```
├── README.md
├── README.tmpl.md
├── doc-utils
│   └── generate-markdown.js
├── init
│   ├── bitcoind.service
│   ├── btc-rpc-explorer.service
│   ├── eps.service
│   ├── lightningd.service
│   └── spark-wallet.service
├── lightning-backup.md
├── misc
│   └── sysctl.conf
├── package.json
└── scripts
    ├── install-bitcoin.sh
    ├── install-btc-rpc-explorer.sh
    ├── install-clightning.sh
    ├── install-electrum.sh
    ├── install-eps.sh
    ├── install-spark.sh
    └── lightning-backup.sh
```

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------

# Setting up a full Bitcoin Lightning node and wallet
### A step-by-step guide for setting up the perfect Bitcoin box on Ubuntu. Including:
* [Preparing the environment](https://github.com/bitembassy/home-node/blob/master/README.md#preparing-the-environment)
* Services:
  * [Tor](https://github.com/bitembassy/home-node/blob/master/README.md#tor)
  * [Bitcoin Core](https://github.com/bitembassy/home-node/blob/master/README.md#bitcoin-core)
  * [Block Explorer (btc-rpc-explorer)](https://github.com/bitembassy/home-node/blob/master/README.md#btc-rpc-explorer)
  * [Electrum Wallet](https://github.com/bitembassy/home-node/blob/master/README.md#electrum-wallet)
  * [Electrum Personal Server](https://github.com/bitembassy/home-node/blob/master/README.md#electrum-personal-server)
  * -- [Take a break to sync](https://github.com/bitembassy/home-node/blob/master/README.md#take-a-break-to-sync) --
  * [Lightning node (c-lightning)](https://github.com/bitembassy/home-node/blob/master/README.md#c-lightning)
  * [Spark Lightning wallet](https://github.com/bitembassy/home-node/blob/master/README.md#spark-wallet)
* [Adding to startup](https://github.com/bitembassy/home-node/blob/master/README.md#startup-services)
* [LAN access](https://github.com/bitembassy/home-node/blob/master/README.md#lan-access)
* [Tor Hidden Services for remote access](https://github.com/bitembassy/home-node/blob/master/README.md#tor-hidden-services)
* [Updating software](https://github.com/bitembassy/home-node/blob/master/README.md#updating-software)

> Note: a dedicated, always-online computer and a fresh Ubuntu 18.04 install are recommended. Some of the settings may interfere with existing software.

The accompanying slides are available here: [part 1](https://docs.google.com/presentation/d/1GTCn0uj1EWIMeppk4o0BVdwhx--jbjQDPlrIf2oaXjQ/edit?usp=sharing),
[part 2](https://docs.google.com/presentation/d/19J1qxgRFJk7flsCle6dfbwKRF0rDQMrze5DpXdhFxdU/edit).

## Preparing the environment

### Updates
```bash
# Fetch the list of available updates, upgrade current
sudo apt update &&
sudo apt upgrade -y &&
sudo apt autoremove -y
```

### Security
```bash
# Setup firewall
sudo ufw enable &&
sudo ufw allow from 127.0.0.1 to any &&

# Secure shared memory
echo "tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0" | sudo tee -a /etc/fstab
```

Edit `/etc/sysctl.conf`
```bash
sudo gedit /etc/sysctl.conf
```
Copy [this](https://github.com/bitembassy/home-node/raw/master/misc/sysctl.conf), paste at the bottom and save.


### Common dependencies

```bash
sudo apt install -y nodejs npm git &&

# Install global npm packages to ~/.npm-global (prevents permission headaches, see https://docs.npmjs.com/resolving-eacces-permissions-errors-when-installing-packages-globally)
mkdir ~/.npm-global && npm config set prefix '~/.npm-global' &&
echo 'export PATH=~/.npm-global/bin:$PATH' | tee -a ~/.profile ~/.bashrc && source ~/.profile
```

### PGP keyservers

At the time of writing, the default gpg keyservers appear to be unavailable.
They can be changed to Ubuntu's keyservers with:

```bash
echo 'keyserver hkp://keyserver.ubuntu.com' | tee -a ~/.gnupg/gpg.conf
```

### Developer signing keys

Add the public keys of the developers whose software we'll be using.
This is required for later verifying their signatures.

> Please verify these keys first! Some places to start looking:
>
> - https://bitcoincore.org/en/download/
> - https://github.com/spesmilo/electrum/tree/master/pubkeys
> - https://keybase.io/rusty
> - https://tailsjoin.github.io/
> - https://github.com/shesek/spark-wallet#code-signing--reproducible-builds
> - https://keybase.io/danjanosik


```bash
# Wladimir J. van der Laan (Bitcoin Core binary release signing key)
gpg --recv-keys 01EA5486DE18A882D4C2684590C8019E36C2E964 &&

# Thomas Voegtlin (Electrum maintainer)
gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 &&

# Rusty Russell (Bitcoin Core contributor and c-lightning maintainer)
gpg --recv-keys 15EE8D6CAB0E7F0CF999BFCBD9200E6CD1ADB8F1 &&

# Chris Belcher (Electrum Personal Server and JoinMarket maintainer)
gpg --recv-keys 0A8B038F5E10CC2789BFCFFFEF734EA677F31129 &&

# Nadav Ivgi (Spark, Lightning Charge, Esplora)
gpg --recv-keys FCF19B67866562F08A43AAD681F6104CD0F150FC &&

# Dan Janosik (btc-rpc-explorer maintainer)
gpg --recv-keys F579929B39B119CC7B0BB71FB326ACF51F317B69
```

## Tor

To install Tor as a system service:

```bash
sudo apt install -y tor
```

Tor will automatically start running as a background service.

To install the Tor Browser Bundle:

```bash
sudo apt install -y torbrowser-launcher &&

# Fix for https://bugs.python.org/issue20087, necessary for torbrowser-launcher < 0.3
sudo update-locale LANG=en_US.UTF-8 && source /etc/default/locale
```

You can start the Tor Browser with `torbrowser-launcher` from the command line,
or using the launcher (due to the locale bug, this only works after a logout & login).

## Bitcoin Core

### Installing
```bash
# Create dir for installation files
mkdir -p ~/bitcoin-installation && cd ~/bitcoin-installation && rm -rf * &&

# Download binaries
wget https://bitcoincore.org/bin/bitcoin-core-0.17.1/bitcoin-0.17.1-x86_64-linux-gnu.tar.gz &&

# Download signature
wget https://bitcoincore.org/bin/bitcoin-core-0.17.1/SHA256SUMS.asc &&

# Verify signature - should see "Good signature from Wladimir J. van der Laan (Bitcoin Core binary release signing key)"
gpg --verify SHA256SUMS.asc &&

# Verify the binary matches the signed hash in SHA256SUMS.asc - should see "bitcoin-0.17.1-x86_64-linux-gnu.tar.gz: OK"
grep bitcoin-0.17.1-x86_64-linux-gnu.tar.gz SHA256SUMS.asc | sha256sum -c - &&

# Unpack binaries
tar xvf bitcoin-0.17.1-x86_64-linux-gnu.tar.gz &&

# Install binaries system-wide (requires password)
sudo cp bitcoin-0.17.1/bin/* /usr/bin
```

### Configuring
Create and edit `bitcoin.conf`

```bash
mkdir -p ~/.bitcoin &&
gedit ~/.bitcoin/bitcoin.conf
```
Add the following and save:
```bash
server=1

# Connect via Tor, comment if you prefer to connect directly
proxy=127.0.0.1:9050

# No incoming connections (requires port forwarding or a hidden service)
nolisten=1

# For faster sync, set according to available memory. For example, with 8GB memory, something like dbcache=5000 might make sense. Check total memory with `free -m`.
# For reduced memory usage, this can be tuned down or removed once the initial sync is complete. The default is 300 (MB).
dbcache=1000

# Optional extended transaction index (takes more space, required for btc-rpc-explorer)
txindex=1

# Reduce storage requirements (won't work with btc-rpc-explorer)
# prune=50000 # ~6 months, 50GB

# Reduce bandwidth requirements (node won't show unconfirmed transactions)
# blocksonly=1
```

Also see [jlopp's bitcoin core config generator](https://jlopp.github.io/bitcoin-core-config-generator/).

### Running
```bash
bitcoind
```

To test bitcoind is running:
```bash
bitcoin-cli getblockchaininfo
```

## btc-rpc-explorer

### Installing
```bash
# Cleanup previous source code files (if any)
rm -rf ~/btc-rpc-explorer &&

# Download source
git clone https://github.com/janoside/btc-rpc-explorer ~/btc-rpc-explorer && cd ~/btc-rpc-explorer &&
git checkout 1ca6f54b93a56d942a90f3e0072265c9df3b9e6c &&

# Verify signature - should see "Good signature from Dan Janosik"
git verify-commit HEAD &&

# Install user-wide
npm install -g
```

### Configuring

Create and edit `~/.config/btc-rpc-explorer.env`, add the following line to enable password protection:

```bash
BTCEXP_BASIC_AUTH_PASSWORD=mySecretPassword
```

> Note: don't forget to change `mySecretPassword` to your own password.
> You can set the password to anything, it will be required to access the explorer.

Refer to the [btc-rpc-explorer docs](https://github.com/janoside/btc-rpc-explorer) for the full list of options.

### Running
```bash
btc-rpc-explorer
```

Then open http://localhost:3002/node-status and login with an empty username and your `mySecretPassword`.

## Electrum Wallet

### Installing

```bash
# Install dependencies
sudo apt install -y python3-setuptools python3-pyqt5 python3-pip &&

# Create dir for installation files
mkdir -p ~/electrum-installation && cd ~/electrum-installation && rm -rf * &&

# Download source
wget https://download.electrum.org/3.3.4/Electrum-3.3.4.tar.gz &&

# Download signature
wget https://download.electrum.org/3.3.4/Electrum-3.3.4.tar.gz.asc &&

# Verify signature - should see "Good signature from Thomas Voegtlin (https://electrum.org)"
gpg --verify Electrum-3.3.4.tar.gz.asc Electrum-3.3.4.tar.gz &&

# Unpack
tar xvf Electrum-3.3.4.tar.gz && cd Electrum-3.3.4 &&

# Install dependencies (quoted so the shell doesn't treat [fast] as a glob)
pip3 install '.[fast]' &&

# Install system-wide (requires sudo password)
sudo ./setup.py install
```

### Configuring
```bash
# Connect to local EPS server only
electrum setconfig server 127.0.0.1:50002:s &&
electrum setconfig oneserver true
```

### Running
Electrum can now be opened from the launcher or using the command line with `electrum`.

> Note: You may now open Electrum and configure a wallet, but it won't connect to a server until EPS is configured (next step) and `bitcoind` is synced.
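The Bitcoin Core, btc-rpc-explorer and Electrum installation blocks above each stop at "should see Good signature from ...", which relies on the operator reading gpg's human-oriented output. The following script is an added example, not code from the home-node repo: it parses gpg's machine-readable `--status-fd` lines and accepts a release only if the `VALIDSIG` line names the expected primary-key fingerprint (the last field, which stays the same even when a signing subkey made the signature), then compares the tarball's digest with the entry in the signed `SHA256SUMS` file. The fingerprints are the ones added under "Developer signing keys"; the sample status lines and file names in `demo` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not part of the home-node repo): check a signed release by
# key fingerprint instead of eyeballing "Good signature from ...".
set -u

LAANWJ_FPR=01EA5486DE18A882D4C2684590C8019E36C2E964   # Bitcoin Core binary releases
IVGI_FPR=FCF19B67866562F08A43AAD681F6104CD0F150FC     # Spark Wallet releases

# gpg_validsig STATUS_TEXT FINGERPRINT
# STATUS_TEXT is the output of `gpg --status-fd 1 --verify ...`. Succeeds only if
# a VALIDSIG line is present whose last field (primary key fingerprint) equals
# FINGERPRINT and no line reports a bad, missing, expired-key or revoked-key signature.
gpg_validsig() {
  local status="$1" fpr="$2"
  if printf '%s\n' "$status" | grep -qE '^\[GNUPG:\] (BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NODATA) '; then
    return 1
  fi
  printf '%s\n' "$status" | grep -qE "^\[GNUPG:\] VALIDSIG .* ${fpr}\$"
}

# sha256_matches FILE SUMS_FILE
# Compares FILE's digest with the line naming it in SUMS_FILE (sha256sum format:
# "<hex>  <name>", or "<hex> *<name>" for binary mode). Fails if there is no entry.
sha256_matches() {
  local file="$1" sums="$2" name expected actual
  name=$(basename "$file")
  expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  [ "$expected" = "$actual" ]
}

# verify_release TARBALL SUMS_ASC FINGERPRINT
# The combined check used for Bitcoin Core and Spark: the signature on SUMS_ASC
# must be by FINGERPRINT, and TARBALL must match its signed digest.
# Usage: verify_release bitcoin-0.17.1-x86_64-linux-gnu.tar.gz SHA256SUMS.asc "$LAANWJ_FPR"
verify_release() {
  local tarball="$1" sums="$2" fpr="$3" status
  status=$(gpg --batch --status-fd 1 --verify "$sums" 2>/dev/null) || true
  if ! gpg_validsig "$status" "$fpr"; then
    echo "$sums: no valid signature by $fpr" >&2
    return 1
  fi
  sha256_matches "$tarball" "$sums"
}

# Constructed sample status output (not captured from a real run). The signature
# is made by a subkey (first VALIDSIG field); the last field is the primary key.
SAMPLE_STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 90C8019E36C2E964 Wladimir J. van der Laan (Bitcoin Core binary release signing key)
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2019-02-05 1549400000 0 4 0 1 10 01 01EA5486DE18A882D4C2684590C8019E36C2E964'
SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 90C8019E36C2E964 Wladimir J. van der Laan (Bitcoin Core binary release signing key)'

demo() {
  gpg_validsig "$SAMPLE_STATUS_GOOD" "$LAANWJ_FPR" && echo "good status, expected key: accepted"
  gpg_validsig "$SAMPLE_STATUS_GOOD" "$IVGI_FPR"   || echo "good status, wrong key: rejected"
  gpg_validsig "$SAMPLE_STATUS_BAD"  "$LAANWJ_FPR" || echo "bad signature: rejected"
}
```

Note that `gpg --verify` exits 0 for any good signature by any key in your keyring, so without the fingerprint check a signature from an unrelated imported key would pass. Electrum's detached signature is over the tarball itself rather than a sums file; for it, run `gpg --status-fd 1 --verify Electrum-3.3.4.tar.gz.asc Electrum-3.3.4.tar.gz` and pass the output to `gpg_validsig` with the Electrum maintainer's fingerprint.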

## Electrum Personal Server

### Installing
```bash
# Cleanup previous source code files (if any)
rm -rf ~/eps &&

# Download source
git clone https://github.com/chris-belcher/electrum-personal-server.git ~/eps && cd ~/eps &&

# Checkout v0.1.6 (latest stable)
git checkout eps-v0.1.6 &&

# Verify signature - should see 'Good signature from "Chris Belcher"'
git verify-commit HEAD &&

# Install user-wide
pip3 install --user .
```

### Configuring

Copy the sample configuration file as `config.cfg` and edit it:
```bash
cp ~/eps/config.cfg_sample ~/eps/config.cfg &&
gedit ~/eps/config.cfg
```

Find your Master Public Key in Electrum wallet (Wallet > Information) and add it to `config.cfg` under `[master-public-keys]` as a new line with `{wallet_name}={master_pubkey}`.
`wallet_name` can be anything. For example:

```bash
mywallet=zpub6rFR7y4Q2AijBEqTUquhVz398htDFrtymD9xYYfG1m4wAcvPhXNfE3EfH1r1ADqtfSdVCToUG868RvUUkgDKf31mGDtKsAYz2oz2AGutZYs
```


Save `config.cfg`

### Running
```bash
electrum-personal-server ~/eps/config.cfg
```

When running for the first time, EPS will import the addresses and quit. You should start it again.

If you're importing an existing wallet with historical transactions, a rescan will be required: `electrum-personal-server-rescan ~/eps/config.cfg`

> Note: Electrum Wallet will only connect to Electrum Personal Server once bitcoind is synced.

## Take a break to sync
Now is a good time to sit back and wait for all the Bitcoin blocks to download before continuing to the Lightning part. It will take quite a while.
You can follow the progress on the terminal with `bitcoin-cli getblockchaininfo` or with btc-rpc-explorer on http://localhost:3002/node-status.

Meanwhile you may want to [setup startup services for bitcoind, btc-rpc-explorer and eps](https://github.com/bitembassy/home-node/blob/master/README.md#stage-1-bitcoin-eps-btc-rpc-explorer) and test a restart.

You may also continue to set up remote access to btc-rpc-explorer and EPS from your [local network](https://github.com/bitembassy/home-node/blob/master/README.md#lan-access), or from anywhere using [Tor Hidden Services](https://github.com/bitembassy/home-node/blob/master/README.md#tor-hidden-services).

Once the sync is complete, Electrum wallet should connect to EPS (a green circle on the bottom-right) and we can continue to the Lightning part!

## c-lightning

### Installing
```bash
# Install dependencies
sudo apt install -y autoconf automake build-essential libtool libgmp-dev libsqlite3-dev net-tools zlib1g-dev &&

# Cleanup previous source code files (if any)
rm -rf ~/lightning &&

# Download source
(git clone https://github.com/ElementsProject/lightning ~/lightning || git -C ~/lightning fetch) &&

# Checkout latest stable
cd ~/lightning && git checkout v0.7.0 &&

# Verify signature - should see: Good signature from "Rusty Russell"
git verify-tag v0.7.0 &&

# Build
./configure && make &&

# Install system-wide (requires sudo password)
sudo make install
```
### Configuring
Create and edit `~/.lightning/config`

```bash
mkdir -p ~/.lightning &&
gedit ~/.lightning/config
```
Add the following and save:
```bash
# default network is testnet, "bitcoin" means mainnet
network=bitcoin

# connect via Tor, comment to connect directly
# might be wise to turn off during initial sync
proxy=127.0.0.1:9050

# Peers won't be able to initiate the opening of new channels with this node (the node will initiate instead). To allow that, a static IP or a Tor hidden service must be configured.
autolisten=false

# uncomment to set your own (public) alias. By default a random one is chosen.
# for privacy reasons, it is recommended not to set a custom alias.
#alias=MyPublicNodeAlias
```
### Running
```bash
lightningd --log-level=debug
```
To test c-lightning is running:
```bash
lightning-cli getinfo
```
### Backup
There are two important files to backup:

`~/.lightning/hsm_secret` must be backed up once.
`~/.lightning/lightningd.sqlite3` must be backed up regularly.

Instructions for setting up backups [are available here](https://github.com/bitembassy/home-node/blob/master/lightning-backup.md), including optional encrypted cloud backups to Keybase.

## Spark Wallet

### Installing
```bash
# Create dir for installation files
mkdir -p ~/spark-installation && cd ~/spark-installation && rm -rf * &&

# Download npm package
wget https://github.com/shesek/spark-wallet/releases/download/v0.2.4/spark-wallet-0.2.4-npm.tgz &&

# Download signature
wget https://github.com/shesek/spark-wallet/releases/download/v0.2.4/SHA256SUMS.asc &&

# Verify signature - should show "Good signature from Nadav Ivgi"
gpg --verify SHA256SUMS.asc &&

# Verify the downloaded binary matches the signed hash in SHA256SUMS.asc
grep spark-wallet-0.2.4-npm.tgz SHA256SUMS.asc | sha256sum -c - &&

# Install user-wide
npm install -g spark-wallet-0.2.4-npm.tgz
```

### Configuring

The default configuration options should work out-of-the-box.
You may set custom config options in `~/.spark-wallet/config`.

To set custom login credentials instead of the randomly generated ones, add a line with `login=myUsername:myPassword`.

Refer to the [spark docs](https://github.com/shesek/spark-wallet) for the full list of options.

### Running
```bash
spark-wallet --pairing-url
```

Spark will automatically generate random credentials and save them to `~/.spark-wallet/cookie`.

The `--pairing-url` option will print the pairing URL, which includes your wallet access key. You can open this URL to access your wallet.
It will look like this: `http://localhost:9737/?access-key=[...]`.

You may also use `--pairing-qr` to print a QR code with the pairing URL (useful for mobile access).


## Startup services

> Note: If you already have the services running from the terminal, stop them before starting the systemd service.

### Stage 1: Bitcoin, EPS, btc-rpc-explorer

```bash
# Download home-node repo
git clone https://github.com/bitembassy/home-node ~/home-node && cd ~/home-node &&

# Verify signature - should see "Good signature from Nadav Ivgi"
git verify-commit HEAD &&

# Copy service init files
sudo cp init/{bitcoind,eps,btc-rpc-explorer}.service /etc/systemd/system/ &&

# Reload systemd, enable services, start them
sudo systemctl daemon-reload &&
sudo systemctl start bitcoind && sudo systemctl enable bitcoind &&
sudo systemctl start eps && sudo systemctl enable eps &&
sudo systemctl start btc-rpc-explorer && sudo systemctl enable btc-rpc-explorer
```

### Stage 2: Lightning, Spark
```bash
# Copy service init files
sudo cp ~/home-node/init/{lightningd,spark-wallet}.service /etc/systemd/system/ &&

# Reload systemd, enable services, start them
sudo systemctl daemon-reload &&
sudo systemctl start lightningd && sudo systemctl enable lightningd &&
sudo systemctl start spark-wallet && sudo systemctl enable spark-wallet
```

### Controlling services

- Start: `sudo systemctl start <service>`
- Restart: `sudo systemctl restart <service>`
- Stop: `sudo systemctl stop <service>`
- Status: `sudo systemctl status <service>`

The service names are: `bitcoind`, `lightningd`, `btc-rpc-explorer`, `eps` and `spark-wallet`

## LAN access

To connect to EPS, Spark and btc-rpc-explorer over the local network
you will need to configure the services to bind on `0.0.0.0` and add a firewall rule allowing local connections.

### Configuring the services

- To configure EPS: open `~/eps/config.cfg` and under `[electrum-server]` change `host=127.0.0.1` to `host=0.0.0.0`.

- To configure Spark: open `~/.spark-wallet/config` and add a new line with `host=0.0.0.0`.

- To configure btc-rpc-explorer: open `~/.config/btc-rpc-explorer.env` and add a new line with `BTCEXP_HOST=0.0.0.0`.

You can configure all three using the following commands:

```bash
# Only the host line inside [electrum-server] is changed; the one under [bitcoin-rpc] must stay 127.0.0.1
awk '/^\[/{in_section=0} /^\[electrum-server\]/{in_section=1} in_section&&/^host[ \t]*=/{sub(/=.*/,"= 0.0.0.0")} 1' ~/eps/config.cfg > ~/eps/config.cfg.new && mv ~/eps/config.cfg.new ~/eps/config.cfg &&
mkdir -p ~/.spark-wallet && echo host=0.0.0.0 | tee -a ~/.spark-wallet/config &&
echo BTCEXP_HOST=0.0.0.0 | tee -a ~/.config/btc-rpc-explorer.env
```

Restart the services for the changes to take effect:

```bash
sudo systemctl restart eps && sudo systemctl restart spark-wallet && sudo systemctl restart btc-rpc-explorer
```

### Firewall rules

You will need to add a firewall rule allowing access from your local network IP address range.
For example, if your IP range is `192.168.1.x`, run:

```bash
sudo ufw allow from 192.168.1.0/24 to any port 50002,3002,9737,22 proto tcp
```

The following script can be used to try and automatically detect your network IP range and add a
matching firewall rule:

```bash
ips=($(ip -4 -o -f inet addr show | grep 'scope global dynamic' | tr -s ' ' | cut -d' ' -f4)) &&
if [ ${#ips[@]} -ne 1 ]; then echo "multiple networks found, cannot determine IP address"; \
else (set -x; sudo ufw allow from ${ips[0]} to any port 50002,3002,9737,22 proto tcp); fi
```

> Note: You may want to define a Static DHCP Lease on your router for your node, so the IP won't change and local clients can find it.

## SSH access (optional)

```bash
sudo apt install -y openssh-server &&

# disable root login, disable password auth
# (Ubuntu ships both directives commented out, so the pattern must also match a leading '#')
sudo sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config &&
sudo sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config &&

# check the config still parses, then reload
sudo sshd -t &&
sudo service ssh reload

# TODO: set nonstandard SSH port? instructions for setting up keys?
```

To ensure SSH access availability, you may want to accept SSH connections from all sources with `sudo ufw allow ssh`.
This is less secure than white-listing source IPs, but may be considered acceptable for the SSH daemon.
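Editing `sshd_config` with a substitution has two failure modes worth handling: Ubuntu's stock file ships `PermitRootLogin` and `PasswordAuthentication` commented out, so a pattern anchored on the bare directive name matches nothing and password logins stay enabled, and a directive appended to the end of the file can land inside a `Match` block, where it only applies to that block's users. The function below is an added example, not code from the home-node repo: it rewrites the first commented or active occurrence in place, and if there is none it inserts the directive before the first `Match` line. The sample configuration is constructed to exercise both cases.

```bash
#!/usr/bin/env bash
# Added example (not part of the home-node repo): set an sshd_config directive
# idempotently, handling commented-out defaults and Match blocks.

# set_sshd_option FILE KEY VALUE
# Prints FILE to stdout with KEY set to VALUE in the global section:
#  - the first existing line for KEY (active or commented with '#') is replaced in place;
#  - otherwise the directive is inserted just before the first "Match" block;
#  - otherwise it is appended at the end.
set_sshd_option() {
  awk -v key="$2" -v val="$3" '
    BEGIN { done = 0 }
    # Everything after a Match line is conditional, so place the directive before it.
    !done && /^[ \t]*Match[ \t]/ { print key " " val; done = 1 }
    # First occurrence of the directive, commented or not, is rewritten in place.
    !done && $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") { print key " " val; done = 1; next }
    { print }
    END { if (!done) print key " " val }
  ' "$1"
}

# effective_sshd_option FILE KEY
# Prints the value sshd would use: the first active (uncommented) global KEY line.
effective_sshd_option() {
  awk -v key="$2" '/^[ \t]*Match[ \t]/ { exit } $1 == key { print $2; exit }' "$1"
}

# Constructed sample resembling Ubuntu's stock sshd_config plus a Match block.
SAMPLE_SSHD_CONFIG='#PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User git
    PasswordAuthentication yes'

demo() {
  local src out
  src=$(mktemp); out=$(mktemp)
  printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$src"
  # Before: the directive is only a comment, so sshd falls back to its default (yes).
  echo "before: PasswordAuthentication=$(effective_sshd_option "$src" PasswordAuthentication)"
  set_sshd_option "$src" PasswordAuthentication no > "$out"
  echo "after:  PasswordAuthentication=$(effective_sshd_option "$out" PasswordAuthentication)"
  cat "$out"
  rm -f "$src" "$out"
}
```

On a real host, write the output to a temporary file, run `sudo sshd -t -f <file>` to make sure it parses, and only then move it over `/etc/ssh/sshd_config` and reload the service.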

## Tor Hidden Services

Edit `/etc/tor/torrc`, add:

```
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServiceVersion 3
HiddenServicePort 50002 127.0.0.1:50002
HiddenServicePort 3002 127.0.0.1:3002
HiddenServicePort 9737 127.0.0.1:9737
HiddenServicePort 9090 127.0.0.1:9090
HiddenServicePort 22 127.0.0.1:22
```

Then restart with: `sudo service tor restart`

To get your `.onion` hostname: `sudo cat /var/lib/tor/hidden_service/hostname`

To make Spark aware of its `.onion` address, edit `~/.spark-wallet/config` and add a line with: `public-url=http://[your-host-name].onion:9737/`

This can be done automatically with:

```bash
echo public-url=http://`sudo cat /var/lib/tor/hidden_service/hostname`:9737/ | tee -a ~/.spark-wallet/config
```

Your onion server exposes the following services:

- Port `50002`: Electrum Personal Server
- Port `9737`: Spark Wallet
- Port `3002`: btc-rpc-explorer
- Port `9090`: Cockpit
- Port `22`: SSH server

For example, to access btc-rpc-explorer, open `[your-host-name].onion:3002` in any Tor Browser.


## Updating software

You can update the installed software by re-running the installation scripts.
You can copy the commands from this README, or fetch and run them from git using:

```bash
# Download home-node repo
git clone https://github.com/bitembassy/home-node ~/home-node && cd ~/home-node &&

# Verify signature - should see "Good signature from Nadav Ivgi"
git verify-commit HEAD &&

# To update bitcoin core
./scripts/install-bitcoin.sh &&

# To update c-lightning
./scripts/install-clightning.sh &&

# To update electrum
./scripts/install-electrum.sh &&

# To update electrum personal server
./scripts/install-eps.sh &&

# To update spark wallet
./scripts/install-spark.sh &&

# To update btc-rpc-explorer
./scripts/install-btc-rpc-explorer.sh
```

--------------------------------------------------------------------------------
/README.tmpl.md:
--------------------------------------------------------------------------------

# Setting up a full Bitcoin Lightning node and wallet
### A step-by-step guide for setting up the perfect Bitcoin box on Ubuntu. Including:
* [Preparing the environment](https://github.com/bitembassy/home-node/blob/master/README.md#preparing-the-environment)
* Services:
  * [Tor](https://github.com/bitembassy/home-node/blob/master/README.md#tor)
  * [Bitcoin Core](https://github.com/bitembassy/home-node/blob/master/README.md#bitcoin-core)
  * [Block Explorer (btc-rpc-explorer)](https://github.com/bitembassy/home-node/blob/master/README.md#btc-rpc-explorer)
  * [Electrum Wallet](https://github.com/bitembassy/home-node/blob/master/README.md#electrum-wallet)
  * [Electrum Personal Server](https://github.com/bitembassy/home-node/blob/master/README.md#electrum-personal-server)
  * -- [Take a break to sync](https://github.com/bitembassy/home-node/blob/master/README.md#take-a-break-to-sync) --
  * [Lightning node (c-lightning)](https://github.com/bitembassy/home-node/blob/master/README.md#c-lightning)
  * [Spark Lightning wallet](https://github.com/bitembassy/home-node/blob/master/README.md#spark-wallet)
* [Adding to startup](https://github.com/bitembassy/home-node/blob/master/README.md#startup-services)
* [LAN access](https://github.com/bitembassy/home-node/blob/master/README.md#lan-access)
* [Tor Hidden Services for remote access](https://github.com/bitembassy/home-node/blob/master/README.md#tor-hidden-services)
* [Updating software](https://github.com/bitembassy/home-node/blob/master/README.md#updating-software)

> Note: a dedicated, always-online computer and a fresh Ubuntu 18.04 install are recommended. Some of the settings may interfere with existing software.

The accompanying slides are available here: [part 1](https://docs.google.com/presentation/d/1GTCn0uj1EWIMeppk4o0BVdwhx--jbjQDPlrIf2oaXjQ/edit?usp=sharing),
[part 2](https://docs.google.com/presentation/d/19J1qxgRFJk7flsCle6dfbwKRF0rDQMrze5DpXdhFxdU/edit).

## Preparing the environment

### Updates
```bash
# Fetch the list of available updates, upgrade current
sudo apt update &&
sudo apt upgrade -y &&
sudo apt autoremove -y
```

### Security
```bash
# Setup firewall
sudo ufw enable &&
sudo ufw allow from 127.0.0.1 to any &&

# Secure shared memory
echo "tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0" | sudo tee -a /etc/fstab
```

Edit `/etc/sysctl.conf`
```bash
sudo gedit /etc/sysctl.conf
```
Copy [this](https://github.com/bitembassy/home-node/raw/master/misc/sysctl.conf), paste at the bottom and save.


### Common dependencies

```bash
sudo apt install -y nodejs npm git &&

# Install global npm packages to ~/.npm-global (prevents permission headaches, see https://docs.npmjs.com/resolving-eacces-permissions-errors-when-installing-packages-globally)
mkdir ~/.npm-global && npm config set prefix '~/.npm-global' &&
echo 'export PATH=~/.npm-global/bin:$PATH' | tee -a ~/.profile ~/.bashrc && source ~/.profile
```

### PGP keyservers

At the time of writing, the default gpg keyservers appear to be unavailable.
They can be changed to Ubuntu's keyservers with:

```bash
echo 'keyserver hkp://keyserver.ubuntu.com' | tee -a ~/.gnupg/gpg.conf
```

### Developer signing keys

Add the public keys of the developers whose software we'll be using.
This is required for later verifying their signatures.

> Please verify these keys first! Some places to start looking:
>
> - https://bitcoincore.org/en/download/
> - https://github.com/spesmilo/electrum/tree/master/pubkeys
> - https://keybase.io/rusty
> - https://tailsjoin.github.io/
> - https://github.com/shesek/spark-wallet#code-signing--reproducible-builds
> - https://keybase.io/danjanosik


```bash
# Wladimir J. van der Laan (Bitcoin Core binary release signing key)
gpg --recv-keys 01EA5486DE18A882D4C2684590C8019E36C2E964 &&

# Thomas Voegtlin (Electrum maintainer)
gpg --recv-keys 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 &&

# Rusty Russell (Bitcoin Core contributor and c-lightning maintainer)
gpg --recv-keys 15EE8D6CAB0E7F0CF999BFCBD9200E6CD1ADB8F1 &&

# Chris Belcher (Electrum Personal Server and JoinMarket maintainer)
gpg --recv-keys 0A8B038F5E10CC2789BFCFFFEF734EA677F31129 &&

# Nadav Ivgi (Spark, Lightning Charge, Esplora)
gpg --recv-keys FCF19B67866562F08A43AAD681F6104CD0F150FC &&

# Dan Janosik (btc-rpc-explorer maintainer)
gpg --recv-keys F579929B39B119CC7B0BB71FB326ACF51F317B69
```

## Tor

To install Tor as a system service:

```bash
sudo apt install -y tor
```

Tor will automatically start running as a background service.

To install the Tor Browser Bundle:

```bash
sudo apt install -y torbrowser-launcher &&

# Fix for https://bugs.python.org/issue20087, necessary for torbrowser-launcher < 0.3
sudo update-locale LANG=en_US.UTF-8 && source /etc/default/locale
```

You can start the Tor Browser with `torbrowser-launcher` from the command line,
or using the launcher (due to the locale bug, this only works after a logout & login).

## Bitcoin Core

### Installing
```bash
{{include scripts/install-bitcoin.sh}}
```

### Configuring
Create and edit `bitcoin.conf`

```bash
mkdir -p ~/.bitcoin &&
gedit ~/.bitcoin/bitcoin.conf
```
Add the following and save:
```bash
server=1

# Connect via Tor, comment if you prefer to connect directly
proxy=127.0.0.1:9050

# No incoming connections (requires port forwarding or a hidden service)
nolisten=1

# For faster sync, set according to available memory. For example, with 8GB memory, something like dbcache=5000 might make sense. Check total memory with `free -m`.
# For reduced memory usage, this can be tuned down or removed once the initial sync is complete. The default is 300 (MB).
dbcache=1000

# Optional extended transaction index (takes more space, required for btc-rpc-explorer)
txindex=1

# Reduce storage requirements (won't work with btc-rpc-explorer)
# prune=50000 # ~6 months, 50GB

# Reduce bandwidth requirements (node won't show unconfirmed transactions)
# blocksonly=1
```

Also see [jlopp's bitcoin core config generator](https://jlopp.github.io/bitcoin-core-config-generator/).

### Running
```bash
bitcoind
```

To test bitcoind is running:
```bash
bitcoin-cli getblockchaininfo
```

## btc-rpc-explorer

### Installing
```bash
{{include scripts/install-btc-rpc-explorer.sh}}
```

### Configuring

Create and edit `~/.config/btc-rpc-explorer.env`, add the following line to enable password protection:

```bash
BTCEXP_BASIC_AUTH_PASSWORD=mySecretPassword
```

> Note: don't forget to change `mySecretPassword` to your own password.
> You can set the password to anything, it will be required to access the explorer.

Refer to the [btc-rpc-explorer docs](https://github.com/janoside/btc-rpc-explorer) for the full list of options.

### Running
```bash
btc-rpc-explorer
```

Then open http://localhost:3002/node-status and login with an empty username and your `mySecretPassword`.

## Electrum Wallet

### Installing

```bash
{{include scripts/install-electrum.sh}}
```

### Configuring
```bash
# Connect to local EPS server only
electrum setconfig server 127.0.0.1:50002:s &&
electrum setconfig oneserver true
```

### Running
Electrum can now be opened from the launcher or using the command line with `electrum`.

> Note: You may now open Electrum and configure a wallet, but it won't connect to a server until EPS is configured (next step) and `bitcoind` is synced.
## Electrum Personal Server

### Installing
```bash
{{include scripts/install-eps.sh}}
```

### Configuring

Copy the sample configuration file as `config.cfg` and edit it:
```bash
cp ~/eps/config.cfg_sample ~/eps/config.cfg &&
gedit ~/eps/config.cfg
```

Find your Master Public Key in the Electrum wallet (Wallet > Information) and add it to `config.cfg` under `[master-public-keys]` as a new line with `{wallet_name}={master_pubkey}`.
`wallet_name` can be anything. For example:

```bash
mywallet=zpub6rFR7y4Q2AijBEqTUquhVz398htDFrtymD9xYYfG1m4wAcvPhXNfE3EfH1r1ADqtfSdVCToUG868RvUUkgDKf31mGDtKsAYz2oz2AGutZYs
```

Save `config.cfg`.

### Running
```bash
electrum-personal-server ~/eps/config.cfg
```

When running for the first time, EPS will import the addresses and quit. Start it again afterwards.

If you're importing an existing wallet with historical transactions, a rescan will be required: `electrum-personal-server-rescan ~/eps/config.cfg`

> Note: Electrum Wallet will only connect to Electrum Personal Server once bitcoind is synced.

## Take a break to sync
Now is a good time to sit back and wait for all the Bitcoin blocks to download before continuing to the Lightning part. It will take quite a while. You can follow the progress on the terminal with `bitcoin-cli getblockchaininfo` or with btc-rpc-explorer on http://localhost:3002/node-status

Meanwhile you may want to [set up startup services for bitcoind, btc-rpc-explorer and eps](https://github.com/bitembassy/home-node/blob/master/README.md#stage-1-bitcoin-eps-btc-rpc-explorer) and test a restart.
You may also continue to setting up remote access to btc-rpc-explorer and EPS from your [local network](https://github.com/bitembassy/home-node/blob/master/README.md#lan-access), or from anywhere using [Tor Hidden Services](https://github.com/bitembassy/home-node/blob/master/README.md#tor-hidden-services).

Once the sync is complete, Electrum wallet should connect to EPS (a green circle on the bottom-right) and we can continue to the Lightning part!

## c-lightning

### Installing
```bash
{{include scripts/install-clightning.sh}}
```
### Configuring
Create and edit `~/.lightning/config`:

```bash
mkdir -p ~/.lightning &&
gedit ~/.lightning/config
```
Add the following and save:
```bash
# default network is testnet, "bitcoin" means mainnet
network=bitcoin

# connect via Tor, comment out to connect directly
# might be wise to turn off during initial sync
proxy=127.0.0.1:9050

# Peers won't be able to initiate the opening of new channels with this node (the node will initiate instead). To allow that, a static IP or a Tor hidden service must be configured.
autolisten=false

# uncomment to set your own (public) alias. By default a random one is chosen.
# for privacy reasons, it is recommended not to set a custom alias.
#alias=MyPublicNodeAlias
```
### Running
```bash
lightningd --log-level=debug
```
To test that c-lightning is running:
```bash
lightning-cli getinfo
```
### Backup
There are two important files to back up:

`~/.lightning/hsm_secret` must be backed up once.
`~/.lightning/lightningd.sqlite3` must be backed up regularly.
Instructions for setting up backups [are available here](https://github.com/bitembassy/home-node/blob/master/lightning-backup.md), including optional encrypted cloud backups to Keybase.

## Spark Wallet

### Installing
```bash
{{include scripts/install-spark.sh}}
```

### Configuring

The default configuration options should work out-of-the-box.
You may set custom config options in `~/.spark-wallet/config`.

To set custom login credentials instead of the randomly generated ones, add a line with `login=myUsername:myPassword`.

Refer to the [spark docs](https://github.com/shesek/spark-wallet) for the full list of options.

### Running
```bash
spark-wallet --pairing-url
```

Spark will automatically generate random credentials and save them to `~/.spark-wallet/cookie`.

The `--pairing-url` option will print the pairing URL, which includes your wallet access key. You can open this URL to access your wallet.
It will look like this: `http://localhost:9737/?access-key=[...]`.

You may also use `--pairing-qr` to print a QR code with the pairing URL (useful for mobile access).


## Startup services

> Note: If you already have the services running from the terminal, stop them before starting the systemd services.
### Stage 1: Bitcoin, EPS, btc-rpc-explorer

```bash
# Download home-node repo
git clone https://github.com/bitembassy/home-node ~/home-node && cd ~/home-node &&

# Verify signature - should see "Good signature from Nadav Ivgi "
git verify-commit HEAD &&

# Copy service init files
sudo cp init/{bitcoind,eps,btc-rpc-explorer}.service /etc/systemd/system/ &&

# Reload systemd, enable services, start them
sudo systemctl daemon-reload &&
sudo systemctl start bitcoind && sudo systemctl enable bitcoind &&
sudo systemctl start eps && sudo systemctl enable eps &&
sudo systemctl start btc-rpc-explorer && sudo systemctl enable btc-rpc-explorer
```

### Stage 2: Lightning, Spark
```bash
# Copy service init files
sudo cp ~/home-node/init/{lightningd,spark-wallet}.service /etc/systemd/system/ &&

# Reload systemd, enable services, start them
sudo systemctl daemon-reload &&
sudo systemctl start lightningd && sudo systemctl enable lightningd &&
sudo systemctl start spark-wallet && sudo systemctl enable spark-wallet
```

### Controlling services

- Start: `sudo systemctl start <service-name>`
- Restart: `sudo systemctl restart <service-name>`
- Stop: `sudo systemctl stop <service-name>`
- Status: `sudo systemctl status <service-name>`

The service names are: `bitcoind`, `lightningd`, `btc-rpc-explorer`, `eps` and `spark-wallet`.

## LAN access

To connect to EPS, Spark and btc-rpc-explorer over the local network
you will need to configure the services to bind on `0.0.0.0` and add a firewall rule allowing local connections.

### Configuring the services

- To configure EPS: open `~/eps/config.cfg` and under `[electrum-server]` change `host=127.0.0.1` to `host=0.0.0.0`.
- To configure Spark: open `~/.spark-wallet/config` and add a new line with `host=0.0.0.0`.

- To configure btc-rpc-explorer: open `~/.config/btc-rpc-explorer.env` and add a new line with `BTCEXP_HOST=0.0.0.0`.

You can configure all three using the following commands:

```bash
# EPS: rewrite the "host = ..." line inside the [electrum-server] section only.
# The brackets must be escaped, otherwise awk treats them as a character class.
awk '/^\[/{in_section=0} /^\[electrum-server\]/{in_section=1} in_section&&/^host[ \t]*=/{sub(/=.*/,"= 0.0.0.0")} 1' ~/eps/config.cfg > ~/eps/config.cfg.new && mv ~/eps/config.cfg.new ~/eps/config.cfg &&
mkdir -p ~/.spark-wallet && echo host=0.0.0.0 | tee -a ~/.spark-wallet/config &&
echo BTCEXP_HOST=0.0.0.0 | tee -a ~/.config/btc-rpc-explorer.env
```

Restart the services for the changes to take effect:

```bash
sudo systemctl restart eps && sudo systemctl restart spark-wallet && sudo systemctl restart btc-rpc-explorer
```

### Firewall rules

You will need to add a firewall rule allowing access from your local network IP address range.
For example, if your IP range is `192.168.1.x`, run:

```bash
sudo ufw allow from 192.168.1.0/24 to any port 50002,3002,9737,22 proto tcp
```

The following script can be used to try to automatically detect your network IP range and add a
matching firewall rule:

```bash
ips=($(ip -4 -o -f inet addr show | grep 'scope global dynamic' | tr -s ' ' | cut -d' ' -f4)) &&
if [ ${#ips[@]} -ne 1 ]; then echo "multiple networks found, cannot determine IP address"; \
else (set -x; sudo ufw allow from ${ips[0]} to any port 50002,3002,9737,22 proto tcp); fi
```

> Note: You may want to define a Static DHCP Lease on your router for your node, so the IP won't change and local clients can find it.
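As an added example (not code from the home-node repo), the detection above rewritten as bash functions that clear the host bits of the detected address before it goes into the rule, refuse to guess when several interfaces are candidates, and only print the `ufw` command so it can be reviewed before running it with sudo. The `ip` output it parses is a constructed sample, not taken from a real host.

```bash
#!/bin/bash
# Added example, not part of the home-node repo: derive the LAN network range from
# `ip -4 -o -f inet addr show` output and build the ufw rule the README uses for
# LAN access. Unlike the one-liner in the README it clears the host bits
# (192.168.1.42/24 becomes 192.168.1.0/24) and fails when the choice is ambiguous.

LAN_PORTS="50002,3002,9737,22"   # EPS, btc-rpc-explorer, Spark, SSH

# Constructed sample of `ip -4 -o -f inet addr show` output (not from a real host).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp3s0    inet 192.168.1.42/24 brd 192.168.1.255 scope global dynamic enp3s0\       valid_lft 86397sec preferred_lft 86397sec
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0\       valid_lft forever preferred_lft forever'

# "a.b.c.d/prefix" -> network address with the host bits cleared, e.g. 10.7.3.200/22 -> 10.7.0.0/22
network_of() {
  local addr=${1%/*} prefix=${1#*/} o1 o2 o3 o4
  IFS=. read -r o1 o2 o3 o4 <<< "$addr"
  local ip=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
  local mask=$(( prefix == 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  local net=$(( ip & mask ))
  printf '%d.%d.%d.%d/%d\n' \
    $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Read `ip -4 -o -f inet addr show` lines from stdin and print the network CIDR of the
# single globally scoped interface, or of the interface named in $1 when several exist.
# Returns 1 rather than guessing, so the firewall is never opened to the wrong network.
lan_cidr() {
  local want_iface=$1 line iface cidr
  local names=() found=()
  while read -r line; do
    case "$line" in *"scope global"*) ;; *) continue ;; esac
    set -- $line                      # fields: index, ifname, "inet", addr/prefix, ...
    iface=$2 cidr=$4
    [ -z "$want_iface" ] || [ "$iface" = "$want_iface" ] || continue
    names+=("$iface"); found+=("$cidr")
  done
  if [ ${#found[@]} -ne 1 ]; then
    echo "cannot determine LAN: ${#found[@]} candidates (${names[*]})" >&2
    return 1
  fi
  network_of "${found[0]}"
}

# Print the ufw rule for the detected LAN; review it, then run it with sudo.
lan_ufw_rule() {
  local net
  net=$(lan_cidr "$1") || return 1
  echo "ufw allow from $net to any port $LAN_PORTS proto tcp"
}

# Demo on the constructed sample: ambiguous without a hint, resolved by naming the interface.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  printf '%s\n' "$SAMPLE_IP_OUTPUT" | lan_ufw_rule || true
  printf '%s\n' "$SAMPLE_IP_OUTPUT" | lan_ufw_rule enp3s0
fi
```

On a live node, feed it the real output with `ip -4 -o -f inet addr show | lan_ufw_rule <interface>`.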
## SSH access (optional)

```bash
sudo apt install -y openssh-server &&

# disable root login, disable password auth
# (match the line whether or not it is commented out, as it is in the stock sshd_config)
sudo sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config &&
sudo sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config &&
sudo service ssh reload

# TODO: set nonstandard SSH port? instructions for setting up keys?
```

With password authentication disabled, you need your public key in `~/.ssh/authorized_keys` on the node before you can log in over SSH.

To ensure SSH access availability, you may want to accept SSH connections from all sources with `sudo ufw allow ssh`.
This is less secure than whitelisting source IPs, but may be considered acceptable for the SSH daemon.

## Tor Hidden Services

Edit `/etc/tor/torrc`, add:

```
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServiceVersion 3
HiddenServicePort 50002 127.0.0.1:50002
HiddenServicePort 3002 127.0.0.1:3002
HiddenServicePort 9737 127.0.0.1:9737
HiddenServicePort 9090 127.0.0.1:9090
HiddenServicePort 22 127.0.0.1:22
```

Then restart with: `sudo service tor restart`

To get your `.onion` hostname: `sudo cat /var/lib/tor/hidden_service/hostname`

To make Spark aware of its `.onion` address, edit `~/.spark-wallet/config` and add a line with: `public-url=http://[your-host-name].onion:9737/`

This can be done automatically with:

```bash
echo public-url=http://`sudo cat /var/lib/tor/hidden_service/hostname`:9737/ | tee -a ~/.spark-wallet/config
```

Your onion server exposes the following services:

- Port `50002`: Electrum Personal Server
- Port `9737`: Spark Wallet
- Port `3002`: btc-rpc-explorer
- Port `9090`: Cockpit
- Port `22`: SSH server

For example, to access btc-rpc-explorer, open `[your-host-name].onion:3002` in any Tor Browser.
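The `sed` lines in the SSH access section above only take effect when the option line matches exactly. This added example (not the repo's own code) makes the same two edits robust when the line is commented out, as it is in a stock Ubuntu `sshd_config`, or absent, and keeps global options out of `Match` blocks; the configuration it runs on is a constructed excerpt, and `set_sshd_option`, `sshd_effective` and `harden_sshd` are names chosen here.

```bash
#!/bin/bash
# Added example, not the repo's own code: set a global sshd_config option whether the
# line is currently active, commented out (a stock Ubuntu sshd_config ships
# "#PermitRootLogin prohibit-password" and "#PasswordAuthentication yes") or absent.
# A plain `sed 's/^PermitRootLogin .*/.../'` never matches a commented line, so the
# built-in default quietly stays in force.

# Constructed excerpt of an sshd_config resembling the Ubuntu 18.04 default (not a real host's file).
SAMPLE_SSHD_CONFIG='# This is the sshd server system-wide configuration file.
Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication yes'

# set_sshd_option FILE KEY VALUE: rewrite the first global KEY line (commented or not),
# drop later active duplicates (sshd honours only the first), and if none exists insert
# "KEY VALUE" before the first Match block, since lines after a Match are conditional.
set_sshd_option() {
  local file=$1 key=$2 value=$3 tmp
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    BEGIN { re = "^[ \t]*#?[ \t]*" key "[ \t]"; done = 0; in_match = 0 }
    /^Match[ \t]/ { if (!done) { print key " " value; done = 1 }; in_match = 1 }
    in_match { print; next }
    $0 ~ re && !done { print key " " value; done = 1; next }
    $0 ~ re { if ($0 ~ /^[ \t]*#/) print; next }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the original owner and mode
  local rc=$?
  rm -f "$tmp"
  return $rc
}

# sshd_effective FILE KEY: the value sshd will use for a global KEY
# (first active line before any Match block; empty if unset).
sshd_effective() {
  awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit } /^Match[ \t]/ { exit }' "$1"
}

# The README's two settings, applied robustly.
harden_sshd() {
  set_sshd_option "$1" PermitRootLogin no &&
  set_sshd_option "$1" PasswordAuthentication no
}

# Demo on a temporary copy of the constructed config.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  demo=$(mktemp)
  printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$demo"
  harden_sshd "$demo"
  echo "PermitRootLogin -> $(sshd_effective "$demo" PermitRootLogin)"
  echo "PasswordAuthentication -> $(sshd_effective "$demo" PasswordAuthentication)"
  rm -f "$demo"
fi
```

Against the live `/etc/ssh/sshd_config` the functions need root, and `sudo sshd -t` validates the result before `sudo service ssh reload`.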
## Updating software

You can update the installed software by re-running the installation scripts.
You can copy the commands from this README, or fetch and run them from git using:

```bash
# Download home-node repo (or update the existing clone from the startup services step)
(git clone https://github.com/bitembassy/home-node ~/home-node || git -C ~/home-node pull) && cd ~/home-node &&

# Verify signature - should see "Good signature from Nadav Ivgi "
git verify-commit HEAD &&

# To update bitcoin core
./scripts/install-bitcoin.sh &&

# To update c-lightning
./scripts/install-clightning.sh &&

# To update electrum
./scripts/install-electrum.sh &&

# To update electrum personal server
./scripts/install-eps.sh &&

# To update spark wallet
./scripts/install-spark.sh &&

# To update btc-rpc-explorer
./scripts/install-btc-rpc-explorer.sh
```

--------------------------------------------------------------------------------
/doc-utils/generate-markdown.js:
--------------------------------------------------------------------------------
#!/usr/bin/env node

const fs = require('fs')

// Read an included file, dropping its shebang line and surrounding whitespace
const includeFile = path =>
  fs.readFileSync(path).toString()
    .replace(/^#!.*/, '').trim()

// Expand every {{include path}} directive in the template read from stdin
const tmplText = fs.readFileSync('/dev/stdin').toString()
    , generated = tmplText.replace(/\{\{include ([^}]+)\}\}/g, (_, path) => includeFile(path))

console.log('\n\n')
process.stdout.write(generated)

--------------------------------------------------------------------------------
/init/bitcoind.service:
--------------------------------------------------------------------------------
# It is not recommended to modify this file in-place, because it will
# be overwritten during package upgrades. If you want to add further
# options or overwrite existing ones then use
# $ systemctl edit bitcoind.service
# See "man systemd.service" for details.

# Note that almost all daemon options could be specified in
# /home/satoshi/.bitcoin/bitcoin.conf

[Unit]
Description=Bitcoin daemon
After=network.target

[Service]
ExecStart=/usr/bin/bitcoind -daemon -conf=/home/satoshi/.bitcoin/bitcoin.conf -pid=/run/bitcoind/bitcoind.pid
# Creates /run/bitcoind owned by satoshi
RuntimeDirectory=bitcoind
User=satoshi
Type=forking
PIDFile=/run/bitcoind/bitcoind.pid
Restart=on-failure

# Hardening measures
####################

# Provide a private /tmp and /var/tmp.
PrivateTmp=true

# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full

# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true

[Install]
WantedBy=multi-user.target

--------------------------------------------------------------------------------
/init/btc-rpc-explorer.service:
--------------------------------------------------------------------------------
[Unit]
Description=btc-rpc-explorer
After=bitcoind.service
Requires=bitcoind.service

[Service]
EnvironmentFile=-/home/satoshi/btc-rpc-explorer.conf
ExecStart=/home/satoshi/.npm-global/bin/btc-rpc-explorer

RuntimeDirectory=btc-rpc-explorer
PIDFile=/run/btc-rpc-explorer/explorer.pid
User=satoshi
Group=satoshi

Type=simple
KillMode=process
Restart=on-failure
RestartSec=60

# Hardening measures
####################

# Provide a private /tmp and /var/tmp.
PrivateTmp=true

# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full

# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

[Install]
WantedBy=bitcoind.service

--------------------------------------------------------------------------------
/init/eps.service:
--------------------------------------------------------------------------------
[Unit]
Description=Electrum Personal Server
After=bitcoind.service
Requires=bitcoind.service

[Service]
ExecStart=/home/satoshi/.local/bin/electrum-personal-server /home/satoshi/eps/config.cfg

RuntimeDirectory=eps
PIDFile=/run/eps/eps.pid
User=satoshi
Group=satoshi

Type=simple
KillMode=process
Restart=on-failure
RestartSec=60

# Hardening measures
####################

# Provide a private /tmp and /var/tmp.
PrivateTmp=true

# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full

# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true

[Install]
WantedBy=bitcoind.service

--------------------------------------------------------------------------------
/init/lightningd.service:
--------------------------------------------------------------------------------
# It is not recommended to modify this file in-place, because it will
# be overwritten during package upgrades. If you want to add further
# options or overwrite existing ones then use
# $ systemctl edit lightningd.service
# See "man systemd.service" for details.

# Note that almost all daemon options could be specified in
# /home/satoshi/.lightning/config

[Unit]
Description=C-Lightning daemon
Requires=bitcoind.service
After=bitcoind.service

[Service]
ExecStart=/usr/local/bin/lightningd --daemon --conf /home/satoshi/.lightning/config --pid-file=/run/lightningd/lightningd.pid

# Creates /run/lightningd owned by satoshi
RuntimeDirectory=lightningd

User=satoshi
Group=satoshi
Type=forking
PIDFile=/run/lightningd/lightningd.pid
Restart=on-failure

# Hardening measures
####################

# Provide a private /tmp and /var/tmp.
PrivateTmp=true

# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full

# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true

# Use a new /dev namespace only populated with API pseudo devices
# such as /dev/null, /dev/zero and /dev/random.
PrivateDevices=true

# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true

[Install]
WantedBy=bitcoind.service

--------------------------------------------------------------------------------
/init/spark-wallet.service:
--------------------------------------------------------------------------------
[Unit]
Description=Spark Lightning Wallet
Requires=lightningd.service
After=lightningd.service

[Service]
User=satoshi
Group=satoshi
Restart=on-failure

ExecStart=/home/satoshi/.npm-global/bin/spark-wallet

SyslogIdentifier=spark-wallet
PIDFile=/var/run/spark-wallet.pid
StandardInput=null
StandardOutput=syslog
StandardError=syslog

# Hardening measures
PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true

[Install]
WantedBy=lightningd.service

--------------------------------------------------------------------------------
/lightning-backup.md:
--------------------------------------------------------------------------------
## Backup hsm_secret
The `~/.lightning/hsm_secret` file holds the keys required to access on-chain funds.
Make sure you keep a secure copy of it. Unlike the database, a one-time backup is enough.

## Backup the c-lightning database
The c-lightning database should be backed up regularly, as an up-to-date copy of it is required in order to recover channel funds in case of data loss.

> Warning: DO NOT TRY TO RESTORE A DATABASE BACKUP YOURSELF! Using an out-of-date database as-is may lead to loss of funds. The restore process is out of scope here and currently requires expert help.
### Create a backup script

Install sqlite:
```bash
sudo apt install -y sqlite3
```

Fetch the `lightning-backup.sh` script:

```bash
wget -O ~/unverified-lightning-backup.sh https://raw.githubusercontent.com/bitembassy/home-node/master/scripts/lightning-backup.sh &&
echo "0e09c0de0647fe092edcec5598f50f19f082dc172048b900d7fc531a492855ae $HOME/unverified-lightning-backup.sh" | sha256sum -c &&
mv ~/unverified-lightning-backup.sh ~/lightning-backup.sh &&
chmod +x ~/lightning-backup.sh
```

You can change the directory backups will be saved to by editing `~/lightning-backup.sh` and changing `BACKUP_DIR`
(defaults to `~/backups`).

> Note: You probably want to use at least a different medium for `BACKUP_DIR`. For cloud backups use encryption, as the database content is sensitive. See our [Keybase backup instructions](https://github.com/bitembassy/home-node/blob/master/lightning-backup.md#encrypted-cloud-backup-with-keybase) for an example of such a setup.

### Set an hourly cronjob to run the script
Open the crontab editor with:
```bash
crontab -e
```
Add the following line at the bottom and save:
```
@hourly ~/lightning-backup.sh
```

## Encrypted cloud backup with Keybase
> Note: we are using Keybase (which is relatively new) for encrypted cloud backups. Make sure you feel comfortable with that. You may begin by installing the [app on your phone / laptop](https://keybase.io/download) and creating an account. This will make it easier to log the node in by scanning a QR code. You will be asked to write down a recovery paper-key. Make sure you have it so you don't lose access to the backups.
### Install Keybase
```bash
# Create dir for installation files
mkdir ~/keybase-installation && cd ~/keybase-installation &&

# Download package
wget https://prerelease.keybase.io/keybase_amd64.deb &&
# Download signature
wget https://prerelease.keybase.io/keybase_amd64.deb.sig &&

# Add signing key
gpg --recv-keys 222B85B0F90BE2D24CFEB93F47484E50656D16C7 &&
# Verify signature - should see: Good signature from "Keybase.io Code Signing (v1) "
gpg --verify keybase_amd64.deb.sig keybase_amd64.deb &&

# Install system-wide (requires sudo)
sudo apt install -y ./keybase_amd64.deb &&

# Start service
run_keybase &&

# Cleanup installation files
rm -rf ~/keybase-installation && cd ~
```

The Keybase app can now be opened from the launcher.

### Login and add this computer as a new device
You may log in using the UI (run Keybase from the launcher) or using the command line.
Assuming you already have the app installed on your phone and an account configured:

Using the UI, press login, enter your Keybase user name, select your phone from the list of existing devices, and select a name for this computer. A QR code should be displayed.

Or using the command line: `keybase login` and follow similar steps to get the pairing QR code in the terminal.

On your phone, open the Keybase app, in the menu select `Devices`, select `Add New Computer` and scan the QR code.

If you don't have an account on another device, you may create a new one instead of logging in.
### Set Keybase `private` folder as the backup destination

Create a directory for your lightning backups:

```bash
mkdir /keybase/private/[YOUR KEYBASE USER NAME]/lightning-backup
```

Edit the [script from the previous step](https://github.com/bitembassy/home-node/blob/master/lightning-backup.md#create-a-backup-script),
change `BACKUP_DIR` to: `/keybase/private/[YOUR KEYBASE USER NAME]/lightning-backup`.

Note: don't forget to replace `[YOUR KEYBASE USER NAME]` with your user name.


### Backup hsm_secret to Keybase

The `~/.lightning/hsm_secret` file must be backed up, but just once. If you have a safer way to keep a copy, you may skip this step.

Otherwise, run the following so it's backed up to your `private` Keybase folder together with the lightning database.

Note: you need to replace `[YOUR KEYBASE USER NAME]` with your user name.

```bash
cp ~/.lightning/hsm_secret /keybase/private/[YOUR KEYBASE USER NAME]/lightning-backup/hsm_secret
```

--------------------------------------------------------------------------------
/misc/sysctl.conf:
--------------------------------------------------------------------------------
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
{
  "name": "home-node-utils",
  "version": "0.1.0",
  "author": "Bitcoin Embassy TLV",
  "license": "MIT",
  "scripts": {
    "build-markdown": "./doc-utils/generate-markdown.js < README.tmpl.md > README.md"
  }
}

--------------------------------------------------------------------------------
/scripts/install-bitcoin.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Create dir for installation files
mkdir -p ~/bitcoin-installation && cd ~/bitcoin-installation && rm -rf * &&

# Download binaries
wget https://bitcoincore.org/bin/bitcoin-core-0.17.1/bitcoin-0.17.1-x86_64-linux-gnu.tar.gz &&

# Download signature
wget https://bitcoincore.org/bin/bitcoin-core-0.17.1/SHA256SUMS.asc &&

# Verify signature - should see "Good signature from Wladimir J. van der Laan (Bitcoin Core binary release signing key) "
gpg --verify SHA256SUMS.asc &&

# Verify the binary matches the signed hash in SHA256SUMS.asc - should see "bitcoin-0.17.1-x86_64-linux-gnu.tar.gz: OK"
grep bitcoin-0.17.1-x86_64-linux-gnu.tar.gz SHA256SUMS.asc | sha256sum -c - &&

# Unpack binaries
tar xvf bitcoin-0.17.1-x86_64-linux-gnu.tar.gz &&

# Install binaries system-wide (requires password)
sudo cp bitcoin-0.17.1/bin/* /usr/bin

--------------------------------------------------------------------------------
/scripts/install-btc-rpc-explorer.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Cleanup previous source code files (if any)
rm -rf ~/btc-rpc-explorer &&

# Download source
git clone https://github.com/janoside/btc-rpc-explorer ~/btc-rpc-explorer && cd ~/btc-rpc-explorer &&
git checkout 1ca6f54b93a56d942a90f3e0072265c9df3b9e6c &&

# Verify signature - should see "Good signature from Dan Janosik "
git verify-commit HEAD &&

# Install user-wide
npm install -g

--------------------------------------------------------------------------------
/scripts/install-clightning.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Install dependencies
sudo apt install -y autoconf automake build-essential libtool libgmp-dev libsqlite3-dev net-tools zlib1g-dev &&

# Cleanup previous source code files (if any)
rm -rf ~/lightning &&

# Download source
(git clone https://github.com/ElementsProject/lightning ~/lightning || git -C ~/lightning fetch) &&

# Checkout latest stable
cd ~/lightning && git checkout v0.7.0 &&

# Verify signature - should see: Good signature from "Rusty Russell "
git verify-tag v0.7.0 &&

# Build
./configure && make &&

# Install system-wide (requires sudo password)
sudo make install

--------------------------------------------------------------------------------
/scripts/install-electrum.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Install dependencies
sudo apt install -y python3-setuptools python3-pyqt5 python3-pip &&

# Create dir for installation files
mkdir -p ~/electrum-installation && cd ~/electrum-installation && rm -rf * &&

# Download source
wget https://download.electrum.org/3.3.4/Electrum-3.3.4.tar.gz &&

# Download signature
wget https://download.electrum.org/3.3.4/Electrum-3.3.4.tar.gz.asc &&

# Verify signature - should see "Good signature from Thomas Voegtlin (https://electrum.org) "
gpg --verify Electrum-3.3.4.tar.gz.asc Electrum-3.3.4.tar.gz &&

# Unpack
tar xvf Electrum-3.3.4.tar.gz && cd Electrum-3.3.4 &&

# Install dependencies
pip3 install .[fast] &&

# Install system-wide (requires sudo password)
sudo ./setup.py install

--------------------------------------------------------------------------------
/scripts/install-eps.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Cleanup previous source code files (if any)
rm -rf ~/eps &&

# Download source
git clone https://github.com/chris-belcher/electrum-personal-server.git ~/eps && cd ~/eps &&

# Checkout v0.1.6 (latest stable)
git checkout eps-v0.1.6 &&

# Verify signature - should see 'Good signature from "Chris Belcher "'
git verify-commit HEAD &&

# Install user-wide
pip3 install --user .
--------------------------------------------------------------------------------
/scripts/install-spark.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Create dir for installation files
mkdir -p ~/spark-installation && cd ~/spark-installation && rm -rf * &&

# Download npm package
wget https://github.com/shesek/spark-wallet/releases/download/v0.2.4/spark-wallet-0.2.4-npm.tgz &&

# Download signature
wget https://github.com/shesek/spark-wallet/releases/download/v0.2.4/SHA256SUMS.asc &&

# Verify signature - should show "Good signature from Nadav Ivgi "
gpg --verify SHA256SUMS.asc &&

# Verify the downloaded binary matches the signed hash in SHA256SUMS.asc
grep spark-wallet-0.2.4-npm.tgz SHA256SUMS.asc | sha256sum -c - &&

# Install user-wide
npm install -g spark-wallet-0.2.4-npm.tgz

--------------------------------------------------------------------------------
/scripts/lightning-backup.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# !! WARNING !!
#
# Recovering lightning channel state is currently unsupported by the lightning
# node software and is considered dangerous. Recovering from an outdated backup
# could lead to LOSS of funds. DO NOT attempt to restore this backup on your own.
# Please seek expert help before doing anything. These might be good places to start:
#
# - IRC: #c-lightning at Freenode (https://webchat.freenode.net/?channels=c-lightning)
# - The c-lightning issue tracker on GitHub (https://github.com/ElementsProject/lightning/issues)
# - The Tel-Aviv Bitcoin Embassy (https://www.bitembassy.org/, https://www.facebook.com/bitcoin.embassy.tlv/)
#
# !! WARNING !!
set -xeo pipefail

KEEP_DAYS=7
KEEP_WEEKS=7
DB_PATH=$HOME/.lightning/lightningd.sqlite3
BACKUP_DIR=$HOME/backups

copy_sqlite() {
  sqlite3 "$1" ".backup '$2.TMP'"
  sqlite3 "$2.TMP" VACUUM
  gzip "$2.TMP"
  mv "$2.TMP.gz" "$2.gz"
}

mkdir -p "$BACKUP_DIR"
copy_sqlite "$DB_PATH" "$BACKUP_DIR/latest.lightningd.sqlite3"
cp "$BACKUP_DIR/latest.lightningd.sqlite3.gz" "$BACKUP_DIR/daily.$(date +%Y-%m-%d).lightningd.sqlite3.gz"
cp "$BACKUP_DIR/latest.lightningd.sqlite3.gz" "$BACKUP_DIR/weekly.$(date +%Y-%U).lightningd.sqlite3.gz"

ls -t "$BACKUP_DIR"/daily.* | tail -n +$((KEEP_DAYS+1)) | xargs -r rm
ls -t "$BACKUP_DIR"/weekly.* | tail -n +$((KEEP_WEEKS+1)) | xargs -r rm

egrep '^# ' "$0" > "$BACKUP_DIR/00-SEEK-EXPERT-HELP---DO-NOT-RESTORE-ON-YOUR-OWN"

--------------------------------------------------------------------------------