# Migrating to Node Pilot

#### Objectives

* **Legacy Decommissioning**: Securely extract your validator's digital identity from any manual setup.
* **Infrastructure Automation**: Use Cloud-Config to deploy a hardened server in under 60 seconds.
* **Node Pilot Migration**: Restore your identity and resume validation with the streamlined `cpilot` CLI.

#### Prerequisites

* **Hetzner Account:** Verified and active.
* **Legacy Records:** Have your P12 passphrase and alias ready.
* **SSH Tools:**
  * **MacOS/Linux:** Terminal app.
  * **Windows:** [PuTTY](https://www.putty.org/) (for SSH) and [WinSCP](https://winscp.net/eng/download.php) (for file backup).

***

### 🔍 Phase 0: Identity Extraction (Legacy Server)

*Before shutting down your old environment, you must gather your node’s baseline data.*

**1. Log into your Legacy Server** Connect to your old server using your standard method (Terminal or PuTTY).

**2. Record Baseline Identity** Run these commands to ensure you can verify the migration later:

* **Node ID**: Run `sudo nodectl nodeid`. (Select **intnet-l0** profile).
* **DAG Address**: Run `sudo nodectl dag`. (Select **intnet-l0** profile).
* **Action**: Copy these strings into a secure note. This is your "Original ID".

**3. Retrieve your Public SSH Key** Run the command: `cat ~/.ssh/authorized_keys`

* **Action**: Copy the output string (starting with `ssh-rsa`). You will need this for the new server.

**4. Download your Keystore** You must save your `.p12` file to your local computer before destroying this server.

📘 [**Guide: How to Backup/Restore a P12 KeyStore**](https://docs.constellationnetwork.io/run-a-node/validator-node-guides/operational-guides/backup-restore-a-p12-keystore)

**⚠️ Critical Warning:** Do not proceed to Phase 1 until you have verified that the `.p12` file is safely on your local computer. If you delete your server without this file, your node identity is lost forever.

***

### 🏗️ Phase 1: Infrastructure Setup

**1. Account Setup** Log in to [console.hetzner.com/projects](https://console.hetzner.com/projects) and create a **New Project** (e.g., `Intnet-Cpilot`).

**2. Create a Firewall** Navigate to **Firewalls > Create Firewall** and add these **Inbound Rules**:

* **SSH**: TCP | Port 22 | Source: **Your Local IP**.
* **L0**: TCP | Port 9000-9001 | Source: **Any IPv4** & **Any IPv6**.
* **L1**: TCP | Port 9010-9011 | Source: **Any IPv4** & **Any IPv6**.

**3. Provision Server** Click **Add Server** and select:

* **Location**: Falkenstein or Helsinki.
* **Image**: Ubuntu 24.04.
* **Type**: CPX42 (Recommended).
* **Networking**: Public IPv4 + Your Firewall.
* **Cloud Config**: Paste the script below, replacing the placeholder `YOUR_PUBLIC_SSH_KEY_STRING_HERE` with your **Public SSH Key** from Phase 0.

```yaml
#cloud-config
users:
  - name: nodeadmin
    groups: users, admin
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh_authorized_keys:
      - YOUR_PUBLIC_SSH_KEY_STRING_HERE
package_update: true
package_upgrade: true
write_files:
  - path: /etc/ssh/sshd_config.d/ssh-hardening.conf
    content: |
      PermitRootLogin no
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      ChallengeResponseAuthentication no
      MaxAuthTries 2
      AllowTcpForwarding no
      X11Forwarding no
      AllowAgentForwarding no
      AuthorizedKeysFile .ssh/authorized_keys
      AllowUsers nodeadmin
```

#### ⚙️ Phase 2: System Setup

{% tabs %}
{% tab title="MacOS / Linux" %}
**1. Initial Access**

* Open your **Terminal**.
* Run the connection command (replace `<NEW_IP>` with your new server's IP address):

  ```bash
  ssh nodeadmin@<NEW_IP> -i ~/.ssh/id_rsa
  ```

**2. User Security (Optional)**

* If you wish to set a password for `nodeadmin`, run:

  ```bash
  sudo passwd nodeadmin && echo "nodeadmin ALL=(ALL) ALL" | sudo tee /etc/sudoers.d/nodeadmin
  ```

{% endtab %}

{% tab title="Windows" %}
**1. Initial Access**

* Open **PuTTY**.
* **Host Name:** Enter your **New VPS IP**.
* **Auth:** Select your Private Key (`.ppk`) under *Connection > SSH > Auth > Credentials*.
* Click **Open** and log in as `nodeadmin`.

