_intro
I am using Arch Linux as the main OS on my home server, and I run several services on it. At some point I decided to run a Bitcoin full node. The first motivation was to help the network, and why not. I learned a lot during the deployment, so I am happy that I did it, and I also gained more privacy. At the beginning I used only clearnet and forwarded a port on the router so other nodes could connect to mine. Then I started using Tor, and I ended up with a configuration where my node uses the Tor network to connect to other nodes {they can be hidden nodes with an onion address or clearnet nodes} and accepts connections only from Tor.
Yes, there are many tutorials on how to run a full node, but I decided to write up my journey. Maybe it will be helpful to someone ;-) and of course I am open to improvements or corrections if I have done something in a less than ideal way.
_tor
install
sudo pacman -S tor nyx
/etc/tor/torrc
User tor
Log notice syslog
DataDirectory /var/lib/tor
ControlPort 9051
CookieAuthentication 1
CookieAuthFile /var/lib/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
DataDirectoryGroupReadable 1
enable, so it will start after reboot
sudo systemctl enable tor.service
monitoring
I added my user {I am not using the root account} to the tor group so I can run the
nyx
program to see what is going on.
_bitcoind
install
sudo pacman -S bitcoin-daemon bitcoin-tx
init
- I have two HDDs in the server; the second one has 1 TB and is used only for node data. It has a single partition, which is mounted to
/mnt/node_1
- creating directory
/mnt/node_1/blockchain
- changing the owner and permissions of that directory so only the 'bitcoin' user can access it. The group owner is also bitcoin.
- insert new line into fstab so disk will be mounted after reboot
- I added the user bitcoin to the group tor
- editing systemd unit and removing datadir argument
sudo systemctl edit bitcoind.service
[Service]
ExecStart=
ExecStart=/usr/bin/bitcoind -pid=/run/bitcoind/bitcoind.pid \
    -conf=/etc/bitcoin/bitcoin.conf \
    -startupnotify='systemd-notify --ready' \
    -shutdownnotify='systemd-notify --stopping'
- I changed the home directory of the bitcoin user in
/etc/passwd
so that it points to the same directory where the data is stored
/etc/bitcoin/bitcoin.conf
datadir=/mnt/node_1/blockchain
blockfilterindex=1
peerblockfilters=1
maxmempool=280
maxorphantx=40
mempoolexpiry=240
txindex=1
## if you want to accept inbound connections from other nodes over clearnet, set this to the local IP of the server if it is behind NAT, otherwise to the public IP of the server
bind=127.0.0.1
## means that peers are not searched for over DNS; at the beginning this is good to have, but once the node is running it stores peers locally, so you can disable it
dnsseed=0
dns=0
listenonion=1
maxconnections=25
maxuploadtarget=512M
## means that outbound connections go to hidden services
onlynet=onion
## means that outbound connections go to public clearnet nodes
onlynet=ipv4
## all outbound connections go to the tor proxy; this applies to all network types
proxy=127.0.0.1:9050
v2transport=1
## logs are written only to the `/mnt/node_1/blockchain/debug` file
printtoconsole=0
## see below how to create those users
rpcauth=EXPLOR:XYX_XYZ
rpcauth=FULC:YZX_YZX
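A small check of the goal stated in the intro (outbound through Tor, inbound only through the onion service), run against the network lines of this config. It is an added example, not part of the original post or of Bitcoin Core; the function names and the three rules are assumptions that simplify Bitcoin Core's defaults.

```python
import ipaddress

# Constructed sample: the network-related lines of the bitcoin.conf above.
SAMPLE_CONF = """\
bind=127.0.0.1
listenonion=1
onlynet=onion
onlynet=ipv4
proxy=127.0.0.1:9050  ## all outbound connections go to the tor proxy
"""

def parse_conf(text):
    """Return {option: [values]}; options such as onlynet may repeat."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def is_loopback(addr):
    """True if a bind/proxy value (optional port, optional '=onion') is loopback."""
    host = addr.split("=", 1)[0]
    try:
        if host.startswith("["):                 # e.g. [::1]:8333
            host = host[1:host.index("]")]
        elif host.count(":") == 1:               # e.g. 127.0.0.1:8333
            host = host.rsplit(":", 1)[0]
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                             # hostname or malformed value

def audit(text):
    """List where a config departs from 'outbound via Tor, inbound only via onion'."""
    o, findings = parse_conf(text), []
    binds, proxy = o.get("bind", []), o.get("proxy", [])
    # Assumed model: listening is on by default, off when proxy is set without bind.
    default_listen = "1" if binds or not proxy else "0"
    listening = o.get("listen", [default_listen])[-1] != "0"
    if listening and (not binds or not all(map(is_loopback, binds))):
        findings.append("P2P port listens on a non-loopback address")
    if not proxy and set(o.get("onlynet", ["all"])) != {"onion"}:
        findings.append("no proxy: clearnet peers are dialed directly")
    elif proxy and not is_loopback(proxy[-1]):
        findings.append("proxy is not on loopback")
    return findings
```

`audit(SAMPLE_CONF)` returns an empty list for the settings shown above; changing `bind` to the server's LAN or public IP, as the comment on `bind` describes, makes the first finding appear.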
creating access over RPC
you need this python program
python rpcauth.py foo_user
This generates a hash and a password for the user foo_user. Insert the hash into the bitcoin config like this: rpcauth=foo_user:HASH_PASS
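What the rpcauth line contains, as an added example that is not the rpcauth.py shipped with Bitcoin Core: a minimal re-creation of its salt$HMAC-SHA256 layout plus a check that a password matches a configured line. The function names are made up for this example.

```python
import hmac
import os
from base64 import urlsafe_b64encode

def _digest(salt, password):
    # The hex salt string itself (not its decoded bytes) is the HMAC key.
    return hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()

def make_rpcauth(user, password=None, salt=None):
    """Return (conf_line, password) in the rpcauth=user:salt$hmac layout."""
    if password is None:
        password = urlsafe_b64encode(os.urandom(32)).decode()   # random password
    if salt is None:
        salt = os.urandom(16).hex()                             # 16 random bytes
    return f"rpcauth={user}:{salt}${_digest(salt, password)}", password

def check_rpcauth(conf_line, user, password):
    """True if user/password match one rpcauth= line from bitcoin.conf."""
    key, _, value = conf_line.strip().partition("=")
    name, _, salted = value.partition(":")
    salt, _, digest = salted.partition("$")
    if key != "rpcauth" or name != user or not salt or not digest:
        return False
    # Constant-time comparison of the recomputed and stored HMAC.
    return hmac.compare_digest(_digest(salt, password), digest)

if __name__ == "__main__":
    line, pw = make_rpcauth("foo_user")
    print(line)                       # goes into bitcoin.conf
    print("password for the client:", pw)
    print("verifies:", check_rpcauth(line, "foo_user", pw))
```

bitcoin.conf holds only the salt and the HMAC, so the plaintext password exists only in the client configs (here fulcrum.conf and docker-compose.yml), and those are the files whose permissions matter.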
The password will be used in the application which connects to bitcoind.
_fulcrum
electrs alternative which works better for me.
install
sudo pacman -S fulcrum
init
- creating directory
/mnt/node_1/fulcrum
- changing the owner and permissions of that directory
- editing systemd unit so fulcrum will start after bitcoind and removing datadir argument
sudo systemctl edit fulcrum.service
[Unit]
Requires=bitcoind.service
After=bitcoind.service
[Service]
ExecStart=
ExecStart=/usr/bin/fulcrum -S /etc/fulcrum.conf
/etc/fulcrum.conf
datadir = /mnt/node_1/fulcrum
bitcoind = 127.0.0.1:8332
rpcuser = FULC
## created by that python program
rpcpassword = YZX_YZX
## the unencrypted port is open only on localhost
tcp = 127.0.0.1:50001
ssl = LOCAL_IP_OF_SERVER:50002
cert = /docker_vols/swag/etc/letsencrypt/live/MY_DOMAIN/fullchain.pem
key = /docker_vols/swag/etc/letsencrypt/live/MY_DOMAIN/privkey.pem
## there is a fulcrum-admin program which uses this
admin = 127.0.0.1:58008
## not participating in the network
peering = false
announce = false
bitcoind_clients = 4
bitcoind_timeout = 45.0
worker_threads = 2
enable, so it will start after reboot
sudo systemctl enable fulcrum.service
NOTES
I am also running nginx as a reverse proxy with Let's Encrypt for my domain, so I use that certificate for fulcrum as well; that is the reason why I open only port 50002. To begin with, you can also open 50001 and access it only in the local network. I forward port 50002 on the router from WAN to the server so my wallets can connect to the node when I am not at home.
_btc-rpc-explorer
This was a bit tricky and I spent a few hours finding a way that works. These are the 3 simplified steps.
- pull source code from github
- build docker image
- start container
The container runs on the host network because that makes it easy to connect over RPC to bitcoind and to fulcrum. Maybe it could be done over 'host.docker.internal' so the container could run in a separate network.
here is docker-compose.yml
services:
  btc-rpc-explorer:
    image: btc-rpc-explorer:3.4.0-524
    container_name: btc-rpc-explorer
    user: 1000:984
    environment:
      - BTCEXP_BASEURL=/explorer/
      - BTCEXP_HOST=0.0.0.0
      - BTCEXP_BITCOIND_USER=EXPLOR
      - BTCEXP_BITCOIND_PASS=XYX_XYZ
      - BTCEXP_BITCOIND_RPC_TIMEOUT=30000
      - BTCEXP_ADDRESS_API=electrum
      - BTCEXP_ELECTRUM_SERVERS=tcp://127.0.0.1:50001
      - BTCEXP_SLOW_DEVICE_MODE=true
      - BTCEXP_BASIC_AUTH_PASSWORD=PaSS
      - BTCEXP_NO_RATES=false
      - BTCEXP_PRIVACY_MODE=false
      - BTCEXP_DISPLAY_CURRENCY=btc
      - BTCEXP_LOCAL_CURRENCY=eur
      - BTCEXP_UI_TIMEZONE=local
      - TZ=Europe/Brussels
    restart: unless-stopped
    network_mode: host
NOTES
I access the explorer at the URL subdomain.MY_DOMAIN.com/explorer, which is done over the nginx reverse proxy {SWAG}
_hidden services
I want to access fulcrum and the explorer over the Tor network too, so I created two hidden services. That is done by adding the following lines to the config.
HiddenServiceDir /var/lib/tor/btc_rpc_explorer/
HiddenServicePort 80 127.0.0.1:3002
HiddenServiceDir /var/lib/tor/fulcrum/
HiddenServicePort 50001 127.0.0.1:50001
After tor is restarted, it creates a file named
hostname
in each HiddenServiceDir,
which contains the onion address of that service.
_Final NOTES
I started only bitcoind first and waited until it was synced. Then I started fulcrum and again waited until it was synced. Finally I started btc-explorer.
The connection string for the wallet needs to end with :t or :s, depending on which connection you use.
- In case of clearnet, I am using subdomain.MY_DOMAIN.com:50002:s
- In case of tor, I am using asfalsfjaifjaosfj.onion:50001:t
I make backups from time to time. That means I stop all programs and rsync the blockchain and fulcrum directories to an external HDD. I think it is good to have an already verified state, so if something happens I will not have to wait for a long first sync.