Horizen Secure Node Deployment Made Easy: Complete Step by Step Guide

According to the official project website, Horizen technology offers an additional security feature such as end-to-end encryption when it comes to inter-node communications. It significantly lowers the chance of exposure and blocking of a particular node, making the network more reliable and secure. The Horizen network needs this type of nodes to protect the ecosystem and maintain decentralization.

This guide will take you through a series of steps, which will allow you to deploy a Secure Node. But before you start any activities, please get familiar with the ‘Requirements and Rewards Eligibility’ section on the official Horizen Confluence wiki.

Step 1: Check Hardware Requirements

We recommend running your node on the VPS server so that you can meet the overall uptime requirements, described on the official Horizen wiki. At the moment of writing this material, the Horizen blockchain size takes roughly 24 GB of storage space, so consider using the VPS with 2 GB of RAM, 2 GB of swap and at least 30 GB SSD.

For the node deployment we used Ubuntu 18.04 LTS, and in case you decide to use another Linux distribution for node operations note that CLI commands may differ slightly from one distribution to another. So let’s begin.

Step 2: Actual Deployment Process

Add a new user on your server by entering the following command:

useradd -m -s /bin/bash -G adm,systemd-journal,sudo zen && passwd zen

Log in using credentials we have just created.

After that, we have to set up a proper full DNS name configuration. Please note, that you have to use here your own domain name.

echo "export FQDN=zen.example.com" >> $HOME/.bashrc

Then create an A record in the admin panel of your DNS registrar which will be pointing to an IP address of the server. Moreover, this record will be used later for SSL Certificates as well as tracking software.

Add a repository for certbot:

sudo add-apt-repository ppa:certbot/certbot -y

Update and install available software packages by entering the following commands:

sudo apt-get update
sudo apt-get upgrade

Install all required utilities for node deployment, as well as dependencies for zend daemon compilation from source code.

sudo apt-get install build-essential pkg-config libc6-dev m4 g++-multilib 

   autoconf libtool ncurses-dev unzip git python 

   zlib1g-dev bsdmainutils automake curl 

   software-properties-common apt-transport-https 

   lsb-release dirmngr pwgen git jq ufw curl aria2 

   certbot

Download the source code of the Secure Node from the official Horizen repository on Github.

git clone https://github.com/ZencashOfficial/zen.git

Then run the build.sh using all CPU cores.

cd zen
./zcutil/build.sh -j$(nproc)

Fetch key parameters (This command will download approximately 2GB to the directory ~/.zcash-params)

./zcutil/fetch-params.sh

Run the zend daemon after installation, it will create a default config file.

./src/zend

We’ll append the following parameters to the default config file(add your server IP to “externalip” field)

cat <<EOF >> ~/.zen/zen.conf
rpcuser=$(pwgen -s 32 1)
rpcpassword=$(pwgen -s 64 1)
rpcport=18231
rpcallowip=127.0.0.1
rpcworkqueue=512
server=1
daemon=1
listen=1
txindex=1
logtimestamps=1
externalip=
port=9033
EOF

Afterwards, you have to run the zend daemon which should automatically sync with the blockchain.

./src/zend

Please note, that the current block height is approximately at 600,000 blocks, so the syncing time can last more than 12 hours. (For your information, we downloaded 10k blocks in 14 minutes.)

You can check the current sync status by running the following command:

./src/zen-cli getinfo

and

./src/zen-cli getnetworkinfo

If you want to get descriptive information regarding all the daemon activities, then you can refer to the debug.log file.

During this process, you will have time to configure SSH, certifies and firewall.

We advise reading the following comprehensive guide on securing the SSH daemon, and also consider reading the Ubuntu 18.04 guide too.

If you read carefully you will be able to configure key-based authentication and disable password-based and root logins.

