Welcome
Free Online User





How to regain privacy and provide bitcoin btcpay invoices from multiple websites with one local bitcoin node.

The focus here is establishing yourself online with privacy, then invoicing and accepting online payments in bitcoin.

Privacy Steps:

Purchase a new or used mobile phone that supports grapheneOS, maybe Pixel pro 6 or greater - https://grapheneos.org/faq#supported-devices
Install grapheneOS onto it, don't buy it pre-installed - https://grapheneos.org
Buy an eSim with a phone number using mixed or non-kyc bitcoin, bitcoin-lightning or monero - https://silent.link - to get confirmation text messages (note that twitter and telegram don't appear to accept these non-kyc numbers for verification, why do they need to know where we live?)
Buy a vpn service, pay with mixed or non-kyc bitcoin, or swap for monero (https://unstoppableswap.net) - https://mullvad.net
Set up a new email address with proton.me. Confirm your account with an sms to your new phone eSim number. Only use this new email for setting up the website for now.
Use your new website email address for worry-free communication. Be sure ssl encryption is turned on in the mail smtp connection on your mobile device.
Don't use google.
Don't use facebook.
Don't use snapchat.
Remain anon on twitter.
Use nostr.
Use your own mail server.

Payments Steps:

One caveat here is that the dns record for the subdomain will point to your fixed IP and can be looked up with whois. The main domain will not point to your fixed IP. I'll update here if I find a free non-kyc method to obscure this (or let me know). Until then, using an orange online virtual server (VPS) as a redirect is an idea; it's $23 USD/mth though, which seems a lot just to redirect, or $150/mth to get the storage size to go fully online with the full bitcoin blockchain. There are better vps deals, check https://bitcoin-vps.com/ - I'm looking into https://1984.hosting at $6/mth from this list right now.
If a vps is used, all the settings below will be the same, but apply them on the vps, and change the 127.0.0.1 in the nginx config to your fixed IP. I will continue now assuming we are using your local node, and this is not a concern for you.

Buy a web domain from orange.net. Confirm your identity with your new proton.me email address.
RapidSSL Standard for a green tick website with privacy.
Pay for the website with bitcoin lightning: pay>bitpay>electrum>bitcoin lightning.
Use the new web domain to set up your daily email address. Use this new domain email on your new phone.
Use Thunderbird on phone and pc for email.

Name servers to use if hosting. Navigate to domains>my domains>down arrow next to spanner>manage domain>nameservers>custom and enter:
    siti.ns.orangewebsite.com
    buffy.ns.orangewebsite.com
Don't manage dns or subdomains here, there is no cpanel. Instead go to services>MyServices>Click In Bronze Hosting Area>login to cpanel domain>zone editor>manage, add the subdomain btcpay, add an a-name for it, and direct it to your fixed IP.

You will need a fixed IP for the home network, so your webpage subdomain can point to it.

Use these port forwards on your home/office router; ensure the local router port-forwards to the linux server we are setting up.
80 and 443 carry the web data coming from your website subdomain's 'a-name'.
15080 and 15443 will be the ports your server's nginx looks at for incoming connections. You can use different ports here, but they must match the nginx config further below.

Service Name         External Port Start  External Port End  Protocol  Internal Port Start  Internal Port End  Server IP Address
BTCPay NGINX HTTP    80                   80                 TCP       15080                15080              10.0.1.57
BTCPay NGINX HTTPS   443                  443                TCP       15443                15443              10.0.1.57

The internal ip is your server; give it a fixed ip or have your dhcp allocate the same ip every time.

Following parmanode instructions, buy a cheap pc or laptop. Or install oracleVM and spin up a linux machine. It must be an always-on pc, or an online server.

On your new linux mint lts server (must be always on):
Install parmanode; visit https://parmanode.com/install to learn:
    curl https://parmanode.com/install.sh | sh
From parmanode, install bitcoin/electrum/lightning and install btcpay server.

Remove the need for a sudo password if you want (the line below lets that user run any command as root without a password prompt):
    sudo visudo
Add this line to the file with your username:

 
yourusername ALL=(ALL) NOPASSWD: ALL

    sudo apt update
    sudo apt upgrade
    sudo apt-get install nginx   # errors on port 80 because the config for 15080 isn't changed yet
    sudo apt install net-tools
    sudo netstat -tulnp | grep :80   # check what is using 80

nginx config file for reverse proxy, and certbot setup:
    sudo nano /etc/nginx/sites-available/btcpay2sites
Paste the details from btcpay2sites below and save.
    sudo ln -sf /etc/nginx/sites-available/btcpay2sites /etc/nginx/sites-enabled/   # creates symbolic link
    # not this yet # sudo rm /etc/nginx/sites-enabled/default   # removes the default link

To test the file (not ready to test yet):
    sudo nginx -t
Activate the file in nginx:
    sudo systemctl reload nginx
or
    sudo systemctl restart nginx

Install certbot. This is for linux mint lts - use snapd for latest ubuntu:
    sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface python3-certbot-nginx nginx
    # maybe not this # sudo sed -i 's/80 default_server/15080/g' /etc/nginx/sites-available/default
    sudo apt install -f
    service nginx status
    sudo tail -f /var/log/nginx/error.log

Don't use this, it's here just for completeness. If using the latest new ubuntu install with snap use this; it fails on the current linux mint version due to jammy drivers:
    sudo apt-get install software-properties-common
    sudo add-apt-repository universe
    sudo add-apt-repository ppa:certbot/certbot   # failed on older system, jammy
    snap --version
    sudo snap install --classic certbot
    sudo ln -s /snap/bin/certbot /usr/bin/certbot

This is unnecessary too, but for --nginx in certbot this is needed:
    sudo mkdir -p /var/www/html/.well-known/acme-challenge/
    sudo bash -c 'echo "test" > /var/www/html/.well-known/acme-challenge/test'

certonly means your nginx config file (btcpay2sites) will not be edited by certbot; we copied the config file and edited the website names for the *.pem files already.
The certbot test run:
    sudo certbot certonly --webroot -w /var/www/html -d btcpay.fubarhome.com -m webmaster@fubarhome.com --agree-tos --debug-challenges --dry-run -v
    sudo certbot certonly --webroot -w /var/www/html -d btcpay.fubarwork.com.au -m webmaster@fubarwork.com --agree-tos --debug-challenges --dry-run -v

The certbot live certification:
    sudo certbot certonly --webroot -w /var/www/html -d btcpay.fubarhome.com -m webmaster@fubarhome.com --agree-tos
    sudo certbot certonly --webroot -w /var/www/html -d btcpay.fubarwork.com.au -m webmaster@fubarwork.com --agree-tos

That's it! If you had success your btcpay subdomain is now ssl certified and points to your ip on the correct ports, only network traffic that is from your btcpay subdomain is accepted by your node, all other traffic is blocked or ignored. You can manage your btcpayserver by browsing to your btcpay subdomain.

Don't use this. If using the latest new ubuntu install with snap use this; it fails on the current linux mint due to file permissions. The --nginx command caused errors but --webroot worked well.
    sudo certbot --nginx -d btcpay.fubarhome.com -m webmaster@fubarhome.com --agree-tos
    sudo certbot --nginx -d btcpay.fubarwork.com.au -m letsencrypt@fubarwork.com.au --agree-tos

    sudo certbot renew --dry-run
    sudo certbot renew --force-renewal

btcpay released a fix - if you see a btcpayserver error when connecting remotely, find and change into the directory /app-data/btcpay-server/ then type:
    nano .env.app_proxy
Paste in this line:

        
PROXY_TRUST_UPSTREAM=true
    

Then save using: Control + X, then: Y, then: Enter.
Restart BTCPay Server, reboot if you don't know how.

The btcpay2sites data is shown below.
23001 is the default port on parmanode btcpay server, this is 3003 in umbrel.
You have copied the text below and put it in a file called btcpay2sites with no extension; edit names in the file as required.
If you only have one site, put # in front of all the lines referencing the second site; if you have more sites, add more sections.

btcpay2sites


proxy_buffer_size          128k;
proxy_buffers              4 256k;
proxy_busy_buffers_size    256k;
client_header_buffer_size 500k;
large_client_header_buffers 4 500k;

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name btcpay.fubarwork.com.au;

    listen [::]:15443 ssl ipv6only=on;
    listen 15443 ssl;

    location / {
        proxy_pass http://127.0.0.1:23001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/btcpay.fubarwork.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/btcpay.fubarwork.com.au/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    server_name btcpay.fubarhome.com;

    listen [::]:15443 ssl; # ipv6only=on;
    listen 15443 ssl;

    location / {
        proxy_pass http://127.0.0.1:23001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/btcpay.fubarhome.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/btcpay.fubarhome.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

# http to https for btcpay.fubarwork.com.au
server {
    listen 15080;
    listen [::]:15080;
    server_name btcpay.fubarwork.com.au;

    # ACME challenge configuration
    location ~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/html;
        try_files $uri =444;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# http to https for btcpay.fubarhome.com
server {
    listen 15080;
    listen [::]:15080;
    server_name btcpay.fubarhome.com;

    # ACME challenge configuration
    location ~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/html;
        try_files $uri =444;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Default server block for unknown hosts
server {
    listen 15080 default_server;
    listen [::]:15080 default_server;

    #return 404; # 404 too chatty
    return 444; # just closes the connection
}
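
An added example, not part of the original page: a small Python check that reports, for each listen port in an nginx config, which server block answers requests for hostnames that match no server_name. In the layout above the catch-all block is declared only on 15080, so on 15443 unmatched names fall through to the first block declared. SAMPLE is a constructed, trimmed copy of the config, `server_blocks` and `fallback_by_port` are names made up for this example, and the check groups by port only (IPv4 and IPv6 listeners are not tracked separately).

```python
import re

# Constructed sample: the page's btcpay2sites layout, proxy/ssl lines trimmed.
SAMPLE = """
server {
    server_name btcpay.fubarwork.com.au;
    listen [::]:15443 ssl ipv6only=on;
    listen 15443 ssl;
    location / { proxy_pass http://127.0.0.1:23001; }
}
server {
    server_name btcpay.fubarhome.com;
    listen 15443 ssl;
    location / { proxy_pass http://127.0.0.1:23001; }
}
server {
    listen 15080;
    server_name btcpay.fubarhome.com;
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 15080 default_server;  # the page's catch-all
    return 444;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, matched by brace depth."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def fallback_by_port(conf):
    """Map port -> (server that answers unmatched names, marked default_server?)."""
    result = {}
    for body in server_blocks(conf):
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        label = names.group(1).split()[0] if names else "(no server_name)"
        for args in re.findall(r"\blisten\s+([^;]+);", body):
            parts = args.split()
            port = int(parts[0].rsplit(":", 1)[-1])
            # Without default_server, nginx uses the first block declared for a port.
            if "default_server" in parts or port not in result:
                result[port] = (label, "default_server" in parts)
    return result
```

Run it on the real file with `fallback_by_port(open("/etc/nginx/sites-available/btcpay2sites").read())`; a port whose second value is False has no explicit catch-all, and the named site shown is what an unknown hostname reaches.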
    
            

To receive lightning payments on btcpayserver into your lightning wallet, you will require 'inbound liquidity'; this is value you can pull back after sending it. One way to get inbound liquidity is to send lightning value out, so I send onchain bitcoin to myself from an exchange, then send a lightning payment back to the exchange; this is now all inbound liquidity. Some services sell inbound liquidity.

My first steps to privacy are thanks to @_k3tan's website https://k3tan.com
Reverse DNS proxy concept from Jorijn; his original link is no longer active, but now references https://docs.btcpayserver.org/FAQ/Deployment/
@parman_the for developing a no bs bitcoin node, and for everything else here https://armantheparman.com

All the best!
@freeonlineuser
nostr npub1myh7r64lemswzc055slpg2kcy33wj04qgphely2sx08w5dkqjp8scpmpph

If you've found value here you can let me know with a lightning payment message of support.

Why not test my operational btcpay button below.