How to build a self-sovereign website?

Introduction

I recently started a new #website, and decided I wanted to get some simple, out-of-the-box, self-sovereign #bitcoin on it.

It turns out there were quite a few steps involved, but mostly is actually out of the box.

So, I share with you, my first long-form #Nostr article, which aims to summarize the things you could use if you wanted to do the same, without actually building your own software.

This article runs through the following steps: Step 1: get a Bitcoin node Step 2: get website infrastructure Step 3: Configure your Bitcoin node Step 4: Configure your Bitcoin-based website

Before we dive in, a few small disclaimers:

“Do Your Own Research”
I am not responsible for any failures of your ability to follow these steps - take the guide as-is and on face value, and dive in where you need to. Starting points only. I will help where I can, you can always try to DM me!
Suggestion to talk to ChatGPT or Google about Lightning Network and Bitcoin basics (here’s a GPT created by yours truly for that purpose: Bitcoin Beacon GPT).
I am not affiliated with any of the sites, services and tools mentioned here. They are what I used and what worked “out of the box” while not giving up self-sovereignty.

I strongly recommend you consider donating to ALL developers in this guide or paying them for their products offered.

Go build it!

Step 1: get a Bitcoin node

Self-sovereignty requires a bitcoin node. If you depend on another person’s node, there is no final verification of blockchain data possible. Luckily, obtaining one is quite convenient nowadays, since several out-of-the-box boxes exist that you can buy, almost fully set-up.

Hardware

These do come at a cost. It may be more cost effective to find your own #hardware, whether it’s an old laptop, a Asus NUC mini-PC, or a self-built device. I only recommend having a RaspBerry Pi if it is one of the newer types with lots of RAM, otherwise your initial block download will take forever.

Also consider a 2TB disk size (at least) so you are safe for a while to come. Soon, 1TB will not be sufficient to store the bitcoin blockchain data without pruning (remember, we’re self-sovereign, this is the best data storage you invest in).

This article does not intend to be a catch all article with many details about hardware, so please DYOR about the details and if you want out-of-the-box, I recommend start9.com StartOne

Software

This is easier. I wholeheartedly recommend (again) Start9’s StartOS. Here’s a DIY link if you’re doing this on your own hardware and aren’t buying their excellent hardware offer. I did this, and it was quite convenient. The main difficulty I had was that I required a ethernet connection to my box during the install, since WiFi is not set-up until afterwards. This was not obvious because, well, I had a big box and had to carry that downstairs to my router. I also connected a screen, mouse and keyboard to make it all work. Nothing I couldn’t overcome. Again, if you are worried - just buy the box.

Step 2: configure your Bitcoin node

Installing all apps on your node

The package I have consists of:

Bitcoin Core - Not sure why this is here, but I do see about a 4MB download happening every 10’ so I guess it is doing something. Seriously people, DYOR.
LND - it runs Lightning Network on your node, thus allowing you to connect to other lightning network nodes and set-up channels to receive payments onto.
Ride the Lightning - your management tool so you can send and receive payments.
Nostr Wallet Connect by Alby - amazing tool that provided the secret sauce to make payments to your website easy. Extra benefit: you can Zap directly from your own node, with any mobile or web client connected through NWC !
Optional (but not really): BTCPayServer if you want to run any form of commerce on your website - I assume you got here to stack some sats, and this is the tool for making it easy for your customers to pay you.
Optional (but not really): Mempool instance so you can check all your transactions without leaking metadata <– THIS IS WHY YOU RUN A NODE, ANON!

All these things are 1-click installs, 2-click configuration, and possibly a few more to get set-up properly. This is why you go through the pain of making the Start9 setup work (or pay them, and it is literally going to work after unpacking the box…)

Get inbound liquidity

NOTE: Securing Your Node and Website
Ensuring the security of your self-sovereign setup is critical. Start by implementing regular backups of your node, wallet, and website, ideally using encrypted external storage solutions. Monitor your node’s activity to ensure it’s functioning securely, and consider setting up additional authentication measures, such as multi-signature wallets or hardware wallets for larger amounts. Additionally, to safeguard your server from unauthorized access, set up a firewall, limit SSH access to specific IPs, and enable 2FA on all related services. Tools like Fail2ban can help protect against brute-force attacks, and keeping all software up to date is essential for preventing vulnerabilities. Always store your private keys and recovery phrases securely and offline.

