heri16/0-connect.sh

## 0-connect.sh
# Set public ip address of VPS
NODE_IP=103.90.238.200

# Setup modern TERM
infocmp -x xterm-ghostty | ssh "nonroot@${NODE_IP}" -- tic -x -
infocmp -x xterm-ghostty | ssh "nonroot@${NODE_IP}" -- sudo tic -x -

# Connect via ssh
ssh "nonroot@${NODE_IP}"

## 1-pre-setup.sh
# Configure secure DNS
sudo mkdir -p /etc/systemd/resolved.conf.d/
sudo tee /etc/systemd/resolved.conf.d/secure-dns.conf <<'EOF'
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
FallbackDNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNSSEC=yes
DNSOverTLS=yes
EOF

# Enable secure DNS
systemd-analyze cat-config systemd/resolved.conf --no-pager
sudo systemctl restart systemd-resolved
resolvectl status --no-pager

# Check for IPv6 connectivity
curl -6 ifconfig.co

# If the above IPv6 connectivity check fails, setup a IPv6 tunnel, and set the broker's IP address here:
open https://manager.route64.org/tunnelbroker/
NODE_IP=$(curl -4 ifconfig.co 2> /dev/null)
BROKER_IP=103.170.116.130
ASSIGNED_PREFIX=2a11:6c7:f07:9d

# sudo ip tunnel add tb22916R64 mode gre remote $BROKER_IP local $NODE_IP ttl 255
# sudo ip link set tb22916R64 up
# sudo ip -6 addr add ${ASSIGNED_PREFIX}::2/64 dev tb22916R64
# sudo ip -6 route add default dev tb22916R64

sudo tee /etc/netplan/99-tunnel-brokers.yaml > /dev/null <<EOF
network:
  version: 2
  tunnels:
    tb22916R64:
      mode: gre
      local: ${NODE_IP}
      remote: ${BROKER_IP}
      ttl: 255
      addresses:
        - ${ASSIGNED_PREFIX}::2/64
      routes:
        - to: default
          via: "::"
EOF

sudo chmod 600 /etc/netplan/99-tunnel-brokers.yaml
sudo netplan generate
ls /run/systemd/network/
sudo netplan apply

sudo networkctl reconfigure tb22916R64
sudo networkctl status tb22916R64 --no-pager
ping -c 3 ${ASSIGNED_PREFIX}::1
curl -6 ifconfig.co

sudo apt update
sudo apt upgrade
sudo reboot

## 2-setup.sh
# Set the correct parameters below
NODE_COUNTRY_CODE="SG"
NODE_CITY="Singapore 🇸🇬"
DNS_HOSTNAME="sgp1.example.com"
CONTACT_EMAIL="...@icloud.com"

# Install mise.jdx.dev
[ -n "$ZSH_VERSION" ] && curl --proto '=https' --tlsv1.3 https://mise.run/zsh || curl --proto '=https' --tlsv1.2 https://mise.run/zsh | sh
[ -n "$BASH_VERSION" ] && curl --proto '=https' --tlsv1.3 https://mise.run/bash | bash
[ -n "$FISH_VERSION" ] && curl --proto '=https' --tlsv1.3 https://mise.run/fish | sh
exec -l $SHELL

# Test node's connectivity
mise use -g jq
curl -O --proto '=https' --tlsv1.3 https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/test-nodes-pings.sh
chmod +x test-nodes-pings.sh
./test-nodes-pings.sh

# Install nginx
sudo apt install -y nginx certbot python3-certbot-nginx
sudo ufw disable

# Issue TLS cert
sudo certbot --nginx --non-interactive --agree-tos --redirect -m "$CONTACT_EMAIL" -d "$DNS_HOSTNAME"

# Disable default site
sudo unlink /etc/nginx/sites-enabled/default
sudo nginx -t && sudo systemctl restart nginx

# Stop & remove all remnant services
sudo systemctl stop nym-node
sudo rm /etc/systemd/system/nym-node.service
sudo systemctl stop nym-bridge
sudo rm /etc/systemd/system/nym-bridge.service
sudo rm -rf /root/.nym

# Download automated installer script
mise use -g python@latest
curl -O --proto '=https' --tlsv1.3 https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/nym-node-cli.py
command -v python3 && sed -i '1s|^#!.*|#!/usr/bin/env python3|' ./nym-node-cli.py
chmod +x ./nym-node-cli.py

