geth

by tinybike

Installs geth (go-ethereum) and starts its initial sync (using "fast" syncmode) in a one-shot systemd unit. When that sync finishes the machine reboots and the enabled geth service comes up automatically; it can also be (re)started by hand with:

systemctl start geth

By default, geth is configured as a light server with publicly-accessible HTTP- and WS-RPC endpoints (plain HTTP on port 80, no authentication; the exposed API set is limited to eth, net and web3). This script also installs nginx, which maps / to the default HTTP-RPC endpoint (127.0.0.1:8545) and /ws to the default WS-RPC endpoint (127.0.0.1:8546).

Note: this script disables root SSH login and, when an SSH public key is supplied, disables SSH password authentication as well (the key-based user then gets passwordless sudo).

Compatible with: Ubuntu 18.04 LTS
						#!/bin/bash
#<UDF name="USERNAME" label="Username">
#<UDF name="USERPASSWORD" label="Password">
#<UDF name="USERPUBKEY" label="User SSH public key" default="">
#<UDF name="HOSTNAME" label="Hostname" default="">

set -e

if [ ! -z "$HOSTNAME" ]; then
  hostnamectl set-hostname $HOSTNAME
  echo "127.0.0.1   $HOSTNAME" >> /etc/hosts
fi

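# Unprivileged service account for geth; its home is the parent of the datadir.
adduser --system --group --home /var/lib/geth geth

# Set up the administrative user account.
adduser "$USERNAME" --disabled-password --gecos ""
# chpasswd reads the credential from stdin, so it never appears on a command line.
printf '%s:%s\n' "$USERNAME" "$USERPASSWORD" | chpasswd
adduser "$USERNAME" sudo

# If the user supplied an SSH public key: install it, turn off SSH password
# authentication, and grant passwordless sudo (login is then key-only).
if [[ -n "$USERPUBKEY" ]]; then
  ssh_dir="/home/$USERNAME/.ssh"
  mkdir -p "$ssh_dir"
  printf '%s\n' "$USERPUBKEY" >> "$ssh_dir/authorized_keys"
  chown -R "$USERNAME":"$USERNAME" "$ssh_dir"
  # Conventional restrictive permissions for the key material (700/600).
  chmod 700 "$ssh_dir"
  chmod 600 "$ssh_dir/authorized_keys"
  # Match the directive whether it is still the commented-out stock default or
  # has already been set explicitly; a literal "#PasswordAuthentication yes"
  # match would silently miss the latter and leave passwords enabled.
  sed -i -E 's/^#?PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' /etc/ssh/sshd_config
  # Write a dedicated, validated sudoers.d fragment instead of appending to
  # /etc/sudoers; a typo appended there breaks sudo for everyone. The file
  # name is fixed (no '.' or '~', which sudo ignores).
  printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$USERNAME" > /etc/sudoers.d/90-stackscript-user
  chmod 0440 /etc/sudoers.d/90-stackscript-user
  visudo -cf /etc/sudoers.d/90-stackscript-user
fi

# Disable root SSH access. Ubuntu's stock file ships "#PermitRootLogin
# prohibit-password" (root key login still allowed) and images often set it
# to "yes" explicitly; match either form so the result is always "no".
sed -i -E 's/^#?PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config

# Only allow SSH over IPv4 (the IPv6 firewall rules do not open port 22 either).
printf 'AddressFamily inet\n' >> /etc/ssh/sshd_config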

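# Set IPv4 iptables rules: default-deny in both directions, then allow only
# SSH, HTTP/HTTPS (nginx in front of the RPC endpoints) and geth's p2p ports
# inbound, and DNS, HTTP/HTTPS (apt, PPAs, npm), NTP and p2p outbound.
iptables --flush
iptables --delete-chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# Anti-spoofing: loopback source addresses must never arrive on a real interface.
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# geth p2p: TCP+UDP 30303; UDP 30304 is presumably the light-server discovery
# port (see the --lightserv flag in the service unit) -- confirm against the
# geth version actually installed.
iptables -A INPUT -p udp --dport 30303 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 30303 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 30304 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# NTP: the script installs ntp further down; without this rule the OUTPUT DROP
# policy silently blocks clock sync, which the node (and TLS/apt) depends on.
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 30303 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 30303 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 30304 -m state --state NEW -j ACCEPT
# Uncomment for Linode Longview
# iptables -A INPUT -s 96.126.119.66 -m state --state NEW -j ACCEPT
# Uncomment for Linode NodeBalancer
# iptables -A INPUT -s 192.168.255.0/24 -m state --state NEW -j ACCEPT
# Everything belonging to an already-accepted flow (replies, ICMP errors such
# as fragmentation-needed, which conntrack classifies as RELATED).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT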

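# Set IPv6 iptables rules: same shape as the IPv4 set, minus SSH (sshd is
# restricted to IPv4 above) and plus ICMPv6, which IPv6 cannot live without.
ip6tables --flush
ip6tables --delete-chain
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -A INPUT -i lo -j ACCEPT
# Anti-spoofing: the loopback address must never arrive on a real interface.
ip6tables -A INPUT ! -i lo -s ::1/128 -j REJECT
# ICMPv6 carries Neighbor Discovery (router/neighbor solicitation and
# advertisement) and SLAAC. With DROP policies and no ICMPv6 rule the host
# cannot even learn its gateway's link-layer address, so IPv6 is dead on
# arrival; it must be allowed in both directions.
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -p udp --dport 30303 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -p tcp --dport 30303 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -p udp --dport 30304 -m state --state NEW -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# NTP outbound, as in the IPv4 set: the ntp package installed below is useless
# if the OUTPUT DROP policy eats its queries.
ip6tables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 30303 -m state --state NEW -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 30303 -m state --state NEW -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 30304 -m state --state NEW -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT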

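# Persist the firewall across reboots. The preseeded answers make the package's
# installer save whatever rules are active right now (both address families).
echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections
echo "iptables-persistent iptables-persistent/autosave_v6 boolean true" | debconf-set-selections
# Refresh package lists before the first install: the image's cached lists may
# be stale, and a 404 on a package would abort the whole script under set -e.
apt-get update
apt-get -y install iptables-persistent

# Set up unattended upgrades
echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | debconf-set-selections
apt-get -y install unattended-upgrades

# Validate the edited sshd_config before restarting: a bad directive would
# otherwise take sshd down on a box that is only reachable over SSH.
sshd -t
systemctl restart ssh

apt-get -y install ntp
# NOTE(review): set-ntp toggles systemd-timesyncd, which is expected to stand
# down once the ntp package (ntpd) is installed; confirm which daemon actually
# ends up syncing the clock.
timedatectl set-ntp true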

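# Install geth, nginx, nodejs
apt-get -y install software-properties-common
add-apt-repository -y ppa:ethereum/ethereum
add-apt-repository -y ppa:nginx/stable
# NodeSource's setup script is downloaded to a file and run from there rather
# than piped straight into bash: -f fails on an HTTP error instead of feeding
# an error page to the shell, and a truncated download can never execute
# half-way. It still runs a remotely-served script as root -- pin a reviewed
# copy if your threat model requires it.
# NOTE(review): Node 8 is end-of-life upstream; move to a supported release
# line if ethup permits.
nodesource_setup="$(mktemp)"
curl -fsSL -o "$nodesource_setup" https://deb.nodesource.com/setup_8.x
bash "$nodesource_setup"
rm -f -- "$nodesource_setup"
apt-get update
apt-get -y install geth nginx nodejs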

# Replace nginx's default site with a reverse proxy for geth's loopback-only
# RPC listeners:
#   /   -> localhost:8545 (HTTP-RPC)
#   /ws -> localhost:8546 (WS-RPC; the WebSocket upgrade headers are forwarded)
# The single-quoted heredoc delimiter keeps nginx's $variables out of shell
# expansion. Anyone who can reach port 80 reaches these endpoints: there is no
# authentication or TLS here, and nothing listens on 443 even though the
# firewall opens it.
cat >/etc/nginx/sites-available/default <<'EOL'
server {
  listen              80 default_server;

  location / {
    rewrite /(.*) /$1  break;
    proxy_pass http://localhost:8545;
  }

  location /ws {
    rewrite /ws/(.*) /$1  break;
    proxy_pass http://localhost:8546;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
  }
}
EOL

systemctl start nginx

# ethup (from npm) wraps geth for the one-shot initial sync unit defined below.
/usr/bin/npm install -g ethup

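# Steady-state geth unit: light server plus HTTP and WebSocket RPC. Both RPC
# listeners keep their loopback defaults (no --rpcaddr/--wsaddr), so the only
# public path to them is the nginx proxy above. The API set is limited to
# eth,net,web3 (no personal/admin/miner), which is what makes exposing them at
# all tolerable; the wildcard CORS/origin settings mean any web page a visitor
# loads can query this node. Single-quoted delimiter: nothing here expands.
cat >/etc/systemd/system/geth.service <<'EOL'
[Unit]
Description=geth
After=network.target

[Service]
Type=simple
User=geth
Group=geth
Environment=HOME=/var/lib/geth
ExecStart=/usr/bin/geth --datadir /var/lib/geth/.ethereum --cache 2048 --lightserv 75 --lightpeers 200 --maxpeers 250 --rpc --rpcport 8545 --rpcapi "eth,net,web3" --rpccorsdomain "*" --ws --wsport 8546 --wsorigins "*" --wsapi "eth,net,web3"
# Least-privilege sandboxing for an Internet-facing daemon: geth only needs to
# write under /var/lib/geth, so /usr, /boot, /etc and home directories are
# made read-only/inaccessible and privilege escalation is blocked.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
# SIGINT rather than SIGTERM, presumably because that is geth's clean-shutdown
# path; the generous stop timeout gives it room to close its databases.
KillMode=process
KillSignal=SIGINT
TimeoutStopSec=90
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target
EOL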

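# One-shot initial sync unit (reboots when the sync is complete).
#
# The previous version used ExecStopPost=/sbin/reboot -- which runs as
# User=geth -- together with "chmod 777 /dev/initctl" so that the unprivileged
# geth user could trigger a reboot. That left the init FIFO world-writable for
# the whole sync, i.e. any local account could send init requests (a reboot,
# for one). systemd's "+" prefix runs just that one command with full
# privileges, so the chmod is gone. The reboot is also a second ExecStart
# instead of ExecStopPost: oneshot ExecStart lines run in order and stop at the
# first failure, so the box reboots only after a *successful* sync, while a
# failure (ethup missing, geth crash, manual stop) leaves a failed unit to
# inspect rather than a reboot.
cat >/etc/systemd/system/gethinitialsync.service <<'EOL'
[Unit]
Description=geth initial sync (reboots when complete)
After=network.target

[Service]
Type=oneshot
User=geth
Group=geth
Environment=HOME=/var/lib/geth
ExecStart=/usr/bin/ethup -c "/usr/bin/geth --datadir /var/lib/geth/.ethereum --cache 2048 --syncmode fast"
ExecStart=+/sbin/reboot
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
EOL

systemctl daemon-reload
# geth itself starts on every boot, including the one the sync unit triggers.
systemctl enable geth
# The sync unit is deliberately left disabled so it runs exactly once, now.
# (The old enable/start/disable sequence did not achieve that: "systemctl
# start" of a oneshot unit blocks until its ExecStart finishes, so the
# "disable" would only have run after the sync -- and the reboot.) --no-block
# returns immediately so the StackScript can finish while the sync proceeds.
systemctl start --no-block gethinitialsync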