NOTE: Securing Your Node and Website

Ensuring the security of your self-sovereign setup is critical. Start by implementing regular backups of your node, wallet, and website, ideally using encrypted external storage solutions. Monitor your node’s activity to ensure it’s functioning securely, and consider setting up additional authentication measures, such as multi-signature wallets or hardware wallets for larger amounts. Additionally, to safeguard your server from unauthorized access, set up a firewall, limit SSH access to specific IPs, and enable 2FA on all related services. Tools like Fail2ban can help protect against brute-force attacks, and keeping all software up to date is essential for preventing vulnerabilities. Always store your private keys and recovery phrases securely and offline.

Deposit bitcoin to your own wallet (use RTL to generate an address). I recommend in the order of 1M sats for any UTXO depending on your willingness to take risks - this is a hot wallet even though security is very good by default.

First, go to Mempool and check out a few Lightning nodes with high connectivity (= high channel count, high capacity) to connect to. Open a few channels to them with (some) capacity from your 1M sats. Public channels. FYI: you are now ready to start zapping on a mobile client for #Nostr, e.g. #Amethyst on Android or #Damus on iOS - or #Primal on either - or if you’re on the web, #YakiHonne and #Nostrudel are my go-to clients.

Second, go to Amboss Magma, connect with your node (or use Alby’s excellent Firefox Extension that you can easily hook up to your node and connect through “WebLN”). You need to sign a message, it can be done in RTL.

Third, set-up at least 1 paid inbound channel pending your liquidity needs after the website gets up and running and you are actually selling anything.

Step 3: get website infrastructure

I will admit we can not be truly independent if we want to be out of the box. Especially webhosting is something not recommended from a home server, for multiple reasons (security being one), even if StartOS could probably do it on your node.

Domain name

There are many sources here, you should pick something. I used GoDaddy but there are no rules, just costs, convenience, … the usual trade-offs. GoDaddy has a convenient URL searcher and comes with recommendations and clear pricing, with nice discounts for the first year (your project may be doomed to crash prior to that…

Hosting

I did find the hosting options at GoDaddy quite expensive. So I just registered with AWS for an EC2 instance. In the Amazon Free Tier you basically get a free linux box with a public facing domain during a year. Another nicety about AWS is that you can very easily upgrade your hosting needs with them, compute, memory, disk, … and services.

Host configuration

This costs significant time per this method, and is not for the faint of heart. One-click installs would include having this all done by a hosting provider.

WordPress installation

WordPress is an all-in-one website building tool that requires an extremely low acumen of CSS, HTML or databases. It all gets pre-configured and pre-setup while having a host of tools and systems available to support pretty much any feature a modern website would want. Disclaimer; there is definately NOT enough #Nostr content yet.

Here, I do go into some bits and pieces regarding the bitcoin side of things on WordPress. However I don’t know what you want on your website, so I recommend you dive into the details on what’s possible on WordPress regarding generall web functionality yourself as I consider it out of scope for this article.

One step in being self-sovereign is hosting your own WordPress - even if on a third party host - so that you fully control it and are sure nobody else can access the MySQL databases, configurations, …

Luckily, this is very easy on an AWS instance. Wordpress can be simply installed as a package, and configuration is literally going to /wp-admin and setting things up. At that point it becomes click-click, write content, launch.

You can opt for a Docker-based installation as well, so WordPress has all dependencies satisfied. However, this comes at the risk of misconfiguration of the persistant volumes, and thus wiping your entire install at a Docker crash - not recommended.

Make sure you set the owner / group (chown) for the wordpress installation folder structure to nginx:nginx (see next subsection) and the file properties (chmod) to 644.

Web server

I had a lot of fights with Nginx since I needed a reverse proxy functionality for a docker application the server was also running, plus having the system Nginx serving up the wordpress site.

