shift-cluster

#!/bin/bash

##################s###################################################
#    Make sure to run the setup described in the README.md first!    #
######################################################################

init_data() {
    reply=`curl -s https://install.shiftproject.com/testnet`
    bits=(`echo $reply | cut -d " " -f 1-`)

    phoenix_ipfs_hash=${bits[1]}
    phoenix_shasum=${bits[2]}
    ipfs_ipfs_hash=${bits[4]}
    ipfs_shasum=${bits[5]}
    bootstrap_peers=${bits[7]}
    blockchain_peers=${bits[9]}
    phoenix_secret=${bits[11]}
    swarm_key="${bits[13]}\n${bits[14]}\n${bits[15]}"

    if [ "$phoenix_secret" == "" ]; then
        echo "Unable to fetch phoenix data"
        exit 1
    fi
}

check_hash() {
    file_hash=`shasum $1 | cut -d " " -f1`
    if [ "$file_hash" != "$2" ] ; then
        echo "false"
        return
    fi

    echo "true"
}

check_hash_and_exit() {
    if [ "$(check_hash $1 $2)" == "false" ] ; then
        echo "HASH for $1 does not match expected hash!"
        exit 1
    fi
}

# Downloads the latest IPFS binaries from the Shift IPFS cluster – inception
install_binaries() {
    mkdir -p ~/bin
    echo "Downloading latest binaries…"

    # hash does not match
    if [ "$(check_hash ~/bin/ipfs $ipfs_shasum)" == "false" ] ; then
        echo "Downloading latest IPFS…"
        wget -O ~/bin/ipfs-new https://phoenix-test.shiftnrg.org/ipfs/$ipfs_ipfs_hash
        chmod +x ~/bin/ipfs-new
        check_hash_and_exit ~/bin/ipfs-new $ipfs_shasum
        mv ~/bin/ipfs-new ~/bin/ipfs
    fi

    if [ "$(check_hash ~/bin/phoenix-cluster $phoenix_shasum)" == "false" ] ; then
        echo "Downloading latest phoenix cluster…"
        wget -O ~/bin/phoenix-cluster-new https://phoenix-test.shiftnrg.org/ipfs/$phoenix_ipfs_hash
        chmod +x ~/bin/phoenix-cluster-new
        check_hash_and_exit ~/bin/phoenix-cluster-new $phoenix_shasum
        mv ~/bin/phoenix-cluster-new ~/bin/phoenix-cluster
    fi

    echo "Done"
}

# Sets up a self-signed certificate for https
install_certificate() {
    sudo openssl genrsa -out shift.key 2048
    sudo openssl req -nodes -newkey rsa:2048 -key shift.key -out shift.csr -subj "/C=NL/O=Shift/CN=shiftnrg.org"
    sudo openssl x509 -req -days 365 -in shift.csr -signkey shift.key -out shift.crt
    sudo bash -c 'cat shift.crt shift.key > /etc/ssl/private/shift.pem'
    rm -f shift.key shift.csr shift.crt
}

# @todo pull the HAProxy config from somewhere else – maybe IPFS?
update_haproxy_config() {
    # Configure HAProxy
    sudo rm /etc/haproxy/haproxy.cfg

    conf="global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend https-in
    bind *:443 ssl crt /etc/ssl/private/shift.pem
    bind *:80
    mode http
    # Add CORS headers when Origin header is present
    capture request header origin len 128
    http-response add-header Access-Control-Allow-Origin %[capture.req.hdr(0)] if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Methods:\ GET,\ HEAD,\ OPTIONS,\ POST,\ PUT  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Credentials:\ true  if { capture.req.hdr(0) -m found }
    rspadd Access-Control-Allow-Headers:\ Origin,\ Accept,\ X-Requested-With,\ Content-Type,\ Access-Control-Request-Method,\ Access-Control-Request-Headers,\ Authorization  if { capture.req.hdr(0) -m found }

    acl is_cluster_api_path path_beg /pin /stats /peers
    acl is_api_path path_beg /api/v0/ls /api/v0/add /api/v0/cat /api/v0/object/links /api/v0/object/patch/add-link /api/v0/object/patch/rm-link /api/v0/key/gen /api/v0/key/list /api/v0/name/publish /api/v0/name/resolve /api/v0/ping /api/v0/version /api/v0/swarm/peers /api/v0/swarm/addrs/local /api/v0/stats/bw /api/v0/stats/repo /api/v0/stats/
    use_backend phoenix_cluster_api if is_cluster_api_path
    use_backend ipfs_api if is_api_path
    default_backend ipfs

backend ipfs_api
    mode http
    http-request del-header Origin
    http-request del-header Referer
    http-response add-header Server ipfs_api
    server api 127.0.0.1:5001

backend phoenix_cluster_api
    mode http
    acl is_options method OPTIONS
    http-request set-method GET if is_options
    http-response add-header Server phoenix_cluster_api
    server api 127.0.0.1:2473

backend ipfs
    mode http
    balance roundrobin
    option forwardfor
    option httpchk GET / HTTP/1.1\\\r\\\nHost:localhost
    server ipfs 127.0.0.1:8080
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }"

