#1758 Adding Sphinx Relay (#1770)

home.admin/00mainMenu.sh

@@ -110,6 +110,9 @@ fi
 if [ "${pool}" == "on" ]; then
   OPTIONS+=(POOL "Lightning Pool")
 fi
+if [ "${sphinxrelay}" == "on" ]; then
+  OPTIONS+=(SPHINX "Sphinx Chat Relay")
+fi
 
 # Basic Options
 OPTIONS+=(INFO "RaspiBlitz Status Screen")
@@ -249,6 +252,9 @@ case $CHOICE in
         POOL)
             sudo /home/admin/config.scripts/bonus.pool.sh menu
             ;;
+        SPHINX)
+            sudo /home/admin/config.scripts/bonus.sphinxrelay.sh menu
+            ;;
         SUBSCRIBE)
             /home/admin/config.scripts/blitz.subscriptions.py
             ;;

home.admin/00settingsMenuServices.sh

@@ -21,6 +21,7 @@ if [ ${#bos} -eq 0 ]; then bos="off"; fi
 if [ ${#pyblock} -eq 0 ]; then pyblock="off"; fi
 if [ ${#thunderhub} -eq 0 ]; then thunderhub="off"; fi
 if [ ${#pool} -eq 0 ]; then pool="off"; fi
+if [ ${#sphinxrelay} -eq 0 ]; then sphinxrelay="off"; fi
 
 # show select dialog
 echo "run dialog ..."
@@ -37,10 +38,11 @@ OPTIONS+=(a 'Mempool Explorer' ${mempoolExplorer})
 OPTIONS+=(j 'JoinMarket' ${joinmarket})
 OPTIONS+=(l 'Lightning Loop' ${loop})
 OPTIONS+=(o 'Balance of Satoshis' ${bos})
-OPTIONS+=(y 'PyBLOCK' ${pyblock})
 OPTIONS+=(f 'Faraday' ${faraday})
-OPTIONS+=(m 'lndmanage' ${lndmanage})
 OPTIONS+=(c 'Lightning Pool' ${pool})
+OPTIONS+=(y 'PyBLOCK' ${pyblock})
+OPTIONS+=(m 'lndmanage' ${lndmanage})
+OPTIONS+=(x 'Sphinx-Relay' ${sphinxrelay})
 
 CHOICES=$(dialog --title ' Additional Services ' --checklist ' use spacebar to activate/de-activate ' 20 45 12  "${OPTIONS[@]}" 2>&1 >/dev/tty)
 
@@ -363,6 +365,20 @@ else
   echo "Pool setting unchanged."
 fi
 
+# Sphinx Relay
+choice="off"; check=$(echo "${CHOICES}" | grep -c "x")
+if [ ${check} -eq 1 ]; then choice="on"; fi
+if [ "${sphinxrelay}" != "${choice}" ]; then
+  echo "Sphinx-Relay Setting changed .."
+  anychange=1
+  sudo -u admin /home/admin/config.scripts/bonus.sphinxrelay.sh ${choice}
+  if [ "${choice}" =  "on" ]; then
+    sudo -u admin /home/admin/config.scripts/bonus.sphinxrelay.sh menu
+  fi
+else
+  echo "Sphinx Relay unchanged."
+fi
+
 # JoinMarket process choice
 choice="off"; check=$(echo "${CHOICES}" | grep -c "j")
 if [ ${check} -eq 1 ]; then choice="on"; fi

home.admin/97addMobileWallet.sh

@@ -135,7 +135,8 @@ checkIP2TOR()
 OPTIONS=(ZAP_IOS "Zap Wallet (iOS)" \
         ZAP_ANDROID "Zap Wallet (Android)" \
         ZEUS_IOS "Zeus Wallet (iOS)" \
-        ZEUS_ANDROID "Zeus Wallet (Android)"
+        ZEUS_ANDROID "Zeus Wallet (Android)" \
+		SPHINX "Sphinx Chat (Android or iOS)"
 	)
 
