nim-waku: setup nodes

ansible/group_vars/all.yml

@@ -11,3 +11,6 @@ bootstrap__consul_certs_client_key: '{{lookup("bitwarden", "consul/certs",
 bootstrap__sshguard_whitelist_extra: ['{{lookup("bitwarden", "sshguard/whitelist", field="jakubgs-home")}}']
 # Wireguard
 wireguard_consul_acl_token: '{{lookup("bitwarden", "consul/acl-tokens", field="wireguard")}}'
+
+# TODO: cleanup after certbot role fixed
+certbot_services_to_stop: []

ansible/group_vars/waku.yml

@@ -0,0 +1,85 @@
+---
+
+# Tag dependent on fleet: test
+  # TODO: change to waku with CI on
+nim_waku_cont_tag: 'deploy-wakuv2-{{ stage }}'
+nim_waku_cont_name: 'nim-waku'
+nim_waku_log_level: 'debug'
+nim_waku_protocols_enabled: ['relay', 'filter', 'lightpush', 'peer-exchange']
+nim_waku_disc_v5_enabled: true
+nim_waku_dns4_domain_name: '{{ dns_entry }}'
+nim_waku_node_key: '{{lookup("bitwarden", "fleets/waku/"+stage+"/nodekeys", field=hostname)}}'
+
+# Subscribe to all shards
+nim_waku_pubsub_topics:
+  - '/waku/2/rs/1/0'
+  - '/waku/2/rs/1/1'
+  - '/waku/2/rs/1/2'
+  - '/waku/2/rs/1/3'
+  - '/waku/2/rs/1/4'
+  - '/waku/2/rs/1/5'
+  - '/waku/2/rs/1/6'
+  - '/waku/2/rs/1/7'
+
+# Ports
+nim_waku_p2p_tcp_port: 30303
+nim_waku_metrics_port: 8008
+nim_waku_disc_v5_port: 9000
+nim_waku_websock_port: 8000
+nim_waku_rpc_tcp_port: 8545
+
+# Limits
+nim_waku_p2p_max_connections: 300
+
+# Store
+nim_waku_store_message_retention_policy: 'time:2592000' # 30 days
+
+# DNS Discovery
+nim_waku_dns_disc_enabled: false
+#nim_waku_dns_disc_url: TODO launch the fleet with DNS disc disabled, construct and publish the tree and then update config
+
+# Enable WebSockets via Websockify
+nim_waku_websockify_enabled: false
+
+# Enable websockets in Waku
+# Could run into the issue of overflowing ENR might have to disable this.
+nim_waku_websocket_enabled: true 
+nim_waku_websocket_secure_enabled: true
+nim_waku_websocket_domain: '{{ dns_entry }}'
+nim_waku_websocket_ssl_dir: '/etc/letsencrypt'
+nim_waku_websocket_ssl_cert: '/etc/letsencrypt/live/{{ nim_waku_websocket_domain }}/fullchain.pem'
+nim_waku_websocket_ssl_key: '/etc/letsencrypt/live/{{ nim_waku_websocket_domain }}/privkey.pem'
+
+# Waku rln-relay parameters
+nim_waku_rln_relay_dynamic: true
+nim_waku_rln_relay_eth_contract_address: '0xF471d71E9b1455bBF4b85d475afb9BB0954A29c4'
+nim_waku_rln_relay_eth_client_address: 'ws://linux-01.ih-eu-mda1.nimbus.sepolia.wg:9557'
+nim_waku_rln_relay_tree_path: '/data/rln_relay_tree'
+
+# Consul Service
+nim_waku_consul_success_before_passing: 5
+nim_waku_consul_failures_before_warning: 2
+nim_waku_consul_failures_before_critical: 20
+
+# LetsEncrypt via Certbot
+certbot_docker_enabled: true
+certbot_admin_email: 'devops@status.im'
+certbot_containers_to_stop: ['{{ nim_waku_cont_name }}']
+certbot_certs:
+  - domains: [ '{{ nim_waku_websockify_domain }}' ]
+
+# Connection limits
+conn_limit_comment: 'WebSocket conn limit'
+conn_limit_limit: 20
+conn_limit_dport: '{{ nim_waku_websock_port }}'
+
+# Open LibP2P Ports
+open_ports_default_comment: '{{ nim_waku_cont_name }}'
+open_ports_default_chain: 'SERVICES'
+open_ports_default_protocol: 'tcp'
+open_ports_list:
+  - { port: '{{ nim_waku_p2p_tcp_port }}' }
+  - { port: '{{ nim_waku_disc_v5_port }}', protocol: 'udp' }
+  - { port: '{{ nim_waku_websock_port }}' }
+  - { port: '80', comment: 'Certbot verification' }
+  - { port: '{{ nim_waku_metrics_port }}', chain: 'VPN', ipset: 'metrics.hq' }

ansible/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Verify Ansible versions
+  hosts: all
+  tags: always
+  become: false
+  run_once: true
+  gather_facts: false
+  tasks:
+    - local_action: command ./versioncheck.py
+      changed_when: false
+
+- name: Configure Waku Nodes
+  hosts:
+    - waku
+  roles:
+    - { role: open-ports, tags: open-ports }
+    - { role: swap-file,  tags: swap-file  }
+    # TODO: check with Waku team if still needed:
+    # - { role: conn-limit, tags: conn-limit }
+    - { role: certbot,    tags: certbot    }
+    - { role: nim-waku,   tags: nim-waku   }