# Begin installation, follow instructions, and make sure no red-colored lines emitted
sudo ./nym-node-cli.py install --hostname "$DNS_HOSTNAME" --moniker "mixnet.id | ${NODE_CITY}" --description "High-IOPS server on the most well-peered ASN connection in the country, with Global AnyCast DNS infrastructure." --wireguard-enabled true --location "$NODE_COUNTRY_CODE" --mode exit-gateway --email "$CONTACT_EMAIL"

# Take note of this output:
# ******************************************
# * * * C O N G R A T U L A T I O N ! * * *
# Your Nym node is registered to Nym network
# Wait until the end of epoch for the change
# to propagate (max 60 min)

# Then you can see your node at:
# https://explorer.nym.spectredao.net/nodes/<NODE_IDENT_KEY>
# ******************************************

# Set the node identity key
NODE_IDENT_KEY="0jvQQQyQHjHRsZjBwR5WWW8RqtvBwChzpcsp18G6nYYY"

# Open node monitoring sites
open https://explorer.nym.spectredao.net/nodes/$NODE_IDENT_KEY
open https://harbourmaster.nymtech.net/gateway/$NODE_IDENT_KEY
open https://nym.com/explorer/nym-node/$NODE_IDENT_KEY

## 3-post-setup.sh
# Set the correct parameters below
NODE_IDENT_KEY="0jvQQQyQHjHRsZjBwR5WWW8RqtvBwChzpcsp18G6nYYY"
DNS_HOSTNAME="sgp1.example.com"
CONTACT_EMAIL="...@icloud.com"

# Check node's status
sudo networkctl status tb22916R64 --no-pager
sudo systemctl status nym-bridge --no-pager
sudo systemctl status nym-node --no-pager
sudo systemctl status nginx --no-pager

# Check node's config
sudo head -n72 /root/.nym/nym-nodes/default-nym-node/config/config.toml
sudo grep -E 'hostname|announce_wss_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml

# Check DNS records of node
getent ahostsv4 ${DNS_HOSTNAME} | uniq
getent ahostsv6 ${DNS_HOSTNAME} | uniq

# Check that node's API is accessible
curl -L http://${DNS_HOSTNAME}:8080/api/v1/swagger/#/
curl -L http://${DNS_HOSTNAME}/api/v1/swagger/#/
curl https://${DNS_HOSTNAME}/api/v1/swagger/#/
curl https://${DNS_HOSTNAME}/api/v1/roles 2> /dev/null | jq .

# Check node's firewall rules
sudo iptables -L ufw-user-input -v -n --line-numbers
sudo ip6tables -L ufw6-user-input -v -n --line-numbers

# Save firewall rules to persist across reboots
sudo apt install -y netfilter-persistent iptables-persistent
sudo netfilter-persistent save
sudo netfilter-persistent reload
sudo systemctl enable netfilter-persistent

# Change website value to `nym-exit.example.com`
sudo nano /root/.nym/nym-nodes/default-nym-node/data/description.toml
sudo systemctl restart nym-node

# Change email value to your email address
sudo sed -i "s|<YOUR_EMAIL_ADDRESS>|${CONTACT_EMAIL}|g" /var/www/${DNS_HOSTNAME}/index.html
curl https://${DNS_HOSTNAME} 2> /dev/null | grep '<meta.*contact:email'

# Check node's info
curl https://${DNS_HOSTNAME}/api/v1/description 2> /dev/null | jq .
curl https://${DNS_HOSTNAME}/api/v1/system-info 2> /dev/null | jq .
echo 'Node ID:' \
$(curl -s https://validator.nymtech.net/api/v1/nym-nodes/described \
| jq --arg key "$NODE_IDENT_KEY" '.data[] | select(.description.host_information.keys.ed25519==$key) | .node_id')

# Check for nginx configuration warnings
sudo nginx -t

# Fix `http2 on;` nginx warning
sudo ls /etc/nginx/sites-available
sudo sed -i '/^[[:space:]]*listen 9001 ssl http2;/ { N; s|^[[:space:]]*listen 9001 ssl http2;\n[[:space:]]*listen \[::\]:9001 ssl http2;|    listen 9001 ssl;\n    listen [::]:9001 ssl;\n    http2 on;| }' /etc/nginx/sites-available/wss-config-nym
cat /etc/nginx/sites-available/wss-config-nym

