From 86604067f7da70693268cf2f385ac960c2fdd5b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Soko=C5=82owski?=
Date: Thu, 3 Jun 2021 11:05:42 +0200
Subject: [PATCH] add initial setup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jakub SokoĊ‚owski
---
README.md | 33 +++++++++++++++++++++++++++++++++
defaults/main.yml | 42 ++++++++++++++++++++++++++++++++++++++++++
tasks/check.yml | 12 ++++++++++++
tasks/checks.yml | 13 +++++++++++++
tasks/firewall.yml | 18 ++++++++++++++++++
tasks/main.yml | 4 ++++
tasks/service.yml | 32 ++++++++++++++++++++++++++++++++
7 files changed, 154 insertions(+)
create mode 100644 README.md
create mode 100644 defaults/main.yml
create mode 100644 tasks/check.yml
create mode 100644 tasks/checks.yml
create mode 100644 tasks/firewall.yml
create mode 100644 tasks/main.yml
create mode 100644 tasks/service.yml
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f7a65d1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,33 @@
+# Description
+
+This role provisions a [Nimbus](https://nimbus.team/) installation that can act as an ETH2 network bootstrap node.
+
+# Ports
+
+The service exposes three ports by default:
+
+* `9000` - LibP2P peering port. Must __ALWAYS__ be public.
+* `9200` - JSON RPC port. Must __NEVER__ be public.
+* `9900` - Prometheus metrics port. Should not be public.
+
+# Configuration
+
+Minimum configuration would include.
+```yaml
+beacon_node_network: 'testnet0'
+# Infura Web Sockets URLs
+beacon_node_web3_urls: ['wss://mainnet.infura.io/ws/v3/123qwe123qwe123qwe']
+```
+The order of Web Socket URLs matters. First is the default, the rest are fallbacks.
+
+It might be useful to increase the log verbosity level:
+```yaml
+beacon_node_log_level: DEBUG
+```
+
+# Management
+
+The containers are managed using [WinSW](https://github.com/winsw/winsw).
+```
+TODO
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..2d41994
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,42 @@
+---
+# shared testnet name: medalla, toledo, pyrmont, etc.
+beacon_node_network: 'medalla'
+beacon_node_service_name: 'beacon-node-{{ beacon_node_network }}'
+beacon_node_service_path: 'C:\Users\{{ beacon_node_user }}\{{ beacon_node_service_name }}'
+
+beacon_node_log_level: 'INFO'
+beacon_node_data_folder: 'shared_{{ beacon_node_network }}_0'
+beacon_node_subscribe_all: false
+beacon_node_doppelganger_detection: true
+
+# For validation
+beacon_node_valid_network_names: ["toledo", "pyrmont", "prater", "mainnet", "steklo", "nocturne"]
+
+# Subfolders for separate read-only mounting
+beacon_node_secrets_path: '{{ beacon_node_service_path }}/data/{{ beacon_node_data_folder }}/secrets'
+
+# connectivity settings
+beacon_node_discovery_port: 9000
+beacon_node_listening_port: 9000
+beacon_node_public_address: '{{ ansible_host }}'
+beacon_node_max_peers: 160
+
+# metrics
+beacon_node_metrics_port: 9200
+
+# rpc / administrative
+beacon_node_rpc_port: 9900
+
+# resource limits, mem in MB
+beacon_node_mem_limit: '{{ (ansible_memtotal_mb * 0.5) | int }}'
+beacon_node_mem_reserve: '{{ (ansible_memtotal_mb * 0.4) | int }}'
+
+# Consul service definition settings
+beacon_node_consul_service_name: 'beacon-node'
+beacon_node_consul_service_file_name: '{{ beacon_node_consul_service_name | replace("-", "_") }}'
+beacon_node_consul_metrics_service_name: '{{ beacon_node_consul_service_name }}-metrics'
+
+# WebSocket RPC URLs, Goerli for testnets
+beacon_node_web3_urls: ['wss://goerli.infura.io/ws/v3/6224f3c792cc443fafb64e70a98f871e']
+
+beacon_node_slashing_db_kind: 'v2'
diff --git a/tasks/check.yml b/tasks/check.yml
new file mode 100644
index 0000000..bac4c8e
--- /dev/null
+++ b/tasks/check.yml
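Review bot: The default for `beacon_node_web3_urls` in defaults/main.yml embeds what looks like a real Infura project ID, so the credential is published with the repository and silently shared by every host that does not override it. Ship an empty default, `beacon_node_web3_urls: []`, so the "Verify web3 URLs are provided" assert forces each inventory to supply its own URL from a vault or secret store, and treat the committed ID as exposed. Separately, `beacon_node_metrics_port: 9200` and `beacon_node_rpc_port: 9900` are the reverse of what README.md documents (9200 RPC, 9900 metrics), which matters because the README singles out the RPC port as never-public. The default network `'medalla'` is also missing from `beacon_node_valid_network_names`, so the role's own network assert fails with stock defaults.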
@@ -0,0 +1,12 @@
+---
+- name: Verify web3 URLs are provided
+ assert:
+ that: '{{ beacon_node_web3_urls|length > 0 }}'
+ quiet: true
+ fail_msg: |
+ Providing Web3 URLs is required to sync with Eth1 chain!
+ Verify that the 'beacon_node_web3_urls' variable is set.
+
+- name: Verify network name
+ assert:
+ that: '{{ beacon_node_network in beacon_node_valid_network_names }}'
diff --git a/tasks/checks.yml b/tasks/checks.yml
new file mode 100644
index 0000000..9689aa5
--- /dev/null
+++ b/tasks/checks.yml
@@ -0,0 +1,13 @@
+---
+- name: Verify web3 URLs are provided
+ assert:
+ that: '{{ beacon_node_web3_urls|length > 0 }}'
+ quiet: true
+ fail_msg: |
+ Providing Web3 URLs is required to sync with Eth1 chain!
+ Verify that the 'beacon_node_web3_urls' variable is set.
+
+- name: Verify network name
+ assert:
+ that: '{{ beacon_node_network in beacon_node_valid_network_names }}'
+
diff --git a/tasks/firewall.yml b/tasks/firewall.yml
new file mode 100644
index 0000000..307adec
--- /dev/null
+++ b/tasks/firewall.yml
@@ -0,0 +1,18 @@
+---
+- name: 'Enable ports for: {{ beacon_node_service_name }}'
+ win_firewall_rule:
+ name: '{{ beacon_node_service_name }}-{{ rule.protocol }}'
+ description: 'Nimbus Eth2 Beacon Node ports'
+ action: 'allow'
+ direction: 'in'
+ state: 'present'
+ enabled: true
+ protocol: '{{ rule.protocol }}'
+ localport: '{{ rule.port }}'
+ with_items:
+ - { protocol: 'tcp', port: '{{ beacon_node_listening_port }}' }
+ - { protocol: 'udp', port: '{{ beacon_node_discovery_port }}' }
+ loop_control:
+ loop_var: rule
+ notify:
+ - Save iptables rules
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..b6b1eac
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- import_tasks: checks.yml
+- import_tasks: service.yml
+- import_tasks: firewall.yml
diff --git a/tasks/service.yml b/tasks/service.yml
new file mode 100644
index 0000000..0b3e42e
--- /dev/null
+++ b/tasks/service.yml
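Review bot: Both `that:` values in tasks/check.yml wrap the condition in `{{ }}`, which Ansible discourages because `that` is already evaluated as a Jinja expression, so the wrapper renders the condition to a string first and then evaluates that string again. Write them bare, e.g. `that: beacon_node_web3_urls | length > 0` and `that: beacon_node_network in beacon_node_valid_network_names`; the same applies to the identical tasks in tasks/checks.yml. tasks/check.yml itself looks like a stray duplicate, since tasks/main.yml imports only checks.yml, so this file is never run and should probably be dropped. The network assert would also benefit from a `fail_msg` that lists the accepted names.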
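Review bot: `notify: Save iptables rules` in tasks/firewall.yml names a Linux iptables handler, but the task uses `win_firewall_rule` and this commit adds no handlers file, so unless the handler is defined elsewhere the play will likely fail with a missing-handler error. The `notify` block can probably just be removed, as I would not expect Windows Firewall rules to need a separate save step. The rule sets neither `profiles` nor `remoteip`, which is reasonable for the public LibP2P port but deserves a comment such as `# P2P port is intentionally reachable from any remote address`. Only the listening and discovery ports are opened here, so the RPC and metrics listeners rely entirely on the host's default inbound policy remaining "block".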
@@ -0,0 +1,32 @@
+---
+- name: Create windows service
+ include_role: name=infra-role-winsw
+ vars:
+ winsw_service_id: 'beacon-node'
+ winsw_service_name: TODO
+ winsw_service_description: 'Service managed by WinSW'
+ winsw_service_user: TODO
+ winsw_service_exe_url: TODO
+ winsw_service_arguments: >
+ --network={{ beacon_node_network }}
+ --data-dir='/data/{{ beacon_node_data_folder }}'
+ {% for url in beacon_node_web3_urls | mandatory %}
+ --web3-url={{ url | mandatory }}
+ {% endfor %}
+ --nat=extip:{{ beacon_node_public_address }}
+ --log-level={{ beacon_node_log_level }}
+ --tcp-port={{ beacon_node_listening_port }}
+ --udp-port={{ beacon_node_discovery_port }}
+ --max-peers={{ beacon_node_max_peers }}
+ --netkey-file=/{{ beacon_node_netkey_cont_path }}
+ --slashing-db-kind={{ beacon_node_slashing_db_kind }}
+ --insecure-netkey-password=true
+ --subscribe-all-subnets={{ beacon_node_subscribe_all | to_json }}
+ --doppelganger-detection={{ beacon_node_doppelganger_detection | to_json }}
+ --rpc
+ --rpc-address=0.0.0.0
+ --rpc-port={{ beacon_node_rpc_port }}
+ --metrics
+ --metrics-address=0.0.0.0
+ --metrics-port={{ beacon_node_metrics_port }}
+
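Review bot: `--rpc-address=0.0.0.0` and `--metrics-address=0.0.0.0` bind the JSON-RPC and metrics listeners on every interface, although README.md says the RPC port must never be public; the only thing keeping them closed is that tasks/firewall.yml does not open them. Bind them to loopback or an internal address through variables, e.g. `--rpc-address={{ beacon_node_rpc_address | default('127.0.0.1') }}`, and likewise for metrics. `--insecure-netkey-password=true` is hard-coded, so if the network key does not have to be stored unprotected it should become a variable with a comment explaining the choice. `beacon_node_netkey_cont_path` (like `beacon_node_user` in defaults/main.yml) is not defined anywhere in this commit, and `winsw_service_name`, `winsw_service_user` and `winsw_service_exe_url` are still `TODO`, so the role cannot run as committed. The web3 URLs, which carry the provider key, are passed as command-line arguments and will presumably be readable wherever the WinSW service definition is stored.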