- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands - CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround - CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check - NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere - MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates - LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference Co-authored-by: Cursor <cursoragent@cursor.com>
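#!/bin/bash
# Reconfigure the Vault cluster to use the main network (192.168.11.0/24 by
# default) instead of VLAN 160. Container IPs are assigned from the main
# network without VLAN tagging.

set -euo pipefail

# Resolve the project root relative to this script so the shared IP
# configuration can be found regardless of the caller's working directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"

# The config file is executed as shell code in this process, and the values it
# sets are later placed into commands that run as root on the Proxmox hosts.
# It should therefore be writable only by trusted operators.
IP_CONFIG_FILE="${PROJECT_ROOT}/config/ip-addresses.conf"
if [[ -r "$IP_CONFIG_FILE" ]]; then
  # Loading stays best-effort (a non-zero result does not abort the run), but
  # parse errors and a failing config are now visible instead of being
  # discarded, so an operator can tell when defaults are silently in effect.
  # shellcheck source=/dev/null
  source "$IP_CONFIG_FILE" \
    || printf '[WARN] %s returned non-zero; continuing with the values loaded so far\n' "$IP_CONFIG_FILE" >&2
else
  printf '[WARN] %s not found or unreadable; using built-in default addresses\n' "$IP_CONFIG_FILE" >&2
fi
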
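# Colors. The values keep a literal backslash; printf's %b expands them.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Log helpers. $1 is the message text.
# Only the color codes go through %b; the message itself is printed with %s,
# so backslash sequences inside text that originated on a remote host (for
# example the net0 line or the reported IP) are shown literally rather than
# being interpreted, as they would be with `echo -e`.
log_info() { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "${1-}"; }
log_success() { printf '%b[✓]%b %s\n' "$GREEN" "$NC" "${1-}"; }
log_warn() { printf '%b[⚠]%b %s\n' "$YELLOW" "$NC" "${1-}"; }
log_error() { printf '%b[✗]%b %s\n' "$RED" "$NC" "${1-}"; }
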
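# Configuration
# Proxmox hosts that run the Vault containers; each can be overridden from the
# environment or from the sourced IP configuration.
PROXMOX_HOST_1="${PROXMOX_HOST_1:-192.168.11.11}"
PROXMOX_HOST_2="${PROXMOX_HOST_2:-192.168.11.12}"

# New IP assignments on the main network (192.168.11.0/24 by default).
# The redundant nested defaults of the original expressions are collapsed;
# the resulting values are unchanged.
VAULT_NODE_1_VMID=8640
VAULT_NODE_1_IP="${IP_SERVICE_200:-192.168.11.200}"
VAULT_NODE_2_VMID=8641
# NOTE(review): a literal "5" is appended after the expansion, so the default
# resolves to 192.168.11.215. This looks like the residue of an automated
# search-and-replace; any IP_SERVICE_21 override that does not end in ".21"
# produces a malformed address. Confirm the intended address for node 2. The
# validation below stops the run before a malformed value reaches `pct set`.
VAULT_NODE_2_IP="${IP_SERVICE_21:-192.168.11.21}5"
VAULT_NODE_3_VMID=8642
VAULT_NODE_3_IP="${IP_SERVICE_202:-192.168.11.202}"

GATEWAY="${NETWORK_GATEWAY:-192.168.11.1}"

#######################################
# Check that a string is a dotted-quad IPv4 address with octets 0-255.
# Arguments: $1 - candidate address
# Returns:   0 if valid, 1 otherwise
#######################################
is_ipv4() {
  local candidate=${1-}
  local octet
  local -a octets
  [[ $candidate =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r -a octets <<<"$candidate"
  for octet in "${octets[@]}"; do
    # 10# forces base 10 so an octet such as "08" is not read as octal.
    ((10#$octet <= 255)) || return 1
  done
  return 0
}

# These values are interpolated into commands run as root on the Proxmox
# hosts and written into vault.hcl, so reject anything that is not a plain
# IPv4 address before any container is stopped.
for _addr_var in VAULT_NODE_1_IP VAULT_NODE_2_IP VAULT_NODE_3_IP GATEWAY; do
  if ! is_ipv4 "${!_addr_var}"; then
    printf '[ERROR] %s="%s" is not a valid IPv4 address; aborting before any container is touched\n' \
      "$_addr_var" "${!_addr_var}" >&2
    exit 1
  fi
done
unset _addr_var
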
# Opening banner, followed by a one-line statement of the migration being
# performed (VLAN 160 addressing to the main /24 network).
printf '%s\n' \
  "═══════════════════════════════════════════════════════════" \
  " Vault Cluster Network Reconfiguration" \
  "═══════════════════════════════════════════════════════════" \
  ""
log_info "Reconfiguring from VLAN 160 (10.160.0.x) to ${NETWORK_192_168_11_0:-192.168.11.0}/24"
printf '\n'

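#######################################
# Move one Vault LXC container onto the untagged main network.
# Stops the container, rewrites its net0 definition (bridge vmbr0, static
# address with a /24 prefix, no VLAN tag), starts it again and compares the
# address reported for eth0 with the requested one.
# Globals:   GATEWAY (read)
# Arguments: $1 - container VMID
#            $2 - new IPv4 address (without prefix length)
#            $3 - Proxmox host, reached over SSH as root
#            $4 - node hostname, used only in log output
# Returns:   0 when the container was reconfigured and started (an address
#            mismatch only logs a warning); 1 when an argument is malformed
#            or `pct set` / `pct start` fails
#######################################
reconfigure_node() {
  local vmid=$1
  local new_ip=$2
  local proxmox_host=$3
  local hostname=$4
  # Kept local so repeated calls do not leak state into the rest of the script.
  local current_net actual_ip
  local -r ipv4_shape='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'

  # vmid, new_ip and GATEWAY are pasted into command strings that a root shell
  # on the Proxmox host parses. Refuse anything that is not a plain number or
  # dotted quad before the first SSH call is made.
  if [[ ! $vmid =~ ^[0-9]+$ ]]; then
    log_error "Refusing to continue: VMID '$vmid' is not numeric"
    return 1
  fi
  if [[ ! $new_ip =~ $ipv4_shape || ! $GATEWAY =~ $ipv4_shape ]]; then
    log_error "Refusing to continue: address '$new_ip' or gateway '$GATEWAY' is not a dotted-quad IPv4 address"
    return 1
  fi

  log_info "Reconfiguring Node $vmid ($hostname) to $new_ip..."

  # Stop container; a failure is tolerated because it may already be stopped.
  log_info "Stopping container $vmid..."
  ssh root@"$proxmox_host" "pct stop $vmid" || log_warn "Container may already be stopped"
  sleep 2

  # Get current network config. This is informational only, so a missing net0
  # line (grep exits non-zero) must not abort the script under `set -e` while
  # the container is left stopped.
  current_net=$(ssh root@"$proxmox_host" "pct config $vmid | grep '^net0:'") \
    || current_net="(no net0 entry found)"
  log_info "Current network: $current_net"

  # Reconfigure network: no VLAN tag, static address on the main /24.
  log_info "Updating network configuration..."
  if ! ssh root@"$proxmox_host" "pct set $vmid --net0 name=eth0,bridge=vmbr0,ip=$new_ip/24,gw=$GATEWAY"; then
    # NOTE: at this point the container has been stopped and is not restarted.
    log_error "Failed to update network configuration"
    return 1
  fi

  log_success "Network configuration updated for $vmid"

  # Start container
  log_info "Starting container $vmid..."
  if ! ssh root@"$proxmox_host" "pct start $vmid"; then
    log_error "Failed to start container"
    return 1
  fi

  sleep 5

  # Verify IP. The pipeline after `pct exec` runs on the Proxmox host; a
  # failure to query is reported as a mismatch instead of ending the run.
  actual_ip=$(ssh root@"$proxmox_host" "pct exec $vmid -- ip addr show eth0 | grep 'inet ' | awk '{print \$2}' | cut -d/ -f1") \
    || actual_ip=""
  if [[ "$actual_ip" == "$new_ip" ]]; then
    log_success "IP verified: $new_ip"
  else
    log_warn "IP mismatch: expected $new_ip, got $actual_ip"
  fi

  return 0
}
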
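# Phase 1: Reconfigure Network
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Phase 1: Reconfiguring Container Networks"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# Arguments are quoted so that an empty or space-containing value cannot shift
# the positional parameters of reconfigure_node. Under `set -e` the first
# failing node ends the run, leaving the remaining nodes untouched.
reconfigure_node "$VAULT_NODE_1_VMID" "$VAULT_NODE_1_IP" "$PROXMOX_HOST_1" "vault-phoenix-1"
reconfigure_node "$VAULT_NODE_2_VMID" "$VAULT_NODE_2_IP" "$PROXMOX_HOST_2" "vault-phoenix-2"
reconfigure_node "$VAULT_NODE_3_VMID" "$VAULT_NODE_3_IP" "$PROXMOX_HOST_1" "vault-phoenix-3"

echo ""
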
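# Phase 2: Update Vault Configuration
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Phase 2: Updating Vault Configuration Files"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

# NOTE(review): the generated configuration serves the Vault API on every
# interface (0.0.0.0:8200) with TLS disabled (tls_disable = 1, http://
# addresses). After the move from VLAN 160 to the shared main network, API
# traffic, including client tokens and secret values, crosses that network
# as plain HTTP. Consider provisioning certificates and enabling TLS on the
# listener, and restricting ports 8200/8201 to cluster members and intended
# clients. This script does not change those settings because doing so needs
# certificates that are not provisioned here.
# NOTE(review): disable_mlock = true allows Vault memory to be swapped;
# confirm swap is disabled or encrypted where these containers run.

#######################################
# Write /etc/vault.d/vault.hcl inside one Vault container.
# The outer here-document is expanded locally, so every address is already a
# literal by the time the text reaches the container. The inner delimiter is
# quoted so the container's shell performs no second round of expansion on
# the file contents.
# Globals:   VAULT_NODE_1_IP, VAULT_NODE_2_IP, VAULT_NODE_3_IP (read)
# Arguments: $1 - Proxmox host, reached over SSH as root
#            $2 - container VMID
#            $3 - Raft node_id for this node
#            $4 - this node's IP address
# Returns:   exit status of the ssh command
#######################################
write_vault_config() {
  local proxmox_host=$1
  local vmid=$2
  local node_id=$3
  local node_ip=$4

  ssh root@"$proxmox_host" "pct exec $vmid -- bash" <<CONFIG_EOF
cat > /etc/vault.d/vault.hcl << 'VAULT_CONFIG'
ui = true
disable_mlock = true

listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_address = "$node_ip:8201"
  tls_disable = 1
}

storage "raft" {
  path = "/opt/vault/data"
  node_id = "$node_id"

  retry_join {
    leader_api_addr = "http://$VAULT_NODE_1_IP:8200"
  }
  retry_join {
    leader_api_addr = "http://$VAULT_NODE_2_IP:8200"
  }
  retry_join {
    leader_api_addr = "http://$VAULT_NODE_3_IP:8200"
  }
}

api_addr = "http://$node_ip:8200"
cluster_addr = "http://$node_ip:8201"

log_level = "INFO"
log_file = "/var/log/vault/vault.log"
log_rotate_duration = "24h"
log_rotate_max_files = 30
VAULT_CONFIG
CONFIG_EOF
}

# Node 1
log_info "Updating Vault config for Node 1..."
write_vault_config "$PROXMOX_HOST_1" "$VAULT_NODE_1_VMID" "vault-phoenix-1" "$VAULT_NODE_1_IP"
log_success "Node 1 configuration updated"

# Node 2
log_info "Updating Vault config for Node 2..."
write_vault_config "$PROXMOX_HOST_2" "$VAULT_NODE_2_VMID" "vault-phoenix-2" "$VAULT_NODE_2_IP"
log_success "Node 2 configuration updated"

# Node 3
log_info "Updating Vault config for Node 3..."
write_vault_config "$PROXMOX_HOST_1" "$VAULT_NODE_3_VMID" "vault-phoenix-3" "$VAULT_NODE_3_IP"
log_success "Node 3 configuration updated"

echo ""
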
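# Phase 3: Restart Vault Services
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Phase 3: Restarting Vault Services"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

#######################################
# Restart the vault service inside one container and report the outcome.
# A failed restart is logged and the run continues with the next node; the
# original `cmd && log_success` form continued as well but printed nothing
# when the restart failed.
# Arguments: $1 - label for log output (e.g. "Node 1")
#            $2 - Proxmox host, reached over SSH as root
#            $3 - container VMID
# Returns:   0 in both cases
#######################################
restart_vault_node() {
  local label=$1
  local proxmox_host=$2
  local vmid=$3

  if ssh root@"$proxmox_host" "pct exec $vmid -- systemctl restart vault"; then
    log_success "$label restarted"
  else
    log_error "$label: Vault restart failed"
  fi
}

log_info "Restarting Vault on all nodes..."
restart_vault_node "Node 1" "$PROXMOX_HOST_1" "$VAULT_NODE_1_VMID"
restart_vault_node "Node 2" "$PROXMOX_HOST_2" "$VAULT_NODE_2_VMID"
restart_vault_node "Node 3" "$PROXMOX_HOST_1" "$VAULT_NODE_3_VMID"

sleep 10

echo ""
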
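# Phase 4: Verify Cluster
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "Phase 4: Verifying Cluster Status"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""

log_info "Checking cluster status..."
# `vault status` exits 0 when unsealed, 2 when sealed and 1 on error. A sealed
# node is the expected state right after a restart, so it is reported as such
# instead of as a failed status query. This presumes the exit code is passed
# back through `pct exec` and ssh unchanged; if it is not, the generic warning
# below is printed, as before.
status_rc=0
ssh root@"$PROXMOX_HOST_1" "pct exec $VAULT_NODE_1_VMID -- bash -c 'export VAULT_ADDR=http://127.0.0.1:8200 && vault status'" \
  || status_rc=$?
case "$status_rc" in
  0) ;;
  2) log_warn "Vault reports it is sealed (expected after a restart until the nodes are unsealed)" ;;
  *) log_warn "Could not get status" ;;
esac

echo ""
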
# Summary: closing banner, the address now assigned to each node, and a
# reminder that a restarted Vault node may come back sealed.
printf '%s\n' \
  "═══════════════════════════════════════════════════════════" \
  " Reconfiguration Summary" \
  "═══════════════════════════════════════════════════════════" \
  ""

log_success "Network reconfiguration complete!"
log_info "New IP assignments:"
for _node in 1 2 3; do
  _ip_var="VAULT_NODE_${_node}_IP"
  log_info " Node ${_node} (vault-phoenix-${_node}): ${!_ip_var}"
done
unset _node _ip_var
printf '\n'
log_warn "Note: Nodes may need to be unsealed after restart"
# NOTE(review): the path below is relative and points at unseal keys kept on
# disk. Confirm that .secure/ is excluded from version control and readable
# only by the operator account.
log_info "Unseal keys are stored in: .secure/vault-credentials/"

printf '\n'