# Disable weaker ciphers and curve groups
sudo sed -i '/^[[:space:]]*ssl_dhparam \/etc\/letsencrypt\/ssl-dhparams\.pem;/a\
\
    # Disable weaker ciphers and groups. See: https://ssl-config.mozilla.org/#server=nginx&config=intermediate&ocsp=false\
    ssl_conf_command CipherString ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;\
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;\
    ssl_conf_command Curves x25519:prime256v1:secp384r1;' /etc/nginx/sites-available/wss-config-nym
cat /etc/nginx/sites-available/wss-config-nym

# Enable HSTS to get A+ score on https://www.ssllabs.com/ssltest/
sudo sed -i '/proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;/a\
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;' /etc/nginx/sites-available/${DNS_HOSTNAME}
cat /etc/nginx/sites-available/${DNS_HOSTNAME}

# Check for nginx configuration warnings & restart nginx
sudo ls /etc/nginx/sites-enabled
sudo nginx -t && sudo systemctl restart nginx


# Download automated network testing script
curl -O --proto '=https' --tlsv1.3 https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh
chmod +x ./network-tunnel-manager.sh

# Check node's network config
sudo ./network-tunnel-manager.sh --help
sudo ./network-tunnel-manager.sh check_ip_routing
sudo ./network-tunnel-manager.sh check_ipv6_ipv4_forwarding
sudo ./network-tunnel-manager.sh check_nym_wg_tun
sudo ./network-tunnel-manager.sh check_nymtun_iptables
sudo resolvectl dns --no-pager
sudo networkctl list --no-pager
sudo networkctl status -n0 --no-pager

# Run automated network testing script
sudo ./network-tunnel-manager.sh joke_through_the_mixnet
sudo ./network-tunnel-manager.sh joke_through_wg_tunnel
sudo ./network-tunnel-manager.sh exit_policy_test_connectivity
sudo ./network-tunnel-manager.sh exit_policy_tests

# Check node's IPv6 address
sudo ./network-tunnel-manager.sh fetch_and_display_ipv6
curl -6 -s ifconfig.co

# Check that DNS record matches node's IPv6 address
DNS_IP="$(getent ahostsv6 ${DNS_HOSTNAME} | awk '$2=="STREAM" {print $1}' | uniq)"
[ "$DNS_IP" == "$(curl -6 -s ifconfig.co)" ] && echo "GOOD MATCH" || echo "BAD dns-record: ${DNS_IP}"

# Change QUIC port to udp/443
sudo sed -i 's/:4443/:443/g' /etc/nym/bridges.toml
sudo sed -i 's/:4443/:443/g' /etc/nym/client_bridge_params.json
sudo netfilter-persistent save
# sudo iptables-save | sudo tee /etc/iptables/rules.v4
# sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
sudo sed -i 's/-m udp --dport 4443/-m udp --dport 443/g' /etc/iptables/rules.v4
sudo sed -i 's/-m udp --dport 4443/-m udp --dport 443/g' /etc/iptables/rules.v6
# sudo cat /etc/iptables/rules.v4 | sudo iptables-restore
# sudo cat /etc/iptables/rules.v6 | sudo ip6tables-restore
sudo netfilter-persistent reload
sudo systemctl enable netfilter-persistent
sudo systemctl restart nym-bridge
sudo systemctl restart nym-node

# Check node's firewall rules
sudo iptables -L ufw-user-input -v -n --line-numbers
sudo ip6tables -L ufw6-user-input -v -n --line-numbers

# Reboot
sudo reboot

## 4-dpi-hardening.sh
# Set the correct parameters below
DNS_HOSTNAME="sgp1.example.com"

# Overwrite `/etc/nginx/sites-available/$DNS_HOSTNAME` with this file
sudo tee /etc/nginx/sites-available/$DNS_HOSTNAME <<EOF
map \$http_upgrade \$route {
    ""       @static;        # empty header → static
    default  @ws_backend;    # anything else → WebSocket
}

map \$sent_http_content_type \$hsts_header {
    "~*text/html" "max-age=63072000; includeSubDomains; preload";
    default "";
}

map \$sent_http_content_type \$expect_ct_header {
    "~*text/html" "max-age=86400, enforce";
    default "";
}

map \$sent_http_content_type \$x_xss_protection_header {
    "~*text/html" "0";
    default "";
}

map \$sent_http_content_type \$csp_header {
    "~*text/html" "sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox; upgrade-insecure-requests; base-uri 'none'; frame-ancestors 'none'; default-src blob: data: 'self'; font-src 'none'; style-src 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; script-src 'self' 'sha256-tIPFFuERfdUkWGR9Qbo82JM2MTTGCpWpBX2S6aBCTbw=';";
    default "";
}

map \$sent_http_content_type \$permissions_policy_header {
    "~*text/html" "cross-origin-isolated=(self), autoplay=*, fullscreen=*, picture-in-picture=*, web-share=*, clipboard-write=*, accelerometer=(), ambient-light-sensor=(), bluetooth=(), browsing-topics=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), screen-wake-lock=(), serial=(), usb=(), xr-spatial-tracking=(), sync-xhr=()";
    default "";
}

server {

    server_name ${DNS_HOSTNAME};