Anyway. If you don’t need any of that - most likely you don’t - just run nginx and set-up the config file to a port 443 (SSL / HTTPS) connection and ensure you redirect regular HTTP traffic on port 80 to the HTTPS. Use Let’sEncrypt with certbot on the Amazon instance to get certifications for your domain. After setting it up, check that automatic renewals for the certificates are also set-up: sudo certbot renew --dry-run

If not, add a cron item on your AWS instance (sudo crontab -e) and add the following line to restart nginx after every renewal: 0 */12 * * * certbot renew --quiet && systemctl reload nginx

Ensure you forward the ports 80 and 443 on your DNS records for the domain to the public-facing IP from the AWS instance.

Pro Tip: You can review rate limiting from Amazon, but it comes at a cost. Alternative, just configure your nginx to do rate limiting for you, here is a reference code snippet to set it up for the relevant server blocks in your nginx configuration:

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

server {
    location / {
        limit_req zone=one burst=5;
        ...
    }
}

Forwarding the BTCPayServer .onion address through to clearnet through your AWS instance

Disclaimer
This section assumes a moderate understanding of Tor, Nginx, and reverse proxies. For more in-depth tutorials on these topics, we recommend reviewing external resources such as the Tor Project Documentation and the Nginx Reverse Proxy Guide. As setting up reverse proxies and Tor for a Bitcoin node can be complex, these instructions are not exhaustive, and configurations may differ based on your hosting environment. Please ensure to consult these resources for further detail and troubleshooting .

Disclaimer

This section assumes a moderate understanding of Tor, Nginx, and reverse proxies. For more in-depth tutorials on these topics, we recommend reviewing external resources such as the Tor Project Documentation and the Nginx Reverse Proxy Guide. As setting up reverse proxies and Tor for a Bitcoin node can be complex, these instructions are not exhaustive, and configurations may differ based on your hosting environment. Please ensure to consult these resources for further detail and troubleshooting .

Annoyingly, but also purposefully, the average bitcoin node does not expose anything to public clearnet besides on local LAN. Instead, it exposes public interfaces on Tor which you need the exact address for to access (=high entropy).

However, for your BTCPayServer instance to connect to your website, you need to be able to connect to it from that website. This is where a so-called reverse proxy once again needs to save us. To make matters worse, you don’t have Tor by default on AWS machines (on my EC2 instance it ran Amazon Linux 2023) so we need to build from source. I suggest you ask instructions to ChatGPT; Pro-Tip: Copy-paste parts of these notes and let him explain exactly what you need to do!

You could set a subdomain e.g. btcpay.yoursite.com to be accessible for your .onion redirect on the AWS instance. Here is an example configuration snippet:

server {
    listen 443 ssl;
    server_name btcpay.yoursite.com;

    location / {
        proxy_pass http://127.0.0.1:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;
}

Step 4: configure your Bitcoin-based website

Finally, we come to the cool part. What can we do with all these things?

So, on WordPress, I recommend the following plugins:

Alby’s LN Publisher - it seems they need to test it on the latest WordPress version - but this tool worked for me. It connects to your NWC instance on the node and implements easy paywalls.
BTCPay For Woocommerce V2 - to connect to your store and creating that flawless interface for your customers.
WooCommerce

Getting BTCPay for WooCommerce set-up is detailed in this guide.

Importance of Backups

Backups are a critical part of any self-sovereign setup, especially when handling sensitive data such as your Bitcoin node and website. Without proper backups, any unexpected hardware failure, software corruption, or cyberattack could result in permanent loss of data, including your wallet, transactions, and important website configurations.

For your Bitcoin node, regular backups of wallet.dat and Lightning Network channel states are essential to prevent loss of funds or access to your Bitcoin. In the case of your website, especially a self-hosted WordPress site, backups of both the database and the files (such as plugins, themes, and media uploads) will safeguard your content and configurations.

Though creating an automated backup strategy is beyond the scope of this guide, it is highly recommended that you:

Set up regular, automated backups for both your Bitcoin node and website.
Encrypt your backups to ensure that sensitive information remains secure.
Store backups offsite or on external media to mitigate risks from local hardware failures.

Investing time in a robust backup solution will protect your self-sovereignty, ensuring that even in the event of failure, your node, funds, and website can be restored.

That’s all for now, folks. There surely will be issues you run into. Let me know through a DM, or ask away below - me or like-minded individuals (probably a few on #nostr more expert than me) can help out!