This guide walks through compiling Ocrch from source on a Linux server and running it as a managed systemd service. No prior Rust experience is required.
Prerequisites
Section titled “Prerequisites”- A Linux server running a systemd-based distribution (Ubuntu 22.04+, Debian 12+, Fedora 40+, etc.)
sudo/ root access- PostgreSQL 14+ running and accessible (local or remote)
- Git installed (
sudo apt install gitor equivalent)
Deploy
Section titled “Deploy”Install Rust
Rust is installed with the official
rustuptoolchain manager. This installs the compiler (rustc) and the build tool (cargo) into your home directory without needing root.Terminal window curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | shFollow the on-screen prompts and choose the default installation (
1). When it finishes, load the new environment variables into your current shell:Terminal window source "$HOME/.cargo/env"Verify the installation:
Terminal window rustc --version # e.g. rustc 1.87.0cargo --version # e.g. cargo 1.87.0Install System Dependencies
The build requires a C linker and OpenSSL headers.
Terminal window sudo apt updatesudo apt install -y build-essential pkg-config libssl-devTerminal window sudo dnf install -y gcc pkg-config openssl-develTerminal window sudo pacman -S --needed base-devel openssl pkg-configClone the Repository
Terminal window git clone https://github.com/haruki-nikaidou/open-crypto-checkout.gitcd open-crypto-checkoutBuild the Binary
Use
cargo build --releaseto compile an optimised release binary. The--binflag tells Cargo to build only the server binary (not the SDK or core library separately).Terminal window cargo build --release --bin ocrch-serverThis produces the binary at
target/release/ocrch-server. The binary is statically linked where possible and has no runtime Rust dependencies. Copy it to a system-wide location:Terminal window sudo cp target/release/ocrch-server /usr/local/bin/ocrch-serversudo chmod +x /usr/local/bin/ocrch-server
Configure
Section titled “Configure”Create a Dedicated System User
Running the server as a dedicated unprivileged user limits the blast radius if anything goes wrong.
Terminal window sudo useradd --system --no-create-home --shell /usr/sbin/nologin ocrchSet Up the Config Directory
Terminal window sudo mkdir -p /etc/ocrchsudo cp ocrch-config.example.toml /etc/ocrch/ocrch-config.tomlsudo chown -R ocrch:ocrch /etc/ocrchsudo chmod 640 /etc/ocrch/ocrch-config.tomlNow edit the config file:
Terminal window sudo nano /etc/ocrch/ocrch-config.tomlAt minimum you must fill in:
admin.secret— a strong admin password (the server will Argon2-hash it on first run)merchant.secret— your HMAC signing keymerchant.allowed_origins— your checkout frontend URL(s)[[wallets]]— your wallet addresses[api_keys]— your Etherscan and/or Tronscan API keys
See the Configuration guide for the full reference.
Set Up the Database
Run migrations before starting the service for the first time. The
--migrateflag tells the server to apply all pending database migrations and then exit if no other work is needed — but when used with--listenit applies migrations then starts normally. The simplest approach is a one-off migrate run:Terminal window DATABASE_URL="postgres://user:pass@localhost/ocrch" \ocrch-server -c /etc/ocrch/ocrch-config.toml --migrateThe server will apply the migrations, then start listening. Stop it with
Ctrl+Conce it prints a "listening" log line — the database is now set up.
