{"id":28416379,"url":"https://github.com/softstack/tezos-octez-node-and-baking-setup-guide","last_synced_at":"2025-06-26T18:31:59.255Z","repository":{"id":264771447,"uuid":"811437704","full_name":"softstack/tezos-octez-node-and-baking-setup-guide","owner":"softstack","description":"Tezos Octez node and baking setup @ OVH x softstack x Tezos","archived":false,"fork":false,"pushed_at":"2024-11-26T08:02:00.000Z","size":4472,"stargazers_count":16,"open_issues_count":0,"forks_count":10,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-06-26T03:41:03.684Z","etag":null,"topics":["baker","guide","node","octez","octez-client","ovh","setup","staking","tezos","validator","vps","vps-setup"],"latest_commit_sha":null,"homepage":"https://www.ovhcloud.com/en/case-studies/softstack/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc0-1.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/softstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-06T15:43:19.000Z","updated_at":"2025-05-22T19:41:15.000Z","dependencies_parsed_at":"2024-11-26T09:19:39.702Z","dependency_job_id":"08ad5bff-3151-4748-8224-5ff16fcb383a","html_url":"https://github.com/softstack/tezos-octez-node-and-baking-setup-guide","commit_stats":null,"previous_names":["softstack/tezos-octez-node-and-baking-setup-guide"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/softstack/tezos-octez-node-and-baking-setup-guide","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softstack%2Ftezos-octez-node-and-baking-setup-guide","tags_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softstack%2Ftezos-octez-node-and-baking-setup-guide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softstack%2Ftezos-octez-node-and-baking-setup-guide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softstack%2Ftezos-octez-node-and-baking-setup-guide/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/softstack","download_url":"https://codeload.github.com/softstack/tezos-octez-node-and-baking-setup-guide/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/softstack%2Ftezos-octez-node-and-baking-setup-guide/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262122746,"owners_count":23262469,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["baker","guide","node","octez","octez-client","ovh","setup","staking","tezos","validator","vps","vps-setup"],"created_at":"2025-06-03T20:08:30.507Z","updated_at":"2025-06-26T18:31:59.210Z","avatar_url":"https://github.com/softstack.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"This project guides you through the process of setting up a Tezos validator node on a server from [OVH](https://www.ovh.com). 
Tezos is a self-amending blockchain network that incorporates a formal, on-chain mechanism for proposing, selecting, testing, and activating protocol upgrades.\n\nA Tezos validator node consists of several key components:\n\n- Tezos Node: The core component that connects to the Tezos network, synchronizes with the blockchain, and processes transactions and blocks.\n\n- Baker: A baker is responsible for creating and signing new blocks. It participates in the consensus mechanism by proposing blocks and validating blocks proposed by other bakers.\n\n- Accuser: The accuser monitors the network for any attempts at double-baking or double-endorsing, which are considered malicious activities. If detected, the accuser reports these actions, potentially resulting in the offending baker losing their stake.\n\n- Validator: In the context of Tezos, a validator combines the functions of a node, baker, and accuser. It fully participates in the network consensus, creates blocks, and helps maintain the integrity of the blockchain.\n\n\n# 1. Requirements\n\n## 1.1 Hardware Setup\n\n- High CPU performance for transaction processing\n- Sufficient memory to handle blockchain data and operations\n- Fast and reliable storage with SSD\n- Good network performance\n\nIn numbers:\n\n- 8 GB RAM\n- 2 CPU cores (better 4 vCPU)\n- Min. 256 GB SSD Drive\n- Linux (Docker optional)\n- Network min. 100 Mbps\n\nHistory types for a node:\n\n- **Rolling mode:** The most lightweight mode. 
It stores recent blocks with their current context.\n- **Full mode (default mode):** It also stores the content of every block since genesis so that it can handle requests about them, or even recompute the ledger state of every block of the chain.\n- **Archive mode:** Also stores the history of the context, allowing services like indexers to enquire about balances or staking rights from any past block.\n\nNetwork types:\n\n- Mainnet\n- Parisnet is the current testnet.\n- Ghostnet is a permanent testnet for devs or bakers.\n\nThe node is intended for baking with no need to store the content of every previous block. This is why the history type can be **rolling** mode, which also needs far less disk than the 256 GB listed above, so the 160 GB VPS below is sufficient. Network type must be **mainnet**.\n\n## 1.2 Buy OVH server\n\n1. Go to [ovh.com](https://www.ovh.com)\n\n- Select _Virtual Private Server_.\n\n![Step 1](/docs/img/1-choose_vps.png)\n\n2. Choose Comfort Server\n\n- **8GB** RAM\n- 4 vCPU\n- 160GB SSD NVMe\n- 1Gbps network connectivity\n\n![Step 2](/docs/img/2-choose_comfort.png)\n\n3. Configure VPS\n\n- Choose **Debian 12** as Operating System (Latest Ubuntu 24.04 had a lot of problems).\n\n![Step 3](/docs/img/3-configure_vps.png)\n\n- Choose datacentre\n\n![Step 4](/docs/img/4-choose_datacentre.png)\n\n4. Check order summary\n\n- Select **Payment up-front** to save costs.\n\n![Step 5](/docs/img/5-choose_billing_cycle.png)\n\n5. Complete payment process\n\n![Step 6](/docs/img/6-complete_payment_process.png)\n\n# 2. 
Server Setup and Security\n\n### 2.1 Login to server\n\n```bash\nssh debian@server.public.ip.address\n```\n\n### 2.2 Create new user with sudo privileges\n\nThis creates a new user named tezos, sets the password and adds the tezos user to the sudo group:\n\n```bash\nsudo useradd -m -s /bin/bash tezos\nsudo passwd tezos\nsudo usermod -aG sudo tezos\n```\n\n### 2.3 Disable SSH password Authentication and Use SSH Keys only\n\nThe basic rules of hardening SSH are:\n\n- No password for SSH access (use private key)\n- Don't allow root to SSH (the appropriate users should SSH in, then su or sudo)\n- Use sudo for users so commands are logged\n- Log unauthorized login attempts (and consider software to block/ban users who try to access your server too many times, like fail2ban)\n- Lock down SSH to only the IP range you require (if you feel like it)\n\n1. Create a new ssh key locally.\n\n```bash\nssh-keygen -t ed25519 -f ~/.ssh/my_custom_key_name -C \"comment or label for this key\"\n```\n\n2. Transfer the public key to the **tezos** user on your remote node (not to `debian`: once password login is disabled in step 5, only accounts that hold your public key can log in). ssh-copy-id will ask for the tezos password set in 2.2. Update keyname.pub appropriately.\n\n```bash\nssh-copy-id -i $HOME/.ssh/keyname.pub tezos@server.public.ip.address\n```\n\n3. Login with your new user. Keep this session open until step 7 has succeeded and a second key-based login works, so a mistake in sshd_config cannot lock you out.\n\n```bash\nssh -i ~/.ssh/my_custom_key_name tezos@server.public.ip.address\n```\n\n4. Disable root login and password based login.\n\nOpen the SSH configuration file in a text editor:\n\n```bash\nsudo nano /etc/ssh/sshd_config\n```\n\n5. Update the following lines (`KbdInteractiveAuthentication` is the current name of `ChallengeResponseAuthentication`; Debian 12 accepts both, set both to `no`. `PermitRootLogin no` matches the \"don't allow root to SSH\" rule above; `prohibit-password` would still let root in with a key):\n\n```\nChallengeResponseAuthentication no\nKbdInteractiveAuthentication no\nPasswordAuthentication no\nPermitRootLogin no\nPermitEmptyPasswords no\n```\n\n6. Validate the syntax of your new SSH configuration.\n\n```bash\nsudo sshd -t\n```\n\n7. If no errors with the syntax validation, restart the SSH process.\n\n```bash\nsudo systemctl restart sshd\n```\n\n### 2.4 Update your system\n\n1. Update and upgrade packages:\n\n```bash\nsudo apt update -y \u0026\u0026 sudo apt dist-upgrade -y\nsudo apt autoremove\nsudo apt autoclean\n```\n\n2. 
Enable automatic updates:\n\n```bash\nsudo apt install unattended-upgrades\nsudo dpkg-reconfigure -plow unattended-upgrades\n```\n\n### 2.5 Disable root account\n\n1. To disable the root account:\n\n```bash\nsudo passwd -l root\n```\n\n2. To re-enable the account if needed:\n\n```bash\nsudo passwd -u root\n```\n\n### 2.6 Secure Shared Memory\n\nOn Debian 12 `/run/shm` is a symlink to `/dev/shm`, so the mount is configured on `/dev/shm`. Do not mount it read-only (`ro`): programs that use POSIX shared memory need to write there, and a read-only `/dev/shm` breaks them. `nodev,nosuid,noexec` is what removes the attack surface (no executables or device nodes in world-writable memory).\n\n1. Edit /etc/fstab:\n\n```bash\nsudo nano /etc/fstab\n```\n\n2. Insert the following line at the bottom of the file:\n\n```\ntmpfs    /dev/shm    tmpfs    defaults,nodev,nosuid,noexec    0 0\n```\n\n3. Reboot the node:\n\n```bash\nsudo reboot\n```\n\n4. Check the changes (the options column must show `nosuid,nodev,noexec`):\n\n```bash\nmount | grep /dev/shm\n```\n\n### 2.7 Install Fail2ban\n\nFail2ban is an intrusion-prevention system that monitors log files and searches for particular patterns that correspond to a failed login attempt. If a certain number of failed logins are detected from a specific IP address (within a specified amount of time), fail2ban blocks access from that IP address.\n\n```bash\nsudo apt-get install fail2ban -y\n```\n\nEdit a config file that monitors SSH logins.\n\n```bash\nsudo nano /etc/fail2ban/jail.local\n```\n\nAdd the following lines to the bottom of the file. Debian 12 does not install rsyslog by default, so `/var/log/auth.log` usually does not exist and a jail pointing at it fails to start; `backend = systemd` reads sshd's messages from the journal instead.\n\n**Note**: Whitelisting IP address tip: The ignoreip parameter accepts IP addresses, IP ranges or DNS hosts that you can specify to be allowed to connect. This is where you want to specify your local machine, local IP range or local domain, separated by spaces.\n\n```ini\n[sshd]\nenabled = true\nport = 22\nfilter = sshd\nbackend = systemd\nmaxretry = 3\n# whitelisted IP addresses\n# ignoreip = \u003clist of whitelisted IP address, your local daily laptop/pc\u003e\n```\n\nSave/close file.\nRestart fail2ban for settings to take effect and confirm the jail is active:\n\n```bash\nsudo systemctl restart fail2ban\nsudo fail2ban-client status sshd\n```\n\n### 2.8 Configure your Firewall\n\nThe standard UFW firewall can be used to control network access to your node. With any new installation, ufw is disabled by default. Enable it with the following settings.\n\n1. 
Install UFW\n\n```bash\nsudo apt install ufw\n```\n\n2. Set default policies\n\n```bash\nsudo ufw default deny incoming\nsudo ufw default allow outgoing\n```\n\n3. Allow SSH access (adjust port if you've changed the default SSH port)\n\n```bash\nsudo ufw allow ssh\n```\n\n4. Allow Tezos node P2P connections from anywhere, and the public RPC port only from your own IP. Port 8732 is bound to 127.0.0.1 in section 3.1 and needs no rule; 8733 is the RPC endpoint exposed in 3.3/3.5 and must never be open to the whole internet, because the ACL applied there allows every RPC, including operation injection.\n\n```bash\nsudo ufw allow 9732/tcp  # P2P port for Tezos\nsudo ufw allow from \u003cyour-ip\u003e to any port 8733 proto tcp  # RPC, operator IP only\n```\n\n5. Allow additional ports for monitoring (only if the service is bound to a non-loopback address; the node config in 3.1 binds metrics to 127.0.0.1, so 9091 does not need a rule)\n\n```bash\nsudo ufw allow from \u003cyour-ip\u003e to any port 2020 proto tcp  # Pyrometer dashboard\n```\n\n6. Enable firewall\n\n```bash\nsudo ufw enable\n```\n\n7. Check status\n\n```bash\nsudo ufw status verbose\n```\n\n8. (Optional) Enable UFW logging\n\n```bash\nsudo ufw logging on\n```\n\nNote:\n- The Tezos node needs port 9732 open for P2P connections to communicate with other nodes.\n- Ports 8732 and 8733 are for RPC, which should only be accessible from your IP for security.\n\nAlways ensure your firewall rules are as restrictive as possible while still allowing necessary functionality.\n\n\n### 2.9 Verify Listening Ports\n\nIf you want to maintain a secure server, you should validate the listening network ports every once in a while. Anything bound to `0.0.0.0` or `[::]` is reachable from outside unless ufw blocks it.\n\n```bash\nsudo ss -tulpn\n# or, if net-tools is installed:\nsudo netstat -tulpn\n```\n\n### 2.10 Time Sync Check\n\nAccurate time matters for a baker: blocks and attestations are timestamped per round, and a node with a skewed clock bakes late or rejects blocks whose timestamps look like they are from the future.\n\nRun the following command.\n\n```bash\ntimedatectl\n```\n\n✅ Check if NTP Service is active.\n✅ Check if Local time, Time zone, and Universal time are all correct.\n✅ If NTP Service is not active, run:\n\n```bash\nsudo timedatectl set-ntp true\n\nsudo timedatectl set-timezone Europe/Berlin\n```\n\nIf you see the error message `Failed to set ntp: NTP not supported`, you may need to install the chrony or ntp package.\n\n\u003e**Note** by default, VMs may disable NTP so you may need to find a work-around for your environment.\n\n\n# 3. 
Tezos Node Setup\n\n## 3.1 Setup tezos node with Debian\n\n\n1. Update and install packages (`jq` is needed by the baker and accuser start scripts in sections 6 and 8).\n\n```bash\nsudo apt update \u0026\u0026 sudo apt upgrade\nsudo apt install libev4 libhidapi-libusb0 curl net-tools jq\n```\n\n2. Install octez packages.\n\n**Important**: Install in this order! Also there is a difference between using sudo in every command or using \"sudo su\" and then performing the statements: commands run after `sudo su` create their files under `/root` (for example `/root/.tezos-client`), which is where the baker service in section 6 expects them. Keep that in mind.\n\nThe `.deb` files are fetched over HTTPS but not otherwise verified. Before running `dpkg -i`, compare `sha256sum octez-*.deb` with a checksum obtained from a trusted source (the Octez release announcement or the package repository's index), and do not install a file whose checksum differs.\n\n```bash\ncurl -fo octez-node.deb https://pkgbeta.tzinit.org/debian-12/octez-node_20.1-1_amd64.deb\ncurl -fo octez-client.deb https://pkgbeta.tzinit.org/debian-12/octez-client_20.1-1_amd64.deb\ncurl -fo octez-baker.deb https://pkgbeta.tzinit.org/debian-12/octez-baker_20.1-1_amd64.deb\nsha256sum octez-node.deb octez-client.deb octez-baker.deb\n\nsudo dpkg -i octez-node.deb\nsudo dpkg -i octez-client.deb\nsudo dpkg -i octez-baker.deb\nsudo apt-get install -f\n\n# the package's /etc/octez/node.conf is not used by this guide, which configures the node directly below\n\nsudo chown -R root:root /var/tezos\nsudo mkdir -p /var/log/tezos\nsudo chown -R root:root /var/log/tezos\n```\n\nThe packages install the binaries under `/usr/bin` (`/usr/bin/octez-node` is what the systemd unit in 3.3 runs); nothing under `/usr/local/bin` needs to be made executable.\n\n3. Initialise configuration. `--rpc-addr=\"0.0.0.0:8733\"` listens on every interface; it is only safe together with the firewall rule from 2.8 that limits 8733 to your own IP.\n\n```bash\noctez-node config init --data-dir /var/tezos/.tezos-node \\\n    --network=mainnet \\\n    --history-mode=rolling \\\n    --net-addr=\"[::]:9732\" \\\n    --rpc-addr=\"127.0.0.1:8732\" \\\n    --rpc-addr=\"0.0.0.0:8733\" \\\n    --connections=20 \\\n    --metrics-addr=\"127.0.0.1:9091\"\n```\n\nIf you want to update the configuration use:\n\n```bash\noctez-node config update --data-dir ...\n```\n\nShow configuration (Editing this manually did break it multiple times):\n\n```bash\ncat /var/tezos/.tezos-node/config.json\noctez-node config show --config-file /var/tezos/.tezos-node/config.json\n```\n\n(Optional, did not work that well) - Allow only allowed peers:\n\n```bash\noctez-node config update --data-dir /var/tezos/.tezos-node \\\n    --peer=\u003ctrusted_peer_ip\u003e \\\n    --private-mode \\\n    --external-rpc-addr=ADDR:PORT \\\n    --config-file=FILE\n```\n\n\n## 3.2 Get snapshot\n\n1. 
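Added example for the package downloads in 3.1 (and any other artifact for which a checksum is published): this is written for this page, not the softstack guide's own script and not part of Octez. It downloads a file and installs it only when its SHA-256 matches a value you obtained out of band. The URL in the usage comment is the one from 3.1; the checksum there is a placeholder you must replace.

```bash
#!/bin/bash
# Added example, not the guide's own script: download a .deb and install it
# only if its SHA-256 matches a checksum obtained out of band. Replace the URL
# and EXPECTED value in the usage comment with the real ones; both are placeholders.

# verify_sha256 FILE EXPECTED_HEX
#   returns 0 if FILE hashes to EXPECTED_HEX, 1 (with a message on stderr) otherwise.
verify_sha256() {
  local file="$1" expected="$2" actual
  [ -r "$file" ] || { printf 'missing file: %s\n' "$file" >&2; return 1; }
  actual="$(sha256sum "$file" | cut -d' ' -f1)"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'checksum mismatch for %s\n  got      %s\n  expected %s\n' "$file" "$actual" "$expected" >&2
  return 1
}

# install_verified URL EXPECTED_HEX
#   fetches URL to a temporary file, verifies it, installs it with dpkg and
#   deletes the file; on download error or mismatch nothing is installed.
install_verified() {
  local url="$1" expected="$2" tmp
  tmp="$(mktemp)" || return 1
  if ! curl -fsSL -o "$tmp" "$url"; then
    rm -f "$tmp"; printf 'download failed: %s\n' "$url" >&2; return 1
  fi
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"; return 1
  fi
  sudo dpkg -i "$tmp"
  rm -f "$tmp"
}

# Usage (the URL matches 3.1; the checksum is NOT a real value, replace it):
# install_verified https://pkgbeta.tzinit.org/debian-12/octez-node_20.1-1_amd64.deb 0000000000000000000000000000000000000000000000000000000000000000
```

Run it once per package in the order the guide requires (node, client, baker), then `sudo apt-get install -f` as in step 2. A mismatch is a stop signal, not something to retry with `--no-check`-style shortcuts: either the download was corrupted or the file is not what the publisher built.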
Get and import the snapshot. `octez-node snapshot info` prints the hash of the snapshot's block; compare it with the block hash shown for that level on a block explorer (tzkt, tzstats) before importing, and pass it as `--block` so the import fails if the file does not match. Do not use `--no-check`: it skips the snapshot's integrity verification, and a tampered snapshot would silently become your node's view of the chain.\n\n```bash\nwget -O /tmp/snap https://snapshots.eu.tzinit.org/mainnet/rolling\noctez-node snapshot info /tmp/snap\noctez-node snapshot import /tmp/snap --data-dir /var/tezos/.tezos-node --block \u003cblock-hash\u003e\n```\n\nOutput:\n\n![Snapshot import Output](/docs/img/snapshot-import-output.png)\n\nIf you get an error that the directory is invalid perform this:\n\n```bash\nmv /var/tezos/.tezos-node/config.json /tmp/tezos_config_backup.json\nrm -rf /var/tezos/.tezos-node/*\nmv /tmp/tezos_config_backup.json /var/tezos/.tezos-node/config.json\n```\n\n2. After importing the context from the snapshot delete the temporary file.\n\n```bash\nrm /tmp/snap\n```\n\n## 3.3 Create systemd service for octez node\n\nAs root, start the node using systemctl. The enable command will ensure that the node starts on boot.\nSince we need to expose the RPC endpoint to the outside add another rpc-addr with `0.0.0.0:8733` (reachable only from your IP thanks to the ufw rule in 2.8).\n\n1. Create systemd service file for the node.\n\n```bash\nsudo nano /etc/systemd/system/octez-node.service\n```\n\n2. Add this. `RequiredBy` must name the units actually created in sections 6 and 8 (`octez-baker.service`, `octez-accuser.service`).\n\n```ini\n[Unit]\nDescription=Tezos Node\nWants=network-online.target\nAfter=network-online.target\n\n[Service]\nType=simple\nUser=root\nGroup=root\nExecStart=/usr/bin/octez-node run --data-dir /var/tezos/.tezos-node --rpc-addr 0.0.0.0:8733 --rpc-addr 127.0.0.1:8732 --log-output /var/log/tezos/node.log --metrics-addr=127.0.0.1:9091\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\nRequiredBy=octez-baker.service octez-accuser.service\n```\n\n**NOTE**: To not overwrite the config values instead of this above use flag --config-file /var/tezos/.tezos-node/config.json in ExecStart\n\n3. After any changes in systemd file, start or restart.\n\n```bash\n#Option 1\nsudo systemctl daemon-reload\nsudo systemctl enable octez-node.service\nsudo systemctl start octez-node.service\n\n#Option 2\nsudo systemctl restart octez-node.service\n```\n\n4. 
Check the status of the systemd service.\n\n```bash\nsudo systemctl status octez-node.service\n```\n\n![Status octez node systemd service](docs/img/status-octez-node-service.png)\n\nYou can now view the progress of the node in the log file. It will sync with the network and fill the gap from the point that the snapshot was taken to the current block. Then you will have a working Tezos node.\n\n5. Always see the logs for more information.\n\n```bash\nsudo tail -f /var/log/tezos/node.log\njournalctl -f -u octez-node.service -b\n```\n\n6. Check node synchronisation.\n\n```bash\noctez-client bootstrapped\n```\n\n![Octez Node bootstrapped status output](docs/img/bootstrapped-sync-status.png)\n\n\nFurther Resources: [Tezos Node Setup](https://chrispinnock.com/tezos/node/)\n\n\n## 3.4 Tezos Client Setup\n\n1. Set base directory and configuration for tezos client.\n\n```bash\nsudo mkdir -p /root/.tezos-client\nsudo chown -R $(whoami):$(whoami) /root/.tezos-client\noctez-client --base-dir /root/.tezos-client config init\noctez-client --base-dir /root/.tezos-client --endpoint http://localhost:8732 config update\noctez-client --base-dir /root/.tezos-client rpc get /chains/main/blocks/head\n```\n\n## 3.5 Allow local connection\n\nTo perform the commands to set up the Ledger as remote signer on your local machine, the RPC endpoint must be accessible.\n\n1. Check first if the node is fully synced.\n\n```bash\noctez-client bootstrapped\n```\n\n2. Update node config to allow access to monitoring status to outside via acl filters. (Otherwise this Error will appear: The server doesn't authorize this endpoint (ACL filtering))\n\nAn empty blacklist on `0.0.0.0:8733` disables the default ACL for non-local clients entirely: anyone who can reach the port can inject operations and call node-management endpoints. This is only acceptable because 2.8 restricts 8733 to your own IP; if you skipped that rule, do not run this. The safer alternative that needs no open port at all is an SSH tunnel from your laptop, `ssh -L 8732:127.0.0.1:8732 tezos@server.public.ip.address`, after which the local client can use `--endpoint http://127.0.0.1:8732` with the default ACL. The ACL value must be single-quoted, otherwise bash brace-expands `{address=...,blacklist=[]}` into two separate arguments.\n\n```bash\noctez-node config update   \\\n--data-dir /var/tezos/.tezos-node   \\\n--network=mainnet   \\\n--history-mode=rolling   \\\n--net-addr=\"[::]:9732\"   \\\n--rpc-addr=\"127.0.0.1:8732\"   \\\n--rpc-addr=\"0.0.0.0:8733\"   \\\n--connections=20   \\\n--metrics-addr=\"127.0.0.1:9091\" \\\n--rpc-acl='[{address=\"0.0.0.0:8733\",blacklist=[]}]'\n```\n\n3. 
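Added check, not part of the guide: before step 3 below, confirm from the server which sockets actually face the internet. The function reads `ss -tlnp` output and reports every TCP listener bound to all interfaces that is not on an expected list; it serves both 2.8/2.9 and the ACL change just made. The sample output is constructed to mirror the node configuration from 3.1 (P2P on [::]:9732, RPC on 127.0.0.1:8732 and 0.0.0.0:8733, metrics on 127.0.0.1:9091) and was not captured on a real host; the allow list of public ports is an assumption.

```bash
#!/bin/bash
# Added example, not from the softstack guide: report TCP listeners that face
# the internet (bound to 0.0.0.0, * or [::]) and are not on an allow list.
# Input format is `ss -tlnp` (TCP listeners, numeric, with process), where the
# local address is the fourth column and the first line is the header.

# unexpected_listeners SS_OUTPUT ALLOWED_PORTS
#   prints one port per line for each wildcard-bound listener whose port is not
#   in ALLOWED_PORTS (space separated); prints nothing when all is as expected.
unexpected_listeners() {
  local lines="$1" allowed=" $2 " addr host port
  printf '%s\n' "$lines" | awk 'NR > 1 { print $4 }' | while IFS= read -r addr; do
    port="${addr##*:}"
    host="${addr%:*}"
    case "$host" in
      0.0.0.0|'*'|'[::]') ;;          # wildcard bind: reachable from outside
      *) continue ;;                  # loopback or a specific address: skip
    esac
    case "$allowed" in
      *" $port "*) ;;                 # expected public port (SSH, P2P)
      *) printf '%s\n' "$port" ;;     # exposed but not expected
    esac
  done
}

# Constructed sample mirroring the node configuration from 3.1 (assumption, not
# captured on a real host): 8733 is bound to all interfaces and is not in the
# allow list, so it is the one line this audit should print.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*   users:(("sshd",pid=700,fd=3))
LISTEN 0      4096   [::]:9732           [::]:*      users:(("octez-node",pid=9218,fd=12))
LISTEN 0      4096   127.0.0.1:8732      0.0.0.0:*   users:(("octez-node",pid=9218,fd=13))
LISTEN 0      4096   0.0.0.0:8733        0.0.0.0:*   users:(("octez-node",pid=9218,fd=14))
LISTEN 0      4096   127.0.0.1:9091      0.0.0.0:*   users:(("octez-node",pid=9218,fd=15))'

# Ports that may legitimately listen on all interfaces: SSH and Tezos P2P (assumption).
ALLOWED_PUBLIC_PORTS="22 9732"

# audit_live: run the same check against the real socket table (needs root for
# the process column). Returns 1 if anything unexpected is exposed.
audit_live() {
  local exposed
  exposed="$(unexpected_listeners "$(ss -tlnp)" "$ALLOWED_PUBLIC_PORTS")"
  [ -z "$exposed" ] || { printf 'exposed ports not in allow list: %s\n' "$exposed" >&2; return 1; }
}

if [ "${1:-}" = "--live" ]; then
  audit_live
else
  unexpected_listeners "$SAMPLE_SS" "$ALLOWED_PUBLIC_PORTS"   # prints 8733
fi
```

On the server, `sudo bash audit.sh --live` lists what is exposed. With the guide's configuration the answer is `8733`, which means the `ufw allow from <your-ip>` rule from 2.8 is the only thing between the unfiltered RPC and the internet; an empty result, obtained by binding RPC to 127.0.0.1 only and reaching it through an SSH tunnel, is the stricter posture.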
Allow TCP access to your IP address via server settings.\n\n\n\n# 4. Keys\n\nIn the Tezos blockchain there are two types of keys we use in our setup:\n\n- **Delegate** key: This key is the main key of a baker, used for managing funds and staking (delegation). This key controls the funds and is critical for the ownership of the staking balance.\n\n- **Consensus** Key: This is a separate key used for signing consensus operations like baking and attesting blocks. It is a more specialized key used solely for participating in the consensus process.\n\nFor enhanced security, we use a **Ledger** hardware wallet to protect the delegate key, ensuring that the main funds are kept safe from unauthorized access while keeping the consensus key flexible for baking operations.\n\nWe will create a consensus key on the server, where the Tezos node and baker are running. This enhances security by separating the key used for baking and consensus operations from the main funds key (delegate key). Additionally, this allows consensus key *rotation* without affecting the delegate key, and even if the consensus key is compromised, the funds controlled by the delegate key cannot be moved. What a stolen consensus key *can* do is double-bake or double-attest on the delegate's behalf, which gets part of the delegate's frozen stake slashed once an accuser reports it, so a suspected compromise must be answered by rotating the consensus key immediately (step 10 in section 5.2 with a fresh key).\n\n## 4.1 Create consensus key\n\n1. On the server create the consensus key and show the Secret. `--encrypted` stores the secret key encrypted under a password; that is what produces the `encrypted:edesk...` form shown below and what the baker's `--password-filename` option in section 6 is for.\n\n```bash\noctez-client gen keys vpsconsensus --encrypted\noctez-client show address vpsconsensus -S\n```\n\nOutput:\n```\nHash: tz1hq....\nPublic Key: edpkv9....\nSecret Key: encrypted:edesk....\n```\n\n2. Save password\n\nApart from saving the password in your preferred secure place, store it on the server for later use by the baker. Read it from the terminal rather than typing it into an `echo`, so it does not end up in the shell history, and create the file with mode 0600. The baker service in section 6 reads `/root/.tezos-client/pw`, so `~` must resolve to `/root` here (run this as root).\n\n```bash\numask 077\nread -rs -p \"Consensus key password: \" PW; echo\nprintf '%s\\n' \"$PW\" \u003e ~/.tezos-client/pw\nunset PW\n```\n\n\n# 5. Local Ledger Setup\n\n## 5.1 Install octez client\n\nPerform these steps on your local computer where you connect the Ledger.\n\n**Note**: Make sure to allow connections from your IP address to your server!\n\n1. 
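Before switching to the local machine, one more server-side item for step 2 of 4.1. This is an added helper, not the guide's own code: it creates the baker password file with owner-only permissions from a line read on stdin, so the password is never a command-line argument or a history entry. The default path `/root/.tezos-client/pw` is taken from the baker script in section 6; everything else is an assumption.

```bash
#!/bin/bash
# Added helper, not part of the softstack guide: create the baker password file
# with owner-only permissions. The password is read from stdin (a terminal in
# normal use) so it never appears in `ps` output or the shell history.
# Default path is the one tezos-baker-start reads (assumption from section 6).

PW_FILE="${PW_FILE:-/root/.tezos-client/pw}"

# write_secret_file PATH
#   reads one line from stdin and writes it to PATH with mode 0600, inside a
#   directory forced to 0700. The file is created under umask 077, so there is
#   no window in which it is readable by anyone else. Refuses an empty line.
write_secret_file() {
  local path="$1" dir secret
  dir="$(dirname "$path")"
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  IFS= read -r secret || return 1
  [ -n "$secret" ] || { printf 'refusing to write an empty password\n' >&2; return 1; }
  ( umask 077 && printf '%s\n' "$secret" > "$path" ) || return 1
  chmod 600 "$path"
}

# secret_file_mode PATH: octal permission bits of PATH, e.g. 600
secret_file_mode() { stat -c '%a' "$1"; }

# prompt_secret_file PATH: interactive wrapper with terminal echo disabled.
prompt_secret_file() {
  local pw
  read -rs -p "Consensus key password: " pw; echo
  printf '%s\n' "$pw" | write_secret_file "$1"
}

# prompt_secret_file "$PW_FILE"   # run this as root on the baking server
```

After writing the file, `secret_file_mode /root/.tezos-client/pw` must print `600`; the baker runs as root in this guide, so root ownership is correct. If you later move the baker to its own user, chown the file and directory to that user instead of loosening the mode.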
Install brew if not already done.\n\n```bash\n/bin/bash -c \"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)\"\n\nbrew tap serokell/tezos-packaging-stable https://github.com/serokell/tezos-packaging-stable.git\n\nbrew install tezos-client\n```\n\n2. Verify that the Octez client is installed by running this command.\n\n```bash\noctez-client --version\n```\n\n3. Get the RPC node endpoint. \u003cPublic-IP\u003e is the servers IPv4 DNS address.\n\n```bash\ntelnet \u003cPublic-IP\u003e 8733\ncurl http://\u003cPublic-IP\u003e:8733/chains/main/blocks/head/header\n```\n\n4. Try this to check if node is running.\n\nReturns info about the latest block header:\n\n```bash\noctez-client --endpoint http://\u003cPublic-IP\u003e:8733 bootstrapped\ncurl -s http://\u003cPublic-IP\u003e:8733/chains/main/blocks/head/header\noctez-client --endpoint http://\u003cPublic-IP\u003e:8733 rpc get /chains/main/blocks/head/hash\n```\n\n5. Configure and set rpc node as endpoint.\n\n```bash\noctez-client config init\noctez-client --endpoint http://\u003cPublic-IP\u003e:8733 config update\n```\n\n(Additional debug): Test which ports are listening on your server:\n\n```bash\nsudo netstat -tulnp | grep LISTEN\nsudo netstat -tulnp | grep :8732\nsudo netstat -tulnp | grep octez-node\n```\n\n\nAfter this is finished keep the ledger connected because we will locally create the delegate key, move to the server and create a consensus key for the baking process. Then locally again, import that key and register the consensus key together with that delegate key.\n\n\n## 5.2 Register as a delegate\n\n1. Connect and unlock your Ledger to your computer.\n2. On Ledger Live:\n\nActivate Developer Mode in Experimental Settings. \n\n![Ledger Live Developer Mode](./docs/img/LedgerLive_DeveloperMode.png)\n\nInstall Tezos Wallet and Tezos Baker app.\n\n![Ledger Live Tezos Baker Mode](./docs/img/LedgerLive_TezosApps.png)\n\n3. 
Open the Tezos wallet app on the device (Must be open for all Ledger operations!)\n\n4. Import the consensus key's **public key** locally. Setting a consensus key (step 10) only needs the public key, which the delegate key on the Ledger then signs for; the encrypted secret key has no reason to leave the baking server, and copying it to a laptop only widens its exposure. Use the `Public Key` value shown by `show address vpsconsensus -S` in 4.1.\n\n```bash\noctez-client --endpoint http://\u003cPublic-IP\u003e:8733 import public key local_vpsconsensus unencrypted:edpkv9...\n```\n\n5. List connected ledgers to get the path\n\n```bash\noctez-client --endpoint http://\u003cPublic-IP\u003e:8733 list connected ledgers\n```\n\nOutput looks like this:\n\n```\nFound a Tezos Wallet 3.0.4 (git-description:\n\"stax_1.5.0_3.0.3_sdk_edba017dd479c0adeb115ee1cece6303d03c1610-60-g6e4b8ef1\")\napplication running on Ledger Nano S Plus at [DevSrvsID:4294973661].\n\nTo use keys at BIP32 path m/44'/1729'/0'/0' (default Tezos key path), use one\nof:\n  octez-client import secret key ledger_softstack \"ledger://front-chameleon-impossible-horse/ed25519/0h/0h\"\n  octez-client import secret key ledger_softstack \"ledger://front-chameleon-impossible-horse/secp256k1/0h/0h\"\n  octez-client import secret key ledger_softstack \"ledger://front-chameleon-impossible-horse/P-256/0h/0h\"\n  octez-client import secret key ledger_softstack \"ledger://front-chameleon-impossible-horse/bip25519/0h/0h\"\n```\n\n6. IMPORTANT! Check your tezos wallet address in Ledger Live\n\nOpen your account where your tezos funds are and check how the wallet address starts: Either tz1, tz2 or tz3.\nDepending on this, choose the correct command with the right cryptographic signing algorithm.\n\n- **ed25519** for **tz1...** addresses\n- **bip25519** for **tz1...** addresses as well. 
Newer addition to tezos.\n- **secp256k1** for **tz2...** addresses: This is less common but still regularly used.\n- **P-256** for **tz3...** addresses: This is the least common of the three original address types.\n\nFor us, since we had a `tz1...` address we used below command:\n\n```bash\noctez-client --endpoint http://\u003cPublic-IP\u003e:8733 import secret key ledger_softstack_delegate_key \"ledger://front-chameleon-impossible-horse/ed25519/0h/0h\"\n```\n\nThis registers the Ledger-held key under the alias `ledger_softstack_delegate_key`; despite the command name, only a reference to the device path is stored, the secret key never leaves the Ledger.\n\n7. Validate the public key hash on your connected ledger.\n\n8. Register delegate with below command on your computer.\n\n```bash\noctez-client --endpoint http://\u003cPublic-IP\u003e:8733 \\\nregister key ledger_softstack_delegate_key as delegate\n```\n\nThis registers the key behind the connected wallet as a delegate (the Ledger asks you to confirm the signature); the consensus key created on the server in 4.1 will be the one used for baking.\n\n9. Stake your funds. \u003cAMOUNT\u003e must be at least 6,000 tez. Keep a few in your wallet for other operations.\n\n```bash\noctez-client --endpoint http://\u003cPublic-IP\u003e:8733 stake \u003cAMOUNT\u003e for ledger_softstack_delegate_key\n```\n\nNow check on a block explorer (tzkt.io, as in 6.3) that the wallet balance has dropped by the staked amount plus the fees, and that the delegate is listed with baking rights once the stake becomes active after a few cycles.\n\n\n10. 
Set consensus key\n\n```bash\noctez-client --endpoint http://\u003cPublic-IP\u003e:8733 set consensus key for ledger_softstack_delegate_key to local_vpsconsensus\n```\n\nOutput:\n\n````\nWarning:\n        This is NOT the Tezos Mainnet.\n        Do NOT use your fundraiser keys on this network.\nNode is bootstrapped.\nEstimated gas: 169.046 units (will add 100 for safety)\nEstimated storage: no bytes added\nEnter password for encrypted key:\nOperation successfully injected in the node.\nOperation hash is 'owr9KJW2N87f1389ahUHAUWHbuaaHngsTAT8qqvwsDaiYicLDn7EYcSoKfw'\nWaiting for the operation to be included...\nOperation found in block: BMcLB82aihsd82aADWHyYojPHqavoHKc575J1qSdBrFx3GZfcrpvQM29wD (pass: 3, offset: 1)\nThis sequence of operations was run:\n  Manager signed operations:\n...\n````\n\n\n\n\n\n# 6. Setup Baker \n\n## 6.1 Creating a Dynamic Baker Start Script\n\nCreating a persistent baker using these [instructions](https://opentezos.com/node-baking/baking/persistent-baker/) from opentezos. Since the Tezos protocol changes every few months, we need to create a custom script to dynamically fetch the current protocol and start the baker accordingly.\n\nThis guide provides instructions for setting up a Tezos baker on a Debian-based system using systemd.\n\n1. Create a new file for the baker start script:\n\n```bash\nsudo nano /usr/local/bin/tezos-baker-start\n```\n\n2. 
Add the following content to the file:\n\n```bash\n#!/bin/bash\n\n# Get the current protocol\nPROTOCOL=$(octez-client rpc get /chains/main/blocks/head/metadata | jq -r .protocol | sed -E 's/^(Pt|Ps)(.{6}).*/\\1\\2/')\necho \"$(date): Current protocol is $PROTOCOL\" \u003e\u003e /var/log/tezos/baker_protocol.log\n\n# Start the baker with the current protocol\nexec /usr/bin/octez-baker-$PROTOCOL --mode client --base-dir /root/.tezos-client --endpoint http://127.0.0.1:8732 --password-filename /root/.tezos-client/pw run with local node /var/tezos/.tezos-node vpsconsensus --liquidity-baking-toggle-vote pass\n```\n\n3. Make the script executable:\n\n```bash\nsudo chmod +x /usr/local/bin/tezos-baker-start\n```\n\n\n## 6.2 Configuring the Baker Service\n\n1. Edit the baker service file:\n\n```bash\nsudo nano /etc/systemd/system/octez-baker.service\n```\n\n2. Add the following content to the file:\n\n```ini\n[Unit]\nDescription=Tezos baker Service\nDocumentation=http://tezos.gitlab.io/\nAfter=network-online.target octez-node.service\nWants=network-online.target\nRequires=octez-node.service\n\n[Service]\nUser=root\nGroup=root\nEnvironment=\"TEZOS_LOG=* -\u003e debug\"\nExecStart=/usr/local/bin/tezos-baker-start\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n```\n\n## 6.3 Starting and Managing the Baker Service\n\n1. Stop the existing baker service (if running):\n\n```bash\nsudo systemctl stop octez-baker.service\n```\n\n2. Reload the systemd daemon to recognize the changes:\n\n```bash\nsudo systemctl daemon-reload\n```\n\n3. Enable the baker service to start on boot:\n\n```bash\nsudo systemctl enable octez-baker.service\n```\n\n4. Start the baker service:\n\n```bash\nsudo systemctl start octez-baker.service\n```\n\n5. Restart the baker service (if needed):\n\n```bash\nsudo systemctl restart octez-baker.service\n```\n\n6. Check the status of the baker service:\n\n```bash\nsudo systemctl status octez-baker.service\n```\n\n7. 
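Before the monitoring commands, an added example that is neither the guide's `tezos-baker-start` nor Octez code: a fail-closed variant of the protocol detection shared by the baker script above and the accuser script in section 8. The original pipes `jq -r .protocol` into `sed`; if `octez-client` fails, the variable is empty and the script execs `/usr/bin/octez-baker-`, which systemd then restarts in a loop. This version prefers `next_protocol` from the head block's metadata so the right daemon is started across a protocol migration, parses with `sed` only, and checks that the binary exists before `exec`. The sample metadata is constructed with invented protocol hashes; the daemon directory and the baker arguments mirror the guide's.

```bash
#!/bin/bash
# Added example, not the guide's tezos-baker-start and not Octez code: a
# fail-closed variant of the protocol detection shared by the baker (6.1) and
# accuser (8) start scripts. It prefers "next_protocol" from the head block's
# metadata so the right daemon is started across a protocol migration, needs
# only sed, and refuses to exec a binary that is not installed.

BIN_DIR="${BIN_DIR:-/usr/bin}"   # where the octez-*.deb packages put the daemons

# proto_suffix METADATA_JSON
#   prints the binary suffix (e.g. PsParisC: "Pt"/"Ps" plus six characters, as
#   the guide's sed does) derived from "next_protocol", falling back to
#   "protocol". Works on pretty-printed or compact JSON. Returns 1 if absent.
proto_suffix() {
  local json="$1" hash
  hash="$(printf '%s\n' "$json" | sed -n 's/.*"next_protocol" *: *"\([A-Za-z0-9]*\)".*/\1/p' | head -n 1)"
  if [ -z "$hash" ]; then
    hash="$(printf '%s\n' "$json" | sed -n 's/.*"protocol" *: *"\([A-Za-z0-9]*\)".*/\1/p' | head -n 1)"
  fi
  [ -n "$hash" ] || return 1
  printf '%s\n' "$hash" | sed -E 's/^(Pt|Ps)(.{6}).*/\1\2/'
}

# daemon_path KIND SUFFIX
#   prints BIN_DIR/octez-KIND-SUFFIX if it exists and is executable, else returns 1.
daemon_path() {
  local path="$BIN_DIR/octez-$1-$2"
  [ -x "$path" ] || return 1
  printf '%s\n' "$path"
}

# start_daemon KIND ARGS...
#   resolves the protocol from the local node, then execs the matching daemon;
#   any failure returns non-zero without exec'ing anything.
start_daemon() {
  local kind="$1" meta suffix bin; shift
  meta="$(octez-client --endpoint http://127.0.0.1:8732 rpc get /chains/main/blocks/head/metadata)" || return 1
  suffix="$(proto_suffix "$meta")" || { printf 'no protocol in block metadata\n' >&2; return 1; }
  bin="$(daemon_path "$kind" "$suffix")" || { printf 'missing %s/octez-%s-%s\n' "$BIN_DIR" "$kind" "$suffix" >&2; return 1; }
  printf '%s: starting %s\n' "$(date)" "$bin" >> /var/log/tezos/baker_protocol.log
  exec "$bin" "$@"
}

# Constructed sample metadata (the hashes are invented; only the prefixes matter).
SAMPLE_MIGRATION='{"protocol":"PsParisC1111111111111111111111111111111111111111111","next_protocol":"PsQuebec2222222222222222222222222222222222222222222","level_info":{"level":6813872}}'

case "${1:-}" in
  baker)   start_daemon baker --mode client --base-dir /root/.tezos-client --endpoint http://127.0.0.1:8732 \
             --password-filename /root/.tezos-client/pw \
             run with local node /var/tezos/.tezos-node vpsconsensus --liquidity-baking-toggle-vote pass ;;
  accuser) start_daemon accuser --endpoint http://127.0.0.1:8732 run ;;
  *)       proto_suffix "$SAMPLE_MIGRATION" ;;   # prints PsQuebec
esac
```

Installed as one file, it can replace both start scripts: `ExecStart=/usr/local/bin/tezos-daemon-start baker` in `octez-baker.service` and `... accuser` in `octez-accuser.service`. Because a missing binary makes the script return 1 instead of exec'ing, `Restart=on-failure` still retries, but `journalctl` now shows which `octez-baker-<suffix>` package you have to install rather than an opaque "No such file" for an empty suffix.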
To monitor the baker's activity, you can use the following commands:\n\n```bash\njournalctl -f -u octez-baker.service -b\njournalctl -f -u octez-baker.service -b \u003e /var/log/baker-logs/16-09-24.log\njournalctl --unit=octez-baker.service --since \"1 days ago\" --until \"now\" \u003e /var/log/baker-logs/$(date +%d-%m-%y).log\n```\n\n**Hint**:\nSince you always need to perform all of these commands at once, copy them from here:\n\n```bash\nsudo systemctl stop octez-baker.service\nsudo systemctl daemon-reload\nsudo systemctl enable octez-baker.service\nsudo systemctl start octez-baker.service\njournalctl -f -u octez-baker.service -b\n```\n\n8. Success! If you see below output in the baker logs you have a successfully running baker.\n\nRun `journalctl -f -u octez-baker.service -b`:\n\n\n````\nreceived 1 attestations (power: 127) (total voting power: 3790, 70\nattestations)\nreceived 1 attestations (power: 12) (total voting power: 3802, 71\nattestations)\nquorum reached (voting power: 4756, 72 attestations)\nautomaton step: current phase awaiting attestations, event\nquorum reached with 72 attestations for BMBKoDiQY52KDLKdnZ9tUVGLMCF5fPqKtu3MofrKoceak1X8hY5 at round 0\nfound an elected block at level 6813872, round 0... checking baking rights\nnext potential slot for level 6813873 is at round 3006 at\n2025-06-29T05:53:45-00:00 for\nvpsconsensus (tz1hq2SUp3jJa8uYa8xyZzAyfSb3rgG8GEHQ)\non behalf of tz1SaRa7u2dnoJGKrWW8Qimjk5NwHC5E71A6\nwaiting 7.657s until end of round 0 at 2024-10-10T12:36:30-00:00\n````\n\nAlso check the `Rewards`, `Schedule` and `Consensus Key` Tabs on a tezos explorer like tzstats, or tzkt.io. Add your delegate key.\n\n````\nhttps://tzkt.io/\u003cDELEGATE_KEY\u003e/schedule\n````\n\n# 7. Setup Node and Baker restart if they fail\n\n1. Install Postmark.\n\nsudo apt-get install python3-pip\npip3 install postmark\n\n2. Create a shell script.\n\n```bash\nsudo nano /usr/local/bin/tezos-node-monitor.sh\n```\n\n3. 
Add contents from [Failsafe email script](./docs/files/failsafe_email.sh) script.\n\n4. Make executable.\n\n```bash\nsudo chmod +x /usr/local/bin/tezos-node-monitor.sh\n```\n\n5. Add systemd service.\n\n```bash\nsudo nano /etc/systemd/system/tezos-monitor.service\n```\n\n```ini\n[Unit]\nDescription=Tezos Node Monitor\nAfter=network.target\n\n[Service]\nExecStart=/usr/local/bin/tezos-node-monitor.sh\nRestart=always\nUser=root\n\n[Install]\nWantedBy=multi-user.target\n```\n\n6. Reload systemd, enable and start the service.\n\n```bash\nsudo systemctl daemon-reload\nsudo systemctl enable tezos-monitor.service\nsudo systemctl start tezos-monitor.service\n```\n\nRestart service:\n\n```bash\nsudo systemctl restart tezos-monitor.service\n```\n\nSee status and logs:\n\n```bash\nsudo systemctl status tezos-monitor.service\njournalctl -f -u tezos-monitor.service -b\ntail -f /var/log/tezos-monitor.log\n```\n\n# 8. Setup accuser\n\nThe accuser watches the chain for a baker that produces two competing blocks at the same level (double baking) or attests two different blocks at the same level and round (double attesting) and injects a denunciation operation. If the denunciation is correct, part of the offending delegate's frozen stake is slashed and the accuser receives a share of the slashed amount.\n\n1. Create a new file for the accuser start script:\n\n```bash\nsudo nano /usr/local/bin/tezos-accuser-start\n```\n\n2. Add the following content to the file:\n\n```bash\n#!/bin/bash\n\n# Get the current protocol\nPROTOCOL=$(octez-client rpc get /chains/main/blocks/head/metadata | jq -r .protocol | sed -E 's/^(Pt|Ps)(.{6}).*/\\1\\2/')\n\n# Start the accuser with the current protocol\nexec /usr/bin/octez-accuser-$PROTOCOL --endpoint http://127.0.0.1:8732 run\n```\n\n3. Make the script executable:\n\n```bash\nsudo chmod +x /usr/local/bin/tezos-accuser-start\n```\n\n## 8.1 Configuring the Accuser Service\n\n4. Create the accuser service file:\n\n```bash\nsudo nano /etc/systemd/system/octez-accuser.service\n```\n\n5. 
Add the following content to the file:\n\n```ini\n[Unit]\nDescription=Tezos Accuser Service\nDocumentation=http://tezos.gitlab.io/\nAfter=network-online.target octez-node.service\nWants=network-online.target\nRequires=octez-node.service\n\n[Service]\nUser=root\nGroup=root\nEnvironment=\"TEZOS_LOG=* -\u003e debug\"\nExecStart=/usr/local/bin/tezos-accuser-start\nRestart=on-failure\n\n[Install]\nWantedBy=multi-user.target\n```\n\n## 8.2 Starting and Managing the Accuser Service\n\n6. Reload the systemd daemon to recognize the new service:\n\n```bash\nsudo systemctl daemon-reload\n```\n\n7. Enable the accuser service to start on boot:\n\n```bash\nsudo systemctl enable octez-accuser.service\n```\n\n8. Start the accuser service:\n\n```bash\nsudo systemctl start octez-accuser.service\n```\n\n9. Check the status of the accuser service:\n\n```bash\nsudo systemctl status octez-accuser.service\n```\n\n10. If you need to restart the accuser service:\n\n```bash\nsudo systemctl restart octez-accuser.service\n```\n\n11. To view the accuser logs:\n\n```bash\njournalctl -f -u octez-accuser.service\n```\n\n\n# 9. 
Monitoring\n\n## 9.1 Option 1: Using cli commands for monitoring\n\nGet the PIDs of the Octez processes. The annotations after the PIDs were added by hand: the second `octez-node` PID is the validator child process, the third PID belongs to the baker.\n\n```bash\npgrep -f octez-node\n# 9218\n# 9243 (validator)\n# 16736 baker\n```\n\nRecord CPU and memory usage of those PIDs every 60 seconds in the background (`pidstat` and `sar` come from the `sysstat` package; the number printed after each `\u0026` is the background job's PID):\n\n```bash\npidstat -u -r -p 9218,9243,16736 60 \u003e /var/log/log_all_octez_instances.csv \u0026\n# 16795\n```\n\nTrack network usage every minute:\n\n```bash\nsar -n DEV 60 1 \u003e /var/log/sar_network.csv \u0026\nnohup sar -n DEV 60 \u003e /var/log/network_usage.log 2\u003e\u00261 \u0026\n# 10136\n```\n\nResults (this usage is relatively low):\n\n- 89.52 KB/s received ≈ 0.7 Mbps\n- 54.91 KB/s sent ≈ 0.4 Mbps\n\nRun glances in batch mode for continuous tracking (run every min):\n\n```bash\nglances --export csv --export-csv-file /var/log/glances.csv -B 60 --disable-plugin load,help,diskio,fs \u0026\n# 15787\n```\n\n![Glances output](/docs/files/Monitoring/glances_screenshot.png)\n\nList the background jobs and stop one when it is no longer needed:\n\n```bash\njobs\nkill \u003cPID\u003e\n```\n\nLocate the installed binaries:\n\n```bash\nwhich octez-client\n```\n\n### 9.1.1 Monitoring results\n\nOctez node on average uses 60% (2.3Gi) of Memory(4Gi)... 
If the baker gets added this may not be enough.\n\nCPU Usage:\n\n- The octez-node process (PID 9218) consistently uses between 7.82% and 10.68% CPU, with slight variations over time.\n\n- The second octez-node process (PID 9243) uses significantly less CPU, ranging from 0.70% to 2.32%.\n\n- The octez-baker-PtP process (PID 16736) uses between 0.78% and 1.08% CPU.\n\nMemory Usage:\n\n- The octez-node process (PID 9218) has a consistent memory usage of around 26.44% of total memory.\n  \n- The second octez-node process (PID 9243) uses around 23.35% of memory.\n\n- The octez-baker-PtP process (PID 16736) uses about 5.35% of memory, with a slight increase to 5.37% towards the end.\n\n## 9.2 Tezos node monitoring with Pyrometer\n\n### 9.2.1 Install pyrometer\n\nResources: \n- [Pyrometer Gitlab Steps](https://gitlab.com/tezos-kiln/pyrometer)\n\n\nInstall Node.js. The NodeSource setup script runs as root and adds a third-party apt repository and signing key, so read `nodesource_setup.sh` before executing it:\n\n```bash\napt-get install -y curl\ncurl -fsSL https://deb.nodesource.com/setup_22.x -o nodesource_setup.sh\nbash nodesource_setup.sh\napt-get install -y nodejs\nnode -v\n```\n\nDownload the latest .deb from [Pyrometer releases](https://gitlab.com/tezos-kiln/pyrometer/-/releases). 
Adjust the version number in the file name to the release you downloaded (the `package_files` ID in the URL changes with every release, so take the link from the releases page):\n\n```bash\nwget -O pyrometer_0.10.1_all.deb https://gitlab.com/tezos-kiln/pyrometer/-/package_files/134721719/download\nsudo dpkg -i pyrometer_0.10.1_all.deb\n```\n\nEdit the pyrometer settings in `/etc/pyrometer.toml`\n\n```bash\nsudo nano /etc/pyrometer.toml\n```\n\nAdd these settings:\n\n```toml\n[baker_monitor]\nbakers = [\"tz1...\"]\nrpc = \"http://localhost:8732\"\n\n[node_monitor]\nnodes = [  \"http://127.0.0.1:8732\" ]\n\n[ui]\nshow_system_info = true\n\n[email]\nenabled = true\nhost = \"smtp.postmarkapp.com\"\nport = 587\nprotocol = \"PLAIN\"\nto = [ \"MY_EMAIL\" ]\nfrom = \"Tezos Node Pyrometer \u003cEMAIL_DOMAIN\u003e\"\nusername = \"\u003cPOSTMARK API TOKEN\u003e\"\npassword = \"\u003cPOSTMARK API TOKEN\u003e\"\nemoji = true\nshort_address = true\nexclude = [ ]\n```\n\nIf you want email notifications, create an account at [postmark](https://postmarkapp.com/) and put the \u003cPOSTMARK API TOKEN\u003e in as both username and password. The token is now stored in clear text in `/etc/pyrometer.toml`, so make the file readable only by root and the account the service runs as (check `User=` in the unit file), and treat it like any other credential when you back it up.\n\nThe systemd unit for pyrometer can be found in `/lib/systemd/system/pyrometer.service`\n\nAfter editing pyrometer.toml, restart the service and check the logs:\n\n```bash\nsudo systemctl restart pyrometer\njournalctl -u pyrometer -f\n```\n\n\n### 9.2.2 Pyrometer notification event types\n\n    🤒 baker unhealthy\n    baker missed baker_monitor:missed_threshold events in a row\n\n    💪 baker recovered\n    baker successfully baked or endorsed after being unhealthy\n\n    😡 missed bake\n    baker was scheduled to produce a block at this level, but failed to\n    do so\n\n    😾 missed baking bonus\n    baker proposed a block payload, but failed to actually produce the\n    block itself, another baker did that and received the bonus\n\n    🥖 baked\n    baker produced a block as scheduled per baking rights\n\n    ✂️️️️ double baked\n    baker produced two different blocks in the same round, baker's\n    deposit will be slashed as punishment\n\n    😕 missed endorsement\n    baker missed an endorsement\n\n    ‼️️ 
double endorsed\n    baker endorsed two different blocks in the same round\n\n    ‼️️ double pre-endorsed\n    baker pre-endorsed two different blocks in the same round\n\n    🐌 node behind\n    a monitored node is not synchronized with the blockchain, is at a\n    lower block level than the other nodes in the network\n\n    💫 node synced\n    a monitored node has caught up with the blockchain after falling behind\n\n    🤔 low peers\n    a monitored node has fewer than node_monitor:low_peer_count\n    peers\n\n    🤝 low peers resolved\n    a monitored node connected to a sufficient number of\n    node_monitor:low_peer_count peers\n\n    😴 deactivated\n    baker has been deactivated\n\n    😪 deactivation risk\n    baker is at risk of deactivation (baker stopped participating and\n    will be deactivated once previously calculated baking rights run out)\n\n    ⚠️ rpc error\n    an error occurred while communicating with Tezos node RPC interface\n\n\n### 9.2.3 Pyrometer dashboard\n\nVisit `http://\u003cPublic-IP\u003e:2020` to see the Pyrometer dashboard. Do not leave port 2020 reachable from the whole internet: restrict it to trusted source addresses in the firewall, or reach it through an SSH tunnel (`ssh -L 2020:127.0.0.1:2020 \u003cserver\u003e`, then open `http://127.0.0.1:2020`).\n\n![Pyrometer Dashboard](./docs/img/Pyrometer_Dashboard.png)\n\n### 9.2.4 Other monitoring tools\n\nGrafana/Prometheus with a premade dashboard: [https://gitlab.com/nomadic-labs/grafazos](https://gitlab.com/nomadic-labs/grafazos)\n\n# 10. Maintenance \n\n## 10.1 Regular System Maintenance\n\n1. Update Debian OS:\n   - Run `sudo apt update \u0026\u0026 sudo apt upgrade` at least monthly.\n   - Reboot the system after significant updates.\n\n2. Monitor and manage disk space:\n   - Regularly check available disk space with `df -h`.\n   - Set up log rotation for Tezos node logs if not already configured.\n   - In full or archive mode disk usage keeps growing; reclaim space by re-importing the node from a recent snapshot in the history mode you actually need.\n\n3. Check system resource usage:\n   - Monitor CPU, RAM, and network usage periodically.\n   - Use tools like `top`, `htop`, or your configured monitoring solution.\n\n## 10.2 Tezos-specific Maintenance\n\n4. 
Update Tezos software:\n   - Check for new Tezos releases every 1-2 months.\n   - Update octez-node, octez-client, and octez-baker when new versions are available.\n   - Test updates on a testnet node before applying to mainnet.\n\n5. Monitor Tezos protocol upgrades:\n   - Stay informed about upcoming protocol upgrades (every few months).\n   - Ensure your node is compatible with new protocols before they activate.\n   - Update your baker and accuser scripts to use the new protocol after activation.\n\n6. Check node synchronization:\n   - Regularly verify that your node is fully synced with the network.\n   - Use `octez-client bootstrapped` to check sync status.\n\n7. Monitor baking and endorsing performance:\n   - Regularly check if you're missing any baking or endorsing slots.\n   - Investigate and resolve any missed opportunities promptly.\n\n8. Review and optimize baker configuration:\n   - Periodically review your baker settings for optimal performance.\n   - Adjust liquidity baking strategy if needed.\n\n## 10.3 Security Maintenance\n\n9. Update firewall rules:\n   - Ensure only necessary ports are open.\n\n10. Rotate access keys and update passwords:\n    - Regularly update SSH keys used to access the server.\n    - If using password authentication anywhere, change passwords periodically.\n\n11. Review system logs:\n    - Check for any suspicious activities or error patterns in system logs.\n    - Pay special attention to authentication logs (`/var/log/auth.log`).\n\n12. Update SSL certificates:\n    - If using SSL for RPC endpoints, ensure certificates are renewed before expiry.\n\n## 10.4 Monitoring and Alerting\n\n13. Check and update monitoring tools:\n    - Ensure Pyrometer or other monitoring solutions are up-to-date and functioning.\n    - Review and adjust alert thresholds if necessary.\n\n14. Test alerting system:\n    - Periodically test that your alerting system (email, SMS, etc.) is working correctly.\n\n## 10.5 Backup and Recovery\n\n15. 
Perform regular backups:\n    - Backup important configuration files and keys (encrypt any backup that contains the baker's secret keys).\n    - Consider periodic snapshots of the whole server.\n\n16. Test recovery procedures:\n    - Occasionally test restoring from backups to ensure they're valid and the process works.\n\n## 10.6 Network and Performance Optimization\n\n17. Review and optimize network connections:\n    - Check the number and quality of peer connections.\n    - Optimize if necessary for better network performance.\n\n18. Perform periodic performance tuning:\n    - Review and adjust system parameters for optimal Tezos node performance.\n    - This might include tweaking open file limits, network buffer sizes, etc.\n\n## 10.7 Documentation and Knowledge Base\n\n19. Update documentation:\n    - Keep your setup and maintenance documentation up-to-date.\n    - Document any changes made during maintenance for future reference.\n\n20. Stay informed:\n    - Follow Tezos community updates, forums, and official announcements.\n    - Participate in discussions about network upgrades and best practices.\n\n## 10.8 Financial and Regulatory Compliance\n\n21. Review staking rewards and costs:\n    - Periodically review your baking rewards and associated costs.\n    - Adjust your strategy if necessary for optimal returns.\n\n22. Stay compliant with regulations:\n    - Keep abreast of any regulatory changes affecting cryptocurrency staking in your jurisdiction.\n    - Ensure compliance with tax reporting requirements for staking rewards.\n\nImplement a routine schedule for these maintenance tasks, with some performed weekly, others monthly, and some quarterly or bi-annually as appropriate. Regular maintenance will help ensure the longevity, security, and efficiency of your Tezos validator node.\n\n\n# 11. Updating octez version\n\nAs of November 2024, Octez v21.0 is released and every node needs to be updated to that version manually by following the steps below. 
Read the [release statement](https://tezos.gitlab.io/releases/version-21.html) for more information.\n\n\n1. Stop the baker and node (and the accuser service from section 8, if you run it)\n```bash\nsudo su\nsystemctl stop octez-baker.service\nsystemctl stop octez-node.service\n```\n\n2. Upgrade storage (run this with the new Octez packages already installed; the command is a no-op when the data directory is already at the current format)\n```bash\noctez-node upgrade storage --data-dir /var/tezos/.tezos-node\n#Output: Nov 26 07:54:22.840: node data dir is up-to-date\n```\n\n3. Restart node\n```bash\nsudo systemctl daemon-reload\nsystemctl start octez-node.service\nsudo systemctl status octez-node.service\n# Wait until the node is up (octez-client bootstrapped returns once it is synced) before starting the baker\n```\n\n4. Restart baker (and the accuser)\n\n```bash\nsystemctl start octez-baker.service\nsudo systemctl status octez-baker.service\n# Output: Baker 20.1 (1a991a03) for PsParisCZo7K started.  (version and protocol in this line match the binaries you installed)\n```\n\n5. Check the logs to confirm everything works\n```bash\njournalctl -f -u octez-node.service -b\njournalctl -f -u octez-baker.service -b\n```\n\n# Congratulations\n\nYou have successfully set up your Tezos validator node on an OVH server.\n\nIf any questions arise feel free to contact us at [softstack.io](https://softstack.io/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoftstack%2Ftezos-octez-node-and-baking-setup-guide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsoftstack%2Ftezos-octez-node-and-baking-setup-guide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsoftstack%2Ftezos-octez-node-and-baking-setup-guide/lists"}
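The guide's failsafe script (section 7) lives in a separate file and the maintenance checklist (section 10) is prose, so the following is an added example, written for this edit and not taken from the original guide or the softstack repository, that turns the node sync check, the service restart, the disk-space check and the auth-log review into one runnable script. The unit names, the RPC endpoint, the 80% disk threshold and the `--run`/`--demo` flags are assumptions; the auth.log lines and `df -P` output embedded in it are constructed for the demonstration and are not output from a real host.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): health check for a baker host.
# Assumptions: unit names, RPC endpoint, 80% disk threshold, flag names.
set -eu

RPC=${RPC:-http://127.0.0.1:8732}
AUTH_LOG=${AUTH_LOG:-/var/log/auth.log}
DISK_WARN_PCT=${DISK_WARN_PCT:-80}
SERVICES="octez-node.service octez-baker.service octez-accuser.service"

# Extract sync_state (synced / unsynced / stuck) from the JSON body of
# GET /chains/main/is_bootstrapped, passed as $1. Works without jq;
# returns 1 when the body carries no sync_state at all.
sync_state_of() {
  printf '%s' "$1" | sed -n 's/.*"sync_state":"\([a-z_]*\)".*/\1/p' | grep .
}

# Ask the local node for its sync state; fails if the RPC does not answer.
node_sync_state() {
  local body
  body=$(curl -fsS --max-time 10 "$RPC/chains/main/is_bootstrapped") || return 1
  sync_state_of "$body"
}

# Read 'df -P' output on stdin; print "<mount> <used>%" for every filesystem
# fuller than DISK_WARN_PCT. Prints nothing when all filesystems are fine.
full_filesystems() {
  awk -v warn="$DISK_WARN_PCT" 'NR > 1 {
    pct = $5; sub(/%/, "", pct)
    if (pct + 0 > warn) print $6, pct "%"
  }'
}

# Summarise failed SSH logins per source address from sshd lines on stdin,
# most frequent first, as "<count> <ip>". Accepted logins are ignored.
failed_ssh_by_ip() {
  awk '/sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
         for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
       }
       END { for (ip in c) print c[ip], ip }' | sort -rn -k1,1
}

# Start every unit in SERVICES that is not active and report it.
restart_inactive_services() {
  for s in $SERVICES; do
    if ! systemctl is-active --quiet "$s"; then
      echo "$s was not active, starting it"
      systemctl start "$s"
    fi
  done
}

# Constructed sample data for --demo; not output from a real host.
SAMPLE_AUTH_LOG='Oct 10 12:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 5550 ssh2
Oct 10 12:00:02 vps sshd[1202]: Invalid user admin from 203.0.113.7 port 5551
Oct 10 12:00:03 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 5551 ssh2
Oct 10 12:00:04 vps sshd[1204]: Failed password for root from 198.51.100.9 port 4444 ssh2
Oct 10 12:01:00 vps sshd[1205]: Accepted publickey for baker from 192.0.2.10 port 50000 ssh2'
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 409600 368640 40960 90% /var/tezos
/dev/sda2 102400 10240 92160 10% /'

case "${1:-}" in
  --run)   # on the baker host, as root
    if state=$(node_sync_state); then
      echo "node sync state: $state"
    else
      echo "node RPC unreachable, restarting octez-node.service"
      systemctl restart octez-node.service
    fi
    restart_inactive_services
    df -P | full_filesystems
    echo "failed SSH logins by source in $AUTH_LOG:"
    failed_ssh_by_ip < "$AUTH_LOG"
    ;;
  --demo)  # offline, using the constructed samples above
    sync_state_of '{"bootstrapped":true,"sync_state":"synced"}'
    printf '%s\n' "$SAMPLE_DF" | full_filesystems
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_ip
    ;;
esac
```

Run it with `--demo` anywhere to see the checks applied to the constructed data, and with `--run` as root on the baker host (it calls `systemctl` and reads `/var/log/auth.log`); a systemd timer or cron entry can schedule it. A node that answers the RPC but reports `unsynced` or `stuck` is deliberately only reported, not restarted: it is usually catching up, and restarting it in a loop would only make that worse. A source address that shows up with many failed logins is a candidate for a firewall rule, and a steadily growing count is the signal that password authentication should be off.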