#!/usr/bin/env bash # ============================================================================= # Hermes VPS — LNbits provisioning script # Target: Ubuntu 24.04 LTS (tested on root@143.198.27.163) # # Usage: # export DB_PASS="$(openssl rand -hex 20)" # export TAILSCALE_IP="$(tailscale ip -4)" # e.g. 100.x.x.x # bash scripts/hermes-lnbits/provision.sh # # Required env vars (no defaults — operator must supply): # DB_PASS — password for the lnbits PostgreSQL role # TAILSCALE_IP — Tailscale IPv4 of this host (Nginx binds only to this) # # Backend note: # FakeWallet is used rather than VoidWallet because FakeWallet settles # internal (self-payment) invoices in real-time, which is required for # the dev/test payment simulation loop. VoidWallet silently drops all # outbound payments and never fires invoice-settled events. # # After this script: # 1. Extract the admin key non-interactively (see step below). # 2. Set Replit secrets: # LNBITS_URL=http://${TAILSCALE_IP}:5000 # LNBITS_API_KEY= # 3. Restart the api-server workflow. # ============================================================================= set -euo pipefail : "${DB_PASS:?DB_PASS must be set. Run: export DB_PASS=\$(openssl rand -hex 20)}" : "${TAILSCALE_IP:?TAILSCALE_IP must be set. Run: export TAILSCALE_IP=\$(tailscale ip -4)}" LNBITS_VERSION="${LNBITS_VERSION:-0.12.12}" LNBITS_PORT="${LNBITS_PORT:-5000}" LNBITS_DIR="${LNBITS_DIR:-/opt/lnbits}" SERVICE_USER="${SERVICE_USER:-lnbits}" DB_NAME=lnbits DB_USER=lnbits echo "==> Installing system deps" apt-get update -qq apt-get install -y -qq python3.11 python3.11-venv python3-pip \ postgresql postgresql-contrib nginx curl git openssl jq echo "==> Creating dedicated service user (non-root)" id -u "${SERVICE_USER}" &>/dev/null || \ useradd -r -m -d "${LNBITS_DIR}" -s /usr/sbin/nologin "${SERVICE_USER}" echo "==> Configuring PostgreSQL" systemctl enable --now postgresql sudo -u postgres psql -tc "SELECT 1 FROM pg_roles WHERE rolname='${DB_USER}'" \ | grep -q 1 || sudo -u postgres createuser -D -R -S "${DB_USER}" sudo -u postgres psql -c "ALTER ROLE ${DB_USER} WITH PASSWORD '${DB_PASS}';" sudo -u postgres psql -tc "SELECT 1 FROM pg_database WHERE datname='${DB_NAME}'" \ | grep -q 1 || sudo -u postgres createdb -O "${DB_USER}" "${DB_NAME}" echo "==> Creating LNbits venv at ${LNBITS_DIR}/.venv" mkdir -p "${LNBITS_DIR}/data" python3.11 -m venv "${LNBITS_DIR}/.venv" "${LNBITS_DIR}/.venv/bin/pip" install --quiet --upgrade pip "${LNBITS_DIR}/.venv/bin/pip" install --quiet "lnbits==${LNBITS_VERSION}" psycopg2-binary echo "==> Writing ${LNBITS_DIR}/.env (mode 600, owned by ${SERVICE_USER})" cat > "${LNBITS_DIR}/.env" << ENVFILE LNBITS_BACKEND_WALLET_CLASS=FakeWallet HOST=0.0.0.0 PORT=${LNBITS_PORT} LNBITS_DATA_FOLDER=${LNBITS_DIR}/data LNBITS_DATABASE_URL=postgres://${DB_USER}:${DB_PASS}@localhost:5432/${DB_NAME} LNBITS_SITE_TITLE=Timmy Tower LNbits ENVFILE chmod 600 "${LNBITS_DIR}/.env" chown "${SERVICE_USER}:${SERVICE_USER}" "${LNBITS_DIR}/.env" echo "==> Writing ${LNBITS_DIR}/run.sh" cat > "${LNBITS_DIR}/run.sh" << 'RUNSH' #!/usr/bin/env bash set -a source /opt/lnbits/.env set +a exec /opt/lnbits/.venv/bin/lnbits --host 0.0.0.0 --port "${PORT}" RUNSH chmod 750 "${LNBITS_DIR}/run.sh" chown -R "${SERVICE_USER}:${SERVICE_USER}" "${LNBITS_DIR}" echo "==> Installing systemd unit (User=${SERVICE_USER}, hardened)" cat > /etc/systemd/system/lnbits.service << UNIT [Unit] Description=LNbits Lightning wallet server After=network.target postgresql.service Requires=postgresql.service [Service] Type=simple User=${SERVICE_USER} WorkingDirectory=${LNBITS_DIR} ExecStart=${LNBITS_DIR}/run.sh Restart=always RestartSec=5 NoNewPrivileges=true ProtectSystem=strict ReadWritePaths=${LNBITS_DIR}/data [Install] WantedBy=multi-user.target UNIT systemctl daemon-reload systemctl enable lnbits systemctl restart lnbits echo "==> Waiting for LNbits to start (20 s)..." sleep 20 echo "==> Ensuring FakeWallet is set in DB" sudo -u postgres psql "${DB_NAME}" -c \ "INSERT INTO system_settings (id, value) VALUES ('lnbits_backend_wallet_class', '\"FakeWallet\"') ON CONFLICT (id) DO UPDATE SET value = EXCLUDED.value;" 2>/dev/null || true echo "==> Configuring Nginx (Tailscale-only listener on ${TAILSCALE_IP})" cat > /etc/nginx/sites-available/lnbits << NGINX # Bind only to the Tailscale interface — not exposed on public IP server { listen ${TAILSCALE_IP}:80; server_name _; location / { proxy_pass http://127.0.0.1:${LNBITS_PORT}; proxy_set_header Host \$host; proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_read_timeout 120s; proxy_connect_timeout 10s; } } NGINX ln -sf /etc/nginx/sites-available/lnbits /etc/nginx/sites-enabled/lnbits rm -f /etc/nginx/sites-enabled/default nginx -t && systemctl enable --now nginx && systemctl reload nginx echo "==> Health check" if HEALTH=$(curl -sf "http://localhost:${LNBITS_PORT}/api/v1/health" 2>&1); then echo " LNbits health: ${HEALTH}" else echo " WARNING: health check failed" journalctl -u lnbits -n 30 --no-pager exit 1 fi echo "==> Extracting admin key (non-interactive)" # LNbits >= 0.12 creates a superuser on first start. Query the DB directly. ADMIN_KEY=$(sudo -u postgres psql "${DB_NAME}" -tAc \ "SELECT adminkey FROM wallets WHERE deleted = false LIMIT 1;" 2>/dev/null || true) if [[ -n "${ADMIN_KEY}" ]]; then echo " Admin key: ${ADMIN_KEY}" echo " Set in Replit: LNBITS_API_KEY=${ADMIN_KEY}" else echo " No wallet found yet — open LNbits UI to create one, then run:" echo " sudo -u postgres psql lnbits -c \"SELECT adminkey FROM wallets LIMIT 1;\"" fi systemctl status lnbits --no-pager | head -8 echo "" echo "==> DONE. Set these Replit secrets:" echo " LNBITS_URL=http://${TAILSCALE_IP}:80" echo " LNBITS_API_KEY=${ADMIN_KEY:-}" echo " Then restart the api-server workflow."