doen

flake.nix

@@ -61,6 +61,8 @@
     let
       email = "dzmitry@lahoda.pro";
       domain = "ggchain.technology";
+      org = "ggchaindev";
+      region = "eu-west-1";
       # can use envvars override to allow run non shared "cloud" for tests
       age-pub = "age1a8k02z579lr0qr79pjhlneffjw3dvy3a8j5r4fw3zlphd6cyaf5qukkat5";
 
@@ -275,23 +277,22 @@
             '';
           };
 
-          tf-apply-testnet = pkgs.writeShellApplication rec {
-            name = "tf-apply-testnet";
+          # need to generalize for generic TF_VAR consumption
+          mkTerraformRun = tfname: config: pkgs.writeShellApplication rec {
+            name = "tf-${tfname}";
             runtimeInputs = cloud-tools;
             text = ''
               # send variables to terraform
-              TF_VAR_DOMAIN_NAME=ggchain.technology
-              TF_VAR_VALIDATOR_NAME=ggchaindev
-              TF_VAR_NODE_IMAGE=""
-              TF_VAR_AWS_REGION="eu-west-1"
+              TF_VAR_DOMAIN_NAME=${domain}
+              TF_VAR_VALIDATOR_NAME=${org}
+              TF_VAR_AWS_REGION=${region}
               export TF_VAR_DOMAIN_NAME
               export TF_VAR_VALIDATOR_NAME
-              export TF_VAR_NODE_IMAGE
               export TF_VAR_AWS_REGION
 
-              cd ./terraform/testnet  
+              cd ./terraform/${tfname}  
               # generate terraform input from nix
-              cp --force ${tf-config-testnet} config-testnet.tf.json
+              cp --force ${config} config-${tfname}.tf.json
             
               # silly check to avoid providers rechek all the time (nixified version would be more robust)
               if [[ ! -d .terraform/providers ]]; then
@@ -300,34 +301,36 @@
             
               # decrypt secret state (should run only on CI eventually for safety)
               # if there is encrypted state, decrypt it
-              if [[ -f terraform-testnet.tfstate.sops ]]; then
+              if [[ -f terraform-${tfname}.tfstate.sops ]]; then
                 # uses age, so can use any of many providers (including aws)
                 echo "decrypting state"
-                sops --decrypt --age ${age-pub} terraform-testnet.tfstate.sops > terraform-testnet.tfstate
+                sops --decrypt --age ${age-pub} terraform-${tfname}.tfstate.sops > terraform-${tfname}.tfstate
                 # testing that we can finally reencrypt          
-                sops --encrypt --age ${age-pub} terraform-testnet.tfstate > terraform-testnet.tfstate.sops   
+                sops --encrypt --age ${age-pub} terraform-${tfname}.tfstate > terraform-${tfname}.tfstate.sops   
               fi
             
               # so we can store part of changes before exit
               set +o errexit
               # apply state to cloud, eventually should manually approve in CI
-              terraform apply "$@" # for example -auto-approve
+              terraform apply "$@" # for example `-- apply -auto-approve`
               TERRAFORM_RESULT=$?
               set -o errexit
               
               # encrypt update state back and push it (later in CI special job)
               echo "encrypting current state"
-              sops --encrypt --age ${age-pub} terraform-testnet.tfstate > terraform-testnet.tfstate.sops
+              sops --encrypt --age ${age-pub} terraform-${tfname}.tfstate > terraform-${tfname}.tfstate.sops
 
-              if [[ -f terraform-testnet.tfstate.backup ]]; then 
+              if [[ -f terraform-${tfname}.tfstate.backup ]]; then 
                 echo "encrypting backup state"
-                sops --encrypt --age ${age-pub} terraform-testnet.tfstate.backup > terraform-testnet.tfstate.backup.sops
+                sops --encrypt --age ${age-pub} terraform-${tfname}.tfstate.backup > terraform-${tfname}.tfstate.backup.sops
               fi
               
               exit $TERRAFORM_RESULT
             '';
           };
 
