From c87e0b93b9ac54b7afcdca061c4cdb82426471ad Mon Sep 17 00:00:00 2001 From: openoms Date: Sat, 21 Sep 2019 22:52:34 +0100 Subject: [PATCH 1/8] elecrs: add a HIdden service if Tor is active --- electrs/1_electrs_on_RaspiBlitz.sh | 7 ------- electrs/2_electrs_systemd_service.sh | 28 +++++++++++++++++++++++++++- 2 files changed, 27 insertions(+), 8 deletions(-) diff --git a/electrs/1_electrs_on_RaspiBlitz.sh b/electrs/1_electrs_on_RaspiBlitz.sh index f993187..c8ff14b 100644 --- a/electrs/1_electrs_on_RaspiBlitz.sh +++ b/electrs/1_electrs_on_RaspiBlitz.sh @@ -98,10 +98,3 @@ echo "Start Electrs " echo "***" echo "" sudo -u electrs /home/electrs/.cargo/bin/cargo run --release -- --index-batch-size=10 --electrum-rpc-addr="0.0.0.0:50001" - -# to preserve settings: -# see https://github.com/romanz/electrs/blob/master/src/config.rs -# sudo nano $HOME/electrs/src/config.rs -# change the lines: -# 73: from: .takes_value(true), to: .default_value("raspibolt:PASSWORD B"), -# 132: from .default_value("Welcome to electrs (Electrum Rust Server)!") to your custom message \ No newline at end of file diff --git a/electrs/2_electrs_systemd_service.sh b/electrs/2_electrs_systemd_service.sh index c71e8a6..76d76e3 100644 --- a/electrs/2_electrs_systemd_service.sh +++ b/electrs/2_electrs_systemd_service.sh 
@@ -30,4 +30,30 @@ WantedBy=multi-user.target " | sudo tee -a /etc/systemd/system/electrs.service sudo systemctl enable electrs -sudo systemctl start electrs \ No newline at end of file +sudo systemctl start electrs + +# Hidden Service for electrs if Tor active + +source /mnt/hdd/raspiblitz.conf + +if [ "${runBehindTor}" = "on" ]; then + isElectrsTor=$(sudo cat /etc/tor/torrc 2>/dev/null | grep -c 'electrs') + if [ ${isElectrsTor} -eq 0 ]; then + echo " + # Hidden Service for Electrum Server + HiddenServiceDir /mnt/hdd/tor/electrs + HiddenServiceVersion 3 + HiddenServicePort 50001 127.0.0.1:50001 + " | sudo tee -a /etc/tor/torrc + + sudo systemctl restart tor + sudo systemctl restart tor@default + fi + TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/electrs/hostname) + echo "" + echo "***" + echo "The hidden service address for electrs is:" + echo "$TOR_ADDRESS" + echo "***" + echo "" +fi \ No newline at end of file From 7a4df66f5016c67beed8bfd75ee691505c686fee Mon Sep 17 00:00:00 2001 From: openoms Date: Sun, 22 Sep 2019 00:17:41 +0100 Subject: [PATCH 2/8] elecrs: change to self signed SSL certificate --- ..._Nginx_and_Certbot_for_SSL.sh => 3_SSL.sh} | 117 +++++++----------- electrs/certbot.sh | 84 +++++++++++++ 2 files changed, 126 insertions(+), 75 deletions(-) rename electrs/{3_Nginx_and_Certbot_for_SSL.sh => 3_SSL.sh} (51%) create mode 100644 electrs/certbot.sh diff --git a/electrs/3_Nginx_and_Certbot_for_SSL.sh b/electrs/3_SSL.sh similarity index 51% rename from electrs/3_Nginx_and_Certbot_for_SSL.sh rename to electrs/3_SSL.sh index ab13bb3..1a0a376 100644 --- a/electrs/3_Nginx_and_Certbot_for_SSL.sh +++ b/electrs/3_SSL.sh 
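Review bot: `TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/electrs/hostname)` runs immediately after `sudo systemctl restart tor`, and on the first run the hidden-service directory and its hostname file only appear once tor has started with the new torrc, so the read can fail and the script prints an empty address. Poll for the file before reading it, e.g. `for _ in {1..30}; do sudo test -f /mnt/hdd/tor/electrs/hostname && break; sleep 1; done`, and report when it is still missing instead of echoing an empty value. The idempotency check `grep -c 'electrs'` matches any torrc line containing that word, including comments; matching the exact `HiddenServiceDir /mnt/hdd/tor/electrs` line is more robust. `source /mnt/hdd/raspiblitz.conf` executes that file as shell code, which is acceptable only while it stays writable by root alone; a one-line comment stating that assumption would make it visible to the next maintainer.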
@@ -4,27 +4,6 @@ # To download and run: # $ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/3_Nginx_and_Certbot_for_SSL.sh && bash 3_Nginx_and_Certbot_for_SSL.sh -# For the certificate to be obtained successfully a dynamic DNS and port forwarding is needed -# Need to forward port 80 to the IP of your RaspiBlitz for certbot -# Forward port 50002 to be able to access you electrs from outside of your LAN - -# https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md - -echo "" -echo "***" -echo "Please type the domain/dynamicDNS you want to use for Electrs and press [ENTER]" -read YOUR_DOMAIN - -echo "" -echo "***" -echo "Please type an email that will be used to register the SSL certificate and press [ENTER]" -read YOUR_EMAIL - -echo "" -echo "***" -echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]" -read key - echo "" echo "***" echo "installing Nginx" 
@@ -34,70 +13,58 @@ echo "" sudo apt-get install -y nginx sudo /etc/init.d/nginx start -echo "allow port 80 on ufw" -sudo ufw allow 80 - -# https://certbot.eff.org/lets-encrypt/debianother-nginx echo "" echo "***" -echo "Installing certbot" -echo "Will ask for an email address and a domain name - a dynamic DNS can be used" -echo "Use the default settings in the other options" +echo "Create a self signed SSL certificate" echo "***" echo "" -#wget https://dl.eff.org/certbot-auto -#chmod +x certbot-auto -#sudo ./certbot-auto --nginx - -sudo apt install -y certbot -# get SSL cert -sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start" - - -# Your certificate and chain have been saved at: -# /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem -# Your key file has been saved at: -# /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem - -echo "" -echo "***" -echo "Setting up certbot-auto renewal service" -echo "***" -echo "" +#https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes +#https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts echo " -[Unit] -Description=Certbot-auto renewal service +[req] +prompt=no +default_bits = 2048 +default_keyfile = localhost.key +distinguished_name = req_distinguished_name +req_extensions = req_ext +x509_extensions = v3_ca -[Timer] -OnBootSec=20min -OnCalendar=*-*-* 4:00:00 +[req_distinguished_name] +countryName = Country Name (2 letter code) +countryName_default = US +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = New York +localityName = Locality Name (eg, city) +localityName_default = Rochester +organizationName = Organization Name (eg, company) +organizationName_default = localhost +organizationalUnitName = organizationalunit +organizationalUnitName_default = Development +commonName = Common Name (e.g. 
server FQDN or YOUR name) +commonName_default = localhost +commonName_max = 64 -[Install] -WantedBy=timers.target -" | sudo tee -a /etc/systemd/system/certbot.timer +[req_ext] +subjectAltName = @alt_names -echo " -[Unit] -Description=Certbot-auto renewal service -After=bitcoind.service +[v3_ca] +subjectAltName = @alt_names -[Service] -WorkingDirectory=/home/admin/ -ExecStart=sudo certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\" +[alt_names] +DNS.1 = localhost +DNS.2 = 127.0.0.1 +" | sudo tee /mnt/hdd/electrs/localhost.conf -User=admin -Group=admin -Type=simple -KillMode=process -TimeoutSec=60 -Restart=always -RestartSec=60 -" | sudo tee -a /etc/systemd/system/certbot.service +cd /mnt/hdd/electrs +sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf -sudo systemctl enable certbot.timer +sudo cp localhost.crt /etc/ssl/certs/localhost.crt +sudo cp localhost.key /etc/ssl/private/localhost.key +echo "" +echo "***" echo "Setting up nginx.conf" echo "***" echo "" @@ -119,8 +86,8 @@ stream { server { listen 50002 ssl; proxy_pass electrs; - ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem; + ssl_certificate /etc/ssl/certs/localhost.crt; + ssl_certificate_key /etc/ssl/private/localhost.key; ssl_session_cache shared:SSL-electrs:1m; ssl_session_timeout 4h; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; @@ -138,8 +105,8 @@ stream { server { listen 50002 ssl; proxy_pass electrs; - ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem; + ssl_certificate /etc/ssl/certs/localhost.crt; + ssl_certificate_key /etc/ssl/private/localhost.key; ssl_session_cache shared:SSL-electrs:1m; ssl_session_timeout 4h; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
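Review bot: In the `[alt_names]` section the loopback address is declared as a DNS name, `DNS.2 = 127.0.0.1`, but an IP literal is only matched through an IP SAN, so it should read `IP.1 = 127.0.0.1` for clients that connect to `127.0.0.1:50002`. The private key is generated in `/mnt/hdd/electrs/localhost.key` and then copied, leaving a second copy in a directory owned by the electrs user; after the `sudo cp` add `sudo chmod 600 /etc/ssl/private/localhost.key` and `sudo rm -f /mnt/hdd/electrs/localhost.key` (or pass `-keyout /etc/ssl/private/localhost.key` directly), since the mode openssl gives the file depends on the version and umask in use. `cd /mnt/hdd/electrs` is unchecked; `cd /mnt/hdd/electrs || exit 1` prevents the key and certificate from being written into whatever the current directory happens to be. The two nginx hunks that follow only swap the certificate paths and keep `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` as context; that line is not part of this change, but dropping TLSv1 and TLSv1.1 is worth doing the next time this block is edited.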
diff --git a/electrs/certbot.sh b/electrs/certbot.sh new file mode 100644 index 0000000..4e3fd25 --- /dev/null +++ b/electrs/certbot.sh 
@@ -0,0 +1,84 @@ +# For the certificate to be obtained successfully a dynamic DNS and port forwarding is needed +# Need to forward port 80 to the IP of your RaspiBlitz for certbot +# Forward port 50002 to be able to access you electrs from outside of your LAN + +# https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md + +echo "" +echo "***" +echo "Please type the domain/dynamicDNS you want to use for Electrs and press [ENTER]" +read YOUR_DOMAIN + +echo "" +echo "***" +echo "Please type an email that will be used to register the SSL certificate and press [ENTER]" +read YOUR_EMAIL + +echo "" +echo "***" +echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]" +read key + +echo "allow port 80 on ufw" +sudo ufw allow 80 + +# https://certbot.eff.org/lets-encrypt/debianother-nginx +echo "" +echo "***" +echo "Installing certbot" +echo "Will ask for an email address and a domain name - a dynamic DNS can be used" +echo "Use the default settings in the other options" +echo "***" +echo "" + +#wget https://dl.eff.org/certbot-auto +#chmod +x certbot-auto +#sudo ./certbot-auto --nginx + +sudo apt install -y certbot +# get SSL cert +sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start" + + +# Your certificate and chain have been saved at: +# /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem +# Your key file has been saved at: +# /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem + +echo "" +echo "***" +echo "Setting up certbot-auto renewal service" +echo "***" +echo "" + +echo " +[Unit] +Description=Certbot-auto renewal service + +[Timer] +OnBootSec=20min +OnCalendar=*-*-* 4:00:00 + +[Install] +WantedBy=timers.target +" | sudo tee -a /etc/systemd/system/certbot.timer + +echo " +[Unit] +Description=Certbot-auto renewal service +After=bitcoind.service + +[Service] +WorkingDirectory=/home/admin/ +ExecStart=sudo certbot renew 
--pre-hook \"service nginx stop\" --post-hook \"service nginx start\" + +User=admin +Group=admin +Type=simple +KillMode=process +TimeoutSec=60 +Restart=always +RestartSec=60 +" | sudo tee -a /etc/systemd/system/certbot.service + +sudo systemctl enable certbot.timer \ No newline at end of file From ad837e459e3a5756c76bd82d7e91ea2f3a29fadb Mon Sep 17 00:00:00 2001 From: openoms Date: Sun, 22 Sep 2019 01:20:40 +0100 Subject: [PATCH 3/8] electrs: unify scripts --- electrs/electrs_to_RaspiBlitz.sh | 287 +++++++++++++++++++++++++++++++ 1 file changed, 287 insertions(+) create mode 100644 electrs/electrs_to_RaspiBlitz.sh diff --git a/electrs/electrs_to_RaspiBlitz.sh b/electrs/electrs_to_RaspiBlitz.sh new file mode 100644 index 0000000..3647012 --- /dev/null +++ b/electrs/electrs_to_RaspiBlitz.sh 
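Review bot: `read YOUR_DOMAIN` and `read YOUR_EMAIL` are interpolated unquoted into `sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN ...`, so a value with spaces or glob characters is split into extra certbot arguments; use `read -r YOUR_DOMAIN` / `read -r YOUR_EMAIL` and quote them as `-m "$YOUR_EMAIL"` and `-d "$YOUR_DOMAIN"`. The renewal unit runs with `User=admin` and `ExecStart=sudo certbot renew ...`, which presumably depends on admin having passwordless sudo; a systemd service can run as root by itself, so removing `User=`/`Group=` and the `sudo` prefix drops that dependency and the unusual sudo-inside-a-unit pattern. Both unit files are written with `tee -a`, so every re-run appends a second copy of each section to `certbot.timer` and `certbot.service`; `tee` (overwrite) followed by `sudo systemctl daemon-reload` keeps the units well-formed. The new file has no shebang line; start it with `#!/bin/bash` so it is not run under whichever `sh` happens to be the default.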
@@ -0,0 +1,287 @@ +# Download and run this script on the RaspiBlitz: +# $ wget https://github.com/openoms/bitcoin-tutorials/raw/master/electrs/electrs_to_RaspiBlitz.sh && bash electrs_to_RaspiBlitz.sh + +# https://github.com/romanz/electrs/blob/master/doc/usage.md + +echo "" +echo "***" +echo "Creating the electrs user" +echo "***" +echo "" +sudo adduser --disabled-password --gecos "" electrs +cd /home/electrs + +echo "" +echo "***" +echo "Installing Rust" +echo "***" +echo "" +sudo -u electrs curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sudo -u electrs sh -s -- -y +#source $HOME/.cargo/env +sudo apt update +sudo apt install -y clang cmake # for building 'rust-rocksdb' + +echo "" +echo "***" +echo "Downloading and building electrs. This will take ~30 minutes" # ~22 min on an Odroid XU4 +echo "***" +echo "" +sudo -u electrs git clone https://github.com/romanz/electrs +cd /home/electrs/electrs +sudo -u electrs /home/electrs/.cargo/bin/cargo build --release + +echo "" +echo "***" +echo "The electrs database will be built in /mnt/hdd/electrs/db. 
Takes ~18 hours and ~50Gb diskspace" +echo "***" +echo "" +sudo mkdir /mnt/hdd/electrs 2>/dev/null +sudo chown -R electrs:electrs /mnt/hdd/electrs + +echo "" +echo "***" +echo "getting RPC credentials from the bitcoin.conf" +echo "***" +echo "" +#echo "Type the PASSWORD B of your RaspiBlitz followed by [ENTER] (needed for Electrs to access the bitcoind RPC):" +#read PASSWORD_B +RPC_USER=$(sudo cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcuser | cut -c 9-) +PASSWORD_B=$(sudo cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcpassword | cut -c 13-) +echo "Done" + +echo "" +echo "***" +echo "generating electrs.toml setting file with the RPC passwords" +echo "***" +echo "" +# generate setting file: https://github.com/romanz/electrs/issues/170#issuecomment-530080134 +# https://github.com/romanz/electrs/blob/master/doc/usage.md#configuration-files-and-environment-variables + +sudo rm -f /home/electrs/.electrs/config.toml +sudo -u electrs mkdir /home/electrs/.electrs 2>/dev/null + +touch /home/admin/config.toml +chmod 600 /home/admin/config.toml || exit 1 +cat > /home/admin/config.toml </dev/null | grep -c 'upstream electrs') +if [ ${isElectrs} -gt 0 ]; then + echo "electrs is already configured with Nginx. 
To edit manually run \`sudo nano /etc/nginx/nginx.conf\`" + +elif [ ${isElectrs} -eq 0 ]; then + + isStream=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'stream {') + if [ ${isStream} -eq 0 ]; then + + echo " +stream { + upstream electrs { + server 127.0.0.1:50001; + } + server { + listen 50002 ssl; + proxy_pass electrs; + ssl_certificate /etc/ssl/certs/localhost.crt; + ssl_certificate_key /etc/ssl/private/localhost.key; + ssl_session_cache shared:SSL-electrs:1m; + ssl_session_timeout 4h; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + } +}" | sudo tee -a /etc/nginx/nginx.conf + + elif [ ${isStream} -eq 1 ]; then + sudo truncate -s-2 /etc/nginx/nginx.conf + echo " + + upstream electrs { + server 127.0.0.1:50001; + } + server { + listen 50002 ssl; + proxy_pass electrs; + ssl_certificate /etc/ssl/certs/localhost.crt; + ssl_certificate_key /etc/ssl/private/localhost.key; + ssl_session_cache shared:SSL-electrs:1m; + ssl_session_timeout 4h; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + } +}" | sudo tee -a /etc/nginx/nginx.conf + + elif [ ${isStream} -gt 1 ]; then + + echo " Too many \`stream\` commands in nginx.conf. 
Please edit manually: \`sudo nano /etc/nginx/nginx.conf\` and retry" + exit 1 + fi +fi + +echo "allow port 50002 on ufw" +sudo ufw allow 50002 + +sudo systemctl enable nginx +sudo systemctl restart nginx + +echo "" +echo "***" +echo "Installing the systemd service" +echo "***" +echo "" + +sudo systemctl stop electrs +sudo systemctl disable electrs +sudo rm /etc/systemd/system/electrs.service + +# sudo nano /etc/systemd/system/electrs.service +echo " +[Unit] +Description=Electrs +After=bitcoind.service + +[Service] +WorkingDirectory=/home/electrs/electrs +ExecStart=/home/electrs/electrs/target/release/electrs --index-batch-size=10 --electrum-rpc-addr=\"0.0.0.0:50001\" +User=electrs +Group=electrs +Type=simple +KillMode=process +TimeoutSec=60 +Restart=always +RestartSec=60 + +[Install] +WantedBy=multi-user.target +" | sudo tee -a /etc/systemd/system/electrs.service + +# Hidden Service for electrs if Tor active + +source /mnt/hdd/raspiblitz.conf + +if [ "${runBehindTor}" = "on" ]; then + isElectrsTor=$(sudo cat /etc/tor/torrc 2>/dev/null | grep -c 'electrs') + if [ ${isElectrsTor} -eq 0 ]; then + echo " + # Hidden Service for Electrum Server + HiddenServiceDir /mnt/hdd/tor/electrs + HiddenServiceVersion 3 + HiddenServicePort 50001 127.0.0.1:50001 + " | sudo tee -a /etc/tor/torrc + + sudo systemctl restart tor + sudo systemctl restart tor@default + fi + TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/electrs/hostname) + echo "" + echo "***" + echo "The hidden service address for electrs is:" + echo "$TOR_ADDRESS" + echo "***" + echo "" +fi + +echo "" +echo "***" +echo "Starting electrs in the background" +echo "***" +echo "" +# sudo -u electrs /home/electrs/.cargo/bin/cargo run --release -- --index-batch-size=10 --electrum-rpc-addr="0.0.0.0:50001" +sudo systemctl enable electrs +sudo systemctl start electrs + +echo "" +echo "To connect from outside of the local network make sure the port 50002 is forwarded on the router" +echo "Electrum wallet: start with the options \`electrum 
--oneserver --server RaspiBlitz_IP:50002:s" +echo "" \ No newline at end of file From ced01bddffd1b5889095186cf258763cc829ddec Mon Sep 17 00:00:00 2001 From: openoms Date: Sun, 22 Sep 2019 01:21:14 +0100 Subject: [PATCH 4/8] electrs: update readme --- electrs/README.md | 68 +++++++++++++++-------------------------------- 1 file changed, 22 insertions(+), 46 deletions(-) diff --git a/electrs/README.md b/electrs/README.md index 13fb213..c193a15 100644 --- a/electrs/README.md +++ b/electrs/README.md 
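Review bot: The nginx stream block written in both `isStream` branches sets `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`; TLS 1.0 and 1.1 are deprecated and every client named in the README handles 1.2, so new configuration should use `ssl_protocols TLSv1.2;` (adding TLSv1.3 where the installed nginx and OpenSSL support it). The `elif [ ${isStream} -eq 1 ]` branch edits nginx.conf blindly with `sudo truncate -s-2 /etc/nginx/nginx.conf`, assuming the file ends with `}` plus newline and that the stream block is the last one; run `sudo nginx -t || exit 1` before `sudo systemctl restart nginx` so a malformed result does not take the existing proxy down. The unit's `--electrum-rpc-addr=\"0.0.0.0:50001\"` exposes the plaintext Electrum port on every interface while both nginx and the Tor hidden service proxy to 127.0.0.1:50001; if unencrypted LAN access is not actually needed, `127.0.0.1:50001` leaves only the TLS and onion endpoints reachable, and either way the choice deserves a comment. The part of this hunk between `cat > /home/admin/config.toml <` and the `grep -c 'upstream electrs'` check is not visible in this view, so the handling of the RPC password written to config.toml could not be reviewed; the new file also lacks a `#!/bin/bash` shebang.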
@@ -11,29 +11,16 @@ Tested on: * Odroid HC1 and XU4 (~18 hours) * Raspberry Pi 3 B+ (~two days to build the database from scratch). For the RPi3 the lighter weight [Electrum Personal Server](https://stadicus.github.io/RaspiBolt/raspibolt_64_electrum.html) is a good alternative, but only watches the preconfigured addresses and xpubs. -## Install Electrs - -The install instructions are adapted to the RaspiBlitz are in this script, take a look: [1_electrs_on_RaspiBlitz.sh](1_electrs_on_RaspiBlitz.sh) +## [Install Electrs](1_electrs_on_RaspiBlitz.sh) To download and run on the RaspiBlitz (logged in as the user `admin`): -`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/1_electrs_on_RaspiBlitz.sh && bash 1_electrs_on_RaspiBlitz.sh` +`$ wget https://github.com/openoms/bitcoin-tutorials/raw/master/electrs/electrs_to_RaspiBlitz.sh && bash electrs_to_RaspiBlitz.sh` -This will only run the server until the terminal window is open. -To restart electrs manually run: -`$ sudo -u electrs /home/electrs/electrs/target/release/electrs --index-batch-size=10 --electrum-rpc-addr="0.0.0.0:50001"` - -or install the Electrs systemd service (next step) - ---- - -## Set up the Electrs systemd service - -Set up the systemd service to run electrs continuously in the background. - -Take a look: [2_electrs_systemd_service.sh](2_electrs_systemd_service.sh) - -To download and run: -`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/2_electrs_systemd_service.sh && bash 2_electrs_systemd_service.sh` +This will install: +* Rust +* Electrs +* Nginx for connecting through SSL with a self-signed certificate +* Tor Hidden Service if Tor is active If running the always-on electrs service is taking up too much RAM of your RPi3 stop it with: `$ sudo systemctl stop electrs` 
@@ -74,14 +61,12 @@ electrs 2532 admin 17u IPv4 32885 0t0 TCP *:50001 (LISTEN) Follow the instructions on https://electrum.org/#download ### Linux desktop: install, configure and run the Electrum wallet -The instruction are in the script: [4_electrum_install.sh](4_electrum_install.sh) +The instruction are in the script: [electrum_wallet.sh](electrum_wallet.sh) Tested on Ubuntu 18.04. To download and run on the Linux desktop: `$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/4_electrum_install.sh && bash 4_electrum_install.sh` - - ### Connect the Electrum wallet to Electrs: For an unencrypted TCP connection (suitable inside a secure LAN): 
@@ -95,35 +80,24 @@ To connect through SSL (requires setting up the Nginx server): ## Remote connection options Any communication outside a secure LAN must be encrypted. -### Tor Hidden Service +### Remote SSL connection -The easiest option is to activate Tor on the RaspiBlitz + on the computer used for Electrum and [configure a Tor Hidden Service for Electrs](Tor_Hidden_Service_for_Electrs.md) - -### Reverse SSH tunnel -See the guide from @cryptomulde to connect to a VPS through a reverse ssh tunnel: https://medium.com/@cryptomulde/private-electrum-server-electrs-for-your-raspiblitz-full-node-without-forwarding-ports-417e4c3af975 - -The more secure option is to continue with setting up the SSL connection as described in the next section. - -### Nginx and Certbot to serve an SSL connection - -For the SSL certificate to be obtained successfully a **dynamic DNS** and **port forwarding is necessary**. -Forward the port 80 to the IP of your RaspiBlitz for Certbot. -Forward the port 50002 to be able to access electrs from the outside of your LAN (optional). - -The script sets up the automatic start Nginx and Certbot. - -Assumes that electrs is already installed. +Forward the port 50002 on the router to be able to access electrs from the outside of the LAN. Can be used as the secure backend of: - Eclair Mobile Bitcoin and Ligthtning wallet - Electrum wallet + Electrum wallet (desktop and mobile) BitBox App -Take a look: [3_Nginx_and_Certbot_for_SSL.sh](3_Nginx_and_Certbot_for_SSL.sh) +For the Eclair Mobile Bitcoin and Ligthtning wallet the server needs to have a CA validated certificate +for which the usage of certbot/letsencypt is required. 
-To download and run on the RaspiBlitz: -`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/3_Nginx_and_Certbot_for_SSL.sh && bash 3_Nginx_and_Certbot_for_SSL.sh` +### Tor Hidden Service + +The easiest option is to activate Tor on the RaspiBlitz + on the computer used for Electrum and [configure a Tor Hidden Service for Electrs](Tor_Hidden_Service_for_Electrs.md) + +### Reverse SSH tunnel +See the guide from @cryptomulde to connect to a VPS through a reverse ssh tunnel: https://medium.com/@cryptomulde/private-electrum-server-electrs-for-your-raspiblitz-full-node-without-forwarding-ports-417e4c3af975 --- @@ -139,7 +113,9 @@ Shared experiences: * https://github.com/openoms/bitcoin-tutorials/issues/2 If you run into problems: -* try to run the commands manually one-by-one, spot which is causing the problem and copy the output + +* if after a reinstall Electrum would not connect try deleting the relevant certificate form the .electrum/certs directory on your desktop. +* try to run the commands manually one-by-one, spot which is causing the problem and copy the output * open an issue here with the details and I will be happy to help to solve it * join the Community Raspiblitz Telegram group on https://t.me/raspiblitz From f1914ff6a1205dc1a3f0c6a21d294d6137ab7269 Mon Sep 17 00:00:00 2001 
From: openoms Date: Sun, 22 Sep 2019 01:21:25 +0100 Subject: [PATCH 5/8] electrs: reorganize files --- electrs/1_electrs_on_RaspiBlitz.sh | 100 ------------------ electrs/assets/certbot.service | 17 --- electrs/assets/certbot.timer | 12 --- electrs/assets/electrs.service | 20 ---- ...electrum_install.sh => electrum_wallet.sh} | 0 .../2_electrs_systemd_service.sh | 0 electrs/{ => modules}/3_SSL.sh | 0 electrs/{ => modules}/certbot.sh | 0 .../{ => testnet}/t1_electrs_on_RaspiBlitz.sh | 0 .../t2_electrs_systemd_service.sh | 0 10 files changed, 149 deletions(-) delete mode 100644 electrs/1_electrs_on_RaspiBlitz.sh delete mode 100644 electrs/assets/certbot.service delete mode 100644 electrs/assets/certbot.timer delete mode 100644 electrs/assets/electrs.service rename electrs/{4_electrum_install.sh => electrum_wallet.sh} (100%) rename electrs/{ => modules}/2_electrs_systemd_service.sh (100%) rename electrs/{ => modules}/3_SSL.sh (100%) rename electrs/{ => modules}/certbot.sh (100%) rename electrs/{ => testnet}/t1_electrs_on_RaspiBlitz.sh (100%) rename electrs/{ => testnet}/t2_electrs_systemd_service.sh (100%) diff --git a/electrs/1_electrs_on_RaspiBlitz.sh b/electrs/1_electrs_on_RaspiBlitz.sh deleted file mode 100644 index c8ff14b..0000000 --- a/electrs/1_electrs_on_RaspiBlitz.sh +++ /dev/null 
@@ -1,100 +0,0 @@ -# Download and run this script on the RaspiBlitz: -# $ wget https://github.com/openoms/bitcoin-tutorials/raw/master/electrs/electrs_install_on_RaspiBlitz.sh && bash electrs_install_on_RaspiBlitz.sh - -# https://github.com/romanz/electrs/blob/master/doc/usage.md - -echo "" -echo "***" -echo "Creating the electrs user" -echo "***" -echo "" -sudo adduser --disabled-password --gecos "" electrs -cd /home/electrs - -echo "" -echo "***" -echo "Installing Rust" -echo "***" -echo "" -sudo -u electrs curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sudo -u electrs sh -s -- -y -#source $HOME/.cargo/env -sudo apt update -sudo apt install -y clang cmake # for building 'rust-rocksdb' - -echo "" -echo "***" -echo "Downloading and building electrs. This will take ~30 minutes" # ~22 min on an Odroid XU4 -echo "***" -echo "" -sudo -u electrs git clone https://github.com/romanz/electrs -cd /home/electrs/electrs -sudo -u electrs /home/electrs/.cargo/bin/cargo build --release - -echo "" -echo "***" -echo "The electrs database will be built in /mnt/hdd/electrs/db. 
Takes ~18 hours and ~50Gb diskspace" -echo "***" -echo "" -sudo mkdir /mnt/hdd/electrs 2>/dev/null -sudo chown -R electrs:electrs /mnt/hdd/electrs - -echo "" -echo "***" -echo "getting RPC credentials from the bitcoin.conf" -echo "***" -echo "" -#echo "Type the PASSWORD B of your RaspiBlitz followed by [ENTER] (needed for Electrs to access the bitcoind RPC):" -#read PASSWORD_B -RPC_USER=$(sudo cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcuser | cut -c 9-) -PASSWORD_B=$(sudo cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcpassword | cut -c 13-) -echo "Done" - -echo "" -echo "***" -echo "generating electrs.toml setting file with the RPC passwords" -echo "***" -echo "" -# generate setting file: https://github.com/romanz/electrs/issues/170#issuecomment-530080134 -# https://github.com/romanz/electrs/blob/master/doc/usage.md#configuration-files-and-environment-variables - -sudo rm -f /home/electrs/.electrs/config.toml -sudo -u electrs mkdir /home/electrs/.electrs 2>/dev/null - -touch /home/admin/config.toml -chmod 600 /home/admin/config.toml || exit 1 -cat > /home/admin/config.toml < Date: Sun, 22 Sep 2019 01:27:19 +0100 Subject: [PATCH 6/8] electrs: make self signed cert valid for 5 years --- electrs/electrs_to_RaspiBlitz.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/electrs/electrs_to_RaspiBlitz.sh b/electrs/electrs_to_RaspiBlitz.sh index 3647012..92d328d 100644 --- a/electrs/electrs_to_RaspiBlitz.sh +++ b/electrs/electrs_to_RaspiBlitz.sh @@ -146,7 +146,7 @@ DNS.2 = 127.0.0.1 " | sudo tee /mnt/hdd/electrs/localhost.conf cd /mnt/hdd/electrs -sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf +sudo openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf sudo cp localhost.crt /etc/ssl/certs/localhost.crt sudo cp localhost.key /etc/ssl/private/localhost.key From a50c45e96c89d42a8769703b775678bb992f9e72 Mon Sep 17 00:00:00 2001 
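Review bot: `-days 1825` is a bare magic number in `sudo openssl req -x509 -nodes -days 1825 ...` and the commit message only states the new value, not why; a comment such as `# 5-year validity: Electrum keeps the certificate it first saw, so a short lifetime would force clients to re-accept it` (the README describes that re-accept step, so this is the presumable rationale) records it. A matching note that re-running this section is the only way the key in /etc/ssl/private gets rotated during those five years would help operators. The deleted 1_electrs_on_RaspiBlitz.sh hunk above is a pure removal and needs no review.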
From: openoms Date: Sun, 22 Sep 2019 14:35:02 +0100 Subject: [PATCH 7/8] electrs: update readme --- electrs/README.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/electrs/README.md b/electrs/README.md index c193a15..3d6e5d1 100644 --- a/electrs/README.md +++ b/electrs/README.md @@ -51,7 +51,6 @@ Look for the output: electrs 2532 admin 17u IPv4 32885 0t0 TCP *:50001 (LISTEN) ``` - --- ## Install Electrum wallet on your desktop @@ -64,17 +63,20 @@ Follow the instructions on https://electrum.org/#download The instruction are in the script: [electrum_wallet.sh](electrum_wallet.sh) Tested on Ubuntu 18.04. To download and run on the Linux desktop: -`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/4_electrum_install.sh && bash 4_electrum_install.sh` +`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/electrum_wallet.sh && bash electrum_wallet.sh` ### Connect the Electrum wallet to Electrs: -For an unencrypted TCP connection (suitable inside a secure LAN): +For an unencrypted TCP connection (only to be used inside a secure LAN): `electrum --oneserver --server RASPIBLITZ_IP:50001:t` -To connect through SSL (requires setting up the Nginx server): +To connect through SSL: `electrum --oneserver --server YOUR_DOMAIN:50002:s` +After a reinstall will need to delete the SSL certificate from the Electrum data directory to be able to connect again to the same domain: +* on Linux delete the relevant file from the `~/.electrs/certs` directory + --- ## Remote connection options 
@@ -89,12 +91,11 @@ Can be used as the secure backend of: Electrum wallet (desktop and mobile) BitBox App -For the Eclair Mobile Bitcoin and Ligthtning wallet the server needs to have a CA validated certificate -for which the usage of certbot/letsencypt is required. +For the Eclair Mobile Bitcoin and Lightning wallet the server needs to have a CA validated certificate for which the usage of certbot/letsencypt is required. ### Tor Hidden Service -The easiest option is to activate Tor on the RaspiBlitz + on the computer used for Electrum and [configure a Tor Hidden Service for Electrs](Tor_Hidden_Service_for_Electrs.md) +Need to activate Tor on the RaspiBlitz + on the computer used for Electrum and [configure a Tor Hidden Service for Electrs](Tor_Hidden_Service_for_Electrs.md) ### Reverse SSH tunnel See the guide from @cryptomulde to connect to a VPS through a reverse ssh tunnel: https://medium.com/@cryptomulde/private-electrum-server-electrs-for-your-raspiblitz-full-node-without-forwarding-ports-417e4c3af975 @@ -114,9 +115,8 @@ Shared experiences: If you run into problems: -* if after a reinstall Electrum would not connect try deleting the relevant certificate form the .electrum/certs directory on your desktop. +* if after a reinstall Electrum would not connect try deleting the relevant certificate from the .electrum/certs directory on your desktop. * try to run the commands manually one-by-one, spot which is causing the problem and copy the output * open an issue here with the details and I will be happy to help to solve it -* join the Community Raspiblitz Telegram group on https://t.me/raspiblitz Bear in mind that this guide and the parts used are free-opensource projects, you use them at your own responsibility and there are no guarantees of any kind. \ No newline at end of file From 0e8b340ece888871e68f41f436ba39cf57567135 Mon Sep 17 00:00:00 2001 
From: openoms Date: Sun, 22 Sep 2019 14:35:51 +0100 Subject: [PATCH 8/8] electrs: set default settings for the SSL cert --- electrs/electrs_to_RaspiBlitz.sh | 36 +++++++++++++------------------- 1 file changed, 15 insertions(+), 21 deletions(-) diff --git a/electrs/electrs_to_RaspiBlitz.sh b/electrs/electrs_to_RaspiBlitz.sh index 92d328d..d310635 100644 --- a/electrs/electrs_to_RaspiBlitz.sh +++ b/electrs/electrs_to_RaspiBlitz.sh @@ -3,6 +3,12 @@ # https://github.com/romanz/electrs/blob/master/doc/usage.md +#cleanup +sudo systemctl stop electrs +sudo systemctl disable electrs +sudo rm -f /etc/systemd/system/electrs.service +sudo rm -f /home/electrs/.electrs/config.toml + echo "" echo "***" echo "Creating the electrs user" @@ -57,9 +63,7 @@ echo "" # generate setting file: https://github.com/romanz/electrs/issues/170#issuecomment-530080134 # https://github.com/romanz/electrs/blob/master/doc/usage.md#configuration-files-and-environment-variables -sudo rm -f /home/electrs/.electrs/config.toml sudo -u electrs mkdir /home/electrs/.electrs 2>/dev/null - touch /home/admin/config.toml chmod 600 /home/admin/config.toml || exit 1 cat > /home/admin/config.toml <
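Review bot: The new cleanup block removes the unit file with `sudo rm -f /etc/systemd/system/electrs.service` but never reloads systemd, so the manager keeps the stale unit definition loaded until the later `systemctl enable`; add `sudo systemctl daemon-reload` directly after the `rm -f`. On a fresh install `sudo systemctl stop electrs` and `sudo systemctl disable electrs` print errors for a unit that does not exist yet; redirecting their stderr with a comment that the failure is expected on first run keeps the output readable without hiding anything else. The second hunk of this patch (`@@ -57,9 +63,7 @@`) is cut off at the end of this view and was not reviewed.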