The Self-Managed Lightning Bank
The biggest hurdle for Bitcoin Lightning users is often the sovereign self-management of their funds. Custody services like Wallet of Satoshi are ideal for getting started, but they are not self-managed solutions – we have to trust the provider. Running and managing your own Lightning node is not an option for most people. But what if a service provider could operate and manage the node while we still retain full control over our funds? This is exactly what the Phoenix Wallet from ACINQ now offers. And what if we could also set up a wallet and account system to provide a wallet for family and friends? This is where LNbits comes into play. LNbits effectively becomes your own Lightning Bank. But that’s not all – LNbits can do much more.
German Video Tutorial
1. Introduction
Even if Bitcoin Lightning is unlikely to ever be a technology managed directly and sovereignly by the majority of people, it will still play a central role in the development, spread, and adoption of Bitcoin. Lightning is expected to serve as a settlement layer for various custody services, sidechains, and other layers on Bitcoin. There will likely be combinations where Lightning acts as the link operated by specialists – especially due to rising on-chain fees and increasing market trends.
For now, the fees for opening and closing Lightning channels are affordable. The technology has matured quite well, and transactions via Lightning work remarkably well. Just a few years ago, running a Lightning node was reserved for true tech nerds, but today, well-developed software takes care of many background tasks, and there are even 1-click nodes available. Nevertheless, there remains the need to occasionally delve deeper when problems arise and to take care of backups.
Development has not stopped, and the company ACINQ has released the Phoenix Wallet. ACINQ uses the Lightning implementation „eclair,“ which is the third most popular implementation alongside LND and Core Lightning. ACINQ manages the Lightning node for you and takes care of all background tasks. The big advantage is that the wallet remains in the user’s custody. You get a 12-word seed and your own channel where outbound liquidity always belongs to you. The funds are therefore in self-custody, while the technology is managed in the background by ACINQ. Naturally, they charge fees for this service, but they are transparent and, in my opinion, fair: Fees overview.
Now we have the option of running an „own“ Lightning node with minimal effort. The node has a channel to the ACINQ servers, which act as your Lightning Service Provider (LSP). That’s all you need. ACINQ is well-connected, and now, with splicing, you can even increase or decrease the size of Lightning channels. For a fee, ACINQ also directly provides you with a 2 million Satoshis channel, which can last a while without adjustments. ACINQ takes care of managing the node and channel, but you hold the key to the wallet and thus control over the funds in the Lightning channel.
The Phoenix Wallet was initially available only as an app for Android and iOS, but it is now also available as a server service for Linux systems, opening up new possibilities. Since interaction with the daemon „Phoenixd“ is only possible via the command line (CLI) or an API (Application Programming Interface), direct use for the average user is rather impractical. In combination with LNbits, however, it becomes a powerful tool. LNbits is a wallet and account system with a graphical user interface that significantly simplifies usage. LNbits essentially consists of a database and numerous extensions that offer a remarkable range of features. LNbits requires a funding source, and here the Phoenix Wallet comes into play.
Hosting both applications together on a Virtual Private Server (VPS), which is hosted in the cloud and has direct internet access, combined with a domain pointing to the server, gives you your own Lightning Bank. You are now able to independently manage a complete Lightning wallet and account system – for yourself, your family, or even your friends. The costs are reasonable, at about 5 euros per month for the VPS and setup fees of around 30,000 Satoshis. If you already own a domain, you can usually set up a subdomain for free. Otherwise, there are additional costs of 5 to 15 euros per year for a domain, or you can use a free subdomain from, e.g., duckdns.org.
Thanks to the sophisticated Phoenix Wallet and the excellent user interface of LNbits, setting up and installing a Lightning Bank is no longer a daunting task. Check out my video and see for yourself. Some technical background is needed, but the installation is largely done through copy-paste, and setup is done via the LNbits user interface. Give it a try – it’s worth it!
