@ 0xtr

This guide will walk you through setting up your own Strfry Nostr relay on a Debian/Ubuntu server and making it accessible exclusively as a TOR hidden service. By the end, you'll have a privacy-focused relay that operates entirely within the TOR network, enhancing both your privacy and that of your users.

Table of Contents

1. Prerequisites
2. Initial Server Setup
3. Installing Strfry Nostr Relay
4. Configuring Your Relay
5. Setting Up TOR
6. Making Your Relay Available on TOR
7. Testing Your Setup]
8. Maintenance and Security
9. Troubleshooting

Prerequisites

• A Debian or Ubuntu server
• Basic familiarity with command line operations (most steps are explained in detail)
• Root or sudo access to your server

Initial Server Setup

First, let's make sure your server is properly set up and secured.

Update Your System

Connect to your server via SSH and update your system:

bash sudo apt update sudo apt upgrade -y

Set Up a Basic Firewall

Install and configure a basic firewall:

bash sudo apt install ufw -y sudo ufw allow ssh sudo ufw enable

This allows SSH connections while blocking other ports for security.

Installing Strfry Nostr Relay

This guide includes the full range of steps needed to build and set up Strfry. It's simply based on the current version of the DEPLOYMENT.md document in the Strfry GitHub repository. If the build/setup process is changed in the repo, this document could get outdated. If so, please report to me that something is outdated and check for updated steps here.

Install Dependencies

First, let's install the necessary dependencies. Each package serves a specific purpose in building and running Strfry:

bash sudo apt install -y git build-essential libyaml-perl libtemplate-perl libregexp-grammars-perl libssl-dev zlib1g-dev liblmdb-dev libflatbuffers-dev libsecp256k1-dev libzstd-dev

Here's why each dependency is needed:

Basic Development Tools: - git: Version control system used to clone the Strfry repository and manage code updates - build-essential: Meta-package that includes compilers (gcc, g++), make, and other essential build tools

Perl Dependencies (used for Strfry's build scripts): - libyaml-perl: Perl interface to parse YAML configuration files - libtemplate-perl: Template processing system used during the build process - libregexp-grammars-perl: Advanced regular expression handling for Perl scripts

Core Libraries for Strfry: - libssl-dev: Development files for OpenSSL, used for secure connections and cryptographic operations - zlib1g-dev: Compression library that Strfry uses to reduce data size - liblmdb-dev: Lightning Memory-Mapped Database library, which Strfry uses for its high-performance database backend - libflatbuffers-dev: Memory-efficient serialization library for structured data - libsecp256k1-dev: Optimized C library for EC operations on curve secp256k1, essential for Nostr's cryptographic signatures - libzstd-dev: Fast real-time compression algorithm for efficient data storage and transmission

Clone and Build Strfry

Clone the Strfry repository:

bash git clone https://github.com/hoytech/strfry.git cd strfry

Build Strfry:

bash git submodule update --init make setup-golpe make -j2 # This uses 2 CPU cores. Adjust based on your server (e.g., -j4 for 4 cores)

This build process will take several minutes, especially on servers with limited CPU resources, so go get a coffee and post some great memes on nostr in the meantime.

Install Strfry

Install the Strfry binary to your system path:

bash sudo cp strfry /usr/local/bin

This makes the strfry command available system-wide, allowing it to be executed from any directory and by any user with the appropriate permissions.

Configuring Your Relay

Create Strfry User

Create a dedicated user for running Strfry. This enhances security by isolating the relay process:

bash sudo useradd -M -s /usr/sbin/nologin strfry

The -M flag prevents creating a home directory, and -s /usr/sbin/nologin prevents anyone from logging in as this user. This is a security best practice for service accounts.

Create Data Directory

Create a directory for Strfry's data:

bash sudo mkdir /var/lib/strfry sudo chown strfry:strfry /var/lib/strfry sudo chmod 755 /var/lib/strfry

This creates a dedicated directory for Strfry's database and sets the appropriate permissions so that only the strfry user can write to it.

