#!/bin/bash set -e set -x export DEBIAN_FRONTEND=noninteractive sleep 30 # Install packages apt-get update apt-get upgrade -y apt-get install software-properties-common sudo git make -y apt-get install certbot nginx python3 python3-virtualenv -y apt-get install docker.io docker-compose -y apt-get install tor -y # Setup Tor mkdir -p /run/tor chown -R debian-tor:debian-tor /run/tor chmod 700 -R /run/tor mkdir -p /var/www/tor cat << EOF > /etc/tor/torrc ControlSocket /run/tor/control ControlSocketsGroupWritable 1 CookieAuthentication 1 CookieAuthFileGroupReadable 1 CookieAuthFile /run/tor/control.authcookie DataDirectory /var/lib/tor ExitPolicy reject6 *:*, reject *:* ExitRelay 0 IPv6Exit 0 Log notice stdout ORPort 127.0.0.1:9001 PublishServerDescriptor 0 SOCKSPort 9051 HiddenServiceDir /var/lib/tor/monero HiddenServicePort 18081 EOF systemctl enable tor systemctl restart tor sleep 20 cp /var/lib/tor/monero/hostname /var/www/tor/index.html chown -R nobody:nogroup /var/www/tor chmod 644 /var/www/tor/index.html # Setup certs and Nginx mkdir -p /etc/nginx/conf.d mkdir -p /etc/ssl/certs rm -f /etc/nginx/sites-enabled/default openssl dhparam -out /etc/ssl/certs/dhparam.pem -2 2048 cat << EOF > /etc/nginx/conf.d/ssl.conf ## SSL Certs are referenced in the actual Nginx config per-vhost # Disable insecure SSL v2. Also disable SSLv3, as TLS 1.0 suffers a downgrade attack, allowing an attacker to force a connection to use SSLv3 and therefore disable forward secrecy. # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Strong ciphers for PFS ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; # Use server's preferred cipher, not the client's # ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; # Use ephemeral 4096 bit DH key for PFS ssl_dhparam /etc/ssl/certs/dhparam.pem; # Use OCSP stapling ssl_stapling on; ssl_stapling_verify on; resolver 1.1.1.1 valid=300s; resolver_timeout 5s; EOF cat << EOF > /etc/nginx/sites-enabled/${DOMAIN}.conf # Redirect inbound http to https server { listen 80 default_server; server_name ${DOMAIN}; index index.php index.html; return 301 https://${DOMAIN}$request_uri; } # Load SSL configs and serve SSL site server { listen 443 ssl; server_name ${DOMAIN}; error_log /var/log/nginx/${DOMAIN}-error.log warn; access_log /var/log/nginx/${DOMAIN}-access.log; client_body_in_file_only clean; client_body_buffer_size 32K; # set max upload size client_max_body_size 8M; sendfile on; send_timeout 600s; location /grafana { proxy_pass http://127.0.0.1:3000; proxy_set_header Host \$host; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Frame-Options "SAMEORIGIN"; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_redirect off; } location /tor { alias /var/www/tor; } include conf.d/ssl.conf; ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem; } EOF service nginx stop certbot certonly --standalone -d ${DOMAIN} --agree-tos -m ${ACME_EMAIL} -n service nginx start # Setup app users useradd -m -s $(which false) monero usermod -aG docker monero # Setup Monero node umount /dev/sda mkdir -p /opt/monero mount /dev/sda /opt/monero rm -rf /opt/monero/* git clone https://github.com/lalanza808/docker-monero-node /opt/monero cat << EOF > /opt/monero/.env DATA_DIR=/opt/monero/data GRAFANA_URL=https://${DOMAIN}/grafana GF_SERVER_SERVE_FROM_SUB_PATH=true P2P_PORT=18080 RESTRICTED_PORT=18081 ZMQ_PORT=18082 UNRESTRICTED_PORT=18083 GF_AUTH_ANONYMOUS_ENABLED=true GF_AUTH_BASIC_ENABLED=true GF_AUTH_DISABLE_LOGIN_FORM=false GF_SECURITY_ADMIN_PASSWORD=${GRAF_PASS} GF_SECURITY_ADMIN_USER=${GRAF_USER} EOF chown -R monero:monero /opt/monero # Run Monero node as monero user sudo -u monero bash -c "cd /opt/monero && make up" # Post nodes to monero.fail ONION_ADDR=$(cat /var/lib/tor/monero/hostname) ONION_URL="http://${ONION_ADDR}:18081" CLEAR_URL="http://$(hostname).${DOMAIN}:18081" curl -q -X POST https://monero.fail/add -d node_url="${ONION_URL}" curl -q -X POST https://monero.fail/add -d node_url="${CLEAR_URL}"