From 61accc05c2eae65be1bc75873b08291915ab9644 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 29 Dec 2020 15:56:53 +0100
Subject: [PATCH] Add nginx proxy for BTCPay

---
nodes/bitcoin-2.json | 13 +++-
.../kosmos-bitcoin/attributes/default.rb | 1 +
site-cookbooks/kosmos-bitcoin/metadata.rb | 1 +
.../kosmos-bitcoin/recipes/btcpay.rb | 24 +++++++
.../templates/nginx_conf_btcpayserver.erb | 70 +++++++++++++++++++
5 files changed, 108 insertions(+), 1 deletion(-)
create mode 100644 site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb

diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json
index e873c80..60bc247 100644
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -41,7 +41,18 @@
 "kosmos-bitcoin::firewall",
 "git::default",
 "git::package",
- "golang::default"
+ "golang::default",
+ "kosmos-nginx::default",
+ "nginx::default",
+ "nginx::package",
+ "nginx::ohai_plugin",
+ "nginx::repo",
+ "nginx::commons",
+ "nginx::commons_dir",
+ "nginx::commons_script",
+ "nginx::commons_conf",
+ "kosmos-nginx::firewall",
+ "kosmos-base::letsencrypt"
 ],
 "platform": "ubuntu",
 "platform_version": "20.04",
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index e5ba53a..e61fe0f 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -53,6 +53,7 @@ node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
 node.default['btcpay']['port'] = '23001'
+node.default["btcpay"]["domain"] = 'btcpay.kosmos.org'
 node.default['btcpay']['postgres']['port'] = 5432
 node.default['btcpay']['postgres']['database'] = 'btcpayserver'
 node.default['btcpay']['postgres']['user'] = 'satoshi'
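Review bot: The added line `node.default["btcpay"]["domain"] = 'btcpay.kosmos.org'` is the only attribute in this file written with double-quoted keys; every neighbouring line uses single quotes, so for consistency it should read `node.default['btcpay']['domain'] = 'btcpay.kosmos.org'`. Since the template derives the certificate paths and the vhost file name from this value, a short comment noting that changing it also changes the Let's Encrypt certificate that is requested would help the next person who edits it.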
diff --git a/site-cookbooks/kosmos-bitcoin/metadata.rb b/site-cookbooks/kosmos-bitcoin/metadata.rb
index a462885..992350f 100644
--- a/site-cookbooks/kosmos-bitcoin/metadata.rb
+++ b/site-cookbooks/kosmos-bitcoin/metadata.rb
@@ -22,3 +22,4 @@ chef_version '>= 14.0'
 depends 'ark'
 depends 'git'
 depends 'golang'
+depends 'kosmos-nginx'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
index 3d15031..dc0657b 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
@@ -87,3 +87,27 @@ systemd_unit 'btcpayserver.service' do
 triggers_reload true
 action [:create, :enable, :start]
 end
+
+#
+# HTTPS Reverse Proxy
+#
+
+include_recipe "kosmos-nginx"
+server_name = node["btcpay"]["domain"]
+
+template "#{node["nginx"]["dir"]}/sites-available/#{server_name}" do
+ source "nginx_conf_btcpayserver.erb"
+ owner node["nginx"]["user"]
+ mode 0640
+ variables btcpay_port: node["btcpay"]["port"],
+ server_name: server_name,
+ ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+ notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site server_name do
+ action :enable
+end
+
+nginx_certbot_site server_name
diff --git a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
new file mode 100644
index 0000000..bf17dab
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_btcpayserver.erb
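Review bot: The vhost file in the `template` resource is owned by, and therefore writable for, the nginx worker user (`owner node["nginx"]["user"]` with `mode 0640`), although a site config only needs to be readable by the master process; unless the other kosmos-nginx site templates deliberately follow this pattern, `owner "root"` with `mode 0644` keeps a compromised worker from rewriting its own configuration. Separately, `nginx_certbot_site server_name` runs after the template, and the template renders nothing until both certificate files exist, so on a fresh node the site is enabled empty and presumably stays that way until the next chef-client run unless `nginx_certbot_site` re-renders it — if it does not, a notification from that resource back to the template, or rendering the template after it, would close the gap. Either way a comment above the template such as `# Rendered empty until the Let's Encrypt certificate below exists; see the File.exist? guard in the template` would spare the next reader a trip into kosmos-nginx.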
@@ -0,0 +1,70 @@
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+upstream _btcpayserver {
+ server localhost:<%= @btcpay_port %>;
+}
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+ default $http_x_forwarded_proto;
+ '' $scheme;
+}
+
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+ default $http_x_forwarded_port;
+ '' $server_port;
+}
+
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+ default upgrade;
+ '' close;
+}
+
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+ default off;
+ https on;
+}
+
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack
+proxy_set_header Proxy "";
+
+server {
+ client_max_body_size 100M;
+ server_name <%= @server_name %>;
+ listen 443 ssl http2;
+
+ access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
+ error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;
+
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ add_header Strict-Transport-Security "max-age=15768000";
+
+ location / {
+ proxy_pass http://_btcpayserver;
+ }
+}
+<% end -%>
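Review bot: The `map $http_x_forwarded_proto` and `map $http_x_forwarded_port` blocks forward whatever X-Forwarded-Proto and X-Forwarded-Port a client sends, yet this server block terminates TLS itself on `listen 443 ssl http2;`, so any value a client puts in those headers reaches the application as if it came from a trusted proxy. Unless another load balancer sits in front of this host, derive them from the connection instead — `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Port $server_port;` — and drop the two maps, which then become unused. Note also that the `map` and `proxy_set_header` directives sit outside the `server` block, i.e. at http context once this file is included from sites-enabled, so they apply to every other vhost on this nginx, and a vhost that sets even one `proxy_set_header` of its own silently loses all of these. Finally, `ssl_prefer_server_ciphers on` has no effect on its own; the block appears to rely on `ssl_protocols` and `ssl_ciphers` being set globally by kosmos-nginx, which deserves a one-line comment saying where.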