feat: add ckbunker install script (#3148)

* feat: add ckbunker install script * ckbunker: don't run the service by default
2025-03-27 02:01:53 +01:00 · 2022-06-17 21:01:54 +01:00 · 2022-06-17 21:01:54 +01:00 · fc765de029
commit fc765de029
parent 77db8b5de8
2 changed files with 311 additions and 0 deletions
--- a/home.admin/_commands.sh
+++ b/home.admin/_commands.sh
@ -67,6 +67,7 @@ function blitzhelp() {
  echo "  lit          Lightning Terminal"
  echo "  jm           JoinMarket"
  echo "  pyblock      PyBlock"
+  echo "  ckbunker     CKbunker"
  echo
  echo "Extras:"
  echo "  whitepaper   download the whitepaper from the blockchain to /home/admin/bitcoin.pdf"
@ -311,6 +312,19 @@ function jm() {
  fi
 }

+# command: ckbunker
+# switch to the ckbunker user
+function ckbunker() {
+  if [ $(grep -c "ckbunker=on"  < /mnt/hdd/raspiblitz.conf) -eq 1 ]; then
+    echo "# switching to the ckbunker user with the command: 'sudo su - ckbunker'"
+    sudo su - ckbunker
+    echo "# use command 'raspiblitz' to return to menu"
+  else
+    echo "ckbunker is not installed - to install run:"
+    echo "sudo /home/admin/config.scripts/bonus.ckbunker.sh on"
+  fi
+}
+
 # command: lit
 # switch to the lit user for the loop, pool & faraday services
 function lit() {
--- a/home.admin/config.scripts/bonus.ckbunker.sh
+++ b/home.admin/config.scripts/bonus.ckbunker.sh
@ -0,0 +1,297 @@
+#!/bin/bash
+
+GITHUB_REPO="https://github.com/Coldcard/ckbunker"
+VERSION="bf08623875b576c4bc4498dc68e749cdf6b5de31"
+
+# command info
+if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
+  echo "# Config script to switch the CKbunker on or off"
+  echo "# Installs CKBunker ${GITHUB_REPO}/commit/${VERSION}"
+  echo "# bonus.ckbunker.sh status   -> status information (key=value)"
+  echo "# bonus.ckbunker.sh on       -> install the app"
+  echo "# bonus.ckbunker.sh off      -> uninstall the app"
+  echo "# bonus.ckbunker.sh menu     -> SSH menu dialog"
+  echo "# bonus.ckbunker.sh prestart -> will be called by systemd before start"
+  exit 1
+fi
+
+source /mnt/hdd/raspiblitz.conf
+
+GITHUB_SIGN_AUTHOR="web-flow"
+GITHUB_SIGN_PUBKEYLINK="https://github.com/web-flow.gpg"
+GITHUB_SIGN_FINGERPRINT="4AEE18F83AFDEB23"
+
+PORT_CLEAR="9823"
+PORT_SSL="9824"
+PORT_TOR_CLEAR="9825"
+PORT_TOR_SSL="9826"
+
+localIP=$(hostname -I | awk '{print $1}')
+
+# check if app is already installed
+isInstalled=$(sudo ls /etc/systemd/system/ckbunker.service 2>/dev/null | grep -c "ckbunker.service")
+
+# check if service is running
+isRunning=$(systemctl status ckbunker 2>/dev/null | grep -c 'active (running)')
+
+if [ "${isInstalled}" == "1" ]; then
+
+  # gather address info (whats needed to call the app)
+  toraddress=$(sudo cat /mnt/hdd/tor/ckbunker/hostname 2>/dev/null)
+  fingerprint=$(openssl x509 -in /mnt/hdd/app-data/nginx/tls.cert -fingerprint -noout | cut -d"=" -f2)
+
+fi
+
+if [ "$1" = "status" ]; then
+  echo "appID='ckbunker'"
+  echo "githubRepo='${GITHUB_REPO}'"
+  echo "githubVersion='${GITHUB_VERSION}'"
+  echo "githubSignature='${GITHUB_SIGNATURE}'"
+  echo "isInstalled=${isInstalled}"
+  echo "isRunning=${isRunning}"
+  if [ "${isInstalled}" == "1" ]; then
+    echo "portCLEAR=${PORT_CLEAR}"
+    echo "portSSL=${PORT_SSL}"
+    echo "localIP='${localIP}'"
+    echo "toraddress='${toraddress}'"
+    echo "fingerprint='${fingerprint}'"
+    echo "toraddress='${toraddress}'"
+  fi
+  exit
+fi
+
+# show info menu
+if [ "$1" = "menu" ]; then
+  dialogTitle="CKbunker setup"
+  dialogText="# To set up first switch to the 'ckbunker' user:
+sudo su - ckbunker
+# run:
+ckbunker setup
+# open in your local web browser:
+https://${localIP}:${PORT_SSL}/setup with Fingerprint:
+${fingerprint}\n
+# follow the guide at:
+https://ckbunker.com/setup.html
+(save your password)
+
+# When the setup is done start the service in the background:
+sudo systemctl enable ckbunker
+sudo systemctl start ckbunker"
+
+  # use whiptail to show SSH dialog & exit
+  whiptail --title "${dialogTitle}" --msgbox "${dialogText}" 21 67
+  echo "please wait ..."
