Merge pull request #14 from openoms/electrs_dev

Unify scripts
This commit is contained in:
bluecell296
2019-09-22 14:37:03 +01:00
committed by GitHub
12 changed files with 461 additions and 283 deletions


@@ -1,107 +0,0 @@
# Download and run this script on the RaspiBlitz:
# $ wget https://github.com/openoms/bitcoin-tutorials/raw/master/electrs/electrs_install_on_RaspiBlitz.sh && bash electrs_install_on_RaspiBlitz.sh
# https://github.com/romanz/electrs/blob/master/doc/usage.md
echo ""
echo "***"
echo "Creating the electrs user"
echo "***"
echo ""
sudo adduser --disabled-password --gecos "" electrs
cd /home/electrs
echo ""
echo "***"
echo "Installing Rust"
echo "***"
echo ""
sudo -u electrs curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sudo -u electrs sh -s -- -y
#source $HOME/.cargo/env
sudo apt update
sudo apt install -y clang cmake # for building 'rust-rocksdb'
echo ""
echo "***"
echo "Downloading and building electrs. This will take ~30 minutes" # ~22 min on an Odroid XU4
echo "***"
echo ""
sudo -u electrs git clone https://github.com/romanz/electrs
cd /home/electrs/electrs
sudo -u electrs /home/electrs/.cargo/bin/cargo build --release
echo ""
echo "***"
echo "The electrs database will be built in /mnt/hdd/electrs/db. Takes ~18 hours and ~50Gb diskspace"
echo "***"
echo ""
sudo mkdir /mnt/hdd/electrs 2>/dev/null
sudo chown -R electrs:electrs /mnt/hdd/electrs
echo ""
echo "***"
echo "getting RPC credentials from the bitcoin.conf"
echo "***"
echo ""
#echo "Type the PASSWORD B of your RaspiBlitz followed by [ENTER] (needed for Electrs to access the bitcoind RPC):"
#read PASSWORD_B
RPC_USER=$(sudo cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcuser | cut -c 9-)
PASSWORD_B=$(sudo cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcpassword | cut -c 13-)
echo "Done"
echo ""
echo "***"
echo "generating electrs.toml setting file with the RPC passwords"
echo "***"
echo ""
# generate setting file: https://github.com/romanz/electrs/issues/170#issuecomment-530080134
# https://github.com/romanz/electrs/blob/master/doc/usage.md#configuration-files-and-environment-variables
sudo rm -f /home/electrs/.electrs/config.toml
sudo -u electrs mkdir /home/electrs/.electrs 2>/dev/null
touch /home/admin/config.toml
chmod 600 /home/admin/config.toml || exit 1
cat > /home/admin/config.toml <<EOF
verbose = 4
timestamp = true
jsonrpc_import = true
db_dir = "/mnt/hdd/electrs/db"
cookie = "$RPC_USER:$PASSWORD_B"
EOF
sudo mv /home/admin/config.toml /home/electrs/.electrs/config.toml
sudo chown electrs:electrs /home/electrs/.electrs/config.toml
echo ""
echo "***"
echo "Open port 50001 on UFW "
echo "***"
echo ""
sudo ufw allow 50001
echo ""
echo "***"
echo "Checking for config.toml"
echo "***"
echo ""
if [ ! -f "/home/electrs/.electrs/config.toml" ]
then
echo "Failed to create config.toml"
exit 1
else
echo "OK"
fi
echo ""
echo "***"
echo "Start Electrs "
echo "***"
echo ""
sudo -u electrs /home/electrs/.cargo/bin/cargo run --release -- --index-batch-size=10 --electrum-rpc-addr="0.0.0.0:50001"
# to preserve settings:
# see https://github.com/romanz/electrs/blob/master/src/config.rs
# sudo nano $HOME/electrs/src/config.rs
# change the lines:
# 73: from: .takes_value(true), to: .default_value("raspibolt:PASSWORD B"),
# 132: from .default_value("Welcome to electrs (Electrum Rust Server)!") to your custom message


@@ -11,29 +11,16 @@ Tested on:
* Odroid HC1 and XU4 (~18 hours)
* Raspberry Pi 3 B+ (~two days to build the database from scratch). For the RPi3 the lighter weight [Electrum Personal Server](https://stadicus.github.io/RaspiBolt/raspibolt_64_electrum.html) is a good alternative, but only watches the preconfigured addresses and xpubs.
## Install Electrs
The install instructions are adapted to the RaspiBlitz are in this script, take a look: [1_electrs_on_RaspiBlitz.sh](1_electrs_on_RaspiBlitz.sh)
## [Install Electrs](1_electrs_on_RaspiBlitz.sh)
To download and run on the RaspiBlitz (logged in as the user `admin`):
`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/1_electrs_on_RaspiBlitz.sh && bash 1_electrs_on_RaspiBlitz.sh`
`$ wget https://github.com/openoms/bitcoin-tutorials/raw/master/electrs/electrs_to_RaspiBlitz.sh && bash electrs_to_RaspiBlitz.sh`
This will only run the server until the terminal window is open.
To restart electrs manually run:
`$ sudo -u electrs /home/electrs/electrs/target/release/electrs --index-batch-size=10 --electrum-rpc-addr="0.0.0.0:50001"`
or install the Electrs systemd service (next step)
---
## Set up the Electrs systemd service
Set up the systemd service to run electrs continuously in the background.
Take a look: [2_electrs_systemd_service.sh](2_electrs_systemd_service.sh)
To download and run:
`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/2_electrs_systemd_service.sh && bash 2_electrs_systemd_service.sh`
This will install:
* Rust
* Electrs
* Nginx for connecting through SSL with a self-signed certificate
* Tor Hidden Service if Tor is active
If running the always-on electrs service is taking up too much RAM of your RPi3 stop it with:
`$ sudo systemctl stop electrs`
@@ -64,7 +51,6 @@ Look for the output:
electrs 2532 admin 17u IPv4 32885 0t0 TCP *:50001 (LISTEN)
```
---
## Install Electrum wallet on your desktop
@@ -74,56 +60,45 @@ electrs 2532 admin 17u IPv4 32885 0t0 TCP *:50001 (LISTEN)
Follow the instructions on https://electrum.org/#download
### Linux desktop: install, configure and run the Electrum wallet
The instruction are in the script: [4_electrum_install.sh](4_electrum_install.sh)
The instruction are in the script: [electrum_wallet.sh](electrum_wallet.sh)
Tested on Ubuntu 18.04.
To download and run on the Linux desktop:
`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/4_electrum_install.sh && bash 4_electrum_install.sh`
`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/electrum_wallet.sh && bash electrum_wallet.sh`
### Connect the Electrum wallet to Electrs:
For an unencrypted TCP connection (suitable inside a secure LAN):
For an unencrypted TCP connection (only to be used inside a secure LAN):
`electrum --oneserver --server RASPIBLITZ_IP:50001:t`
To connect through SSL (requires setting up the Nginx server):
To connect through SSL:
`electrum --oneserver --server YOUR_DOMAIN:50002:s`
After a reinstall will need to delete the SSL certificate from the Electrum data directory to be able to connect again to the same domain:
* on Linux delete the relevant file from the `~/.electrs/certs` directory
---
## Remote connection options
Any communication outside a secure LAN must be encrypted.
### Tor Hidden Service
### Remote SSL connection
The easiest option is to activate Tor on the RaspiBlitz + on the computer used for Electrum and [configure a Tor Hidden Service for Electrs](Tor_Hidden_Service_for_Electrs.md)
### Reverse SSH tunnel
See the guide from @cryptomulde to connect to a VPS through a reverse ssh tunnel: https://medium.com/@cryptomulde/private-electrum-server-electrs-for-your-raspiblitz-full-node-without-forwarding-ports-417e4c3af975
The more secure option is to continue with setting up the SSL connection as described in the next section.
### Nginx and Certbot to serve an SSL connection
For the SSL certificate to be obtained successfully a **dynamic DNS** and **port forwarding is necessary**.
Forward the port 80 to the IP of your RaspiBlitz for Certbot.
Forward the port 50002 to be able to access electrs from the outside of your LAN (optional).
The script sets up the automatic start Nginx and Certbot.
Assumes that electrs is already installed.
Forward the port 50002 on the router to be able to access electrs from the outside of the LAN.
Can be used as the secure backend of:
Eclair Mobile Bitcoin and Ligthtning wallet
Electrum wallet
Electrum wallet (desktop and mobile)
BitBox App
Take a look: [3_Nginx_and_Certbot_for_SSL.sh](3_Nginx_and_Certbot_for_SSL.sh)
For the Eclair Mobile Bitcoin and Lightning wallet the server needs to have a CA validated certificate for which the usage of certbot/letsencypt is required.
To download and run on the RaspiBlitz:
`$ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/3_Nginx_and_Certbot_for_SSL.sh && bash 3_Nginx_and_Certbot_for_SSL.sh`
### Tor Hidden Service
Need to activate Tor on the RaspiBlitz + on the computer used for Electrum and [configure a Tor Hidden Service for Electrs](Tor_Hidden_Service_for_Electrs.md)
### Reverse SSH tunnel
See the guide from @cryptomulde to connect to a VPS through a reverse ssh tunnel: https://medium.com/@cryptomulde/private-electrum-server-electrs-for-your-raspiblitz-full-node-without-forwarding-ports-417e4c3af975
---
@@ -139,8 +114,9 @@ Shared experiences:
* https://github.com/openoms/bitcoin-tutorials/issues/2
If you run into problems:
* try to run the commands manually one-by-one, spot which is causing the problem and copy the output
* if after a reinstall Electrum would not connect try deleting the relevant certificate from the .electrum/certs directory on your desktop.
* try to run the commands manually one-by-one, spot which is causing the problem and copy the output
* open an issue here with the details and I will be happy to help to solve it
* join the Community Raspiblitz Telegram group on https://t.me/raspiblitz
Bear in mind that this guide and the parts used are free-opensource projects, you use them at your own responsibility and there are no guarantees of any kind.


@@ -1,17 +0,0 @@
# RaspiBlitz systemd service unit for certbot-auto renewal timer
[Unit]
Description=Electrs
After=bitcoind.service
[Service]
WorkingDirectory=/home/admin/
ExecStart=/home/admin/certbot-auto renew
User=admin
Group=admin
Type=simple
KillMode=process
TimeoutSec=60
Restart=always
RestartSec=60


@@ -1,12 +0,0 @@
# RaspiBlitz systemd timer unit for certbot-auto renewal service
[Unit]
Description=Certbot-auto renewal service
[Timer]
OnBootSec=20min
OnCalendar=*-*-* 4:00:00
OnCalendar=*-*-* 16:00:00
[Install]
WantedBy=timers.target


@@ -1,20 +0,0 @@
# RaspiBlitz systemd unit for electrs
[Unit]
Description=Electrs
After=bitcoind.service
[Service]
WorkingDirectory=/home/admin/electrs
ExecStart=/home/admin/electrs/target/release/electrs --index-batch-size=10 --jsonrpc_import --db-dir /mnt/hdd/electrs/db --electrum-rpc-addr="0.0.0.0:50001"
User=admin
Group=admin
Type=simple
KillMode=process
TimeoutSec=60
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target


@@ -0,0 +1,281 @@
# Download and run this script on the RaspiBlitz:
# $ wget https://github.com/openoms/bitcoin-tutorials/raw/master/electrs/electrs_to_RaspiBlitz.sh && bash electrs_to_RaspiBlitz.sh
# https://github.com/romanz/electrs/blob/master/doc/usage.md
#cleanup
sudo systemctl stop electrs
sudo systemctl disable electrs
sudo rm -f /etc/systemd/system/electrs.service
sudo rm -f /home/electrs/.electrs/config.toml
echo ""
echo "***"
echo "Creating the electrs user"
echo "***"
echo ""
sudo adduser --disabled-password --gecos "" electrs
cd /home/electrs
echo ""
echo "***"
echo "Installing Rust"
echo "***"
echo ""
sudo -u electrs curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sudo -u electrs sh -s -- -y
#source $HOME/.cargo/env
sudo apt update
sudo apt install -y clang cmake # for building 'rust-rocksdb'
echo ""
echo "***"
echo "Downloading and building electrs. This will take ~30 minutes" # ~22 min on an Odroid XU4
echo "***"
echo ""
sudo -u electrs git clone https://github.com/romanz/electrs
cd /home/electrs/electrs
sudo -u electrs /home/electrs/.cargo/bin/cargo build --release
echo ""
echo "***"
echo "The electrs database will be built in /mnt/hdd/electrs/db. Takes ~18 hours and ~50Gb diskspace"
echo "***"
echo ""
sudo mkdir /mnt/hdd/electrs 2>/dev/null
sudo chown -R electrs:electrs /mnt/hdd/electrs
echo ""
echo "***"
echo "getting RPC credentials from the bitcoin.conf"
echo "***"
echo ""
#echo "Type the PASSWORD B of your RaspiBlitz followed by [ENTER] (needed for Electrs to access the bitcoind RPC):"
#read PASSWORD_B
RPC_USER=$(sudo cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcuser | cut -c 9-)
PASSWORD_B=$(sudo cat /mnt/hdd/bitcoin/bitcoin.conf | grep rpcpassword | cut -c 13-)
echo "Done"
echo ""
echo "***"
echo "generating electrs.toml setting file with the RPC passwords"
echo "***"
echo ""
# generate setting file: https://github.com/romanz/electrs/issues/170#issuecomment-530080134
# https://github.com/romanz/electrs/blob/master/doc/usage.md#configuration-files-and-environment-variables
sudo -u electrs mkdir /home/electrs/.electrs 2>/dev/null
touch /home/admin/config.toml
chmod 600 /home/admin/config.toml || exit 1
cat > /home/admin/config.toml <<EOF
verbose = 4
timestamp = true
jsonrpc_import = true
db_dir = "/mnt/hdd/electrs/db"
cookie = "$RPC_USER:$PASSWORD_B"
EOF
sudo mv /home/admin/config.toml /home/electrs/.electrs/config.toml
sudo chown electrs:electrs /home/electrs/.electrs/config.toml
echo ""
echo "***"
echo "Open port 50001 on UFW "
echo "***"
echo ""
sudo ufw allow 50001
echo ""
echo "***"
echo "Checking for config.toml"
echo "***"
echo ""
if [ ! -f "/home/electrs/.electrs/config.toml" ]
then
echo "Failed to create config.toml"
exit 1
else
echo "OK"
fi
echo ""
echo "***"
echo "installing Nginx"
echo "***"
echo ""
sudo apt-get install -y nginx
sudo /etc/init.d/nginx start
echo ""
echo "***"
echo "Create a self signed SSL certificate"
echo "***"
echo ""
#https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
#https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
echo "
[req]
prompt = no
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
C = US
ST = California
L = Los Angeles
O = Our Company Llc
#OU = Org Unit Name
CN = Our Company Llc
#emailAddress = info@example.com
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
" | sudo tee /mnt/hdd/electrs/localhost.conf
cd /mnt/hdd/electrs
sudo openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
sudo cp localhost.crt /etc/ssl/certs/localhost.crt
sudo cp localhost.key /etc/ssl/private/localhost.key
echo ""
echo "***"
echo "Setting up nginx.conf"
echo "***"
echo ""
isElectrs=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'upstream electrs')
if [ ${isElectrs} -gt 0 ]; then
echo "electrs is already configured with Nginx. To edit manually run \`sudo nano /etc/nginx/nginx.conf\`"
elif [ ${isElectrs} -eq 0 ]; then
isStream=$(sudo cat /etc/nginx/nginx.conf 2>/dev/null | grep -c 'stream {')
if [ ${isStream} -eq 0 ]; then
echo "
stream {
upstream electrs {
server 127.0.0.1:50001;
}
server {
listen 50002 ssl;
proxy_pass electrs;
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
ssl_session_cache shared:SSL-electrs:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
}
}" | sudo tee -a /etc/nginx/nginx.conf
elif [ ${isStream} -eq 1 ]; then
sudo truncate -s-2 /etc/nginx/nginx.conf
echo "
upstream electrs {
server 127.0.0.1:50001;
}
server {
listen 50002 ssl;
proxy_pass electrs;
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
ssl_session_cache shared:SSL-electrs:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
}
}" | sudo tee -a /etc/nginx/nginx.conf
elif [ ${isStream} -gt 1 ]; then
echo " Too many \`stream\` commands in nginx.conf. Please edit manually: \`sudo nano /etc/nginx/nginx.conf\` and retry"
exit 1
fi
fi
echo "allow port 50002 on ufw"
sudo ufw allow 50002
sudo systemctl enable nginx
sudo systemctl restart nginx
echo ""
echo "***"
echo "Installing the systemd service"
echo "***"
echo ""
# sudo nano /etc/systemd/system/electrs.service
echo "
[Unit]
Description=Electrs
After=bitcoind.service
[Service]
WorkingDirectory=/home/electrs/electrs
ExecStart=/home/electrs/electrs/target/release/electrs --index-batch-size=10 --electrum-rpc-addr=\"0.0.0.0:50001\"
User=electrs
Group=electrs
Type=simple
KillMode=process
TimeoutSec=60
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
" | sudo tee -a /etc/systemd/system/electrs.service
# Hidden Service for electrs if Tor active
source /mnt/hdd/raspiblitz.conf
if [ "${runBehindTor}" = "on" ]; then
isElectrsTor=$(sudo cat /etc/tor/torrc 2>/dev/null | grep -c 'electrs')
if [ ${isElectrsTor} -eq 0 ]; then
echo "
# Hidden Service for Electrum Server
HiddenServiceDir /mnt/hdd/tor/electrs
HiddenServiceVersion 3
HiddenServicePort 50001 127.0.0.1:50001
" | sudo tee -a /etc/tor/torrc
sudo systemctl restart tor
sudo systemctl restart tor@default
fi
TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/electrs/hostname)
echo ""
echo "***"
echo "The hidden service address for electrs is:"
echo "$TOR_ADDRESS"
echo "***"
echo ""
fi
echo ""
echo "***"
echo "Starting electrs in the background"
echo "***"
echo ""
# sudo -u electrs /home/electrs/.cargo/bin/cargo run --release -- --index-batch-size=10 --electrum-rpc-addr="0.0.0.0:50001"
sudo systemctl enable electrs
sudo systemctl start electrs
echo ""
echo "To connect from outside of the local network make sure the port 50002 is forwarded on the router"
echo "Electrum wallet: start with the options \`electrum --oneserver --server RaspiBlitz_IP:50002:s\`"
echo ""
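Review bot: Both nginx `stream` snippets written by the `isStream` branches set `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`, so the port-50002 endpoint that the closing message advertises for connections from outside the LAN still negotiates the deprecated TLS 1.0 and 1.1; `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the installed nginx supports it) would limit the listener to current protocol versions. The `sudo truncate -s-2 /etc/nginx/nginx.conf` branch assumes the file ends with the closing brace of the `stream` block plus a newline; if a different block is last, its brace is dropped and the appended `upstream`/`server` lines land in the wrong context, so writing the snippet to its own file that the `stream` block includes would be more robust. In the Tor branch, `TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/electrs/hostname)` runs immediately after `systemctl restart tor`, and on a first run the hostname file may not exist yet, so a short wait-for-file loop before the `cat` would make the printed address reliable; the same block is added verbatim in the `@@ -31,3 +31,29 @@` hunk of the systemd-service script below. Finally, `RPC_USER`/`PASSWORD_B` are extracted with `grep rpcuser | cut -c 9-` and `grep rpcpassword | cut -c 13-`, which also match commented-out or differently spaced lines; `grep -E '^rpcuser='` with `cut -d= -f2-` is stricter.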


@@ -31,3 +31,29 @@ WantedBy=multi-user.target
sudo systemctl enable electrs
sudo systemctl start electrs
# Hidden Service for electrs if Tor active
source /mnt/hdd/raspiblitz.conf
if [ "${runBehindTor}" = "on" ]; then
isElectrsTor=$(sudo cat /etc/tor/torrc 2>/dev/null | grep -c 'electrs')
if [ ${isElectrsTor} -eq 0 ]; then
echo "
# Hidden Service for Electrum Server
HiddenServiceDir /mnt/hdd/tor/electrs
HiddenServiceVersion 3
HiddenServicePort 50001 127.0.0.1:50001
" | sudo tee -a /etc/tor/torrc
sudo systemctl restart tor
sudo systemctl restart tor@default
fi
TOR_ADDRESS=$(sudo cat /mnt/hdd/tor/electrs/hostname)
echo ""
echo "***"
echo "The hidden service address for electrs is:"
echo "$TOR_ADDRESS"
echo "***"
echo ""
fi


@@ -4,27 +4,6 @@
# To download and run:
# $ wget https://raw.githubusercontent.com/openoms/bitcoin-tutorials/master/electrs/3_Nginx_and_Certbot_for_SSL.sh && bash 3_Nginx_and_Certbot_for_SSL.sh
# For the certificate to be obtained successfully a dynamic DNS and port forwarding is needed
# Need to forward port 80 to the IP of your RaspiBlitz for certbot
# Forward port 50002 to be able to access you electrs from outside of your LAN
# https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md
echo ""
echo "***"
echo "Please type the domain/dynamicDNS you want to use for Electrs and press [ENTER]"
read YOUR_DOMAIN
echo ""
echo "***"
echo "Please type an email that will be used to register the SSL certificate and press [ENTER]"
read YOUR_EMAIL
echo ""
echo "***"
echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]"
read key
echo ""
echo "***"
echo "installing Nginx"
@@ -34,70 +13,58 @@ echo ""
sudo apt-get install -y nginx
sudo /etc/init.d/nginx start
echo "allow port 80 on ufw"
sudo ufw allow 80
# https://certbot.eff.org/lets-encrypt/debianother-nginx
echo ""
echo "***"
echo "Installing certbot"
echo "Will ask for an email address and a domain name - a dynamic DNS can be used"
echo "Use the default settings in the other options"
echo "Create a self signed SSL certificate"
echo "***"
echo ""
#wget https://dl.eff.org/certbot-auto
#chmod +x certbot-auto
#sudo ./certbot-auto --nginx
sudo apt install -y certbot
# get SSL cert
sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start"
# Your certificate and chain have been saved at:
# /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem
# Your key file has been saved at:
# /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem
echo ""
echo "***"
echo "Setting up certbot-auto renewal service"
echo "***"
echo ""
#https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes
#https://stackoverflow.com/questions/8075274/is-it-possible-making-openssl-skipping-the-country-common-name-prompts
echo "
[Unit]
Description=Certbot-auto renewal service
[req]
prompt=no
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[Timer]
OnBootSec=20min
OnCalendar=*-*-* 4:00:00
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = Rochester
organizationName = Organization Name (eg, company)
organizationName_default = localhost
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
[Install]
WantedBy=timers.target
" | sudo tee -a /etc/systemd/system/certbot.timer
[req_ext]
subjectAltName = @alt_names
echo "
[Unit]
Description=Certbot-auto renewal service
After=bitcoind.service
[v3_ca]
subjectAltName = @alt_names
[Service]
WorkingDirectory=/home/admin/
ExecStart=sudo certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\"
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
" | sudo tee /mnt/hdd/electrs/localhost.conf
User=admin
Group=admin
Type=simple
KillMode=process
TimeoutSec=60
Restart=always
RestartSec=60
" | sudo tee -a /etc/systemd/system/certbot.service
cd /mnt/hdd/electrs
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
sudo systemctl enable certbot.timer
sudo cp localhost.crt /etc/ssl/certs/localhost.crt
sudo cp localhost.key /etc/ssl/private/localhost.key
echo ""
echo "***"
echo "Setting up nginx.conf"
echo "***"
echo ""
@@ -119,8 +86,8 @@ stream {
server {
listen 50002 ssl;
proxy_pass electrs;
ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem;
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
ssl_session_cache shared:SSL-electrs:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
@@ -138,8 +105,8 @@ stream {
server {
listen 50002 ssl;
proxy_pass electrs;
ssl_certificate /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem;
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
ssl_session_cache shared:SSL-electrs:1m;
ssl_session_timeout 4h;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
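Review bot: The new `localhost.conf` written to `/mnt/hdd/electrs` sets `prompt=no` but then lists the distinguished-name fields in the interactive form (`countryName = Country Name (2 letter code)` with separate `_default` lines); with `prompt=no` openssl takes the right-hand side as the literal field value, so the country field becomes the 27-character prompt text and the following `sudo openssl req -x509 ... -config localhost.conf` is expected to fail, leaving nginx pointing at a missing `localhost.crt`. The unified `electrs_to_RaspiBlitz.sh` added in this same commit uses the direct form (`C = US`, `ST = California`, `CN = Our Company Llc`), which is the one to copy here. The `-days 365` also differs from the `-days 1825` used there; whichever is intended, the two scripts should agree. The unchanged `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` lines in the two later hunks still allow TLS 1.0/1.1 on port 50002 and would benefit from the same `ssl_protocols TLSv1.2;` tightening.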


@@ -0,0 +1,84 @@
# For the certificate to be obtained successfully a dynamic DNS and port forwarding is needed
# Need to forward port 80 to the IP of your RaspiBlitz for certbot
# Forward port 50002 to be able to access you electrs from outside of your LAN
# https://www.raspberrypi.org/documentation/remote-access/web-server/nginx.md
echo ""
echo "***"
echo "Please type the domain/dynamicDNS you want to use for Electrs and press [ENTER]"
read YOUR_DOMAIN
echo ""
echo "***"
echo "Please type an email that will be used to register the SSL certificate and press [ENTER]"
read YOUR_EMAIL
echo ""
echo "***"
echo "Please confirm that the port 80 is forwarded to the IP of the RaspiBlitz by pressing [ENTER]"
read key
echo "allow port 80 on ufw"
sudo ufw allow 80
# https://certbot.eff.org/lets-encrypt/debianother-nginx
echo ""
echo "***"
echo "Installing certbot"
echo "Will ask for an email address and a domain name - a dynamic DNS can be used"
echo "Use the default settings in the other options"
echo "***"
echo ""
#wget https://dl.eff.org/certbot-auto
#chmod +x certbot-auto
#sudo ./certbot-auto --nginx
sudo apt install -y certbot
# get SSL cert
sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN --pre-hook "service nginx stop" --post-hook "service nginx start"
# Your certificate and chain have been saved at:
# /etc/letsencrypt/live/$YOUR_DOMAIN/fullchain.pem
# Your key file has been saved at:
# /etc/letsencrypt/live/$YOUR_DOMAIN/privkey.pem
echo ""
echo "***"
echo "Setting up certbot-auto renewal service"
echo "***"
echo ""
echo "
[Unit]
Description=Certbot-auto renewal service
[Timer]
OnBootSec=20min
OnCalendar=*-*-* 4:00:00
[Install]
WantedBy=timers.target
" | sudo tee -a /etc/systemd/system/certbot.timer
echo "
[Unit]
Description=Certbot-auto renewal service
After=bitcoind.service
[Service]
WorkingDirectory=/home/admin/
ExecStart=sudo certbot renew --pre-hook \"service nginx stop\" --post-hook \"service nginx start\"
User=admin
Group=admin
Type=simple
KillMode=process
TimeoutSec=60
Restart=always
RestartSec=60
" | sudo tee -a /etc/systemd/system/certbot.service
sudo systemctl enable certbot.timer
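Review bot: `sudo certbot certonly -a standalone -m $YOUR_EMAIL --agree-tos -d $YOUR_DOMAIN ...` interpolates the two values read from the terminal unquoted, and `read` is used without `-r`, so a value containing whitespace or a backslash is split or altered before it reaches certbot; use `read -r YOUR_DOMAIN`, `read -r YOUR_EMAIL` and `-m "$YOUR_EMAIL" --agree-tos -d "$YOUR_DOMAIN"`. The `certbot.service` unit runs `ExecStart=sudo certbot renew ...` as `User=admin`, which only works if admin has passwordless sudo; renewal needs root anyway, so `User=root` with `ExecStart=/usr/bin/certbot renew ...` (no `sudo`) is the conventional form, and `After=bitcoind.service` has no bearing on certificate renewal. Both unit files are written with `tee -a`, so re-running the script appends duplicate sections rather than replacing them; plain `tee` (or removing the files first, as the unified script does for `electrs.service`) keeps them valid. `sudo ufw allow 80` leaves port 80 open permanently even though the standalone authenticator needs it only while certbot runs, so opening it in a `--pre-hook` and closing it in a `--post-hook` would narrow the exposure.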