Configure Strfry

Copy the sample configuration file:

bash sudo cp strfry.conf /etc/strfry.conf

Edit the configuration file:

bash sudo nano /etc/strfry.conf

Modify the database path:

```

Find this line:

db = "./strfry-db/"

Change it to:

db = "/var/lib/strfry/" ```

Check your system's hard limit for file descriptors:

bash ulimit -Hn

Update the nofiles setting in your configuration to match this value (or set to 0):

```

Add or modify this line in the config (example if your limit is 524288):

nofiles = 524288 ```

The nofiles setting determines how many open files Strfry can have simultaneously. Setting it to your system's hard limit (or 0 to use the system default) helps prevent "too many open files" errors if your relay becomes popular.

You might also want to customize your relay's information in the config file. Look for the info section and update it with your relay's name, description, and other details.

Set ownership of the configuration file:

bash sudo chown strfry:strfry /etc/strfry.conf

Create Systemd Service

Create a systemd service file for managing Strfry:

bash sudo nano /etc/systemd/system/strfry.service

Add the following content:

```ini [Unit] Description=strfry relay service

[Service] User=strfry ExecStart=/usr/local/bin/strfry relay Restart=on-failure RestartSec=5 ProtectHome=yes NoNewPrivileges=yes ProtectSystem=full LimitCORE=1000000000

[Install] WantedBy=multi-user.target ```

This systemd service configuration: - Runs Strfry as the dedicated strfry user - Automatically restarts the service if it fails - Implements security measures like ProtectHome and NoNewPrivileges - Sets resource limits appropriate for a relay

Enable and start the service:

bash sudo systemctl enable strfry.service sudo systemctl start strfry

Check the service status:

bash sudo systemctl status strfry

Verify Relay is Running

Test that your relay is running locally:

bash curl localhost:7777

You should see a message indicating that the Strfry relay is running. This confirms that Strfry is properly installed and configured before we proceed to set up TOR.

Setting Up TOR

Now let's make your relay accessible as a TOR hidden service.

Install TOR

Install TOR from the package repositories:

bash sudo apt install -y tor

This installs the TOR daemon that will create and manage your hidden service.

Configure TOR

Edit the TOR configuration file:

bash sudo nano /etc/tor/torrc

Scroll down to wherever you see a commented out part like this: ```

HiddenServiceDir /var/lib/tor/hidden_service/

HiddenServicePort 80 127.0.0.1:80

```

Under those lines, add the following lines to set up a hidden service for your relay:

HiddenServiceDir /var/lib/tor/strfry-relay/ HiddenServicePort 80 127.0.0.1:7777

This configuration: - Creates a hidden service directory at /var/lib/tor/strfry-relay/ - Maps port 80 on your .onion address to port 7777 on your local machine - Keeps all traffic encrypted within the TOR network

Create the directory for your hidden service:

bash sudo mkdir -p /var/lib/tor/strfry-relay/ sudo chown debian-tor:debian-tor /var/lib/tor/strfry-relay/ sudo chmod 700 /var/lib/tor/strfry-relay/

The strict permissions (700) are crucial for security as they ensure only the debian-tor user can access the directory containing your hidden service private keys.

Restart TOR to apply changes:

bash sudo systemctl restart tor

Making Your Relay Available on TOR

Get Your Onion Address

After restarting TOR, you can find your onion address:

bash sudo cat /var/lib/tor/strfry-relay/hostname

This will output something like abcdefghijklmnopqrstuvwxyz234567.onion, which is your relay's unique .onion address. This is what you'll share with others to access your relay.

Understanding Onion Addresses

The .onion address is a special-format hostname that is automatically generated based on your hidden service's private key.

Your users will need to use this address with the WebSocket protocol prefix to connect: ws://youronionaddress.onion

Testing Your Setup

Test with a Nostr Client

The best way to test your relay is with an actual Nostr client that supports TOR:

1. Open your TOR browser
2. Go to your favorite client, either on clearnet or an onion service.
   • Check out this list of nostr clients available over TOR.
3. Add your relay URL: ws://youronionaddress.onion to your relay list
4. Try posting a note and see if it appears on your relay
   • In some nostr clients, you can also click on a relay to get information about it like the relay name and description you set earlier in the stryfry config. If you're able to see the correct values for the name and the description, you were able to connect to the relay.
   • Some nostr clients also gives you a status on what relays a note was posted to, this could also give you an indication that your relay works as expected.