Run as a Service
Section titled “Run as a Service”Create the systemd Unit File
Create a service unit at
/etc/systemd/system/ocrch.service:Terminal window sudo nano /etc/systemd/system/ocrch.servicePaste the following, adjusting
DATABASE_URLfor your PostgreSQL setup:[Unit]Description=Open Crypto Checkout ServerDocumentation=https://github.com/haruki-nikaidou/open-crypto-checkoutAfter=network-online.target postgresql.serviceWants=network-online.target[Service]Type=simpleUser=ocrchGroup=ocrch# Database connection string — keep this secretEnvironment="DATABASE_URL=postgres://ocrch:yourpassword@localhost:5432/ocrch"# Adjust log level as needed: error | warn | info | debug | traceEnvironment="RUST_LOG=info,sqlx=warn"ExecStart=/usr/local/bin/ocrch-server \--config /etc/ocrch/ocrch-config.toml \--listen 127.0.0.1:8080 \--migrateRestart=on-failureRestartSec=5s# Harden the serviceNoNewPrivileges=yesProtectSystem=strictProtectHome=yesReadWritePaths=/etc/ocrchPrivateTmp=yes[Install]WantedBy=multi-user.targetKey points:
--listen 127.0.0.1:8080binds only to localhost. A reverse proxy (Nginx, Caddy) should handle public HTTPS traffic.--migrateis included so the service automatically applies any new database migrations on upgrade.ReadWritePaths=/etc/ocrchis required because the server rewrites the config file when it first hashes the admin secret.
Enable and Start the Service
Terminal window # Reload systemd so it picks up the new unit filesudo systemctl daemon-reload# Enable the service to start on bootsudo systemctl enable ocrch# Start it nowsudo systemctl start ocrchCheck that it is running:
Terminal window sudo systemctl status ocrchYou should see
Active: active (running). View live logs:Terminal window sudo journalctl -u ocrch -fVerify the health endpoint:
Terminal window curl http://127.0.0.1:8080/health# {"status":"ok","version":"0.1.0"}
Set Up a Reverse Proxy
Section titled “Set Up a Reverse Proxy”The server listens on 127.0.0.1:8080 and does not handle TLS. Use a reverse proxy to expose it over HTTPS.
Install Caddy and add to /etc/caddy/Caddyfile:
checkout-api.example.com { reverse_proxy 127.0.0.1:8080}Caddy handles TLS certificates automatically. Restart: sudo systemctl reload caddy.
server { listen 443 ssl; server_name checkout-api.example.com;
ssl_certificate /etc/letsencrypt/live/checkout-api.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/checkout-api.example.com/privkey.pem;
location / { proxy_pass http://127.0.0.1:8080; proxy_http_version 1.1; # Required for WebSocket support on /api/v1/user/orders/{id}/ws proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; }}Restart: sudo systemctl reload nginx.
Upgrading
Section titled “Upgrading”To upgrade to a new version:
Pull the latest code
Terminal window cd open-crypto-checkoutgit pullRebuild the binary
Terminal window cargo build --release --bin ocrch-serverReplace the binary and restart
Terminal window sudo systemctl stop ocrchsudo cp target/release/ocrch-server /usr/local/bin/ocrch-serversudo systemctl start ocrchThe
--migrateflag in the unit file means any new database migrations are applied automatically on startup.
Useful Service Commands
Section titled “Useful Service Commands”| Command | Description |
|---|---|
sudo systemctl start ocrch | Start the service |
sudo systemctl stop ocrch | Stop the service |
sudo systemctl restart ocrch | Restart the service |
sudo systemctl status ocrch | Show current status |
sudo systemctl enable ocrch | Start automatically on boot |
sudo systemctl disable ocrch | Remove from boot |
sudo journalctl -u ocrch -f | Follow live logs |
sudo journalctl -u ocrch --since "1 hour ago" | Show recent logs |
sudo kill -HUP $(systemctl show -p MainPID --value ocrch) | Hot-reload config |
Troubleshooting
Section titled “Troubleshooting”Service fails to start — "could not connect to database"
Check that DATABASE_URL in the unit file is correct and that PostgreSQL is reachable from the server:
psql "postgres://ocrch:yourpassword@localhost:5432/ocrch" -c "SELECT 1;"Service fails to start — "No such file or directory"
Verify the binary path: which ocrch-server or ls -l /usr/local/bin/ocrch-server.
Config changes are not taking effect
Send SIGHUP to hot-reload without restarting (see table above), or run sudo systemctl restart ocrch for a full restart.
Build fails with "linker 'cc' not found"
You are missing build-essential / gcc. Re-run the Step 2 system dependency install for your distro.