Lets configure the firewall using UFW ( Note, the UFW may clear IPtables rules)

Run the following commands using sudo:

ufw default allow outgoing
ufw default deny incoming
ufw allow ssh/tcp
ufw limit ssh/tcp
ufw allow http/tcp comment "Certbot"
ufw allow https/tcp comment "Certbot"
ufw allow 9033/tcp comment "Zend daemon"
ufw logging on
ufw enable

Now let’s check the firewall status:

ufw status

Check if the UFW starts on boot, and if it doesn’t – enable it.

sudo systemctl status ufw
sudo systemctl enable ufw

Now get a certificate from Let’s Encrypt:

sudo certbot certonly -n --agree-tos --register-unsafely-without-email --standalone -d $FQDN

After that copy the root CA:

sudo cp /etc/letsencrypt/live/$FQDN/chain.pem /usr/local/share/ca-certificates/chain.crt

Update the certificate store with the root CA copied in the previous step:

sudo update-ca-certificates

Add the certificate and key locations to zen.conf:

echo "tlscertpath=/etc/letsencrypt/live/$FQDN/cert.pem" >> ~/.zen/zen.conf
echo "tlskeypath=/etc/letsencrypt/live/$FQDN/privkey.pem" >> ~/.zen/zen.conf

Modify group ownership and permissions to allow the sudo group access the certificate and the private key.

sudo chown -R root:sudo /etc/letsencrypt/
sudo chmod -R 750 /etc/letsencrypt/

Now stop and start the zend daemon so that it can start using the new configuration, the certificate and the private key.

ps aux | grep zend
kill pid_number_returned_above
./src/zend

Check if the certificate is installed and configured correctly.

./src/zen-cli getnetworkinfo

Verify if ‘true’ statement is returned in this row – “tls_cert_verified”: true.

You can get more details on certificates types here.

While configuring and testing everything you can stop the zend daemon simply by running kill pid command, where pid is the number of the zend process. You may also consider configuring systemd unit files, as shown in ‘Configure Services’ and ‘Configure Certificate Renewal’ sections on the Horizen Confluence page.

Next, we need to get at least 42.05 ZEN, and install the Sphere or Arisen wallet software so that you can start managing stakes.

Our team has used an AppImage of the Sphere wallet, that can be downloaded from the Github.

Consider buying ZEN on exchanges listed on official site – https://www.horizen.global/exchanges/

Also, there is an option to get completely FREE ZEN using faucet paying out up to 60000 Satoshis every 20 hours.

Now you have to install Node.js LTS ( Current version of LTS is 10.16 and it comes with npm 6.9.0).

curl -sL https://deb.nodesource.com/setup_10.x | sudo -E bash -
sudo apt-get install -y nodejs

After the Node.js installation, clone the Node Tracker software:

cd ~/ && git clone https://github.com/ZencashOfficial/nodetracker.git

Next, install the Node Tracker with npm.

cd nodetracker && npm install

Configure the tracker by running the setup process (node setup.js), for this action you have to go through the following steps:

1. Enter node type (Secure Node or Super Node)
2. Stake t_address (the t_address that will contain 42 or 500 ZEN)
3. Email address – to receive alerts in case of downtimes or other events related to your node
4. Fully-Qualified Domain Name (FQDN)
5. IP address version (ipv4, or ipv6)
6. Region code (choose NA, or EU), defaults to your node’s nearest region
7. Optional node category – alphanumeric (used to help categorize nodes)

Check the status of your node on the website that tracks node activities by entering the FQDN.

Moreover, use to view your transactions you can use the Horizen Explorer or the Sphere application.

In case you run into any issues with setting up the Horizen node, you can always get help in the official English or Russian speaking Telegram and Discord channels.

***

Follow news and updates from Everstake by subscribing to the newsletter on our website and join the discussion on our social channels through the links below.
Website: everstake.one
Twitter: @Everstake_pool
Telegram: @Everstake_chat
Facebook: fb.me/everstake.one
Reddit: /r/Everstake/
Medium: medium.com/everstake