 # add SEND MANY APP
@@ -156,6 +157,24 @@ case $CHOICE in
   CLOSE)
   	exit 1;
     ;;
+	SPHINX)
+	  if [ "${sphinxrelay}" != "on" ]; then
+	  	whiptail --title " Install Sphinx Relay Server? " \
+	    --yes-button "Install" \
+		--no-button "Cancel" \
+		--yesno "To use the Sphinx Chat App you need to install the Sphinx Relay Server on your RaspiBlitz. If you want to deinstall the relay later on, just switch it off under MENU > SERVICES.\n\nDo you want to install the Sphinx Relay Server now?" 14 60
+	  	if [ "$?" = "0" ]; then
+	      /home/admin/config.scripts/bonus.sphinxrelay.sh on
+	  	else
+		  echo "No install ... returning to main menu."
+		  sleep 2
+	  	  exit 0
+		fi
+	  fi
+	  # make pairing thru sphinx relay script
+      /home/admin/config.scripts/bonus.sphinxrelay.sh menu
+	  exit 1;
+	  ;;
 	SHANGO_IOS)
 	  appstoreLink="https://testflight.apple.com/join/WwCjFnS8"
 	  /home/admin/config.scripts/blitz.lcd.sh qr ${appstoreLink}

home.admin/_bootstrap.provision.sh

@@ -528,6 +528,15 @@ else
   echo "Provisioning Pool - keep default" >> ${logFile}
 fi
 
+# sphinxrelay
+if [ "${sphinxrelay}" = "on" ]; then
+  echo "Sphinx-Relay - run config script" >> ${logFile}
+  sudo sed -i "s/^message=.*/message='Setup Sphinx-Relay'/g" ${infoFile}
+  sudo -u admin /home/admin/config.scripts/bonus.sphinxrelay.sh on >> ${logFile} 2>&1
+else
+  echo "Sphinx-Relay - keep default" >> ${logFile}
+fi
+
 # custom install script from user
 customInstallAvailable=$(sudo ls /mnt/hdd/app-data/custom-installs.sh 2>/dev/null | grep -c "custom-installs.sh")
 if [ ${customInstallAvailable} -gt 0 ]; then

home.admin/assets/nginx/sites-available/sphinxrelay_ssl.conf

@@ -0,0 +1,24 @@
+## lnbits_ssl.conf
+
+server {
+    listen 3301 ssl;
+    listen [::]:3301 ssl;
+    server_name _;
+
+    include /etc/nginx/snippets/ssl-params.conf;
+    include /etc/nginx/snippets/ssl-certificate-app-data.conf;
+
+    access_log /var/log/nginx/access_sphinxrelay.log;
+    error_log /var/log/nginx/error_sphinxrelay.log;
+
+    location /static {
+        root /home/sphinxrelay/sphinxrelay/sphinxrelay;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:3300;
+
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+
+}

home.admin/assets/nginx/sites-available/sphinxrelay_tor.conf

@@ -0,0 +1,21 @@
+## lnbits_tor.conf
+
+server {
+    listen localhost:3302;
+    listen [::1]:3302;
+    server_name _;
+
+    access_log /var/log/nginx/access_sphinxrelay.log;
+    error_log /var/log/nginx/error_sphinxrelay.log;
+
+    location /static {
+        root /home/sphinxrelay/sphinxrelay/sphinxrelay;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:3300;
+
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+
+}

home.admin/assets/nginx/sites-available/sphinxrelay_tor_ssl.conf

@@ -0,0 +1,24 @@
+## sphinxrelay_tor_ssl.conf
+
+server {
+    listen localhost:3303 ssl;
+    listen [::1]:3303 ssl;
+    server_name _;
+
+    include /etc/nginx/snippets/ssl-params.conf;
+    include /etc/nginx/snippets/ssl-certificate-app-data-tor.conf;
+
+    access_log /var/log/nginx/access_sphinxrelay.log;
+    error_log /var/log/nginx/error_sphinxrelay.log;
+
+    location /static {
+        root /home/sphinxrelay/sphinxrelay/sphinxrelay;
+    }
+
+    location / {
+        proxy_pass http://127.0.0.1:3300;
+
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+
+}

home.admin/config.scripts/blitz.subscriptions.ip2tor.py

@@ -39,6 +39,7 @@ SERVICE_LND_REST_API = "LND-REST-API"
 SERVICE_LND_GRPC_API = "LND-GRPC-API"
 SERVICE_LNBITS = "LNBITS"
 SERVICE_BTCPAY = "BTCPAY"
+SERVICE_SPHINX = "SPHINX"
 
