Production Security Features:
- RQLite authentication with secure user management
- Firewall configuration with IP-based restrictions
- Automated credential generation and storage
- Authenticated cluster join addresses
- Credential masking in logs for security
- Helper scripts for secure RQLite connections
Network Architecture:
- Port 4000: Public LibP2P P2P (encrypted)
- Port 4001/4002: RQLite cluster (IP-restricted to cluster members)
- UFW firewall rules restricting RQLite access to cluster IPs only
Security Components:
- /opt/debros/configs/rqlite-users.json: User authentication
- /opt/debros/keys/rqlite-cluster-auth: Secure credential storage
- Automatic credential masking in logs
- Production-ready setup script
This implements enterprise-grade security for public network deployment
while maintaining seamless cluster communication between trusted nodes.
- Add automated network diagnostics for RQLite join addresses
- Test port connectivity with netcat, HTTP responses, ping, and DNS
- Provide detailed troubleshooting information in logs
- Help identify exact causes of RQLite cluster join failures
- Test connectivity before attempting RQLite cluster join
This will help diagnose the 'invalid join address' error by showing exactly
why the connection to 57.129.81.31:4001 is failing.
- Test join address reachability before attempting to join cluster
- Fall back to starting new cluster if join address is unreachable
- Add comprehensive logging for join address testing
- Prevent RQLite fatal errors when bootstrap node is down
This fixes the issue where secondary nodes fail with 'invalid join address'
when the primary bootstrap node is not accessible on port 4001.
- Replace hardcoded fallback IP with localhost for better compatibility
- Add join address format validation
- Improve logging for better troubleshooting
- Add detailed RQLite startup logging with full args
- Add automatic external IP detection for RQLite advertised addresses
- Use 0.0.0.0 for binding but actual IP for advertising to other nodes
- Add -http-adv-addr and -raft-adv-addr parameters to RQLite startup
- Resolves 'advertised HTTP address is not routable' error
- Enables proper RQLite cluster formation between nodes
- Change RQLite HTTP bind from localhost to 0.0.0.0
- Change RQLite Raft bind from localhost to 0.0.0.0
- This allows secondary bootstrap nodes and regular nodes to join the cluster
- Resolves 'invalid join address' error for secondary bootstrap nodes
- Primary bootstrap (57.129.81.31): starts new cluster (no join address)
- Secondary bootstrap (38.242.250.186): joins primary bootstrap cluster
- Regular nodes: join primary bootstrap cluster
This allows both VPS servers to be bootstrap nodes while forming a
proper RQLite cluster where the secondary bootstrap joins the primary
instead of trying to start its own independent cluster.
Should resolve the leadership establishment timeout on the second VPS.
