From 118523076b824acc664cf90a93b79778286e28fc Mon Sep 17 00:00:00 2001
From: otani
Date: Thu, 7 Mar 2024 09:49:38 +0200
Subject: [PATCH 01/11] feat: add basic auth for external node

---
 defaults/main.yml | 5 +++++
 templates/docker-compose.yaml.j2 | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index ad381f9..98f9615 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -62,6 +62,11 @@ enable_tls: false
 acme_email: ""
 domain_name: ""
+# Enable basic auth for external node
+enable_basic_auth: false
+basic_auth_username: ""
+basic_auth_secret: ""
+
 # Force restore pg database
 force_pg_restore: false
diff --git a/templates/docker-compose.yaml.j2 b/templates/docker-compose.yaml.j2
index cd9a9c4..eb0a8fd 100644
--- a/templates/docker-compose.yaml.j2
+++ b/templates/docker-compose.yaml.j2
@@ -69,6 +69,10 @@ services:
 - "traefik.http.routers.external_node_health.rule=PathPrefix(`/`)"
 - "traefik.http.routers.external_node_health.entrypoints=external_node_health"
 - "traefik.http.routers.external_node_health.service=external_node_health"
+{% if enable_basic_auth %}
+ - "traefik.http.routers.external_node_main.middlewares=external_node_auth"
+ - "traefik.http.middlewares.external_node_auth.basicauth.users={{ basic_auth_username }}:{{ basic_auth_secret }}"
+{% endif %}
 expose:
 - {{ rpc_http_port }}
 - {{ rpc_ws_port }}

From e3f7fe3c87a1611822b4fa0902dd0645765fc5b7 Mon Sep 17 00:00:00 2001
From: otani
Date: Thu, 7 Mar 2024 09:50:05 +0200
Subject: [PATCH 02/11] update doc

---
 README.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/README.md b/README.md
index be5e312..8dcd88a 100644
--- a/README.md
+++ b/README.md
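Review bot: The three new keys in defaults/main.yml share one comment that documents only the flag, while `basic_auth_secret` is rendered verbatim into a Traefik `basicauth.users` label by the template change in this same commit, so the format it must hold is stated nowhere. Proposed comments on the two values: `basic_auth_username: ""  # user name for the Traefik basicauth middleware` and `basic_auth_secret: ""  # htpasswd-style password hash for basic_auth_username, never the plaintext password`. Because it is a credential, it also belongs in the README's list of variables recommended for ansible-vault next to `database_username`.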
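Review bot: Nothing in the template rejects the case where `enable_basic_auth` is true but `basic_auth_secret` or `basic_auth_username` is still the empty default, so the added `basicauth.users` label is rendered with an empty credential and what Traefik then does with the router is decided at container start rather than at deploy time; an `ansible.builtin.assert` in the role's tasks with `that: basic_auth_secret | length > 0` and `when: enable_basic_auth` would fail the play early instead. The middleware is attached only to `external_node_main`, so the `external_node_health` router in the context lines stays unauthenticated, which is presumably intended for probes and deserves a Jinja comment such as `{# health router deliberately left without basicauth #}` beside the `{% if %}`. The `labels:` list and the `external_node_main` router definition start outside this hunk, so whether any other router (for instance one for the WS port exposed below) should also carry the middleware cannot be checked here.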
@@ -68,6 +68,17 @@ postgres_arguments:
 We recommend using pgtune [online] or [self-hosted](https://github.com/le0pard/pgtune) version with with "Online transaction processing system" preset as a good starting point for generating optimal config for your hardware.
+If you want to set basic auth for inbound requests, You can do it by configure next variables:
+```yaml
+# Enable basic auth for external node
+enable_basic_auth: false
+basic_auth_username: "" # basic auth username
+basic_auth_secret: "" # basic auth secret
+```
+Basic auth secret can be generated by next command:
+
+`echo $(htpasswd -nb ) | sed -e s/\\$/\\$\\$/g`
+
 ## Step-by-step guide
 1. Install ansible collection on your machine from where you will run ansible:

From 950cbd4f7dc0307e4e37ff22fdbf4b35c1cd236f Mon Sep 17 00:00:00 2001
From: otani
Date: Thu, 7 Mar 2024 09:53:03 +0200
Subject: [PATCH 03/11] update doc

---
 README.md | 3 +--
 defaults/main.yml | 1 -
 templates/docker-compose.yaml.j2 | 2 +-
 3 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 8dcd88a..0f0de0e 100644
--- a/README.md
+++ b/README.md
@@ -72,8 +72,7 @@ If you want to set basic auth for inbound requests, You can do it by configure n
 ```yaml
 # Enable basic auth for external node
 enable_basic_auth: false
-basic_auth_username: "" # basic auth username
-basic_auth_secret: "" # basic auth secret
+basic_auth_secret: ""
 ```
 Basic auth secret can be generated by next command:
diff --git a/defaults/main.yml b/defaults/main.yml
index 98f9615..3acd7b1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -64,7 +64,6 @@ domain_name: ""
 # Enable basic auth for external node
 enable_basic_auth: false
-basic_auth_username: ""
 basic_auth_secret: ""
 # Force restore pg database
diff --git a/templates/docker-compose.yaml.j2 b/templates/docker-compose.yaml.j2
index eb0a8fd..0b7e276 100644
--- a/templates/docker-compose.yaml.j2
+++ b/templates/docker-compose.yaml.j2
@@ -71,7 +71,7 @@ services:
 - "traefik.http.routers.external_node_health.service=external_node_health"
 {% if enable_basic_auth %}
 - "traefik.http.routers.external_node_main.middlewares=external_node_auth"
- - "traefik.http.middlewares.external_node_auth.basicauth.users={{ basic_auth_username }}:{{ basic_auth_secret }}"
+ - "traefik.http.middlewares.external_node_auth.basicauth.users={{ basic_auth_secret }}"
 {% endif %}
 expose:
 - {{ rpc_http_port }}

From 1114c9a4c6b95ff4c9193c4c97f7b87cd322bc59 Mon Sep 17 00:00:00 2001
From: otani
Date: Thu, 7 Mar 2024 09:55:10 +0200
Subject: [PATCH 04/11] update doc

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0f0de0e..d3a6695 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,7 @@ If you want to set basic auth for inbound requests, You can do it by configure n
 ```yaml
 # Enable basic auth for external node
 enable_basic_auth: false
-basic_auth_secret: ""
+basic_auth_secret: "htpasswd-generated-secret"
 ```
 Basic auth secret can be generated by next command:

From bb74dfc55f2819b7ed363bdfe6533b894d57472c Mon Sep 17 00:00:00 2001
From: Igor Borodin
Date: Thu, 7 Mar 2024 09:03:29 +0100
Subject: [PATCH 05/11] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index d3a6695..7e5cd1b 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,7 @@ postgres_arguments:
 We recommend using pgtune [online] or [self-hosted](https://github.com/le0pard/pgtune) version with with "Online transaction processing system" preset as a good starting point for generating optimal config for your hardware.
-If you want to set basic auth for inbound requests, You can do it by configure next variables:
+If you want to set basic auth for inbound requests, You can do it by configuring next variables:
 ```yaml
 # Enable basic auth for external node
 enable_basic_auth: false

From 586fe6d4dc78a20c2d7b91c5119f70cced4cddf6 Mon Sep 17 00:00:00 2001
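Review bot: After this change `basic_auth_secret` has to carry the complete `user:hash` line that `htpasswd -n <user>` prints rather than just the hash, but neither the template nor the `# Enable basic auth for external node` comment in defaults/main.yml says so, and the variable name still suggests a bare secret. A comment on the default such as `# full 'user:hash' line as printed by htpasswd, with every '$' written as '$$' so docker-compose does not interpolate it` would record the format that the README's `sed` step exists for. Generating the value with `htpasswd -nb <user> <password>` as the README shows leaves the plaintext password in shell history; `htpasswd -n <user>` prompts for it instead. The `labels:` list this line belongs to starts outside the hunk.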
From: Igor Borodin
Date: Thu, 7 Mar 2024 09:03:52 +0100
Subject: [PATCH 06/11] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7e5cd1b..f35ed03 100644
--- a/README.md
+++ b/README.md
@@ -71,7 +71,7 @@ We recommend using pgtune [online] or [self-hoste
 If you want to set basic auth for inbound requests, You can do it by configuring next variables:
 ```yaml
 # Enable basic auth for external node
-enable_basic_auth: false
+enable_basic_auth: true
 basic_auth_secret: "htpasswd-generated-secret"
 ```
 Basic auth secret can be generated by next command:

From 4f54d8a139818cd3f372beeb5eb115025e230e88 Mon Sep 17 00:00:00 2001
From: otani
Date: Thu, 7 Mar 2024 10:12:20 +0200
Subject: [PATCH 07/11] update doc

---
 README.md | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index f35ed03..c7c56d0 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ iptables_packages:
 loadbalancer_ip: "1.2.3.4"
 ```
-In most of cases, you'd want to change PostgreSQL parameters (we recommend to use with "Online transaction processing system" preset as sane defaults), so you can do it using `postgres_arguments` variable, eg:
+In most of a cases, you'd want to change PostgreSQL parameters (we recommend to use with "Online transaction processing system" preset as sane defaults), so you can do it using `postgres_arguments` variable, eg:
 ```yaml
 postgres_arguments:
@@ -66,17 +66,16 @@ postgres_arguments:
 - -c
 ```
-We recommend using pgtune [online] or [self-hosted](https://github.com/le0pard/pgtune) version with with "Online transaction processing system" preset as a good starting point for generating optimal config for your hardware.
+We recommend using pgtune [online] or [self-hosted](https://github.com/le0pard/pgtune) version with "Online transaction processing system" preset as a good starting point for generating optimal config for your hardware.
-If you want to set basic auth for inbound requests, You can do it by configuring next variables:
+If you want to use basic auth for inbound requests, you have to change next variables:
 ```yaml
 # Enable basic auth for external node
 enable_basic_auth: true
 basic_auth_secret: "htpasswd-generated-secret"
 ```
-Basic auth secret can be generated by next command:
-
-`echo $(htpasswd -nb ) | sed -e s/\\$/\\$\\$/g`
+Basic auth secret can be generated by `htpasswd` and `sed` for interpolation:
+```echo $(htpasswd -nb ) | sed -e s/\\$/\\$\\$/g```
 ## Step-by-step guide

From 7cd995dfb57d907ef0a1530046d588abe0df8e3f Mon Sep 17 00:00:00 2001
From: otani
Date: Thu, 7 Mar 2024 10:20:27 +0200
Subject: [PATCH 08/11] update doc

---
 README.md | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index c7c56d0..8841a32 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # ansible-en-role
-Ansible role to deploy and configure zkSync Era External Node, including DB isntance setup on the same machine, Traefik as reverse proxy, and Prometheus monitoring (PostgreSQL exporter, Node exporter, cAdvisor, Traefik, External Node native metrics, and VictoriaMetrics vmagent to scrape all of them).
+Ansible role to deploy and configure zkSync Era External Node, including DB instance setup on the same machine, Traefik as reverse proxy, and Prometheus monitoring (PostgreSQL exporter, Node exporter, cAdvisor, Traefik, External Node native metrics, and VictoriaMetrics vmagent to scrape all of them).
 Make sure to configure Prometheus remote write endpoint to send metrics to centralized metrics storage.
@@ -14,7 +14,7 @@ This role has been tested on:
 ## Usage
-This role contains variables which has to be set:
+This role contains variables that have to be set:
 ```yaml
 database_name: ""
@@ -40,7 +40,7 @@ prometheus_remote_write_auth_password: "password"
 prometheus_remote_write_common_label: "matterlabs"
 ```
-This role also has option to secure your server and allow traffic only from specified IP address in case if you want
+This role also has the option to secure your server and allow traffic only from specified IP address in case if you want
 to use some load balancer in front of your node, while not having fancy cloud security groups at your disposal:
 ```yaml
@@ -54,7 +54,7 @@ iptables_packages:
 loadbalancer_ip: "1.2.3.4"
 ```
-In most of a cases, you'd want to change PostgreSQL parameters (we recommend to use with "Online transaction processing system" preset as sane defaults), so you can do it using `postgres_arguments` variable, eg:
+In most of a cases, you'd want to change PostgreSQL parameters (we recommend to use with "Online transaction processing system" preset as valid defaults), so you can do it using `postgres_arguments` variable, eg:
 ```yaml
 postgres_arguments:
@@ -79,17 +79,17 @@ Basic auth secret can be generated by `htpasswd` and `sed` for interpolation:
 ## Step-by-step guide
-1. Install ansible collection on your machine from where you will run ansible:
+1. Install the ansible collection on your machine from where you will run ansible:
 `ansible-galaxy collection install community.general`
-2. Prepare latest database backup on your host. you can download it from our [public GCS bucket](https://storage.googleapis.com/zksync-era-mainnet-external-node-backups/external_node_latest.pgdump).
+2. Prepare the latest database backup on your host. you can download it from our [public GCS bucket](https://storage.googleapis.com/zksync-era-mainnet-external-node-backups/external_node_latest.pgdump).
 you should place it to `{{ storage_directory }}/pg_backups` directory. By default, `{{ storage_directory }}` is `/usr/src/en`
 3. **OPTIONAL**: If you already have external-node, you can copy tree directory to new host. Copy external-node database tree to `{{ storage_directory }}/db`.
 **Keep in mind, tree should be older than PostgreSQL database backup.**
-4. Run ansible-playbook using this role. We recommend to encrypt next variables with ansible-vault or some another way:
+4. Run ansible-playbook using this role. We recommend encrypting next variables with ansible-vault or some another way:
 ```
 database_username

From 831de81f98092a5f182d1160d01a4bf2fd9ffa84 Mon Sep 17 00:00:00 2001
From: otani
Date: Thu, 7 Mar 2024 10:21:24 +0200
Subject: [PATCH 09/11] update doc

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8841a32..0620415 100644
--- a/README.md
+++ b/README.md
@@ -87,7 +87,7 @@ you should place it to `{{ storage_directory }}/pg_backups` directory. By defaul
 3. **OPTIONAL**: If you already have external-node, you can copy tree directory to new host. Copy external-node database tree to `{{ storage_directory }}/db`.
-**Keep in mind, tree should be older than PostgreSQL database backup.**
+**Keep in mind, external-node tree should be older than PostgreSQL database backup.**
 4. Run ansible-playbook using this role. We recommend encrypting next variables with ansible-vault or some another way:

From 873119a54c5a7c6e5e51ad897496a7ceb47b2683 Mon Sep 17 00:00:00 2001
From: Igor Borodin
Date: Thu, 7 Mar 2024 09:35:05 +0100
Subject: [PATCH 10/11] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7a35b9c..0f52d29 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ iptables_packages:
 loadbalancer_ip: "1.2.3.4"
 ```
-In most of a cases, you'd want to change PostgreSQL parameters (we recommend to use with "Online transaction processing system" preset as valid defaults), so you can do it using `postgres_arguments` variable, eg:
+In most cases, you'd want to change PostgreSQL parameters (we recommend to use with "Online transaction processing system" preset as valid defaults), so you can do it using `postgres_arguments` variable, eg:
 ```yaml
 postgres_arguments:

From 9fff909803f28ff42aff1777e79236b707d35767 Mon Sep 17 00:00:00 2001
From: Igor Borodin
Date: Thu, 7 Mar 2024 09:35:33 +0100
Subject: [PATCH 11/11] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0f52d29..83dd780 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ iptables_packages:
 loadbalancer_ip: "1.2.3.4"
 ```
-In most cases, you'd want to change PostgreSQL parameters (we recommend to use with "Online transaction processing system" preset as valid defaults), so you can do it using `postgres_arguments` variable, eg:
+In most cases, you'd want to change PostgreSQL parameters (we recommend to use with "Online transaction processing system" preset as sane defaults), so you can do it using `postgres_arguments` variable, eg:
 ```yaml
 postgres_arguments: