Running a node means babysitting releases: spotting a new version, downloading, verifying, swapping the binary, restarting, and hoping it comes back up. I wrote a small, self-contained tool that does all of that on a schedule and is built so it can’t leave a node down. Sharing it here in case it’s useful to other operators.
Install (run as root):
curl -fsSL https://raw.githubusercontent.com/vvmmaann/nym-node-autoupdate/main/nym-node-autoupdate.sh -o nym-node-autoupdate.sh && sudo bash nym-node-autoupdate.sh
What it does
- Installs a systemd timer that checks hourly and updates only when a new STABLE release is out (skips pre-releases).
- Auto-detects your role (mixnode / entry / exit gateway) and shows you what it found before touching anything — nothing to configure by hand.
- Updates nym-node on every role; on gateways it also updates the QUIC bridge and the exit-tunnel iptables rules (network-tunnel-manager).
Why it won’t break your node
- nym-node is SHA-256 verified and refuses to install without a checksum.
- After each swap it health-checks the service and auto-rolls-back if it doesn’t come back up.
- Firewall changes are snapshotted and reverted if the tunnel stops passing traffic.
Handy
- Read-only check anytime (no root): ./nym-node-autoupdate.sh check
- Opt out of any part via /etc/nym-node-autoupdate.conf
- Remove: sudo nym-node-autoupdate.sh uninstall
Trust model (stated plainly)
The QUIC bridge and the tunnel-manager script ship no upstream checksum, so those steps trust GitHub + the nym org — same as updating them by hand. nym-node itself is checksum-gated. Set NTM_ENABLED=0 to skip the firewall part.
I’m running it on my 4 nodes (2 gateways + 2 mixnodes). Feedback and PRs welcome.
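Added example, not part of the original post and not code from nym-node-autoupdate.sh: a minimal sketch of the pattern described under "Why it won’t break your node", a checksum gate that fails closed followed by a swap that is rolled back when a health check fails. The function names, return codes and the caller-supplied health command are assumptions made for illustration.

```shell
# Added example; function names are hypothetical, not from nym-node-autoupdate.sh.

# verify_sha256 FILE EXPECTED_HEX
# Fails closed: an absent or malformed checksum is a refusal (2), not a skip.
verify_sha256() {
    local file="$1" expected actual
    expected=$(printf %s "$2" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "refusing: no valid checksum" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "refusing: not a SHA-256 digest" >&2; return 2; }
    actual=$(sha256sum -- "$file" 2>/dev/null | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "refusing: checksum mismatch" >&2; return 1; }
}

# gated_swap NEW TARGET EXPECTED_HEX HEALTH_CMD [ARGS...]
# 0 = installed and healthy; 1 or 2 = verification refused, target untouched;
# 3 = health check failed, previous binary restored; 4 = file operation failed.
gated_swap() {
    local new="$1" target="$2" expected="$3"
    shift 3
    local backup="$target.bak" staged="$target.new"
    verify_sha256 "$new" "$expected" || return $?
    cp -p -- "$target" "$backup" || return 4
    # Stage next to the target, then rename: mv within one filesystem is atomic,
    # so the target path never holds a half-written binary.
    cp -- "$new" "$staged" && chmod 755 "$staged" && mv -f -- "$staged" "$target" || {
        rm -f -- "$staged"; return 4; }
    # HEALTH_CMD is supplied by the caller (assumption): on a real node it would
    # restart the service and poll until it reports active.
    if "$@"; then
        rm -f -- "$backup"
        return 0
    fi
    echo "health check failed, restoring previous binary" >&2
    mv -f -- "$backup" "$target" || return 4
    return 3
}
```

The verification runs before the backup or any write, so a refused download leaves the installed binary byte-for-byte unchanged.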