Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Update
- Consider updating the versions in `WalletWasabi.Helpers.Constants`. If the versions are updated, make sure the Client Release is already available before updating the backend.
- ```sh
- sudo apt-get update && cd ~/WalletWasabi && git pull && cd ~/WalletWasabi/WalletWasabi.Backend && dotnet restore && cd ~
- # Check if rounds are not in critical phase
- https://wasabiwallet.io/api/v4/btc/ChaumianCoinJoin/states
- # Stop
- sudo service nginx stop
- sudo systemctl stop walletwasabi.service
- sudo killall tor
- bitcoin-cli stop
- # Status checks
- echo -n 'Tor: '; systemctl is-active tor; echo -n 'Wasabi: '; systemctl is-active walletwasabi; echo -n 'Bitcoind: '; ps -C bitcoind >/dev/null && echo "active" || echo "incative";
- # Upgrade and reboot
- sudo apt-get upgrade -y && sudo apt-get autoremove -y
- sudo reboot
- set DOTNET_CLI_TELEMETRY_OPTOUT=1
- # Start Bitcoind
- bitcoind
- bitcoin-cli getblockchaininfo
- # Start Tor
- tor
- # Start Nginx
- sudo service nginx start
- # Start Wasabi
- rm -rf WalletWasabi/WalletWasabi.Backend/bin && dotnet publish ~/WalletWasabi/WalletWasabi.Backend --configuration Release --self-contained false
- sudo systemctl start walletwasabi.service
- echo -n 'Tor: '; systemctl is-active tor; echo -n 'Wasabi: '; systemctl is-active walletwasabi; echo -n 'Bitcoind: '; ps -C bitcoind >/dev/null && echo "active" || echo "incative";
- tail -200 /home/user/.walletwasabi/backend/Logs.txt
- # Advanced status checks
- systemctl status nginx
- systemctl status walletwasabi
- systemctl status tor
- pgrep -ilfa bitcoin
- ```
- # 1. Create Remote Server
- ## Name
- WalletWasabi.Backend.[TestNet/Main]
- ## Image
- Ubuntu 20.04 x64
- ## Region
- Mostly anywhere is fine, except the US or China.
- ## Size
- https://bitcoin.org/en/full-node#minimum-requirements
- [4GB Standard/32GB Standard]
- # 2. Setup Server
- https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-20-04
- ## SSH in as Root
- Putty (Copypaste with Ctrl+Insert and Shift+Insert)
- https://www.digitalocean.com/community/tutorials/how-to-use-ssh-keys-with-putty-on-digitalocean-droplets-windows-users
- Make sure the new user's SSH pubkey added to ~/.ssh/authorized_keys on the server as well.
- ### Create a New User and Grant Administrative Privileges
- ```sh
- adduser user
- usermod -aG sudo user
- ```
- ### Increase the number of files limit
- By default a process can keep open up to 4096 files. Increase that limit for the `user` user as follows:
- ```sh
- pico /etc/security/limits.conf
- ```
- ```
- # Wasabi backend
- # Wasabi runs with the user called user
- user soft nofile 16384
- user hard nofile 16384
- # End of Wasabi backend
- ```
- # Setup Firewall
- https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-14-04
- ```sh
- ufw allow OpenSSH
- ufw enable
- ```
- > As the firewall is currently blocking all connections except for SSH, if you install and configure additional services, you will need to adjust the firewall settings to allow acceptable traffic in. You can learn some common UFW operations in this guide.
- > https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
- ## Enable External Access for User
- ```sh
- rsync --archive --chown=user:user ~/.ssh /home/user
- ```
- ## Update Ubuntu
- ```sh
- sudo apt-get update && sudo apt-get dist-upgrade -y
- ```
- # 3. Install .NET SDK
- https://docs.microsoft.com/en-us/dotnet/core/install/linux-ubuntu
- Opt out of the telemetry:
- ```sh
- export DOTNET_CLI_TELEMETRY_OPTOUT=1
- ```
- # 4. Install Tor
- ```sh
- sudo apt-get install tor
- pgrep -ilfa tor
- sudo killall tor
- ```
- ### Update Tor
- ```sh
- sudo apt update
- apt list --upgradable | grep tor
- sudo apt install --only-upgrade tor
- ```
- Create torrc:
- ```sh
- mkdir ~/.walletwasabi
- sudo pico /etc/tor/torrc
- ```
- ```sh
- Log notice file /home/user/.walletwasabi/notices.log
- HiddenServiceDir /home/user/.hidden_service_v3
- HiddenServiceVersion 3
- HiddenServicePort 80 127.0.0.1:37127
- RunAsDaemon 1
- # ---MAKE TOR FASTER---
- # Need to disable for HiddenServiceNonAnonymousMode
- SOCKSPort 0
- # Need to enable for HiddenServiceSingleHopMode
- HiddenServiceNonAnonymousMode 1
- # This option makes every hidden service instance hosted by a tor
- # instance a Single Onion Service. One-hop circuits make Single Onion
- # servers easily locatable, but clients remain location-anonymous.
