The Watchtower
Seed nodes, configuration, systemd and monitoring
The trail climbs through a forest of ancient oaks. As you ascend, the trees grow sparser and the wind stronger. At the summit of the hill stands a tower of grey stone, massive and solitary. No flag, no sign. Just a lantern burning at its top, visible for leagues around.
A man with white hair greets you at the door. His eyes are tired but sharp - the eyes of someone who never truly sleeps.
"I am the Watcher. My tower watches over the network day and night. When a traveler publishes their chronicles, it is I who keep them accessible for those who seek them. Without the watchtowers, the free chronicles would be like messages in bottles - cast into the ocean, hoping someone finds them."
He leads you inside, where dozens of luminous crystals float in a circle, each pulsing gently.
"Each crystal is a project I watch over. Today, you will learn to build your own tower."
Architecture of a seed node
In the Radicle network, not all participants are equal in terms of availability. When you turn off your laptop, your projects are no longer accessible to others. That is where seed nodes come in.
The role of a seed in the P2P network
A seed node is a computer that stays permanently connected to the Radicle network. Its role:
- Availability: it keeps a copy of the projects it follows, even when the authors are offline
- Discovery: it helps new peers find projects and other peers
- Relay: it transmits updates between peers that are not directly connected
# Without seed node:
Alice (online) <--> Bob (online) OK!
Alice (offline) <--> Bob (online) Bob can't access Alice's project
# With seed node:
Alice (offline)
|
v (Alice published before going offline)
Seed Node (always online) <--> Bob (online) Bob accesses the project!Peer vs Seed - what's the difference?
| Characteristic | Peer (regular node) | Seed (seed node) |
|---|---|---|
| Connectivity | Intermittent (laptop, desktop) | Permanent (24/7 server) |
| IP address | Often dynamic, behind NAT | Fixed, publicly accessible |
| Role | Works on its projects | Replicates and serves others' projects |
| Resources | Uses what it has | Dedicated, sufficient storage and bandwidth |
A seed node is optional but strongly recommended for any serious project. It's like a lighthouse for sailors - the network works without one, but it's much more reliable with.
Prerequisites for a seed node
To set up a seed node, you need a machine that is permanently connected. Here are the options:
The server
- VPS (Virtual Private Server): the most common solution. Providers like Hetzner, OVH, Scaleway or DigitalOcean offer VPS starting at 3-5 euros per month
- Raspberry Pi: a small computer at home, connected to your router. Economical but requires a static IP or dynamic DNS
- Dedicated server: for ambitious projects with lots of traffic
Minimum configuration
- OS: Linux (Debian, Ubuntu, Fedora) - recommended
- RAM: 512 MB minimum, 1 GB recommended
- Disk: 10 GB minimum (depends on number of tracked projects)
- Network: public IP, port 8776 accessible
Tip: For this exercise, you don't need a real server. We will do everything locally on your machine to understand the mechanics.
Install radicle-node
The Radicle node is included in the rad installation you did in the previous quest. The component that runs the node is called radicle-node.
# If rad is already installed, the node is available
rad node --help
# Otherwise, install Radicle (see Quest 21)
curl -sSf https://radicle.xyz/install | shVerify components
# Verify all components are present
rad --version
rad node --version
# The binaries are located in:
ls ~/.radicle/bin/
# radicle-node rad ...
Node configuration
Your Radicle node's configuration file is located in ~/.radicle/config.json. This is where you define the behavior of your watchtower.
The configuration file
# Display current configuration
rad config
# The file is located here:
cat ~/.radicle/config.jsonHere are the important parameters:
{
"node": {
"alias": "my-watchtower",
"listen": ["0.0.0.0:8776"],
"peers": {
"type": "dynamic"
},
"connect": [],
"externalAddresses": ["my-server.example.com:8776"],
"policy": "allow",
"scope": "all"
}
}Parameter details
| Parameter | Description |
|---|---|
alias | A readable name for your node (visible to peers) |
listen | Listen address and port. 0.0.0.0:8776 listens on all interfaces |
externalAddresses | The public address of your node (IP or domain) |
policy | allow (accept connections) or block (deny by default) |
scope | all (replicate everything) or followed (only tracked projects) |
Policies: track and block
Policies control which projects your node agrees to replicate:
# Track a specific project (replicate it on your node)
rad track rad:z2e7RaGkMUjH3dMhiKd5dm2E3pCXA
# Stop tracking a project
rad untrack rad:z2e7RaGkMUjH3dMhiKd5dm2E3pCXANote: There is no rad block command. Blocking projects is configured via the policy in the ~/.radicle/config.json file. Use "policy": "block" to deny by default, then explicitly allow the projects you want to follow with rad track.
Advice: For a personal seed node, use scope: "followed" and only follow projects that interest you. A public seed can use scope: "all", but watch your disk space.
Open the firewall
For other peers to connect to your node, port 8776 (TCP) must be accessible from outside.
With UFW (Ubuntu / Debian)
# Open port 8776
sudo ufw allow 8776/tcp
# Check the rules
sudo ufw statusWith firewalld (Fedora / RHEL)
# Open port 8776
sudo firewall-cmd --add-port=8776/tcp --permanent
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --list-portsWith iptables (advanced)
# Open port 8776
sudo iptables -A INPUT -p tcp --dport 8776 -j ACCEPTPort 8776 is the default port for the Radicle protocol. It's the equivalent of port 22 for SSH or port 443 for HTTPS. If your node is behind a router (Raspberry Pi at home), also remember to configure port forwarding on your router.
