# Install a Duniter server on Ubuntu Server 22.04

Duniter is the server software that lets you run a node for the G1 free currency (Moneda Libre G1).

## Prerequisites

1. A VPS with at least 2 cores and 3 GB of RAM (we recommend 4 cores and 4 GB), with a public IP address assigned.
2. A domain or subdomain pointing to the VPS's public IP.

For this example we will use:

```
fania.g1server.net
```

which already points to the IP of our VPS:

```
host fania.g1server.net
fania.g1server.net has address 202.61.238.152
```
It is better to disable password logins on the server and allow access only with SSH keys.

We generate the key pair on our workstation (not on the server). Give it a passphrase: it protects the private key if the workstation is ever compromised.

```
ssh-keygen -t ed25519
```

You should see:

```
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/mau/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mau/.ssh/id_ed25519
Your public key has been saved in /home/mau/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:TH7DcxneA2yr7qR6sL9/cePDMKPvAE9zKLx0spUk2c0 mau@oficina
The key's randomart image is:
+--[ED25519 256]--+
| |
| o + |
| + o E |
| = + = * |
| S % * o |
| .. % B= o. |
| oo =. O . |
| . .+... + |
| .+++++o . |
+----[SHA256]-----+
```

And copy the public key to the server:

```
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p22 root@202.61.238.152
```

Connecting no longer asks for a password. The whole procedure is carried out as "root".

```
ssh -p22 root@202.61.238.152
```
The server must be up to date, and we install "unzip".

```
apt update
apt upgrade
apt install unzip
```

Set your hostname.

```
hostnamectl set-hostname fania.g1server.net
```

Edit the "hosts" file.

```
vim /etc/hosts
```

The contents of the "hosts" file may vary; take this only as an example:

```
127.0.0.1 localhost
127.0.1.1 fania.g1server.net fania

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
202.61.238.152 fania.g1server.net fania
```

Set the server locales to whichever you prefer; English is fine in most cases.

```
localectl set-locale LANG=en_US.UTF-8 LANGUAGE="en_US:en"
```

Add them to the environment variables.

```
vim /etc/environment
```

Append at the end, according to your locales.

```
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
```

And reconfigure them.

```
dpkg-reconfigure locales
```
Set a nicer prompt; this is optional.

```
vim .bashrc
```

Append at the end:

```
PS1="┌─[\e[0;32m\H\e[m][\e[1;31m\u\e[m]->{\[\e[34;1m\]\w\[\e[0;1m\]}\n└──> \[\e[0m\]"
```

Reload to see the change:

```
source .bashrc
```
Install certbot:

```
apt install certbot
```

And register; replace EMAIL with a valid address.

```
certbot register --agree-tos -m EMAIL
```

Request the certificate for our subdomain. With "--standalone" certbot starts its own temporary web server on port 80 to answer the http-01 challenge, so port 80 must be reachable from the Internet and not in use by another service, both now and at every automatic renewal. The nginx configuration below listens only on 443, so it does not get in the way.

```
certbot certonly --standalone --preferred-challenges http-01 -d fania.g1server.net
```

Make sure to note the full paths of the certificate files; we will use them later.

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for fania.g1server.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/fania.g1server.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/fania.g1server.net/privkey.pem
This certificate expires on 2022-08-17.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
 * Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
## Download, install and configure Duniter

Download:

```
wget https://git.duniter.org/nodes/typescript/duniter/-/releases/v1.8.6/downloads/binaries/duniter-server-v1.8.6-linux-x64.deb
```

Install:

```
dpkg -i duniter-server-v1.8.6-linux-x64.deb

Selecting previously unselected package duniter.
(Reading database ... 109598 files and directories currently installed.)
Preparing to unpack duniter-server-v1.8.6-linux-x64.deb ...
Unpacking duniter (1.8.6) ...
Setting up duniter (1.8.6) ...
```

Start the service:

```
systemctl start duniter
```

The following commands must be run through "sudo -u duniter" so that they execute as the "duniter" user, the account the service runs under. Run directly as root they would write their settings under root's home directory instead of the node's data directory, and the service would never see them.

I show the output of each command so you can check as you go that everything is fine.

```
sudo -u duniter duniter config

2022-05-19T22:49:34+02:00 - debug: Plugging file system...
2022-05-19T22:49:34+02:00 - debug: Loading conf...
2022-05-19T22:49:34+02:00 - debug: Configuration saved.
```

This step is only necessary if you want the node to use your own wallet keys, or if you are a member of the web of trust, in which case your node can create currency (forge blocks). Bear in mind that the node then holds your secret key, so only do this on a server you control.

```
sudo -u duniter duniter wizard key
```

Configure the network. For the "Remote IPv4" parameter it is important to select your VPS's public IP. The local "IPv4 interface" stays on loopback (127.0.0.1) on purpose: clients reach the node through nginx on port 443, so the BMA port is never exposed directly.

```
sudo -u duniter duniter wizard network

2022-05-19T22:52:05+02:00 - debug: Plugging file system...
2022-05-19T22:52:05+02:00 - debug: Loading conf...
2022-05-19T22:52:05+02:00 - debug: Configuration saved.
? IPv4 interface lo 127.0.0.1
? IPv6 interface None
? Port 10901
? Remote IPv4 eth0 202.61.238.152
? Remote port 443
? Does this server has a DNS name? Yes
? DNS name: fania.g1server.net
2022-05-19T22:54:39+02:00 - debug: Configuration saved.
```

Configure the BMAS endpoint (the TLS variant of the BMA endpoint, as it is announced to other peers):

```
sudo -u duniter duniter config --addep "BMAS fania.g1server.net 443"

2022-05-19T22:56:08+02:00 - debug: Plugging file system...
2022-05-19T22:56:08+02:00 - debug: Loading conf...
2022-05-19T22:56:08+02:00 - debug: Configuration saved.
```

Configure the "ws2p" protocol. The node listens locally on 20901 and announces itself to peers as fania.g1server.net, port 443, path /ws2p, which nginx will proxy:

```
sudo -u duniter duniter config --ws2p-public --ws2p-noupnp --ws2p-port 20901 --ws2p-host 127.0.0.1 --ws2p-remote-port 443 --ws2p-remote-host fania.g1server.net --ws2p-remote-path "/ws2p"

2022-05-19T22:57:04+02:00 - debug: Plugging file system...
2022-05-19T22:57:04+02:00 - debug: Loading conf...
2022-05-19T22:57:04+02:00 - debug: Configuration saved.
```

Stop the service:

```
systemctl stop duniter
```

Synchronise the node. CAUTION: this can take from 1 to 3 hours depending on the speed of your VPS, your connection, the availability of the peers and other network factors.

```
sudo -u duniter duniter sync g1.duniter.org:443

Progress:

Milestones: [||||||||||||||||||||] 100 %
Download: [||||||||||||||||||||] 100 %
Apply: [||||||||||||||||||||] 100 %
Sandbox: [ ] 0 %
Peers: [||||||||||||||||||||] 100 %

Status: Peer AFv1D5xA7FCdHCTA1bqfQ3PWvwEM16Gw67QJ37obGnsv
All done in 5352.642 seconds.
```

Start the node again:

```
systemctl start duniter
```
## Install and configure the web server

Install:

```
apt install nginx
```

Configure:

```
vim /etc/nginx/nginx.conf
```

With this content. Note that the include line only loads files in sites-enabled whose name ends in ".conf", so the stock "default" site is not picked up (we delete it below anyway):

```
user www-data;
worker_processes auto;
worker_rlimit_nofile 20480;
pid /run/nginx.pid;

error_log /var/log/nginx/error.log warn;

events {
    worker_connections 5120;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    server_tokens off;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;

    keepalive_timeout 65;

    include /etc/nginx/sites-enabled/*.conf;

    disable_symlinks off;
}
```
### Configure the files for HTTPS

Generate the ssl-dhparams.pem file. The "-dsaparam" option produces DSA-style parameters in seconds instead of the minutes a 4096-bit safe-prime search takes; OpenSSL's own documentation notes they are only safe when each private exponent is used once, which is exactly what ephemeral DHE does. These parameters are used only by the DHE-* suites in the cipher list below; the ECDHE suites and TLS 1.3 do not use them.

```
openssl dhparam -dsaparam -out /etc/letsencrypt/ssl-dhparams.pem 4096
```

Edit the file (certbot's nginx plugin would normally create a file with this name; since we installed only the certbot core, we write it ourselves):

```
vim /etc/letsencrypt/options-ssl-nginx.conf
```

With this content. Two caveats: the "-SHA512" names are not OpenSSL cipher names and are silently ignored (the TLS 1.3 suites are not governed by ssl_ciphers at all), and the "preload" token in the HSTS header only matters if you submit the domain to the preload list, which additionally requires "includeSubDomains"; without that, the header still enforces HSTS for this host.

```
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384";

add_header Strict-Transport-Security "max-age=63072000; preload";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Permissions-Policy interest-cohort=();
```

Edit the file:

```
vim /etc/letsencrypt/certbot.conf
```

With this content; these are the full paths of the certificate files created earlier:

```
ssl_certificate /etc/letsencrypt/live/fania.g1server.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/fania.g1server.net/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
```
Edit the file:

```
vim /etc/nginx/sites-available/fania.g1server.net.conf
```

With this content. The X-Forwarded-For header is set inside each location: nginx only inherits proxy_set_header from the server level when a location defines none of its own, so a server-level X-Forwarded-For would be dropped here.

```
server {
    listen 443 ssl http2;
    server_name fania.g1server.net;

    include /etc/letsencrypt/certbot.conf;

    server_tokens off;

    access_log /var/log/nginx/duniter.access.log;
    error_log /var/log/nginx/duniter.error.log;

    # BMA (HTTP API), listening locally on 10901
    location / {
        proxy_pass http://127.0.0.1:10901;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_cache_bypass $http_upgrade;
    }

    # WS2P (WebSocket), listening locally on 20901
    location /ws2p {
        proxy_pass http://127.0.0.1:20901;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

Create the symbolic link:

```
ln -s /etc/nginx/sites-available/fania.g1server.net.conf /etc/nginx/sites-enabled/
```

Remove the default server:

```
rm /etc/nginx/sites-enabled/default
```

Test the configuration. Once the test passes, reload nginx so the new server block is actually served; until then nginx keeps running with the configuration it started with.

```
nginx -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
### Access to the node's web interface

To avoid editing the original service file, we create a drop-in file.

Create the directory:

```
mkdir -p /etc/systemd/system/duniter.service.d/
```

Edit the file:

```
vim /etc/systemd/system/duniter.service.d/10-web.conf
```

With this content:

```
[Service]
Environment="DUNITER_WEB=web"
```

Reload the systemd configuration:

```
systemctl daemon-reload
```

Restart the service:

```
systemctl restart duniter
```

Enable it so that it starts when the server boots:

```
systemctl enable duniter
```
## Checking

Install the tool (`ss -lntp`, already present through iproute2, shows the same information without it):

```
apt install net-tools
```

Check the listening ports. Only 22 and 443 listen on all interfaces; the node's ports 10901 (BMA), 20901 (WS2P) and 9220 (web interface) are bound to 127.0.0.1 and are reachable only through nginx or an SSH tunnel.

```
netstat -plnt

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:10901         0.0.0.0:*               LISTEN      1330/duniter_defaul
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      757/sshd: /usr/sbin
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      568/systemd-resolve
tcp        0      0 127.0.0.1:20901         0.0.0.0:*               LISTEN      1330/duniter_defaul
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1274/nginx: master
tcp        0      0 127.0.0.1:9220          0.0.0.0:*               LISTEN      1330/duniter_defaul
tcp6       0      0 :::22                   :::*                    LISTEN      757/sshd: /usr/sbin
```
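Added check, not part of the original guide: a small shell function that reads the output of `netstat -plnt` (or `ss -lntp`, which has the same column layout) and reports any of the node's ports bound to something other than loopback. The port numbers are the ones configured above (10901 BMA, 20901 WS2P, 9220 web interface); both sample outputs are constructed for the self-check, the second one modelled on what you would get if the wizard's "IPv4 interface" had been set to eth0 instead of lo.

```bash
#!/bin/sh
# Added example (not from the Duniter project or the original guide).
# Ports assumed from the guide: 10901 BMA, 20901 WS2P, 9220 web UI.
DUNITER_PORTS="10901 20901 9220"

# exposed_duniter_ports: reads `netstat -plnt` / `ss -lntp` lines on stdin,
# prints "<port> <local address>" for every node port not bound to loopback,
# returns 1 if anything is exposed and 0 otherwise.
exposed_duniter_ports() {
    awk -v ports="$DUNITER_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # column 4 is "Local Address" in both netstat -plnt and ss -lntp output
        $4 ~ /:[0-9]+$/ {
            port = $4; sub(/.*:/, "", port)
            addr = $4; sub(/:[0-9]+$/, "", addr)
            if (!(port in want)) next
            if (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") next
            print port, addr
            exposed = 1
        }
        END { if (exposed) exit 1; exit 0 }
    '
}

# Constructed sample modelled on the netstat output above: loopback-only node.
GOOD_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:10901         0.0.0.0:*               LISTEN      1330/duniter_defaul
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      757/sshd: /usr/sbin
tcp        0      0 127.0.0.1:20901         0.0.0.0:*               LISTEN      1330/duniter_defaul
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1274/nginx: master
tcp        0      0 127.0.0.1:9220          0.0.0.0:*               LISTEN      1330/duniter_defaul'

# Constructed sample of a misconfigured node: BMA on all IPv4 interfaces and
# the web UI on all IPv6 interfaces, i.e. reachable without nginx or a tunnel.
BAD_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10901           0.0.0.0:*               LISTEN      1330/duniter_defaul
tcp        0      0 127.0.0.1:20901         0.0.0.0:*               LISTEN      1330/duniter_defaul
tcp6       0      0 :::9220                 :::*                    LISTEN      1330/duniter_defaul'

# Self-check on the constructed samples. On the live host run:
#   netstat -plnt | exposed_duniter_ports
printf '%s\n' "$GOOD_SAMPLE" | exposed_duniter_ports && echo "ok: node ports are loopback-only"
printf '%s\n' "$BAD_SAMPLE" | exposed_duniter_ports || echo "WARNING: node ports listed above are exposed"
```

Run it after every change made with `duniter wizard network`. If port 443 is missing from the listing altogether, nginx is still serving its original configuration: run `systemctl reload nginx` after `nginx -t` passes.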

If you open your domain, it should return a JSON document:

```
{
  "duniter": {
    "software": "duniter",
    "version": "1.8.6",
    "forkWindowSize": 100
  }
}
```

We enabled the web interface but did not configure access to it in nginx, so it is only reachable on 127.0.0.1:9220 on the server itself. You can open it from your machine by forwarding that port over SSH:

```
ssh -L 9220:127.0.0.1:9220 -p22 root@fania.g1server.net
```

Once connected, open this address in your browser:

```
http://127.0.0.1:9220
```

If you see your node's web interface, congratulations: it should now appear in the node list of the Cesium client.
## Final recommendations

Always enable the firewall and leave open only the ports you need. Change the default SSH port, add a new user with administrator rights and disable root login. Keep in mind that "ufw allow ssh" opens port 22 only: allow the new SSH port before you change it and restart sshd, and confirm that a fresh login works in a second terminal before closing the session you are in. Port 80 stays open for certbot's standalone renewals. The rules for 10901 and 20901 are harmless but unnecessary: as the netstat output above shows, those ports listen on 127.0.0.1 only and are reached through nginx on 443.

```
ufw allow ssh
ufw allow http
ufw allow https
# not needed while BMA and WS2P are bound to 127.0.0.1 (nginx proxies them on 443)
ufw allow 10901/tcp
ufw allow 20901/tcp

ufw enable
```
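Added check, not part of the original guide: the three SSH recommendations above (key-only login, no root login, non-default port) are easy to get wrong by editing sshd_config by hand, because Ubuntu 22.04 also reads /etc/ssh/sshd_config.d/*.conf through an Include at the top of the file and the first occurrence of a keyword wins. The function below therefore checks the effective configuration that `sshd -T` prints (lowercase keyword, then value) rather than the file. Both samples are constructed: a fresh VPS that still allows root password logins, and the same host after hardening on port 2222, an example port chosen here.

```bash
#!/bin/sh
# Added example (not from the original guide). Keyword names are the
# lowercase ones that `sshd -T` prints for the effective configuration.

# check_sshd_hardening: reads `sshd -T` output on stdin, prints one line per
# finding, returns 0 when password logins and root logins are both disabled
# and public-key authentication is enabled, 1 otherwise.
check_sshd_hardening() {
    awk '
        { v[tolower($1)] = $2 }
        END {
            bad = 0
            if (v["passwordauthentication"] != "no") {
                print "FAIL PasswordAuthentication is " v["passwordauthentication"] " (want no)"; bad = 1
            }
            # "prohibit-password" would still let root in with a key, so insist on "no"
            if (v["permitrootlogin"] != "no") {
                print "FAIL PermitRootLogin is " v["permitrootlogin"] " (want no)"; bad = 1
            }
            if (v["pubkeyauthentication"] != "yes") {
                print "FAIL PubkeyAuthentication is " v["pubkeyauthentication"] " (want yes)"; bad = 1
            }
            if (v["port"] == "22") print "INFO sshd still listens on the default port 22"
            if (!bad) print "OK password and root logins disabled, key auth enabled"
            exit bad
        }
    '
}

# Constructed sample: a fresh VPS as many providers ship it (root via password).
BEFORE='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes'

# Constructed sample: the same host after hardening (assumed port 2222).
AFTER='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes'

# Self-check on the samples. On the server run:  sshd -T | check_sshd_hardening
printf '%s\n' "$BEFORE" | check_sshd_hardening || echo "-> not hardened"
printf '%s\n' "$AFTER" | check_sshd_hardening
```

Run `sshd -T | check_sshd_hardening` after editing the configuration and again after the restart. Because `ufw allow ssh` only covers port 22, add a rule for the new port (for example `ufw allow 2222/tcp`) before restarting sshd, and only close your current session once a new login on the new port has succeeded.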

You can always review the node's configuration file at:

```
/var/lib/duniter/.config/duniter/duniter_default/conf.json
```

Thank you for helping to expand the G1 network.

If this manual has been useful to you, you can send your "appreciation" to:

```
A5DdXxCKPw3QKWVdDVs7CzkNugNUW1sHu5zDJFWxCU2h
```

Thank you.