 #####################
 # BASIC SETTINGS
@@ -621,6 +622,8 @@ def menuMakeSubscription(blitzServiceName, torAddress, torPort):
             hosts = shopList(shopurl)
         except Exception as e:
             # shopurl not working
+            eprint(e)
+            time.sleep(3)
             Dialog(dialog="dialog", autowidgetsize=True).msgbox('''
 Cannot reach a shop under that address.
 Please check domain or cancel dialog.
@@ -1067,7 +1070,6 @@ def subscription_by_service():
 
     try:
         if os.path.isfile(SUBSCRIPTIONS_FILE):
-            os.system("sudo chown admin:admin {0}".format(SUBSCRIPTIONS_FILE))
             subs = toml.load(SUBSCRIPTIONS_FILE)
             for idx, sub in enumerate(subs['subscriptions_ip2tor']):
                 if sub['active'] and sub['name'] == service_name:
@@ -1101,7 +1103,6 @@ def ip_by_tor():
 
     try:
         if os.path.isfile(SUBSCRIPTIONS_FILE):
-            os.system("sudo chown admin:admin {0}".format(SUBSCRIPTIONS_FILE))
             subs = toml.load(SUBSCRIPTIONS_FILE)
             for idx, sub in enumerate(subs['subscriptions_ip2tor']):
                 if sub['active'] and (sub['tor'] == onion or sub['tor'].split(":")[0] == onion):

home.admin/config.scripts/blitz.subscriptions.py

@@ -19,6 +19,7 @@ SERVICE_LND_REST_API = "LND-REST-API"
 SERVICE_LND_GRPC_API = "LND-GRPC-API"
 SERVICE_LNBITS = "LNBITS"
 SERVICE_BTCPAY = "BTCPAY"
+SERVICE_SPHINX = "SPHINX"
 
 # load config 
 cfg = RaspiBlitzConfig()
@@ -274,6 +275,7 @@ def main():
         lnd_grpc_api = False
         lnbits = False
         btcpay = False
+        sphinx = False
         try:
             if os.path.isfile(SUBSCRIPTIONS_FILE):
                 os.system("sudo chown admin:admin {0}".format(SUBSCRIPTIONS_FILE))
@@ -289,6 +291,8 @@ def main():
                         lnbits = True
                     if sub['active'] and sub['name'] == SERVICE_BTCPAY:
                         btcpay = True
+                    if sub['active'] and sub['name'] == SERVICE_SPHINX:
+                        sphinx = True
         except Exception as e:
             print(e)
 
@@ -299,6 +303,13 @@ def main():
         if status_data.find("installed=1") > -1:
             btc_pay_server = True
 
+        # check if Sphinx-Relay is installed
+        sphinx_relay = False
+        status_data = subprocess.run(['/home/admin/config.scripts/bonus.sphinxrelay.sh', 'status'],
+                                     stdout=subprocess.PIPE).stdout.decode('utf-8').strip()
+        if status_data.find("installed=1") > -1:
+            sphinx_relay = True
+
         # ask user for which RaspiBlitz service the bridge should be used
         choices = list()
         choices.append(("REST", "LND REST API {0}".format("--> ALREADY BRIDGED" if lnd_rest_api else "")))
@@ -307,6 +318,8 @@ def main():
             choices.append(("LNBITS", "LNbits Webinterface {0}".format("--> ALREADY BRIDGED" if lnbits else "")))
         if btc_pay_server:
             choices.append(("BTCPAY", "BTCPay Server Webinterface {0}".format("--> ALREADY BRIDGED" if btcpay else "")))
+        if sphinx_relay:
+            choices.append(("SPHINX", "Sphinx Relay  {0}".format("--> ALREADY BRIDGED" if sphinx else "")))
         choices.append(("SELF", "Create a custom IP2TOR Bridge"))
 
