just merging (#8)

* raspiblitz#2221 change hdmi mode (raspiblitz#2224)

* unlock LND after Bitcoin Core install if ready (raspiblitz#2214)

* unlock LND after Bitcoin Core install if ready
* bitcoin.update: improve output and comments

* show nginx systemd logs (raspiblitz#2220)

This is important, normally nginx fails and this is not shown.

* Update stacking-sats-kraken version (raspiblitz#2216)

* small ux thing - bigger dialog box

* raspiblitz#2070 checking version & resetting password c (raspiblitz#2226)

* Table of options on how to have blitz (raspiblitz#2219)

* Create SECURITY.md (raspiblitz#2212)

* raspiblitz#2151 Update Documentation for v1.7 (raspiblitz#2227)

* upload of raspiblitz-v1.7.0-2021-04-24.img.gz

* update version 1.7.0

* upload image raspiblitz-v1.7.0-2021-04-25.img.gz

* correct signature link for v1.7.0

* SECURITY.md typos (raspiblitz#2229)

please correct this before v1.7 @rootzoll

* raspiblitz#2151 adding torrent download for v1.7.0

* fix torrent link label

* update README for v1.7.0

* fix typo

Co-authored-by: /rootzoll <christian@geektank.de>
Co-authored-by: openoms <43343391+openoms@users.noreply.github.com>
Co-authored-by: d11n <mail@dennisreimann.de>

CHANGES.md

@@ -2,7 +2,7 @@
 
 ## What's new in Version 1.7.0 of RaspiBlitz?
 
-- New: Raspberry Pi OS Base Image 64-bit (August 2020)
+- New: Raspberry Pi OS Base Image 64-bit (April 2021)
 - New: Build SD card Image with parameters & FatPack [details](https://github.com/rootzoll/raspiblitz/pull/2044)
 - New: Improve LND uptime and reliability over Tor [details](https://github.com/rootzoll/raspiblitz/pull/2148)
 - New: Lightning Terminal v0.4.1-alpha (Loop, Pool & Faraday UI Bundle) [details](https://github.com/lightninglabs/lightning-terminal#lightning-terminal-lit)

FAQ.md

@@ -73,6 +73,7 @@
   - [Let's Encrypt - eMail Address](#lets-encrypt---email-address)
   - [Let's Encrypt - Installation details](#lets-encrypt---installation-details)
   - [How can I customize my RaspiBlitz or add other software?](#how-can-i-customize-my-raspiblitz-or-add-other-software)
+- [How do I find the IP address when running without a display?](#how-do-i-find-the-ip-address-when-running-without-a-display)
 
 ---
 
@@ -931,3 +932,12 @@ The RaspiBlitz is your computer to experiment with. Feel free to add your own sc
 - Hot fixes & new features for minor verisons will be created as single branches from the release branch, and once ready will be merged back into that release branch as a Pull Request using 'Squash-Merge' AND then, this 'Squash-Merge' (one single commit) will get cherry-picked into the  'dev' branch ('git cherry-pick COMMITHASH' - may call 'git fetch' & 'git pull' before to make a clean cherry-pick into dev).
 
 
+# How do I find the IP address when running without a display?
+
+If you can login into your local internet router it should show you the IP address assigned to the RaspberryPi.
+
+Another way is to use [Angry IP Scanner](https://angryip.org/) to find the IP address.
+
+You can also put an empty file just called `hdmi` (without any ending) onto the sd card when connected to your laptop and then start it up on the RaspberryPi. This will activate the HDMI port and if you connect a HDMI monitor to the RaspberryPi it will show you the RaspiBlitz status screen containing the local IP address.
+
+

