Girino Vey! on Nostr: 🛡️ Running a Secure Lightning Node on Raspberry Pi 5 This guide explains how to ...

🛡️ Running a Secure Lightning Node on Raspberry Pi 5

This guide explains how to build a secure, privacy-respecting Bitcoin and Lightning Network node on a Raspberry Pi 5. Using Docker, ZFS, Tor, I2P, and Cloudflare Tunnel, you’ll achieve strong isolation, encrypted communication, and controlled public access.

quoting
naddr1qv…2d9f

🔧 Infrastructure Overview

• Hardware: Raspberry Pi 5 with PCIe NVMe HAT and 2TB NVMe SSD
• Filesystem: ZFS with separate datasets for each service
• Networking: Docker bridge networks for service segmentation
• Privacy: Tor and I2P routing for anonymous communication
• Public Access: Cloudflare Tunnel to securely expose LNbits

📊 Architecture Diagram

🛠️ Setup Steps

1. Prepare the System

• Install Raspberry Pi OS (64-bit)
• Set up ZFS on the NVMe disk
• Create a ZFS dataset for each service (e.g., bitcoin, lnd, rtl, lnbits, tor-data)
• Install Docker and Docker Compose

2. Create Shared Docker Network and Privacy Layers

Create a shared Docker bridge network:

docker network create \
  --driver=bridge \
  --subnet=192.168.100.0/24 \
  bitcoin-net

Note: Connect bitcoind, lnd, rtl, internal lnbits, tor, and i2p to this bitcoin-net network.

Tor

• Run Tor in a container
• Configure it to expose LND’s gRPC and REST ports via hidden services:

  
  HiddenServicePort 10009 192.168.100.31:10009
  HiddenServicePort 8080  192.168.100.31:8080
  

• Set correct permissions:

  
  sudo chown -R 102:102 /zfs/datasets/tor-data
  

I2P

• Run I2P in a container with SAM and SOCKS proxies
• Update bitcoin.conf:

  
  i2psam=192.168.100.20:7656
  i2pacceptincoming=1
  

3. Set Up Bitcoin Core

• Create a bitcoin.conf with Tor/I2P/proxy settings and ZMQ enabled
• Sync the blockchain in a container using its ZFS dataset

4. Set Up LND

• Configure lnd.conf to connect to bitcoind and use Tor: “`ini [Bitcoind] bitcoind.rpchost=bitcoin:8332 bitcoind.rpcuser=bitcoin bitcoind.rpcpass=very-hard-password bitcoind.zmqpubrawblock=tcp://bitcoin:28332 bitcoind.zmqpubrawtx=tcp://bitcoin:28333

[Application Options] externalip=xxxxxxxx.onion

- Don’t expose gRPC or REST ports publicly
- Mount the ZFS dataset at `/root/.lnd`
- Optionally enable Watchtower

### 5. Set Up RTL

- Mount `RTL-Config.json` and data volumes
- Expose RTL's web interface locally:
  ```yaml
  ports:
    - "3000:3000"

6. Set Up Internal LNbits

• Connect the LNbits container to bitcoin-net
• Mount the data directory and LND cert/macaroons (read-only)
• Expose the LNbits UI on the local network: “`yaml ports:
  • “5000:5000”
  ”`
• In the web UI, configure the funding source to point to the LND REST .onion address and paste the hex macaroon
• Create and fund a wallet, and copy its Admin Key for external use

7. Set Up External LNbits + Cloudflare Tunnel

• Run another LNbits container on a separate Docker network
• Access the internal LNbits via the host IP and port 5000
• Use the Admin Key from the internal wallet to configure funding
• In the Cloudflare Zero Trust dashboard:
  • Create a tunnel
  • Select Docker, copy the --token command
  • Add to Docker Compose:

  command: tunnel --no-autoupdate run --token eyJ...your_token...
  

💾 Backup Strategy

• Bitcoin Core: hourly ZFS snapshots, retained for 6 hours
• Other Services: hourly snapshots with remote .tar.gz backups
  • Retention: 7d hourly, 30d daily, 12mo weekly, monthly forever
• Back up ZFS snapshots to avoid inconsistencies

🔐 Security Isolation Benefits

This architecture isolates services by scope and function:

• Internal traffic stays on bitcoin-net
• Sensitive APIs (gRPC, REST) are reachable only via Tor
• Public access is controlled by Cloudflare Tunnel

Extra Security: Host the public LNbits on a separate machine (e.g., hardened VPS) with strict firewall rules:

• Allow only Cloudflare egress
• Allow ingress from your local IP
• Allow outbound access to internal LNbits (port 5000)

Use WireGuard VPN to secure the connection between external and internal LNbits:

• Ensures encrypted communication
• Restricts access to authenticated VPN peers
• Keeps the internal interface isolated from the public internet

✅ Final Notes

• Internal services communicate over bitcoin-net
• LND interfaces are accessed via Tor only
• LNbits and RTL UIs are locally accessible
• Cloudflare Tunnel secures external access to LNbits

Monitor system health using monit, watchtower, or Prometheus.

Create all configuration files manually (bitcoin.conf, lnd.conf, RTL-Config.json), and keep credentials secure. Test every component locally before exposing it externally.

⚡