@cs224
Last active January 22, 2026 12:53
Nym Mixnet & dVPN: A Node Operator's Guide (2026) - Docker Compose Shadowsocks SOCKS5 proxy with NymVPN

This gist is part of Nym Mixnet & dVPN: A Node Operator's Guide (2026).

Quick notes:

  • The main entrypoint is docker-compose.yaml, which builds nymvpn-debian.dockerfile.
  • secrets.env is an example; put your real mnemonic there and keep it private.
  • The state and config live under ./config/nymvpn1/ (mapped to /etc/nym and /var/lib/nym-vpnd).

Build helpers:

  • TAG_DATE=$(date +%Y%m%d) docker compose build
  • TAG_DATE=$(date +%Y%m%d) docker compose build --no-cache
```yaml
# docker-compose.yaml
########################### EXTENSION FIELDS
# Helps eliminate repetition of sections.
# Keys common to the core services that we want to automatically restart on failure.
x-common-keys-core: &common-keys-core
  restart: on-failure

# docker compose up -d
# docker compose config
# docker compose pull --quiet --parallel ssserver1 sslocal1
name: nymvpn
services:
  nymvpn1:
    build:
      context: .
      dockerfile: nymvpn-debian.dockerfile
      network: host
      args:
        HTTP_PROXY: ${HTTP_PROXY:-}
        HTTPS_PROXY: ${HTTPS_PROXY:-}
        http_proxy: ${HTTP_PROXY:-}
        https_proxy: ${HTTPS_PROXY:-}
    image: nymvpn-debian:latest
    <<: *common-keys-core
    command: ["/bin/bash", "-c", "supervisord -c /etc/supervisor/supervisord.conf && sleep 5 && /usr/bin/nym-vpnc lan set allow && ( [ -f /var/lib/nym-vpnd/mainnet/mnemonic.json ] || [ -f /var/lib/nym-vpnd/mainnet/access_code.json ] || ( /usr/bin/nym-vpnc account set \"$$MNEMONIC_SECRET\" ) ) && /usr/bin/nym-vpnc tunnel set --two-hop on && /usr/bin/nym-vpnc gateway set --entry-country AT --exit-id 2BuMSfMW3zpeAjKXyKLhmY4QW1DXurrtSPEJ6CjX3SEh && /usr/bin/nym-vpnc connect --wait && tail -f /var/log/vpnd.log"]
    ports:
      # Local SOCKS5 entry point (mapped from sslocal).
      - 127.0.0.1:1090:1080
    devices:
      - /dev/net/tun
    cap_add:
      - NET_ADMIN
    volumes:
      - ./config/nymvpn1/etc:/etc/nym
      - ./config/nymvpn1/lib:/var/lib/nym-vpnd
      - ./config/nymvpn1/logs:/var/log
    env_file:
      - secrets.env
  ssserver1:
    <<: *common-keys-core
    image: ghcr.io/shadowsocks/ssserver-rust:latest
    # Local-only relay; "none" encryption is intentional here because it never leaves the container network.
    command: ssserver -v -s 127.0.0.1:8388 -k hello-kitty -m none
    network_mode: service:nymvpn1
    depends_on: ["nymvpn1"]
  sslocal1:
    <<: *common-keys-core
    image: ghcr.io/shadowsocks/sslocal-rust:latest
    # Binds to 0.0.0.0 inside the container, but the host port is loopback-only (see 127.0.0.1 mapping above).
    command: sslocal -b 0.0.0.0:1080 -s 127.0.0.1:8388 -k hello-kitty -m none
    network_mode: service:nymvpn1
    depends_on:
      - ssserver1
```
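The compose file relies on the `127.0.0.1:1090:1080` mapping to keep the SOCKS5 listener private, since sslocal binds 0.0.0.0 with `-m none` and a shared key. The following check is an added example, not part of the original gist: it flags any published port that is not loopback-only, assuming the JSON shape produced by `docker compose config --format json`; the sample config and the `badproxy` service are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: the relevant keys of this stack as normalized JSON, plus
# one hypothetical service ("badproxy") whose mapping omits the 127.0.0.1 prefix.
SAMPLE_CONFIG = json.loads("""
{"services": {
  "nymvpn1":   {"ports": [{"host_ip": "127.0.0.1", "published": "1090", "target": 1080}]},
  "ssserver1": {"network_mode": "service:nymvpn1"},
  "sslocal1":  {"network_mode": "service:nymvpn1"},
  "badproxy":  {"ports": [{"published": "1091", "target": 1080}]}
}}
""")


def is_loopback(host_ip):
    """True only for an explicit loopback bind; a missing host_ip means all interfaces."""
    if not host_ip:
        return False
    try:
        return ipaddress.ip_address(host_ip).is_loopback
    except ValueError:
        return False


def exposed_ports(config):
    """Return (owner, published_port, services_sharing_namespace) for every
    published port that is not restricted to loopback."""
    services = config.get("services", {})
    # Services with network_mode "service:X" listen inside X's network namespace,
    # so a port published by X reaches their listeners as well.
    sharers = {}
    for name, svc in services.items():
        mode = svc.get("network_mode") or ""
        if mode.startswith("service:"):
            sharers.setdefault(mode.split(":", 1)[1], []).append(name)
    findings = []
    for name, svc in services.items():
        for port in svc.get("ports") or []:
            if not is_loopback(port.get("host_ip")):
                findings.append((name, str(port.get("published")), sorted(sharers.get(name, []))))
    return findings


if __name__ == "__main__":
    for owner, port, shared in exposed_ports(SAMPLE_CONFIG):
        print(f"{owner}: host port {port} is not loopback-only (also reaches: {shared})")
```

To run it against the real stack, replace `SAMPLE_CONFIG` with the parsed output of `docker compose config --format json`.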
```dockerfile
# nymvpn-debian.dockerfile
# Use Debian Bookworm as the base image
FROM debian:bookworm-slim
LABEL maintainer="me <me@me.me>"
LABEL name="nymvpn-debian"
LABEL version="latest"

# Install needed packages.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        lsb-release \
        apt-transport-https \
        ca-certificates \
        wget \
        curl \
        gnupg \
        procps \
        iproute2 \
        net-tools \
        tini \
        supervisor \
    && rm -rf /var/lib/apt/lists/*

# The repo-setup package is fetched over HTTPS only; no checksum or signature is verified here.
RUN wget https://apt.nymtech.net/pool/main/n/nym-repo-setup/nym-repo-setup_1.0.1_amd64.deb -O /tmp/nym-repo-setup_1.0.1_amd64.deb
RUN dpkg -i /tmp/nym-repo-setup_1.0.1_amd64.deb
RUN apt-get update \
    && apt-get install -y nym-vpnc nym-vpnd \
    && rm -rf /var/lib/apt/lists/* \
    && rm -f /tmp/nym-repo-setup_1.0.1_amd64.deb

# https://nym.com/docs/developers/nymvpncli
# Configuration is stored in /etc/nym. State kept between runs (keys, mnemonic, etc.) is stored in /var/lib/nym-vpnd.
VOLUME ["/etc/nym", "/var/lib/nym-vpnd", "/var/log"]
COPY supervisord.conf /etc/supervisor/supervisord.conf
# COPY nym-vpnd /usr/bin/nym-vpnd
ENTRYPOINT ["/usr/bin/tini", "--"]
# Single "$" here: an exec-form CMD reaches bash verbatim, so "$$" would expand to the shell's PID.
# The "$$" escape is only needed in docker-compose.yaml, which overrides this CMD with its own command.
CMD ["/bin/bash", "-c", "supervisord -c /etc/supervisor/supervisord.conf && sleep 5 && /usr/bin/nym-vpnc lan set allow && ( [ -f /var/lib/nym-vpnd/mainnet/mnemonic.json ] || [ -f /var/lib/nym-vpnd/mainnet/access_code.json ] || ( /usr/bin/nym-vpnc account set \"$MNEMONIC_SECRET\" ) ) && /usr/bin/nym-vpnc tunnel set --two-hop on && /usr/bin/nym-vpnc gateway set --entry-country AT --exit-id 2BuMSfMW3zpeAjKXyKLhmY4QW1DXurrtSPEJ6CjX3SEh && /usr/bin/nym-vpnc connect --wait && tail -f /var/log/vpnd.log"]
```
```sh
# secrets.env
# Set your NymVPN account mnemonic here (space-separated words).
# Keep this file out of version control in real deployments.
MNEMONIC_SECRET=...
```
```ini
; supervisord.conf
[supervisord]
nodaemon=false
logfile=/var/log/supervisord.log ;
pidfile=/var/run/supervisord.pid ;

[program:vpnd]
command=/usr/bin/nym-vpnd
autostart=true
autorestart=true
stdout_logfile=/var/log/vpnd.log
stderr_logfile=/var/log/vpnd.err
stdout_logfile_maxbytes=0 ; Disables log rotation
stderr_logfile_maxbytes=0 ; Disables log rotation
stdout_logfile_backups=0 ; Disables backup of the logs
stderr_logfile_backups=0 ; Disables backup of the logs
```