         d = Dialog(dialog="dialog", autowidgetsize=True)
@@ -346,6 +359,12 @@ def main():
             tor_address = subprocess.run(['sudo', 'cat', '/mnt/hdd/tor/btcpay/hostname'],
                                          stdout=subprocess.PIPE).stdout.decode('utf-8').strip()
             tor_port = 443
+        if tag == "SPHINX":
+            # get TOR address for SPHINX
+            service_name = SERVICE_SPHINX
+            tor_address = subprocess.run(['sudo', 'cat', '/mnt/hdd/tor/sphinxrelay/hostname'],
+                                         stdout=subprocess.PIPE).stdout.decode('utf-8').strip()
+            tor_port = 443
         if tag == "SELF":
             service_name = "CUSTOM"
             try:

home.admin/config.scripts/bonus.sphinxrelay.sh

@@ -0,0 +1,454 @@
+#!/bin/bash
+
+# https://github.com/stakwork/sphinx-relay
+
+# command info
+if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
+  echo "config script to switch Sphinx-Relay on/off"
+  echo "bonus.sphinxrelay.sh on [?GITHUBUSER] [?BRANCH]"
+  echo "bonus.sphinxrelay.sh [off|status|menu|write-environment]"
+  echo "# DEVELOPMENT: TO SYNC WITH YOUR FORKED GITHUB-REPO"
+  echo "bonus.sphinxrelay.sh github sync"
+  exit 1
+fi
+
+source /mnt/hdd/raspiblitz.conf
+
+# show info menu
+if [ "$1" = "menu" ]; then
+
+  # get status info
+  echo "# collecting status info ... (please wait)"
+  source <(sudo /home/admin/config.scripts/bonus.sphinxrelay.sh status)
+
+  if [ ${#ip2torWarn} -gt 0 ]; then
+    whiptail --title " Warning " --msgbox "Your IP2TOR+LetsEncrypt may have problems:\n${ip2torWarn}" 8 55
+  fi
+
+  extraPairInfo=""
+  text="Go to https://sphinx.chat and download the Sphinx Chat app."
+
+  # When IP2TOR AND LETS ENCRYPT
+  if [ ${connection} = "ip2tor&letsencrypt" ]; then
+    text="${text}\n
+IP2TOR+LetsEncrypt: ${publicURL}
+SHA1 ${sslFingerprintTOR}"
+
+  # When DynDNS & LETSENCRYPT
+  elif [ ${connection} = "dns&letsencrypt" ]; then
+     text="${text}\n
+Public Domain: ${publicURL}
+port forwarding on router needs to be active & may change port" 
+
+  # When just IP2TOR
+  elif [ ${connection} = "ip2tor&selfsigned" ]; then
+    text="${text}\n
+IP2TOR: ${publicURL}
+For this connection to be secure it needs LetsEncrypt HTTPS
+go MAINMENU > SUBSCRIBE and add LetsEncrypt HTTPS Domain"
+
+  # When DynDNS
+  elif [ ${connection} = "dns&selfsigned" ]; then
+     text="${text}\n
+Public Domain: ${publicURL}
+port forwarding on router needs to be active & may change port"
+
+  # When nothing advise 
+  elif [ ${connection} = "localnetwork" ]; then
+    text="${text}\n
+At the moment your Sphinx Relay Server is just available
+within the local network - without transport encryption.
+Local server for test & debug: ${publicURL}\n
+To enable easy reachability from the outside consider
+adding a IP2TOR Bridge (MAINMENU > SUBSCRIBE) and reconnect."
+   extraPairInfo="You need to be on the same local network to make this work."
+
+  else
+    text="${text}\nUnknown Connection!"
+  fi
+
+  text="${text}\n\nUse 'Connect App' to pair Sphinx App with RaspiBlitz."
+
+  whiptail --title " SPHINX RELAY " --yes-button "Connect App" --no-button "Back" --yesno "${text}" 15 69
+  response=$?
+  if [ "${response}" == "1" ]; then
+      echo "please wait ..."
+      exit 0
+  fi
+
+  # show qr code on LCD & console
