finish deploy and bond

Author: serinko

ansible/nym-node/playbooks/group_vars/all.yml

@@ -10,23 +10,25 @@ ansible_ssh_private_key_file: ~/.ssh/<SSH_KEY>
 
 cli_url: "https://github.com/nymtech/nym/releases/download/nym-binaries-{{ nym_version }}/nym-cli"
 tunnel_manager_url: "https://github.com/nymtech/nym/raw/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh"
-quic_bridge_deployment_url: "https://github.com/nymtech/nym/blob/develop/scripts/nym-node-setup/quic_bridge_deployment.sh"
-
-operator_name: "<OPERATOR_NAME>"
-
-main_domain: "<DOMAIN>"
+quic_bridge_deployment_url: "https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/quic_bridge_deployment.sh"
 
 # NOTE: These values will be used globally unless overwritten per node in inventory/all
-
 ansible_user: root
 email: "<EMAIL>"
-website: "<WEBSITE>""
-description: "<NODE_PUBLIC_DESCRIPTION>"
-moniker: "<MONIKER>"
-description: "<DESCRIPTION>"
+website: "<WEBSITE>"    # it will be used in the description.toml
+description: "<NODE_PUBLIC_DESCRIPTION>" # or define per node in inventory/all
+
+# NOTE: 
+# Set these vars if you want them globally for all nodes
+# Per node in inventory/all will overwrite these global ones:
+hostname: ""            # this is a fallback, keep it and setup hostname per node in inventory/all
+# moniker: "<MONIKER>"
 # mode: <MODE>                            # entry-gateway/exit-gateway/mixnode 
 # wireguard_enabled: <WIREGUARD_ENABLED>  # true/false
 
+# NOTE: Possible vars to incule on landing page, etc.
+# operator_name: "<OPERATOR_NAME>"
+
 packages:
   - tmux
   - speedtest-cli
@@ -39,6 +41,5 @@ packages:
   - neovim
   - ca-certificates
   - jq
-  - curl
   - wget
   - ufw

ansible/nym-node/playbooks/inventory/all

@@ -6,7 +6,7 @@
 #
 # node1 ansible_host=<YOUR_SERVER_IP> ansible_user=<USER> hostname=<HOSTNAME> location=<LOCATION> email=<EMAIL> mode=<MODE> wireguard_enabled=<true/false> moniker=<MONIKER> description=<DESCRIPTION>>
 #
-# anything setup globaly can be removed from here 
+# anything setup globaly can be overwritten  
 # if provided here, it overwrites the global setting per node
 # 
 # example exit + wireguard gateway:
@@ -18,6 +18,4 @@
 # NOTE:
 # 
 # all examples above don't have defined user, email nor description as we use the definition from group_vars/main.yml without an attempt of overwriting it
-# all examples above don't have moniker defined as there is a function in /templates/description.toml.j2 deriving it from the hostname 
-
-
+# all examples above don't have moniker defined as there is a function in /templates/description.toml.j2 deriving it from the hostname

ansible/nym-node/roles/base/tasks/main.yml

@@ -1,6 +1,7 @@
 - name: Set hostname
   hostname:
     name: "{{ hostname }}"
+  when: hostname is defined and hostname | length > 0
 
 - name: Install aptitude 
   apt:

ansible/nym-node/roles/nginx/tasks/templates/nginx-site.conf.j2

@@ -1,6 +1,7 @@
 server {
     listen 80;
     listen [::]:80;
+
     server_name {{ hostname }};
 
     location / {

ansible/nym-node/roles/nginx/tasks/templates/wss-config.conf.j2

@@ -1,6 +1,6 @@
 server {
-    listen 9001 ssl;
-    listen [::]:9001 ssl;
+    listen 9001 ssl http2;
+    listen [::]:9001 ssl http2;
 
     server_name {{ hostname }};
 
@@ -10,7 +10,7 @@ server {
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     access_log /var/log/nginx/access.log;
-    error_log /var/log/nginx/error.log;
+    error_log  /var/log/nginx/error.log;
 
     location /favicon.ico {
         return 204;
@@ -19,10 +19,10 @@ server {
     }
 
     location / {
-        add_header 'Access-Control-Allow-Origin' '*';
-        add_header 'Access-Control-Allow-Credentials' 'true';
-        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD';
-        add_header 'Access-Control-Allow-Headers' '*';
+        add_header 'Access-Control-Allow-Origin' '*' always;
+        add_header 'Access-Control-Allow-Credentials' 'true' always;
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, HEAD' always;
+        add_header 'Access-Control-Allow-Headers' '*' always;
 
