checkpoint - pre-postgres ssl.

ansible/build-node-bin.yaml

@@ -0,0 +1,19 @@
+---
+- name: Check out go-obscuro if node_binary_stat.stat.exists is false
+  ansible.builtin.git:
+    repo: https://github.com/obscuronet/go-obscuro.git
+    dest: ./go-obscuro
+    version: "{{ node_version }}"
+
+- name: Ensure Go dependencies are fetched
+  ansible.builtin.command: >
+    /usr/local/go/bin/go build
+  args:
+    chdir: ./go-obscuro/go/node/cmd
+
+- name: Copy node binary to current directory
+  ansible.builtin.copy:
+    src: ./go-obscuro/go/node/cmd/cmd
+    dest: ./start-node
+    remote_src: true
+    mode: '0755'

ansible/files/network_vars.yml

@@ -3,8 +3,9 @@ ten_network: "sepolia"
 loki_metrics_uri: "https://metrics.ten.xyz:3443/loki/api/v1/push"
 loki_username: "ten"
 loki_password: "ten"
-enclave_docker_build_tag: "testnetobscuronet.azurecr.io/obscuronet/enclave:v0.27.0"
-host_docker_build_tag: "testnetobscuronet.azurecr.io/obscuronet/host:v0.27.0"
+node_version: "v0.27.0"
+enclave_docker_build_tag: "testnetobscuronet.azurecr.io/obscuronet/enclave:{{ node_version }}"
+host_docker_build_tag: "testnetobscuronet.azurecr.io/obscuronet/host:{{ node_version }}"
 l2_batch_interval: "1s"
 l2_max_batch_interval: "1s"
 l2_rollup_interval: "15m"

ansible/files/node.env.example

@@ -4,4 +4,4 @@ HOST_PUBLIC_P2P_ADDR=<externally resolvable IP or DNS name>
 HOST_P2P_PORT=<port for above HOST_PUBLIC_P2P_ADDR>
 L1_WS_URL=<ws to l1 node, i.e. geth or infura>
 LOG_LEVEL=<logging depth>
-POSTGRES_DB_HOST=<your postgres instance if using external>
+POSTGRES_DB_HOST=<your postgres instance if using external> # ONLY EXTERNAL

ansible/files/postgres_install.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Install docker-compose from script if not already installed
+if ! command -v docker-compose &> /dev/null; then
+  echo "docker-compose not found. Installing..."
+  curl -SL https://github.com/docker/compose/releases/download/v2.17.2/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
+  sudo chmod +x /usr/local/bin/docker-compose
+fi
+
+# Define network name
+NETWORK_NAME="node_network"
+
+# Check if the network exists
+if ! docker network ls | grep -q "$NETWORK_NAME"; then
+  echo "Network $NETWORK_NAME does not exist. Creating it..."
+  docker network create "$NETWORK_NAME"
+else
+  echo "Network $NETWORK_NAME already exists."
+fi
+
+# Clean up
+docker stop obscuronode-postgres
+docker rm obscuronode-postgres
+rm -rf ./postgres
+
+# Create necessary directories
+mkdir -p ./postgres/certs
+mkdir -p ./postgres/initdb
+
+# Generate SSL certificates
+openssl req -new -newkey rsa:2048 -nodes -keyout ./postgres/certs/server.key -out ./postgres/certs/server.csr -subj "/CN=localhost"
+openssl x509 -req -days 365 -in ./postgres/certs/server.csr -signkey ./postgres/certs/server.key -out ./postgres/certs/server.crt
+
+# Create Dockerfile
+cat <<EOL > ./postgres/Dockerfile
+FROM postgres:latest
+
+COPY ./certs/server.crt /var/lib/postgresql/server.crt
+COPY ./certs/server.key /var/lib/postgresql/server.key
+
+RUN chown postgres:postgres /var/lib/postgresql/server.crt /var/lib/postgresql/server.key \\
+    && chmod 600 /var/lib/postgresql/server.crt /var/lib/postgresql/server.key
+
+# Configure PostgreSQL to use SSL
+RUN echo "ssl = on" >> /usr/share/postgresql/postgresql.conf \\
+    && echo "ssl_cert_file = '/var/lib/postgresql/server.crt'" >> /usr/share/postgresql/postgresql.conf \\
+    && echo "ssl_key_file = '/var/lib/postgresql/server.key'" >> /usr/share/postgresql/postgresql.conf
+EOL
+
+# Create docker-compose.yml
+cat <<EOL > ./docker-compose.yml
+version: '3.8'  # Specify the version of docker-compose
+
+services:
+  postgres:
+    build: ./postgres
+    container_name: obscuronode-postgres
+    environment:
+      POSTGRES_PASSWORD: pass
+    ports:
+      - "5432:5432"
+    networks:
+      - node_network
+
+networks:
+  node_network:
+    external: true
+EOL
+
+# Build and run the Docker Compose setup
+docker-compose -p obscuronode-postgres up --build -d