+          tf-testnet = mkTerraformRun "testnet" tf-config-testnet;
+
 
           tf-config = terranix.lib.terranixConfiguration {
             inherit system;
@@ -342,7 +345,7 @@
         rec {
 
           packages = flake-utils.lib.flattenTree {
-            inherit golden-gate-runtime golden-gate-node single-fast multi-fast tf-config tf-apply tf-apply-testnet lint node-image;
+            inherit golden-gate-runtime golden-gate-node single-fast multi-fast tf-config tf-apply tf-testnet lint node-image;
             subkey = pkgs.subkey;
             node = golden-gate-node;
             runtime = golden-gate-runtime;
@@ -364,7 +367,16 @@
                 # should read from tfstate here to avoid cp paste of name       
                 NIX_SSHOPTS="-i ./terraform/testnet/id_rsa.pem"         
                 export NIX_SSHOPTS
-                nixos-rebuild switch --fast --flake .#node-test-a  --target-host root@ec2-18-202-222-11.eu-west-1.compute.amazonaws.com
+                # first run will be slow, so can consider variouse optimization later
+                nixos-rebuild switch --fast --flake .#node-test-a  --target-host root@ec2-3-250-195-70.eu-west-1.compute.amazonaws.com
+              '';
+            };
+            deploy-test-node-b = pkgs.writeShellApplication rec {
+              name = "deploy-test-node-b";
+              text = ''
+                NIX_SSHOPTS="-i ./terraform/testnet/id_rsa.pem"         
+                export NIX_SSHOPTS
+                nixos-rebuild switch --fast --flake .#node-test-b  --target-host root@ec2-54-247-61-116.eu-west-1.compute.amazonaws.com
               '';
             };
 
@@ -495,7 +507,7 @@
                 security = {
                   acme = {
                     defaults.email = email;
-                      acceptTerms = true;
+                    acceptTerms = true;
                   };
                 };
                 environment.systemPackages = [ pkgs.golden-gate-node ];
@@ -515,6 +527,70 @@
               })
             ];
           };
+
+          node-test-b = nixpkgs.lib.nixosSystem {
+            inherit system;
+            modules = [
+              {
+                nixpkgs.overlays = [
+                  (_: _: {
+                    golden-gate-node = pkgs.golden-gate-node;
+                  })
+                ];
+              }
+              ./flake/web3nix-module.nix
+              ./flake/nixos-amazon.nix
+            ]
+            ++ [
+              ({ ... }: {
+                web3nix.admin.email = email;
+                services.nginx.virtualHosts = {
+                  "node-b.${domain}" = {
+                    addSSL = true;
+                    enableACME = true;
+                    root = "/var/www/default";
+                    # just stub for root page, can route to any usefull info or landing
+                    locations."/" = {
+                      root = pkgs.runCommand "testdir" { } ''
+                        mkdir "$out"
+                        echo "here could be golden gate pwa" > "$out/index.html"
+                      '';
+                    };
+                    locations."/substrate/client" = {
+                      # any all to external servers is routed to node
+                      proxyPass = "http://127.0.0.1:${builtins.toString 9944}";
+                      proxyWebsockets = true;
+                    };
+                  };
+                };
+                security = {
+                  acme = {
+                    defaults.email = email;
+                    acceptTerms = true;
+                  };
+                };
+                environment.systemPackages = [ pkgs.golden-gate-node ];
+                systemd.services.golden-gate-node =
+                  let
+                    # should mount really libp2p nodes to  
+                    cli = " --unsafe-ws-external --unsafe-rpc-external --rpc-cors=all --rpc-external --ws-external --blocks-pruning archive --bob --chain=testnet --bootnodes=/ip4/3.250.195.70/tcp/30333/p2p/12D3KooWMJNFTgi6kbSwC5FoSDCtTkVm26n2MnQiRnhvoTRW4Cip";
+                  in
+                  {
+                    wantedBy = [ "multi-user.target" ];
+                    after = [ "network.target" ];
+                    description = "substrate-node";
+                    serviceConfig = {
+                      Type = "simple";
+                      User = "root";
+                      # yeah, tune each unsafe on release
+                      ExecStart = "${pkgs.lib.meta.getExe pkgs.golden-gate-node} ${cli}";
+                      Restart = "always";
+                    };
+                  };
+
+              })
+            ];
+          };
         };
     };
 }

flake/terraform-testnet.nix

@@ -16,14 +16,10 @@ let
 in
 rec {
   variable = {
-
     # for PD.js and Metamask connection
     DOMAIN_NAME = {
       type = "string";
     };
-    NODE_IMAGE = {
-      type = "string";
-    };
 
     AWS_REGION = {
       type = "string";

terraform/testnet/config-testnet.tf.json

@@ -236,9 +236,6 @@
     "DOMAIN_NAME": {
       "type": "string"
     },
-    "NODE_IMAGE": {
-      "type": "string"
-    },
     "VALIDATOR_NAME": {
       "description": "should be more than 3 but less then 12 symbols, only lower case letters",
       "type": "string"