Simplified Rocketpool Node Setup

fast contract
12 min read · May 26, 2022


I’ve imagined my parents wanting to set up a node, and made this guide with that in mind. This guide is VERY EASY. I promise you can do this. The guide may seem long, but most of it is a simple copy-paste script. If you have any difficulties, the Rocketpool Discord is very helpful. I recommend joining; it’s a great community! Joining is also a simple way to be notified of new releases.

I will be using the most commonly recommended hardware for staking, which is an Intel NUC8i5. For simplicity’s sake, I recommend using a NUC8i5 or better with a 2 TB NVMe drive and 32 GB of RAM, as that’s what this guide was tested with. If you’d like to purchase new, here are some links:

Installing the hard drive and ram modules

Flip your NUC over and unscrew the four foot screws. Then slide the first RAM module into place and push down until it clicks. Do the same for the second. Then unscrew the NVMe screw, install the drive, and screw it back in. Put the bottom cover on, screw the feet back in, and you’re done with the hardware. Easy!

We will be using Ubuntu 22.04.1 for this. On your main PC, go here and download the 64-bit PC (AMD64) desktop image. Once that’s done, go here and download Balena Etcher.

Setting up the Ubuntu USB stick

Install Balena Etcher and insert the USB drive you would like to use. Browse to the Ubuntu ISO in the first section, point it to your USB drive in the second section, and click Flash! WARNING: THE USB CONTENTS WILL BE DELETED.

Before going back to your NUC, let’s also sign up for (or log in to) a Tailscale account and install the Windows app.

Go to tailscale.com and sign up for a Tailscale account. We’ll be using this as the first layer of security for our node. Then download the Tailscale app to your PC, install it, and log the app in to your account.

Installing Ubuntu on the NUC

Now back to the NUC. Connect a monitor, keyboard, mouse, and Ethernet cable to the NUC. First we will set the NUC to turn on automatically after power loss. Power up the NUC and hold the F2 key on your keyboard to enter the BIOS. Go to Advanced > Power > Secondary Power Settings. Set the option for After Power Failure to Power On. Press F10 to save changes and exit the BIOS.

When the NUC reboots, insert the USB stick and hold F10. In the boot menu that comes up, select your USB stick, then Ubuntu. Follow the prompts to install Ubuntu with the default settings. Pick a secure password. After installing, remove the USB stick, restart, log in, and click through the welcome and update dialogs.

These steps used to require bouncing back and forth between several pages in the Rocketpool docs, which was too intimidating for some. I have created a convenient bash script that executes everything essential in the node setup guide. I have tested it on Ubuntu 22.04.1. Using this guide with other hardware or operating systems may result in issues; if that’s your case, I’d recommend reading the Rocketpool docs instead.

Running the setup script

  • On your NUC, right click on your desktop, and select “open in terminal.”
  • If you just want to grab the script, you can run:
sudo snap install curl; curl -LRO https://raw.githubusercontent.com/fastcontract/rocketpool-setup-script/main/rp.sh
  • **OR** if for some reason you don’t trust blindly downloading a script with curl, you can type gedit rp.sh, then copy and paste this script into the gedit window, save, and close. Feel free to inspect it.
#!/bin/bash
# This script basically just executes the commands outlined here:
# https://docs.rocketpool.net/guides/node/local/prepare-pc.html
# https://docs.rocketpool.net/guides/node/securing-your-node.html#assumptions-in-this-guide
# https://docs.rocketpool.net/guides/node/docker.html#downloading-the-rocket-pool-cli
# with the addition of Tailscale for extra security.
# This has been tested on a clean install of Ubuntu 22.04.1 on an Intel nuc8i5.
# It also adds helpful aliases to the user's bashrc file and then installs Rocket Pool.
GREEN='\033[0;36m'
RED='\033[0;31m'
PURP='\033[0;35m'
NC='\033[0m' # No Color
DIVIDER='###############################'
set -e
set -o pipefail
# Print an error message to stderr and stop the script.
fail() {
  MESSAGE=$1
  >&2 echo -e "\n${RED}**ERROR**\n$MESSAGE${NC}"
  exit 1
}
echo -e "${GREEN}${DIVIDER}\nupdating all installed software\nthis may take some time on a fresh install\n${DIVIDER}${NC}"
sudo apt update && sudo apt -y dist-upgrade && sudo apt -y autoremove
echo -e "${GREEN}${DIVIDER}\ninstalling SSH server\n${DIVIDER}${NC}"
sudo apt install -y openssh-server net-tools || fail "openssh-server or net-tools install step failure."
echo -e "${GREEN}${DIVIDER}\ngenerating SSH key file.\nPICK A SECURE PASSWORD for key\nit will be copied to your Documents\nfor use in putty.\n${DIVIDER}${RED}"
read -p "Enter the email you would like to use for the SSH key and hit Enter. " EMAIL
echo -e "${NC}"
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -C "${EMAIL}" || fail "ssh-keygen has failed."
# Everything under your home directory belongs to your user, so no sudo is needed here.
mv ~/.ssh/id_ed25519 ~/Documents/key.ppk || fail "failed to move private key to Documents"
# The private key is a secret: keep it readable by its owner only (you can still copy it).
chmod 600 ~/Documents/key.ppk
cp ~/.ssh/id_ed25519.pub ~/.ssh/authorized_keys || fail "failed to add public key to authorized_keys."
echo -e "${GREEN}${DIVIDER}\nThis will now pause for you to copy the SSH private key to a usb drive.\n${DIVIDER}${NC}"
echo -e "${RED}"
read -p "Press ENTER to open the location of your private SSH key and copy or move it to another location. KEEP IT SAFE."
echo -e "${GREEN}"
nautilus --browser ~/Documents &>/dev/null &
while true; do
  read -p "Have you copied your SSH key (y/n)? " yn
  case $yn in
    [Yy]* ) echo -e "${RED}Deleting private key${GREEN}"; rm -f ~/Documents/key.ppk || fail "Failed to remove SSH private key. Check your Documents folder."
            break;;
    * ) echo -e "${RED}Please copy or move it, as it will be deleted after confirming.${GREEN}";;
  esac
done
echo -e "${GREEN}${DIVIDER}\ninstalling google 2 factor authentication\n${DIVIDER}${NC}"
sudo apt install -y libpam-google-authenticator || fail "google authenticator install step failure."
echo -e "${GREEN}${DIVIDER}\ninstalling tailscale\n${DIVIDER}${NC}"
sudo apt install -y curl || fail "failed to install curl."
curl -fsSL https://tailscale.com/install.sh | sh
echo -e "${GREEN}${DIVIDER}\nactivating tailscale\nctrl click this link\nand login to continue\n${DIVIDER}${NC}"
sudo tailscale up || fail "tailscale launch failure."
echo -e "${GREEN}${DIVIDER}\ngenerating google 2fa\nscan the qr code into your 2fa app\nand keep the backup codes\nsomeplace safe.\n${DIVIDER}${NC}"
# -t time-based codes, -f write the config without asking, -d disallow reuse of a code,
# -r 3 -R 30 at most 3 logins per 30 seconds, -w 3 accept a small clock skew.
google-authenticator -t -f -d -r 3 -R 30 -w 3 || fail "google authenticator launch failure."
echo -e "${RED}"
read -p "Press ENTER once you have scanned the QR code with your 2fa app and backed up the scratch codes. You may need to resize the window or use the secret key if your resolution is too small."
echo -e "${NC}"
# These edits target the line numbers of the stock Ubuntu 22.04.1 sshd_config:
# key-only login, root only with a key, and the 2FA prompt via keyboard-interactive.
sudo sed -i '33,34s/PermitRootLogin yes/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config || fail "sshd_config file modification failure."
sudo sed -i '41,42s/#AuthorizedKeysFile/AuthorizedKeysFile/' /etc/ssh/sshd_config || fail "sshd_config file modification failure."
sudo sed -i '57,58s/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config || fail "sshd_config file modification failure."
sudo sed -i '62s/KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/' /etc/ssh/sshd_config || fail "sshd_config file modification failure."
sudo sed -i '63s/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/' /etc/ssh/sshd_config || fail "sshd_config file modification failure."
sudo tee -a /etc/ssh/sshd_config <<<"AuthenticationMethods publickey,keyboard-interactive" || fail "sshd_config file modification failure."
# Make the keyboard-interactive step ask for the Google Authenticator code instead of the account password.
sudo tee -a /etc/pam.d/sshd <<<"auth required pam_google_authenticator.so" || fail "pam.d/sshd file modification failure."
sudo sed -i '4s/@include common-auth/# @include common-auth/' /etc/pam.d/sshd || fail "pam.d/sshd file modification failure."
echo -e "${GREEN}${DIVIDER}\nactivating automatic security updates\n${DIVIDER}${NC}"
sudo apt install -y unattended-upgrades update-notifier-common || fail "unattended upgrade installation failure."
sudo tee /etc/apt/apt.conf.d/20auto-upgrades <<<"APT::Periodic::Update-Package-Lists \"1\";
APT::Periodic::Unattended-Upgrade \"1\";
APT::Periodic::AutocleanInterval \"7\";
Unattended-Upgrade::Remove-Unused-Dependencies \"true\";
Unattended-Upgrade::Remove-New-Unused-Dependencies \"true\";
Unattended-Upgrade::Automatic-Reboot \"true\";
Unattended-Upgrade::Automatic-Reboot-Time \"02:00\";"
sudo systemctl restart unattended-upgrades || fail "failed to restart unattended upgrades."
echo -e "${GREEN}${DIVIDER}\nsetting up the UFW firewall\n${DIVIDER}${NC}"
sudo ufw default deny incoming comment 'Deny all incoming traffic' || fail "failed to set ufw firewall rule."
sudo ufw default allow outgoing || fail "failed to set ufw firewall rule."
sudo ufw allow "22/tcp" comment 'Allow SSH' || fail "failed to set ufw firewall rule."
sudo ufw allow in on tailscale0 || fail "failed to set ufw firewall rule."
sudo ufw allow 41641/udp || fail "failed to set ufw firewall rule."
sudo ufw allow 30303/tcp comment 'Execution client port, standardized by Rocket Pool' || fail "failed to set ufw firewall rule."
sudo ufw allow 30303/udp comment 'Execution client port, standardized by Rocket Pool' || fail "failed to set ufw firewall rule."
sudo ufw allow 9001/tcp comment 'Consensus client port, standardized by Rocket Pool' || fail "failed to set ufw firewall rule."
sudo ufw allow 9001/udp comment 'Consensus client port, standardized by Rocket Pool' || fail "failed to set ufw firewall rule."
sudo ufw allow 18550 comment 'mev port' || fail "failed to set ufw firewall rule."
sudo ufw enable || fail "failed to enable ufw firewall."
echo -e "${GREEN}${DIVIDER}\ninstalling fail2ban bruteforce protection for SSH\n${DIVIDER}${NC}"
sudo apt install -y fail2ban || fail "failed to install fail2ban."
sudo tee /etc/fail2ban/jail.d/ssh.local <<<"[sshd]
enabled = true
banaction = ufw
port = 22
filter = sshd
logpath = %(sshd_log)s
maxretry = 10"
sudo systemctl restart fail2ban || fail "failed to start fail2ban."
sudo systemctl restart sshd || fail "failed to restart sshd."
echo -e "${GREEN}${DIVIDER}\nsecuring your node complete!\nadding some helpful aliases\n${DIVIDER}${NC}"
# ~/.bashrc is the user's own file, so the aliases are appended without sudo.
echo "alias osupdate='sudo apt update && sudo apt -y dist-upgrade && sudo apt -y autoremove'" >> ~/.bashrc || fail "failed to add osupdate alias."
echo "alias rpupdate='rocketpool service stop && sudo apt update && sudo apt -y dist-upgrade && sudo apt -y autoremove && wget https://github.com/rocket-pool/smartnode-install/releases/latest/download/rocketpool-cli-linux-amd64 -O ~/bin/rocketpool && rocketpool service install -d && rocketpool service start'" >> ~/.bashrc || fail "failed to add rpupdate alias."
echo "alias rpstatus='echo \"###########################\";rocketpool node status;echo \"###########################\";rocketpool node sync;echo \"###########################\";rocketpool service status;echo \"###########################\";rocketpool service version;echo \"###########################\";rocketpool minipool status'" >> ~/.bashrc || fail "failed to add rpstatus alias."
echo "alias claim='rocketpool node claim-rewards'" >> ~/.bashrc || fail "failed to add claim alias."
source ~/.bashrc || fail "failed to source bashrc."
echo -e "\naliases installed.\nyou can type ${GREEN}osupdate${NC} in a terminal to update all software\nor type ${GREEN}rpupdate${NC} to just update rocketpool\nor type ${GREEN}rpstatus${NC} to get information about your node\nor type ${GREEN}claim${NC} when you want to claim your rocketpool rewards\n${GREEN}"
echo -e "${DIVIDER}\ninstalling rocketpool\n${DIVIDER}${NC}"
# The CLI lives in the user's ~/bin, so it is created and downloaded as the user (no root-owned files in $HOME).
mkdir -p ~/bin || fail "failed to make bin dir."
wget https://github.com/rocket-pool/smartnode-install/releases/latest/download/rocketpool-cli-linux-amd64 -O ~/bin/rocketpool || fail "failed to get rocketpool install files."
chmod +x ~/bin/rocketpool
source ~/.profile
rocketpool service install -y || fail "failed to install rocketpool."
echo -e "${PURP}${DIVIDER}\nrocketpool has been installed!\nyou can now restart this machine, disconnect your monitor, and connect through ssh.\n${DIVIDER}"
  • Then type bash rp.sh
  • Enter your password, hit Enter, and it will execute each step, updating you along the way and asking for confirmations.

The first input prompt you’ll get is for the SSH key. Enter your email address and pick a secure password. The key will be moved to your Documents folder for convenience. Copy this key to a USB stick to transfer it to your Windows machine. You won’t be able to access the node without it.

Next, Tailscale will be installed. It will prompt you to click a URL to log your machine in. Ctrl+click the URL and log in to Tailscale.

Both the node and the Windows machine are now in Tailscale.

Once complete, the node will be added to your Tailscale account, and installation will continue.

Next, Google Authenticator two-factor authentication will be enabled. A QR code will pop up and the script will pause. Scan this QR code into your favorite 2FA app and write down the scratch codes in case you need them. Once the QR code is in your app, hit Enter to continue.

The final step the script executes is installing Rocketpool. Congrats! The hard part is complete. You’re officially a NERD. Tell your friends. You can now restart and unplug everything but the power and network cables; the rest can be done through SSH.
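Because the script changes sshd_config by hard-coded line numbers, it is worth confirming that sshd’s effective settings match what the guide intends before you disconnect the monitor. This check is an added example and is not part of the original guide or its rp.sh script; it assumes the lowercase “key value” format that `sshd -T` prints, and the two samples below are constructed, not captured from a real node.

```bash
#!/bin/bash
# Added example, not part of the original guide or its rp.sh script.
# `sshd -T` prints sshd's effective configuration as lowercase "key value"
# lines. This function reads those lines on stdin and returns 0 only if every
# setting the guide's script is supposed to produce is actually in effect.
check_sshd_effective_config() {
  local conf expected k v rc=0
  conf=$(tr '[:upper:]' '[:lower:]')   # normalise in case of hand-typed input
  expected='permitrootlogin prohibit-password
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive'
  while read -r k v; do
    # -x: whole-line match, -F: literal match (values contain '-' and ',')
    if ! printf '%s\n' "$conf" | grep -qxF "$k $v"; then
      echo "MISSING: $k $v" >&2
      rc=1
    fi
  done <<<"$expected"
  return $rc
}

# Constructed sample of `sshd -T` output from a node where the script's sed edits took effect.
HARDENED_SAMPLE='port 22
permitrootlogin prohibit-password
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive'

# Constructed sample where the sed line numbers did not match (stock Ubuntu 22.04 defaults):
# passwords are still accepted and no second factor is required.
STOCK_SAMPLE='port 22
permitrootlogin prohibit-password
passwordauthentication yes
kbdinteractiveauthentication no
authenticationmethods any'

# On the node itself, run the check against the live daemon:
#   sudo sshd -T | check_sshd_effective_config && echo "sshd hardening in place"
```

If any line is reported as MISSING, open /etc/ssh/sshd_config and set that option by hand before closing the lid on the monitor.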

Your node is now protected behind several different layers of authentication. I will show you how to log in to the node remotely. You will have to remote in occasionally to install updates or to re-stake RPL rewards.

On your non-node pc, verify that Tailscale is connected (4 white dots):

We will be using PuTTY to SSH in to the node. Download the PuTTY Windows installer from here. Once installed, we will need to convert our key file. Search for PuTTYgen and launch it.

We will now convert our SSH key into something PuTTY can read. Load the key you copied from the NUC and enter its password. Set the key type to Ed25519 and click Save private key to save it to your PC. We will use this new private key with PuTTY.

Now you can launch PuTTY and load that generated key. Open PuTTY, copy and paste your node’s IP from Tailscale into PuTTY, navigate to SSH then Auth on the left side, and load your key. Then go back to the Session tab, give it a name, save it, and click Open. Enter your username, the key’s password, and your 2FA code and you’re in!

I know this sounds like a lot of steps to log in. I KNOW. But your machine is secured behind several different layers. To access your node or Grafana, someone would have to access your Tailscale. THEN steal your private key. THEN figure out the password to the private key. THEN they’d have to steal your 2FA. They can’t brute-force these methods since we’ve enabled brute-force protection.

That’s it for the node setup. Now, in that terminal, you can type rocketpool service config to set up Rocketpool and start staking.

You’ll be greeted by a beautiful terminal user interface (TUI for short). This is what you’ll be using from here on. Hit tab to change fields, and enter to confirm a choice.

The TUI will guide you through either staking on main net (using REAL eth) or staking on the test net. Congrats - getting to the TUI is the hard part! To change config values in the future, just type rocketpool service config again.

One final thing you should do is log in to your internet router’s control panel and forward ports 30303 and 9001 to your node. This isn’t 100% required, but skipping it will result in a lower peer-connection count. If you find you’re missing attestations, this is probably the reason.

On your node you can type ifconfig to get its IP address to enter into your router. Unfortunately, since there are thousands of different router control panels out there, I can’t guide you through forwarding step by step. You should search for port-forwarding instructions for your specific router model. You can do it, I believe in you!

Remember, your goal is to aim for 100% uptime for this machine; however, slight hiccups will happen and aren’t the end of the world. Keep your machine safe. Don’t tell others about it. I hope you have good fortune with many block proposals.

Disclaimer: I am not responsible for any lost, stolen, or slashed eth or funds. This guide represents the current best security practices for running a node, but it depends on you keeping your keyfiles and passwords safe, secure, and strong.
