# Ethereum Deb Repository

An open, secure, easy and standardized way to run Ethereum software on Debian-based distributions.

## Motivation

The Ethereum ecosystem contains a lot of useful software that lets users fully embrace the Ethereum network in a trustless manner. The foundation of this is the client implementations, which should be easy for anybody to run. On top of Eth1 clients, users might want to run more software from the ecosystem, like Eth2 beacon and validator nodes, L2 software, monitoring tools, etc.

Manual installation and configuration of this kind of Ethereum tool stack is not an easy task, especially with a focus on security and stability. It is not impossible, but it comes with trade-offs like:

* Time, education and confidence to do it
* Potential security and stability issues caused by misconfiguration
* Security risks stemming from failure to verify the software properly
* It gets repetitive if one has to do it multiple times

Solutions for this exist at the operating system level. The OS comes with a package manager and service configuration management, which can be used to handle the Ethereum software stack. Most of the software in an OS runs in the background as a service, performs various tasks, and the user does not even have to be aware of it. Ethereum software could behave the same way.

Having all the important software in one place like this can help incentivize running one's own node and support client diversity on the network. This kind of repository can be utilized by users, developers, businesses or service providers, since it provides easy-to-use, secure and stable infrastructure.

## Design, Requirements

The idea of this repository is developed in accordance with the Unix philosophy: each piece of software plays its own role and can be easily replaced. With this design, the repository achieves composability and compartmentalization.

### Composability

The core of this approach is the composability of `deb` packages.
Services separated into their own packages allow:

* Easier management
  * On both the developer and the user side
* Better security
  * Smaller attack surface, avoiding redundant software
  * Fast response to vulnerabilities, since a fix ships as a single package update
* Altering packages
  * Ability to swap different implementations of the same function

Packages also make it possible to use dependencies and recommendations. Higher-level packages require lower-level packages as dependencies, e.g. an Eth2 client depends on an Eth1 client, which in turn pulls in all of its own dependencies. Recommendations can be used to create a default setup. All packages should install software in compliance with the Linux Filesystem Hierarchy Standard (FHS).

### Packages

The parts of the Ethereum software stack are contained in various types of packages. A user flow can start with just installing a service package, which then depends on or recommends packages containing the binary, configuration, system service, OS-native dependencies, etc. Installing one base package therefore represents not only the software itself but its functionality within the system and the stack. Each package is like a piece of a puzzle in the whole tool stack.

Building complex `deb` packages like this manually would be overwhelming and could introduce vulnerabilities. Most of the automation can be solved with tools like [debcrafter](https://github.com/Kixunil/debcrafter/).

Types of packages include:

* Binary packages
  * Contain the executable which can be run
  * Recommend the default service package
* Service packages
  * Handle the system service and its configuration
  * Depend on binary and configuration packages
  * Come with their own system user with minimal privileges
* Configuration packages
  * Handle configuration of the software
  * Installing one package can trigger a configuration change in different software

Example of basic client packages:

![](https://storage.googleapis.com/ethereum-hackmd/upload_ed55dc7a868296a6865e378c6dac2712.png)

### Security

The repository can utilize systemd security features and system users and groups to achieve security by isolation.
Automatic configuration prevents potentially vulnerable misconfiguration. This is achieved under the following assumptions:

* Each service has a unique user
  * Users have minimal privileges, limited to the software running under them
  * One compromised service therefore cannot access the data of others
  * Using `no_new_privs` makes setuid bits ineffective for the service, so even a vulnerability in sudo cannot be used to escalate privileges from it
* systemd security
  * Security hardening on the service level enables additional tweaks
  * Flags for managing privileges and protecting directories and parts of the system
  * Example: https://github.com/GrapheneOS/AttestationServer/blob/master/attestation.service
* Secure RPC exposure
  * Automation of secure endpoint exposure with optional configuration
  * Filtering, load balancing, proxy protection
  * Dshackle and Nginx/HAProxy setup with:
    * Tor for exposing the endpoint as an onion service
    * Nginx and certbot for clearnet exposure over HTTPS

The security and system compartmentalization achieved by this setup would set a high security standard for automatically deployed stacks.

### Included software

The MVP should contain at least a basic node setup with an Eth1 and an Eth2 client. The complete list of software in the stack could look like this:

* Execution clients
  * Go-ethereum
  * OpenEthereum
  * Nethermind
  * Besu
  * Erigon
* Consensus clients
  * Lighthouse
  * Prysm
  * Teku
  * Nimbus
  * Lodestar
* Monitoring
  * Prometheus
  * InfluxDB
  * Grafana
* Exposing API
  * Nginx
  * Tor
  * Dshackle
  * HAProxy
  * Certbot
* Ecosystem software, developer tools, Layer 2, sidechains, etc.
  * Optimism, Arbitrum, ZKsync, Loopring, Raiden nodes and tooling
  * Other ecosystem tools, e.g. IPFS, Tornado relayer
  * Point-of-sale system, e.g. xpayserver
  * Block explorer, e.g. Alethio Lite Explorer, Otterscan
  * etc.

The source of this repository should be openly published and open for contributions, so various ecosystem players can contribute their software. The repository should be compatible with and officially supported on major Debian-based systems, currently Debian Buster and Ubuntu 20.04.
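The Security section above lists the isolation properties a service package should provide: a unique low-privilege system user, `no_new_privs`, systemd hardening flags, and an RPC endpoint that is not exposed directly. The unit below is an added example written for this page, not a unit shipped by the repository or by go-ethereum. It assumes the binary package installs `/usr/bin/geth`, that the service package's postinst has created a `geth` system user and group, and that chain data lives under `/var/lib/geth`; all three are hypothetical.

```ini
# Added example unit, not the repository's or go-ethereum's own. Assumed
# (hypothetical): /usr/bin/geth from the binary package, system user/group
# "geth" created by the service package's postinst, data in /var/lib/geth.
[Unit]
Description=Go Ethereum mainnet full node
After=network-online.target
Wants=network-online.target

[Service]
# Dedicated unprivileged user: a compromised node cannot read other services' data.
User=geth
Group=geth
# systemd creates /var/lib/geth owned by the service user and makes it the only
# writable state directory even under ProtectSystem=strict.
StateDirectory=geth
# Bind HTTP-RPC to loopback only; exposure is delegated to the proxy/Tor packages.
ExecStart=/usr/bin/geth --datadir /var/lib/geth --http --http.addr 127.0.0.1 --http.port 8545
Restart=on-failure
RestartSec=5
# geth flushes its database on shutdown; give it time to avoid a corrupted datadir.
TimeoutStopSec=300

# Privilege containment: sets the no_new_privs bit, so setuid binaries (sudo
# included) cannot grant this service anything it does not already have.
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
RestrictSUIDSGID=yes
UMask=0077

# Filesystem: read-only system, no home directories, private /tmp and /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Kernel and namespace isolation.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes
# geth is a Go binary and does not need writable+executable memory. Drop this
# line for JIT runtimes (e.g. .NET-based Nethermind, JVM-based Besu/Teku).
MemoryDenyWriteExecute=yes

# Network: IPv4/IPv6 for p2p and RPC, AF_UNIX for the IPC socket in the datadir,
# AF_NETLINK because Go's net package uses it to enumerate interfaces.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

# Syscalls: systemd's generic service allowlist, native architecture only;
# filtered calls fail with EPERM instead of killing the process.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security geth.service` scores the resulting exposure and lists which settings are still open, which is a quick check to run on every service package before publishing it. Directives unknown to an older systemd (Debian Buster ships 241, Ubuntu 20.04 ships 245) are logged as warnings and ignored, so the same unit can ship for both targets and simply hardens less on the older one.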
## User story

The resulting UX will allow users to install Ethereum software without worrying about dependencies, manual configuration or verification. A few examples:

* `apt install geth-mainnet-full` will install all dependent software and the go-ethereum client, set up the default mainnet full node configuration and start it as a service, so the user is ready to use it
* `apt install lighthouse` will install all dependencies (libraries and an Eth1 client) and set up the default configuration, so the user is ready to use it
* `apt install openethereum prysm grafana` will install and set up the OpenEthereum Eth1 client, the Prysm Eth2 client and Grafana monitoring with all the dependencies and configuration they require; a post-install script uploads a dashboard to Grafana, and the user can just use all these tools preconfigured
* `systemctl stop besu` will safely stop the Besu client
* `dpkg-reconfigure geth` allows changing the optional configuration of the package

## Current alternatives

Some of the proposed software offers its own Debian repositories. However, these do not provide composability with other applications, and there is no single repository containing all the important applications. Dappnode and similar Docker-based solutions are limited by Docker's usage model and security properties. A deb repository provides deeper integration into the OS and its management tools, standard approaches and security.
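The package layering described under Packages (binary, service and configuration packages linked by Depends/Recommends) is what makes the one-command installs in the user story work. The `debian/control` below is an added example for this page, not the repository's real packaging; the package names beyond `geth` and `geth-mainnet-full`, the virtual packages `ethereum-execution-mainnet` and `geth-mainnet-config`, and the maintainer address are hypothetical.

```debcontrol
# Added example of the package layering, not the repository's real
# debian/control. Hypothetical: the virtual packages ethereum-execution-mainnet
# and geth-mainnet-config, the -config package names and the maintainer address.
Source: geth
Section: net
Priority: optional
Maintainer: Example Maintainer <maintainer@example.org>
Build-Depends: debhelper-compat (= 12), golang-go
Standards-Version: 4.5.0

# Binary package: only the executable, no service is started. apt installs
# Recommends by default, so a plain `apt install geth` also pulls in the default
# service package; `apt install --no-install-recommends geth` gives just the binary.
Package: geth
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Recommends: geth-mainnet-full
Description: Go Ethereum execution client (binary only)
 The geth executable without any service or configuration, for users who
 manage their own node setup or as a dependency of a service package.

# Service package: the systemd unit plus a dedicated system user created in
# postinst with adduser. It depends on the default config package but accepts
# any provider of geth-mainnet-config, and itself provides the virtual package
# a consensus client can depend on instead of naming one execution client.
Package: geth-mainnet-full
Architecture: all
Depends: geth (>= ${source:Version}),
         geth-mainnet-full-config | geth-mainnet-config,
         adduser,
         ${misc:Depends}
Provides: ethereum-execution-mainnet
Description: Go Ethereum mainnet full node (systemd service)
 Installs a hardened systemd unit that runs geth as the unprivileged "geth"
 system user with the default mainnet full node configuration.

# Configuration package: the swappable piece. Provides/Conflicts/Replaces on the
# same virtual name is the standard Debian idiom ensuring exactly one config
# variant (e.g. full node vs. archive node) is installed at a time.
Package: geth-mainnet-full-config
Architecture: all
Depends: ${misc:Depends}
Provides: geth-mainnet-config
Conflicts: geth-mainnet-config
Replaces: geth-mainnet-config
Description: default configuration for a geth mainnet full node
 Ships the default configuration file read by the geth-mainnet-full unit.
```

A consensus client's service package would then declare `Depends: geth-mainnet-full | ethereum-execution-mainnet`: `apt install lighthouse` on a clean system pulls the first alternative as the default Eth1 client, while on a system that already runs another execution client's service package (providing `ethereum-execution-mainnet`) the dependency is already satisfied and nothing extra is installed. That is the "swap different implementations of the same function" property from the Composability section expressed in package metadata rather than in post-install scripts.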