Created
May 20, 2023 10:17
Single Vouch+Dirk with Rocket Pool
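#!/usr/bin/env bash
# Generate a private ECDSA CA plus one certificate each for Dirk (server side)
# and Vouch (client side).  Run it from the directory that will hold the ca/,
# dirk/ and vouch/ trees; an existing <name>/certs directory is never
# overwritten.
set -xeu
set -o pipefail

# Validity, in days, of the CA certificate and of every certificate it issues.
readonly CA_DAYS=3650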
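#######################################
# Issue an ECDSA (P-256) certificate for ${name}, signed by the local CA.
# Globals:   reads ../../ca/ca.crt and ../../ca/ca.key relative to
#            <name>/certs, i.e. the ca/ directory next to <name>/;
#            -CAcreateserial also writes ca/ca.srl on first use
# Arguments: $1 - certificate name; used as directory, CN and DNS SAN
#            $2 - validity in days
# Outputs:   <name>/certs/<name>.key (mode 0600), <name>/certs/<name>.crt
#            and a copy of the CA certificate as <name>/certs/ca.crt
# Exits:     1 if <name>/certs already exists, so keys are never clobbered
#######################################
create_cert() {
  local name="$1"
  local days="$2"
  local dir="${name}/certs"

  if [ -d "${dir}" ]; then
    echo "${dir} already exists"
    exit 1
  fi
  mkdir -p "${dir}"
  pushd "${dir}"

  # Extension file for the leaf certificate: not a CA, and the name is bound
  # as a DNS SAN so the hostname a peer connects to (e.g. dirk:13141 in the
  # Vouch config) can be matched against it.
  cat << EOF >"openssl.cnf"
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${name}
EOF

  # Private key: generated under umask 077 in a subshell so the file is never
  # group/world-readable, not even briefly, and the caller's umask is untouched.
  (umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out "${name}.key")
  openssl req -new -key "${name}.key" -out "${name}.csr" -subj "/CN=${name}"
  openssl x509 -req -in "${name}.csr" -CA ../../ca/ca.crt -CAkey ../../ca/ca.key \
    -CAcreateserial -out "${name}.crt" -days "${days}" -sha256 -extfile openssl.cnf
  cp ../../ca/ca.crt "ca.crt"

  # Cleanup: the CSR and the extension file were only needed for signing.
  rm "${name}.csr"
  rm openssl.cnf
  popd
}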
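# Create the CA only once: an existing ca/ directory is reused, so re-running
# the script just issues new leaf certificates against the same CA.
if [ ! -d "ca" ]; then
  # Create ECDSA CA
  mkdir -p ca
  pushd ca
  # -nodes below leaves ca.key unencrypted, so file permissions are the only
  # protection: generate it under umask 077 (subshell keeps the caller's umask).
  (umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out ca.key)
  openssl req -x509 -new -nodes -key ca.key -sha256 -days "${CA_DAYS}" \
    -subj "/CN=ca" -out ca.crt
  popd
fi

# Create certs: "dirk" is presented by the signer as its server certificate,
# "vouch" is used by the validator client as its client certificate.
create_cert "dirk" "${CA_DAYS}"
create_cert "vouch" "${CA_DAYS}"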
# log-level is the global log level for Dirk logging. | |
log-level: debug | |
server: | |
# id should be randomly chosen 8-digit numeric ID; it must be unique across all of your Dirk instances. | |
id: 1 | |
# name is the name of your server, as specified in its SSL certificate. | |
name: dirk | |
# listen-address is the interface and port on which Dirk will listen for requests; change 127.0.0.1 | |
# to 0.0.0.0 to listen on all network interfaces. | |
listen-address: 0.0.0.0:13141 | |
rules: | |
# admin-ips is a list of IP addresses from which requests for voluntary exits will be accepted.
admin-ips: [ 127.0.0.1 ] | |
# storage-path is the path where information created by the slashing protection system is stored. | |
storage-path: /data/protection | |
certificates: | |
# server-cert is the majordomo URL to the server's certificate. | |
server-cert: file:///config/certs/dirk.crt | |
# server-key is the majordomo URL to the server's key. | |
server-key: file:///config/certs/dirk.key | |
# ca-cert is the certificate of the CA that issued the client certificates. If not present Dirk will use | |
# the standard CA certificates supplied with the server. | |
ca-cert: file:///config/certs/ca.crt | |
# stores is a list of locations and types of Ethereum 2 stores. If no stores are supplied Dirk will use the | |
# default filesystem store. | |
stores: | |
- name: Local | |
type: filesystem | |
location: /data/wallets | |
metrics: | |
# listen-address is where Dirk's Prometheus server will present. If this value is not present then Dirk | |
# will not gather metrics. | |
listen-address: 0.0.0.0:8081 | |
peers: | |
# These are the IDs and addresses of the peers with which Dirk can communicate for distributed key generation. | |
# At a minimum it must include this instance. | |
1: dirk:13141 | |
unlocker: | |
# account-passphrases is a list of passphrases that can be used to unlock wallets. Each entry is a majordomo URL. | |
account-passphrases: | |
- file:///config/account-passphrase.txt | |
process: | |
# generation-passphrase is the passphrase used to encrypt newly-generated accounts. It is a majordomo URL. | |
generation-passphrase: file:///config/account-passphrase.txt | |
permissions: | |
# This permission allows vouch the ability to carry out all operations on accounts in all wallets. | |
vouch: | |
.*: All |
# Compose stack for a single Vouch + Dirk pair attached to an existing Rocket
# Pool network.  Services under the "tools" profile are one-shot ethdo helpers
# meant to be started with `docker compose run --rm <service>`.
version: "3.4"
services:
  # Validator client.  Reaches Dirk over the shared network using the client
  # certificate and CA under ./vouch/config/certs (see the Vouch config).
  vouch:
    container_name: rocketpool_vouch
    image: attestant/vouch:1.7.5
    restart: unless-stopped
    command:
      - --base-dir=/config
    volumes:
      - ./vouch/config:/config:ro
    networks:
      - net
  # Remote signer.  Certificates and the account passphrase file are mounted
  # read-only from ./dirk/config; wallets and slashing-protection data are
  # persisted under ./dirk/data.  No ports are published on the host.
  dirk:
    container_name: rocketpool_dirk
    image: attestant/dirk:1.1.0
    restart: unless-stopped
    command:
      - --base-dir=/config
    volumes:
      - ./dirk/config:/config:ro
      - ./dirk/data:/data
    networks:
      - net
  # One-shot: create the non-deterministic wallet "Wallet" in Dirk's store.
  create-wallet:
    profiles:
      - tools
    image: wealdtech/ethdo
    volumes:
      - ./dirk/config:/config:ro
      - ./dirk/data:/data
    entrypoint:
      - /bin/bash
      - -c
    command:
      - set -eu
        && /app/ethdo wallet create
        --base-dir=/data/wallets
        --type non-deterministic
        --wallet Wallet
        && echo "Wallet created successfully"
  # One-shot: import one keystore into "Wallet".  KEYSTORE (the keystore JSON
  # itself), KEYSTORE_PASS and ACCOUNT_ID are taken from the caller's
  # environment; "$$" is the Compose escape, so the container shell rather
  # than Compose expands them.  Note that environment variables are visible
  # to anyone who can inspect the container.
  import-account:
    profiles:
      - tools
    image: wealdtech/ethdo
    volumes:
      - ./dirk/config:/config:ro
      - ./dirk/data:/data
    entrypoint:
      - /bin/bash
      - -c
    environment:
      - KEYSTORE
      - KEYSTORE_PASS
      - ACCOUNT_ID
    command:
      - set -eu
        && { [ "$${KEYSTORE}x" != "x" ] || { echo "Please set KEYSTORE"; exit 1; } }
        && { [ "$${KEYSTORE_PASS}x" != "x" ] || { echo "Please set KEYSTORE_PASS"; exit 1; } }
        && { [ "$${ACCOUNT_ID}x" != "x" ] || { echo "Please set ACCOUNT_ID"; exit 1; } }
        && /app/ethdo
        account
        import
        --debug
        --base-dir=/data/wallets
        --account "Wallet/$${ACCOUNT_ID}"
        --passphrase "$(cat /config/account-passphrase.txt)"
        --keystore "$${KEYSTORE}"
        --keystore-passphrase "$${KEYSTORE_PASS}"
        && echo "Account $${ACCOUNT_ID} ($${KEYSTORE}) imported successfully"
  # One-shot: query Dirk over mTLS with the Vouch client certificate to confirm
  # an account is reachable.  The account name "Wallet/val-0" is hard-coded;
  # change it to check a different account.
  verify-account:
    profiles:
      - tools
    image: wealdtech/ethdo
    volumes:
      - ./vouch/config:/config:ro
    networks:
      - net
    entrypoint:
      - /bin/bash
      - -c
    command:
      - set -eu
        && /app/ethdo
        account
        info
        --remote dirk:13141
        --server-ca-cert /config/certs/ca.crt
        --client-cert /config/certs/vouch.crt
        --client-key /config/certs/vouch.key
        --account Wallet/val-0
        --verbose
networks:
  # Pre-existing network; it is not created by this file (presumably created
  # by the Rocket Pool stack — confirm before first use).
  net:
    name: rocketpool_net
    external: true
{ | |
"version": 2, | |
"fee_recipient": "0xd4E96eF8eee8678dBFf4d535E033Ed1a4F7605b7", | |
"gas_limit": "30000000", | |
"relays": { | |
"https://builder-relay-goerli.flashbots.net": { | |
"public_key": "0xafa4c6985aa049fb79dd37010438cfebeb0f2bd42b115b89dd678dab0670c1de38da0c4e9138c9290a398ecd9a0b3110" | |
}, | |
"https://builder-relay-goerli.blocknative.com": { | |
"public_key": "0x8f7b17a74569b7a57e9bdafd2e159380759f5dc3ccbd4bf600414147e8c4e1dc6ebada83c0139ac15850eb6c975e82d0" | |
} | |
} | |
} |
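#!/bin/sh
# Move one validator's keystore and its password file out of the Rocket Pool
# lighthouse data directory into ./keys, then import the key into the Dirk
# wallet through the import-account compose service.
#
# Usage: $0 PUBKEY ACCOUNT_ID   (e.g. 0xdeadbeef val-0)
set -eu

KEYPATH="./keys"
SRC_KEYPATH="${HOME}/.rocketpool/data/validators/lighthouse"

PUBKEY="${1:-x}"
ACCOUNT_ID="${2:-x}"
if [ "${PUBKEY}" = "x" ] || [ "${ACCOUNT_ID}" = "x" ]; then
  echo "usage: $0 PUBKEY ACCOUNT_ID" >&2
  echo "example $0 0xdeadbeef val-0" >&2
  exit 1
fi

# Trace only the non-secret steps.  The keystore and its passphrase are read
# into variables further down, and a trace of those assignments would echo
# both secrets to the terminal and to any captured log.
set -x
mkdir -p "${KEYPATH}/secrets" "${KEYPATH}/validators"
sudo mv "${SRC_KEYPATH}/secrets/${PUBKEY}" "${KEYPATH}"/secrets
sudo mv "${SRC_KEYPATH}/validators/${PUBKEY}" "${KEYPATH}"/validators
set +x

# The keystore JSON and its passphrase are handed to the container through the
# environment (see the import-account service).  Read via sudo because the
# moved files keep the ownership they had under the Rocket Pool data directory.
KEYSTORE=$(sudo cat "${KEYPATH}/validators/${PUBKEY}/voting-keystore.json")
KEYSTORE_PASS=$(sudo cat "${KEYPATH}/secrets/${PUBKEY}")
export ACCOUNT_ID KEYSTORE KEYSTORE_PASS
docker compose run --rm import-account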
# log-level is the global log level for Vouch logging. | |
log-level: debug | |
beacon-node-addresses: | |
- eth2:5052 | |
- https://remote-beacon-node.example.com | |
metrics: | |
prometheus: | |
# log-level is the log level for this module, over-riding the global level. | |
log-level: warn | |
# listen-address is the address on which prometheus listens for metrics requests. | |
listen-address: 0.0.0.0:8081 | |
graffiti: | |
static: | |
value: RP-XV 1.9.3 | |
# scheduler handles the scheduling of Vouch's operations. | |
scheduler: | |
style: advanced | |
accountmanager: | |
dirk: | |
endpoints: | |
- dirk:13141 | |
client-cert: file:///config/certs/vouch.crt | |
client-key: file:///config/certs/vouch.key | |
ca-cert: file:///config/certs/ca.crt | |
accounts: | |
- Wallet | |
submitter: | |
style: multinode | |
strategies: | |
beaconblockproposal: | |
style: first | |
blindedbeaconblockproposal: | |
style: first | |
attestationdata: | |
style: best | |
aggregateattestation: | |
style: best | |
synccommitteecontribution: | |
style: best | |
# blockrelay provides information about working with local execution clients and remote relays for block proposals. | |
# Configuration information for this section can be found in the execution layer documentation. | |
blockrelay: | |
fallback-fee-recipient: '0xd4E96eF8eee8678dBFf4d535E033Ed1a4F7605b7' | |
config: | |
url: 'file:///config/exec-config.json' |