+  /home/admin/config.scripts/blitz.lcd.sh qr "${connectionCode}"
+	whiptail --title " Connect App with Sphinx Relay " \
+	  --yes-button "Done" \
+		--no-button "Show QR Code" \
+		--yesno "Open the Sphinx Chat app & scan the QR code displayed on the LCD. If you dont have a RaspiBlitz with LCD choose 'Show QR Code'.\n
+The connection string in clear text is: ${connectionCode}\n
+${extraPairInfo}" 13 70
+	  if [ $? -eq 1 ]; then
+      clear
+      qrencode -t ANSI256 "${connectionCode}"
+      /home/admin/config.scripts/blitz.lcd.sh hide
+      echo "--> Scan this code with your Sphinx Chat App"
+      echo "To shrink QR code: macOS press CMD- / LINUX press CTRL-"
+      echo "Press ENTER when finished."
+      read key
+	  fi
+
+  exit 0
+fi
+
+# add default value to raspi config if needed
+if ! grep -Eq "^sphinxrelay=" /mnt/hdd/raspiblitz.conf; then
+  echo "sphinxrelay=off" >> /mnt/hdd/raspiblitz.conf
+fi
+
+# write environment configs fresh before every start
+# IMPORTANT: all this needs to work without sudo because will run from systemd as sphinxrelay user
+if [ "$1" = "write-environment" ]; then
+
+  # get basic data from status
+  source <(/home/admin/config.scripts/bonus.sphinxrelay.sh status)
+
+  # update node ip in config
+  cat /home/sphinxrelay/sphinx-relay/config/app.json | \
+  jq ".production.public_url = \"${publicURL}\"" | \
+  tee /home/sphinxrelay/sphinx-relay/config/app.json
+
+  # prepare production configs (loaded by nodejs app)
+  cp /home/sphinxrelay/sphinx-relay/config/app.json /home/sphinxrelay/sphinx-relay/dist/config/app.json
+  cp /home/sphinxrelay/sphinx-relay/config/config.json /home/sphinxrelay/sphinx-relay/dist/config/config.json
+  echo "# ok - copied fresh config.json & app.json into dist directory"
+
+  exit 0
+fi
+
+# status
+# IMPORTANT: make sure it can run as sphinxrelay user without sudo
+if [ "$1" = "status" ]; then
+
+  if [ "${sphinxrelay}" = "on" ]; then
+    echo "installed=1"
+  else
+    echo "installed=0"
+  fi
+
+  localIP=$(ip addr | grep 'state UP' -A2 | egrep -v 'docker0|veth' | grep 'eth0\|wlan0\|enp0' | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
+  echo "localIP='${localIP}'"
+  echo "httpsPort='3301'"
+  echo "httpPort='3300'"
+  echo "publicIP='${publicIP}'"
+
+  # get connection string from file
+  connectionCode=$(cat /home/sphinxrelay/sphinx-relay/connection_string.txt 2>/dev/null)
+  if [ -f "/home/sphinxrelay/sphinx-relay/connection_string.txt" ] && [ "${connectionCode}" = "" ]; then
+    # try again with sodu
+    connectionCode=$(sudo cat /home/sphinxrelay/sphinx-relay/connection_string.txt)
+  fi
+  echo "connectionCode='${connectionCode}'"
+
+  # check for LetsEnryptDomain for DynDns
+  error=""
+  source <(/home/admin/config.scripts/blitz.subscriptions.ip2tor.py ip-by-tor $publicIP)
+  publicDomain="${domain}"
+  if [ ${#error} -eq 0 ]; then
+    echo "publicDomain='${publicDomain}'"
+  else
+    echo "publicDomain=''"
+  fi
+
+  sslFingerprintIP=$(openssl x509 -in /mnt/hdd/app-data/nginx/tls.cert -fingerprint -noout 2>/dev/null | cut -d"=" -f2)
+  echo "sslFingerprintIP='${sslFingerprintIP}'"
+
+  toraddress=$(cat /mnt/hdd/tor/sphinxrelay/hostname 2>/dev/null)
+  echo "toraddress='${toraddress}'"
+
+  sslFingerprintTOR=$(openssl x509 -in /mnt/hdd/app-data/nginx/tor_tls.cert -fingerprint -noout 2>/dev/null | cut -d"=" -f2)
