Deploy DBIS RTGS first-slice sidecars

scripts/deployment/create-dbis-rtgs-sidecar-lxcs.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Create the three DBIS RTGS first-slice sidecar LXCs on r630-02.
+# Usage:
+#   ./scripts/deployment/create-dbis-rtgs-sidecar-lxcs.sh [--dry-run]
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+source "${PROJECT_ROOT}/config/ip-addresses.conf" 2>/dev/null || true
+
+HOST="${PROXMOX_HOST_R630_02:-${PROXMOX_R630_02:-192.168.11.12}}"
+NETWORK="${NETWORK:-vmbr0}"
+GATEWAY="${NETWORK_GATEWAY:-192.168.11.1}"
+DNS="${DNS_PRIMARY:-1.1.1.1}"
+STORAGE="${RTGS_SIDECAR_STORAGE:-thin3}"
+TEMPLATE="${TEMPLATE_UBUNTU_24:-local:vztmpl/ubuntu-24.04-standard_24.04-1_amd64.tar.zst}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+
+DRY_RUN=false
+if [[ "${1:-}" == "--dry-run" ]]; then
+  DRY_RUN=true
+fi
+
+SIDEcars=(
+  "5802 rtgs-scsm-1 192.168.11.89 4096 2 24"
+  "5803 rtgs-funds-1 192.168.11.90 4096 2 24"
+  "5804 rtgs-xau-1 192.168.11.92 4096 2 24"
+)
+
+resolve_template() {
+  if ssh $SSH_OPTS "root@$HOST" "pveam list local 2>/dev/null | grep -q 'ubuntu-24.04-standard'" 2>/dev/null; then
+    echo "local:vztmpl/ubuntu-24.04-standard_24.04-1_amd64.tar.zst"
+  elif ssh $SSH_OPTS "root@$HOST" "pveam list local 2>/dev/null | grep -q 'ubuntu-22.04-standard'" 2>/dev/null; then
+    echo "local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst"
+  else
+    echo "$TEMPLATE"
+  fi
+}
+
+TEMPLATE="$(resolve_template)"
+
+echo "=== DBIS RTGS first-slice sidecar LXCs ==="
+echo "Host: $HOST"
+echo "Storage: $STORAGE"
+echo "Template: $TEMPLATE"
+echo
+
+for spec in "${SIDEcars[@]}"; do
+  read -r VMID HOSTNAME IP MEMORY CORES ROOTFS_GB <<<"$spec"
+  if ssh $SSH_OPTS "root@$HOST" "pct status $VMID >/dev/null 2>&1"; then
+    echo "CT $VMID already exists on $HOST; skipping create."
+    continue
+  fi
+
+  CREATE_CMD="pct create $VMID $TEMPLATE \
+    --hostname $HOSTNAME \
+    --memory $MEMORY \
+    --cores $CORES \
+    --rootfs $STORAGE:${ROOTFS_GB} \
+    --net0 name=eth0,bridge=$NETWORK,ip=$IP/24,gw=$GATEWAY \
+    --features nesting=1,keyctl=1 \
+    --nameserver $DNS \
+    --onboot 1 \
+    --start 1 \
+    --unprivileged 0 \
+    --description 'DBIS RTGS first-slice sidecar LXC ($HOSTNAME)'"
+
+  if $DRY_RUN; then
+    echo "[DRY-RUN] $CREATE_CMD"
+    echo
+    continue
+  fi
+
+  echo "Creating CT $VMID ($HOSTNAME, $IP)..."
+  ssh $SSH_OPTS "root@$HOST" "$CREATE_CMD"
+done
+
+echo "Done."

scripts/deployment/deploy-dbis-rtgs-first-slice-sidecars.sh

@@ -0,0 +1,233 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Deploy the three selected DBIS RTGS first-slice sidecars to their LXC targets.