Note that not all Nostr clients support TOR connections natively. Some may require additional configuration or use of TOR Browser. E.g. most mobile apps would most likely require a TOR proxy app running in the background (some have TOR support built in too).

Maintenance and Security

Regular Updates

Keep your system, TOR, and relay updated:

```bash

Update system

sudo apt update sudo apt upgrade -y

Update Strfry

cd ~/strfry git pull git submodule update make -j2 sudo cp strfry /usr/local/bin sudo systemctl restart strfry

Verify TOR is still running properly

sudo systemctl status tor ```

Regular updates are crucial for security, especially for TOR which may have security-critical updates.

Database Management

Strfry has built-in database management tools. Check the Strfry documentation for specific commands related to database maintenance, such as managing event retention and performing backups.

Monitoring Logs

To monitor your Strfry logs:

bash sudo journalctl -u strfry -f

To check TOR logs:

bash sudo journalctl -u tor -f

Monitoring logs helps you identify potential issues and understand how your relay is being used.

Backup

This is not a best practices guide on how to do backups. Preferably, backups should be stored either offline or on a different machine than your relay server. This is just a simple way on how to do it on the same server.

```bash

Stop the relay temporarily

sudo systemctl stop strfry

Backup the database

sudo cp -r /var/lib/strfry /path/to/backup/location

Restart the relay

sudo systemctl start strfry ```

Back up your TOR hidden service private key. The private key is particularly sensitive as it defines your .onion address - losing it means losing your address permanently. If you do a backup of this, ensure that is stored in a safe place where no one else has access to it.

bash sudo cp /var/lib/tor/strfry-relay/hs_ed25519_secret_key /path/to/secure/backup/location

Troubleshooting

Relay Not Starting

If your relay doesn't start:

```bash

Check logs

sudo journalctl -u strfry -e

Verify configuration

cat /etc/strfry.conf

Check permissions

ls -la /var/lib/strfry ```

Common issues include: - Incorrect configuration format - Permission problems with the data directory - Port already in use (another service using port 7777) - Issues with setting the nofiles limit (setting it too big)

TOR Hidden Service Not Working

If your TOR hidden service is not accessible:

```bash

Check TOR logs

sudo journalctl -u tor -e

Verify TOR is running

sudo systemctl status tor

Check onion address

sudo cat /var/lib/tor/strfry-relay/hostname

Verify TOR configuration

sudo cat /etc/tor/torrc ```

Common TOR issues include: - Incorrect directory permissions - TOR service not running - Incorrect port mapping in torrc

Testing Connectivity

If you're having trouble connecting to your service:

```bash

Verify Strfry is listening locally

sudo ss -tulpn | grep 7777

Check that TOR is properly running

sudo systemctl status tor

Test the local connection directly

curl --include --no-buffer localhost:7777 ```

---

Privacy and Security Considerations

Running a Nostr relay as a TOR hidden service provides several important privacy benefits:

1. Network Privacy: Traffic to your relay is encrypted and routed through the TOR network, making it difficult to determine who is connecting to your relay.

2. Server Anonymity: The physical location and IP address of your server are concealed, providing protection against denial-of-service attacks and other targeting.

3. Censorship Resistance: TOR hidden services are more resilient against censorship attempts, as they don't rely on the regular DNS system and can't be easily blocked.

4. User Privacy: Users connecting to your relay through TOR enjoy enhanced privacy, as their connections are also encrypted and anonymized.

However, there are some important considerations:

• TOR connections are typically slower than regular internet connections
• Not all Nostr clients support TOR connections natively
• Running a hidden service increases the importance of keeping your server secure

---

Congratulations! You now have a Strfry Nostr relay running as a TOR hidden service. This setup provides a resilient, privacy-focused, and censorship-resistant communication channel that helps strengthen the Nostr network.

For further customization and advanced configuration options, refer to the Strfry documentation.

Consider sharing your relay's .onion address with the Nostr community to help grow the privacy-focused segment of the network!

If you plan on providing a relay service that the public can use (either for free or paid for), consider adding it to this list. Only add it if you plan to run a stable and available relay.