+  exit 0
+fi
+
+# switch on
+if [ "$1" = "1" ] || [ "$1" = "on" ]; then
+  echo "# Install CKBunker"
+
+  if [ ${isInstalled} -eq 1 ]; then
+    echo "# ckbunker.service is already installed."
+    exit 1
+  fi
+
+  echo "# Installing ckbunker ..."
+
+  # dependencies
+  sudo apt install -y virtualenv python-dev libusb-1.0-0-dev libudev-dev
+
+  # create dedicated user
+  sudo adduser --disabled-password --gecos "" ckbunker
+
+  # add the user to the Tor group
+  sudo usermod -a -G debian-tor ckbunker
+
+  if ! [ -d /mnt/hdd/app-data/ckbunker ]; then
+    echo "# create app-data directory"
+    sudo mkdir /mnt/hdd/app-data/ckbunker 2>/dev/null
+    sudo chown ckbunker:ckbunker -R /mnt/hdd/app-data/ckbunker
+  else
+    echo "# reuse existing app-directory"
+    sudo chown ckbunker:ckbunker -R /mnt/hdd/app-data/ckbunker
+  fi
+
+  echo "# download the source code & verify"
+  sudo -u ckbunker git clone --recursive ${GITHUB_REPO} /home/ckbunker/ckbunker
+  cd /home/ckbunker/ckbunker || exit 1
+  sudo -u ckbunker git reset --hard ${VERSION}
+  if [ "${GITHUB_SIGN_AUTHOR}" != "" ]; then
+    sudo -u ckbunker /home/admin/config.scripts/blitz.git-verify.sh \
+     "${GITHUB_SIGN_AUTHOR}" "${GITHUB_SIGN_PUBKEYLINK}" "${GITHUB_SIGN_FINGERPRINT}" || exit 1
+  fi
+
+  sudo -u ckbunker virtualenv -p python3 ENV
+  sudo -u ckbunker sh -c '. /home/ckbunker/ckbunker/ENV/bin/activate && \
+   pip install -r requirements.txt && pip install --editable .'
+
+  echo "# add the udev rules"
+  cd /etc/udev/rules.d/
+  sudo wget https://raw.githubusercontent.com/Coldcard/ckcc-protocol/master/51-coinkite.rules
+  sudo udevadm control --reload-rules && sudo udevadm trigger
+
+  echo "source /home/ckbunker/ckbunker/ENV/bin/activate" | sudo -u ckbunker tee -a /home/ckbunker/.bashrc
+  echo "PATH=\$PATH:~/ckbunker/ENV/bin/" | sudo -u ckbunker tee -a /home/ckbunker/.bashrc
+  echo "cd /home/ckbunker/ckbunker" | sudo -u ckbunker tee -a /home/ckbunker/.bashrc
+
+  echo "# updating Firewall"
+  sudo ufw allow ${PORT_CLEAR} comment "ckbunker HTTP"
+  sudo ufw allow ${PORT_SSL} comment "ckbunker HTTPS"
+
+  echo "# create systemd service: ckbunker.service"
+  echo "
+[Unit]
+Description=ckbunker
+Wants=bitcoind
+After=bitcoind
+
+[Service]
+WorkingDirectory=/home/ckbunker/ckbunker/
+ExecStartPre=-/home/admin/config.scripts/bonus.ckbunker.sh prestart
+ExecStart=sh -c '. ENV/bin/activate && ENV/bin/ckbunker run'
+User=ckbunker
+Restart=always
+TimeoutSec=120
+RestartSec=30
+StandardOutput=null
+StandardError=journal
+
+# Hardening measures
+PrivateTmp=true
+ProtectSystem=full
+NoNewPrivileges=true
+PrivateDevices=true
+
+[Install]
+WantedBy=multi-user.target
+" | sudo tee /etc/systemd/system/ckbunker.service
+    sudo chown root:root /etc/systemd/system/ckbunker.service
+
+  # when tor is set on also install the hidden service
+  if [ "${runBehindTor}" = "on" ]; then
+    # activating tor hidden service
+    /home/admin/config.scripts/tor.onion-service.sh ckbunker 80 ${PORT_TOR_CLEAR} 443 ${PORT_TOR_SSL}
+  fi
+
+  echo "# setup nginx config"
+  # write the HTTPS config
+  echo "
+server {
+    listen ${PORT_SSL} ssl;
+    listen [::]:${PORT_SSL} ssl;
+    server_name _;
+    include /etc/nginx/snippets/ssl-params.conf;
+    include /etc/nginx/snippets/ssl-certificate-app-data.conf;
+    access_log /var/log/nginx/access_ckbunker.log;
+    error_log /var/log/nginx/error_ckbunker.log;
+    location / {
+        proxy_pass http://127.0.0.1:${PORT_CLEAR};
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+}