ansible/node-install.yaml

@@ -0,0 +1,96 @@
+---
+- name: Create directory /home/obscuro
+  ansible.builtin.file:
+    path: /home/obscuro
+    state: directory
+    mode: '0755'
+
+- name: Create directory /home/obscuro/promtail
+  ansible.builtin.file:
+    path: /home/obscuro/promtail
+    state: directory
+    mode: '0755'
+
+- name: Create promtail-config.yaml
+  vars:
+    hostname: "{{ host_id }}-{{ environment }}-external"
+  ansible.builtin.copy:
+    dest: /home/obscuro/promtail/promtail-config.yaml
+    mode: '0644'
+    content: |
+      server:
+        http_listen_port: 9080
+        grpc_listen_port: 0
+
+      positions:
+        filename: /tmp/positions.yaml
+
+      clients:
+        - url: "{{ loki_metrics_uri }}"
+          batchwait: 3s
+          batchsize: 1048576
+          tls_config:
+            insecure_skip_verify: true
+          basic_auth:
+            username: "{{ loki_username }}"
+            password: "{{ loki_password }}"
+
+      scrape_configs:
+      - job_name: flog_scrape
+        docker_sd_configs:
+          - host: unix:///var/run/docker.sock
+            refresh_interval: 5s
+        relabel_configs:
+          - source_labels: ["__meta_docker_container_name"]
+            regex: "/(.*)"
+            target_label: "container"
+          - source_labels: ["__meta_docker_container_log_stream"]
+            target_label: "logstream"
+          - source_labels: ["__meta_docker_container_label_logging_jobname"]
+            target_label: "job"
+          - replacement: "{{ hostname }}"
+            target_label: "node_name"
+
+- name: Run promtail container
+  community.docker.docker_container:
+    name: promtail
+    image: grafana/promtail:latest
+    state: started
+    restart_policy: always
+    network_mode: node_network
+    env:
+      HOSTNAME: "{{ hostname }}"
+    volumes:
+      - /var/log:/var/log
+      - /home/obscuro/promtail:/etc/promtail
+      - /var/lib/docker/containers:/var/lib/docker/containers:ro
+      - /var/run/docker.sock:/var/run/docker.sock
+    command: >
+      -config.file=/etc/promtail/promtail-config.yaml
+      -config.expand-env=true
+
+- name: Run go-ten node
+  ansible.builtin.command: >
+    ./start-node
+    -is_genesis=false
+    -node_type=validator
+    -is_sgx_enabled=true
+    -host_id={{ host_id }}
+    -l1_ws_url={{ l1_ws_url }}
+    -management_contract_addr={{ management_contract_addr }}
+    -message_bus_contract_addr={{ message_bus_contract_addr }}
+    -l1_start={{ l1_start_hash }}
+    -private_key={{ private_key }}
+    -sequencer_addr={{ sequencer_addr }}
+    -host_public_p2p_addr={{ host_public_p2p_addr }}
+    -host_p2p_port=10000
+    -enclave_docker_image={{ enclave_docker_build_tag }}
+    -host_docker_image={{ host_docker_build_tag }}
+    -is_debug_namespace_enabled=true
+    -log_level={{ log_level }}
+    -batch_interval={{ l2_batch_interval }}
+    -max_batch_interval={{ l2_max_batch_interval }}
+    -rollup_interval={{ l2_rollup_interval }}
+    -l1_chain_id={{ l1_chain_id }}
+    -postgres_db_host={{ postgres_db_host }}
+    start

