1 parent
0eb67fb
commit 23aa998
Showing
19 changed files
with
214 additions
and
13 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
name: Lotus Mainnet | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- main | ||
paths: | ||
- 'terraform/**' | ||
- 'ansible/**' | ||
push: | ||
branches: | ||
- main | ||
paths: | ||
- 'terraform/**' | ||
- 'ansible/**' | ||
workflow_dispatch: | ||
|
||
jobs: | ||
deploy-lotus-calibnet: | ||
name: Deploy | ||
runs-on: ubuntu-latest | ||
permissions: write-all | ||
steps: | ||
- name: Checkout the code | ||
uses: actions/checkout@v3 | ||
|
||
# Using Custom Composite action in ./composite-action/terraform folder | ||
- name: Composite Action for Deploying Terraform Resources | ||
uses: ./composite-action/terraform | ||
with: | ||
do_token: ${{ secrets.DO_TOKEN }} | ||
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }} | ||
working_directory: terraform/lotus-mainnet | ||
environment: Lotus Mainnet | ||
new_relic_account_id: ${{ secrets.NEW_RELIC_ACCOUNT_ID }} | ||
nr_license_key: ${{ secrets.NR_LICENSE_KEY }} | ||
new_relic_api_key: ${{ secrets.NEW_RELIC_API_KEY }} |
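Review bot: `permissions: write-all` on the deploy job hands the GITHUB_TOKEN every scope, while the visible steps only check out the repo and run the local composite action; narrow it to what that action actually uses, e.g. `permissions:` / `contents: read` (plus `pull-requests: write` only if the action posts plan output, which this hunk does not show). `actions/checkout@v3` is pinned by a movable tag rather than a commit SHA, so the step's code can change underneath a workflow that holds DO, AWS and SSH credentials. The job id `deploy-lotus-calibnet` inside a workflow named "Lotus Mainnet" with `working_directory: terraform/lotus-mainnet` looks copy-pasted; renaming it `deploy-lotus-mainnet` avoids misreading the run list. Whether the `pull_request` trigger plans or applies against mainnet depends on the composite action, which is outside this hunk — worth confirming that same-repo PRs cannot apply before merge.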
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
terraform { | ||
required_version = ">= 1.2" | ||
|
||
backend "s3" { | ||
bucket = "forest-iac" | ||
key = "lotus-mainnet/terraform.tfstate" | ||
region = "us-west-1" | ||
endpoint = "fra1.digitaloceanspaces.com" | ||
skip_credentials_validation = true | ||
skip_metadata_api_check = true | ||
} | ||
} | ||
|
||
module "lotus-mainnet" { | ||
source = "../modules/filecoin_node" | ||
|
||
do_token = var.do_token | ||
name = "lotus" | ||
region = "fra1" | ||
image = "docker-20-04" | ||
size = "s-4vcpu-8gb" | ||
source_addresses = ["0.0.0.0/0", "::/0"] | ||
attach_volume = true | ||
destination_addresses = ["0.0.0.0/0", "::/0"] | ||
volume_name = "lotus-mainnet-volume" | ||
initial_filesystem_type = "ext4" | ||
volume_size = "1000" | ||
chain = "mainnet" | ||
project = "Forest-DEV" | ||
fw_name = "mainnet-calibnet-fw" | ||
script = "lotus.sh" | ||
NR_LICENSE_KEY = var.NR_LICENSE_KEY | ||
NEW_RELIC_API_KEY = var.NEW_RELIC_API_KEY | ||
NEW_RELIC_ACCOUNT_ID = var.NEW_RELIC_ACCOUNT_ID | ||
} |
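Review bot: `source_addresses = ["0.0.0.0/0", "::/0"]` makes every inbound rule the `filecoin_node` module creates world-reachable; the module's port list is not in this hunk, but for a mainnet host the operators' CIDRs are the usual value for at least the SSH rule, with `0.0.0.0/0` reserved for the p2p port. `fw_name = "mainnet-calibnet-fw"` looks copied from the calibnet stack and will collide or confuse if both stacks share a DO project — `"lotus-mainnet-fw"` matches the rest of the file. If the module renders `NR_LICENSE_KEY`/`NEW_RELIC_API_KEY` into the droplet's user_data (as the companion `lotus.sh` suggests), those keys end up in plaintext in the tfstate object under `lotus-mainnet/` in the `forest-iac` Space; presumably that bucket is private, but it deserves a comment on the backend block, e.g. `# state contains rendered user_data with monitoring keys; keep bucket ACL private`.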
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
|
||
variable "do_token" { | ||
description = "Token for authentication." | ||
type = string | ||
} | ||
|
||
variable "NR_LICENSE_KEY" { | ||
description = "New Relic Access Token" | ||
type = string | ||
} | ||
|
||
variable "NEW_RELIC_API_KEY" { | ||
description = "New Relic API KEY" | ||
type = string | ||
} | ||
|
||
variable "NEW_RELIC_ACCOUNT_ID" { | ||
description = "The New Relic Account ID" | ||
type = string | ||
} |
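Review bot: The three credential variables are declared without `sensitive = true`, so Terraform will print their values in plan/apply output and in the CI log wherever they appear in a diff (for example inside rendered user_data). Add `sensitive = true` to each of `do_token`, `NR_LICENSE_KEY` and `NEW_RELIC_API_KEY`; `NEW_RELIC_ACCOUNT_ID` is an identifier rather than a secret and can stay as is. Note this only redacts CLI output — the values are still written to state. The mixed naming (`do_token` lowercase, the New Relic ones upper-case) is a style point worth settling while the file is new.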
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,100 @@ | ||
#!/bin/bash | ||
|
||
# This bash script is used to initialize a Lotus Mainnet or Calibnet Droplet. | ||
# It starts the chain (either mainnet or calibnet) as specified in the terraform script. | ||
# The script also runs Watchtower to keep the Lotus Docker images up-to-date, | ||
# and sets up the New Relic agent for system monitoring. | ||
|
||
# The script employs Terraform's templating engine, which uses variables defined in terraform.tfvars. | ||
# Thus, the $${VARIABLES} used here are for the template engine, not BASH. | ||
|
||
set -euxo pipefail | ||
|
||
# Create a new user with a home directory, no password (SSH login only), and no gecos info. | ||
adduser --disabled-password --gecos "" "${NEW_USER}" | ||
|
||
# Set up SSH for the new user. | ||
mkdir --parents -- "/home/${NEW_USER}/.ssh" | ||
chown "${NEW_USER}:${NEW_USER}" "/home/${NEW_USER}/.ssh" | ||
chmod 0700 "/home/${NEW_USER}/.ssh" | ||
|
||
# Inherit authorized_keys from root, if they exist, to allow the same key-based access for the new user. | ||
if [ -f "/root/.ssh/authorized_keys" ]; then | ||
: Allowing those with root ssh keys to log in as "${NEW_USER}" | ||
cp /root/.ssh/authorized_keys "/home/${NEW_USER}/.ssh/authorized_keys" | ||
chown "${NEW_USER}:${NEW_USER}" "/home/${NEW_USER}/.ssh/authorized_keys" | ||
chmod 0600 "/home/${NEW_USER}/.ssh/authorized_keys" | ||
fi | ||
|
||
# Restrict SSH access to the new user only. preventing root user from accessing the system via SSH. | ||
echo "AllowUsers ${NEW_USER}" >> /etc/ssh/sshd_config | ||
systemctl restart sshd | ||
|
||
# Enable passwordless sudo for the new user. This allows the user to run sudo commands without being prompted for a password. | ||
echo "${NEW_USER} ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/"${NEW_USER}" | ||
|
||
# Add new user to "docker" group so they can run docker commands | ||
usermod --append --groups docker "${NEW_USER}" | ||
|
||
# Set up the directory where the lotus container will store its data. | ||
mkdir --parents -- "/home/${NEW_USER}/lotus_data" | ||
|
||
# If a volume name is defined, mount the volume to the lotus_data directory. | ||
if [ -n "${VOLUME_NAME}" ]; then | ||
# discard: notify the volume to free blocks (useful for SSDs) | ||
# defaults: default mount options, including rw | ||
# noatime: don't preserve file access times | ||
: mounting volume at the lotus_data directory | ||
mount --options discard,defaults,noatime /dev/disk/by-id/scsi-0DO_Volume_"${DISK_ID_VOLUME_NAME}" "/home/${NEW_USER}/lotus_data" | ||
fi | ||
|
||
# Change the ownership of the lotus_data directory to the created user. | ||
chown --recursive "${NEW_USER}":"${NEW_USER}" "/home/${NEW_USER}/lotus_data" | ||
|
||
IMAGETAG="stable" | ||
|
||
if [ "${CHAIN}" != "mainnet" ]; then | ||
IMAGETAG="stable-calibnet" | ||
fi | ||
|
||
sudo --user="${NEW_USER}" -- docker network create lotus | ||
|
||
# Run the Lotus Docker container as the created user. | ||
sudo --user="${NEW_USER}" -- \ | ||
docker run \ | ||
--detach \ | ||
--network=lotus \ | ||
--name=lotus-"${CHAIN}" \ | ||
--volume=parameters:/var/tmp/filecoin-proof-parameters \ | ||
--volume=/home/"${NEW_USER}"/lotus_data:/var/lib/lotus \ | ||
--publish=1234:1234 \ | ||
--restart=always \ | ||
filecoin/lotus-all-in-one:"$IMAGETAG" lotus daemon \ | ||
--import-snapshot https://snapshots."${CHAIN}".filops.net/minimal/latest.zst | ||
|
||
# It monitors running Docker containers and watches for changes to the images that those containers were originally started from. | ||
# If Watchtower detects that an image has changed, it will automatically restart the container using the new image. | ||
# Run the Watchtower Docker container as created user. | ||
sudo --user="${NEW_USER}" -- \ | ||
docker run \ | ||
--detach \ | ||
--network=lotus \ | ||
--name=watchtower \ | ||
--volume=/var/run/docker.sock:/var/run/docker.sock \ | ||
--restart=unless-stopped \ | ||
containrrr/watchtower \ | ||
--include-stopped --revive-stopped --stop-timeout 120s --interval 600 | ||
|
||
# Set-up New Relic Agent For logs collection and Infrastruture Metrics | ||
curl -Ls https://download.newrelic.com/install/newrelic-cli/scripts/install.sh | bash && \ | ||
sudo NEW_RELIC_API_KEY="${NEW_RELIC_API_KEY}" \ | ||
NEW_RELIC_ACCOUNT_ID="${NEW_RELIC_ACCOUNT_ID}" \ | ||
NEW_RELIC_REGION="${NEW_RELIC_REGION}" \ | ||
/usr/local/bin/newrelic install -y | ||
|
||
# Adds custom display name and host-name to the New Relic config. | ||
cat << EOF >> /etc/newrelic-infra.yml | ||
display_name: lotus-${CHAIN} | ||
override_hostname_short: lotus-${CHAIN} | ||
EOF | ||
sudo systemctl restart newrelic-infra |
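Review bot: `set -euxo pipefail` traces every command after template substitution, so the `newrelic install` call writes `NEW_RELIC_API_KEY=…` and the account ID verbatim into the droplet's boot log (presumably cloud-init output); use `set -euo pipefail`, or bracket that call with `set +x` / `set -x`. The `curl -Ls … | bash` line executes an unverified remote script as root; at least download it to a file and check a pinned checksum before running it, or install the agent from its package repository. The `mount` of the DO volume is never recorded in `/etc/fstab`, so after a reboot `lotus-${CHAIN}` (`--restart=always`) comes back writing into `/home/${NEW_USER}/lotus_data` on the root disk — add an `/etc/fstab` entry for the `by-id` path with `nofail` right after the mount. If only local tooling needs the Lotus API, `--publish=127.0.0.1:1234:1234` keeps it off the public interface rather than relying on the firewall alone. Watchtower with the Docker socket plus the floating `stable` tag means any image pushed upstream runs root-equivalent on this host within ten minutes; that is a deliberate trade-off and deserves a comment saying so.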
2 changes: 1 addition & 1 deletion
2
terraform/modules/forest_node/user-data.sh → terraform/modules/filecoin_node/user-data.sh