diff --git a/data_bags/credentials/btcpay.json b/data_bags/credentials/btcpay.json
new file mode 100644
index 0000000..352f5f5
--- /dev/null
+++ b/data_bags/credentials/btcpay.json
@@ -0,0 +1,10 @@
+{
+ "id": "btcpay",
+ "postgres_password": {
+ "encrypted_data": "sDiikAwXFqRCguREzzL0ybo33pl3CiSnJt5pqqnY7Q==\n",
+ "iv": "2qY/agvlvTJCGaj+\n",
+ "auth_tag": "kC5KmBBtlR0Yzi44WU5Ntw==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json
index 9bd540c..60bc247 100644
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -8,17 +8,21 @@
 "automatic": {
 "fqdn": "bitcoin-2",
 "os": "linux",
- "os_version": "5.4.0-54-generic",
+ "os_version": "5.4.0-58-generic",
 "hostname": "bitcoin-2",
 "ipaddress": "192.168.122.148",
 "roles": [
-
+ "btcpay"
 ],
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
 "kosmos-bitcoin::source",
+ "kosmos-bitcoin::c-lightning",
 "kosmos-bitcoin::lnd",
+ "kosmos-bitcoin::dotnet",
+ "kosmos-bitcoin::nbxplorer",
+ "kosmos-bitcoin::btcpay",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -37,7 +41,18 @@
 "kosmos-bitcoin::firewall",
 "git::default",
 "git::package",
- "golang::default"
+ "golang::default",
+ "kosmos-nginx::default",
+ "nginx::default",
+ "nginx::package",
+ "nginx::ohai_plugin",
+ "nginx::repo",
+ "nginx::commons",
+ "nginx::commons_dir",
+ "nginx::commons_script",
+ "nginx::commons_conf",
+ "kosmos-nginx::firewall",
+ "kosmos-base::letsencrypt"
 ],
 "platform": "ubuntu",
 "platform_version": "20.04",
@@ -56,6 +71,8 @@
 "run_list": [
 "recipe[kosmos-base]",
 "recipe[kosmos-bitcoin::source]",
- "recipe[kosmos-bitcoin::lnd]"
+ "recipe[kosmos-bitcoin::c-lightning]",
+ "recipe[kosmos-bitcoin::lnd]",
+ "role[btcpay]"
 ]
 }
\ No newline at end of file
diff --git a/roles/btcpay.rb b/roles/btcpay.rb
new file mode 100644
index 0000000..05749c1
--- /dev/null
+++ b/roles/btcpay.rb
@@ -0,0 +1,7 @@
+name "btcpay"
+
+run_list %w(
+ kosmos-bitcoin::dotnet
+ kosmos-bitcoin::nbxplorer
+ kosmos-bitcoin::btcpay
+)
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index 306c2c7..e61fe0f 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -25,6 +25,35 @@ node.default['bitcoin']['conf'] = {
 zmqpubrawtx: 'tcp://127.0.0.1:8338'
 }
 
+node.default['c-lightning']['repo'] = 'https://github.com/ElementsProject/lightning'
+node.default['c-lightning']['revision'] = 'v0.9.2'
+node.default['c-lightning']['source_dir'] = '/opt/c-lightning'
+node.default['c-lightning']['lightning_dir'] = "/home/#{node['bitcoin']['username']}/.lightning"
+node.default['c-lightning']['alias'] = 'ln3.kosmos.org'
+node.default['c-lightning']['rgb'] = '0D4F99'
+node.default['c-lightning']['log_level'] = 'info'
+node.default['c-lightning']['public_ip'] = '148.251.237.73'
+
 node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
-node.default['lnd']['revision'] = 'v0.11.0-beta'
+node.default['lnd']['revision'] = 'v0.11.1-beta'
 node.default['lnd']['source_dir'] = '/opt/lnd'
+
+node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb"
+node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
+
+node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
+node.default['nbxplorer']['revision'] = 'latest'
+node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
+node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
+node.default['nbxplorer']['port'] = '24445'
+
+node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
+node.default['btcpay']['revision'] = 'latest'
+node.default['btcpay']['source_dir'] = '/opt/btcpay'
+node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
+node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
+node.default['btcpay']['port'] = '23001'
+node.default["btcpay"]["domain"] = 'btcpay.kosmos.org'
+node.default['btcpay']['postgres']['port'] = 5432
+node.default['btcpay']['postgres']['database'] = 'btcpayserver'
+node.default['btcpay']['postgres']['user'] = 'satoshi'
diff --git a/site-cookbooks/kosmos-bitcoin/metadata.rb b/site-cookbooks/kosmos-bitcoin/metadata.rb
index a462885..992350f 100644
--- a/site-cookbooks/kosmos-bitcoin/metadata.rb
+++ b/site-cookbooks/kosmos-bitcoin/metadata.rb
@@ -22,3 +22,4 @@ chef_version '>= 14.0'
 depends 'ark'
 depends 'git'
 depends 'golang'
+depends 'kosmos-nginx'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
new file mode 100644
index 0000000..dc0657b
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
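Review bot: `node.default['nbxplorer']['revision'] = 'latest'` and `node.default['btcpay']['revision'] = 'latest'` track a moving ref, so each Chef run that finds new upstream commits checks out, builds and restarts whatever the branch holds at that moment, while the `lnd` and `c-lightning` attributes in the same hunk pin a release tag. The code built from these refs runs as the same user that holds the node's wallet and RPC credentials, so an upstream compromise or simply a broken push lands on the node unattended. Pin both to a release tag or, better, a commit hash, the way `node.default['lnd']['revision'] = 'v0.11.1-beta'` does, and bump them deliberately.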
@@ -0,0 +1,113 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: btcpay
+#
+
+build_essential
+
+include_recipe "git"
+
+git node['btcpay']['source_dir'] do
+ repository node['btcpay']['repo']
+ revision node['btcpay']['revision']
+ action :sync
+ notifies :run, 'bash[build_btcpay]', :immediately
+end
+
+bash 'build_btcpay' do
+ cwd node['btcpay']['source_dir']
+ code './build.sh'
+ action :nothing
+end
+
+directory "/home/#{node['bitcoin']['username']}/.btcpayserver" do
+ owner node['bitcoin']['username']
+ group node['bitcoin']['usergroup']
+ mode '0750'
+ recursive true
+end
+
+directory File.dirname(node['btcpay']['config_path']) do
+ owner node['bitcoin']['username']
+ group node['bitcoin']['usergroup']
+ mode '0750'
+ recursive true
+end
+
+credentials = Chef::EncryptedDataBagItem.load('credentials', 'btcpay')
+
+template node['btcpay']['config_path'] do
+ source "btcpay-settings.config.erb"
+ owner node['bitcoin']['username']
+ group node['bitcoin']['usergroup']
+ mode '0640'
+ variables bitcoin_network: node['bitcoin']['network'],
+ nbxplorer_url: "http://127.0.0.1:#{node['nbxplorer']['port']}",
+ btcpay_port: node['btcpay']['port'],
+ btcpay_log_path: node['btcpay']['log_path'],
+ postgres_host: "192.168.122.1",
+ postgres_port: node['btcpay']['postgres']['port'],
+ postgres_database: node['btcpay']['postgres']['database'],
+ postgres_user: node['btcpay']['postgres']['user'],
+ postgres_password: credentials['postgres_password']
+end
+
+directory '/run/btcpayserver' do
+ owner node['bitcoin']['username']
+ group node['bitcoin']['usergroup']
+ mode '0640'
+end
+
+systemd_unit 'btcpayserver.service' do
+ content({
+ Unit: {
+ Description: 'BTCPay Server daemon',
+ Documentation: ['https://docs.btcpayserver.org/ManualDeployment/'],
+ Requires: 'nbxplorer.service',
+ After: 'nbxplorer.service'
+ },
+ Service: {
+ User: node['bitcoin']['username'],
+ Group: node['bitcoin']['usergroup'],
+ Type: 'simple',
+ WorkingDirectory: node['btcpay']['source_dir'],
+ ExecStart: "#{node['btcpay']['source_dir']}/run.sh --conf=#{node['btcpay']['config_path']}",
+ PIDFile: '/run/btcpayserver/btcpayserver.pid',
+ Restart: 'on-failure',
+ PrivateTmp: true,
+ ProtectSystem: 'full',
+ NoNewPrivileges: true,
+ PrivateDevices: true
+ },
+ Install: {
+ WantedBy: 'multi-user.target'
+ }
+ })
+ verify false
+ triggers_reload true
+ action [:create, :enable, :start]
+end
+
+#
+# HTTPS Reverse Proxy
+#
+
+include_recipe "kosmos-nginx"
+server_name = node["btcpay"]["domain"]
+
+template "#{node["nginx"]["dir"]}/sites-available/#{server_name}" do
+ source "nginx_conf_btcpayserver.erb"
+ owner node["nginx"]["user"]
+ mode 0640
+ variables btcpay_port: node["btcpay"]["port"],
+ server_name: server_name,
+ ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+ notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site server_name do
+ action :enable
+end
+
+nginx_certbot_site server_name
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb b/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb
new file mode 100644
index 0000000..cb9f14d
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb
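Review bot: `directory '/run/btcpayserver'` gets `mode '0640'`, which carries no execute bit, so the `bitcoin` user cannot enter it and nothing running as that user can create the `PIDFile` path the unit names; and since `/run` is a tmpfs the directory is gone after a reboot until the next Chef run recreates it. The c-lightning recipe in this same commit already does this the right way, so drop the `directory` resource and add `RuntimeDirectory: 'btcpayserver',` and `RuntimeDirectoryMode: '0750',` to the `Service` hash. Separately, `postgres_host: "192.168.122.1"` is the one connection parameter hard-coded here instead of read from `node['btcpay']['postgres']`, and the data bag password crosses the internal network to that host; whether that link is encrypted depends on the Npgsql default for `SSL Mode`, which nothing in the diff sets, so I would append `SSL Mode=Require;` to the connection string in the template and move the host into an attribute next to the port.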
@@ -0,0 +1,96 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: c-lightning
+#
+
+build_essential
+include_recipe "git"
+
+%w{
+ autoconf automake libtool libgmp-dev libsqlite3-dev
+ python3 python3-mako net-tools zlib1g-dev
+ libsodium-dev gettext
+}.each do |pkg|
+ apt_package pkg
+end
+
+git node['c-lightning']['source_dir'] do
+ repository node['c-lightning']['repo']
+ revision node['c-lightning']['revision']
+ action :sync
+ notifies :run, 'bash[compile_c-lightning]', :immediately
+end
+
+bash "compile_c-lightning" do
+ cwd node['c-lightning']['source_dir']
+ code <<-EOH
+ ./configure
+ make
+ make install
+ EOH
+ action :nothing
+ notifies :restart, "systemd_unit[lightningd.service]", :delayed
+end
+
+bitcoin_user = node['bitcoin']['username']
+bitcoin_group = node['bitcoin']['usergroup']
+lightning_dir = node['c-lightning']['lightning_dir']
+
+bitcoin_credentials = Chef::EncryptedDataBagItem.load('credentials', 'bitcoin')
+
+directory lightning_dir do
+ owner bitcoin_user
+ group bitcoin_group
+ mode '0750'
+ action :create
+end
+
+template "#{lightning_dir}/config" do
+ source "c-lightning.config.erb"
+ owner bitcoin_user
+ group bitcoin_group
+ mode '0640'
+ variables lighting_dir: lightning_dir,
+ lightning_alias: node['c-lightning']['alias'],
+ lightning_rgb: node['c-lightning']['rgb'],
+ lightning_log_level: node['c-lightning']['log_level'],
+ bitcoin_datadir: node['bitcoin']['datadir'],
+ bitcoin_rpc_user: node['bitcoin']['conf']['rpcuser'],
+ bitcoin_rpc_password: bitcoin_credentials["rpcpassword"],
+ bitcoin_rpc_host: node['bitcoin']['conf']['rpcbind'],
+ public_ip: node['c-lightning']['public_ip']
+ notifies :restart, "systemd_unit[lightningd.service]", :delayed
+end
+
+systemd_unit 'lightningd.service' do
+ content({
+ Unit: {
+ Description: 'C-Lightning daemon',
+ Documentation: ['https://github.com/ElementsProject/lightning'],
+ Requires: 'bitcoind.service',
+ After: 'bitcoind.service'
+ },
+ Service: {
+ User: node['bitcoin']['username'],
+ Group: node['bitcoin']['usergroup'],
+ Type: 'simple',
+ ExecStart: "/usr/local/bin/lightningd",
+ Restart: 'always',
+ RestartSec: '30',
+ TimeoutSec: '240',
+ RuntimeDirectory: 'lightningd', # /run/lightningd
+ RuntimeDirectoryMode: '0710',
+ PrivateTmp: true,
+ ProtectSystem: 'full',
+ NoNewPrivileges: true,
+ PrivateDevices: true,
+ MemoryDenyWriteExecute: true
+ },
+ Install: {
+ WantedBy: 'multi-user.target'
+ }
+ })
+ verify false
+ triggers_reload true
+ action [:create, :enable, :start]
+end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/dotnet.rb b/site-cookbooks/kosmos-bitcoin/recipes/dotnet.rb
new file mode 100644
index 0000000..4af8314
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/dotnet.rb
@@ -0,0 +1,33 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: dotnet
+#
+
+build_essential
+
+apt_repository 'universe' do
+ uri 'http://archive.ubuntu.com/ubuntu/'
+ distribution 'focal'
+ components ['universe']
+end
+
+apt_package 'apt-transport-https'
+
+remote_file '/opt/packages-microsoft-prod.deb' do
+ source node['dotnet']['ms_packages_src_url']
+ checksum node['dotnet']['ms_packages_src_checksum']
+ action :create_if_missing
+end
+
+dpkg_package 'packages-microsoft-prod' do
+ source '/opt/packages-microsoft-prod.deb'
+ action :install
+ notifies :run, 'execute[apt_update]'
+end
+
+execute 'apt_update' do
+ command 'apt update'
+ action :nothing
+end
+
+apt_package 'dotnet-sdk-3.1'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
index 4708447..b730a8e 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
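Review bot: `bash "compile_c-lightning"` runs `make install` as root on whatever the `git` resource fetched for `revision 'v0.9.2'`, and nothing verifies that tag, so a tampered mirror or a moved tag would put an unsigned binary in `/usr/local/bin` that `lightningd.service` then runs with the node's channel funds. c-lightning release tags are GPG-signed as far as I know; with the maintainers' keys in root's keyring the heredoc can start with `git verify-tag #{node['c-lightning']['revision']} && \` so the build aborts on a bad or missing signature. A smaller point in the same hunk: the template variable is spelled `lighting_dir:` while the local is `lightning_dir`, and the `c-lightning.config.erb` added in this commit never reads `@lighting_dir`, so rename it or drop it.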
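Review bot: `notifies :run, 'execute[apt_update]'` on `dpkg_package 'packages-microsoft-prod'` uses the default `:delayed` timing, so `apt update` only runs at the end of the converge, after `apt_package 'dotnet-sdk-3.1'` has already tried to resolve a package from the repository that was just added; on a fresh node that first run fails. Change it to `notifies :run, 'execute[apt_update]', :immediately`, or replace the `execute` block with Chef's `apt_update` resource. Also, `action :create_if_missing` on the `remote_file` means the `checksum` is only compared on the initial download; any pre-existing `/opt/packages-microsoft-prod.deb` is accepted as-is and installed by root, so `action :create`, which stays idempotent through the checksum, is the safer choice.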
@@ -2,28 +2,6 @@ # Cookbook:: kosmos-bitcoin # Recipe:: lnd # -# The MIT License (MIT) -# -# Copyright:: 2020, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. -# include_recipe "git" include_recipe "golang" diff --git a/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb b/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb new file mode 100644 index 0000000..729e076 --- /dev/null +++ b/site-cookbooks/kosmos-bitcoin/recipes/nbxplorer.rb 
@@ -0,0 +1,83 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: nbxplorer
+#
+
+build_essential
+
+include_recipe "git"
+
+git node['nbxplorer']['source_dir'] do
+ repository node['nbxplorer']['repo']
+ revision node['nbxplorer']['revision']
+ action :sync
+ notifies :run, 'bash[build_nbxplorer]', :immediately
+end
+
+bash 'build_nbxplorer' do
+ cwd node['nbxplorer']['source_dir']
+ code './build.sh'
+ action :nothing
+end
+
+bitcoin_credentials = Chef::EncryptedDataBagItem.load('credentials', 'bitcoin')
+
+directory "/home/#{node['bitcoin']['username']}/.nbxplorer" do
+ owner node['bitcoin']['username']
+ group node['bitcoin']['usergroup']
+ mode '0750'
+ recursive true
+end
+
+directory File.dirname(node['nbxplorer']['config_path']) do
+ owner node['bitcoin']['username']
+ group node['bitcoin']['usergroup']
+ mode '0750'
+ recursive true
+end
+
+template node['nbxplorer']['config_path'] do
+ source "nbxplorer-settings.config.erb"
+ owner node['bitcoin']['username']
+ group node['bitcoin']['usergroup']
+ mode '0640'
+ variables bitcoin_rpc_user: node['bitcoin']['conf']['rpcuser'],
+ bitcoin_rpc_password: bitcoin_credentials["rpcpassword"],
+ bitcoin_rpc_url: "http://#{node['bitcoin']['conf']['rpcbind']}",
+ nbxplorer_port: node['nbxplorer']['port']
+end
+
+directory '/run/nbxplorer' do
+ owner node['bitcoin']['username']
+ group node['bitcoin']['usergroup']
+ mode '0640'
+end
+
+systemd_unit 'nbxplorer.service' do
+ content({
+ Unit: {
+ Description: 'NBXplorer daemon',
+ Documentation: ['https://github.com/dgarage/NBXplorer'],
+ Requires: 'bitcoind.service',
+ After: 'bitcoind.service'
+ },
+ Service: {
+ User: node['bitcoin']['username'],
+ Group: node['bitcoin']['usergroup'],
+ Type: 'simple',
+ ExecStart: "/usr/bin/dotnet '#{node['nbxplorer']['source_dir']}/NBXplorer/bin/Release/netcoreapp3.1/NBXplorer.dll' -c #{node['nbxplorer']['config_path']} --noauth",
+ PIDFile: '/run/nbxplorer/nbxplorer.pid',
+ Restart: 'on-failure',
+ PrivateTmp: true,
+ ProtectSystem: 'full',
+ NoNewPrivileges: true,
+ PrivateDevices: true
+ },
+ Install: {
+ WantedBy: 'multi-user.target'
+ }
+ })
+ verify false
+ triggers_reload true
+ action [:create, :enable, :start]
+end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/source.rb b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
index 0d60853..34e138d 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/source.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
@@ -2,28 +2,6 @@
 # Cookbook:: kosmos-bitcoin
 # Recipe:: source
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
 # TODO move to custom kosmos cookbook before publshing bitcoin cookbook systemd_unit "mnt-data-bitcoin.mount" do
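Review bot: the `ExecStart` line passes `--noauth`, which disables NBXplorer's cookie authentication, so any local process that can reach the port in `node['nbxplorer']['port']` gets the full explorer API. The settings template in this commit sets no bind address, so I cannot confirm from the diff that the listener stays on loopback; add `bind=127.0.0.1` to the template explicitly, drop `--noauth`, and point BTCPay at the cookie NBXplorer writes (BTCPay's `BTC.explorer.cookiefile` setting, if I have the name right). `directory '/run/nbxplorer'` with `mode '0640'` has the same problem as in the btcpay recipe: the service user cannot enter a directory without the execute bit, and a Chef-made directory under the tmpfs `/run` disappears on reboot, so `RuntimeDirectory: 'nbxplorer',` in the unit, the way the c-lightning recipe does it, should replace it.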
@@ -46,10 +24,9 @@ systemd_unit "mnt-data-bitcoin.mount" do action [:create, :enable, :start] end - +build_essential include_recipe 'ark' -build_essential %w{ libtool autotools-dev make automake cmake curl g++-multilib libtool binutils-gold bsdmainutils pkg-config python3 patch }.each do |pkg|
diff --git a/site-cookbooks/kosmos-bitcoin/templates/btcpay-settings.config.erb b/site-cookbooks/kosmos-bitcoin/templates/btcpay-settings.config.erb
new file mode 100644
index 0000000..fc6ed31
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/templates/btcpay-settings.config.erb
@@ -0,0 +1,8 @@
+network=<%= @bitcoin_network %>
+port=<%= @btcpay_port %>
+bind=127.0.0.1
+chains=btc
+BTC.explorer.url=<%= @nbxplorer_url %>
+postgres=User ID=<%= @postgres_user %>;Password=<%= @postgres_password %>;Host=<%= @postgres_host %>;Port=<%= @postgres_port %>;Database=<%= @postgres_database %>;
+debuglog=<%= @btcpay_log_path %>
+<%# TODO BTC.lightning=type=clightning;server=/mnt/data/lightningd/lightning-rpc %>
diff --git a/site-cookbooks/kosmos-bitcoin/templates/c-lightning.config.erb b/site-cookbooks/kosmos-bitcoin/templates/c-lightning.config.erb
new file mode 100644
index 0000000..7f9700e
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/templates/c-lightning.config.erb
@@ -0,0 +1,13 @@
+network=bitcoin
+bitcoin-datadir=<%= @bitcoin_datadir %>
+alias=<%= @lightning_alias %>
+rgb=<%= @lightning_rgb %>
+bitcoin-rpcuser=<%= @bitcoin_rpc_user %>
+bitcoin-rpcpassword=<%= @bitcoin_rpc_password %>
+bitcoin-rpcconnect=<%= @bitcoin_rpc_host %>
+log-level=<%= @lightning_log_level %>
+bind-addr=0.0.0.0
+announce-addr=<%= @public_ip %>
+disable-dns
+<%# plugin=/home/satoshi/lightning-plugins/summary/summary.py %>
+<%# plugin=/home/satoshi/lightning-plugins/rebalance/rebalance.py %>
diff --git a/site-cookbooks/kosmos-bitcoin/templates/nbxplorer-settings.config.erb b/site-cookbooks/kosmos-bitcoin/templates/nbxplorer-settings.config.erb
new file mode 100644
index 0000000..b16efc9
--- /dev/null
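Review bot: the `postgres=` line interpolates `@postgres_password` straight into an Npgsql connection string, where `;` and `'` are delimiters, so a generated password containing either silently truncates the value or changes the string's meaning; either quote it, `Password='<%= @postgres_password %>'` with any `'` inside the value doubled, or guarantee the generator never emits those characters. The string also sets no `SSL Mode`, and the recipe points `Host` at another machine on the libvirt network, so unless the server side forces TLS the credential and the store data go across that link in clear; append `SSL Mode=Require;` here.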
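Review bot: `bind-addr=0.0.0.0` accepts peer connections on every interface of the node, including the `192.168.122.x` side that `nodes/bitcoin-2.json` shows, while `announce-addr` advertises only the public address; whether other guests on that internal network can reach the port is decided by `kosmos-bitcoin::firewall`, which is outside this diff. If the public address is NATed to the guest (the node's own address is 192.168.122.148), binding to it directly is not an option, so keep `0.0.0.0` but say so in the template, e.g. `# listens on all interfaces; exposure is limited by kosmos-bitcoin::firewall`.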
+++ b/site-cookbooks/kosmos-bitcoin/templates/nbxplorer-settings.config.erb
@@ -0,0 +1,5 @@
+btc.rpc.auth=<%= @bitcoin_rpc_user %>:<%= @bitcoin_rpc_password %>
+btc.rpc.url=<%= @bitcoin_rpc_url %>
+btc.node.endpoint=127.0.0.1:8333
+port=<%= @nbxplorer_port %>
+mainnet=1
diff --git a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
new file mode 100644
index 0000000..bf17dab
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
@@ -0,0 +1,70 @@
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+upstream _btcpayserver {
+ server localhost:<%= @btcpay_port %>;
+}
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+ default $http_x_forwarded_proto;
+ '' $scheme;
+}
+
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+ default $http_x_forwarded_port;
+ '' $server_port;
+}
+
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+ default upgrade;
+ '' close;
+}
+
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+ default off;
+ https on;
+}
+
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack
+proxy_set_header Proxy "";
+
+server {
+ client_max_body_size 100M;
+ server_name <%= @server_name %>;
+ listen 443 ssl http2;
+
+ access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
+ error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;
+
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ add_header Strict-Transport-Security "max-age=15768000";
+
+ location / {
+ proxy_pass http://_btcpayserver;
+ }
+}
+<% end -%>
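Review bot: the `$proxy_x_forwarded_proto` and `$proxy_x_forwarded_port` maps pass through whatever `X-Forwarded-Proto` and `X-Forwarded-Port` the client itself sends and only fall back to `$scheme` and `$server_port` when the header is absent; that is the right shape behind another proxy, but this block terminates TLS itself (`listen 443 ssl http2`) and no upstream proxy is visible in the commit, so any client can tell BTCPay it arrived over plain `http` on an arbitrary port, which feeds the absolute URLs and cookie flags it generates. Unless a trusted proxy really sits in front, set `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Port $server_port;` and delete the two maps. Also `add_header Strict-Transport-Security "max-age=15768000";` without the `always` flag is only emitted on 2xx/3xx responses; add `always`.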