cloud init script

5 days ago · 019b0ac31c
parent cc3cf18114
commit 019b0ac31c
1 changed files with 188 additions and 0 deletions
--- a/cloud-init.sh
+++ b/cloud-init.sh
@ -0,0 +1,188 @@
 #!/bin/bash
 # Sets up the BTCPayServer Wownero edition on a fresh Ubuntu VPS
 set -e
 if [[ -z $BTCPAY_HOST ]];
 then
    echo Please provide a BTCPAY_HOST variable with the URL you will host your BTCPayServer at
    exit 1
 fi
 if [[ -z $EMAIL ]]
 then
    echo Please provide a EMAIL variable to register for Lets Encrypt certificates
    exit 1
 fi
 export DEBIAN_FRONTEND=noninteractive
 # Install packages
 apt-get update
 apt-get upgrade -y
 apt-get install -y \
    software-properties-common \
    sudo \
    git \
    certbot \
    nginx \
    ufw \
    tor
 # Setup basic firewall rules
 ufw default deny incoming
 ufw default allow outgoing
 ufw allow 22
 ufw allow 80
 ufw allow 443
 ufw -f enable
 # Install docker engine + docker compose
 curl -s https://get.docker.com | bash
 # Install btcpayserver wownero
 git clone https://github.com/lalanza808/btcpayserver-wownero /opt/btcpay
 echo BTCPAY_HOST=$BTCPAY_HOST > /opt/btcpay/.env
 cd /opt/btcpay
 docker compose up -d
 # Setup Tor
 mkdir -p /run/tor
 chown -R debian-tor:debian-tor /run/tor
 chmod 700 -R /run/tor
 mkdir -p /var/www/tor
 cat << EOF > /etc/tor/torrc
 ControlSocket /run/tor/control
 ControlSocketsGroupWritable 1
 CookieAuthentication 1
 CookieAuthFileGroupReadable 1
 CookieAuthFile /run/tor/control.authcookie
 DataDirectory /var/lib/tor
 ExitPolicy reject6 *:*, reject *:*
 ExitRelay 0
 IPv6Exit 0
 Log notice stdout
 ORPort 127.0.0.1:9001
 PublishServerDescriptor 0
 SOCKSPort 9050
 HiddenServiceDir /var/lib/tor/btcpayserver
 HiddenServicePort 80 127.0.0.1:80
 EOF
 systemctl enable tor
 systemctl restart tor
 sleep 10
 mkdir -p /var/www/tor/
 cp /var/lib/tor/btcpayserver/hostname /var/www/tor/index.html
 chmod 644 /var/www/tor/index.html
 chmod 755 /var/www/tor/
 chown -R nobody:nogroup /var/www/tor
 # Setup certs and Nginx
 mkdir -p /etc/nginx/conf.d
 mkdir -p /etc/ssl/certs
 rm -f /etc/nginx/sites-enabled/default
 openssl dhparam -out /etc/ssl/certs/dhparam.pem -2 2048
 cat << EOF > /etc/nginx/conf.d/ssl.conf
 ## SSL Certs are referenced in the actual Nginx config per-vhost
 # Disable insecure SSL v2. Also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy.
 # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 # Strong ciphers for PFS
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 # Use server's preferred cipher, not the client's
 # ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 # Use ephemeral 4096 bit DH key for PFS
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
 # Use OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
 resolver 1.1.1.1 valid=300s;
 resolver_timeout 5s;
 EOF
 cat << EOF > /etc/nginx/sites-enabled/${BTCPAY_HOST}.conf
 # Redirect inbound http to https
 server {
    listen 80 default_server;
    server_name ${BTCPAY_HOST};
    index index.php index.html;
    return 301 https://${BTCPAY_HOST}$request_uri;
 }
 # Load SSL configs and serve SSL site
 server {
    listen 443 ssl;
    server_name ${BTCPAY_HOST};
    error_log /var/log/nginx/${BTCPAY_HOST}-error.log warn;
    access_log /var/log/nginx/${BTCPAY_HOST}-access.log;
    client_body_in_file_only clean;
    client_body_buffer_size 32K;
    # set max upload size
    client_max_body_size 8M;
    sendfile on;
    send_timeout 600s;
    location / {
        proxy_pass http://127.0.0.1:49392;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Frame-Options "SAMEORIGIN";
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_redirect off;
        # WebSocket-specific headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        # Optional timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Disable caching
        proxy_buffering off;
    }
    location /tor {
        alias /var/www/tor/;
    }
    include conf.d/ssl.conf;
    ssl_certificate /etc/letsencrypt/live/${BTCPAY_HOST}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${BTCPAY_HOST}/privkey.pem;
 }
 EOF
 cat << EOF > /etc/nginx/sites-enabled/btcpay-tor.conf
 server {
    listen 80;
    server_name $(cat /var/lib/tor/btcpayserver/hostname);
    error_log /var/log/nginx/btcpay-tor-error.log warn;
    access_log /var/log/nginx/btcpay-tor-access.log;
    client_body_in_file_only clean;
    client_body_buffer_size 32K;
    location / {
        proxy_pass http://127.0.0.1:49392;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Frame-Options "SAMEORIGIN";
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_redirect off;
    }
 }
 EOF
 service nginx stop
 certbot certonly --standalone -d ${BTCPAY_HOST} --agree-tos -m ${EMAIL} -n
 sed -i 's/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 128;/' /etc/nginx/nginx.conf
 service nginx start
 # Final output
 echo -e "\n\n[+] Wallet seed details"
 cat /opt/btcpay/data/wallet/init.log
 echo -e "\nOnion site for BTCPayServer: $(cat /var/lib/tor/btcpayserver/hostname)"
 echo -e "\nYou may now setup your BTCPayServer at ${BTCPAY_HOST}"