- Added encryption module identity.go for reusable identity create, save, etc. functions
- Updated makefile to support identity/main.go
- Updated node/node.go on loadOrCreateIdentity to use encryption.identity
- Updated cli/main.go to remove fallbacks for identity
- Updated install-debros-network.sh script to use new ./cmd/identity and fixed port order on print
- Updated makefile and changelog

Production Security Features:
- RQLite authentication with secure user management
- Firewall configuration with IP-based restrictions
- Automated credential generation and storage
- Authenticated cluster join addresses
- Credential masking in logs for security
- Helper scripts for secure RQLite connections

Network Architecture:
- Port 4000: Public LibP2P P2P (encrypted)
- Port 4001/4002: RQLite cluster (IP-restricted to cluster members)
- UFW firewall rules restricting RQLite access to cluster IPs only

Security Components:
- /opt/debros/configs/rqlite-users.json: User authentication
- /opt/debros/keys/rqlite-cluster-auth: Secure credential storage
- Automatic credential masking in logs
- Production-ready setup script

This implements enterprise-grade security for public network deployment
while maintaining seamless cluster communication between trusted nodes.

CRITICAL FIX: Separate RQLite and LibP2P ports to prevent service startup failures

Changes:
- LibP2P now uses port 4000 (was conflicting with RQLite on 4001)
- RQLite continues to use port 4001 for HTTP API
- RQLite Raft uses port 4002
- Updated bootstrap peer configurations to use port 4000
- Updated install script port configurations
- Fixed firewall configuration to allow correct ports
This resolves the 'bind: address already in use' error that was preventing
the debros-node service from starting properly.
- Remove references to debros-bootstrap service in update logic
- Standardize on single debros-node service for all node types
- Fix service stopping/starting during updates
- Clean up legacy service references
- Remove invalid -port flag from systemd service ExecStart command
- The node binary doesn't support the -port flag; it uses hardcoded port 4001
- Fix variable name RAFT_NODE_PORT to RAFT_PORT in two places
- Update check_existing_installation to only check for node binary since bootstrap binary was removed
This resolves the service startup failure where the service was exiting with:
'flag provided but not defined: -port'
- Fixed variable references with extra spaces that caused chmod commands to fail
- Corrected '' variable interpolation in permission commands
- Script now properly sets directory permissions without syntax errors
- Remove duplicate 'node node' references in service start messages
- Remove 'Node Type: node' line from completion output
- Simplify service messages to 'Starting/Started DeBros Network service'
- Simplify final success messages to remove redundant 'node' references
- Clean, professional output without confusing terminology duplication
- Remove logic that detects existing bootstrap.yaml and sets NODE_TYPE to 'bootstrap'
- Always use NODE_TYPE='node' in update mode for consistent terminology
- This ensures all services, configs, and outputs use 'node' terminology
- Completes the full migration from bootstrap to node naming convention
- Existing bootstrap installations will be updated to use node terminology
- Replace BOOTSTRAP_PORT, RQLITE_BOOTSTRAP_PORT, RAFT_BOOTSTRAP_PORT with NODE_PORT, RQLITE_NODE_PORT, RAFT_NODE_PORT in completion output
- Ensures all port variables are correctly defined and displayed
- Completes the full bootstrap-to-node terminology migration
- Update service creation to use NODE_PORT instead of undefined BOOTSTRAP_PORT
- This fixes the service startup failure where the wrong port variable was referenced
- Service command now correctly uses: /opt/debros/bin/node -data /opt/debros/data/node -port 4001
- Replace BOOTSTRAP_PORT with NODE_PORT (4001)
- Replace RQLITE_BOOTSTRAP_PORT with RQLITE_NODE_PORT (5001)
- Replace RAFT_BOOTSTRAP_PORT with RAFT_NODE_PORT (7001)
- Update port checks to use new node port variables
- Update configuration generation to use NODE_PORT variables
- Update firewall configuration to use node ports
- Update systemd service creation to use node terminology
- Simplify port management by removing separate bootstrap/node distinctions
- All installations now use consistent 'node' terminology
- Skip port availability check during update mode
- Existing services will be using the ports, so checking causes false conflicts
- Add log message explaining why port check is skipped
- This fixes the 'Port 4001 is already in use' error during updates
- Fix root confirmation prompt to use echo -n and read instead of read -rp
- Fix non-interactive mode to use NODE_TYPE='node' instead of 'bootstrap'
- Simplify firewall configuration to always use bootstrap ports for node
- Fix final installation summary to show correct ports for node type
- Ensure consistent behavior across all node type checks
- Removed interactive node type selection (bootstrap vs regular)
- Set NODE_TYPE to 'node' by default
- Configure as bootstrap node but with 'node' naming
- Use bootstrap ports and configuration settings
- Simplified installation process by removing node type choice
- Add security warning when running as root
- Require explicit confirmation in interactive mode
- Allow automatic proceeding in non-interactive mode
- Use sudo alias approach for clean root execution
- Maintain security consciousness while enabling automation
- Prevent accidental root execution without user awareness

Major fixes for script reliability:

Interactive Mode Issues:
- Added NON_INTERACTIVE detection when run via curl | bash
- Automatic defaults for config wizard in non-interactive mode
- Sensible fallbacks for existing installation handling

Potential Hang Points Fixed:
- Non-interactive mode uses bootstrap node type by default
- Placeholder Solana wallet for automated installs
- Auto-update existing installations without prompts
- Fixed log function definition order issue

Error Handling Improvements:
- Better network operation error handling
- Cleaner function organization
- Removed duplicate log function code

Now supports both interactive and non-interactive usage modes safely.

- Added install_rqlite() function with architecture detection
- Downloads and installs RQLite v8.30.0 from GitHub releases
- Supports amd64, arm64, and arm architectures
- Checks if RQLite is already installed before downloading
- Installs both rqlited and rqlite binaries to /usr/local/bin
- Added RQLite installation to main() function flow
- Verifies installation success and displays version
- Add UFW rules regardless of current UFW status
- Preserve user's existing UFW policy (don't auto-enable)
- Provide better feedback on rule addition and UFW status
- Enhanced manual configuration instructions when UFW not found
- Rules are ready when UFW is eventually enabled by user
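
The port layout from the "Network Architecture" list (4000 public, 4001/4002 limited to cluster IPs) combined with the UFW behaviour in the last entry (add rules, never auto-enable), as an added shell example that is not part of the project's install script. The cluster addresses are constructed documentation-range values, TCP for port 4000 is an assumption, and both function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's install script.
LIBP2P_PORT=4000          # public LibP2P (TCP is an assumption)
RQLITE_PORTS="4001 4002"  # RQLite HTTP API and Raft, cluster members only

# Hypothetical helper: accept only dotted-quad IPv4 (octets 0-255) so that
# nothing else can end up inside a firewall command.
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Hypothetical helper: print the ufw commands for review instead of running them.
rqlite_firewall_rules() (
    echo "ufw allow ${LIBP2P_PORT}/tcp"
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid cluster address: $ip" >&2
            continue
        fi
        for port in $RQLITE_PORTS; do
            echo "ufw allow from $ip to any port $port proto tcp"
        done
    done
    # No 'ufw enable' and no default-policy change: existing state is preserved.
)

# Constructed sample input (RFC 5737 documentation addresses).
rqlite_firewall_rules 192.0.2.10 192.0.2.11
```

Because the default policy is left untouched, these allow rules only act as a restriction on 4001/4002 once UFW is enabled with incoming traffic denied by default.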