    # Add basic security headers. See: https://securityheaders.com
    add_header 'X-Frame-Options' 'DENY' always;
    add_header 'Referrer-Policy' 'strict-origin' always;
    add_header 'Cross-Origin-Resource-Policy' 'same-origin' always;
    add_header 'Cross-Origin-Opener-Policy' 'same-origin' always;
    add_header 'X-Content-Type-Options' 'nosniff' always;

    # Add strict security headers which forces browsers to use HTTPS
    add_header 'Strict-Transport-Security' '\$hsts_header' always;
    add_header 'Expect-CT' '\$expect_ct_header' always;
    add_header 'X-XSS-Protection' '\$x_xss_protection_header' always;
    add_header 'Content-Security-Policy' '\$csp_header' always;
    add_header 'Permissions-Policy' '\$permissions_policy_header' always;

    location = /index.html {
        root /var/www/${DNS_HOSTNAME};
        access_log     off;
    }

    location = /favicon.ico {
        return 204;
        access_log     off;
        log_not_found  off;
    }

    location /api {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }

    location / {
        try_files @ \$route;
    }

    location @static {
        index index.html;

        # First attempt to serve request as file, then
        # as directory index, then fall back to displaying a 404.
        try_files \$uri \$uri/ =404;
    }

    location @ws_backend {
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD' always;
        add_header 'Access-Control-Allow-Headers' '*' always;

        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-For \$remote_addr;

        proxy_pass http://localhost:9000;
        proxy_intercept_errors on;
    }

    http2 on;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/${DNS_HOSTNAME}/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/${DNS_HOSTNAME}/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Disable weaker ciphers and groups. See: https://ssl-config.mozilla.org/#server=nginx&config=intermediate&ocsp=false
    ssl_conf_command CipherString ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    ssl_conf_command Curves x25519:prime256v1:secp384r1;

}
server {
    listen 80;
    listen [::]:80;

    server_name ${DNS_HOSTNAME};

    location / {
        try_files @_ \$route;
    }

    location @static {
        if (\$host = ${DNS_HOSTNAME}) {
            return 301 https://\$host\$request_uri;
        } # managed by Certbot

        return 404; # managed by Certbot
    }

    location @ws_backend {
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD' always;
        add_header 'Access-Control-Allow-Headers' '*' always;

        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-For \$remote_addr;

        proxy_pass http://localhost:9000;
        proxy_intercept_errors on;
    }
}
EOF

# Test websocket port
mise use -g websocat
echo | websocat -n ws://${DNS_HOSTNAME}:9000/ && echo "Port 9000 (ws): OK"

# Reload nginx configuration:
sudo unlink /etc/nginx/sites-enabled/wss-config-nym
sudo nginx -t && sudo systemctl reload nginx
echo | websocat -n ws://${DNS_HOSTNAME}/ && echo "Port 80 (ws): OK"
echo | websocat -n wss://${DNS_HOSTNAME}/ && echo "Port 443 (wss): OK"

# Change announce_ws_port and announce_wss_port:
sudo sed -i 's/^\(announce_ws_port[[:space:]]*=[[:space:]]*\)[0-9]\+/\180/' /root/.nym/nym-nodes/default-nym-node/config/config.toml
sudo sed -i 's/^\(announce_wss_port[[:space:]]*=[[:space:]]*\)[0-9]\+/\1443/' /root/.nym/nym-nodes/default-nym-node/config/config.toml
sudo grep -E 'hostname|announce_ws_port|announce_wss_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml
sudo systemctl restart nym-node