+" | sudo tee /etc/nginx/sites-available/ckbunker_ssl.conf
+  sudo ln -sf /etc/nginx/sites-available/ckbunker_ssl.conf /etc/nginx/sites-enabled/
+
+  # write the Tor config
+  echo "
+server {
+    listen localhost:${PORT_TOR_CLEAR};
+    server_name _;
+    access_log /var/log/nginx/access_ckbunker.log;
+    error_log /var/log/nginx/error_ckbunker.log;
+    location / {
+        proxy_pass http://127.0.0.1:${PORT_CLEAR};
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+}
+" | sudo tee /etc/nginx/sites-available/ckbunker_tor.conf
+  sudo ln -sf /etc/nginx/sites-available/ckbunker_tor.conf /etc/nginx/sites-enabled/
+
+  # write the Tor+HTTPS config
+  echo "
+server {
+    listen localhost:${PORT_TOR_SSL} ssl;
+    server_name _;
+    include /etc/nginx/snippets/ssl-params.conf;
+    include /etc/nginx/snippets/ssl-certificate-app-data-tor.conf;
+    access_log /var/log/nginx/access_ckbunker.log;
+    error_log /var/log/nginx/error_ckbunker.log;
+    location / {
+        proxy_pass http://127.0.0.1:${PORT_CLEAR};
+        include /etc/nginx/snippets/ssl-proxy-params.conf;
+    }
+}
+" | sudo tee /etc/nginx/sites-available/ckbunker_tor_ssl.conf
+  sudo ln -sf /etc/nginx/sites-available/ckbunker_tor_ssl.conf /etc/nginx/sites-enabled/
+
+  # test nginx config & activate thru reload
+  sudo nginx -t
+  sudo systemctl reload nginx
+
+  # mark app as installed in raspiblitz config
+  /home/admin/config.scripts/blitz.conf.sh set ckbunker "on"
+
+  echo "# OK - CKbunker is now installed"
+  echo "# To set up:
+# switch to the user
+sudo su - ckbunker
+# run:
+ckbunker setup
+# open in your local web browser:
+https://${localIP}:${PORT_SSL}/setup
+# and follow the guide at:
+https://ckbunker.com/setup.html
+
+# When the setup is done run the service in the backgound with:
+sudo systemctl enable ckbunker
+sudo systemctl start ckbunker
+"
+  exit 0
+fi
+
+
+# switch off
+if [ "$1" = "0" ] || [ "$1" = "off" ]; then
+
+  echo "# stop & remove systemd service"
+  sudo systemctl stop ckbunker 2>/dev/null
+  sudo systemctl disable ckbunker.service
+  sudo rm /etc/systemd/system/ckbunker.service
+
+  echo "# remove nginx symlinks"
+  sudo rm -f /etc/nginx/sites-enabled/ckbunker_ssl.conf 2>/dev/null
+  sudo rm -f /etc/nginx/sites-enabled/ckbunker_tor.conf 2>/dev/null
+  sudo rm -f /etc/nginx/sites-enabled/ckbunker_tor_ssl.conf 2>/dev/null
+  sudo rm -f /etc/nginx/sites-available/ckbunker_ssl.conf 2>/dev/null
+  sudo rm -f /etc/nginx/sites-available/ckbunker_tor.conf 2>/dev/null
+  sudo rm -f /etc/nginx/sites-available/ckbunker_tor_ssl.conf 2>/dev/null
+  sudo nginx -t
+  sudo systemctl reload nginx
+
+  echo "# close ports on firewall"
+  sudo ufw deny "${PORT_CLEAR}"
+  sudo ufw deny "${PORT_SSL}"
+
+  echo "# removing Tor hidden service (if active)"
+  /home/admin/config.scripts/tor.onion-service.sh off ckbunker
+
+  echo "# remove user"
+  sudo userdel -rf ckbunker
+
+  echo "# mark app as uninstalled in raspiblitz config"
+  /home/admin/config.scripts/blitz.conf.sh set ckbunker "off"
+
+  # only if 'delete-data' is an additional parameter then also the data directory gets deleted
+  if [ "$(echo "$@" | grep -c delete-data)" -gt 0 ]; then
+    echo "# found 'delete-data' parameter --> also deleting the app-data"
+    sudo rm -r /mnt/hdd/app-data/ckbunker
+  fi
+
+  echo "# OK - CKbunker is uninstalled now"
+  exit 0
+fi
+
+# just a basic error message when unknow action parameter was given
+echo "# FAIL - Unknown Parameter $1"
+exit 1