@@ -25,6 +25,7 @@ entrypointIp=
|
||||
publicNetwork=
|
||||
netBasename=
|
||||
sshPrivateKey=
|
||||
letsEncryptDomainName=
|
||||
externalNodeSshKey=
|
||||
sshOptions=()
|
||||
fullnodeIpList=()
|
||||
|
25
net/gce.sh
25
net/gce.sh
@@ -67,6 +67,7 @@ externalNodes=false
|
||||
failOnValidatorBootupFailure=true
|
||||
|
||||
publicNetwork=false
|
||||
letsEncryptDomainName=
|
||||
enableGpu=false
|
||||
customAddress=
|
||||
zones=()
|
||||
@@ -122,6 +123,9 @@ Manage testnet instances
|
||||
* For EC2, [address] is the "allocation ID" of the desired
|
||||
Elastic IP.
|
||||
-d [disk-type] - Specify a boot disk type (default None) Use pd-ssd to get ssd on GCE.
|
||||
--letsencrypt [dns name] - Attempt to generate a TLS certificate using this
|
||||
DNS name (useful only when the -a and -P options
|
||||
are also provided)
|
||||
|
||||
config-specific options:
|
||||
-P - Use public network IP addresses (default: $publicNetwork)
|
||||
@@ -136,14 +140,28 @@ EOF
|
||||
exit $exitcode
|
||||
}
|
||||
|
||||
|
||||
command=$1
|
||||
[[ -n $command ]] || usage
|
||||
shift
|
||||
[[ $command = create || $command = config || $command = info || $command = delete ]] ||
|
||||
usage "Invalid command: $command"
|
||||
|
||||
while getopts "h?p:Pn:c:r:z:gG:a:d:uxf" opt; do
|
||||
shortArgs=()
|
||||
while [[ -n $1 ]]; do
|
||||
if [[ ${1:0:2} = -- ]]; then
|
||||
if [[ $1 = --letsencrypt ]]; then
|
||||
letsEncryptDomainName="$2"
|
||||
shift 2
|
||||
else
|
||||
usage "Unknown long option: $1"
|
||||
fi
|
||||
else
|
||||
shortArgs+=("$1")
|
||||
shift
|
||||
fi
|
||||
done
|
||||
|
||||
while getopts "h?p:Pn:c:r:z:gG:a:d:uxf" opt "${shortArgs[@]}"; do
|
||||
case $opt in
|
||||
h | \?)
|
||||
usage
|
||||
@@ -199,7 +217,6 @@ while getopts "h?p:Pn:c:r:z:gG:a:d:uxf" opt; do
|
||||
;;
|
||||
esac
|
||||
done
|
||||
shift $((OPTIND - 1))
|
||||
|
||||
[[ ${#zones[@]} -gt 0 ]] || zones+=("$(cloud_DefaultZone)")
|
||||
|
||||
@@ -328,6 +345,7 @@ prepareInstancesAndWriteConfigFile() {
|
||||
netBasename=$prefix
|
||||
publicNetwork=$publicNetwork
|
||||
sshPrivateKey=$sshPrivateKey
|
||||
letsEncryptDomainName=$letsEncryptDomainName
|
||||
EOF
|
||||
fi
|
||||
touch "$geoipConfigFile"
|
||||
@@ -598,6 +616,7 @@ $(
|
||||
disable-background-upgrades.sh \
|
||||
create-solana-user.sh \
|
||||
add-solana-user-authorized_keys.sh \
|
||||
install-certbot.sh \
|
||||
install-earlyoom.sh \
|
||||
install-libssl-compatability.sh \
|
||||
install-nodejs.sh \
|
||||
|
17
net/net.sh
17
net/net.sh
@@ -372,6 +372,23 @@ startNode() {
|
||||
(
|
||||
set -x
|
||||
startCommon "$ipAddress"
|
||||
|
||||
if [[ $nodeType = blockstreamer ]] && [[ -n $letsEncryptDomainName ]]; then
|
||||
#
|
||||
# Create/renew TLS certificate
|
||||
#
|
||||
declare localArchive=~/letsencrypt-"$letsEncryptDomainName".tgz
|
||||
if [[ -r "$localArchive" ]]; then
|
||||
timeout 30s scp "${sshOptions[@]}" "$localArchive" "$ipAddress:letsencrypt.tgz"
|
||||
fi
|
||||
ssh "${sshOptions[@]}" -n "$ipAddress" \
|
||||
"sudo -H /certbot-restore.sh $letsEncryptDomainName maintainers@solana.com"
|
||||
rm -f letsencrypt.tgz
|
||||
timeout 30s scp "${sshOptions[@]}" "$ipAddress:/letsencrypt.tgz" letsencrypt.tgz
|
||||
test -s letsencrypt.tgz # Ensure non-empty before overwriting $localArchive
|
||||
cp letsencrypt.tgz "$localArchive"
|
||||
fi
|
||||
|
||||
ssh "${sshOptions[@]}" -n "$ipAddress" \
|
||||
"./solana/net/remote/remote-node.sh \
|
||||
$deployMethod \
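Review bot: The fetched `letsencrypt.tgz` — a tarball of the node's `/etc/letsencrypt`, which the new `certbot-restore.sh` shows includes `live/$domain/privkey.pem` — is copied into `$localArchive` with the caller's default umask, and the working copy is left behind in the current directory after the `cp`. Tighten the handling after `test -s letsencrypt.tgz`: `install -m 600 letsencrypt.tgz "$localArchive"` followed by `rm -f letsencrypt.tgz`, so the key material lives only in the home-directory archive with owner-only permissions. The `test -s` guard only prevents the overwrite if the subshell is running under `set -e`, which is not visible in the hunk; otherwise an empty download still reaches the `cp`. `startNode` begins and ends outside the hunk.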
|
||||
|
@@ -223,6 +223,13 @@ local|tar)
|
||||
if [[ -z $stakeNodesInGenesisBlock ]]; then
|
||||
./multinode-demo/drone.sh > drone.log 2>&1 &
|
||||
fi
|
||||
|
||||
# Grab the TLS cert generated by /certbot-restore.sh
|
||||
if [[ -f /.cert.pem ]]; then
|
||||
sudo install -o $UID -m 400 /.cert.pem /.key.pem .
|
||||
ls -l .cert.pem .key.pem
|
||||
fi
|
||||
|
||||
export BLOCKEXPLORER_GEOIP_WHITELIST=$PWD/net/config/geoip.yml
|
||||
npm install @solana/blockexplorer@1
|
||||
npx solana-blockexplorer > blockexplorer.log 2>&1 &
|
||||
|
@@ -81,7 +81,7 @@
|
||||
"FromPort": 3001,
|
||||
"IpRanges": [
|
||||
{
|
||||
"Description": "blockexplorer API port",
|
||||
"Description": "blockexplorer http API port",
|
||||
"CidrIp": "0.0.0.0/0"
|
||||
}
|
||||
],
|
||||
@@ -91,7 +91,26 @@
|
||||
"Ipv6Ranges": [
|
||||
{
|
||||
"CidrIpv6": "::/0",
|
||||
"Description": "blockexplorer API port"
|
||||
"Description": "blockexplorer http API port"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"PrefixListIds": [],
|
||||
"FromPort": 3443,
|
||||
"IpRanges": [
|
||||
{
|
||||
"Description": "blockexplorer https API port",
|
||||
"CidrIp": "0.0.0.0/0"
|
||||
}
|
||||
],
|
||||
"ToPort": 3443,
|
||||
"IpProtocol": "tcp",
|
||||
"UserIdGroupPairs": [],
|
||||
"Ipv6Ranges": [
|
||||
{
|
||||
"CidrIpv6": "::/0",
|
||||
"Description": "blockexplorer https API port"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
51
net/scripts/install-certbot.sh
Executable file
51
net/scripts/install-certbot.sh
Executable file
@@ -0,0 +1,51 @@
|
||||
#!/usr/bin/env bash
|
||||
set -ex
|
||||
|
||||
[[ $(uname) = Linux ]] || exit 1
|
||||
[[ $USER = root ]] || exit 1
|
||||
|
||||
add-apt-repository --yes ppa:certbot/certbot
|
||||
apt-get --assume-yes install certbot
|
||||
|
||||
cat > /certbot-restore.sh <<'EOF'
|
||||
#!/usr/bin/env bash
|
||||
set -e
|
||||
|
||||
domain=$1
|
||||
email=$2
|
||||
|
||||
if [[ $USER != root ]]; then
|
||||
echo "Run as root"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ -f /.cert.pem ]]; then
|
||||
echo "Certificate already initialized"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
set -x
|
||||
if [[ -r letsencrypt.tgz ]]; then
|
||||
tar -C / -zxf letsencrypt.tgz
|
||||
fi
|
||||
|
||||
cd /
|
||||
rm -f letsencrypt.tgz
|
||||
|
||||
maybeDryRun=
|
||||
# Uncomment during testing to avoid hitting LetsEncrypt API limits while iterating
|
||||
#maybeDryRun="--dry-run"
|
||||
|
||||
certbot certonly --standalone -d "$domain" --email "$email" --agree-tos -n $maybeDryRun
|
||||
|
||||
tar zcf letsencrypt.tgz /etc/letsencrypt
|
||||
ls -l letsencrypt.tgz
|
||||
|
||||
# Copy certificates to / for easy access without knowing the value of "$domain"
|
||||
rm -f /.key.pem /.cert.pem
|
||||
cp /etc/letsencrypt/live/$domain/privkey.pem /.key.pem
|
||||
cp /etc/letsencrypt/live/$domain/cert.pem /.cert.pem
|
||||
|
||||
EOF
|
||||
|
||||
chmod +x /certbot-restore.sh
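Review bot: `tar zcf letsencrypt.tgz /etc/letsencrypt` runs as root in `/` with the default umask, so `/letsencrypt.tgz` — which bundles the certificate private key that the following lines copy out of `live/$domain/privkey.pem` — is created readable by every local user and is not removed on the success path (the `rm -f letsencrypt.tgz` precedes the `tar`, so it only clears a previous run's archive, and a later invocation returns at the `/.cert.pem` check before reaching it). Set `umask 077` before the `tar` (or `chmod 600 letsencrypt.tgz` right after it) and consider deleting the archive once the controller has fetched it. The key copy should also not depend on the source file's mode: `install -m 600 "/etc/letsencrypt/live/$domain/privkey.pem" /.key.pem` instead of `cp`, and quote `$domain` in both copies since it arrives from the command line.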
|