Quick start — spin up a node on baremetal

This is the fastest path to a live testnet node (chain-id 473374) on a baremetal or cloud host. It runs the clients as containers via the repo's from-source/deploy/ artifacts, driven by bootstrap.sh.

Full per-role detail, hardware specs, and the firewall live in the node-operator guides. This page is the 10-minute happy path.

Prerequisites (short)

• A Linux host with Docker Engine + Compose v2, an NVMe volume mounted at your data dir, NTP enabled, and a public/static IP. Full list: Prerequisites.
• The published testnet bundle (eth-genesis.json + spec.toml + kzg-trusted-setup.json) — a URL or a local dir from the genesis ceremony.

1. Get the artifacts

git clone https://github.com/foreseerco/block-l1-evm-mainnet krypton
cd krypton/l1/from-source/deploy
cp .env.example .env

2. Configure .env

Set at least MONIKER, EXT_IP (your public IP), the peers (EL_BOOTNODES, CL_SEEDS), and the role. The file ships with per-role presets — uncomment the block for your role:

# rpc / full node (the default): serves eth_getProof, RPC behind a VPN
KRYPTON_ROLE=rpc
PAYLOAD_BUILDER=false
RPC_HOST=10.8.0.5            # a VPN/WireGuard address, never a public IP

# validator (uncomment instead): signs blocks
# KRYPTON_ROLE=validator
# PAYLOAD_BUILDER=true
# CL_PERSISTENT_PEERS=node1@ip:26656,node2@ip:26656

Images default to the testnet tags (ghcr.io/foreseerco/krypton-beacond:v1.3.9-473374, krypton-bera-reth:v1.3.3) — pin by @sha256 digest for production.

3. Bring it up

# Install the bundle, generate the Engine JWT, sanity-check keys, and `docker compose up -d`:
# A remote bundle MUST be https and is verified against BUNDLE_SHA256 before extraction.
BUNDLE_URL=https://…/krypton-testnet-bundle.tar.gz BUNDLE_SHA256=<sha256> ./bootstrap.sh
#   …or from a local genesis dir:  BUNDLE_DIR=/path/to/genesis/out ./bootstrap.sh

bootstrap.sh is idempotent. It (1) makes the data/network dirs, (2) installs the bundle (asserting chainId == 473374), (3) generates the JWT if absent, (4) checks the validator key, (5) reminds you about the firewall, and (6) docker compose up -d.

4. Run it as a service (recommended)

sudo mkdir -p /opt/krypton/deploy
sudo cp docker-compose.yml .env nftables.conf /opt/krypton/deploy/
sudo cp krypton-node.service /etc/systemd/system/
sudo systemctl daemon-reload && sudo systemctl enable --now krypton-node

Apply the firewall (nftables.conf): only 30303/tcp+udp + 26656/tcp open to the world; SSH to your admin CIDR; RPC/engine stay private. See Ports & firewall.

5. Verify it's live

cast chain-id      --rpc-url http://127.0.0.1:8545         # 473374
cast block-number  --rpc-url http://127.0.0.1:8545         # climbing
curl -s http://127.0.0.1:26657/status | jq '.result.sync_info'   # catching_up → false

Next steps

• Validator? Do not run a raw key in production — set up threshold signing (Horcrux) and secrets (Vault/KMS), and read the Validator guide (the double-sign hazard is real).
• Public RPC / explorer? See RPC node and the explorer.
• Observability: wire up Prometheus + Grafana.
• Kubernetes instead of Compose? See the Helm chart.

Prefer no Docker? There's a native baremetal systemd install that runs beacond + bera-reth as hardened systemd services with no container runtime — same flags, ports, and bundle.