SECURITY.md

@@ -0,0 +1,73 @@
+# Security Policy
+
+*NOTE: This document is just a first draft and still under contruction.*
+
+Only use this software with funds you could afford to lose. Especially a lightning wallet that is a hot wallet, which has constant connection to the internet and can be target of exploitation.
+
+Just because the software is OpenSource does not mean its free of errors. Especially if you run additional apps, the RaspiBlitz team cannot review all the code of those external projects.
+
+The software is provided "AS IS", without warrenty of any kind. In no event shall the
+authors or copyright holders be liable for any claim, damages or other
+liability. [details on legal license](LICENSE.md)
+
+## Supported Versions
+
+Updates are made only for the latest version.
+
+Security patches can be done with `MAINMENU > UPDATE > PATCH` for the current branch in the case of a high risk issue before next release.
+
+The latest version always have the `latest` tag. To make sure you are using the lastest version, run:
+```
+curl -s https://api.github.com/repos/rootzoll/raspiblitz/releases/latest|grep tag_name|head -1|cut -d '"' -f4
+```
+
+## Reporting a Vulnerability
+
+To report security issues send an email to christian@rotzoll.de (not for support).
+
+The following keys may be used to communicate sensitive information to developers:
+
+| Name | Fingerprint | 64-bit |
+|------|-------------|--------|
+|Rootzoll|92A7 46AE 33A3 C186 D014 BF5C 1C73 060C 7C17 6461|1C73 060C 7C17 6461|
+|Openoms|13C6 88DB 5B9C 745D E4D2 E454 5BFB 7760 9B08 1B65|5BFB 7760 9B08 1B65|
+
+You can import a key by running the following command with that individual’s fingerprint:
+```
+curl https://keybase.io/rootzoll/pgp_keys.asc | gpg --import
+curl https://keybase.io/oms/pgp_keys.asc | gpg --import
+```
+Ensure that you put quotes around fingerprints containing spaces if importing with other methods.
+
+# Online Security
+
+* Wi-fi and Bluetooth is disabled by default in the build script.
+* UFW is active and only specific ports are open, closing ports and removing hidden services when services are uninstalled.
+* Fail-2-Ban is protecting the SSH login against brute-force-attacks.
+* Admin (and Joinmarket [optional]) users have passwordless sudo access to be able to perform installations and read password without much user interaction.
+
+# Physical Security
+
+* The lightning wallet and user interfaces are password protected by default so this has more privacy implications (in the case of physical theft) than security.
+* Optional log in through SSH using a hardware wallet.
+* LUKS encryption would be welcome in the future.
+
+# On-chain Funds
+
+Please keep in mind that there can be two different on-chain wallets on the RaspiBlitz:
+
+## Lightning Wallet (default)
+
+The default is the on-chain lightning wallet - that's the wallet where you normally send your funds before opening a channel & where your funds return to when you close a channel. With the initial word seed you get during RaspiBlitz setup, you can get access again to this on-chain wallet. Keep the seed words secure in a off-line location.
+
+## Bitcoin Core Wallet (deactivated by default)
+
+Beside lightning you have a bitcoin core installed. Normally, bitcoin core acts just as a blockchain informational service to the lightning wallet and its internal seperate on-chain wallet is deactivated. 
+
+Some apps (like Fully Noded or JoinMarket) activate the bitcoin core wallet and use it for their own needs. This on-chain balance will not be reflected in the rest of the RaspiBlitz software and is NOT backuped by the seed words from the RaspiBlitz setup. If you make use of the bitcoin core wallet please take care of these funds. 
+
+# Off-chain Funds (Lightning Channels)
+
+Please note that there is no perfect backup concept for the funds in your lightning channels yet. We strongly recommend using the `Static Channel Backup` provided by LND and consider off-line location backup of that file to have the best chances to recover Lightning funds in a case of recoverying from a disaster.
+
+For more practical information on this topic see: [Backup Channel Funds](README.md#backup-for-on-chain---channel-funds)

home.admin/20recoverDialog.sh

@@ -35,7 +35,7 @@ Write them down & store them in a safe place.
   if [ "$?" != "0" ]; then
     dialog --backtitle "RaspiBlitz - Setup" --msgbox "Please write down your Password C:\n${oldPasswordC}" 10 52
   else
-    dialog --backtitle "RaspiBlitz" --msgbox "OK - password C was set\nuse it to unlock your Lightning Wallet after restarts." 6 52
+    dialog --backtitle "RaspiBlitz" --msgbox "OK - password C was set\nuse it to unlock your Lightning Wallet after restarts." 8 52
   fi
 
