Single Vouch+Dirk with Rocket Pool
#!/usr/bin/env bash
# Bootstraps a local ECDSA CA (when missing) and issues the dirk/vouch
# mTLS certificates with create_cert below.
# Trace every command, abort on the first failure, reject unset variables.
set -o xtrace -o errexit -o nounset
# Validity, in days, for the CA certificate and for every issued leaf.
CA_DAYS="3650"
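# create_cert NAME DAYS [CA_DIR]
#
# Issue an ECDSA (prime256v1) leaf certificate for NAME, signed by the CA in
# CA_DIR (default "ca", relative to the current directory -- the location the
# previous hard-coded ../../ca pointed at from NAME/certs), valid for DAYS days.
# Writes NAME/certs/NAME.key, NAME/certs/NAME.crt and a copy of the CA
# certificate as NAME/certs/ca.crt. The certificate carries CN=NAME and
# SAN DNS:NAME, so NAME must be the host name the peer connects to / expects.
# Exits 1 if NAME/certs already exists or the CA key/certificate are missing.
create_cert() {
  local name="$1"
  local days="$2"
  local ca_dir="${3:-ca}"

  if [ -d "${name}/certs" ]; then
    echo "${name}/certs already exists"
    exit 1
  fi
  # Check the CA material up front and resolve its path to an absolute one
  # before changing directory, so signing no longer depends on ../../ca.
  if [ ! -f "${ca_dir}/ca.crt" ] || [ ! -f "${ca_dir}/ca.key" ]; then
    echo "CA certificate/key not found in ${ca_dir}"
    exit 1
  fi
  ca_dir="$(cd "${ca_dir}" && pwd)"

  mkdir -p "${name}/certs"
  pushd "${name}/certs"
  # Leaf-certificate extensions: explicitly not a CA, SAN bound to NAME.
  cat << EOF >"openssl.cnf"
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${name}
EOF
  # Create ECDSA key, CSR and CA-signed certificate.
  openssl ecparam -name prime256v1 -genkey -noout -out "${name}.key"
  openssl req -new -key "${name}.key" -out "${name}.csr" -subj "/CN=${name}"
  openssl x509 -req -in "${name}.csr" -CA "${ca_dir}/ca.crt" -CAkey "${ca_dir}/ca.key" \
    -CAcreateserial -out "${name}.crt" -days "${days}" -sha256 -extfile openssl.cnf
  cp "${ca_dir}/ca.crt" "ca.crt"
  # Cleanup: the CSR and extension file were only needed for signing.
  rm "${name}.csr"
  rm openssl.cnf
  popd
}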
# Bootstrap a self-signed ECDSA (prime256v1) CA in ./ca on the first run only;
# an existing CA is left alone so previously issued certificates stay valid.
if ! test -d "ca"; then
  mkdir -p ca
  pushd ca
  openssl ecparam -name prime256v1 -genkey -noout -out ca.key
  openssl req -x509 -new -nodes -key ca.key -sha256 -days "${CA_DAYS}" \
    -subj "/CN=ca" -out ca.crt
  popd
fi

# One leaf certificate per service; the name is both the CN/SAN and the
# host name the other service dials.
for service in dirk vouch; do
  create_cert "${service}" "${CA_DAYS}"
done
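# Dirk configuration for the single Vouch + Dirk setup. Paths are as seen
# inside the rocketpool_dirk container: ./dirk/config is mounted read-only
# at /config and ./dirk/data at /data.

# log-level is the global log level for Dirk logging.
# debug is convenient while bringing the stack up; info is the quieter steady-state choice.
log-level: debug

server:
  # id should be randomly chosen 8-digit numeric ID; it must be unique across all of your Dirk instances.
  # NOTE(review): 1 is kept because the peers map below is keyed on it; whatever
  # value is chosen has to be used in both places.
  id: 1
  # name is the name of your server, as specified in its SSL certificate
  # (the cert script issues it with CN=dirk and SAN DNS:dirk).
  name: dirk
  # listen-address is the interface and port on which Dirk will listen for requests; change 127.0.0.1
  # to 0.0.0.0 to listen on all network interfaces.
  # 0.0.0.0 binds all interfaces of the container only: the compose file publishes no
  # host ports for dirk, so the endpoint is reachable solely over rocketpool_net.
  listen-address: 0.0.0.0:13141
  rules:
    # admin-ips is a list of IP addresses from which requests for voluntary exits will be accepted.
    admin-ips: [127.0.0.1]

# storage-path is the path where information created by the slashing protection system is stored.
storage-path: /data/protection

certificates:
  # server-cert is the majordomo URL to the server's certificate.
  server-cert: file:///config/certs/dirk.crt
  # server-key is the majordomo URL to the server's key.
  server-key: file:///config/certs/dirk.key
  # ca-cert is the certificate of the CA that issued the client certificates. If not present Dirk will use
  # the standard CA certificates supplied with the server.
  ca-cert: file:///config/certs/ca.crt

# stores is a list of locations and types of Ethereum 2 stores. If no stores are supplied Dirk will use the
# default filesystem store.
stores:
  - name: Local
    type: filesystem
    location: /data/wallets

metrics:
  # listen-address is where Dirk's Prometheus server will present. If this value is not present then Dirk
  # will not gather metrics.
  listen-address: 0.0.0.0:8081

peers:
  # These are the IDs and addresses of the peers with which Dirk can communicate for distributed key generation.
  # At a minimum it must include this instance.
  1: dirk:13141

unlocker:
  # account-passphrases is a list of passphrases that can be used to unlock wallets. Each entry is a majordomo URL.
  account-passphrases:
    - file:///config/account-passphrase.txt

process:
  # generation-passphrase is the passphrase used to encrypt newly-generated accounts. It is a majordomo URL.
  generation-passphrase: file:///config/account-passphrase.txt

permissions:
  # This permission allows vouch the ability to carry out all operations on accounts in all wallets.
  # The client is identified by the CN of its certificate (vouch.crt, issued with CN=vouch).
  vouch:
    .*: All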
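# Compose stack for a single Vouch + Dirk pair attached to the Rocket Pool
# network. The create-wallet / import-account / verify-account services are in
# the "tools" profile and only run when started explicitly (docker compose run).
version: "3.4"

services:
  vouch:
    container_name: rocketpool_vouch
    image: attestant/vouch:1.7.5
    restart: unless-stopped
    command:
      - "--base-dir=/config"
    volumes:
      # vouch.yml, exec-config.json and certs/ (client cert/key + ca.crt), read-only.
      - ./vouch/config:/config:ro
    networks:
      - net

  dirk:
    container_name: rocketpool_dirk
    image: attestant/dirk:1.1.0
    restart: unless-stopped
    command:
      - "--base-dir=/config"
    volumes:
      # Config (certs, account passphrase) read-only; /data holds the wallets
      # and the slashing-protection store and must stay writable.
      - ./dirk/config:/config:ro
      - ./dirk/data:/data
    networks:
      # No ports are published: dirk:13141 is reachable only from this network.
      - net

  create-wallet:
    profiles:
      - tools
    # TODO(review): pin to a specific release (wealdtech/ethdo:<VERSION>) so the
    # tool that writes the wallets does not float with the :latest tag.
    image: wealdtech/ethdo
    volumes:
      - ./dirk/config:/config:ro
      - ./dirk/data:/data
    entrypoint:
      - /bin/bash
      - "-c"
    command:
      - >-
        set -eu
        && /app/ethdo wallet create
        --base-dir=/data/wallets
        --type non-deterministic
        --wallet Wallet
        && echo "Wallet created successfully"

  import-account:
    profiles:
      - tools
    # TODO(review): pin to a specific release (wealdtech/ethdo:<VERSION>), as above.
    image: wealdtech/ethdo
    volumes:
      - ./dirk/config:/config:ro
      - ./dirk/data:/data
    entrypoint:
      - /bin/bash
      - "-c"
    # Pass-through from the caller's environment (exported by the import
    # script). The keystore JSON and its password therefore live in the
    # container environment, which is visible via docker inspect on the host;
    # keep the tools profile to trusted operators.
    environment:
      - KEYSTORE
      - KEYSTORE_PASS
      - ACCOUNT_ID
    # $$ is compose's escape for a literal $: every ${VAR} and $(...) below is
    # expanded by bash inside the container, not by compose on the host.
    # NOTE(review): --debug may log more than intended for an import; confirm
    # the output before keeping it.
    command:
      - >-
        set -eu
        && { [ "$${KEYSTORE}x" != "x" ] || { echo "Please set KEYSTORE"; exit 1; } }
        && { [ "$${KEYSTORE_PASS}x" != "x" ] || { echo "Please set KEYSTORE_PASS"; exit 1; } }
        && { [ "$${ACCOUNT_ID}x" != "x" ] || { echo "Please set ACCOUNT_ID"; exit 1; } }
        && /app/ethdo
        account
        import
        --debug
        --base-dir=/data/wallets
        --account "Wallet/$${ACCOUNT_ID}"
        --passphrase "$$(cat /config/account-passphrase.txt)"
        --keystore "$${KEYSTORE}"
        --keystore-passphrase "$${KEYSTORE_PASS}"
        && echo "Account $${ACCOUNT_ID} ($${KEYSTORE}) imported successfully"

  verify-account:
    profiles:
      - tools
    # TODO(review): pin to a specific release (wealdtech/ethdo:<VERSION>), as above.
    image: wealdtech/ethdo
    volumes:
      # Uses vouch's client certificate to talk to dirk over mTLS.
      - ./vouch/config:/config:ro
    networks:
      - net
    entrypoint:
      - /bin/bash
      - "-c"
    command:
      - >-
        set -eu
        && /app/ethdo
        account
        info
        --remote dirk:13141
        --server-ca-cert /config/certs/ca.crt
        --client-cert /config/certs/vouch.crt
        --client-key /config/certs/vouch.key
        --account Wallet/val-0
        --verbose

networks:
  net:
    # Pre-existing Rocket Pool network; compose attaches to it, never creates it.
    name: rocketpool_net
    external: true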
{
"version": 2,
"fee_recipient": "0xd4E96eF8eee8678dBFf4d535E033Ed1a4F7605b7",
"gas_limit": "30000000",
"relays": {
"https://builder-relay-goerli.flashbots.net": {
"public_key": "0xafa4c6985aa049fb79dd37010438cfebeb0f2bd42b115b89dd678dab0670c1de38da0c4e9138c9290a398ecd9a0b3110"
},
"https://builder-relay-goerli.blocknative.com": {
"public_key": "0x8f7b17a74569b7a57e9bdafd2e159380759f5dc3ccbd4bf600414147e8c4e1dc6ebada83c0139ac15850eb6c975e82d0"
}
}
}
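#!/bin/sh
# Move one Rocket Pool (Lighthouse) validator keystore and its password out of
# the Rocket Pool data directory into ./keys, then import it into the Dirk
# wallet through the import-account compose service.
#
# usage: $0 PUBKEY ACCOUNT_ID
#   PUBKEY      validator public key as used for the keystore directory name
#   ACCOUNT_ID  account name created inside the "Wallet" wallet (e.g. val-0)
set -eux
KEYPATH="./keys"
SRC_KEYPATH="${HOME}/.rocketpool/data/validators/lighthouse"
PUBKEY="${1:-x}"
ACCOUNT_ID="${2:-x}"
if [ "${PUBKEY}" = "x" ] || [ "${ACCOUNT_ID}" = "x" ]; then
  echo "usage: $0 PUBKEY ACCOUNT_ID"
  echo "example $0 0xdeadbeef val-0"
  exit 1
fi
# Both arguments become path components / an account path: refuse values that
# could point outside the intended directories.
for arg in "${PUBKEY}" "${ACCOUNT_ID}"; do
  case "${arg}" in
    */* | *..*)
      echo "PUBKEY and ACCOUNT_ID must not contain '/' or '..'"
      exit 1
      ;;
  esac
done
mkdir -p "${KEYPATH}/secrets" "${KEYPATH}/validators"
sudo mv "${SRC_KEYPATH}/secrets/${PUBKEY}" "${KEYPATH}/secrets"
sudo mv "${SRC_KEYPATH}/validators/${PUBKEY}" "${KEYPATH}/validators"
# Turn xtrace off while the secrets are read: with -x active the shell would
# echo the keystore JSON and the keystore password to stderr.
set +x
KEYSTORE=$(sudo cat "${KEYPATH}/validators/${PUBKEY}/voting-keystore.json")
KEYSTORE_PASS=$(sudo cat "${KEYPATH}/secrets/${PUBKEY}")
export ACCOUNT_ID KEYSTORE KEYSTORE_PASS
set -x
# The exported variables reach the container through the environment
# pass-through entries of the import-account service.
docker compose run --rm import-account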
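# Vouch configuration for the single Vouch + Dirk setup. Paths are as seen
# inside the rocketpool_vouch container (./vouch/config mounted at /config).

# log-level is the global log level for Vouch logging.
log-level: debug

beacon-node-addresses:
  - eth2:5052
  # Placeholder (example.com): replace with a real node or remove the entry.
  - https://remote-beacon-node.example.com

metrics:
  prometheus:
    # log-level is the log level for this module, over-riding the global level.
    log-level: warn
    # listen-address is the address on which prometheus listens for metrics requests.
    # Binds inside the container only; no host port is published for it.
    listen-address: 0.0.0.0:8081

graffiti:
  static:
    value: 'RP-XV 1.9.3'

# scheduler handles the scheduling of Vouch's operations.
scheduler:
  style: advanced

accountmanager:
  dirk:
    endpoints:
      - dirk:13141
    # Client certificate presented to Dirk; Dirk maps its CN (vouch) to the
    # permissions in dirk.yml. ca-cert is used to verify Dirk's server certificate.
    client-cert: file:///config/certs/vouch.crt
    client-key: file:///config/certs/vouch.key
    ca-cert: file:///config/certs/ca.crt
    accounts:
      - Wallet

submitter:
  style: multinode

strategies:
  beaconblockproposal:
    style: first
  blindedbeaconblockproposal:
    style: first
  attestationdata:
    style: best
  aggregateattestation:
    style: best
  synccommitteecontribution:
    style: best

# blockrelay provides information about working with local execution clients and remote relays for block proposals.
# Configuration information for this section can be found in the execution layer documentation.
blockrelay:
  fallback-fee-recipient: '0xd4E96eF8eee8678dBFf4d535E033Ed1a4F7605b7'
  config:
    url: 'file:///config/exec-config.json'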