mirror of
https://github.com/matter-labs/ansible-en-role.git
synced 2025-12-06 10:59:56 +00:00
Compare commits
14 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 46cd390d3d | |||
| 9fff909803 | |||
| 873119a54c | |||
| 3e46648470 | |||
| 86c976e375 | |||
| 831de81f98 | |||
| 7cd995dfb5 | |||
| 4f54d8a139 | |||
| 586fe6d4dc | |||
| bb74dfc55f | |||
| 1114c9a4c6 | |||
| 950cbd4f7d | |||
| e3f7fe3c87 | |||
| 118523076b |
27
README.md
27
README.md
@ -1,6 +1,6 @@
|
||||
# ansible-en-role
|
||||
|
||||
Ansible role to deploy and configure zkSync Era External Node, including DB isntance setup on the same machine, Traefik as reverse proxy, and Prometheus monitoring (PostgreSQL exporter, Node exporter, cAdvisor, Traefik, External Node native metrics, and VictoriaMetrics vmagent to scrape all of them).
|
||||
Ansible role to deploy and configure zkSync Era External Node, including DB instance setup on the same machine, Traefik as reverse proxy, and Prometheus monitoring (PostgreSQL exporter, Node exporter, cAdvisor, Traefik, External Node native metrics, and VictoriaMetrics vmagent to scrape all of them).
|
||||
|
||||
Make sure to configure Prometheus remote write endpoint to send metrics to centralized metrics storage.
|
||||
|
||||
@ -14,7 +14,7 @@ This role has been tested on:
|
||||
|
||||
## Usage
|
||||
|
||||
This role contains variables which has to be set:
|
||||
Minimal required variables that has to be set:
|
||||
|
||||
```yaml
|
||||
database_name: ""
|
||||
@ -40,7 +40,7 @@ prometheus_remote_write_auth_password: "password"
|
||||
prometheus_remote_write_common_label: "matterlabs"
|
||||
```
|
||||
|
||||
This role also has option to secure your server and allow traffic only from specified IP address in case if you want
|
||||
This role also has the option to secure your server and allow traffic only from specified IP address in case if you want
|
||||
to use some load balancer in front of your node, while not having fancy cloud security groups at your disposal:
|
||||
|
||||
```yaml
|
||||
@ -54,7 +54,7 @@ iptables_packages:
|
||||
loadbalancer_ip: "1.2.3.4"
|
||||
```
|
||||
|
||||
In most of cases, you'd want to change PostgreSQL parameters (we recommend to use <https://pgtune.leopard.in.ua/> with "Online transaction processing system" preset as sane defaults), so you can do it using `postgres_arguments` variable, eg:
|
||||
In most cases, you'd want to change PostgreSQL parameters (we recommend to use <https://pgtune.leopard.in.ua/> with "Online transaction processing system" preset as sane defaults), so you can do it using `postgres_arguments` variable, eg:
|
||||
|
||||
```yaml
|
||||
postgres_arguments:
|
||||
@ -66,21 +66,30 @@ postgres_arguments:
|
||||
- -c
|
||||
```
|
||||
|
||||
We recommend using pgtune [online]<https://pgtune.leopard.in.ua/> or [self-hosted](https://github.com/le0pard/pgtune) version with with "Online transaction processing system" preset as a good starting point for generating optimal config for your hardware.
|
||||
We recommend using pgtune [online]<https://pgtune.leopard.in.ua/> or [self-hosted](https://github.com/le0pard/pgtune) version with "Online transaction processing system" preset as a good starting point for generating optimal config for your hardware.
|
||||
|
||||
If you want to use basic auth for inbound requests, you have to change next variables:
|
||||
```yaml
|
||||
# Enable basic auth for external node
|
||||
enable_basic_auth: true
|
||||
basic_auth_secret: "htpasswd-generated-secret"
|
||||
```
|
||||
Basic auth secret can be generated by `htpasswd` and `sed` for interpolation:
|
||||
```echo $(htpasswd -nb <username> <password>) | sed -e s/\\$/\\$\\$/g```
|
||||
|
||||
## Step-by-step guide
|
||||
|
||||
1. Install ansible collection on your machine from where you will run ansible:
|
||||
1. Install the ansible collection on your machine from where you will run ansible:
|
||||
`ansible-galaxy collection install community.general`
|
||||
|
||||
2. Prepare latest database backup on your host. you can download it from our [public GCS bucket](https://storage.googleapis.com/zksync-era-mainnet-external-node-backups/external_node_latest.pgdump).
|
||||
2. Prepare the latest database backup on your host. you can download it from our [public GCS bucket](https://storage.googleapis.com/zksync-era-mainnet-external-node-backups/external_node_latest.pgdump).
|
||||
you should place it to `{{ storage_directory }}/pg_backups` directory. By default, `{{ storage_directory }}` is `/usr/src/en`
|
||||
|
||||
3. **OPTIONAL**: If you already have external-node, you can copy tree directory to new host. Copy external-node database tree to `{{ storage_directory }}/db`.
|
||||
|
||||
**Keep in mind, tree should be older than PostgreSQL database backup.**
|
||||
**Keep in mind, external-node tree should be older than PostgreSQL database backup.**
|
||||
|
||||
4. Run ansible-playbook using this role. We recommend to encrypt next variables with ansible-vault or some another way:
|
||||
4. Run ansible-playbook using this role. We recommend encrypting next variables with ansible-vault or some another way:
|
||||
|
||||
```
|
||||
database_username
|
||||
|
||||
@ -62,6 +62,10 @@ enable_tls: false
|
||||
acme_email: ""
|
||||
domain_name: ""
|
||||
|
||||
# Enable basic auth for external node
|
||||
enable_basic_auth: false
|
||||
basic_auth_secret: ""
|
||||
|
||||
# Force restore pg database
|
||||
force_pg_restore: false
|
||||
|
||||
|
||||
@ -69,6 +69,10 @@ services:
|
||||
- "traefik.http.routers.external_node_health.rule=PathPrefix(`/`)"
|
||||
- "traefik.http.routers.external_node_health.entrypoints=external_node_health"
|
||||
- "traefik.http.routers.external_node_health.service=external_node_health"
|
||||
{% if enable_basic_auth %}
|
||||
- "traefik.http.routers.external_node_main.middlewares=external_node_auth"
|
||||
- "traefik.http.middlewares.external_node_auth.basicauth.users={{ basic_auth_secret }}"
|
||||
{% endif %}
|
||||
expose:
|
||||
- {{ rpc_http_port }}
|
||||
- {{ rpc_ws_port }}
|
||||
|
||||
Reference in New Issue
Block a user