proxmox/scripts/fix-validator-permissioning-toml.sh
#!/usr/bin/env bash
# Fix validator node lists: deploy BOTH static-nodes.json and permissions-nodes.toml.
# Besu expects TOML for permissions-nodes-config-file (not permissioned-nodes.json).
# Static-nodes = bootstrap peers; permissions-nodes = allowlist. Both are essential.
#
# Run from repo root. Requires SSH to r630-01 (192.168.11.11) and r630-03 (192.168.11.13).
# Strict mode: abort on unhandled errors, unset variables and failed pipeline stages.
set -euo pipefail

# The project root is the parent of the directory holding this script; all
# relative paths below are resolved from there.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
cd "$PROJECT_ROOT"

# Optional environment files. Each is sourced only when present, and a failure
# while sourcing is deliberately ignored (stderr discarded, status forced to 0).
# Both files are executed as shell code in this process.
if [ -f config/ip-addresses.conf ]; then
  source config/ip-addresses.conf 2>/dev/null || true
fi
if [ -f scripts/lib/load-project-env.sh ]; then
  source scripts/lib/load-project-env.sh 2>/dev/null || true
fi

# The two node lists that get deployed. Both must exist locally before any
# host is contacted.
SOURCE_TOML="$PROJECT_ROOT/config/besu-node-lists/permissions-nodes.toml"
SOURCE_STATIC="$PROJECT_ROOT/config/besu-node-lists/static-nodes.json"
for _required_file in "$SOURCE_TOML" "$SOURCE_STATIC"; do
  if [ ! -f "$_required_file" ]; then
    echo "Missing $_required_file"
    exit 1
  fi
done
unset _required_file

# Connection defaults; each can be overridden from the environment.
# SSH_USER defaults to root, so every remote command in this script runs as
# root on the Proxmox host unless PROXMOX_SSH_USER says otherwise.
R630_01="${PROXMOX_HOST_R630_01:-${PROXMOX_R630_01:-192.168.11.11}}"
SSH_USER="${PROXMOX_SSH_USER:-root}"

# Directory inside each container that receives permissions-nodes.toml.
PERM_PATH="/var/lib/besu/permissions"
# NOTE(review): CONFIG_GLOB is not referenced anywhere else in this script as
# shown; the config paths are hard-coded again in the remote sed step.
CONFIG_GLOB="/etc/besu/config-validator.toml"
#######################################
# Print the Proxmox host that carries a validator container.
# Globals:   R630_01 (read), PROXMOX_HOST_ML110 (read, optional)
# Arguments: $1 - container VMID
# Outputs:   host address on stdout
# Returns:   status of get_host_for_vmid when that resolver exists, else the
#            status of the final echo
# NOTE(review): the file header names r630-03 (192.168.11.13) as the second
# host, while the fallback here is PROXMOX_HOST_ML110 / 192.168.11.10. Confirm
# which one is current.
#######################################
validator_host() {
  local vmid="$1"

  # A resolver supplied by a sourced project file takes precedence when present.
  if type get_host_for_vmid >/dev/null 2>&1; then
    get_host_for_vmid "$vmid"
    return
  fi

  # Built-in mapping: VMIDs up to 1002 live on r630-01.
  if [[ "$vmid" -le 1002 ]]; then
    echo "$R630_01"
    return
  fi

  echo "${PROXMOX_HOST_ML110:-192.168.11.10}"
}
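#######################################
# Print the p2p address configured for a validator container.
#
# The deploy loop expands the result locally into a remote `bash -c` script
# and into sed replacement text. The value is therefore restricted to
# characters that can occur in an IPv4/IPv6 address or host name. Anything
# else (quotes, spaces, `|`, `&`, `$`, ...) is rejected instead of being
# forwarded into that command line.
#
# Globals:   IP_VALIDATOR_0 .. IP_VALIDATOR_4 (read, optional overrides)
# Arguments: $1 - container VMID (1000-1004)
# Outputs:   address on stdout; a diagnostic on stderr when rejected
# Returns:   0 on success, 1 for an unknown VMID or an unacceptable address
#######################################
validator_ip() {
  local vmid="$1"
  local addr
  case "$vmid" in
    1000) addr="${IP_VALIDATOR_0:-192.168.11.100}" ;;
    1001) addr="${IP_VALIDATOR_1:-192.168.11.101}" ;;
    1002) addr="${IP_VALIDATOR_2:-192.168.11.102}" ;;
    1003) addr="${IP_VALIDATOR_3:-192.168.11.103}" ;;
    1004) addr="${IP_VALIDATOR_4:-192.168.11.104}" ;;
    *) return 1 ;;
  esac

  # Allowlist rather than denylist: only address/host-name characters pass.
  local allowed='^[A-Za-z0-9.:-]+$'
  if [[ ! "$addr" =~ $allowed ]]; then
    printf 'validator_ip: address for VMID %s contains unexpected characters\n' "$vmid" >&2
    return 1
  fi

  printf '%s\n' "$addr"
}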
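# VMID:host pairs for the five validators.
#
# Each host is resolved separately and checked. Building the array in one
# literal assignment only surfaces the exit status of the last command
# substitution, so a failed lookup for an earlier VMID would produce an entry
# such as "1000:" and the later scp/ssh calls would target "user@" with no
# host. Stop here with a message instead.
VALIDATORS=()
for _vmid in 1000 1001 1002 1003 1004; do
  _host="$(validator_host "$_vmid")" || _host=""
  if [[ -z "$_host" ]]; then
    printf 'Could not resolve a Proxmox host for VMID %s\n' "$_vmid" >&2
    exit 1
  fi
  VALIDATORS+=("${_vmid}:${_host}")
done
unset _vmid _host

# ANSI colour sequences, stored as literal backslash escapes; the log helpers
# expand them with `echo -e`. YELLOW is not referenced elsewhere in this script.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'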
# Print an informational line on stdout: blue "[INFO]" tag followed by $1.
# Backslash escapes in the message are interpreted, as with `echo -e`.
log_info() {
  printf '%b\n' "${BLUE}[INFO]${NC} $1"
}
# Print a success line on stdout: green "[✓]" tag followed by $1.
# Backslash escapes in the message are interpreted, as with `echo -e`.
log_ok() {
  printf '%b\n' "${GREEN}[✓]${NC} $1"
}
# Print an error line: red "[✗]" tag followed by $1.
# Backslash escapes in the message are interpreted, as with `echo -e`.
# NOTE(review): this writes to stdout, not stderr, so errors share the stream
# with normal progress output.
log_err() {
  printf '%b\n' "${RED}[✗]${NC} $1"
}
# Banner: blank line, title, one-line rationale, blank line.
printf '%s\n' \
  "" \
  "=== Fix validator node lists (static-nodes + permissions-nodes) ===" \
  " Both are essential: static-nodes = bootstrap peers, permissions-nodes = allowlist." \
  ""

# Stage both files on every distinct Proxmox host exactly once. The host list
# is the de-duplicated second field of the VALIDATORS entries. Any scp failure
# aborts the whole run before a container is touched.
#
# NOTE(review): StrictHostKeyChecking=no means the host key is not verified,
# so nothing ties this session (run as $SSH_USER, root by default) to the
# intended Proxmox host. The payload includes the node allowlist. Pre-populated
# known_hosts entries with host key checking left on would close that gap.
# NOTE(review): the files land at fixed names in the host's shared /tmp. The
# later `pct push` and cleanup steps use the same paths, so moving to a per-run
# `mktemp -d` directory has to change all three places together.
# NOTE(review): scp's stderr is discarded, so the reason for a failure (auth,
# host key, timeout) is not shown.
for host in $(printf '%s\n' "${VALIDATORS[@]}" | cut -d: -f2 | sort -u); do
  log_info "Copying static-nodes.json and permissions-nodes.toml to $host"
  if ! scp -o ConnectTimeout=5 -o StrictHostKeyChecking=no \
    "$SOURCE_STATIC" "$SOURCE_TOML" "$SSH_USER@$host:/tmp/" 2>/dev/null; then
    log_err "scp to $host failed"
    exit 1
  fi
  log_ok " Copied"
done
# Per-validator deployment. For each VMID:host entry: resolve the validator's
# p2p address, check the container is running, push both node lists into it,
# rewrite its Besu config, fix ownership, and restart the service.
# FAILED counts validators where a step failed; the summary at the end of the
# script reads it.
#
# NOTE(review): every ssh call below uses StrictHostKeyChecking=no, so the
# Proxmox host key is not verified on sessions that run as $SSH_USER (root by
# default) and install the node allowlist. Each call also discards ssh's
# stderr, so the cause of a failure is not shown to the operator.
FAILED=0
for entry in "${VALIDATORS[@]}"; do
# Split "VMID:host" at the first colon; anything after it ends up in $host.
IFS=: read -r vmid host <<< "$entry"
# The variable shares its name with the validator_ip function; bash keeps
# variables and functions in separate namespaces, so the call still works.
validator_ip="$(validator_ip "$vmid")" || {
log_err " could not determine validator IP for VMID $vmid"
# Post-increment evaluates to the old value, so the arithmetic command returns
# non-zero when FAILED was 0; `|| true` keeps `set -e` from ending the script.
((FAILED++)) || true
continue
}
log_info "VMID $vmid @ $host"
# Second field of `pct status` output. If the pipeline fails (ssh or pct error,
# via pipefail) the text "unknown" is appended instead.
# NOTE(review): any value other than exactly "running" -- including an SSH or
# pct failure -- takes the skip path below WITHOUT incrementing FAILED, so a
# skipped validator keeps its old node lists while the run can still end with
# the "All validators updated" summary.
status=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$SSH_USER@$host" "pct status $vmid 2>/dev/null" | awk '{print $2}' || echo "unknown")
if [ "$status" != "running" ]; then
log_info " Skip (not running)"
continue
fi
# Push static-nodes.json to /var/lib/besu/ and permissions-nodes.toml to permissions/
# The sources are the fixed-name copies staged in the host's /tmp by the
# earlier copy loop.
STATIC_PATH="/var/lib/besu/static-nodes.json"
if ! ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$SSH_USER@$host" "pct push $vmid /tmp/static-nodes.json ${STATIC_PATH} && pct push $vmid /tmp/permissions-nodes.toml ${PERM_PATH}/permissions-nodes.toml" 2>/dev/null; then
log_err " pct push failed"
((FAILED++)) || true
continue
fi
# Point config to TOML (not JSON) and ensure static-nodes-file and permissions path are set
# The script between the single quotes runs inside the container. Only the
# first config file that exists is edited (`break` after one pass). Quoting
# layers: `\$f` is escaped so it expands in the container, while
# ${validator_ip} is expanded locally BEFORE the command is sent and lands
# verbatim inside the remote script and the sed replacement text.
# NOTE(review): ${validator_ip} comes from IP_VALIDATOR_* / sourced config; it
# should be limited to address characters before it reaches this command line.
# NOTE(review): in the second sed, the inner escaped quotes close and reopen
# the double-quoted expression, so the quote characters are not part of the
# pattern; after the first sed has already replaced permissioned-nodes.json it
# appears to have nothing left to match.
# NOTE(review): the sed rewrites are anchored (`^key=`) but the grep guards for
# static-nodes-file and permissions-nodes-config-file are not. A commented-out
# or differently spaced line satisfies grep without being rewritten, so that
# key is neither updated nor appended. For permissions-nodes-config-file that
# leaves the allowlist path unchanged without any error being reported.
if ! ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$SSH_USER@$host" "pct exec $vmid -- bash -c '
for f in /etc/besu/config-validator.toml /config/config-validator.toml; do
[ -f \"\$f\" ] || continue
sed -i \"s|permissioned-nodes\\.json|permissions-nodes.toml|g\" \"\$f\"
sed -i \"s|\"/var/lib/besu/permissions/permissioned-nodes.json\"|\"/var/lib/besu/permissions/permissions-nodes.toml\"|g\" \"\$f\"
sed -i \"s|^static-nodes-file=.*|static-nodes-file=\\\"/var/lib/besu/static-nodes.json\\\"|\" \"\$f\"
sed -i \"s|^permissions-nodes-config-file=.*|permissions-nodes-config-file=\\\"/var/lib/besu/permissions/permissions-nodes.toml\\\"|\" \"\$f\"
sed -i \"s|^p2p-host=.*|p2p-host=\\\"${validator_ip}\\\"|\" \"\$f\"
sed -i \"s|^sync-mode=.*|sync-mode=\\\"FULL\\\"|\" \"\$f\"
grep -q \"static-nodes-file\" \"\$f\" || echo \"static-nodes-file=\\\"/var/lib/besu/static-nodes.json\\\"\" >> \"\$f\"
grep -q \"permissions-nodes-config-file\" \"\$f\" || echo \"permissions-nodes-config-file=\\\"/var/lib/besu/permissions/permissions-nodes.toml\\\"\" >> \"\$f\"
grep -q \"^p2p-host=\" \"\$f\" || echo \"p2p-host=\\\"${validator_ip}\\\"\" >> \"\$f\"
grep -q \"^sync-mode=\" \"\$f\" || echo \"sync-mode=\\\"FULL\\\"\" >> \"\$f\"
break
done
'" 2>/dev/null; then
log_err " sed config failed"
((FAILED++)) || true
continue
fi
# Ownership is best-effort: try besu:besu, fall back to root:root, and ignore
# the result either way (`|| true`), so a failed chown is never reported.
ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$SSH_USER@$host" "pct exec $vmid -- chown besu:besu ${STATIC_PATH} ${PERM_PATH}/permissions-nodes.toml 2>/dev/null || pct exec $vmid -- chown root:root ${STATIC_PATH} ${PERM_PATH}/permissions-nodes.toml" 2>/dev/null || true
# Restart the validator inside the container. If the restart does not finish
# within 30 seconds (or fails), the fallback sends SIGKILL to the unit, waits,
# clears its failed state and starts it again; only the final `systemctl
# start` decides whether this step counts as failed.
if ! ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$SSH_USER@$host" "pct exec $vmid -- bash -lc '
timeout 30 systemctl restart besu-validator || {
systemctl kill -s SIGKILL besu-validator || true
sleep 2
systemctl reset-failed besu-validator || true
systemctl start besu-validator
}
'" 2>/dev/null; then
log_err " restart failed"
((FAILED++)) || true
continue
fi
log_ok " static-nodes + permissions-nodes deployed, config updated, restarted"
echo ""
done
# Remove the staged copies from each distinct host's /tmp. This is best-effort:
# stderr is discarded and a failed ssh/rm does not affect the exit status.
# NOTE(review): this step is not reached when the script exits early (for
# example after a failed scp to a later host), so staged files can stay behind
# in /tmp on hosts that were already copied to.
for host in $(printf '%s\n' "${VALIDATORS[@]}" | cut -d: -f2 | sort -u); do
  if ! ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$SSH_USER@$host" \
    "rm -f /tmp/permissions-nodes.toml /tmp/static-nodes.json" 2>/dev/null; then
    : # ignored on purpose
  fi
done

# Final report. The exit status is 0 only when no validator step failed.
# NOTE(review): validators skipped as "not running" do not increment FAILED, so
# the success message can be printed while some nodes still hold the old lists.
echo "=== Summary ==="
if ! [ "$FAILED" -eq 0 ]; then
  log_err "$FAILED validator(s) failed."
  exit 1
fi
log_ok "All validators updated. Wait 12 min then: bash scripts/monitoring/monitor-blockchain-health.sh"
exit 0