Merge pull request lightningdevkit#10 from grizznaut/blog-v1-infra-notes

add blog post on payjoin v1 infrastructure

Author: DanGould

docs/.vuepress/config.js

@@ -66,6 +66,32 @@ module.exports = {
     themeColor,
     tags: ['Bitcoin', 'Payjoin', 'PDK', 'Payjoin Dev Kit', 'Documentation']
   }),
+  plugins: [
+    [
+      '@vuepress/blog',
+      {
+        directories: [
+          {
+            id: 'blog',
+            dirname: '_blog',
+            path: '/blog/',
+          },
+        ],
+        frontmatters: [
+          {
+            id: 'tag',
+            keys: ['tag', 'tags'],
+            path: '/blog/tags/',
+          },
+          {
+            id: 'author',
+            keys: ['author', 'authors'],
+            path: '/blog/author/',
+          }
+        ]
+      },
+    ],
+  ],
   themeConfig: {
     domain: baseUrl,
     logo: '/img/logo.svg',

docs/_blog/payjoin-v1-infrastructure.md

@@ -0,0 +1,166 @@
+---
+title: "Notes on payjoin v1 infrastructure"
+description: "A guide on setting up a payjoin receiver on signet"
+date: "2024-05-22"
+authors:
+  - spacebear
+tags:
+  - PDK
+  - Infrastructure
+---
+
+<br/>
+
+Payjoin v1 coordinates payjoins over a public server endpoint secured by either TLS or Tor hidden service hosted by the receiver. This requires setting up either a HTTPS proxy or a Tor proxy when testing payjoins across different implementations.
+
+## Setting up a HTTPS payjoin server with nginx
+
+This guide requires a dedicated server that you can `ssh` into, with the ability to `sudo`, and a domain name pointing to that server.
+
+### Configure a nginx proxy
+
+First, ensure nginx is installed on the server or [install nginx](https://nginx.org/en/docs/install.html). 
+
+Then, we'll edit `/etc/nginx/nginx.conf` to proxy traffic to the payjoin server (more on that later) by adding the following block:
+
+```
+# nginx.conf
+    server {
+        server_name pj.example.com; # Replace this with your domain name
+
+        location / {
+            proxy_pass http://localhost:3000; # This is the port on which we'll run the payjoin server
+
+            proxy_set_header        Host $host;
+            proxy_set_header        X-Real-IP $remote_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Proto $scheme;
+        }
+    }
+```
+
+Note that the above configuration uses the `pj` subdomain to avoid conflicts with anything that may already be running on the root domain.
+
+### Get a certificate
+
+Next, we'll need to obtain a valid TLS certificate from a Certificate Authority. There are many ways to do this, but one free and relatively easy option is to use [certbot](https://certbot.eff.org/instructions), an open-source tool by [letsencrypt.org](https://letsencrypt.org).
+
+Once certbot is installed, we can obtain a certificate and automatically update the nginx configuration:
+
+```sudo certbot -d <server_name from the nginx.conf above> --nginx```
+
+`/etc/nginx/nginx.conf` should now look something like this:
+
+```
+# nginx.conf
+    server {
+        server_name pj.example.com;
+
+        location / {
+            proxy_pass http://localhost:3000;
+
+            proxy_set_header        Host $host;
+            proxy_set_header        X-Real-IP $remote_addr;
+            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header        X-Forwarded-Proto $scheme;
+        }
+
+        listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
+        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+    }
+```
+
+Verify the installation with `curl`:
+
+```
+[ec2-user@ip-172-31-94-70 ~]$ curl -v https://<server_name>
+* Host pj.example.com:443 was resolved.
+* IPv6: (none)
+* IPv4: 54.156.128.153
+*   Trying 54.156.128.153:443...
+* Connected to pj.example.com (54.156.128.153) port 443
+* ALPN: curl offers h2,http/1.1
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
+*  CApath: none
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / id-ecPublicKey
+* ALPN: server accepted http/1.1
+* Server certificate:
+*  subject: CN=spacebear.dev
+*  start date: Apr 18 01:37:16 2024 GMT
+*  expire date: Jul 17 01:37:15 2024 GMT
+*  subjectAltName: host "pj.example.com" matched cert's "pj.example.com"
+*  issuer: C=US; O=Let's Encrypt; CN=R3
+*  SSL certificate verify ok.
+
+...
+
+<html>
+<head><title>502 Bad Gateway</title></head>
+<body>
+<center><h1>502 Bad Gateway</h1></center>
+<hr><center>nginx/1.25.0</center>
+</body>
+</html>
+```
+
+If everything worked, we should see "SSL certificate verify ok."! We now have a legit HTTPS server proxying traffic to port 3000, but as indicated by the 502 error there is nothing running there. The next step is to setup a payjoin receiver to run on that port.
+
+#### (Optional) Make a cronjob to auto-renew the certificate on a schedule
+
+```
+echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
+```
+
+### Set up Bitcoin Core on signet
+
+Because we're testing between wallets on different machines, regtest won't work (at least not trivially). We need a "real" Bitcoin network like signet. [Install Bitcoin Core](https://bitcoincore.org/) and edit `~/.bitcoin/bitcoin.conf`:
+
+```
+# bitcoin.conf
+chain=signet
+server=1
+rpcuser=payjoin
+rpcpassword=payjoin
+```
+
+`bitcoind` will take a few minutes to sync. In the meantime, let's create `sender` and `receiver` wallets and fund them. Use a signet faucet like https://signetfaucet.com/ if you don't have any signet coins on hand.
+
+### Install and run payjoin-cli receiver
+
+Finally, we'll install (or build from source) [payjoin-cli](https://github.com/payjoin/rust-payjoin/tree/master/payjoin-cli#install-payjoin-cli) and make a `config.toml` in the directory we plan on running payjoin-cli from:
+
+```
+# config.toml
+bitcoind_rpcuser = "payjoin"
+bitcoind_rpcpass = "payjoin"
+bitcoind_rpchost = "http://localhost:38332/wallet/receiver"
+```
+
+We can now run the receiver:
+
+```
+$ payjoin-cli receive 10000
+Listening at 0.0.0.0:3000. Configured to accept payjoin at BIP 21 Payjoin Uri:
+bitcoin:tb1q9e5qgztf6w4zz2m3ts3w2zp3psdqpgmtdkf7y0?amount=0.0001&pj=https://localhost:3000/&pjos=0
+```
+
+### Send payjoin!
+
+Send a payjoin to the BIP21 Uri generated above, taking care to replace `localhost:3000` in the `pj=` parameter with the domain name where your server is running. This should work from any wallet that implements payjoin support, from any machine. 
+
+E.g. sending from joinmarket:
+
+```
+(jmvenv) $ sendpayment.py -m 0 wallet.jmdat "bitcoin:tb1q9e5qgztf6w4zz2m3ts3w2zp3psdqpgmtdkf7y0?amount=0.0001&pj=https://pj.example.com/&pjos=0"
+```

docs/_blog/pdk-an-sdk-for-payjoin-transactions.md

@@ -9,8 +9,6 @@ tags:
   - PDK
 ---
 
-<br/>
-<br/>
 <br/>
 
 PDK is here to make Payjoin a drop in upgrade for all software touching Bitcoin. I cover the project's history, why you should consider it to add Payjoin to your stack, and some of the project's priorities moving forward. The PDK team will be updating this new blog with development updates, feature forecasts and the details of releases.