+  echo "sslFingerprintTOR='${sslFingerprintTOR}'"
+
+  # check for IP2TOR
+  error=""
+  ip2torIP=""
+  ip2torPort=""
+  source <(/home/admin/config.scripts/blitz.subscriptions.ip2tor.py ip-by-tor $toraddress)
+  if [ ${#error} -eq 0 ]; then
+    ip2torIP="${ip}"
+    ip2torPort="${port}"
+    echo "ip2torType='${ip2tor-v1}'"
+    echo "ip2torID='${id}'"
+    echo "ip2torIP='${ip}'"
+    echo "ip2torPort='${port}'"
+    # check for LetsEnryptDomain on IP2TOR
+    error=""
+    source <(/home/admin/config.scripts/blitz.subscriptions.letsencrypt.py domain-by-ip $ip)
+    if [ ${#error} -eq 0 ]; then
+      ip2torDomain="${domain}"
+      echo "ip2torDomain='${ip2torDomain}'"
+      # by default the relay gives a 404 .. so just test of no HTTP code at all comes back
+      httpcode=$(/home/admin/config.scripts/blitz.subscriptions.letsencrypt.py subscription-detail ${domain} ${port} | jq -r ".https_response")
+      if [ "${httpcode}" = "0" ]; then
+        echo "ip2torWarn='Not able to get HTTPS response.'"
+      fi
+    fi
+  fi
+
+  # determnine the public url for the pairing code based on best setup
+  connection=""
+  publicURL=""
+
+  # 1) IP2TOR & LETS ENCRYPT HTTPS
+  if [ "${ip2torDomain}" != "" ]; then
+    connection="ip2tor&letsencrypt"
+    publicURL="https://${ip2torDomain}:${ip2torPort}"
+
+  # 2) DYNDNS & LETS ENCRYPT HTTPS (forwarding same port)
+  elif [ "${publicDomain}" != "" ]; then
+    connection="dns&letsencrypt"
+    publicURL="https://${publicDomain}:3301"
+
+  # 3) IP2TOR & SELFSIGNED HTTPS
+  elif [ "${ip2torIP}" != "" ]; then
+    connection="ip2tor&selfsigned"
+    publicURL="https://${ip2torIP}:${ip2torPort}"
+
+  # 4) DYNDOMAIN & SELFSIGNED HTTPS (forwarding same port)
+  elif [ "${dynDomain}" != "" ]; then
+    connection="dns&selfsigned"
+    publicURL="https://${dynDomain}:3301"
+
+  # 5) LOCAL NETWORK (just HTTP)
+  else
+    connection="localnetwork"
+    publicURL="http://${localIP}:3300"
+
+  fi
+  echo "connection='${connection}'"
+  echo "publicURL='${publicURL}'"
+
+  exit 0
+fi
+
+if [ "$1" = "sync" ]; then
+  echo "# pull all changes from github repo"
+  # output basic info
+  cd /home/sphinxrelay/sphinx-relay
+  sudo git remote -v
+  sudo git branch -v
+  # pull latest code
+  sudo git pull
+  # update npm installs
+  npm install
+  # write environment
+  sudo -u sphinxrelay /home/admin/config.scripts/bonus.sphinxrelay.sh write-environment
+  # restart service
+  sudo systemctl restart sphinxrelay
+  echo "# server is restarting ... maybe takes some seconds until available"
+  exit 0
+fi
+
+# stop service
+echo "# making sure services are not running"
+sudo systemctl stop sphinxrelay 2>/dev/null
+
+# switch on
+if [ "$1" = "1" ] || [ "$1" = "on" ]; then
+  echo "*** INSTALL SPHINX-RELAY ***"
+
+  isInstalled=$(sudo ls /etc/systemd/system/sphinxrelay.service 2>/dev/null | grep -c 'sphinxrelay.service')
+  if [ ${isInstalled} -eq 0 ]; then
+
+    # check and install NodeJS
+    /home/admin/config.scripts/bonus.nodejs.sh on
+
+    # make sure keysend is on
+    /home/admin/config.scripts/lnd.keysend.sh on
+
+    echo "*** Add the 'sphinxrelay' user ***"
+    sudo adduser --disabled-password --gecos "" sphinxrelay
+    sudo /usr/sbin/usermod --append --groups lndadmin sphinxrelay
+
+    # install needed install packages
+    sudo apt install -y sqlite3
+
+    # get optional github parameter
