Moved pay.domain.tld to proxy btcpay on bridge.

This commit is contained in:
Derek Smith 2022-08-20 17:44:37 -04:00
parent 207d88e90b
commit a1d3ff6465
Signed by: farscapian
GPG Key ID: 8F1CD799CCA516CC
5 changed files with 94 additions and 13 deletions


@ -35,16 +35,12 @@ fi
cd btcpayserver-docker cd btcpayserver-docker
export BTCPAY_HOST="${FQDN}" export BTCPAY_HOST="${BTCPAY_USER_FQDN}"
export NBITCOIN_NETWORK="${BTC_CHAIN}" export NBITCOIN_NETWORK="${BTC_CHAIN}"
export LIGHTNING_ALIAS="${DOMAIN_NAME}" export LIGHTNING_ALIAS="${DOMAIN_NAME}"
export LETSENCRYPT_EMAIL="${CERTIFICATE_EMAIL_ADDRESS}"
export BTCPAYGEN_LIGHTNING="clightning" export BTCPAYGEN_LIGHTNING="clightning"
export BTCPAYGEN_CRYPTO1="btc" export BTCPAYGEN_CRYPTO1="btc"
export BTCPAYGEN_ADDITIONAL_FRAGMENTS="opt-save-storage;opt-add-btctransmuter;opt-add-nostr-relay;" export BTCPAYGEN_ADDITIONAL_FRAGMENTS="opt-save-storage;opt-add-btctransmuter;opt-add-nostr-relay;"
export BTCPAY_ADDITIONAL_HOSTS="${BTCPAY_ADDITIONAL_HOSTNAMES}"
export BTCPAYGEN_REVERSEPROXY="nginx" export BTCPAYGEN_REVERSEPROXY="nginx"
export BTCPAY_ENABLE_SSH=false export BTCPAY_ENABLE_SSH=false
export BTCPAY_BASE_DIRECTORY=${REMOTE_HOME} export BTCPAY_BASE_DIRECTORY=${REMOTE_HOME}
@ -54,6 +50,12 @@ EOL
if [ "$VPS_HOSTING_TARGET" = lxd ]; then if [ "$VPS_HOSTING_TARGET" = lxd ]; then
cat >> "$SITE_PATH/btcpay.sh" <<EOL cat >> "$SITE_PATH/btcpay.sh" <<EOL
export BTCPAYGEN_EXCLUDE_FRAGMENTS="nginx-https" export BTCPAYGEN_EXCLUDE_FRAGMENTS="nginx-https"
export REVERSEPROXY_DEFAULT_HOST="$BTCPAY_USER_FQDN"
EOL
elif [ "$VPS_HOSTING_TARGET" = aws ]; then
cat >> "$SITE_PATH/btcpay.sh" <<EOL
export BTCPAY_ADDITIONAL_HOSTS="${BTCPAY_ADDITIONAL_HOSTNAMES}"
export LETSENCRYPT_EMAIL="${CERTIFICATE_EMAIL_ADDRESS}"
EOL EOL
fi fi
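Review bot: When VPS_HOSTING_TARGET is neither lxd nor aws, the new if/elif at the end of the second hunk emits neither LETSENCRYPT_EMAIL nor BTCPAY_ADDITIONAL_HOSTS into btcpay.sh, whereas before this commit both exports were written unconditionally; the generated script is then silently incomplete and the problem only shows up when BTCPay starts. Since another file in this commit already carries a TODO about range-checking VPS_HOSTING_TARGET, an explicit failure branch here would catch the misconfiguration at generation time: add `else` / `echo "ERROR: unsupported VPS_HOSTING_TARGET '$VPS_HOSTING_TARGET'." >&2; exit 1` before the closing `fi`. The here-doc that the first hunk edits (the one closed by the `EOL` at the top of the second hunk) begins before the hunk, so its opening redirection is not visible here.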


@ -2,7 +2,7 @@
set -eux set -eux
VIRTUAL_MACHINE="$1" LXD_HOSTNAME="$1"
# generate the custom cloud-init file. Cloud init installs and configures sshd # generate the custom cloud-init file. Cloud init installs and configures sshd
SSH_AUTHORIZED_KEY=$(<"$SSH_HOME/id_rsa.pub") SSH_AUTHORIZED_KEY=$(<"$SSH_HOME/id_rsa.pub")
@ -10,7 +10,7 @@ eval "$(ssh-agent -s)"
ssh-add "$SSH_HOME/id_rsa" ssh-add "$SSH_HOME/id_rsa"
export SSH_AUTHORIZED_KEY="$SSH_AUTHORIZED_KEY" export SSH_AUTHORIZED_KEY="$SSH_AUTHORIZED_KEY"
export FILENAME="$VIRTUAL_MACHINE.yml" export FILENAME="$LXD_HOSTNAME.yml"
mkdir -p "$CLUSTER_PATH/cloud-init" mkdir -p "$CLUSTER_PATH/cloud-init"
YAML_PATH="$CLUSTER_PATH/cloud-init/$FILENAME" YAML_PATH="$CLUSTER_PATH/cloud-init/$FILENAME"
@ -23,7 +23,7 @@ config:
EOF EOF
# if VIRTUAL_MACHINE=sovereign-stack then we are building the base image. # if VIRTUAL_MACHINE=sovereign-stack then we are building the base image.
if [ "$VIRTUAL_MACHINE" = "sovereign-stack" ]; then if [ "$LXD_HOSTNAME" = "sovereign-stack" ]; then
# this is for the base image only... # this is for the base image only...
cat >> "$YAML_PATH" <<EOF cat >> "$YAML_PATH" <<EOF
user.vendor-data: | user.vendor-data: |
@ -259,9 +259,9 @@ EOF
fi fi
# let's create a profile for the BCM TYPE-1 VMs. This is per VM. # let's create a profile for the BCM TYPE-1 VMs. This is per VM.
if ! lxc profile list --format csv | grep -q "$VIRTUAL_MACHINE"; then if ! lxc profile list --format csv | grep -q "$LXD_HOSTNAME"; then
lxc profile create "$VIRTUAL_MACHINE" lxc profile create "$LXD_HOSTNAME"
fi fi
# configure the profile with our generated cloud-init.yml file. # configure the profile with our generated cloud-init.yml file.
cat "$YAML_PATH" | lxc profile edit "$VIRTUAL_MACHINE" cat "$YAML_PATH" | lxc profile edit "$LXD_HOSTNAME"
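Review bot: The comment at the top of the third hunk still reads `# if VIRTUAL_MACHINE=sovereign-stack then we are building the base image.` although the variable it describes is renamed to LXD_HOSTNAME on the very next line; change it to `# if LXD_HOSTNAME=sovereign-stack then we are building the base image.` so the comment and the test agree. The renamed `grep -q "$LXD_HOSTNAME"` in the last hunk is an unanchored substring match over the whole csv line, so a profile whose name merely contains the new hostname would cause `lxc profile create` to be skipped; matching the name column exactly (`cut -d, -f1 | grep -qx -- "$LXD_HOSTNAME"`, assuming the name is the first csv column) would avoid that. That behaviour predates this commit, but the rename touches the line and the new name, being a hostname, is more likely to be a prefix of another profile.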


@ -27,6 +27,6 @@ elif [ "$VPS_HOSTING_TARGET" = lxd ]; then
-v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \ -v "$REMOTE_HOME/letsencrypt":/etc/letsencrypt \
-v /var/lib/letsencrypt:/var/lib/letsencrypt \ -v /var/lib/letsencrypt:/var/lib/letsencrypt \
-v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \ -v "$REMOTE_HOME/letsencrypt_logs":/var/log/letsencrypt \
certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS" certbot/certbot certonly -v --noninteractive --agree-tos --key-type ecdsa --standalone --expand -d "$DOMAIN_NAME" -d "$WWW_FQDN" -d "$BTCPAY_USER_FQDN" -d "$NEXTCLOUD_FQDN" -d "$GITEA_FQDN" -d "$NOSTR_FQDN" --email "$CERTIFICATE_EMAIL_ADDRESS"
fi fi


@ -22,9 +22,25 @@ events {
http { http {
client_max_body_size 100m; client_max_body_size 100m;
server_names_hash_bucket_size 128;
server_tokens off; server_tokens off;
# next two sets commands and connection_upgrade block come from https://docs.btcpayserver.org/FAQ/Deployment/#can-i-use-an-existing-nginx-server-as-a-reverse-proxy-with-ssl-termination
# Needed to allow very long URLs to prevent issues while signing PSBTs
server_names_hash_bucket_size 128;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
client_header_buffer_size 500k;
large_client_header_buffers 4 500k;
http2_max_field_size 500k;
http2_max_header_size 500k;
# Needed websocket support (used by Ledger hardware wallets)
map \$http_upgrade \$connection_upgrade {
default upgrade;
'' close;
}
# this server block returns a 403 for all non-explicit host requests. # this server block returns a 403 for all non-explicit host requests.
#server { #server {
# listen 80 default_server; # listen 80 default_server;
@ -89,6 +105,25 @@ cat >>"$NGINX_CONF_PATH" <<EOL
EOL EOL
fi fi
# REDIRECT FOR BTCPAY_USER_FQDN
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
# gitea http to https redirect.
if [ "$DEPLOY_BTCPAY_SERVER" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# http://${BTCPAY_USER_FQDN} redirect to https://${BTCPAY_USER_FQDN}
server {
listen 80;
listen [::]:80;
server_name ${BTCPAY_USER_FQDN};
return 301 https://${BTCPAY_USER_FQDN}\$request_uri;
}
EOL
fi
fi
# TLS config for ghost. # TLS config for ghost.
cat >>"$NGINX_CONF_PATH" <<EOL cat >>"$NGINX_CONF_PATH" <<EOL
# global TLS settings # global TLS settings
@ -163,6 +198,49 @@ cat >>"$NGINX_CONF_PATH" <<EOL
EOL EOL
fi fi
# SERVER block for BTCPAY Server
if [ "$VPS_HOSTING_TARGET" = lxd ]; then
# gitea http to https redirect.
if [ "$DEPLOY_BTCPAY_SERVER" = true ]; then
cat >>"$NGINX_CONF_PATH" <<EOL
# http://${BTCPAY_USER_FQDN} redirect to https://${BTCPAY_USER_FQDN}
server {
listen 443 ssl http2;
ssl on;
server_name ${BTCPAY_USER_FQDN};
# Route everything to the real BTCPay server
location / {
# URL of BTCPay Server
proxy_pass http://10.139.144.10:80;
proxy_set_header Host \$http_host;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
# For websockets (used by Ledger hardware wallets)
proxy_set_header Upgrade \$http_upgrade;
}
}
EOL
fi
fi
# the open server block for the HTTPS listener # the open server block for the HTTPS listener
cat >>"$NGINX_CONF_PATH" <<EOL cat >>"$NGINX_CONF_PATH" <<EOL
server { server {
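Review bot: The websocket upgrade in the BTCPay server block of the third hunk (`@ -163,6 +198,49`) is incomplete: the first hunk adds the `map \$http_upgrade \$connection_upgrade` block, but the `location /` only sets `Upgrade` and never `Connection`, so `\$connection_upgrade` is defined and unused and the proxied upgrade handshake will not carry through to BTCPay. Add `proxy_http_version 1.1;` and `proxy_set_header Connection \$connection_upgrade;` next to the existing `proxy_set_header Upgrade \$http_upgrade;` line. The same block uses `ssl on;`, which nginx has deprecated in favour of the `ssl` parameter already present on `listen 443 ssl http2;`, and the first hunk's `http2_max_field_size`/`http2_max_header_size` are reported obsolete by nginx 1.19.7 and later (`large_client_header_buffers`, also set there, replaces them), so a newer nginx image may warn on or refuse this config. The two copied comments `# gitea http to https redirect.` and `# http://${BTCPAY_USER_FQDN} redirect to https://${BTCPAY_USER_FQDN}` above the 443 block describe a redirect rather than the reverse-proxy block they now head, and the hard-coded `proxy_pass http://10.139.144.10:80;` would be clearer and less brittle as an expansion of a variable naming the btcpay container's address.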


@ -24,6 +24,7 @@ fi
# TODO, ensure VPS_HOSTING_TARGET is in range. # TODO, ensure VPS_HOSTING_TARGET is in range.
export NEXTCLOUD_FQDN="$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME" export NEXTCLOUD_FQDN="$NEXTCLOUD_HOSTNAME.$DOMAIN_NAME"
export BTCPAY_FQDN="$BTCPAY_HOSTNAME.$DOMAIN_NAME"
export BTCPAY_USER_FQDN="$BTCPAY_HOSTNAME_IN_CERT.$DOMAIN_NAME" export BTCPAY_USER_FQDN="$BTCPAY_HOSTNAME_IN_CERT.$DOMAIN_NAME"
export WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME" export WWW_FQDN="$WWW_HOSTNAME.$DOMAIN_NAME"
export GITEA_FQDN="$GITEA_HOSTNAME.$DOMAIN_NAME" export GITEA_FQDN="$GITEA_HOSTNAME.$DOMAIN_NAME"
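Review bot: The new `export BTCPAY_FQDN="$BTCPAY_HOSTNAME.$DOMAIN_NAME"` sits directly above `BTCPAY_USER_FQDN="$BTCPAY_HOSTNAME_IN_CERT.$DOMAIN_NAME"` with nothing saying how the two names differ, and nothing else in this commit reads BTCPAY_FQDN (the certbot and nginx changes use BTCPAY_USER_FQDN only). A one-line comment above it would keep the next reader from treating them as interchangeable, e.g. `# BTCPAY_FQDN: name of the btcpay host itself; BTCPAY_USER_FQDN: public name the bridge serves and the certificate covers` — those roles are inferred from the rest of this commit and should be confirmed before the comment is committed. If BTCPAY_FQDN is intended to be reachable by users, it also needs adding to the certbot `-d` list changed in this commit.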