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;

ansible/nym-node/roles/nym/defaults/main.yml

@@ -1,19 +1,41 @@
-- name: Configure UFW rules
-  ufw:
-    rule: allow
-    port: "{{ item.port }}"
-    proto: "{{ item.proto }}"
-  loop:
-    - { port: 22, proto: tcp }
-    - { port: 80, proto: tcp }
-    - { port: 443, proto: tcp }
-    - { port: 1789, proto: tcp }
-    - { port: 1790, proto: tcp }
-    - { port: 8080, proto: tcp }
-    - { port: 9000, proto: tcp }
-    - { port: 9001, proto: tcp }
-    - { port: 51822, proto: udp }
-
-- name: Enable UFW
-  ufw:
-    state: enabled
+---
+# Where binaries live
+nym_install_dir: /root/nym-binaries
+
+# nym-node run arguments (defaults, can be overridden per host/group)
+mode: "gateway"                          # maps to --mode
+http_bind_address: "0.0.0.0:8080"        # maps to --http-bind-address
+mixnet_bind_address: "0.0.0.0:1789"      # maps to --mixnet-bind-address
+location: "unknown"                      # maps to --location
+
+# WireGuard boolean
+wireguard_enabled: "{{ wireguard_enabled | default(false) | bool }}"
+
+# Landing page base dir, hostname is appended in the task
+landing_page_assets_base_dir: "/var/www"
+
+# Flag toggles
+accept_operator_terms: true              # controls --accept-operator-terms-and-conditions
+nym_write_flag: true                     # controls -w
+nym_init_only_flag: true                 # controls --init-only
+wss_port: 9001                           # controlls --announce-wss-port
+
+# Optional: extra flags if you want to append more later
+nym_extra_flags: ""
+
+# CLI URL (nym_version can be set elsewhere / via GitHub API)
+nym_cli_url: "https://github.com/nymtech/nym/releases/download/{{ nym_version }}/nym-cli"
+
+# UFW
+nym_ufw_enable: true
+
+nym_ufw_rules:
+  - { port: 22,    proto: tcp }
+  - { port: 80,    proto: tcp }
+  - { port: 443,   proto: tcp }
+  - { port: 1789,  proto: tcp }
+  - { port: 1790,  proto: tcp }
+  - { port: 8080,  proto: tcp }
+  - { port: 9000,  proto: tcp }
+  - { port: 9001,  proto: tcp }
+  - { port: 51822, proto: udp }

ansible/nym-node/roles/nym/tasks/config.yml

@@ -0,0 +1,38 @@
+---
+# Useful when the host is behind a NAT
+- name: Fetch the public IP address
+  command: "curl -4 canhazip.com"
+  register: ipv4
+  changed_when: false
+  failed_when: false
+
+- name: Set public IP address
+  set_fact:
+    public_ip: "{{ ipv4.stdout | default(ansible_default_ipv4.address) }}"
+
+- name: Initialize nym node
+  # Delete the part from --hostname onward if you run  mode=mixnode only
+  command:
+    cmd: >
+      {{ nym_install_dir }}/nym-node run
+      --mode {{ mode }}
+      --public-ips {{ public_ip }}
+      --http-bind-address {{ http_bind_address }}
+      --mixnet-bind-address {{ mixnet_bind_address }}
+      --location {{ location }}
+      {% if accept_operator_terms %}--accept-operator-terms-and-conditions{% endif %}
+
+      {{ nym_extra_flags }}
+
+      --hostname {{ hostname }}
+      --wireguard-enabled {{ wireguard_enabled }}
+      --landing-page-assets-path {{ landing_page_assets_base_dir }}/{{ hostname }}/
+      {% if nym_write_flag %}-w{% endif %}
+      {% if nym_init_only_flag %}--init-only{% endif %}
+      --announce-wss-port {{ wss_port }}
+
+
+- name: Update nym description
+  template:
+    src: description.toml.j2
+    dest: /root/.nym/nym-nodes/default-nym-node/data/description.toml

