Production Security Features:
- RQLite authentication with secure user management
- Firewall configuration with IP-based restrictions
- Automated credential generation and storage
- Authenticated cluster join addresses
- Credential masking in logs for security
- Helper scripts for secure RQLite connections
Network Architecture:
- Port 4000: Public LibP2P P2P (encrypted)
- Port 4001/4002: RQLite cluster (IP-restricted to cluster members)
- UFW firewall rules restricting RQLite access to cluster IPs only
Security Components:
- /opt/debros/configs/rqlite-users.json: User authentication
- /opt/debros/keys/rqlite-cluster-auth: Secure credential storage
- Automatic credential masking in logs
- Production-ready setup script
This implements enterprise-grade security for public network deployment
while maintaining seamless cluster communication between trusted nodes.
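One way to implement the credential masking for authenticated join addresses listed above, as an added Go example that is not the DeBros project's own code; the regular expression, function names and the sample user/password are constructed here.

```go
package main

import (
	"net/url"
	"regexp"
)

// Matches http(s)://user:pass@ anywhere in a log line. Constructed pattern;
// the page does not show the project's own masking implementation.
var userinfoRE = regexp.MustCompile(`(https?://)([^/\s@:]+):([^/\s@]+)@`)

// maskCredentials rewrites user:pass@ in URLs to user:***@ so an authenticated
// join address such as http://admin:s3cret@57.129.81.31:4001 can be logged safely.
// Lines without embedded credentials are returned unchanged.
func maskCredentials(line string) string {
	return userinfoRE.ReplaceAllString(line, "${1}${2}:***@")
}

// joinURLWithAuth builds the real authenticated join address from the stored
// cluster credentials and, alongside it, the form that is safe to write to logs.
func joinURLWithAuth(user, pass, hostPort string) (raw, logSafe string) {
	u := &url.URL{Scheme: "http", User: url.UserPassword(user, pass), Host: hostPort}
	raw = u.String()
	return raw, maskCredentials(raw)
}
```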
- Add automated network diagnostics for RQLite join addresses
- Test port connectivity with netcat, HTTP responses, ping, and DNS
- Provide detailed troubleshooting information in logs
- Help identify exact causes of RQLite cluster join failures
- Test connectivity before attempting RQLite cluster join
This will help diagnose the 'invalid join address' error by showing exactly
why the connection to 57.129.81.31:4001 is failing.
- Test join address reachability before attempting to join cluster
- Fall back to starting new cluster if join address is unreachable
- Add comprehensive logging for join address testing
- Prevent RQLite fatal errors when bootstrap node is down
This fixes the issue where secondary nodes fail with 'invalid join address'
when the primary bootstrap node is not accessible on port 4001.
- Replace hardcoded fallback IP with localhost for better compatibility
- Add join address format validation
- Improve logging for better troubleshooting
- Add detailed RQLite startup logging with full args
- Add automatic external IP detection for RQLite advertised addresses
- Use 0.0.0.0 for binding but actual IP for advertising to other nodes
- Add -http-adv-addr and -raft-adv-addr parameters to RQLite startup
- Resolves 'advertised HTTP address is not routable' error
- Enables proper RQLite cluster formation between nodes
- Change RQLite HTTP bind from localhost to 0.0.0.0
- Change RQLite Raft bind from localhost to 0.0.0.0
- This allows secondary bootstrap nodes and regular nodes to join the cluster
- Resolves 'invalid join address' error for secondary bootstrap nodes
CRITICAL FIX: Separate RQLite and LibP2P ports to prevent service startup failures
Changes:
- LibP2P now uses port 4000 (was conflicting with RQLite on 4001)
- RQLite continues to use port 4001 for HTTP API
- RQLite Raft uses port 4002
- Updated bootstrap peer configurations to use port 4000
- Updated install script port configurations
- Fixed firewall configuration to allow correct ports
This resolves the 'bind: address already in use' error that was preventing
the debros-node service from starting properly.
- Remove references to debros-bootstrap service in update logic
- Standardize on single debros-node service for all node types
- Fix service stopping/starting during updates
- Clean up legacy service references
- Primary bootstrap (57.129.81.31): starts new cluster (no join address)
- Secondary bootstrap (38.242.250.186): joins primary bootstrap cluster
- Regular nodes: join primary bootstrap cluster
This allows both VPS servers to be bootstrap nodes while forming a
proper RQLite cluster where the secondary bootstrap joins the primary
instead of trying to start its own independent cluster.
Should resolve the leadership establishment timeout on the second VPS.
The VPS at 57.129.81.31 was incorrectly trying to join itself as a
regular node instead of being detected as a bootstrap node.
Added isLocalIP() function to check if bootstrap peer IPs match
local machine IPs using 'ip addr show' and 'hostname -I' commands.
This should resolve the 'invalid join address' error where the
bootstrap node was trying to join http://57.129.81.31:4001 (itself).
The actual running bootstrap node has peer ID:
12D3KooWJvJj94TmNwG1sntDWgAXi7MN3xxLLkoQzgHX6gQ22eKi
But the constants file had the wrong peer ID:
12D3KooWQRK2duw5B5LXi8gA7HBBFiCsLvwyph2ZU9VBmvbE1Nei
This mismatch was causing nodes to fail to connect to the bootstrap
node, leading to the 'invalid join address' error from RQLite.
- Regular nodes now join actual bootstrap nodes instead of localhost:4001
- Extract IP from bootstrap peer multiaddrs for RQLite join address
- Add fallback to first known bootstrap node (57.129.81.31:4001)
- This fixes the 'fatal: http://localhost:4001 is an invalid join address' error
Regular nodes will now properly join the RQLite cluster of bootstrap nodes
instead of trying to join themselves, which was causing startup failures.
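The self-join check (isLocalIP), the IP extraction from the bootstrap multiaddr and the reachability fallback described in the commits above, as an added Go example that is not the project's own code. It assumes the bootstrap peer is given as a libp2p multiaddr, uses net.InterfaceAddrs instead of the 'ip addr show' / 'hostname -I' commands, takes the reachability probe as a parameter (a short net.DialTimeout on host:port in production) so it can be stubbed, and leaves out the fallback to the first known bootstrap node.

```go
package main

import (
	"net"
	"strings"
)

// RQLite HTTP API port from the install script; the join address targets it.
const rqliteHTTPPort = "4001"

// ipFromMultiaddr pulls the IPv4 address out of a libp2p multiaddr such as
// /ip4/57.129.81.31/tcp/4000/p2p/<peer-id>; ok is false without a valid /ip4/ part.
func ipFromMultiaddr(maddr string) (ip string, ok bool) {
	parts := strings.Split(strings.TrimPrefix(maddr, "/"), "/")
	for i := 0; i+1 < len(parts); i += 2 {
		if parts[i] == "ip4" && net.ParseIP(parts[i+1]) != nil {
			return parts[i+1], true
		}
	}
	return "", false
}

// localIPs returns this machine's interface addresses as a set (the Go
// equivalent of parsing 'ip addr show' / 'hostname -I' output).
func localIPs() map[string]bool {
	ips := map[string]bool{}
	addrs, _ := net.InterfaceAddrs() // on error addrs is nil and the set stays empty
	for _, a := range addrs {
		if n, ok := a.(*net.IPNet); ok {
			ips[n.IP.String()] = true
		}
	}
	return ips
}

// joinAddress computes the RQLite -join value. "" means "start a new cluster":
// either this node is the bootstrap itself (joining yourself produced the
// 'invalid join address' error) or the bootstrap's HTTP port is unreachable.
func joinAddress(bootstrapMaddr string, local map[string]bool, reachable func(string) bool) string {
	ip, ok := ipFromMultiaddr(bootstrapMaddr)
	if !ok || local[ip] {
		return ""
	}
	hostPort := net.JoinHostPort(ip, rqliteHTTPPort)
	if !reachable(hostPort) {
		return ""
	}
	return "http://" + hostPort
}
```

Call it as joinAddress(maddr, localIPs(), probe) at startup; an empty result means start a fresh cluster rather than passing a self- or dead-address to -join.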
- Remove invalid -port flag from systemd service ExecStart command
- The node binary doesn't support the -port flag; it uses the hardcoded port 4001
- Fix variable name RAFT_NODE_PORT to RAFT_PORT in two places
- Update check_existing_installation to only check for node binary since bootstrap binary was removed
This resolves the service startup failure where the service was exiting with:
'flag provided but not defined: -port'
- Fixed variable references with extra spaces that caused chmod commands to fail
- Corrected '' variable interpolation in permission commands
- Script now properly sets directory permissions without syntax errors
- Remove duplicate 'node node' references in service start messages
- Remove 'Node Type: node' line from completion output
- Simplify service messages to 'Starting/Started DeBros Network service'
- Simplify final success messages to remove redundant 'node' references
- Clean, professional output without confusing terminology duplication
- Remove logic that detects existing bootstrap.yaml and sets NODE_TYPE to 'bootstrap'
- Always use NODE_TYPE='node' in update mode for consistent terminology
- This ensures all services, configs, and outputs use 'node' terminology
- Completes the full migration from bootstrap to node naming convention
- Existing bootstrap installations will be updated to use node terminology
- Replace BOOTSTRAP_PORT, RQLITE_BOOTSTRAP_PORT, RAFT_BOOTSTRAP_PORT
with NODE_PORT, RQLITE_NODE_PORT, RAFT_NODE_PORT in completion output
- Ensures all port variables are correctly defined and displayed
- Completes the full bootstrap-to-node terminology migration
- Update service creation to use NODE_PORT instead of undefined BOOTSTRAP_PORT
- This fixes the service startup failure where the wrong port variable was referenced
- Service command now correctly uses: /opt/debros/bin/node -data /opt/debros/data/node -port 4001
- Replace BOOTSTRAP_PORT with NODE_PORT (4001)
- Replace RQLITE_BOOTSTRAP_PORT with RQLITE_NODE_PORT (5001)
- Replace RAFT_BOOTSTRAP_PORT with RAFT_NODE_PORT (7001)
- Update port checks to use new node port variables
- Update configuration generation to use NODE_PORT variables
- Update firewall configuration to use node ports
- Update systemd service creation to use node terminology
- Simplify port management by removing separate bootstrap/node distinctions
- All installations now use consistent 'node' terminology
- Skip port availability check during update mode
- Existing services will be using the ports, so checking causes false conflicts
- Add log message explaining why port check is skipped
- This fixes the 'Port 4001 is already in use' error during updates
- Remove references to bootstrap/regular node distinctions throughout
- Update ports from ranges (4001-4003) to single ports (4001)
- Change 'Node Types' section to 'Node Setup'
- Remove node type selection references in deployment section
- Update table of contents to reflect structural changes
- Clarify script execution requires elevated privileges (sudo bash)
- Add user permission guidance for server setup
- Simplify network discovery descriptions
- Update firewall and service management descriptions
- Keep development section intact as it still uses separate binaries
- Remove references to node type selection in deployment section
- Update directory structure to show single node configuration
- Update service management commands to use debros-node instead of debros-bootstrap
- Update configuration examples to show single node.yaml file
- Simplify node setup section to reflect bootstrap nodes named 'node'
- Update all maintenance and monitoring commands
- Keep development section unchanged as it still uses separate bootstrap/node binaries
- Fix root confirmation prompt to use echo -n and read instead of read -rp
- Fix non-interactive mode to use NODE_TYPE='node' instead of 'bootstrap'
- Simplify firewall configuration to always use bootstrap ports for node
- Fix final installation summary to show correct ports for node type
- Ensure consistent behavior across all node type checks