nimbus.mainnet: add two public Beacon API endpoints

These nodes are intended for testing by Community. https://ethereum.github.io/beacon-APIs/ https://github.com/status-im/infra-nimbus/issues/66 Signed-off-by: Jakub Sokołowski <jakub@status.im>
2021-10-04 13:42:33 +02:00 · 2021-10-04 13:42:33 +02:00 · 5f06c39644
parent 4ec73066ba
commit 5f06c39644
9 changed files with 87 additions and 2 deletions
--- a/ansible/host_vars/metal-01.he-eu-hel1.nimbus.mainnet.yml
+++ b/ansible/host_vars/metal-01.he-eu-hel1.nimbus.mainnet.yml
@ -0,0 +1,7 @@
+---
+# Communityu test REST API endpoint.
+beacon_node_rest_address: '0.0.0.0'
+
+# WARNING: This will change if number of nodes changes.
+redirect_ports:
+  - { src: 80, dst: 9304, comment: 'Test Beacon API (80->9304/tcp)' }
--- a/ansible/host_vars/metal-02.he-eu-hel1.nimbus.mainnet.yml
+++ b/ansible/host_vars/metal-02.he-eu-hel1.nimbus.mainnet.yml
@ -0,0 +1,7 @@
+---
+# Communityu test REST API endpoint.
+beacon_node_rest_address: '0.0.0.0'
+
+# WARNING: This will change if number of nodes changes.
+redirect_ports:
+  - { src: 80, dst: 9302, comment: 'Test Beacon API (80->9302/tcp)' }
--- a/ansible/mainnet.yml
+++ b/ansible/mainnet.yml
@ -23,6 +23,7 @@
  become: true
  hosts: nimbus-mainnet-metal
  roles:
+    - { role: redirect-ports,               tags: [ redirect-ports ] }
    - { role: get-geth-web3-urls,           tags: [ get-geth-web3-urls ] }
  tasks:
    - include_role: name=infra-role-beacon-node-linux
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -16,7 +16,7 @@

 - name: infra-role-bootstrap-linux
  src: git@github.com:status-im/infra-role-bootstrap-linux.git
-  version: 1c3598d71f948763d327e6bb81a5f9a3cdf5c063
+  version: 2468bfb373dd071a7ab7a068cdcc59472fd76a05
  scm: git

 - name: infra-role-bootstrap-windows
--- a/ansible/roles/redirect-ports/README.md
+++ b/ansible/roles/redirect-ports/README.md
@ -0,0 +1,20 @@
+# Description
+
+This role configures port redirects using [iptables](https://linux.die.net/man/8/iptables).
+
+# Configuration
+
+You can redirect multiple ports:
+```yaml
+redirect_ports:
+  - { src:  80, dst: 8080, comment: 'XYZ Service HTTP' }
+  - { src: 443, dst: 8443, comment: 'XYZ Service HTTPS' }
+```
+All configured ports are opened in the `SERVICES` chain and redirected using `PREROUTING` chain in the `nat` table:
+```
+ > sudo iptables -L PREROUTING -t nat   
+Chain PREROUTING (policy ACCEPT)
+target     prot opt source               destination         
+REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http  /* XYZ Service HTTP */ redir ports 8080
+REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https /* XYZ Service HTTPS */ redir ports 8443
+```
--- a/ansible/roles/redirect-ports/defaults/main.yml
+++ b/ansible/roles/redirect-ports/defaults/main.yml
@ -0,0 +1,3 @@
+---
+redirect_ports: []
+#  - { src: 80, dst: 8080 }
--- a/ansible/roles/redirect-ports/handlers/main.yml
+++ b/ansible/roles/redirect-ports/handlers/main.yml
@ -0,0 +1,3 @@
+---
+- name: Save iptables rules
+  shell: iptables-save > /etc/iptables/rules.v4
--- a/ansible/roles/redirect-ports/tasks/main.yml
+++ b/ansible/roles/redirect-ports/tasks/main.yml
@ -0,0 +1,28 @@
+---
+- name: 'Enable redirected {{ item.dst }} port'
+  iptables:
+    comment: '{{ item.comment | default("Open {{ item.dst }}") }}'
+    chain: 'SERVICES'
+    jump: 'ACCEPT'
+    source: '0.0.0.0/0'
+    protocol: '{{ item.protocol | default("tcp") }}'
+    destination_port: '{{ item.dst | string | mandatory }}'
+  with_items: '{{ redirect_ports }}'
+  notify:
+    - Save iptables rules
+    
+- name: 'Redirect {{ item.src }} to {{ item.dst }}'
+  iptables:
+    comment: '{{ item.comment | default("Redirect {{ item.src }} to {{ item.dst }}") }}'
+    table: 'nat'
+    chain: 'PREROUTING'
+    jump: 'REDIRECT'
+    action: insert
+    protocol: '{{ item.protocol | default("tcp") }}'
+    match: '{{ item.protocol | default("tcp") }}'
+    destination_port: '{{ item.src | string | mandatory }}'
+    to_ports: '{{ item.dst | string | mandatory }}'
+    in_interface: '{{ ansible_default_ipv4.interface }}'
+  with_items: '{{ redirect_ports }}'
+  notify:
+    - Save iptables rules
--- a/mainnet.tf
+++ b/mainnet.tf
@ -21,6 +21,23 @@ module "nimbus_nodes_mainnet_hetzner" {
  ]
 }

+/* Community test REST API endpoints. */
+resource "cloudflare_record" "unstable_mainnet_beacon_api" {
+  zone_id = local.zones["nimbus.team"]
+  name    = "unstable.mainnet.beacon-api"
+  value   = module.nimbus_nodes_mainnet_hetzner.public_ips[0]
+  type    = "A"
+  proxied = false
+}
+
+resource "cloudflare_record" "testing_mainnet_beacon_api" {
+  zone_id = local.zones["nimbus.team"]
+  name    = "testing.mainnet.beacon-api"
+  value   = module.nimbus_nodes_mainnet_hetzner.public_ips[1]
+  type    = "A"
+  proxied = false
+}
+
 /* WARNING: These are bootnodes and losing their IPs and private keys would be bad. */
 module "nimbus_nodes_mainnet_stable_small" {
  source = "github.com/status-im/infra-tf-amazon-web-services"
@ -48,4 +65,3 @@ module "nimbus_nodes_mainnet_stable_small" {
  secgroup_id  = module.nimbus_network.secgroup.id
  keypair_name = aws_key_pair.jakubgs.key_name
 }
-