+    githubUser="stakwork"
+    if [ "$2" != "" ]; then
+      githubUser="$2"
+    fi
+    githubBranch="v1.0.15"
+    if [ "$3" != "" ]; then
+      githubBranch="$3"
+    fi
+
+    # install from GitHub
+    echo "# get the github code user(${githubUser}) branch(${githubBranch})"
+    sudo rm -r /home/sphinxrelay/sphinx-relay 2>/dev/null
+    cd /home/sphinxrelay
+    sudo -u sphinxrelay git clone https://github.com/${githubUser}/sphinx-relay.git
+    cd /home/sphinxrelay/sphinx-relay
+    sudo -u sphinxrelay git checkout ${githubBranch}
+
+    echo "# NPM install dependencies ..."
+    sudo -u sphinxrelay npm install
+
+    # set database path to HDD data so that its survives updates and migrations
+    sudo mkdir /mnt/hdd/app-data/sphinxrelay 2>/dev/null
+    sudo chown sphinxrelay:sphinxrelay -R /mnt/hdd/app-data/sphinxrelay
+
+    # database config
+    sudo cat /home/sphinxrelay/sphinx-relay/config/config.json | \
+    jq ".production.storage = \"/mnt/hdd/app-data/sphinxrelay/sphinx.db\"" | \
+    sudo -u sphinxrelay tee /home/sphinxrelay/sphinx-relay/config/config.json
+
+    # general config
+    sudo cat /home/sphinxrelay/sphinx-relay/config/app.json | \
+    jq ".production.tls_location = \"/mnt/hdd/app-data/lnd/tls.cert\"" | \
+    jq ".production.macaroon_location = \"/mnt/hdd/app-data/lnd/data/chain/${network}/${chain}net/admin.macaroon\"" | \
+    jq ".production.lnd_log_location = \"/mnt/hdd/lnd/logs/${network}/${chain}net/lnd.log\"" | \
+    jq ".production.node_http_port = \"3300\"" | \
+    sudo -u sphinxrelay tee /home/sphinxrelay/sphinx-relay/config/app.json
+
+    # set permissions on connection string
+    # sudo -u sphinxrelay touch /home/sphinxrelay/sphinx-relay/connection_string.txt
+    # sudo chmod 640 /home/sphinxrelay/sphinx-relay/connection_string.txt
+
+    # write environment
+    /home/admin/config.scripts/bonus.sphinxrelay.sh write-environment
+
+    # open firewall
+    echo
+    echo "*** Updating Firewall ***"
+    sudo ufw allow 3300 comment 'sphinxrelay HTTP'
+    sudo ufw allow 3301 comment 'sphinxrelay HTTPS'
+    echo ""
+
+    # install service
+    echo "*** Install systemd ***"
+    cat > /home/admin/sphinxrelay.service <<EOF
+[Unit]
+Description=SphinxRelay
+Wants=lnd.service
+After=lnd.service
+
+[Service]
+WorkingDirectory=/home/sphinxrelay/sphinx-relay
+ExecStartPre=/home/admin/config.scripts/bonus.sphinxrelay.sh write-environment
+ExecStart=env NODE_ENV=production /usr/bin/node dist/app.js
+User=sphinxrelay
+Restart=always
+TimeoutSec=120
+RestartSec=30
+StandardOutput=null
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+EOF
+    sudo mv /home/admin/sphinxrelay.service /etc/systemd/system/sphinxrelay.service
+    sudo chown root:root /etc/systemd/system/sphinxrelay.service
+
+    sudo systemctl enable sphinxrelay
+
+    source /home/admin/raspiblitz.info
+    if [ "${state}" == "ready" ]; then
+      echo "# OK - sphinxrelay service is enabled, system is on ready so starting service"
+      sudo systemctl start sphinxrelay
+    else
+      echo "# OK - sphinxrelay service is enabled, but needs reboot or manual starting: sudo systemctl start sphinxrelay"
+    fi
+
+  else
+    echo "# sphinxrelay already installed."
+  fi
+
+  # setup nginx symlinks
+  if ! [ -f /etc/nginx/sites-available/sphinxrelay_ssl.conf ]; then
