From d9a154c287283803a942d054a61ca3fbf3a3bb37 Mon Sep 17 00:00:00 2001
From: openoms <oms@tuta.io>
Date: Thu, 2 Feb 2023 16:11:39 +0000
Subject: [PATCH] add nginx template for btcpayserver

---
 nginx/btcpayserver_subdomain.sh | 91 +++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 nginx/btcpayserver_subdomain.sh

diff --git a/nginx/btcpayserver_subdomain.sh b/nginx/btcpayserver_subdomain.sh
new file mode 100644
index 0000000..772d63b
--- /dev/null
+++ b/nginx/btcpayserver_subdomain.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# WOWRK IN PROGRESS
+
+echo "
+Input your email:
+"
+read EMAIL
+
+echo "
+Input a subdomain set up with an A record pointing to this server:
+eg.: btcpay.example.com
+"
+read SUBDOMAIN
+
+echo "
+Input the URL to be redirected to:
+eg.: https://192.168.1.42:23001
+"
+read REDIRECT
+
+sudo certbot certonly -a standalone -m $EMAIL --agree-tos \
+-d $SUBDOMAIN --expand -n --pre-hook "service nginx stop" \
+--post-hook "service nginx start" || exit 1
+
+# copy in place on a remote machine if needed
+#sudo cat /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem
+#sudo cat /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem
+
+# add to /etc/nginx/sites-available/
+cat EOF | sudo tee /etc/nginx/sites-available/${SUBDOMAIN}
+# sudo cat /etc/nginx/sites-enabled/${SUBDOMAIN}
+server {
+  listen 80;
+  listen 443 ssl;
+  server_name ${SUBDOMAIN};
+
+  ssl_certificate /etc/letsencrypt/live/${SUBDOMAIN}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/${SUBDOMAIN}/privkey.pem;
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_tickets off;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+  ssl_prefer_server_ciphers on;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+  ssl_trusted_certificate /etc/letsencrypt/live/${SUBDOMAIN}/chain.pem;
+
+  location / {
+    proxy_pass      ${REDIRECT};
+
+    # from https://github.com/rootzoll/raspiblitz/blob/v1.9/home.admin/assets/nginx/snippets/ssl-proxy-params.conf
+    proxy_redirect off;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+
+    proxy_read_timeout 600;
+    proxy_connect_timeout 600;
+    proxy_send_timeout 600;
+  }
+
+  location /.well-known/lnurlp/openoms {
+    add_header 'Access-Control-Allow-Origin' '*';
+
+    proxy_pass      ${REDIRECT};
+
+    proxy_redirect off;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+
+    proxy_read_timeout 600;
+    proxy_connect_timeout 600;
+    proxy_send_timeout 600;
+  }
+}
+EOF
+
+# edit with
+# sudo nano /etc/nginx/sites-available/$SUBDOMAIN
+
+# add to /etc/nginx/sites-enabled/
+sudo ln -s /etc/nginx/sites-available/$SUBDOMAIN /etc/nginx/sites-enabled/
+
+sudo nginx -t || exit 1
+
+sudo systemctl restart nginx