+# Usage:
+#   ./scripts/deployment/deploy-dbis-rtgs-first-slice-sidecars.sh [--dry-run]
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
+
+HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+
+SCSM_JAR="/home/intlc/projects/HYBX_Sidecars/mifos-fineract-sidecar/scsm-app/target/scsm-app-1.0.0-SNAPSHOT.jar"
+FUNDS_JAR="/home/intlc/projects/HYBX_Sidecars/server-funds-sidecar/funds-app/target/funds-app-1.0.0-SNAPSHOT.jar"
+XAU_JAR="/home/intlc/projects/HYBX_Sidecars/off-ledger-2-on-ledger-sidecar/target/off-ledger-2-on-ledger-sidecar-0.1.0-SNAPSHOT.jar"
+
+SCSM_FINERACT_BASE_URL="${SCSM_FINERACT_BASE_URL:-http://192.168.11.85:8080/fineract-provider/api/v1}"
+SCSM_FINERACT_TENANT="${SCSM_FINERACT_TENANT:-omnl}"
+SCSM_FINERACT_USERNAME="${SCSM_FINERACT_USERNAME:-}"
+SCSM_FINERACT_PASSWORD="${SCSM_FINERACT_PASSWORD:-}"
+
+FUNDS_FINERACT_BASE_URL="${FUNDS_FINERACT_BASE_URL:-http://192.168.11.85:8080/fineract-provider/api/v1}"
+
+XAU_FINERACT_BASE_URL="${XAU_FINERACT_BASE_URL:-http://192.168.11.85:8080}"
+XAU_FEED_URL="${XAU_FEED_URL:-}"
+XAU_STUB_PRICE="${XAU_STUB_PRICE:-2000}"
+
+DRY_RUN=false
+if [[ "${1:-}" == "--dry-run" ]]; then
+  DRY_RUN=true
+fi
+
+TARGETS="${TARGETS:-scsm,funds,xau}"
+
+require_file() {
+  local path="$1"
+  if [[ ! -f "$path" ]]; then
+    echo "Missing required artifact: $path" >&2
+    exit 1
+  fi
+}
+
+require_file "$SCSM_JAR"
+require_file "$FUNDS_JAR"
+require_file "$XAU_JAR"
+
+run_remote() {
+  local vmid="$1"
+  local cmd="$2"
+  if $DRY_RUN; then
+    echo "[DRY-RUN][CT $vmid] $cmd"
+  else
+    ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc $(printf '%q' "$cmd")"
+  fi
+}
+
+target_enabled() {
+  local want="$1"
+  [[ ",$TARGETS," == *",$want,"* ]]
+}
+
+wait_for_health() {
+  local vmid="$1"
+  local url="$2"
+  local out_file="$3"
+  local attempts="${4:-20}"
+  local sleep_seconds="${5:-2}"
+  local cmd="for i in \$(seq 1 $attempts); do if curl -sf \"$url\" > \"$out_file\"; then cat \"$out_file\"; exit 0; fi; sleep $sleep_seconds; done; exit 7"
+  run_remote "$vmid" "$cmd"
+}
+
+push_file() {
+  local vmid="$1"
+  local src="$2"
+  local dest="$3"
+  if $DRY_RUN; then
+    echo "[DRY-RUN][CT $vmid] copy $src -> $dest"
+  else
+    ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- mkdir -p $(dirname "$dest")"
+    ssh $SSH_OPTS "root@$HOST" "cat > /tmp/$(basename "$dest")" < "$src"
+    ssh $SSH_OPTS "root@$HOST" "pct push $vmid /tmp/$(basename "$dest") $dest >/dev/null && rm -f /tmp/$(basename "$dest")"
+  fi
+}
+
+setup_base_runtime() {
+  local vmid="$1"
+  run_remote "$vmid" "export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y openjdk-21-jre-headless redis-server curl ca-certificates"
+  run_remote "$vmid" "systemctl enable redis-server --now"
+}
+