2. Prerequisites
You need two things: a domain or subdomain and a Virtual Private Server (VPS). If you already have a domain, you can easily set up a new DNS entry for the subdomain on your hosting provider’s website, which points to the IP address of the VPS. If you do not have a domain, you can either get a paid one from any hosting provider or use a free subdomain, for example from duckdns.org. The domain and VPS provider do not need to be the same; many web hosting providers also offer VPS. Here, I have explained the setup of a VPS with Digital Ocean, but you can use any provider you like. The server requirements are minimal: at least 1 CPU, 1 GB RAM, 25 GB SSD, and 1 GB transfer. As the operating system, I recommend Ubuntu 22.04 LTS, which I have extensively tested.
3. Setting Up and Securing the Server
Recommendation: To stay organized and always have your data handy, create a text file and store it in a secure location since it will contain sensitive information. Here is a possible template:
Your Domain: subdomain.yourdomain.com VPS IP address: yourIPaddress Login "root" user: ssh root@yourIPaddress / password: your1strongpassword Login "blitzbank" user: ssh blitzbank@yourIPaddress / password: your2strongpassword Phoenix Wallet Seed: the twelve words .. Super User Name: SuperUser / password: your3strongpassword Super User Account: https://subdomain.yourdomain.com/wallet?usr=33bfc.. Start User Account: https://subdomain.yourdomain.com/wallet?usr=d486f..
Open the terminal window on your PC or laptop for the command line. On Windows, enter ‚cmd‘ in the start menu; on Linux systems, press ‚Ctrl-Alt-T‘ or search for ‚Terminal‘ on macOS and follow the instructions. You only need to enter your individual data, such as the IP address or domain, in a few places and once check the version during the Phoenix installation and adjust if necessary. Everything else can be used as it is.
ssh root@yourIPaddress
Update/Upgrade Ubuntu OS
apt update && apt dist-upgrade -y
-> You might need to press Enter
.
ufw (Firewall)
apt install ufw ufw default deny incoming ufw default allow outgoing ufw allow 22 comment 'OpenSSH' ufw allow 80 comment 'Standard Webserver' ufw allow 443 comment 'SSL Webserver' ufw enable ufw status
-> Press y
once, then Enter
to activate the firewall.
fail2ban (Protection against brute force attacks)
apt install fail2ban -y systemctl enable fail2ban systemctl start fail2ban systemctl status fail2ban
-> Confirm twice with Enter
.
swapfile (Virtual RAM for overflow)
fallocate -l 2G /swapfile chmod 600 /swapfile mkswap /swapfile swapon /swapfile swapon -s sudo nano /etc/fstab
To enable swapfile autostart, add the following line at the end:
/swapfile swap swap defaults 0 0
-> Save and close with CTRL+X -> Y -> Enter
.
Check swapfile installation:
htop
-> Top left: Swp[ 0K/2.00G]
-> Exit with F10
Creating a Dedicated User
For added security, we will create a new user with which we will log in in the future. This user also has „root“ privileges but will have to re-enter their password repeatedly. This offers more security, better traceability, and protection against human error.
adduser blitzbank
-> Set password, data entry is optional.
usermod -aG sudo blitzbank
-> Grant root privileges to the user.
Edit the OpenSSH server configuration file.
sudo nano /etc/ssh/sshd_config
Add:
AllowUsers blitzbank
-> CTRL+X -> Y -> Enter
Note: If you want to continue accessing the VPS as the „root“ user, you need to add an additional line with AllowUsers root
in the configuration file. Otherwise, when attempting to log in as „root,“ you will receive the error message „Permission denied, please try again.“ After five failed attempts, access will be completely blocked for 10 minutes, as Fail2ban will block all connections.
Now power off the VPS to create a backup and restart everything:
systemctl poweroff
-> To create a backup of your VPS as a snapshot, you’ll likely find a corresponding feature on your VPS hosting provider’s website. This will create a complete image of your hard disk or VPS. You can restore this image at any time to bring the server back to a previous state. Afterward, restart the server via the website, and from now on, always log in with the new user.
ssh blitzbank@yourIPaddress
4. The Phoenix Wallet
Installing Phoenix
Note: First, check whether your VPS already has the unzip
program installed. Use this command:
which unzip
-> If unzip
is installed, you will see the path /usr/bin/unzip
. If it is not installed, install it with sudo apt install unzip
.
