Minimal install using Debian
I would like to thank Pierre for putting this guide together. It is very well written and easy to follow.
These instructions are for creating a ZEN securenode with a minimal Debian install.
By minimizing the OS, we are able to meet the 300 sec challenge and still use a $5/mo VPS with 1 CPU and 1GB RAM. Only the services that are absolutely necessary are installed using this method.
This guide is based on the excellent work from: @hairetikos, @blockoperations, and myself.
Step 1: Create a VPS on VULTR per the instructions from @hairetikos
This guide was adapted from @hairetikos' guide available here.
The only difference is that rsyslog is not removed. It is important to maintain good logging capabilities. So instead of the line:
apt purge rsyslog systemd* -y && apt autoremove --purge -y && reboot
This guide uses:
apt purge systemd* -y && apt autoremove --purge -y && reboot
Step 2: Fortify the node and communications
- Install sudo:
apt -y install sudo
- During step 1, you should have created a user account (as opposed to root). For this tutorial, we will call that account “zenmaster”. Add the zenmaster account to sudo:
vi /etc/group
add zenmaster to sudo group
sudo:x:27:zenmaster
- Make sure your VM has the correct name:
cat /etc/hostname
- Edit your hosts file to make sure you have the correct IP address
vi /etc/hosts
Make sure you have your hostname (znode-pie2) and your FQDN (Fully Qualified Domain Name): znode-pie2.pnhl.trade next to the correct IP address assigned by VULTR. If you don’t have this done correctly, you will end up having a lot of problems getting your TLS certificate later on.
- Change default sshd port:
vi /etc/ssh/sshd_config
Port 2221
You can pick any high port you want (> 1024), although it is best to stay away from well-known ports like 3389. The purpose of changing the ssh port is to make it harder for automated scanners.
- Restart sshd:
/etc/init.d/ssh restart
- Don’t close your existing window yet! Start a new PuTTY session and make sure the ssh daemon is answering on the new port.
- Stop ssh from accepting passwords and start enforcing certificate logins only (⇒ Please see separate tutorial - To be added)
- Create a firewall in Vultr – this will reduce the load on the node from the constant scanning
a. Create the following rules. Note that for testnet the port is 19033/tcp. Once we move to mainnet, the firewall will need to be changed to 9033/tcp.
b. Name the firewall rule set – just give it any name you want
c. Click on “linked instances” and link it to your machine:
- If not already done, make sure your DNS is set correctly with your domain provider. This will be a big issue later if not done correctly now.
- Let’s install more packages that we will need later
sudo apt -y install git ufw build-essential pkg-config libc6-dev m4 g++-multilib autoconf libtool ncurses-dev unzip python zlib1g-dev wget bsdmainutils automake net-tools socat
- We will now turn on the firewall on the VM itself in case the VULTR firewall ever fails
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow 2221/tcp
sudo ufw limit 2221/tcp
sudo ufw allow http/tcp
sudo ufw allow https/tcp
sudo ufw allow 9033/tcp
sudo ufw allow 19033/tcp
sudo ufw logging on
sudo ufw enable
I am using port 2221 as an example. Adjust accordingly.
- I find that sudo times out too quickly. I would prefer to only be asked for my password once per hour.
sudo visudo
Change the line:
Defaults env_reset
To:
Defaults env_reset,timestamp_timeout=60
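The Step 2 settings that cause trouble later (the /etc/hosts mapping, the non-default sshd port and password logins) can be checked with a short script. This is an added example, not part of the original guide; the function names and the address 203.0.113.10 are assumptions, and Match blocks in sshd_config are not interpreted.

```shell
#!/bin/sh
# Added example (not from the guide): audit the Step 2 settings.
# Function names are hypothetical.

# hosts_maps FILE IP FQDN: succeed only if one line in FILE starts with IP
# and lists both the FQDN and its short hostname.
hosts_maps() {
    awk -v ip="$2" -v fqdn="$3" '
        BEGIN { short = fqdn; sub(/\..*/, "", short) }
        { sub(/#.*/, "") }                      # drop comments
        $1 == ip {
            f = 0; s = 0
            for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 }
            if (f && s) ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# sshd_setting FILE KEYWORD: print the value sshd will use. Keywords are
# case-insensitive and the first occurrence wins.
sshd_setting() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_step2 HOSTS SSHD_CONFIG IP FQDN: one line per finding, non-zero if any.
audit_step2() {
    rc=0
    hosts_maps "$1" "$3" "$4" || { echo "hosts: $3 is not mapped to $4 and its short name"; rc=1; }
    port=$(sshd_setting "$2" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || { echo "sshd: still on the default port 22"; rc=1; }
    # PasswordAuthentication defaults to yes, so a missing line is a finding too.
    [ "$(sshd_setting "$2" PasswordAuthentication)" = no ] || { echo "sshd: password logins are still accepted"; rc=1; }
    return $rc
}

# Constructed sample input (203.0.113.10 is a documentation address).
d=$(mktemp -d)
printf '127.0.0.1 localhost\n203.0.113.10 znode-pie2.pnhl.trade znode-pie2\n' > "$d/hosts"
printf '#Port 22\nPort 2221\nPasswordAuthentication yes\n' > "$d/sshd_config"
audit_step2 "$d/hosts" "$d/sshd_config" 203.0.113.10 znode-pie2.pnhl.trade || true
```

On the real machine, call `audit_step2 /etc/hosts /etc/ssh/sshd_config <your IP> <your FQDN>` before closing the original ssh session.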
Step 3: Install Zencash
- Clone the Zen repo:
mkdir zencash
cd zencash
git clone https://github.com/ZencashOfficial/zen.git
- Compile zen
cd zen
./zcutil/build.sh -j$(nproc)
Given that we only have 1 CPU/1GB RAM (+ swap), be patient. Compiling zen is going to take a while (1+ hour).
- Zen parameters need to be downloaded
./zcutil/fetch-params.sh
- For non-unix folks, this gets very confusing. Directories that start with “.” are hidden directories. In order to see them, you can use “ls -al”. By convention (and because Unix folks are old fashioned) applications are typically in regular directories but the configuration files are in hidden directories (very strange logic, but we are stuck with it).
- Go to config directory and create the config file
cd ~/.zen
vi zen.conf
- Enter the following info (change user and password to whatever you want)
addnode=zpool.blockoperations.com
addnode=zennodes.network
rpcuser=change me to whatever you want
rpcpassword=change me to whatever you want
rpcport=18231
rpcallowip=127.0.0.1
server=1
daemon=1
listen=1
txindex=1
logtimestamps=1
- Start daemon and make sure the blockchain is downloading
cd ~/zencash/zen/src
./zend
./zen-cli getinfo
Be patient with this step, it needs to sync the entire blockchain.
- Put zen in /usr/bin and start automatically
sudo cp zend /usr/bin/
sudo cp zen-cli /usr/bin/
crontab -e
At the bottom insert: @reboot /usr/bin/zend
- Get acme.sh script to request SSL cert
cd ~
mkdir acme
cd acme
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install
cd ~
sudo .acme.sh/acme.sh --issue --standalone -d <fully qualified domain name>
A few critical points for this last command:
- Do NOT issue this command as root, you must issue it as your normal user who owns the zend and secnodetracker processes. If you try to be a too-smart-for-your-own-good sysadmin, the SSL certificate will go to the /root folder and you will end up with a ton of permission problems.
- You must have the complete name of your node. Remember one of the first points: your /etc/hosts file and DNS entries must be correct.
- <fully qualified domain name> means for example: znode-pie2.pnhl.trade or znode.blockoperations.io (not just the name znode-pie2 or znode)
- You may need to copy the certs from the root directory. You can do that by running the following commands:
sudo cp /root/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.cer /home/<USERNAME>/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.cer
sudo cp /root/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.key /home/<USERNAME>/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.key
- Add the ssl cert path to zen.conf
vi ~/.zen/zen.conf
Add the lines (with the correct name for your node):
tlscertpath=/home/<username>/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.cer
tlskeypath=/home/<username>/.acme.sh/<fully qualified domain name>/<fully qualified domain name>.key
Note: Replace <fully qualified domain name> with your node.domainname
- Let's Encrypt is not a trusted certificate authority by default. We need to change that:
sudo mkdir /usr/share/ca-certificates/letsencrypt/
sudo cp /home/<username>/.acme.sh/<fully qualified domain name>/ca.cer /usr/share/ca-certificates/letsencrypt/ca.crt
Note: Replace <fully qualified domain name> with your node.domainname
sudo dpkg-reconfigure ca-certificates
Notice that on the second command, we are changing the name of ca.cer to ca.crt, that’s very important!
Use the spacebar to add an asterisk to the first entry for letsencrypt. Then, hit tab to get to “ok”. Then press enter.
- A few final steps
cd ~/zencash/zen/src
./zen-cli stop
sudo cp zend /usr/bin
sudo cp zen-cli /usr/bin
zend
- Test the installation
cd ~
zen-cli getnetworkinfo
- Make a test connection
mainnet:
openssl s_client -connect <fully qualified domain name>:9033
testnet:
openssl s_client -connect <fully qualified domain name>:19033
Note: Replace <fully qualified domain name> with your node.domainname
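A lint pass over the finished zen.conf, as an added example that is not part of the original guide: it flags the placeholder rpcpassword, any rpcallowip other than 127.0.0.1, and a config or TLS key file that other local users can read. The function names, the 20-character minimum and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): lint the zen.conf built in Step 3.
# Function names and the 20-character minimum are assumptions.

# conf_get FILE KEY: print the value of the first KEY=value line.
conf_get() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# private_file PATH: true if PATH exists and grants nothing to group/other.
private_file() { [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# gen_rpcpassword: 24 random bytes printed as 48 hex characters.
gen_rpcpassword() { head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# lint_zen_conf FILE: one line per finding, non-zero status if any.
lint_zen_conf() {
    conf=$1; rc=0
    private_file "$conf" || { echo "zen.conf: readable by other users (holds rpcpassword)"; rc=1; }
    pw=$(conf_get "$conf" rpcpassword)
    case $pw in
        ''|'change me'*) echo "rpcpassword: unset or still the placeholder"; rc=1 ;;
        *) [ "${#pw}" -ge 20 ] || { echo "rpcpassword: shorter than 20 characters"; rc=1; } ;;
    esac
    # Any rpcallowip other than the guide's 127.0.0.1 widens RPC access.
    if sed -n 's/^rpcallowip=//p' "$conf" | grep -qvx '127\.0\.0\.1'; then
        echo "rpcallowip: RPC is not restricted to 127.0.0.1"; rc=1
    fi
    private_file "$(conf_get "$conf" tlskeypath)" || { echo "tlskeypath: key missing or readable by other users"; rc=1; }
    [ -f "$(conf_get "$conf" tlscertpath)" ] || { echo "tlscertpath: certificate file not found"; rc=1; }
    return $rc
}

# Constructed sample: the guide's zen.conf with its placeholder password
# and empty stand-in files for the certificate and key.
t=$(mktemp -d)
touch "$t/node.cer" "$t/node.key"
cat > "$t/zen.conf" <<EOF
rpcuser=zenrpc
rpcpassword=change me to whatever you want
rpcallowip=127.0.0.1
tlscertpath=$t/node.cer
tlskeypath=$t/node.key
EOF
chmod 644 "$t/zen.conf" "$t/node.key"
lint_zen_conf "$t/zen.conf" || true
```

The sample reports three findings; `chmod 600` on zen.conf and the key, plus a value from `gen_rpcpassword`, clears them.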
Step 4: Install Secure node tracker
This section is based on https://github.com/adumaine/secnodetracker
However, due to the limited OS installation, a few things have been changed.
- Install NPM and Node.js
sudo apt -y install curl
curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
sudo apt -y install nodejs
- Install secnodetracker
cd ~/zencash
git clone https://github.com/ZencashOfficial/secnodetracker.git
Head into the secnodetracker directory with:
cd secnodetracker
Next, run:
npm install
- Send 42 ZEN (or test ZEN – ZNT if still on testnet) from your wallet to a T address in your wallet (not to the VPS). This will be your staking address.
- Create a private address on the securenode
zen-cli z_getnewaddress
- If you forget that address, you can get it with the command
zen-cli z_listaddresses
- Send five transactions of 0.2 ZEN (or ZNT in testnet) to the private address
For an excellent explanation of why five transactions, see: https://www.zen-solutions.io/interesting-issue-found-in-alpha-testing/
- You can monitor your balance on the private address with this command
zen-cli z_gettotalbalance
- We need to set up the tracker now
node setup.js
Question 1: your staking address from your wallet from #3 (that’s the one with the 42 ZEN)
Question 2: any email address you would like to receive notifications
Question 3: the full name of your node (in my case znode-pie2.pnhl.trade)
Question 4: Are you using IPv4 or IPv6 – for most people the answer is 4
Question 5: your region – most likely auto detected by the script
- We want to make sure that the securenodetracker runs all the time. There are many ways to do this, but we will use PM2.
- Install PM2
sudo npm install pm2 -g
pm2 start app.js --name securenodetracker
- To monitor the logs
pm2 logs securenodetracker
- To see the status
pm2 status securenodetracker
- To stop the tracker
pm2 stop securenodetracker
- To automatically start after reboot
Still working on that. The command “pm2 startup” doesn’t work due to the lack of systemd. Other options have so far failed me. Will update this guide once I find a good solution. I am open to suggestions.
Check out the tracking website for your node:
North America: https://securenodes.na.zensystem.io/
Europe: https://securenodes.eu.zensystem.io/
Southeast Asia: https://securenodes.sea.zensystem.io/
You are done, Congrats!