proxmox/scripts/fix-validator-permissioning-toml.sh

#!/usr/bin/env bash
# Fix validator node lists: deploy BOTH static-nodes.json and permissions-nodes.toml.
# Besu expects TOML for permissions-nodes-config-file (not permissioned-nodes.json).
# Static-nodes = bootstrap peers; permissions-nodes = allowlist. Both are essential.
#
# Run from repo root. Requires SSH to r630-01 (192.168.11.11) and ml110 (192.168.11.10).

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
cd "$PROJECT_ROOT"

[ -f config/ip-addresses.conf ] && source config/ip-addresses.conf 2>/dev/null || true

SOURCE_TOML="$PROJECT_ROOT/config/besu-node-lists/permissions-nodes.toml"
SOURCE_STATIC="$PROJECT_ROOT/config/besu-node-lists/static-nodes.json"
if [ ! -f "$SOURCE_TOML" ]; then
  echo "Missing $SOURCE_TOML"
  exit 1
fi
if [ ! -f "$SOURCE_STATIC" ]; then
  echo "Missing $SOURCE_STATIC"
  exit 1
fi

R630_01="${PROXMOX_R630_01:-192.168.11.11}"
ML110="${PROXMOX_ML110:-192.168.11.10}"
USER="${PROXMOX_USER:-root}"
PERM_PATH="/var/lib/besu/permissions"
CONFIG_GLOB="/etc/besu/config-validator.toml"

VALIDATORS=(
  "1000:$R630_01"
  "1001:$R630_01"
  "1002:$R630_01"
  "1003:$ML110"
  "1004:$ML110"
)

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_ok() { echo -e "${GREEN}[✓]${NC} $1"; }
log_err() { echo -e "${RED}[✗]${NC} $1"; }

echo ""
echo "=== Fix validator node lists (static-nodes + permissions-nodes) ==="
echo "  Both are essential: static-nodes = bootstrap peers, permissions-nodes = allowlist."
echo ""

# Copy both files to each host once
for host in "$R630_01" "$ML110"; do
  log_info "Copying static-nodes.json and permissions-nodes.toml to $host"
  scp -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$SOURCE_STATIC" "$SOURCE_TOML" "$USER@$host:/tmp/" 2>/dev/null || { log_err "scp to $host failed"; exit 1; }
  log_ok "  Copied"
done

FAILED=0
for entry in "${VALIDATORS[@]}"; do
  IFS=: read -r vmid host <<< "$entry"
  log_info "VMID $vmid @ $host"

  status=$(ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$USER@$host" "pct status $vmid 2>/dev/null" | awk '{print $2}' || echo "unknown")
  if [ "$status" != "running" ]; then
    log_info "  Skip (not running)"
    continue
  fi

  # Push static-nodes.json to /var/lib/besu/ and permissions-nodes.toml to permissions/
  STATIC_PATH="/var/lib/besu/static-nodes.json"
  if ! ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$USER@$host" "pct push $vmid /tmp/static-nodes.json ${STATIC_PATH} && pct push $vmid /tmp/permissions-nodes.toml ${PERM_PATH}/permissions-nodes.toml" 2>/dev/null; then
    log_err "  pct push failed"
    ((FAILED++)) || true
    continue
  fi

  # Point config to TOML (not JSON) and ensure static-nodes-file and permissions path are set
  if ! ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$USER@$host" "pct exec $vmid -- bash -c '
    for f in /etc/besu/config-validator.toml /config/config-validator.toml; do
      [ -f \"\$f\" ] || continue
      sed -i \"s|permissioned-nodes\\.json|permissions-nodes.toml|g\" \"\$f\"
      sed -i \"s|\"/var/lib/besu/permissions/permissioned-nodes.json\"|\"/var/lib/besu/permissions/permissions-nodes.toml\"|g\" \"\$f\"
      sed -i \"s|^static-nodes-file=.*|static-nodes-file=\\\"/var/lib/besu/static-nodes.json\\\"|\" \"\$f\"
      sed -i \"s|^permissions-nodes-config-file=.*|permissions-nodes-config-file=\\\"/var/lib/besu/permissions/permissions-nodes.toml\\\"|\" \"\$f\"
      grep -q \"static-nodes-file\" \"\$f\" || echo \"static-nodes-file=\\\"/var/lib/besu/static-nodes.json\\\"\" >> \"\$f\"
      grep -q \"permissions-nodes-config-file\" \"\$f\" || echo \"permissions-nodes-config-file=\\\"/var/lib/besu/permissions/permissions-nodes.toml\\\"\" >> \"\$f\"
      break
    done
  '" 2>/dev/null; then
    log_err "  sed config failed"
    ((FAILED++)) || true
    continue
  fi

  ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$USER@$host" "pct exec $vmid -- chown besu:besu ${STATIC_PATH} ${PERM_PATH}/permissions-nodes.toml 2>/dev/null || pct exec $vmid -- chown root:root ${STATIC_PATH} ${PERM_PATH}/permissions-nodes.toml" 2>/dev/null || true

  if ! ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$USER@$host" "pct exec $vmid -- systemctl restart besu-validator" 2>/dev/null; then
    log_err "  restart failed"
    ((FAILED++)) || true
    continue
  fi
  log_ok "  static-nodes + permissions-nodes deployed, config updated, restarted"
  echo ""
done

# Cleanup host /tmp
for host in "$R630_01" "$ML110"; do
  ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no "$USER@$host" "rm -f /tmp/permissions-nodes.toml /tmp/static-nodes.json" 2>/dev/null || true
done

echo "=== Summary ==="
if [ "$FAILED" -eq 0 ]; then
  log_ok "All validators updated. Wait 1–2 min then: bash scripts/monitoring/monitor-blockchain-health.sh"
  exit 0
else
  log_err "$FAILED validator(s) failed."
  exit 1
fi