This document describes how to set up a Tezos node and delegate baking rights to it. It involves configuring two instances:
- Node: Public VPS instance that interacts with the Tezos network and runs `tezos-node`, `tezos-baker`, `tezos-endorser` and `tezos-accuser`.
- Signer: Private instance on your home network that contains the baker keys and authorizes baking requests via `tezos-signer`.
This guide assumes you have already created two instances running Ubuntu 18.04.
Firewall rules for the Node: add an inbound TCP/UDP rule for port `9732` so the Tezos node can communicate with other nodes on the network. For additional security, limit SSH access to your IP address.

Firewall rules for the Signer: add an inbound TCP rule for port `7732` (or a different unregistered TCP port) for the Node to make signing requests. For additional security, limit SSH access to your IP address.
Create a new user for managing each instance. For the remainder of this tutorial I'll refer to the Node user as `tznode` and the Signer user as `tzsigner`, but you can name them anything you'd like.
On the Node instance:

```shell
$ sudo adduser tznode
$ sudo adduser tznode sudo
$ sudo su
$ mkdir /home/tznode/.ssh
$ cp ~/.ssh/authorized_keys /home/tznode/.ssh/
$ chown -R tznode:tznode /home/tznode/.ssh/
```

Log out and back in as the new user:

```shell
$ ssh tznode@ipaddress
```
On the Signer instance:

```shell
$ sudo adduser tzsigner
$ sudo adduser tzsigner sudo
$ sudo su
$ mkdir /home/tzsigner/.ssh
$ cp ~/.ssh/authorized_keys /home/tzsigner/.ssh/
$ chown -R tzsigner:tzsigner /home/tzsigner/.ssh/
```

Log out and back in as the new user:

```shell
$ ssh tzsigner@ipaddress
```
Install the build dependencies and `bubblewrap` (used by opam's build sandbox) on each instance:

```shell
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install fail2ban
$ sudo apt-get install build-essential git m4 unzip rsync curl libev-dev libgmp-dev pkg-config libhidapi-dev
$ wget http://security.ubuntu.com/ubuntu/pool/universe/b/bubblewrap/bubblewrap_0.2.1-1_amd64.deb
$ sudo dpkg -i ./bubblewrap_0.2.1-1_amd64.deb
```

Install opam and set up the OCaml 4.06.1 switch:

```shell
$ sh <(curl -sL https://raw.githubusercontent.com/ocaml/opam/master/shell/install.sh)
$ opam init --comp=4.06.1
$ eval $(opam env)
$ opam switch 4.06.1
$ opam update
$ opam update
$ opam switch 4.06.1
$ eval $(opam env)
```

Clone and build the mainnet branch of Tezos:

```shell
$ git clone -b mainnet https://gitlab.com/tezos/tezos.git
$ cd tezos
$ make build-deps
$ eval $(opam env)
$ make
```

To update to a newer mainnet release later, pull and rebuild from the `tezos` directory:

```shell
$ git pull
$ git checkout mainnet
$ eval $(opam env)
$ make
```
On the Signer, generate the baker key:

```shell
$ ./tezos-signer gen keys <baker_account>
```

where `baker_account` is the new alias of your baker account. Look up its public key hash:

```shell
$ cat ~/.tezos-signer/public_key_hashs
[ { "name": "baker_account", "value": "tz1abc..." } ]
```

Launch the signer:

```shell
$ ./tezos-signer launch socket signer -a ipaddress -p port
```

where `ipaddress` is the IP address the signer listens on and `port` is the port specified in the firewall settings. On the Node, import the baker key as a remote key served by the Signer:

```shell
$ ./tezos-client import secret key <baker_account> tcp://ipaddress:port/tz1abc...
```
Generate an authentication key (this should not be confused with your baker key):

```shell
$ ./tezos-client gen keys <client>
$ cat ~/.tezos-client/public_keys
[
...
{ "name": "client",
"value":
"unencrypted:edpk123456789" } ]
```

where `client` is the new alias of your client auth key. Import the auth key on the Signer:

```shell
$ ./tezos-signer add authorized key edpk123456789 --name <client>
```

You can now use the `--require-authentication` flag when initializing `tezos-signer`, so that it only honours signing requests authenticated by an authorized client key:

```shell
$ ./tezos-signer --require-authentication launch socket signer -a ipaddress -p port
```
Generate an identity and add a default configuration file for `tezos-node`:

```shell
$ ./tezos-node identity generate
$ sudo vim /home/tznode/.tezos-node/config.json
```

Add the following configuration defaults (the RPC listens on loopback only; the p2p port matches the firewall rule):

```json
{
  "rpc": {
    "listen-addr": "127.0.0.1:8732"
  },
  "p2p": {
    "listen-addr": "[::]:9732"
  }
}
```
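The node RPC carries no authentication, so the guide binds it to loopback. As an added example (not part of the original guide), a Python check that parses `config.json` and flags an RPC bound beyond loopback or a p2p port that does not match the firewall rule; the sample config below is constructed inline.

```python
import ipaddress
import json

# Constructed sample mirroring the config.json shown in this guide (not read from any real host).
SAMPLE_CONFIG = """
{
  "rpc": { "listen-addr": "127.0.0.1:8732" },
  "p2p": { "listen-addr": "[::]:9732" }
}
"""


def split_listen_addr(addr):
    """Split a tezos-node listen-addr ("host:port" or "[ipv6]:port") into (host, port)."""
    if addr.startswith("["):
        host, _, rest = addr[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = addr.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("malformed listen-addr: %r" % addr)
    return host, int(port)


def is_loopback(host):
    """True for loopback literals only; anything else exposes the RPC beyond this host."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_node_config(config_text, p2p_port=9732):
    """Return a list of findings; an empty list means the config matches the guide's settings."""
    cfg = json.loads(config_text)
    findings = []
    rpc = cfg.get("rpc", {}).get("listen-addr")
    if rpc is None:
        findings.append("rpc.listen-addr is not set")
    else:
        host, port = split_listen_addr(rpc)
        if not is_loopback(host):
            # The node RPC has no authentication, so it must stay on loopback.
            findings.append("RPC bound to %s:%d instead of loopback" % (host, port))
    p2p = cfg.get("p2p", {}).get("listen-addr")
    if p2p is None:
        findings.append("p2p.listen-addr is not set")
    else:
        _, port = split_listen_addr(p2p)
        if port != p2p_port:
            findings.append("p2p listens on %d but the firewall opens %d" % (port, p2p_port))
    return findings
```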
Create the node service:

```shell
$ sudo vim /etc/systemd/system/tezos-node.service
```

```ini
# The Tezos Node service (part of systemd)
# file: /etc/systemd/system/tezos-node.service
[Unit]
Description = Tezos Node Service
Documentation = https://gitlab.com/tezos/tezos
Wants = network-online.target
After = network-online.target
[Service]
User = tznode
Group = tznode
WorkingDirectory= /home/tznode/
ExecStart = /home/tznode/tezos/tezos-node run --connections 10
ExecStartPost = /bin/sleep 5
Restart = always
RestartSec = 600
TimeoutSec = 10
[Install]
WantedBy = multi-user.target
RequiredBy = tezos-baker.service tezos-endorser.service tezos-accuser.service
```
Create the baker service:

```shell
$ sudo vim /etc/systemd/system/tezos-baker.service
```

```ini
# The Tezos Baker service (part of systemd)
# file: /etc/systemd/system/tezos-baker.service
[Unit]
Description = Tezos Baker Service
Wants = network-online.target
BindsTo = tezos-node.service
After = tezos-node.service
[Service]
User = tznode
Group = tznode
WorkingDirectory= /home/tznode/
ExecStartPre = /bin/sleep 1
ExecStart = /home/tznode/tezos/tezos-baker-002-PsYLVpVv -R tcp://ipaddress:port/tz1...123 run with local node /home/tznode/.tezos-node baker
ExecStartPost = /bin/sleep 5
Restart = always
RestartSec = 600
TimeoutSec = 10
[Install]
WantedBy = multi-user.target
```
Create the endorser service:

```shell
$ sudo vim /etc/systemd/system/tezos-endorser.service
```

```ini
# The Tezos Endorser service (part of systemd)
# file: /etc/systemd/system/tezos-endorser.service
[Unit]
Description = Tezos Endorser Service
Wants = network-online.target
BindsTo = tezos-node.service
After = tezos-node.service
[Service]
User = tznode
Group = tznode
WorkingDirectory= /home/tznode/
ExecStartPre = /bin/sleep 1
ExecStart = /home/tznode/tezos/tezos-endorser-002-PsYLVpVv -R tcp://ipaddress:port/tz1...123 run baker
ExecStartPost = /bin/sleep 5
Restart = always
RestartSec = 600
TimeoutSec = 10
[Install]
WantedBy = multi-user.target
```
Create the accuser service:

```shell
$ sudo vim /etc/systemd/system/tezos-accuser.service
```

```ini
# The Tezos Accuser service (part of systemd)
# file: /etc/systemd/system/tezos-accuser.service
[Unit]
Description = Tezos Accuser Service
Wants = network-online.target
BindsTo = tezos-node.service
After = tezos-node.service
[Service]
User = tznode
Group = tznode
WorkingDirectory= /home/tznode/
ExecStartPre = /bin/sleep 1
ExecStart = /home/tznode/tezos/tezos-accuser-002-PsYLVpVv run
ExecStartPost = /bin/sleep 5
Restart = always
RestartSec = 600
TimeoutSec = 10
[Install]
WantedBy = multi-user.target
```
Create the signer service on the Signer instance:

```shell
$ sudo vim /etc/systemd/system/tezos-signer.service
```

```ini
# The Tezos Signer service (part of systemd)
# file: /etc/systemd/system/tezos-signer.service
[Unit]
Description = Tezos Signer Service
Wants = network-online.target
# This instance runs no tezos-node.service, so only wait for the network.
After = network-online.target
[Service]
User = tzsigner
Group = tzsigner
WorkingDirectory= /home/tzsigner/
ExecStartPre = /bin/sleep 1
ExecStart = /home/tzsigner/tezos/tezos-signer --require-authentication launch socket signer -a ipaddress -p 7732
ExecStartPost = /bin/sleep 5
Restart = always
RestartSec = 600
TimeoutSec = 10
[Install]
WantedBy = multi-user.target
```
Enable, start and check each service (the `tezos-signer` unit lives on the Signer instance, the other four on the Node):

```shell
$ sudo systemctl enable tezos-node
$ sudo systemctl enable tezos-baker
$ sudo systemctl enable tezos-endorser
$ sudo systemctl enable tezos-accuser
$ sudo systemctl enable tezos-signer
$ sudo systemctl start tezos-node
$ sudo systemctl start tezos-baker
$ sudo systemctl start tezos-endorser
$ sudo systemctl start tezos-accuser
$ sudo systemctl start tezos-signer
$ sudo systemctl status tezos-node
$ sudo systemctl status tezos-baker
$ sudo systemctl status tezos-endorser
$ sudo systemctl status tezos-accuser
$ sudo systemctl status tezos-signer
$ sudo journalctl -f -u tezos-node
$ sudo journalctl -f -u tezos-baker
$ sudo journalctl -f -u tezos-endorser
$ sudo journalctl -f -u tezos-accuser
$ sudo journalctl -f -u tezos-signer
```

If changes are made to `systemd` services you must reload and restart them:

```shell
$ sudo systemctl daemon-reload
$ sudo systemctl restart tezos-node
```
Import your fundraiser account on the Node:

```shell
$ ./tezos-client import fundraiser secret key <fundraiser_account>
```

where `fundraiser_account` is the new alias of your fundraiser account. If you haven't activated your fundraiser account, do so now:

```shell
$ ./tezos-client activate fundraiser account <fundraiser_account> with <activation key>
```

where `activation key` is the activation key generated from the verification site.

You must keep a balance in your baker account to cover security deposits. The required reserve is 8.25% divided by the percentage of all tokens staked on the network (~40% at the time of writing), so the baker account should hold roughly 20% of the funds you stake.
Fund the baker account and register it as a delegate:

```shell
$ ./tezos-client transfer <amount> from <fundraiser_account> to <baker_account>
$ ./tezos-client get balance for <baker_account>
$ ./tezos-client get balance for <fundraiser_account>
$ ./tezos-client register key <baker_account> as delegate
```

Originate a delegatable account that delegates to your baker:

```shell
$ ./tezos-client originate account <fundraiser_delegate> for <fundraiser_account> transferring <amount> from <fundraiser_account> --delegate <baker_account> --delegatable
```

where `fundraiser_delegate` is the new alias of your fundraiser delegation account. Verify delegation was successful:

```shell
$ ./tezos-client get manager for <fundraiser_delegate>
$ ./tezos-client get delegate for <fundraiser_delegate>
$ ./tezos-client list known contracts
```
Backing up and removing the `<fundraiser_account>` secret key from the node allows us to store our staked funds offline. Open `secret_keys`, remove the `<fundraiser_account>` entry and store it in a safe place!

```shell
$ sudo vim ~/.tezos-client/secret_keys
```

The entry to remove (and back up!) will look like this:

```json
{ "name": "fundraiser_account",
  "value":
  "unencrypted:edsk..." },
```

Verify fund transfers are disabled (this should throw an error):

```shell
$ ./tezos-client transfer 1 from <fundraiser_account> to <baker_account>
```
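As an added example (not from the original guide), a small Python helper for the backup-and-remove step above: it pulls the named entry out of the `secret_keys` JSON array into a 0600 backup file before rewriting the live file without it, then verifies the entry is gone. The file paths, the `demo` function and the key values are constructed placeholders, not real keys.

```python
import json
import os
import tempfile

# Constructed sample in the shape of ~/.tezos-client/secret_keys (placeholder values, not real keys).
SAMPLE_SECRET_KEYS = [
    {"name": "fundraiser_account", "value": "unencrypted:edsk_PLACEHOLDER"},
    {"name": "baker_account", "value": "remote:tz1_PLACEHOLDER"},
]


def extract_key(entries, alias):
    """Split the entry list into (the entry for alias, the remaining entries); raise if absent."""
    removed = [e for e in entries if e["name"] == alias]
    kept = [e for e in entries if e["name"] != alias]
    if len(removed) != 1:
        raise KeyError("expected exactly one entry named %r, found %d" % (alias, len(removed)))
    return removed[0], kept


def backup_and_remove(secret_keys_path, alias, backup_path):
    """Move the alias's secret key out of secret_keys into a fresh 0600 backup file."""
    with open(secret_keys_path) as fh:
        entries = json.load(fh)
    entry, kept = extract_key(entries, alias)
    # Write the backup first (O_EXCL refuses to clobber an existing backup), then drop the key
    # from the live file with an atomic replace so a crash never leaves a half-written file.
    fd = os.open(backup_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump([entry], fh, indent=1)
    tmp = secret_keys_path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(kept, fh, indent=1)
    os.chmod(tmp, 0o600)
    os.replace(tmp, secret_keys_path)
    return entry


def key_is_absent(secret_keys_path, alias):
    """Verification step: True when no entry for alias remains in the live file."""
    with open(secret_keys_path) as fh:
        return all(e["name"] != alias for e in json.load(fh))


def demo():
    """Run the procedure against a temporary copy of the constructed sample."""
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "secret_keys")
    backup = os.path.join(workdir, "fundraiser_account.backup.json")
    with open(live, "w") as fh:
        json.dump(SAMPLE_SECRET_KEYS, fh)
    entry = backup_and_remove(live, "fundraiser_account", backup)
    return entry["name"], key_is_absent(live, "fundraiser_account"), os.stat(backup).st_mode & 0o777
```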
Many different resources were consumed while writing this guide; their authors deserve all the high fives. The following articles are excellent reads if you'd like to further understand what's happening under the hood:
- https://github.com/tezoscommunity/FAQ/blob/master/Compile_Betanet.md
- https://gist.github.com/dakk/bdf6efe42ae920acc660b20080a506dd
- https://tezos.gitlab.io/alphanet/api/cli-commands.html
- https://tezos.gitlab.io/alphanet/introduction/various.html#signer
- https://github.com/maxtez-raspbaker/tezos-rpi3/wiki/%5Bs-1%5D-Simple-instructions-to-bake-and-keep-(most-of)-your-tezzies-offline
- https://github.com/maxtez-raspbaker/tezos-rpi3/wiki/%5Bs-2%5D-Learn-how-to-use-the-tezos-signer-program-with-a-tcp-port-or-a-unix-socket
- https://github.com/etomknudsen/tezos-baking
- https://tezex.info/bakings
- https://medium.com/tezos/its-a-baker-s-life-for-me-c214971201e1
- Monitoring scripts: https://github.com/gaia/tezos-monitoring
Hello,
Your material is brilliant. What do I have to change to make node and signer work on the same VPS?