+     sudo cp /home/admin/assets/nginx/sites-available/sphinxrelay_ssl.conf /etc/nginx/sites-available/sphinxrelay_ssl.conf
+  fi
+  if ! [ -f /etc/nginx/sites-available/sphinxrelay_tor.conf ]; then
+     sudo cp /home/admin/assets/nginx/sites-available/sphinxrelay_tor.conf /etc/nginx/sites-available/sphinxrelay_tor.conf
+  fi
+  if ! [ -f /etc/nginx/sites-available/sphinxrelay_tor_ssl.conf ]; then
+     sudo cp /home/admin/assets/nginx/sites-available/sphinxrelay_tor_ssl.conf /etc/nginx/sites-available/sphinxrelay_tor_ssl.conf
+  fi
+  sudo ln -sf /etc/nginx/sites-available/sphinxrelay_ssl.conf /etc/nginx/sites-enabled/
+  sudo ln -sf /etc/nginx/sites-available/sphinxrelay_tor.conf /etc/nginx/sites-enabled/
+  sudo ln -sf /etc/nginx/sites-available/sphinxrelay_tor_ssl.conf /etc/nginx/sites-enabled/
+  sudo nginx -t
+  sudo systemctl reload nginx
+
+  # setting value in raspi blitz config
+  sudo sed -i "s/^sphinxrelay=.*/sphinxrelay=on/g" /mnt/hdd/raspiblitz.conf
+
+  # Hidden Service if Tor is active
+  source /mnt/hdd/raspiblitz.conf
+  if [ "${runBehindTor}" = "on" ]; then
+    # make sure to keep in sync with internet.tor.sh script
+    /home/admin/config.scripts/internet.hiddenservice.sh sphinxrelay 80 3302 443 3303
+    # allow everybody to read the hostname (no need for sudo for read)
+    sudo chmod +r /mnt/hdd/tor/sphinxrelay/hostname
+    sudo chmod +x /mnt/hdd/tor/sphinxrelay
+    sudo chmod +x /mnt/hdd/tor
+  fi
+  exit 0
+fi
+
+# switch off
+if [ "$1" = "0" ] || [ "$1" = "off" ]; then
+
+  # check for second parameter: should data be deleted?
+  deleteData=0
+  if [ "$2" = "--delete-data" ]; then
+    deleteData=1
+  elif [ "$2" = "--keep-data" ]; then
+    deleteData=0
+  else
+    if (whiptail --title " DELETE DATA? " --yesno "Do you want to delete\nthe SphinxRelay Data?" 8 30); then
+      deleteData=1
+   else
+      deleteData=0
+    fi
+  fi
+  echo "# deleteData(${deleteData})"
+
+  # setting value in raspi blitz config
+  sudo sed -i "s/^sphinxrelay=.*/sphinxrelay=off/g" /mnt/hdd/raspiblitz.conf
+
+  # remove nginx symlinks
+  sudo rm -f /etc/nginx/sites-enabled/sphinxrelay_ssl.conf
+  sudo rm -f /etc/nginx/sites-enabled/sphinxrelay_tor.conf
+  sudo rm -f /etc/nginx/sites-enabled/sphinxrelay_tor_ssl.conf
+  sudo rm -f /etc/nginx/sites-available/sphinxrelay_ssl.conf
+  sudo rm -f /etc/nginx/sites-available/sphinxrelay_tor.conf
+  sudo rm -f /etc/nginx/sites-available/sphinxrelay_tor_ssl.conf
+  sudo nginx -t
+  sudo systemctl reload nginx
+
+  # Hidden Service if Tor is active
+  if [ "${runBehindTor}" = "on" ]; then
+    /home/admin/config.scripts/internet.hiddenservice.sh off sphinxrelay
+  fi
+
+  isInstalled=$(sudo ls /etc/systemd/system/sphinxrelay.service 2>/dev/null | grep -c 'sphinxrelay.service')
+  if [ ${isInstalled} -eq 1 ] || [ "${sphinxrelay}" == "on" ]; then
+    echo "*** REMOVING SPHINXRELAY ***"
+    sudo systemctl stop sphinxrelay
+    sudo systemctl disable sphinxrelay
+    sudo rm /etc/systemd/system/sphinxrelay.service
+    sudo userdel -rf sphinxrelay
+
+    if [ ${deleteData} -eq 1 ]; then
+      echo "# deleting data"
+      sudo rm -R /mnt/hdd/app-data/sphinxrelay
+    else
+      echo "# keeping data"
+    fi
+
+    echo "OK sphinxrelay removed."
+  else
+    echo "sphinxrelay is not installed."
+  fi
+  exit 0
+fi
+
+echo "FAIL - Unknown Parameter $1"
+exit 1