# Change `mixnet.announce_port` and `verloc.announce_port`:
sudo awk '
/^\[mixnet\]/ { section="mixnet" }
/^\[verloc\]/ { section="verloc" }
/^announce_port[[:space:]]*=/ {
  if (section=="mixnet")  { print "announce_port = 8443  ";   next }
  if (section=="verloc")  { print "announce_port = 995  "; next }
}
{ print }
' /root/.nym/nym-nodes/default-nym-node/config/config.toml | sudo tee /root/.nym/nym-nodes/default-nym-node/config/config.toml.save
sudo grep -E 'announce_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml.save
sudo chown --reference="/root/.nym/nym-nodes/default-nym-node/config/config.toml" "/root/.nym/nym-nodes/default-nym-node/config/config.toml.save" && \
sudo chmod --reference="/root/.nym/nym-nodes/default-nym-node/config/config.toml" "/root/.nym/nym-nodes/default-nym-node/config/config.toml.save" && \
sudo mv "/root/.nym/nym-nodes/default-nym-node/config/config.toml.save" "/root/.nym/nym-nodes/default-nym-node/config/config.toml"

# Update node's firewall rules to open `mixnet.announce_port` and `verloc.announce_port`
IPV4="$(curl -4 -s ifconfig.co)"
IPV6="$(curl -6 -s ifconfig.co)"
sudo netfilter-persistent reload
sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 8443 -j REDIRECT --to-ports 1789
sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 8443 -j REDIRECT --to-ports 1789
sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 995 -j REDIRECT --to-ports 1790
sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 995 -j REDIRECT --to-ports 1790
sudo netfilter-persistent save

# Update node's firewall rules to close port 9000 and port 9001
sudo sed -i 's/-m tcp --dport 9000/-m tcp --dport 8888/g' /etc/iptables/rules.v4
sudo sed -i 's/-m tcp --dport 9000/-m tcp --dport 8888/g' /etc/iptables/rules.v6
sudo sed -i 's/-m tcp --dport 9001/-m tcp --dport 8443/g' /etc/iptables/rules.v4
sudo sed -i 's/-m tcp --dport 9001/-m tcp --dport 8443/g' /etc/iptables/rules.v6
sudo netfilter-persistent reload

# Create temporary backup port redirections to keep good uptime scores
sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 9000 -j REDIRECT --to-ports 80
sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 9000 -j REDIRECT --to-ports 80
sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 9001 -j REDIRECT --to-ports 443
sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 9001 -j REDIRECT --to-ports 443

# Check node's firewall rules
sudo iptables -L ufw-user-input -v -n --line-numbers
sudo ip6tables -L ufw6-user-input -v -n --line-numbers
sudo iptables -t nat -L PREROUTING -v -n --line-numbers
sudo ip6tables -t nat -L PREROUTING -v -n --line-numbers

# Restart nym-node service
sudo grep -E 'announce_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml
sudo systemctl restart nym-node
	# Set public ip address of VPS
	NODE_IP=103.90.238.200

	# Setup modern TERM
	infocmp -x xterm-ghostty \| ssh "nonroot@${NODE_IP}" -- tic -x -
	infocmp -x xterm-ghostty \| ssh "nonroot@${NODE_IP}" -- sudo tic -x -

	# Connect via ssh
	ssh "nonroot@${NODE_IP}"
	# Configure secure DNS
	sudo mkdir -p /etc/systemd/resolved.conf.d/
	sudo tee /etc/systemd/resolved.conf.d/secure-dns.conf <<'EOF'
	[Resolve]
	DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
	FallbackDNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
	DNSSEC=yes
	DNSOverTLS=yes
	EOF

	# Enable secure DNS
	systemd-analyze cat-config systemd/resolved.conf --no-pager
	sudo systemctl restart systemd-resolved
	resolvectl status --no-pager

	# Check for IPv6 connectivity
	curl -6 ifconfig.co

	# If the above IPv6 connectivity check fails, setup a IPv6 tunnel, and set the broker's IP address here:
	open https://manager.route64.org/tunnelbroker/
	NODE_IP=$(curl -4 ifconfig.co 2> /dev/null)
	BROKER_IP=103.170.116.130
	ASSIGNED_PREFIX=2a11:6c7:f07:9d

