Enhancement: Script and documentation that enhances security of newly setup IPFS Nodes using IPFS Podcast Node Installer #1

Closed
CaffeinatedDNB opened this issue Sep 7, 2022 · 10 comments


CaffeinatedDNB commented Sep 7, 2022

Platform: Hosted VPS (Virtual Private Server)
Reference OS: Ubuntu Server 20.04.5 (As of Sep 2022)

Also tested on: Debian 11 (Sep 2022)

No issues. 😎

Goals:

  • Make it easier to deploy a more secure IPFS Node installation for those wanting to extend their skills into Ubuntu Linux server administration on a VPS or VM at home by taking care of the setup of apps/services including Fail2Ban and others

  • Provide concise documentation for the would-be IPFS Node admin to have a new instance up and running in about 10-20 minutes time with limited knowledge and/or interaction. Code documentation provides insight as to what each step is doing.

  • Contribute in expanding available IPFS nodes around the world by providing the information to ease the installation process as the documentation is lacking in details in my experience. Particularly for those with some technical background but not much in the way of Linux Server administration.

Example: Often, installation procedures I have come across have the IPFS daemon running as root, which is not a good idea from a security perspective and also not necessary.

@CaffeinatedDNB
Author

CaffeinatedDNB commented Sep 11, 2022

Copyright (C) 2022 CaffeinatedDNB (github)

The programs generated and documentation provided are
distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

See the GNU General Public License for more details.
You should have received a copy of the GNU General Public
License along with this program. If not,
see https://www.gnu.org/licenses/gpl-3.0.html.

-- End of Licensing Information ---

Please take the time to read through the installation file to familiarize yourself with the processes involved. Once you've done that, get some IPFS nodes up and running!! 😎

IPFS-Node-Installation.txt

LICENSE.txt

As part of the process, it makes use of the following installation script as provided by the author.

For information on it, see: https://github.com/Cameron-IPFSPodcasting/podcastnode-Python

@Cameron-IPFSPodcasting
Owner

Looks really good.

Good catch with the IPFS init script on startup. I left that up to the cron script since it will restart IPFS if/when it crashes (on first-run, cron will start IPFS), but your method is much cleaner.

I'll try it on a fresh Ubuntu/Debian box to test it out. Then add a link to the /RunNode page.

Thanks again!

@Cameron-IPFSPodcasting
Owner

Cameron-IPFSPodcasting commented Sep 11, 2022

Do you want to add the file and submit as a pull request, so you get the "github credit"?

Otherwise, I can create the file in the root directory.

@Cameron-IPFSPodcasting
Owner

I may be doing something wrong, but I found I had to add "sudo" to all the system commands starting with adduser ipfs.

# Take a wild guess what this next step does.  :-)  

sudo adduser ipfs

# This adds the newly created user to the sudo group to allow admin related functions if needed 
# Which it will be when the script triggers the installation of IPFS

sudo usermod -aG sudo ipfs

...etc. to the end of the file.

Then I ran into issues with cat << EOF and single quotes when trying to sudo bash -c 'cat << EOF with words like we're and didn't between the EOF's. My bash skills are limited when it comes to nested quoting (& single quoting).
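
One way around the nested-quoting problem described in the comment above, added here as an example and not taken from the project's script: let the calling shell read the heredoc and pipe it to `sudo tee`, so apostrophes never sit inside a `bash -c '...'` string. `PRIV`, `write_root_file`, `render_unit`, the unit text and the paths are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the project's script. PRIV, write_root_file, render_unit
# and the unit text below are hypothetical names/content for illustration.

# Command prefix for privileged steps; set PRIV="" when already root.
PRIV="${PRIV-sudo}"

# write_root_file DEST MODE: copy stdin to DEST with elevated rights.
# The heredoc is read by the *calling* shell, so nothing is nested inside a
# quoted 'bash -c' string; only tee and chmod run under sudo.
write_root_file() {
    local dest="$1" mode="$2"
    $PRIV tee "$dest" > /dev/null || return 1
    $PRIV chmod "$mode" "$dest"
}

# render_unit USER BINARY: emit a systemd unit that runs the daemon as USER.
# With an unquoted delimiter (EOF) $user and $bin are expanded; apostrophes
# and double quotes in the body are literal and need no escaping.
# Use <<'EOF' instead when the body must be written out verbatim.
render_unit() {
    local user="$1" bin="$2"
    cat <<EOF
# We're running the daemon as "$user"; it doesn't need root.
[Unit]
Description=IPFS daemon
After=network-online.target

[Service]
User=$user
ExecStart=$bin daemon
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Usage on a real host (assumed paths):
#   render_unit ipfs /usr/local/bin/ipfs |
#       write_root_file /etc/systemd/system/ipfs.service 644
```
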

@Cameron-IPFSPodcasting
Owner

Made changes to add "sudo" where needed and published the script.
https://github.com/Cameron-IPFSPodcasting/podcastnode-Python/blob/main/IPFS-Node-Installation.sh

Also created a web page to explain usage.
https://ipfspodcasting.net/RunNode/Hosted

If you find any issues, please submit a change and/or let me know. - Thanks for contributing.

Cameron

@CaffeinatedDNB
Author

CaffeinatedDNB commented Sep 11, 2022

😂 I tested it extensively across various VPS instances running Ubuntu Server 20.04.5. 😎

You can revert the script to the original without issue. 😊

I had put the following comment in the script:

"#Work to do under root first"

So that requires that the user already be running as root.

Since you mentioned about limited VPS experience, all new instances always log you in as root.

In your case, spin up a new VM and this time, switch to root using "sudo su" (of course) 😎 and try the script process again.

@CaffeinatedDNB
Author

As for the "GitHub credit", it's all good. You can place in your root directory. Thanks for asking. 😎

I'll check out the /Hosted page as soon as I can.

@CaffeinatedDNB
Author

CaffeinatedDNB commented Sep 12, 2022

Just gave my original script a spin on a new Debian 11 VPS instance. It worked nicely as it did on Ubuntu Server 20.04.5. 😎

As you've already experienced, adding sudo, sudo bash -c, etc cause all kinds of issues. 😆

Requested modifications to the /Hosting page on your site.

  • Upload the original script before users start downloading your modified version with the "sudo" entries. 😄

  • Add the following comments:

Tested on new VPS instances of Debian 11 and Ubuntu Server 20.04.5 LTS

It creates a user called "ipfs" with sudo privileges so the IPFS daemon doesn't run as root.

When IPFS node is up and running, always switch to "ipfs" user when you SSH in to work with the IPFS install.

Use: "su - ipfs" (For clarification: that's "su [space] - [space] ipfs" and then press ENTER key)

Caveats:

  • IF you're running it on your own VM hypervisor (VirtualBox, VMWare, KVM, etc.), please make sure to type in "sudo su" and press ENTER to run the script from a root shell.

  • Depending on how you install Ubuntu 20.04.x, you should run the following command from a root shell BEFORE running the script:

add-apt-repository universe

That way, Fail2Ban and required packages don't fail to install.

During testing, there were times that the "ipfs.io" site was having issues (beyond our control) and the IPFS installation failed. No worries. When you get back to your shell prompt, simply re-run the script (it also states as much at the end of the installation process.) 😎

--

Thank you @Cameron-IPFSPodcasting !!

@Cameron-IPFSPodcasting
Owner

Reverted to the original.

Suorcd already submitted some improvements. https://github.com/Cameron-IPFSPodcasting/podcastnode-Python/pull/2/files

Will start again tomorrow.

@Cameron-IPFSPodcasting
Owner

> Requested modifications to the /Hosting page on your site.
>
> Upload the original script before users start downloading your modified version with the "sudo" entries. 😄
>
> Add the following comments:
>
> Tested on new VPS instances of Debian 11 and Ubuntu Server 20.04.5 LTS
>
> It creates a user called "ipfs" with sudo privileges so the IPFS daemon doesn't run as root.
>
> When IPFS node is up and running, always switch to "ipfs" user when you SSH in to work with the IPFS install.
>
> Use: "su - ipfs" (For clarification: that's "su [space] - [space] ipfs" and then press ENTER key)

I wanted to keep the web page simple (k.i.s.s.) so put these notes/instructions in your updated script.

Updated the website to simply say "you must run as root (sudo su)" and to read the script for more details.

Also updated and released the new script.
