<![CDATA[COMPILADOS NOSTR]]> https://compilados.npub.pro/tag/i2p/ https://compilados.npub.pro/tag/i2p/rss/ episodic Wed, 23 Apr 2025 01:57:53 GMT Wed, 23 Apr 2025 01:57:53 GMT <![CDATA[COMPILADOS NOSTR]]> https://compilados.npub.pro/tag/i2p/ https://pfp.nostr.build/d04bb7baa476bbb67c4b0bb02e676d0fb8cd20b809f6956ed68d2adc647b91b1.jpg <![CDATA[🛡️ Running a Secure Lightning Node on Raspberry Pi 5]]> Wed, 23 Apr 2025 01:57:53 GMT https://compilados.npub.pro/post/1745372780948/ https://compilados.npub.pro/post/1745372780948/ naddr1qqxnzde5x5enwv3h8qcrjdpcqgsrl7kr5my9n6423nwaktrsq2nwzzenal4e95p9k9826mu294jkv4crqsqqqa28hzgv35 Bitcoin naddr1qqxnzde5x5enwv3h8qcrjdpcqgsrl7kr5my9n6423nwaktrsq2nwzzenal4e95p9k9826mu294jkv4crqsqqqa28hzgv35 npub18lav8fkgt8424rxamvk8qq4xuy9n8mltjtgztv2w44hc5tt9vets0hcfsz 🔧 Infrastructure Overview
  • Hardware: Raspberry Pi 5 with PCIe NVMe HAT and 2TB NVMe SSD
  • Filesystem: ZFS with separate datasets for each service
  • Networking: Docker bridge networks for service segmentation
  • Privacy: Tor and I2P routing for anonymous communication
  • Public Access: Cloudflare Tunnel to securely expose LNbits

📊 Architecture Diagram

Architecture Diagram

🛠️ Setup Steps

1. Prepare the System

  • Install Raspberry Pi OS (64-bit)
  • Set up ZFS on the NVMe disk
  • Create a ZFS dataset for each service (e.g., bitcoin, lnd, rtl, lnbits, tor-data)
  • Install Docker and Docker Compose

2. Create Shared Docker Network and Privacy Layers

Create a shared Docker bridge network:

docker network create \
  --driver=bridge \
  --subnet=192.168.100.0/24 \
  bitcoin-net

Note: Connect bitcoind, lnd, rtl, internal lnbits, tor, and i2p to this bitcoin-net network.

Tor

  • Run Tor in a container
  • Configure it to expose LND's gRPC and REST ports via hidden services:
    HiddenServicePort 10009 192.168.100.31:10009
HiddenServicePort 8080  192.168.100.31:8080
  • Set correct permissions:
    sudo chown -R 102:102 /zfs/datasets/tor-data

I2P

  • Run I2P in a container with SAM and SOCKS proxies
  • Update bitcoin.conf:
    i2psam=192.168.100.20:7656
i2pacceptincoming=1

3. Set Up Bitcoin Core

  • Create a bitcoin.conf with Tor/I2P/proxy settings and ZMQ enabled
  • Sync the blockchain in a container using its ZFS dataset

4. Set Up LND

  • Configure lnd.conf to connect to bitcoind and use Tor:
    [Bitcoind]
bitcoind.rpchost=bitcoin:8332
bitcoind.rpcuser=bitcoin
bitcoind.rpcpass=very-hard-password
bitcoind.zmqpubrawblock=tcp://bitcoin:28332
bitcoind.zmqpubrawtx=tcp://bitcoin:28333

[Application Options]
externalip=xxxxxxxx.onion
  • Don’t expose gRPC or REST ports publicly
  • Mount the ZFS dataset at /root/.lnd
  • Optionally enable Watchtower

5. Set Up RTL

  • Mount RTL-Config.json and data volumes
  • Expose RTL's web interface locally:
    ports:
  - "3000:3000"

6. Set Up Internal LNbits

  • Connect the LNbits container to bitcoin-net
  • Mount the data directory and LND cert/macaroons (read-only)
  • Expose the LNbits UI on the local network:
    ports:
  - "5000:5000"
  • In the web UI, configure the funding source to point to the LND REST .onion address and paste the hex macaroon
  • Create and fund a wallet, and copy its Admin Key for external use

7. Set Up External LNbits + Cloudflare Tunnel

  • Run another LNbits container on a separate Docker network
  • Access the internal LNbits via the host IP and port 5000
  • Use the Admin Key from the internal wallet to configure funding
  • In the Cloudflare Zero Trust dashboard:
    • Create a tunnel
    • Select Docker, copy the --token command
    • Add to Docker Compose:
      command: tunnel --no-autoupdate run --token eyJ...your_token...

💾 Backup Strategy

  • Bitcoin Core: hourly ZFS snapshots, retained for 6 hours
  • Other Services: hourly snapshots with remote .tar.gz backups
    • Retention: 7d hourly, 30d daily, 12mo weekly, monthly forever
  • Back up ZFS snapshots to avoid inconsistencies

🔐 Security Isolation Benefits

This architecture isolates services by scope and function:

  • Internal traffic stays on bitcoin-net
  • Sensitive APIs (gRPC, REST) are reachable only via Tor
  • Public access is controlled by Cloudflare Tunnel

Extra Security: Host the public LNbits on a separate machine (e.g., hardened VPS) with strict firewall rules:

  • Allow only Cloudflare egress
  • Allow ingress from your local IP
  • Allow outbound access to internal LNbits (port 5000)

Use WireGuard VPN to secure the connection between external and internal LNbits:

  • Ensures encrypted communication
  • Restricts access to authenticated VPN peers
  • Keeps the internal interface isolated from the public internet

✅ Final Notes

  • Internal services communicate over bitcoin-net
  • LND interfaces are accessed via Tor only
  • LNbits and RTL UIs are locally accessible
  • Cloudflare Tunnel secures external access to LNbits

Monitor system health using monit, watchtower, or Prometheus.

