2025-03-25 20:17:57

0xtr on Nostr: This guide will walk you through setting up your own Strfry Nostr relay on a ...

This is a long form article, you can read it in https://habla.news/a/naddr1qvzqqqr4gupzpvkkwr098vnkj8qvxsqzykm9cddzd5rqjw7vg86gllr3uzg8l822qqxnzde5xgunxv3cxuunvvf3wu0jh2

This guide will walk you through setting up your own Strfry Nostr relay on a Debian/Ubuntu server and making it accessible exclusively as a TOR hidden service. By the end, you’ll have a privacy-focused relay that operates entirely within the TOR network, enhancing both your privacy and that of your users.

Table of Contents

  1. Prerequisites
  2. Initial Server Setup
  3. Installing Strfry Nostr Relay
  4. Configuring Your Relay
  5. Setting Up TOR
  6. Making Your Relay Available on TOR
  7. Testing Your Setup
  8. Maintenance and Security
  9. Troubleshooting

Prerequisites

  • A Debian or Ubuntu server
  • Basic familiarity with command line operations (most steps are explained in detail)
  • Root or sudo access to your server

Initial Server Setup

First, let’s make sure your server is properly set up and secured.

Update Your System

Connect to your server via SSH and update your system:

sudo apt update
sudo apt upgrade -y

Set Up a Basic Firewall

Install and configure a basic firewall:

sudo apt install ufw -y
sudo ufw allow ssh
sudo ufw enable

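This allows SSH connections while blocking all other inbound ports. The relay needs no inbound port of its own: a TOR hidden service is reached through outbound connections that the TOR daemon makes.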

Installing Strfry Nostr Relay

This guide includes the full range of steps needed to build and set up Strfry. It’s simply based on the current version of the DEPLOYMENT.md document in the Strfry GitHub repository. If the build/setup process is changed in the repo, this document could get outdated. If so, please report to me that something is outdated and check for updated steps here.

Install Dependencies

First, let’s install the necessary dependencies. Each package serves a specific purpose in building and running Strfry:

sudo apt install -y git build-essential libyaml-perl libtemplate-perl libregexp-grammars-perl libssl-dev zlib1g-dev liblmdb-dev libflatbuffers-dev libsecp256k1-dev libzstd-dev

Here’s why each dependency is needed:

Basic Development Tools:

  • git: Version control system used to clone the Strfry repository and manage code updates
  • build-essential: Meta-package that includes compilers (gcc, g++), make, and other essential build tools

Perl Dependencies (used for Strfry’s build scripts):

  • libyaml-perl: Perl interface to parse YAML configuration files
  • libtemplate-perl: Template processing system used during the build process
  • libregexp-grammars-perl: Advanced regular expression handling for Perl scripts

Core Libraries for Strfry:

  • libssl-dev: Development files for OpenSSL, used for secure connections and cryptographic operations
  • zlib1g-dev: Compression library that Strfry uses to reduce data size
  • liblmdb-dev: Lightning Memory-Mapped Database library, which Strfry uses for its high-performance database backend
  • libflatbuffers-dev: Memory-efficient serialization library for structured data
  • libsecp256k1-dev: Optimized C library for EC operations on curve secp256k1, essential for Nostr’s cryptographic signatures
  • libzstd-dev: Fast real-time compression algorithm for efficient data storage and transmission

Clone and Build Strfry

Clone the Strfry repository:

git clone https://github.com/hoytech/strfry.git
cd strfry

Build Strfry:

git submodule update --init
make setup-golpe
make -j2  # This uses 2 CPU cores. Adjust based on your server (e.g., -j4 for 4 cores)

This build process will take several minutes, especially on servers with limited CPU resources, so go get a coffee and post some great memes on nostr in the meantime.

Install Strfry

Install the Strfry binary to your system path:

sudo cp strfry /usr/local/bin

This makes the strfry command available system-wide, allowing it to be executed from any directory and by any user with the appropriate permissions.

Configuring Your Relay

Create Strfry User

Create a dedicated user for running Strfry. This enhances security by isolating the relay process:

sudo useradd -M -s /usr/sbin/nologin strfry

The -M flag prevents creating a home directory, and -s /usr/sbin/nologin prevents anyone from logging in as this user. This is a security best practice for service accounts.

Create Data Directory

Create a directory for Strfry’s data:

sudo mkdir /var/lib/strfry
sudo chown strfry:strfry /var/lib/strfry
sudo chmod 755 /var/lib/strfry

This creates a dedicated directory for Strfry’s database and sets the permissions so that only the strfry user can write to it (with mode 755, other local users can still read and list it).

Configure Strfry

Copy the sample configuration file:

sudo cp strfry.conf /etc/strfry.conf

Edit the configuration file:

sudo nano /etc/strfry.conf

Modify the database path:

# Find this line:
db = "./strfry-db/"

# Change it to:
db = "/var/lib/strfry/"

Check your system’s hard limit for file descriptors:

ulimit -Hn

Update the nofiles setting in your configuration to match this value (or set to 0):

# Add or modify this line in the config (example if your limit is 524288):
nofiles = 524288

The nofiles setting determines how many open files Strfry can have simultaneously. Setting it to your system’s hard limit (or 0 to use the system default) helps prevent “too many open files” errors if your relay becomes popular.

You might also want to customize your relay’s information in the config file. Look for the info section and update it with your relay’s name, description, and other details.

Set ownership of the configuration file:

sudo chown strfry:strfry /etc/strfry.conf

Create Systemd Service

Create a systemd service file for managing Strfry:

sudo nano /etc/systemd/system/strfry.service

Add the following content:

[Unit]
Description=strfry relay service

[Service]
User=strfry
ExecStart=/usr/local/bin/strfry relay
Restart=on-failure
RestartSec=5
ProtectHome=yes
NoNewPrivileges=yes
ProtectSystem=full
LimitCORE=1000000000

[Install]
WantedBy=multi-user.target

This systemd service configuration:

  • Runs Strfry as the dedicated strfry user
  • Automatically restarts the service if it fails
  • Implements security measures like ProtectHome and NoNewPrivileges
  • Sets a resource limit (LimitCORE, the maximum size of a core dump)

Enable and start the service:

sudo systemctl enable strfry.service
sudo systemctl start strfry

Check the service status:

sudo systemctl status strfry

Verify Relay is Running

Test that your relay is running locally:

curl localhost:7777

You should see a message indicating that the Strfry relay is running. This confirms that Strfry is properly installed and configured before we proceed to set up TOR.

Setting Up TOR

Now let’s make your relay accessible as a TOR hidden service.

Install TOR

Install TOR from the package repositories:

sudo apt install -y tor

This installs the TOR daemon that will create and manage your hidden service.

Configure TOR

Edit the TOR configuration file:

sudo nano /etc/tor/torrc

Scroll down to wherever you see a commented out part like this:

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

Under those lines, add the following lines to set up a hidden service for your relay:

HiddenServiceDir /var/lib/tor/strfry-relay/
HiddenServicePort 80 127.0.0.1:7777

This configuration:

  • Creates a hidden service directory at /var/lib/tor/strfry-relay/
  • Maps port 80 on your .onion address to port 7777 on your local machine
  • Keeps all traffic encrypted within the TOR network

Create the directory for your hidden service:

sudo mkdir -p /var/lib/tor/strfry-relay/
sudo chown debian-tor:debian-tor /var/lib/tor/strfry-relay/
sudo chmod 700 /var/lib/tor/strfry-relay/

The strict permissions (700) are crucial for security as they ensure only the debian-tor user can access the directory containing your hidden service private keys.

Restart TOR to apply changes:

sudo systemctl restart tor

Making Your Relay Available on TOR

Get Your Onion Address

After restarting TOR, you can find your onion address:

sudo cat /var/lib/tor/strfry-relay/hostname

This will output your relay’s unique .onion address, something like abcdefghijklmnopqrstuvwxyz234567.onion (shortened here; a real v3 address has 56 characters before .onion). This is what you’ll share with others to access your relay.

Understanding Onion Addresses

The .onion address is a special-format hostname that is automatically generated based on your hidden service’s private key.

Your users will need to use this address with the WebSocket protocol prefix to connect: ws://youronionaddress.onion

Testing Your Setup

Test with a Nostr Client

The best way to test your relay is with an actual Nostr client that supports TOR:

  1. Open your TOR browser
  2. Go to your favorite client, either on clearnet or an onion service.
    • Check out this list of nostr clients available over TOR.
  3. Add your relay URL: ws://youronionaddress.onion to your relay list
  4. Try posting a note and see if it appears on your relay
    • In some nostr clients, you can also click on a relay to get information about it, such as the relay name and description you set earlier in the Strfry config. If you see the correct name and description, you were able to connect to the relay.
    • Some nostr clients also give you a status showing which relays a note was posted to, which is another indication that your relay works as expected.

Note that not all Nostr clients support TOR connections natively. Some may require additional configuration or the use of TOR Browser. For example, most mobile apps would most likely require a TOR proxy app running in the background (some have TOR support built in too).

Maintenance and Security

Regular Updates

Keep your system, TOR, and relay updated:

# Update system
sudo apt update
sudo apt upgrade -y

# Update Strfry
cd ~/strfry
git pull
git submodule update
make -j2
sudo cp strfry /usr/local/bin
sudo systemctl restart strfry

# Verify TOR is still running properly
sudo systemctl status tor

Regular updates are crucial for security, especially for TOR which may have security-critical updates.

Database Management

Strfry has built-in database management tools. Check the Strfry documentation for specific commands related to database maintenance, such as managing event retention and performing backups.

Monitoring Logs

To monitor your Strfry logs:

sudo journalctl -u strfry -f

To check TOR logs:

sudo journalctl -u tor -f

Monitoring logs helps you identify potential issues and understand how your relay is being used.

Backup

This is not a best practices guide on how to do backups. Preferably, backups should be stored either offline or on a different machine than your relay server. This is just a simple way to do it on the same server.

# Stop the relay temporarily
sudo systemctl stop strfry

# Backup the database
sudo cp -r /var/lib/strfry /path/to/backup/location

# Restart the relay
sudo systemctl start strfry

Back up your TOR hidden service private key. The private key is particularly sensitive as it defines your .onion address: losing it means losing your address permanently. If you back it up, ensure that it is stored in a safe place where no one else has access to it.

sudo cp /var/lib/tor/strfry-relay/hs_ed25519_secret_key /path/to/secure/backup/location

Troubleshooting

Relay Not Starting

If your relay doesn’t start:

# Check logs
sudo journalctl -u strfry -e

# Verify configuration
cat /etc/strfry.conf

# Check permissions
ls -la /var/lib/strfry

Common issues include:

  • Incorrect configuration format
  • Permission problems with the data directory
  • Port already in use (another service using port 7777)
  • Issues with setting the nofiles limit (setting it too high)

TOR Hidden Service Not Working

If your TOR hidden service is not accessible:

# Check TOR logs
sudo journalctl -u tor -e

# Verify TOR is running
sudo systemctl status tor

# Check onion address
sudo cat /var/lib/tor/strfry-relay/hostname

# Verify TOR configuration
sudo cat /etc/tor/torrc

Common TOR issues include:

  • Incorrect directory permissions
  • TOR service not running
  • Incorrect port mapping in torrc

Testing Connectivity

If you’re having trouble connecting to your service:

# Verify Strfry is listening locally
sudo ss -tulpn | grep 7777

# Check that TOR is properly running
sudo systemctl status tor

# Test the local connection directly
curl --include --no-buffer localhost:7777
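
An added example (not part of the original guide or the Strfry project) that extends the ss check above: it confirms that port 7777 is bound only to loopback and that every HiddenServicePort target in torrc stays on the local machine, so the relay is reachable through the onion address only. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the relay is reachable only through the onion service.

# stdin: `ss -tln` output. Prints listeners on port $1 bound to a non-loopback address.
exposed_listeners() {
    awk -v port="$1" '
        $4 ~ (":" port "$") {
            host = $4; sub(/:[0-9]+$/, "", host)
            if (host !~ /^127\./ && host != "[::1]") print $4
        }'
}

# stdin: torrc text. Prints HiddenServicePort targets that leave the local machine.
nonlocal_onion_targets() {
    awk '
        tolower($1) == "hiddenserviceport" && NF >= 3 {
            if ($3 ~ /^unix:/ || $3 ~ /^[0-9]+$/) next   # socket or bare port: local
            host = $3; sub(/:[0-9]+$/, "", host)
            if (host !~ /^127\./ && host != "[::1]") print $3
        }'
}

# $1 = relay port, $2 = ss output, $3 = torrc text. Returns 0 when nothing is exposed.
check_onion_only() {
    bad_listen=$(printf '%s\n' "$2" | exposed_listeners "$1")
    bad_target=$(printf '%s\n' "$3" | nonlocal_onion_targets)
    if [ -n "$bad_listen" ]; then echo "exposed listener: $bad_listen"; fi
    if [ -n "$bad_target" ]; then echo "non-local onion target: $bad_target"; fi
    [ -z "$bad_listen$bad_target" ]
}

# Constructed sample input (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   127.0.0.1:7777     0.0.0.0:*'
SAMPLE_TORRC='#HiddenServicePort 80 127.0.0.1:80
HiddenServiceDir /var/lib/tor/strfry-relay/
HiddenServicePort 80 127.0.0.1:7777'

check_onion_only 7777 "$SAMPLE_SS" "$SAMPLE_TORRC" && echo "onion-only: OK"

# On the relay host, feed it live data instead:
#   check_onion_only 7777 "$(sudo ss -tln)" "$(sudo cat /etc/tor/torrc)"
```

A listener reported as 0.0.0.0:7777, *:7777 or [::]:7777 means the relay is also answering on the server's public interfaces, where only the firewall stands between it and the clearnet.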

Privacy and Security Considerations

Running a Nostr relay as a TOR hidden service provides several important privacy benefits:

  1. Network Privacy: Traffic to your relay is encrypted and routed through the TOR network, making it difficult to determine who is connecting to your relay.

  2. Server Anonymity: The physical location and IP address of your server are concealed, providing protection against denial-of-service attacks and other targeting.

  3. Censorship Resistance: TOR hidden services are more resilient against censorship attempts, as they don’t rely on the regular DNS system and can’t be easily blocked.

  4. User Privacy: Users connecting to your relay through TOR enjoy enhanced privacy, as their connections are also encrypted and anonymized.

However, there are some important considerations:

  • TOR connections are typically slower than regular internet connections
  • Not all Nostr clients support TOR connections natively
  • Running a hidden service increases the importance of keeping your server secure

Congratulations! You now have a Strfry Nostr relay running as a TOR hidden service. This setup provides a resilient, privacy-focused, and censorship-resistant communication channel that helps strengthen the Nostr network.

For further customization and advanced configuration options, refer to the Strfry documentation.

Consider sharing your relay’s .onion address with the Nostr community to help grow the privacy-focused segment of the network!

If you plan on providing a relay service that the public can use (either for free or paid for), consider adding it to this list. Only add it if you plan to run a stable and available relay.

Author Public Key
npub1ktt8phjnkfmfrsxrgqpztdjuxk3x6psf80xyray0l3c7pyrln49qhkyhz0