    echo "$conf" | sudo tee -a /etc/haproxy/haproxy.cfg > /dev/null
}

# Installs HAProxy and the HAProxy config for routing requests to IPFS
install_haproxy() {
    sudo add-apt-repository -y ppa:vbernat/haproxy-1.7
    sudo apt update
    sudo apt install -y haproxy
    update_haproxy_config
}

update_phoenix_config() {
    mkdir -p ~/.phoenix

    conf="{
    \"PhoenixPort\": 3473,
    \"APIPort\": 2473,
    \"Debug\": false,
    \"Secret\": \"$phoenix_secret\",
    \"BlockchainPeers\": [$blockchain_peers],
    \"Replication\": 3,
    \"PingFailuresBeforeRemoval\": 10000
}"

    mv ~/.phoenix/config.json ~/.phoenix/config-old.json
    echo "$conf" | tee -a ~/.phoenix/config.json > /dev/null
}

update_swarm_key() {
    rm -f ~/.ipfs/swarm.key
    echo -e $swarm_key | sudo tee -a ~/.ipfs/swarm.key > /dev/null
}

update_ipfs_config() {
    # Reduce the number of connections to 500-600 (default is 600-900)
    tmp=$(mktemp)
    jq '.Bootstrap = [] | .Swarm.ConnMgr.LowWater = 500 | .Swarm.ConnMgr.HighWater = 600' ~/.ipfs/config > "$tmp" && mv "$tmp" ~/.ipfs/config
}

initialize_ipfs() {
    ipfs init
    tmp=$(mktemp)
    update_swarm_key

    update_ipfs_config
    update_phoenix_config
    user=`whoami`
    sudo chown $user:$user ~/.ipfs
    sudo chown $user:$user ~/.phoenix
}

# Installs what is necessary to run a storage node
# @todo support different operating systems (linux only now)
install() {
    cd ~/
    init_data
    install_binaries
    initialize_ipfs
    install_certificate
    install_haproxy
    echo "SHIFT cluster successfully installed"
}

update_phoenix_secret() {
    tmp=$(mktemp)
    jq ".Secret = \"$phoenix_secret\"" ~/.phoenix/config.json > "$tmp" && mv "$tmp" ~/.phoenix/config.json
}

update() {
    stop
    cd ~/bin
    init_data
    update_swarm_key
    update_ipfs_config
    update_phoenix_secret
    install_binaries
}

remove() {
    read -rp "Are you sure you want to remove? This will delete all content pinned in IPFS. [y/n] "

    [[ ${REPLY,,} =~ ^(c|cancel)$ ]] && { echo "Selected Cancel"; exit 1; }

    if [[ ${REPLY,,} =~ ^(y|yes)$ ]]; then
        stop
        rm ~/bin/ipfs
        rm ~/bin/phoenix-cluster
        sudo apt-get -y remove haproxy
        sudo rm /etc/ssl/private/shift.pem
        rm -rf ~/.ipfs
        rm -rf ~/.phoenix
        echo "SHIFT cluster successfully removed"
    fi
}

check_port_and_fail() {
    netstat -tlnp 2>/dev/null | grep ":$1\s" -q
    if [ $? -eq 0 ] ; then
        echo "Unable to start: port $1 is in use by another process. Make sure to stop Apache or Nginx"
        exit 1
    fi
}

start() {
    check_port_and_fail 80
    check_port_and_fail 443
    init_data
    mkdir -p ~/logs
    sudo /etc/init.d/haproxy restart
    nohup ipfs daemon --enable-pubsub-experiment > ~/logs/ipfs.log 2>&1 &
    sleep 2
    nohup phoenix-cluster --bootstrap=$bootstrap_peers --config=$HOME/.phoenix/config.json start > ~/logs/phoenix-cluster.log 2>&1 &

    echo "Waiting 5 seconds..."
    sleep 5

    netstat -tlnp 2>/dev/null | grep 2473 -q
    if [ $? -ne 0 ] ; then
        echo "Phoenix failed to start!"
        echo ""
        echo "Log output from ~/logs/phoenix-cluster.log:"
        tail -n 20 ~/logs/phoenix-cluster.log
        exit 1
    fi

    echo "SHIFT cluster started"
}

stop() {
    sudo /etc/init.d/haproxy stop
    pkill -HUP -f ipfs
    pkill -f phoenix-cluster
    echo "SHIFT cluster stopped"
}

# Checks if IPFS is running
#
# @todo make sure it is actually serving traffic
check() {
    netstat -tlnp 2>/dev/null | grep 8080 -q
    if [ $? -eq 0 ] ; then
        echo "✓ IPFS is running"
    else
        echo "✘ IPFS is not running"
    fi

    netstat -tlnp 2>/dev/null | grep 2473 -q
    if [ $? -eq 0 ] ; then
        echo "✓ PHOENIX is running"
    else
        echo "✘ PHOENIX is not running"
    fi
}

case $1 in
    "install")
      install
    ;;
    "update")
      update
    ;;
    "remove")
      remove
    ;;
    "start")
      start
    ;;
    "stop")
      stop
    ;;
    "restart")
      stop
      start
    ;;
    "check")
      check
    ;;
    *)
    echo "Available options: install, update, remove, start, stop, restart, check"
    echo "Usage: ./shift-cluster install"
    exit 1
    ;;
esac