**2. User Security (Optional)**

* If you wish to set a password for `nodeadmin`, run:

  ```bash
  sudo passwd nodeadmin && echo "nodeadmin ALL=(ALL) ALL" | sudo tee /etc/sudoers.d/nodeadmin
  ```

{% endtab %}
{% endtabs %}

#### 📦 Phase 3: Node Pilot Installation

{% tabs %}
{% tab title="MacOS / Linux" %}
**1. Install Node Pilot**

* Run the installer:

MainNet:

```bash
curl -fsSL https://github.com/Constellation-Labs/node-pilot/releases/download/v0.8.0/install.sh -o install-node-pilot.sh; source install-node-pilot.sh
```

Or Integration Net:

```bash
curl -fSSL https://github.com/Constellation-Labs/node-pilot/releases/download/v.0.14.0-integrationnet/install.sh -o install-node-pilot.sh; bash install-node-pilot.sh
```

**2. Permissions Refresh**

* When prompted, type **`y`** to exit.
* **Log back in** using the command from Phase 2.

**3. Upload Identity**

* Open a **new Terminal tab** (Command + T).
* Run the copy command to upload your `.p12` file:

  ```bash
  scp -i ~/.ssh/id_rsa ~/Desktop/<YOUR_FILE_NAME>.p12 nodeadmin@<NEW_IP>:/home/nodeadmin/
  ```

**4. Initialize cpilot**

* Return to the **original terminal tab**.
* **⚠️ Critical:** Ensure any **VPNs are switched OFF**.
* Run `cpilot` and follow the prompts:
  * **Network**: Press **Enter** for "Hypergraph".
  * **IP Address**: Press **Enter** for "Use detected IP address".
  * **Network Type**: Select **Integrationnet** and press **Enter**.
  * **Layers**: Press **`a`** to select both **gl0** and **gl1**.
  * **Memory**: Assign **15** GB.
  * **Identity**: Choose **Import an existing key file** and provide your P12 details.
  * **Final Confirmation**: Press **`y`** for all remaining prompts to finish the setup.
    {% endtab %}

{% tab title="Windows" %}
**1. Install Node Pilot**

* Paste this command into PuTTY:

  ```bash
  curl -fSSL https://github.com/Constellation-Labs/node-pilot/releases/download/v.0.14.0-integrationnet/install.sh -o install-node-pilot.sh; bash install-node-pilot.sh
  ```

**2. Permissions Refresh**

* When prompted, type **`y`** to exit.
* **Log back in** via PuTTY.

**3. Upload Identity (WinSCP)**

* Open **WinSCP**.
* **Login:** Enter your VPS IP, username `nodeadmin`, and select your `.ppk` key.
* **Transfer:** Drag and drop your `.p12` file from your PC (Left) to the Server folder `/home/nodeadmin/` (Right).

**4. Initialize cpilot**

* Return to **PuTTY**.
* **⚠️ Critical:** Ensure any **VPNs are switched OFF**.
* Run `cpilot` and follow the prompts:
  * **Network**: Press **Enter** for "Hypergraph".
  * **IP Address**: Press **Enter** for "Use detected IP address".
  * **Network Type**: Select **Integrationnet** and press **Enter**.
  * **Layers**: Press **`a`** to select both **gl0** and **gl1**.
  * **Memory**: Assign **15** GB.
  * **Identity**: Choose **Import an existing key file** and provide your P12 details.
  * **Final Confirmation**: Press **`y`** for all remaining prompts to finish the setup.
    {% endtab %}
    {% endtabs %}

### ✅ Phase 4: Verification

*This verification step is identical for all users.*

**1. Check Health**

* Run `cpilot` to view the live dashboard.

**2. Join State**

* Verify that **Node State** for both layers transitions to **Ready** (Green).

**3. Confirm ID**

* Run `cpilot node-id` and confirm it matches the **Original ID** you recorded in Phase 0.