Version Check: Verify the latest version and adjust accordingly: https://github.com/ACINQ/phoenixd/releases
mkdir phoenixd cd phoenixd wget https://github.com/ACINQ/phoenixd/releases/download/v0.4.2/phoenix-0.4.2-linux-x64.zip unzip -j phoenix-0.4.2-linux-x64.zip ./phoenixd
You will first be asked if you understand that you are responsible for the wallet and that you must secure the 12 seed words well. Confirm with: I understand
.
Next, you will be asked if you understand the automatic liquidity management. More information on this topic can be found here. In short, Phoenix manages everything for you. You can immediately receive your first Satoshis. However, a certain threshold must be crossed for a channel with 2 million Satoshis to be opened for you. This threshold is about 30,000 Satoshis, which covers the on-chain and setup fees. Confirm again with: I understand
.
Finally, press the Enter key once more to start the Phoenix server. You will then see the initial information, such as your nodeid
. End the process for now with CTRL+C
.
Phoenix Wallet 12-Word Seed
cat ~/.phoenix/seed.dat ; echo
Important: Secure the 12 words well! This is your insurance to restore the wallet whenever needed. You don’t need a backup of the Lightning channel, as Phoenix or the ACINQ server takes care of that for you.
Phoenix Autostart Service
Call up the phoenixd.service file:
sudo nano /etc/systemd/system/phoenixd.service
Fill the file with:
[Unit] Description=phoenixd After=network.target [Service] ExecStart=/home/blitzbank/phoenixd/phoenixd WorkingDirectory=/home/blitzbank/phoenixd User=blitzbank Restart=always TimeoutSec=120 RestartSec=30 [Install] WantedBy=multi-user.target
-> CTRL+X -> Y -> Enter
sudo systemctl enable phoenixd sudo systemctl start phoenixd sudo systemctl status phoenixd
The Phoenix Wallet is now running in the background and will always start automatically. 🐦🔥
5. The LNbits Server
Setting Up Prerequisites
curl -sSL https://install.python-poetry.org | python3 - echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc source ~/.bashrc
Installing LNbits
cd ~ git clone https://github.com/lnbits/lnbits.git cd lnbits git checkout main poetry install --only main cp .env.example .env poetry run lnbits
The server should now be successfully started:
..
-> SUCCESS | ✔️ Backend VoidWallet connected and with a balance of 0 msat.
..
The VoidWallet
is an empty wallet or virtual wallet that LNbits automatically creates when no valid funding source is present. The LNbits server can still be operated, but the wallet cannot be used. Transactions are not possible as there is no Lightning Wallet behind it. We will configure the settings for the Phoenix Wallet shortly, but for now, press CTRL+C
to stop the process.
LNbits Autostart Service
Call up the lnbits.service file:
sudo nano /etc/systemd/system/lnbits.service
Fill the file with:
[Unit] Description=LNbits Wants=phoenixd.service [Service] ExecStartPre=/bin/sleep 2 WorkingDirectory=/home/blitzbank/lnbits ExecStart=/home/blitzbank/.local/bin/poetry run lnbits User=blitzbank Restart=always TimeoutSec=60 RestartSec=30 Environment=PYTHONUNBUFFERED=1 [Install] WantedBy=multi-user.target
-> CTRL+X -> Y -> Enter
sudo systemctl enable lnbits sudo systemctl start lnbits sudo systemctl status lnbits
-> CTRL+C
From now on, LNbits will start automatically at each server start and run in the background. ⚙️
6. The Caddy Web Server
Important: Make sure that you point the DNS addresses (A and AAAA) of your subdomain/domain to the IP address of your Virtual Private Server at your domain provider, so requests via the domain are directed to the VPS. If you do not have a domain yet, you can get a free subdomain from duckdns.org. I have written something about this under point 7.11.
