From a6a64ea590a091aefe324d2eac06df9ae4551eae Mon Sep 17 00:00:00 2001
From: openoms
Date: Mon, 25 Mar 2024 10:44:16 +0100
Subject: [PATCH] add nginx notes, sparrow update, fulcrum sync, servr.js
---
k8s/nixenv.sh | 53 +++++++++++++++++
nginx/custom_website_subdomain.sh | 12 ++--
nginx/https_redirect_to_subdomain.sh | 7 +--
nginx/nostr-relay.sh | 88 ++++++++++++++++++++++++++++
proxy/server.js | 34 +++++++++++
sparrowwallet/sparrow.update.sh | 17 ++++++
zfs/sync-fulcrum-db.md | 41 +++++++++++++
7 files changed, 242 insertions(+), 10 deletions(-)
create mode 100644 k8s/nixenv.sh
create mode 100644 nginx/nostr-relay.sh
create mode 100644 proxy/server.js
create mode 100644 sparrowwallet/sparrow.update.sh
create mode 100644 zfs/sync-fulcrum-db.md
diff --git a/k8s/nixenv.sh b/k8s/nixenv.sh
new file mode 100644
index 0000000..d227b3f
--- /dev/null
+++ b/k8s/nixenv.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+# dedicated user
+USERNAME=k3d
+PASSWORD=""
+
+echo "# add the user: ${USERNAME}"
+sudo adduser --system --group --shell /bin/bash --home /home/${USERNAME} ${USERNAME}
+echo "Copy the skeleton files for login"
+sudo -u ${USERNAME} cp -r /etc/skel/. /home/${USERNAME}/
+sudo adduser ${USERNAME} sudo
+
+# set a password
+echo "$USERNAME:$PASSWORD" | sudo chpasswd
+
+
+ # docker
+ if ! docker version 2>/dev/null; then
+ # look for raspiblitz install script
+ if [ -f /home/admin/config.scripts/blitz.docker.sh ]; then
+ /home/admin/config.scripts/blitz.docker.sh on
+ else
+ # https://docs.docker.com/desktop/linux/install/debian/
+ curl -fsSL https://get.docker.com -o get-docker.sh
+ sh get-docker.sh
+ fi
+ fi
+ sudo groupadd docker
+ sudo usermod -aG docker $USERNAME
+
+# need to log back in to get the group change
+
+
+
+# nix
+# manual install step
+curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
+
+echo "$PATH:/nix/var/nix/profiles/default/bin/nix" >> ~/.bashrc
+
+# direnv
+sudo apt install -y direnv
+echo "eval \"\$(direnv hook bash)\"" >> ~/.bashrc
+source ~/.bashrc
+
+
+sudo su - k3d
+https://github.com/GaloyMoney/charts
+
+direnv allow
+
+cd dev
+make create-cluster
diff --git a/nginx/custom_website_subdomain.sh b/nginx/custom_website_subdomain.sh
index c3bad93..8d6c76b 100644
--- a/nginx/custom_website_subdomain.sh
+++ b/nginx/custom_website_subdomain.sh
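Review bot: `PASSWORD=""` followed by `echo "$USERNAME:$PASSWORD" | sudo chpasswd` sets an empty password on the account that `sudo adduser ${USERNAME} sudo` has just placed in the sudo group, so whether that login is reachable afterwards depends only on the host's PAM and SSH empty-password policy. Guard it before the chpasswd line with `: "${PASSWORD:?set a password for ${USERNAME} first}"`, or skip the chpasswd when the variable is empty. The later `echo "$PATH:/nix/var/nix/profiles/default/bin/nix" >> ~/.bashrc` appends the already-expanded PATH value as a bare line, which a login shell will try to execute as a command; `echo 'export PATH="$PATH:/nix/var/nix/profiles/default/bin"' >> ~/.bashrc` (the directory rather than the binary) is presumably what was meant. The two `curl … | sh` installer lines and the `sudo su - k3d` line, after which the remaining commands only run once that interactive shell exits, suggest this file is a set of notes rather than a runnable script, and a top comment saying so would stop someone executing it as one.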
@@ -51,12 +51,12 @@ server { proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection \"upgrade\"; - # from https://github.com/rootzoll/raspiblitz/blob/v1.7/home.admin/assets/nginx/snippets/ssl-proxy-params.conf - proxy_redirect off; - proxy_set_header Host \$http_host; - proxy_set_header X-Real-IP \$remote_addr; - proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; + # from https://github.com/rootzoll/raspiblitz/blob/v1.7/home.admin/assets/nginx/snippets/ssl-proxy-params.conf + proxy_redirect off; + proxy_set_header Host \$http_host; + proxy_set_header X-Real-IP \$remote_addr; + proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; } }" | sudo tee /etc/nginx/sites-available/$SUBDOMAIN diff --git a/nginx/https_redirect_to_subdomain.sh b/nginx/https_redirect_to_subdomain.sh index d8351a5..2b2d75c 100644 --- a/nginx/https_redirect_to_subdomain.sh +++ b/nginx/https_redirect_to_subdomain.sh @@ -34,10 +34,9 @@ server { listen 443 ssl; server_name SUBDOMAIN; return 301 $REDIRECT; - ssl on; - ssl_certificate /etc/letsencrypt/live/tips.diynodes.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/tips.diynodes.com/privkey.pem; + ssl_certificate /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; @@ -46,7 +45,7 @@ server { ssl_prefer_server_ciphers on; ssl_stapling on; ssl_stapling_verify on; - ssl_trusted_certificate /etc/letsencrypt/live/tips.diynodes.com/chain.pem; + ssl_trusted_certificate /etc/letsencrypt/live/$SUBDOMAIN/chain.pem; location / { proxy_set_header Host \$host; diff --git a/nginx/nostr-relay.sh b/nginx/nostr-relay.sh new file mode 100644 index 0000000..d1c4ed8 --- /dev/null +++ b/nginx/nostr-relay.sh 
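Review bot: In the first https_redirect_to_subdomain.sh hunk the certificate paths now expand `$SUBDOMAIN`, but the context line `server_name SUBDOMAIN;` two lines above still carries the literal word, so if this heredoc is shell-expanded the way `$REDIRECT` on the next line is, the vhost is written with `server_name SUBDOMAIN;` and never matches the host it now has a certificate for; presumably it should read `server_name $SUBDOMAIN;`, unless a substitution step outside the hunk handles it. The second hunk (`ssl_trusted_certificate`) is consistent with the first and needs nothing further. Both hunks sit inside a `server {` block that starts and ends outside them.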
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+echo "
+Input your email:
+"
+read EMAIL
+
+echo "
+Input a subdomain set up with an A record pointing to this server:
+eg.: mempool.example.com
+"
+read SUBDOMAIN
+
+echo "
+Input the URL where the server is running:
+eg.: http://192.168.1.42:5000
+"
+read SERVER
+
+echo "
+Input the address of the relay after the IPaddress or domain:
+eg.: /nostrrelay/nNZ59JFH
+"
+read RELAY
+
+sudo certbot certonly -a standalone -m $EMAIL --agree-tos \
+-d $SUBDOMAIN --expand -n --pre-hook "service nginx stop" \
+--post-hook "service nginx start" || exit 1
+
+# copy in place on a remote machine if needed
+#sudo cat /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem
+#sudo cat /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem
+
+# add to /etc/nginx/sites-available/
+echo "\
+server {
+ listen 80;
+ listen 443 ssl;
+ server_name $SUBDOMAIN;
+
+ ssl_certificate /etc/letsencrypt/live/$SUBDOMAIN/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/$SUBDOMAIN/privkey.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+ ssl_prefer_server_ciphers on;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/letsencrypt/live/$SUBDOMAIN/chain.pem;
+
+ location / {
+ proxy_pass https://${SUBDOMAIN}${RELAY};
+ # to allow wss:// connections
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade \$http_upgrade;
+
proxy_set_header Connection \"upgrade\";
+
+ # from https://github.com/rootzoll/raspiblitz/blob/v1.7/home.admin/assets/nginx/snippets/ssl-proxy-params.conf
+ proxy_SERVER off;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ location $RELAY {
+ proxy_pass $SERVER;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection \"upgrade\";
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ }
+}" | sudo tee /etc/nginx/sites-available/$SUBDOMAIN
+
+# edit with
+# sudo nano /etc/nginx/sites-available/$SUBDOMAIN
+
+# add to /etc/nginx/sites-enabled/
+sudo ln -s /etc/nginx/sites-available/$SUBDOMAIN /etc/nginx/sites-enabled/
+
+sudo nginx -t || exit 1
+
+sudo systemctl restart nginx
diff --git a/proxy/server.js b/proxy/server.js
new file mode 100644
index 0000000..a31da61
--- /dev/null
+++ b/proxy/server.js
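Review bot: `proxy_SERVER off;` inside `location /` is not an nginx directive; it looks like the search-and-replace that turned a `REDIRECT` variable into `SERVER` also hit `proxy_redirect off;`, the line the comment above it cites from the raspiblitz snippet, so `sudo nginx -t` at the end will reject the generated vhost and the script exits 1 after `ln -s` has already placed the broken file in sites-enabled. It should read `proxy_redirect off;`. The four `read` calls should be `read -r`, and `$EMAIL`, `$SUBDOMAIN`, `$SERVER` and `$RELAY` are interpolated unquoted into both the certbot arguments and the nginx config, so a space or `;` in the typed value changes the command or the config rather than failing; quoting them (`-m "$EMAIL" -d "$SUBDOMAIN"`) and rejecting empty input with `: "${SUBDOMAIN:?}"` before the certbot line would make the script stop early instead of writing a malformed vhost. Running `sudo nginx -t` before the `ln -s` would also keep a failed config out of sites-enabled.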
@@ -0,0 +1,34 @@
+/*
+# Install dependencies:
+npm install express http-proxy-middleware
+# Start with the command:
+node server.js
+*/
+
+const express = require('express');
+const { createProxyMiddleware } = require('http-proxy-middleware');
+
+const app = express();
+
+app.use('/api', createProxyMiddleware({
+ target: 'https://api.staging.galoy.io/graphql', // The target API endpoint
+ changeOrigin: true,
+ pathRewrite: {
+ '^/api': '', // Rewrite the API path, if needed
+ },
+ onProxyRes: function (proxyRes, req, res) {
+ // Add CORS headers to the response from the proxied server
+ res.header('Access-Control-Allow-Origin', '*');
+ res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
+ res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
+ if (req.method === 'OPTIONS') {
+ // Preflight request, end it after setting headers
+ res.sendStatus(200);
+ }
+ },
+}));
+
+const PORT = 3000; // The port your proxy server will listen on
+app.listen(PORT, () => {
+ console.log(`Proxy server is running on http://localhost:${PORT}`);
+});
diff --git a/sparrowwallet/sparrow.update.sh b/sparrowwallet/sparrow.update.sh
new file mode 100644
index 0000000..c170cc1
--- /dev/null
+++ b/sparrowwallet/sparrow.update.sh
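Review bot: Handling the CORS preflight inside `onProxyRes` means every OPTIONS request is first forwarded to the upstream and only answered locally once the upstream has replied, and `res.sendStatus(200)` there runs while the proxy is still about to pipe the upstream response into the same `res`, which will likely produce a headers-already-sent error or a truncated reply. Answer preflights in a small middleware registered on the same path before the proxy, and keep `onProxyRes` for the CORS headers on real responses only. Separately, `app.listen(PORT, …)` with no host argument binds every interface while the log line advertises localhost; `app.listen(PORT, '127.0.0.1', …)` keeps this relay to the staging API, which also answers with `Access-Control-Allow-Origin: *` and `Authorization` in the allowed headers, off the network unless that exposure is intended.
```javascript
// answer CORS preflights locally so they are never forwarded upstream
app.use('/api', (req, res, next) => {
  if (req.method !== 'OPTIONS') {
    return next();
  }
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
  res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
  res.sendStatus(204);
});

app.use('/api', createProxyMiddleware({
  // … unchanged: target, changeOrigin, pathRewrite …
  onProxyRes: function (proxyRes, req, res) {
    // CORS headers on the proxied response; preflight never reaches here
    res.header('Access-Control-Allow-Origin', '*');
    res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
    res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
  },
}));
```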
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+VERSION='1.8.4'
+
+cd Downloads
+
+wget -O sparrow_${VERSION}-1_amd64.deb https://github.com/sparrowwallet/sparrow/releases/download/${VERSION}/sparrow_${VERSION}-1_amd64.deb || exit 1
+wget -O sparrow-${VERSION}-manifest.txt https://github.com/sparrowwallet/sparrow/releases/download/${VERSION}/sparrow-${VERSION}-manifest.txt || exit 1
+wget -O sparrow-${VERSION}-manifest.txt.asc https://github.com/sparrowwallet/sparrow/releases/download/${VERSION}/sparrow-${VERSION}-manifest.txt.asc || exit 1
+
+
+gpg --verify sparrow-${VERSION}-manifest.txt.asc sparrow-${VERSION}-manifest.txt || exit 1
+sha256sum -c sparrow-${VERSION}-manifest.txt --ignore-missing || exit 1
+
+sudo dpkg -i sparrow_${VERSION}-1_amd64.deb || exit 1
+
+exit 0
diff --git a/zfs/sync-fulcrum-db.md b/zfs/sync-fulcrum-db.md
new file mode 100644
index 0000000..758ffd2
--- /dev/null
+++ b/zfs/sync-fulcrum-db.md
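Review bot: `gpg --verify sparrow-${VERSION}-manifest.txt.asc …` only proves the manifest was signed by some key already in the local keyring; nothing in the script imports or pins the Sparrow release-signing key, so on a fresh machine the verify fails and on any other machine whichever keys happen to be present decide the outcome. Import the release key once, verify against a dedicated `--keyring` that holds only that key, and check its fingerprint against the one the project publishes (placeholder: `<SPARROW_RELEASE_KEY_FINGERPRINT>`), so that the `sha256sum -c` on the next line is anchored to the right signer. `cd Downloads` is unguarded and the script does not `set -e`, so a missing directory silently drops the downloads and the `.deb` into the current directory; `cd Downloads || exit 1` matches the `|| exit 1` style used on the lines below.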
@@ -0,0 +1,41 @@
+# Snapshot and mount a datadisk
+
+## Create the snapshot, clone and mount
+```
+# create snapshot of /mnt/hdd - datadisk/hdd@hdd-snapshot
+sudo zfs snap datadisk/hdd@hdd-snapshot
+# display snapshots
+zfs list -t snap
+# clone snapshot (datadisk/hdd/hdd-snapshot-clone)
+sudo zfs clone datadisk/hdd@hdd-snapshot datadisk/hdd/hdd-snapshot-clone
+# see if mounted
+zfs list
+```
+
+
+## Copy over the network
+### on the remote computer
+```
+sudo mkdir -p /mnt/hdd/fulcrum_db
+sudo chown admin:admin /mnt/hdd/fulcrum_db
+```
+### on the source computer
+```
+sudo scp -r /mnt/hdd/hdd-snapshot-clone/app-storage/fulcrum/db admin@$REMOTE_IP:/mnt/hdd/fulcrum_db/
+```
+### on the remote computer once finished
+sudo mv /mnt/hdd/app-storage/fulcrum/db /mnt/hdd/app-storage/fulcrum/db-corrupt
+sudo mv /mnt/hdd/fulcrum_db/db /mnt/hdd/app-storage/fulcrum/
+sudo chown -R fulcrum:fulcrum /mnt/hdd/app-storage/fulcrum/db
+sudo rm -rf /mnt/hdd/fulcrum_db
+
+## OFF
+```
+zfs list
+# destroy the clone filesystem
+sudo zfs destroy datadisk/hdd/hdd-snapshot-clone
+# destroy the snapshot
+sudo zfs destroy datadisk/hdd@hdd-snapshot
+zfs list
+```
+