Relay Wizard is a CLI tool that helps you bootstrap a Nostr relay.
The program will automate the following steps:
- Install necessary dependencies
- Set up a firewall
- Configure nginx
- Obtain a TLS certificate for HTTPS
- Install the relay software
- Set up a systemd service for your relay
To install a relay, spin up a new Debian server, hook up a domain name, and run the following command:
curl -sL https://relaywizard.com/install.sh | bashIf you prefer to manually verify the authenticity of the Relay Wizard binary before running it, then you can follow along with the verification process described here. This will minimize the possibility of the binary being compromised. To perform the verification you'll need to have gnupg and curl installed which are most likely already installed on your system, but if not here's how to install them on some operating systems:
sudo pacman -S gnupgsudo apt install -y gnupgsudo pacman -S curlsudo apt install -y curlNow you need to import the public key that signed the manifest file which you can do by running the following command:
curl https://keybase.io/nodetec/pgp_keys.asc | gpg --importYou're now ready to verify the manifest file. You will need to have the rwz-x.x.x-manifest.sha512sum and the rwz-x.x.x-manifest.sha512sum.asc files in the same directory as the Relay Wizard binary you downloaded where the x.x.x is replaced by whatever version of rwz you're verifying.
To verify the manifest file run the following command:
gpg --verify rwz-x.x.x-manifest.sha512sum.ascHere's the command to run for the latest version of rwz:
gpg --verify rwz-0.2.0-manifest.sha512sum.ascYou should see output similar to the following if the verification was successful:
gpg: assuming signed data in 'rwz-0.2.0-manifest.sha512sum'
gpg: Signature made Mon Sep 16 21:07:19 2024 EDT
gpg: using RSA key 252F57B9DCD920EBF14E6151A8841CC4D10CC288
gpg: Good signature from "NODE-TEC Devs <[email protected]>" [unknown]
gpg: aka "[jpeg image of size 5143]" [unknown]
Primary key fingerprint: 04BD 8C20 598F A5FD DE19 BECD 8F24 69F7 1314 FAD7
Subkey fingerprint: 252F 57B9 DCD9 20EB F14E 6151 A884 1CC4 D10C C288Unless you tell GnuPG to trust the key, you'll see a warning similar to the following:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.This warning means that the key is not certified by another third party authority. If the downloaded file was a fake, then the signature verification process would fail and you would be warned that the fingerprints don't match.
When you get a warning like this it's also good practice to check the key against other sources, e.g., the NODE-TEC Keybase or the NODE-TEC GitHub.
You have now verified the signature of the manifest file which ensures the integrity and authenticity of the file but not of the binary.
To verify the binary you'll need to recompute the SHA512 hash of the file, compare it with the corresponding hash in the manifest file, and ensure they match exactly which you can do by running the following command:
sha512sum --check rwz-x.x.x-manifest.sha512sumHere's the command to run for the latest version of rwz:
sha512sum --check rwz-0.2.0-manifest.sha512sumIf the verification was successful you should see the output similar to the following:
rwz-0.2.0-x86_64-linux-gnu.tar.gz: OKBy completing the above steps you will have successfully verified the integrity of the binary.
If you want to learn more about how to setup a relay from scratch, check out Relay Runner.
If you just want to know enough to get started, read the following sections to get a server, hook up a domain name and setup remote access:
from here you should be able to run the installation command above and get started.
If you want to contribute consider adding a new package manager and testing the script out on another Linux Distro. You can also look into adding support for more relay implementations.
