From d2142b046f33ff52f65cedb6316f7c4236ce6709 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 15 Apr 2019 10:51:18 +0200
Subject: [PATCH 1/3] Reload nginx immediately after enabling the Let's Encrypt vhost
---
 site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
index 468499e..de6fc30 100644
--- a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
+++ b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
@@ -32,6 +32,7 @@ action :create do
 nginx_site "#{domain}_certbot" do
 action :enable
+ notifies :reload, 'service[nginx]', :immediately
 end
 include_recipe "kosmos-base::letsencrypt"
From 6c7ec545ce41ec843e9d67ffe8fb53366f51be02 Mon Sep 17 00:00:00 2001
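Review bot: The added `notifies :reload, 'service[nginx]', :immediately` is the only single-quoted string in this resource; the surrounding `nginx_site "#{domain}_certbot"` and `include_recipe "kosmos-base::letsencrypt"` use double quotes, so `notifies :reload, "service[nginx]", :immediately` keeps the file consistent. The `:immediately` timer means nginx is reloaded before the following `include_recipe` runs, which is presumably the point (the challenge vhost has to be served before certbot is invoked), but nothing in the hunk says so; a one-line comment such as `# reload now so the ACME challenge vhost is live before certbot runs` would record that intent. Note the notification only fires when enabling the site actually changed state, which is the desired behaviour on repeat converges. The enclosing `action :create` block starts before this hunk.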
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 15 Apr 2019 10:53:55 +0200
Subject: [PATCH 2/3] Initial kosmos-btcpayserver cookbook setting up an nginx reverse proxy
Closes #19
---
 site-cookbooks/kosmos-btcpayserver/.gitignore | 22 ++++
 site-cookbooks/kosmos-btcpayserver/Berksfile | 4 +
 .../kosmos-btcpayserver/CHANGELOG.md | 7 ++
 site-cookbooks/kosmos-btcpayserver/LICENSE | 20 ++++
 site-cookbooks/kosmos-btcpayserver/README.md | 4 +
 .../kosmos-btcpayserver/attributes/default.rb | 2 +
 site-cookbooks/kosmos-btcpayserver/chefignore | 104 ++++++++++++++++++
 .../kosmos-btcpayserver/metadata.rb | 22 ++++
 .../kosmos-btcpayserver/recipes/default.rb | 5 +
 .../kosmos-btcpayserver/recipes/proxy.rb | 34 ++++++
 .../templates/nginx_conf_btcpayserver.erb | 74 +++++++++++++
 11 files changed, 298 insertions(+)
 create mode 100644 site-cookbooks/kosmos-btcpayserver/.gitignore
 create mode 100644 site-cookbooks/kosmos-btcpayserver/Berksfile
 create mode 100644 site-cookbooks/kosmos-btcpayserver/CHANGELOG.md
 create mode 100644 site-cookbooks/kosmos-btcpayserver/LICENSE
 create mode 100644 site-cookbooks/kosmos-btcpayserver/README.md
 create mode 100644 site-cookbooks/kosmos-btcpayserver/attributes/default.rb
 create mode 100644 site-cookbooks/kosmos-btcpayserver/chefignore
 create mode 100644 site-cookbooks/kosmos-btcpayserver/metadata.rb
 create mode 100644 site-cookbooks/kosmos-btcpayserver/recipes/default.rb
 create mode 100644 site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb
 create mode 100644 site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb
diff --git a/site-cookbooks/kosmos-btcpayserver/.gitignore b/site-cookbooks/kosmos-btcpayserver/.gitignore
new file mode 100644
index 0000000..13e41c4
--- /dev/null
+++ b/site-cookbooks/kosmos-btcpayserver/.gitignore
@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+.kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
diff --git a/site-cookbooks/kosmos-btcpayserver/Berksfile b/site-cookbooks/kosmos-btcpayserver/Berksfile
new file mode 100644
index 0000000..0656a99
--- /dev/null
+++ b/site-cookbooks/kosmos-btcpayserver/Berksfile
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+source 'https://supermarket.chef.io'
+
+metadata
diff --git a/site-cookbooks/kosmos-btcpayserver/CHANGELOG.md b/site-cookbooks/kosmos-btcpayserver/CHANGELOG.md
new file mode 100644
index 0000000..6a6cce2
--- /dev/null
+++ b/site-cookbooks/kosmos-btcpayserver/CHANGELOG.md
@@ -0,0 +1,7 @@
+# kosmos-btcpayserver CHANGELOG
+
+This file is used to list changes made in each version of the kosmos-btcpayserver cookbook.
+
+# 0.1.0
+
+Initial release.
diff --git a/site-cookbooks/kosmos-btcpayserver/LICENSE b/site-cookbooks/kosmos-btcpayserver/LICENSE
new file mode 100644
index 0000000..f3b5d1c
--- /dev/null
+++ b/site-cookbooks/kosmos-btcpayserver/LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2019 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/site-cookbooks/kosmos-btcpayserver/README.md b/site-cookbooks/kosmos-btcpayserver/README.md
new file mode 100644
index 0000000..231c93b
--- /dev/null
+++ b/site-cookbooks/kosmos-btcpayserver/README.md
@@ -0,0 +1,4 @@
+# kosmos-btcpayserver
+
+TODO: Enter the cookbook description here.
+
diff --git a/site-cookbooks/kosmos-btcpayserver/attributes/default.rb b/site-cookbooks/kosmos-btcpayserver/attributes/default.rb
new file mode 100644
index 0000000..c87d02f
--- /dev/null
+++ b/site-cookbooks/kosmos-btcpayserver/attributes/default.rb
@@ -0,0 +1,2 @@
+node.default["kosmos-btcpayserver"]["nginx"]["server_name"] = "btcpay.kosmos.org"
+node.default["kosmos-btcpayserver"]["port"] = 23001
diff --git a/site-cookbooks/kosmos-btcpayserver/chefignore b/site-cookbooks/kosmos-btcpayserver/chefignore
new file mode 100644
index 0000000..4439807
--- /dev/null
+++ b/site-cookbooks/kosmos-btcpayserver/chefignore @@ -0,0 +1,104 @@ +# Put files/directories that should be ignored in this file when uploading +# to a chef-server or supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +Icon? +nohup.out +ehthumbs.db +Thumbs.db + +# SASS # +######## +.sass-cache + +# EDITORS # +########### +\#* +.#* +*~ +*.sw[a-z] +*.bak +REVISION +TAGS* +tmtags +*_flymake.* +*_flymake +*.tmproj +.project +.settings +mkmf.log + +## COMPILED ## +############## +a.out +*.o +*.pyc +*.so +*.com +*.class +*.dll +*.exe +*/rdoc/ + +# Testing # +########### +.watchr +.rspec +spec/* +spec/fixtures/* +test/* +features/* +examples/* +Guardfile +Procfile +.kitchen* +kitchen.yml* +.rubocop.yml +spec/* +Rakefile +.travis.yml +.foodcritic +.codeclimate.yml + +# SCM # +####### +.git +*/.git +.gitignore +.gitmodules +.gitconfig +.gitattributes +.svn +*/.bzr/* +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Cookbooks # +############# +CONTRIBUTING* +CHANGELOG* +TESTING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/site-cookbooks/kosmos-btcpayserver/metadata.rb b/site-cookbooks/kosmos-btcpayserver/metadata.rb new file mode 100644 index 0000000..23960cc --- /dev/null +++ b/site-cookbooks/kosmos-btcpayserver/metadata.rb 
@@ -0,0 +1,22 @@
+name 'kosmos-btcpayserver'
+maintainer 'Kosmos'
+maintainer_email 'mail@kosmos.org'
+license 'All Rights Reserved'
+description 'Installs/Configures kosmos-btcpayserver'
+long_description 'Installs/Configures kosmos-btcpayserver'
+version '0.1.0'
+chef_version '>= 13.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked. A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com//kosmos-btcpayserver/issues'
+
+# The `source_url` points to the development repository for this cookbook. A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com//kosmos-btcpayserver'
+depends "kosmos-nginx"
+depends "kosmos-base"
diff --git a/site-cookbooks/kosmos-btcpayserver/recipes/default.rb b/site-cookbooks/kosmos-btcpayserver/recipes/default.rb
new file mode 100644
index 0000000..8d36e08
--- /dev/null
+++ b/site-cookbooks/kosmos-btcpayserver/recipes/default.rb
@@ -0,0 +1,5 @@
+#
+# Cookbook:: kosmos-btcpayserver
+# Recipe:: default
+#
+# Copyright:: 2019, Kosmos Developers, All Rights Reserved.
diff --git a/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb b/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb
new file mode 100644
index 0000000..4a47729
--- /dev/null
+++ b/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb
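Review bot: The `depends` list at the end of metadata.rb names only `kosmos-nginx` and `kosmos-base`, yet `recipes/proxy.rb` in this same series calls `include_recipe "firewall"` and declares a `firewall_rule`; unless one of those two cookbooks already depends on `firewall`, the converge will fail to resolve that recipe, so add `depends "firewall"`. `license 'All Rights Reserved'` also contradicts the LICENSE file this commit adds, which carries the MIT permission text, and the recipe headers repeat "All Rights Reserved" — the three should agree. The commented-out `issues_url`/`source_url` lines still contain the generator's empty organisation segment (`github.com//`); either fill them in or drop the boilerplate.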
@@ -0,0 +1,34 @@
+#
+# Cookbook:: kosmos-btcpayserver
+# Recipe:: proxy
+#
+# Copyright:: 2019, Kosmos, All Rights Reserved.
+#
+include_recipe "kosmos-nginx"
+server_name = node["kosmos-btcpayserver"]["nginx"]["server_name"]
+
+template "#{node["nginx"]["dir"]}/sites-available/#{server_name}" do
+ source "nginx_conf_btcpayserver.erb"
+ owner node["nginx"]["user"]
+ mode 0640
+ variables btcpay_port: node["kosmos-btcpayserver"]["port"],
+ server_name: server_name,
+ ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+ notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site server_name do
+ action :enable
+end
+
+nginx_certbot_site server_name
+
+unless node.chef_environment == "development"
+ include_recipe "firewall"
+ firewall_rule "btcpayserver" do
+ port node["kosmos-btcpayserver"]["port"]
+ protocol :tcp
+ command :allow
+ end
+end
diff --git a/site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb b/site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb
new file mode 100644
index 0000000..48a34cb
--- /dev/null
+++ b/site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb
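Review bot: The `firewall_rule "btcpayserver"` block at the bottom of the recipe allows `node["kosmos-btcpayserver"]["port"]` (23001 by default) inbound with no `source` restriction, while the template it renders proxies to `localhost:<%= @btcpay_port %>`; if BTCPay binds to loopback the rule is inert, and if it binds to all interfaces it exposes the cleartext backend next to the TLS proxy and lets direct clients bypass the `X-Forwarded-*`/`X-Real-IP` headers nginx sets. Unless direct access is intended, drop the block (80/443 are presumably opened by `kosmos-nginx`) or give it a `source` limited to the proxy host, and say which in a comment. The vhost is also written with `owner node["nginx"]["user"]` and `mode 0640`; if that attribute is the unprivileged worker user, the config becomes writable by the very process it governs, whereas the master process that reads it runs as root — `owner "root"` with the nginx group read-only (`group node["nginx"]["group"]`, `mode "0640"`) is the least-privilege shape, and the string mode form is the Chef-recommended spelling.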
@@ -0,0 +1,74 @@
+upstream _btcpayserver {
+ server localhost:<%= @btcpay_port %>;
+}
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+ default $http_x_forwarded_proto;
+ '' $scheme;
+}
+
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+ default $http_x_forwarded_port;
+ '' $server_port;
+}
+
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+ default upgrade;
+ '' close;
+}
+
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+ default off;
+ https on;
+}
+
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack
+proxy_set_header Proxy "";
+
+server {
+ client_max_body_size 100M;
+ server_name <%= @server_name %>;
+ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+ listen 443 ssl http2;
+ <% else -%>
+ listen 80;
+ <% end -%>
+
+ access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
+ error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;
+
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ add_header Strict-Transport-Security "max-age=15768000";
+ <% end -%>
+
+ location / {
+ proxy_pass http://_btcpayserver;
+ }
+}
From 6da6d2a2bf5a21251173910192b66e511d06342b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 15 Apr 2019 10:54:35 +0200
Subject: [PATCH 3/3] Add the kosmos-btcpayserver nginx reverse proxy to andromeda
---
 nodes/andromeda.kosmos.org.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nodes/andromeda.kosmos.org.json b/nodes/andromeda.kosmos.org.json
index ec0c673..37486f8 100644
--- a/nodes/andromeda.kosmos.org.json
+++ b/nodes/andromeda.kosmos.org.json
@@ -5,7 +5,8 @@
 "role[ipfs_cluster_with_tls]",
 "kosmos-mediawiki",
 "sockethub",
- "sockethub::proxy"
+ "sockethub::proxy",
+ "kosmos-btcpayserver::proxy"
 ],
 "automatic": {
 "ipaddress": "andromeda.kosmos.org"
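Review bot: `proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;` and the `X-Forwarded-Port` line below it forward whatever the client sent, because the two `map` blocks at the top only fall back to `$scheme`/`$server_port` when the incoming header is empty; that pass-through is written for a proxy sitting behind another trusted proxy, but this `server` block terminates TLS itself (`listen 443 ssl http2`), so any client can tell the backend it arrived over a different scheme or port. At the edge the values should come from the connection only — `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Port $server_port;` — after which the two `map $http_x_forwarded_*` blocks and their comments can be removed. Once the certificate files exist the `server` block listens on 443 only and the `listen 80;` branch disappears, so plain-HTTP requests for this name land on whatever default vhost `kosmos-nginx` provides; if a redirect to HTTPS is expected, a second `server { listen 80; server_name <%= @server_name %>; return 301 https://$host$request_uri; }` block inside the same `if` would make that explicit.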