_intro
I am using Arch Linux on my home server as the main OS. I am running several services on it. At one point I decided to run a bitcoin full node. My first motivation was to help the network, and why not. During deployment I learned a lot, so I am happy that I have done it, and I also got more privacy. At the beginning I used only clearnet and also forwarded a port on the router so other nodes could connect to mine. Then I started using tor, and I ended up with a configuration where my node uses the tor network to connect to other nodes {they can be hidden with an onion address or clearnet nodes} and accepts connections only from tor.
Yes, there are many tutorials on how to run a full node, but I decided to write down my journey. Maybe it will be helpful to someone ;-) and of course I am open to improvements or corrections if I have done something in a not so good way.
_tor
install
sudo pacman -S tor nyx
/etc/tor/torrc
User tor
Log notice syslog
DataDirectory /var/lib/tor
ControlPort 9051
CookieAuthentication 1
CookieAuthFile /var/lib/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
DataDirectoryGroupReadable 1
enable, so it will start after reboot
sudo systemctl enable tor.service
monitoring
I added my user {I am not using the root account} to the tor group so I can run
nyx
program to see what is going on.
_bitcoind
install
sudo pacman -S bitcoin-daemon bitcoin-tx
init
- I have two HDDs in the server; the second one has 1TB and is used only for NODE data. There is only one partition and it is mounted to
/mnt/node_1
- creating directory
/mnt/node_1/blockchain
- changing owner and permissions of that directory so only the 'bitcoin' user can access it. The group owner is also bitcoin.
- insert a new line into fstab so the disk will be mounted after reboot
- I added user bitcoin to group tor
- editing systemd unit and removing datadir argument
sudo systemctl edit bitcoind.service
[Service]
ExecStart=
ExecStart=/usr/bin/bitcoind -pid=/run/bitcoind/bitcoind.pid \
-conf=/etc/bitcoin/bitcoin.conf \
-startupnotify='systemd-notify --ready' \
-shutdownnotify='systemd-notify --stopping'
- I changed the home directory of the bitcoin user in
/etc/passwd
pointing to the same directory where the data is stored
/etc/bitcoin/bitcoin.conf
datadir=/mnt/node_1/blockchain
blockfilterindex=1
peerblockfilters=1
maxmempool=280
maxorphantx=40
mempoolexpiry=240
txindex=1
bind=127.0.0.1 ## if you want to accept inbound connections from other nodes over clearnet, then you need to set here the local IP of the server if the server is behind NAT, otherwise the public IP of the server.
dnsseed=0
dns=0 ## means that peers are not searched for over DNS; at the beginning this is good to have, but once the node is running it stores peers locally so you can disable it
listenonion=1
maxconnections=25
maxuploadtarget=512M
onlynet=onion ## means that outbound connections go to hidden services
onlynet=ipv4 ## means that outbound connections go to public clearnet nodes
proxy=127.0.0.1:9050 ## all outbound connections go through the tor proxy, this applies to all network types
v2transport=1
printtoconsole=0 ## logs are written to the `/mnt/node_1/blockchain/debug.log` file only
rpcauth=EXPLOR:XYX_XYZ
rpcauth=FULC:YZX_YZX ## see below how to create those users
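The rpcauth= values above are placeholders; a real entry has the form user:salt$hash, where the hash is HMAC-SHA256 keyed with the salt over the password. This is an added example (not from the original post and not the rpcauth.py script itself) that builds such a line with the same construction and checks a password against it; the function names are made up for illustration.

```python
import hmac
import os
import re
from base64 import urlsafe_b64encode

# user : hex salt $ 64 hex chars of HMAC-SHA256
RPCAUTH_RE = re.compile(r"^rpcauth=([^:\s]+):([0-9a-f]+)\$([0-9a-f]{64})$")


def _digest(salt: str, password: str) -> str:
    # The salt string is the HMAC key, the password is the message.
    return hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()


def make_rpcauth(user: str, password: str = "", salt: str = ""):
    """Return (bitcoin.conf line, plaintext password) for one RPC user."""
    if not user or ":" in user:
        raise ValueError("user must be non-empty and must not contain ':'")
    salt = salt or os.urandom(16).hex()
    password = password or urlsafe_b64encode(os.urandom(32)).decode()
    return f"rpcauth={user}:{salt}${_digest(salt, password)}", password


def check_password(conf_line: str, user: str, password: str) -> bool:
    """True if password matches the salt$hash stored in conf_line for user."""
    m = RPCAUTH_RE.match(conf_line.split("#", 1)[0].strip())
    if not m or m.group(1) != user:
        return False  # malformed line (e.g. plaintext after the colon) or other user
    return hmac.compare_digest(_digest(m.group(2), password), m.group(3))


if __name__ == "__main__":
    line, password = make_rpcauth("FULC")
    print(line)                       # goes into /etc/bitcoin/bitcoin.conf
    print("password:", password)      # goes into the client's config only
    print(check_password(line, "FULC", password))
```

Only the salt$hash line belongs in bitcoin.conf; the plaintext password is what a client such as fulcrum or the explorer is configured with.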
creating access over RPC
you need this python program
python rpcauth.py foo_user
will generate a hash and a password for user foo_user; you will insert the hash into the bitcoin config like this: rpcauth=foo_user:HASH_PASS
and the password will be used in the application which will connect to bitcoind.
_fulcrum
electrs alternative which works better for me.
install
sudo pacman -S fulcrum
init
- creating directory
/mnt/node_1/fulcrum
- changing owner and permissions of that directory
- editing systemd unit so fulcrum will start after bitcoind and removing datadir argument
sudo systemctl edit fulcrum.service
[Unit]
Requires=bitcoind.service
After=bitcoind.service
[Service]
ExecStart=
ExecStart=/usr/bin/fulcrum -S /etc/fulcrum.conf
/etc/fulcrum.conf
datadir = /mnt/node_1/fulcrum
bitcoind = 127.0.0.1:8332
rpcuser = FULC
rpcpassword = YZX_YZX ## created by that python program
tcp = 127.0.0.1:50001 ## not encrypted port is open only on localhost
ssl = LOCAL_IP_OF_SERVER:50002
cert = /docker_vols/swag/etc/letsencrypt/live/MY_DOMAIN/fullchain.pem
key = /docker_vols/swag/etc/letsencrypt/live/MY_DOMAIN/privkey.pem
admin = 127.0.0.1:58008 ## there is a fulcrum-admin program which uses this
peering = false
announce = false ## not participating in network
bitcoind_clients = 4
bitcoind_timeout = 45.0
worker_threads = 2
enable, so it will start after reboot
sudo systemctl enable fulcrum.service
NOTES
I am also running nginx as a reverse proxy with Let's Encrypt for my domain, so I am using that certificate for fulcrum as well; that is the reason why I am opening only port 50002. For the beginning you can also open 50001 and access it only in the local network. I am forwarding port 50002 on the router from WAN to the server so my wallets can connect to the node when I am not at home.
_btc-rpc-explorer
This was a bit tricky and I spent a few hours finding a way which works. These are 3 simplified steps.
- pull source code from github
- build docker image
- start container
The container is running on the host network because it is easy to connect over rpc to bitcoind and to fulcrum. Maybe it could be done over 'host.docker.internal' so the container could run in a separate net.
here is docker-compose.yml
services:
  btc-rpc-explorer:
    image: btc-rpc-explorer:3.4.0-524
    container_name: btc-rpc-explorer
    user: 1000:984
    environment:
      - BTCEXP_BASEURL=/explorer/
      - BTCEXP_HOST=0.0.0.0
      - BTCEXP_BITCOIND_USER=EXPLOR
      - BTCEXP_BITCOIND_PASS=XYX_XYZ
      - BTCEXP_BITCOIND_RPC_TIMEOUT=30000
      - BTCEXP_ADDRESS_API=electrum
      - BTCEXP_ELECTRUM_SERVERS=tcp://127.0.0.1:50001
      - BTCEXP_SLOW_DEVICE_MODE=true
      - BTCEXP_BASIC_AUTH_PASSWORD=PaSS
      - BTCEXP_NO_RATES=false
      - BTCEXP_PRIVACY_MODE=false
      - BTCEXP_DISPLAY_CURRENCY=btc
      - BTCEXP_LOCAL_CURRENCY=eur
      - BTCEXP_UI_TIMEZONE=local
      - TZ=Europe/Brussels
    restart: unless-stopped
    network_mode: host
NOTES
I am accessing the explorer over the url subdomain.MY_DOMAIN.com/explorer, which is done over the nginx reverse proxy {SWAG}
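With host networking and BTCEXP_HOST=0.0.0.0 the explorer binds every interface of the server, while the other services on this page are kept on 127.0.0.1 except fulcrum's port 50002. The following added example (not part of the original post) parses `ss -Htln` output and reports which of the page's ports listen beyond loopback without being meant to. The sample output is constructed, port 3002 is the explorer port that the hidden-service mapping on this page points at, and 8333 is assumed as bitcoind's default P2P port.

```python
import ipaddress

# Ports from the configs on this page. 8333 (bitcoind's default P2P port)
# is an assumption: the page's bind= line does not name a port.
PAGE_PORTS = {
    9050: "tor SOCKS", 9051: "tor control", 8332: "bitcoind RPC",
    8333: "bitcoind P2P", 50001: "fulcrum tcp", 50002: "fulcrum ssl",
    58008: "fulcrum admin", 3002: "btc-rpc-explorer",
}
EXPECTED_EXPOSED = {50002}  # the only port the page forwards from WAN

# Constructed `ss -Htln` output; 192.168.1.10 stands in for LOCAL_IP_OF_SERVER.
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8332 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8333 0.0.0.0:*
LISTEN 0 50 127.0.0.1:50001 0.0.0.0:*
LISTEN 0 50 192.168.1.10:50002 0.0.0.0:*
LISTEN 0 50 127.0.0.1:58008 0.0.0.0:*
LISTEN 0 511 0.0.0.0:3002 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (host, port) for every LISTEN line of `ss -Htln` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        yield host.split("%")[0].strip("[]"), int(port)

def is_loopback(host):
    # ss prints "*" for a wildcard bind on all addresses
    return host != "*" and ipaddress.ip_address(host).is_loopback

def unexpected_exposure(ss_output):
    """Page ports listening beyond loopback that are not meant to be."""
    return sorted(
        (port, host, PAGE_PORTS[port])
        for host, port in parse_listeners(ss_output)
        if port in PAGE_PORTS and port not in EXPECTED_EXPOSED
        and not is_loopback(host)
    )

if __name__ == "__main__":
    for port, host, name in unexpected_exposure(SAMPLE_SS):
        print(f"{name} listens on {host}:{port}, reachable beyond localhost")
```

On the server itself, feed it the real output of `ss -Htln`; a finding for 3002 means the explorer is protected on the LAN only by its basic-auth password and any firewall in front of it.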
_hidden services
I want to access fulcrum and the explorer also over the TOR net, so I created two hidden services. That is done by adding the following lines into the config.
HiddenServiceDir /var/lib/tor/btc_rpc_explorer/
HiddenServicePort 80 127.0.0.1:3002
HiddenServiceDir /var/lib/tor/fulcrum/
HiddenServicePort 50001 127.0.0.1:50001
After tor is restarted it will create a file
hostname
in HiddenServiceDir
which contains the onion address for each service.
_Final NOTES
I started only bitcoind and waited until it was synced. Then I started fulcrum and waited again until it was synced. And finally I started btc-explorer.
The connection string for the wallet needs to end with :t or :s, depending on what connection you use.
- In case of clearnet, I am using subdomain.MY_DOMAIN.com:50002:s
- In case of tor, I am using asfalsfjaifjaosfj.onion:50001:t
I am backing up from time to time. That means that I stop all programs and rsync the blockchain and fulcrum directories to an external hdd. I think it is good to have some already verified state so if something happens I will not have to wait for a long first sync.