What's the notification system that has to be in place for this? How do I make sure I go through every single block, 6 below the tip? Do I need some kind of record to keep track of the blocks that I've processed?
You always need to design the system to work without notifications (e.g. sometimes you might miss one). So they're kind of always an added luxury. It's pretty easy to build a robust system with no notifications at all (e.g. just poll "getbestblock" every N seconds).
You don't really *need* a notification system. Since you *have* to already cover the case where you miss notifications (i.e. downtime or w/e), the notification system is just a little luxury to speed things up.
Also, what if I want my users to know that their transaction is seen by my system all the way from mempool to 6 confirmations? Should I be catching transactions in any way?
Maybe walletnotify or zmq?
What I've done is scan the mempool (hardest) and top blocks to find deposits, and put it in the database with `credited=false` and then only when it gets N depth, set `credited=true` while crediting them. If you want to get fancy, you should also support *uncrediting* deposits (e.g. in the case of reorgs) which makes it safe to reasonably safe to accept deposits with a very small amount of confirmations.
Having a withdraw only core means to have a core with a few addresses that I can top up at any time and simply use sendtoaddress rpc? How can I possibly improve the privacy of this? Any way to make withdrawal transactions more anonymous for customer's security?
If you want way better privacy properties, use a core wallet for both deposits and withdrawals. Bitcoin Core's coin selection however is really not designed for this use case, so you'll end up paying a lot more in fees than the 2-wallet approach (since you can consolidate from receive-wallet to send-wallet with super tiny fees) but you'll require less float.
Are there any rules of thumb when working with walletnotify and blocknotify? Having an express instance running to process curls from it feels reeeeally awkward...
I'd recommend adding them as a luxury later on. You need to make sure your system works without notifications (i.e. in case it misses one). So you can start with polling every 10 seconds or something, and then use notifications to speed it up.
Any recommendations on how to control the bitcoin core? Should there be more than one core running simultaneously? Should there be a program that bitcoind can be run behind? Any research or guides on this topic?
Core has an RPC API you can use.
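The polling approach from the answers above (a record of processed blocks, `credited=false` until N depth, uncrediting on reorg), as an added example that is not code from any poster in this thread. It assumes the node's best chain is handed to `poll()` as a constructed in-memory list; in a real deployment those hashes and transactions would be fetched over Core's RPC API, and mempool scanning is left out. `DepositTracker` and its field names are hypothetical.

```python
CONFIRMATIONS = 6  # depth at which a deposit becomes credited


class DepositTracker:
    """Poll-driven deposit ledger; notifications would only trigger poll() sooner."""

    def __init__(self, confirmations=CONFIRMATIONS):
        self.confirmations = confirmations
        self.scanned = []   # hashes of processed blocks, list index == height
        self.deposits = {}  # txid -> {"height", "amount", "credited"}
        self.balance = 0    # credited total, integer satoshis

    def poll(self, chain):
        """chain: the node's current best chain as [(block_hash, [(txid, amount)])],
        holding only transactions that pay our deposit addresses (constructed input)."""
        # 1. Fork point: first height where our record and the node disagree.
        fork = 0
        while (fork < len(self.scanned) and fork < len(chain)
               and self.scanned[fork] == chain[fork][0]):
            fork += 1
        # 2. Reorg: forget deposits from replaced blocks, uncrediting if needed.
        for txid, dep in list(self.deposits.items()):
            if dep["height"] >= fork:
                if dep["credited"]:
                    self.balance -= dep["amount"]
                del self.deposits[txid]
        del self.scanned[fork:]
        # 3. Catch up on every unprocessed block, however many polls were missed.
        for height in range(fork, len(chain)):
            block_hash, txs = chain[height]
            for txid, amount in txs:
                self.deposits[txid] = {"height": height, "amount": amount,
                                       "credited": False}
            self.scanned.append(block_hash)
        # 4. Credit deposits that have reached the required depth.
        tip = len(chain) - 1
        for dep in self.deposits.values():
            if not dep["credited"] and tip - dep["height"] + 1 >= self.confirmations:
                dep["credited"] = True
                self.balance += dep["amount"]
        return self.balance
```

Because each poll compares stored block hashes against the node's chain rather than counting notifications, a missed poll or downtime only delays crediting, and a replaced block automatically reverses any credit that depended on it.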