diff --git a/ElectrumX.md b/ElectrumX.md index b2f18e5..8eab57f 100644 --- a/ElectrumX.md +++ b/ElectrumX.md 
@@ -1,262 +1,250 @@ # ElectrumX for VerusCoin -## Server +**NOTE:** For all downloads mentioned below you are encouraged use the [Verus Signature verification tool](https://verus.io/verify-signatures) or a local standalone Verus daemon to make sure the files are authentic and have not been tampered with. Additionally, the setup described below is in no way production ready but is meant to illustrate the general process only. **System hardening, firewalling, signature verification and other measures are outside of the scope of this guide. You will have to take care of it for yourself!** -A VPS with 4GB of RAM, anything above 40GB SSD storage and 2 CPU cores is the absolute minimum requirement. Start following the guide while logged in as `root`. +## Server +A VPS with 6GB of RAM, anything from 40GB SSD storage and 2 CPU cores is the absolute minimum requirement. Start following the guide while logged in as `root`. ## Operating System -This guide tailored to and tested on `Debian 9 "Stretch"`. Before starting, please install the latest updates: +This guide tailored to and tested on `Debian 10 "Buster"` but should probably also work on Debian-ish derivatives like `Devuan` or `Ubuntu` and others. This guide contains `systemd`-specific instuctions below, make sure to adapt them to your init system of choice. Before starting, please install the latest updates and prerequisites. -``` +```bash apt update -apt -y upgrade +apt upgrade +apt install wget libgomp1 git python3.7 python3-pip build-essential libleveldb-dev libboost-all-dev +pip3 install multidict chardet plyvel uvloop ``` -## Wallet - -The packages required in order to compile a VerusCoin wallet can be installed like this: +With the minimum memory requirement above, `dphys-swapfile` will be necessary. It will create a 2GB swap file per default, which is sufficient. In situations where more memory is available, installation of `dphys-swapfile` can be skipped altogether. 
+```bash +apt install dphys-swapfile ``` -apt -y install build-essential git pkg-config libc6-dev m4 g++-multilib autoconf \ - libtool ncurses-dev unzip git python python-zmq zlib1g-dev wget \ - libcurl4-openssl-dev bsdmainutils automake curl -``` - -Create a useraccount for the wallet. Switch to that account. -``` -useradd -m -d /home/veruscoin -s /bin/bash veruscoin -su - veruscoin -``` +## Verus Node -Now, clone the source tree and build the binaries: +Create a user account for the Verus node and switch to it. -``` -git clone https://github.com/VerusCoin/VerusCoin -cd VerusCoin -./zcutil/fetch-params.sh -./zcutil/build.sh -j$(nproc) +```bash +useradd -m -d /home/verus -s /bin/bash verus +su - verus ``` -After that is done, create a `~/bin` directory and copy over the binaries. Strip the debug symbols. +Prepare the `~/bin` directory and add it to the users' `PATH`. -``` +```bash mkdir ~/bin -cp src/komodod src/komodo-cli src/komodo-tx ~/bin -strip ~/bin/komodo* +echo export PATH=\"${PATH}:/home/verus/bin\" >> ~/.bashrc ``` -Start the VerusCoin daemon so we have a default configuration file: +Log out and back into the account to get the new `PATH` into the environment. -``` -komodod -ac_name=VRSC -ac_algo=verushash -ac_cc=1 -ac_veruspos=50 -ac_supply=0 -ac_eras=3 \ --ac_reward=0,38400000000,2400000000 -ac_halving=1,43200,1051920 -ac_decay=100000000,0,0 -ac_end=10080,226080,0 \ --ac_timelockgte=19200000000 -ac_timeunlockfrom=129600 -ac_timeunlockto=1180800 -addnode=185.25.48.236 \ --addnode=185.64.105.111 -daemon +```bash +exit +su - verus ``` -Let it run for a few seconds and stop it again: +Download the **latest** (`v0.7.2-6` used in this example) Verus binaries from the [GitHub Releases Page](https://github.com/VerusCoin/VerusCoin/releases). 
Unpack, move them into place and clean up like so: +```bash +wget https://github.com/VerusCoin/VerusCoin/releases/download/v0.7.2-6/Verus-CLI-Linux-v0.7.2-6-amd64.tgz +tar xf Verus-CLI-Linux-v0.7.2-6-amd64.tgz; tar xf Verus-CLI-Linux-v0.7.2-6-amd64.tar.gz +mv verus-cli/{fetch-params,fetch-bootstrap,verusd,verus} ~/bin +rm -rf verus-cli Verus-CLI-Linux-v0.7.2-6-amd64.t* ``` -komodo-cli -ac_name=VRSC stop + +Use the supplied script to download a copy of the `zcparams` data. Watch for and fix any occuring errors until you can be sure you successfully have gotten a complete `zcparams` copy. + +```bash +fetch-params +# ... a lot of output from wget and sadly no clear conclusion notice ``` -Edit the resulting `~/.komodo/VRSC/VRSC.conf` to include the parameters listed below, adapt the ones that need to be adapted. -A resonably secure `rpcpassword` can be generated using this command: -`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`. +Use the supplied script to download and unpack the latest bootstrap into the default data directory. Watch for and fix any occuring errors until you can be sure you successfully got, checksum-verified and unpacked the latest bootstrap into the default Verus data directory location. +```bash +fetch-bootstrap +# ... some output +Enter blockchain data directory or leave blank for default: +Install bootstrap in /home/verus/.komodo/VRSC? ([1]Yes/[2]No)<1> +# ... some more output, then, ideally +Bootstrap successfully installed ``` -server=1 -listen=1 -listenonion=0 -maxconnections=256 -# logging related options -logtimestamps=1 -logips=1 -shrinkdebugfile=0 +Create (and where necessary, adapt) a `VRSC.conf` file. 
-# how many blocks to check on startup -checkblocks=64 +```bash +cat << EOF > ~/.komodo/VRSC/VRSC.conf +## +## verus electrum node config +## -# indexing options -txindex=1 -addressindex=1 -timestampindex=1 -spentindex=1 +# electrum doesn't need a wallet +disablewallet=1 -# make sure ipv4 & ipv6 is used -bind= -bind= +# network options +listen=1 +port=27485 +maxconnections=1024 -# rpc settings -rpcuser=veruscoin -rpcpassword= +# rpc options +server=1 +rpcuser=verus +rpcpassword=OBVIOUSLY-EDIT-HERE rpcport=27486 -rpcthreads=256 -rpcworkqueue=1024 rpcbind=127.0.0.1 rpcallowip=127.0.0.1 +rpcthreads=64 +rpcworkqueue=256 + +# logging options +logtimestamps=1 +logips=1 -# if a peer jacks up more than 25 times in a row, ban it -banscore=25 +# debug options +shrinkdebugfile=0 +debug=0 -# stake if possible, although it's probably not helping much -gen=1 -genproclimit=0 +# checks +checklevel=4 +checkblocks=1440 # addnodes -seednode=185.25.48.236:27485 -addnode=185.25.48.236:27487 -seednode=185.64.105.111:27485 -addnode=185.64.105.111:27487 -seednode=185.25.48.72:27485 -seednode=185.25.48.72:27487 +addnode=136.243.227.142:27485 +addnode=5.9.224.250:27485 +addnode=95.216.104.210:27485 +addnode=135.181.68.2:27485 +addnode=185.25.48.236:27485 +addnode=185.64.105.111:27485 + +# EOF +EOF ``` -For proper ElectrumX operation, `txindex=1` is crucial. Afterwards, start the daemon again and let it sync the blockchain: +A reasonably secure `rpcpassword` for the above config can be generated with the commands below. 
-``` -komodod -ac_name=VRSC -ac_algo=verushash -ac_cc=1 -ac_veruspos=50 -ac_supply=0 -ac_eras=3 \ --ac_reward=0,38400000000,2400000000 -ac_halving=1,43200,1051920 -ac_decay=100000000,0,0 -ac_end=10080,226080,0 \ --ac_timelockgte=19200000000 -ac_timeunlockfrom=129600 -ac_timeunlockto=1180800 -addnode=185.25.48.236 \ --addnode=185.64.105.111 -daemon +```bash +cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 ``` -To check the status and know when the initial sync has been completed, issue +Start `verusd` and follow the `debug.log` output to make sure `verusd` syncs to current height and otherwise comes up successfully. +```bash +cd ~/.komodo/VRSC && verusd -daemon 1>/dev/null 2>&1 +tail -f debug.log ``` -komodo-cli -ac_name=VRSC getinfo -``` - -When it has synced up to height, the `blocks` and `longestchain` values will be at par. Additionally, you should verify against [the explorer](https://explorer.veruscoin.io) that you are in fact not on a fork. While we wait for this to happen, lets continue. -## Python 3.7 & Prerequisites +Now exit the `verus` account. -It's not exactly a 'clean' solution, but a working one. Add the `buster` packages to `/etc/apt/sources.list`: - -``` -deb http://ftp.debian.org/debian buster main contrib non-free -deb-src http://ftp.debian.org/debian buster main contrib non-free +```bash +exit ``` -Update the package list and install all necessary packages: +## verushashpy -``` -apt update -apt -y install python3.7 python3.7-dev python3-multidict python3-setuptools git \ - build-essential cmake libtool autotools-dev automake pkg-config \ - libcurl4-gnutls-dev libssl-dev libevent-dev libdb++-dev zlib1g-dev libleveldb-dev \ - libboost-system-dev libboost-filesystem-dev libboost-chrono-dev libboost-program-options-dev libboost-test-dev libboost-thread-dev libboost-random-dev \ - unzip libsodium-dev sudo -``` - -After that has completed, remove the `buster` repos from `/etc/apt/sources.list` and update the package list again. 
To sum up, do this: +Install the `verushashpy` module as shown below. -``` -cd /usr/bin -rm python3 python3m -ln -s python3.7m python3m -ln -s python3.7 python3 +```bash +cd /usr/src +git clone https://github.com/veruscoin/verushashpy +cd verushashpy +python3.7 setup.py install ``` ## ElectrumX Installation -Create a new user, (temporarily) enable sudo without password and switch to it: +Create a new system user for `electrumx`. ``` -useradd -m -d /home/electrumx -s /bin/bash electrumx -echo "electrumx ALL=(ALL) NOPASSWD: ALL" >/etc/sudoers.d/010-electrumx -su - electrux +useradd -rMs /bin/false electrumx ``` -Now, check out the Veruscoin ElectrumX repo and install it: +Now, check out the ElectrumX repo and install it: ``` -git clone https://github.com/VerusCoin/electrumx -cd electrumx; sudo python3 setup.py install +cd /usr/src +git clone https://github.com/spesmilo/electrumx +cd electrumx; python3.7 setup.py install ``` ## ElectrumX Configuration -Switch back to root. Copy over the `systemd` unit file and create `/etc/electrumx.conf`. Create a datadir and assign ownership to the `electrumx` user. +Copy over the `systemd` unit file and create a datadir. Assign ownership of the datadir to the `electrumx` user. -``` -cp /home/electrumx/electrumx/contrib/systemd/electrumx.service /etc/systemd/system -cat </etc/electrumx.conf -COIN = Verus -DB_DIRECTORY = /electrumdb/VRSC -DAEMON_URL = http://veruscoin:@127.0.0.1:27486/ -RPC_HOST = 127.0.0.1 -RPC_PORT = 8000 -HOST = -TCP_PORT = 10000 -EVENT_LOOP_POLICY = uvloop -PEER_DISCOVERY = self -EOF -mkdir -p /electrumdb/VRSC && chown electrumx:electrumx /electrumdb/VRSC +```bash +cp /usr/src/electrumx/contrib/systemd/electrumx.service /etc/systemd/system +mkdir -p /electrumdb/VRSC +chown electrumx:electrumx /electrumdb/VRSC ``` -Make sure the VerusCoin wallet is running. 
You should now be able to start ElectrumX (as `root`, it will switch to `electrumx` user) successfully: +Create a config file for electrumx called `/etc/electrumx.conf`. See [here](https://electrumx.readthedocs.io/en/latest/environment.html) for the full list of configuration options. -``` -systemd start electrumx -``` +```bash +cat << EOF >/etc/electrumx.conf +COIN="Verus" +DB_DIRECTORY="/electrumdb/VRSC" +DAEMON_URL="http://verus:OBVIOUSLY-EDIT-HERE@127.0.0.1:27486/" -Display the logs with this command: +LOG_FORMAT="%(asctime)s %(levelname)s:%(name)s:%(message)s" +LOG_LEVEL="info" -``` -journalctrl -fu electrumx.service -``` +SERVICES="tcp://0.0.0.0:17485,tcp://[::]:17485,rpc://127.0.0.1:17489,rpc://[::1]:17489" +MAX_SESSIONS="5000" -Initial sync will take up to 2 hours to complete. Before that is done, ElectrumX will only allow RPC connections via loopback, but no external connections. To check ElectrumX status, do +DB_ENGINE="leveldb" +EVENT_LOOP_POLICY="uvloop" -``` -electrumx_rpc getinfo -``` +REQUEST_TIMEOUT="30" +SESSION_TIMEOUT="600" +BANDWIDTH_UNIT_COST="50000" +INITIAL_CONCURRENT="100" +COST_SOFT_LIMIT="0" +COST_HARD_LIMIT="0" -## Further considerations +CACHE_MB="1500" +EOF +``` -None of the topics below is strictly necessary, but most of them are recommended. +Make sure the VerusCoin wallet is running. You should now be able to start ElectrumX. + +``` +systemctl start electrumx.service +``` -### Improving SSH security +Display the logs with this command: -If you remember the good old `rand=4; // chosen by fair dice roll` comic, you're probably doing this anyways. If you don't go google the comic, you might have missed a laugh there! 
+``` +journalctl -fu electrumx.service +``` -As `root`, generate a proper `/etc/ssh/moduli` like this: +Enable autostart with this command: ``` -ssh-keygen -G "/root/moduli.candidates" -b 4096 -mv /etc/ssh/moduli /etc/ssh/moduli.old -ssh-keygen -T /etc/ssh/moduli -f "/root/module.candidates" -rm "/root/moduli.candidates" +systemctl enable electrumx.service ``` -Add the recommended changes from [CiperLi.st](https://cipherli.st) to `/etc/ssh/sshd_config`, also make sure that `PermitRootLogin` is at least set to `without-password`. Then remove and re-generate your host keys like this: +Initial sync will take up to 3 hours to complete. Before that is done, ElectrumX will only allow RPC connections via loopback, but no external connections. To check ElectrumX status, do ``` -cd /etc/ssh -rm ssh_host_*key* -ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null -ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null +electrumx_rpc getinfo ``` -To finish, restart the ssh server: +To see info about connected clients, execute ``` -/etc/init.d/sshd restart +electrumx_rpc sessions ``` -### Enable `logrotate` +### Enable `logrotate` for `verusd` -As `root` user, create a file called `/etc/logrotate.d/pool` with these contents: +As `root` user, create a file called `/etc/logrotate.d/verus` with these contents: ``` -/home/veruscoin/.komodo/VRSC/debug.log +/home/verus/.komodo/VRSC/debug.log { rotate 14 daily 
@@ -268,128 +256,12 @@ As `root` user, create a file called `/etc/logrotate.d/pool` with these contents } ``` -### Autostart using `cron` - -Switch to the `veruscoin` user. Edit the `crontab` using `crontab -e` and include the lines below: - -``` -@reboot /home/veruscoin/bin/komodod -ac_name=VRSC -ac_algo=verushash -ac_cc=1 -ac_veruspos=50 -ac_supply=0 -ac_eras=3 -ac_reward=0,38400000000,2400000000 -ac_halving=1,43200,1051920 -ac_decay=100000000,0,0 -ac_end=10080,226080,0 -ac_timelockgte=19200000000 -ac_timeunlockfrom=129600 -ac_timeunlockto=1180800 -addnode=185.25.48.236 -addnode=185.64.105.111 -daemon 1>/dev/null 2>&1 -``` +### Autostart `verusd` using `cron` -Switch to the `s-nomp` user. Edit the `crontab` using `crontab -e` and include the line below: -``` -@reboot /bin/sleep 60 && cd /home/s-nomp/s-nomp && /usr/bin/pm2 start init.js --name s-nomp -``` - -### Simplify wallet usage - -Switch to the `veruscoin` user. Create a file called `/home/veruscoin/bin/veruscoind` that looks like this: - -``` -#!/bin/bash -OLDPWD="$(pwd)" -cd /home/veruscoin/.komodo/VRSC -/home/veruscoin/bin/komodod -ac_name=VRSC -ac_algo=verushash -ac_cc=1 -ac_veruspos=50 -ac_supply=0 -ac_eras=3 -ac_reward=0,38400000000,2400000000 -ac_halving=1,43200,1051920 -ac_decay=100000000,0,0 -ac_end=10080,226080,0 -ac_timelockgte=19200000000 -ac_timeunlockfrom=129600 -ac_timeunlockto=1180800 -addnode=185.25.48.236 -addnode=185.64.105.111 ${@} -cd "${OLDPWD}" -``` - -Create another file called `/home/veruscoin/bin/veruscoin-cli` that looks like this: - -``` -#!/bin/bash -/home/veruscoin/bin/komodo-cli -ac_name=VRSC ${@} -``` - -Make both files executable: - -``` -chmod +x /home/veruscoin/bin/veruscoin* -``` - -From now on, any time you would have to use the huge `komodod` or `komodo-cli` commands, you can just use them as shown below: - -``` -veruscoind -daemon 1>/dev/null 2>&1 -veruscoin-cli addnode 1.2.3.4 onetry -``` - -### Increase open files limit - -Add this to your `/etc/security/limits.conf`: 
- -``` -* soft nofile 1048576 -* hard nofile 1048576 -``` - -Reboot to activate the changes. Alternatively you can make sure all running processes are restarted from within a shell that has been launched _after_ the above changes were put in place. - - -### Networking optimizations - -If your pool is expected to receive a lot of load, consider implementing below changes, all as `root`: - -Enable the `tcp_bbr` kernel module: - -``` -modprobe tcp_bbr -echo tcp_bbr >> /etc/modules -``` - -Edit your `/etc/sysctl.conf` to include below settings: - -``` -net.ipv4.tcp_congestion_control=bbr -net.core.rmem_default = 1048576 -net.core.wmem_default = 1048576 -net.core.rmem_max = 16777216 -net.core.wmem_max = 16777216 -net.ipv4.tcp_rmem = 4096 87380 16777216 -net.ipv4.tcp_wmem = 4096 65536 16777216 -net.ipv4.udp_rmem_min = 16384 -net.ipv4.udp_wmem_min = 16384 -net.core.netdev_max_backlog = 262144 -net.ipv4.tcp_max_orphans = 262144 -net.ipv4.tcp_max_syn_backlog = 262144 -net.ipv4.tcp_tw_reuse = 1 -net.ipv4.tcp_max_tw_buckets = 2000000 -net.ipv4.ip_local_port_range = 16001 65530 -net.core.somaxconn = 20480 -net.ipv4.tcp_low_latency = 1 -net.ipv4.tcp_slow_start_after_idle = 0 -net.ipv4.tcp_mtu_probing = 1 -net.ipv4.tcp_fastopen = 3 -net.ipv4.tcp_limit_output_bytes = 131072 -``` - -Run below command to activate the changes, alternatively reboot the machine: - - -``` -sysctl -p /etc/sysctl.conf -``` - -### Change swapping behaviour - -If your system has a lot of RAM, you can change the swapping behaviour to only swap when necessary. Edit `/etc/sysctl.conf` to include this setting: - -``` -vm.swappiness=1 -``` - -The range is `1-100`. The *lower* the number, the *later* the system will start swapping stuff out. Run below command to activate the change, alternatively reboot the machine: - -``` -sysctl -p /etc/sysctl.conf -``` - -### Install `molly-guard` - -As a last sanity check before reboots, `molly-guard` will prompt you for the hostname of the system you're about to reboot. 
Install it like this: - -``` -apt -y install molly-guard -``` +Switch to the `verus` user. Edit the `crontab` using `crontab -e` and add this to the appropriate place: -Check `/etc/molly-guard/rc` for more options. +```crontab +PATH=".:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/home/verus/bin" +@reboot cd /home/verus/.komodo/VRSC && /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +``` \ No newline at end of file diff --git a/Insight.md b/Insight.md new file mode 100644 index 0000000..049ab61 --- /dev/null +++ b/Insight.md 
@@ -0,0 +1,344 @@ +# Insight Explorer for Verus + +**NOTE:** For all downloads mentioned below you are encouraged use the [Verus Signature verification tool](https://verus.io/verify-signatures) or a local standalone Verus daemon to make sure the files are authentic and have not been tampered with. Additionally, the setup described below is in no way production ready but is meant to illustrate the general process only. **System hardening, firewalling, signature verification and other measures are outside of the scope of this guide. You will have to take care of it for yourself!** + +## Server + +A VPS with 8GB of RAM, anything from 60GB SSD storage and 2 CPU cores is the absolute minimum requirement. Start following the guide while logged in as `root`. + +## Operating System + +This guide tailored to and tested on `Debian 12 "bookworm"` but should probably also work on Debian-ish derivatives like `Devuan` or `Ubuntu` and others. Before starting, please install the latest updates and prerequisites. + +```bash +apt update +apt upgrade +apt install wget libgomp1 git python build-essential libzmq3-dev libzmq5 +``` +With the minimum memory requirement above, `dphys-swapfile` will be necessary. It will create a 2GB swap file per default, which is sufficient. In situations where more memory is available, installation of `dphys-swapfile` can be skipped altogether. + +```bash +apt install dphys-swapfile +``` + +## Verus Node + +Create a user account for the Verus node and switch to it. + +```bash +useradd -m -d /home/verus -s /bin/bash verus +su - verus +``` + +Prepare the `~/bin` directory and add it to the users' `PATH`. + +```bash +mkdir ~/bin +echo export PATH=\"${PATH}:/home/verus/bin\" >> ~/.bashrc +``` + +Log out and back into the account to get the new `PATH` into the environment. 
+ +```bash +exit +su - verus +``` + +Download the **latest** (`v1.2.12-1` used in this example) Verus binaries from the [GitHub Releases Page](https://github.com/VerusCoin/VerusCoin/releases). Unpack, move them into place and clean up like so: + +```bash +wget https://github.com/VerusCoin/VerusCoin/releases/download/v1.2.12-1/Verus-CLI-Linux-v1.2.12-1-amd64.tgz +tar xf Verus-CLI-Linux-v1.2.12-1-amd64.tgz; tar xf Verus-CLI-Linux-v1.2.12-1-amd64.tar.gz +mv verus-cli/{fetch-params,fetch-bootstrap,verusd,verus} ~/bin +rm -rf verus-cli Verus-CLI-Linux-v1.2.12-1-amd64.t* +``` + +Use the supplied script to download a copy of the `zcparams` data. Watch for and fix any occuring errors until you can be sure you successfully have gotten a complete `zcparams` copy. + +```bash +fetch-params +# ... a lot of output from wget and sadly no clear conclusion notice +``` + +Use the supplied script to download and unpack the latest bootstrap into the default data directory. Watch for and fix any occuring errors until you can be sure you successfully got, checksum-verified and unpacked the latest bootstrap into the default Verus data directory location. + +```bash +fetch-bootstrap +# ... some output +Enter blockchain data directory or leave blank for default: +Install bootstrap in /home/verus/.komodo/VRSC? ([1]Yes/[2]No)<1> +# ... some more output, then, ideally +Bootstrap successfully installed +``` + +Create (and where necessary, adapt) a `VRSC.conf` file that has the necessary additional settings for Insight (namely `zmqpubrawtx` and `zmqpubhashblock`). 
+ +```bash +cat << EOF > ~/.komodo/VRSC/VRSC.conf +## +## verus insight node config +## + +# explorer doesn't need a wallet +disablewallet=1 + +# insight-related options +zmqpubrawtx=tcp://127.0.0.1:27487 +zmqpubhashblock=tcp://127.0.0.1:27487 + +# network options +listen=1 +port=27485 +maxconnections=1024 + +# rpc options +server=1 +rpcuser=verus +rpcpassword=OBVIOUSLY-EDIT-HERE +rpcport=27486 +rpcbind=127.0.0.1 +rpcallowip=127.0.0.1 +rpcthreads=64 +rpcworkqueue=256 + +# logging options +logtimestamps=1 +logips=1 + +# debug options +shrinkdebugfile=0 +debug=0 + +# checks +checklevel=4 +checkblocks=1440 + +# addnodes +addnode=157.90.113.198:27485 +addnode=136.243.31.96:27485 +addnode=95.217.1.76:27485 +addnode=45.79.111.201:27485 +addnode=45.79.237.198:27485 +addnode=66.228.59.168:27485 + +# EOF +EOF +``` + +A reasonably secure `rpcpassword` for the above config can be generated with the commands below. + +```bash +cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 +``` + +Start `verusd` and follow the `debug.log` output to make sure `verusd` syncs to current height and otherwise comes up successfully. + +```bash +cd ~/.komodo/VRSC && verusd -daemon 1>/dev/null 2>&1 +tail -f debug.log +``` + +Now exit the `verus` account. + +```bash +exit +``` + +## NodeJS, Insight + +Create a user account to run `insight` from and switch to it. + +```bash +useradd -m -d /home/insight -s /bin/bash insight +su - insight +``` + +Prepare the `~/bin` directory and add it to the users' `PATH`. + +```bash +mkdir ~/bin +echo export PATH=\"${PATH}:/home/insight/bin\" >> ~/.bashrc +``` + +Install NodeJS v20 using `nvm.sh` like this: + +```bash +wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.3/install.sh | bash +``` + +To activate the changes, log out of and back into the `insight` account. + +```bash +exit +su - insight +``` + +Install and activate NodeJS v20. 
+ +``` +nvm install 20 +nvm use 20 +``` + +Within the `insight` account scope, globally install `pm2` and `bitcore-node` as shown below. + +```bash +npm -g install pm2 git+https://github.com/VerusCoin/bitcore-node-komodo.git +``` + +Since we opted to use the newest NodeJS version the v0.4.3 insight API supports, we'll need to go a slightly different route than shown in other guides. Prepare a directory structure for Insight. + +```bash +cd ~ +mkdir -p ~/insight.VRSC/node_modules +``` + +Create a `package.json` file, this is used to integrate Insight with `pm2`. + +```bash +cat << EOF > ~/insight.VRSC/package.json +{ + "scripts": { + "start": "bitcore-node start" + }, + "description": "Verus Bitcore Node", + "repository": "https://github.com/VerusCoin/bitcore-node-komodo", + "license": "MIT", + "readme": "README.md", + "dependencies": { + "bitcore-lib-komodo": "git+https://github.com/VerusCoin/bitcore-lib-komodo.git", + "bitcore-node-komodo": "git+https://github.com/VerusCoin/bitcore-node-komodo.git", + "insight-api-komodo": "git+https://github.com/VerusCoin/insight-api-komodo.git", + "insight-ui-komodo": "git+https://github.com/VerusCoin/insight-ui-komodo.git" + } +} +EOF +``` + +Create a `bitcore-node.json` file, this is the Insight configuration file. 
+ +```bash +cat << EOF > ~/insight.VRSC/bitcore-node.json +{ + "network": "mainnet", + "ip": "127.0.0.1", + "port": 3002, + "services": [ + "bitcoind", + "api", + "insight-ui-komodo", + "web" + ], + "servicesConfig": { + "bitcoind": { + "connect": [ + { + "rpchost": "127.0.0.1", + "rpcport": 27486, + "rpcuser": "verus", + "rpcpassword": "OBVIOUSLY-EDIT-HERE", + "zmqpubrawtx": "tcp://127.0.0.1:27487" + } + ] + }, + "api":{ + "disableRateLimiter": false, + "rateLimiterOptions": { + "whitelist": ["::ffff:127.0.0.1","127.0.0.1"], + "whitelistLimit": 500000, + "whitelistInterval": 3600000, + "blacklist": [], + "blacklistLimit": 0, + "blacklistInterval": 3600000, + "limit": 10, + "interval": 60000 + } + } + } +} +EOF +``` + +Enter the `node_modules` directory, clone the needed repositories and install the required submodules for the `insight-api-komodo` repository. + +```bash +cd ~/insight.VRSC/node_modules +git clone https://github.com/VerusCoin/insight-ui-komodo +git clone https://github.com/VerusCoin/insight-api-komodo ./api +cd api +npm install --production +``` + +Create a `blocked.json` file in the root of the `vrsc.insight` folder + +```bash +cat << EOF > ~/insight.VRSC/blocked.json +{ + "addresses": [ + "RTqQe58LSj2yr5CrwYFwcsAQ1edQwmrkUU" + ], + "reason": "These addresses cause daemon performance issues and are blocked from queries" +} +``` + +Now launch Insight using `pm2` and follow the log output to make sure Insight launches allright. 
+ +```bash +cd ~/insight.VRSC +pm2 start --name insight.VRSC "npm start"; pm2 log insight.VRSC +``` + +A successful launch looks like this: + +```bash +0|insight.VRSC | [2020-12-29T14:59:28.178Z] info: Using config: /home/insight/insight.VRSC/bitcore-node.json +0|insight.VRSC | [2020-12-29T14:59:28.180Z] info: Using network: livenet +0|insight.VRSC | [2020-12-29T14:59:28.181Z] info: Starting bitcoind +0|insight.VRSC | [2020-12-29T14:59:28.247Z] info: Komodo Daemon Ready +0|insight.VRSC | [2020-12-29T14:59:28.248Z] info: Starting web +0|insight.VRSC | [2020-12-29T14:59:28.255Z] info: Starting insight-api-komodo +0|insight.VRSC | [2020-12-29T14:59:28.256Z] info: Starting insight-ui-komodo +0|insight.VRSC | [2020-12-29T14:59:28.256Z] info: Bitcore Node ready +0|insight.VRSC | [2020-12-29T14:59:28.738Z] warn: ZMQ connection delay: tcp://127.0.0.1:27487 +0|insight.VRSC | [2020-12-29T14:59:28.738Z] info: ZMQ connected to: tcp://127.0.0.1:27487 +0|insight.VRSC | [2020-12-29T15:00:08.416Z] info: Komodo Height: 1329705 Percentage: 100.00 +0|insight.VRSC | [2020-12-29T15:01:31.224Z] info: Komodo Height: 1329706 Percentage: 100.00 +``` + +Insight is now listening at http://127.0.0.1:3002. As mentioned in the beginning of this document, this is not a production ready setup but a proof of concept guide. In order to be able to reach the finished installation from the outside, you need to setup a webserver to proxy back and forth between the internet and the Insight deployment. For proper operation, the webserver does need to support `websocket` proxying. + +### Enable `logrotate` + +As `root` user, create a file called `/etc/logrotate.d/verus-insight` with these contents: + +``` +/home/verus/.komodo/VRSC/debug.log +/home/insight/.pm2/logs/insight.VRSC-out.log +/home/insight/.pm2/logs/insight.VRSC-error.log +{ + rotate 14 + daily + compress + delaycompress + copytruncate + missingok + notifempty +} +``` + +### Autostart using `cron` + +Switch to the `verus` user. 
Edit the `crontab` using `crontab -e` and add this to the appropriate place: + +```crontab +PATH=".:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/home/verus/bin" +@reboot cd /home/verus/.komodo/VRSC && /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +``` + +Switch to the `insight` user. Edit the `crontab` using `crontab -e` and add this to the appropriate place: + +```crontab +PATH=".:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/home/insight/bin:/home/insight/.nvm/versions/node/v9.11.2/bin" +@reboot cd /home/insight/insight.VRSC && pm2 start --name insight.VRSC "npm start" 1>/dev/null 2>&1 +``` +**NOTE:** with every NodeJS update, the last part of the `PATH` variable from the `insight` crontab may change since it has a version number in it. diff --git a/Iquidus.md b/Iquidus.md new file mode 100644 index 0000000..42dc67a --- /dev/null +++ b/Iquidus.md 
@@ -0,0 +1,251 @@ +# Iquidus Explorer for Verus + +**NOTE:** For all downloads mentioned below you are encouraged use the [Verus Signature verification tool](https://verus.io/verify-signatures) or a local standalone Verus daemon to make sure the files are authentic and have not been tampered with. Additionally, the setup described below is in no way production ready but is meant to illustrate the general process only. **System hardening, firewalling, signature verification and other measures are outside of the scope of this guide. You will have to take care of it for yourself!** + +## Server + +A VPS with 4GB of RAM, anything from 30GB SSD storage and 2 CPU cores is the absolute minimum requirement. Start following the guide while logged in as `root`. + +## Operating System + +This guide tailored to and tested on `Debian 10 "Buster"` but should probably also work on Debian-ish derivatives like `Devuan` or `Ubuntu` and others. Before starting, please install the latest updates and prerequisites. + +```bash +apt update +apt upgrade +apt install wget libgomp1 git python build-essential +``` + +Additionally, Iquidus requires a MongoDB backend. Please refer to [this](https://docs.mongodb.com/manual/tutorial/install-mongodb-on-debian/) document for MongoDB install instructions. + +With the minimum memory requirement above, `dphys-swapfile` will be necessary. It will create a 2GB swap file per default, which is sufficient. In situations where more memory is available, installation of `dphys-swapfile` can be skipped altogether. + +```bash +apt install dphys-swapfile +``` + +## Verus Node + +Create a user account for the Verus node and switch to it. + +```bash +useradd -m -d /home/verus -s /bin/bash verus +su - verus +``` + +Prepare the `~/bin` directory and add it to the users' `PATH`. + +```bash +mkdir ~/bin +echo export PATH=\"${PATH}:/home/verus/bin\" >> ~/.bashrc +``` + +Log out and back into the account to get the new `PATH` into the environment. 
+ +```bash +exit +su - verus +``` + +Download the **latest** (`v0.7.2-8` used in this example) Verus binaries from the [GitHub Releases Page](https://github.com/VerusCoin/VerusCoin/releases). Unpack, move them into place and clean up like so: + +```bash +wget https://github.com/VerusCoin/VerusCoin/releases/download/v0.7.2-6/Verus-CLI-Linux-v0.7.2-8-amd64.tgz +tar xf Verus-CLI-Linux-v0.7.2-8-amd64.tgz; tar xf Verus-CLI-Linux-v0.7.2-8-amd64.tar.gz +mv verus-cli/{fetch-params,fetch-bootstrap,verusd,verus} ~/bin +rm -rf verus-cli Verus-CLI-Linux-v0.7.2-8-amd64.t* +``` + +Use the supplied script to download a copy of the `zcparams` data. Watch for and fix any occuring errors until you can be sure you successfully have gotten a complete `zcparams` copy. + +```bash +fetch-params +# ... a lot of output from wget and sadly no clear conclusion notice +``` + +Use the supplied script to download and unpack the latest bootstrap into the default data directory. Watch for and fix any occuring errors until you can be sure you successfully got, checksum-verified and unpacked the latest bootstrap into the default Verus data directory location. + +```bash +fetch-bootstrap +# ... some output +Enter blockchain data directory or leave blank for default: +Install bootstrap in /home/verus/.komodo/VRSC? ([1]Yes/[2]No)<1> +# ... some more output, then, ideally +Bootstrap successfully installed +``` + +Create (and where necessary, adapt) a `VRSC.conf` file. 
+ +```bash +cat << EOF > ~/.komodo/VRSC/VRSC.conf +## +## verus iquidus node config +## + +# explorer doesn't need a wallet +disablewallet=1 + +# network options +listen=1 +port=27485 +maxconnections=1024 + +# rpc options +server=1 +rpcuser=verus +rpcpassword=OBVIOUSLY-EDIT-HERE +rpcport=27486 +rpcbind=127.0.0.1 +rpcallowip=127.0.0.1 +rpcthreads=64 +rpcworkqueue=256 + +# logging options +logtimestamps=1 +logips=1 + +# debug options +shrinkdebugfile=0 +debug=0 + +# checks +checklevel=4 +checkblocks=1440 + +# addnodes +addnode=136.243.227.142:27485 +addnode=5.9.224.250:27485 +addnode=95.216.104.210:27485 +addnode=135.181.68.2:27485 +addnode=185.25.48.236:27485 +addnode=185.64.105.111:27485 + +# EOF +EOF +``` + +A reasonably secure `rpcpassword` for the above config can be generated with the commands below. + +```bash +cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 +``` + +Start `verusd` and follow the `debug.log` output to make sure `verusd` syncs to current height and otherwise comes up successfully. + +```bash +cd ~/.komodo/VRSC && verusd -daemon 1>/dev/null 2>&1 +tail -f debug.log +``` + +Now exit the `verus` account. + +```bash +exit +``` + +## NodeJS + +Create a user account to run `iquidus` from and switch to it. Within this user account `nvm.sh` and ultimately `NodeJS` will be installed. + +```bash +useradd -m -d /home/iquidus -s /bin/bash iquidus +su - iquidus +``` + +Prepare the `~/bin` directory and add it to the users' `PATH`. + +```bash +mkdir ~/bin +echo export PATH=\"${PATH}:/home/iquidus/bin\" >> ~/.bashrc +``` + +Install NodeJS v9 using `nvm.sh` like this: + +```bash +wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash +``` + +To activate the changes, log out of and back into the `iquidus` account. + +```bash +exit +su - iquidus +``` + +Install and activate NodeJS v12. + +``` +nvm install 12 +nvm use 12 +``` + +Within the `iquidus` account scope, globally install `pm2` as shown below. 
+ +```bash +npm -g install pm2 +``` + +## Iquidus Installation + +While still logged in as the `iquidus` user, clone the Iquidus repository. + +```bash +cd ~/ +git clone https://github.com/Oink70/explorer +``` + +See https://github.com/Oink70/explorer for the basic of install instructions of Iquidus. Read this document thoroughly, it contains information about the MongoDB backend, necessary steps for initial data import (also see right below) and keeping the explorer in sync with the Verus chain. + +**NOTE:** Before starting an init sync, in the resulting installed `node_modules`, we need to disable `json-bigint strict mode` in 3 places: + +```bash +node_modules/bitcoin-node-api/node_modules/bitcoin-core/coverage/src/parser.js.html:251 +node_modules/bitcoin-node-api/node_modules/bitcoin-core/dist/src/parser.js:27 +node_modules/bitcoin-core/dist/src/parser.js:27 +``` + +Each place has a representation of `strict: true` which needs to be changed to `strict: false` within the respective syntax limits. + +To setup Iquidus the way you like it, copy `settings.json.template` to `settings.json` and adapt where necessary. Launch the explorer using `pm2` and follow the log output to make sure Iquidus starts up allright. Ideally, Iquidus is now listening on the IP and Port you have configured. + +```bash +cd ~/explorer +pm2 start --name "explorer" "npm start"; pm2 log all +``` + +### Enable `logrotate` + +As `root` user, create a file called `/etc/logrotate.d/verus-iquidus` with these contents: + +``` +/home/verus/.komodo/VRSC/debug.log +/home/iquidus/.pm2/logs/explorer.VRSC-out.log +/home/iquidus/.pm2/logs/explorer.VRSC-error.log +{ + rotate 14 + daily + compress + delaycompress + copytruncate + missingok + notifempty +} +``` + +### Autostart using `cron` + +Switch to the `verus` user. 
Edit the `crontab` using `crontab -e` and add this to the appropriate place: + +```crontab +PATH=".:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/home/verus/bin" +@reboot cd /home/verus/.komodo/VRSC && /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +``` + +Switch to the `iquidus` user. Edit the `crontab` using `crontab -e` and add this to the appropriate place: + +```crontab +PATH=".:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/home/iquidus/bin:/home/iquidus/.nvm/versions/node/v12.20.0/bin" +@reboot cd /home/iquidus/explorer && pm2 start --name explorer "npm start" 1>/dev/null 2>&1 +``` + +**NOTE:** with every NodeJS update, the last part of the `PATH` variable from the `iquidus` crontab may change since it has a version number in it. diff --git a/README.md b/README.md index 38db2b1..178b538 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,12 @@ -# VerusCoin How-To Documents +# Verus How-To Documents - * [ElectrumX](ElectrumX.md) + * [Verusd-RPC](Verusd-RPC.md) + * [ElectrumX](ElectrumX.md) *soon to be deprecated* * [S-NOMP](S-NOMP.md) - - More guides to follow. + * [S-NOMP Alternate setup](S-NOMP-alternate-setup.md) + * [S-NOMP stratum server](S-NOMP-stratum-setup.md) + * [Iquidus](Iquidus.md) *soon to be deprecated* + * [Insight](Insight.md) + * [TOR-Wallet](TOR-Wallet.md) + * [Tails-Wallet](Tails-Wallet.md) + * [Verus Staking Node](VerusNode.md) diff --git a/S-NOMP-alternate-setup.md b/S-NOMP-alternate-setup.md new file mode 100644 index 0000000..5fc3299 --- /dev/null +++ b/S-NOMP-alternate-setup.md 
@@ -0,0 +1,754 @@ +# S-NOMP for Verus, alternate setup + +This alternate setup deviates from the standard setup on the following subjects: + - It installs and uses `keydb` as replacement for `redis`. `Keydb` is a faster and less memory intensive database, fully compatible with `redis`. + - It prepares the `keydb` database for use with additional stratum servers. + - It simplifies the Verus Daemon installation process by using an install script from https://github.com/Oink70/Verus-CLI-tools. + - Mentions `blocknotify.c` code to be compiled and used as alternative for the standard `api.js`. + - it includes `UFW firewall` instructions. + +Operating a mining pool requires you to know about systems administration, IT security, databases, software development, coin daemons and other more or less related stuff. Running a production pool can literally be more work than a full-time job. + +**NOTE:** When you are done please message `englal#8861` on the [Verus discord](https://discord.gg/VRKMP2S)) with your poolwallet IP so he can `addnode` it around his platform, which contributes to network stability. `Done` in this case means at least full setup procedure completed, pool running, a block was found and paid out. Thank you. + +A VPS with 8GB of RAM, anything above 30GB **SSD** storage and 1 CPU core which knows about AES-NI is the absolute minimum requirement. Generally, having more RAM is more important than having more CPU power here. Additionally, the hypervisor of your VPS _must_ pass through the original CPU designation from its host. See below for an example that will likely lead to trouble. + +```bash +lscpu|grep -i "model name" +Model name: QEMU Virtual CPU version 2.5+ +``` + +Basically, anything in there that is not a real CPU name _may_ cause NodeJS to behave funny despite the `Virtual CPU` having all necessary CPU flags. Be aware and ready to switch servers and/or hosting companies if need be. Start following the guide while logged in as `root`. 
+ + +## Operating System + +This guide is tailored to and tested on `Debian 11 "Bullseye"` but should probably also work on Debian-ish derivatives like `Devuan` or `Ubuntu` and others. Before starting, please install the latest updates and prerequisites. + +```bash +echo "deb https://download.keydb.dev/open-source-dist $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/keydb.list +wget -O /etc/apt/trusted.gpg.d/keydb.gpg https://download.keydb.dev/open-source-dist/keyring.gpg +apt update +apt -y upgrade +apt -y install libgomp1 keydb git libboost-all-dev libsodium-dev build-essential +``` + +## Poolwallet + +Create a user for the poolwallet, switch to that account: + +```bash +useradd -m -d /home/verus -s /bin/bash verus +su - verus +``` + +Download the **latest** Verus binaries from the [GitHub Releases Page](https://github.com/VerusCoin/VerusCoin/releases) and install them like so: + +```bash +mkdir ~/bin +cd ~/bin +wget https://raw.githubusercontent.com/Oink70/Verus-CLI-tools/main/auto-verus.sh +chmod +x auto-verus.sh +./auto-verus.sh +``` +When the script asks if this is a new installation, answer with `Y` (default). On `Enter blockchain data directory or leave blank for default:` press enter. On the question to install, answered with `1` (default). +If you installed the updates and prerequisites, the daemon will start in the background. +Check if it indeed started using `tail -f ~/.komodo/VRSC/debug.log` (`CTRL-C` to exit). + +Now, let's create the wallet export directory. + +```bash +mkdir ~/export +``` + +It's time to do the wallet config. A reasonably secure `rpcpassword` can be generated using this command: + +```bash +cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 +``` + +Edit `~/.komodo/VRSC/VRSC.conf` and include the parameters listed below, adapt the ones that need adaption. 
+ +```conf +## +## default recommended pool wallet config for verus/s-nomp +## see https://github.com/VerusCoin/VerusServicesSetup/blob/master/S-NOMP.md +## + +# network options +listen=1 +listenonion=0 +port=27485 +maxconnections=1024 + +# rpc options +server=1 +rpcport=27486 +rpcuser=verus +rpcpassword=rpcpassword +rpcbind=127.0.0.1 +rpcallowip=127.0.0.1 +rpcthreads=256 +rpcworkqueue=1024 + +## mining options +mint=1 +gen=1 +genproclimit=0 +minetolocalwallet=0 +# miningdistribution={"":0.05,"":0.95} + +# logging options +logtimestamps=1 +logips=1 + +# debug options +shrinkdebugfile=0 +debug=addrman +debug=alert +debug=bench +debug=coindb +debug=db +debug=estimatefee +#debug=http +debug=libevent +debug=lock +debug=mempool +#debug=net +debug=partitioncheck +debug=pow +debug=proxy +debug=prune +debug=rand +debug=reindex +#debug=rpc +debug=selectcoins +#debug=tor +#debug=zmq +#debug=zrpc +#debug=zrpcunsafe + +# miscellaneous options +banscore=64 +checkblocks=64 +checklevel=4 + +# wallet related +exportdir=/home/verus/export +spendzeroconfchange=0 +minetolocalwallet=0 +#mineraddress= + +# blocknotify +#blocknotify= + +# seednodes +seednode=157.90.113.198:27485 +seednode=157.90.155.113:27485 +seednode=95.217.1.76:27485 +seednode=45.79.111.201:27485 +seednode=45.79.237.198:27485 +seednode=172.104.48.148:27485 +seednode=66.228.59.168:27485 + +## addnodes +# vrsc0..1 +addnode=185.25.48.236:27485 +addnode=185.64.105.111:27485 +# ex0..2 +addnode=157.90.127.142:27485 +addnode=157.90.248.145:27485 +addnode=135.181.253.217:27485 +# iq0..2 +addnode=95.216.104.214:27485 +addnode=135.181.68.6:27485 +addnode=168.119.27.246:27485 +# lw0..2 +addnode=168.119.166.240:27485 +addnode=157.90.155.8:27485 +addnode=65.21.63.161:27485 + +# EOF +``` + +Afterwards, restart the verus daemon and let it sync the rest of the blockchain. 
We'll also watch the debug log for a moment: + +```bash +cd ~/.komodo/VRSC; verusd -daemon 1>/dev/null 2>&1; sleep 1; tail -f debug.log +``` + +Press `ctrl-c` to exit `tail` if it looks alright. To check the status and know when the initial sync has been completed, issue + +```bash +verus getinfo +``` + +When it has synced up to height, the `blocks` and `longestchain` values will be at par. Additionally, you should verify against [the explorer](https://explorer.veruscoin.io) that you are not on a fork. Edit the `crontab` using `crontab -e` and include the line below to autostart the poolwallet: + +```crontab +@reboot cd /home/verus/.komodo/VRSC; /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +``` +**HINT:** if you can't stand `vi`, do `EDITOR=nano crontab -e` ;-) + +Create a `start-daemon` script: +```bash +cat << EOX >> /home/verus/bin/start-daemon +#!/bin/bash +cd /home/verus/.komodo/VRSC; /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +# EOF +EOX +chmod +x /home/verus/bin/start-daemon +``` +create a restart script `/home/verus/bin/restart-daemon`: +```bash +#!/bin/bash + +#Copyright Alex English April 2021 +#This script comes with no warranty whatsoever. Use at your own risk. + +#This script just blocks execution until verusd exits. Use it for performing actions in a script after intentionally stopping verusd, or use for alarming if verusd fails, etc. 
+#If there are multiple instances of verusd running, this will not detect any of them going down, it will only exit when there are NO running instances of verusd + +#passing any argument will make it run in verbose mode, telling you each time it checks + +/home/verus/bin/verus stop + +while ps -u "verus" x | grep "/home/verus/bin/verusd" | grep -v "grep"; do + sleep 2s +done + +count=$(/home/verus/bin/verus getconnectioncount) +case $count in + ''|*[!0-9]*) dstat=0 ;; + *) dstat=1 ;; +esac +if [[ "$dstat" == "0" ]]; then + cd /home/verus/.komodo/VRSC && /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +fi +#EOF +``` +and make it an executable: +```bash +chmod +x /home/verus/bin/restart-daemon +``` + + +## Keydb + +Switch back to the `root` account by typing `exit` or hitting `ctrl-d`. In your `/etc/keydb/keydb.conf` file, make sure it contains this (and none of it is commented out): + +```conf +bind * -::* +protected-mode no +port 6379 +unixsocket /var/run/keydb/keydb.sock +unixsocketperm 775 +appendonly yes +``` + +Set amount of connections to 1024 (or 65535 if you think you need it) instead of the standard 128: + +```bash +echo 'net.core.somaxconn = 1024' >> /etc/sysctl.conf +``` +And use the following command to activate it immediately +```bash +sysctl net.core.somaxconn=1024 +``` +**NOTE:** Be aware that you may have to install the POSIX module for numbers above 1024 (as pool user in the `~/s-nomp` directory: `npm install posix`). Check the pool log as soon as you start up. It will tell you if you need it. 
+ + +Set the overcommit_memory feature to 1, to avoid loss of data in case of not enough memory: +```bash +echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf +``` +And use the following command to activate it immediately +```bash +sysctl vm.overcommit_memory=1 +``` + +Finally disable Transparent Huge Page: +```bash +nano /etc/default/grub.d/no_thp.cfg +``` +add this to the empty file: +```conf +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT transparent_hugepage=never" +``` +Update `GRUB` and reboot. +```bash +update-grub +reboot now +``` + +Wait for the reboot to finish and log back in as `root`. Set `keydb-server` to start at bootup and start it manually: + +```bash +systemctl enable keydb-server +systemctl start keydb-server +``` + +## Node.js + +Create a new user account to run the pool from. Switch to that user to setup `nvm.sh`: + + +```bash +useradd -m -d /home/pool -s /bin/bash pool +usermod -g pool redis +chown -R redis:pool /var/run/redis +su - pool +curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash +``` + +Log out and back in to activate `nvm.sh` + +```bash +exit +su - pool +``` + +Now, install `NodeJS v10` via `nvm.sh` as well as `redis-commander` and [PM2](http://pm2.keymetrics.io) via `npm`. +**NOTE:** Node v11 or higher won't work. You _will_ have to use Node v10! +**NOTE:** PM2 v5.0.0 or higher won't work. You _will_ have to use PM2 v4.5.6! + +```bash +nvm install 10 +npm install -g pm2@4.5.6 +``` + +Because `nvm.sh` comes without it, we need to add one symlink into its bindir for our installed NodeJS. + +```bash +which node +/home/pool/.nvm/versions/node/v10.24.1/bin/node +``` + +Change to the resulting directory and create a symlink like below. 
+ +```bash +cd /home/pool/.nvm/versions/node/v10.24.1/bin +ln -s node nodejs +exit +``` + +## S-NOMP + +Make sure you're in the `pool` account and clone the S-NOMP from our main repository: + +```bash +su - pool +git clone https://github.com/veruscoin/s-nomp +cd s-nomp +``` + +Next, install all dependencies using `npm`: + +```bash +npm ci +``` + +## Configuration Instructions + +Shielding is no longer required for mined Verus coins. We will need two public addresses for this. Switch to the `verus` user and generate the addresses: + +```bash +verus getnewaddress +verus getnewaddress +``` + +Next, we will dump the private keys of these addresses for safety reasons. For the transparent addresses, use + +```bash +verus dumpprivkey +verus dumpprivkey +``` + +**Save the data in an offline location, not on your computer!** + +Now, switch to the `pool` account. First, copy `/home/pool/s-nomp/config_example.json` to `/home/pool/s-nomp/config.json`. Edit it to reflect the changes listed below. + + * Set both `host` and `stratumHost` to the external IP or DNS name of your server. + * Enable UNIX socket connections by setting `"socket": "/var/run/keydb/keydb.sock",`, `"password": ""` and removing the rest of the lines in the `"redis"` sections. **Do NOT rename the `redis` section names themselvews!!!** + +Now create a pool config. Copy `/home/pool/s-nomp/pool_configs/examples/vrsc.json` to `/home/pool/s-nomp/pool_configs/verus.json`. Edit it to reflect the changes listed below. + + * Set `enabled` to `true`. + * Set `coin` to `vrsc.json`. + * Set `address` to the first public address generated before. + * Set `tAddress` to the second public address generated before. + * Set `rewardRecipients` to your fee address and fee percentage. Remove `"": 0.2` if you want 0% fee. + * Set `paymentInterval` to `180` + * Set `minimumPayment` to `2`. + * Set `maxBlocksPerPayment` to `8`. 
+ * Both `rewardRecipients` and `invalidAddress` are set to a Verus Foundation address per default, should you like to keep them intact. + * **Otherwise make sure you do not use an address from the poolwallet for either `rewardRecipients` or `invalidAddress`** + * Set `paymentInterval` (in Seconds) and `minimumPayment` (in VRSC) according to your planned scenario. + * There are 2 occurences of `user`, `password` and `port` each. Use the `rpcuser`, `rpcpassword` and `rpcport` values from `/home/verus/.komodo/VRSC/VRSC.conf`. + * Set `diff` to `131072`. + * Set `minDiff` to `16384`. + * Set `maxDiff` to `2147483648` + +Edit the file `~/s-nomp/coins/vrsc.json` to reflect the following setting: + * make sure `"requireShielding":false,` is set. + +We are almost done now. Using the command mentioned at the beginning of this document, check if the blockchain has finished syncing. If not, wait for it to complete before continuing. + +Now switch to the `verus` user, stop the wallet once more. + +```bash +verus stop +``` + +To determine the location of your `node` binary, switch to user `pool`, do this and record your result. We'll need it for the next step. 
+ +```bash +which node +/home/pool/.nvm/versions/node/v8.17.0/bin/node +``` + +Switch back to user `verus` and edit `~/.komodo/VRSC/VRSC.conf` to enable the blocknotify command as seen below, using the location you just got from using `which node` before: + +```conf +blocknotify=/home/pool/.nvm/versions/node/v10.24.1/bin/node /home/pool/s-nomp/scripts/cli.js blocknotify verus %s +``` +also change in this setting (remove the `#` that is in front of it!!!), to reflect your own dee address and mining address you used in the s-Nomp config with their respective percentages: +```conf +miningdistribution={"FEE-ADDRESS":0.05,"":0.95} +``` + +*Alternative to running the blocknotify script through node*: +Compile (on any other machine) the `/home/pool/s-nomp/scripts/blocknotify.c` code, copy the binary to `/home/pool/s-nomp/scripts/blocknotify`, make executable using `chmod +x /home/pool/s-nomp/scripts/blocknotify` and use this line in your `VRSC.conf`: +```conf +blocknotify=/home/pool/s-nomp/scripts/blocknotify 127.0.0.1:17117 verus %s +``` +This configuration will shave of milliseconds off the time it takes your pool to be notified. + +Restart the wallet using the command already listed above. If you are not using `STDOUT`/`STDERR`-redirection, you will see errors about blocknotify. These are expected, because the pool is not running yet and thus the blocknotify script cannot complete successfully. + + +Switch to the `pool` user. Then start the pool using `pm2`: + +```bash +cd ~/s-nomp +pm2 start init.js --name pool +``` + +Use `pm2 log` to check for S-NOMP startup errors. + +If you completed all steps correctly, the web dashboard on your pool can be reached via port `8080` on the external IP or the DNS name of your server. 
+ +### S-Nomp Autostart + +Edit your crontab using `crontab -e` and shove in this line at the bottom: + +```crontab +@reboot /bin/sleep 300 && cd /home/pool/s-nomp && /home/pool/.nvm/versions/node/v8.17.0/bin/pm2 start init.js --name pool +``` + +**HINT:** if you can't stand `vi`, do `EDITOR=nano crontab -e` ;-) + + +## Further considerations + +None of the topics below is strictly necessary, but most of them are recommended. + +### Enabling firewall + +As `root` user: +```bash +ufw allow from any to any port 22 comment "SSH access" +``` +If you want to limit the IPs that can access your server over SSH (eg, if you have a fixed IP address or use a SSH-jump server) replace the first `any` with the IP or ip-range. doublecheck this or you will lock yourself out! +```bash +ufw allow from any to any port 80,443 comment "Standard web ports" +ufw allow from any to any port 9999 comment "mining port(s)" +``` +add multiple mining ports by separating them by commas, analogue to the web ports. +```bash +ufw enable +``` +If you are also installing a separate `stratum server`, it will need a connection to the `keydb` database: +```bash +ufw allow from to any port 6379 comment "Stratum server database connection" +``` + +### Useful DNS resolvers + +Empty your `/etc/resolv.conf` and replace it with this: + +```conf +# google, https://developers.google.com/speed/public-dns/docs/using +nameserver 8.8.4.4 +nameserver 8.8.8.8 +nameserver 2001:4860:4860::8844 +nameserver 2001:4860:4860::8888 + +# verisign, https://publicdnsforum.verisign.com/discussion/13/verisign-public-dns-set-up-configuration-instructions +nameserver 64.6.64.6 +nameserver 64.6.65.6 +nameserver 2620:74:1b::1:1 +nameserver 2620:74:1c::2:2 + +# quad9, https://www.quad9.net/faq/ +nameserver 9.9.9.9 +nameserver 149.112.112.112 +nameserver 2620:fe::fe +nameserver 2620:fe::9 + +# cloudflare/apnic, https://1.1.1.1/de/ +nameserver 1.1.1.1 +nameserver 1.0.0.1 +nameserver 2606:4700:4700::1111 +nameserver 2606:4700:4700::1001 
+ +# opendns, https://use.opendns.com, https://www.opendns.com/about/innovations/ipv6/ +nameserver 208.67.222.222 +nameserver 208.67.220.220 +nameserver 2620:119:35::35 +nameserver 2620:119:53::53 + +# see 'man 5 resolv.conf' +options rotate timeout:1 attempts:5 +``` + + +### Improving SSH security + +If you remember the good old `rand=4; // chosen by fair dice roll` comic, you're probably doing this anyways. If you don't, go Google the comic, you might have missed a laugh there! + +As `root`, generate a proper `/etc/ssh/moduli` like this: + +```bash +ssh-keygen -G "/root/moduli.candidates" -b 4096 +mv /etc/ssh/moduli /etc/ssh/moduli.old +ssh-keygen -T /etc/ssh/moduli -f "/root/module.candidates" +rm "/root/moduli.candidates" +``` + +Add the recommended changes from [CiperLi.st](https://cipherli.st) to `/etc/ssh/sshd_config`, also make sure that `PermitRootLogin` is at least set to `without-password`. Then remove and re-generate your host keys like this: + +```bash +cd /etc/ssh +rm ssh_host_*key* +ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null +ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null +``` + +To finish, restart the ssh server: + +```bash +/etc/init.d/sshd restart +``` + +### Reverse-proxying S-NOMP behind `nginx` + +As `root`, install `nginx` and enable it on boot using these commands: + +```bash +apt -y install nginx +systemctl enable nginx +``` + +Create `/etc/nginx/blockuseragents.rules` with these contents: + +```conf +map $http_user_agent $blockedagent { +default 0; +~*malicious 1; +~*bot 1; +~*backdoor 1; +~*crawler 1; +~*bandit 1; +} +``` + +Edit `/etc/nginx/sites-available/default` to look like this: + +```conf +include /etc/nginx/blockuseragents.rules; +server { + if ($blockedagent) { + return 403; + } + if ($request_method !~ ^(GET|HEAD)$) { + return 444; + } + + listen 80 default_server; + listen [::]:80 default_server; + charset utf-8; + root /var/www/html; + index index.html index.htm index.nginx-debian.html; + + location / 
{ + proxy_pass http://127.0.0.1:8080/; + proxy_set_header X-Real-IP $remote_addr; + } + + location /admin { + rewrite ^/.* /stats permanent; + } + +} +``` + +Restart `nginx`: + +```bash +systemctl restart nginx +``` + +Switch to the `pool` user, edit `/home/pool/s-nomp/config.json` to bind the web interface to `127.0.0.1:8080`: + +```conf +[...] +"website": { + "enabled": true, + "host": "127.0.0.1", + "port": 8080, +[...] + +``` + +Restart the pool: + +```bash +pm2 restart veruspool +``` + +If you've followed the above steps correctly, your pool's webdashboard is now proxied behind nginx. + +### Disable unused webdashboard pages + +Change to the `pool` account. Edit `/home/pool/s-nomp/libs/website.js` to have the `pageFiles` array look like below: + +```conf +var pageFiles = { + 'index.html': 'index', + 'home.html': '', + 'manual.html': 'manual', + 'stats.html': 'stats', + 'tbs.html': 'tbs', + 'workers.html': 'workers', + 'api.html': 'api', + 'miner_stats.html': 'miner_stats', + 'payments.html': 'payments' +} +``` + +### Link to the `payments` page + +Change to the `pool` user account. Edit `/home/pool/s-nomp/website/index.html` to include a new link at the right position, which is somewhere in between lines `30-70`: + +```html +
+[...] +
  • + +   + Payments + +
  • +[...] +
    +``` + +### Enable `logrotate` + +As `root` user, create a file called `/etc/logrotate.d/pool` with these contents: + +```conf +/home/verus/.komodo/VRSC/debug.log +/home/pool/.pm2/logs/pool-out.log +/home/pool/.pm2/logs/pool-error.log +{ + rotate 14 + daily + compress + delaycompress + copytruncate + missingok + notifempty +} +``` + +### Increase open files limit + +Add this to your `/etc/security/limits.conf`: + +```conf +* soft nofile 1048576 +* hard nofile 1048576 +``` + +Reboot to activate the changes. Alternatively you can make sure all running processes are restarted from within a shell that has been launched _after_ the above changes were put in place, which usually is a huge pain. Just reboot. + + +### Networking optimizations + +If your pool is expected to receive a lot of load, consider implementing below changes, all as `root`: + +Enable the `tcp_bbr` kernel module: + +```bash +modprobe tcp_bbr +echo tcp_bbr >> /etc/modules +``` + +Edit your `/etc/sysctl.conf` to include below settings: + +```conf +net.ipv4.tcp_congestion_control=bbr +net.core.rmem_default = 1048576 +net.core.wmem_default = 1048576 +net.core.rmem_max = 16777216 +net.core.wmem_max = 16777216 +net.ipv4.tcp_rmem = 4096 87380 16777216 +net.ipv4.tcp_wmem = 4096 65536 16777216 +net.ipv4.udp_rmem_min = 16384 +net.ipv4.udp_wmem_min = 16384 +net.core.netdev_max_backlog = 262144 +net.ipv4.tcp_max_orphans = 262144 +net.ipv4.tcp_max_syn_backlog = 262144 +net.ipv4.tcp_tw_reuse = 1 +net.ipv4.tcp_max_tw_buckets = 2000000 +net.ipv4.ip_local_port_range = 16001 65530 +net.core.somaxconn = 20480 +net.ipv4.tcp_low_latency = 1 +net.ipv4.tcp_slow_start_after_idle = 0 +net.ipv4.tcp_mtu_probing = 1 +net.ipv4.tcp_fastopen = 3 +net.ipv4.tcp_limit_output_bytes = 131072 +``` + +Run below command to activate the changes, alternatively reboot the machine: + + +```bash +sysctl -p /etc/sysctl.conf +``` + +### Change swapping behaviour + +If your system has a lot of RAM, you can change the swapping behaviour to only 
swap when necessary. Edit `/etc/sysctl.conf` to include this setting: + +```conf +vm.swappiness=1 +``` + +The range is `1-100`. The *lower* the number, the *later* the system will start swapping stuff out. Run below command to activate the change, alternatively reboot the machine: + +```bash +sysctl -p /etc/sysctl.conf +``` + +### Install `molly-guard` + +As a last sanity check before reboots, `molly-guard` will prompt you for the hostname of the system you're about to reboot. Install it like this: + +```bash +apt -y install molly-guard +``` + +Check `/etc/molly-guard/rc` for more options. diff --git a/S-NOMP-stratum-setup.md b/S-NOMP-stratum-setup.md new file mode 100755 index 0000000..e24e61f --- /dev/null +++ b/S-NOMP-stratum-setup.md 
@@ -0,0 +1,620 @@ +# S-NOMP stratum for Verus. + +This alternate setup deviates from the standard setup on the following subjects: + - Apart from the deviations in the alternate setup, this instruction sets up a stratum server that connects to your existing S-NOMP installation. + +Operating a mining pool requires you to know about systems administration, IT security, databases, software development, coin daemons and other more or less related stuff. Running a production pool can literally be more work than a full-time job. + +A VPS with 8GB of RAM, anything above 30GB **SSD** storage and 1 CPU core which knows about AES-NI is the absolute minimum requirement. Generally, having more RAM is more important than having more CPU power here. Additionally, the hypervisor of your VPS _must_ pass through the original CPU designation from its host. See below for an example that will likely lead to trouble. + +```bash +lscpu|grep -i "model name" +Model name: QEMU Virtual CPU version 2.5+ +``` + +Basically, anything in there that is not a real CPU name _may_ cause NodeJS to behave funny despite the `Virtual CPU` having all necessary CPU flags. Be aware and ready to switch servers and/or hosting companies if need be. Start following the guide while logged in as `root`. + + +## Operating System + +This guide is tailored to and tested on `Debian 11 "Bullseye"` but should probably also work on Debian-ish derivatives like `Devuan` or `Ubuntu` and others. Before starting, please install the latest updates and prerequisites. 
+ +```bash +echo "deb https://download.keydb.dev/open-source-dist $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/keydb.list +wget -O /etc/apt/trusted.gpg.d/keydb.gpg https://download.keydb.dev/open-source-dist/keyring.gpg +apt update +apt -y upgrade +apt -y install libgomp1 git libboost-all-dev libsodium-dev build-essential +``` + +## Poolwallet + +Create a user for the poolwallet, switch to that account: + +```bash +useradd -m -d /home/verus -s /bin/bash verus +su - verus +``` + +Download the **latest** (`v0.9.3` used in this example) Verus binaries from the [GitHub Releases Page](https://github.com/VerusCoin/VerusCoin/releases), unpack, move them into place and clean up like so: + +```bash +mkdir ~/bin +cd ~/bin +wget https://raw.githubusercontent.com/Oink70/Verus-CLI-tools/main/auto-verus.sh +chmod +x auto-verus.sh +./auto-verus.sh +``` +When the script asks if this is a new installation, answer with `Y` (default). On `Enter blockchain data directory or leave blank for default:` press enter. On the question to install, answered with `1` (default). +If you installed the updates and prerequisites, the daemon will start in the background. +Check if it indeed started using `tail -f ~/.komodo/VRSC/debug.log` (`CTRL-C` to exit). + +Now, let's create the wallet export directory. + +```bash +mkdir ~/export +``` + +It's time to do the wallet config. A reasonably secure `rpcpassword` can be generated using this command: + +```bash +cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 +``` + +Edit `~/.komodo/VRSC/VRSC.conf` and include the parameters listed below, adapt the ones that need adaption. 
+ +```conf +## +## default recommended pool wallet config for verus/s-nomp +## see https://github.com/VerusCoin/VerusServicesSetup/blob/master/S-NOMP.md +## + +# network options +listen=1 +listenonion=0 +port=27485 +maxconnections=1024 + +# rpc options +server=1 +rpcport=27486 +rpcuser=verus +rpcpassword=rpcpassword +rpcbind=127.0.0.1 +rpcallowip=127.0.0.1 +rpcthreads=256 +rpcworkqueue=1024 + +## mining options +mint=1 +gen=1 +genproclimit=0 +minetolocalwallet=0 +# miningdistribution={"":0.05,"":0.95} + +# logging options +logtimestamps=1 +logips=1 + +# debug options +shrinkdebugfile=0 +debug=addrman +debug=alert +debug=bench +debug=coindb +debug=db +debug=estimatefee +#debug=http +debug=libevent +debug=lock +debug=mempool +#debug=net +debug=partitioncheck +debug=pow +debug=proxy +debug=prune +debug=rand +debug=reindex +#debug=rpc +debug=selectcoins +debug=tor +#debug=zmq +debug=zrpc +debug=zrpcunsafe + +# miscellaneous options +banscore=64 +checkblocks=64 +checklevel=4 + +# wallet related +exportdir=/home/verus/export +spendzeroconfchange=0 +minetolocalwallet=0 +#mineraddress= + +# blocknotify +#blocknotify= + +# seednodes +seednode=157.90.113.198:27485 +seednode=157.90.155.113:27485 +seednode=95.217.1.76:27485 +seednode=45.79.111.201:27485 +seednode=45.79.237.198:27485 +seednode=172.104.48.148:27485 +seednode=66.228.59.168:27485 +# old seednode +seednode=95.216.104.210:27485 + +## addnodes +# vrsc0..1 +addnode=185.25.48.236:27485 +addnode=185.64.105.111:27485 +# ex0..2 +addnode=157.90.127.142:27485 +addnode=157.90.248.145:27485 +addnode=135.181.253.217:27485 +# iq0..2 +addnode=95.216.104.214:27485 +addnode=135.181.68.6:27485 +addnode=168.119.27.246:27485 +# lw0..2 +addnode=168.119.166.240:27485 +addnode=157.90.155.8:27485 +addnode=65.21.63.161:27485 + +# EOF +``` + +Afterwards, restart the verus daemon and let it sync the rest of the blockchain. 
We'll also watch the debug log for a moment: + +```bash +cd ~/.komodo/VRSC; verusd -daemon 1>/dev/null 2>&1; sleep 1; tail -f debug.log +``` + +Press `ctrl-c` to exit `tail` if it looks alright. To check the status and know when the initial sync has been completed, issue + +```bash +verus getinfo +``` + +When it has synced up to height, the `blocks` and `longestchain` values will be at par. Additionally, you should verify against [the explorer](https://explorer.veruscoin.io) that you are not on a fork. Edit the `crontab` using `crontab -e` and include the line below to autostart the poolwallet: + +```crontab +@reboot cd /home/verus/.komodo/VRSC; /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +``` +**HINT:** if you can't stand `vi`, do `EDITOR=nano crontab -e` ;-) + +Create a `start-daemon` script: +```bash +cat << EOX >> /home/verus/bin/start-daemon +#!/bin/bash +cd /home/verus/.komodo/VRSC; /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +# EOF +EOX +chmod +x /home/verus/bin/start-daemon +``` +create a restart script `restart-daemon`: +```bash +#!/bin/bash + +#Copyright Alex English April 2021 +#This script comes with no warranty whatsoever. Use at your own risk. + +#This script just blocks execution until verusd exits. Use it for performing actions in a script after intentionally stopping verusd, or use for alarming if verusd fails, etc. 
+#If there are multiple instances of verusd running, this will not detect any of them going down, it will only exit when there are NO running instances of verusd + +#passing any argument will make it run in verbose mode, telling you each time it checks + +/home/verus/bin/verus stop + +while ps -u "verus" x | grep "/home/verus/bin/verusd" | grep -v "grep"; do + sleep 2s +done + +count=$(/home/verus/bin/verus getconnectioncount) +case $count in + ''|*[!0-9]*) dstat=0 ;; + *) dstat=1 ;; +esac +if [[ "$dstat" == "0" ]]; then + cd /home/verus/.komodo/VRSC && /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +fi +#EOF +``` +Make executable with: +```bash +chmod +x /home/verus/bin/restart-daemon +``` + +## Server performance settings + +Set amount of connections to 1024 (or 65535 if you think you need it) instead of the standard 128: + +```bash +echo 'net.core.somaxconn = 1024' >> /etc/sysctl.conf +``` +And use the following command to activate it immediately +```bash +sysctl net.core.somaxconn=1024 +``` +**NOTE:** Be aware that you may have to install the POSIX module (as pool user in the `~/s-nomp` directory: `npm install posix`) + + +Set the overcommit_memory feature to 1, to avoid loss of data in case of not enough memory: +```bash +echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf +``` +And use the following command to activate it immediately +```bash +sysctl vm.overcommit_memory=1 +``` + +Finally disable Transparent Huge Page: +```bash +nano /etc/default/grub.d/no_thp.cfg +``` +add this to the empty file: +```conf +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT transparent_hugepage=never" +``` +Update `GRUB` and reboot. +```bash +update-grub +shutdown -r now +``` +Wait for the reboot to finish and log back in as `root`. + +## Node.js + +Create a new user account to run the pool from. 
Switch to that user to setup `nvm.sh`: + + +```bash +useradd -m -d /home/pool -s /bin/bash pool +usermod -g pool redis +chown -R redis:pool /var/run/redis +su - pool +curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash +``` + +Log out and back in to activate `nvm.sh` + +```bash +exit +su - pool +``` + +Now, install `NodeJS v10` via `nvm.sh` as well as `redis-commander` and [PM2](http://pm2.keymetrics.io) via `npm`. +**NOTE:** Node v11 or higher won't work. You _will_ have to use Node v10! +**NOTE:** PM2 v5.0.0 or higher won't work. You _will_ have to use PM2 v4.5.6! + +```bash +nvm install 10 +npm install -g pm2@4.5.6 +``` + +Because `nvm.sh` comes without it, we need to add one symlink into its bindir for our installed NodeJS. + +```bash +which node +/home/pool/.nvm/versions/node/v10.24.1/bin/node +``` + +Change to the resulting directory and create a symlink like below. + +```bash +cd /home/pool/.nvm/versions/node/v10.24.1/bin +ln -s node nodejs +exit +``` + +## S-NOMP + +Make sure you're in the `pool` account and clone the S-NOMP from our main repository: + +```bash +su - pool +git clone https://github.com/veruscoin/s-nomp +cd s-nomp +``` + +Next, install all dependencies using `npm`: + +```bash +npm ci +``` + +## Configuration Instructions + +First of all, copy the following files from your running S-NOMP pool server and place them in the identical folders on this (stratum) server +* `/home/pool/s-nomp/config.json` +* `/home/pool/s-nomp/coins/vrsc.json` +* `/home/pool/s-nomp/pool_configs/verus.json` +* optional if you use the `blocknotify` binary: `/home/pool/s-nomp/scripts/blocknotify` + +Now, switch to the `pool` account. First, check if the access rights to `/home/pool/s-nomp/config.json` are `pool:pool`. +Then edit the file to reflect the changes listed below. Obviously fill in the correct IP for your S-NOMP server. +* ` "website": {` +* ` "enabled": false,` +* ... +* `"defaultPoolConfigs": {` +* ... 
+* ` "redis": {` +* ` "_socket": "/var/run/keydb/keydb.sock",` +* ` "host": "",` +* ` "port": 6379,` +* ` "password": ""` +* ... +* `"redis": {` +* ` "_socket": "/var/run/keydb/keydb.sock",` +* ` "host": "",` +* ` "port": 6379,` +* ` "password": ""` + +Check if the access rights to `/home/pool/s-nomp/coins/vrsc.json` are `pool:pool`. + +Check if the access rights to `/home/pool/s-nomp/pool_configs/verus.json` are `pool:pool`. +Then edit the file to reflect the changes listed below. +* In `PaymentProcessing`, change `"enabled": true,` into `"enabled": false,` +* There are 2 occurences of `user`, `password`, `host` and `port` each. Use the `rpcuser`, `rpcpassword` and `rpcport` values + +We are almost done now. Using the command mentioned at the beginning of this document, check if the blockchain has finished syncing. If not, wait for it to complete before continuing. + +Now switch to the `verus` user, stop the wallet once more. + +```bash +verus stop +``` + +To determine the location of your `node` binary, switch to user `pool`, do this and record your result. We'll need it for the next step. 
+ +```bash +which node +/home/pool/.nvm/versions/node/v10.24.1/bin/node +``` + +Switch back to user `verus` and edit `~/.komodo/VRSC/VRSC.conf` to enable the blocknotify command as seen below, using the location you just got from using `which node` before: + +```conf +blocknotify=/home/pool/.nvm/versions/node/v10.24.1/bin/node /home/pool/s-nomp/scripts/cli.js blocknotify verus %s +``` +also change in this setting (remove the `#` that is in front of it!!!), to reflect your own dee address and mining address you used in the s-Nomp config with their respective percentages: +```conf +miningdistribution={"FEE-ADDRESS":0.05,"":0.95} +``` + +*Alternative to running the blocknotify script through node*: +Compile (on any other machine) the `/home/pool/s-nomp/scripts/blocknotify.c` code, copy the binary to `/home/pool/s-nomp/scripts/blocknotify`, make executable using `chmod +x /home/pool/s-nomp/scripts/blocknotify` and use this line in your `VRSC.conf`: +```conf +blocknotify=/home/pool/s-nomp/scripts/blocknotify 127.0.0.1:17117 verus %s +``` +This configuration will shave of milliseconds off the time it takes your pool to be notified. + +Restart the wallet using the command already listed above. If you are not using `STDOUT`/`STDERR`-redirection, you will see errors about blocknotify. These are expected, because the pool is not running yet and thus the blocknotify script cannot complete successfully. + +## Required S-NOMP pool changes +These settings require you to log into the Pool server itself. Don't get confused and do it on the stratum server or you will be troubleshooting the issues for quite some time. + +* open port 6379 for **your stratum IP(s) only** +* verify and adjust if needed the `/etc/keydb/keydb.conf`or `/etc/redis/redis.conf` to include: +* `bind 127.0.0.1 ::1 ` (Obviously put in your pools public IP, **without** the `<` and `>`) +* `port 6379` +* after saving the changes, you should restart Redis/Keydb. 
In order to do that you will have to stop the pool, restart the database and start the pool back up. This will result in a (short) interruption for your miners. It's polite to warn your miners in advance that maintenance will take place and mining will be interrupted. (Consider doing this during a scheduled maintenance window that includes a server restart) + +## Starting the stratum + +Switch to the `pool` user. Then start the pool using `pm2`: + +```bash +cd ~/s-nomp +pm2 start init.js --name pool +``` + +Use `pm2 log` to check for S-NOMP startup errors. + +**warning**: if you have SSL enabled on your public pool, you either need the SSL certificates in the same location on your stratum server or disable any SSL ports in the `/home/pool/s-nomp/pool_configs/verus.json` file + + +### S-Nomp Autostart + +Edit your crontab using `crontab -e` and shove in this line at the bottom: + +```crontab +@reboot /bin/sleep 300 && cd /home/pool/s-nomp && /usr/bin/pm2 start init.js --name veruspool +``` + +**HINT:** if you can't stand `vi`, do `EDITOR=nano crontab -e` ;-) + + +## Further considerations + +None of the topics below is strictly necessary, but most of them are recommended. + +### Enabling firewall + +As `root` user: +```bash +ufw allow from any to any port 22 comment "SSH access" +``` +If you want to limit the IPs that can access your server over SSH (eg, if you have a fixed IP address or use a SSH-jump server) replace the first `any` with the IP or ip-range. doublecheck this or you will lock yourself out! +```bash +ufw allow from any to any port 80,443 comment "Standard web ports" +ufw allow from any to any port 9999 comment "mining port(s)" +``` +add multiple mining ports by separating them by commas, analogue to the web ports. 
+```bash +ufw enable +``` +If you are also installing a separate `stratum server`, it will need a connection to the `keydb` database: +```bash +ufw allow from to any port 6379 comment "Stratum server database connection" +``` + +### Useful DNS resolvers + +Empty your `/etc/resolv.conf` and replace it with this: + +```conf +# google, https://developers.google.com/speed/public-dns/docs/using +nameserver 8.8.4.4 +nameserver 8.8.8.8 +nameserver 2001:4860:4860::8844 +nameserver 2001:4860:4860::8888 + +# verisign, https://publicdnsforum.verisign.com/discussion/13/verisign-public-dns-set-up-configuration-instructions +nameserver 64.6.64.6 +nameserver 64.6.65.6 +nameserver 2620:74:1b::1:1 +nameserver 2620:74:1c::2:2 + +# quad9, https://www.quad9.net/faq/ +nameserver 9.9.9.9 +nameserver 149.112.112.112 +nameserver 2620:fe::fe +nameserver 2620:fe::9 + +# cloudflare/apnic, https://1.1.1.1/de/ +nameserver 1.1.1.1 +nameserver 1.0.0.1 +nameserver 2606:4700:4700::1111 +nameserver 2606:4700:4700::1001 + +# opendns, https://use.opendns.com, https://www.opendns.com/about/innovations/ipv6/ +nameserver 208.67.222.222 +nameserver 208.67.220.220 +nameserver 2620:119:35::35 +nameserver 2620:119:53::53 + +# see 'man 5 resolv.conf' +options rotate timeout:1 attempts:5 +``` + + +### Improving SSH security + +If you remember the good old `rand=4; // chosen by fair dice roll` comic, you're probably doing this anyways. If you don't, go Google the comic, you might have missed a laugh there! + +As `root`, generate a proper `/etc/ssh/moduli` like this: + +```bash +ssh-keygen -G "/root/moduli.candidates" -b 4096 +mv /etc/ssh/moduli /etc/ssh/moduli.old +ssh-keygen -T /etc/ssh/moduli -f "/root/module.candidates" +rm "/root/moduli.candidates" +``` + +Add the recommended changes from [CiperLi.st](https://cipherli.st) to `/etc/ssh/sshd_config`, also make sure that `PermitRootLogin` is at least set to `without-password`. 
Then remove and re-generate your host keys like this: + +```bash +cd /etc/ssh +rm ssh_host_*key* +ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null +ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null +``` + +To finish, restart the ssh server: + +```bash +/etc/init.d/sshd restart +``` + +### Enable `logrotate` + +As `root` user, create a file called `/etc/logrotate.d/veruspool` with these contents: + +```conf +/home/verus/.komodo/VRSC/debug.log +/home/pool/.pm2/logs/pool-out.log +/home/pool/.pm2/logs/pool-error.log +{ + rotate 14 + daily + compress + delaycompress + copytruncate + missingok + notifempty +} +``` + +### Increase open files limit + +Add this to your `/etc/security/limits.conf`: + +```conf +* soft nofile 1048576 +* hard nofile 1048576 +``` + +Reboot to activate the changes. Alternatively you can make sure all running processes are restarted from within a shell that has been launched _after_ the above changes were put in place, which usually is a huge pain. Just reboot. 
+ + +### Networking optimizations + +If your pool is expected to receive a lot of load, consider implementing below changes, all as `root`: + +Enable the `tcp_bbr` kernel module: + +```bash +modprobe tcp_bbr +echo tcp_bbr >> /etc/modules +``` + +Edit your `/etc/sysctl.conf` to include below settings: + +```conf +net.ipv4.tcp_congestion_control=bbr +net.core.rmem_default = 1048576 +net.core.wmem_default = 1048576 +net.core.rmem_max = 16777216 +net.core.wmem_max = 16777216 +net.ipv4.tcp_rmem = 4096 87380 16777216 +net.ipv4.tcp_wmem = 4096 65536 16777216 +net.ipv4.udp_rmem_min = 16384 +net.ipv4.udp_wmem_min = 16384 +net.core.netdev_max_backlog = 262144 +net.ipv4.tcp_max_orphans = 262144 +net.ipv4.tcp_max_syn_backlog = 262144 +net.ipv4.tcp_tw_reuse = 1 +net.ipv4.tcp_max_tw_buckets = 2000000 +net.ipv4.ip_local_port_range = 16001 65530 +net.core.somaxconn = 20480 +net.ipv4.tcp_low_latency = 1 +net.ipv4.tcp_slow_start_after_idle = 0 +net.ipv4.tcp_mtu_probing = 1 +net.ipv4.tcp_fastopen = 3 +net.ipv4.tcp_limit_output_bytes = 131072 +``` + +Run below command to activate the changes, alternatively reboot the machine: + + +```bash +sysctl -p /etc/sysctl.conf +``` + +### Change swapping behaviour + +If your system has a lot of RAM, you can change the swapping behaviour to only swap when necessary. Edit `/etc/sysctl.conf` to include this setting: + +```conf +vm.swappiness=1 +``` + +The range is `1-100`. The *lower* the number, the *later* the system will start swapping stuff out. Run below command to activate the change, alternatively reboot the machine: + +```bash +sysctl -p /etc/sysctl.conf +``` + +### Install `molly-guard` + +As a last sanity check before reboots, `molly-guard` will prompt you for the hostname of the system you're about to reboot. Install it like this: + +```bash +apt -y install molly-guard +``` + +Check `/etc/molly-guard/rc` for more options. diff --git a/S-NOMP.md b/S-NOMP.md index 020d08f..c1ea67a 100644 --- a/S-NOMP.md +++ b/S-NOMP.md 
@@ -1,359 +1,492 @@ -# S-NOMP for VerusCoin +# S-NOMP for Verus -## Server +Operating a mining pool requires you to know about systems administration, IT security, databases, software development, coin daemons and other more or less related stuff. Running a production pool can literally be more work than a full-time job. -A VPS with 4GB of RAM, anything above 20GB SSD storage and 2 CPU cores is the absolute minimum requirement. Start following the guide while logged in as `root`. +**NOTE:** When you are done please message `englal#8861` on the [Verus discord](https://discord.gg/VRKMP2S)) with your poolwallet IP so he can `addnode` it around his platform, which contributes to network stability. `Done` in this case means at least full setup procedure completed, pool running, a block was found and paid out. Thank you. + +A VPS with 4GB of RAM, anything above 20GB **SSD** storage and 1 CPU core which knows about AES-NI is the absolute minimum requirement. Generally, having more RAM is more important than having more CPU power here. Additionally, the hypervisor of your VPS _must_ pass through the original CPU designation from its host. See below for an example that will likely lead to trouble. + +```bash +lscpu|grep -i "model name" +Model name: QEMU Virtual CPU version 2.5+ +``` + +Basically, anything in there that is not a real CPU name _may_ cause NodeJS to behave funny despite the `Virtual CPU` having all necessary CPU flags. Be aware and ready to switch servers and/or hosting companies if need be. Start following the guide while logged in as `root`. ## Operating System -This guide tailored to and tested on `Debian 9 "Stretch"`. Before starting, please install the latest updates: +This guide is tailored to and tested on `Debian 10 "Buster"` but should probably also work on Debian-ish derivatives like `Devuan` or `Ubuntu` and others. Before starting, please install the latest updates and prerequisites. 
-``` +```bash apt update apt -y upgrade +apt -y install libgomp1 redis-server git libboost-all-dev libsodium-dev build-essential ``` ## Poolwallet -The packages required in order to compile a VerusCoin wallet can be installed like this: +Create a user for the poolwallet, switch to that account: +```bash +useradd -m -d /home/verus -s /bin/bash verus +su - verus ``` -apt -y install build-essential git pkg-config libc6-dev m4 g++-multilib autoconf \ - libtool ncurses-dev unzip git python python-zmq zlib1g-dev wget \ - libcurl4-openssl-dev bsdmainutils automake curl -``` - -Create a useraccount for the wallet. Switch to that account. +DDownload the **latest** (`v0.7.2-6` used in this example) Verus binaries from the [GitHub Releases Page](https://github.com/VerusCoin/VerusCoin/releases). Unpack, move them into place and clean up like so: -``` -useradd -m -d /home/veruscoin -s /bin/bash veruscoin -su - veruscoin +```bash +wget https://github.com/VerusCoin/VerusCoin/releases/download/v0.7.2-8/Verus-CLI-Linux-v0.7.2-8-amd64.tgz +tar xf Verus-CLI-Linux-v0.7.2-8-amd64.tgz; tar xf Verus-CLI-Linux-v0.7.2-8-amd64.tar.gz +mv verus-cli/{fetch-params,fetch-bootstrap,verusd,verus} ~/bin +rm -rf verus-cli Verus-CLI-Linux-v0.7.2-8-amd64.t* ``` -Now, clone the source tree and build the binaries: +Use the supplied script to download a copy of the `zcparams` data. Watch for and fix any occuring errors until you can be sure you successfully have gotten a complete `zcparams` copy. -``` -git clone https://github.com/VerusCoin/VerusCoin -cd VerusCoin -./zcutil/fetch-params.sh -./zcutil/build.sh -j$(nproc) +```bash +fetch-params +# ... a lot of output from wget and sadly no clear conclusion notice ``` -After that is done, create a `~/bin` directory and copy over the binaries. Strip the debug symbols. +Use the supplied script to download and unpack the latest bootstrap into the default data directory. 
Watch for and fix any occuring errors until you can be sure you successfully got, checksum-verified and unpacked the latest bootstrap into the default Verus data directory location. -``` -mkdir ~/bin -cp src/komodod src/komodo-cli src/komodo-tx ~/bin -strip ~/bin/komodo* +```bash +fetch-bootstrap +# ... some output +Enter blockchain data directory or leave blank for default: +Install bootstrap in /home/verus/.komodo/VRSC? ([1]Yes/[2]No)<1> +# ... some more output, then, ideally +Bootstrap successfully installed ``` -Start the VerusCoin daemon so we have a default configuration file: +Now, let's create the data and wallet export directory. Then, get the bootstrap and unpack it there. -``` -komodod -ac_name=VRSC -ac_algo=verushash -ac_cc=1 -ac_veruspos=50 -ac_supply=0 -ac_eras=3 \ --ac_reward=0,38400000000,2400000000 -ac_halving=1,43200,1051920 -ac_decay=100000000,0,0 -ac_end=10080,226080,0 \ --ac_timelockgte=19200000000 -ac_timeunlockfrom=129600 -ac_timeunlockto=1180800 -addnode=185.25.48.236 \ --addnode=185.64.105.111 -daemon +```bash +mkdir ~/export ``` -It will produce a lot of output, so probably open another console window or exit/reopen the current one. Let the daemon run for a few seconds and stop it again: +It's time to do the wallet config. A reasonably secure `rpcpassword` can be generated using this command: -``` -komodo-cli -ac_name=VRSC stop +```bash +cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 ``` -Edit the resulting `~/.komodo/VRSC/VRSC.conf` to include the parameters listed below, adapt the ones that need to be adapted. -A resonably secure `rpcpassword` can be generated using this command: -`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`. +Create `~/.komodo/VRSC/VRSC.conf` and include the parameters listed below, adapt the ones that need adaption. 
-``` -server=1 +```conf +## +## default recommended pool wallet config for verus/s-nomp +## see https://github.com/VerusCoin/VerusServicesSetup/blob/master/S-NOMP.md +## + +# network options listen=1 listenonion=0 -maxconnections=256 +port=27485 +maxconnections=1024 -# logging related options +# rpc options +server=1 +rpcport=27486 +rpcuser=verus +rpcpassword=rpcpassword +rpcbind=127.0.0.1 +rpcallowip=127.0.0.1 +rpcthreads=256 +rpcworkqueue=1024 + +## mining options +mint=1 +gen=1 +genproclimit=0 +minetolocalwallet=0 +# miningdistribution={"":0.05,"":0.95} + +# logging options logtimestamps=1 logips=1 -shrinkdebugfile=0 -# how many blocks to check on startup +# debug options +shrinkdebugfile=0 +debug=addrman +debug=alert +debug=bench +debug=coindb +debug=db +debug=estimatefee +#debug=http +debug=libevent +debug=lock +debug=mempool +#debug=net +debug=partitioncheck +debug=pow +debug=proxy +debug=prune +debug=rand +debug=reindex +#debug=rpc +debug=selectcoins +debug=tor +#debug=zmq +debug=zrpc +debug=zrpcunsafe + +# miscellaneous options +banscore=64 checkblocks=64 +checklevel=4 -# indexing options -txindex=1 -addressindex=1 -timestampindex=1 -spentindex=1 - -# make sure ipv4 & ipv6 is used -bind= -bind= - -# rpc settings -rpcuser=veruscoin -rpcpassword= -rpcport=27486 -rpcthreads=256 -rpcworkqueue=1024 -rpcbind=127.0.0.1 -rpcallowip=127.0.0.1 - -# where to store exported data -exportdir=/home/veruscoin/export +# wallet related +exportdir=/home/verus/export +spendzeroconfchange=0 # blocknotify -blocknotify=/usr/bin/node /home/s-nomp/s-nomp/scripts/cli.js blocknotify verus %s +#blocknotify= -# if a peer jacks up more than 25 times in a row, ban it -banscore=25 +# seednodes +seednode=157.90.113.198:27485 +seednode=157.90.155.113:27485 +seednode=95.217.1.76:27485 +seednode=45.79.111.201:27485 +seednode=45.79.237.198:27485 +seednode=172.104.48.148:27485 +seednode=66.228.59.168:27485 +# old seednode +seednode=95.216.104.210:27485 -# stake if possible, although it's 
probably not helping much -gen=1 -genproclimit=0 +## addnodes +# vrsc0..1 +addnode=185.25.48.236:27485 +addnode=185.64.105.111:27485 +# ex0..2 +addnode=157.90.127.142:27485 +addnode=157.90.248.145:27485 +addnode=135.181.253.217:27485 +# iq0..2 +addnode=95.216.104.214:27485 +addnode=135.181.68.6:27485 +addnode=168.119.27.246:27485 +# lw0..2 +addnode=168.119.166.240:27485 +addnode=157.90.155.8:27485 +addnode=65.21.63.161:27485 -# addnodes -seednode=185.25.48.236:27485 -addnode=185.25.48.236:27487 -seednode=185.64.105.111:27485 -addnode=185.64.105.111:27487 -seednode=185.25.48.72:27485 -seednode=185.25.48.72:27487 +# EOF ``` -Afterwards, start the daemon again and let it sync the blockchain: +Afterwards, start the verus daemon and let it sync the rest of the blockchain. We'll also watch the debug log for a moment: -``` -komodod -ac_name=VRSC -ac_algo=verushash -ac_cc=1 -ac_veruspos=50 -ac_supply=0 -ac_eras=3 \ --ac_reward=0,38400000000,2400000000 -ac_halving=1,43200,1051920 -ac_decay=100000000,0,0 -ac_end=10080,226080,0 \ --ac_timelockgte=19200000000 -ac_timeunlockfrom=129600 -ac_timeunlockto=1180800 -addnode=185.25.48.236 \ --addnode=185.64.105.111 -daemon +```bash +cd ~/.komodo/VRSC; verusd -daemon 1>/dev/null 2>&1; sleep 1; tail -f debug.log ``` -To check the status and know when the initial sync has been completed, issue +Press `ctrl-c` to exit `tail` if it looks alright. To check the status and know when the initial sync has been completed, issue +```bash +verus getinfo ``` -komodo-cli -ac_name=VRSC getinfo + +When it has synced up to height, the `blocks` and `longestchain` values will be at par. Additionally, you should verify against [the explorer](https://explorer.veruscoin.io) that you are not on a fork. 
Edit the `crontab` using `crontab -e` and include the line below to autostart the poolwallet: + +```crontab +@reboot cd /home/verus/.komodo/VRSC; /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 ``` -When it has synced up to height, the `blocks` and `longestchain` values will be at par. Additionally, you should verify against [the explorer](https://explorer.veruscoin.io) that you are in fact not on a fork. While we wait for this to happen, lets continue. +**HINT:** if you can't stand `vi`, do `EDITOR=nano crontab -e` ;-) -## Redis +## Redis -Switch back to the `root` account by typing `exit` or hitting `CTRL-D`. Install Redis using `apt -y install redis-server`. In your `/etc/redis/redis.conf` file, make sure it contains this (and none of it is commented out): +Switch back to the `root` account by typing `exit` or hitting `ctrl-d`. In your `/etc/redis/redis.conf` file, make sure it contains this (and none of it is commented out): -``` +```conf +unixsocket /var/run/redis/redis.sock +unixsocketperm 775 bind 127.0.0.1 appendonly yes ``` -Set `redis-server` to start at bootup and start it manually: +Set amount of connections to 1024 (or 65535 if you think you need it) instead of the standard 128: +```bash +echo 'net.core.somaxconn = 1024' >> /etc/sysctl.conf ``` -update-rc.d redis-server enable -/etc/init.d/redis start +And use the following command to activate it immediately +```bash +sysctl net.core.somaxconn=1024 ``` +**NOTE:** Be aware that you may have to install the POSIX module (as pool user in the `~/s-nomp` directory: `npm install posix`) -## Node.js - -Still as `root`, install Node.js v8 like this: +Set the overcommit_memory feature to 1, to avoid loss of data in case of not enough memory: +```bash +echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf ``` -curl -sL https://deb.nodesource.com/setup_8.x | bash - -apt -y install nodejs - +And use the following command to activate it immediately +```bash +sysctl vm.overcommit_memory=1 ``` -We will use 
[PM2](http://pm2.keymetrics.io) to manage NodeJS processes. Install it globally: - +Finally disable Transparent Huge Page: +```bash +nano /etc/default/grub.d/no_thp.cfg ``` -npm -g install pm2 +add this to the empty file: +```conf +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT transparent_hugepage=never" +``` +Update `GRUB` and reboot. +```bash +update-grub +shutdown -r now ``` -## S-NOMP - -S-NOMP and some of its dependencies will need additional packages in order to be built successfully: +Wait for the reboot to finish and log back in as `root`. Set `redis-server` to start at bootup and start it manually: -``` -apt -y install libboost-all-dev libsodium-dev +```bash +update-rc.d redis-server enable +/etc/init.d/redis-server start ``` -Create a new user account to run S-NOMP from. Switch to that user and clone S-NOMP from miketouts repository: +## Node.js -``` -useradd -m -d /home/s-nomp -s /bin/bash s-nomp -su - s-nomp -git clone https://github.com/miketout/s-nomp -``` +Create a new user account to run the pool from. Switch to that user to setup `nvm.sh`: -In `package.json`, change the `stratum-pool` dependency to `git+https://github.com/miketout/node-stratum-pool.git`. Next, install all dependencies using `npm`: -``` -npm update -npm install +```bash +useradd -m -d /home/pool -s /bin/bash pool +usermod -g pool redis +chown -R redis:pool /var/run/redis +su - pool +curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash ``` -Per default, S-NOMP will display `Sol` as the hashrate measuring unit. VerusCoin uses `H`, so lets change it: +Log out and back in to activate `nvm.sh` -``` -cd ~/s-nomp -perl -p -i -e 's/Sol\/s/H\/s/g' libs/stats.js website/pages/stats.html website/static/stats.js website/static/miner_stats.js +```bash +exit +su - pool ``` -In the web dashboard of the pool there is a 'Pool Luck' display which gives a rough estimate of how much time will pass between found blocks. 
To improve the accuracy of this number, change the value of `_blocktime` in line `584` of `libs/stats.js` to be closer to the actual block target of VerusCoin: +Now, install `NodeJS v10` via `nvm.sh` as well as `redis-commander` and [PM2](http://pm2.keymetrics.io) via `npm`. +**NOTE:** Node v11 or higher won't work. You _will_ have to use Node v10! +**NOTE:** PM2 v5.0.0 or higher won't work. You _will_ have to use PM2 v4.5.6! -``` -cd ~/s-nomp -perl -p -i -e 's/_blocktime = 160/_blocktime = 55/g' libs/stats.js +```bash +nvm install 10 +npm install -g pm2@4.5.6 ``` -Edit the `coins/vrsc.json` to look like below. **NOTE:** including the `burnFees` parameter is the crucial key part here. +Because `nvm.sh` comes without it, we need to add one symlink into its bindir for our installed NodeJS. -``` -{ - "name": "verus", - "symbol": "vrsc", - "algorithm": "verushash", - "txfee": 0.0005, - "requireShielding": true, - "burnFees": true, - - "explorer": { - "txURL": "https://explorer.veruscoin.io/tx/", - "blockURL": "https://explorer.veruscoin.io/block/", - "_comment_explorer": "This is the coin's explorer full base url for transaction and blocks i.e. (https://explorer.coin.com/tx/). The pool will automatically add the transaction id or block id at the end." - } -} +```bash +which node +/home/pool/.nvm/versions/node/v10.24.1/bin/node ``` -Locate the `verushash` module directory. It either is `/home/s-nomp/node_modules/verushash` or `/home/s-nomp/node_modules/stratum_pool/node_modules/verushash`. In this directory, create a file called `index.json` containing this: +Change to the resulting directory and create a symlink like below. -``` -module.exports = require('bindings')('verushash.node'); +```bash +cd /home/pool/.nvm/versions/node/v10.24.1/bin +ln -s node nodejs +exit ``` -## Configuration Instructions +## S-NOMP -Shielding is required for mined VerusCoins. We will need 2 public and a z-address for this. 
Switch to the `veruscoin` user and generate the addresses: +Make sure you're in the `pool` account and clone the S-NOMP from our main repository: -``` -komodo-cli -ac_name=VRSC getnewaddress -komodo-cli -ac_name=VRSC getnewaddress -komodo-cli -ac_name=VRSC z_getnewaddress +```bash +su - pool +git clone https://github.com/veruscoin/s-nomp +cd s-nomp ``` -Next, we will dump the private keys of these addresses for safety reasons. For the public addresses, use +Next, install all dependencies using `npm`: +```bash +npm ci ``` -komodo-cli -ac_name=VRSC dumpprivkey -``` -For the z-address, use +## Configuration Instructions + +Shielding is no longer required for mined Verus coins. We will need two public addresses for this. Switch to the `veruscoin` user and generate the addresses: +```bash +verus getnewaddress +verus getnewaddress ``` -komodo-cli -ac_name=VRSC z_exportkey + +Next, we will dump the private keys of these addresses for safety reasons. For the transparent addresses, use + +```bash +verus dumpprivkey +verus dumpprivkey ``` **Save the data in an offline location, not on your computer!** -Now, switch to the `s-nomp` account. First, copy `~/s-nomp/config_example.json` to `~/s-nomp/config.json`. Edit it to reflect the changes listed below. +Now, switch to the `pool` account. First, copy `/home/pool/s-nomp/config_example.json` to `/home/pool/s-nomp/config.json`. Edit it to reflect the changes listed below. - * Under `clustering`, set `enabled` to `false`, **otherwise [PM2](http://pm2.keymetrics.io) fails to work.** - * Set `stratumHost` to the external IP or DNS name of your server. + * Set both `host` and `stratumHost` to the external IP or DNS name of your server. + * Enable UNIX socket connections by setting `"socket": "/var/run/redis/redis.sock",`, `"password": ""` and removing the rest of the lines in the `"redis"` section -Note that [PM2](http://pm2.keymetrics.io) will take care of `clustering` by itself. Now create a pool config. 
Copy `~/s-nomp/pool_configs/examples/kmd.json` to `~/s-nomp/pool_configs/vrsc.json`. Edit it to reflect the changes listed below. +Now create a pool config. Copy `/home/pool/s-nomp/pool_configs/examples/vrsc.json` to `/home/pool/s-nomp/pool_configs/vrsc.json`. Edit it to reflect the changes listed below. * Set `enabled` to `true`. * Set `coin` to `vrsc.json`. - * Set `address` to one of the public addresses generated before. - * Set `zAddress` to the z-address generated before. - * Use the remaining public address for `tAddress` + * Set `address` to the first public address generated before. + * Set `tAddress` to the second public address generated before. + * Set `rewardRecipients` to your fee address and fee percentage. Remove `"": 0.2` if you want 0% fee. * Set `paymentInterval` to `180` * Set `minimumPayment` to `2`. * Set `maxBlocksPerPayment` to `8`. - * There are 2 occurences of `user`, `password` and `port` each. Use the `rpcuser`, `rpcpassword` and `rpcport` values from `/home/veruscoin/.komodo/VRSC/VRSC.conf`. + * Both `rewardRecipients` and `invalidAddress` are set to a Verus Foundation address per default, should you like to keep them intact. + * **Otherwise make sure you do not use an address from the poolwallet for either `rewardRecipients` or `invalidAddress`** + * Set `paymentInterval` (in Seconds) and `minimumPayment` (in VRSC) according to your planned scenario. + * There are 2 occurences of `user`, `password` and `port` each. Use the `rpcuser`, `rpcpassword` and `rpcport` values from `/home/verus/.komodo/VRSC/VRSC.conf`. * Set `diff` to `131072`. * Set `minDiff` to `16384`. * Set `maxDiff` to `2147483648` -We are almost done now. Using the command mentioned at the beginning of this document, check if the blockchain has finished syncing. If not, wait for it to complete before continuing. +Edit the file `~/s-nomp/coins/vrsc.json` to reflect the following setting: + * make sure `"requireShielding":false,` is set. 
-Now switch to the `veruscoin` user, stop the wallet once more. +We are almost done now. Using the command mentioned at the beginning of this document, check if the blockchain has finished syncing. If not, wait for it to complete before continuing. +Now switch to the `verus` user, stop the wallet once more. + +```bash +verus stop ``` -komodo-cli -ac_name=VRSC stop + +To determine the location of your `node` binary, switch to user `pool`, do this and record your result. We'll need it for the next step. + +```bash +which node +/home/pool/.nvm/versions/node/v10.24.1/bin/node ``` -Edit `~/.komodo/VRSC/VRSC.conf` and add the blocknotify command below. +Switch back to user `verus` and edit `~/.komodo/VRSC/VRSC.conf` to enable the blocknotify command as seen below, using the location you just got from using `which node` before: +```conf +blocknotify=/home/pool/.nvm/versions/node/v10.24.1/bin/node /home/pool/s-nomp/scripts/cli.js blocknotify verus %s ``` -blocknotify=/usr/bin/node /home/s-nomp/s-nomp/scripts/cli.js blocknotify verus %s +also change in this setting (remove the `#` that is in front of it!!!), to reflect your own dee address and mining address you used in the s-Nomp config with their respective percentages: +```conf +miningdistribution={"FEE-ADDRESS":0.05,"":0.95} ``` - -Restart the wallet using the command already listed above. If you are not using `STDOUT`/`STDERR`-redirection, you will see errors about blocknotify. These are expected, because the pool is not running yet and thus the blocknotify script cannot complete successfully. +Restart the wallet using the command already listed above. If you are not using `STDOUT`/`STDERR`-redirection, you will see errors about blocknotify. These are expected, because the pool is not running yet and thus the blocknotify script cannot complete successfully. -Switch to the `s-nomp` user. Then start the pool using `pm2`: +Switch to the `pool` user. 
Then start the pool using `pm2`: -``` +```bash cd ~/s-nomp -pm2 start init.js --name s-nomp +pm2 start init.js --name veruspool ``` -Use `pm2 log` to check for S-NOMP startup errors. +Use `pm2 log` to check for S-NOMP startup errors. If you completed all steps correctly, the web dashboard on your pool can be reached via port `8080` on the external IP or the DNS name of your server. +### S-Nomp Autostart + +Edit your crontab using `crontab -e` and shove in this line at the bottom: + +```crontab +@reboot /bin/sleep 300 && cd /home/pool/s-nomp && /usr/bin/pm2 start init.js --name veruspool +``` + +**HINT:** if you can't stand `vi`, do `EDITOR=nano crontab -e` ;-) + + ## Further considerations None of the topics below is strictly necessary, but most of them are recommended. +### Useful DNS resolvers + +Empty your `/etc/resolv.conf` and replace it with this: + +```conf +# google, https://developers.google.com/speed/public-dns/docs/using +nameserver 8.8.4.4 +nameserver 8.8.8.8 +nameserver 2001:4860:4860::8844 +nameserver 2001:4860:4860::8888 + +# verisign, https://publicdnsforum.verisign.com/discussion/13/verisign-public-dns-set-up-configuration-instructions +nameserver 64.6.64.6 +nameserver 64.6.65.6 +nameserver 2620:74:1b::1:1 +nameserver 2620:74:1c::2:2 + +# quad9, https://www.quad9.net/faq/ +nameserver 9.9.9.9 +nameserver 149.112.112.112 +nameserver 2620:fe::fe +nameserver 2620:fe::9 + +# cloudflare/apnic, https://1.1.1.1/de/ +nameserver 1.1.1.1 +nameserver 1.0.0.1 +nameserver 2606:4700:4700::1111 +nameserver 2606:4700:4700::1001 + +# opendns, https://use.opendns.com, https://www.opendns.com/about/innovations/ipv6/ +nameserver 208.67.222.222 +nameserver 208.67.220.220 +nameserver 2620:119:35::35 +nameserver 2620:119:53::53 + +# see 'man 5 resolv.conf' +options rotate timeout:1 attempts:5 +``` + +Thank you. + ### Improving SSH security -If you remember the good old `rand=4; // chosen by fair dice roll` comic, you're probably doing this anyways. 
If you don't go google the comic, you might have missed a laugh there! +If you remember the good old `rand=4; // chosen by fair dice roll` comic, you're probably doing this anyways. If you don't, go Google the comic, you might have missed a laugh there! As `root`, generate a proper `/etc/ssh/moduli` like this: -``` +```bash ssh-keygen -G "/root/moduli.candidates" -b 4096 mv /etc/ssh/moduli /etc/ssh/moduli.old ssh-keygen -T /etc/ssh/moduli -f "/root/module.candidates" rm "/root/moduli.candidates" ``` -Add the recommended changes from [CiperLi.st](https://cipherli.st) to `/etc/ssh/sshd_config`, also make sure that `PermitRootLogin` is at least set to `without-password`. Then remove and re-generate your host keys like this: +Add the recommended changes from [CiperLi.st](https://cipherli.st) to `/etc/ssh/sshd_config`, also make sure that `PermitRootLogin` is at least set to `without-password`. Then remove and re-generate your host keys like this: -``` +```bash cd /etc/ssh rm ssh_host_*key* ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null ``` -To finish, restart the ssh server: +To finish, restart the ssh server: -``` +```bash /etc/init.d/sshd restart ``` -### Putting the pool behind some CDN - -You should consider putting the webdashboard of your pool behind some CDN. A free CloudFlare account and any domain provider that allows changing the NS records of your domain will work. If you use a DNS name to point to your stratum ip, make sure to disable proxying for it! 
- ### Reverse-proxying S-NOMP behind `nginx` -As `root`, install `nginx` and enable it on boot using these commands: +As `root`, install `nginx` and enable it on boot using these commands: -``` +```bash apt -y install nginx update-rc.d enable nginx ``` -Create `/etc/nginx/blockuseragents.rules` with these contents: +Create `/etc/nginx/blockuseragents.rules` with these contents: -``` +```conf map $http_user_agent $blockedagent { default 0; ~*malicious 1; @@ -364,15 +497,15 @@ default 0; } ``` -Edit `/etc/nginx/sites-available/default` to look like this: +Edit `/etc/nginx/sites-available/default` to look like this: -``` +```conf include /etc/nginx/blockuseragents.rules; server { if ($blockedagent) { return 403; } - if ($request_method !~ ^(GET|HEAD|POST)$) { + if ($request_method !~ ^(GET|HEAD)$) { return 444; } @@ -394,15 +527,15 @@ server { } ``` -Restart `nginx`: +Restart `nginx`: -``` +```bash /etc/init.d/nginx restart ``` -Switch to the `s-nomp` user, edit `/home/s-nomp/s-nomp/config.json` to bind the web interface to `127.0.0.1:8080`: +Switch to the `pool` user, edit `/home/pool/s-nomp/config.json` to bind the web interface to `127.0.0.1:8080`: -``` +```conf [...] "website": { "enabled": true, @@ -412,19 +545,19 @@ Switch to the `s-nomp` user, edit `/home/s-nomp/s-nomp/config.json` to bind the ``` -Restart the pool: +Restart the pool: -``` -pm2 restart s-nomp +```bash +pm2 restart veruspool ``` If you've followed the above steps correctly, your pool's webdashboard is now proxied behind nginx. ### Disable unused webdashboard pages -Change to the `s-nomp` account. Edit `/home/s-nomp/libs/website.js` to have the `pageFiles` array look like below: +Change to the `pool` account. Edit `/home/pool/s-nomp/libs/website.js` to have the `pageFiles` array look like below: -``` +```conf var pageFiles = { 'index.html': 'index', 'home.html': '', 
@@ -440,9 +573,9 @@ var pageFiles = { ### Link to the `payments` page -Change to the `s-nomp` user account. Edit `/home/s-nomp/website/index.html` to include a new link at the right position, which is somewhere in between lines `30-70`: +Change to the `pool` user account. Edit `/home/pool/website/index.html` to include a new link at the right position, which is somewhere in between lines `30-70`: -``` +```html
    [...]
  • @@ -455,14 +588,14 @@ Change to the `s-nomp` user account. Edit `/home/s-nomp/website/index.html` to i
  • ``` -### Enable `logrotate` +### Enable `logrotate` -As `root` user, create a file called `/etc/logrotate.d/pool` with these contents: +As `root` user, create a file called `/etc/logrotate.d/veruspool` with these contents: -``` -/home/veruscoin/.komodo/VRSC/debug.log -/home/s-nomp/.pm2/logs/veruspool-out.log -/home/s-nomp/.pm2/logs/veruspool-error.log +```conf +/home/verus/.komodo/VRSC/debug.log +/home/pool/.pm2/logs/veruspool-out.log +/home/pool/.pm2/logs/veruspool-error.log { rotate 14 daily 
@@ -474,78 +607,32 @@ As `root` user, create a file called `/etc/logrotate.d/pool` with these contents } ``` -### Autostart using `cron` - -Switch to the `veruscoin` user. Edit the `crontab` using `crontab -e` and include the lines below: - -``` -@reboot /home/veruscoin/bin/komodod -ac_name=VRSC -ac_algo=verushash -ac_cc=1 -ac_veruspos=50 -ac_supply=0 -ac_eras=3 -ac_reward=0,38400000000,2400000000 -ac_halving=1,43200,1051920 -ac_decay=100000000,0,0 -ac_end=10080,226080,0 -ac_timelockgte=19200000000 -ac_timeunlockfrom=129600 -ac_timeunlockto=1180800 -addnode=185.25.48.236 -addnode=185.64.105.111 -daemon 1>/dev/null 2>&1 -``` - -Switch to the `s-nomp` user. Edit the `crontab` using `crontab -e` and include the line below: - -``` -@reboot /bin/sleep 60 && cd /home/s-nomp/s-nomp && /usr/bin/pm2 start init.js --name s-nomp -``` - -### Simplify wallet usage - -Switch to the `veruscoin` user. Create a file called `/home/veruscoin/bin/veruscoind` that looks like this: - -``` -#!/bin/bash -OLDPWD="$(pwd)" -cd /home/veruscoin/.komodo/VRSC -/home/veruscoin/bin/komodod -ac_name=VRSC -ac_algo=verushash -ac_cc=1 -ac_veruspos=50 -ac_supply=0 -ac_eras=3 -ac_reward=0,38400000000,2400000000 -ac_halving=1,43200,1051920 -ac_decay=100000000,0,0 -ac_end=10080,226080,0 -ac_timelockgte=19200000000 -ac_timeunlockfrom=129600 -ac_timeunlockto=1180800 -addnode=185.25.48.236 -addnode=185.64.105.111 ${@} -cd "${OLDPWD}" -``` - -Create another file called `/home/veruscoin/bin/veruscoin-cli` that looks like this: - -``` -#!/bin/bash -/home/veruscoin/bin/komodo-cli -ac_name=VRSC ${@} -``` - -Make both files executable: - -``` -chmod +x /home/veruscoin/bin/veruscoin* -``` - -From now on, any time you would have to use the huge `komodod` or `komodo-cli` commands, you can just use them as shown below: - -``` -veruscoind -daemon 1>/dev/null 2>&1 -veruscoin-cli addnode 1.2.3.4 onetry -``` - ### Increase open files limit -Add this to your `/etc/security/limits.conf`: +Add this to your 
`/etc/security/limits.conf`: -``` +```conf * soft nofile 1048576 * hard nofile 1048576 ``` -Reboot to activate the changes. Alternatively you can make sure all running processes are restarted from within a shell that has been launched _after_ the above changes were put in place. +Reboot to activate the changes. Alternatively you can make sure all running processes are restarted from within a shell that has been launched _after_ the above changes were put in place, which usually is a huge pain. Just reboot. ### Networking optimizations If your pool is expected to receive a lot of load, consider implementing below changes, all as `root`: -Enable the `tcp_bbr` kernel module: +Enable the `tcp_bbr` kernel module: -``` +```bash modprobe tcp_bbr echo tcp_bbr >> /etc/modules ``` -Edit your `/etc/sysctl.conf` to include below settings: +Edit your `/etc/sysctl.conf` to include below settings: -``` +```conf net.ipv4.tcp_congestion_control=bbr net.core.rmem_default = 1048576 net.core.wmem_default = 1048576 
@@ -569,42 +656,32 @@ net.ipv4.tcp_fastopen = 3 net.ipv4.tcp_limit_output_bytes = 131072 ``` -Run below command to activate the changes, alternatively reboot the machine: +Run below command to activate the changes, alternatively reboot the machine: -``` +```bash sysctl -p /etc/sysctl.conf ``` ### Change swapping behaviour -If your system has a lot of RAM, you can change the swapping behaviour to only swap when necessary. Edit `/etc/sysctl.conf` to include this setting: +If your system has a lot of RAM, you can change the swapping behaviour to only swap when necessary. Edit `/etc/sysctl.conf` to include this setting: -``` +```conf vm.swappiness=1 ``` -The range is `1-100`. The *lower* the number, the *later* the system will start swapping stuff out. Run below command to activate the change, alternatively reboot the machine: +The range is `1-100`. The *lower* the number, the *later* the system will start swapping stuff out. Run below command to activate the change, alternatively reboot the machine: -``` +```bash sysctl -p /etc/sysctl.conf ``` -### Install `redis-commander` - -As `root`, install `redis-commander` like this: - -``` -npm -g install redis-commander -``` - -Consult `redis-commander --help` for more information. - ### Install `molly-guard` -As a last sanity check before reboots, `molly-guard` will prompt you for the hostname of the system you're about to reboot. Install it like this: +As a last sanity check before reboots, `molly-guard` will prompt you for the hostname of the system you're about to reboot. Install it like this: -``` +```bash apt -y install molly-guard ``` diff --git a/TOR-Wallet.md b/TOR-Wallet.md new file mode 100644 index 0000000..5aad62d --- /dev/null +++ b/TOR-Wallet.md 
@@ -0,0 +1,101 @@ +# Running a VerusCoin Native Wallet (or Full Node) within TOR, properly + +First things first, as of writing this (`2019-02-18`), there does not seem to be a way to use Agama via or within TOR properly if you expect privacy. +Also, this guide only exists because it isn't just about adding `listenonion=1` to your config :-) + +The Hidden Service part of this guide (`listenonion=1` in the Verus daemon config) may not be necessary, but it will benefit the general availability of VerusCoin within the TOR network at no privacy expense on the users end. + +**Please, for your own safety, do not take this guide as the full and only truth. Do your own research. Think of this guide as a helper only. Explaining all possible TOR client setups clearly is beyond the scope of this guide. For example, DNS resolving is only roughly mentioned below!** + +## Prerequisites + +This guide assumes you're on a Debian-ish system. If you're not on Debian (or Devuan) itself, some details may be different, but the key concepts stay the same. + +To start, we need to install `tor`. We'll also install `tor-arm` to get some overview. + +``` +sudo apt update +sudo apt -y upgrade +sudo apt -y install tor tor-arm +``` + +## Setup TOR + +For further information about the TOR options mentioned in this paragraph, see: + +``` +man tor +``` + +Remember the last, bold-printed paragraph of the introduction? Good. + +Put this into your `/etc/tor/torrc`: + +``` +DisableDebuggerAttachment 0 +ClientOnly 1 +SOCKSPort 9050 +SOCKSPolicy accept 127.0.0.0/8 +SOCKSPolicy reject *:* +ControlPort 9051 +``` + +If any way possible, compile a list of 'trusted' TOR nodes. Use the `StrictNodes 1` and `EntryNodes [...]` options. Setup `DNSPort` to be `53` and overwrite your `/etc/resolv.conf` with `nameserver 127.0.0.1`. But be careful, screwing this up may lock you out of your server, if you're working on a remote machine. +Change to your `/var/lib/tor` directory. 
We'll do 2 things to make `tor-arm` complain less. + +``` +cd /var/lib/tor +sudo -u debian-tor mkdir .arm +sudo -u debian-tor ln -s /etc/tor/torrc .arm/ +``` + +`tor-arm` will give you quite a bit of insight into the state of your TOR client. To run it, do this: + +``` +sudo -u debian-tor arm +``` + +See it's manpage for details: + +``` +man arm +``` + +Now, restart your TOR client. + +``` +sudo /etc/init.d/tor restart +``` + +## Setup the Verus wallet + +To allow your wallet to setup a hidden service by itself, you have to add the user account from which the wallet is running to the `debian-tor` group like so: + +``` +sudo gpasswd -a VERUSCOINUSERNAME debian-tor +``` + +These lines have to go into your `~/.komodo/VRSC/VRSC.conf`. Some may be there already, change them to below values. + +``` +listen=0 +listenonion=1 +onlynet=onion +bind=127.0.0.1:27485 +proxy=127.0.0.1:9050 +onion=127.0.0.1:9050 +``` + +**Most important, remove any `bind=` statement that contains anything else than your loopback IP!!!** + +Now restart your wallet. + +`tail -f` on the `debug.log` file to make sure your wallet does connect somewhere and gets p2p updates. + +You should backup the `~/.komodo/VRSC/onion_private_key` file along with your `VRSC.conf` and `wallet.dat`, as it is (obviously) the private key to your onion hostname. + +## Conclusion + +**Again, i cannot stress this enough. DO NOT TRUST THIS GUIDE ALONE to establish your privacy regarding VerusCoin connections. Read about [TOR](https://www.torproject.org).** However, if you did follow the above steps correctly, all your VerusCoin related peer-to-peer traffic should now not only go through the tor network, but be properly untraceable as long as you are using zero knowledge-transactions correctly. + +Probably, if privacy is a must-have for you, you may want to learn about [Tails OS](https://tails.boum.org/) if you haven't already. diff --git a/Tails-Wallet.md b/Tails-Wallet.md new file mode 100644 index 0000000..633071a 
--- /dev/null +++ b/Tails-Wallet.md 
@@ -0,0 +1,185 @@ +# Running a VerusCoin Wallet on Tails + +This document describes a way to run a VerusCoin native wallet from within [Tails](https://tails.boum.org). Sadly, because Tails relies on TOR for anonymous networking, Agama isn't going to work, thus it will be a native commandline wallet. + +**Please, for your own safety, do not take this guide as the full and only truth. Do your own research. Think of this guide as a helper only. Explaining all possible Tails options clearly is beyond the scope of this guide.** + +## Prerequisites + +Get a USB stick, at least 32GB in size, preferrably USB3. Follow [this guide](https://tails.boum.org/install/) to install the most recent release of Tails onto that USB stick. + +To be able to complete this guide as well as anytime you want to use your VerusCoin wallet, you will have to set an [administration password](https://tails.boum.org/administration_password/) for Tails. Also, you need a `persistent volume` which is set to store at least `Personal Data` and `Dotfiles`. + +## Build/obtain VerusCoin binaries + +For now, `build.sh` sometimes fails via TOR. Appearantly, some download servers of opensource projects do not like TOR exit nodes. **What a shame.** However, that leaves us with 2 options: + +1. Download and use premade binaries from [veruscoin.io](https://veruscoin.io) +2. Build the binaries on another system and copy them into your Tails instance. 
+ +For reference, here's a quick cheatsheet for building on Debian-ish systems: + +``` +sudo apt update +sudo apt -y install build-essential git pkg-config libc6-dev m4 g++-multilib autoconf \ + libtool ncurses-dev unzip git python python-zmq zlib1g-dev wget \ + libcurl4-openssl-dev bsdmainutils automake curl +git clone https://github.com/veruscoin/veruscoin +cd veruscoin +./zcutil/build.sh -j$(nproc) +strip src/verusd src/verus +``` + +Copy over these files: +``` +veruscoin/src/verusd +veruscoin/src/verus +veruscoin/zcutil/fetch-params.sh +``` + +**NOTE: Should you choose option 1, use the preinstalled `GtkHash` tool to verify the checksums of your download.** + +## Integrate wallet into Tails + +Execute below steps in order to integrate the wallet into your Tails installation. + +1. Create persistent `bin` dir and add it to path. + +``` +mkdir /live/persistence/TailsData_unlocked/dotfiles/bin +cp ~/.bashrc /live/persistence/TailsData_unlocked/dotfiles +``` + +Edit `/live/persistence/TailsData_unlocked/dotfiles/.bashrc` with your favourite text editor, put this at the end: + +``` +PATH=${PATH}:/home/amnesia/bin +export PATH +``` + +Copy over `verusd`, `verus` and `fetch-params.sh` to `/live/persistence/TailsData_unlocked/dotfiles/bin` and make sure all files are `chmod +x`. + +2. Create custom `veruscoin-cli` and `veruscoind` scripts + +These custom scripts are necessary because we have to set another data directory and need to fiddle with `iptables` before we can use the daemon. Feel free to name the scripts whatever you want, tho. + +**`veruscoin-cli`** + +Copy this into `/live/persistence/TailsData_unlocked/dotfiles/bin/veruscoin-cli`: +``` +#!/bin/bash + +${HOME}/bin/verus \ + -datadir=${HOME}/Persistent/VerusCoin \ + "$@" +``` + +Afterwards, `chmod +x /live/persistence/TailsData_unlocked/dotfiles/bin/veruscoin-cli` to make it executeable. 
+ +**`veruscoind`** + +*When run, this will ask for your Tails administration password multiple times in order to check/set `iptables` rules. This is necessary in order to allow any communication from and to the wallet at all.* + +Copy this into `/live/persistence/TailsData_unlocked/dotfiles/bin/veruscoind`: +``` +#!/bin/bash -x + +# save current working dir for later +OLDPWD="$(pwd)" + +# determine configured rpcport (or use default value) +# then open port in firewall +RPCPORT=$(/bin/cat ${HOME}/Persistent/VerusCoin/VRSC.conf | /bin/grep rpcport | /usr/bin/cut -f2 -d=) +if [ -z "${RPCPORT}" ] || [ "${RPCPORT}" -neq "${RPCPORT}" ] > /dev/null 2>&1; then + RPCPORT=27486 +fi + +# check if port is already opened, open if not +PORTCHECK=$(/usr/bin/sudo /sbin/iptables -L | /bin/grep ${RPCPORT}) +if [ -z "${PORTCHECK}" ]; then + /usr/bin/sudo /sbin/iptables -I OUTPUT -o lo -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport ${RPCPORT} -j ACCEPT +fi + +# change working dir to verus datadir +cd ${HOME}/Persistent/VerusCoin + +# start veruscoin +${HOME}/bin/verusd \ + -datadir=${HOME}/Persistent/VerusCoin \ + -printtoconsole=1 \ + "${@}" + +# return to old working dir +cd "${OLDPWD}" +``` + +Afterwards, `chmod +x /live/persistence/TailsData_unlocked/dotfiles/bin/veruscoind` to make it executable. + +3. Download `zcash-params` and move to `dotfiles` directory + +If you downloaded the binaries from [veruscoin.io](https://veruscoin.io), adapt below to `fetch-params` instead of `fetch-params.sh`. + +``` +cd ~ +/live/persistence/TailsData_unlocked/dotfiles/bin/fetch-params.sh +mv ~/.zcash-params /live/persistence/TailsData_unlocked/dotfiles +``` + +4. 
Create and prepare data directory + +**NOTE: Use the preinstalled `GtkHash` tool to verify checksums of the bootstrap download.** + +``` +mkdir -p ${HOME}/Persistent/VerusCoin/export; cd ${HOME}/Persistent/VerusCoin +wget http://bootstrapslc3ttl.onion/veruscoin/VRSC-bootstrap.tar.gz +wget http://bootstrapslc3ttl.onion/veruscoin/VRSC-bootstrap.tar.gz.md5sum +wget http://bootstrapslc3ttl.onion/veruscoin/VRSC-bootstrap.tar.gz.sha256sum +tar zxf VRSC-bootstrap.tar.gz +``` + +5. Create VRSC.conf + +``` +cat <${HOME}/Persistent/VerusCoin/VRSC.conf +listen=0 +listenonion=0 +port=27485 +proxy=127.0.0.1:9050 +onlynet=onion + +txindex=1 + +logtimestamps=1 +logips=1 +shrinkdebugfile=1 + +exportdir=${HOME}/Persistent/VerusCoin/export + +server=1 +rpcport=27486 +rpcuser=veruscoin-${RANDOM}-$(whoami) +rpcpassword=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) +rpcbind=127.0.0.1 +rpcallowip=127.0.0.1 +rpcthreads=1 +rpcworkqueue=4 + +addnode=qxgvbauwyxshhp46.onion:27485 +addnode=ndy4q5hqvgrq3moe.onion:27485 +addnode=av3hnhrk5hhojvd2.onion:27485 +addnode=qi65jg5qdfczziyl.onion:27485 +EOF +``` + +6. Reboot Tails + +This is necessary to get the changes to your `persistent volume` into the running system. Remember to set an [administration password](https://tails.boum.org/administration_password/) for Tails again after reboot. + +7. Start VerusCoin + +``` +veruscoind -daemon 1>/dev/null 2>&1 +tail -f ~/Persistent/VerusCoin/debug.log +``` + +*Congratulations, you have reached the end of this howto guide.* diff --git a/VerusNode.md b/VerusNode.md new file mode 100644 index 0000000..d189fc1 --- /dev/null +++ b/VerusNode.md 
@@ -0,0 +1,273 @@ +# Verus Node with staking wallet + +## Server + +A VPS with 4GB of RAM, anything above 50GB SSD storage and 2 CPU cores that are able to handle AES-NI is the absolute minimum requirement. Start following the guide while logged in as `root`. + + +## Operating System + +This guide tailored to and tested on `Debian 9 "Stretch"`. Before starting, please install the latest updates: + +``` +apt update +apt -y upgrade +``` + +## wallet + +The packages required in order to compile a VerusCoin wallet can be installed like this: + +``` +apt -y install build-essential git pkg-config libc6-dev m4 g++-multilib autoconf \ + libtool ncurses-dev unzip git python python-zmq zlib1g-dev wget \ + libcurl4-openssl-dev bsdmainutils automake curl +``` + + +Create a useraccount for the wallet. Switch to that account. + +``` +useradd -m -d /home/verus -s /bin/bash verus +su - verus +``` + +Now, clone the source tree and build the binaries: + +``` +git clone https://github.com/VerusCoin/VerusCoin +cd VerusCoin +./zcutil/fetch-params.sh +./zcutil/build.sh -j$(nproc) +``` + +After that is done, create a `~/bin` directory and copy over the binaries. Strip the debug symbols. + +``` +mkdir ~/bin +cp src/verusd src/verus src/verus-tx ~/bin +strip ~/bin/verus* +``` + +Now, lets create the data directory. Then, get the bootstrap and unpack it there. + +``` +mkdir -p ~/.komodo/VRSC +cd ~/.komodo/VRSC +wget https://bootstrap.veruscoin.io/VRSC-bootstrap.tar.gz +tar xf VRSC-bootstrap.tar.gz +rm VRSC-bootstrap.tar.gz +``` + +Create `~/.komodo/VRSC/VRSC.conf` and include the parameters listed below, adapt the ones that need adaption. +A resonably secure `rpcpassword` can be generated using this command: +`cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1`. 
+ +``` +server=1 +listen=1 +listenonion=0 +maxconnections=256 + +# logging related options +logtimestamps=1 +logips=1 +shrinkdebugfile=0 + +# how many blocks to check on startup +checkblocks=64 + +# indexing options +txindex=1 +addressindex=1 +timestampindex=1 +spentindex=1 + +# make sure ipv4 & ipv6 is used +bind=0.0.0.0 +bind=:: + +# rpc settings +rpcuser=veruscoin +rpcpassword=your-secret-veruscoin-rpc-password +rpcport=27486 +rpcthreads=256 +rpcworkqueue=1024 +rpcbind=127.0.0.1 +rpcallowip=127.0.0.1 + +# if a peer jacks up more than 25 times in a row, ban it +banscore=25 + +# stake if possible, although it's probably not helping much +mint=1 + +# seednodes +seednode=66.228.59.168:27485 +seednode=172.104.48.148:27485 +seednode=45.79.237.198:27485 +seednode=45.79.111.201:27485 +seednode=95.217.1.76:27485 +seednode=157.90.155.113:27485 +seednode=157.90.113.198:27485 +seednode=95.216.104.210:27487 + +# addnodes (Insight explorers) +addnode=157.90.127.142:27485 +addnode=157.90.248.145:27485 +addnode=135.181.253.217:27485 + +# addnodes (Iquidus explorers) +addnode=95.216.104.214:27485 +addnode=135.181.68.6:27485 +addnode=168.119.27.246:27485 + +# addnodes (ElectrumX servers) +addnode=168.119.166.240:27485 +addnode=157.90.155.8:27485 +addnode=65.21.63.161:27485 + +# addnodes (pools) +## Oink#3612 / pool.veruscoin.io +addnode=136.243.227.137:27485 +addnode=162.55.8.164:27485 +## Dudezmobi Staking Pool +addnode=152.32.95.164:27485 +## Quipacorn#5205 / verus.farm +addnode=82.59.55.162:27485 +## Uncharted#3880 / verus.aninterestinghole.xyz +addnode=136.56.61.241:27485 +## / verus.quick-pool.io +addnode=164.128.166.226:27485 +## / verus.wattpool.net +addnode=144.217.83.45:27485 +## CiscoTech#7806 / vrsc.ciscotech.dk +addnode=188.183.103.90:27485 +## Quipacorn#5205 / verus.farm +addnode=162.55.59.82:27485 + +``` + +Afterwards, start the daemon again and let it sync the blockchain: + +``` +verusd -daemon +``` + +To check the status and know when the initial sync has been 
completed, issue + +``` +verus getinfo +``` + +When it has synced up to height, the `blocks` and `longestchain` values will be at par. Additionally, you should verify against [the explorer](https://explorer.veruscoin.io) that you are in fact not on a fork. While we wait for this to happen, lets continue. + +## Configuration Instructions + +Shielding is no longer required for mined / staked VerusCoins. We will need a public but don't need a z-address, but make one anyway for this. Switch to the `verus` user and generate the addresses: + +``` +verus getnewaddress +verus z_getnewaddress +``` + +Next, we will dump the private keys of these addresses for safety reasons. +For the public address, use + +``` +verus dumpprivkey +``` + +For the z-address, use + +``` +verus z_exportkey +``` + +## Further considerations + +None of the topics below is strictly necessary, but most of them are recommended. + +### Improving SSH security + +If you remember the good old `rand=4; // chosen by fair dice roll` comic, you're probably doing this anyways. If you don't go google the comic, you might have missed a laugh there! + +As `root`, generate a proper `/etc/ssh/moduli` like this: + +``` +ssh-keygen -G "/root/moduli.candidates" -b 4096 +mv /etc/ssh/moduli /etc/ssh/moduli.old +ssh-keygen -T /etc/ssh/moduli -f "/root/module.candidates" +rm "/root/moduli.candidates" +``` + +Add the recommended changes from [CiperLi.st](https://cipherli.st) to `/etc/ssh/sshd_config`, also make sure that `PermitRootLogin` is at least set to `without-password`. Then remove and re-generate your host keys like this: + +``` +cd /etc/ssh +rm ssh_host_*key* +ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null +ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null +``` + +To finish, restart the ssh server: + +``` +/etc/init.d/sshd restart +``` + +### Autostart using `cron` + +Switch to the `verus` user. 
Edit the `crontab` using `crontab -e` and include the lines below: + +``` +@reboot /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +``` + +### Increase open files limit + +Add this to your `/etc/security/limits.conf`: + +``` +* soft nofile 1048576 +* hard nofile 1048576 +``` + +Reboot to activate the changes. Alternatively you can make sure all running processes are restarted from within a shell that has been launched _after_ the above changes were put in place. + + +### Change swapping behaviour + +If your system has a lot of RAM, you can change the swapping behavior to only swap when necessary. Edit `/etc/sysctl.conf` to include this setting: + +``` +vm.swappiness=1 +``` + +The range is `1-100`. The *lower* the number, the *later* the system will start swapping stuff out. Run below command to activate the change, alternatively reboot the machine: + +``` +sysctl -p /etc/sysctl.conf +``` + +### Install `molly-guard` + +As a last sanity check before reboots, `molly-guard` will prompt you for the hostname of the system you're about to reboot. Install it like this: + +``` +apt -y install molly-guard +``` + +Check `/etc/molly-guard/rc` for more options. + +### Enable `ufw` firewall +First setup the required ports for access. +If you configured your SSH access to another port (not a bad idea), change the port accordingly. +If you don't need SSH access, don't run the `SSH port` line. +If you do not want your node to accept incoming connections, do not run the `Verus P2P port` line. +```bash +ufw allow from any to any port 22 comment "SSH port" +ufw allow from any to any port 27485 proto tcp comment "Verus P2P port" +ufw enable +``` +If you are connected through a SSH connection, do not disconnect until you have verified with a new connection that you can still make a connection to your node. diff --git a/Verusd-RPC.md b/Verusd-RPC.md new file mode 100755 index 0000000..85c19ee --- /dev/null +++ b/Verusd-RPC.md 
@@ -0,0 +1,505 @@ +# Verusd-RPC + +Operating a Lite Wallet server, like Verusd-RPC, requires you to know about systems administration, IT security, databases, software development, coin daemons and other more or less related stuff. Maintaining it can literally be more work than a full-time job + +A VPS with 8GB of RAM, anything above 40GB **SSD** storage and 2 CPU cores which knows about AES-NI is the absolute minimum requirement. Generally, having more RAM is more important than having more CPU power here. Additionally, the hypervisor of your VPS _must_ pass through the original CPU designation from its host. See below for an example that will likely lead to trouble. + +```bash +lscpu|grep -i "model name" +Model name: QEMU Virtual CPU version 2.5+ +``` + +Basically, anything in there that is not a real CPU name _may_ cause NodeJS to behave funny despite the `Virtual CPU` having all necessary CPU flags. Be aware and ready to switch servers and/or hosting companies if need be. Start following the guide while logged in as `root`. + +## Operating System + +This guide is tailored to and tested on `Debian 11 "Bullseye"` but should probably also work on Debian-ish derivatives like `Devuan` or `Ubuntu` and others. Before starting, please install the latest updates and prerequisites. + +```bash +apt update +apt -y upgrade +apt -y install libgomp1 git libboost-all-dev libsodium-dev build-essential +``` + +## Verus Daemon + +Create a user for the Verus daemon, switch to that account: + +```bash +useradd -m -d /home/verus -s /bin/bash verus +su - verus +``` + +Download the **latest** (`v0.9.6-1` used in this example) Verus binaries from the [GitHub Releases Page](https://github.com/VerusCoin/VerusCoin/releases). 
Unpack, move them into place and clean up like so: + +```bash +mkdir ~/bin +cd ~/bin +wget https://github.com/VerusCoin/VerusCoin/releases/download/v0.9.6-1/Verus-CLI-Linux-v0.9.6-1-x86_64.tgz +tar xf Verus-CLI-Linux-v0.9.6-1-x86_64.tgz; tar xf Verus-CLI-Linux-v0.9.6-1-x86_64.tar.gz +mv verus-cli/{fetch-params,fetch-bootstrap,verusd,verus} ~/bin +rm -rf verus-cli Verus-CLI-Linux-v0.9.6-1-x86_64.t* +``` + +Use the supplied script to download a copy of the `zcparams` data. Watch for and fix any occuring errors until you can be sure you successfully have gotten a complete `zcparams` copy. + +```bash +fetch-params +# ... a lot of output from wget and sadly no clear conclusion notice +``` + +Since this node will be running with all indexes enabled, it will need to be synchronized from genesis. Bootstrapping is not an option! + +Now, let's create the data and wallet export directory. Then, get the bootstrap and unpack it there. + +```bash +mkdir ~/.komodo +mkdir ~/.komodo/VRSC +mkdir ~/export +``` + +It's time to do the wallet config. A reasonably secure `rpcpassword` can be generated using this command: + +```bash +cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1 +``` + +Create `~/.komodo/VRSC/VRSC.conf` and include the parameters listed below, adapt the ones that need adaption. 
+```conf +## + +# network options +listen=1 +listenonion=0 +port=27485 +maxconnections=1024 + +# rpc options +server=1 +rpcport=27486 +rpcuser=verus +rpcpassword=rpcpassword +rpcbind=127.0.0.1 +rpcallowip=127.0.0.1 +rpcthreads=256 +rpcworkqueue=1024 + +# Verusd-RPC doesn't need a wallet +disablewallet=1 + +# indexing options: +insightexplorer=1 +idindex=1 +txindex=1 +addressindex=1 +timestampindex=1 +spentindex=1 + +# logging options +logtimestamps=1 +logips=1 + +# miscellaneous options +banscore=64 +checkblocks=64 +checklevel=4 + +# seednodes +seednode=157.90.113.198:27485 +seednode=157.90.155.113:27485 +seednode=95.217.1.76:27485 +seednode=45.79.111.201:27485 +seednode=45.79.237.198:27485 +seednode=172.104.48.148:27485 +seednode=66.228.59.168:27485 + +## addnodes +# vrsc0..1 +addnode=185.25.48.236:27485 +addnode=185.64.105.111:27485 +# ex0..2 +addnode=157.90.127.142:27485 +addnode=157.90.248.145:27485 +addnode=135.181.253.217:27485 +# iq0..2 +addnode=95.216.104.214:27485 +addnode=135.181.68.6:27485 +addnode=168.119.27.246:27485 +# lw0..2 +addnode=168.119.166.240:27485 +addnode=157.90.155.8:27485 +addnode=65.21.63.161:27485 + +# EOF +``` + +Afterwards, start the verus daemon and let it sync the blockchain. as noted before, the indexes require a full synchronization from genesis, so this make take many hours. We'll also watch the debug log for a moment: + +```bash +cd ~/.komodo/VRSC; verusd -daemon 1>/dev/null 2>&1; sleep 1; tail -f debug.log +``` + +Press `ctrl-c` to exit `tail` if it looks alright. To check the status and know when the initial sync has been completed, issue + +```bash +verus getinfo +``` +When it has synced up to height, the `blocks` and `longestchain` values will be at par. Additionally, you should verify against [the explorer](https://explorer.veruscoin.io) that you are not on a fork. 
Edit the `crontab` using `crontab -e` and include the line below to autostart the wallet: + +```crontab +@reboot cd /home/verus/.komodo/VRSC; /home/verus/bin/verusd -daemon 1>/dev/null 2>&1 +``` + +**HINT:** if you can't stand `vi`, do `EDITOR=nano crontab -e` ;-) + + +## Node.js + +Create a new user account to run the pool from. Switch to that user to setup `nvm.sh`: + +Instal `nvm`. As root user, do: +```bash +useradd -m -d /home/verusd-rpc -s /bin/bash verusd-rpc +su - verusd-rpc +curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash +exit +``` +Optional, but recommended: + Test that `nvm` is installed: + ```bash + su - verusd-rpc + nvm -v + exit + ``` + If this does not give you the version you installed (`0.39.3` in this case), `nvm` was **not** (properly) installed. + If it did return the proper answer, you can continue. + +install `node` and `pm2`: +```bash +su - verusd-rpc +nvm install 18 +npm install -g pm2 +``` +Because `nvm.sh` comes without it, we need to add one symlink into its bindir for our installed NodeJS. + +```bash +which node +/home/verusd-rpc/.nvm/versions/node/v18.14.0/bin/node +``` + +Change to the resulting directory and create a symlink like below. + +```bash +cd /home/verusd-rpc/.nvm/versions/node/v18.14.0/bin/ +ln -s node nodejs +``` + +## verusd-rpc + +(still in the `verusd-rpc` account, home directory) clone the *verusd-rpc* code: +```bash +git clone https://github.com/VerusCoin/bitcoind-rpc.git verusd-rpc +``` + +```bash +cd ~/verusd-rpc +npm update +npm install +``` +Set up the environment file with the proper parameters in the `~/verusd-rpc` directory: +``` +touch .env +nano .env +``` +put the following data in and update with the specifics of your verusd daemon: +``` +RPCPORT= +RPCPASSWORD= +RPCUSER= +RPCIP=127.0.0.1 +NODEPORT=8000 +``` +Exit and save on the way out. 
+ + note: by default it will use the local node (RPCIP=127.0.0.1), but if desired you can configure (both *VERUSD-RPC* and your verusd node) to communicate over the internet. + Unless you have strict security protocols in place (firewall hole to only allow a specific IP, tunnelling between the two systems) this is not advisable from a security perspective. + + note2: `NODEPORT` can be altered to whatever available port you wish to use. Make sure the firewall is open for that port. + + +Optional, but recommended: + testrun `Verusd-RPC` with node: + ```bash + node httpserver.js + ``` + Now locally test the functionality in a 2nd terminal on the same system (doesn't matter what user account): + ```bash + curl --data-binary '{"jsonrpc": "1.0", "id":"curltest", "method": "getinfo", "params": [] }' -H 'content-type: text/plain;' http://127.0.0.1:8000/ + ``` + You should get a json reply with the `getinfo` you would also get if you run `verus -chain= getinfo` + +Running `Verusd-RPC` for production: +```bash +cd /home/verusd-rpc/verusd-rpc +pm2 start httpserver.js --name Verusd-RPC +``` + +### Verusd-RPC Autostart + +Edit your crontab using `crontab -e` and shove in this line at the bottom: + +```crontab +@reboot /bin/sleep 300 && cd /home/verusd-rpc/verusd-rpc && /home/verusd-rpc/.nvm/versions/node/v18.14.0/bin/pm2 start httpserver.js --name verusd-rpc +``` + +**HINT:** if you can't stand `vi`, do `EDITOR=nano crontab -e` ;-) + +## Further considerations + +None of the topics below is strictly necessary, but most of them are recommended. + +### Enabling firewall + +As `root` user: +```bash +ufw allow from any to any port 22 comment "SSH access" +``` +If you want to limit the IPs that can access your server over SSH (eg, if you have a fixed IP address or use a SSH-jump server) replace the first `any` with the IP or ip-range. doublecheck this or you will lock yourself out! 
+```bash +ufw allow from any to any port 80,443 comment "Standard web ports" +``` +add multiple mining ports by separating them by commas, analogue to the web ports. +```bash +ufw enable +``` +If you are not going to use `NGINX` to proxy: +```bash +ufw allow from any to any port xxxx comment "verusd-rpc () API port" +``` + + +### Useful DNS resolvers + +Empty your `/etc/resolv.conf` and replace it with this: + +```conf +# google, https://developers.google.com/speed/public-dns/docs/using +nameserver 8.8.4.4 +nameserver 8.8.8.8 +nameserver 2001:4860:4860::8844 +nameserver 2001:4860:4860::8888 + +# verisign, https://publicdnsforum.verisign.com/discussion/13/verisign-public-dns-set-up-configuration-instructions +nameserver 64.6.64.6 +nameserver 64.6.65.6 +nameserver 2620:74:1b::1:1 +nameserver 2620:74:1c::2:2 + +# quad9, https://www.quad9.net/faq/ +nameserver 9.9.9.9 +nameserver 149.112.112.112 +nameserver 2620:fe::fe +nameserver 2620:fe::9 + +# cloudflare/apnic, https://1.1.1.1/de/ +nameserver 1.1.1.1 +nameserver 1.0.0.1 +nameserver 2606:4700:4700::1111 +nameserver 2606:4700:4700::1001 + +# opendns, https://use.opendns.com, https://www.opendns.com/about/innovations/ipv6/ +nameserver 208.67.222.222 +nameserver 208.67.220.220 +nameserver 2620:119:35::35 +nameserver 2620:119:53::53 + +# see 'man 5 resolv.conf' +options rotate timeout:1 attempts:5 +``` + +### Improving SSH security + +If you remember the good old `rand=4; // chosen by fair dice roll` comic, you're probably doing this anyways. If you don't, go Google the comic, you might have missed a laugh there! 
+ +As `root`, generate a proper `/etc/ssh/moduli` like this: + +```bash +ssh-keygen -G "/root/moduli.candidates" -b 4096 +mv /etc/ssh/moduli /etc/ssh/moduli.old +ssh-keygen -T /etc/ssh/moduli -f "/root/module.candidates" +rm "/root/moduli.candidates" +``` + +Add the recommended changes from [CiperLi.st](https://cipherli.st) to `/etc/ssh/sshd_config`, also make sure that `PermitRootLogin` is at least set to `without-password`. Then remove and re-generate your host keys like this: + +```bash +cd /etc/ssh +rm ssh_host_*key* +ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null +ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null +``` + +To finish, restart the ssh server: + +```bash +/etc/init.d/sshd restart +``` + +### Reverse-proxying `verusd-rpc` behind `nginx` + +As `root`, install `nginx` and enable it on boot using these commands: + +```bash +apt -y install nginx +update-rc.d enable nginx +``` + +Create `/etc/nginx/blockuseragents.rules` with these contents: + +```conf +map $http_user_agent $blockedagent { +default 0; +~*malicious 1; +~*bot 1; +~*backdoor 1; +~*crawler 1; +~*bandit 1; +} +``` + +Edit `/etc/nginx/sites-available/default` to look like this: + +```conf +include /etc/nginx/blockuseragents.rules; +server { + if ($blockedagent) { + return 403; + } + if ($request_method !~ ^(GET|HEAD)$) { + return 444; + } + + listen 80 default_server; + listen [::]:80 default_server; + charset utf-8; + root /var/www/html; + index index.html index.htm index.nginx-debian.html; + + location / { + proxy_pass http://127.0.0.1:8000/; + proxy_set_header X-Real-IP $remote_addr; + } + + location /admin { + rewrite ^/.* /stats permanent; + } + +} +``` + +Restart `nginx`: + +```bash +/etc/init.d/nginx restart +``` + +If you've followed the above steps correctly, your `verusd-rpc` is now proxied behind nginx. 
+ +### Enable `logrotate` + +As `root` user, create a file called `/etc/logrotate.d/verusd-rpc` with these contents: + +```conf +/home/verus/.komodo/VRSC/debug.log +/home/verusd-rpc/.pm2/logs/verusd-rpc-out.log +/home/verusd-rpc/.pm2/logs/verusd-rpc-error.log +{ + rotate 14 + daily + compress + delaycompress + copytruncate + missingok + notifempty +} +``` + +### Increase open files limit + +Add this to your `/etc/security/limits.conf`: + +```conf +* soft nofile 1048576 +* hard nofile 1048576 +``` + +Reboot to activate the changes. Alternatively you can make sure all running processes are restarted from within a shell that has been launched _after_ the above changes were put in place, which usually is a huge pain. Just reboot. + + +### Networking optimizations + +If your pool is expected to receive a lot of load, consider implementing below changes, all as `root`: + +Enable the `tcp_bbr` kernel module: + +```bash +modprobe tcp_bbr +echo tcp_bbr >> /etc/modules +``` + +Edit your `/etc/sysctl.conf` to include below settings: + +```conf +net.ipv4.tcp_congestion_control=bbr +net.core.rmem_default = 1048576 +net.core.wmem_default = 1048576 +net.core.rmem_max = 16777216 +net.core.wmem_max = 16777216 +net.ipv4.tcp_rmem = 4096 87380 16777216 +net.ipv4.tcp_wmem = 4096 65536 16777216 +net.ipv4.udp_rmem_min = 16384 +net.ipv4.udp_wmem_min = 16384 +net.core.netdev_max_backlog = 262144 +net.ipv4.tcp_max_orphans = 262144 +net.ipv4.tcp_max_syn_backlog = 262144 +net.ipv4.tcp_tw_reuse = 1 +net.ipv4.tcp_max_tw_buckets = 2000000 +net.ipv4.ip_local_port_range = 16001 65530 +net.core.somaxconn = 20480 +net.ipv4.tcp_low_latency = 1 +net.ipv4.tcp_slow_start_after_idle = 0 +net.ipv4.tcp_mtu_probing = 1 +net.ipv4.tcp_fastopen = 3 +net.ipv4.tcp_limit_output_bytes = 131072 +``` + +Run below command to activate the changes, alternatively reboot the machine: + + +```bash +sysctl -p /etc/sysctl.conf +``` + +### Change swapping behaviour + +If your system has a lot of RAM, you can change the 
swapping behaviour to only swap when necessary. Edit `/etc/sysctl.conf` to include this setting: + +```conf +vm.swappiness=1 +``` + +The range is `1-100`. The *lower* the number, the *later* the system will start swapping stuff out. Run below command to activate the change, alternatively reboot the machine: + +```bash +sysctl -p /etc/sysctl.conf +``` + +### Install `molly-guard` + +As a last sanity check before reboots, `molly-guard` will prompt you for the hostname of the system you're about to reboot. Install it like this: + +```bash +apt -y install molly-guard +``` + +Check `/etc/molly-guard/rc` for more options.
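Review bot: In ElectrumX.md under "Configuration Instructions", `verus dumpprivkey` and `verus z_exportkey` are shown without the address argument that both calls require, and the step gives no guidance on where the exported keys should end up. Show the argument as an explicit placeholder and say that the keys are to be recorded offline, not left in a file, shell history or terminal scrollback on the server. The sentence "We will need a public but don't need a z-address, but make one anyway" is also hard to parse; state plainly which address the server actually needs.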
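Review bot: The "Improving SSH security" block, which appears in both ElectrumX.md and Verusd-RPC.md, writes the candidates to `/root/moduli.candidates` but screens from `/root/module.candidates`, so the `ssh-keygen -T` step has no input and fails after `/etc/ssh/moduli` has already been moved to `moduli.old`. Fix the filename and move the old file aside only once the screened file exists. For the Debian 11 guide, note as well that OpenSSH 8.2 and later replaced `-G` and `-T` with `-M generate` and `-M screen`, so these commands will not run on the release the guide targets. Two smaller points in the same block: on Debian the init script is `/etc/init.d/ssh`, not `sshd`, and `without-password` is the deprecated spelling of `prohibit-password`. The link text "CiperLi.st" is missing an "h".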
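Review bot: Neither download in Verusd-RPC.md is verified before it is used: the "Verus Daemon" section unpacks the `wget` tarball straight into `~/bin`, and the "Node.js" section pipes `install.sh` from `curl` into `bash`. The same patch adds a NOTE to ElectrumX.md pointing at the Verus signature verification tool, so the new file should at least carry that NOTE too, and ideally show a verification step between `wget` and `tar xf`. For `nvm`, download the script to a file and review it before running it instead of piping it into the shell.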
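Review bot: The sample `VRSC.conf` in Verusd-RPC.md ships the literal line `rpcpassword=rpcpassword`, which will work unchanged if someone pastes the block as is. Use an obvious placeholder that cannot pass for a real value and tie it to the `/dev/urandom` command shown just above, and say that the same value goes into `RPCPASSWORD=` in `.env` later. In the same region, "Then, get the bootstrap and unpack it there" contradicts "Bootstrapping is not an option!" two lines earlier, and `fetch-bootstrap` is still moved into `~/bin`; drop both if the node has to sync from genesis.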
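Review bot: The pm2 process name is not consistent across Verusd-RPC.md: the production start uses `--name Verusd-RPC`, the `@reboot` crontab line uses `--name verusd-rpc`, and the logrotate stanza lists `verusd-rpc-out.log` and `verusd-rpc-error.log`. pm2 derives its log file names from the process name, so logs from the manually started instance will not match the logrotate paths until the next reboot. Pick one name and use it in all three places. The autostart section should also say which user's crontab is meant, and it is worth checking that `pm2` can find `node` under cron's minimal `PATH`, since only `pm2` is given by full path.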
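Review bot: In "Enabling firewall" in Verusd-RPC.md, `ufw allow from any to any port 80,443` has no protocol, and ufw refuses a multi-port rule unless `proto tcp` or `proto udp` is given; the P2P rule in the ElectrumX.md hunk already uses `proto tcp`. The last rule is listed after `ufw enable` and still contains the placeholders `xxxx` and an empty `()`; it should reference the `NODEPORT` value from `.env` and, in line with the note under `.env`, restrict the source to known addresses instead of `any`. The sentence about "mining ports" looks carried over from a pool guide, and there is no rule for the Verus P2P port 27485 even though the sample config sets `listen=1`.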
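Review bot: The `/etc/resolv.conf` sample under "Useful DNS resolvers" lists twenty `nameserver` lines, but the glibc resolver only uses the first three, so everything after the third Google entry is ignored and `options rotate` only rotates within those three. Trim the list to three entries, chosen from different providers if redundancy is the goal, and keep the remaining addresses as comments if they are meant as a reference.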
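Review bot: The guard `if ($request_method !~ ^(GET|HEAD)$) { return 444; }` in the nginx server block drops every request that is not GET or HEAD, but the test earlier in this file calls the service with `curl --data-binary`, which sends a POST, so JSON-RPC calls through the proxy will be closed without a response. Allow POST in that check, or replace it with one that matches how the service is actually called. In the same section, `update-rc.d enable nginx` has its arguments reversed (the name comes first: `update-rc.d nginx enable`), the `location /admin` rewrite to `/stats` refers to a path this guide never sets up, and the server only listens on port 80 although the firewall section opens 443.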