Create all configuration files manually (bitcoin.conf, lnd.conf, RTL-Config.json), and keep credentials secure. Test every component locally before exposing it externally.

]]> 🔧 Infrastructure Overview
  • Hardware: Raspberry Pi 5 with PCIe NVMe HAT and 2TB NVMe SSD
  • Filesystem: ZFS with separate datasets for each service
  • Networking: Docker bridge networks for service segmentation
  • Privacy: Tor and I2P routing for anonymous communication
  • Public Access: Cloudflare Tunnel to securely expose LNbits

📊 Architecture Diagram

Architecture Diagram

🛠️ Setup Steps

1. Prepare the System

  • Install Raspberry Pi OS (64-bit)
  • Set up ZFS on the NVMe disk
  • Create a ZFS dataset for each service (e.g., bitcoin, lnd, rtl, lnbits, tor-data)
  • Install Docker and Docker Compose

2. Create Shared Docker Network and Privacy Layers

Create a shared Docker bridge network:

docker network create \
  --driver=bridge \
  --subnet=192.168.100.0/24 \
  bitcoin-net

Note: Connect bitcoind, lnd, rtl, internal lnbits, tor, and i2p to this bitcoin-net network.

Tor

  • Run Tor in a container
  • Configure it to expose LND's gRPC and REST ports via hidden services:
    HiddenServicePort 10009 192.168.100.31:10009
HiddenServicePort 8080  192.168.100.31:8080
  • Set correct permissions:
    sudo chown -R 102:102 /zfs/datasets/tor-data

I2P

  • Run I2P in a container with SAM and SOCKS proxies
  • Update bitcoin.conf:
    i2psam=192.168.100.20:7656
i2pacceptincoming=1

3. Set Up Bitcoin Core

  • Create a bitcoin.conf with Tor/I2P/proxy settings and ZMQ enabled
  • Sync the blockchain in a container using its ZFS dataset

4. Set Up LND

  • Configure lnd.conf to connect to bitcoind and use Tor:
    [Bitcoind]
bitcoind.rpchost=bitcoin:8332
bitcoind.rpcuser=bitcoin
bitcoind.rpcpass=very-hard-password
bitcoind.zmqpubrawblock=tcp://bitcoin:28332
bitcoind.zmqpubrawtx=tcp://bitcoin:28333

[Application Options]
externalip=xxxxxxxx.onion
  • Don’t expose gRPC or REST ports publicly
  • Mount the ZFS dataset at /root/.lnd
  • Optionally enable Watchtower

5. Set Up RTL

  • Mount RTL-Config.json and data volumes
  • Expose RTL's web interface locally:
    ports:
  - "3000:3000"

6. Set Up Internal LNbits

  • Connect the LNbits container to bitcoin-net
  • Mount the data directory and LND cert/macaroons (read-only)
  • Expose the LNbits UI on the local network:
    ports:
  - "5000:5000"
  • In the web UI, configure the funding source to point to the LND REST .onion address and paste the hex macaroon
  • Create and fund a wallet, and copy its Admin Key for external use

7. Set Up External LNbits + Cloudflare Tunnel

  • Run another LNbits container on a separate Docker network
  • Access the internal LNbits via the host IP and port 5000
  • Use the Admin Key from the internal wallet to configure funding
  • In the Cloudflare Zero Trust dashboard:
    • Create a tunnel
    • Select Docker, copy the --token command
    • Add to Docker Compose:
      command: tunnel --no-autoupdate run --token eyJ...your_token...

💾 Backup Strategy

  • Bitcoin Core: hourly ZFS snapshots, retained for 6 hours
  • Other Services: hourly snapshots with remote .tar.gz backups
    • Retention: 7d hourly, 30d daily, 12mo weekly, monthly forever
  • Back up ZFS snapshots to avoid inconsistencies

🔐 Security Isolation Benefits

This architecture isolates services by scope and function:

  • Internal traffic stays on bitcoin-net
  • Sensitive APIs (gRPC, REST) are reachable only via Tor
  • Public access is controlled by Cloudflare Tunnel

Extra Security: Host the public LNbits on a separate machine (e.g., hardened VPS) with strict firewall rules:

  • Allow only Cloudflare egress
  • Allow ingress from your local IP
  • Allow outbound access to internal LNbits (port 5000)

Use WireGuard VPN to secure the connection between external and internal LNbits:

  • Ensures encrypted communication
  • Restricts access to authenticated VPN peers
  • Keeps the internal interface isolated from the public internet

✅ Final Notes

  • Internal services communicate over bitcoin-net
  • LND interfaces are accessed via Tor only
  • LNbits and RTL UIs are locally accessible
  • Cloudflare Tunnel secures external access to LNbits

Monitor system health using monit, watchtower, or Prometheus.

Create all configuration files manually (bitcoin.conf, lnd.conf, RTL-Config.json), and keep credentials secure. Test every component locally before exposing it externally.

]]>