- HiddenServiceSingleHopMode 1
- ```
- Enable firewall:
- ```sh
- sudo ufw allow 80
- ```
- Start Tor and verify it is properly running:
- ```sh
- tor
- pgrep -ilfa tor
- ```
- **Backup the generated private key!**
- # 5. Install, Configure and Synchronize bitcoind (Bitcoin Knots)
- https://bitcoinknots.org/
- ```sh
- sudo add-apt-repository ppa:luke-jr/bitcoinknots
- sudo apt-get update
- sudo apt-get install bitcoind
- mkdir ~/.bitcoin
- pico ~/.bitcoin/bitcoin.conf
- ```
- ```sh
- testnet=[0/1]
- [main/test].rpcworkqueue=256
- [main/test].rpcthreads=8
- [main/test].txindex=1
- [main/test].daemon=1
- [main/test].server=1
- [main/test].rpcuser=bitcoinuser
- [main/test].rpcpassword=password
- [main/test].whitebind=127.0.0.1:[8333/18333]
- [main/test].mempoolreplacement=fee,optin # Only valid for Bitcoin Knots - https://github.com/MetacoSA/NBitcoin/pull/884#issuecomment-663620290
- #[main/test].debug=rpc # in some cases it could be good to uncomment this line.
- ```
- https://bitcoincore.org/en/releases/0.17.0/
- https://medium.com/@loopring/how-to-run-lighting-btc-node-and-start-mining-b55c4bab8ad
- https://github.com/MrChrisJ/fullnode/issues/18
- ```sh
- sudo ufw allow ssh
- sudo ufw allow [8333/18333]
- bitcoind
- bitcoin-cli getblockcount
- bitcoin-cli stop
- bitcoind
- ```
- ### Upgrade Knots
- ```sh
- bitcoin-cli stop
- sudo apt-get update && sudo apt install --only-upgrade bitcoind
- bitcoind --version
- bitcoin-cli getblockchaininfo
- ```
- # 6. Publish, Configure and Run WalletWasabi.Backend
- ```sh
- git clone https://github.com/zkSNACKs/WalletWasabi.git
- cd WalletWasabi
- dotnet restore
- dotnet build
- dotnet publish WalletWasabi.Backend --configuration Release --self-contained false
- cd ..
- ```
- https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx?view=aspnetcore-2.0&tabs=aspnetcore2x
- ```sh
- sudo pico /etc/systemd/system/walletwasabi.service
- ```
- ```sh
- [Unit]
- Description=WalletWasabi Backend API
- [Service]
- WorkingDirectory=/home/user/WalletWasabi/WalletWasabi.Backend/bin/Release/net6.0/publish
- ExecStart=/usr/bin/dotnet /home/user/WalletWasabi/WalletWasabi.Backend/bin/Release/net6.0/publish/WalletWasabi.Backend.dll
- Restart=always
- RestartSec=10 # Restart service after 10 seconds if dotnet service crashes
- SyslogIdentifier=walletwasabi-backend
- User=user
- Environment=DOTNET_PRINT_TELEMETRY_MESSAGE=false
- [Install]
- WantedBy=multi-user.target
- ```
- ```sh
- sudo systemctl enable walletwasabi.service
- sudo systemctl start walletwasabi.service
- systemctl status walletwasabi.service
- tail -10000 .walletwasabi/backend/Logs.txt
- pico .walletwasabi/backend/Config.json
- pico .walletwasabi/backend/CcjRoundConfig.json
- sudo systemctl start walletwasabi.service
- tail -10000 .walletwasabi/backend/Logs.txt
- ```
- ## Tor
- ```sh
- tor
- pgrep -ilfa tor
- ```
- Review the tor activity using the logs stored in the linux journal:
- ```sh
- sudo journalctl -u tor@default
- ```
- ## Load balance and server performance
- Check load avarages
- ```sh
- uptime
- ```
- Check the number of CPU-s
- ```sh
- nproc
- ```
- Load average numbers are in order according to the average time-window in the last - 1, 5, 15 minutes. Zero means no load, 1 means 100% load - however, average loads are added up among the number of CPUs. So as far as the load average is not bigger than the number of CPUs, there shouldn't be any performance issues.
