Deprecated bitcoin-dataset

Sun Knudsen 2022-08-03 13:35:27 -04:00
parent ac829a6f0c
commit ccc62a404c
No known key found for this signature in database
GPG Key ID: 02C43AD072D57783
12 changed files with 20 additions and 746 deletions

View File

@ -17,7 +17,6 @@ Listed: true
## Caveats ## Caveats
- Steps labelled as “bitcoin-dataset” are only required to bootstrap node using bitcoin-dataset.
- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command - When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
- When copy/pasting commands that start with `cat << "EOF"`, select all lines at once (from `cat << "EOF"` to `EOF` inclusively) as they are part of the same (single) command - When copy/pasting commands that start with `cat << "EOF"`, select all lines at once (from `cat << "EOF"` to `EOF` inclusively) as they are part of the same (single) command
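Review bot: The caveat explaining the bitcoin-dataset labelled steps is dropped here without a replacement, so the guide no longer says that this bootstrap path ever existed. Consider swapping it for a one-line deprecation notice in "Caveats" so readers who built a node from the earlier revision understand why the step numbers and labels they followed are gone.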
@ -43,47 +42,7 @@ $ apt update
$ apt install -y apt-transport-https build-essential clang cmake curl git gnupg sudo $ apt install -y apt-transport-https build-essential clang cmake curl git gnupg sudo
``` ```
### Step 3 (bitcoin-dataset): install bitcoin-dataset dependencies ### Step 3: add user to sudo group
```console
$ apt install -y lz4 transmission-cli transmission-daemon
$ systemctl disable transmission-daemon
$ systemctl stop transmission-daemon
```
### Step 4 (bitcoin-dataset): configure transmission-daemon
#### Increase `rmem_max` and `wmem_max`
```console
$ cat << "EOF" >> /etc/sysctl.conf
net.core.rmem_max = 4194304
net.core.wmem_max = 1048576
EOF
$ sysctl -p
```
#### Overwrite default settings
```shell
cat << "EOF" > /etc/transmission-daemon/settings.json
{
"dht-enabled": false,
"encryption": 2,
"message-level": 1,
"pex-enabled": false,
"port-forwarding-enabled": true,
"rpc-authentication-required": false,
"rpc-enabled": true,
"utp-enabled": false
}
EOF
```
### Step 5: add user to sudo group
> Heads-up: replace `pi-admin` with user. > Heads-up: replace `pi-admin` with user.
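Review bot: The removed Step 3 and Step 4 were the only record of what the bitcoin-dataset path changed on the host: the `transmission-cli` and `transmission-daemon` packages, `net.core.rmem_max` and `net.core.wmem_max` appended to `/etc/sysctl.conf`, and a `settings.json` with `"rpc-enabled": true` and `"rpc-authentication-required": false`. Nodes built from the earlier revision keep all of that after this commit. A short cleanup section (purge the two packages, remove the two sysctl lines) would let those nodes return to the state the guide now describes.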
@ -91,7 +50,7 @@ EOF
usermod -aG sudo pi-admin usermod -aG sudo pi-admin
``` ```
### Step 6: log out and log in to enable sudo privileges ### Step 4: log out and log in to enable sudo privileges
> Heads-up: replace `~/.ssh/pi` with path to private key and `pi-admin@10.0.1.94` with server or Raspberry Pi SSH destination. > Heads-up: replace `~/.ssh/pi` with path to private key and `pi-admin@10.0.1.94` with server or Raspberry Pi SSH destination.
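Review bot: Renumbering `Step 6` to `Step 4` here, and the other step headings in this file, changes the generated heading anchors. The guides in this repository link to headings by number (for example `#step-1-configure-port-forwarding` in the seeding guide), so any `#step-N-...` link that targets this file should be checked and updated in the same commit.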
@ -105,7 +64,7 @@ $ ssh -i ~/.ssh/pi pi-admin@10.0.1.94
$ sudo su - $ sudo su -
``` ```
### Step 7: install and configure [WireGuard](https://www.wireguard.com/) ### Step 5: install and configure [WireGuard](https://www.wireguard.com/)
#### Install WireGuard #### Install WireGuard
@ -200,7 +159,7 @@ You are connected to Mullvad
👍 👍
### Step 8: install [Cargo](https://doc.rust-lang.org/cargo/index.html) ### Step 6: install [Cargo](https://doc.rust-lang.org/cargo/index.html)
```console ```console
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh $ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
@ -263,19 +222,7 @@ source $HOME/.cargo/env
$ source $HOME/.cargo/env $ source $HOME/.cargo/env
``` ```
### Step 9 (bitcoin-dataset): install [b3sum](https://github.com/BLAKE3-team/BLAKE3) ### Step 7: import Suns PGP public key (used to verify downloads below)
```console
$ cargo install b3sum
Updating crates.io index
Installing b3sum v1.3.1
Installed package `b3sum v1.3.1` (executable `b3sum`)
$ mv /root/.cargo/bin/b3sum /usr/bin/
```
### Step 10: import Suns PGP public key (used to verify downloads below)
```console ```console
$ curl --fail https://sunknudsen.com/sunknudsen.asc | gpg --import $ curl --fail https://sunknudsen.com/sunknudsen.asc | gpg --import
@ -294,7 +241,7 @@ imported: 1
👍 👍
### Step 11: verify integrity of Suns PGP public key (learn how [here](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint)) ### Step 8: verify integrity of Suns PGP public key (learn how [here](../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint))
```console ```console
$ gpg --fingerprint hello@sunknudsen.com $ gpg --fingerprint hello@sunknudsen.com
@ -310,35 +257,7 @@ Fingerprint matches published fingerprints
👍 👍
### Step 12: download and verify [bitcoind.service](./bitcoind.service) ### Step 9: download and verify [electrs.service](./electrs.service)
```console
$ curl --fail --output /lib/systemd/system/bitcoind.service https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoind.service
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2184 100 2184 0 0 2112 0 0:00:01 0:00:01 --:--:-- 2114
$ curl --fail --output /lib/systemd/system/bitcoind.service.asc https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoind.service.asc
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 228 100 228 0 0 258 0 --:--:-- --:--:-- --:--:-- 258
$ gpg --verify /lib/systemd/system/bitcoind.service.asc
gpg: assuming signed data in 'bitcoind.service'
gpg: Signature made Wed 16 Feb 2022 14:02:09 EST
gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783
gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783
```
Good signature
👍
### Step 13: download and verify [electrs.service](./electrs.service)
```console ```console
$ curl --fail --output /lib/systemd/system/electrs.service https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/electrs.service $ curl --fail --output /lib/systemd/system/electrs.service https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/electrs.service
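Review bot: The removed Step 12 (download and verify `bitcoind.service`) is not labelled "(bitcoin-dataset)", unlike the other steps this commit drops, and the guide still runs `systemctl enable bitcoind` and `systemctl start bitcoind` in the context of the later `-765,9` hunk. Please confirm the unit file is installed by a step outside this diff; if it is not, keep this step and renumber it instead of removing it, so the signature check on the unit file is not lost.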
@ -366,34 +285,7 @@ Good signature
👍 👍
### Step 14 (bitcoin-dataset): download and verify [transmission-daemon.service](./transmission-daemon.service) ### Step 10: download and verify [tor-client-auth.sh](./tor-client-auth.sh)
```console
$ curl --fail --output /lib/systemd/system/transmission-daemon.service https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1598 100 1598 0 0 568 0 0:00:02 0:00:02 --:--:-- 568
$ curl --fail --output /lib/systemd/system/transmission-daemon.service.asc https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service.asc
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
$ gpg --verify /lib/systemd/system/transmission-daemon.service.asc
gpg: assuming signed data in '/lib/systemd/system/transmission-daemon.service'
gpg: Signature made Sun 27 Feb 2022 01:47:27 PM EST
gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783
gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783
```
Good signature
👍
### Step 15: download and verify [tor-client-auth.sh](./tor-client-auth.sh)
```console ```console
$ curl --fail --output /usr/bin/tor-client-auth.sh https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/tor-client-auth.sh $ curl --fail --output /usr/bin/tor-client-auth.sh https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/tor-client-auth.sh
@ -423,7 +315,7 @@ Good signature
👍 👍
### Step 16: install and configure [Tor](https://www.torproject.org/) ### Step 11: install and configure [Tor](https://www.torproject.org/)
> Heads-up: replace `bullseye` with Debian version codename (run `cat /etc/os-release` to find Debian version codename). > Heads-up: replace `bullseye` with Debian version codename (run `cat /etc/os-release` to find Debian version codename).
@ -460,7 +352,7 @@ EOF
$ systemctl restart tor $ systemctl restart tor
``` ```
### Step 17: configure Tor hidden services client authorization (see [docs](https://community.torproject.org/onion-services/advanced/client-auth/)) ### Step 12: configure Tor hidden services client authorization (see [docs](https://community.torproject.org/onion-services/advanced/client-auth/))
```console ```console
$ cd /var/lib/tor/ssh $ cd /var/lib/tor/ssh
@ -476,7 +368,7 @@ $ systemctl restart tor
$ cd $ cd
``` ```
### Step 18: create bitcoin user ### Step 13: create bitcoin user
```console ```console
$ adduser --group --no-create-home --system bitcoin $ adduser --group --no-create-home --system bitcoin
@ -488,131 +380,7 @@ Not creating home directory `/home/bitcoin'.
$ usermod -aG debian-tor bitcoin $ usermod -aG debian-tor bitcoin
``` ```
### Step 19 (bitcoin-dataset): download and verify bitcoin-dataset torrent ### Step 14: temporarily allow Bitcoin peer-to-peer over Mullvad
```console
$ curl --fail --remote-name https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4271k 100 4271k 0 0 3911k 0 0:00:01 0:00:01 --:--:-- 3911k
$ curl --fail --remote-name https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent.asc
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 228 100 228 0 0 740 0 --:--:-- --:--:-- --:--:-- 740
$ gpg --verify bitcoin-dataset.torrent.asc
gpg: assuming signed data in 'bitcoin-dataset.torrent'
gpg: Signature made Tue 01 Mar 2022 15:18:45 EST
gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783
gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783
```
Good signature
👍
### Step 20 (bitcoin-dataset): temporarily allow BitTorrent peer-to-peer over Mullvad
> Heads-up: replace `mullvad-ca10` with Mullvad endpoint.
```console
$ MULLVAD_ENDPOINT=mullvad-ca10
$ nft add rule ip firewall output oifname $MULLVAD_ENDPOINT tcp accept
```
### Step 21 (bitcoin-dataset): download bitcoin-dataset
> Heads-up: downloading bitcoin-dataset will likely take more than 24 hours on Raspberry Pi.
> Heads-up: if download doesnt start or hangs, try running `systemctl restart transmission-daemon`.
```console
$ systemctl start transmission-daemon
$ transmission-remote --add bitcoin-dataset.torrent --start
$ watch transmission-remote --list
Every 2.0s: transmission-remote --list debian: Tue Mar 1 11:56:05 2022
ID Done Have ETA Up Down Ratio Status Name
1 100% 458.4 GB Done 0.0 0.0 0.0 Idle bitcoin-dataset
Sum: 458.4 GB 0.0 0.0
```
100%
👍
### Step 22 (bitcoin-dataset): stop transmission-daemon
```shell
systemctl stop transmission-daemon
```
### Step 23 (bitcoin-dataset): verify bitcoin-dataset checksums
```console
$ cd /var/lib/transmission-daemon/downloads/bitcoin-dataset
$ gpg --verify BLAKE3CHECKSUMS.asc
```
Good signature
👍
### Step 24 (bitcoin-dataset): check integrity of bitcoin-dataset
> Heads-up: checking integrity of bitcoin-dataset will likely take more than 15 minutes on Raspberry Pi.
```console
$ b3sum --check BLAKE3CHECKSUMS
bitcoin.tar.lz4.part00: OK
electrs.tar.lz4.part03: OK
```
OK
👍
### Step 25 (bitcoin-dataset): extract bitcoin-dataset
> Heads-up: extracting bitcoin-dataset will likely take more than two hours on Raspberry Pi.
```console
$ mkdir -m 710 -p /var/lib/bitcoind /var/lib/electrs
$ for part in bitcoind.tar.lz4.part*; do
cat < "$part" || break
rm -f -- "$part"
done |
tar \
--extract \
--directory /var/lib/bitcoind \
--use-compress-program lz4 \
--verbose
$ for part in electrs.tar.lz4.part*; do
cat < "$part" || break
rm -f -- "$part"
done |
tar \
--extract \
--directory /var/lib/electrs \
--use-compress-program lz4 \
--verbose
$ cd
```
### Step 26: temporarily allow Bitcoin peer-to-peer over Mullvad
> Heads-up: replace `mullvad-ca10` with Mullvad endpoint. > Heads-up: replace `mullvad-ca10` with Mullvad endpoint.
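Review bot: The removed Step 20 added `nft add rule ip firewall output oifname $MULLVAD_ENDPOINT tcp accept`, which accepts all outbound TCP on the Mullvad interface, and none of the removed lines in this hunk revoke it. Readers who ran that step before this commit get no instruction for dropping the rule. Worth stating, in the deprecation note or a cleanup section, how to restore the persisted ruleset on nodes that were bootstrapped this way.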
@ -624,7 +392,7 @@ $ nft add rule ip firewall input oifname $MULLVAD_ENDPOINT tcp dport 8333 accept
$ nft add rule ip firewall output oifname $MULLVAD_ENDPOINT tcp dport 8333 accept $ nft add rule ip firewall output oifname $MULLVAD_ENDPOINT tcp dport 8333 accept
``` ```
### Step 27: install [Bitcoin Core](https://github.com/bitcoin/bitcoin) ### Step 15: install [Bitcoin Core](https://github.com/bitcoin/bitcoin)
> Heads-up: replace `22.0` with [latest release](https://bitcoincore.org/en/releases/) semver. > Heads-up: replace `22.0` with [latest release](https://bitcoincore.org/en/releases/) semver.
@ -765,9 +533,9 @@ $ systemctl enable bitcoind
$ systemctl start bitcoind $ systemctl start bitcoind
``` ```
### Step 28: watch initial block download ### Step 16: watch initial block download
> Heads-up: initial block download will likely take more than a week on Raspberry Pi unless node was bootstrapped using bitcoin-dataset. > Heads-up: initial block download will likely take more than a week on Raspberry Pi.
```console ```console
$ sudo -u bitcoin watch bitcoin-cli -datadir=/var/lib/bitcoind getblockchaininfo $ sudo -u bitcoin watch bitcoin-cli -datadir=/var/lib/bitcoind getblockchaininfo
@ -832,7 +600,7 @@ Every 2.0s: bitcoin-cli -datadir=/var/lib/bitcoind getblockchaininfo
👍 👍
### Step 29: switch to Tor-only (see [docs](https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md)) ### Step 17: switch to Tor-only (see [docs](https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md))
> Heads-up: only run following once `"blocks": 724597` = `"headers": 724597` and `"initialblockdownload": false`. > Heads-up: only run following once `"blocks": 724597` = `"headers": 724597` and `"initialblockdownload": false`.
@ -856,7 +624,7 @@ EOF
$ systemctl start bitcoind $ systemctl start bitcoind
``` ```
### Step 30: install [electrs](https://github.com/romanz/electrs) (see [docs](https://github.com/romanz/electrs/blob/master/doc/install.md)) ### Step 18: install [electrs](https://github.com/romanz/electrs) (see [docs](https://github.com/romanz/electrs/blob/master/doc/install.md))
> Heads-up: build will likely take more than half and hour on Raspberry Pi. > Heads-up: build will likely take more than half and hour on Raspberry Pi.
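Review bot: The unchanged heads-up under the renumbered electrs heading reads "more than half and hour"; since this heading is being touched anyway, change "and" to "an".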
@ -878,9 +646,9 @@ $ systemctl start electrs
$ cd $ cd
``` ```
### Step 31: watch initial sync ### Step 19: watch initial sync
> Heads-up: initial sync will likely take more than a day on Raspberry Pi unless node was bootstrapped using bitcoin-dataset. > Heads-up: initial sync will likely take more than a day on Raspberry Pi.
> Heads-up: run following commands concurrently. > Heads-up: run following commands concurrently.
@ -950,7 +718,7 @@ bitcoin-cli `"blocks": 724597` = electrs `height=724597`
👍 👍
### Step 32: reboot ### Step 20: reboot
```shell ```shell
systemctl reboot systemctl reboot

View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iHUEABYIAB0WIQSceIfhtfy84t/tDhwCxDrQctV3gwUCYh5/pQAKCRACxDrQctV3
g3IAAQDnNmtyP9W0BRvINe8sx49vG3y6AiscTw/7VzfS/xQI5gEAgZUDgR1oJv/4
pPh1JWf9DE1reCG5TA0ZrXFn6aVp+Ao=
=lrvY
-----END PGP SIGNATURE-----

View File

@ -1,107 +0,0 @@
<!--
Title: How to generate bitcoin-dataset
Description: Learn how to generate bitcoin-dataset.
Author: Sun Knudsen <https://github.com/sunknudsen>
Contributors: Sun Knudsen <https://github.com/sunknudsen>
Reviewers:
Publication date: 2022-03-01T17:31:42.392Z
Listed: true
-->
# How to generate bitcoin-dataset
## Requirements
- [Hardened Bitcoin node](../..) (with at least 2TB of SSD storage)
- Linux or macOS computer
## Caveats
- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
## Guide
### Step 1: create bitcoin-dataset directory
```console
$ mkdir -p /root/bitcoin-dataset
$ cd /root/bitcoin-dataset
```
### Step 2: create bitcoind and electrs archive
```console
$ tar \
--create \
--directory /var/lib/bitcoind \
--use-compress-program=lz4 \
--verbose \
anchors.dat \
blocks \
chainstate \
fee_estimates.dat \
indexes \
mempool.dat \
peers.dat | \
split \
--bytes 10G \
--numeric-suffixes \
- \
bitcoind.tar.lz4.part
$ tar \
--create \
--directory /var/lib/electrs \
--use-compress-program=lz4 \
--verbose \
. | \
split \
--bytes 10G \
--numeric-suffixes \
- \
electrs.tar.lz4.part
```
### Step 3: create bitcoind and electrs archive checksums
```shell
b3sum \
bitcoind.tar.lz4.part* \
electrs.tar.lz4.part* \
> BLAKE3CHECKSUMS
```
### Step 4: sign checksums
```shell
gpg \
--detach-sig \
--armor \
--output \
BLAKE3CHECKSUMS.asc \
BLAKE3CHECKSUMS
```
### Step 5: create torrent
```console
$ cd
$ transmission-create \
--private \
--tracker https://tracker.sunknudsen.com/announce \
--outfile bitcoin-dataset.torrent \
bitcoin-dataset
```
### Step 6: sign torrent
```shell
gpg \
--detach-sig \
--armor \
--output \
bitcoin-dataset.torrent.asc \
bitcoin-dataset.torrent
```

View File

@ -1,66 +0,0 @@
<!--
Title: How to seed bitcoin-dataset on desktop
Description: Learn how to seed bitcoin-dataset on desktop.
Author: Sun Knudsen <https://github.com/sunknudsen>
Contributors: Sun Knudsen <https://github.com/sunknudsen>
Reviewers:
Publication date: 2022-03-01T17:31:42.392Z
Listed: true
-->
# How to seed bitcoin-dataset on desktop
## Requirements
- Linux, macOS or Windows desktop (with at least 500GB of available SSD storage and unlimited bandwidth)
- Transmission app
## Guide
### Step 1: configure port forwarding
> Heads-up: following step forwards inbound TCP requests on port `51413` to desktop (bypassing NAT firewall).
Go to router port forwarding configuration page and forward inbound TCP port `51413` to IP address of desktop and port `51413` (see example below).
![Port forwarding](./port-forwarding.png)
### Step 2: install [Transmission](https://transmissionbt.com/)
Go to https://transmissionbt.com/download/, download and install latest release of Transmission.
### Step 3: configure Transmission
> Heads-up: following configuration is tailored to bitcoin-dataset and may not be suited to other use cases.
#### Bandwidth (optional)
> Heads-up: allocating unlimited bandwidth is preferred.
On “Bandwidth” tab, limit bandwidth using “Global bandwidth limits”.
![Bandwidth](./transmission-bandwidth.png)
#### Peers
On “Peers” tab, disable “User peer exchange (PEX) for public torrents” and “Use distributed hash table (DHT) for public torrents” and enable “Prefer encrypted peers” and “Ignore unencrypted peers”.
![Peers](./transmission-peers.png)
#### Network
On “Network” tab, disable “Enable Micro Transport Protocol (μTP)” and set “Peer listening port” to “51413”.
If [port forwarding](#step-1-configure-port-forwarding) is properly configured, green dot is displayed alongside “Port is open”.
![Network](./transmission-network.png)
### Step 4: download (and optionally verify) bitcoin-dataset [torrent](../../bitcoin-dataset.torrent) ([PGP signature](../../bitcoin-dataset.torrent.asc), [PGP public key](https://sunknudsen.com/sunknudsen.asc))
### Step 5: download bitcoin-dataset
Double-click `bitcoin-dataset.torrent`, select “Download to” path and click “Add”.
### Step 6: seed bitcoin-dataset
👍

View File

@ -1,241 +0,0 @@
<!--
Title: How to seed bitcoin-dataset on headless server
Description: Learn how to seed bitcoin-dataset on headless server.
Author: Sun Knudsen <https://github.com/sunknudsen>
Contributors: Sun Knudsen <https://github.com/sunknudsen>
Reviewers:
Publication date: 2022-03-01T17:31:42.392Z
Listed: true
-->
# How to seed bitcoin-dataset on headless server
## Requirements
- [Hardened Debian server](../../../how-to-configure-hardened-debian-server) (with at least 500GB of available SSD storage and unlimited bandwidth)
- Transmission app SSD storage, IPv6 disabled and unlimited bandwidth)
- Linux or macOS computer
## Caveats
- When copy/pasting commands that start with `$`, strip out `$` as this character is not part of the command
- When copy/pasting commands that start with `cat << "EOF"`, select all lines at once (from `cat << "EOF"` to `EOF` inclusively) as they are part of the same (single) command
## Guide
### Step 1: install dependencies
```console
$ apt update
$ apt upgrade
$ apt install -y curl gnupg transmission-cli transmission-daemon
$ systemctl disable transmission-daemon
$ systemctl stop transmission-daemon
```
### Step 2: increase `rmem_max` and `wmem_max`
```console
$ cat << "EOF" >> /etc/sysctl.conf
net.core.rmem_max = 4194304
net.core.wmem_max = 1048576
EOF
$ sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.core.rmem_max = 4194304
net.core.wmem_max = 1048576
```
### Step 3: configure firewall
> Heads-up: replace `eth0` with network interface (run `ip a` to find interface).
```console
$ NETWORK_INTERFACE=eth0
$ cat << EOF > /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table ip firewall {
chain input {
type filter hook input priority filter; policy drop;
iif "lo" accept
iif != "lo" ip daddr 127.0.0.0/8 drop
iifname "$NETWORK_INTERFACE" tcp dport { 22, 51413 } accept
ct state established,related accept
}
chain forward {
type filter hook forward priority filter; policy drop;
}
chain output {
type filter hook output priority filter; policy drop;
oif "lo" accept
oifname "$NETWORK_INTERFACE" tcp dport { 80, 443, 51413, 59726 } accept
oifname "$NETWORK_INTERFACE" udp dport { 53, 123 } accept
ct state established,related accept
}
}
table ip6 firewall {
chain input {
type filter hook input priority filter; policy drop;
}
chain forward {
type filter hook forward priority filter; policy drop;
}
chain output {
type filter hook output priority filter; policy drop;
}
}
EOF
$ nft -f /etc/nftables.conf
```
### Step 4: configure transmission-daemon
```shell
cat << "EOF" > /etc/transmission-daemon/settings.json
{
"dht-enabled": false,
"encryption": 2,
"message-level": 1,
"pex-enabled": false,
"port-forwarding-enabled": true,
"rpc-authentication-required": false,
"rpc-enabled": true,
"utp-enabled": false
}
EOF
```
### Step 5: import Suns PGP public key (used to verify downloads below)
```console
$ curl --fail https://sunknudsen.com/sunknudsen.asc | gpg --import
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2070 100 2070 0 0 3219 0 --:--:-- --:--:-- --:--:-- 3214
gpg: key 8C9CA674C47CA060: 1 signature not checked due to a missing key
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 8C9CA674C47CA060: public key "Sun Knudsen <hello@sunknudsen.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
```
imported: 1
👍
### Step 6: verify integrity of Suns PGP public key (learn how [here](../../how-to-encrypt-sign-and-decrypt-messages-using-gnupg-on-macos#verify-suns-pgp-public-key-using-fingerprint))
```console
$ gpg --fingerprint hello@sunknudsen.com
pub ed25519 2021-12-28 [C]
E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
uid [ unknown] Sun Knudsen <hello@sunknudsen.com>
sub ed25519 2021-12-28 [S] [expires: 2022-12-28]
sub cv25519 2021-12-28 [E] [expires: 2022-12-28]
sub ed25519 2021-12-28 [A] [expires: 2022-12-28]
```
Fingerprint matches published fingerprints
👍
### Step 7: download and verify [transmission-daemon.service](./transmission-daemon.service)
```console
$ curl --fail --output /lib/systemd/system/transmission-daemon.service https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1598 100 1598 0 0 568 0 0:00:02 0:00:02 --:--:-- 568
$ curl --fail --output /lib/systemd/system/transmission-daemon.service.asc https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/transmission-daemon.service.asc
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
$ gpg --verify /lib/systemd/system/transmission-daemon.service.asc
gpg: assuming signed data in '/lib/systemd/system/transmission-daemon.service'
gpg: Signature made Sun 27 Feb 2022 01:47:27 PM EST
gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783
gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783
```
Good signature
👍
### Step 8: download and verify bitcoin-dataset torrent
```console
$ curl --fail --remote-name https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4271k 100 4271k 0 0 3911k 0 0:00:01 0:00:01 --:--:-- 3911k
$ curl --fail --remote-name https://raw.githubusercontent.com/sunknudsen/privacy-guides/master/how-to-self-host-hardened-bitcoin-node/bitcoin-dataset.torrent.asc
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 228 100 228 0 0 740 0 --:--:-- --:--:-- --:--:-- 740
$ gpg --verify bitcoin-dataset.torrent.asc
gpg: assuming signed data in 'bitcoin-dataset.torrent'
gpg: Signature made Tue 01 Mar 2022 15:18:45 EST
gpg: using EDDSA key 9C7887E1B5FCBCE2DFED0E1C02C43AD072D57783
gpg: Good signature from "Sun Knudsen <hello@sunknudsen.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E786 274B C92B 47C2 3C1C F44B 8C9C A674 C47C A060
Subkey fingerprint: 9C78 87E1 B5FC BCE2 DFED 0E1C 02C4 3AD0 72D5 7783
```
Good signature
👍
### Step 9: enable and start transmission-daemon
```console
$ systemctl enable transmission-daemon
$ systemctl start transmission-daemon
```
### Step 10: start bitcoin-dataset torrent
```console
$ transmission-remote --add bitcoin-dataset.torrent --start
```
### Step 11: watch bitcoin-dataset torrent
```console
$ watch transmission-remote --list
Every 2.0s: transmission-remote --list debian: Tue Mar 1 11:56:05 2022
ID Done Have ETA Up Down Ratio Status Name
1 100% 458.4 GB Done 0.0 0.0 0.0 Idle bitcoin-dataset
Sum: 458.4 GB 0.0 0.0
```
100%
👍

View File

@ -1,66 +0,0 @@
[Unit]
Description=Transmission daemon
After=network-online.target
Wants=network-online.target
[Service]
ExecStart=/usr/bin/transmission-daemon \
--config-dir /etc/transmission-daemon \
--download-dir /var/lib/transmission-daemon/downloads \
--encryption-required \
--foreground
ExecStop=/bin/kill -s STOP $MAINPID
ExecReload=/bin/kill -s HUP $MAINPID
# Make sure the config directory is readable by the service user
PermissionsStartOnly=true
ExecStartPre=/bin/chgrp debian-transmission /etc/transmission-daemon
# Process management
####################
Type=notify
Restart=on-failure
TimeoutSec=60
# Directory creation and permissions
####################################
# Run as debian-transmission:debian-transmission
User=debian-transmission
Group=debian-transmission
# /etc/transmission-daemon
ConfigurationDirectory=transmission-daemon
ConfigurationDirectoryMode=0710
# /var/lib/transmission-daemon
StateDirectory=transmission-daemon
StateDirectoryMode=0710
# Hardening measures
####################
# Provide a private /tmp and /var/tmp.
PrivateTmp=true
# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full
# Deny access to /home, /root and /run/user
ProtectHome=true
# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true
# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target

View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iHUEABYKAB0WIQSceIfhtfy84t/tDhwCxDrQctV3gwUCYhvHPwAKCRACxDrQctV3
gzhmAP9K9DvLA5T3fA6oiLhrD/wxuushmWXtG4OQg7OLt04XzwEAl+5+6COvGZIh
RQO7+mdgPFfQ0eYP3tVCDVqfgSkfjgs=
=l1uP
-----END PGP SIGNATURE-----