Hardware
- Reliable x86/ARM SBC or server‑grade hardware with ECC (when possible).
- SSD (NVMe) sized for multi‑year growth; avoid SD cards for full nodes.
- UPS and surge protection; label power circuits and network ports.
Networking
- Static DHCP reservations; dedicated VLAN for node services.
- Hardened firewall with only required ports; restrict SSH via keys.
- Optional Tor for privacy; dual‑homed for resilience.
System security
- Minimal OS; auto‑updates for security patches; audit sudoers.
- Separate user for services; secrets in a password manager or HSM.
- Log integrity and remote syslog shipping.
Backups
- Configuration and wallet (if any) backed up with versioned, encrypted storage.
- Document restore steps; test on staging periodically.
Monitoring & alerts
- Node sync, mempool health, peer count, disk/CPU/RAM, and service status.
- Webhook delivery logs, retries, and latency via Bitcoin Flux.
- Alerting to on‑call with escalation policy.
Upgrades & maintenance
- Pin versions and read release notes; stage upgrades in non‑prod first.
- Maintenance windows with back‑out plan; verify services after.
- Track config drift in version control; standardize images.
Disaster recovery
- Document RTO/RPO; keep a cold spare or VM image ready.
- Regular restore tests; retain a “last known good” snapshot.