Installing Caddy
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list sudo apt update sudo apt install caddy
-> Test the web server in your internet browser with: http://yourIPaddress
. Note: Does not work with every browser.
Configuring the Caddyfile
sudo nano /etc/caddy/Caddyfile
Attention: Replace yourdomain.com
with your domain at three places.
yourdomain.com { handle /api/v1/payments/sse* { reverse_proxy 0.0.0.0:5000 { header_up X-Forwarded-Host yourdomain.com transport http { keepalive off compression off } } } reverse_proxy 0.0.0.0:5000 { header_up X-Forwarded-Host yourdomain.com } }
-> CTRL+X -> Y -> Enter
sudo systemctl reload caddy
After a short delay, Caddy should have received all the necessary certificates, and you can check the web server in your internet browser. Simply type yourdomain.com
, and your LNbits server should be displayed. 🎉 You now have a public HTTPS website, encrypted via TLS. Caddy will automatically handle certificate renewal for you. You can test the certificate using a service like ssllabs.com. Just enter your domain and click submit.
Here are two useful commands to check the status and logs of the Caddy Server:
sudo systemctl status caddy sudo journalctl -u caddy -f --since "2 hour ago"
7. Setting Up the Bank
Activate LNbits Admin User Interface (UI) / Super User Account
sudo nano ~/lnbits/.env
Change the following line (around line 12) from false
to true
:
LNBITS_ADMIN_UI=true
-> CTRL+X -> Y -> Enter
sudo systemctl restart lnbits
Now access your LNbits server again. You should see the page yourdomain.com/first_install
. There, you need to set a Username
and a Password
for the Superuser.
Next, click „LNbits Wallet“ at the top left, and then on the right click „Export to Phone with QR Code“. Below the QR code, you will see the COPY WALLET URL
button. Copy the URL and save it securely, as this is your access to the Super User Account
that has all administrator rights.
Note: If you accidentally skip the first_install
page during setup or cannot access it, you can get the wallet ID for the Super User via the following command:
cat ~/lnbits/data/.super_user ; echo
This will display the wallet or account ID as a string, e.g.: 01544859c4644397b826e4106ef20ccb
. With this, you can log in under Login with user ID
. You will see that it is the Super User Account
displayed at the top left. To better identify it, rename the wallet accordingly. Simply click on the wallet on the left, and you will see Rename Wallet
on the right. Rename the wallet to SuperUser
.
To confirm that it is the Super User Account
, you will see it displayed at the top left. To better identify it, rename the wallet accordingly. Click on the wallet on the left, and you will see the option Rename Wallet
on the right. Rename the wallet to SuperUser
.
Recommendation: Log out via the My Account option in the top right and use the Super User Account
only in an incognito browser window in the future. This provides you with a bit more security, and you can have two accounts open simultaneously, as all other users use the regular browser window. Use the wallet and extensions of the Super User Account
only for administrative purposes. For all other purposes, you can create normal user accounts.
Link Phoenix and LNbits
Your LNbits is already running but currently has the VoidWallet
assigned, which is a dummy wallet. You need to enter the Phoenix Wallet credentials in LNbits to give LNbits access to the wallet.
Display Phoenix Wallet API
cat ~/.phoenix/phoenix.conf ; echo
The string behind http-password=
is your API key, which you will need shortly.
