diff --git a/service/BTCpayserver.md b/service/BTCpayserver.md index c9281bc0c2fe6c7487b2a70ab6fbd5639269380d..4c6126c8e55636383cf50e108575c949831c15b9 100644 --- a/service/BTCpayserver.md +++ b/service/BTCpayserver.md @@ -256,6 +256,13 @@ delete the data, and restart: ### Incorrect certificate +Note: that procedure is out of date and kept for historical purposes +only (if we ever rotate back to this old mechanism). Since +[tpo/tpa/team#41549][], We now use standard HTTPS certificate +issuance processes and this shouldn't occur anymore. + + [tpo/tpa/team#41549]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41549 + If you try to connect to <https://btcpayserver.torproject.org/> and get a self-signed cert, that is because it's not the right server. Connect to <https://btcpay.torproject.org/> instead. @@ -299,7 +306,7 @@ file: We are following the [full installation manual](https://docs.btcpayserver.org/Docker/#full-installation-for-technical-users), which is basically this questionable set of steps: -``` +```shell mkdir BTCPayServer cd BTCPayServer git clone https://github.com/btcpayserver/btcpayserver-docker 
@@ -308,17 +315,31 @@ cd btcpayserver-docker Then the procedure wants us to declare those: -``` +```shell export BTCPAY_HOST="btcpayserver.torproject.org" export BTCPAY_ADDITIONAL_HOSTS="btcpayserver-02.torproject.org" export NBITCOIN_NETWORK="mainnet" export BTCPAYGEN_CRYPTO1="btc" export BTCPAYGEN_ADDITIONAL_FRAGMENTS="opt-save-storage-s" -export BTCPAYGEN_REVERSEPROXY="nginx" export BTCPAYGEN_LIGHTNING="" export BTCPAY_ENABLE_SSH=false +export BTCPAYGEN_REVERSEPROXY="nginx" ``` +Update: we eventually went with our own reverse proxy deployment, +which required this as well: + +```shell +export BTCPAYGEN_REVERSEPROXY="none" +export BTCPAYGEN_EXCLUDE_FRAGMENTS="$BTCPAYGEN_EXCLUDE_FRAGMENTS;nginx-https" +export NOREVERSEPROXY_HTTP_PORT=127.0.0.1:8080 +export BTCPAYGEN_REVERSEPROXY="none" +``` + +This was done because of recurring issues with the container-based +Nginx proxy and the HTTPS issuance process, see [tpo/tpa/team#41549][] +for details. + We explicitly changed those settings from upstream: * `BTCPAY_HOST` and `BTCPAY_ADDITIONAL_HOSTS` @@ -328,7 +349,7 @@ We explicitly changed those settings from upstream: Then we launch the setup script, skipping the docker install because that's already done by Puppet: -``` +```shell root@btcpayserver-02:~/BTCPayServer/btcpayserver-docker# . btcpay-setup.sh --docker-unavailable -------SETUP----------- @@ -505,6 +526,10 @@ following components setup (looking at * tor-gen, also based on [docker-gen](https://hub.docker.com/r/btcpayserver/docker-gen) to generate a config for the above container +Update: in March 2024, the nginx, nginx-gen and +letsencrypt-nginx-proxy-companien containers were removed, see +[tpo/tpa/team#41549][]. + On the previous server, this also included: * lnd_bitcoin (for the "lighting network", based on [their image](https://hub.docker.com/r/btcpayserver/lnd)) 
@@ -564,6 +589,9 @@ here: There's a bunch of Docker containers around this that generate configuration and glue things together, see above. +Update: we managed to get rid of the Nginx container and its +associated sidecars, in [tpo/tpa/team#41549][]. + ### Storage and queues It's unclear what is stored where. Transactions, presumably, get @@ -698,6 +726,10 @@ infrastructure, but in doing so, significant problems were found with BTCpay in particular, but also with our cryptocurrency handling in general. +In March 2024, the Nginx configuration was split out of the +container-based setup and replaced with our standard Puppet-based +configuration, see [tpo/tpa/team#41549][]. + ## Security review There was never a security review performed on BTCpay by Tor @@ -721,12 +753,15 @@ upgrades, backups, and basic security (e.g. firewalls) would be covered. This still leaves a gaping hole for the update and maintenance of BTCpay itself. +Update: the service is now hosted on TPA infrastructure and a cron job +regularly pulls new releases. + ## PII concerns -There are no efforts in BTCpay to redact PII from logs. Nginx logs -keep second-granular timestamps with full IP address and user agent -information. It's unclear how long invoices are retained in the -PostgreSQL database nor what information they contain. +There are no efforts in BTCpay to redact PII from logs. It's unclear +how long invoices are retained in the PostgreSQL database nor what +information they contain. The Nginx webserver configuration has our +standard data redaction policies in place since March 2024. BTCpay correctly generates a one-time Bitcoin address for transactions, so that is done correctly at least. But right next to
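Review bot: in the `@@ -256,6 +256,13 @@` hunk the new note has a capitalization slip and a vague pointer: "Since [tpo/tpa/team#41549][], We now use" should read "we now use", and "that procedure" should be "this procedure" (or "the procedure below"), since the out-of-date text is the section that follows the note, not something earlier. The parenthetical "(if we ever rotate back to this old mechanism)" reads as an afterthought; "kept for historical purposes only, in case we ever rotate back to this mechanism" says the same thing more directly. The `[tpo/tpa/team#41549]:` definition added here is referenced from six later hunks, which is fine in Markdown, but if this file collects link definitions at the end of the file it should go there instead.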
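Review bot: the second shell block in the `@@ -308,17 +315,31 @@` hunk exports `BTCPAYGEN_REVERSEPROXY="none"` twice (its first and last lines); drop one. Two smaller points in the same hunk: `export BTCPAYGEN_EXCLUDE_FRAGMENTS="$BTCPAYGEN_EXCLUDE_FRAGMENTS;nginx-https"` produces a value with a leading `;` when the variable was not previously set, so either assign `"nginx-https"` directly or say that the previous value is expected to be non-empty; and the first block still ends with `export BTCPAYGEN_REVERSEPROXY="nginx"`, so a reader working top to bottom sets it to `nginx` and then to `none`. State that the "Update" block supersedes the earlier line, or remove the `nginx` line from the first block now that it is no longer what runs. The "We explicitly changed those settings from upstream" list that follows should also mention the reverse proxy settings, since they are now a deliberate deviation from the upstream procedure.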
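Review bot: the `@@ -328,7 +349,7 @@` hunk tags a terminal transcript (a `root@btcpayserver-02:...#` prompt followed by the `-------SETUP-----------` output) as `shell`, which invites copy-pasting the prompt line and its output as if they were commands. `console` is the conventional tag for a captured session with prompt and output; keep `shell` for the blocks that contain only commands to type, as the two earlier hunks do.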
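Review bot: the `@@ -505,6 +526,10 @@` hunk has a typo in a container name, "letsencrypt-nginx-proxy-companien" should be "letsencrypt-nginx-proxy-companion". Since this section enumerates the components that are set up, and the nginx, nginx-gen and companion containers are now gone, it is clearer to mark or remove those three entries in the list itself (if they still appear above) than to append an "Update" paragraph after the list and leave the entries in place.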
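Review bot: the note added in the `@@ -564,6 +589,9 @@` hunk repeats what the previous hunk already states about the Nginx container and its sidecars, and it is the only one of the four "Update" paragraphs in this patch without a date. Either add "in March 2024" for consistency with the others, or shorten this one to a single pointer to the components section above, which already carries the details and the issue link.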
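Review bot: the paragraph added in the `@@ -698,6 +726,10 @@` hunk sits right after a sentence about "significant problems" found during the migration, but does not say which of those problems the March 2024 change resolved. Tie it to the issue named earlier in this patch (the recurring HTTPS issuance and container-based Nginx proxy problems) so a reader does not have to open the ticket to connect the two, and make explicit that only the reverse proxy moved to Puppet while BTCPay itself still runs in the Docker setup.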
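Review bot: in the `@@ -721,12 +753,15 @@` hunk the sentence "This still leaves a gaping hole for the update and maintenance of BTCpay itself" is left unchanged immediately before the new "Update:" paragraph that says a cron job now pulls new releases, so the two now read as a contradiction; reword the older sentence to say what the cron job does and does not cover. The cron job itself needs documenting here rather than just mentioning: where it is defined (Puppet or the host crontab), what it runs, how a failed or partial upgrade is noticed, and whether pulled releases or images are pinned or verified in any way, because unattended pulls of upstream releases for a payment service mean that an upstream compromise lands automatically and this section is the security review. In the PII paragraph, "nor what information they contain" should be "or what information they contain" (there is no "neither"), "has our standard data redaction policies in place since March 2024" should be "has had ... in place since March 2024", and the paragraph should link the standard redaction policy it refers to. Since the first sentence still says BTCpay makes no effort to redact PII, it is worth stating that the Nginx redaction covers the proxy access logs only and leaves the application's own logs as they were.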