Monero Node on Debian
Here is how I’ve run a Monero node on Debian. First, I decided to run the node on Debian Testing because the package is already built and up to date. Second, I used a small machine that cannot perform well with the full blockchain, which is why I’ll be using the “pruned blockchain”. If you can, use the full blockchain mode. Finally, I’m sorry, but I’m not sure that my config is the best one; some elements might be suboptimal, incorrect or not fully secured, so do your own research before doing a project like this one.
That being said, here is what I’ve done:
- Install Monero on Debian testing:
Add the testing repo to my Debian config
echo "deb https://deb.debian.org/debian testing main" | sudo tee -a /etc/apt/sources.list
sudo apt update
sudo apt install monero
- Create group and user monero
sudo addgroup --system monero
sudo adduser --system --home /var/lib/monero --ingroup monero --disabled-login monero
- Create the directories required for the log, config, execution
sudo mkdir /var/run/monero
sudo mkdir /var/log/monero
sudo mkdir /etc/monero
sudo chown monero:monero /var/run/monero
sudo chown monero:monero /var/log/monero
sudo chown -R monero:monero /etc/monero
- Generate SSL Keys for secure connection:
monero-gen-ssl-cert --certificate-filename monero.cert --private-key-filename monero-priv.key
sudo mv monero.cert /etc/monero/
sudo mv monero-priv.key /etc/monero/
sudo chown -R monero:monero /etc/monero
- Download the monero blockchain to get a faster node start
wget https://downloads.getmonero.org/blockchain.raw
- Create the config file:
/etc/monero/monerod.conf
# Data directory (blockchain db and indices)
data-dir=/var/lib/monero/.bitmonero
#Enable blockchain prune mode
prune-blockchain=1
sync-pruned-blocks=1
# Log file
log-file=/var/log/monero/monerod.log
log-level=0 # Minimal logs, WILL NOT log peer
#log-level=1 # Diagnostic log level
#log-level=4 # Max verbose
# P2P configuration
p2p-bind-ip=0.0.0.0 # Bind to all interfaces (the default)
p2p-bind-port=18080 # Bind to default port
# Enable ipv6
p2p-use-ipv6=1
rpc-use-ipv6=1
# RPC configuration
#public-node=1
## Local RPC admin config
rpc-bind-ip=127.0.0.1 # Bind to local interface
rpc-bind-ipv6-address=::1
rpc-bind-port=18081
## External RPC config
no-igd=1 # Disable UPnP port mapping
confirm-external-bind=1 # Open node (confirm)
#restricted-rpc=1 # Prevent unsafe RPC calls
rpc-ssl=enabled # Require TLS on RPC connections, using the key and certificate below
rpc-ssl-private-key=/etc/monero/monero-priv.key
rpc-ssl-certificate=/etc/monero/monero.cert
# RPC open node
public-node=1 # Advertise to other users they can use this node for connecting their wallets
rpc-restricted-bind-ip=0.0.0.0 # Bind to all interfaces (the Open Node)
rpc-restricted-bind-ipv6-address=::
rpc-restricted-bind-port=18089 # Bind to a new RESTRICTED port (the Open Node)
# ZMQ configuration
no-zmq=1
# Block known-malicious nodes from a DNSBL
enable-dns-blocklist=1
# Slow but reliable db writes
db-sync-mode=safe
# Emergency checkpoints set by MoneroPulse operators will be enforced to workaround potential consensus bugs
# Check https://getmonero.dev/infrastructure/monero-pulse/ for explanation and trade-offs
enforce-dns-checkpointing=1
out-peers=64 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
in-peers=1024 # The default is unlimited; we prefer to put a cap on this
limit-rate-up=500000 # kB/s (1048576 kB/s == 1GB/s); a raise from default 2048 kB/s; contribute more to p2p network
limit-rate-down=500000 # kB/s (1048576 kB/s == 1GB/s); a raise from default 8192 kB/s; allow for faster initial sync
- Create a systemd config file for the node
#/etc/systemd/system/monerod.service
[Unit]
Description=Monero Node
After=network-online.target
[Service]
Type=forking
PIDFile=/run/monero/monerod.pid
RemainAfterExit=yes
ExecStart=/usr/bin/monerod --detach --config-file=/etc/monero/monerod.conf --pidfile /run/monero/monerod.pid
ExecStartPost=/bin/sleep 0.1
#ExecStart=/usr/bin/monerod --config-file /etc/monerod.conf --non-interactive --pidfile /run/monero/monerod.pid
ExecStop=/usr/bin/monerod exit
Restart=on-failure
RestartSec=30
# Run as monero:monero
User=monero
Group=monero
RuntimeDirectory=monero
StandardOutput=journal
StandardError=journal
# /var/log/monero
LogsDirectory=monero
LogsDirectoryMode=0710
# /var/lib/monero
StateDirectory=monero
StateDirectoryMode=0710
# /etc/monero
ConfigurationDirectory=monero
ConfigurationDirectoryMode=0710
# Hardening measures
####################
# Provide a private /tmp and /var/tmp.
PrivateTmp=true
# Mount /usr, /boot/ and /etc read-only for the process.
ProtectSystem=full
# Deny access to /home, /root and /run/user
ProtectHome=true
# Disallow the process and all of its children to gain
# new privileges through execve().
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
- Enable Monerod via systemd
sudo systemctl daemon-reload
sudo systemctl enable monerod
- The basic commands that I now use with the Monero node:
Start: systemctl start monerod
Stop: systemctl stop monerod
Status: monerod status
Logs: nano /var/log/monero/monerod.log
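Added example, not part of the original post: a shell check over the finished monerod.conf that warns when the full RPC is bound beyond loopback without restricted-rpc, when public-node=1 has no restricted port, or when the TLS private key is readable by group or others. The function names and the sample config at the end are constructed for this example.

```bash
# Added example (not from the original post): audit monerod.conf RPC exposure.
# conf_get FILE KEY: last value set for KEY, inline "# comment" stripped.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/#.*$//; s/[[:space:]]*$//' | tail -n 1
}

# An unset bind address means monerod's default, which is loopback.
is_loopback() {
    case "$1" in
        ""|127.*|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

warn() { echo "WARN: $*"; findings=$((findings + 1)); }

# Prints one WARN line per finding; returns 0 only when there are none.
audit_monerod_conf() {
    conf=$1; findings=0
    rpc_ip=$(conf_get "$conf" rpc-bind-ip)
    rpc_ip6=$(conf_get "$conf" rpc-bind-ipv6-address)
    restricted=$(conf_get "$conf" restricted-rpc)
    # The full (admin) RPC must stay on loopback unless restricted-rpc=1.
    if ! { is_loopback "$rpc_ip" && is_loopback "$rpc_ip6"; } &&
       [ "$restricted" != 1 ]; then
        warn "unrestricted RPC bound to ${rpc_ip:-default} / ${rpc_ip6:-default}"
    fi
    # An advertised open node needs the restricted listener.
    if [ "$(conf_get "$conf" public-node)" = 1 ] && [ "$restricted" != 1 ] &&
       [ -z "$(conf_get "$conf" rpc-restricted-bind-port)" ]; then
        warn "public-node=1 but no rpc-restricted-bind-port"
    fi
    # The TLS private key must exist and not be group/world readable.
    key=$(conf_get "$conf" rpc-ssl-private-key)
    if [ -n "$key" ] && [ ! -f "$key" ]; then
        warn "rpc-ssl-private-key $key not found"
    elif [ -n "$key" ] &&
         [ -n "$(find "$key" \( -perm -g+r -o -perm -o+r \))" ]; then
        warn "private key $key is readable by group or others"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed weak config (not the post's): admin RPC on all interfaces.
demo=$(mktemp)
printf '%s\n' 'rpc-bind-ip=0.0.0.0 # all interfaces' 'public-node=1' > "$demo"
audit_monerod_conf "$demo" || echo "findings: $findings"
rm -f "$demo"
```

To check the node built above, call audit_monerod_conf /etc/monero/monerod.conf as root or as the monero user so the key file under /etc/monero can be inspected.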