Universa node: server configuration

The server should already satisfy the hardware and OS requirements specified on Node Owner Central.

Required packages

Latest PostgreSQL repository

Configure PostgreSQL 10 apt sources as described here.

Mandatory packages

Install mandatory packages needed for Universa node launch/maintenance.

apt-get install apache2-utils build-essential check-postgres curl dirmngr git haveged libpam-systemd libpq-dev libssl-dev lsb-release netfilter-persistent nginx-light postgresql postgresql-client pgtop rsync ruby sudo wget vim hdparm net-tools

Java

Install Oracle Java 8 from the webupd8.org PPA packages for Debian. Adding a third-party PPA makes its maintainers a trusted package source for the whole system, so verify the full fingerprint of the signing key (EEA14886 is only a short key ID, which can be spoofed) before trusting it. Note also that this PPA stopped shipping the Oracle Java installer after Oracle changed its Java licensing in 2019, so a fresh install today will likely need another Java 8 source.

su -
echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
echo "deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee -a /etc/apt/sources.list.d/webupd8team-java.list
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer oracle-java8-set-default binfmt-support
exit

Open the /etc/java-8-oracle/security/java.security file in a text editor and change the line

securerandom.source=file:/dev/random

to

securerandom.source=file:/dev/urandom

then save your change and exit the text editor. This stops SecureRandom from blocking when the kernel entropy estimate is low: on Linux, /dev/urandom is the same CSPRNG as /dev/random and is safe to use once the pool has been seeded, and haveged (installed above) keeps it topped up. See details here.

Recommended, but not mandatory, packages:

  • cryptsetup – to keep private keys and other sensitive data on a LUKS-encrypted partition, or even the whole PostgreSQL data directory.
  • certbot – to obtain free Let's Encrypt TLS certificates for the Nginx server

Nginx

See the conf files in the attached nginx.tgz; the real domain name appears there as the placeholder #{domain}.

Every external node should use its own domain. We highly recommend putting the node behind CloudFlare for protection, HTTPS termination and so on. To encrypt the traffic between CloudFlare and the node we recommend free Let's Encrypt certificates; install the certbot package for this purpose. Set the CloudFlare SSL mode to Full (strict): otherwise the hop from CloudFlare to your origin is either unencrypted or not verified against the certificate you install here.

Unpack the example files from the archive into /etc/nginx, replace the domain name everywhere, edit the SSL certificate paths, generate the DH parameters, create the symlink and reload nginx:

ln -s /etc/nginx/sites-available/universa_node /etc/nginx/sites-enabled
openssl dhparam -out /etc/nginx/dhparam.pem 4096
nginx -t && nginx -s reload

Obtaining an SSL certificate with certbot

When configuring your node to use free Let's Encrypt certificates, take the following precaution:

Until the first certificate for your host has been issued, the 8443 ssl server block in your Nginx conf cannot be used (the certificate files it references do not exist yet, so nginx -t fails), so comment it out for now.

Substitute your domain and request the certificate with:

certbot certonly -d #{domain} --webroot -w /var/www/letsencrypt

After it succeeds, uncomment the SSL-related section in your Nginx file and reload Nginx again (service nginx reload). The certbot package renews the certificate automatically, but Nginx keeps the old certificate in memory until it is reloaded, so configure a renewal hook (certbot's --deploy-hook) that reloads Nginx.
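The two-phase procedure above (HTTP-only site for the first issuance, then the 8443 TLS listener) as a script. This is an added example, not the project's nginx.tgz or any code from the original page: the server blocks are written from scratch, and the node's upstream address 127.0.0.1:8080 is a hypothetical placeholder to replace with the real port. The rendering functions run offline; only --apply touches the system.

```shell
#!/bin/sh
# Added example (not the project's nginx.tgz): two-phase Nginx site for a
# Universa node plus the first Let's Encrypt issuance. Assumptions not taken
# from the page: the node listens on 127.0.0.1:8080 (hypothetical) and is
# published on 8443, a port CloudFlare proxies.
set -eu

WEBROOT=/var/www/letsencrypt
SITE=/etc/nginx/sites-available/universa_node
UPSTREAM=127.0.0.1:8080   # hypothetical; take the real port from the node docs

# Phase 1: plain HTTP only. Serves the ACME challenge so certbot can issue the
# first certificate while no ssl_certificate path exists yet.
render_http_conf() {
  domain=$1
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    location /.well-known/acme-challenge/ {
        root ${WEBROOT};
    }
    location / {
        return 301 https://\$host:8443\$request_uri;
    }
}
EOF
}

# Phase 2: the 8443 TLS listener, appended once the certificate exists.
# Drop TLSv1.3 from ssl_protocols on nginx older than 1.13 (unknown value).
render_tls_conf() {
  domain=$1
  cat <<EOF
server {
    listen 8443 ssl;
    server_name ${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_dhparam         /etc/nginx/dhparam.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://${UPSTREAM};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
    }
}
EOF
}

# Side effects: write phase 1, get the certificate, then append phase 2.
# nginx -t guards each reload so a bad render never takes the site down.
deploy() {
  domain=$1
  mkdir -p "$WEBROOT"
  render_http_conf "$domain" > "$SITE"
  ln -sf "$SITE" /etc/nginx/sites-enabled/universa_node
  nginx -t && nginx -s reload
  certbot certonly -d "$domain" --webroot -w "$WEBROOT"
  [ -f /etc/nginx/dhparam.pem ] || openssl dhparam -out /etc/nginx/dhparam.pem 4096
  render_tls_conf "$domain" >> "$SITE"
  nginx -t && nginx -s reload
}

if [ "${1:-}" = "--apply" ]; then deploy "${2:?domain}"; fi
```

Run it as root with `--apply node.example.com`. Because phase 1 never references certificate files, `nginx -t` passes before the certificate exists, which is exactly the trap the precaution above warns about.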

Extra configuration

PostgreSQL

After you've installed the packages, create the PostgreSQL user for Universa with a password of your choice and the database, running the statements as the postgres superuser (sudo -u postgres psql):

CREATE USER universa PASSWORD '<PASSWORD>';
CREATE DATABASE universa_node WITH OWNER=universa;

Add the following line to /etc/postgresql/10/main/pg_hba.conf (alter it if you changed the user or database name). pg_hba.conf is matched top to bottom, so put the line above the default "local all all peer" rule or it will never be reached; reload PostgreSQL afterwards. PostgreSQL 10 also supports scram-sha-256 here, which is preferable to md5 provided password_encryption was set to scram-sha-256 before the role was created:

local    universa_node   universa       md5

Tuning postgresql.conf

Enable more simultaneous connections in /etc/postgresql/10/main/postgresql.conf:

max_connections = 500

Also configure the memory-related settings depending on your server RAM and disk type; the numbers below are a starting point that you have to adjust (refer to http://pgtune.leopard.in.ua/ and the PostgreSQL documentation). Keep in mind that work_mem is allocated per sort or hash operation per connection, so with max_connections = 500 a value like 64MB can exceed physical RAM under load:

shared_buffers = 196MB 
work_mem = 64MB
maintenance_work_mem = 256MB
max_wal_size = 8GB

Restart server:

systemctl restart postgresql.service
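The role and database setup above as a script, written as an added example and not taken from the original page. It differs from the page's statements in three deliberate ways: it stores a SCRAM-SHA-256 verifier instead of md5, it passes the password through a psql variable read from the environment (hypothetical name UNIVERSA_DB_PASSWORD) so it never lands in shell history, and it inserts the pg_hba line above the first existing local rule so it is actually matched. The cluster name "10 main" assumes the Debian PostgreSQL 10 packages from the page.

```shell
#!/bin/sh
# Added example, not from the original page: create the Universa role and
# database with SCRAM-SHA-256 and install the matching pg_hba entry.
# Assumes Debian PostgreSQL 10 (cluster "10 main"); the password comes from
# the UNIVERSA_DB_PASSWORD environment variable (hypothetical name).
set -eu

DB_USER=universa
DB_NAME=universa_node
PG_HBA=/etc/postgresql/10/main/pg_hba.conf

# SQL to run as the postgres superuser. password_encryption must be set before
# CREATE ROLE, otherwise PostgreSQL 10 stores an md5 hash. The password is
# supplied by psql as the :'pw' variable, so it is never part of this text.
render_setup_sql() {
  user=$1 db=$2
  cat <<EOF
SET password_encryption = 'scram-sha-256';
CREATE ROLE ${user} LOGIN PASSWORD :'pw';
CREATE DATABASE ${db} WITH OWNER = ${user};
REVOKE CONNECT ON DATABASE ${db} FROM PUBLIC;
GRANT CONNECT ON DATABASE ${db} TO ${user};
-- sanity check: the stored verifier must start with SCRAM-SHA-256
SELECT rolname, substr(rolpassword, 1, 13) AS verifier_type
  FROM pg_authid WHERE rolname = '${user}';
EOF
}

# pg_hba entry: Unix socket only, this database only, this role only, SCRAM.
render_hba_line() {
  user=$1 db=$2
  printf 'local\t%s\t%s\tscram-sha-256\n' "$db" "$user"
}

apply() {
  : "${UNIVERSA_DB_PASSWORD:?set UNIVERSA_DB_PASSWORD first}"
  render_setup_sql "$DB_USER" "$DB_NAME" |
    sudo -u postgres psql -v ON_ERROR_STOP=1 -v pw="$UNIVERSA_DB_PASSWORD"
  if ! grep -q "^local[[:space:]]*${DB_NAME}[[:space:]]*${DB_USER}" "$PG_HBA"; then
    # pg_hba is first-match: insert before the first "local ..." rule so the
    # default "local all all peer" line cannot shadow ours.
    awk -v line="$(render_hba_line "$DB_USER" "$DB_NAME")" \
      '!done && /^local[ \t]/ { print line; done = 1 } { print }' \
      "$PG_HBA" > "$PG_HBA.new"
    cat "$PG_HBA.new" > "$PG_HBA"   # overwrite in place to keep owner and mode
    rm "$PG_HBA.new"
  fi
  pg_ctlcluster 10 main reload
}

if [ "${1:-}" = "--apply" ]; then apply; fi
```

Run as root with `UNIVERSA_DB_PASSWORD=... ./setup-db.sh --apply`. The final SELECT is the check that the verifier really is SCRAM; if it prints md5 the SET ran in the wrong session and the role must be recreated.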

Prepare dedicated user for service

Add a user named deploy for the node; use exactly this name:

useradd -m -s /bin/bash deploy

Allow it to read the systemd journal:

usermod -a -G systemd-journal deploy 

Allow the user's systemd services to run without an active login session:

loginctl enable-linger deploy 

As the deploy user, create the authorized_keys file and add the attached public SSH keys to it (your system may use authorized_keys2 instead). The modes matter: sshd with the default StrictModes ignores keys in a ~/.ssh or authorized_keys that is writable by others.

mkdir -m 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Generate an SSH keypair for the deploy user (ssh-keygen defaults to RSA; an Ed25519 key, -t ed25519, is shorter and preferred):

ssh-keygen

If you run multiple nodes, generate this key once and copy it to the other nodes. Copy it only over an authenticated channel (scp between the nodes, never chat or e-mail), keep the private key at mode 600, and bear in mind that a key shared by all nodes is exposed as soon as any one of them is compromised.
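The deploy-user preparation above as one script, with the permission check sshd applies made explicit. This is an added example, not code from the original page: the key-file argument is a hypothetical path where the attached public keys were saved, the sample key in sample_keys is a constructed placeholder (not a real key), and the Ed25519 choice for the user's own key is the editor's, not the page's.

```shell
#!/bin/sh
# Added example, not from the original page: create the deploy user, install
# the supplied public keys, and verify the modes sshd's StrictModes requires.
# Assumes the attached public keys were saved to a file passed as $2.
set -eu

USER_NAME=deploy

# Constructed sample input for a dry run: one well-formed key line (placeholder
# body, not a real key) and one line that must not reach authorized_keys.
sample_keys() {
  cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyBodyConstructedForThisExample0 ops@example
not a key: stray line that must be filtered out
EOF
}

# Return 0 if DIR is a usable ~/.ssh for OWNER: dir 700, authorized_keys 600,
# both owned by OWNER. sshd (StrictModes yes, the default) ignores keys otherwise.
check_ssh_dir() {
  dir=$1 owner=$2
  [ "$(stat -c '%a %U' "$dir")" = "700 $owner" ] || return 1
  [ "$(stat -c '%a %U' "$dir/authorized_keys")" = "600 $owner" ] || return 1
  return 0
}

# Install keys from KEYFILE into HOME/.ssh with the right modes and ownership.
# Only accepted key types pass the filter; sk-* keys are deliberately excluded.
install_keys() {
  home=$1 owner=$2 keyfile=$3
  group=$(id -gn "$owner")
  install -d -m 700 -o "$owner" -g "$group" "$home/.ssh"
  grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) ' "$keyfile" \
    > "$home/.ssh/authorized_keys"        # set -e: no valid key line is an error
  chown "$owner:$group" "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  check_ssh_dir "$home/.ssh" "$owner"
}

create_deploy_user() {
  keyfile=$1
  id "$USER_NAME" >/dev/null 2>&1 || useradd -m -s /bin/bash "$USER_NAME"
  usermod -a -G systemd-journal "$USER_NAME"
  loginctl enable-linger "$USER_NAME"
  install_keys "/home/$USER_NAME" "$USER_NAME" "$keyfile"
  # The user's own key, interactive so a passphrase can be set; copy it to the
  # other nodes over scp afterwards rather than generating one per node.
  su - "$USER_NAME" -c 'ssh-keygen -t ed25519'
}

if [ "${1:-}" = "--apply" ]; then create_deploy_user "${2:?keyfile}"; fi
```

Run as root with `--apply /root/universa-keys.pub` (hypothetical path). check_ssh_dir is the part worth keeping around: run it after any manual edit of ~/.ssh, because a key silently ignored by sshd looks exactly like a wrong key from the client side.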

... TO BE CONTINUED.