Merge pull request #27 from matter-labs/ya-zkd-1817-upgrade-external-nodes-on-hetzner4

feat: Add traefik configuration for consensus TCP port, open it in firewall

tasks/firewall.yml

@@ -49,6 +49,14 @@
     source: "{{ loadbalancer_ip | mandatory }}"
     jump: ACCEPT
 
+- name: Allow consensus port traffic from any IP
+  when: enable_consensus
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: tcp
+    destination_port: "{{ consensus_port }}"
+    jump: ACCEPT
+
 - name: Set default policy to DROP
   ansible.builtin.iptables:
     chain: INPUT

tasks/provision.yml

@@ -38,7 +38,7 @@
   when: vars[item] == ""
   with_items: "{{ en_required_variables }}"
 
-- name: Copy main configs
+- name: Create main configs
   ansible.builtin.template:
     src: '{{ item.src }}'
     dest: '{{ item.dest }}'
@@ -51,7 +51,7 @@
     - src: "templates/postgres.env.j2"
       dest: "{{ configuration_directory }}/postgres.env"
 
-- name: Copy restore script
+- name: Create restore script
   register: restore_dump_script
   ansible.builtin.template:
     src: 'templates/restore_dump.sh.j2'
@@ -64,7 +64,7 @@
   when: enable_monitoring and ( vars[item] == "" )
   with_items: "{{ monitoring_required_variables }}"
 
-- name: Copy monitoring configs
+- name: Create monitoring configs
   when: enable_monitoring
   ansible.builtin.template:
     src: '{{ item.src }}'
@@ -76,7 +76,7 @@
     - src: "templates/vmagent-config.yml.j2"
       dest: "{{ configuration_directory }}/vmagent-config.yml"
 
-- name: Copy main configs
+- name: Create consensus config
   when: enable_consensus
   ansible.builtin.template:
     src: "templates/consensus_config.yaml.j2"
@@ -88,7 +88,7 @@
   ansible.builtin.copy:
     src: "{{ consensus_secrets_file }}"
     dest: "{{ configuration_directory }}/consensus_secrets.yaml"
-    decrypt: yes
+    decrypt: true
     mode: '0600'
 
 - name: Run docker-compose without monitoring

templates/docker-compose.yaml.j2

@@ -8,10 +8,13 @@ services:
       - "--log.level=INFO"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"
+      - "--entryPoints.web.address=:80"
-      - "--entrypoints.external_node_health.address=:3080"
+      - "--entryPoints.external_node_health.address=:3080"
+{% if enable_consensus %}
+      - "--entryPoints.external_node_consensus.address=:{{ consensus_port }}"
+{% endif %}
 {% if enable_tls %}
-      - "--entrypoints.websecure.address=:443"
+      - "--entryPoints.websecure.address=:443"
       - "--certificatesresolvers.en_resolver.acme.tlschallenge=true"
       - "--certificatesresolvers.en_resolver.acme.storage=/letsencrypt/acme.json"
       - "--certificatesresolvers.myresolver.acme.email={{ acme_email }}"
@@ -76,6 +79,11 @@ services:
 {% if enable_basic_auth %}
       - "traefik.http.routers.external_node_main.middlewares=external_node_auth"
       - "traefik.http.middlewares.external_node_auth.basicauth.users={{ basic_auth_secret }}"
+{% endif %}
+{% if enable_consensus %}
+      - "traefik.tcp.services.external_node_consensus.loadbalancer.server.port={{ consensus_port }}"
+      - "traefik.tcp.routers.external_node_consensus.entrypoints=external_node_consensus"
+      - "traefik.tcp.routers.external_node_consensus.service=external_node_consensus"
 {% endif %}
     expose:
       - {{ rpc_http_port }}
@@ -101,7 +109,7 @@ services:
       RUST_LOG: {{ rust_log }}
 {% if enable_consensus %}
       EN_CONSENSUS_CONFIG_PATH: /etc/consensus_config.yaml
-      EN_CONSENSUS_SECRETS_PATH: /run/secrets/consensus_secrets.yaml
+      EN_CONSENSUS_SECRETS_PATH: /run/secrets/consensus_secrets
 {% endif %}
     healthcheck:
       test: [ "CMD", "curl", "-f", "http://localhost:{{ healthcheck_port }}/health" ]
@@ -112,7 +120,7 @@ services:
     volumes:
       - "{{ storage_directory }}/db:/db"
 {% if enable_consensus %}
-      - "consensus_config.yaml:/etc/consensus_config.yaml"
+      - "{{ configuration_directory }}/consensus_config.yaml:/etc/consensus_config.yaml"
 {% endif %}
     env_file:
       - "external_node.env"