diff --git a/ci/README.md b/ci/README.md
index 5bfe494..3ff27a5 100644
--- a/ci/README.md
+++ b/ci/README.md
@@ -1,5 +1,35 @@
 # CI notes
+### FreeBSD
+```
+
+# attach shared to the jail eg to /media
+
+pkg install -y gh
+git clone https://github.com/openoms/joininbox
+cd joininbox
+gh run download
+
+shasum -a256 -c joininbox-amd64-debian-11.5.qcow2.gz.sha256
+gzip -dkv joininbox-amd64-debian-11.5.qcow2.gz
+shasum -a256 -c joininbox-amd64-debian-11.5.qcow2.sha256
+
+pkg install qemu
+
+qemu-image convert joininbox-amd64-debian-11.5.qcow2 /media/joininbox.img
+
+# In the FreeBSD root
+# create a zvol with the exact size of the raw image
+
+dd if=/mnt/cryptic/blitz/images/joininbox.img of=/dev/zvol/cryptic/blitz/jb221210 bs=4M status=progress
+```
+
+## Manage the artifacts and workflows with the GitHub CLI
+* https://github.com/cli/cli#installation
+
+## Download artifacts in CLI
+* https://docs.github.com/en/actions/managing-workflow-runs/downloading-workflow-artifacts
+
 ## Delete workflow runs
 ```
 OWNER=
@@ -13,9 +43,15 @@ WORKFLOW_ID=
 # list runs
 gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | .id' | tail -n 10
+# delete failed runs
+gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | select(.conclusion=="failure") | .id' | tail -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}
+
+# delete cancelled runs
+gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | select(.conclusion=="cancelled") | .id' | tail -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}
+
 # delete oldest 10 workflows (won't delete the running one)
 gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | .id' | tail -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}
-
 # delete newest 10 workflows (won't delete the running one)
 gh api -X GET /repos/$OWNER/$REPO/actions/workflows/$WORKFLOW_ID/runs | jq '.workflow_runs[] | .id' | head -n 10 | xargs -I{} gh api -X DELETE /repos/$OWNER/$REPO/actions/runs/{}
+```
diff --git a/joinmarket/systemd/jmdir_mainnet.service b/joinmarket/systemd/jmdir_mainnet.service
index fc8a730..f0b0b31 100644
--- a/joinmarket/systemd/jmdir_mainnet.service
+++ b/joinmarket/systemd/jmdir_mainnet.service
@@ -6,9 +6,10 @@ After=network-online.target
 [Service]
 Type=simple
-ExecStart=/bin/bash -c 'cd /home/jmdir/joinmarket-clientserver && \
- source jmvenv/bin/activate && cd scripts && python start-dn.py'
-User=jmdir
+ExecStart=/bin/bash -c 'cd /home/joinmarket/joinmarket-clientserver && source jmvenv/bin/activate \
+&& cd scripts && python start-dn.py --datadir=/home/joinmarket/.joinmarket-mainnet mainnet-directory-node'
+User=joinmarket
+Restart=always
 [Install]
 WantedBy=multi-user.target
diff --git a/joinmarket/systemd/jmdir_signet.service b/joinmarket/systemd/jmdir_signet.service
index 09f00e9..03350e8 100644
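Review bot: `Restart=always` is added without a `RestartSec=`, so if `start-dn.py` exits immediately (missing venv, unreadable `/home/joinmarket/.joinmarket-mainnet`) the unit is restarted every 100 ms until systemd's default start-rate limit puts it into the failed state, which makes a configuration error look like a crash loop; add `RestartSec=30` next to it (and `StartLimitIntervalSec=0` in `[Unit]` only if unbounded retries are really wanted). Since the service already runs as the dedicated `User=joinmarket`, this is also the natural place for `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` — the directory node only needs its datadir under /home and the venv. The `[Unit]` section is outside the hunk.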
--- a/joinmarket/systemd/jmdir_signet.service
+++ b/joinmarket/systemd/jmdir_signet.service
@@ -6,9 +6,11 @@ After=network-online.target
 [Service]
 Type=simple
-ExecStart=/bin/bash -c 'cd /home/jmdir/joinmarket-clientserver && \
- source jmvenv/bin/activate && cd scripts && python start-dn.py --datadir=/home/jmdir/.joinmarket-signet'
-User=jmdir
+ExecStart=/bin/bash -c 'cd /home/joinmarket/joinmarket-clientserver \
+&& source jmvenv/bin/activate && cd scripts && \
+python start-dn.py --datadir=/home/${user}/.joinmarket-signet signet-directory-node'
+User=joinmarket
+Restart=always
 [Install]
 WantedBy=multi-user.target
diff --git a/nginx/btcpayserver_forward.conf b/nginx/btcpayserver_forward.conf
new file mode 100644
index 0000000..357bbe5
--- /dev/null
+++ b/nginx/btcpayserver_forward.conf
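Review bot: The new `--datadir=/home/${user}/.joinmarket-signet` references a variable nothing defines — whether systemd substitutes `${user}` from the unit environment or bash expands it inside `-c`, it is unset, so the directory node is pointed at `/home//.joinmarket-signet` instead of the joinmarket user's home. The mainnet unit in this same commit spells the path out; do the same here: `python start-dn.py --datadir=/home/joinmarket/.joinmarket-signet signet-directory-node'`. As in the mainnet unit, `Restart=always` should be paired with a `RestartSec=` so that a misconfiguration like this one does not turn into a rapid restart loop until the start-rate limit trips.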
@@ -0,0 +1,158 @@
+## fill in the DOMAIN_NAME
+## fill in the PREFIX_BTCPAY_PORT
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+ default $http_x_forwarded_proto;
+ '' $scheme;
+}
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+ default $http_x_forwarded_port;
+ '' $server_port;
+}
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+ default upgrade;
+ '' close;
+}
+# Apply fix for very long server names
+#server_names_hash_bucket_size 128;
+# Prevent Nginx Information Disclosure
+#server_tokens off;
+# Default dhparam
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+ default off;
+ https on;
+}
+
+#gzip on;
+ gzip_min_length 1000;
+ gzip_types image/svg+xml text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+ log_format vhost '$host $remote_addr - $remote_user [$time_local
+ ] '
+ '"$request" $status $body_bytes_sent '
+'"$http_referer""$http_user_agent"';
+ access_log off;
+# HTTP 1.1 support
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $proxy_connection;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+ proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+ proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ proxy_busy_buffers_size 256k;
+ client_header_buffer_size 500k;
+ large_client_header_buffers 4 500k;
+# Mitigate httpoxy attack (see README for details)
+ proxy_set_header Proxy "";
+
+server {
+ listen 80 http2;
+ listen 443 ssl http2;
+ server_name pay.diynodes.com;
+
+ # add_header 'Access-Control-Allow-Origin' '*';
+
+ ssl_certificate /etc/letsencrypt/live/$DOMAIN_NAME/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/$DOMAIN_NAME/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL: 50m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ ssl_prefer_server_ciphers on;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/letsencrypt/live/$DOMAIN_NAME/chain.pem;
+
+ location / {
+ # add_header 'Access-Control-Allow-Origin' '*';
+
+ proxy_pass $PREFIX_BTCPAY_PORT;
+
+ # For websockets
+ #proxy_set_header Upgrade $http_upgrade;
+ #proxy_set_header Connection $http_connection;
+
+ proxy_redirect off;
+
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $proxy_connection;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+ proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+ proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+ client_max_body_size 100M;
+
+
+ #proxy_set_header Host $http_host;
+ #proxy_set_header X-Real-IP $remote_addr;
+ #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #proxy_set_header X-Forwarded-Proto https;
+ #proxy_read_timeout 600;
+ #proxy_connect_timeout 600;
+ #proxy_send_timeout 600;
+ }
+
+
+ #location = /.well-known/nostr.json {
+ # return 301 https: //nostr.diynodes.com$request_uri;
+
+}
+
+location /.well-known/nostr.json {
+ add_header 'Access-Control-Allow-Origin' '*';
+ alias /var/www/html/.well-known/nostr.json;
+}
+
+
+# location /.well-known/lnurlp/openoms {
+# add_header 'Access-Control-Allow-Origin' '*';
+# proxy_pass https: //100.106.178.118:23001;
+#proxy_redirect off;
+#proxy_set_header Host $http_host;
+#proxy_set_header X-Real-IP $remote_addr;
+#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#proxy_set_header X-Forwarded-Proto https;
+#
+#proxy_read_timeout 600;
+#proxy_connect_timeout 600;
+#proxy_send_timeout 600;
+#
+## remove if not needed
+## proxy_set_header X-Forwarded-Host $server_name;
+#
+}
+#
+#
+location /BTC/UILNURL/pay/i {
+ add_header 'Access-Control-Allow-Origin' '*';
+ proxy_pass $PREFIX_BTCPAY_PORT;
+ proxy_redirect off;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+
+ proxy_read_timeout 600;
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+
+ # remove if not needed
+ # proxy_set_header X-Forwarded-Host $server_name;
+}
+}
diff --git a/nginx/btcpayserver_subdomain.sh b/nginx/btcpayserver_subdomain.sh
index 394b0b0..a741ca3 100644
--- a/nginx/btcpayserver_subdomain.sh
+++ b/nginx/btcpayserver_subdomain.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
-# WOWRK IN PROGRESS
+# WORK IN PROGRESS
+# see https://gist.github.com/NicolasDorier/1a7fce6836ee55a7fa2c7f65417b88b5
 echo " Input your email:
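Review bot: The single `server` block listens on `80 http2` as well as `443 ssl http2` with no redirect, so the BTCPay UI and its cookies are also served in clear text, and the http-level `map $http_x_forwarded_proto` / `map $http_x_forwarded_port` forward whatever X-Forwarded-Proto/Port the client itself sent — on an edge proxy that lets a plain-HTTP client claim `https` to the backend, which it will typically trust for scheme-dependent decisions (secure cookies, generated URLs). Unless this nginx sits behind another trusted proxy, split the listener into a port-80 redirect plus a TLS-only server and send `$scheme`/`$server_port` instead of the pass-through maps, as sketched below. Separately, as the hunk reads, the `}` after the commented-out `#location = /.well-known/nostr.json` lines (and the one after the `# location /.well-known/lnurlp/openoms` block) is not commented, which closes `server {}` early and leaves `location /.well-known/nostr.json` and `location /BTC/UILNURL/pay/i` at http level where `nginx -t` rejects them — if that is an artifact of how the file was pasted, ignore. `#server_tokens off;` could also be enabled, since the comment above it already states why.
```nginx
server {
    listen 80;
    server_name pay.diynodes.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name pay.diynodes.com;
    # … unchanged: ssl_* settings …

    location / {
        proxy_pass $PREFIX_BTCPAY_PORT;
        # … unchanged: Host / Upgrade / Connection / X-Real-IP / X-Forwarded-For headers …
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        # … unchanged: client_max_body_size …
    }
    # … unchanged: /.well-known/nostr.json and /BTC/UILNURL/pay/i locations …
}
```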
@@ -31,7 +32,7 @@ sudo certbot certonly -a standalone -m $EMAIL --agree-tos \
 cat EOF | sudo tee /etc/nginx/sites-available/${SUBDOMAIN}
 # sudo cat /etc/nginx/sites-enabled/${SUBDOMAIN}
 server {
- listen 80;
+ listen 80 http2;
 listen 443 ssl http2;
 server_name ${SUBDOMAIN};
diff --git a/raspiblitz-custom-install-scripts/README.md b/raspiblitz-custom-install-scripts/README.md
new file mode 100644
index 0000000..2cd682b
--- /dev/null
+++ b/raspiblitz-custom-install-scripts/README.md
@@ -0,0 +1,17 @@
+Raspiblitz custom installs
+
+* default:
+```
+cat /mnt/hdd/app-data/custom-installs.sh
+```
+```
+#!/bin/bash
+
+# This script runs with sudo rights after an update/recovery from a fresh sd card.
+# This is the place to put all the install commands, cronjobs or editing of system configs
+# for your personal modifications of RaspiBlitz
+
+# note: use absolute paths if you point to specific files
+
+echo "There are no custom user installs so far."
+```
diff --git a/raspiblitz-custom-install-scripts/custom-installs.sh b/raspiblitz-custom-install-scripts/custom-installs.sh
new file mode 100644
index 0000000..3e84695
--- /dev/null
+++ b/raspiblitz-custom-install-scripts/custom-installs.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+./tailscale.sh
diff --git a/raspiblitz-custom-install-scripts/tailscale.sh b/raspiblitz-custom-install-scripts/tailscale.sh
new file mode 100644
index 0000000..e9f9263
--- /dev/null
+++ b/raspiblitz-custom-install-scripts/tailscale.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+echo "# Install Tailscale"
+mv /var/lib/tailscale /var/lib/tailscale.backup
+curl -fsSL https://tailscale.com/install.sh | sh
+systemctl stop tailscaled
+rm -rf /var/lib/tailscale
+cp -r /mnt/hdd/app-data/tailscale /var/lib
+systemctl start tailscaled
+echo "# Tailscale install done"
diff --git a/tor/checkHiddenService.sh b/tor/checkHiddenService.sh
new file mode 100644
index 0000000..f0ea347
--- /dev/null
+++ b/tor/checkHiddenService.sh
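Review bot: Adding `http2` to the plain `listen 80;` in the generated site config buys nothing — browsers only negotiate HTTP/2 over TLS, and on nginx 1.25.1+ the listen-parameter form is deprecated in favour of `http2 on;` — while still leaving port 80 serving the BTCPay proxy in clear text next to the TLS listener. The generated block would be safer as a port-80 server that only does `return 301 https://$host$request_uri;` plus a TLS-only `listen 443 ssl http2;` server. Unrelated to this change but visible as context: `cat EOF | sudo tee …` reads like a here-doc with the `<<` missing, in which case the script fails on a nonexistent file named `EOF` before writing anything — worth confirming, since the rest of that command is outside the hunk.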
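Review bot: `./tailscale.sh` is resolved against the caller's working directory, not this script's location, and the README added in the same commit says the hook runs with sudo after a recovery and that absolute paths are required — so unless the runner happens to `cd` into the right directory first, the line fails with "No such file or directory" and the exit status is the only trace. Use the script's own directory, `"$(dirname "$0")/tailscale.sh"`, or an absolute path, and consider `set -e` so a failed install is visible in the recovery log. Where `tailscale.sh` is meant to be installed is not shown here, so pick whichever form matches where it is copied.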
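Review bot: `curl -fsSL https://tailscale.com/install.sh | sh` executes an unpinned, unverified script as root every time the recovery hook fires, and because there is no `set -e` a failed or truncated download still falls through to `rm -rf /var/lib/tailscale` and the restore, so a transient outage can leave the node without a working tailscaled but with its restored node key on disk. Prefer Tailscale's apt repository with a signing key pinned under /etc/apt/keyrings, or at least save the installer to disk and check it against a known hash before running it, and guard the restore on `/mnt/hdd/app-data/tailscale` actually existing before the live state is deleted. The `/var/lib/tailscale.backup` left behind contains the previous node private key and is never removed.
```shell
#!/bin/bash
set -euo pipefail

echo "# Install Tailscale"
# refuse to touch the live state if there is nothing to restore from
[[ -d /mnt/hdd/app-data/tailscale ]] || { echo "# no saved tailscale state in /mnt/hdd/app-data" >&2; exit 1; }
[[ -d /var/lib/tailscale ]] && mv /var/lib/tailscale /var/lib/tailscale.backup
# fetch the installer to disk so it can be checked before it runs as root
installer="$(mktemp)"
trap 'rm -f -- "$installer"' EXIT
curl -fsSL https://tailscale.com/install.sh -o "$installer"
# TODO: compare "$installer" against a pinned sha256 (or switch to the apt
# repo with a pinned signing key) before executing it
sh "$installer"
# … unchanged: stop tailscaled, rm -rf /var/lib/tailscale, cp -r from app-data …
chmod 700 /var/lib/tailscale
systemctl start tailscaled
```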
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+hidden_service="xxxxxxxxxx.onion"
+port=80
+if ! torsocks nc -zv ${hidden_service} ${port}; then
+ echo "restart Tor"
+ sudo systemctl restart tor@default
+fi
diff --git a/tor/crontab.sh b/tor/crontab.sh
new file mode 100644
index 0000000..4ae394c
--- /dev/null
+++ b/tor/crontab.sh
@@ -0,0 +1,10 @@
+if ! crontab -u admin -l | grep checkHiddenService; then
+ cronjob="0,15,30,45 * * * * /home/admin/checkHiddenService"
+ (
+ crontab -u admin -l
+ echo "$cronjob"
+ ) | crontab -u admin -
+fi
+echo "# The crontab for admin now is:"
+crontab -u admin -l
+echo
diff --git a/zfs/create-ext4-raspiblitz-disk.md b/zfs/create-ext4-raspiblitz-disk.md
new file mode 100644
index 0000000..232a96e
--- /dev/null
+++ b/zfs/create-ext4-raspiblitz-disk.md
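Review bot: A single failed probe restarts Tor, and `nc -zv` is given no timeout, so one slow circuit or a busy guard bounces the daemon on the next cron tick — dropping every open circuit and leaving the onion service unreachable until it republishes; add `-w 30` and only restart after a second consecutive failure (sleep and retry once before the `systemctl restart`). The placeholder `hidden_service="xxxxxxxxxx.onion"` has no guard, so if the file is installed unedited the check can never succeed and Tor is restarted on every run — fail fast with `[[ "$hidden_service" == "xxxxxxxxxx.onion" ]] && { echo "set hidden_service first" >&2; exit 1; }`. Quote the expansions too: `torsocks nc -z -w 30 "$hidden_service" "$port"`.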
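Review bot: The cron line points at `/home/admin/checkHiddenService` while the script added alongside it is `checkHiddenService.sh`, so unless it is renamed on install the job fails every 15 minutes and the `grep checkHiddenService` guard still reports it as present; use `cronjob="0,15,30,45 * * * * /home/admin/checkHiddenService.sh"` (or `*/15 * * * *`). The file has no shebang, and `grep` without `-q` prints the matched line into the output. Because the check script calls `sudo systemctl restart tor@default` from admin's crontab, this depends on passwordless sudo for `admin`, which is not shown here — a comment such as `# requires NOPASSWD sudo for admin (tor restart)` would make that assumption explicit.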
@@ -0,0 +1,77 @@
+parted -s /dev/${hdd} mkpart primary ext4 1024KiB 100%
+mkfs.ext4 -F -L BLOCKCHAIN /dev/${hdd}
+tune2fs -c 1 /dev/${hdd}
+
+
+
+ hddDataPartitionExt4=$hdd
+ # loop until the uuids are available
+ uuid1=""
+ loopcount=0
+ while [ ${#uuid1} -eq 0 ]
+ do
+ echo "# waiting until uuid gets available"
+ sleep 2
+ sync
+ uuid1=$(lsblk -o NAME,UUID | grep "${hddDataPartitionExt4}" | awk '$1=$1' | cut -d " " -f 2 | grep "-")
+ loopcount=$(($loopcount +1))
+ if [ ${loopcount} -gt 10 ]; then
+ echo "error='no uuid'"
+ exit 1
+ fi
+ done
+
+ echo "# mount /mnt/hdd"
+ mkdir -p /mnt/hdd 1>/dev/null
+ updated=$(cat /etc/fstab | grep -c "/mnt/hdd")
+ if [ $updated -eq 0 ]; then
+ echo "# updating /etc/fstab"
+ sed "/raspiblitz/ i UUID=${uuid1} /mnt/hdd ext4 noexec,defaults 0 2" -i /etc/fstab 1>/dev/null
+ fi
+ sync
+ mount -a 1>/dev/null
+
+
+
+
+ # make sure common base directory exits
+ mkdir -p /mnt/hdd/lnd
+ mkdir -p /mnt/hdd/app-data
+
+ >&2 echo "# Creating EXT4 setup links"
+ >&2 echo "# opening blockchain into /mnt/hdd"
+ mkdir -p /mnt/hdd/bitcoin
+ >&2 echo "# linking blockchain for user bitcoin"
+ rm /home/bitcoin/.bitcoin 2>/dev/null
+ ln -s /mnt/hdd/bitcoin /home/bitcoin/.bitcoin
+ >&2 echo "# linking lnd for user bitcoin"
+ rm /home/bitcoin/.lnd 2>/dev/null
+ ln -s /mnt/hdd/lnd /home/bitcoin/.lnd
+ >&2 echo "# creating default storage & temp folders"
+ mkdir -p /mnt/hdd/app-storage
+ mkdir -p /mnt/hdd/temp
+
+
+ # fix ownership of linked files
+ chown -R bitcoin:bitcoin /mnt/hdd/bitcoin
+ chown -R bitcoin:bitcoin /mnt/hdd/lnd
+ chown -R bitcoin:bitcoin /home/bitcoin/.lnd
+ chown -R bitcoin:bitcoin /home/bitcoin/.bitcoin
+ chown bitcoin:bitcoin /mnt/hdd/app-storage
+ chown bitcoin:bitcoin /mnt/hdd/app-data
+ chown -R bitcoin:bitcoin /mnt/hdd/temp 2>/dev/null
+ chmod -R 777 /mnt/temp 2>/dev/null
+ chmod -R 777 /mnt/hdd/temp 2>/dev/null
+
+ # write info files about what directories are for
+
+ echo "The /mnt/hdd/temp directory is for short time data and will get cleaned up on very start. Dont work with data here thats bigger then 25GB - because on BTRFS hdd layout this is a own partition with limited space. Also on BTRFS hdd layout the temp partition is an FAT format - so it can be easily mounted on Windows and OSx laptops by just connecting it to such laptops. Use this for easy export data. To import data make sure to work with the data before bootstrap is deleting the directory on startup." > ./README.txt
+ mv ./README.txt /mnt/hdd/temp/README.txt 2>/dev/null
+
+ echo "The /mnt/hdd/app-data directory should be used by additional/optional apps and services installed to the RaspiBlitz for their data that should survive an import/export/backup. Data that can be reproduced (indexes, etc.) should be stored in app-storage." > ./README.txt
+ mv ./README.txt /mnt/hdd/app-data/README.txt 2>/dev/null
+
+ echo "The /mnt/hdd/app-storage directory should be used by additional/optional apps and services installed to the RaspiBlitz for their non-critical and reproducible data (indexes, public blockchain, etc.) that does not need to survive an an import/export/backup. Data is critical should be in app-data." > ./README.txt
+ mv ./README.txt /mnt/hdd/app-storage/README.txt 2>/dev/null
+
+ >&2 echo "# OK - all symbolic links are built"
\ No newline at end of file
diff --git a/zfs/create-raspiblitz-zfs-disk.md b/zfs/create-raspiblitz-zfs-disk.md
index 3cb8791..a2eba9c 100644
--- a/zfs/create-raspiblitz-zfs-disk.md
+++ b/zfs/create-raspiblitz-zfs-disk.md
@@ -27,11 +27,11 @@
 # work as root
 sudo su -
- echo "deb http://deb.debian.org/debian bullseye-backports main contrib" | sudo tee -a /etc/apt/sources.list.d/bullseye-backports.list
- echo "deb-src http://deb.debian.org/debian bullseye-backports main contrib" | sudo tee -a /etc/apt/sources.list.d/bullseye-backports.list
+ echo "deb http://deb.debian.org/debian bookworm-backports main contrib
+ deb-src http://deb.debian.org/debian bookworm-backports main contrib" | sudo tee -a /etc/apt/sources.list.d/bookworm-backports.list
 echo "Package: src:zfs-linux" | sudo tee -a /etc/apt/preferences.d/90_zfs
- echo "Pin: release n=bullseye-backports" | sudo tee -a /etc/apt/preferences.d/90_zfs
+ echo "Pin: release n=bookworm-backports" | sudo tee -a /etc/apt/preferences.d/90_zfs
 echo "Pin-Priority: 990" | sudo tee -a /etc/apt/preferences.d/90_zfs
 apt update
@@ -248,9 +248,13 @@
 ```
 zpool import
 zpool import -a
+
+ # restore the key
+ sudo /sbin/zfs load-key -a
 sudo /sbin/zfs mount -la
+
+ # automount with cron
 cronjob="@reboot sudo /sbin/zfs load-key -a; sudo /sbin/zfs mount -la"
 (