	# sudo ip tunnel add tb22916R64 mode gre remote $BROKER_IP local $NODE_IP ttl 255
	# sudo ip link set tb22916R64 up
	# sudo ip -6 addr add ${ASSIGNED_PREFIX}::2/64 dev tb22916R64
	# sudo ip -6 route add default dev tb22916R64

	sudo tee /etc/netplan/99-tunnel-brokers.yaml > /dev/null <<EOF
	network:
	version: 2
	tunnels:
	tb22916R64:
	mode: gre
	local: ${NODE_IP}
	remote: ${BROKER_IP}
	ttl: 255
	addresses:
	- ${ASSIGNED_PREFIX}::2/64
	routes:
	- to: default
	via: "::"
	EOF

	sudo chmod 600 /etc/netplan/99-tunnel-brokers.yaml
	sudo netplan generate
	ls /run/systemd/network/
	sudo netplan apply

	sudo networkctl reconfigure tb22916R64
	sudo networkctl status tb22916R64 --no-pager
	ping -c 3 ${ASSIGNED_PREFIX}::1
	curl -6 ifconfig.co

	sudo apt update
	sudo apt upgrade
	sudo reboot
	# Set the correct parameters below
	NODE_COUNTRY_CODE="SG"
	NODE_CITY="Singapore 🇸🇬"
	DNS_HOSTNAME="sgp1.example.com"
	CONTACT_EMAIL="...@icloud.com"

	# Install mise.jdx.dev
	[ -n "$ZSH_VERSION" ] && curl --proto '=https' --tlsv1.3 https://mise.run/zsh \|\| curl --proto '=https' --tlsv1.2 https://mise.run/zsh \| sh
	[ -n "$BASH_VERSION" ] && curl --proto '=https' --tlsv1.3 https://mise.run/bash \| bash
	[ -n "$FISH_VERSION" ] && curl --proto '=https' --tlsv1.3 https://mise.run/fish \| sh
	exec -l $SHELL

	# Test node's connectivity
	mise use -g jq
	curl -O --proto '=https' --tlsv1.3 https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/test-nodes-pings.sh
	chmod +x test-nodes-pings.sh
	./test-nodes-pings.sh

	# Install nginx
	sudo apt install -y nginx certbot python3-certbot-nginx
	sudo ufw disable

	# Issue TLS cert
	sudo certbot --nginx --non-interactive --agree-tos --redirect -m "$CONTACT_EMAIL" -d "$DNS_HOSTNAME"

	# Disable default site
	sudo unlink /etc/nginx/sites-enabled/default
	sudo nginx -t && sudo systemctl restart nginx

	# Stop & remove all remnant services
	sudo systemctl stop nym-node
	sudo rm /etc/systemd/system/nym-node.service
	sudo systemctl stop nym-bridge
	sudo rm /etc/systemd/system/nym-bridge.service
	sudo rm -rf /root/.nym

	# Download automated installer script
	mise use -g python@latest
	curl -O --proto '=https' --tlsv1.3 https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/nym-node-cli.py
	command -v python3 && sed -i '1s\|^#!.*\|#!/usr/bin/env python3\|' ./nym-node-cli.py
	chmod +x ./nym-node-cli.py

	# Begin installation, follow instructions, and make sure no red-colored lines emitted
	sudo ./nym-node-cli.py install --hostname "$DNS_HOSTNAME" --moniker "mixnet.id \| ${NODE_CITY}" --description "High-IOPS server on the most well-peered ASN connection in the country, with Global AnyCast DNS infrastructure." --wireguard-enabled true --location "$NODE_COUNTRY_CODE" --mode exit-gateway --email "$CONTACT_EMAIL"

	# Take note of this output:
	# ******************************************
	# * * * C O N G R A T U L A T I O N ! * * *
	# Your Nym node is registered to Nym network
	# Wait until the end of epoch for the change
	# to propagate (max 60 min)

	# Then you can see your node at:
	# https://explorer.nym.spectredao.net/nodes/<NODE_IDENT_KEY>
	# ******************************************

	# Set the node identity key
	NODE_IDENT_KEY="0jvQQQyQHjHRsZjBwR5WWW8RqtvBwChzpcsp18G6nYYY"

	# Open node monitoring sites
	open https://explorer.nym.spectredao.net/nodes/$NODE_IDENT_KEY
	open https://harbourmaster.nymtech.net/gateway/$NODE_IDENT_KEY
	open https://nym.com/explorer/nym-node/$NODE_IDENT_KEY
	# Set the correct parameters below
	DNS_HOSTNAME="sgp1.example.com"