+deploy_scsm() {
+  local vmid=5802
+  setup_base_runtime "$vmid"
+  push_file "$vmid" "$SCSM_JAR" "/opt/dbis-rtgs/scsm/scsm-app.jar"
+  local envfile unit
+  envfile="$(mktemp)"
+  cat > "$envfile" <<EOF
+SERVER_PORT=8080
+DB_URL=jdbc:h2:file:/var/lib/dbis-rtgs/scsm/scsm;DB_CLOSE_ON_EXIT=FALSE
+DB_USER=sa
+DB_PASSWORD=
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+KAFKA_BOOTSTRAP_SERVERS=localhost:9092
+FINERACT_BASE_URL=${SCSM_FINERACT_BASE_URL}
+FINERACT_TENANT=${SCSM_FINERACT_TENANT}
+FINERACT_USERNAME=${SCSM_FINERACT_USERNAME}
+FINERACT_PASSWORD=${SCSM_FINERACT_PASSWORD}
+FINERACT_OFFICE_ID=1
+EOF
+  push_file "$vmid" "$envfile" "/etc/dbis-rtgs/scsm.env"
+  rm -f "$envfile"
+  unit="$(mktemp)"
+  cat > "$unit" <<'EOF'
+[Unit]
+Description=DBIS RTGS SCSM sidecar
+After=network-online.target redis-server.service
+Wants=network-online.target
+
+[Service]
+User=root
+WorkingDirectory=/opt/dbis-rtgs/scsm
+EnvironmentFile=/etc/dbis-rtgs/scsm.env
+ExecStart=/usr/bin/java -jar /opt/dbis-rtgs/scsm/scsm-app.jar
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+  push_file "$vmid" "$unit" "/etc/systemd/system/dbis-rtgs-scsm.service"
+  rm -f "$unit"
+  run_remote "$vmid" "mkdir -p /var/lib/dbis-rtgs/scsm /opt/dbis-rtgs/scsm /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-scsm --now"
+  wait_for_health "$vmid" "http://127.0.0.1:8080/actuator/health" "/tmp/scsm-health.json"
+}
+
+deploy_funds() {
+  local vmid=5803
+  setup_base_runtime "$vmid"
+  push_file "$vmid" "$FUNDS_JAR" "/opt/dbis-rtgs/funds/funds-app.jar"
+  local envfile unit
+  envfile="$(mktemp)"
+  cat > "$envfile" <<EOF
+SERVER_PORT=8080
+DB_URL=jdbc:h2:file:/var/lib/dbis-rtgs/funds/funds;DB_CLOSE_ON_EXIT=FALSE
+DB_USER=sa
+DB_PASSWORD=
+REDIS_HOST=127.0.0.1
+REDIS_PORT=6379
+KAFKA_BOOTSTRAP_SERVERS=localhost:9092
+FINERACT_BASE_URL=${FUNDS_FINERACT_BASE_URL}
+EOF
+  push_file "$vmid" "$envfile" "/etc/dbis-rtgs/funds.env"
+  rm -f "$envfile"
+  unit="$(mktemp)"
+  cat > "$unit" <<'EOF'
+[Unit]
+Description=DBIS RTGS server-funds sidecar
+After=network-online.target redis-server.service
+Wants=network-online.target
+
+[Service]
+User=root
+WorkingDirectory=/opt/dbis-rtgs/funds
+EnvironmentFile=/etc/dbis-rtgs/funds.env
+ExecStart=/usr/bin/java -jar /opt/dbis-rtgs/funds/funds-app.jar
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+  push_file "$vmid" "$unit" "/etc/systemd/system/dbis-rtgs-funds.service"
+  rm -f "$unit"
+  run_remote "$vmid" "mkdir -p /var/lib/dbis-rtgs/funds /opt/dbis-rtgs/funds /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-funds --now"
+  wait_for_health "$vmid" "http://127.0.0.1:8080/actuator/health" "/tmp/funds-health.json"
+}
+
+deploy_xau() {
+  local vmid=5804
+  setup_base_runtime "$vmid"