- For interactive monitoring you can use:
- ```sh
- htop
- ```
- # 8. Setup Nginx
- https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx?view=aspnetcore-2.0&tabs=aspnetcore2x#install-nginx
- Only setup Nginx if you want to expose the autogenerated website to the clearnet.
- Enable firewall:
- ```sh
- sudo ufw allow http
- sudo ufw allow https
- ```
- ```sh
- sudo apt-get install nginx -y
- sudo service nginx start
- ```
- Verify the browser displays the default landing page for Nginx.
- The landing page is reachable at `http://<server_IP_address>/index.nginx-debian.html`
- ```sh
- sudo pico /etc/nginx/sites-available/default
- ```
- Fill out the first server's name with the server's IP and domain, and remove the unneeded domains and the second server. (Note that I use `wasabiwallet.co` for testnet.)
- ```
- server {
- listen 80;
- listen [::]:80;
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name [InsertServerIPHere] wasabiwallet.net www.wasabiwallet.net wasabiwallet.org www.wasabiwallet.org wasabiwallet.info www.wasabiwallet.info wasabiwallet.co www.wasabiwallet.co zerolink.info www.zerolink.info hiddenwallet.org www.hiddenwallet.org;
- location / {
- sub_filter '<head>' '<head><meta name="robots" content="noindex, nofollow" />';
- sub_filter_once on;
- proxy_pass http://localhost:37127;
- }
- }
- server {
- listen 80;
- listen [::]:80;
- listen 443 ssl;
- listen [::]:443 ssl;
- server_name wasabiwallet.io www.wasabiwallet.io;
- location / {
- proxy_pass http://localhost:37127;
- }
- }
- ```
- ```sh
- sudo nginx -t
- sudo nginx -s reload
- ```
- Setup https, redirect to https when asks. This will modify the above config file, but oh well.
- ```sh
- sudo certbot -d wasabiwallet.io -d www.wasabiwallet.io -d wasabiwallet.net -d www.wasabiwallet.net -d wasabiwallet.org -d www.wasabiwallet.org -d wasabiwallet.info -d www.wasabiwallet.info -d wasabiwallet.co -d www.wasabiwallet.co -d zerolink.info -d www.zerolink.info -d hiddenwallet.org -d www.hiddenwallet.org
- ```
- certbot will not properly redirect www, so it must be setup by hand, one by one.
- Duplicate all entries like this by adding a `www.`:
- ```
- server {
- if ($host = wasabiwallet.co) {
- return 301 https://$host$request_uri;
- }
- }
- ```
- Add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` and `server_tokens off;` to every HTTPS `server` block.
- ```sh
- sudo nginx -t
- sudo nginx -s reload
- ```
- After accessing the website finalize preload in https://hstspreload.org/
- # Check If Everything Works
- TestNet: http://testwnp3fugjln6vh5vpj7mvq3lkqqwjj3c2aafyu7laxz42kgwh2rad.onion/swagger/
- Main: http://wasabiukrxmkdgve5kynjztuovbg43uxcbcxn6y2okcrsg7gb6jdmbad.onion/swagger/
- GET fees
- http://www.wasabiwallet.io/
- # Check Statuses
- ```sh
- tail -f ~/.bitcoin/debug.log
- tail -10000 .walletwasabi/backend/Logs.txt
- du -bsh .walletwasabi/backend/IndexBuilderService/*
- ```
- # Specify Your ExtPubKey
- Take your ExtPubKey from Wasabi. Never receive money to that wallet's external keypath.
- ```sh
- pico ~/.walletwasabi/backend/CcjRoundConfig.json
- ```
- Add your extpub to the `CoordinatorExtPubKey`.
- # Additional (optional) Settings
- ## Rolling Bitcoin Knots node debug logs
- The following command line adds a configuration file to let logrotate service know
- how to rotate the bitcoin debug logs.
