[GUIDE] An edge node setup for multiple Mithril signers #1605

Open
onyxstakepool opened this issue Mar 31, 2024 · 0 comments

Why

Addressing security concerns with the Mithril software setup outlined in issue 1586.

What

A quick setup guide for Mithril supporting multiple pools on a single isolated relay server.

OS: Ubuntu 22.04

(0) Configure and sync a Cardano mainnet relay in the folder /home/ubuntu/relay/ with database path /home/ubuntu/relay/db and socket path /home/ubuntu/relay/db/socket. Set up cardano-cli v8.9.0 in /home/ubuntu/.local/bin/cardano-cli. Copy kes.skey and node.cert to the folder /home/ubuntu/relay/1/.

(1) Install Mithril in /opt/mithril/

sudo mkdir -p /opt/mithril
sudo chown ubuntu /opt/mithril
sudo chgrp ubuntu /opt/mithril

cd /opt/mithril
wget https://github.com/input-output-hk/mithril/releases/download/2408.0/mithril-2408.0-linux-x64.tar.gz
tar -xzf mithril-2408.0-linux-x64.tar.gz
chmod 755 mithril-signer 
chmod 755 mithril-relay 
chmod 755 mithril-client 
chmod 755 mithril-aggregator 

sudo apt install libssl-dev

(2) Create environment file mithril-signer-1.env for systemd in /opt/mithril/.

KES_SECRET_KEY_PATH=/home/ubuntu/relay/1/kes.skey
OPERATIONAL_CERTIFICATE_PATH=/home/ubuntu/relay/1/node.cert
NETWORK=mainnet
AGGREGATOR_ENDPOINT=https://aggregator.release-mainnet.api.mithril.network/aggregator
RUN_INTERVAL=60000
DB_DIRECTORY=/home/ubuntu/relay/db
CARDANO_NODE_SOCKET_PATH=/home/ubuntu/relay/db/socket
CARDANO_CLI_PATH=/home/ubuntu/.local/bin/cardano-cli
DATA_STORES_DIRECTORY=/opt/mithril/stores-1
STORE_RETENTION_LIMIT=5
ERA_READER_ADAPTER_TYPE=cardano-chain
ERA_READER_ADAPTER_PARAMS={"address": "addr1qy72kwgm6kypyc5maw0h8mfagwag8wjnx6emgfnsnhqaml6gx7gg4tzplw9l32nsgclqax7stc4u6c5dn0ctljwscm2sqv0teg", "verification_key": "5b31312c3133342c3231352c37362c3134312c3232302c3131312c3135342c36332c3233302c3131342c31322c38372c37342c39342c3137322c3133322c32372c39362c3138362c3132362c3137382c31392c3131342c33302c3234332c36342c3134312c3131302c38332c38362c31395d"}

(3) Set up systemd for mithril-signer-1.service.

sudo bash -c 'cat > /etc/systemd/system/mithril-signer-1.service << EOF
[Unit]
Description=Mithril signer service 1
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=always
RestartSec=60
User=ubuntu
EnvironmentFile=/opt/mithril/mithril-signer-1.env
ExecStart=/opt/mithril/mithril-signer -vvv

[Install]
WantedBy=multi-user.target
EOF'
sudo systemctl start mithril-signer-1
sudo systemctl enable mithril-signer-1
systemctl status mithril-signer-1.service

(4) Verify Mithril registration and signature

wget https://mithril.network/doc/scripts/verify_signer_registration.sh
chmod +x verify_signer_registration.sh
wget https://mithril.network/doc/scripts/verify_signer_signature.sh
chmod +x verify_signer_signature.sh

Replace pool17xextu09ghdfcmsq83whq0a45geg83jxe4qt94sevu087tzdzkl with your pool id!

PARTY_ID=pool17xextu09ghdfcmsq83whq0a45geg83jxe4qt94sevu087tzdzkl AGGREGATOR_ENDPOINT=https://aggregator.release-mainnet.api.mithril.network/aggregator ./verify_signer_registration.sh
PARTY_ID=pool17xextu09ghdfcmsq83whq0a45geg83jxe4qt94sevu087tzdzkl AGGREGATOR_ENDPOINT=https://aggregator.release-mainnet.api.mithril.network/aggregator ./verify_signer_signature.sh

(5) Repeat steps (2) and (3) for every additional pool.

(a) Copy kes.skey and node.cert to the folder /home/ubuntu/relay/2/.
(b) Create environment file mithril-signer-2.env for systemd in /opt/mithril/.

KES_SECRET_KEY_PATH=/home/ubuntu/relay/2/kes.skey
OPERATIONAL_CERTIFICATE_PATH=/home/ubuntu/relay/2/node.cert
...
DATA_STORES_DIRECTORY=/opt/mithril/stores-2
...

(c) Set up systemd for mithril-signer-2.service.

sudo bash -c 'cat > /etc/systemd/system/mithril-signer-2.service << EOF
...
Description=Mithril signer service 2
...
EnvironmentFile=/opt/mithril/mithril-signer-2.env
...
sudo systemctl start mithril-signer-2
sudo systemctl enable mithril-signer-2
systemctl status mithril-signer-2.service

(d) Verify Mithril registration and signature for every additional pool id.
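
A pre-flight check for the per-pool env files from steps (2) and (5), added here as an example and not part of the original guide or the Mithril project: it confirms that each signer's key and certificate exist, that kes.skey is not accessible to group or other, and that no two signers share a KES key or a DATA_STORES_DIRECTORY. The function names (env_get, check_signer_envs, make_sample) are hypothetical, and the sample layout is constructed in a temp dir rather than the real /opt/mithril.

```shell
#!/bin/sh
# Added example (not from the guide): pre-flight check for mithril-signer-N.env files.
# Values are read with grep, not by sourcing: EnvironmentFile syntax is not shell.
env_get() {  # env_get KEY FILE -> value of KEY, empty if absent
  grep -E "^$1=" "$2" | head -n 1 | cut -d= -f2-
}

# Prints one line per problem; returns 0 only when every signer passes.
# Assumes paths contain no spaces (true for the layout in the guide).
check_signer_envs() {  # check_signer_envs DIR
  problems=0; seen_kes=" "; seen_store=" "
  for f in "$1"/mithril-signer-*.env; do
    [ -e "$f" ] || { echo "no mithril-signer-*.env in $1"; return 1; }
    kes=$(env_get KES_SECRET_KEY_PATH "$f")
    cert=$(env_get OPERATIONAL_CERTIFICATE_PATH "$f")
    store=$(env_get DATA_STORES_DIRECTORY "$f")
    for p in "$kes" "$cert"; do
      [ -f "$p" ] || { echo "$f: missing file '$p'"; problems=$((problems + 1)); }
    done
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ -f "$kes" ] && [ "$(ls -ld "$kes" | cut -c5-10)" != "------" ]; then
      echo "$f: $kes is accessible to group/other"; problems=$((problems + 1))
    fi
    case "$seen_kes" in *" $kes "*)
      echo "$f: KES_SECRET_KEY_PATH reused by another signer"; problems=$((problems + 1));;
    esac
    case "$seen_store" in *" $store "*)
      echo "$f: DATA_STORES_DIRECTORY shared with another signer"; problems=$((problems + 1));;
    esac
    seen_kes="$seen_kes$kes "; seen_store="$seen_store$store "
  done
  [ "$problems" -eq 0 ]
}

# Constructed sample layout in a temp dir, mirroring steps (2) and (5) for pools 1 and 2.
make_sample() {  # make_sample ROOT
  mkdir -p "$1/opt"
  for n in 1 2; do
    mkdir -p "$1/relay/$n"
    : > "$1/relay/$n/kes.skey"; : > "$1/relay/$n/node.cert"
    chmod 600 "$1/relay/$n/kes.skey"
    printf '%s\n' "KES_SECRET_KEY_PATH=$1/relay/$n/kes.skey" \
      "OPERATIONAL_CERTIFICATE_PATH=$1/relay/$n/node.cert" \
      "DATA_STORES_DIRECTORY=$1/opt/stores-$n" > "$1/opt/mithril-signer-$n.env"
  done
}

tmp=$(mktemp -d); make_sample "$tmp"
check_signer_envs "$tmp/opt" && echo "all signer env files pass"
rm -rf "$tmp"
```

On the server from the guide, the same check would be run as `check_signer_envs /opt/mithril` before starting each additional signer service.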
