FIPS - Workshop
Release page:
https://github.com/jmcorgan/fips/releases/tag/v0.3.0
Linux (deb)
1) Download latest release
wget https://github.com/jmcorgan/fips/releases/download/v0.3.0/fips_0.3.0_arm64.deb
2) Install
sudo apt install ./fips_0.3.0_arm64.deb
3) Configure
sudo vi /etc/fips/fips.yaml
# FIPS Node Configuration
node:
  identity:
    # By default, a new ephemeral keypair is generated on each start.
    # Uncomment persistent to keep the same identity across restarts;
    # on first start a keypair is saved to fips.key/fips.pub next to
    # this config file (mode 0600/0644).
    # persistent: true
    #
    # Or set an explicit key (overrides persistent):
    # nsec: "nsec1..."
  discovery:
    # Optional Nostr-mediated overlay endpoint discovery.
    nostr:
      enabled: true
      policy: open # disabled | configured_only | open
      open_discovery_max_pending: 64 # caps queued open-discovery retries
      app: "fips-overlay-v1"
      advertise: true
      advert_relays:
        - "wss://relay.damus.io"
        - "wss://nos.lol"
        - "wss://offchain.pub"
      dm_relays:
        - "wss://relay.damus.io"
        - "wss://nos.lol"
        - "wss://offchain.pub"
      # # Optional override. If omitted, FIPS uses the built-in STUN list.
      # # Built-in relay/STUN defaults are best-effort and should be
      # # overridden by operators for production use.
      # stun_servers:
      #   - "stun:stun.l.google.com:19302"
      #   - "stun:stun.cloudflare.com:3478"
      #   - "stun:global.stun.twilio.com:3478"
tun:
  enabled: true
  name: fips0
  mtu: 1280
dns:
  enabled: true
  # bind_addr defaults to "::1" (IPv6 loopback). The shipped
  # fips-dns-setup script configures systemd-resolved with a global
  # /etc/systemd/resolved.conf.d/fips.conf drop-in pointing at
  # [::1]:5354.
  #
  # Set "::" to expose the responder to mesh peers as well (e.g. for
  # gateway hosts that resolve .fips on behalf of LAN clients). The
  # mesh-interface filter in src/upper/dns.rs will still defend
  # /etc/fips/hosts aliases from cross-mesh enumeration.
  # bind_addr: "::1"
  port: 5354
transports:
  udp:
    bind_addr: "0.0.0.0:2121"
    # advertise_on_nostr: true
    # public: false # false => advertise udp:nat; true => advertise bound host:port
    # accept_connections: true # default; refuse inbound msg1 when false
    # outbound_only: false # true => bind ephemeral, no listener on a
    #                      # known port. Forces advertise_on_nostr=false
    #                      # and accept_connections=false. Pure-client
    #                      # posture; bind_addr is ignored.
  tcp:
    # Accepts inbound connections. No static outbound peers.
    bind_addr: "0.0.0.0:8443"
    # advertise_on_nostr: true
  # Ethernet transport — uncomment and set your interface name.
  ethernet:
    interface: "eth0"
    discovery: true
    announce: true
    auto_connect: true
    accept_connections: true
  # Bluetooth Low Energy transport — requires BlueZ and the 'ble' feature.
  # ble:
  #   adapter: "hci0"
  #   mtu: 2048
  #   advertise: true
  #   scan: true
  #   auto_connect: true
  #   accept_connections: true
# Outbound LAN gateway. Allows non-FIPS hosts on the LAN to reach
# mesh destinations via DNS-allocated virtual IPs and kernel NAT.
# Requires: IPv6 forwarding enabled, fips daemon running with DNS.
# gateway:
#   enabled: true
#   pool: "fd01::/112"
#   lan_interface: "eth0"
#   dns:
#     listen: "[::1]:5353"
#     # upstream must match the daemon's dns.bind_addr above. The
#     # default "[::1]:5354" matches the daemon's default. If you set
#     # the daemon to bind on a wildcard ("::") or specific address,
#     # update upstream to match — explicit ::1 sockets do not accept
#     # v4 traffic.
#     upstream: "[::1]:5354"
#     ttl: 60
#   pool_grace_period: 60
#   conntrack:
#     tcp_established: 432000
#     udp_timeout: 30
#     udp_assured: 180
#     icmp_timeout: 30
peers: []
# Static peers for bootstrapping (UDP or TCP):
#   - npub: "npub1qmc3cvfz0yu2hx96nq3gp55zdan2qclealn7xshgr448d3nh6lks7zel98"
#     alias: "gateway"
#     via_nostr: true
#     addresses:
#       - transport: udp
#         addr: "test-us01.fips.network:2121" # IP or hostname (e.g., "peer.example.com:2121")
#       - transport: udp
#         addr: "nat" # Use node.discovery.nostr for Nostr/STUN hole punching
#     connect_policy: auto_connect
4) Start the service
sudo systemctl start fips
(or, if it is already running: sudo systemctl restart fips)
5) Monitor
Logs
sudo journalctl -u fips -n 100 --no-pager
TUI (fipstop)
sudo fipstop
Opens a TUI to monitor your FIPS node activity.
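The comments in the config above carry the security-relevant knobs of a node: whether the identity is pinned (persistent key files, mode 0600/0644) or ephemeral, whether the Nostr discovery policy is open or configured_only, whether the DNS responder is bound to loopback or exposed to mesh peers, and whether the UDP transport advertises its bound host:port. Before starting the service it is worth checking those settings mechanically. The script below is an added example for this workshop, not part of FIPS; it uses a small indentation-based flattener for the YAML subset seen in fips.yaml instead of a YAML library so it runs with no dependencies, and the dotted paths it checks (node.identity.persistent, node.discovery.nostr.policy, dns.bind_addr, transports.udp.public, peers) are assumed from the layout above. The two sample configs and the npub value are constructed.

```python
"""Config hygiene check for a fips.yaml (added workshop example, not FIPS code).

The dotted paths checked here are assumed from the workshop config layout.
"""
from typing import Dict, List


def flatten_yaml(text: str) -> Dict[str, str]:
    """Return {dotted.path: scalar} for mapping keys of the YAML subset used in
    fips.yaml (nested mappings, simple lists). List entries are skipped.
    Deliberately minimal; not a general YAML parser."""
    result: Dict[str, str] = {}
    stack: List[tuple] = []          # (indent, key) of the enclosing mappings
    list_indent = None               # indent of the list we are currently inside
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue                             # comment-only line
        line = raw.split(" #", 1)[0].rstrip()    # drop a trailing inline comment
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if list_indent is not None and indent > list_indent:
            continue                             # content nested inside a list item
        list_indent = None
        if body.startswith("- "):
            list_indent = indent                 # a list under the current key
            continue
        while stack and stack[-1][0] >= indent:
            stack.pop()                          # left one or more mappings
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip().strip('"').strip("'")
        path = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))          # mapping with children
        else:
            result[path] = value
    return result


def lint_fips_config(text: str) -> List[str]:
    """Findings derived from the comments in the workshop fips.yaml."""
    cfg = flatten_yaml(text)
    findings: List[str] = []
    persistent = cfg.get("node.identity.persistent") == "true"
    has_nsec = "node.identity.nsec" in cfg
    if not persistent and not has_nsec:
        findings.append("identity is ephemeral: a new keypair (new npub) is generated "
                        "on every start, so peers cannot pin this node")
    if has_nsec:
        findings.append("nsec is stored inline in fips.yaml; prefer persistent: true "
                        "so the key lives in fips.key (mode 0600)")
    policy = cfg.get("node.discovery.nostr.policy")
    if policy == "open":
        findings.append("nostr discovery policy is open: peers found via the relays "
                        "are used, not only configured ones; use configured_only "
                        "with static peers for a controlled mesh")
    if policy == "configured_only" and cfg.get("peers") == "[]":
        findings.append("policy is configured_only but peers is empty: nothing to connect to")
    if cfg.get("dns.bind_addr", "::1") == "::":
        findings.append("dns.bind_addr :: exposes the .fips responder to mesh peers, "
                        "not just loopback")
    if cfg.get("transports.udp.public") == "true":
        findings.append("transports.udp.public true advertises the bound host:port "
                        "on the relays instead of udp:nat")
    return findings


# Constructed sample: the workshop default (persistent commented out, open policy).
WORKSHOP_DEFAULT = """\
node:
  identity:
    # persistent: true
  discovery:
    nostr:
      enabled: true
      policy: open # disabled | configured_only | open
dns:
  port: 5354
transports:
  udp:
    bind_addr: "0.0.0.0:2121"
peers: []
"""

# Constructed sample: pinned identity, configured_only policy, one static peer.
HARDENED = """\
node:
  identity:
    persistent: true
  discovery:
    nostr:
      enabled: true
      policy: configured_only
dns:
  bind_addr: "::1"
  port: 5354
transports:
  udp:
    bind_addr: "0.0.0.0:2121"
    public: false
peers:
  - npub: "npub1PLACEHOLDER"
    alias: "bootstrap"
    connect_policy: auto_connect
    addresses:
      - transport: udp
        addr: "peer.example.com:2121"
"""

if __name__ == "__main__":
    for name, cfg in (("workshop default", WORKSHOP_DEFAULT), ("hardened", HARDENED)):
        found = lint_fips_config(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against your own file with `lint_fips_config(open("/etc/fips/fips.yaml").read())`; the workshop default yields the two expected findings (ephemeral identity, open policy), which is fine for a workshop but is what you would tighten before leaving a node running unattended.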
macOS (from source)
1) Clone
git clone https://github.com/jmcorgan/fips.git
cd fips
2) Build
make -C packaging pkg
sudo installer -pkg deploy/fips-*-macos-*.pkg -target /
3) Configure
sudo nano /usr/local/etc/fips/fips.yaml
Set to:
node:
  identity:
    persistent: true
  discovery:
    nostr:
      enabled: true
      policy: open
      open_discovery_max_pending: 64
      app: fips-overlay-v1
      advertise: true
      advert_relays:
        - wss://relay.damus.io
        - wss://nos.lol
        - wss://offchain.pub
      dm_relays:
        - wss://relay.damus.io
        - wss://nos.lol
        - wss://offchain.pub
tun:
  enabled: true
  name: fips0
  mtu: 1280
dns:
  enabled: true
  port: 5354
transports:
  udp:
    bind_addr: 0.0.0.0:2121
    public: false
  tcp:
    bind_addr: 0.0.0.0:8443
  ethernet:
    interface: en0
    discovery: true
    announce: true
    auto_connect: true
    accept_connections: true
peers: []
4) (Re)start
sudo launchctl kickstart -k system/com.fips.daemon
5) HOTFIX - DNS config
The latest release does not correctly configure the DNS resolver for IPv6; this is fixed in the next release. For now:
sudo tee /etc/resolver/fips > /dev/null <<'EOF'
nameserver ::1
port 5354
EOF
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
Verify:
scutil --dns | grep -A4 'domain.*fips'
ping6 -c 2 npub<your-npub>.fips
6) Monitor
Logs
sudo tail -f /usr/local/var/log/fips/fips.log
TUI (fipstop)
sudo fipstop
Opens a TUI to monitor your FIPS node activity.
Troubleshooting
Not finding peers
Set node.discovery.nostr.policy to configured_only and
try adding our bootstrap nodes as static peers:
peers:
  - npub: "npub1260n42s06vzc7796w0fh3ny7zcpw6tlk4gq3940gmfrzl5c9pv2s3657q8"
    alias: "test-de01"
    connect_policy: auto_connect
    addresses:
      - transport: udp
        addr: "217.160.76.169:2121"
  - npub: "npub17lpmzulpc98d8ff727k6e98atxn3phzupzsqqwe54ytduym747ws4tw5zm"
    alias: "test-es01"
    connect_policy: auto_connect
    addresses:
      - transport: udp
        addr: "82.223.139.182:2121"
  - npub: "npub1u0z26dc4qeneu5rvwvmpfhtwh3522ed6rlgxr9jarrfnjrc6ew4qxjysrs"
    alias: "test-uk01"
    connect_policy: auto_connect
    addresses:
      - transport: udp
        addr: "88.208.241.33:2121"
  - npub: "npub1qmc3cvfz0yu2hx96nq3gp55zdan2qclealn7xshgr448d3nh6lks7zel98"
    alias: "test-us01"
    connect_policy: auto_connect
    addresses:
      - transport: tcp
        addr: "217.77.8.91:443"
      - transport: udp
        addr: "217.77.8.91:2121"
  - npub: "npub10yffd020a4ag8zcy75f9pruq3rnghvvhd5hphl9s62zgp35s560qrksp9u"
    alias: "test-us02"
    connect_policy: auto_connect
    addresses:
      - transport: tcp
        addr: "23.182.128.74:443"
      - transport: udp
        addr: "23.182.128.74:2121"
  - npub: "npub136yqae6na688fs75g95ppps3lxe07fvxefj77938zf47uhm6074sxw8ctm"
    alias: "test-us03"
    connect_policy: auto_connect
    addresses:
      - transport: udp
        addr: "54.183.70.180:2121"
      - transport: tcp
        addr: "54.183.70.180:443"
      # Uncomment only if you have a Tor SOCKS5 transport configured locally
      # - transport: tor
      #   addr: "7c5mtyo5mk477t7l4mg56xs4wcnt4zrsqtjampijy532ggxgdg42gcyd.onion:443"
  - npub: "npub1gd7ye2qp2lphhzx75fynnjzaxx4dqanddecet0wtt5ss5ek8h9ps62wdkf"
    alias: "test-us04"
    connect_policy: auto_connect
    addresses:
      - transport: udp
        addr: "74.208.245.160:2121"
Ping not working
On macOS the ping command is IPv4 only; use ping6 instead:
ping6 npub1q4th2mnqdu34x0zz7f889fgjxx55h6lzpr4nulglp9y0txhwk0ssexaf2q.fips