 elif [ ${resetAlsoPasswordB} -gt 0 ]; then

home.admin/XXdebugLogs.sh

@@ -71,6 +71,10 @@ echo "sudo tail -n 30 /mnt/hdd/lnd/logs/${network}/${chain}net/lnd.log"
 sudo tail -n 30 /mnt/hdd/lnd/logs/${network}/${chain}net/lnd.log
 echo ""
 
+echo "*** NGINX SYSTEMD STATUS ***"
+sudo systemctl status nginx -n2 --no-pager
+echo ""
+
 echo "*** LAST NGINX LOGS ***"
 echo "sudo journalctl -u nginx -b --no-pager -n20"
 sudo journalctl -u nginx -b --no-pager -n20

home.admin/_version.info

@@ -1,2 +1,2 @@
 # RaspiBlitz Version - always [major].[main].[sub] (sub can be a string like '2rc1')
-codeVersion="1.7.0RC3"
+codeVersion="1.7.0"

home.admin/config.scripts/bitcoin.update.sh

@@ -2,15 +2,15 @@
 
 # command info
 if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then
- echo "Interim optional Bitcoin Core updates between RaspiBlitz releases."
- echo "bitcoin.update.sh [info|tested|reckless|custom]"
- echo "info -> get actual state and possible actions"
- echo "tested -> only do a tested update by the RaspiBlitz team"
- echo "reckless -> the update was not tested by the RaspiBlitz team"
- echo "custom -> update to a chosen version"
- echo " the binary will be checked by signature and checksum in all cases"
- echo
- exit 1
+  echo "Interim optional Bitcoin Core updates between RaspiBlitz releases."
+  echo "bitcoin.update.sh [info|tested|reckless|custom]"
+  echo "info -> get actual state and possible actions"
+  echo "tested -> only do a tested update by the RaspiBlitz team"
+  echo "reckless -> the update was not tested by the RaspiBlitz team"
+  echo "custom -> update to a chosen version"
+  echo " the binary will be checked by signature and checksum in all cases"
+  echo
+  exit 1
 fi
 
 source /home/admin/raspiblitz.info
@@ -156,9 +156,9 @@ if [ "${mode}" = "tested" ]||[ "${mode}" = "reckless" ]||[ "${mode}" = "custom"
     echo "# !!! FAIL !!! Download laanwj-releases.asc not success."
     exit 1
   fi
-  gpg ./laanwj-releases.asc
-  fingerprint=$(gpg ./laanwj-releases.asc 2>/dev/null | grep "${laanwjPGP}" -c)
-  if [ ${fingerprint} -lt 1 ]; then
+  gpg --import-options show-only --import ./laanwj-releases.asc
+  fingerprint=$(gpg ./laanwj-releases.asc 2>/dev/null | grep -c "${laanwjPGP}")
+  if [ ${fingerprint} -eq 0 ]; then
     echo
     echo "# !!! BUILD WARNING --> Bitcoin PGP author not as expected"
     echo "# Should contain laanwjPGP: ${laanwjPGP}"
@@ -184,13 +184,7 @@ if [ "${mode}" = "tested" ]||[ "${mode}" = "reckless" ]||[ "${mode}" = "custom"
     echo
   fi
 
