Setup server for node deployment

WARNING: this page is obsolete; refer to KB: Node Owner Central for the latest information.

Any changes should go to the KB: Node Owner Central as well.

Prerequisites

Recommended hardware: 32+ GB RAM, 200+ GB SSD in RAID 10, Intel Xeon CPU (more cores, higher clock speed and faster disk I/O are better).

Required operating system: Debian Linux stable/stretch 9.3+ amd64. No other Linux distribution is allowed; older Debian releases and testing/unstable are also disallowed.

Install the PostgreSQL 10 apt sources as described here, then install the packages:

apt-get install apache2-utils build-essential check-postgres curl dirmngr git haveged libpam-systemd libpq-dev libssl-dev lsb-release netfilter-persistent nginx-light postgresql postgresql-client pgtop rsync ruby sudo wget vim hdparm net-tools 

Install the webupd8.org Oracle Java packages for Debian:

DISCONTINUED

su -
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer oracle-java8-set-default binfmt-support
exit

Open the /etc/java-8-oracle/security/java.security file in a text editor. Change the line:

securerandom.source=file:/dev/random

to read:

securerandom.source=file:/dev/urandom

Save your change and exit the text editor. See details here.

Recommended packages, but not mandatory:

cryptsetup - to protect private keys and other sensitive data in a LUKS-encrypted partition, or even the whole PostgreSQL data directory.
certbot - to obtain free SSL certificates for the Nginx HTTP server.

Nginx

See the conf files in the attached nginx.tgz; the real domain is referenced there as the template #{domain}.
An external node should use its own domain; we highly recommend putting the node behind CloudFlare for protection, HTTPS and so on.
To encrypt traffic between CloudFlare and the node we recommend free Let's Encrypt SSL certificates; install the certbot package for this purpose.

Unpack the example files from the archive and place them in /etc/nginx, change the domain name everywhere, edit the SSL certificate paths, generate dhparam, create the symlink and reload nginx:

# ln -s /etc/nginx/sites-available/universa_node /etc/nginx/sites-enabled
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
# nginx -t && nginx -s reload

Using certbot for Let's Encrypt certificates

Until the SSL certificates have been issued you cannot use the 8443 SSL host in the Nginx conf file, so comment it out for now.
Edit the command and obtain the certificates with:

certbot certonly -d #{domain} --webroot -w /var/www/letsencrypt

After a successful run, uncomment the ssl section and reload Nginx again.

PostgreSQL

Install the packages, then create a user with a password and a database:

CREATE USER universa PASSWORD '<PASSWORD>';
CREATE DATABASE universa_node WITH OWNER=universa;

Add the following line to pg_hba.conf (adjust it if you changed the names):

local    universa_node   universa       md5

Change at least the following in postgresql.conf:

max_connections = 500

The next block depends on your server's RAM and disk type, so adjust the numbers (refer to http://pgtune.leopard.in.ua/ and the PostgreSQL docs):

shared_buffers = 196MB
work_mem = 64MB
maintenance_work_mem = 256MB
max_wal_size = 8GB
# SSD
random_page_cost = 1.1
effective_io_concurrency = 200

Restart the server:

# systemctl restart postgresql.service

Prepare a dedicated user for the service

Add the user 'deploy' for the node; please use exactly this name:

# useradd -m -s /bin/bash deploy

Allow the user to read the systemd journal:

# usermod -a -G systemd-journal deploy

Enable lingering so the user's systemd services keep running without an active login session:

# loginctl enable-linger deploy

Prepare 'authorized_keys' as the 'deploy' user and add the attached public SSH keys to it
(your system may use the file 'authorized_keys2' instead):

$ mkdir -m 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

Generate an SSH keypair for the deploy user:

$ ssh-keygen

If you have multiple nodes, generate this key once and then copy it to the other nodes.

Firewall and open ports

The following ports must be open:

tcp 22 (or the non-standard port used for sshd)
tcp 80
tcp 8080
tcp 8443
tcp 2052
tcp 2082
udp 2700

Resulting data that must be provided to us

  1. IPv4 address.
  2. Domain you have chosen and configured for nginx.
  3. PostgreSQL password, database name, user and connection port.
  4. SSHD port number, if non-standard.
  5. SSH public key of the deploy user, located in the file /home/deploy/.ssh/id_rsa.pub.

We will check compliance before deploying the new node.
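As an added example (not part of this KB page or the project's tooling), a POSIX shell pre-check that verifies the settings above from their files before the node is handed over; it assumes the standard Debian path /etc/postgresql/10/main/ for the PostgreSQL configs and GNU coreutils stat, and exercises itself on constructed sample files.

```shell
#!/bin/sh
# Added example: pre-deployment compliance check for the settings this page asks for.
# Not part of the original KB page. Each check takes the file it inspects as an
# argument, so it can run on a live node (paths in the comments) or on test copies.

# postgresql.conf (/etc/postgresql/10/main/postgresql.conf on Debian): max_connections >= 500.
check_pg_max_connections() {
    # Drop comments, take the last active max_connections line, keep only its digits.
    n=$(sed 's/#.*//' "$1" | awk -F= '/^[ \t]*max_connections[ \t]*=/ { gsub(/[^0-9]/, "", $2); v = $2 } END { print v }')
    [ -n "$n" ] && [ "$n" -ge 500 ]
}

# pg_hba.conf: the local md5 entry for the universa_node database and universa user is present.
check_pg_hba() {
    grep -Eq '^[[:space:]]*local[[:space:]]+universa_node[[:space:]]+universa[[:space:]]+md5' "$1"
}

# java.security (/etc/java-8-oracle/security/java.security): SecureRandom reads /dev/urandom,
# so the JVM does not block waiting for entropy on a headless server.
check_java_securerandom() {
    grep -Eq '^[[:space:]]*securerandom\.source=file:/dev/urandom[[:space:]]*$' "$1"
}

# /home/deploy/.ssh: directory is 0700 and authorized_keys is 0600 (stat -c is GNU coreutils).
check_ssh_perms() {
    [ "$(stat -c %a "$1")" = "700" ] && [ "$(stat -c %a "$1/authorized_keys")" = "600" ]
}

# Constructed sample files so the checks can be exercised offline.
demo=$(mktemp -d)
printf '%s\n' '#max_connections = 100' 'max_connections = 500   # node requirement' 'shared_buffers = 196MB' > "$demo/postgresql.conf"
printf '%s\n' 'local   all   postgres   peer' 'local    universa_node   universa       md5' > "$demo/pg_hba.conf"
printf '%s\n' 'securerandom.source=file:/dev/random' > "$demo/java.security.bad"
printf '%s\n' 'securerandom.source=file:/dev/urandom' > "$demo/java.security.good"
mkdir -m 700 "$demo/.ssh" && touch "$demo/.ssh/authorized_keys" && chmod 600 "$demo/.ssh/authorized_keys"

# Run every check, print one PASS/FAIL line each, and return non-zero if any check fails.
run_checks() {
    rc=0
    set -- check_pg_max_connections "$1" check_pg_hba "$2" check_java_securerandom "$3" check_ssh_perms "$4"
    while [ $# -gt 0 ]; do
        if "$1" "$2"; then echo "PASS: $1 $2"; else echo "FAIL: $1 $2"; rc=1; fi
        shift 2
    done
    return $rc
}
run_checks "$demo/postgresql.conf" "$demo/pg_hba.conf" "$demo/java.security.good" "$demo/.ssh"
```

On a live node, call run_checks with the real paths (postgresql.conf, pg_hba.conf, java.security and /home/deploy/.ssh) instead of the demo files.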