- ```sh
- sudo tee -a /etc/logrotate.d/bitcoin <<EOS
- /home/user/.bitcoin/debug.log
- {
- su user user
- rotate 5
- copytruncate
- daily
- missingok
- notifempty
- compress
- delaycompress
- sharedscripts
- }
- EOS
- ```
- **Note:** In test server replace the first line by the following one `/home/user/.bitcoin/testnet3/debug.log`
- ## Welcome Banner
- The following command line adds a welcome banner indicating the ssh logged user that he is in the production server.
- ```sh
- sudo pico /etc/motd
- ```
- ```
- ****************************************************************************
- *** Attention! Wasabi PRODUCTION server ***
- ****************************************************************************
- ```
- ## Prompt
- Additionally to the welcome banner it could be good to know in which server we are all the time and to see clearly which branch is checked out, in this case update the prompt as follow:
- ```sh
- pico ~/.bashrc
- ```
- Replace the line:
- ```sh
- PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
- ```
- by this one:
- ```sh
- PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:(PROD):\[\033[01;34m\]\w\[\033[01;31m\]$(parse_git_branch)\[\033[00m\]\$ '
- ```
- Additionally add the following function before:
- ```sh
- parse_git_branch() {
- git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/(\1)/'
- }
- ```
- **Note:** In the test server replace the word **PROD** by **TEST**
- ## Let's Encrypt
- [Let’s Encrypt](https://letsencrypt.org/about/) is a free, automated, and open certificate authority (CA), run for the public’s benefit.
- It is renewed automatically by certbot which is an agent software installed on both backends. A newly created or renewed certificates are valid for 90 days and the renewal process should start automatically (`cronjob`) if the certificate will expire in less than 30 days.
- You can list the certificates with:
- `sudo certbot certificates`
- Check all of the certificates that you’ve obtained and tries to renew any that will expire in less than 30 days (this should be automatic):
- `sudo certbot renew`
- !Be aware that after 5 failures you will be suspended for an hour - for debugging use `certbot renew --dry-run`.
- Detailed instuctions about configuration [here](https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx).
- ## Accessing Software Logs
- You can read the log file with the `tail -1000 ~/.walletwasabi/backend/Logs.txt`. However these logs aren't kept around forever. In order to access a longer timeframe use `sudo tail -1000 /var/log/syslog | grep "walletwasabi-backend"` and `sudo tail -1000 /var/log/syslog.1 | grep "walletwasabi-backend"`.
- ## Setup Cloudflare Anti-DDoS for clearnet website
- Properly implemented DDoS mitigation is what keeps websites online during an attack.
- We use Cloudflare to mitigate a DDoS attack by detecting, responding, routing and adapting to it.
- ### Create a Cloudflare account
- 1. Visit https://dash.cloudflare.com/sign-up
- 2. Enter Email address and Password
- 3. Click `Create Account`
- ### Add a domain to Cloudflare
- 1. Log in to your Cloudflare account
- 2. Click on `Add site` from the top navigation bar
- 3. Enter your website’s root domain and then click `Add Site`.
- For example, if your website is `https://www.wasabiwallet.co`, type `wasabiwallet.co`
- 4. Cloudflare will automatically identify your DNS records
- 5. Click `Next`
- 6. Select a plan level (the `Free` package is enough, as it contains DDoS attack mitigation and Global Content Delivery Network services)
- 7. Click `Confirm` in the Confirm Plan window that appears
- 8. Review whether all DNS records were identified in the DNS query results window
- 9. Click `Continue`
- 10. Copy the 2 Cloudflare nameservers displayed and click `Continue`
- ### Replace default nameservers with Cloudflare ones
- 1. Log in to your registrar (eg. Godaddy)
- 2. Make sure your registrar has disabled DNSSEC for your domain
- 3. Replace the current/default nameserver records in your registrar account with the information you copied from Cloudflare
- 4. Wait some hours (max 24) while your registrar updates your nameservers and the DNS propagates
- You will receive an email when your site is active on Cloudflare
- ## DEBUG
- - Find PID `ps aufx | grep 'WalletWasabi.Backend`
- - Creating a core dump: `dotnet dump collect -p 21600`
- - Cound threads for dotnet process `pstree -tpl 21600 | wc -l` usually around 109
Add Comment
Please, Sign In to add comment