-  # get the sha256 value for the corresponding platform from signed hash sum file
-  bitcoinSHA256=$(grep -i "$bitcoinOSversion" SHA256SUMS.asc | cut -d " " -f1)
-
-  echo
-  echo "# BITCOIN v${bitcoinVersion} for ${bitcoinOSversion}"
-
-  # download resources
+  echo "# Downloading Bitcoin Core v${bitcoinVersion} for ${bitcoinOSversion} ..."
   binaryName="bitcoin-${bitcoinVersion}-${bitcoinOSversion}.tar.gz"
   sudo -u admin wget https://bitcoincore.org/bin/bitcoin-core-${pathVersion}/${binaryName}
   if [ ! -f "./${binaryName}" ]
@@ -200,26 +194,31 @@ if [ "${mode}" = "tested" ]||[ "${mode}" = "reckless" ]||[ "${mode}" = "custom"
   fi
 
   echo "# Checking binary checksum ..."
-  binaryChecksum=$(sha256sum ${binaryName} | cut -d " " -f1)
-  if [ "${binaryChecksum}" != "${bitcoinSHA256}" ]; then
-    echo "!!! FAIL !!! Downloaded BITCOIN BINARY not matching SHA256 checksum: ${bitcoinSHA256}"
+  checksumTest=$(sha256sum -c --ignore-missing SHA256SUMS.asc ${binaryName} 2>/dev/null \
+                | grep -c "${binaryName}: OK")
+  if [ "${checksumTest}" -eq 0 ]; then
+    # get the sha256 value for the corresponding platform from signed hash sum file
+    bitcoinSHA256=$(grep -i "$bitcoinOSversion" SHA256SUMS.asc | cut -d " " -f1)
+    echo "!!! FAIL !!! Downloaded BITCOIN BINARY CHECKSUM:"
+    echo "$(sha256sum ${binaryName})"
+    echo "NOT matching SHA256 checksum:"
+    echo "${bitcoinSHA256}"
     exit 1
   else
     echo
-    echo "# OK --> VERIFIED BITCOIN CHECKSUM CORRECT"
+    echo "# OK --> VERIFIED BITCOIN CHECKSUM IS CORRECT"
     echo
   fi
 
 fi 
 
 if [ "${mode}" = "tested" ]||[ "${mode}" = "custom" ]; then
-  # note: install will be done the same as reckless further down
   bitcoinInterimsUpdateNew="${bitcoinVersion}"
 elif [ "${mode}" = "reckless" ]; then
   bitcoinInterimsUpdateNew="reckless"
 fi
 
-# JOINED INSTALL (tested & RECKLESS)
+# JOINED INSTALL
 if [ "${mode}" = "tested" ]||[ "${mode}" = "reckless" ]||[ "${mode}" = "custom" ];then
 
   # install
@@ -247,14 +246,18 @@ if [ "${mode}" = "tested" ]||[ "${mode}" = "reckless" ]||[ "${mode}" = "custom"
 
   echo "# OK Bitcoin Core ${bitcoinVersion} is installed"
   if [ "${state}" == "ready" ]; then
+    echo
+    echo "# Starting ..."
     sudo systemctl start bitcoind
-    sudo systemctl start lnd
+    sleep 10
     echo
-    echo "# Restarted LND"
-    echo "# Use: 'lncli unlock' to unlock the LND wallet once Bitcoin Core is synced"
+    sudo systemctl start lnd
+    echo "# Starting LND ..."
+    sleep 10
     echo
-    echo "# Press ENTER to exit to the menu ..."
+    echo "# Press ENTER to proceed to unlock the LND wallet ..."
     read key
+    sudo /home/admin/config.scripts/lnd.unlock.sh
   fi
   exit 0
 

home.admin/config.scripts/blitz.display.sh

@@ -267,6 +267,8 @@ function install_lcd() {
 
     # modify /boot/config.txt 
     sudo sed -i "s/^hdmi_force_hotplug=.*//g" /boot/config.txt 
+    sudo sed -i '/^hdmi_group=/d' /boot/config.txt 2>/dev/null
+    sudo sed -i "/^hdmi_mode=/d" /boot/config.txt 2>/dev/null
     #echo "hdmi_force_hotplug=1" >> /boot/config.txt
     sudo sed -i "s/^dtparam=i2c_arm=.*//g" /boot/config.txt 
     # echo "dtparam=i2c_arm=on" >> /boot/config.txt --> this is to be called I2C errors - see: https://github.com/rootzoll/raspiblitz/issues/1058#issuecomment-739517713
@@ -327,7 +329,11 @@ function uninstall_lcd() {
 
