | * it is optional to set a password to protect the watch-only wallet file saved on the desktop (the private keys stay on the card; the file only holds public keys and history). 60 | 61 | * select the `Transactions` tab on the left to see the balance and transaction history of the wallet on the card. 62 | 63 | * make sure to wait for `Finished loading` 64 | 65 | 66 | 67 | * in case transactions are missing despite a connected server, try increasing the `Gap limit` in `Settings` -> `Advanced` 68 | 69 | * refer to the Sparrow Wallet documentation to transact using your Satochip: https://sparrowwallet.com/docs/coldcard-wallet.html#sending-bitcoin 70 | 71 | ## Reference: 72 | * find the original Satochip cards at: [satochip.io/product/satochip](https://satochip.io/product/satochip/) 73 | 74 | * for the DIY version see this [gist](https://gist.github.com/openoms/510b2876cab19e15c4190456ea8aad82#file-satochip-javacard-applet-install) 75 | 76 | * the Smartcard Reader pictured: ACS ACR39U-N1 PocketMate II USB Smart Card Reader 77 | * [amazon.co.uk/dp/B0758TS5JR](https://www.amazon.co.uk/dp/B0758TS5JR/) 78 | * [aliexpress.com/item/1005002034557322.html](https://www.aliexpress.com/item/1005002034557322.html) 79 | 80 | * the Card pictured: JCOP Chip Card Dual Interface Chip Magnetic Stripe Java Card J3H145 (no NFC) 81 | * [alibaba.com/product-detail/JCOP-Dual-Interface-Support-RSA4096-ECC_1600070838098.html](https://www.alibaba.com/product-detail/JCOP-Dual-Interface-Support-RSA4096-ECC_1600070838098.html) 82 | 
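The `bitcoincore.update.*.sh` scripts above and `sparrow.update.sh` further down decide whether a release is genuine by grepping gpg's human-readable output for `Good signature` and a key id, and (in the 0.20/0.21 scripts) by substring-matching the platform name in the manifest. The helper below is an added example, not code from the bitcoin-tutorials repository: it parses gpg's machine-readable `--status-fd` output, accepts a signature only from a pinned fingerprint, and looks up the manifest entry by exact filename. The function names, the `verify_release` wrapper and the file names in the usage comment are assumptions of this example; the only real fingerprint it mentions is the one the v22.0 script already pins.

```shell
#!/usr/bin/env bash
# Added example, not part of the bitcoin-tutorials repository.
# Pinned-fingerprint signature check plus exact-filename manifest lookup for
# release downloads such as Bitcoin Core (SHA256SUMS + SHA256SUMS.asc) or
# Sparrow Wallet (sparrow-<ver>-manifest.txt + .asc).
#
# Why not `gpg --verify ... && grep 'Good signature'`?
#  - gpg reports "Good signature" for any key in the local keyring, so a key
#    imported by mistake (or by an attacker) passes unless the signer is pinned.
#  - gpg's human-readable output is not a stable interface; --status-fd is.
#  - `grep -i "$bitcoinOSversion" SHA256SUMS` matches by substring, so a manifest
#    that lists both "...-aarch64-linux-gnu.tar.gz" and
#    "...-aarch64-linux-gnu-debug.tar.gz" can yield the wrong hash.
set -u

# Return 0 only if the gpg --status-fd output in $1 carries a VALIDSIG line whose
# signing-key fingerprint ($3) or primary-key fingerprint (last field) equals the
# pinned fingerprint in $2. Spaces and case in the pinned value are ignored, so the
# spaced form printed on key pages ("71A3 B167 ...") can be pasted as-is.
validsig_matches() {
    local status="$1" want
    want=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
        (toupper($3) == want || toupper($NF) == want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the lower-case SHA256 listed in manifest text $1 for exactly the file
# named $2 ("<hex>  <filename>" lines as written by sha256sum). Exact match on the
# filename field, never a substring match. Returns 1 if the file is not listed.
manifest_sha256() {
    local manifest="$1" file="$2"
    printf '%s\n' "$manifest" | awk -v file="$file" '
        $2 == file && length($1) == 64 { print tolower($1); found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Full check for a downloaded archive: detached signature on the manifest from the
# pinned signer, then the archive's SHA256 against the manifest entry for its name.
# Needs gpg and sha256sum on the PATH. For the clear-signed SHA256SUMS.asc of
# Bitcoin Core <= 0.21 run `gpg --status-fd 1 --verify SHA256SUMS.asc` instead and
# feed its output to validsig_matches and the file's content to manifest_sha256.
verify_release() {
    local manifest_file="$1" sig_file="$2" archive="$3" pinned_fpr="$4"
    local status expected actual
    status=$(gpg --status-fd 1 --verify "$sig_file" "$manifest_file" 2>/dev/null) \
        || { echo "gpg: signature verification failed" >&2; return 1; }
    validsig_matches "$status" "$pinned_fpr" \
        || { echo "signature is not from the pinned key" >&2; return 1; }
    expected=$(manifest_sha256 "$(cat "$manifest_file")" "$(basename "$archive")") \
        || { echo "$(basename "$archive") not listed in manifest" >&2; return 1; }
    actual=$(sha256sum "$archive" | cut -d ' ' -f1)
    [ "$actual" = "$expected" ] \
        || { echo "SHA256 mismatch: got $actual, manifest says $expected" >&2; return 1; }
}

# Usage (file names assumed; the fingerprint is the one the v22.0 script pins):
#   verify_release SHA256SUMS SHA256SUMS.asc bitcoin-22.0-aarch64-linux-gnu.tar.gz \
#       "71A3 B167 3540 5025 D447 E8F2 7481 0B01 2346 C9A6" && echo OK
```

`validsig_matches` accepts either the signing (sub)key or the primary key fingerprint, so a project that signs with a subkey still verifies against the primary fingerprint it publishes; `manifest_sha256` is what the 0.20/0.21 scripts' `grep -i "$bitcoinOSversion"` should have been.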
-------------------------------------------------------------------------------- /satochip/card-and-reader01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/card-and-reader01.png -------------------------------------------------------------------------------- /satochip/card-and-reader02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/card-and-reader02.png -------------------------------------------------------------------------------- /satochip/card-and-reader03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/card-and-reader03.png -------------------------------------------------------------------------------- /satochip/card-and-reader04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/card-and-reader04.png -------------------------------------------------------------------------------- /satochip/load-satochip-to-sparrow01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/load-satochip-to-sparrow01.png -------------------------------------------------------------------------------- /satochip/load-satochip-to-sparrow02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/load-satochip-to-sparrow02.png 
-------------------------------------------------------------------------------- /satochip/load-satochip-to-sparrow03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/load-satochip-to-sparrow03.png -------------------------------------------------------------------------------- /satochip/load-satochip-to-sparrow04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/load-satochip-to-sparrow04.png -------------------------------------------------------------------------------- /satochip/load-satochip-to-sparrow05.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/load-satochip-to-sparrow05.png -------------------------------------------------------------------------------- /satochip/load-satochip-to-sparrow06.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/load-satochip-to-sparrow06.png -------------------------------------------------------------------------------- /satochip/load-satochip-to-sparrow07.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/openoms/bitcoin-tutorials/8c1bf7f2ed59115014b543b67bc8e7a5506156c0/satochip/load-satochip-to-sparrow07.png -------------------------------------------------------------------------------- /sparrowwallet/sparrow.update.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | VERSION='1.8.4' 4 | 5 | cd Downloads 6 | 7 | wget -O 
sparrow_${VERSION}-1_amd64.deb https://github.com/sparrowwallet/sparrow/releases/download/${VERSION}/sparrow_${VERSION}-1_amd64.deb || exit 1 8 | wget -O sparrow-${VERSION}-manifest.txt https://github.com/sparrowwallet/sparrow/releases/download/${VERSION}/sparrow-${VERSION}-manifest.txt || exit 1 9 | wget -O sparrow-${VERSION}-manifest.txt.asc https://github.com/sparrowwallet/sparrow/releases/download/${VERSION}/sparrow-${VERSION}-manifest.txt.asc || exit 1 10 | 11 | # a good signature from ANY key in the local keyring passes this check: import only the Sparrow release signing key, or compare the fingerprint gpg prints with the one the project publishes 12 | gpg --verify sparrow-${VERSION}-manifest.txt.asc sparrow-${VERSION}-manifest.txt || exit 1 13 | sha256sum -c sparrow-${VERSION}-manifest.txt --ignore-missing || exit 1 14 | 15 | sudo dpkg -i sparrow_${VERSION}-1_amd64.deb || exit 1 16 | 17 | exit 0 18 | -------------------------------------------------------------------------------- /ssh_tunnel.md: -------------------------------------------------------------------------------- 1 | # Forward ports with a reverse SSH tunnel 2 | 3 | ## Advantages: 4 | * no port forwarding needed on the LAN of the host 5 | * encrypted connection 6 | * hides the IP of the host from the public (the VPS operator still sees it) 7 | 8 | ## Requirements: 9 | * a Virtual Private Server (VPS) - eg. a minimal package on Lunanode for ~3.5$/month 10 | * root access on the VPS - only root can bind the privileged ports below 1024 (80, 443) 11 | * ssh access to the host computer (where the ports will be forwarded from) 12 | 13 | ## On the host computer 14 | * login as root or run: 15 | `$ sudo su -` 16 | 17 | * Check for an existing ssh public key: 18 | `# cat ./.ssh/*.pub` 19 | 20 | * if there is none, generate one: 21 | `# ssh-keygen -t rsa -b 4096` 22 | * keep pressing [ENTER] to use the default values: 23 | ``` 24 | Generating public/private rsa key pair. 25 | Enter file in which to save the key (/root/.ssh/id_rsa): 26 | Enter passphrase (empty for no passphrase): 27 | Enter same passphrase again: 28 | Your identification has been saved in /root/.ssh/id_rsa. 
29 | Your public key has been saved in /root/.ssh/id_rsa.pub. 30 | The key fingerprint is: 31 | SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx root@hostname 32 | The key's randomart image is: 33 | +---[RSA 4096]----+ 34 | | xxxx | 35 | | xxxxx | 36 | | xxxxx | 37 | | xxxxxx | 38 | | xxxxxxxxx | 39 | | xxxxxxxx | 40 | | xxxxxxxxxx | 41 | | xxxxxxxxxxx | 42 | | xxxxxxxxxx | 43 | +----[SHA256]-----+ 44 | ``` 45 | 46 | * copy the ssh public key over to the VPS (fill in the VPS_IP_ADDRESS). 47 | You will be prompted for the root password of the VPS. 48 | `# ssh-copy-id root@VPS_IP_ADDRESS` 49 | This key now gives the host's root account an unrestricted root shell on the VPS, so a compromise of the host is also a compromise of the VPS. To limit the key to opening tunnels, prefix its line in the VPS's `/root/.ssh/authorized_keys` with `restrict,port-forwarding` (the service below connects with `-N` and needs no shell). 50 | ## Working on the VPS 51 | 52 | * login as root or run: 53 | `$ sudo su -` 54 | 55 | * edit the sshd config: 56 | `# nano /etc/ssh/sshd_config` 57 | 58 | * make sure these entries are active (uncommented, meaning there is no `#` at the beginning of the line). `GatewayPorts yes` makes the `-R` listeners bind on all interfaces of the VPS instead of only `localhost`; `RSAAuthentication` is a protocol-1 option that OpenSSH 7.4 and later ignore with a deprecation warning, so it can be left out on current systems. 59 | You can just paste these at the end of the file: 60 | ``` 61 | RSAAuthentication yes 62 | PubkeyAuthentication yes 63 | GatewayPorts yes 64 | AllowTcpForwarding yes 65 | ClientAliveInterval 60 66 | ``` 67 | CTRL+O, ENTER to save, CTRL+X to exit. 68 | 69 | * check the config with `sshd -t` (no output means it is valid), then restart the sshd service (WARNING: you can lose access at this point if the config is wrong): 70 | `# systemctl restart sshd` 71 | 72 | ## Back to the host computer 73 | 74 | ### Set up a systemd service 75 | 76 | * create the service file: 77 | `# nano /etc/systemd/system/autossh-tunnel.service` 78 | 79 | * Paste the following and fill in the VPS_IP_ADDRESS. 80 | Add or remove ports as required. 
81 | 82 | ``` 83 | [Unit] 84 | Description=AutoSSH tunnel service 85 | After=network.target 86 | 87 | [Service] 88 | User=root 89 | Group=root 90 | Environment="AUTOSSH_GATETIME=0" 91 | ExecStart=/usr/bin/autossh -C -M 0 -v -N -o "ServerAliveInterval=60" -R 9735:localhost:9735 -R 443:localhost:443 -R 80:localhost:80 root@VPS_IP_ADDRESS 92 | StandardOutput=journal 93 | 94 | [Install] 95 | WantedBy=multi-user.target 96 | ``` 97 | * Enable and start the service: 98 | `# systemctl enable autossh-tunnel` 99 | `# systemctl start autossh-tunnel` 100 | 101 | * The port forwarding with a reverse ssh-tunnel is now complete. 102 | You should be able to access the ports/services of the host computer through the IP of the VPS. If the journal shows `Warning: remote port forwarding failed`, the VPS still holds that port from an earlier session; adding `-o "ExitOnForwardFailure=yes"` to the `autossh` command makes ssh exit in that case so autossh reconnects instead of staying up without the forward. 103 | 104 | ## Monitoring 105 | 106 | * Check if there are any errors on the host computer: 107 | `# journalctl -f -n 20 -u autossh-tunnel` 108 | * Look for the lines: 109 | ``` 110 | debug1: Authentication succeeded (publickey). 111 | debug1: Remote connections from LOCALHOST:9735 forwarded to local address localhost:9735 112 | debug1: Remote connections from LOCALHOST:443 forwarded to local address localhost:443 113 | debug1: Remote connections from LOCALHOST:80 forwarded to local address localhost:80 114 | debug1: remote forward success for: listen 9735, connect localhost:9735 115 | debug1: remote forward success for: listen 443, connect localhost:443 116 | debug1: remote forward success for: listen 80, connect localhost:80 117 | debug1: All remote forwarding requests processed 118 | ``` 119 | 120 | * To check if the tunnel is active on the VPS: 121 | `# netstat -tulpn` 122 | 123 | * Look for the lines: 124 | ``` 125 | Active Internet connections (only servers) 126 | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 127 | tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7694/sshd: root 128 | tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 7694/sshd: root 129 | tcp 0 0 0.0.0.0:9735 0.0.0.0:* LISTEN 7694/sshd: root 130 | tcp6 0 0 :::80 :::* LISTEN 
7694/sshd: root 131 | tcp6 0 0 :::443 :::* LISTEN 7694/sshd: root 132 | tcp6 0 0 :::9735 :::* LISTEN 7694/sshd: root 133 | ``` 134 | 135 | ## Resources 136 | 137 | https://github.com/rootzoll/raspiblitz/blob/master/FAQ.md#how-to-setup-port-forwarding-with-a-ssh-tunnel 138 | 139 | https://stadicus.github.io/RaspiBolt/raspibolt_21_security.html#login-with-ssh-keys 140 | -------------------------------------------------------------------------------- /tor/checkHiddenService.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | hidden_service="xxxxxxxxxx.onion" 4 | port=80 5 | if ! torsocks nc -zv ${hidden_service} ${port}; then 6 | echo "restart Tor" 7 | sudo systemctl restart tor@default 8 | fi 9 | -------------------------------------------------------------------------------- /tor/crontab.sh: -------------------------------------------------------------------------------- 1 | if ! crontab -u admin -l | grep checkHiddenService; then 2 | cronjob="0,15,30,45 * * * * /home/admin/checkHiddenService" 3 | ( 4 | crontab -u admin -l 5 | echo "$cronjob" 6 | ) | crontab -u admin - 7 | fi 8 | echo "# The crontab for admin now is:" 9 | crontab -u admin -l 10 | echo 11 | -------------------------------------------------------------------------------- /tor2IP_tunnel_443.md: -------------------------------------------------------------------------------- 1 | # Tor-to-IP tunnel service for HTTPS 2 | 3 | Use the public IP address of a Virtual Private Server (VPS) to make Tor Hidden Services reachable on the clearnet. 4 | 5 | ## Advantages: 6 | * hides the IP of the host from the public and from the VPS 7 | * no port forwarding needed on the LAN of the host 8 | * additional encryption by Tor between the host and the VPS 9 | 10 | ## Requirements: 11 | * SSH access to a Virtual Private Server (VPS) - eg. 
a minimal package on Lunanode for ~3.5$/month 12 | * Example Lightning Payable VPS services: 13 | * [host4coins.net](https://host4coins.net) 14 | * [bitclouds.sh](https://bitclouds.sh/) or [lntxbot](https://t.me/lntxbot) `/bitclouds` 15 | * Note that only the root user can bind the privileged ports below 1024 (such as 80 and 443). 16 | * Tor should not be the only encryption layer: the `socat` process on the VPS sees the traffic in the clear, exactly as a client on the node's `localhost` would, so only expose services that encrypt themselves (such as HTTPS). 17 | * Always check the terms and rules of the VPS provider to avoid bans, and don't cause them trouble, so that these services stay available. 18 | 19 | ## On the VPS 20 | 21 | * Login with ssh to the `root` user 22 | `ssh root@VPS_IP_ADDRESS` 23 | * Install `tor` (leave on default settings) and `socat` 24 | `# apt install tor socat` 25 | 26 | ### Set up a systemd service 27 | 28 | * make a separate process for every connected Hidden Service to avoid restarting every connection when a service is added or removed. 29 | Suggested naming: put the VPS_PORT used on the VPS into the service name, e.g. `tor2ip443` 30 | 31 | * create the service file: 32 | `# nano /etc/systemd/system/tor2ip443.service` 33 | * Paste the following and fill in: 34 | * the `VPS_PORT` you want to use (facing the public) - in this example: 443. 
35 | * the `TOR_HIDDEN_SERVICE_ADDRESS.onion` 36 | * generate the address on the node with: 37 | * `config.scripts/internet.hidden.service.sh HTTPS 443 443` 38 | * this will expose the local port `443` on the `.onion:443` 39 | * The `TOR_PORT` the Hidden Service is using - in this example: 443 40 | 41 | ``` 42 | [Unit] 43 | Description=Tor2IP Tunnel Service 44 | After=network.target 45 | 46 | [Service] 47 | User=root 48 | Group=root 49 | ExecStart=/usr/bin/socat TCP4-LISTEN:443,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:443,socksport=9050 50 | StandardOutput=journal 51 | 52 | [Install] 53 | WantedBy=multi-user.target 54 | ``` 55 | * Enable and start the service: 56 | `# systemctl enable tor2ip443` 57 | `# systemctl start tor2ip443` 58 | 59 | Setting up this Tor-to-IP tunnel service is now complete. You can carry on adding other services using different ports on the VPS. 60 | You should be able to access the ports/services of the host computer through: VPS_IP_ADDRESS:VPS_PORT. 
61 | To connect to the HTTPS website served from the node in the example: 62 | `https://VPS_IP_ADDRESS` 63 | 64 | ## Monitoring on the VPS 65 | 66 | * To check if tunnel is active on the VPS: 67 | `# netstat -tulpn` 68 | 69 | * Look for the lines: 70 | ``` 71 | Active Internet connections (only servers) 72 | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 73 | 74 | tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 13684/socat 75 | ``` 76 | 77 | * Monitor the service with: 78 | `# systemctl status tor2ip443` 79 | ``` 80 | ● tor2ip443.service - Tor2IP Tunnel Service 81 | Loaded: loaded (/etc/systemd/system/tor2ip443.service; enabled; vendor preset: enabled) 82 | Active: active (running) since Sun 2020-04-05 14:58:43 BST; 2min 23s ago 83 | Main PID: 13684 (socat) 84 | Tasks: 1 (limit: 1078) 85 | Memory: 540.0K 86 | CGroup: /system.slice/tor2ip443.service 87 | └─13684 /usr/bin/socat TCP4-LISTEN:443,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:443,socksport=9050 88 | 89 | Apr 05 14:58:43 VPS_hostname systemd[1]: Started Tor2IP Tunnel Service. 90 | ``` 91 | 92 | ## Resources 93 | 94 | * `socat` manpage: 95 | * Thanks to [@emzy](https://twitter.com/emzy) for the original `socat` syntax. 96 | * Produced at the [#LightningHackSprint](https://wiki.fulmo.org/index.php?title=Lightning_HackSprint). 97 | -------------------------------------------------------------------------------- /tor2IP_tunnel_80.md: -------------------------------------------------------------------------------- 1 | # Tor-to-IP tunnel service for HTTP 2 | 3 | Use the public IP address of a Virtual Private Server (VPS) to make Tor Hidden Services reachable on the clearnet. 4 | 5 | ## Advantages: 6 | * hides the IP of the host from the public and from the VPS 7 | * no port forwarding needed on the LAN of the host 8 | * additional encryption by Tor between the host and the VPS 9 | 10 | ## Requirements: 11 | * SSH access to a Virtual Private Server (VPS) - eg. 
a minimal package on Lunanode for ~3.5$/month
* Example Lightning Payable VPS services:
  * [host4coins.net](https://host4coins.net)
  * [bitclouds.sh](https://bitclouds.sh/) or [lntxbot](https://t.me/lntxbot) `/bitclouds`
* Note that only the root user (or a process granted `CAP_NET_BIND_SERVICE`) can listen on ports below 1024.
* Tor should not be the only encryption layer of the service: Tor only encrypts the hop between the host and the VPS. Between the VPS and the public the traffic is as exposed as it would be on the `localhost` of the VPS, so plain HTTP on port 80 is readable by the VPS provider and by anyone on the path.
* Always check the terms and rules of the VPS provider to avoid bans and don't do anything causing them trouble to keep these services going.

## On the VPS

* Login with ssh to the `root` user
  `ssh root@VPS_IP_ADDRESS`
* Install `tor` (leave on default settings) and `socat`
  `# apt install tor socat`

### Set up a systemd service

* make a separate process for every connected Hidden Service to avoid restarting every connection when a service is added or removed.
  Suggestion for naming the service is to put the VPS_PORT used on the VPS into the name: `tor2ip<VPS_PORT>`

* create the service file:
  `# nano /etc/systemd/system/tor2ip80.service`
* Paste the following and fill in:
  * the `VPS_PORT` you want to use (facing the public) - in this example: 80.
  * the `TOR_HIDDEN_SERVICE_ADDRESS.onion`
    * generate the address with:
      * `config.scripts/internet.hidden.service.sh HTTPS 80 80`
      * this will expose the local port `80` on the `.onion:80`
  * The `TOR_PORT` the Hidden Service is using - in this example: 80

```
[Unit]
Description=Tor2IP Tunnel Service
After=network.target

[Service]
User=root
Group=root
ExecStart=/usr/bin/socat TCP4-LISTEN:80,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:80,socksport=9050
StandardOutput=journal

[Install]
WantedBy=multi-user.target
```
* Enable and start the service:
  `# systemctl enable tor2ip80`
  `# systemctl start tor2ip80`

Setting up this Tor-to-IP tunnel service is now complete. You can carry on adding other services using different ports on the VPS.
You should be able to access the ports/services of the host computer through: VPS_IP_ADDRESS:VPS_PORT.
To connect to the HTTP website served from the node in the example:
`http://VPS_IP_ADDRESS`

## Monitoring on the VPS

* To check if the tunnel is active on the VPS:
  `# netstat -tulpn` (`netstat` comes from the `net-tools` package; `ss -tulpn` shows the same without it)

* Look for the lines:
```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      13684/socat
```

* Monitor the service with:
  `# systemctl status tor2ip80`
```
● tor2ip80.service - Tor2IP Tunnel Service
   Loaded: loaded (/etc/systemd/system/tor2ip80.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-04-05 14:58:43 BST; 2min 23s ago
 Main PID: 13684 (socat)
    Tasks: 1 (limit: 1078)
   Memory: 540.0K
   CGroup: /system.slice/tor2ip80.service
           └─13684 /usr/bin/socat TCP4-LISTEN:80,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:80,socksport=9050

Apr 05 14:58:43 VPS_hostname systemd[1]: Started Tor2IP Tunnel Service.
```

## Resources

* `socat` manpage:
* Thanks to [@emzy](https://twitter.com/emzy) for the original `socat` syntax.
* Produced at the [#LightningHackSprint](https://wiki.fulmo.org/index.php?title=Lightning_HackSprint).
--------------------------------------------------------------------------------
/tor2ip.grpc.md:
--------------------------------------------------------------------------------
* create the service file:
  `# nano /etc/systemd/system/tor2ip10175.service`
* Paste the following and fill in:
  * the VPS_PORT you want to use (facing the public) - in this example: 10175.
  * the TOR_HIDDEN_SERVICE_ADDRESS.onion
    * get the address with:
      * `sudo cat /mnt/hdd/tor/SERVICE_NAME/hostname`
  * The TOR_PORT the Hidden Service is using - in this example: 10009 (LND's default gRPC port; it has to match the port at the end of the `socat` target below)

```
[Unit]
Description=Tor2IP Tunnel Service
After=network.target

[Service]
User=root
Group=root
ExecStart=/usr/bin/socat TCP4-LISTEN:10175,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:10009,socksport=9050
StandardOutput=journal

[Install]
WantedBy=multi-user.target
```
* Enable and start the service:
  `# systemctl enable tor2ip10175`
  `# systemctl start tor2ip10175`

Setting up this Tor-to-IP tunnel service is now complete. You can carry on adding other services using different ports on the VPS.
You should be able to access the ports/services of the host computer through: VPS_IP_ADDRESS:VPS_PORT.
The gRPC port is now reachable from the whole internet and is protected only by LND's TLS certificate and macaroons, so hand out admin macaroons sparingly. Clients verify the certificate against the address they dial, so add `tlsextraip=VPS_IP_ADDRESS` to `lnd.conf` and renew the certificate before connecting through the VPS.
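The tunnel units in these tor2ip files all have the same shape and differ only in the three values that get pasted in. The following POSIX shell script is an added example, not code from the page or from RaspiBlitz: it renders such a unit from `VPS_PORT`, the onion address and `TOR_PORT`, refuses malformed input (a mistyped port or onion address would otherwise only show up as a tunnel that silently never connects), and runs `socat` as an unprivileged user that is granted only `CAP_NET_BIND_SERVICE` instead of `User=root`. The dedicated `tor2ip` system user, the ordering after `tor.service`, the extra `reuseaddr` option and the hardening directives are assumptions of this example; `DEMO_ONION` is constructed and not a real service.

```shell
#!/bin/sh
# Added example, not code from the page or from RaspiBlitz: render a tor2ip
# systemd unit from the three values the page asks you to paste in, refusing
# malformed input, and run socat as an unprivileged user that is granted only
# CAP_NET_BIND_SERVICE (enough to listen on 80/443) instead of User=root.
# Assumptions: a system user "tor2ip" exists
#   (useradd --system --no-create-home --shell /usr/sbin/nologin tor2ip),
# Tor's SOCKS port is 9050 on localhost (the Debian default), and Tor's unit
# is tor.service. DEMO_ONION below is constructed, not a real service.

DEMO_ONION=abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwd.onion

# A v3 onion address is 56 base32 characters (a-z, 2-7) plus ".onion" and
# always ends in "d": the last byte of the encoded blob is the version, 0x03.
valid_onion_v3() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{55}d\.onion$'
}

# A usable TCP port is an integer in 1..65535.
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The page's naming convention: tor2ip<VPS_PORT>
unit_name() { printf 'tor2ip%s\n' "$1"; }

# render_tor2ip_unit VPS_PORT ONION_ADDRESS TOR_PORT  -> unit file on stdout
render_tor2ip_unit() {
    vps_port=$1 onion=$2 tor_port=$3
    valid_port "$vps_port" || { echo "bad VPS_PORT: $vps_port" >&2; return 1; }
    valid_onion_v3 "$onion" || { echo "bad onion address: $onion" >&2; return 1; }
    valid_port "$tor_port" || { echo "bad TOR_PORT: $tor_port" >&2; return 1; }
    cat <<EOF
[Unit]
Description=Tor2IP Tunnel Service (public :${vps_port} -> ${onion}:${tor_port})
After=network.target tor.service
Wants=tor.service

[Service]
User=tor2ip
Group=tor2ip
# bind ports below 1024 without being root; nothing else is needed
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ExecStart=/usr/bin/socat TCP4-LISTEN:${vps_port},bind=0.0.0.0,fork,reuseaddr SOCKS4A:localhost:${onion}:${tor_port},socksport=9050
Restart=on-failure
RestartSec=5
StandardOutput=journal

[Install]
WantedBy=multi-user.target
EOF
}

# On the VPS, as root:
#   render_tor2ip_unit 443 "$ONION" 443 > "/etc/systemd/system/$(unit_name 443).service"
#   systemctl daemon-reload && systemctl enable --now "$(unit_name 443)"
# Here the unit for the page's gRPC example is only printed:
render_tor2ip_unit 10175 "$DEMO_ONION" 10009
```

`socat` only needs to open a listening socket and talk to Tor's SOCKS port, so the unit takes away everything else: the bounding set leaves it with the single capability, `NoNewPrivileges` blocks escalation through setuid binaries, and `ProtectSystem=strict` makes the filesystem read-only for it.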
--------------------------------------------------------------------------------
/tor2ip.rest.md:
--------------------------------------------------------------------------------
* create the service file:
  `# nano /etc/systemd/system/tor2ip8175.service`
* Paste the following and fill in:
  * the VPS_PORT you want to use (facing the public) - in this example: 8175.
  * the TOR_HIDDEN_SERVICE_ADDRESS.onion
    * get the address with:
      * `sudo cat /mnt/hdd/tor/SERVICE_NAME/hostname`
  * The TOR_PORT the Hidden Service is using - in this example: 8080 (LND's default REST port)

```
[Unit]
Description=Tor2IP Tunnel Service
After=network.target

[Service]
User=root
Group=root
ExecStart=/usr/bin/socat TCP4-LISTEN:8175,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:8080,socksport=9050
StandardOutput=journal

[Install]
WantedBy=multi-user.target
```
* Enable and start the service:
  `# systemctl enable tor2ip8175`
  `# systemctl start tor2ip8175`

Setting up this Tor-to-IP tunnel service is now complete. You can carry on adding other services using different ports on the VPS.
You should be able to access the ports/services of the host computer through: VPS_IP_ADDRESS:VPS_PORT.
The REST port is public once tunnelled and is protected only by LND's TLS certificate and macaroons; clients only accept the certificate if the VPS IP is in it, so add `tlsextraip=VPS_IP_ADDRESS` to `lnd.conf` and renew the certificate before connecting through the VPS.
--------------------------------------------------------------------------------
/tor2ip_tunnel.md:
--------------------------------------------------------------------------------
# Tor-to-IP tunnel service

Use the public IP address of a Virtual Private Server (VPS) to make Tor Hidden Services reachable on the clearnet.

## Advantages:
* hides the IP of the host from the public and from the VPS
* no port forwarding needed on the LAN of the host
* additional encryption by Tor between the host and the VPS

## Requirements:
* SSH access to a Virtual Private Server (VPS) - eg.
a minimal package on Lunanode for ~3.5$/month
* Example Lightning Payable VPS services:
  * [host4coins.net](https://host4coins.net)
* Note that only the root user (or a process granted `CAP_NET_BIND_SERVICE`) can listen on ports below 1024.
* Tor should not be the only encryption layer of the service: Tor only encrypts the hop between the host and the VPS, while between the VPS and the public the traffic is as exposed as it would be on the `localhost` of the VPS. The Lightning peer protocol on port 9735 is encrypted end to end by the nodes themselves, so it is fine to tunnel this way.
* Always check the terms and rules of the VPS provider to avoid bans and don't do anything causing them trouble to keep these services going.

## On the VPS

* Login with ssh to the `root` user
  `ssh root@VPS_IP_ADDRESS`
* Install `tor` (leave on default settings) and `socat`
  `# apt install tor socat`

### Set up a systemd service

* make a separate process for every connected Hidden Service to avoid restarting every connection when a service is added or removed.
  Suggestion for naming the service is to put the VPS_PORT used on the VPS into the name: `tor2ip<VPS_PORT>`

* create the service file:
  `# nano /etc/systemd/system/tor2ip9236.service`
* Paste the following and fill in:
  * the VPS_PORT you want to use (facing the public) - in this example: 9236.
  * the TOR_HIDDEN_SERVICE_ADDRESS.onion
    * get the address with:
      * `lncli getinfo` for LND port 9735 (listed under `uris`)
      * `sudo cat /mnt/hdd/tor/SERVICE_NAME/hostname`
  * The TOR_PORT the Hidden Service is using - in this example: 9735

```
[Unit]
Description=Tor2IP Tunnel Service
After=network.target

[Service]
User=root
Group=root
ExecStart=/usr/bin/socat TCP4-LISTEN:9236,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:9735,socksport=9050
StandardOutput=journal

[Install]
WantedBy=multi-user.target
```
* Enable and start the service:
  `# systemctl enable tor2ip9236`
  `# systemctl start tor2ip9236`

Setting up this Tor-to-IP tunnel service is now complete.
You can carry on adding other services using different ports on the VPS.
You should be able to access the ports/services of the host computer through: VPS_IP_ADDRESS:VPS_PORT.
To connect to LND in the example:
`lncli connect NODE_PUBLIC_KEY@VPS_IP_ADDRESS:9236`

## Monitoring on the VPS

* To check if the tunnel is active on the VPS:
  `# netstat -tulpn` (`netstat` comes from the `net-tools` package; `ss -tulpn` shows the same without it)

* Look for the lines:
```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        0      0 0.0.0.0:9236            0.0.0.0:*               LISTEN      13684/socat
```

* Monitor the service with:
  `# systemctl status tor2ip9236`

```
● tor2ip9236.service - Tor2IP Tunnel Service
   Loaded: loaded (/etc/systemd/system/tor2ip9236.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-04-05 14:58:43 BST; 2min 23s ago
 Main PID: 13684 (socat)
    Tasks: 1 (limit: 1078)
   Memory: 540.0K
   CGroup: /system.slice/tor2ip9236.service
           └─13684 /usr/bin/socat TCP4-LISTEN:9236,bind=0.0.0.0,fork SOCKS4A:localhost:TOR_HIDDEN_SERVICE_ADDRESS.onion:9735,socksport=9050

Apr 05 14:58:43 VPS_hostname systemd[1]: Started Tor2IP Tunnel Service.
```

## Resources

* `socat` manpage:
* Thanks to [@emzy](https://twitter.com/emzy) for the original `socat` syntax.
* Produced at the [#LightningHackSprint](https://wiki.fulmo.org/index.php?title=Lightning_HackSprint).
--------------------------------------------------------------------------------
/tor_hidden_service_example.md:
--------------------------------------------------------------------------------
## Create a Tor Hidden Service
A simple example of creating and using a Tor Hidden Service.

Using SSH as an example; use any other name to change the directory name.

* Install Tor:
```
sudo apt install tor
```
* Edit the config file:
```
sudo nano /etc/tor/torrc
```
* Create a v3 onion address
  sharing the internal ssh port (22) on the custom port 8080 of the .onion service:
```
HiddenServiceDir /var/lib/tor/ssh/
HiddenServiceVersion 3
HiddenServicePort 8080 127.0.0.1:22
```
* Restart Tor:
```
sudo systemctl restart tor
```
* List the files in the directory
```
$ sudo ls -la /var/lib/tor/ssh/
total 12
drwx------ 1 debian-tor debian-tor 136 Jan 30 07:09 .
drwx------ 1 debian-tor debian-tor 826 Jan 31 00:00 ..
drwx------ 1 debian-tor debian-tor   0 Feb 11  2020 authorized_clients
-rw------- 1 debian-tor debian-tor  63 Jan 30 07:09 hostname
-rwx------ 1 debian-tor debian-tor  64 Feb 11  2020 hs_ed25519_public_key
-rwx------ 1 debian-tor debian-tor  96 Feb 11  2020 hs_ed25519_secret_key
```
* Note the Hidden Service address:
```
sudo cat /var/lib/tor/ssh/hostname
```
* `hs_ed25519_secret_key` is the identity of the service: whoever has it can impersonate the .onion, so back it up like any private key and leave the directory readable by `debian-tor` only (Tor refuses to start a service from a directory with looser permissions).
* For `ssh` over Tor install Tor on your client
  * Linux:
```
sudo apt install tor
```
  * On mobile you can use Termux:
```
pkg install tor
```
    run Tor in a different window:
```
tor
```
    or in the background with:
```
tor &
```
  * See this video for Windows and macOS: https://www.keepitsimplebitcoin.com/how-to-install-tor/

* SSH over Tor
  in a Linux terminal use (set the custom port used for ssh):
```
torsocks ssh -p8080 username@HiddenServiceAddress.onion
```

* If there is a website hos…ted on your .onion service use the [Tor Browser](https://www.torproject.org/) to open the address.
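As an added example (not the page's own script), the steps above and the client-authorization key conversion from the next section as checked shell functions: one renders the `torrc` block for a service, one converts an x25519 PEM key into the unpadded base32 form Tor wants, and two render the `.auth` and `.auth_private` lines. It assumes `openssl` 1.1.0 or newer and GNU coreutils (`base64`, `base32`); coreutils `base64` stands in for `base64pem` from the `basez` package, as both decode the same PEM body. The onion address in the demo is constructed, and the key pair is freshly generated under a temporary directory and deleted afterwards.

```shell
#!/bin/sh
# Added example, not the page's own script: the hidden-service steps above and
# the client-authorization key conversion from the next section as checked
# shell functions. Assumptions: openssl 1.1.0+ (x25519 support) and GNU
# coreutils (base64, base32); coreutils base64 stands in for base64pem from
# the basez package, as both decode the same PEM body. The onion address used
# in the demo is constructed, not a real service.

# Render the torrc block for one v3 onion service.
# hs_torrc_block NAME VIRTUAL_PORT TARGET_HOST:PORT
hs_torrc_block() {
    printf 'HiddenServiceDir /var/lib/tor/%s/\nHiddenServiceVersion 3\nHiddenServicePort %s %s\n' "$1" "$2" "$3"
}

# Strip the PEM armour and return the raw 32-byte key as unpadded base32
# (52 characters), the form Tor expects in .auth and .auth_private files.
# Both the PKCS#8 private key and the SubjectPublicKeyInfo public key end
# with the raw key bytes, so the last 32 bytes of the DER are what we want.
pem_to_tor_base32() {
    grep -v ' KEY-----' | base64 -d | tail -c 32 | base32 | tr -d '='
}

# Generate a client key pair into DIR (k.prv.pem); print "<private> <public>"
# in Tor's base32 form. Returns 1 if openssl cannot make x25519 keys.
gen_client_auth_keys() {
    dir=$1
    openssl genpkey -algorithm x25519 -out "$dir/k.prv.pem" 2>/dev/null || return 1
    prv=$(pem_to_tor_base32 < "$dir/k.prv.pem")
    pub=$(openssl pkey -in "$dir/k.prv.pem" -pubout | pem_to_tor_base32)
    printf '%s %s\n' "$prv" "$pub"
}

# Server side: the one line in /var/lib/tor/<service>/authorized_clients/<client>.auth
auth_file_line() { printf 'descriptor:x25519:%s\n' "$1"; }

# Client side: the one line in <ClientOnionAuthDir>/<name>.auth_private, keyed on
# the 56-character onion address without its ".onion" suffix.
auth_private_line() {
    addr=${1%.onion}
    printf '%s\n' "$addr" | grep -Eq '^[a-z2-7]{56}$' || { echo "bad onion address: $1" >&2; return 1; }
    printf '%s:descriptor:x25519:%s\n' "$addr" "$2"
}

# Demo: writes only under a temporary directory and removes the key material
# afterwards, like the rm -f /tmp/k1.* step on the page.
demo() {
    tmp=$(mktemp -d)
    hs_torrc_block ssh 8080 127.0.0.1:22
    if keys=$(gen_client_auth_keys "$tmp"); then
        prv=${keys% *} pub=${keys#* }
        auth_file_line "$pub"
        auth_private_line abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwd.onion "$prv"
    fi
    rm -rf "$tmp"
}
demo
```

The length check matters: a 32-byte key is exactly 52 base32 characters once the `====` padding is stripped, so anything else means the PEM was not cut correctly and Tor would reject the file.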

## Add client authorization (Optional)
A simple example of requiring an authentication credential in order to connect to the onion service. Without it anyone who learns the address can reach the service; with it Tor encrypts the service descriptor so that only clients holding an authorized key can even find the introduction points.

* Install required packages:
```
sudo apt install basez openssl
```
* Generate key:
```
openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem
```
* Re-format the key into base32, creating the public and private keys:
```
cat /tmp/k1.prv.pem | grep -v " PRIVATE KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.prv.key
openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.pub.key
```
* Note the private key (client):
```
cat /tmp/k1.prv.key
```
* Note the public key (server):
```
cat /tmp/k1.pub.key
```
* Server config:
  * Create .auth file:
```
sudo nano /var/lib/tor/ssh/authorized_clients/alice.auth
```
  * Put the following single line into the .auth file, with the public key noted above:
```
descriptor:x25519:<base32-encoded-public-key>
```
* Client config for (choose one):
  * GUI service (thunderhub):
    * Enter the private key noted above in the Tor Browser when prompted by the [credential window](https://tb-manual.torproject.org/onion-services/).

  * Headless service (ssh):
    * Edit the config file (`/etc/tor/torrc` on the client) and add:
```
ClientOnionAuthDir /var/lib/tor/onion_auth/
```
    * Create .auth_private file:
```
sudo nano /var/lib/tor/onion_auth/bob-ssh.auth_private
```
    * Put the following single line into the .auth_private file, with the private key noted above:
```
<56-char-onion-addr-without-.onion-part>:descriptor:x25519:<base32-encoded-private-key>
```
* Remove keys stored in /tmp:
```
sudo rm -f /tmp/k1.pub.key /tmp/k1.prv.key /tmp/k1.prv.pem
```
* Restart Tor to apply changes (server and client):
```
sudo systemctl restart tor@default
```

#### Notes:

* The SSL stripping attack is not applicable when the traffic does not leave the Tor network, so using a self-hosted Hidden Service in the Tor Browser is not at risk.
* Always make sure that the clearnet site you open in the Tor Browser uses SSL encryption (HTTPS).

#### Sources:

* [Tor Guide - Setup Onion Service](https://community.torproject.org/onion-services/setup/)
* [Tor Guide - Client Authorization](https://community.torproject.org/onion-services/advanced/client-auth/)
* [Mike Tigas bash script](https://gist.github.com/mtigas/9c2386adf65345be34045dace134140b) or [Suphanat Chunhapanya rust script](https://github.com/ppopth/torkeygen)
--------------------------------------------------------------------------------
/wireguard/killswitch.md:
--------------------------------------------------------------------------------
# Forward all traffic through a wireguard VPN

* VPN: https://lnvpn.net/

* How to: https://www.wireguard.com/netns/

* Kill Switch with PostUp and PreDown WG syntax https://www.ivpn.net/knowledgebase/linux/linux-wireguard-kill-switch/

* Simple ufw killswitch from https://www.reddit.com/r/WireGuard/comments/bpmssc/comment/envrhu2
```
another option is to create 2 bash scripts that make use of ufw.

firewall.sh (change tun0 to whatever your wireguard interface is; you can find it with "ifconfig", it probably has "wg" in it somewhere)

sudo ufw reset

sudo ufw default deny incoming

sudo ufw default deny outgoing

sudo ufw allow out on tun0 from any to any

sudo ufw enable

And unfirewall.sh

sudo ufw reset

sudo ufw default deny incoming

sudo ufw default allow outgoing

sudo ufw enable

make them both executable with chmod. then when you want the killswitch on "sudo bash firewall.sh" then you can test it by disconnecting from wireguard and your internet shouldn't be working.

and when you want to turn it off just run unfirewall.sh
```
  Note that the encrypted WireGuard packets themselves leave on the physical interface, not on the tunnel interface, so with `default deny outgoing` they only pass while ufw still tracks the UDP flow to the endpoint as established. After an idle period that conntrack entry expires and the tunnel cannot re-handshake until the firewall is reset. Allow the endpoint explicitly (`sudo ufw allow out to VPN_ENDPOINT_IP port VPN_PORT proto udp`) to avoid this.
--------------------------------------------------------------------------------
/zerotier/README.md:
--------------------------------------------------------------------------------
## Set up the RaspiBlitz for remote connections with ZeroTier

ZeroTier is a VPN service which is an easy option to connect remotely when neither port forwarding nor using Tor is possible (e.g. iOS on a remote network)

The drawback is that it requires installing a trusted (open-source) package which gives access to your private network.

Steps to install:

* Create a my.zerotier.com account and a network

  * Go to https://my.zerotier.com/login and register.
    Use a STRONG PASSWORD as anyone with your credentials will have access to your private network.

  * Click `Create a network` then record your `Network ID`.
* Install ZeroTier on the RaspiBlitz (more details on https://www.zerotier.com/download.shtml):
```
$ curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import && \
if z=$(curl -s 'https://install.zerotier.com/' | gpg); then echo "$z" | sudo bash; fi
```
  The installer is only handed to `bash` if `gpg` verifies its signature with the key imported in the first line, so do not shortcut this to a plain `curl | sudo bash`.

* Then run:

`$ sudo zerotier-cli join [the network ID you previously recorded]`

* Install ZeroTier on your other devices: iOS, Android, Windows, Mac, Linux, etc. Use the same `network ID` you recorded before.
* Open https://my.zerotier.com `Networks` menu and accept the new devices pending approval.

* On the RaspiBlitz modify the lnd.conf manually:
`$ sudo nano /mnt/hdd/lnd/lnd.conf`

add the line, with the ZeroTier IP of the RaspiBlitz (172.x.x.x on a network with default settings):
```
tlsextraip=172.X
```
CTRL+O and ENTER to save, CTRL+X to exit

Restart LND and unlock:
`$ sudo systemctl restart lnd`
`$ lncli unlock`

* Renew the TLS certificates either from the EXPORT menu or run:
`$ ./config.scripts/lnd.tlscert.sh`

After setting up and activating ZeroTier on my Android phone I successfully tested:
* ZeusLN using the IP 172.x.x.x and port 8080
* RTL from the outside on my 172.x.x.x:3000 address
* Termius to connect with ssh to admin@172.x.x.x
---
* To uninstall run:
```bash
$ sudo systemctl stop zerotier-one
$ sudo apt remove zerotier-one
$ sudo rm -r /var/lib/zerotier-one
```
---

This guide is based on: https://medium.com/@ketominer/using-nodl-remotely-with-zerotier-a9a17cbb48cf

Discussion: https://github.com/rootzoll/raspiblitz/issues/601

--------------------------------------------------------------------------------
/zfs/create-ext4-raspiblitz-disk.md:
--------------------------------------------------------------------------------
```
# a fresh GPT label first (this wipes the disk), then one partition over the whole disk
parted -s /dev/${hdd} mklabel gpt
parted -s /dev/${hdd} mkpart primary ext4 1024KiB 100%
# format the partition, not the whole disk: mkfs on /dev/${hdd} would overwrite the partition table just written
mkfs.ext4 -F -L BLOCKCHAIN /dev/${hdd}1
# for nvme the partition is named /dev/${hdd}p1
# mkfs.ext4 -F -L BLOCKCHAIN /dev/${hdd}p1
tune2fs -c 1 /dev/${hdd}1
```

```
hddDataPartitionExt4=${hdd}1
# loop until the uuids are available
uuid1=""
loopcount=0
while [ ${#uuid1} -eq 0 ]
do
  echo "# waiting until uuid gets available"
  sleep 2
  sync
  uuid1=$(lsblk -o NAME,UUID | grep "${hddDataPartitionExt4}" | awk '$1=$1' | cut -d " " -f 2 | grep "-")
  loopcount=$(($loopcount +1))
  if [ ${loopcount} -gt 10 ]; then
    echo "error='no uuid'"
    exit 1
  fi
done

echo "# mount /mnt/hdd"
mkdir -p /mnt/hdd 1>/dev/null
updated=$(cat /etc/fstab | grep -c "/mnt/hdd")
if [ $updated -eq 0 ]; then
  echo "# updating /etc/fstab"
  sed "/raspiblitz/ i UUID=${uuid1} /mnt/hdd ext4 noexec,defaults 0 2" -i /etc/fstab 1>/dev/null
fi
sync
mount -a 1>/dev/null


# make sure common base directories exist
mkdir -p /mnt/hdd/lnd
mkdir -p /mnt/hdd/app-data

>&2 echo "# Creating EXT4 setup links"
>&2 echo "# opening blockchain into /mnt/hdd"
mkdir -p /mnt/hdd/bitcoin
>&2 echo "# linking blockchain for user bitcoin"
rm /home/bitcoin/.bitcoin 2>/dev/null
ln -s /mnt/hdd/bitcoin /home/bitcoin/.bitcoin
>&2 echo "# linking lnd for user bitcoin"
rm /home/bitcoin/.lnd 2>/dev/null
ln -s /mnt/hdd/lnd /home/bitcoin/.lnd
>&2 echo "# creating default storage & temp folders"
mkdir -p /mnt/hdd/app-storage
mkdir -p /mnt/hdd/temp


# fix ownership of linked files
chown -R bitcoin:bitcoin /mnt/hdd/bitcoin
chown -R bitcoin:bitcoin /mnt/hdd/lnd
chown -R bitcoin:bitcoin /home/bitcoin/.lnd
chown -R bitcoin:bitcoin /home/bitcoin/.bitcoin
chown bitcoin:bitcoin /mnt/hdd/app-storage
chown bitcoin:bitcoin /mnt/hdd/app-data
chown -R bitcoin:bitcoin /mnt/hdd/temp 2>/dev/null
chmod -R 777 /mnt/temp 2>/dev/null
chmod -R 777 /mnt/hdd/temp 2>/dev/null

# write info files about what directories are for

echo "The /mnt/hdd/temp directory is for short-time data and will get cleaned up on every start. Don't work with data here that is bigger than 25GB - because on the BTRFS hdd layout this is its own partition with limited space. Also on the BTRFS hdd layout the temp partition is FAT formatted - so it can be easily mounted on Windows and macOS laptops by just connecting it to them. Use this for easy data export. To import data make sure to work with the data before bootstrap deletes the directory on startup." > ./README.txt
mv ./README.txt /mnt/hdd/temp/README.txt 2>/dev/null

echo "The /mnt/hdd/app-data directory should be used by additional/optional apps and services installed to the RaspiBlitz for their data that should survive an import/export/backup. Data that can be reproduced (indexes, etc.) should be stored in app-storage." > ./README.txt
mv ./README.txt /mnt/hdd/app-data/README.txt 2>/dev/null

echo "The /mnt/hdd/app-storage directory should be used by additional/optional apps and services installed to the RaspiBlitz for their non-critical and reproducible data (indexes, public blockchain, etc.) that does not need to survive an import/export/backup. Data that is critical should be in app-data." > ./README.txt
mv ./README.txt /mnt/hdd/app-storage/README.txt 2>/dev/null

>&2 echo "# OK - all symbolic links are built"
```
--------------------------------------------------------------------------------
/zfs/restore-raspiblitz-zfs-disk.md:
--------------------------------------------------------------------------------
## Import an existing ZFS pool
* https://openzfs.github.io/openzfs-docs/Getting%20Started/Debian/index.html
```
poolname="fourdiskpool"
zpool import -f ${poolname}

# restore the key

# load key and mount
sudo /sbin/zfs load-key -a
sudo /sbin/zfs mount -la

# check
df -h

# automount with cron on reboot
cronjob="@reboot sudo /sbin/zfs load-key -a; sudo /sbin/zfs mount -la"
(
  crontab -u admin -l
  echo "$cronjob"
) | crontab -u admin -
# list the active crontab for admin
crontab -u admin -l

# disable swapfile service

```

## Restore a Raspiblitz ZFS disk
* do this when the pool is already mounted to /mnt/hdd
```
# switch off swapfile
sudo dphys-swapfile swapoff
sudo dphys-swapfile uninstall

# make links and fix permissions
sudo config.scripts/blitz.datadrive.sh link

# run bootstrap again
# sudo /home/admin/_bootstrap.sh
sudo systemctl restart bootstrap.service

# set state and setupPhase
/home/admin/_cache.sh set state waitsetup
/home/admin/_cache.sh set setupPhase recovery

# change the password A
sudo config.scripts/blitz.passwords.sh set a

# run the recovery of the rest of the services (consider in tmux)
sudo /home/admin/_provision_.sh

# monitor in a new terminal
tail -f raspiblitz.log

# fix tor
/home/admin/config.scripts/tor.install.sh enable

# fix python3
sudo rm /usr/lib/python3.*/EXTERNALLY-MANAGED

## mainnet
# switch on bitcoind
config.scripts/bitcoin.install.sh on mainnet

# switch on CLN:
config.scripts/cl.install.sh on mainnet

# switch on LND:
config.scripts/lnd.install.sh on mainnet


## signet
# switch on bitcoind
config.scripts/bitcoin.install.sh on signet

# switch on CLN:
config.scripts/cl.install.sh on signet

# switch on LND:
config.scripts/lnd.install.sh on signet

# reboot to rerun the bootstrap script and synchronise the state with the redis database
restart
```
--------------------------------------------------------------------------------
/zfs/sync-chain.md:
--------------------------------------------------------------------------------
# Snapshot and mount a cloned bitcoin datadir

## Create the snapshot, clone and mount
```
# create snapshot of /mnt/hdd - fourdiskpool/hdd@hdd-snapshot
sudo zfs snap fourdiskpool/hdd@hdd-snapshot
# display snapshots
zfs list -t snap
# clone snapshot (fourdiskpool/hdd/hdd-snapshot-clone)
sudo zfs clone fourdiskpool/hdd@hdd-snapshot fourdiskpool/hdd/hdd-snapshot-clone
# see if mounted
zfs list

# delete lockfile
sudo rm /mnt/hdd/hdd-snapshot-clone/bitcoin/.lock
# delete bitcoin.conf
sudo rm /mnt/hdd/hdd-snapshot-clone/bitcoin/bitcoin.conf
```

## sync an existing snapshot
```
# make sure the source bitcoind is stopped
# it is faster to just create a new snapshot
sudo -u bitcoin rsync -v -r /mnt/hdd/bitcoin/blocks/ /mnt/hdd/hdd-snapshot-clone/bitcoin/blocks/
sudo -u bitcoin rsync -v -r /mnt/hdd/bitcoin/chainstate/ /mnt/hdd/hdd-snapshot-clone/bitcoin/chainstate/
```

## Start bitcoind with the cloned db to test
```
sudo -u bitcoin bitcoind --listen=0 --server=0 --datadir=/mnt/hdd/hdd-snapshot-clone/bitcoin
```

## Remote bitcoin-qt
```
# to use the bitcoin-qt GUI log in as the bitcoin user with password_B (might need to permit it in the ssh settings)
ssh -X bitcoin@raspiblitz_ip

bitcoin-qt --listen=0 --server=0 --datadir=/mnt/hdd/hdd-snapshot-clone/bitcoin
```

## Prepare a Raspiblitz SSD
```
# choose the disk to be prepared
lsblk
# !! careful here to choose the right disk !!
hdd=sdf

# create the filesystem and label
# sudo /home/admin/config.scripts/blitz.datadrive.sh format ext4 /dev/${hdd}

sudo parted -s /dev/${hdd} mklabel gpt
sudo parted -s /dev/${hdd} mkpart primary ext4 1024KiB 100%
sudo mkfs.ext4 -F -L BLOCKCHAIN /dev/${hdd}1

# mount
sudo mount /dev/${hdd}1 /media/usb
sudo mkdir /media/usb/bitcoin
sudo chown -R bitcoin:bitcoin /media/usb/bitcoin

## to delete an old chain
#cd /media/usb/bitcoin/
#sudo rm -r ./chainstate ./blocks ./indexes ./testnet3

# work in tmux
tmux
cd /mnt/hdd/hdd-snapshot-clone/bitcoin/
# use time to compare disks (see below)
time sudo -u bitcoin cp -rv ./chainstate ./blocks ./indexes ./testnet3 /media/usb/bitcoin/

# monitor disk load in a split pane (CTRL+B, ")
sudo iotop

# remove disk
sudo umount /media/usb
```

## OFF
```
zfs list
# destroy the clone filesystem
sudo zfs destroy fourdiskpool/hdd/hdd-snapshot-clone
# destroy the snapshot
sudo zfs destroy fourdiskpool/hdd@hdd-snapshot
zfs list
```

# Measurements
```
WD Blue 1TB
real 49m35.539s
user 0m8.089s
sys 15m20.593s

Samsung 870 QVO 1TB
real 113m42.488s
user 0m8.947s
sys 16m33.474s

Samsung 870 EVO 1TB
real 53m11.247s
user 0m9.899s
sys 17m36.942s
```
--------------------------------------------------------------------------------
/zfs/sync-fulcrum-db.md:
--------------------------------------------------------------------------------
# Snapshot and mount a datadisk

## Create the snapshot, clone and mount
```
# create snapshot of /mnt/hdd - datadisk/hdd@hdd-snapshot
sudo zfs snap datadisk/hdd@hdd-snapshot
# display snapshots
zfs list -t snap
# clone snapshot (datadisk/hdd/hdd-snapshot-clone)
sudo zfs clone datadisk/hdd@hdd-snapshot datadisk/hdd/hdd-snapshot-clone
# see if mounted
zfs list
```


## Copy over the network
### on the remote computer
```
sudo mkdir -p /mnt/hdd/fulcrum_db
sudo chown admin:admin /mnt/hdd/fulcrum_db
```
### on the source computer
```
sudo scp -r /mnt/hdd/hdd-snapshot-clone/app-storage/fulcrum/db admin@$REMOTE_IP:/mnt/hdd/fulcrum_db/
```
### on the remote computer once finished
Stop Fulcrum first so that nothing writes to the directory while it is being swapped.
```
sudo mv /mnt/hdd/app-storage/fulcrum/db /mnt/hdd/app-storage/fulcrum/db-corrupt
sudo mv /mnt/hdd/fulcrum_db/db /mnt/hdd/app-storage/fulcrum/
sudo chown -R fulcrum:fulcrum /mnt/hdd/app-storage/fulcrum/db
sudo rm -rf /mnt/hdd/fulcrum_db
```

## OFF
```
zfs list
# destroy the clone filesystem
sudo zfs destroy datadisk/hdd/hdd-snapshot-clone
# destroy the snapshot
sudo zfs destroy datadisk/hdd@hdd-snapshot
zfs list
```

--------------------------------------------------------------------------------
/zfs/truenasbuild.md:
--------------------------------------------------------------------------------
# TrueNAS CORE server build

Following [Guide to ₿itcoin & Lightning on FreeNAS / TrueNAS from @seth586](https://github.com/seth586/guides/blob/master/FreeNAS/bitcoin/README.md)

[FreeNAS became TrueNAS CORE](https://www.ixsystems.com/blog/freenas-truenas-unification/)

[TrueNAS CORE Docs](https://www.truenas.com/docs/core/)

[CORE Hardware Guide](https://www.truenas.com/docs/core/introduction/corehardwareguide/)


## Hardware

Chose an affordable HP ProLiant ML310e Gen8 v2 microserver

[User Guide](https://content.etilize.com/User-Manual/1028053012.pdf)

up to 32 GB ECC RAM
120GB SSD to boot
6 x 1 TB SSD for storage

### Redundant disks

TrueNAS uses ZFS.
Recommended type: RAID-Z2 (Double parity with variable stripe width)
[ZFS / RAIDZ Capacity Calculator](https://wintelguy.com/zfs-calc.pl)
You can't add drives to a RAIDZ vdev once it is set up (only whole new vdevs can be added to the pool), however you can replace drives with larger drives.
6 drives in RAIDZ2 (more than 50% of additive capacity)
4 drives in RAIDZ2 (less than 50% of additive capacity)

#### Drive connectors:
* 1 can boot from USB (SSD with a USB to SATA adapter)
* 2 x onboard SATA
* 4 x onboard SATA controller -> hotplug cage
* \+ optional SAS card / HBA (2x4 SATA connector=8)

max 6 without SATA card (+ USB)
max 14 (+ USB)

#### Physical drives
* 4 or 8 in hotplug cage
* 6\*2 2.5" or (2\*2 2.5"+ 2\*1 3.5") in 5.25 Optical Bay Drive Slot Case Adapter

max 20 2.5"
or
12 2.5" + 2 3.5"

#### Actual:
* 4 onboard SATA -> 4 2.5" adapter in LFF hotplug cage
* 2 onboard SATA
* 2 from SATA card -> 4 2.5"
* 2 from SATA card -> 2 3.5"

10 disks


#### Mirrored boot drives:

Could benefit from a RAID card:
https://www.truenas.com/community/threads/to-boot-with-usb-or-ssd-or-nvme.83594/post-620199

RAID 1 configurations can tolerate one drive failure. If one physical drive in a RAID 1 configuration fails, the RAID volume is still intact as a degraded RAID 1.

#### Hardware notes
B120i is just software (host-based) RAID
[B120i User guide](http://docshare04.docshare.tips/files/31252/312525081.pdf)

Use the onboard SAS adapter (4 SATA connections) or choose a reputable HBA:
https://www.servethehome.com/buyers-guides/top-hardware-components-freenas-nas-servers/top-picks-freenas-hbas/

In BIOS setup:
System Options > SATA Controller Options > Embedded SATA Configuration > Enable SATA AHCI support
AHCI mode hands the raw disks to ZFS. Do not build the pool on top of B120i RAID volumes: ZFS needs to see and checksum each disk itself.

The embedded storage controller supports SATA drive installation only. For SAS drive installation, install a Smart Array card and a Mini-SAS cable option kit. Optional Smart Array controllers support both SATA and SAS drives.

Beware! The two system fans are custom and cannot be replaced with standard ones. A dead fan will prevent the system from even booting, so get a couple of spares (eBay, AliExpress, etc.) as soon as you have the machine.

TEST:
* does the onboard SATA controller work together with the B120i?
* can the B120i be used to boot?

#### Hardware debug
[POST debug flowchart](https://i.stack.imgur.com/5NtIt.png)
from https://serverfault.com/questions/465883/hp-proliant-dl360-g7-hangs-at-power-and-thermal-calibration-screen

[HP ProLiant Servers Troubleshooting Guide](http://h10032.www1.hp.com/ctg/Manual/c00257512.pdf)

### Redundant power
#### UPS
[APC UPS config](https://www.cyberciti.biz/faq/how-to-install-apc-ups-on-freenas-server/)
#### Dual power supply
Can be connected to 2 UPSes, the second backed by a large battery or a generator

### Redundant network
E.g. broadband + 4G
* router level (1 NIC)
* dual router (2 NICs)
The router and modem need to be connected to the UPS as well.

## Setting up TrueNAS

[Encryption](https://www.truenas.com/docs/core/storage/pools/storageencryption/)
Keys for data-at-rest are managed on the local TrueNAS system. Unless a dataset is protected by a passphrase, the key file is stored on the system itself, so this protects disks that leave the chassis (RMA, resale, theft of a single drive), not a server that is stolen whole. Export the key file after creating the pool and keep a copy off the box; without it the pool is unreadable once the system dataset is lost.

Debian VM:
* set VNC to 800x600:
  https://www.truenas.com/community/threads/debian-vm-display-is-not-clear-with-vnc.88501/post-613065
* fix boot: https://www.truenas.com/community/threads/howto-how-to-boot-linux-vms-using-uefi.54039/
* fix GUI desktop:
  https://www.truenas.com/community/threads/debian-vm-with-gui.90808/post-629025
--------------------------------------------------------------------------------