Enter Phoenix API Key in LNbits
Open the Superuser account and go to Server
/ Funding Source
. Click on Void Wallet
and set it to Phoenixd
. Replace PHOENIX_KEY
with the Phoenix API key. The endpoint can remain unchanged. Then click SAVE
and subsequently RESTART SERVER
. If you do not receive an error message, you have successfully linked the Phoenix Wallet as the funding source to your LNbits server. 🏆
Feel free to check this again with the LNbits log files:
sudo journalctl -u lnbits -f --since "2 hour ago"
-> SUCCESS | ✔️ Backend PhoenixdWallet connected and with a balance of 0 msat. 🔥
-> CTRL+C
Restart the Entire VPS Once
sudo systemctl reboot
-> Wait a moment and then log in again: ssh blitzbank@yourIPaddress
Funding the Bank
Now you need to initiate the opening of a Lightning channel with an initial payment. Open an incognito browser window and log in with the SuperUser
. Copy the string that you saved earlier into the browser’s address bar and press ENTER. Your Super User Account
should appear. Here you can fund the Phoenix Wallet so that ACINQ (Phoenix) opens a Lightning channel for you. Click on CREATE INVOICE
. Enter “100,000 Satoshis” under Amount and “funding” under Memo, then confirm with CREATE INVOICE
. The Lightning invoice will be displayed as a QR code. Scan it with your Lightning Wallet and pay the invoice. That’s it! You now have a „self-managed Lightning⚡Bank“
Phoenix handles everything else in the background and opens a 2,000,000-Satoshi Lightning channel that is „dual funded“. The channel has both inbound and outbound liquidity. This means you can use it to send (outbound) and also receive (inbound) payments. From the 100,000 Satoshis you paid, Phoenix uses around 30,000 Satoshis for channel opening fees (on-chain fees), service setup fees, and providing inbound liquidity. Phoenix binds funds in the channel for you, so you have inbound liquidity without needing to adjust the channel yourself.
Now you can create a new user in parallel to the SuperUser. Access your Lightning⚡Bank via the normal browser and create a new wallet named „Start“ using Create New Wallet
. On the right, you will find the option Export to Phone with QR Code, and below the QR code, the button COPY WALLET URL
. You should store this URL securely. For better organization in the database, click on My Account at the top right and give the account a username. An account/user can contain multiple wallets. You can access your account through the URL link or the user ID directly above it. To return to the overview, click on the „Start“ wallet on the left.
Would You Like to Check the Status of the Lightning Channel?
~/phoenixd/phoenix-cli listchannels | grep "txId"
-> Copy the txId
and display it on mempool.space.
Further Information About Your Channel Balance
~/phoenixd/phoenix-cli getinfo
-> balanceSat
, inboundLiquiditySat
, and capacitySat
Info: The balanceSat
should be identical to the Node Balance
displayed in the Superuser account under Server / Funding
.
8. Done
Congratulations, you now have your own self-custodial Bitcoin Lightning⚡Bank! You have a fully functional wallet and account system with numerous extensions in the frontend, as well as a self-custodial funding source in the backend. With LNbits, you have also gained a powerful tool to fully harness the potential of Lightning. LNbits offers a variety of extensions, enabling you to create static paylinks, Lightning addresses, vouchers, paywalls, split payments, point of sale terminals (PoS), BitcoinSwitch, and much more. You are now in control; you are self-sovereign in terms of Lightning technology and can provide a trusted environment for friends and family.
There is still much to say about Phoenix Wallet and LNbits. However, I would like to conclude this tutorial here for now. The basics have been laid, the Lightning⚡Bank is fully functional, and you can test it extensively. You can find my demo server related to this tutorial here: blitzbank.ereignishorizont.xyz. It is equipped with a small selection of extensions. The wallet size is limited to a maximum of 10,000 Satoshis, as it is only a demonstration.
If you are looking for more information, check the appendix. There you will also find a link to another page with tips, tricks, and further information about the Lightning⚡Bank.
Thank you very much for your attention.
Stay Humble & Stack Sats
Axel
9. Appendix
Acknowledgment and Reference 🧡
Thanks to Yvette and Daniel for their work, on which I could build.
Yvette on Github: github.com/arbadacarbaYK
Daniel’s blog: danielpcostas.dev
Additional Resources 📚
Phoenix Server: https://phoenix.acinq.co/server
LNbits Server: ereignishorizont.xyz/lnbits-server
LNbits docs: docs.lnbits.org
Tips, Tricks, and Extras for the Lightning⚡Bank
See page: Lightning⚡Bank – Extras
Created with Love 🧡 – Block 870210/ 872470
– Lightning ⚡ (er)leben –
Value 4 Value
axelhamburch@ereignishorizont.xyz