     # remove modifications of config.txt
     sudo sed -i '/^hdmi_force_hotplug=/d' /boot/config.txt 2>/dev/null
-    sudo sed -i "s/^dtoverlay=.*//g" /boot/config.txt 
+    sudo sed -i '/^hdmi_group=/d' /boot/config.txt 2>/dev/null
+    sudo sed -i "/^hdmi_mode=/d" /boot/config.txt 2>/dev/null
+    sudo sed -i "s/^dtoverlay=.*//g" /boot/config.txt 2>/dev/null
+    echo "hdmi_group=1" >> /boot/config.txt
+    echo "hdmi_mode=3" >> /boot/config.txt
     echo "dtoverlay=pi3-disable-bt" >> /boot/config.txt
     echo "dtoverlay=disable-bt" >> /boot/config.txt
 
@@ -400,7 +406,7 @@ function install_lcd_legacy() {
     # add waveshare mod
     sudo cp ./waveshare35a.dtbo /boot/overlays/
 
-    # modify /boot/config.txt 
+    # modify /boot/config.txt
     sudo sed -i "s/^hdmi_force_hotplug=.*//g" /boot/config.txt 
     #echo "hdmi_force_hotplug=1" >> /boot/config.txt
     sudo sed -i "s/^dtparam=i2c_arm=.*//g" /boot/config.txt 

home.admin/config.scripts/blitz.migration.sh

@@ -141,7 +141,33 @@ if [ "$1" = "migration-umbrel" ]; then
 
   echo "# starting to rearrange the data drive for raspiblitz .."
 
-  # extract data
+  # determine version
+  version=$(sudo cat /mnt/hdd/umbrel/info.json | jq -r '.version')
+  if [ "${version}" == "" ]; then
+    echo "err='not able to get version'"
+    exit 1
+  fi
+  versionMajor=$(echo "${version}" | cut -d "." -f1)
+  versionMiner=$(echo "${version}" | cut -d "." -f2)
+  versionPatch=$(echo "${version}" | cut -d "." -f3)
+  if [ "${versionMajor}" == "" ] || [ "${versionMiner}" == "" ] || [ "${versionPatch}" == "" ]; then
+    echo "err='not able processing version'"
+    exit 1
+  fi
+
+  # since 0.3.9 umbrel uses a fixed/default password for lnd wallet (before it was the user set one)
+  if [ ${versionMajor} -eq 0 ] && [ ${versionMiner} -lt 4 ] && [ ${versionPatch} -lt 9 ]; then
+    echo "# umbrel before 0.3.9 --> password c is old user set password"
+  else
+    echo "# umbrel 0.3.9 or higher --> password c is fixed 'moneyprintergobrrr'"
+    # set flag with standard password to be changed on final recovery setup
+    sudo touch /mnt/hdd/passwordc.flag
+    sudo chmod 777 /mnt/hdd/passwordc.flag
+    echo "moneyprintergobrrr" >> /mnt/hdd/passwordc.flag
+    sudo chown admin:admin /mnt/hdd/passwordc.flag
+  fi
+
+  # extract detailed data
   nameNode=$(sudo jq -r '.name' /mnt/hdd/umbrel/db/user.json)
 
   # move bitcoin/blockchain & call function to migrate config

home.admin/config.scripts/bonus.stacking-sats-kraken.sh

@@ -9,7 +9,7 @@ CONFIG_FILE=$APP_DATA_DIR/.env
 RASPIBLITZ_FILE=/mnt/hdd/raspiblitz.conf
 SCRIPT_DIR=$HOME_DIR/stacking-sats-kraken
 SCRIPT_NAME=stacksats.sh
-SCRIPT_VERSION=0.4.2
+SCRIPT_VERSION=0.4.3
 
 # command info
 if [ $# -eq 0 ] || [ "$1" = "-h" ] || [ "$1" = "-help" ]; then