	# Overwrite `/etc/nginx/sites-available/$DNS_HOSTNAME` with this file
	sudo tee /etc/nginx/sites-available/$DNS_HOSTNAME <<EOF
	map \$http_upgrade \$route {
	"" @static; # empty header → static
	default @ws_backend; # anything else → WebSocket
	}

	map \$sent_http_content_type \$hsts_header {
	"~*text/html" "max-age=63072000; includeSubDomains; preload";
	default "";
	}

	map \$sent_http_content_type \$expect_ct_header {
	"~*text/html" "max-age=86400, enforce";
	default "";
	}

	map \$sent_http_content_type \$x_xss_protection_header {
	"~*text/html" "0";
	default "";
	}

	map \$sent_http_content_type \$csp_header {
	"~*text/html" "sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox; upgrade-insecure-requests; base-uri 'none'; frame-ancestors 'none'; default-src blob: data: 'self'; font-src 'none'; style-src 'self' 'unsafe-inline'; style-src-attr 'unsafe-inline'; script-src 'self' 'sha256-tIPFFuERfdUkWGR9Qbo82JM2MTTGCpWpBX2S6aBCTbw=';";
	default "";
	}

	map \$sent_http_content_type \$permissions_policy_header {
	"~text/html" "cross-origin-isolated=(self), autoplay=, fullscreen=, picture-in-picture=, web-share=, clipboard-write=, accelerometer=(), ambient-light-sensor=(), bluetooth=(), browsing-topics=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), screen-wake-lock=(), serial=(), usb=(), xr-spatial-tracking=(), sync-xhr=()";
	default "";
	}

	server {

	server_name ${DNS_HOSTNAME};

	# Add basic security headers. See: https://securityheaders.com
	add_header 'X-Frame-Options' 'DENY' always;
	add_header 'Referrer-Policy' 'strict-origin' always;
	add_header 'Cross-Origin-Resource-Policy' 'same-origin' always;
	add_header 'Cross-Origin-Opener-Policy' 'same-origin' always;
	add_header 'X-Content-Type-Options' 'nosniff' always;

	# Add strict security headers which forces browsers to use HTTPS
	add_header 'Strict-Transport-Security' '\$hsts_header' always;
	add_header 'Expect-CT' '\$expect_ct_header' always;
	add_header 'X-XSS-Protection' '\$x_xss_protection_header' always;
	add_header 'Content-Security-Policy' '\$csp_header' always;
	add_header 'Permissions-Policy' '\$permissions_policy_header' always;

	location = /index.html {
	root /var/www/${DNS_HOSTNAME};
	access_log off;
	}

	location = /favicon.ico {
	return 204;
	access_log off;
	log_not_found off;
	}

	location /api {
	proxy_pass http://127.0.0.1:8080;
	proxy_set_header X-Real-IP \$remote_addr;
	proxy_set_header Host \$host;
	proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
	}

	location / {
	try_files @ \$route;
	}

	location @static {
	index index.html;

	# First attempt to serve request as file, then
	# as directory index, then fall back to displaying a 404.
	try_files \$uri \$uri/ =404;
	}

	location @ws_backend {
	add_header 'Access-Control-Allow-Origin' '*' always;
	add_header 'Access-Control-Allow-Credentials' 'true' always;
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD' always;
	add_header 'Access-Control-Allow-Headers' '*' always;

	proxy_http_version 1.1;
	proxy_set_header Upgrade \$http_upgrade;
	proxy_set_header Connection "Upgrade";
	proxy_set_header X-Forwarded-For \$remote_addr;

	proxy_pass http://localhost:9000;
	proxy_intercept_errors on;
	}

	http2 on;
	listen [::]:443 ssl ipv6only=on; # managed by Certbot
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/${DNS_HOSTNAME}/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/${DNS_HOSTNAME}/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

	# Disable weaker ciphers and groups. See: https://ssl-config.mozilla.org/#server=nginx&config=intermediate&ocsp=false
	ssl_conf_command CipherString ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
	ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
	ssl_conf_command Curves x25519:prime256v1:secp384r1;

	}
	server {
	listen 80;
	listen [::]:80;

	server_name ${DNS_HOSTNAME};

	location / {
	try_files @_ \$route;
	}

	location @static {
	if (\$host = ${DNS_HOSTNAME}) {
	return 301 https://\$host\$request_uri;
	} # managed by Certbot

	return 404; # managed by Certbot
	}

	location @ws_backend {
	add_header 'Access-Control-Allow-Origin' '*' always;
	add_header 'Access-Control-Allow-Credentials' 'true' always;
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD' always;
	add_header 'Access-Control-Allow-Headers' '*' always;

	proxy_http_version 1.1;
	proxy_set_header Upgrade \$http_upgrade;
	proxy_set_header Connection "Upgrade";
	proxy_set_header X-Forwarded-For \$remote_addr;

	proxy_pass http://localhost:9000;
	proxy_intercept_errors on;
	}
	}
	EOF

	# Test websocket port
	mise use -g websocat
	echo \| websocat -n ws://${DNS_HOSTNAME}:9000/ && echo "Port 9000 (ws): OK"

	# Reload nginx configuration:
	sudo unlink /etc/nginx/sites-enabled/wss-config-nym
	sudo nginx -t && sudo systemctl reload nginx
	echo \| websocat -n ws://${DNS_HOSTNAME}/ && echo "Port 80 (ws): OK"
	echo \| websocat -n wss://${DNS_HOSTNAME}/ && echo "Port 443 (wss): OK"