ansible/nym-node/roles/nym/tasks/firewall.yml

@@ -0,0 +1,25 @@
+- name: Configure UFW rules
+  ufw:
+    rule: allow
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+    comment: "{{ item.comment | default(omit) }}"
+  loop: "{{ nym_ufw_rules }}"
+  loop_control:
+    label: "{{ item.port }}/{{ item.proto }}"
+  when:
+    - nym_ufw_enable
+    - item.when | default(true)
+
+- name: Allow bandwidth/topup rule inside WG tunnel
+  command: >
+    ufw allow in on nymwg to any port 51830 proto tcp comment 'bandwidth queries/topup'
+  when:
+    - nym_ufw_enable
+    - (wireguard_enabled | bool)
+
+- name: Enable UFW
+  ufw:
+    state: enabled
+  when:
+    nym_ufw_enable

ansible/nym-node/roles/nym/tasks/install.yml

@@ -0,0 +1,34 @@
+---
+- name: Create nym directory
+  file:
+    path: "{{ nym_install_dir }}"
+    state: directory
+    mode: "0755"
+
+- name: Get latest Nym release metadata
+  uri:
+    url: https://api.github.com/repos/nymtech/nym/releases/latest
+    return_content: yes
+  register: latest_release
+  when: nym_version is not defined or nym_version == 'latest'
+
+- name: Set nym_version from GitHub API
+  set_fact:
+    nym_version: "{{ latest_release.json.tag_name }}"
+  when: nym_version is not defined or nym_version == 'latest'
+
+- name: Set binary URL
+  set_fact:
+    binary_url: "https://github.com/nymtech/nym/releases/download/{{ nym_version }}/nym-node"
+
+- name: Download nym-node binary
+  get_url:
+    url: "{{ binary_url }}"
+    dest: "{{ nym_install_dir }}/nym-node"
+    mode: "0755"
+
+- name: Download nym-cli binary
+  get_url:
+    url: "{{ nym_cli_url }}"
+    dest: "{{ nym_install_dir }}/nym-cli"
+    mode: "0755"

ansible/nym-node/roles/nym/tasks/main.yml

@@ -1,70 +1,12 @@
-- name: Create nym directory
-  file:
-    path: "/root/nym-binaries"
-    state: directory
-    mode: "0755"
+---
+- name: Install Nym binaries
+  import_tasks: install.yml
 
-- name: Get latest Nym release metadata
-  uri:
-    url: https://api.github.com/repos/nymtech/nym/releases/latest
-    return_content: yes
-  register: latest_release
-  when: nym_version is not defined
+- name: Configure Nym node
+  import_tasks: config.yml
 
-- name: Set nym_version from GitHub API
-  set_fact:
-    nym_version: "{{ latest_release.json.tag_name }}"
-  when: nym_version is not defined
+- name: Configure firewall for Nym
+  import_tasks: firewall.yml
 
-- name: Generate binary_url from version
-  set_fact:
-    binary_url: "https://github.com/nymtech/nym/releases/download/{{ nym_version }}/nym-node"
-
-- name: Download nym-node binary
-  get_url:
-    url: "{{ binary_url }}"
-    dest: "/root/nym-binaries/nym-node"
-    mode: "0755"
-
-- name: Download nym-cli binary
-  get_url:
-    url: "{{ cli_url }}"
-    dest: "/root/nym-binaries/nym-cli"
-    mode: "0755"
-
-- name: Template systemd service
-  tags: systemctl
-  template:
-    src: nym-node.service.j2
-    dest: /etc/systemd/system/nym-node.service
-
-# Useful when the host is behind a NAT
-- name: Fetch the public IP address
-  command: "curl -4 canhazip.com"
-  register: ipv4
-  changed_when: false
-
-- name: Show IP address
-  debug:
-    msg: "{{ ipv4.stdout }}"
-
-- name: Set public IP address based on curl result
-  set_fact:
-    public_ip: "{{ ipv4.stdout if ipv4.rc == 0 else ansible_default_ipv4.address }}"
-
-- name: Initialize nym node
-  command:
-    cmd: "/root/nym-binaries/nym-node run --mode {{ mode }} --public-ips {{ public_ip }} --hostname {{ hostname }} --http-bind-address 0.0.0.0:8080 --mixnet-bind-address 0.0.0.0:1789 --location {{ location }} --accept-operator-terms-and-conditions --wireguard-enabled {{ wireguard_enabled }} --landing-page-assets-path /var/www/{{ hostname }}/ -w  --init-only"
-
-- name: Update nym description
-  template:
-    src: description.toml.j2
-    dest: /root/.nym/nym-nodes/default-nym-node/data/description.toml
-
-- name: Enable and start nym service
-  tags: systemctl
-  systemd:
-    name: nym-node
-    enabled: yes
-    state: started
-    daemon_reload: yes
+- name: Configure and start Nym service
+  import_tasks: service.yml