ansible/postgres-install.yaml

@@ -0,0 +1,126 @@
+---
+- name: Check if docker-compose is installed
+  ansible.builtin.stat:
+    path: /usr/local/bin/docker-compose
+  register: docker_compose_stat
+
+- name: Download docker-compose and make executable
+  ansible.builtin.get_url:
+    url: https://github.com/docker/compose/releases/download/v2.29.6/docker-compose-linux-x86_64
+    dest: /usr/local/bin/docker-compose
+    mode: '0755'
+  when: not docker_compose_stat.stat.exists
+
+- name: Check if Docker network exists
+  ansible.builtin.shell: |
+    docker network ls --filter name=node_network --format "{{ '{{' }}.Name{{ '}}' }}"
+  register: docker_network_check
+  changed_when: false
+
+- name: Create Docker network if it does not exist
+  ansible.builtin.shell: |
+    docker network create --driver bridge node_network
+  when: docker_network_check.stdout != "node_network"
+
+- name: Create docker-compose.yml
+  ansible.builtin.copy:
+    dest: ./docker-compose.yml
+    mode: '0644'
+    content: |
+      version: '3.8'
+
+      services:
+        postgres:
+          build: ./postgres
+          container_name: obscuronode-postgres
+          environment:
+            POSTGRES_PASSWORD: pass
+          ports:
+            - "5432:5432"
+          networks:
+            - node_network
+
+      networks:
+        node_network:
+          external: true
+
+- name: Stop and remove old Postgres container
+  ansible.builtin.shell: |
+    docker stop obscuronode-postgres || true && docker rm obscuronode-postgres || true
+
+- name: Remove old PostgreSQL directory
+  ansible.builtin.file:
+    path: ./postgres
+    state: absent
+
+- name: Create necessary directories for PostgreSQL setup
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - ./postgres/certs
+    - ./postgres/initdb
+
+- name: Install openssl
+  ansible.builtin.package:
+    name:
+      - openssl
+      - libssl-dev
+    state: present
+
+- name: Generate SSL private key
+  community.crypto.openssl_privatekey:
+    path: ./postgres/certs/server.key
+    size: 2048
+
+- name: Generate SSL CSR
+  community.crypto.openssl_csr:
+    path: ./postgres/certs/server.csr
+    privatekey_path: ./postgres/certs/server.key
+    common_name: localhost
+
+- name: Generate SSL certificate
+  community.crypto.x509_certificate:
+    path: ./postgres/certs/server.crt
+    csr_path: ./postgres/certs/server.csr
+    privatekey_path: ./postgres/certs/server.key
+    provider: selfsigned
+    selfsigned_notAfter: "99991231235959Z"  # Set to a far future date
+
+- name: Create Dockerfile for PostgreSQL
+  ansible.builtin.copy:
+    dest: ./postgres/Dockerfile
+    mode: '0644'
+    content: |
+      FROM postgres:latest
+
+      COPY ./certs/server.crt /var/lib/postgresql/server.crt
+      COPY ./certs/server.key /var/lib/postgresql/server.key
+
+      RUN chown postgres:postgres /var/lib/postgresql/server.crt /var/lib/postgresql/server.key \
+          && chmod 600 /var/lib/postgresql/server.crt /var/lib/postgresql/server.key
+
+      RUN echo "ssl = on" >> /usr/share/postgresql/postgresql.conf \
+          && echo "ssl_cert_file = '/var/lib/postgresql/server.crt'" >> /usr/share/postgresql/postgresql.conf \
+          && echo "ssl_key_file = '/var/lib/postgresql/server.key'" >> /usr/share/postgresql/postgresql.conf
+
+- name: Run Docker Compose with custom path
+  ansible.builtin.command: docker-compose up --build -d
+  become: true
+
+- name: Set postgres_db_host based on docker container and port
+  ansible.builtin.set_fact:
+    postgres_db_host: "postgres://postgres:pass@obscuronode-postgres:5432/"
+
+- name: Install psql
+  ansible.builtin.package:
+    name:
+      - postgresql-client
+    state: present
+
+- name: Test postgres with psql
+  ansible.builtin.command: >
+    psql "postgres://postgres:pass@0.0.0.0:5432/postgres" -c 'SELECT 1'
+  register: psql_test
+  failed_when: psql_test.rc != 0