# ARRR Scripts

This repository contains helper tooling to bootstrap the Pirate Chain daemon stack and expose an `ARRRwallet` friendly gRPC endpoint. The primary entry point is `setup-arrr-lightwalletd.sh`, which compiles the upstream projects, configures systemd services, and (optionally) wires nginx/Certbot for TLS termination and gRPC proxying.

## What the script does

- Installs development/runtime dependencies and Go, and clones `Pirate` plus `lightwalletd`.
- Builds Pirate Chain (`pirated`) and `lightwalletd`, links them under `/usr/local/bin`, and writes a `PIRATE.conf` for RPC access.
- Sets up nginx when you pass `--hostname`:
  - First writes a minimal HTTP-only nginx site serving `/.well-known/acme-challenge/` so Certbot can start without certs.
  - Requests certificates via `certbot certonly --webroot`, then rewrites the nginx site with the full HTTPS/gRPC proxy block (including `/etc/letsencrypt` includes and gRPC headers).
  - Ensures nginx is tested and reloaded after each stage.
- Creates systemd units for `pirated` and `lited` (the lightwalletd binary), wiring logs, data directories, and capabilities.
- If you opt out of nginx, the script runs `lited` with the provided TLS cert/key (or `--no-tls-very-insecure` when not supplied) directly on the host.

## Usage

```sh
./setup-arrr-lightwalletd.sh \
  --hostname \
  --email admin@example.com \
  --lets-encrypt \
  --bind-addr 127.0.0.1:9067 \
  --http-bind-addr 127.0.0.1:9068 \
  --data-dir /var/lib/lightwalletd
```

- `--hostname` enables nginx/Certbot and proxies `127.0.0.1:9067` (or your `--bind-addr`) over gRPC.
- `--lets-encrypt` pairs with `--email` so `certbot certonly --webroot` can obtain certs. The script keeps nginx challenge locations intact while the final config relies on `/etc/letsencrypt/live/`.
- Without `--hostname`, nginx isn’t installed and `lited` runs with the TLS arguments you provide (`--tls-cert`/`--tls-key`) or falls back to `--no-tls-very-insecure`.
- `--go-version`, `--data-dir`, and bind addresses are all optional overrides. The defaults are documented in the script.

## After the run

- `systemctl status pirated lited` shows the daemon status; logs live under `/var/log/lited`.
- `sudo certbot certificates` confirms the issued certificate for your hostname.
- Let’s Encrypt installs its own renew timer, so nothing else is required for automatic renewal.

## Troubleshooting

- If nginx reports `host` variable errors, ensure the generated config keeps `\$host`/`\$request_uri` escaped; the script already does this in the heredoc.
- You can rerun the script after DNS is live—Certbot’s webroot challenge will reuse the shared `/var/www/certbot` directory and nginx rewrites happen in-place.
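
The two-stage nginx rendering and the heredoc escaping of `\$host`/`\$request_uri` described above, sketched as an added example that is not the repository's script. The function names, the server block layout and the hostname check are assumptions made for illustration.

```sh
# Added example, not the repository's script. Function names and the nginx
# layout are assumptions; hostnames passed to it are constructed samples.
# Reject anything that could inject directives into the rendered config.
valid_hostname() { case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac; }

# Stage 1: HTTP-only site so the webroot challenge works before a cert exists.
render_acme_site() {
    valid_hostname "$1" || return 1
    cat <<EOF
server {
    listen 80;
    server_name $1;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 404; }
}
EOF
}

# Stage 2: keep the challenge location, redirect the rest, proxy gRPC over TLS.
# \$host and \$request_uri are escaped so the shell leaves them for nginx.
render_grpc_site() {
    valid_hostname "$1" || return 1
    cat <<EOF
server {
    listen 80;
    server_name $1;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl http2;
    server_name $1;
    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
    location / {
        grpc_set_header Host \$host;
        grpc_pass grpc://$2;
    }
}
EOF
}

# Succeeds only if the literal nginx variables survived heredoc expansion.
check_nginx_vars() { case $1 in *'https://$host$request_uri'*) return 0 ;; esac; return 1; }
```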