Start and monitor the node
Start the node
# Start the Radicle node
rad node start
# The node starts and connects to the network
# You will see connection messages to peersCheck the status
# Node status
rad node status
# Displays:
# Node is running
# Listening on 0.0.0.0:8776
# Connected peers: 3
# Tracked repos: 5Stop the node
# Stop gracefully
rad node stopTrack projects
A seed node is only useful if it replicates projects. Here's how to manage tracked projects:
# Track a project by its identifier
rad track rad:z2e7RaGkMUjH3dMhiKd5dm2E3pCXA
# List tracked / known projects
rad inspect
# Stop tracking a project
rad untrack rad:z2e7RaGkMUjH3dMhiKd5dm2E3pCXAWhen you track a project, your node:
- Downloads all project data (code, patches, issues)
- Automatically synchronizes when updates arrive
- Serves this data to other peers who request it
Monitoring and diagnostics
Node logs
# View logs in real time
rad node logs
# Filter logs by level
rad node logs --level info
rad node logs --level debugTip: Logs are also available directly in the file ~/.radicle/node.log. You can view them with tail -f ~/.radicle/node.log without going through rad.
Common diagnostics
# Check connectivity
rad node status
# View connected peers
rad node peers
# Test connection to a specific peer
rad node connect <node-id>@<address>:8776Common problems
| Symptom | Probable cause | Solution |
|---|---|---|
| 0 connected peers | Firewall blocked or port closed | Check UFW/firewalld, port forwarding |
| Node won't start | No identity created | Run rad auth first |
| Slow synchronization | Few peers on the network | Add known seeds in connect |
| Disk space full | Too many tracked projects | Use rad untrack on unnecessary projects |
systemd service - a persistent seed
For a seed node to run permanently (even after a server reboot), you need to configure it as a systemd service.
Create the service file
# Create the systemd service file
sudo nano /etc/systemd/system/radicle-node.serviceFile contents:
[Unit]
Description=Radicle Node
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=radicle
ExecStart=/home/radicle/.radicle/bin/radicle-node
Restart=on-failure
RestartSec=5
Environment=RADICLE_HOME=/home/radicle/.radicle
[Install]
WantedBy=multi-user.targetEnable and start the service
# Reload systemd configuration
sudo systemctl daemon-reload
# Enable the service at boot
sudo systemctl enable radicle-node
# Start the service
sudo systemctl start radicle-node
# Check the status
sudo systemctl status radicle-nodeManage the service
# View service logs
sudo journalctl -u radicle-node -f
# Restart the service
sudo systemctl restart radicle-node
# Stop the service
sudo systemctl stop radicle-nodeBest practice: Create a dedicated radicle user for the service, rather than running it under root. This is a basic security principle: each service has its own user with minimal permissions.
# Create a dedicated user
sudo useradd -m -s /bin/bash radicle
# Log in as radicle to initialize
sudo -u radicle bash
curl -sSf https://radicle.xyz/install | sh
rad auth
exitHands-on exercise - Launch a local node
In this exercise, you will configure and launch a Radicle node on your own machine. No VPS needed - we simulate seed behavior locally.
Step 1 - Check prerequisites
# Verify rad is installed and you have an identity
rad --version
rad self
# If you don't have an identity, create one
rad authStep 2 - Examine the configuration
# Display your current configuration
rad config
# Note the parameters: listen, policy, scopeStep 3 - Start the node
# Launch the node
rad node start
# Verify it's running
rad node statusStep 4 - Track a project
# If you created a project in Quest 21, note its RID
# Otherwise, create one quickly:
mkdir test-seed && cd test-seed
git init -b main
echo "test" > file.txt
git add file.txt
git commit -m "test"
rad init
# Note the displayed RID
# In another terminal, track this project
rad track rad:<your-project-rid>Step 5 - Observe the logs
# Watch what the node is doing
rad node logs
# You should see connection and replication messagesStep 6 - Stop gracefully
# Stop the node
rad node stop
# Verify it's stopped
rad node statusGoing further: If you have access to a VPS, you can reproduce this exercise on a real server and create the systemd service. Your seed will then be accessible 24/7 by all peers on the Radicle network.
Command summary
| Command | Description |
|---|---|
rad node start | Start the Radicle node |
rad node stop | Stop the node |
rad node status | Display node state (peers, projects) |
rad node logs | View node logs in real time |
rad node peers | List connected peers |
rad node connect | Manually connect to a peer |
rad track | Track (replicate) a project |
rad untrack | Stop tracking a project |
rad config | Display the node configuration |
systemctl start radicle-node | Start the systemd service |
systemctl status radicle-node | Check the service status |
journalctl -u radicle-node | Read the service logs |
The Watcher approaches his tower's window. From up there, the network of paths connecting the free villages is clearly visible - winding lines traced by generations of travelers.
"Your tower is ready. Perhaps it will only watch over your own projects for now. But one day, other travelers will find it, and they will be grateful it was there."
He hands you an ancient map, covered in symbols representing other towers, other nodes, other peers scattered across the kingdom.
"You have the tools and you have your tower. There is one last thing left to learn: how to forge connections with other travelers. For a tower alone in the mist serves no purpose - it is the network that makes the strength."