How to set up and secure a Compendia node

This guide is written by Bindie Validator

Step 1: Default node setup

# Add new super user
adduser <username>
usermod -aG sudo <username>
su <username>

# Navigate to HOME
cd ~

# Install Git
sudo apt update -y && sudo apt install git curl gnupg gnupg1 gnupg2 -y
# Optional step
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 23E7166788B63E1E

# Clone core-control
# For a testnet node, replace "-b main" with "-b develop"
git clone https://github.com/compendia/core-control -b main && cd core-control

# Install Core
# If you'd like core-control to set up everything, including a firewall:
./ccontrol.sh install core

Public Relay:

# Start relay
./ccontrol.sh start relay

Private Relay: (Used for Plugins/TBW scripts,…)

Open plugins config to enable Chameleon

nano ~/.config/compendia-core/<network>/plugins.js

Change config to permanently enable @alessiodf/core-chameleon

"@alessiodf/core-chameleon": {
    enabled: "ifDelegate", <-- Set to true
}

Open .env config to disable the Core and Wallet API

nano ~/.config/compendia-core/<network>/.env

Change .env config to disable the Core and Wallet API

CORE_API_DISABLED=false <-- Set to true

Start the relay

./ccontrol.sh start relay

Forger:

Open .env config to disable the Core and Wallet API

nano ~/.config/compendia-core/<network>/.env

Change .env config to disable the Core and Wallet API

CORE_API_DISABLED=false <-- Set to true

# Set secret (it is typed on the command line, so it can end up in your shell history)
./ccontrol.sh secret set <secret>

# Start core
./ccontrol.sh start core

Step 2: Add SSH login:

Open any terminal on the HOST machine and generate a new SSH Keypair

# Save with a VERY specific name (e.g. id_rsa_compendia_mainnet_relay_01)
ssh-keygen -t rsa -b 4096 -C "info about keypair"

Open PuTTYgen:

  • Load the newly generated keypair
  • Export public key in $HOME/.ssh/putty/... folder with the same name
  • Export private key in $HOME/.ssh/putty/... folder with the same name and _priv suffix

Open Git Bash on the HOST machine (only Git Bash ships with ssh-copy-id for Windows)

# Copy the generated SSH public key to the remote server
ssh-copy-id -i $HOME/.ssh/<RSA_FILE_NAME>.pub <SERVER_USERNAME>@<SERVER_IP>

Open PuTTY:

  • In settings -> SSH -> Auth: load the $HOME/.ssh/putty/id_rsa_xxx.priv key
  • Log in!

Step 3: Disable root login (FIRST, VERIFY IF SSH WORKS!!)

# Open SSH config file
sudo nano /etc/ssh/sshd_config

Change the following items in the config file

Key                               From       To
Port                              22         number between 49152 and 65535 (WRITE DOWN NUMBER!!)
LoginGraceTime                    2m         30
PermitRootLogin                   yes        no
PasswordAuthentication            yes        no
ChallengeResponseAuthentication   yes        no
UsePAM                            yes        no
X11Forwarding                     yes        no
MaxStartups                       10:30:60   2

# Restart SSH
sudo service ssh restart

# Adjust UFW to deny port 22
sudo ufw deny 22/tcp

# Adjust UFW to allow newly set port
sudo ufw allow <new_ssh_port>/tcp
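
A check for the Step 3 edits, added here as an example and not part of the original guide: it compares one sshd_config file with the "To" column of the table. The function names and the sample file are constructed; the script reads only the global section (it stops at the first Match block) and compares values literally.

```bash
# Added example (constructed names and sample): audit sshd_config against Step 3.
# First global value of a keyword (sshd keeps the first one; Match blocks are conditional).
effective_value() {
    awk -v k="$2" '
        $1 ~ /^#/                 { next }
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# Prints one FAIL line per deviation; returns 0 only when all targets match.
audit_sshd_config() {
    local file="$1" failures=0 pair key want got port
    for pair in LoginGraceTime=30 PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no UsePAM=no X11Forwarding=no \
                MaxStartups=2; do
        key=${pair%%=*} want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: want $want, found ${got:-unset}"
            failures=$((failures + 1))
        fi
    done
    # The port must have been moved into the 49152-65535 range.
    got=$(effective_value "$file" Port)
    case $got in ''|*[!0-9]*) port=0 ;; *) port=$got ;; esac
    if [ "$port" -lt 49152 ] || [ "$port" -gt 65535 ]; then
        echo "FAIL Port: want 49152-65535, found ${got:-unset}"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Constructed sample: the lowercase "permitrootlogin yes" comes first, so the
# later "PermitRootLogin no" is ignored and the audit reports it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 50022
LoginGraceTime 30
permitrootlogin yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding no
MaxStartups 2
PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "sshd_config still deviates from Step 3"
rm -f "$sample"
```

The script does not follow Include lines, so drop-in files such as those under /etc/ssh/sshd_config.d/ on recent Ubuntu releases need to be checked separately. `sudo sshd -t` validates the file's syntax before the restart.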

Step 4: Verification

  • Open a new PuTTY instance (DO NOT CLOSE THE CURRENT SESSION IN CASE SSH CONFIGURATION FAILED!!!)
  • Load saved session
  • Adjust the SSH port
  • Save session
  • CONNECT!

(Optional) Step 5: Add Swapfile

# Add Swap space
sudo fallocate -l 2G /swapfile

# Adjust Swapfile permissions
sudo chmod 600 /swapfile

# Mark the file as Swap space
sudo mkswap /swapfile

# Enable the Swapfile
sudo swapon /swapfile

# Backup /etc/fstab in case something goes wrong
sudo cp /etc/fstab /etc/fstab.bak

# Make Swapfile permanent
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab

# Adjust swappiness
sudo sysctl vm.swappiness=10

# Adjust Cache Pressure settings
sudo sysctl vm.vfs_cache_pressure=50

# Persist swappiness and cache pressure on restart
sudo nano /etc/sysctl.conf

# Add lines to bottom of /etc/sysctl.conf file
vm.swappiness=10
vm.vfs_cache_pressure=50

Swap Verification Commands

# Verify the Swap file is enabled/configured
sudo swapon --show

# Verify Swap permissions (Should be: -rw-------)
ls -lh /swapfile

# Verify current swap
free -h

# Check disk space
df -h

# Check swappiness
cat /proc/sys/vm/swappiness

# Check Cache Pressure Settings
cat /proc/sys/vm/vfs_cache_pressure

(Optional) Step 6: Add Round Monitor plugin for Forgers

# cd into plugins folder
cd ~/compendia-core/plugins

# Clone repo
git clone https://github.com/alessiodf/round-monitor.git

# Install dependencies
cd round-monitor && yarn

# Add to plugins file
nano ~/.config/compendia-core/<network>/plugins.js

Add Round-Monitor Plugin to validator plugin config

...ANY OTHER PLUGIN (this one goes last)
    "@alessiodf/round-monitor": {
        "enabled": true
    }
