From cc4ac49de75707d912bbbdc64f9219544a3a74bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Thu, 7 Mar 2024 11:27:36 -0500
Subject: [PATCH] document the btcpay server reconfiguration
 (tpo/tpa/team#41549)

---
 service/BTCpayserver.md | 51 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 43 insertions(+), 8 deletions(-)

diff --git a/service/BTCpayserver.md b/service/BTCpayserver.md
index c9281bc0..4c6126c8 100644
--- a/service/BTCpayserver.md
+++ b/service/BTCpayserver.md
@@ -256,6 +256,13 @@ delete the data, and restart:
 
 ### Incorrect certificate
 
+Note: that procedure is out of date and kept for historical purposes
+only (if we ever rotate back to this old mechanism). Since
+[tpo/tpa/team#41549][], We now use standard HTTPS certificate
+issuance processes and this shouldn't occur anymore.
+
+ [tpo/tpa/team#41549]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41549
+
 If you try to connect to <https://btcpayserver.torproject.org/> and
 get a self-signed cert, that is because it's not the right
 server. Connect to <https://btcpay.torproject.org/> instead.
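Review bot: stray capital after the comma in the added note ("Since [tpo/tpa/team#41549][], We now use"); lower-case "we". The note says the old mechanism was replaced by "standard HTTPS certificate issuance processes" but not by what: a pointer to the Puppet-based Nginx configuration that the later hunks describe would save the reader a search. Note also that the reference-style link definition added here is the only one for `[tpo/tpa/team#41549][]` in the file and every later hunk relies on it, so it must survive if this historical section is ever pruned.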
@@ -299,7 +306,7 @@ file:
 We are following the [full installation manual](https://docs.btcpayserver.org/Docker/#full-installation-for-technical-users), which is basically
 this questionable set of steps:
 
-```
+```shell
 mkdir BTCPayServer
 cd BTCPayServer
 git clone https://github.com/btcpayserver/btcpayserver-docker
@@ -308,17 +315,31 @@ cd btcpayserver-docker
 
 Then the procedure wants us to declare those:
 
-```
+```shell
 export BTCPAY_HOST="btcpayserver.torproject.org"
 export BTCPAY_ADDITIONAL_HOSTS="btcpayserver-02.torproject.org"
 export NBITCOIN_NETWORK="mainnet"
 export BTCPAYGEN_CRYPTO1="btc"
 export BTCPAYGEN_ADDITIONAL_FRAGMENTS="opt-save-storage-s"
-export BTCPAYGEN_REVERSEPROXY="nginx"
 export BTCPAYGEN_LIGHTNING=""
 export BTCPAY_ENABLE_SSH=false
+export BTCPAYGEN_REVERSEPROXY="nginx"
 ```
 
+Update: we eventually went with our own reverse proxy deployment,
+which required this as well:
+
+```shell
+export BTCPAYGEN_REVERSEPROXY="none"
+export BTCPAYGEN_EXCLUDE_FRAGMENTS="$BTCPAYGEN_EXCLUDE_FRAGMENTS;nginx-https"
+export NOREVERSEPROXY_HTTP_PORT=127.0.0.1:8080
+export BTCPAYGEN_REVERSEPROXY="none"
+```
+
+This was done because of recurring issues with the container-based
+Nginx proxy and the HTTPS issuance process, see [tpo/tpa/team#41549][]
+for details.
+
 We explicitly changed those settings from upstream:
 
  * `BTCPAY_HOST` and `BTCPAY_ADDITIONAL_HOSTS`
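Review bot: the "Update" block exports `BTCPAYGEN_REVERSEPROXY="none"` twice (its first and last lines); drop the duplicate. Because the block above still exports `BTCPAYGEN_REVERSEPROXY="nginx"` (this hunk moves that line to the end of the block), the text should state that the update block is sourced after it and overrides that value, otherwise a reader following the page top to bottom may leave the nginx setting in effect. `export BTCPAYGEN_EXCLUDE_FRAGMENTS="$BTCPAYGEN_EXCLUDE_FRAGMENTS;nginx-https"` appends to a variable the page never sets, producing a leading `;`; if that is the intended idiom say so, otherwise assign the value directly. `NOREVERSEPROXY_HTTP_PORT=127.0.0.1:8080` deserves a sentence: it exposes the container's plain-HTTP port on loopback only, which is the control that keeps the unencrypted listener reachable solely by the host-side reverse proxy, so it should not be changed to a routable address. Finally, the "We explicitly changed those settings from upstream" list that follows should now include `BTCPAYGEN_REVERSEPROXY` and `BTCPAYGEN_EXCLUDE_FRAGMENTS`.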
@@ -328,7 +349,7 @@ We explicitly changed those settings from upstream:
 Then we launch the setup script, skipping the docker install because
 that's already done by Puppet:
 
-```
+```shell
 root@btcpayserver-02:~/BTCPayServer/btcpayserver-docker# . btcpay-setup.sh --docker-unavailable
 
 -------SETUP-----------
@@ -505,6 +526,10 @@ following components setup (looking at
  * tor-gen, also based on [docker-gen](https://hub.docker.com/r/btcpayserver/docker-gen) to generate a config for the
    above container
 
+Update: in March 2024, the nginx, nginx-gen and
+letsencrypt-nginx-proxy-companien containers were removed, see
+[tpo/tpa/team#41549][].
+
 On the previous server, this also included:
 
  * lnd_bitcoin (for the "lighting network", based on [their image](https://hub.docker.com/r/btcpayserver/lnd))
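Review bot: "letsencrypt-nginx-proxy-companien" is misspelled; the container is letsencrypt-nginx-proxy-companion. The three containers this paragraph marks as removed are still listed in the component bullets directly above as part of the current setup; consider moving them into the "On the previous server, this also included" list below instead of appending an update paragraph, so the component list reflects what actually runs.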
@@ -564,6 +589,9 @@ here:
 There's a bunch of Docker containers around this that generate
 configuration and glue things together, see above.
 
+Update: we managed to get rid of the Nginx container and its
+associated sidecars, in [tpo/tpa/team#41549][].
+
 ### Storage and queues
 
 It's unclear what is stored where. Transactions, presumably, get
@@ -698,6 +726,10 @@ infrastructure, but in doing so, significant problems were found with
 BTCpay in particular, but also with our cryptocurrency handling in
 general.
 
+In March 2024, the Nginx configuration was split out of the
+container-based setup and replaced with our standard Puppet-based
+configuration, see [tpo/tpa/team#41549][].
+
 ## Security review
 
 There was never a security review performed on BTCpay by Tor
@@ -721,12 +753,15 @@ upgrades, backups, and basic security (e.g. firewalls) would be
 covered. This still leaves a gaping hole for the update and
 maintenance of BTCpay itself.
 
+Update: the service is now hosted on TPA infrastructure and a cron job
+regularly pulls new releases.
+
 ## PII concerns
 
-There are no efforts in BTCpay to redact PII from logs. Nginx logs
-keep second-granular timestamps with full IP address and user agent
-information. It's unclear how long invoices are retained in the
-PostgreSQL database nor what information they contain.
+There are no efforts in BTCpay to redact PII from logs. It's unclear
+how long invoices are retained in the PostgreSQL database nor what
+information they contain. The Nginx webserver configuration has our
+standard data redaction policies in place since March 2024.
 
 BTCpay correctly generates a one-time Bitcoin address for
 transactions, so that is done correctly at least. But right next to
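Review bot: the "Update" about the cron job leaves the maintenance question it answers undocumented: say where the job is defined (Puppet or crontab), how often it runs, what command it invokes, and whether the pulled releases are pinned or verified in any way, since an unattended pull from upstream is exactly the "update and maintenance of BTCpay itself" gap the preceding paragraph calls a gaping hole, and the reader needs to know how far it is closed. In the PII paragraph, "our standard data redaction policies" should link to the policy (or the Puppet class that applies it) and state what it redacts, given that the removed sentence spelled out precisely what the logs contained (second-granular timestamps, full IP address, user agent) and the replacement no longer says whether any of that remains. Also "unclear how long ... nor what information" should read "or what information".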
-- 
GitLab