From 7a52f2bd8976a5d632132e7561b1ca0745564a2a Mon Sep 17 00:00:00 2001
From: Sebastian Kippe <sebastian@kip.pe>
Date: Tue, 24 May 2022 13:08:41 +0200
Subject: [PATCH] Allow BTCPay API access over private network

---
 site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
index 42cf3c6..648414d 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
@@ -97,13 +97,23 @@ systemd_unit 'btcpayserver.service' do
   action [:create, :enable, :start]
 end
 
+firewall_rule "BTCPay API private access" do
+  command  :allow
+  port     23001
+  protocol :tcp
+  source   "10.1.1.0/24"
+end
+
 #
 # HTTPS Reverse Proxy
+# TODO move to separate recipe, nginx proxy role
 #
 
 include_recipe "kosmos-nginx"
 server_name = node["btcpay"]["domain"]
 
+nginx_certbot_site server_name
+
 template "#{node["nginx"]["dir"]}/sites-available/#{server_name}" do
   source "nginx_conf_btcpayserver.erb"
   owner node["nginx"]["user"]
@@ -118,5 +128,3 @@ end
 nginx_site server_name do
   action :enable
 end
-
-nginx_certbot_site server_name