	# Change announce_ws_port and announce_wss_port:
	sudo sed -i 's/^\(announce_ws_port[[:space:]]=[[:space:]]\)[0-9]\+/\180/' /root/.nym/nym-nodes/default-nym-node/config/config.toml
	sudo sed -i 's/^\(announce_wss_port[[:space:]]=[[:space:]]\)[0-9]\+/\1443/' /root/.nym/nym-nodes/default-nym-node/config/config.toml
	sudo grep -E 'hostname\|announce_ws_port\|announce_wss_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml
	sudo systemctl restart nym-node

	# Change `mixnet.announce_port` and `verloc.announce_port`:
	sudo awk '
	/^\[mixnet\]/ { section="mixnet" }
	/^\[verloc\]/ { section="verloc" }
	/^announce_port[[:space:]]*=/ {
	if (section=="mixnet") { print "announce_port = 8443 "; next }
	if (section=="verloc") { print "announce_port = 995 "; next }
	}
	{ print }
	' /root/.nym/nym-nodes/default-nym-node/config/config.toml \| sudo tee /root/.nym/nym-nodes/default-nym-node/config/config.toml.save
	sudo grep -E 'announce_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml.save
	sudo chown --reference="/root/.nym/nym-nodes/default-nym-node/config/config.toml" "/root/.nym/nym-nodes/default-nym-node/config/config.toml.save" && \
	sudo chmod --reference="/root/.nym/nym-nodes/default-nym-node/config/config.toml" "/root/.nym/nym-nodes/default-nym-node/config/config.toml.save" && \
	sudo mv "/root/.nym/nym-nodes/default-nym-node/config/config.toml.save" "/root/.nym/nym-nodes/default-nym-node/config/config.toml"

	# Update node's firewall rules to open `mixnet.announce_port` and `verloc.announce_port`
	IPV4="$(curl -4 -s ifconfig.co)"
	IPV6="$(curl -6 -s ifconfig.co)"
	sudo netfilter-persistent reload
	sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 8443 -j REDIRECT --to-ports 1789
	sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 8443 -j REDIRECT --to-ports 1789
	sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 995 -j REDIRECT --to-ports 1790
	sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 995 -j REDIRECT --to-ports 1790
	sudo netfilter-persistent save

	# Update node's firewall rules to close port 9000 and port 9001
	sudo sed -i 's/-m tcp --dport 9000/-m tcp --dport 8888/g' /etc/iptables/rules.v4
	sudo sed -i 's/-m tcp --dport 9000/-m tcp --dport 8888/g' /etc/iptables/rules.v6
	sudo sed -i 's/-m tcp --dport 9001/-m tcp --dport 8443/g' /etc/iptables/rules.v4
	sudo sed -i 's/-m tcp --dport 9001/-m tcp --dport 8443/g' /etc/iptables/rules.v6
	sudo netfilter-persistent reload

	# Create temporary backup port redirections to keep good uptime scores
	sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 9000 -j REDIRECT --to-ports 80
	sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 9000 -j REDIRECT --to-ports 80
	sudo iptables -t nat -A PREROUTING -d "$IPV4" -p tcp --dport 9001 -j REDIRECT --to-ports 443
	sudo ip6tables -t nat -A PREROUTING -d "$IPV6" -p tcp --dport 9001 -j REDIRECT --to-ports 443

	# Check node's firewall rules
	sudo iptables -L ufw-user-input -v -n --line-numbers
	sudo ip6tables -L ufw6-user-input -v -n --line-numbers
	sudo iptables -t nat -L PREROUTING -v -n --line-numbers
	sudo ip6tables -t nat -L PREROUTING -v -n --line-numbers

	# Restart nym-node service
	sudo grep -E 'announce_port' /root/.nym/nym-nodes/default-nym-node/config/config.toml
	sudo systemctl restart nym-node