when generating genesis from puppeth, remove the outer "genesis" key to parse with geth init;

cat testz.json | jq .genesis > testz_inner.json

genesis needed for both validator and reader

geth --datadir <foo> init testz_inner.json

--

invoke validator:

./build/bin/geth --datadir /root/data --verbosity=5 --mine --password=/root/pass --unlock 0 --nodiscover --nat=extip:159.65.112.244

--

invoke reader:

 ./build/bin/geth --datadir /root/data-reader --verbosity=3 --http.addr=0.0.0.0 --http --http.api eth,net --http.vhosts=*

--

For less noise limit who can connect to p2p.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  159.65.112.244       anywhere             tcp dpt:30304
ACCEPT     tcp  --  159.65.112.244       anywhere             tcp dpt:30303
DROP       tcp  --  anywhere             anywhere             tcp dpt:30303
DROP       tcp  --  anywhere             anywhere             tcp dpt:30304

---