+  push_file "$vmid" "$XAU_JAR" "/opt/dbis-rtgs/xau/off-ledger-2-on-ledger-sidecar.jar"
+  local envfile unit
+  envfile="$(mktemp)"
+  cat > "$envfile" <<EOF
+SERVER_PORT=8080
+FINERACT_BASE_URL=${XAU_FINERACT_BASE_URL}
+XAU_FEED_URL=${XAU_FEED_URL}
+XAU_STUB_PRICE=${XAU_STUB_PRICE}
+EOF
+  push_file "$vmid" "$envfile" "/etc/dbis-rtgs/xau.env"
+  rm -f "$envfile"
+  unit="$(mktemp)"
+  cat > "$unit" <<'EOF'
+[Unit]
+Description=DBIS RTGS XAU conversion sidecar
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+User=root
+WorkingDirectory=/opt/dbis-rtgs/xau
+EnvironmentFile=/etc/dbis-rtgs/xau.env
+ExecStart=/usr/bin/java -jar /opt/dbis-rtgs/xau/off-ledger-2-on-ledger-sidecar.jar
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+  push_file "$vmid" "$unit" "/etc/systemd/system/dbis-rtgs-xau.service"
+  rm -f "$unit"
+  run_remote "$vmid" "mkdir -p /opt/dbis-rtgs/xau /etc/dbis-rtgs && systemctl daemon-reload && systemctl enable dbis-rtgs-xau --now"
+  wait_for_health "$vmid" "http://127.0.0.1:8080/actuator/health" "/tmp/xau-health.json"
+}
+
+echo "=== Deploy DBIS RTGS first-slice sidecars ==="
+echo "Host: $HOST"
+echo
+
+if target_enabled scsm; then
+  deploy_scsm
+fi
+if target_enabled funds; then
+  deploy_funds
+fi
+if target_enabled xau; then
+  deploy_xau
+fi
+
+echo
+echo "Done."

scripts/verify/check-dbis-rtgs-first-slice.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Verify the deployed DBIS RTGS first-slice sidecars on Proxmox VE.
+
+HOST="${PROXMOX_HOST_R630_02:-192.168.11.12}"
+SSH_OPTS="-o BatchMode=yes -o ConnectTimeout=15 -o StrictHostKeyChecking=accept-new"
+
+check_ct() {
+  local vmid="$1"
+  local hostname="$2"
+  local service="$3"
+
+  echo "=== CT $vmid ($hostname) ==="
+  ssh $SSH_OPTS "root@$HOST" "pct status $vmid"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'systemctl is-active redis-server'"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'systemctl is-active $service'"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'curl -sf http://127.0.0.1:8080/actuator/health'"
+  echo
+}
+
+echo "=== DBIS RTGS first-slice runtime check ==="
+echo "Host: $HOST"
+echo
+
+check_ct 5802 rtgs-scsm-1 dbis-rtgs-scsm
+check_ct 5803 rtgs-funds-1 dbis-rtgs-funds
+check_ct 5804 rtgs-xau-1 dbis-rtgs-xau
+
+echo "=== Fineract reachability from sidecars ==="
+for vmid in 5802 5803 5804; do
+  printf 'CT %s -> ' "$vmid"
+  ssh $SSH_OPTS "root@$HOST" "pct exec $vmid -- bash -lc 'curl -s -o /tmp/fineract.out -w \"%{http_code}\" http://192.168.11.85:8080/fineract-provider/api/v1/offices'"
+  echo
+done
+
+echo
+echo "Interpretation:"
+echo "- 200 means unauthenticated route unexpectedly open or credentials baked into proxy"
+echo "- 400/401 means HTTP reachability exists, but authenticated tenant flow is not yet frozen"