shards: enable native websocket port

Signed-off-by: Alexis Pentori <alexis@status.im>
2023-12-14 10:06:00 +01:00 · 2023-12-14 10:06:00 +01:00 · 85894a4713
parent c4b1eaf9ea
commit 85894a4713
6 changed files with 44 additions and 5 deletions
--- a/ansible/group_vars/boot.yml
+++ b/ansible/group_vars/boot.yml
@ -28,7 +28,7 @@ nim_waku_p2p_tcp_port: 30303
 nim_waku_metrics_port: 8008
 nim_waku_disc_v5_port: 9000
 nim_waku_rpc_tcp_port: 8545
-
+nim_waku_websock_port: 443
 # Limits
 nim_waku_p2p_max_connections: 300

@ -44,19 +44,33 @@ nim_waku_dns_disc_url: '{{ nim_waku_dns_disc_url_map[stage] }}'
 # Enable WebSockets via Websockify
 nim_waku_websockify_enabled: false

-# Enable websockets in Waku
-nim_waku_websocket_enabled: false
+# Websockets
+nim_waku_websocket_enabled: true
+nim_waku_websocket_secure_enabled: true
+nim_waku_websocket_domain: '{{ dns_entry }}'
+nim_waku_websocket_ssl_dir: '/etc/letsencrypt'
+nim_waku_websocket_ssl_cert: '/etc/letsencrypt/live/{{ nim_waku_websocket_domain }}/fullchain.pem'
+nim_waku_websocket_ssl_key: '/etc/letsencrypt/live/{{ nim_waku_websocket_domain }}/privkey.pem'

 # Consul Service
 nim_waku_consul_success_before_passing: 5
 nim_waku_consul_failures_before_warning: 2
 nim_waku_consul_failures_before_critical: 20

+# LetsEncrypt via Certbot
+certbot_docker_enabled: true
+certbot_admin_email: 'devops@status.im'
+certbot_containers_to_stop: ['websockify']
+certbot_certs:
+  - domains: [ '{{ nim_waku_websocket_domain }}' ]
+
 # Open LibP2P Ports
 open_ports_default_comment: '{{ nim_waku_cont_name }}'
 open_ports_default_chain: 'SERVICES'
 open_ports_default_protocol: 'tcp'
 open_ports_list:
+  - { port: '80', comment: 'Certbot verification' }
  - { port: '{{ nim_waku_p2p_tcp_port }}' }
  - { port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
  - { port: '{{ nim_waku_metrics_port }}', chain: 'VPN', ipset: 'metrics.hq' }
+  - { port: '{{ nim_waku_websock_port }}' }
--- a/ansible/group_vars/store.yml
+++ b/ansible/group_vars/store.yml
@ -28,6 +28,7 @@ nim_waku_p2p_tcp_port: 30303
 nim_waku_metrics_port: 8008
 nim_waku_disc_v5_port: 9000
 nim_waku_rpc_tcp_port: 8545
+nim_waku_websock_port: 443

 # Limits
 nim_waku_p2p_max_connections: 300
@ -48,19 +49,33 @@ nim_waku_dns_disc_url: '{{ nim_waku_dns_disc_url_map[stage] }}'
 # Enable WebSockets via Websockify
 nim_waku_websockify_enabled: false

-# Enable websockets in Waku
-nim_waku_websocket_enabled: false
+# Websockets
+nim_waku_websocket_enabled: true
+nim_waku_websocket_secure_enabled: true
+nim_waku_websocket_domain: '{{ dns_entry }}'
+nim_waku_websocket_ssl_dir: '/etc/letsencrypt'
+nim_waku_websocket_ssl_cert: '/etc/letsencrypt/live/{{ nim_waku_websocket_domain }}/fullchain.pem'
+nim_waku_websocket_ssl_key: '/etc/letsencrypt/live/{{ nim_waku_websocket_domain }}/privkey.pem'

 # Consul Service
 nim_waku_consul_success_before_passing: 5
 nim_waku_consul_failures_before_warning: 2
 nim_waku_consul_failures_before_critical: 20

+# LetsEncrypt via Certbot
+certbot_docker_enabled: true
+certbot_admin_email: 'devops@status.im'
+certbot_containers_to_stop: ['websockify']
+certbot_certs:
+  - domains: [ '{{ nim_waku_websocket_domain }}' ]
+
 # Open LibP2P Ports
 open_ports_default_comment: '{{ nim_waku_cont_name }}'
 open_ports_default_chain: 'SERVICES'
 open_ports_default_protocol: 'tcp'
 open_ports_list:
+  - { port: '80', comment: 'Certbot verification' }
  - { port: '{{ nim_waku_p2p_tcp_port }}' }
  - { port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
  - { port: '{{ nim_waku_metrics_port }}', chain: 'VPN', ipset: 'metrics.hq' }
+  - { port: '{{ nim_waku_websock_port }}' }
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -16,6 +16,7 @@
  roles:
        - { role: open-ports,       tags: open-ports }
        - { role: swap-file,        tags: swap-file  }
+        - { role: certbot,          tags: certbot    }
        - { role: nim-waku,         tags: nim-waku   }

 - name: Configure Waku Storage DB Nodes
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -28,6 +28,11 @@
  version: 304caa5d6af127042186380168e39d315cbb61a4
  scm: git

+- name: infra-role-certbot
+  src: git@github.com:status-im/infra-role-certbot.git
+  version: 41e768fe2e9212366c6a33aa8c2e30d0b2832e80
+  scm: git
+
 - name: infra-role-postgres-ha
  src: git@github.com:status-im/infra-role-postgres-ha.git
  version: c647a9f57deb791f1be724fe768be7bc9bf64921
--- a/hosts_boot.tf
+++ b/hosts_boot.tf
@ -19,6 +19,8 @@ module "boot" {
  /* firewall */
  open_tcp_ports = [
    "30303", /* p2p main */
+    "443",   /* websocket */
+    "80",    /* certbot */
  ]
  open_udp_ports = [
    "9000", /* discovery v5 */
--- a/hosts_store.tf
+++ b/hosts_store.tf
@ -19,6 +19,8 @@ module "store" {
  /* firewall */
  open_tcp_ports = [
    "30303", /* p2p main */
+    "443",   /* websocket */
+    "80",    /* certbot */
  ]
  open_udp_ports = [
    "9000", /* discovery v5 */