diff --git a/how-to-self-host-hardened-bitcoin-node/README.md b/how-to-self-host-hardened-bitcoin-node/README.md
index d7b97ba..8249924 100644
--- a/how-to-self-host-hardened-bitcoin-node/README.md
+++ b/how-to-self-host-hardened-bitcoin-node/README.md
@@ -17,7 +17,6 @@ Listed: true
 ## Caveats
-- Steps labelled as “bitcoin-dataset” are only required to bootstrap node using bitcoin-dataset.
 - When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
 - When copy/pasting commands that start with `cat << "EOF"`, select all lines at once (from `cat << "EOF"` to `EOF` inclusively) as they are part of the same (single) command
@@ -43,47 +42,7 @@ $ apt update
 $ apt install -y apt-transport-https build-essential clang cmake curl git gnupg sudo
 ```
-### Step 3 (bitcoin-dataset): install bitcoin-dataset dependencies
-
-```console
-$ apt install -y lz4 transmission-cli transmission-daemon
-
-$ systemctl disable transmission-daemon
-
-$ systemctl stop transmission-daemon
-```
-
-### Step 4 (bitcoin-dataset): configure transmission-daemon
-
-#### Increase `rmem_max` and `wmem_max`
-
-```console
-$ cat << "EOF" >> /etc/sysctl.conf
-net.core.rmem_max = 4194304
-net.core.wmem_max = 1048576
-EOF
-
-$ sysctl -p
-```
-
-#### Overwrite default settings
-
-```shell
-cat << "EOF" > /etc/transmission-daemon/settings.json
-{
- "dht-enabled": false,
- "encryption": 2,
- "message-level": 1,
- "pex-enabled": false,
- "port-forwarding-enabled": true,
- "rpc-authentication-required": false,
- "rpc-enabled": true,
- "utp-enabled": false
-}
-EOF
-```
-
-### Step 5: add user to sudo group
+### Step 3: add user to sudo group
 > Heads-up: replace `pi-admin` with user.
@@ -91,7 +50,7 @@ EOF
 usermod -aG sudo pi-admin
 ```
-### Step 6: log out and log in to enable sudo privileges
+### Step 4: log out and log in to enable sudo privileges
 > Heads-up: replace `~/.ssh/pi` with path to private key and `pi-admin@10.0.1.94` with server or Raspberry Pi SSH destination.
@@ -105,7 +64,7 @@ $ ssh -i ~/.ssh/pi pi-admin@10.0.1.94
 $ sudo su -
 ```
-### Step 7: install and configure [WireGuard](https://www.wireguard.com/)
+### Step 5: install and configure [WireGuard](https://www.wireguard.com/)
 #### Install WireGuard
@@ -200,7 +159,7 @@ You are connected to Mullvad
 👍
-### Step 8: install [Cargo](https://doc.rust-lang.org/cargo/index.html)
+### Step 6: install [Cargo](https://doc.rust-lang.org/cargo/index.html)
 ```console
 $ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
@@ -263,19 +222,7 @@ source $HOME/.cargo/env
 $ source $HOME/.cargo/env
 ```
-### Step 9 (bitcoin-dataset): install [b3sum](https://github.com/BLAKE3-team/BLAKE3)
-
-```console
-$ cargo install b3sum
- Updating crates.io index
- Installing b3sum v1.3.1
- …
- Installed package `b3sum v1.3.1` (executable `b3sum`)
-
-$ mv /root/.cargo/bin/b3sum /usr/bin/
-```
-
-### Step 10: import Sun’s PGP public key (used to verify downloads below)
+### Step 7: import Sun’s PGP public key (used to verify downloads below)
 ```console
 $ curl --fail https://sunknudsen.com/sunknudsen.asc | gpg --import
@@ -294,7 +241,7 @@ imported: 1
 👍
-### Step 11: verify integrity of Sun’s PGP public key (learn how [here](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint))
+### Step 8: verify integrity of Sun’s PGP public key (learn how [here](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint))
 ```console
 $ gpg --fingerprint hello@sunknudsen.com
@@ -310,35 +257,7 @@ Fingerprint matches published fingerprints
 👍
-### Step 12: download and verify [bitcoind.service](./bitcoind.service)
-
-```console
-$ curl --fail --output /lib/systemd/system/bitcoind.service https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoind.service
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-100 2184 100 2184 0 0 2112 0 0:00:01 0:00:01 --:--:-- 2114
-
-$ curl --fail --output /lib/systemd/system/bitcoind.service.asc https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoind.service.asc
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-100 228 100 228 0 0 258 0 --:--:-- --:--:-- --:--:-- 258
-
-$ gpg --verify /lib/systemd/system/bitcoind.service.asc
-gpg: assuming signed data in 'bitcoind.service'
-gpg: Signature made Wed 16 Feb 2022 14:02:09 EST
-gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783
-gpg: Good signature from "Sun Knudsen " [unknown]
-gpg: WARNING: This key is not certified with a trusted signature!
-gpg: There is no indication that the signature belongs to the owner.
-Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
- Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783
-```
-
-Good signature
-
-👍
-
-### Step 13: download and verify [electrs.service](./electrs.service)
+### Step 9: download and verify [electrs.service](./electrs.service)
 ```console
 $ curl --fail --output /lib/systemd/system/electrs.service https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/electrs.service
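Review bot: Dropping Step 12 (download and verify bitcoind.service) in this hunk goes beyond the bitcoin-dataset cleanup: unlike every other removed step it carried no (bitcoin-dataset) label, the later hunk at -765 still keeps `$ systemctl enable bitcoind` and `$ systemctl start bitcoind` as context, the hunk offsets between -624 and -765 appear to show no other change to the Bitcoin Core install step, and bitcoind.service / bitcoind.service.asc are not among the files this diff deletes. Unless the guide now creates that unit somewhere outside these hunks, readers no longer fetch or PGP-verify the unit file that `systemctl enable bitcoind` depends on. Suggest keeping the step as `### Step 9: download and verify [bitcoind.service](./bitcoind.service)` together with its curl and `gpg --verify` block and renumbering the steps that follow, or stating in the commit where the unit now comes from.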
@@ -366,34 +285,7 @@ Good signature
 👍
-### Step 14 (bitcoin-dataset): download and verify [transmission-daemon.service](./transmission-daemon.service)
-
-```console
-$ curl --fail --output /lib/systemd/system/transmission-daemon.service https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-100 1598 100 1598 0 0 568 0 0:00:02 0:00:02 --:--:-- 568
-
-$ curl --fail --output /lib/systemd/system/transmission-daemon.service.asc https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service.asc
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-
-$ gpg --verify /lib/systemd/system/transmission-daemon.service.asc
-gpg: assuming signed data in '/lib/systemd/system/transmission-daemon.service'
-gpg: Signature made Sun 27 Feb 2022 01:47:27 PM EST
-gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783
-gpg: Good signature from "Sun Knudsen " [unknown]
-gpg: WARNING: This key is not certified with a trusted signature!
-gpg: There is no indication that the signature belongs to the owner.
-Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
- Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783
-```
-
-Good signature
-
-👍
-
-### Step 15: download and verify [tor-client-auth.sh](./tor-client-auth.sh)
+### Step 10: download and verify [tor-client-auth.sh](./tor-client-auth.sh)
 ```console
 $ curl --fail --output /usr/bin/tor-client-auth.sh https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/tor-client-auth.sh
@@ -423,7 +315,7 @@ Good signature
 👍
-### Step 16: install and configure [Tor](https://www.torproject.org/)
+### Step 11: install and configure [Tor](https://www.torproject.org/)
 > Heads-up: replace `bullseye` with Debian version codename (run `cat /etc/os-release` to find Debian version codename).
@@ -460,7 +352,7 @@ EOF
 $ systemctl restart tor
 ```
-### Step 17: configure Tor hidden services client authorization (see [docs](https://community.torproject.org/onion-services/advanced/client-auth/))
+### Step 12: configure Tor hidden services client authorization (see [docs](https://community.torproject.org/onion-services/advanced/client-auth/))
 ```console
 $ cd /var/lib/tor/ssh
@@ -476,7 +368,7 @@ $ systemctl restart tor
 $ cd
 ```
-### Step 18: create bitcoin user
+### Step 13: create bitcoin user
 ```console
 $ adduser --group --no-create-home --system bitcoin
@@ -488,131 +380,7 @@ Not creating home directory `/home/bitcoin'.
 $ usermod -aG debian-tor bitcoin
 ```
-### Step 19 (bitcoin-dataset): download and verify bitcoin-dataset torrent
-
-```console
-$ curl --fail --remote-name https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-100 4271k 100 4271k 0 0 3911k 0 0:00:01 0:00:01 --:--:-- 3911k
-
-$ curl --fail --remote-name https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent.asc
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-100 228 100 228 0 0 740 0 --:--:-- --:--:-- --:--:-- 740
-
-$ gpg --verify bitcoin-dataset.torrent.asc
-gpg: assuming signed data in 'bitcoin-dataset.torrent'
-gpg: Signature made Tue 01 Mar 2022 15:18:45 EST
-gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783
-gpg: Good signature from "Sun Knudsen " [unknown]
-gpg: WARNING: This key is not certified with a trusted signature!
-gpg: There is no indication that the signature belongs to the owner.
-Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
- Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783
-```
-
-Good signature
-
-👍
-
-### Step 20 (bitcoin-dataset): temporarily allow BitTorrent peer-to-peer over Mullvad
-
-> Heads-up: replace `mullvad-ca10` with Mullvad endpoint.
-
-```console
-$ MULLVAD_ENDPOINT=mullvad-ca10
-
-$ nft add rule ip firewall output oifname $MULLVAD_ENDPOINT tcp accept
-```
-
-### Step 21 (bitcoin-dataset): download bitcoin-dataset
-
-> Heads-up: downloading bitcoin-dataset will likely take more than 24 hours on Raspberry Pi.
-
-> Heads-up: if download doesn’t start or hangs, try running `systemctl restart transmission-daemon`.
-
-```console
-$ systemctl start transmission-daemon
-
-$ transmission-remote --add bitcoin-dataset.torrent --start
-
-$ watch transmission-remote --list
-Every 2.0s: transmission-remote --list debian: Tue Mar 1 11:56:05 2022
-
- ID Done Have ETA Up Down Ratio Status Name
- 1 100% 458.4 GB Done 0.0 0.0 0.0 Idle bitcoin-dataset
-Sum: 458.4 GB 0.0 0.0
-```
-
-100%
-
-👍
-
-### Step 22 (bitcoin-dataset): stop transmission-daemon
-
-```shell
-systemctl stop transmission-daemon
-```
-
-### Step 23 (bitcoin-dataset): verify bitcoin-dataset checksums
-
-```console
-$ cd /var/lib/transmission-daemon/downloads/bitcoin-dataset
-
-$ gpg --verify BLAKE3CHECKSUMS.asc
-```
-
-Good signature
-
-👍
-
-### Step 24 (bitcoin-dataset): check integrity of bitcoin-dataset
-
-> Heads-up: checking integrity of bitcoin-dataset will likely take more than 15 minutes on Raspberry Pi.
-
-```console
-$ b3sum --check BLAKE3CHECKSUMS
-bitcoin.tar.lz4.part00: OK
-…
-electrs.tar.lz4.part03: OK
-```
-
-OK
-
-👍
-
-### Step 25 (bitcoin-dataset): extract bitcoin-dataset
-
-> Heads-up: extracting bitcoin-dataset will likely take more than two hours on Raspberry Pi.
-
-```console
-$ mkdir -m 710 -p /var/lib/bitcoind /var/lib/electrs
-
-$ for part in bitcoind.tar.lz4.part*; do
- cat < "$part" || break
- rm -f -- "$part"
-done |
- tar \
- --extract \
- --directory /var/lib/bitcoind \
- --use-compress-program lz4 \
- --verbose
-
-$ for part in electrs.tar.lz4.part*; do
- cat < "$part" || break
- rm -f -- "$part"
-done |
- tar \
- --extract \
- --directory /var/lib/electrs \
- --use-compress-program lz4 \
- --verbose
-
-$ cd
-```
-
-### Step 26: temporarily allow Bitcoin peer-to-peer over Mullvad
+### Step 14: temporarily allow Bitcoin peer-to-peer over Mullvad
 > Heads-up: replace `mullvad-ca10` with Mullvad endpoint.
@@ -624,7 +392,7 @@ $ nft add rule ip firewall input oifname $MULLVAD_ENDPOINT tcp dport 8333 accept
 $ nft add rule ip firewall output oifname $MULLVAD_ENDPOINT tcp dport 8333 accept
 ```
-### Step 27: install [Bitcoin Core](https://github.com/bitcoin/bitcoin)
+### Step 15: install [Bitcoin Core](https://github.com/bitcoin/bitcoin)
 > Heads-up: replace `22.0` with [latest release](https://bitcoincore.org/en/releases/) semver.
@@ -765,9 +533,9 @@ $ systemctl enable bitcoind
 $ systemctl start bitcoind
 ```
-### Step 28: watch initial block download
+### Step 16: watch initial block download
-> Heads-up: initial block download will likely take more than a week on Raspberry Pi unless node was bootstrapped using bitcoin-dataset.
+> Heads-up: initial block download will likely take more than a week on Raspberry Pi.
 ```console
 $ sudo -u bitcoin watch bitcoin-cli -datadir=/var/lib/bitcoind getblockchaininfo
@@ -832,7 +600,7 @@ Every 2.0s: bitcoin-cli -datadir=/var/lib/bitcoind getblockchaininfo
 👍
-### Step 29: switch to Tor-only (see [docs](https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md))
+### Step 17: switch to Tor-only (see [docs](https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md))
 > Heads-up: only run following once `"blocks": 724597` = `"headers": 724597` and `"initialblockdownload": false`.
@@ -856,7 +624,7 @@ EOF
 $ systemctl start bitcoind
 ```
-### Step 30: install [electrs](https://github.com/romanz/electrs) (see [docs](https://github.com/romanz/electrs/blob/master/doc/install.md))
+### Step 18: install [electrs](https://github.com/romanz/electrs) (see [docs](https://github.com/romanz/electrs/blob/master/doc/install.md))
 > Heads-up: build will likely take more than half and hour on Raspberry Pi.
@@ -878,9 +646,9 @@ $ systemctl start electrs
 $ cd
 ```
-### Step 31: watch initial sync
+### Step 19: watch initial sync
-> Heads-up: initial sync will likely take more than a day on Raspberry Pi unless node was bootstrapped using bitcoin-dataset.
+> Heads-up: initial sync will likely take more than a day on Raspberry Pi.
 > Heads-up: run following commands concurrently.
@@ -950,7 +718,7 @@ bitcoin-cli `"blocks": 724597` = electrs `height=724597`
 👍
-### Step 32: reboot
+### Step 20: reboot
 ```shell
 systemctl reboot
diff --git a/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent b/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent
deleted file mode 100755
index 6b4b5a6..0000000
Binary files a/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent and /dev/null differ
diff --git a/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent.asc b/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent.asc
deleted file mode 100755
index 7d8e7b8..0000000
--- a/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYIAB0WIQSceIfhtfy84t/tDhwCxDrQctV3gwUCYh5/pQAKCRACxDrQctV3
-g3IAAQDnNmtyP9W0BRvINe8sx49vG3y6AiscTw/7VzfS/xQI5gEAgZUDgR1oJv/4
-pPh1JWf9DE1reCG5TA0ZrXFn6aVp+Ao=
-=lrvY
------END PGP SIGNATURE-----
diff --git a/how-to-self-host-hardened-bitcoin-node/misc/how-to-generate-bitcoin-dataset/README.md b/how-to-self-host-hardened-bitcoin-node/misc/how-to-generate-bitcoin-dataset/README.md
deleted file mode 100644
index 6cb8f63..0000000
--- a/how-to-self-host-hardened-bitcoin-node/misc/how-to-generate-bitcoin-dataset/README.md
+++ /dev/null
@@ -1,107 +0,0 @@
-
-
-# How to generate bitcoin-dataset
-
-## Requirements
-
-- [Hardened Bitcoin node](../..) (with at least 2TB of SSD storage)
-- Linux or macOS computer
-
-## Caveats
-
-- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
-
-## Guide
-
-### Step 1: create bitcoin-dataset directory
-
-```console
-$ mkdir -p /root/bitcoin-dataset
-
-$ cd /root/bitcoin-dataset
-```
-
-### Step 2: create bitcoind and electrs archive
-
-```console
-$ tar \
- --create \
- --directory /var/lib/bitcoind \
- --use-compress-program=lz4 \
- --verbose \
- anchors.dat \
- blocks \
- chainstate \
- fee_estimates.dat \
- indexes \
- mempool.dat \
- peers.dat | \
- split \
- --bytes 10G \
- --numeric-suffixes \
- - \
- bitcoind.tar.lz4.part
-
-$ tar \
- --create \
- --directory /var/lib/electrs \
- --use-compress-program=lz4 \
- --verbose \
- . | \
- split \
- --bytes 10G \
- --numeric-suffixes \
- - \
- electrs.tar.lz4.part
-```
-
-### Step 3: create bitcoind and electrs archive checksums
-
-```shell
-b3sum \
- bitcoind.tar.lz4.part* \
- electrs.tar.lz4.part* \
- > BLAKE3CHECKSUMS
-```
-
-### Step 4: sign checksums
-
-```shell
-gpg \
- --detach-sig \
- --armor \
- --output \
- BLAKE3CHECKSUMS.asc \
- BLAKE3CHECKSUMS
-```
-
-### Step 5: create torrent
-
-```console
-$ cd
-
-$ transmission-create \
- --private \
- --tracker https://tracker.sunknudsen.com/announce \
- --outfile bitcoin-dataset.torrent \
- bitcoin-dataset
-```
-
-### Step 6: sign torrent
-
-```shell
-gpg \
- --detach-sig \
- --armor \
- --output \
- bitcoin-dataset.torrent.asc \
- bitcoin-dataset.torrent
-```
diff --git a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/README.md b/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/README.md
deleted file mode 100644
index bc2ac07..0000000
--- a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/README.md
+++ /dev/null
@@ -1,66 +0,0 @@
-
-
-# How to seed bitcoin-dataset on desktop
-
-## Requirements
-
-- Linux, macOS or Windows desktop (with at least 500GB of available SSD storage and unlimited bandwidth)
-- Transmission app
-
-## Guide
-
-### Step 1: configure port forwarding
-
-> Heads-up: following step forwards inbound TCP requests on port `51413` to desktop (bypassing NAT firewall).
-
-Go to router port forwarding configuration page and forward inbound TCP port `51413` to IP address of desktop and port `51413` (see example below).
-
-![Port forwarding](./port-forwarding.png)
-
-### Step 2: install [Transmission](https://transmissionbt.com/)
-
-Go to https://transmissionbt.com/download/, download and install latest release of Transmission.
-
-### Step 3: configure Transmission
-
-> Heads-up: following configuration is tailored to bitcoin-dataset and may not be suited to other use cases.
-
-#### Bandwidth (optional)
-
-> Heads-up: allocating unlimited bandwidth is preferred.
-
-On “Bandwidth” tab, limit bandwidth using “Global bandwidth limits”.
-
-![Bandwidth](./transmission-bandwidth.png)
-
-#### Peers
-
-On “Peers” tab, disable “User peer exchange (PEX) for public torrents” and “Use distributed hash table (DHT) for public torrents” and enable “Prefer encrypted peers” and “Ignore unencrypted peers”.
-
-![Peers](./transmission-peers.png)
-
-#### Network
-
-On “Network” tab, disable “Enable Micro Transport Protocol (μTP)” and set “Peer listening port” to “51413”.
-
-If [port forwarding](#step-1-configure-port-forwarding) is properly configured, green dot is displayed alongside “Port is open”.
-
-![Network](./transmission-network.png)
-
-### Step 4: download (and optionally verify) bitcoin-dataset [torrent](../../bitcoin-dataset.torrent) ([PGP signature](../../bitcoin-dataset.torrent.asc), [PGP public key](https://sunknudsen.com/sunknudsen.asc))
-
-### Step 5: download bitcoin-dataset
-
-Double-click `bitcoin-dataset.torrent`, select “Download to” path and click “Add”.
-
-### Step 6: seed bitcoin-dataset
-
-👍
diff --git a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/port-forwarding.png b/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/port-forwarding.png
deleted file mode 100644
index a667bd7..0000000
Binary files a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/port-forwarding.png and /dev/null differ
diff --git a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/transmission-bandwidth.png b/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/transmission-bandwidth.png
deleted file mode 100755
index 29cd9ba..0000000
Binary files a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/transmission-bandwidth.png and /dev/null differ
diff --git a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/transmission-network.png b/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/transmission-network.png
deleted file mode 100755
index 4ed739f..0000000
Binary files a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/transmission-network.png and /dev/null differ
diff --git a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/transmission-peers.png b/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/transmission-peers.png
deleted file mode 100755
index d345bc6..0000000
Binary files a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-desktop/transmission-peers.png and /dev/null differ
diff --git a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-headless-server/README.md b/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-headless-server/README.md
deleted file mode 100644
index da750a3..0000000
--- a/how-to-self-host-hardened-bitcoin-node/misc/how-to-seed-bitcoin-dataset-on-headless-server/README.md
+++ /dev/null
@@ -1,241 +0,0 @@
-
-
-# How to seed bitcoin-dataset on headless server
-
-## Requirements
-
-- [Hardened Debian server](../../../how-to-configure-hardened-debian-server) (with at least 500GB of available SSD storage and unlimited bandwidth)
-- Transmission app SSD storage, IPv6 disabled and unlimited bandwidth)
-- Linux or macOS computer
-
-## Caveats
-
-- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
-- When copy/pasting commands that start with `cat << "EOF"`, select all lines at once (from `cat << "EOF"` to `EOF` inclusively) as they are part of the same (single) command
-
-## Guide
-
-### Step 1: install dependencies
-
-```console
-$ apt update
-
-$ apt upgrade
-
-$ apt install -y curl gnupg transmission-cli transmission-daemon
-
-$ systemctl disable transmission-daemon
-
-$ systemctl stop transmission-daemon
-```
-
-### Step 2: increase `rmem_max` and `wmem_max`
-
-```console
-$ cat << "EOF" >> /etc/sysctl.conf
-net.core.rmem_max = 4194304
-net.core.wmem_max = 1048576
-EOF
-
-$ sysctl -p
-net.ipv6.conf.all.disable_ipv6 = 1
-net.ipv6.conf.default.disable_ipv6 = 1
-net.ipv6.conf.lo.disable_ipv6 = 1
-net.core.rmem_max = 4194304
-net.core.wmem_max = 1048576
-```
-
-### Step 3: configure firewall
-
-> Heads-up: replace `eth0` with network interface (run `ip a` to find interface).
-
-```console
-$ NETWORK_INTERFACE=eth0
-
-$ cat << EOF > /etc/nftables.conf
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table ip firewall {
- chain input {
- type filter hook input priority filter; policy drop;
- iif "lo" accept
- iif != "lo" ip daddr 127.0.0.0/8 drop
- iifname "$NETWORK_INTERFACE" tcp dport { 22, 51413 } accept
- ct state established,related accept
- }
-
- chain forward {
- type filter hook forward priority filter; policy drop;
- }
-
- chain output {
- type filter hook output priority filter; policy drop;
- oif "lo" accept
- oifname "$NETWORK_INTERFACE" tcp dport { 80, 443, 51413, 59726 } accept
- oifname "$NETWORK_INTERFACE" udp dport { 53, 123 } accept
- ct state established,related accept
- }
-}
-table ip6 firewall {
- chain input {
- type filter hook input priority filter; policy drop;
- }
-
- chain forward {
- type filter hook forward priority filter; policy drop;
- }
-
- chain output {
- type filter hook output priority filter; policy drop;
- }
-}
-EOF
-
-$ nft -f /etc/nftables.conf
-```
-
-### Step 4: configure transmission-daemon
-
-```shell
-cat << "EOF" > /etc/transmission-daemon/settings.json
-{
- "dht-enabled": false,
- "encryption": 2,
- "message-level": 1,
- "pex-enabled": false,
- "port-forwarding-enabled": true,
- "rpc-authentication-required": false,
- "rpc-enabled": true,
- "utp-enabled": false
-}
-EOF
-```
-
-### Step 5: import Sun’s PGP public key (used to verify downloads below)
-
-```console
-$ curl --fail https://sunknudsen.com/sunknudsen.asc | gpg --import
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-100 2070 100 2070 0 0 3219 0 --:--:-- --:--:-- --:--:-- 3214
-gpg: key 8C9CA674C47CA060: 1 signature not checked due to a missing key
-gpg: /root/.gnupg/trustdb.gpg: trustdb created
-gpg: key 8C9CA674C47CA060: public key "Sun Knudsen " imported
-gpg: Total number processed: 1
-gpg: imported: 1
-gpg: no ultimately trusted keys found
-```
-
-imported: 1
-
-👍
-
-### Step 6: 
verify integrity of Sun’s PGP public key (learn how [here](../../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint))
-
-```console
-$ gpg --fingerprint hello@sunknudsen.com
-pub ed25519 2021-12-28 [C]
- E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
-uid [ unknown] Sun Knudsen
-sub ed25519 2021-12-28 [S] [expires: 2022-12-28]
-sub cv25519 2021-12-28 [E] [expires: 2022-12-28]
-sub ed25519 2021-12-28 [A] [expires: 2022-12-28]
-```
-
-Fingerprint matches published fingerprints
-
-👍
-
-### Step 7: download and verify [transmission-daemon.service](./transmission-daemon.service)
-
-```console
-$ curl --fail --output /lib/systemd/system/transmission-daemon.service https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-100 1598 100 1598 0 0 568 0 0:00:02 0:00:02 --:--:-- 568
-
-$ curl --fail --output /lib/systemd/system/transmission-daemon.service.asc https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service.asc
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-
-$ gpg --verify /lib/systemd/system/transmission-daemon.service.asc
-gpg: assuming signed data in '/lib/systemd/system/transmission-daemon.service'
-gpg: Signature made Sun 27 Feb 2022 01:47:27 PM EST
-gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783
-gpg: Good signature from "Sun Knudsen " [unknown]
-gpg: WARNING: This key is not certified with a trusted signature!
-gpg: There is no indication that the signature belongs to the owner.
-Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
- Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783
-```
-
-Good signature
-
-👍
-
-### Step 8: download and verify bitcoin-dataset torrent
-
-```console
-$ curl --fail --remote-name https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-100 4271k 100 4271k 0 0 3911k 0 0:00:01 0:00:01 --:--:-- 3911k
-
-$ curl --fail --remote-name https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent.asc
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
-100 228 100 228 0 0 740 0 --:--:-- --:--:-- --:--:-- 740
-
-$ gpg --verify bitcoin-dataset.torrent.asc
-gpg: assuming signed data in 'bitcoin-dataset.torrent'
-gpg: Signature made Tue 01 Mar 2022 15:18:45 EST
-gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783
-gpg: Good signature from "Sun Knudsen " [unknown]
-gpg: WARNING: This key is not certified with a trusted signature!
-gpg: There is no indication that the signature belongs to the owner.
-Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
- Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783
-```
-
-Good signature
-
-👍
-
-### Step 9: enable and start transmission-daemon
-
-```console
-$ systemctl enable transmission-daemon
-
-$ systemctl start transmission-daemon
-```
-
-### Step 10: start bitcoin-dataset torrent
-
-```console
-$ transmission-remote --add bitcoin-dataset.torrent --start
-```
-
-### Step 11: watch bitcoin-dataset torrent
-
-```console
-$ watch transmission-remote --list
-Every 2.0s: transmission-remote --list debian: Tue Mar 1 11:56:05 2022
-
- ID Done Have ETA Up Down Ratio Status Name
- 1 100% 458.4 GB Done 0.0 0.0 0.0 Idle bitcoin-dataset
-Sum: 458.4 GB 0.0 0.0
-```
-
-100%
-
-👍
diff --git a/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service b/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service
deleted file mode 100644
index 1a6ef0e..0000000
--- a/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service
+++ /dev/null
@@ -1,66 +0,0 @@
-[Unit]
-Description=Transmission daemon
-
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-ExecStart=/usr/bin/transmission-daemon \
- --config-dir /etc/transmission-daemon \
- --download-dir /var/lib/transmission-daemon/downloads \
- --encryption-required \
- --foreground
-ExecStop=/bin/kill -s STOP $MAINPID
-ExecReload=/bin/kill -s HUP $MAINPID
-
-# Make sure the config directory is readable by the service user
-PermissionsStartOnly=true
-ExecStartPre=/bin/chgrp debian-transmission /etc/transmission-daemon
-
-# Process management
-####################
-
-Type=notify
-Restart=on-failure
-TimeoutSec=60
-
-# Directory creation and permissions
-####################################
-
-# Run as debian-transmission:debian-transmission
-User=debian-transmission
-Group=debian-transmission
-
-# /etc/transmission-daemon
-ConfigurationDirectory=transmission-daemon
-ConfigurationDirectoryMode=0710
-
-# /var/lib/transmission-daemon
-StateDirectory=transmission-daemon
-StateDirectoryMode=0710
-
-# Hardening measures
-####################
-
-# Provide a private /tmp and /var/tmp.
-PrivateTmp=true
-
-# Mount /usr, /boot/ and /etc read-only for the process.
-ProtectSystem=full
-
-# Deny access to /home, /root and /run/user
-ProtectHome=true
-
-# Disallow the process and all of its children to gain
-# new privileges through execve().
-NoNewPrivileges=true
-
-# Use a new /dev namespace only populated with API pseudo devices
-# such as /dev/null, /dev/zero and /dev/random.
-PrivateDevices=true
-
-# Deny the creation of writable and executable memory mappings.
-MemoryDenyWriteExecute=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service.asc b/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service.asc
deleted file mode 100644
index cae7ae8..0000000
--- a/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service.asc
+++ /dev/null
@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iHUEABYKAB0WIQSceIfhtfy84t/tDhwCxDrQctV3gwUCYhvHPwAKCRACxDrQctV3
-gzhmAP9K9DvLA5T3fA6oiLhrD/wxuushmWXtG4OQg7OLt04XzwEAl+5+6COvGZIh
-RQO7+mdgPFfQ0eYP3tVCDVqfgSkfjgs=
-=l1uP
------END PGP SIGNATURE-----