App Submission: Blockstream Blind Oracle (#950)

Co-authored-by: smolgrrr <smolgrrr@protonmail.com>
Co-authored-by: nmfretz <nmfretz@gmail.com>

blockstream-blind-oracle/data/server_private_key.key

@@ -0,0 +1 @@
+	µŇ~hMąřň„V>�<úŔ+<ŽéíP›śGÜM˙

blockstream-blind-oracle/data/server_public_key.pub

@@ -0,0 +1 @@
+2�`�#�e�5`�!o��Q8�r�!��,�V��

blockstream-blind-oracle/docker-compose.yml

@@ -0,0 +1,50 @@
+version: "3.7"
+
+services:
+  app_proxy:
+   environment:
+     APP_HOST: blockstream-blind-oracle_web_1
+     APP_PORT: $APP_PINSERVER_WEB_PORT
+     PROXY_AUTH_ADD: "false"
+
+  node:
+    image: tulipan81/blind_pin_server:v0.0.7@sha256:db8ce3f8de8da6cb083d60051a8ec720d5aa311e06148b259c42c4dfb7263c63
+    depends_on:
+      - web
+      - tor
+    restart: on-failure
+    stop_grace_period: 1m
+    ports:
+      - $APP_PINSERVER_PORT:8096
+    volumes:
+      - ${APP_DATA_DIR}/data/server_public_key.pub:/server_public_key.pub
+      - ${APP_DATA_DIR}/data/server_private_key.key:/server_private_key.key
+      - ${APP_DATA_DIR}/data/pins:/pins
+
+  web: 
+    image: tulipan81/pinserver_web:v0.0.36@sha256:a5214dbc14538478744a6a0c6bd40f03ab8ac2990abc9038139c18901064205b
+    depends_on:
+      - tor
+    restart: on-failure
+    ports:
+      - $APP_PINSERVER_WEB_PORT:$APP_PINSERVER_WEB_PORT
+    volumes:
+      - ${APP_DATA_DIR}/data/server_public_key.pub:/app/server_public_key.pub
+      - ${APP_DATA_DIR}/data/server_private_key.key:/app/server_private_key.key
+      - ${APP_DATA_DIR}/data/pins:/app/pins
+    environment:
+      PINSERVER_URL_A: ${APP_PINSERVER_HIDDEN_SERVICE}
+      PINSERVER_PORT_A: ${APP_PINSERVER_PORT}
+      PINSERVER_URL_B: ${APP_TAILSCALE_URL}
+      PINSERVER_PORT_B: ${APP_PINSERVER_PORT}
+      PINSERVER_CERT: ""
+
+  tor:
+    image: getumbrel/tor:0.4.7.8@sha256:2ace83f22501f58857fa9b403009f595137fa2e7986c4fda79d82a8119072b6a
+    user: "1000:1000"
+    restart: on-failure
+    volumes:
+      - ${APP_DATA_DIR}/torrc:/etc/tor/torrc:ro
+      - ${TOR_DATA_DIR}:/data
+    environment:
+      HOME: "/tmp"

blockstream-blind-oracle/exports.sh

@@ -0,0 +1,8 @@
+export APP_PINSERVER_PORT="8097"
+export APP_PINSERVER_WEB_PORT="8095"
+
+local app_pinserver_hidden_service_file="${EXPORTS_TOR_DATA_DIR}/app-${EXPORTS_APP_ID}-node/hostname"
+
+export APP_PINSERVER_HIDDEN_SERVICE="http://$(cat "${app_pinserver_hidden_service_file}" 2>/dev/null || echo "notyetset.onion")"
+
+export APP_TAILSCALE_URL="http://$(hostname 2>/dev/null || echo "notyetset.tailscale")"

blockstream-blind-oracle/hooks/pre-start

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# Create hidden service for the node container and ensure the web container
+# gets the hidden service environment variable on first install.
+
+HIDDEN_SERVICE_FILE="${TOR_DATA_DIR}/app-${APP_ID}-node/hostname"
+
+if [[ -f "${HIDDEN_SERVICE_FILE}" ]]; then
+	exit
+fi
+
+# Start web container first to update secret
+"${UMBREL_ROOT}/scripts/app" compose "${APP_ID}" up --detach web
+
+# Start node container so that a hidden service can be created
+"${UMBREL_ROOT}/scripts/app" compose "${APP_ID}" up --detach node
+
+echo "App: ${APP_ID} - Generating Tor Hidden Service for node container..."
+"${UMBREL_ROOT}/scripts/app" compose "${APP_ID}" up --detach tor
+
+for attempt in $(seq 1 100); do
+	if [[ -f "${HIDDEN_SERVICE_FILE}" ]]; then
+		echo "App: ${APP_ID} - Hidden service file created successfully!"
+		# restart web container to source the new hidden service env var
+		echo "App: ${APP_ID} - Restarting web container..."
+		"${UMBREL_ROOT}/scripts/app" compose "${APP_ID}" restart web
+		break
+	fi
+	sleep 0.1
+done
+
+if [[ ! -f "${HIDDEN_SERVICE_FILE}" ]]; then
+	echo "App: ${APP_ID} - Hidden service file wasn't created"
+fi

blockstream-blind-oracle/torrc.template

@@ -0,0 +1,3 @@
+# pinserver Hidden Service
+HiddenServiceDir /data/app-$APP_ID-node
+HiddenServicePort $APP_PINSERVER_PORT blockstream-blind-oracle_node_1:8096

blockstream-blind-oracle/umbrel-app.yml

@@ -0,0 +1,34 @@
+manifestVersion: 1.1
+id: blockstream-blind-oracle
+category: bitcoin
+name: Blockstream Blind Oracle
+version: "0.1.1"
+tagline: Encrypt your wallet on Blockstream Jade
+description: >-
+        Run a personal blind oracle to encrypt the wallet material on your 
+        Blockstream Jade.
+
+
+        Your blind oracle holds the decryption key to your Jade that is needed 
+        to unlock your device. This allows your Jade to remain protected from 
+        physical key extraction while also enforcing a maximum of 3 PIN attempts. 
+        Your blind oracle does not learn any sensitive information and does not 
+        know anything about the wallet on Jade.
+
+
+        Blind oracle needs a Tor or a Tailscale connection, if you decide to use 
+        Tailscale please enable Tailscale's MagicDNS.
+developer: Blockstream
+website: https://blockstream.com
+dependencies: []
+repo: https://github.com/Blockstream/blind_pin_server
+support: https://t.me/blockstream_jade
+port: 3344
+gallery:
+  - 1.jpg
+  - 2.jpg
+  - 3.jpg
+path: ''
+deterministicPassword: false
+submitter: Blockstream
+submission: https://github.com/getumbrel/umbrel-apps/pull/950